hosts/dunamis: add userborn

Signed-off-by: unexplrd <unexplrd@linerds.us>

flake.lock

@@ -1025,19 +1025,18 @@
         "type": "github"
       }
     },
-    "nixos-hardware": {
+    "nixos-facter-modules": {
       "locked": {
-        "lastModified": 1745503349,
+        "lastModified": 1743671943,
-        "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=",
+        "narHash": "sha256-7sYig0+RcrR3sOL5M+2spbpFUHyEP7cnUvCaqFOBjyU=",
-        "owner": "NixOS",
+        "owner": "numtide",
-        "repo": "nixos-hardware",
+        "repo": "nixos-facter-modules",
-        "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1",
+        "rev": "58ad9691670d293a15221d4a78818e0088d2e086",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "numtide",
-        "ref": "master",
+        "repo": "nixos-facter-modules",
-        "repo": "nixos-hardware",
         "type": "github"
       }
     },
@@ -1240,7 +1239,7 @@
         "nix-flatpak": "nix-flatpak",
         "nix-index-database": "nix-index-database",
         "nixos-cosmic": "nixos-cosmic",
-        "nixos-hardware": "nixos-hardware",
+        "nixos-facter-modules": "nixos-facter-modules",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-stable": "nixpkgs-stable_3",
         "sops-nix": "sops-nix",

flake.nix

@@ -13,13 +13,14 @@
     # lix.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-2.tar.gz";
     mysecrets.url = "git+ssh://gitea@gitea.linerds.us/unexplrd/nix-secrets";
     # neve.url = "git+https://gitea.linerds.us/unexplrd/Neve";
+    # nixvim.url = "github:nix-community/nixvim";
     nix-flatpak.url = "github:gmodena/nix-flatpak";
     nix-index-database.url = "github:nix-community/nix-index-database";
     nixos-cosmic.url = "github:lilyinstarlight/nixos-cosmic";
-    # nixvim.url = "github:nix-community/nixvim";
+    nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    # nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
     sops-nix.url = "github:mic92/sops-nix";
     stylix.url = "github:danth/stylix/8b0d9317edd57c5374adcf6957ae4775875c2a9d";
     # TODO: somehow reduce the number of *.inputs.nixpkgs.follows = "nixpkgs" stuff, mb a function?

hosts/dunamis/boot.nix

@@ -1,56 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  ...
-}: {
-  imports = with inputs; [
-    chaotic.nixosModules.default
-    lanzaboote.nixosModules.lanzaboote
-  ];
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    consoleLogLevel = 0;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelModules = ["kvm-amd"];
-    kernelParams = [
-      # "mitigations=auto"
-      # "spectre_v2=on"
-      # "spectre_v2_user=on"
-      # "spectre_bhi=on"
-      # "spec_store_bypass_disable=on"
-      # "tsx=off"
-      # "kvm.nx_huge_pages=force"
-      # "l1d_flush=on"
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      # "ia32_emulation=0"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-      "page_alloc.shuffle=1"
-      # "reg_file_data_sampling=on"
-      # "spec_rstack_overflow=safe-ret"
-      "vsyscall=none"
-    ];
-    initrd = {
-      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-      systemd.enable = true; # needed for auto-unlocking with TPM
-    };
-    loader.efi.canTouchEfiVariables = true;
-    loader.systemd-boot = {
-      enable = !config.boot.lanzaboote.enable;
-      consoleMode = "auto";
-    };
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    plymouth.enable = true;
-  };
-}

hosts/dunamis/boot/default.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = with inputs;
+    [
+      chaotic.nixosModules.default
+      lanzaboote.nixosModules.lanzaboote
+    ]
+    ++ [
+      ./loader.nix
+    ];
+  boot = {
+    # kernelPackages = pkgs.linuxPackages_latest;
+    plymouth.enable = true;
+    consoleLogLevel = 0;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    kernelParams = [
+      "amd_iommu=force_isolation"
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      "gather_data_sampling=force"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      "page_alloc.shuffle=1"
+      "vsyscall=none"
+      # "ia32_emulation=0"
+      # "lockdown=confidentiality"
+      # "module.sig_enforce=1"
+    ];
+    initrd = {
+      systemd.enable = true; # needed for auto-unlocking with TPM
+    };
+  };
+}

hosts/dunamis/boot/loader.nix

@@ -0,0 +1,15 @@
+{config, ...}: {
+  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        enable = !config.boot.lanzaboote.enable;
+        consoleMode = "auto";
+      };
+    };
+  };
+}

hosts/dunamis/configuration.nix

@@ -1,12 +1,16 @@
-{inputs, ...}: {
+{
+  inputs,
+  pkgs,
+  ...
+}: {
   imports = with inputs; [
     self.nixosModules.desktop
     self.nixosModules.system
-    ./boot.nix
+    ./boot
-    ./disko.nix
+    ./disko
-    ./hardware.nix
+    ./facter
     ./networking.nix
-    ./nix.nix
+    ./nix
     ./programs.nix
     ./services.nix
     ./sops.nix
@@ -14,7 +18,7 @@
     ./minecraft.nix
   ];
 
