hosts/sarien: new theme

Signed-off-by: unexplrd <unexplrd@linerds.us>

hosts/dunamis/boot/loader.nix

@@ -1,15 +0,0 @@
-{config, ...}: {
-  boot = {
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = !config.boot.lanzaboote.enable;
-        consoleMode = "auto";
-      };
-    };
-  };
-}

hosts/dunamis/configuration.nix

@@ -1,34 +1,35 @@
 {inputs, ...}: {
   imports = with inputs; [
+    self.nixosModules.config
     self.nixosModules.desktop
     self.nixosModules.system
-    ./boot
     ./disko
-    ./hardware
     ./minecraft.nix
-    ./networking
-    ./nix
-    ./programs.nix
-    ./services.nix
-    ./sops.nix
-    ./users.nix
   ];
 
-  desktop.niri.enable = true;
+  networking = {
+    hostId = "c7f6c4a1";
+    hostName = "dunamis";
+  };
+
   environment.memoryAllocator.provider = "mimalloc";
-  locale.ukrainian.enable = true;
+  system.stateVersion = "25.05";
+  time.timeZone = "Europe/Kyiv";
+
+  desktop.niri.enable = true;
+
+  module.config = {
+    secureBoot = true;
+    tpmDiskUnlock = true;
+  };
   module.stylix = {
     enable = true;
     theme = "helios";
   };
+
+  locale.ukrainian.enable = true;
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
   security.basic.enable = true;
-  system.stateVersion = "25.05";
-  time.timeZone = "Europe/Kyiv";
   virtual.libvirt.enable = true;
-  wireless = {
-    bluetooth.enable = true;
-    bluetooth.enableBlueman = false;
-  };
 }

hosts/dunamis/hardware/vaapi/intel-media-driver.nix

@@ -1,7 +0,0 @@
-{pkgs, ...}: {
-  hardware.graphics.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-    vpl-gpu-rt
-  ];
-}

hosts/dunamis/networking/host-name-id.nix

@@ -1,6 +0,0 @@
-{
-  networking = {
-    hostId = "c7f6c4a1";
-    hostName = "dunamis";
-  };
-}

hosts/dunamis/networking/network-manager.nix

@@ -1,7 +0,0 @@
-{
-  networking.networkmanager = {
-      enable = true;
-      ethernet.macAddress = "stable";
-    };
-  };
-}

hosts/dunamis/nix/common.nix

@@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  nix = {
-    package = pkgs.lixPackageSets.latest.lix;
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-  };
-}

hosts/eldrid/networking/network-manager.nix

@@ -1,20 +0,0 @@
-{
-  networking = {
-    networkmanager = {
-      enable = true;
-      ethernet.macAddress = "stable";
-      wifi = {
-        backend = "iwd";
-        macAddress = "random";
-        scanRandMacAddress = true;
-      };
-    };
-    wireless.iwd = {
-      enable = true;
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
-  };
-}

hosts/sarien/boot/default.nix

@@ -1,39 +0,0 @@
-{
-  pkgs,
-  inputs,
-  ...
-}: {
-  imports = with inputs;
-    [
-      chaotic.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-    ]
-    ++ [
-      ./loader.nix
-    ];
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    plymouth.enable = true;
-    consoleLogLevel = 0;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
-    initrd = {
-      systemd.enable = true; # needed for auto-unlocking with TPM
-      systemd.tpm2.enable = false; # no TPM
-    };
-  };
-}

hosts/sarien/boot/loader.nix

@@ -1,15 +0,0 @@
-{config, ...}: {
-  boot = {
-    lanzaboote = {
-      enable = false;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = !config.boot.lanzaboote.enable;
-        consoleMode = "auto";
-      };
-    };
-  };
-}

hosts/sarien/configuration.nix

@@ -1,28 +1,26 @@
-{
+{inputs, ...}: {
-  inputs,
-  pkgs,
-  ...
-}: {
   imports = with inputs; [
     self.nixosModules.desktop
     self.nixosModules.system
-    ./boot
+    self.nixosModules.config
     ./disko
     ./hardware
-    ./networking
-    ./nix
-    ../dunamis/programs.nix
-    ../dunamis/services.nix
-    ../dunamis/sops.nix
-    ../dunamis/users.nix
   ];
 
+  networking = {
+    hostId = "31150fae";
+    hostName = "sarien";
+  };
+
   system.stateVersion = "25.05";
   time.timeZone = "Europe/Kyiv";
 
