Move common host features to features-nixos folder

features-nixos/global/auto-upgrade.nix

@@ -0,0 +1,16 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  system.hydraAutoUpgrade = {
+    # Only enable if not dirty
+    enable = inputs.self ? rev;
+    dates = "*:0/10"; # Every 10 minutes
+    instance = "http://hydra.julian-mutter.de";
+    project = "dotfiles";
+    jobset = "main";
+    job = "hosts.${config.networking.hostName}";
+    oldFlakeRef = "self";
+  };
+}

features-nixos/global/default.nix

@@ -0,0 +1,47 @@
+# Common config for all hosts
+{
+  inputs,
+  outputs,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports =
+    [
+      ./fish.nix # fish for admin
+      ./locale.nix
+      ./nix.nix
+      ./sops.nix
+      ./root.nix
+    ]
+    ++ [
+      inputs.home-manager.nixosModules.home-manager
+    ]
+    ++ (builtins.attrValues outputs.nixosModules);
+
+  # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
+  # Enables non-free firmware
+  hardware.enableRedistributableFirmware = true;
+
+  # Networking
+  networking.networkmanager = {
+    enable = true;
+    plugins = with pkgs; [
+      networkmanager-openconnect
+    ];
+  };
+  services.resolved.enable = false;
+  # MDNS Taken by avahi
+  # networking.networkmanager.dns = "none";
+  networking.nameservers = lib.mkDefault [
+    "1.1.1.1"
+    "8.8.8.8"
+  ];
+
+  # HM module
+  home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
+  home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
+  home-manager.extraSpecialArgs = {
+    inherit inputs outputs;
+  };
+}

features-nixos/global/fish.nix

@@ -0,0 +1,10 @@
+{
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}

features-nixos/global/locale.nix

@@ -0,0 +1,26 @@
+{
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+
+  # Keymap
+  services.xserver.xkb = {
+    layout = "de";
+    variant = "";
+  };
+
+  console.keyMap = "de";
+
+  time.timeZone = "Europe/Berlin";
+}

features-nixos/global/nix.nix

@@ -0,0 +1,46 @@
+{outputs, ...}: {
+  # Apply overlays
+  nixpkgs = {
+    # TODO: apply this to hm and nixos without duplicate code
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      nvidia.acceptLicense = true;
+      allowUnfree = true;
+      allowUnfreePredicate = _: true; # TODO: what is this
+      warn-dirty = false;
+      permittedInsecurePackages = [
+        "olm-3.2.16"
+      ];
+    };
+  };
+
+  # optimize at every build, slows down builds
+  # better to do optimise.automatic for regular optimising
+  # nix.settings.auto-optimise-store = lib.mkDefault true;
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+    "ca-derivations"
+  ];
+  # warn-dirty = false;
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+    persistent = true;
+  };
+  nix.optimise = {
+    automatic = true;
+    dates = ["weekly"]; # Optional; allows customizing optimisation schedule
+    persistent = true;
+  };
+
+  programs.nix-ld.enable = true;
+
+  # TODO: is this useful?, what does it do?
+  # nix.settings.flake-registry = ""; # Disable global flake registry
+  # Add each flake input as a registry and nix_path
+  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+}

features-nixos/global/root.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  # Packages needed as root
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    mc
+    gparted-xhost # needs to be installed as system package so it can be actually opened
+  ];
+}

features-nixos/global/sops.nix

@@ -0,0 +1,23 @@
+{
+  self,
+  inputs,
+  config,
+  ...
+}: let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops.age = {
+    sshKeyPaths = map getKeyPath keys;
+
+    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+    # keyFile = "/home/julian/.config/sops/age/keys.txt";
+    # Generate key if none of the above worked. With this, building will still work, just without secrets
+    generateKey = false; # TODO: building should not work without secrets!?
+  };
+
+  sops.defaultSopsFile = "${self}/hosts/secrets-common.yaml";
+}