-  desktop.cosmic.enable = true;
+  desktop.niri.enable = true;
   environment.memoryAllocator.provider = "mimalloc";
   locale.ukrainian.enable = true;
   module.stylix = {
@@ -31,4 +35,9 @@
     bluetooth.enable = true;
     bluetooth.enableBlueman = false;
   };
+  hardware.graphics.extraPackages = with pkgs; [
+    intel-compute-runtime
+    intel-media-driver
+    vpl-gpu-rt
+  ];
 }

hosts/dunamis/disko.nix

@@ -1,83 +0,0 @@
-{inputs, ...}: let
-  disk = "/dev/disk/by-id/nvme-eui.000000000000000100a075244b5d6185";
-in {
-  imports = with inputs; [
-    disko.nixosModules.disko
-  ];
-  disko.devices.nodev = {
-    "/tmp" = {
-      fsType = "tmpfs";
-      mountOptions = ["rw" "nosuid" "nodev"];
-    };
-  };
-  disko.devices.disk.main = {
-    type = "disk";
-    device = disk;
-    content = {
-      type = "gpt";
-      partitions = {
-        ESP = {
-          size = "2G";
-          type = "EF00";
-          content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-            mountOptions = [
-              "umask=0077"
-              "fmask=0022"
-              "dmask=0022"
-              "noexec"
-              "nosuid"
-              "nodev"
-            ];
-          };
-        };
-        luks = {
-          size = "100%";
-          content = {
-            type = "luks";
-            name = "luks-main";
-            initrdUnlock = true;
-            settings.allowDiscards = true;
-            content = {
-              type = "btrfs";
-              extraArgs = ["-f"];
-              subvolumes = {
-                "@nixos-root" = {
-                  mountpoint = "/";
-                  mountOptions = [
-                    "compress=zstd"
-                    "noatime"
-                    "noexec"
-                  ];
-                };
-                "@home" = {
-                  mountpoint = "/home";
-                  mountOptions = [
-                    "compress=zstd"
-                    "noatime"
-                  ];
-                };
-                "@storage" = {
-                  mountpoint = "/storage";
-                  mountOptions = [
-                    "compress=zstd"
-                    "noatime"
-                  ];
-                };
-                "@nix" = {
-                  mountpoint = "/nix";
-                  mountOptions = [
-                    "compress-force=zstd"
-                    "noatime"
-                  ];
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/dunamis/disko/default.nix

@@ -0,0 +1,14 @@
+{inputs, ...}: let
+  disk = "/dev/disk/by-id/nvme-eui.000000000000000100a075244b5d6185";
+in {
+  imports = with inputs; [
+    disko.nixosModules.disko
+  ];
+  disko.devices.nodev = {
+    "/tmp" = {
+      fsType = "tmpfs";
+      mountOptions = ["rw" "nosuid" "nodev"];
+    };
+  };
+  disko.devices.disk.main = import ./disk-main.nix {inherit disk;};
+}

hosts/dunamis/disko/disk-main.nix

@@ -0,0 +1,70 @@
+{disk, ...}: {
+  type = "disk";
+  device = disk;
+  content = {
+    type = "gpt";
+    partitions = {
+      ESP = {
+        size = "2G";
+        type = "EF00";
+        content = {
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+          mountOptions = [
+            "umask=0077"
+            "fmask=0022"
+            "dmask=0022"
+            "noexec"
+            "nosuid"
+            "nodev"
+          ];
+        };
+      };
+      luks = {
+        size = "100%";
+        content = {
+          type = "luks";
+          name = "luks-main";
+          initrdUnlock = true;
+          settings.allowDiscards = true;
+          content = {
+            type = "btrfs";
+            extraArgs = ["-f"];
+            subvolumes = {
+              "@nixos-root" = {
+                mountpoint = "/";
+                mountOptions = [
+                  "compress=zstd"
+                  "noatime"
+                  "noexec"
+                ];
+              };
+              "@home" = {
+                mountpoint = "/home";
+                mountOptions = [
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "@storage" = {
+                mountpoint = "/storage";
+                mountOptions = [
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "@nix" = {
+                mountpoint = "/nix";
+                mountOptions = [
+                  "compress-force=zstd"
+                  "noatime"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/dunamis/facter/default.nix