+  module.config = {
+    useIwd = true;
+  };
   module.stylix = {
     enable = true;
-    theme = "helios";
+    theme = "himalaya";
   };
 
   desktop.niri.enable = true;

hosts/sarien/hardware/default.nix

@@ -1,8 +1,6 @@
 {
   imports = [
-    ./facter.nix
     ./laptop
-    ./vaapi/intel-media-driver.nix
   ];
   services = {
     logind = {

hosts/sarien/hardware/facter.nix

@@ -1,14 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (inputs) mysecrets;
-  inherit (config.networking) hostName;
-in {
-  imports = with inputs; [
-    nixos-facter-modules.nixosModules.facter
-  ];
-  facter.reportPath = "${mysecrets}/facter/${hostName}.json";
-  systemd.network.wait-online.enable = false;
-}

hosts/sarien/hardware/vaapi/intel-media-driver.nix

@@ -1,7 +0,0 @@
-{pkgs, ...}: {
-  hardware.graphics.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver
-    vpl-gpu-rt
-  ];
-}

hosts/sarien/networking/default.nix

@@ -1,9 +0,0 @@
-{
-  imports = [
-    ./network-manager.nix
-    ./host-name-id.nix
-  ];
-  networking = {
-    hosts = import ./hosts.nix;
-  };
-}

hosts/sarien/networking/host-name-id.nix

@@ -1,6 +0,0 @@
-{
-  networking = {
-    hostId = "31150fae";
-    hostName = "sarien";
-  };
-}

hosts/sarien/networking/hosts.nix

@@ -1,3 +0,0 @@
-{
-  "192.168.1.42" = ["dunamis"];
-}

hosts/sarien/nix/common.nix

@@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  nix = {
-    package = pkgs.lixPackageSets.latest.lix;
-    channel.enable = false;
-    daemonCPUSchedPolicy = "idle";
-    settings = {
-      experimental-features = ["nix-command" "flakes"];
-      builders-use-substitutes = true;
-    };
-  };
-}

hosts/sarien/nix/default.nix

@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./common.nix
-    ./substituters.nix
-    ./distributed-build.nix
-  ];
-}

hosts/sarien/nix/distributed-build.nix

@@ -1,30 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (builtins) readFile;
-  inherit (config.networking) hostName;
-  inherit (config.sops) secrets;
-  inherit (inputs) mysecrets;
-  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-in {
-  nix = {
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "dunamis";
-        publicHostKey = pubHost;
-        sshKey = secrets."ssh-${hostName}-user".path;
-        sshUser = "nix-ssh";
-        supportedFeatures = [
-          "benchmark"
-          "big-parallel"
-          "kvm"
-          "nixos-test"
-        ];
-        system = "x86_64-linux";
-      }
-    ];
-  };
-}

hosts/sarien/nix/ssh-serve.nix

@@ -1,10 +0,0 @@
-{config, ...}: let
-  inherit (builtins) readFile;
-  inherit (config.users.users) user;
-in {
-  nix.sshServe = {
-    enable = true;
-    write = true;
-    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-  };
-}

hosts/sarien/nix/substituters.nix

@@ -1,16 +0,0 @@
-{
-  nix.settings = {
-    substituters = [
-      "https://cache.nixos.org/"
-      "https://chaotic-nyx.cachix.org/"
-      "https://cosmic.cachix.org/"
-      "https://nix-community.cachix.org/"
-    ];
-    trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
-      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-  };
-}

modules/nixos/config/boot/default.nix

@@ -1,15 +1,13 @@
 {
+  config,
   inputs,
   pkgs,
   ...
 }: {
-  imports = with inputs;
+  imports = with inputs; [
-    [
     chaotic.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-    ]
-    ++ [
     ./loader.nix
+    ./lanzaboote.nix
   ];
   boot = {
     plymouth.enable = true;
@@ -32,7 +30,7 @@
     ];
     initrd = {
       systemd.enable = true; # needed for auto-unlocking with TPM
-      systemd.tpm2.enable = true;
+      systemd.tpm2.enable = config.module.config.tpmDiskUnlock;
     };
   };
 }

modules/nixos/config/boot/lanzaboote.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: {
+  imports = with inputs; [
+    lanzaboote.nixosModules.lanzaboote
+  ];
+  boot = {
+    lanzaboote = {
+      enable = config.module.config.secureBoot;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader.systemd-boot.enable = lib.mkDefault (!config.boot.lanzaboote.enable);
+  };
+}

modules/nixos/config/boot/loader.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.loader = {
+    timeout = 3;
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      consoleMode = "auto";
+      configurationLimit = lib.mkOverride 1337 10;
+    };
+  };
+}

modules/nixos/config/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption mkIf;
+  cfg = config.module.config;
+in {
+  imports = [
+    ./boot
+    ./hardware
+    ./networking
+    ./nix
+    ./programs.nix
+    ./services.nix
+    ./users.nix
+    ./sops.nix
+  ];
+  options = {
+    module.config = {
+      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
+      secureBoot = mkEnableOption "set if secure boot is configured";
+      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
+      vaapi = lib.mkOption {
+        type = lib.types.enum ["intel-media-driver"];
+        default = "intel-media-driver";
+      };
+    };
+  };
+  config = mkIf (cfg.vaapi
+    == "intel-media-driver") {
+    hardware.graphics.extraPackages = with pkgs; [
+      intel-compute-runtime
+      intel-media-driver
+      vpl-gpu-rt
+    ];
+  };
+}

