stuff

2025-05-18 01:08:10 +02:00 · 2025-05-18 01:08:10 +02:00 · 8164e92af6
commit 8164e92af6
parent b8af0e9761
84 changed files with 674 additions and 567 deletions
--- a/common/bash.nix
+++ b/common/bash.nix
@ -1,5 +0,0 @@
-{
-  programs.bash.interactiveShellInit = ''
-    shopt -s autocd globstar nullglob extglob checkwinsize
-  '';
-}
--- a/common/boot.nix
+++ b/common/boot.nix
@ -1,28 +1,22 @@
-{ config, ... }:
-{
+{config, inputs, ...}: {
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
    label = "BOOT";
    fsType = "vfat";
  };

  boot = {
-    loader = {
-      systemd-boot = {
-        enable = true;
-        consoleMode = "max";
-      };
-
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
    };

-    # TODO
-    tmp = {
-      useTmpfs = true;
-      tmpfsSize = "50%";
-      cleanOnBoot = true;
+    loader.efi = {
+      canTouchEfiVariables = true;
+      efiSysMountPoint = "/boot";
    };
  };
 }
--- a/common/bottom.nix
+++ b/common/bottom.nix
@ -1,4 +1,6 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = [ pkgs.bottom ];
+  environment.systemPackages = [
+    pkgs.bottom
+  ];
 }
--- a/common/comma.nix
+++ b/common/comma.nix
@ -1,3 +1,8 @@
+{ inputs, ... }:
 {
+  imports = [
+    inputs.nix-index-database.nixosModules.nix-index
+  ];
+
  programs.nix-index-database.comma.enable = true;
 }
--- a/common/command-not-found.nix
+++ b/common/command-not-found.nix
@ -1,4 +0,0 @@
-{
-  # TODO
-  programs.command-not-found.enable = false;
-}
--- a/common/dbus.nix
+++ b/common/dbus.nix
@ -1,3 +0,0 @@
-{
-  services.dbus.implementation = "broker";
-}
--- a/common/editor.nix
+++ b/common/editor.nix
@ -0,0 +1,23 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  package = inputs.hxwrap.packages.${pkgs.system}.default;
+in
+{
+  environment = {
+    systemPackages = [ package ];
+
+    sessionVariables =
+      let
+        exe = builtins.baseNameOf (lib.getExe package);
+      in
+      {
+        EDITOR = exe;
+        VISUAL = exe;
+      };
+  };
+}
--- a/common/fish.nix
+++ b/common/fish.nix
@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
-  programs.fish.enable = true;
-
-  users.defaultUserShell = pkgs.fish;
-}
--- a/common/gc.nix
+++ b/common/gc.nix
@ -0,0 +1,9 @@
+{
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 30d";
+  };
+
+  boot.loader.systemd-boot.configurationLimit = 5;
+}
--- a/common/git.nix
+++ b/common/git.nix
@ -1,6 +1,10 @@
-{
+{pkgs, ...}: {
  programs.git = {
    enable = true;
    lfs.enable = true;
  };
+
+  environment.systemPackages = [
+    pkgs.gitui
+  ];
 }
--- a/common/gitui.nix
+++ b/common/gitui.nix
@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = [
-    pkgs.gitui
-  ];
-}
--- a/common/hardware.nix
+++ b/common/hardware.nix
--- a/common/helix.nix
+++ b/common/helix.nix
@ -1,21 +0,0 @@
-{
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  package = inputs.hxwrap.packages.${pkgs.system}.default;
-in
-{
-  environment.systemPackages = [ package ];
-
-  environment.sessionVariables =
-    let
-      exe = builtins.baseNameOf (lib.getExe package);
-    in
-    {
-      EDITOR = exe;
-      VISUAL = exe;
-    };
-}
--- a/common/nh.nix
+++ b/common/nh.nix
@ -1,17 +0,0 @@
-{
-  pkgs,
-  self,
-  ...
-}:
-{
-  programs.nh = {
-    enable = true;
-    clean = {
-      enable = true;
-      extraArgs = "--keep 5 --keep-since 1w";
-      dates = "weekly";
-    };
-  };
-
-  environment.sessionVariables.NH_FLAKE = "git+https://forgejo@forgejo.helveticanonstandard.net/helvetica/puter.git"; # TODO
-}
--- a/common/nini.nix
+++ b/common/nini.nix
@ -0,0 +1,10 @@
+{inputs, ...}: {
+  imports = [
+    inputs.nini.nixosModules.default
+  ];
+
+  programs.nini = {
+    enable = true;
+    flakeref = "git+https://forgejo.helveticanonstandard.net/helvetica/puter.git";
