Move common host features to features-nixos folder

features-nixos/optional/authentication.nix

@@ -0,0 +1,29 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # Make programs like nextcloud client access saved passwords
+  services.gnome.gnome-keyring.enable = true;
+
+  programs.seahorse.enable = true;
+  programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
+
+  # Make authentication work for e.g. gparted
+  security.polkit.enable = true;
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = ["graphical-session.target"];
+      wants = ["graphical-session.target"];
+      after = ["graphical-session.target"];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+}

features-nixos/optional/avahi.nix

@@ -0,0 +1,12 @@
+{
+  # MDNS on local network
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    nssmdns6 = true;
+    publish.enable = true;
+    publish.addresses = true;
+    ipv4 = true;
+    ipv6 = true;
+  };
+}

features-nixos/optional/binarycaches.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  outputs,
+  ...
+}: {
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "http://binarycache.julian-mutter.de"
+      "https://devenv.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+    ];
+
+    trusted-users = [
+      "root"
+      "@wheel"
+    ]; # needed for devenv to add custom caches
+
+    # Ensure we can still build when missing-server is not accessible
+    fallback = true;
+  };
+}

features-nixos/optional/boot-efi.nix

@@ -0,0 +1,17 @@
+{
+  # Bootloader
+  # Use this for simple nix boot menu, if no dual boot required
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.configurationLimit = 10;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
+  boot.loader.systemd-boot.editor = false;
+
+  boot.supportedFilesystems = [
+    "btrfs"
+    "ntfs"
+    "nfs"
+    "cifs"
+  ];
+}

features-nixos/optional/docker.nix

@@ -0,0 +1,5 @@
+{
+  virtualisation.docker = {
+    enable = true;
+  };
+}

features-nixos/optional/flatpak.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  services.flatpak.enable = true;
+  xdg.portal.enable = true;
+  xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+  xdg.portal.config.common.default = "*"; # Use first portal implementation found
+}

features-nixos/optional/gamemode.nix

@@ -0,0 +1,21 @@
+{pkgs, ...}: {
+  programs.gamemode = {
+    enable = true;
+    settings = {
+      general = {
+        softrealtime = "auto";
+        inhibit_screensaver = 1;
+        renice = 5;
+      };
+      # gpu = {
+      #   apply_gpu_optimisations = "accept-responsibility";
+      #   gpu_device = 1;
+      #   amd_performance_level = "high";
+      # };
+      custom = {
+        start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+        end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+      };
+    };
+  };
+}

features-nixos/optional/gdm.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.xserver.displayManager.gdm = {
+    enable = true;
+  };
+
+  # unlock GPG keyring on login
+  security.pam.services.gdm.enableGnomeKeyring = true;
+}

features-nixos/optional/greetd.nix

@@ -0,0 +1,37 @@
+{config, ...}: let
+  homeCfgs = config.home-manager.users;
+  julianCfg = homeCfgs.julian;
+in {
+  users.extraUsers.greeter = {
+    # For caching
+    home = "/tmp/greeter-home";
+    createHome = true;
+  };
+
+  programs.regreet = {
+    enable = true;
+    iconTheme = julianCfg.gtk.iconTheme;
+    theme = julianCfg.gtk.theme;
+    # font = julianCfg.fontProfiles.regular; # TODO: do
+    cursorTheme = {
+      inherit (julianCfg.gtk.cursorTheme) name package;
+    };
+    cageArgs = [
+      "-s"
+      "-m"
+      "last"
+    ]; # multimonitor use last monitor
+    # settings.background = {
+    #   path = julianCfg.wallpaper;
+    #   fit = "Cover";
+    # }; # TODO: fix
+
+    # TODO: setting keyboard language does not work
+    # settings = {
+    #   env = {
+    #     XKB_DEFAULT_LAYOUT = "de";
+    #     # XKB_DEFAULT_VARIANT = "altgr-intl";
+    #   };
+    # };
+  };
+}

features-nixos/optional/i3.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.xserver.windowManager.i3.enable = true;
+  services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+  services.displayManager.defaultSession = "none+i3";
+
+  programs.xss-lock = {
+    # responds to "loginctl lock-session" via dbus
+    enable = true;
+    lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
+  };
+}

features-nixos/optional/kerberos.nix

@@ -0,0 +1,23 @@
+{
+  security.krb5.enable = true;
+  security.krb5.settings = {
+    # domain_realm = {
+    #   ".julian-mutter.de" = "julian-mutter.de";
+    #   "julian-mutter.de" = "julian-mutter.de";
+    # };
+    libdefaults = {
+      default_realm = "julian-mutter.de";
+      #   dns_lookup_realm = true;
+      #   dns_lookup_kdc = true;
+      #   ticket_lifetime = "24h";
+      #   renew_lifetime = "7d";
+    };
+    realms = {
+      "julian-mutter.de" = {
+        kdc = ["kerberos.julian-mutter.de"];
+        admin_server = "kerberos-admin.julian-mutter.de";
+        default_domain = "julian-mutter.de";
+      };
+    };
+  };
+}

