host/thinkpad: split into modules

2025-01-18 17:11:39 +01:00 · 2023-11-24 09:57:15 +01:00 · 2023-11-24 09:57:15 +01:00 · aa2c1e702c
commit aa2c1e702c
parent 70a6695ca1
13 changed files with 153 additions and 160 deletions
--- a/hosts/nuc/modules/grafana/default.nix
+++ b/hosts/nuc/modules/grafana/default.nix
@ -25,9 +25,7 @@ in
    ensureUsers = [
      {
        name = "grafana";
-        ensurePermissions = {
-          "DATABASE grafana" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "grafana" ];
--- a/hosts/nuc/modules/vaultwarden/default.nix
+++ b/hosts/nuc/modules/vaultwarden/default.nix
@ -24,9 +24,7 @@ in
    ensureUsers = [
      {
        name = "vaultwarden";
-        ensurePermissions = {
-          "DATABASE vaultwarden" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "vaultwarden" ];
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -1,35 +1,20 @@
-{ config, pkgs, lib, agenix, ... }:
+{ config, pkgs, ... }:
 {

  imports =
    [
      ./hardware-configuration.nix
      ./modules/backup
-      ./modules/networks
+      ./modules/graphics
      ./modules/greetd
+      ./modules/networks
+      ./modules/security
+      ./modules/sound
      ./modules/virtualisation
    ];

  # Use the systemd-boot EFI boot loader.
-  # boot.initrd.systemd.additionalUpstreamUnits = [ "systemd-vconsole-setup.service" ];
  boot = {
-    # Lanzaboote currently replaces the systemd-boot module.
-    # This setting is usually set to true in configuration.nix
-    # generated at installation time. So we force it to false
-    # for now.
-    loader.systemd-boot.enable = lib.mkForce false;
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/etc/secureboot";
-      configurationLimit = 10;
-    };
-    extraModulePackages = [
-      config.boot.kernelPackages.v4l2loopback.out
-    ];
-
-
-    loader.systemd-boot.editor = false;
-    loader.efi.canTouchEfiVariables = true;
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    tmp.useTmpfs = true;
  };
@ -48,105 +33,29 @@
      "/etc/machine-id"
    ];
  };
-  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    keyMap = "dvorak";
-    colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in
-      [
-        colors.base00
-        colors.base08
-        colors.base0A
-        colors.base0B
-        colors.base0D
-        colors.base0E
-        colors.base0C
-        colors.base05

-        colors.base03
-        colors.base08
-        colors.base0A
-        colors.base0B
-        colors.base0D
-        colors.base0E
-        colors.base0C
-        colors.base07
-      ];
-  };
+  console.keyMap = "dvorak";

-  fonts = {
-    enableDefaultPackages = false;
-    packages = with pkgs;
-      [
-        nerdfonts
-        noto-fonts
-        noto-fonts-cjk
-        noto-fonts-emoji
-        dejavu_fonts
-        fira
-      ];
-  };
-  # Enable sound.
-  sound.enable = true;
-  #hardware.pulseaudio.enable = true;
-  hardware.bluetooth.enable = true;
-
-  security = {
-    polkit.enable = true;
-  };
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-  xdg.portal = {
-    enable = true;
-    extraPortals = [
-      pkgs.xdg-desktop-portal-wlr
-    ];
-  };
-
-
-  # control display backlight
-  programs.light.enable = true;

  services = {
-    # homed.enable = true;
    blueman.enable = true; # bluetooth
    devmon.enable = true; # automount stuff
-    # printing = {
-    #   enable = true;
-    #   stateless = true;
-    #   browsedConf = ''
-    #     BrowsePoll tomate.local
-    #     BrowsePoll cups.agdsn.network
-    #     LocalQueueNamingRemoteCUPS RemoteName
-    #   '';
-    # };
    avahi = {
-      # autodiscover printers
      enable = true;
      nssmdns = true;
    };
-    fprintd.enable = true; # log in using fingerprint
    fwupd.enable = true; # firmware updates
    zfs.autoScrub.enable = true;
  };
-
-  programs.steam.enable = true; # putting steam in here cause in home manager it doesn't work
-
-  programs.ausweisapp = {
-    enable = true;
-    openFirewall = true;
-  };
+  hardware.bluetooth.enable = true;

