start modularising NixOS config for several hosts

First step in modularising the NixOS config, with a focus on separation of host-specific and common configs. Common modules still need to be split up and refined, several TODOs and FIXUPs remain in code. But the config builds fine on thinknix. Roughly based on/ inspired by https://johns.codes/blog/organizing-system-configs-with-nixos#using-nixos
2024-01-09 23:48:38 +01:00 · 2024-01-09 23:48:38 +01:00 · 993308a2d3
commit 993308a2d3
parent 0639633b0d
11 changed files with 239 additions and 159 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -1,310 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running `nixos-help`).
-
-{ config, pkgs, lib, inputs, ... }:
-
-let
-  unstable = inputs.nixos-unstable;
-  localfork = import /home/spiollinux/src/nixpkgs { };
-
-in
-{
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./modules/packages.nix
-      ./modules/nitrokey.nix
-    ];
-
-  services.davfs2.enable = true;
-
-  # try newer kernels
-  #boot.kernelPackages = pkgs.linuxPackages_latest;
-
-  services.fstrim.enable = true;
-  services.btrfs.autoScrub =
-    {
-      enable = true;
-      fileSystems = [ "/" "/home" ];
-    };
-
-  # exfat support
-  #boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-
-  zramSwap =
-    {
-      enable = true;
-      memoryPercent = 20;
-    };
-  boot.kernel.sysctl."vm.swappiness" = 9;
-
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  # UEFI secure boot
-  environment.systemPackages = [
-    pkgs.sbctl
-  ];
-  # Lanzaboote currently replaces the systemd-boot module.
-  # This setting is usually set to true in configuration.nix
-  # generated at installation time. So we force it to false
-  # for now.
-  boot.loader.systemd-boot.enable = lib.mkForce false;
-
-  boot.lanzaboote = {
-    enable = true;
-    pkiBundle = "/etc/secureboot";
-  };
-
-  # make the boot look good
-  boot.plymouth.enable = true;
-
-  networking.hostName = "thinknix";
-
-  # configure console
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "de";
-  };
-
-  # Select internationalisation properties.
-  i18n = {
-    defaultLocale = "de_DE.UTF-8";
-  };
-
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  programs.bash.enableCompletion = true;
-  programs.wireshark =
-    {
-      enable = true;
-      package = pkgs.wireshark;
-    };
-
-  programs.adb.enable = true;
-
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  programs.ssh.startAgent = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  networking.firewall.allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
-  networking.firewall.allowedUDPPortRanges = [{ from = 1714; to = 1764; }]; # for KDE connect
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  networking.networkmanager = { 
-    enable = true;
-    # FIXME: move into own file, use SOPS for secrets
-    ensureProfiles.profiles = {
-    "37C3" = {
-      connection = {
-        id = "37C3";
-        type = "wifi";
-        interface-name = "wlan0";
-      };
-      wifi = {
-        mode = "infrastructure";
-        ssid = "37C3";
-      };
-      wifi-security = {
-        auth-alg = "open";
-        key-mgmt = "wpa-eap";
-      };
-      "802-1x" = {
-        anonymous-identity = "37C3";
-        eap = "ttls;";
-        identity = "37C3";
-        password = "37C3";
-        phase2-auth = "pap";
-        altsubject-matches = "DNS:radius.c3noc.net";
-        ca-cert = "${builtins.fetchurl {
-          url = "https://letsencrypt.org/certs/isrgrootx1.pem";
-          sha256 = "sha256:1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
-        }}";
-      };
-      ipv4 = {
-        method = "auto";
-      };
-      ipv6 = {
-        addr-gen-mode = "default";
-        method = "auto";
-      };
-    };
-  };
-};
-
-  services.avahi.enable = true;
-
-  # Enable CUPS to print documents.
-  services.printing =
-    {
-      enable = true;
-      drivers = [ pkgs.hplip ];
-    };
-  # scanners
-  hardware.sane =
-    {
-      enable = true;
-      extraBackends = [ pkgs.hplip ];
-    };
-
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    # decouple pulseaudio application and sink volumes
-    daemon.config = { flat-volumes = "no"; };
-    # C3D2 hq music
-    zeroconf.discovery.enable = true;
-    zeroconf.publish.enable = true;
-  };
-
-
-  # Bluetooth
-  hardware.bluetooth = {
-    enable = true;
-    settings.General.Disable = "Headset"; # disable headset profile
-  };
-  hardware.pulseaudio = {
-    package = pkgs.pulseaudioFull;
-  };
-
-
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  services.xserver.layout = "de";
-  services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable touchpad support.