features-nixos/optional/authentication.nix

@@ -0,0 +1,29 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # Make programs like nextcloud client access saved passwords
+  services.gnome.gnome-keyring.enable = true;
+
+  programs.seahorse.enable = true;
+  programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
+
+  # Make authentication work for e.g. gparted
+  security.polkit.enable = true;
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = ["graphical-session.target"];
+      wants = ["graphical-session.target"];
+      after = ["graphical-session.target"];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+}

features-nixos/optional/avahi.nix

@@ -0,0 +1,12 @@
+{
+  # MDNS on local network
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    nssmdns6 = true;
+    publish.enable = true;
+    publish.addresses = true;
+    ipv4 = true;
+    ipv6 = true;
+  };
+}

features-nixos/optional/binarycaches.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  outputs,
+  ...
+}: {
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "http://binarycache.julian-mutter.de"
+      "https://devenv.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+    ];
+
+    trusted-users = [
+      "root"
+      "@wheel"
+    ]; # needed for devenv to add custom caches
+
+    # Ensure we can still build when missing-server is not accessible
+    fallback = true;
+  };
+}

features-nixos/optional/boot-efi.nix

@@ -0,0 +1,17 @@
+{
+  # Bootloader
+  # Use this for simple nix boot menu, if no dual boot required
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 10;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
+  boot.loader.systemd-boot.editor = false;
+
+  boot.supportedFilesystems = [
+    "btrfs"
+    "ntfs"
+    "nfs"
+    "cifs"
+  ];
+}

features-nixos/optional/docker.nix

@@ -0,0 +1,5 @@
+{
+  virtualisation.docker = {
+    enable = true;
+  };
+}

features-nixos/optional/flatpak.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  services.flatpak.enable = true;
+  xdg.portal.enable = true;
+  xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+  xdg.portal.config.common.default = "*"; # Use first portal implementation found
+}

features-nixos/optional/gamemode.nix

@@ -0,0 +1,21 @@
+{pkgs, ...}: {
+  programs.gamemode = {
+    enable = true;
+    settings = {
+      general = {
+        softrealtime = "auto";
+        inhibit_screensaver = 1;
+        renice = 5;
+      };
+      # gpu = {
+      #   apply_gpu_optimisations = "accept-responsibility";
+      #   gpu_device = 1;
+      #   amd_performance_level = "high";
+      # };
+      custom = {
+        start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+        end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+      };
+    };
+  };
+}

features-nixos/optional/gdm.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.xserver.displayManager.gdm = {
+    enable = true;
+  };
+
+  # unlock GPG keyring on login
+  security.pam.services.gdm.enableGnomeKeyring = true;
+}

features-nixos/optional/greetd.nix

@@ -0,0 +1,37 @@
+{config, ...}: let
+  homeCfgs = config.home-manager.users;
+  julianCfg = homeCfgs.julian;
+in {
+  users.extraUsers.greeter = {
+    # For caching
+    home = "/tmp/greeter-home";
+    createHome = true;
+  };
+
+  programs.regreet = {
+    enable = true;
+    iconTheme = julianCfg.gtk.iconTheme;
+    theme = julianCfg.gtk.theme;
+    # font = julianCfg.fontProfiles.regular; # TODO: do
+    cursorTheme = {
+      inherit (julianCfg.gtk.cursorTheme) name package;
+    };
+    cageArgs = [
+      "-s"
+      "-m"
+      "last"
+    ]; # multimonitor use last monitor
+    # settings.background = {
+    #   path = julianCfg.wallpaper;
+    #   fit = "Cover";
+    # }; # TODO: fix
+
+    # TODO: setting keyboard language does not work
+    # settings = {
+    #   env = {
+    #     XKB_DEFAULT_LAYOUT = "de";
+    #     # XKB_DEFAULT_VARIANT = "altgr-intl";
+    #   };
+    # };
+  };
+}

features-nixos/optional/i3.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.xserver.windowManager.i3.enable = true;
+  services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+  services.displayManager.defaultSession = "none+i3";
+
+  programs.xss-lock = {
+    # responds to "loginctl lock-session" via dbus
+    enable = true;
+    lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
+  };
+}