  systemd.sleep.extraConfig = ''
    HibernateDelaySec=2h
  '';
+
  services.logind = {
    lidSwitch = "suspend-then-hibernate";
    lidSwitchDocked = "suspend-then-hibernate";
@ -155,6 +64,7 @@
      HandlePowerKey = ignore
    '';
  };
+
  services.tlp = {
    enable = true;
    settings = {
@ -163,55 +73,6 @@
    };
  };

-  security.tpm2 = {
-    enable = true;
-    pkcs11.enable = true;
-    abrmd.enable = true;
-    tctiEnvironment.enable = true;
-  };
-
-  hardware.opengl.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-  ];
-
-  environment.systemPackages = with pkgs; [
-    # hardware utilities
-    nvme-cli
-    intel-gpu-tools
-    tpm2-tools
-    lm_sensors
-    pciutils
-
-    # system essentials
-    htop-vim
-    lsof
-    killall
-    zip
-    unzip
-    sbctl
-    man-pages
-    cups
-    agenix.packages.x86_64-linux.default
-    mosh
-    qpwgraph
-  ];
-
-  programs.java.enable = true;
-  programs.wireshark = {
-    enable = true;
-    package = pkgs.wireshark-qt;
-  };
-  security.wrappers.etherape = {
-    source = "${pkgs.etherape}/bin/etherape";
-    capabilities = "cap_net_raw,cap_net_admin+eip";
-    owner = "root";
-    group = "wireshark"; # too lazy to create a new one
-    permissions = "u+rx,g+x";
-  };
-
  documentation.dev.enable = true;
-
-
  system.stateVersion = "22.11";
 }
--- a/hosts/thinkpad/hardware-configuration.nix
+++ b/hosts/thinkpad/hardware-configuration.nix
@ -1,7 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{ pkgs, config, lib, modulesPath, ... }:

 {
  imports =
@ -9,6 +6,12 @@
      (modulesPath + "/installer/scan/not-detected.nix")
    ];

