modules/nixos: rename config to shared

Signed-off-by: unexplrd <unexplrd@linerds.us>

modules/nixos/shared/boot/default.nix

@@ -0,0 +1,19 @@
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = with inputs; [
+    chaotic.nixosModules.default
+    ./loader.nix
+    ./lanzaboote.nix
+  ];
+  boot = {
+    plymouth.enable = true;
+    consoleLogLevel = 0;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    initrd = {
+      systemd.enable = true;
+    };
+  };
+}

modules/nixos/shared/boot/lanzaboote.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    lanzaboote.nixosModules.lanzaboote
+  ];
+  boot = {
+    lanzaboote = {
+      enable = config.module.config.secureBoot;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+}

modules/nixos/shared/boot/loader.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.loader = {
+    timeout = 0;
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      consoleMode = "auto";
+      configurationLimit = lib.mkOverride 1337 10;
+    };
+  };
+}

modules/nixos/shared/default.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  # inputs,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption mkIf;
+  cfg = config.module.config;
+in {
+  imports = [
+    ./boot
+    ./hardware
+    ./misc
+    ./networking
+    ./nix
+    ./security
+    ./programs.nix
+    ./services.nix
+    ./users.nix
+    ./sops.nix
+  ];
+  options = {
+    module.config = {
+      laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
+      powerSave = mkEnableOption "set to use various power saving daemons";
+      secureBoot = mkEnableOption "set if secure boot is configured";
+      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
+      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
+      vaapi = lib.mkOption {
+        type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]);
+        default = null;
+      };
+    };
+  };
+  config = lib.mkMerge [
+    {
+      boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
+      boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
+    }
+    (mkIf (cfg.laptop.homeRowMods) {
+      services.keyd = {
+        enable = true;
+        keyboards = {
+          internal = {
+            ids = ["0001:0001" "048d:c101"];
+            settings.main = {
+              a = "lettermod(alt, a, 200, 150)";
+              s = "lettermod(meta, s, 200, 150)";
+              d = "lettermod(control, d, 200, 150)";
+              f = "lettermod(shift, f, 200, 150)";
+              j = "lettermod(shift, j, 200, 150)";
+              k = "lettermod(control, k, 200, 150)";
+              l = "lettermod(meta, l, 200, 150)";
+              ";" = "lettermod(alt, ;, 200, 150)";
+            };
+          };
+        };
+      };
+    })
+    (mkIf (cfg.powerSave) {
+      powerManagement.enable = true;
+      powerManagement.powertop.enable = true;
+      services.power-profiles-daemon.enable = true;
+      services.thermald.enable = true;
+      services.upower.enable = true;
+    })
+    (mkIf cfg.useIwd {
+      networking = {
+        networkmanager.wifi.backend = "iwd";
+        wireless.iwd.enable = true;
+      };
+    })
+    (mkIf (cfg.vaapi == "intel-media-driver") {
+      hardware.graphics.extraPackages = with pkgs; [
+        intel-compute-runtime
+        intel-media-driver
+        vpl-gpu-rt
+      ];
+    })
+    (mkIf (cfg.vaapi == "nvidia") {
+      hardware.graphics.extraPackages = with pkgs; [
+        nvidia-vaapi-driver
+      ];
+    })
+  ];
+}

modules/nixos/shared/hardware/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./facter.nix
+  ];
+}

modules/nixos/shared/hardware/facter.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (inputs) mysecrets;
+  inherit (config.networking) hostName;
+in {
+  imports = with inputs; [
+    nixos-facter-modules.nixosModules.facter
+  ];
+  facter.reportPath = "${mysecrets}/facter/${hostName}.json";
+  systemd.network.wait-online.enable = false;
+}

modules/nixos/shared/misc/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [./slim.nix ./zram.nix];
+}

modules/nixos/shared/misc/slim.nix

@@ -0,0 +1,20 @@
+{
+  # taken from https://github.com/NuschtOS/nixos-modules/blob/main/modules/slim.nix
+  documentation = {
+    # html docs and info are not required, man pages are enough
+    doc.enable = false;
+    info.enable = false;
+  };
+
+  # environment.defaultPackages = lib.mkForce [];
+
+  # programs.thunderbird.package = pkgs.thunderbird.override {cfg.speechSynthesisSupport = false;};
+
+  # during testing only 550K-650K of the tmpfs where used
+  security.wrapperDirSize = "10M";
+
+  services = {
+    orca.enable = false; # requires speechd
+    speechd.enable = false; # voice files are big and fat
+  };
+}

