modules/config: init new module

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-05-04 16:58:22 +03:00
parent 6ae0a38f62
commit b55a50ada8
42 changed files with 220 additions and 280 deletions
--- a/hosts/dunamis/boot/loader.nix
+++ b/hosts/dunamis/boot/loader.nix
@ -1,15 +0,0 @@
-{config, ...}: {
-  boot = {
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = !config.boot.lanzaboote.enable;
-        consoleMode = "auto";
-      };
-    };
-  };
-}
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@ -1,34 +1,35 @@
 {inputs, ...}: {
  imports = with inputs; [
+    self.nixosModules.config
    self.nixosModules.desktop
    self.nixosModules.system
-    ./boot
    ./disko
-    ./hardware
    ./minecraft.nix
-    ./networking
-    ./nix
-    ./programs.nix
-    ./services.nix
-    ./sops.nix
-    ./users.nix
  ];

-  desktop.niri.enable = true;
+  networking = {
+    hostId = "c7f6c4a1";
+    hostName = "dunamis";
+  };
+
  environment.memoryAllocator.provider = "mimalloc";
-  locale.ukrainian.enable = true;
+  system.stateVersion = "25.05";
+  time.timeZone = "Europe/Kyiv";
+
+  desktop.niri.enable = true;
+
+  module.config = {
+    secureBoot = true;
+    tpmDiskUnlock = true;
+  };
  module.stylix = {
    enable = true;
    theme = "helios";
  };
+
+  locale.ukrainian.enable = true;
  opentabletdriver.enable = false;
  qmk-vial.enable = true;
  security.basic.enable = true;
-  system.stateVersion = "25.05";
-  time.timeZone = "Europe/Kyiv";
  virtual.libvirt.enable = true;
-  wireless = {
-    bluetooth.enable = true;
-    bluetooth.enableBlueman = false;
-  };
 }
--- a/hosts/dunamis/hardware/vaapi/intel-media-driver.nix
+++ b/hosts/dunamis/hardware/vaapi/intel-media-driver.nix
@ -1,7 +0,0 @@
-{pkgs, ...}: {
-  hardware.graphics.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-    vpl-gpu-rt
-  ];
-}
--- a/hosts/dunamis/networking/host-name-id.nix
+++ b/hosts/dunamis/networking/host-name-id.nix
@ -1,6 +0,0 @@
-{
-  networking = {
-    hostId = "c7f6c4a1";
-    hostName = "dunamis";
-  };
-}
--- a/hosts/dunamis/networking/network-manager.nix
+++ b/hosts/dunamis/networking/network-manager.nix
@ -1,7 +0,0 @@
-{
-  networking.networkmanager = {
-      enable = true;
-      ethernet.macAddress = "stable";
-    };
-  };
-}
--- a/hosts/dunamis/nix/common.nix
+++ b/hosts/dunamis/nix/common.nix
@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  nix = {
-    package = pkgs.lixPackageSets.latest.lix;
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-  };
-}
--- a/hosts/eldrid/networking/network-manager.nix
+++ b/hosts/eldrid/networking/network-manager.nix
@ -1,20 +0,0 @@
-{
-  networking = {
-    networkmanager = {
-      enable = true;
-      ethernet.macAddress = "stable";
-      wifi = {
-        backend = "iwd";
-        macAddress = "random";
-        scanRandMacAddress = true;
-      };
-    };
-    wireless.iwd = {
-      enable = true;
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
-  };
-}
--- a/hosts/sarien/boot/default.nix
+++ b/hosts/sarien/boot/default.nix
@ -1,39 +0,0 @@
-{
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = with inputs;
-    [
-      chaotic.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-    ]
-    ++ [
-      ./loader.nix
-    ];
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    plymouth.enable = true;
-    consoleLogLevel = 0;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
-    initrd = {
-      systemd.enable = true; # needed for auto-unlocking with TPM
-      systemd.tpm2.enable = false; # no TPM
-    };
-  };
-}
--- a/hosts/sarien/boot/loader.nix
+++ b/hosts/sarien/boot/loader.nix
@ -1,15 +0,0 @@
-{config, ...}: {
-  boot = {
-    lanzaboote = {
-      enable = false;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = !config.boot.lanzaboote.enable;
-        consoleMode = "auto";
-      };
-    };
-  };
-}
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@ -6,20 +6,22 @@
  imports = with inputs; [
