do the same for two other hosts

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-03-28 18:22:51 +02:00
parent b7f95a14c3
commit 2745bd1e35
20 changed files with 297 additions and 286 deletions
--- a/hosts/dunamis/boot.nix
+++ b/hosts/dunamis/boot.nix
@ -0,0 +1,55 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    chaotic.nixosModules.default
+  ];
+  boot = {
+    # kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    kernelModules = ["kvm-amd"];
+    kernelParams = [
+      # "mitigations=auto"
+      # "spectre_v2=on"
+      # "spectre_v2_user=on"
+      # "spectre_bhi=on"
+      # "spec_store_bypass_disable=on"
+      # "tsx=off"
+      # "kvm.nx_huge_pages=force"
+      # "l1d_flush=on"
+      "amd_iommu=force_isolation"
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      "gather_data_sampling=force"
+      # "ia32_emulation=0"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      "lockdown=confidentiality"
+      "module.sig_enforce=1"
+      "page_alloc.shuffle=1"
+      "reg_file_data_sampling=on"
+      "spec_rstack_overflow=safe-ret"
+      "vsyscall=none"
+    ];
+    initrd = {
+      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+      kernelModules = ["i915"];
+      systemd.enable = true; # needed for auto-unlocking with TPM
+    };
+    loader.efi.canTouchEfiVariables = true;
+    loader.systemd-boot = {
+      enable = true;
+      consoleMode = "auto";
+    };
+    plymouth.enable = true;
+  };
+  console = {
+    earlySetup = true;
+    packages = [pkgs.terminus_font];
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+  };
+}
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@ -1,104 +1,39 @@
-{
-  pkgs,
-  config,
-  inputs,
-  ...
-}: {
+{inputs, ...}: {
  imports = with inputs; [
-    chaotic.nixosModules.default
-    lix.nixosModules.default
    self.nixosModules.desktop
    self.nixosModules.system
-    ./hardware.nix
-    ./programs.nix
-    ./stylix.nix
-    # ./stylix-light.nix
+    ./boot.nix
    ./disko.nix
-    ./users.nix
+    ./hardware.nix
+    ./networking.nix
+    ./nix.nix
+    ./programs.nix
+    ./services.nix
    ./sops.nix
+    ./stylix.nix
+    ./users.nix
  ];

-  desktop = {
-    niri.enable = true;
-  };
+  desktop.niri.enable = true;

-  nix = {
-    channel.enable = false;
-    settings.experimental-features = ["nix-command" "flakes"];
-    daemonCPUSchedPolicy = "idle";
-    sshServe.enable = true;
-    sshServe.write = true;
-    sshServe.keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
-  };
+  environment.memoryAllocator.provider = "mimalloc";
+
+  locale.ukrainian.enable = true;
+
+  opentabletdriver.enable = false;
+
+  qmk-vial.enable = true;
+
+  security.basic.enable = true;

  system.stateVersion = "25.05";

  time.timeZone = "Europe/Kyiv";
-  locale.ukrainian.enable = true;