modules/nixos/shared/misc/zram.nix

@@ -0,0 +1,8 @@
+{
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 25;
+    priority = 5;
+  };
+}

modules/nixos/shared/networking/default.nix

@@ -0,0 +1,18 @@
+{
+  networking = {
+    hosts = import ./hosts.nix;
+    networkmanager = {
+      ethernet.macAddress = "stable";
+      wifi = {
+        macAddress = "random";
+        scanRandMacAddress = true;
+      };
+    };
+    wireless.iwd = {
+      settings = {
+        General.AddressRandomization = "network";
+        Settings.AlwaysRandomizeAddress = true;
+      };
+    };
+  };
+}

modules/nixos/shared/networking/hosts.nix

@@ -0,0 +1,3 @@
+{
+  "192.168.1.42" = ["dunamis"];
+}

modules/nixos/shared/nix/common.nix

@@ -0,0 +1,41 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    optimise = {
+      automatic = true;
+      dates = ["weekly"];
+    };
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        # for container in builds support
+        "auto-allocate-uids"
+        "cgroups"
+
+        # Enable the use of the fetchClosure built-in function in the Nix language.
+        "fetch-closure"
+
+        # Allow derivation builders to call Nix, and thus build derivations recursively.
+        # "recursive-nix"
+
+        # Allow the use of the impure-env setting.
+        # "configurable-impure-env"
+      ];
+    };
+  };
+  # no longer need to pre-allocate build users for everything
+  nix.settings.auto-allocate-uids = lib.mkDefault true;
+  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+  nix.settings.use-cgroups = true;
+
+  # for container in builds support
+  nix.settings.system-features = ["uid-range"];
+}

modules/nixos/shared/nix/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./common.nix
+    ./distibuted-build.nix
+    ./substituters.nix
+  ];
+}

modules/nixos/shared/nix/distibuted-build.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: let
+  isBuildHost = config.networking.hostName == "dunamis";
+in {
+  config = lib.mkMerge [
+    (lib.mkIf isBuildHost {
+      nix = let
+        inherit (builtins) readFile;
+        inherit (config.users.users) user;
+      in {
+        sshServe = {
+          enable = true;
+          keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+          protocol = "ssh-ng";
+          trusted = true;
+          write = true;
+        };
+      };
+    })
+    (lib.mkIf (!isBuildHost) {
+      nix = let
+        inherit (builtins) readFile;
+        inherit (config.networking) hostName;
+        inherit (config.sops) secrets;
+        inherit (inputs) mysecrets;
+        pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+      in {
+        distributedBuilds = true;
+        buildMachines = [
+          {
+            hostName = "dunamis";
+            maxJobs = 3;
+            protocol = "ssh-ng";
+            publicHostKey = pubHost;
+            speedFactor = 2;
+            sshKey = secrets."ssh-${hostName}-user".path;
+            sshUser = "nix-ssh";
+            supportedFeatures = ["benchmark" "big-parallel" "kvm" "nixos-test"];
+            system = "x86_64-linux";
+          }
+        ];
+      };
+    })
+  ];
+}

modules/nixos/shared/nix/substituters.nix

@@ -0,0 +1,16 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://chaotic-nyx.cachix.org/"
+      "https://cosmic.cachix.org/"
+      "https://nix-community.cachix.org/"
+    ];
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}

modules/nixos/shared/programs.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  programs = {
+    fish.enable = true;
+    mosh.enable = true;
+    nix-ld.enable = true;
+    nh = {
+      enable = true;
+      flake = "/home/user/.config/nixos";
+    };
+  };
+  environment.systemPackages = with pkgs; [
+    (lib.hiPrio uutils-coreutils-noprefix)
+    helix
+    nushell
+  ];
+}