@@ -0,0 +1,7 @@
+{inputs, ...}: {
+  imports = with inputs; [
+    nixos-facter-modules.nixosModules.facter
+  ];
+  facter.reportPath = ./facter.json;
+  systemd.network.wait-online.enable = false;
+}

hosts/dunamis/nix.nix

@@ -1,18 +0,0 @@
-# TODO: better file name
-{
-  config,
-  pkgs,
-  ...
-}: {
-  nix = {
-    package = pkgs.lix;
-    channel.enable = false;
-    settings.experimental-features = ["nix-command" "flakes"];
-    daemonCPUSchedPolicy = "idle";
-    sshServe = {
-      enable = true;
-      write = true;
-      keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
-    };
-  };
-}

hosts/dunamis/nix/common.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  nix = {
+    package = pkgs.lixPackageSets.latest.lix;
+    channel.enable = false;
+    daemonCPUSchedPolicy = "idle";
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      builders-use-substitutes = true;
+    };
+  };
+}

hosts/dunamis/nix/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./common.nix
+    ./substituters.nix
+    ./ssh-serve.nix
+  ];
+}

hosts/dunamis/nix/distributed-build.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (builtins) readFile;
+  inherit (config.networking) hostName;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
+  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+in {
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "dunamis";
+        publicHostKey = pubHost;
+        sshKey = secrets."ssh-${hostName}-user".path;
+        sshUser = "nix-ssh";
+        supportedFeatures = [
+          "benchmark"
+          "big-parallel"
+          "kvm"
+          "nixos-test"
+        ];
+        system = "x86_64-linux";
+      }
+    ];
+  };
+}

hosts/dunamis/nix/ssh-serve.nix

@@ -0,0 +1,10 @@
+{config, ...}: let
+  inherit (builtins) readFile;
+  inherit (config.users.users) user;
+in {
+  nix.sshServe = {
+    enable = true;
+    write = true;
+    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+  };
+}

hosts/dunamis/nix/substituters.nix

@@ -0,0 +1,16 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://chaotic-nyx.cachix.org/"
+      "https://cosmic.cachix.org/"
+      "https://nix-community.cachix.org/"
+    ];
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}

hosts/dunamis/services.nix

@@ -5,6 +5,7 @@
     fwupd.enable = true;
     openssh.enable = true;
     syncthing.openDefaultPorts = true;
+    userborn.enable = true;
     dnscrypt-proxy2 = {
       enable = true;
       settings = {

hosts/dunamis/users.nix

@@ -6,6 +6,7 @@
 }: let
   inherit (config.sops) secrets;
   inherit (inputs) mysecrets;
+  sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
 in {
   nix.settings.trusted-users = ["user" "nix-ssh"];
   users.mutableUsers = false;
@@ -15,7 +16,7 @@ in {
       extraGroups = ["wheel" "video" "libvirtd" "dialout"];
       isNormalUser = true;
       shell = pkgs.fish;
-      openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub") [
+      openssh.authorizedKeys.keyFiles = map sshKeys [
         "dunamis"
         "eldrid"
         "sarien"

modules/home/programs/editor/helix.nix

@@ -66,6 +66,10 @@ in {
           markdown-oxide.command = getExe pkgs.markdown-oxide;
           # nil.command = getExe pkgs.nil;
           nixd.command = getExe pkgs.nixd;
+          pyright.command = getExe pkgs.pyright;
+          pyright.args = ["-"];
+          ruff.command = getExe pkgs.ruff;
+          ruff.args = ["server"];
           # rust-analyzer.command = getExe pkgs.rust-analyzer;
           # texlab.command = getExe pkgs.texlab;
           tinymist.command = getExe pkgs.tinymist;
@@ -111,6 +115,20 @@ in {
           #   language-servers = ["rust-analyzer"];
           #   formatter.command = getExe pkgs.rustfmt;
           # }
+          {
+            name = "python";
+            auto-format = true;
+            language-servers = [
+              {
+                name = "ruff";
+                only-features = ["format" "diagnostics"];
+              }
+              {
+                name = "pyright";
+                except-features = ["format" "diagnostics"];
+              }
+            ];
+          }
         ];
       };
     };

modules/nixos/desktop/cosmic.nix

@@ -16,23 +16,21 @@ in {
       mkEnableOption "enable cosmic desktop";
   };
   config = mkIf cfg.enable {
-    sound.pipewire.enable = true;
-    nix.settings = {
-      substituters = ["https://cosmic.cachix.org/"];
-      trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
-    };
     environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;
-    systemd.packages = [pkgs.observatory];
+    sound.pipewire.enable = true;
-    systemd.services.monitord.wantedBy = ["multi-user.target"];
-    services.desktopManager.cosmic.enable = true;
-    services.displayManager.cosmic-greeter.enable = true;
     services = {
+      desktopManager.cosmic.enable = true;
+      displayManager.cosmic-greeter.enable = true;
       gnome.gnome-keyring.enable = true;
       dbus = {
         apparmor = "enabled";
         implementation = "broker";
       };
     };
+    systemd = {
+      packages = [pkgs.observatory];
+      services.monitord.wantedBy = ["multi-user.target"];
+    };
     xdg.portal = {
       enable = true;
       extraPortals = with pkgs; [