-  networking = {
-    networkmanager.enable = true;
-    hostName = "dunamis";
+  virtual.libvirt.enable = true;
+
+  wireless = {
+    bluetooth.enable = true;
+    bluetooth.enableBlueman = true;
  };
-
-  boot = {
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    # kernelPackages = pkgs.linuxPackages_latest;
-    plymouth.enable = true;
-    loader.efi.canTouchEfiVariables = true;
-    loader.systemd-boot = {
-      enable = true;
-      consoleMode = "auto";
-    };
-  };
-
-  console = {
-    earlySetup = true;
-    packages = [pkgs.terminus_font];
-    font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
-  };
-
-  environment.memoryAllocator.provider = "mimalloc";
-
-  services = {
-    # hardware.openrgb.enable = true;
-    flatpak.enable = true;
-    fstrim.enable = true;
-    fwupd.enable = true;
-    openssh.enable = true;
-    syncthing.openDefaultPorts = true;
-    dnscrypt-proxy2 = {
-      enable = true;
-      settings = {
-        require_dnssec = true;
-        server_names = ["mullvad-doh"];
-        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
-      };
-    };
-    opensnitch = {
-      enable = false;
-      settings = {
-        DefaultAaction = "deny";
-        Firewall = "iptables";
-        InterceptUnknown = true;
-        ProcMonitorMethod = "ebpf";
-      };
-    };
-  };
-  services.scx = {
-    enable = true;
-    scheduler = "scx_flash";
-  };
-
-  security.basic.enable = true;
-
-  virtual = {
-    libvirt.enable = true;
-    podman.enable = false;
-  };
-
-  wireless.bluetooth.enableBlueman = true;
-
-  opentabletdriver.enable = false;
-  qmk-vial.enable = true;
 }
--- a/hosts/dunamis/disko.nix
+++ b/hosts/dunamis/disko.nix
@ -10,7 +10,7 @@
  };
  disko.devices.disk.main = {
    type = "disk";
-    device = "/dev/nvme0n1";
+    device = "/dev/disk/by-id/nvme-eui.000000000000000100a075244b5d6185";
    content = {
      type = "gpt";
      partitions = {
@ -26,6 +26,8 @@
              "fmask=0022"
              "dmask=0022"
              "noexec"
+              "nosuid"
+              "nodev"
            ];
          };
        };
@ -33,7 +35,7 @@
          size = "100%";
          content = {
            type = "luks";
-            name = "luks-fe586da4-b164-4362-bcdf-9c5dd6c69a2b";
+            name = "luks-main";
            initrdUnlock = true;
            settings.allowDiscards = true;
            content = {
--- a/hosts/dunamis/hardware.nix
+++ b/hosts/dunamis/hardware.nix
@ -9,50 +9,6 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  wireless.bluetooth.enable = true;
-
-  services.logind = {
-    lidSwitch = "ignore";
-    powerKey = "suspend";
-  };
-
-  boot = {
-    kernelModules = ["kvm-amd"];
-    extraModulePackages = [];
-    initrd = {
-      systemd.enable = true; # needed for auto-unlocking with TPM
-      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-      kernelModules = [
-        "i915"
-      ];
-    };
-  };
-  boot.kernelParams = [
-    # "mitigations=auto"
-    # "spectre_v2=on"
-    # "spectre_v2_user=on"
-    # "spectre_bhi=on"
-    # "spec_store_bypass_disable=on"
-    # "tsx=off"
-    # "kvm.nx_huge_pages=force"
-    # "l1d_flush=on"
-    "amd_iommu=force_isolation"
-    "debugfs=off"
-    "efi=disable_early_pci_dma"
-    "gather_data_sampling=force"
-    # "ia32_emulation=0"
-    "intel_iommu=on"
-    "iommu.passthrough=0"
-    "iommu.strict=1"
-    "iommu=force"
-    "lockdown=confidentiality"
-    "module.sig_enforce=1"
-    "page_alloc.shuffle=1"
-    "reg_file_data_sampling=on"
-    "spec_rstack_overflow=safe-ret"
-    "vsyscall=none"
-  ];
-
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
--- a/hosts/dunamis/networking.nix
+++ b/hosts/dunamis/networking.nix
@ -0,0 +1,6 @@
+{
+  networking = {
+    networkmanager.enable = true;
+    hostName = "dunamis";
+  };
+}
--- a/hosts/dunamis/nix.nix
+++ b/hosts/dunamis/nix.nix
@ -0,0 +1,20 @@
+# TODO: better file name
+{
+  config,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    lix.nixosModules.default
+  ];
+  nix = {
+    channel.enable = false;
+    settings.experimental-features = ["nix-command" "flakes"];
+    daemonCPUSchedPolicy = "idle";
+    sshServe = {
+      enable = true;
+      write = true;
+      keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
+    };
+  };
+}
--- a/hosts/dunamis/services.nix
+++ b/hosts/dunamis/services.nix
@ -0,0 +1,35 @@
+{
+  services = {
+    # hardware.openrgb.enable = true;
+    flatpak.enable = true;
+    fstrim.enable = true;
+    fwupd.enable = true;
+    openssh.enable = true;
+    syncthing.openDefaultPorts = true;
+    dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        require_dnssec = true;
+        server_names = ["mullvad-doh"];
+        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+      };
+    };
+    opensnitch = {
+      enable = false;
+      settings = {
+        DefaultAaction = "deny";
+        Firewall = "iptables";
+        InterceptUnknown = true;
+        ProcMonitorMethod = "ebpf";
+      };
+    };
+    scx = {
+      enable = true;
+      scheduler = "scx_flash";
+    };
+    logind = {
+      lidSwitch = "ignore";
+      powerKey = "suspend";
+    };
+  };
+}
--- a/hosts/dunamis/sops.nix
+++ b/hosts/dunamis/sops.nix
@ -1,8 +1,7 @@
 {inputs, ...}: let
-  secretsPath = builtins.toString inputs.mysecrets;
 in {
-  imports = [
-    inputs.sops-nix.nixosModules.sops
+  imports = with inputs; [
+    sops-nix.nixosModules.sops
  ];