modules/nixos/config/hardware/default.nix

@@ -1,6 +1,5 @@
 {
   imports = [
     ./facter.nix
-    ./vaapi/intel-media-driver.nix
   ];
 }

modules/nixos/config/networking/default.nix

@@ -1,7 +1,6 @@
 {
   imports = [
-    ./network-manager.nix
+    ./network-manager
-    ./host-name-id.nix
   ];
   networking = {
     hosts = import ./hosts.nix;

modules/nixos/config/networking/network-manager/default.nix

@@ -1,20 +1,15 @@
 {
+  imports = [
+    ./wireless-iwd.nix
+  ];
   networking = {
     networkmanager = {
       enable = true;
       ethernet.macAddress = "stable";
       wifi = {
-        backend = "iwd";
         macAddress = "random";
         scanRandMacAddress = true;
       };
     };
-    wireless.iwd = {
-      enable = true;
-      settings = {
-        General.AddressRandomization = "network";
-        Settings.AlwaysRandomizeAddress = true;
-      };
-    };
   };
 }

modules/nixos/config/networking/network-manager/wireless-iwd.nix

@@ -0,0 +1,15 @@
+{config, ...}: {
+  networking = {
+    networkmanager.wifi.backend =
+      if config.module.config.useIwd
+      then "iwd"
+      else "wpa_supplicant";
+    wireless.iwd = {
+      enable = config.module.config.useIwd;
+      settings = {
+        General.AddressRandomization = "network";
+        Settings.AlwaysRandomizeAddress = true;
+      };
+    };
+  };
+}

modules/nixos/config/nix/common.nix

@@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        # for container in builds support
+        "auto-allocate-uids"
+        "cgroups"
+
+        # Enable the use of the fetchClosure built-in function in the Nix language.
+        "fetch-closure"
+
+        # Allow derivation builders to call Nix, and thus build derivations recursively.
+        "recursive-nix"
+
+        # Allow the use of the impure-env setting.
+        # "configurable-impure-env"
+      ];
+    };
+  };
+  # no longer need to pre-allocate build users for everything
+  nix.settings.auto-allocate-uids = lib.mkDefault true;
+  # Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
+  nix.settings.use-cgroups = true;
+
+  # for container in builds support
+  nix.settings.system-features =
+    if lib.versionAtLeast lib.version "25.05pre"
+    then ["uid-range"]
+    else lib.mkDefault ["uid-range"];
+}

modules/nixos/config/nix/default.nix

@@ -2,6 +2,6 @@
   imports = [
     ./common.nix
     ./substituters.nix
-    ./ssh-serve.nix
+    # ./ssh-serve.nix
   ];
 }

modules/nixos/system/common.nix

@@ -1,5 +1,27 @@
-{
+{lib, ...}: {
   environment.variables = {
     LESS = "-R --mouse";
   };
+
+  environment.ldso32 = null;
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+  services.openssh = {
+    settings.X11Forwarding = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PasswordAuthentication = false;
+    settings.UseDns = false;
+    # unbind gnupg sockets if they exists
+    settings.StreamLocalBindUnlink = true;
+
+    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+    settings.KexAlgorithms = [
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group16-sha512"
+      "diffie-hellman-group18-sha512"
+      "sntrup761x25519-sha512@openssh.com"
+    ];
+  };
 }

modules/nixos/system/misc/stylix/default.nix

@@ -30,6 +30,18 @@
     then pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];}
     else pkgs.nerd-fonts.jetbrains-mono;
 
+  wallpapers = {
+    fern-outline = builtins.fetchurl {
+      url = "https://w.wallhaven.cc/full/p9/wallhaven-p9m7ve.png";
+      name = "wallhaven-p9m7ve.png";
+      sha256 = "0r7dl4fjwv2p5q5ggr4sjsl2h5m0s98k9qhiwkvmwi010lyffkx7";
+    };
+    mountains-pink = builtins.fetchurl {
+      url = "https://w.wallhaven.cc/full/yq/wallhaven-yq7gox.jpg";
+      name = "wallhaven-yq7gox.jpg";
+      sha256 = "09s31spp9mq71fgkl1w80nzdc1458p1gjfyi3y6fy14wj2dza0pj";
+    };
+  };
   themes = {
     nord = {
       polarity = "dark";
@@ -134,6 +146,28 @@
         size = 24;
       };
     };
+    himalaya = {
+      # lightly pink like himalayan salt
+      polarity = "light";
+      scheme = "${pkgs.base16-schemes}/share/themes/atelier-plateau-light.yaml";
+      wallpaper = wallpapers.mountains-pink;
+
+      serif = {
+        package = interPackage;
+        name = "Inter Nerd Font";
+      };
+
+      monospace = {
+        package = iosevkaTermPackage;
+        name = "IosevkaTerm Nerd Font Mono";
+      };
+
+      cursor = {
+        package = pkgs.bibata-cursors;
+        name = "Bibata-Modern-Ice";
+        size = 24;
+      };
+    };
   };
 in {
   imports = with inputs; [