-  services.xserver.libinput.enable = true;
-
-  # while libinput also supports graphic tablets, enable more-specific wacom driver
-  services.xserver.wacom.enable = true;
-
-  # Enable the KDE Desktop Environment.
-  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
-
-  # dconf required for several Gnome applications like Cawbird
-  programs.dconf.enable = true;
-  
-  programs.firefox.enable = true;   # enables support for automatically setting additionsl nativeMessagingHosts
-
-  # Flatpak support
-  services.flatpak.enable = true;
-  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ];
-
-  # Define a user account. Don't forget to set a password with `passwd`.
-  users.users.spiollinux = {
-    isNormalUser = true;
-    uid = 1000;
-    extraGroups = [ "vboxusers" "wheel" "networkmanager" "scanner" "lp" "wireshark" "dialout" "cdrom" "input" "adbusers" ];
-    shell = pkgs.zsh;
-  };
-
-  # enable virtualbox support
-  virtualisation.virtualbox.host = {
-    enable = true;
-    #enableExtensionPack = true;
-  };
-  # allow PUEL license
-  nixpkgs.config.whitelistedLicenses = [ pkgs.lib.licenses.virtualbox-puel ];
-  users.extraGroups.vboxusers.members = [ "spiollinux" ];
-
-  programs.zsh =
-    {
-      enable = true;
-      autosuggestions.enable = true;
-    };
-
-  # profile sync daemon
-  services.psd.enable = true;
-
-  services.smartd =
-    {
-      enable = true;
-      devices = [{ device = "/dev/sda"; } { device = "/dev/sdb"; }];
-    };
-
-  fonts = {
-    fontDir.enable = true;
-    fontconfig.enable = true;
-    fontconfig.includeUserConf = true;
-  };
-
-  # Enable all sysrq functions (useful to recover from some issues):
-  boot.kernel.sysctl."kernel.sysrq" = 1; # NixOS default: 16 (only the sync command)
-
-  nix = {
-    # expose all flake inputs through nix Path and registry
-    registry = (lib.mapAttrs (_: value: { flake = value; }) inputs) // {
-      nixpkgs.flake = inputs.nixpkgs;
-    };
-    nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
-  # keep build-time deps around for offline-rebuilding
-    settings = {
-      # keep around all inputs necessary for offline-rebuilding the system
-      keep-outputs = true;
-      keep-derivations = true;
-      trusted-users = [ "spiollinux" ];
-      experimental-features = [ "nix-command" "flakes" "repl-flake" ];
-      # use all cores for building
-      cores = 0;
-    };
-  };
-  # override tmpdir for daemon
-  #systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";
-
-  # remote builders
-  #nix.buildMachines = [
-  #  {
-  #    hostName = "build01.nix-community.org";
-  #    sshUser = "ssh-ng://schmittlauch";
-  #    sshKey = "/root/.ssh/remote_builder_key";
-  #    system = "x86_64-linux";
-  #    maxJobs = 64;
-  #    supportedFeatures = [
-  #      "big-parallel"
-  #      "kvm"
-  #      "nixos-test"
-  #    ];
-  #  }
-  #];
-  programs.ssh.knownHosts."build01.nix-community.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";
-
-  # package debugging
-  # programs.sysdig.enable = true;
-
-  # declarative containers
-  containers = {
-    #  hash2PubSim = import ./Hash2PubTestbed.nix
-    #    {
-    #      inherit pkgs config;
-    #      experimentUid = config.users.users.spiollinux.uid;
-    #      projectDir = "/home/spiollinux/Seafile/Studium/Semester11/INF-PM-FP-ANW";
-    #    };
-  };
-
-  # stop NetworkManager from managing virtual interfaces
-  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
-
-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "18.09"; # Did you read the comment?
