more work on hosts/ and modules/config

Signed-off-by: unexplrd <unexplrd@linerds.us>

hosts/dunamis/configuration.nix

@@ -1,4 +1,8 @@
-{inputs, ...}: {
+{
+  config,
+  inputs,
+  ...
+}: {
   imports = with inputs; [
     self.nixosModules.config
     self.nixosModules.desktop
@@ -8,6 +12,7 @@
   ];
 
   networking = {
+    networkmanager.enable = true;
     hostId = "c7f6c4a1";
     hostName = "dunamis";
   };
@@ -18,18 +23,32 @@
 
   desktop.niri.enable = true;
 
-  module.config = {
+  module = {
+    config = {
       secureBoot = true;
       tpmDiskUnlock = true;
     };
-  module.stylix = {
+    stylix = {
       enable = true;
       theme = "helios";
     };
+  };
 
   locale.ukrainian.enable = true;
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
   security.basic.enable = true;
   virtual.libvirt.enable = true;
+
+  nix = let
+    inherit (builtins) readFile;
+    inherit (config.users.users) user;
+  in {
+    settings.trusted-users = ["nix-ssh"];
+    sshServe = {
+      enable = true;
+      write = true;
+      keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+    };
+  };
 }

hosts/eldrid/boot/default.nix

@@ -1,39 +0,0 @@
-{
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = with inputs;
-    [
-      chaotic.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-    ]
-    ++ [
-      ./loader.nix
-    ];
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    plymouth.enable = true;
-    consoleLogLevel = 0;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
-    initrd = {
-      systemd.enable = true; # needed for auto-unlocking with TPM
-      systemd.tpm2.enable = false; # no TPM
-    };
-  };
-}

hosts/eldrid/boot/loader.nix

@@ -1,15 +0,0 @@
-{config, ...}: {
-  boot = {
-    lanzaboote = {
-      enable = false;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = !config.boot.lanzaboote.enable;
-        consoleMode = "auto";
-      };
-    };
-  };
-}

hosts/eldrid/configuration.nix

@@ -2,29 +2,38 @@
   imports = with inputs; [
     self.nixosModules.desktop
     self.nixosModules.system
-    ./boot
     ./disko
     ./hardware
-    ./networking
-    ./nix
-    ../dunamis/programs.nix
-    ../dunamis/services.nix
-    ../dunamis/sops.nix
-    ../dunamis/users.nix
   ];
 
+  networking = {
+    networkmanager.enable = true;
+    # hostId = "";
+    hostName = "eldrid";
+  };
+
+  environment.memoryAllocator.provider = "mimalloc";
+  system.stateVersion = "25.05";
+  time.timeZone = "Europe/Kyiv";
+
   desktop.plasma.enable = true;
 
-  locale.ukrainian.enable = true;
+  module = {
-
+    config = {
-  module.stylix = {
+      secureBoot = true;
+      useIwd = true;
+    };
+    stylix = {
       enable = true;
-    theme = "nord";
+      theme = "helios";
+    };
   };
 
+  locale.ukrainian.enable = true;
+  opentabletdriver.enable = false;
+  qmk-vial.enable = true;
   security.basic.enable = true;
-
+  virtual.libvirt.enable = false;
-  system.stateVersion = "25.05";
 
   swapDevices = [
     {
@@ -32,8 +41,4 @@
       size = 8 * 1024; # eight gigs
     }
   ];
-
-  time.timeZone = "Europe/Kyiv";
-
-  # virtual.libvirt.enable = true;
 }

hosts/eldrid/hardware/default.nix

@@ -1,8 +1,6 @@
 {
   imports = [
-    ./facter.nix
     ./laptop
-    ./vaapi/intel-media-driver.nix
   ];
   services = {
     logind = {

hosts/eldrid/hardware/facter.nix

@@ -1,14 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (inputs) mysecrets;
-  inherit (config.networking) hostName;
-in {
-  imports = with inputs; [
-    nixos-facter-modules.nixosModules.facter
-  ];
-  facter.reportPath = "${mysecrets}/facter/${hostName}.json";
-  systemd.network.wait-online.enable = false;
-}