    self.nixosModules.desktop
    self.nixosModules.system
-    ./boot
+    self.nixosModules.config
    ./disko
    ./hardware
-    ./networking
-    ./nix
-    ../dunamis/programs.nix
-    ../dunamis/services.nix
-    ../dunamis/sops.nix
-    ../dunamis/users.nix
  ];

+  networking = {
+    hostId = "31150fae";
+    hostName = "sarien";
+  };
+
  system.stateVersion = "25.05";
  time.timeZone = "Europe/Kyiv";

+  module.config = {
+    useIwd = true;
+  };
  module.stylix = {
    enable = true;
    theme = "helios";
--- a/hosts/sarien/hardware/default.nix
+++ b/hosts/sarien/hardware/default.nix
@ -1,8 +1,6 @@
 {
  imports = [
-    ./facter.nix
    ./laptop
-    ./vaapi/intel-media-driver.nix
  ];
  services = {
    logind = {
--- a/hosts/sarien/hardware/facter.nix
+++ b/hosts/sarien/hardware/facter.nix
@ -1,14 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (inputs) mysecrets;
-  inherit (config.networking) hostName;
-in {
-  imports = with inputs; [
-    nixos-facter-modules.nixosModules.facter
-  ];
-  facter.reportPath = "${mysecrets}/facter/${hostName}.json";
-  systemd.network.wait-online.enable = false;
-}
--- a/hosts/sarien/hardware/vaapi/intel-media-driver.nix
+++ b/hosts/sarien/hardware/vaapi/intel-media-driver.nix
@ -1,7 +0,0 @@
-{pkgs, ...}: {
-  hardware.graphics.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-    vpl-gpu-rt
-  ];
-}
--- a/hosts/sarien/networking/default.nix
+++ b/hosts/sarien/networking/default.nix
@ -1,9 +0,0 @@
-{
-  imports = [
-    ./network-manager.nix
-    ./host-name-id.nix
-  ];
-  networking = {
-    hosts = import ./hosts.nix;
-  };
-}
--- a/hosts/sarien/networking/host-name-id.nix
+++ b/hosts/sarien/networking/host-name-id.nix
@ -1,6 +0,0 @@
-{
-  networking = {
-    hostId = "31150fae";
-    hostName = "sarien";
-  };
-}
--- a/hosts/sarien/networking/hosts.nix
+++ b/hosts/sarien/networking/hosts.nix
@ -1,3 +0,0 @@
-{
-  "192.168.1.42" = ["dunamis"];
-}
--- a/hosts/sarien/nix/common.nix
+++ b/hosts/sarien/nix/common.nix
@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  nix = {
-    package = pkgs.lixPackageSets.latest.lix;
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-  };
-}
--- a/hosts/sarien/nix/default.nix
+++ b/hosts/sarien/nix/default.nix
@ -1,7 +0,0 @@
-{
-  imports = [
-    ./common.nix
-    ./substituters.nix
-    ./distributed-build.nix
-  ];
-}
--- a/hosts/sarien/nix/distributed-build.nix
+++ b/hosts/sarien/nix/distributed-build.nix
@ -1,30 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (builtins) readFile;
-  inherit (config.networking) hostName;
-  inherit (config.sops) secrets;
-  inherit (inputs) mysecrets;
-  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-in {
-  nix = {
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "dunamis";
-        publicHostKey = pubHost;
-        sshKey = secrets."ssh-${hostName}-user".path;
-        sshUser = "nix-ssh";
-        supportedFeatures = [
-          "benchmark"
-          "big-parallel"
-          "kvm"
-          "nixos-test"
-        ];
-        system = "x86_64-linux";
-      }
-    ];
-  };
-}
--- a/hosts/sarien/nix/ssh-serve.nix
+++ b/hosts/sarien/nix/ssh-serve.nix
@ -1,10 +0,0 @@
-{config, ...}: let
-  inherit (builtins) readFile;
-  inherit (config.users.users) user;
-in {
-  nix.sshServe = {
-    enable = true;
-    write = true;
-    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-  };
-}
--- a/hosts/sarien/nix/substituters.nix
+++ b/hosts/sarien/nix/substituters.nix
@ -1,16 +0,0 @@
-{
-  nix.settings = {
-    substituters = [
-      "https://cache.nixos.org/"
-      "https://chaotic-nyx.cachix.org/"
-      "https://cosmic.cachix.org/"
-      "https://nix-community.cachix.org/"
-    ];
-    trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
-      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-  };
-}
--- a/modules/nixos/config/boot/default.nix
+++ b/modules/nixos/config/boot/default.nix
@ -1,16 +1,14 @@
 {
+  config,
  inputs,
  pkgs,
  ...
