hosts/common: split into multiple files

also add smartd, systemd-lock-handler and usbtop
2024-08-12 17:36:13 +02:00 · 2024-08-12 17:36:13 +02:00 · dbea006c50
parent feb001699d
commit dbea006c50
21 changed files with 323 additions and 241 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -3,102 +3,28 @@ let
  inherit (config) machineVars;
 in {
  imports = [
-    ./nix-builders/bob.nix
-    ./nix-builders/isvegg.nix
-    ./nix-builders/tsuki.nix
+    ./fonts.nix
+    ./nix.nix
+
+    ./programs/gnupg.nix
+    ./programs/neovim.nix
+    ./programs/nix-ld.nix
+    ./programs/ssh.nix
+    ./programs/usbtop.nix
+
+    ./services/dbus.nix
+    ./services/openssh.nix
+    ./services/pcscd.nix
+    ./services/pipewire.nix
+    ./services/printing.nix
+    ./services/resolved.nix
+    ./services/smartd.nix
+    ./services/systemd-lock-handler.nix
+    ./services/xserver.nix
  ];

  sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml";

-  sops.secrets = {
-    "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
-
-    "ssh/secret-config" = {
-      sopsFile = ./../../secrets/common.yaml;
-      mode = "0444";
-    };
-  };
-
-  nix = {
-    package = unstable-pkgs.nixVersions.stable;
-    distributedBuilds = config.networking.hostName != "tsuki";
-
-    settings = {
-      allow-dirty = true;
-      allowed-uris = [ "http://" "https://" ];
-      auto-optimise-store = true;
-      binary-caches = [ "https://cache.nixos.org/" ];
-      builders-use-substitutes = true;
-      experimental-features = [ "nix-command" "flakes" ];
-      log-lines = 50;
-      trusted-users = [ "h7x4" "nix-builder" ];
-      use-xdg-base-directories = true;
-    };
-
-    extraOptions = ''
-      !include ${config.sops.secrets."nix/access-tokens".path}
-    '';
-
-    registry = {
-      home.to = {
-        type = "path";
-        path = "/home/h7x4/nix";
-      };
-      wack.to = {
-        type = "path";
-        path = "/home/h7x4/git/wack-ctf-flake";
-      };
-      nxpt.to = {
-        type = "path";
-        path = "/home/h7x4/git/nixpkgs-tools";
-      };
-    };
-  };
-
-  programs.nix-ld = {
-    enable = true;
-    libraries = with pkgs; [
-      libusb1
-    ];
-  };
-
-  programs.ssh = {
-    extraConfig = ''
-      Include ${config.sops.secrets."ssh/secret-config".path}
-    '';
-
-    knownHosts = {
-      bob = {
-        hostNames = [
-          "bob.pvv.ntnu.no"
-          "bob.pvv.org"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F";
-      };
-      hildring = {
-        hostNames = [
-          "hildring.pvv.ntnu.no"
-          "hildring.pvv.org"
-          "login.pvv.ntnu.no"
-          "login.pvv.org"
-        ];
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
-      };
-      isvegg = {
-        hostNames = [
-          "isvegg.pvv.ntnu.no"
-          "isvegg.pvv.org"
-        ];
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
-      };
-    #   tsukir = {
-    #     hostNames = [ "nani.wtf" "gingakei.loginto.me" ];
-    #     # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path;
-    #     publicKeyFile = "/var/keys/tsuki_nix-builder.pub";
-    #   };
-    };
-  };
-
  time.timeZone = "Europe/Oslo";

  console = {
@ -162,49 +88,6 @@ in {
          else (lib.mkIf (fixDisplayCommand != null) fixDisplayCommand));
  };

-  fonts = {
-    fontDir.enable = true;
-
-    enableDefaultPackages = true;
-    packages = with pkgs; [
-      ark-pixel-font
-      cm_unicode
-      corefonts
-      dejavu_fonts
-      fira-code
-      fira-code-symbols
-      iosevka
-      ipaexfont
-      ipafont
-      liberation_ttf
-      migmix
-      noto-fonts
-      noto-fonts-cjk-sans
-      noto-fonts-cjk-serif
-      noto-fonts-emoji
-      ocr-a
-      open-sans
-      powerline-fonts
-      source-han-sans
-      source-sans
-      symbola
-      texlivePackages.asana-math
-      ubuntu_font_family
-      victor-mono
-      yasashisa-gothic
-      (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
-    ];
-
-    fontconfig = {
-      defaultFonts = {
-        serif = [ "Droid Sans Serif" "Ubuntu" ];
-        sansSerif = [ "Droid Sans" "Ubuntu" ];
-        monospace = [ "Fira Code" "Ubuntu" ];
-        emoji = [ "Noto Sans Emoji" ];
-      };
-    };
-  };
-
  users = {
    users.h7x4 = {
      isNormalUser = true;
@ -233,21 +116,7 @@ in {
  };

  services = {
-    tumbler.enable = !config.machineVars.headless;
    gnome.gnome-keyring.enable = !config.machineVars.headless;
-    printing.enable = !config.machineVars.headless;
-
-    resolved.enable = true;
-
-    openssh = {
-      startWhenNeeded = true;
-      settings = {
-        StreamLocalBindUnlink = true;
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = "no";
-      };
-    };

    udev.packages = with pkgs; [
      yubikey-personalization
@ -255,49 +124,12 @@ in {
      light
    ];