features-nixos/optional/kerberos.nix

@@ -0,0 +1,23 @@
+{
+  security.krb5.enable = true;
+  security.krb5.settings = {
+    # domain_realm = {
+    #   ".julian-mutter.de" = "julian-mutter.de";
+    #   "julian-mutter.de" = "julian-mutter.de";
+    # };
+    libdefaults = {
+      default_realm = "julian-mutter.de";
+      #   dns_lookup_realm = true;
+      #   dns_lookup_kdc = true;
+      #   ticket_lifetime = "24h";
+      #   renew_lifetime = "7d";
+    };
+    realms = {
+      "julian-mutter.de" = {
+        kdc = ["kerberos.julian-mutter.de"];
+        admin_server = "kerberos-admin.julian-mutter.de";
+        default_domain = "julian-mutter.de";
+      };
+    };
+  };
+}

features-nixos/optional/openssh.nix

@@ -0,0 +1,49 @@
+{
+  outputs,
+  lib,
+  config,
+  ...
+}: let
+  hosts = lib.attrNames outputs.nixosConfigurations;
+in {
+  services.openssh = {
+    enable = true;
+    settings = {
+      # Harden
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+
+      # TODO: what does this do
+      # Let WAYLAND_DISPLAY be forwarded
+      AcceptEnv = "WAYLAND_DISPLAY";
+      X11Forwarding = true;
+    };
+
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
+  # TODO: is automatic known hosts file even necessary?
+  # programs.ssh = {
+  #   # Each hosts public key
+  #   knownHosts = lib.genAttrs hosts (hostname: {
+  #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
+  #     extraHostNames =
+  #       [
+  #         # "${hostname}.m7.rs"
+  #       ]
+  #       ++
+  #         # Alias for localhost if it's the same host
+  #         (lib.optional (hostname == config.networking.hostName) "localhost")
+  #       # Alias to m7.rs and git.m7.rs if it's alcyone
+  #       ++ (lib.optionals (hostname == "alcyone") [
+  #         "m7.rs"
+  #         "git.m7.rs"
+  #       ]);
+  #   });
+  # };
+}

features-nixos/optional/pcmanfm.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    shared-mime-info # extended mimetype support
+    lxmenu-data # open with "Installed Applications"
+    pcmanfm
+  ];
+
+  services.gvfs.enable = true; # Mount, trash, and other functionalities
+}

features-nixos/optional/pipewire.nix

@@ -0,0 +1,28 @@
+{
+  security.rtkit.enable = true;
+  services.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    wireplumber.enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+    extraConfig.pipewire = {
+      "99-no-bell" = {
+        # Disable bell sound
+        "context.properties" = {
+          "module.x11.bell" = false;
+        };
+      };
+      "10-increase-buffer" = {
+        "context.properties" = {
+          "default.clock.rate" = 48000;
+          "default.clock.quantum" = 1024;
+          "default.clock.min-quantum" = 1024;
+          "default.clock.max-quantum" = 2048;
+        };
+      };
+    };
+  };
+}

features-nixos/optional/podman.nix

@@ -0,0 +1,10 @@
+{config, ...}: let
+  dockerEnabled = config.virtualisation.docker.enable;
+in {
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = !dockerEnabled;
+    dockerSocket.enable = !dockerEnabled;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}

features-nixos/optional/redshift.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Set location used by redshift
+  location.provider = "manual";
+  location.latitude = 47.92;
+  location.longitude = 10.12;
+  services.redshift.enable = true;
+}

features-nixos/optional/remote-builder.nix

@@ -0,0 +1,34 @@
+{
+  nix.distributedBuilds = true;
+  nix.settings.builders-use-substitutes = true;
+
+  nix.buildMachines = [
+    {
+      hostName = "builder.julian-mutter.de";
+      protocol = "ssh";
+      sshUser = "nix";
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+      maxJobs = 4;
+      speedFactor = 3;
+      supportedFeatures = [
+        "nixos-test"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+      ];
+      mandatoryFeatures = [];
+    }
+    # {
+    #   hostName = "localhost";
+    #   protocol = null;
+    #   systems = [
+    #     "x86_64-linux"
+    #   ];
+    #   maxJobs = 4;
+    #   speedFactor = 1;
+    # }
+  ];
+}

