host/thinkpad: split into modules

hosts/nuc/modules/grafana/default.nix

@@ -25,9 +25,7 @@ in
     ensureUsers = [
       {
         name = "grafana";
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          "DATABASE grafana" = "ALL PRIVILEGES";
-        };
       }
     ];
     ensureDatabases = [ "grafana" ];

hosts/nuc/modules/vaultwarden/default.nix

@@ -24,9 +24,7 @@ in
     ensureUsers = [
       {
         name = "vaultwarden";
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          "DATABASE vaultwarden" = "ALL PRIVILEGES";
-        };
       }
     ];
     ensureDatabases = [ "vaultwarden" ];

hosts/thinkpad/default.nix

@@ -1,35 +1,20 @@
-{ config, pkgs, lib, agenix, ... }:
+{ config, pkgs, ... }:
 {
 
   imports =
     [
       ./hardware-configuration.nix
       ./modules/backup
-      ./modules/networks
+      ./modules/graphics
       ./modules/greetd
+      ./modules/networks
+      ./modules/security
+      ./modules/sound
       ./modules/virtualisation
     ];
 
   # Use the systemd-boot EFI boot loader.
-  # boot.initrd.systemd.additionalUpstreamUnits = [ "systemd-vconsole-setup.service" ];
   boot = {
-    # Lanzaboote currently replaces the systemd-boot module.
-    # This setting is usually set to true in configuration.nix
-    # generated at installation time. So we force it to false
-    # for now.
-    loader.systemd-boot.enable = lib.mkForce false;
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/etc/secureboot";
-      configurationLimit = 10;
-    };
-    extraModulePackages = [
-      config.boot.kernelPackages.v4l2loopback.out
-    ];
-
-
-    loader.systemd-boot.editor = false;
-    loader.efi.canTouchEfiVariables = true;
     kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     tmp.useTmpfs = true;
   };
@@ -48,105 +33,29 @@
       "/etc/machine-id"
     ];
   };
-  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
 
   time.timeZone = "Europe/Berlin";
   i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    keyMap = "dvorak";
-    colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in
-      [
-        colors.base00
-        colors.base08
-        colors.base0A
-        colors.base0B
-        colors.base0D
-        colors.base0E
-        colors.base0C
-        colors.base05
 
-        colors.base03
+  console.keyMap = "dvorak";
-        colors.base08
-        colors.base0A
-        colors.base0B
-        colors.base0D
-        colors.base0E
-        colors.base0C
-        colors.base07
-      ];
-  };
 
-  fonts = {
-    enableDefaultPackages = false;
-    packages = with pkgs;
-      [
-        nerdfonts
-        noto-fonts
-        noto-fonts-cjk
-        noto-fonts-emoji
-        dejavu_fonts
-        fira
-      ];
-  };
-  # Enable sound.
-  sound.enable = true;
-  #hardware.pulseaudio.enable = true;
-  hardware.bluetooth.enable = true;
-
-  security = {
-    polkit.enable = true;
-  };
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-  xdg.portal = {
-    enable = true;
-    extraPortals = [
-      pkgs.xdg-desktop-portal-wlr
-    ];
-  };
-
-
-  # control display backlight
-  programs.light.enable = true;
 
   services = {
-    # homed.enable = true;
     blueman.enable = true; # bluetooth
     devmon.enable = true; # automount stuff
-    # printing = {
-    #   enable = true;
-    #   stateless = true;
-    #   browsedConf = ''
-    #     BrowsePoll tomate.local
-    #     BrowsePoll cups.agdsn.network
-    #     LocalQueueNamingRemoteCUPS RemoteName
-    #   '';
-    # };
     avahi = {
-      # autodiscover printers
       enable = true;
       nssmdns = true;
     };
-    fprintd.enable = true; # log in using fingerprint
     fwupd.enable = true; # firmware updates
     zfs.autoScrub.enable = true;
   };
-
+  hardware.bluetooth.enable = true;
-  programs.steam.enable = true; # putting steam in here cause in home manager it doesn't work
-
-  programs.ausweisapp = {
-    enable = true;
-    openFirewall = true;
-  };
 
   systemd.sleep.extraConfig = ''
     HibernateDelaySec=2h
   '';
+
   services.logind = {
     lidSwitch = "suspend-then-hibernate";
     lidSwitchDocked = "suspend-then-hibernate";
@@ -155,6 +64,7 @@
       HandlePowerKey = ignore
     '';
   };
+
   services.tlp = {
     enable = true;
     settings = {
@@ -163,55 +73,6 @@
     };
   };
 
-  security.tpm2 = {
-    enable = true;
-    pkcs11.enable = true;
-    abrmd.enable = true;
-    tctiEnvironment.enable = true;
-  };
-
-  hardware.opengl.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-  ];
-
-  environment.systemPackages = with pkgs; [
-    # hardware utilities
-    nvme-cli
-    intel-gpu-tools
-    tpm2-tools
-    lm_sensors
-    pciutils
-
-    # system essentials
-    htop-vim
-    lsof
-    killall
-    zip
-    unzip
-    sbctl
-    man-pages
-    cups
-    agenix.packages.x86_64-linux.default
-    mosh
-    qpwgraph
-  ];
-
-  programs.java.enable = true;
-  programs.wireshark = {
-    enable = true;
-    package = pkgs.wireshark-qt;
-  };
-  security.wrappers.etherape = {
-    source = "${pkgs.etherape}/bin/etherape";
-    capabilities = "cap_net_raw,cap_net_admin+eip";
-    owner = "root";
-    group = "wireshark"; # too lazy to create a new one
-    permissions = "u+rx,g+x";
-  };
-
   documentation.dev.enable = true;
-
-
   system.stateVersion = "22.11";
 }

hosts/thinkpad/hardware-configuration.nix

@@ -1,7 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+{ pkgs, config, lib, modulesPath, ... }:
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
 