 }: {
-  imports = with inputs;
-    [
-      chaotic.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-    ]
-    ++ [
-      ./loader.nix
-    ];
+  imports = with inputs; [
+    chaotic.nixosModules.default
+    ./loader.nix
+    ./lanzaboote.nix
+  ];
  boot = {
    plymouth.enable = true;
    consoleLogLevel = 0;
@ -32,7 +30,7 @@
    ];
    initrd = {
      systemd.enable = true; # needed for auto-unlocking with TPM
-      systemd.tpm2.enable = true;
+      systemd.tpm2.enable = config.module.config.tpmDiskUnlock;
    };
  };
 }
--- a/modules/nixos/config/boot/lanzaboote.nix
+++ b/modules/nixos/config/boot/lanzaboote.nix
@ -0,0 +1,17 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: {
+  imports = with inputs; [
+    lanzaboote.nixosModules.lanzaboote
+  ];
+  boot = {
+    lanzaboote = {
+      enable = config.module.config.secureBoot;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader.systemd-boot.enable = lib.mkDefault (!config.boot.lanzaboote.enable);
+  };
+}
--- a/modules/nixos/config/boot/loader.nix
+++ b/modules/nixos/config/boot/loader.nix
@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.loader = {
+    timeout = 3;
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      consoleMode = "auto";
+      configurationLimit = lib.mkOverride 1337 10;
+    };
+  };
+}
--- a/modules/nixos/config/default.nix
+++ b/modules/nixos/config/default.nix
@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption mkIf;
+  cfg = config.module.config;
+in {
+  imports = [
+    ./boot
+    ./hardware
+    ./networking
+    ./nix
+    ./programs.nix
+    ./services.nix
+    ./users.nix
+    ./sops.nix
+  ];
+  options = {
+    module.config = {
+      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
+      secureBoot = mkEnableOption "set if secure boot is configured";
+      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
+      vaapi = lib.mkOption {
+        type = lib.types.enum ["intel-media-driver"];
+        default = "intel-media-driver";
+      };
+    };
+  };
+  config = mkIf (cfg.vaapi
+    == "intel-media-driver") {
+    hardware.graphics.extraPackages = with pkgs; [
+      intel-compute-runtime
+      intel-media-driver
+      vpl-gpu-rt
+    ];
+  };
+}
--- a/modules/nixos/config/hardware/default.nix
+++ b/modules/nixos/config/hardware/default.nix
@ -1,6 +1,5 @@
 {
  imports = [
    ./facter.nix
-    ./vaapi/intel-media-driver.nix
  ];
 }
--- a/modules/nixos/config/hardware/facter.nix
+++ b/modules/nixos/config/hardware/facter.nix
--- a/modules/nixos/config/networking/default.nix
+++ b/modules/nixos/config/networking/default.nix
@ -1,7 +1,6 @@
 {
  imports = [
-    ./network-manager.nix
-    ./host-name-id.nix
+    ./network-manager
  ];
  networking = {
    hosts = import ./hosts.nix;
--- a/modules/nixos/config/networking/hosts.nix
+++ b/modules/nixos/config/networking/hosts.nix
--- a/modules/nixos/config/networking/network-manager/default.nix
+++ b/modules/nixos/config/networking/network-manager/default.nix
@ -1,20 +1,15 @@
 {
+  imports = [
+    ./wireless-iwd.nix
+  ];
  networking = {
    networkmanager = {
      enable = true;
      ethernet.macAddress = "stable";
      wifi = {
-        backend = "iwd";
        macAddress = "random";
        scanRandMacAddress = true;
      };
    };
-    wireless.iwd = {
-      enable = true;
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
  };
 }
--- a/modules/nixos/config/networking/network-manager/wireless-iwd.nix
+++ b/modules/nixos/config/networking/network-manager/wireless-iwd.nix
@ -0,0 +1,15 @@
+{config, ...}: {
+  networking = {
+    networkmanager.wifi.backend =
+      if config.module.config.useIwd
+      then "iwd"
+      else "wpa_supplicant";
+    wireless.iwd = {
+      enable = config.module.config.useIwd;
+      settings = {
+        General.AddressRandomization = "network";
+        Settings.AlwaysRandomizeAddress = true;
+      };
+    };
+  };
+}
--- a/modules/nixos/config/nix/common.nix
+++ b/modules/nixos/config/nix/common.nix
@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        # for container in builds support
+        "auto-allocate-uids"
+        "cgroups"
+
+        # Enable the use of the fetchClosure built-in function in the Nix language.