hosts/eldrid/hardware/vaapi/intel-media-driver.nix

@@ -1,7 +0,0 @@
-{pkgs, ...}: {
-  hardware.graphics.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-    vpl-gpu-rt
-  ];
-}

hosts/eldrid/networking/default.nix

@@ -1,9 +0,0 @@
-{
-  imports = [
-    ./network-manager.nix
-    ./host-name-id.nix
-  ];
-  networking = {
-    hosts = import ./hosts.nix;
-  };
-}

hosts/eldrid/networking/host-name-id.nix

@@ -1,6 +0,0 @@
-{
-  networking = {
-    # hostId = "";
-    hostName = "eldrid";
-  };
-}

hosts/eldrid/networking/hosts.nix

@@ -1,3 +0,0 @@
-{
-  "192.168.1.42" = ["dunamis"];
-}

hosts/eldrid/nix/common.nix

@@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  nix = {
-    package = pkgs.lixPackageSets.latest.lix;
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-  };
-}

hosts/eldrid/nix/default.nix

@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./common.nix
-    ./substituters.nix
-    ./distributed-build.nix
-  ];
-}

hosts/eldrid/nix/ssh-serve.nix

@@ -1,10 +0,0 @@
-{config, ...}: let
-  inherit (builtins) readFile;
-  inherit (config.users.users) user;
-in {
-  nix.sshServe = {
-    enable = true;
-    write = true;
-    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-  };
-}

hosts/eldrid/nix/substituters.nix

@@ -1,16 +0,0 @@
-{
-  nix.settings = {
-    substituters = [
-      "https://cache.nixos.org/"
-      "https://chaotic-nyx.cachix.org/"
-      "https://cosmic.cachix.org/"
-      "https://nix-community.cachix.org/"
-    ];
-    trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
-      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-  };
-}

hosts/sarien/configuration.nix

@@ -5,27 +5,33 @@
     self.nixosModules.config
     ./disko
     ./hardware
+    ./distributed-build.nix
   ];
 
   networking = {
+    networkmanager.enable = true;
     hostId = "31150fae";
     hostName = "sarien";
   };
 
+  environment.memoryAllocator.provider = "mimalloc";
   system.stateVersion = "25.05";
   time.timeZone = "Europe/Kyiv";
 
-  module.config = {
+  desktop.niri.enable = true;
+
+  module = {
+    config = {
       useIwd = true;
     };
-  module.stylix = {
+    stylix = {
       enable = true;
       theme = "himalaya";
     };
-
+  };
-  desktop.niri.enable = true;
 
   locale.ukrainian.enable = true;
+  opentabletdriver.enable = false;
   qmk-vial.enable = true;
   security.basic.enable = true;
   virtual.libvirt.enable = true;

hosts/sarien/distributed-build.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (builtins) readFile;
+  inherit (config.networking) hostName;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
+  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+in {
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "dunamis";
+        publicHostKey = pubHost;
+        sshKey = secrets."ssh-${hostName}-user".path;
+        sshUser = "nix-ssh";
+        supportedFeatures = [
+          "benchmark"
+          "big-parallel"
+          "kvm"
+          "nixos-test"
+        ];
+        system = "x86_64-linux";
+      }
+    ];
+  };
+}

modules/nixos/config/boot/default.nix

@@ -29,8 +29,8 @@
       # "module.sig_enforce=1"
     ];
     initrd = {
-      systemd.enable = true; # needed for auto-unlocking with TPM
+      systemd.enable = true;
-      systemd.tpm2.enable = config.module.config.tpmDiskUnlock;
+      systemd.tpm2.enable = false;
     };
   };
 }

modules/nixos/config/boot/lanzaboote.nix

@@ -1,7 +1,6 @@
 {
   config,
   inputs,
-  lib,
   ...
 }: {
   imports = with inputs; [
@@ -12,6 +11,5 @@
       enable = config.module.config.secureBoot;
       pkiBundle = "/var/lib/sbctl";
     };
-    loader.systemd-boot.enable = lib.mkDefault (!config.boot.lanzaboote.enable);
   };
 }