  sops = {
@ -11,7 +10,7 @@ in {
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
-    defaultSopsFile = "${secretsPath}/secrets.yaml";
+    defaultSopsFile = "${toString inputs.mysecrets}/secrets.yaml";
    secrets = {
      "user-password-hashed".neededForUsers = true;
      "ssh-config" = {
--- a/hosts/dunamis/users.nix
+++ b/hosts/dunamis/users.nix
@ -5,7 +5,6 @@
  ...
 }: let
  sopSec = config.sops.secrets;
-  secrets = inputs.mysecrets;
 in {
  nix.settings.trusted-users = [
    "user"
@ -15,12 +14,12 @@ in {
  users.users = {
    user = {
      hashedPasswordFile = sopSec."user-password-hashed".path;
-      isNormalUser = true;
      extraGroups = ["wheel" "video" "libvirtd" "dialout"];
+      isNormalUser = true;
      shell = pkgs.fish;
-      openssh.authorizedKeys.keyFiles = [
-        "${secrets}/ssh/id_ed25519_sarien_user.pub"
-        "${secrets}/ssh/id_ed25519_eldrid_user.pub"
+      openssh.authorizedKeys.keyFiles = map (f: "${inputs.mysecrets}/ssh/" + f) [
+        "id_ed25519_sarien_user.pub"
+        "id_ed25519_eldrid_user.pub"
      ];
    };
  };
--- a/hosts/dunamis/users/user/flatpak.nix
+++ b/hosts/dunamis/users/user/flatpak.nix
@ -18,37 +18,34 @@
    packages = [
      # misc
      "app.zen_browser.zen"
-      "net.mullvad.MullvadBrowser"
      "io.github.ungoogled_software.ungoogled_chromium"
-      "com.obsproject.Studio"
+      "net.mullvad.MullvadBrowser"
      "com.bitwarden.desktop"
      "com.github.tchx84.Flatseal"
+      "com.logseq.Logseq"
+      "com.obsproject.Studio"
+      "com.usebottles.bottles"
      "de.haeckerfelix.Fragments"
      "org.qbittorrent.qBittorrent"

-      # "com.transmissionbt.Transmission"
-      "com.usebottles.bottles"
-      "com.logseq.Logseq"
-      "org.octave.Octave"
-
      # chatting
-      "org.signal.Signal"
      "im.riot.Riot"
-      "org.telegram.desktop"
      "io.github.spacingbat3.webcord"
      "org.mozilla.Thunderbird"
+      "org.signal.Signal"
+      "org.telegram.desktop"

      # media
      "io.bassi.Amberol"
      "io.freetubeapp.FreeTube"
-      #"io.github.celluloid_player.Celluloid"
      # "io.mpv.Mpv"
+      #"io.github.celluloid_player.Celluloid"