+  };
+}
--- a/common/nix-index-database.nix
+++ b/common/nix-index-database.nix
@ -1,6 +0,0 @@
-{ inputs, ... }:
-{
-  imports = [
-    inputs.nix-index-database.nixosModules.nix-index
-  ];
-}
--- a/common/pubkeys.nix
+++ b/common/pubkeys.nix
@ -1,19 +0,0 @@
-{
-  lib,
-  self,
-  ...
-}:
-{
-  options.pubkeys =
-    let
-      inherit (lib) types;
-    in
-    lib.mkOption {
-      type = types.attrsOf (types.attrsOf types.str);
-      description = ''
-        Public keys.
-      '';
-    };
-
-  config.pubkeys = lib.mkForce (import (self + /pubkeys.nix));
-}
--- a/common/rsync.nix
+++ b/common/rsync.nix
@ -1,25 +0,0 @@
-{
-  lib,
-  pkgs,
-  ...
-}:
-{
-  #services.rsync = {
-  #  enable = true;
-
-  #  commonArgs = let
-  #    rsh = "${lib.getExe pkgs.openssh} -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
-  #  in [
-  #    "--verbose"
-  #    "--verbose"
-  #    "--archive"
-  #    "--update"
-  #    "--delete"
-  #    "--mkpath"
-  #    "--exclude"
-  #    "lost+found"
-  #    "--rsh"
-  #    rsh
-  #  ];
-  #};
-}
--- a/common/secure-boot.nix
+++ b/common/secure-boot.nix
@ -0,0 +1,12 @@
+{self, attrName, config, lib, pkgs, ...}: let
+  inherit (config.age) secrets;
+in{
+  age.secrets.secure-boot.file = self + /secrets/secure-boot/${attrName}.tar.age;
+
+  system.activationScripts.secureboot = let
+    target = config.boot.lanzaboote.pkiBundle;
+  in ''
+    mkdir --parents ${target}
+    ${lib.getExe pkgs.gnutar} --extract --file ${secrets.secure-boot.path} --directory ${target}
+  '';
+}
--- a/common/shell.nix
+++ b/common/shell.nix
@ -0,0 +1,18 @@
+{ config, ... }:
+{
+  programs = {
+    fish.enable = true;
+
+    bash.interactiveShellInit = ''
+      shopt -s autocd globstar nullglob extglob checkwinsize
+    '';
+
+    starship = {
+      enable = true;
+      interactiveOnly = true;
+      settings.format = "$all";
+    };
+  };
+
+  users.defaultUserShell = config.programs.fish.package;
+}
--- a/common/starship.nix
+++ b/common/starship.nix
@ -1,7 +0,0 @@
-{
-  programs.starship = {
-    enable = true;
-    interactiveOnly = true;
-    settings.format = "$all";
-  };
-}
--- a/common/sudo.nix
+++ b/common/sudo.nix
@ -3,6 +3,8 @@
    enable = true;
    execWheelOnly = true;
    wheelNeedsPassword = true;
-    extraConfig = "Defaults lecture=\"never\"";
+    extraConfig = ''
+      Defaults lecture="never"
+    '';
  };
 }
--- a/common/swap.nix
+++ b/common/swap.nix
@ -1,3 +1,6 @@
 {
-  zramSwap.enable = true;
+  zramSwap = {
+    enable = true;
+    memoryPercent = 50;
+  };
 }
--- a/common/tailscale.nix
+++ b/common/tailscale.nix
@ -3,13 +3,10 @@
  services.tailscale = {
    enable = true;
    openFirewall = true;
+    useRoutingFeatures = "both"; # TODO
  };

-  networking.firewall = {
-    trustedInterfaces = [
-      config.services.tailscale.interfaceName
-    ];
-    # Required to connect to Tailscale exit nodes
-    checkReversePath = "loose";
-  };
+  networking.firewall.trustedInterfaces = [
+    config.services.tailscale.interfaceName
+  ];
 }
--- a/common/tmp.nix
+++ b/common/tmp.nix
@ -0,0 +1,6 @@
+{
+  boot.tmp = {
+    useTmpfs = true;
+    tmpfsSize = "50%";
+  };
+}
--- a/common/users.nix
+++ b/common/users.nix
@ -1,13 +1,13 @@
 {
+  self,
  config,
-  lib,
  ...
 }:
 let
  inherit (config.users) mainUser;
 in
 {
-  age.secrets = lib.mkSecrets { "user-${mainUser}" = { }; };
+  age.secrets."user-${mainUser}".file = self + /secrets/users/${mainUser}.age;

  users = {
    mutableUsers = false;
--- a/common/yazi.nix
+++ b/common/yazi.nix
@ -1,3 +0,0 @@
-{
-  programs.yazi.enable = true;
-}
--- a/common/zellij.nix
+++ b/common/zellij.nix
@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = [
-    pkgs.zellij
-  ];
-}