-
-}
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@ -1,95 +0,0 @@
-{ config, lib, pkgs, modulesPath, inputs, ... }:
-
-
-let
-  fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ];
-in
-{
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-      (inputs.nixos-hardware + "/lenovo/thinkpad/t440s")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [];
-
-  # encrypted partitions
-  boot.initrd.luks =
-    {
-      devices =
-        # allow discards on all devices
-        builtins.mapAttrs (name: val: val // {allowDiscards = true;})
-        {
-          "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef";
-          "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa";
-          "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1";
-        };
-      reusePassphrases = true;
-    };
-
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
-      fsType = "btrfs";
-      options = fsOptions ++ [ "subvol=nixos_root" ];
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/DED9-661B";
-      fsType = "vfat";
-      options = [ "discard" ];
-    };
-
-  fileSystems."/home" =
-    {
-      device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
-      fsType = "btrfs";
-      options = fsOptions ++ [ "subvol=home" ];
-    };
-
-    fileSystems."/var/tmp" =
-      {
-        device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
-        fsType = "btrfs";
-        options = fsOptions ++ [ "subvol=vartmp" ];
-      };
-
-    fileSystems."/var/log" =
-      {
-        device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
-        fsType = "btrfs";
-        options = fsOptions ++ [ "subvol=varlog" ];
-      };
-
-    fileSystems."/var/cache" =
-      {
-        device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
-        fsType = "btrfs";
-        options = fsOptions ++ [ "subvol=varcache" ];
-      };
-
-    boot.tmp.useTmpfs = true;
-    fileSystems."/tmp".fsType = "tmpfs";
-
-  swapDevices =
-    [
-      { device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; }
-    ];
-
-  nix.settings.max-jobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
-  hardware.trackpoint = {
-    enable = true;
-    sensitivity = 180;
-    speed = 180;
-  };
-
-
-  # modesetting is always better than intel (legacy)
-  services.xserver.videoDrivers = [ "modesetting" ];
-
-}
--- a/nixos/modules/nitrokey.nix
+++ b/nixos/modules/nitrokey.nix
@ -1,11 +0,0 @@
-{ pkgs, lib, ...}:
-{
-hardware.nitrokey.enable = true;
-environment.systemPackages = [ pkgs.pynitrokey ];
-nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-   "nrfutil"
-   "pc-ble-driver-py"
-   "pc-ble-driver"
-   "pypemicro"
-];
-}
--- a/nixos/modules/packages.nix
+++ b/nixos/modules/packages.nix
@ -1,87 +0,0 @@
-{ pkgs, config, ... }:
-
-{ 
-  # List packages installed in system profile.
-  environment.systemPackages = with pkgs; [
-    wget
-    vim
-    vimPlugins.vim-nix
-    vimPlugins.pathogen
-    tmux
-    htop
-    zsh
-    btrfs-progs
-    git
-    python3
-    man-pages
-    dnsutils
-    netcat
-    ntfs3g
-    file
-    multipath-tools
-    strace
-    ltrace
-    valgrind
-    testdisk
-    rsync
-    pv
-    exfat
-    iotop
-    cifs-utils
-    dstat
-    lsof
-    macchanger
-    borgbackup
-
-    # for debugging WLAN failures:
-    ethtool
-    trace-cmd
-    
-    # NetworkManager stuff
-    networkmanager-openconnect
-    networkmanager-vpnc
-    networkmanager-openvpn
-    plasma5Packages.kdeGear.akonadi-mime # for KOrganizer
-    ]
-  ++ (with plasma5Packages; with kdeGear; [
-    #akonadi
-    #akonadi-calendar
-    #akonadi-contacts
-    #akonadi-import-wizard
-    #akonadi-mime
-    #akonadi-notes
-    #akonadi-search
-    #akonadiconsole
-    #akregator
-    #kaddressbook
-    #kalarm
-    #kalarmcal
-    #kcalutils
-    #kcontacts
-    #kdav
-    #kdepim-addons
-
-    #kdepim-runtime
-    #kidentitymanagement
-    #kldap
-    #kmail
-    #kmailtransport
-    #kmbox
-    #kmime
-    #kontact
-    #kontactinterface
-    #korganizer
-    #kpimtextedit
-    #libkdepim
-    #libksieve
-    #mailcommon
-    #messagelib
-    #pimcommon
-    #pim-sieve-editor
-
-    # for some Flatpak packkages
-    accountsservice
-  ]);
-}
-
-