      # gaming
      #"com.github._0negal.Viper"
+      "com.heroicgameslauncher.hgl"
      "com.valvesoftware.Steam"
      "net.lutris.Lutris"
-      "com.heroicgameslauncher.hgl"
      {
        appId = "org.unmojang.FjordLauncher";
        origin = "hero-persson";
@ -62,14 +59,14 @@
        Context = {
          sockets = ["wayland" "!x11" "!fallback-x11"];
          filesystems = [
-            "!host"
            "!home"
+            "!host"
            "!~/.ssh"
-            "xdg-run/pipewire-0"
+            "/nix/store:ro"
            "xdg-config/gtk-3.0:ro"
            "xdg-config/gtk-4.0:ro"
+            "xdg-run/pipewire-0"
            "~/.local/share/icons:ro"
-            "/nix/store:ro"
          ];
        };
        Environment = {
@ -86,6 +83,16 @@
      "org.signal.Signal" = {
        Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
      };
+      "com.obsproject.Studio" = {
+        Context.filesystems = ["~/vids"];
+      };
+      "com.logseq.Logseq" = {
+        Context.filesystems = [
+          "~/docs/logseq"
+          "~/docs/nure/2025/logseq"
+          "~/syncthing/logseq"
+        ];
+      };
      "net.lutris.Lutris".Context = {
        sockets = ["x11" "wayland"];
        filesystems = ["/storage/games/lutris" "~/games/lutris"];
--- a/hosts/dunamis/users/user/home-configuration.nix
+++ b/hosts/dunamis/users/user/home-configuration.nix
@ -1,4 +1,8 @@
-{inputs, ...}: {
+{
+  inputs,
+  osConfig,
+  ...
+}: {
  imports = with inputs; [
    nix-index-database.hmModules.nix-index
    self.homeModules.desktop
@ -6,13 +10,10 @@
    ./programs.nix
    ./flatpak.nix
  ];
-  desktop = {
-    niri.enable = true;
-  };
  home = {
-    stateVersion = "25.05";
-    sessionPath = [
-      "$HOME/.local/bin"
-    ];
+    stateVersion = osConfig.system.stateVersion;
+    sessionPath = ["$HOME/.local/bin"];
  };
+
+  desktop.niri.enable = true;
 }
--- a/hosts/dunamis/users/user/programs.nix
+++ b/hosts/dunamis/users/user/programs.nix
@ -49,7 +49,6 @@

  editor = {
    helix.enable = true;
-    # zed.enable = true;
  };

  home.packages = with pkgs; [
--- a/hosts/eldrid/boot.nix
+++ b/hosts/eldrid/boot.nix
@ -10,12 +10,12 @@
  boot = {
    # kernelPackages = pkgs.linuxPackages_latest;
    kernelPackages = pkgs.linuxPackages_cachyos;
-    plymouth.enable = true;
    loader.efi.canTouchEfiVariables = true;
    loader.systemd-boot = {
      enable = !config.boot.lanzaboote.enable;
      consoleMode = "auto";
    };
+    plymouth.enable = true;
    initrd = {
      availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "xe" "i915"];
      kernelModules = [];
--- a/hosts/eldrid/users/user/home-configuration.nix
+++ b/hosts/eldrid/users/user/home-configuration.nix
@ -10,11 +10,10 @@
    ./programs.nix
    ./flatpak.nix
  ];
-  desktop.niri.enable = true;
  home = {
    stateVersion = osConfig.system.stateVersion;
-    sessionPath = [
-      "$HOME/.local/bin"
-    ];
+    sessionPath = ["$HOME/.local/bin"];
  };
+
+  desktop.niri.enable = true;
 }
--- a/hosts/sarien/boot.nix
+++ b/hosts/sarien/boot.nix
@ -0,0 +1,31 @@
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    chaotic.nixosModules.default
+  ];
+  boot = {
+    # kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    kernelModules = ["kvm-intel"];
+    kernelParams = [
+      "i915.enable_guc=2"
+      "i915.enable_fbc=1"
+      "i915.enable_psr=2"
+    ];
+    loader.efi.canTouchEfiVariables = true;
+    loader.systemd-boot = {
+      enable = true;
+      consoleMode = "auto";
+    };
+    plymouth.enable = true;
+  };
+  console = {
+    earlySetup = true;
+    packages = [pkgs.terminus_font];
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+  };
+}
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@ -1,106 +1,38 @@
-# device-specific setup
-{
-  pkgs,
-  config,
-  inputs,
-  ...
-}: {
+{inputs, ...}: {
  imports = with inputs; [
-    chaotic.nixosModules.default
-    lix.nixosModules.default
    self.nixosModules.desktop
    self.nixosModules.system
-    ./hardware.nix
-    ./programs.nix
-    ./stylix.nix
+    ./boot.nix
    ./disko.nix
-    ./users.nix
+    ./hardware.nix
+    ./networking.nix
+    ./nix.nix
+    ./programs.nix
+    ./services.nix
    ./sops.nix
+    ./stylix.nix
+    ./users.nix
  ];

-  desktop = {
-    niri.enable = true;
-  };
+  desktop.niri.enable = true;