features-nixos/optional/openssh.nix

@@ -0,0 +1,49 @@
+{
+  outputs,
+  lib,
+  config,
+  ...
+}: let
+  hosts = lib.attrNames outputs.nixosConfigurations;
+in {
+  services.openssh = {
+    enable = true;
+    settings = {
+      # Harden
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+
+      # TODO: what does this do
+      # Let WAYLAND_DISPLAY be forwarded
+      AcceptEnv = "WAYLAND_DISPLAY";
+      X11Forwarding = true;
+    };
+
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
+  # TODO: is automatic known hosts file even necessary?
+  # programs.ssh = {
+  #   # Each hosts public key
+  #   knownHosts = lib.genAttrs hosts (hostname: {
+  #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
+  #     extraHostNames =
+  #       [
+  #         # "${hostname}.m7.rs"
+  #       ]
+  #       ++
+  #         # Alias for localhost if it's the same host
+  #         (lib.optional (hostname == config.networking.hostName) "localhost")
+  #       # Alias to m7.rs and git.m7.rs if it's alcyone
+  #       ++ (lib.optionals (hostname == "alcyone") [
+  #         "m7.rs"
+  #         "git.m7.rs"
+  #       ]);
+  #   });
+  # };
+}

features-nixos/optional/pcmanfm.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    shared-mime-info # extended mimetype support
+    lxmenu-data # open with "Installed Applications"
+    pcmanfm
+  ];
+
+  services.gvfs.enable = true; # Mount, trash, and other functionalities
+}

features-nixos/optional/pipewire.nix

@@ -0,0 +1,28 @@
+{
+  security.rtkit.enable = true;
+  services.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    wireplumber.enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+    extraConfig.pipewire = {
+      "99-no-bell" = {
+        # Disable bell sound
+        "context.properties" = {
+          "module.x11.bell" = false;
+        };
+      };
+      "10-increase-buffer" = {
+        "context.properties" = {
+          "default.clock.rate" = 48000;
+          "default.clock.quantum" = 1024;
+          "default.clock.min-quantum" = 1024;
+          "default.clock.max-quantum" = 2048;
+        };
+      };
+    };
+  };
+}

features-nixos/optional/podman.nix

@@ -0,0 +1,10 @@
+{config, ...}: let
+  dockerEnabled = config.virtualisation.docker.enable;
+in {
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = !dockerEnabled;
+    dockerSocket.enable = !dockerEnabled;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}

features-nixos/optional/redshift.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Set location used by redshift
+  location.provider = "manual";
+  location.latitude = 47.92;
+  location.longitude = 10.12;
+  services.redshift.enable = true;
+}

features-nixos/optional/remote-builder.nix

@@ -0,0 +1,34 @@
+{
+  nix.distributedBuilds = true;
+  nix.settings.builders-use-substitutes = true;
+
+  nix.buildMachines = [
+    {
+      hostName = "builder.julian-mutter.de";
+      protocol = "ssh";
+      sshUser = "nix";
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+      maxJobs = 4;
+      speedFactor = 3;
+      supportedFeatures = [
+        "nixos-test"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+      ];
+      mandatoryFeatures = [];
+    }
+    # {
+    #   hostName = "localhost";
+    #   protocol = null;
+    #   systems = [
+    #     "x86_64-linux"
+    #   ];
+    #   maxJobs = 4;
+    #   speedFactor = 1;
+    # }
+  ];
+}

features-nixos/optional/thunar.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  programs.thunar.enable = true;
+  programs.xfconf.enable = true; # Persist saved preferences
+  programs.thunar.plugins = with pkgs.xfce; [
+    thunar-archive-plugin
+    thunar-volman
+    thunar-media-tags-plugin
+  ];
+  services.gvfs.enable = true; # Mount, trash, and other functionalities
+  services.tumbler.enable = true; # Thumbnail support for images
+}

features-nixos/optional/virtualbox.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.virtualbox.host.enable = true;
+  # virtualisation.virtualbox.host.enableExtensionPack = true;
+  # virtualisation.virtualbox.guest.enable = true;
+  # virtualisation.virtualbox.guest.x11 = true;
+  users.extraGroups.vboxusers.members = ["julian"];
+}

features-nixos/optional/wireguard.nix

@@ -0,0 +1,12 @@
+{
+  networking.wg-quick.interfaces = {
+    julian = {
+      configFile = "/etc/wireguard/julian.conf";
+      autostart = true; # This interface is started on boot
+    };
+    comu = {
+      configFile = "/etc/wireguard/comu.conf";
+      autostart = false;
+    };
+  };
+}

features-nixos/optional/wireshark.nix

@@ -0,0 +1,9 @@
+{
+  programs.wireshark = {
+    enable = true;
+    dumpcap.enable = true;
+    usbmon.enable = true;
+  };
+
+  users.users.julian.extraGroups = ["wireshark"];
+}

features-nixos/optional/xserver.nix

@@ -0,0 +1,6 @@
+{
+  services.xserver = {
+    enable = true;
+    wacom.enable = true;
+  };
+}