Move common host features to features-nixos folder

2026-03-23 20:57:12 +01:00
parent b31791b9ef
commit eec600d1d0
37 changed files with 49 additions and 45 deletions
--- a/features-nixos/global/auto-upgrade.nix
+++ b/features-nixos/global/auto-upgrade.nix
@@ -0,0 +1,16 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  system.hydraAutoUpgrade = {
+    # Only enable if not dirty
+    enable = inputs.self ? rev;
+    dates = "*:0/10"; # Every 10 minutes
+    instance = "http://hydra.julian-mutter.de";
+    project = "dotfiles";
+    jobset = "main";
+    job = "hosts.${config.networking.hostName}";
+    oldFlakeRef = "self";
+  };
+}
--- a/features-nixos/global/default.nix
+++ b/features-nixos/global/default.nix
@@ -0,0 +1,47 @@
+# Common config for all hosts
+{
+  inputs,
+  outputs,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports =
+    [
+      ./fish.nix # fish for admin
+      ./locale.nix
+      ./nix.nix
+      ./sops.nix
+      ./root.nix
+    ]
+    ++ [
+      inputs.home-manager.nixosModules.home-manager
+    ]
+    ++ (builtins.attrValues outputs.nixosModules);
+
+  # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
+  # Enables non-free firmware
+  hardware.enableRedistributableFirmware = true;
+
+  # Networking
+  networking.networkmanager = {
+    enable = true;
+    plugins = with pkgs; [
+      networkmanager-openconnect
+    ];
+  };
+  services.resolved.enable = false;
+  # MDNS Taken by avahi
+  # networking.networkmanager.dns = "none";
+  networking.nameservers = lib.mkDefault [
+    "1.1.1.1"
+    "8.8.8.8"
+  ];
+
+  # HM module
+  home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
+  home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
+  home-manager.extraSpecialArgs = {
+    inherit inputs outputs;
+  };
+}
--- a/features-nixos/global/fish.nix
+++ b/features-nixos/global/fish.nix
@@ -0,0 +1,10 @@
+{
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}
--- a/features-nixos/global/locale.nix
+++ b/features-nixos/global/locale.nix
@@ -0,0 +1,26 @@
+{
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+
+  # Keymap
+  services.xserver.xkb = {
+    layout = "de";
+    variant = "";
+  };
+
+  console.keyMap = "de";
+
+  time.timeZone = "Europe/Berlin";
+}
--- a/features-nixos/global/nix.nix
+++ b/features-nixos/global/nix.nix
@@ -0,0 +1,46 @@
+{outputs, ...}: {
+  # Apply overlays
+  nixpkgs = {
+    # TODO: apply this to hm and nixos without duplicate code
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      nvidia.acceptLicense = true;
+      allowUnfree = true;
+      allowUnfreePredicate = _: true; # TODO: what is this
+      warn-dirty = false;
+      permittedInsecurePackages = [
+        "olm-3.2.16"
+      ];
+    };
+  };
+
+  # optimize at every build, slows down builds
+  # better to do optimise.automatic for regular optimising
+  # nix.settings.auto-optimise-store = lib.mkDefault true;
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+    "ca-derivations"
+  ];
+  # warn-dirty = false;
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+    persistent = true;
+  };
+  nix.optimise = {
+    automatic = true;
+    dates = ["weekly"]; # Optional; allows customizing optimisation schedule
+    persistent = true;
+  };
+
+  programs.nix-ld.enable = true;
+
+  # TODO: is this useful?, what does it do?
+  # nix.settings.flake-registry = ""; # Disable global flake registry
+  # Add each flake input as a registry and nix_path
+  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+}
--- a/features-nixos/global/root.nix
+++ b/features-nixos/global/root.nix
@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  # Packages needed as root
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    mc
+    gparted-xhost # needs to be installed as system package so it can be actually opened
+  ];
+}
--- a/features-nixos/global/sops.nix
+++ b/features-nixos/global/sops.nix
@@ -0,0 +1,23 @@
+{
+  self,
+  inputs,
+  config,
+  ...
+}: let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops.age = {
+    sshKeyPaths = map getKeyPath keys;
+
+    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+    # keyFile = "/home/julian/.config/sops/age/keys.txt";
+    # Generate key if none of the above worked. With this, building will still work, just without secrets
+    generateKey = false; # TODO: building should not work without secrets!?
+  };
+
+  sops.defaultSopsFile = "${self}/hosts/secrets-common.yaml";
+}