-  nix = {
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "dunamis";
-        sshUser = "nix-ssh";
-        system = "x86_64-linux";
-        sshKey = config.sops.secrets."ssh-sarien-user".path;
-        supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
-        publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-      }
-    ];
-  };
+  locale.ukrainian.enable = true;
+
+  opentabletdriver.enable = false;
+
+  qmk-vial.enable = true;
+
+  security.basic.enable = true;

  system.stateVersion = "25.05";

  time.timeZone = "Europe/Kyiv";
-  locale.ukrainian.enable = true;

-  networking = {
-    networkmanager.enable = true;
-    hostName = "vylxae";
-    hosts = {
-      "192.168.1.42" = ["dunamis"];
-    };
+  virtual.libvirt.enable = true;
+
+  wireless = {
+    wifi.enable = true;
+    bluetooth.enable = true;
+    bluetooth.enableBlueman = true;
  };
-
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    plymouth.enable = true;
-    loader.efi.canTouchEfiVariables = true;
-    loader.systemd-boot = {
-      enable = true;
-      consoleMode = "auto";
-    };
-  };
-
-  console = {
-    earlySetup = true;
-    packages = [pkgs.terminus_font];
-    font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
-  };
-
-  services = {
-    power-profiles-daemon.enable = true;
-    flatpak.enable = true;
-    fstrim.enable = true;
-    openssh.enable = true;
-    syncthing.openDefaultPorts = true;
-    dnscrypt-proxy2 = {
-      enable = true;
-      settings = {
-        require_dnssec = true;
-        server_names = ["mullvad-doh"];
-        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
-      };
-    };
-  };
-  services.scx = {
-    enable = true;
-    scheduler = "scx_flash";
-  };
-
-  security.basic.enable = true;
-
-  virtual = {
-    libvirt.enable = true;
-    podman.enable = false;
-  };
-
-  wireless.bluetooth.enableBlueman = true;
-
-  opentabletdriver.enable = false;
-  qmk-vial.enable = true;
 }
--- a/hosts/sarien/hardware.nix
+++ b/hosts/sarien/hardware.nix
@ -8,37 +8,14 @@
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
-
-  wireless = {
-    wifi.enable = true;
-    bluetooth.enable = true;
-  };
-
  services.logind = {
    lidSwitch = "ignore";
    powerKey = "suspend";
  };

-  boot = {
-    kernelModules = ["kvm-intel"];
-    kernelParams = [
-      "i915.enable_guc=2"
-      "i915.enable_fbc=1"
-      "i915.enable_psr=2"
-    ];
-    initrd = {
-      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"];
-      kernelModules = ["i915"];
-    };
-  };
-
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

-  services.thermald.enable = true;
-  services.upower.enable = true;
-  powerManagement.powertop.enable = true;
-
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
--- a/hosts/sarien/networking.nix
+++ b/hosts/sarien/networking.nix
@ -0,0 +1,9 @@
+{
+  networking = {
+    networkmanager.enable = true;
+    hostName = "vylxae";
+    hosts = {
+      "192.168.1.42" = ["dunamis"];
+    };
+  };
+}
--- a/hosts/sarien/nix.nix
+++ b/hosts/sarien/nix.nix
@ -0,0 +1,28 @@
+{
+  config,
+  inputs,
+  ...
+}: {
+  imports = with inputs; [
+    lix.nixosModules.default
+  ];
+  nix = {
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      builders-use-substitutes = true;
+    };
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "dunamis";
+        sshUser = "nix-ssh";
+        system = "x86_64-linux";
+        sshKey = config.sops.secrets."ssh-sarien-user".path;
+        supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
+        publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+      }
+    ];
+  };
+}
--- a/hosts/sarien/services.nix
+++ b/hosts/sarien/services.nix
@ -0,0 +1,21 @@
+{
+  services = {
+    flatpak.enable = true;
+    fstrim.enable = true;
+    openssh.enable = true;
+    power-profiles-daemon.enable = true;
+    syncthing.openDefaultPorts = true;
+    dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        require_dnssec = true;
+        server_names = ["mullvad-doh"];
+        bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+      };
+    };
+    scx = {
+      enable = true;
+      scheduler = "scx_flash";
+    };
+  };
+}