modules/nixos/shared/security/default.nix

@@ -0,0 +1,119 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkDefault;
+in {
+  security = {
+    sudo.enable = false;
+    # doas.enable = true;
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+    };
+    polkit.enable = true;
+    polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (
+          subject.isInGroup("users")
+            && (
+              action.id == "org.freedesktop.login1.reboot" ||
+              action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+              action.id == "org.freedesktop.login1.power-off" ||
+              action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+            )
+          )
+        {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    apparmor.enable = mkDefault true;
+    pam.sshAgentAuth.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
+  ];
+
+  services.dbus = {
+    apparmor = "enabled";
+    implementation = "broker";
+  };
+  services.ntpd-rs = {
+    enable = true;
+    #settings = {
+    #  server = {
+    #    require-nts = true;
+    #  };
+    #};
+  };
+
+  boot.kernel.sysctl = {
+    "dev.tty.ldisc_autoload" = 0;
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+    "fs.suid_dumpable" = 0;
+    "kernel.kptr_restrict" = 2;
+    "kernel_kexec_load_disabled" = 1;
+    # "kernel.modules_disabled" = 1;
+    "kernel.sysrq" = 0;
+    "kernel.unprivileged_bpf_disabled" = 1;
+    "net.ipv4.conf.all.forwarding" = 0;
+    "net.ipv4.conf.all.log_martians" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.default.log_martians" = 1;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+  };
+  boot.kernelParams = [
+    "amd_iommu=force_isolation"
+    "debugfs=off"
+    "efi=disable_early_pci_dma"
+    "gather_data_sampling=force"
+    "intel_iommu=on"
+    "iommu.passthrough=0"
+    "iommu.strict=1"
+    "iommu=force"
+    "page_alloc.shuffle=1"
+    "vsyscall=none"
+    # "ia32_emulation=0"
+    # "lockdown=confidentiality"
+    # "module.sig_enforce=1"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
+  ];
+
+  nix.settings.allowed-users = mkDefault ["@users"];
+}

modules/nixos/shared/services.nix

@@ -0,0 +1,41 @@
+{lib, ...}: {
+  services = {
+    # hardware.openrgb.enable = true;
+    avahi.enable = true;
+    flatpak.enable = true;
+    fwupd.enable = true;
+    openssh.enable = true;
+    speechd.enable = lib.mkForce false;
+    syncthing.openDefaultPorts = true;
+    userborn.enable = true;
+    dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        require_dnssec = true;
+        server_names = ["mullvad-doh"];
+        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+      };
+    };
+    fstrim = {
+      enable = true;
+      interval = "daily";
+    };
+    opensnitch = {
+      enable = false;
+      settings = {
+        DefaultAaction = "deny";
+        Firewall = "iptables";
+        InterceptUnknown = true;
+        ProcMonitorMethod = "ebpf";
+      };
+    };
+    scx = {
+      enable = true;
+      scheduler = "scx_flash";
+    };
+    logind = {
+      lidSwitch = "ignore";
+      powerKey = "suspend";
+    };
+  };
+}

modules/nixos/shared/sops.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (inputs) mysecrets;
+  inherit (config.networking) hostName;
+  dotSsh = name: "/home/user/.ssh/" + name;
+  sopsFile = mysecrets + "/hosts/${hostName}.yaml";
+  sshKey = {
+    mode = "0400";
+    owner = "user";
+  };
+in {
+  imports = with inputs; [
+    sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    age = {
+      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+    defaultSopsFile = mysecrets + "/common.yaml";
+    secrets = {
+      "user-password-hashed".neededForUsers = true;
+      "ssh-config" = {
+        path = dotSsh "config";
+        mode = "0400";
+        owner = "user";
+      };
+      "ssh-${hostName}-user" = {
+        inherit sopsFile;
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519";
+      };
+      "ssh-${hostName}-user.pub" = {
+        inherit sopsFile;
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519.pub";
+      };
+      "ssh-unexplrd" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519";
+      };
+      "ssh-unexplrd.pub" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519.pub";
+      };
+      "ssh-uni" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519";
+      };
+      "ssh-uni.pub" = {
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519.pub";
+      };
+    };
+  };
+}

modules/nixos/shared/users.nix

@@ -0,0 +1,35 @@
+{
+  inputs,
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.networking) hostName;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
+  sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
+in {
+  nix.settings.trusted-users = ["user"];
+  users.mutableUsers = false;
+  users.users = {
+    user = {
+      hashedPasswordFile = secrets."user-password-hashed".path;
+      extraGroups =
+        ["wheel" "video" "libvirtd" "dialout"]
+        /*
+        for lisgd
+        */
+        ++ lib.optional (hostName == "morphius" && config.desktop.niri.enable) "input";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      openssh.authorizedKeys.keyFiles = map sshKeys [
+        "dunamis"
+        "eldrid"
+        "legion"
+        "morphius"
+        "sarien"
+      ];
+    };
+  };
+}