features-nixos/optional/thunar.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  programs.thunar.enable = true;
+  programs.xfconf.enable = true; # Persist saved preferences
+  programs.thunar.plugins = with pkgs.xfce; [
+    thunar-archive-plugin
+    thunar-volman
+    thunar-media-tags-plugin
+  ];
+  services.gvfs.enable = true; # Mount, trash, and other functionalities
+  services.tumbler.enable = true; # Thumbnail support for images
+}

features-nixos/optional/virtualbox.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.virtualbox.host.enable = true;
+  # virtualisation.virtualbox.host.enableExtensionPack = true;
+  # virtualisation.virtualbox.guest.enable = true;
+  # virtualisation.virtualbox.guest.x11 = true;
+  users.extraGroups.vboxusers.members = ["julian"];
+}

features-nixos/optional/wireguard.nix

@@ -0,0 +1,12 @@
+{
+  networking.wg-quick.interfaces = {
+    julian = {
+      configFile = "/etc/wireguard/julian.conf";
+      autostart = true; # This interface is started on boot
+    };
+    comu = {
+      configFile = "/etc/wireguard/comu.conf";
+      autostart = false;
+    };
+  };
+}

features-nixos/optional/wireshark.nix

@@ -0,0 +1,9 @@
+{
+  programs.wireshark = {
+    enable = true;
+    dumpcap.enable = true;
+    usbmon.enable = true;
+  };
+
+  users.users.julian.extraGroups = ["wireshark"];
+}

features-nixos/optional/xserver.nix

@@ -0,0 +1,6 @@
+{
+  services.xserver = {
+    enable = true;
+    wacom.enable = true;
+  };
+}

features-nixos/users/julian/default.nix

@@ -0,0 +1,51 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in {
+  users.mutableUsers = false;
+  users.users.julian = {
+    description = "Julian";
+    group = "julian";
+    isNormalUser = true;
+    uid = 1000;
+    shell = pkgs.fish;
+    extraGroups = ifTheyExist [
+      "networkmanager"
+      "wheel"
+      "audio"
+      "realtime"
+      "rtkit"
+      "network"
+      "video"
+      "podman"
+      "docker"
+      "git"
+      "gamemode"
+      "dialout"
+    ];
+
+    openssh.authorizedKeys.keys = lib.splitString "\n" (
+      builtins.readFile ./ssh.pub
+    );
+    # hashedPasswordFile = config.sops.secrets.julian-password.path;
+    hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
+    packages = [pkgs.home-manager];
+  };
+  users.groups.julian = {
+    gid = 1000;
+  };
+
+  sops.secrets.julian-password = {
+    sopsFile = ../../secrets.yaml;
+    neededForUsers = true;
+  };
+
+  home-manager.users.julian = import "${self}/homes/julian/${config.networking.hostName}.nix";
+
+  security.pam.services.swaylock = {}; # Make swaylock unlocking work
+}

features-nixos/users/julian/ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H

features-nixos/users/wolfi/default.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in {
+  users.mutableUsers = false;
+  users.users.wolfi = {
+    description = "Wolfi";
+    group = "wolfi";
+    isNormalUser = true;
+    shell = pkgs.fish;
+    extraGroups = ifTheyExist [
+      "networkmanager"
+      "wheel"
+      "audio"
+      "network"
+      "video"
+      "podman"
+      "docker"
+      "git"
+      "gamemode"
+    ];
+
+    hashedPassword = "$y$j9T$ifzWjoZaRtPUOOfMYnbJ20$uFOO1EyDApL52vRUicZYgupaTA/a6sGNUj3imZ/lcb6";
+    packages = [pkgs.home-manager];
+  };
+  users.groups.wolfi = {};
+}