modules/nixos/config/boot/loader.nix

@@ -7,7 +7,6 @@
     timeout = 3;
     efi.canTouchEfiVariables = true;
     systemd-boot = {
-      enable = true;
       consoleMode = "auto";
       configurationLimit = lib.mkOverride 1337 10;
     };

modules/nixos/config/default.nix

@@ -1,10 +1,12 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }: let
   inherit (lib) mkDefault mkEnableOption mkIf;
+  inherit (config.networking) hostName;
   cfg = config.module.config;
 in {
   imports = [
@@ -28,12 +30,28 @@ in {
       };
     };
   };
-  config = mkIf (cfg.vaapi
+  config =
+    mkIf (cfg.vaapi
       == "intel-media-driver") {
       hardware.graphics.extraPackages = with pkgs; [
         intel-compute-runtime
         intel-media-driver
         vpl-gpu-rt
       ];
+    }
+    // mkIf cfg.tpmDiskUnlock {
+      initrd.systemd.tpm2.enable = mkDefault true;
+    }
+    // mkIf cfg.useIwd {
+      networking = {
+        networkmanager.wifi.backend = "iwd";
+        wireless.iwd.enable = true;
+      };
+    }
+    // {
+      boot.loader.systemd-boot.enable =
+        if cfg.secureBoot
+        then false
+        else true;
     };
 }

modules/nixos/config/networking/default.nix

@@ -1,8 +1,18 @@
 {
-  imports = [
-    ./network-manager
-  ];
   networking = {
     hosts = import ./hosts.nix;
+    networkmanager = {
+      ethernet.macAddress = "stable";
+      wifi = {
+        macAddress = "random";
+        scanRandMacAddress = true;
+      };
+    };
+    wireless.iwd.settings = {
+      settings = {
+        General.AddressRandomization = "network";
+        Settings.AlwaysRandomizeAddress = true;
+      };
+    };
   };
 }

modules/nixos/config/networking/network-manager/default.nix

@@ -1,15 +0,0 @@
-{
-  imports = [
-    ./wireless-iwd.nix
-  ];
-  networking = {
-    networkmanager = {
-      enable = true;
-      ethernet.macAddress = "stable";
-      wifi = {
-        macAddress = "random";
-        scanRandMacAddress = true;
-      };
-    };
-  };
-}

modules/nixos/config/networking/network-manager/wireless-iwd.nix

@@ -1,15 +0,0 @@
-{config, ...}: {
-  networking = {
-    networkmanager.wifi.backend =
-      if config.module.config.useIwd
-      then "iwd"
-      else "wpa_supplicant";
-    wireless.iwd = {
-      enable = config.module.config.useIwd;
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
-  };
-}

modules/nixos/config/users.nix

@@ -8,6 +8,7 @@
   inherit (inputs) mysecrets;
   sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
 in {
+  nix.settings.trusted-users = ["user"];
   users.mutableUsers = false;
   users.users = {
     user = {

modules/nixos/system/wireless/default.nix

@@ -1,6 +1,5 @@
 {
   imports = [
     ./bluetooth.nix
-    ./wifi.nix
   ];
 }

modules/nixos/system/wireless/wifi.nix

@@ -1,29 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.wireless.wifi;
-in {
-  options = {
-    wireless.wifi.enable =
-      mkEnableOption "enables wifi with iwd and MAC address randomisation";
-  };
-  config = mkIf cfg.enable {
-    networking = {
-      networkmanager.wifi = {
-        backend = "iwd";
-        macAddress = "random";
-        scanRandMacAddress = true;
-      };
-      wireless.iwd = {
-        enable = true;
-        settings = {
-          General.AddressRandomization = "network";
-          Settings.AlwaysRandomizeAddress = true;
-        };
-      };
-    };
-  };
-}