host/thinkpad: split into modules

hosts/thinkpad/modules/graphics/default.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  # control display backlight
+  programs.light.enable = true;
+
+  fonts = {
+    enableDefaultPackages = false;
+    packages = with pkgs;
+      [
+        nerdfonts
+        noto-fonts
+        noto-fonts-cjk
+        noto-fonts-emoji
+        dejavu_fonts
+        fira
+      ];
+  };
+  console = {
+    colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in
+      [
+        colors.base00
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base05
+
+        colors.base03
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base07
+      ];
+  };
+  hardware.opengl.extraPackages = with pkgs; [
+    intel-compute-runtime
+    intel-media-driver
+  ];
+}

hosts/thinkpad/modules/networks/default.nix

@@ -160,4 +160,16 @@
       ];
     };
   };
+  programs.wireshark = {
+    enable = true;
+    package = pkgs.wireshark-qt;
+  };
+  users.groups.etherape = { };
+  security.wrappers.etherape = {
+    source = "${pkgs.etherape}/bin/etherape";
+    capabilities = "cap_net_raw,cap_net_admin+eip";
+    owner = "root";
+    group = "etherape"; # too lazy to create a new one
+    permissions = "u+rx,g+x";
+  };
 }

hosts/thinkpad/modules/security/default.nix

@@ -0,0 +1,36 @@
+{ pkgs, lib, agenix, ... }:
+{
+  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+  security = {
+    polkit.enable = true;
+    tpm2 = {
+      enable = true;
+      pkcs11.enable = true;
+      abrmd.enable = true;
+      tctiEnvironment.enable = true;
+    };
+  };
+  services = {
+    fprintd.enable = true; # log in using fingerprint
+  };
+  environment.systemPackages = with pkgs; [
+    agenix.packages.x86_64-linux.default
+    tpm2-tools
+    sbctl
+  ];
+  # enable secure boot using lanzaboote
+  boot = {
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+      configurationLimit = 10;
+    };
+    loader.systemd-boot.editor = false;
+    loader.efi.canTouchEfiVariables = true;
+  };
+}

hosts/thinkpad/modules/sound/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sound.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  environment.systemPackages = with pkgs; [
+    qpwgraph
+  ];
+}