diff --git a/hosts/nuc/modules/grafana/default.nix b/hosts/nuc/modules/grafana/default.nix index c7ded09..85b9ef3 100644 --- a/hosts/nuc/modules/grafana/default.nix +++ b/hosts/nuc/modules/grafana/default.nix @@ -25,9 +25,7 @@ in ensureUsers = [ { name = "grafana"; - ensurePermissions = { - "DATABASE grafana" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; ensureDatabases = [ "grafana" ]; diff --git a/hosts/nuc/modules/vaultwarden/default.nix b/hosts/nuc/modules/vaultwarden/default.nix index 9d6eebd..0f88ae0 100644 --- a/hosts/nuc/modules/vaultwarden/default.nix +++ b/hosts/nuc/modules/vaultwarden/default.nix @@ -24,9 +24,7 @@ in ensureUsers = [ { name = "vaultwarden"; - ensurePermissions = { - "DATABASE vaultwarden" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; ensureDatabases = [ "vaultwarden" ]; diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 40bb579..bfb830d 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix 
@@ -1,35 +1,20 @@ -{ config, pkgs, lib, agenix, ... }: +{ config, pkgs, ... }: { imports = [ ./hardware-configuration.nix ./modules/backup - ./modules/networks + ./modules/graphics ./modules/greetd + ./modules/networks + ./modules/security + ./modules/sound ./modules/virtualisation ]; # Use the systemd-boot EFI boot loader. - # boot.initrd.systemd.additionalUpstreamUnits = [ "systemd-vconsole-setup.service" ]; boot = { - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - loader.systemd-boot.enable = lib.mkForce false; - lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - configurationLimit = 10; - }; - extraModulePackages = [ - config.boot.kernelPackages.v4l2loopback.out - ]; - - - loader.systemd-boot.editor = false; - loader.efi.canTouchEfiVariables = true; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; tmp.useTmpfs = true; }; 
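Review bot: `extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];` is dropped from the `boot` attrset in this hunk but, unlike the lanzaboote and loader settings (which reappear in hosts/thinkpad/modules/security/default.nix), it is not re-added by any hunk in this diff. If the loopback camera module is still wanted it should land in one of the new modules, e.g. `boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];` in the graphics module; if the removal is intentional, the commit message should say so. The enclosing module attrset continues outside the hunk.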
@@ -48,105 +33,29 @@ "/etc/machine-id" ]; }; - age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; time.timeZone = "Europe/Berlin"; i18n.defaultLocale = "en_US.UTF-8"; - console = { - keyMap = "dvorak"; - colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in - [ - colors.base00 - colors.base08 - colors.base0A - colors.base0B - colors.base0D - colors.base0E - colors.base0C - colors.base05 - colors.base03 - colors.base08 - colors.base0A - colors.base0B - colors.base0D - colors.base0E - colors.base0C - colors.base07 - ]; - }; + console.keyMap = "dvorak"; - fonts = { - enableDefaultPackages = false; - packages = with pkgs; - [ - nerdfonts - noto-fonts - noto-fonts-cjk - noto-fonts-emoji - dejavu_fonts - fira - ]; - }; - # Enable sound. - sound.enable = true; - #hardware.pulseaudio.enable = true; - hardware.bluetooth.enable = true; - - security = { - polkit.enable = true; - }; - - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - }; - xdg.portal = { - enable = true; - extraPortals = [ - pkgs.xdg-desktop-portal-wlr - ]; - }; - - - # control display backlight - programs.light.enable = true; services = { - # homed.enable = true; blueman.enable = true; # bluetooth devmon.enable = true; # automount stuff - # printing = { - # enable = true; - # stateless = true; - # browsedConf = '' - # BrowsePoll tomate.local - # BrowsePoll cups.agdsn.network - # LocalQueueNamingRemoteCUPS RemoteName - # ''; - # }; avahi = { - # autodiscover printers enable = true; nssmdns = true; }; - fprintd.enable = true; # log in using fingerprint fwupd.enable = true; # firmware updates zfs.autoScrub.enable = true; }; - - programs.steam.enable = true; # putting steam in here cause in home manager it doesn't work - - programs.ausweisapp = { - enable = true; - openFirewall = true; - }; + hardware.bluetooth.enable = true; systemd.sleep.extraConfig = '' HibernateDelaySec=2h ''; + services.logind = 
{ lidSwitch = "suspend-then-hibernate"; lidSwitchDocked = "suspend-then-hibernate"; @@ -155,6 +64,7 @@ HandlePowerKey = ignore ''; }; + services.tlp = { enable = true; settings = { @@ -163,55 +73,6 @@ }; }; - security.tpm2 = { - enable = true; - pkcs11.enable = true; - abrmd.enable = true; - tctiEnvironment.enable = true; - }; - - hardware.opengl.extraPackages = with pkgs; [ - intel-compute-runtime - intel-media-driver - ]; - - environment.systemPackages = with pkgs; [ - # hardware utilities - nvme-cli - intel-gpu-tools - tpm2-tools - lm_sensors - pciutils - - # system essentials - htop-vim - lsof - killall - zip - unzip - sbctl - man-pages - cups - agenix.packages.x86_64-linux.default - mosh - qpwgraph - ]; - - programs.java.enable = true; - programs.wireshark = { - enable = true; - package = pkgs.wireshark-qt; - }; - security.wrappers.etherape = { - source = "${pkgs.etherape}/bin/etherape"; - capabilities = "cap_net_raw,cap_net_admin+eip"; - owner = "root"; - group = "wireshark"; # too lazy to create a new one - permissions = "u+rx,g+x"; - }; - documentation.dev.enable = true; - - system.stateVersion = "22.11"; } diff --git a/hosts/thinkpad/hardware-configuration.nix b/hosts/thinkpad/hardware-configuration.nix index f805473..44466b0 100644 --- a/hosts/thinkpad/hardware-configuration.nix +++ b/hosts/thinkpad/hardware-configuration.nix @@ -1,7 +1,4 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, modulesPath, ... }: +{ pkgs, config, lib, modulesPath, ... }: { imports = @@ -9,6 +6,12 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; + environment.systemPackages = with pkgs; [ + nvme-cli + intel-gpu-tools + lm_sensors + pciutils + ]; boot = { initrd = { availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; 
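Review bot: `system.stateVersion = "22.11";` is removed at the end of the `@@ -163,55 +73,6 @@` hunk and is not re-added anywhere in this diff, so unless it is set in a file outside the diff the host loses its pinned state version and NixOS falls back to the running release (with a warning), which can change defaults for stateful services that key off it. The effect propagates: users/rouven/default.nix derives `home.stateVersion = config.system.stateVersion;`, so home-manager's state version would silently move as well. `documentation.dev.enable = true;` is removed in the same hunk and also does not reappear, even though `man-pages` is kept as a user package. Suggest keeping `system.stateVersion = "22.11";` (and, if still wanted, `documentation.dev.enable = true;`) in hosts/thinkpad/default.nix, since the state version is a per-host value rather than a module concern; the enclosing attrset starts outside the hunk.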
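Review bot: The `environment.systemPackages` block added in the second hardware-configuration.nix hunk (`@@ -9,6 +6,12 @@`) will be overwritten the next time `nixos-generate-config` is run, and the first hunk of the same file removes the header comment that warned about exactly that. Suggest moving `nvme-cli`, `intel-gpu-tools`, `lm_sensors` and `pciutils` into hosts/thinkpad/default.nix or a hardware module instead; if they must stay here, restore a short header such as `# Generated by nixos-generate-config; the environment.systemPackages block is hand-added and must be re-applied after regeneration.` The `pkgs` argument added to the module header is only needed for that block and can go with it.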
diff --git a/hosts/thinkpad/modules/graphics/default.nix b/hosts/thinkpad/modules/graphics/default.nix new file mode 100644 index 0000000..460de5b --- /dev/null +++ b/hosts/thinkpad/modules/graphics/default.nix @@ -0,0 +1,44 @@ +{ config, pkgs, ... }: +{ + # control display backlight + programs.light.enable = true; + + fonts = { + enableDefaultPackages = false; + packages = with pkgs; + [ + nerdfonts + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + dejavu_fonts + fira + ]; + }; + console = { + colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in + [ + colors.base00 + colors.base08 + colors.base0A + colors.base0B + colors.base0D + colors.base0E + colors.base0C + colors.base05 + + colors.base03 + colors.base08 + colors.base0A + colors.base0B + colors.base0D + colors.base0E + colors.base0C + colors.base07 + ]; + }; + hardware.opengl.extraPackages = with pkgs; [ + intel-compute-runtime + intel-media-driver + ]; +} diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 4c42ff0..b2dc4f7 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -160,4 +160,16 @@ ]; }; }; + programs.wireshark = { + enable = true; + package = pkgs.wireshark-qt; + }; + users.groups.etherape = { }; + security.wrappers.etherape = { + source = "${pkgs.etherape}/bin/etherape"; + capabilities = "cap_net_raw,cap_net_admin+eip"; + owner = "root"; + group = "etherape"; # too lazy to create a new one + permissions = "u+rx,g+x"; + }; } diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix new file mode 100644 index 0000000..2823578 --- /dev/null +++ b/hosts/thinkpad/modules/security/default.nix 
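Review bot: In the hosts/thinkpad/modules/networks/default.nix hunk the comment `group = "etherape"; # too lazy to create a new one` is now stale, because `users.groups.etherape = { };` two lines above does create a dedicated group for the wrapper. Suggest `group = "etherape"; # dedicated group gating the capability wrapper`. The capabilities line deserves a why-comment as well, since every member of that group gains both capabilities through this binary; e.g. `capabilities = "cap_net_raw,cap_net_admin+eip"; # raw capture; net_admin presumably for promiscuous mode — keep group membership tight`. The enclosing attrset starts outside the hunk.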
@@ -0,0 +1,36 @@ +{ pkgs, lib, agenix, ... }: +{ + age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; + security = { + polkit.enable = true; + tpm2 = { + enable = true; + pkcs11.enable = true; + abrmd.enable = true; + tctiEnvironment.enable = true; + }; + }; + services = { + fprintd.enable = true; # log in using fingerprint + }; + environment.systemPackages = with pkgs; [ + agenix.packages.x86_64-linux.default + tpm2-tools + sbctl + ]; + # enable secure boot using lanzaboote + boot = { + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + loader.systemd-boot.enable = lib.mkForce false; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + configurationLimit = 10; + }; + loader.systemd-boot.editor = false; + loader.efi.canTouchEfiVariables = true; + }; +} diff --git a/hosts/thinkpad/modules/sound/default.nix b/hosts/thinkpad/modules/sound/default.nix new file mode 100644 index 0000000..ffc4116 --- /dev/null +++ b/hosts/thinkpad/modules/sound/default.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: +{ + sound.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + environment.systemPackages = with pkgs; [ + qpwgraph + ]; +} diff --git a/overlays/default.nix b/overlays/default.nix index 0269d3d..3b2e7e0 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -4,7 +4,6 @@ let inherit (prev) python3Packages; inherit (prev) fetchFromGitHub; inherit (prev) fetchPypi; - inherit (prev) fetchpatch; inherit (prev) makeWrapper; in { diff --git a/users/rouven/default.nix b/users/rouven/default.nix index b2700d4..9a54b15 100644 --- a/users/rouven/default.nix +++ b/users/rouven/default.nix 
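Review bot: `agenix.packages.x86_64-linux.default` in the `environment.systemPackages` list hard-codes the system; `agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` keeps the new module portable at no cost (the line is carried over verbatim from the old hosts/thinkpad/default.nix). The file is also the host's security policy in one place and would benefit from a one-line header after the argument list, e.g. `# Host security: agenix identity key, polkit, TPM2 stack, fingerprint login and secure boot via lanzaboote`. A short note on `pkiBundle = "/etc/secureboot";` saying that the signing keys live outside the Nix store and must be provisioned with sbctl before the first boot would help the next reader, since `sbctl` is installed here for that purpose.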
@@ -5,7 +5,7 @@ users.users.rouven = { description = "Rouven Seifert"; isNormalUser = true; - extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" ]; + extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" "etherape" ]; initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1"; }; home-manager.useUserPackages = true; @@ -18,6 +18,7 @@ home.username = "rouven"; home.homeDirectory = "/home/rouven"; home.stateVersion = config.system.stateVersion; + home.enableNixpkgsReleaseCheck = false; }; }; } diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix index 579fb5e..eecb06e 100644 --- a/users/rouven/fixes.nix +++ b/users/rouven/fixes.nix @@ -22,6 +22,13 @@ ''; wrapperFeatures.gtk = true; }; + # enable xdg portals for sway + xdg.portal = { + enable = true; + extraPortals = [ + pkgs.xdg-desktop-portal-wlr + ]; + }; # wayland keylogger needs setuid programs.wshowkeys.enable = true; # fixes pam entries for swaylock @@ -42,4 +49,14 @@ session required pam_env.so conffile=/etc/pam/environment readenv=0 session required pam_unix.so ''; + # global wrapper for ausweisapp + programs.ausweisapp = { + enable = true; + openFirewall = true; + }; + # home manager steam is borderline broken + programs.steam.enable = true; + + # enable java black magic + programs.java.enable = true; } diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index 23decf4..f2f97b6 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -8,6 +8,12 @@ in home.packages = with pkgs; [ # essentials + htop-vim + lsof + killall + zip + unzip + man-pages wpa_supplicant_gui pcmanfm xdg-utils # used for xdg-open @@ -15,6 +21,9 @@ in appimage-run seafile-client + # printing + cups + # graphics evince # pdf viewer gimp @@ -71,6 +80,7 @@ in jq xournalpp libreoffice + mosh # programming languages cargo 
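Review bot: `home.enableNixpkgsReleaseCheck = false;` in the `@@ -18,6 +18,7 @@` hunk of users/rouven/default.nix disables home-manager's nixpkgs/home-manager release mismatch check without saying why, and sitting directly under `home.stateVersion = config.system.stateVersion;` it reads like a workaround whose trigger is unknown. Suggest `home.enableNixpkgsReleaseCheck = false; # TODO(rouven): remove once the home-manager and nixpkgs inputs track the same release` (adjust to the real reason). The enclosing attrset continues outside the hunk.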
diff --git a/users/rouven/modules/spotify/default.nix b/users/rouven/modules/spotify/default.nix index 654c6aa..2bcc3c7 100644 --- a/users/rouven/modules/spotify/default.nix +++ b/users/rouven/modules/spotify/default.nix @@ -11,6 +11,7 @@ username = config.accounts.email.accounts."gmail".address; password_cmd = "${pkgs.coreutils}/bin/cat ${config.age.secrets.spotify.path}"; }; + backend = "pulseaudio"; }; }; systemd.user.services.spotifyd.Unit.After = [ "agenix.service" ];