+        "fetch-closure"
+
+        # Allow derivation builders to call Nix, and thus build derivations recursively.
+        "recursive-nix"
+
+        # Allow the use of the impure-env setting.
+        # "configurable-impure-env"
+      ];
+    };
+  };
+  # no longer need to pre-allocate build users for everything
+  nix.settings.auto-allocate-uids = lib.mkDefault true;
+  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+  nix.settings.use-cgroups = true;
+
+  # for container in builds support
+  nix.settings.system-features =
+    if lib.versionAtLeast lib.version "25.05pre"
+    then ["uid-range"]
+    else lib.mkDefault ["uid-range"];
+}
--- a/modules/nixos/config/nix/default.nix
+++ b/modules/nixos/config/nix/default.nix
@ -2,6 +2,6 @@
  imports = [
    ./common.nix
    ./substituters.nix
-    ./ssh-serve.nix
+    # ./ssh-serve.nix
  ];
 }
--- a/modules/nixos/config/nix/distributed-build.nix
+++ b/modules/nixos/config/nix/distributed-build.nix
--- a/modules/nixos/config/nix/ssh-serve.nix
+++ b/modules/nixos/config/nix/ssh-serve.nix
--- a/modules/nixos/config/nix/substituters.nix
+++ b/modules/nixos/config/nix/substituters.nix
--- a/modules/nixos/config/programs.nix
+++ b/modules/nixos/config/programs.nix
--- a/modules/nixos/config/services.nix
+++ b/modules/nixos/config/services.nix
--- a/modules/nixos/config/sops.nix
+++ b/modules/nixos/config/sops.nix
--- a/modules/nixos/config/users.nix
+++ b/modules/nixos/config/users.nix
--- a/modules/nixos/system/common.nix
+++ b/modules/nixos/system/common.nix
@ -1,5 +1,27 @@
-{
+{lib, ...}: {
  environment.variables = {
    LESS = "-R --mouse";
  };
+
+  environment.ldso32 = null;
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+  services.openssh = {
+    settings.X11Forwarding = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PasswordAuthentication = false;
+    settings.UseDns = false;
+    # unbind gnupg sockets if they exists
+    settings.StreamLocalBindUnlink = true;
+
+    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+    settings.KexAlgorithms = [
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group16-sha512"
+      "diffie-hellman-group18-sha512"
+      "sntrup761x25519-sha512@openssh.com"
+    ];
+  };
 }
--- a/modules/nixos/system/misc/stylix/default.nix
+++ b/modules/nixos/system/misc/stylix/default.nix
@ -30,6 +30,18 @@
    then pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];}
    else pkgs.nerd-fonts.jetbrains-mono;

+  wallpapers = {
+    fern-outline = builtins.fetchurl {
+      url = "https://w.wallhaven.cc/full/p9/wallhaven-p9m7ve.png";
+      name = "wallhaven-p9m7ve.png";
+      sha256 = "0r7dl4fjwv2p5q5ggr4sjsl2h5m0s98k9qhiwkvmwi010lyffkx7";
+    };
+    mountains-pink = builtins.fetchurl {
+      url = "https://w.wallhaven.cc/full/yq/wallhaven-yq7gox.jpg";
+      name = "wallhaven-yq7gox.jpg";
+      sha256 = "09s31spp9mq71fgkl1w80nzdc1458p1gjfyi3y6fy14wj2dza0pj";
+    };
+  };
  themes = {
    nord = {
      polarity = "dark";
@ -134,6 +146,28 @@
        size = 24;
      };
    };
+    himalaya = {
+      # lightly pink like himalayan salt
+      polarity = "light";
+      scheme = "${pkgs.base16-schemes}/share/themes/atelier-plateau-light.yaml";
+      wallpaper = wallpapers.mountains-pink;
+
+      serif = {
+        package = interPackage;
+        name = "Inter Nerd Font";
+      };
+
+      monospace = {
+        package = iosevkaTermPackage;
+        name = "IosevkaTerm Nerd Font Mono";
+      };
+
+      cursor = {
+        package = pkgs.bibata-cursors;
+        name = "Bibata-Modern-Ice";
+        size = 24;
+      };
+    };
  };
 in {
  imports = with inputs; [