 {
   imports =
@@ -9,6 +6,12 @@
       (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
+  environment.systemPackages = with pkgs; [
+    nvme-cli
+    intel-gpu-tools
+    lm_sensors
+    pciutils
+  ];
   boot = {
     initrd = {
       availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];

hosts/thinkpad/modules/graphics/default.nix

@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  # control display backlight
+  programs.light.enable = true;
+
+  fonts = {
+    enableDefaultPackages = false;
+    packages = with pkgs;
+      [
+        nerdfonts
+        noto-fonts
+        noto-fonts-cjk
+        noto-fonts-emoji
+        dejavu_fonts
+        fira
+      ];
+  };
+  console = {
+    colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in
+      [
+        colors.base00
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base05
+
+        colors.base03
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base07
+      ];
+  };
+  hardware.opengl.extraPackages = with pkgs; [
+    intel-compute-runtime
+    intel-media-driver
+  ];
+}

hosts/thinkpad/modules/networks/default.nix

@@ -160,4 +160,16 @@
       ];
     };
   };
+  programs.wireshark = {
+    enable = true;
+    package = pkgs.wireshark-qt;
+  };
+  users.groups.etherape = { };
+  security.wrappers.etherape = {
+    source = "${pkgs.etherape}/bin/etherape";
+    capabilities = "cap_net_raw,cap_net_admin+eip";
+    owner = "root";
+    group = "etherape"; # too lazy to create a new one
+    permissions = "u+rx,g+x";
+  };
 }

hosts/thinkpad/modules/security/default.nix

@@ -0,0 +1,36 @@
+{ pkgs, lib, agenix, ... }:
+{
+  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+  security = {
+    polkit.enable = true;
+    tpm2 = {
+      enable = true;
+      pkcs11.enable = true;
+      abrmd.enable = true;
+      tctiEnvironment.enable = true;
+    };
+  };
+  services = {
+    fprintd.enable = true; # log in using fingerprint
+  };
+  environment.systemPackages = with pkgs; [
+    agenix.packages.x86_64-linux.default
+    tpm2-tools
+    sbctl
+  ];
+  # enable secure boot using lanzaboote
+  boot = {
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+      configurationLimit = 10;
+    };
+    loader.systemd-boot.editor = false;
+    loader.efi.canTouchEfiVariables = true;
+  };
+}

hosts/thinkpad/modules/sound/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sound.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  environment.systemPackages = with pkgs; [
+    qpwgraph
+  ];
+}

overlays/default.nix

@@ -4,7 +4,6 @@ let
   inherit (prev) python3Packages;
   inherit (prev) fetchFromGitHub;
   inherit (prev) fetchPypi;
-  inherit (prev) fetchpatch;
   inherit (prev) makeWrapper;
 in
 {

users/rouven/default.nix

@@ -5,7 +5,7 @@
   users.users.rouven = {
     description = "Rouven Seifert";
     isNormalUser = true;
-    extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" ];
+    extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" "etherape" ];
     initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
   };
   home-manager.useUserPackages = true;
@@ -18,6 +18,7 @@
       home.username = "rouven";
       home.homeDirectory = "/home/rouven";
       home.stateVersion = config.system.stateVersion;
+      home.enableNixpkgsReleaseCheck = false;
     };
   };
 }

users/rouven/fixes.nix

@@ -22,6 +22,13 @@
     '';
     wrapperFeatures.gtk = true;
   };
+  # enable xdg portals for sway
+  xdg.portal = {
+    enable = true;
+    extraPortals = [
+      pkgs.xdg-desktop-portal-wlr
+    ];
+  };
   # wayland keylogger needs setuid
   programs.wshowkeys.enable = true;
   # fixes pam entries for swaylock
@@ -42,4 +49,14 @@
     session required pam_env.so conffile=/etc/pam/environment readenv=0
     session required pam_unix.so
   '';
+  # global wrapper for ausweisapp
+  programs.ausweisapp = {
+    enable = true;
+    openFirewall = true;
+  };
+  # home manager steam is borderline broken
+  programs.steam.enable = true;
+
+  # enable java black magic 
+  programs.java.enable = true;
 }

users/rouven/modules/packages.nix

@@ -8,6 +8,12 @@ in
   home.packages = with pkgs; [
 
     # essentials
+    htop-vim
+    lsof
+    killall
+    zip
+    unzip
+    man-pages
     wpa_supplicant_gui
     pcmanfm
     xdg-utils # used for xdg-open
@@ -15,6 +21,9 @@ in
     appimage-run
     seafile-client
 
+    # printing
+    cups
+
     # graphics
     evince # pdf viewer
     gimp
@@ -71,6 +80,7 @@ in
     jq
     xournalpp
     libreoffice
+    mosh
 
     # programming languages
     cargo

users/rouven/modules/spotify/default.nix

@@ -11,6 +11,7 @@
         username = config.accounts.email.accounts."gmail".address;
         password_cmd = "${pkgs.coreutils}/bin/cat ${config.age.secrets.spotify.path}";
       };
+      backend = "pulseaudio";
     };
   };
   systemd.user.services.spotifyd.Unit.After = [ "agenix.service" ];