+  environment.systemPackages = with pkgs; [
+    nvme-cli
+    intel-gpu-tools
+    lm_sensors
+    pciutils
+  ];
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
--- a/hosts/thinkpad/modules/graphics/default.nix
+++ b/hosts/thinkpad/modules/graphics/default.nix
@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  # control display backlight
+  programs.light.enable = true;
+
+  fonts = {
+    enableDefaultPackages = false;
+    packages = with pkgs;
+      [
+        nerdfonts
+        noto-fonts
+        noto-fonts-cjk
+        noto-fonts-emoji
+        dejavu_fonts
+        fira
+      ];
+  };
+  console = {
+    colors = let colors = config.home-manager.users.rouven.colorScheme.colors; in
+      [
+        colors.base00
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base05
+
+        colors.base03
+        colors.base08
+        colors.base0A
+        colors.base0B
+        colors.base0D
+        colors.base0E
+        colors.base0C
+        colors.base07
+      ];
+  };
+  hardware.opengl.extraPackages = with pkgs; [
+    intel-compute-runtime
+    intel-media-driver
+  ];
+}
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -160,4 +160,16 @@
      ];
    };
  };
+  programs.wireshark = {
+    enable = true;
+    package = pkgs.wireshark-qt;
+  };
+  users.groups.etherape = { };
+  security.wrappers.etherape = {
+    source = "${pkgs.etherape}/bin/etherape";
+    capabilities = "cap_net_raw,cap_net_admin+eip";
+    owner = "root";
+    group = "etherape"; # too lazy to create a new one
+    permissions = "u+rx,g+x";
+  };
 }
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@ -0,0 +1,36 @@
+{ pkgs, lib, agenix, ... }:
+{
+  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+  security = {
+    polkit.enable = true;
+    tpm2 = {
+      enable = true;
+      pkcs11.enable = true;
+      abrmd.enable = true;
+      tctiEnvironment.enable = true;
+    };
+  };
+  services = {
+    fprintd.enable = true; # log in using fingerprint
+  };
+  environment.systemPackages = with pkgs; [
+    agenix.packages.x86_64-linux.default
+    tpm2-tools
+    sbctl
+  ];
+  # enable secure boot using lanzaboote
+  boot = {
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+      configurationLimit = 10;
+    };
+    loader.systemd-boot.editor = false;
+    loader.efi.canTouchEfiVariables = true;
+  };
+}
--- a/hosts/thinkpad/modules/sound/default.nix
+++ b/hosts/thinkpad/modules/sound/default.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sound.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  environment.systemPackages = with pkgs; [
+    qpwgraph
+  ];
+}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -4,7 +4,6 @@ let
  inherit (prev) python3Packages;
  inherit (prev) fetchFromGitHub;
  inherit (prev) fetchPypi;
-  inherit (prev) fetchpatch;
  inherit (prev) makeWrapper;
 in
 {
--- a/users/rouven/default.nix
+++ b/users/rouven/default.nix
@ -5,7 +5,7 @@
  users.users.rouven = {
    description = "Rouven Seifert";
    isNormalUser = true;
-    extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" ];
+    extraGroups = [ "wheel" "video" "libvirtd" "tss" "input" "_lldpd" "wireshark" "etherape" ];
    initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
  };
  home-manager.useUserPackages = true;
@ -18,6 +18,7 @@
      home.username = "rouven";
      home.homeDirectory = "/home/rouven";
      home.stateVersion = config.system.stateVersion;
+      home.enableNixpkgsReleaseCheck = false;
    };
  };
 }
--- a/users/rouven/fixes.nix
+++ b/users/rouven/fixes.nix
@ -22,6 +22,13 @@
    '';
    wrapperFeatures.gtk = true;
  };
+  # enable xdg portals for sway
+  xdg.portal = {
+    enable = true;
+    extraPortals = [
+      pkgs.xdg-desktop-portal-wlr
+    ];
+  };
  # wayland keylogger needs setuid
  programs.wshowkeys.enable = true;
  # fixes pam entries for swaylock
@ -42,4 +49,14 @@
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
  '';
+  # global wrapper for ausweisapp
+  programs.ausweisapp = {
+    enable = true;
+    openFirewall = true;
+  };
+  # home manager steam is borderline broken
+  programs.steam.enable = true;
+
+  # enable java black magic 
+  programs.java.enable = true;
 }
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@ -8,6 +8,12 @@ in
  home.packages = with pkgs; [

    # essentials
+    htop-vim
+    lsof
+    killall
+    zip
+    unzip
+    man-pages
    wpa_supplicant_gui
    pcmanfm
    xdg-utils # used for xdg-open
@ -15,6 +21,9 @@ in
    appimage-run
    seafile-client

+    # printing
+    cups
+
    # graphics
    evince # pdf viewer
    gimp
@ -71,6 +80,7 @@ in
    jq
    xournalpp
    libreoffice
+    mosh

    # programming languages
    cargo
--- a/users/rouven/modules/spotify/default.nix
+++ b/users/rouven/modules/spotify/default.nix
@ -11,6 +11,7 @@
        username = config.accounts.email.accounts."gmail".address;
        password_cmd = "${pkgs.coreutils}/bin/cat ${config.age.secrets.spotify.path}";
      };
+      backend = "pulseaudio";
    };
  };
  systemd.user.services.spotifyd.Unit.After = [ "agenix.service" ];