-    pcscd.enable = true;
-
-    dbus = {
-      enable = true;
-      packages = with pkgs; [
-        gcr
-        dconf
-      ];
-    };
-
    libinput = {
      enable = !config.machineVars.headless;
      touchpad.disableWhileTyping = true;
    };

    displayManager.defaultSession = "none+xmonad";
-
-    xserver = {
-      enable = !config.machineVars.headless;
-
-      xkb = {
-        layout = "us";
-        options = "caps:escape";
-      };
-
-      desktopManager = {
-        xterm.enable = false;
-        xfce.enable = !config.machineVars.headless;
-      };
-
-      displayManager.lightdm.enable = !config.machineVars.headless;
-
-      windowManager.xmonad = {
-        enable = true;
-        enableContribAndExtras = true;
-        enableConfiguredRecompile = true;
-        extraPackages = hPkgs: with hPkgs; [
-          dbus
-        ];
-      };
-
-    };
-
  };

  programs = {
@ -305,38 +137,6 @@ in {
    git.enable = true;
    tmux.enable = true;
    zsh.enable = true;
-
-    gnupg.agent.enable = true;
-    gnupg.agent.pinentryPackage = pkgs.pinentry-curses;
-
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      viAlias = true;
-      vimAlias = true;
-      configure = {
-        packages.myVimPackage = with pkgs.vimPlugins; {
-          start = [
-            direnv-vim
-            vim-nix
-            vim-polyglot
-          ];
-
-          opt = [
-            vim-monokai
-          ];
-        };
-
-        customRC = ''
-          set number relativenumber
-          set undofile
-          set undodir=~/.cache/vim/undodir
-
-          packadd! vim-monokai
-          colorscheme monokai
-        '';
-      };
-    };
  };

  system.extraDependencies =
@ -379,12 +179,6 @@ in {
    ]);

  security.rtkit.enable = !config.machineVars.headless;
-  services.pipewire = {
-    enable = !config.machineVars.headless;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };

  security.sudo.extraConfig = let
    sudoLecture = pkgs.writeText "sudo-lecture.txt" (extendedLib.termColors.front.red "Be careful or something, idk...\n");
--- a/hosts/common/fonts.nix
+++ b/hosts/common/fonts.nix
@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontDir.enable = true;
+
+    enableDefaultPackages = true;
+    packages = with pkgs; [
+      ark-pixel-font
+      cm_unicode
+      corefonts
+      dejavu_fonts
+      fira-code
+      fira-code-symbols
+      iosevka
+      ipaexfont
+      ipafont
+      liberation_ttf
+      migmix
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-cjk-serif
+      noto-fonts-emoji
+      ocr-a
+      open-sans
+      powerline-fonts
+      source-han-sans
+      source-sans
+      symbola
+      texlivePackages.asana-math
+      ubuntu_font_family
+      victor-mono
+      yasashisa-gothic
+      (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
+    ];
+
+    fontconfig = {
+      defaultFonts = {
+        serif = [ "Droid Sans Serif" "Ubuntu" ];
+        sansSerif = [ "Droid Sans" "Ubuntu" ];
+        monospace = [ "Fira Code" "Ubuntu" ];
+        emoji = [ "Noto Sans Emoji" ];
+      };
+    };
+  };
+}
--- a/hosts/common/nix-builders/bob.nix
+++ b/hosts/common/nix-builders/bob.nix
@ -18,11 +18,21 @@
    # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
  }];

-  programs.ssh.extraConfig = ''
+  programs.ssh = {
+    extraConfig = ''
      Host nix-builder-bob
        HostName bob.pvv.ntnu.no
        ProxyJump nix-builder-isvegg
        User oysteikt
        IdentityFile ${config.sops.secrets."ssh/nix-builders/bob/key".path}
    '';
+
+    knownHosts.bob = {
+      hostNames = [
+        "bob.pvv.ntnu.no"
+        "bob.pvv.org"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F";
+    };
+  };
 }
--- a/hosts/common/nix-builders/tsuki.nix
+++ b/hosts/common/nix-builders/tsuki.nix
@ -22,9 +22,17 @@
    sshKey = config.sops.secrets."ssh/nix-builders/tsuki/key".path;
  }];

-  programs.ssh.extraConfig = ''
+  programs.ssh = {
+    extraConfig = ''
      Host nix-builder-tsukir
        HostName gingakei.loginto.me
        Port ${toString secrets.ports.ssh.home-in}
    '';
+
+    # knownHosts.tsukir = {
+    #   hostNames = [ "nani.wtf" "gingakei.loginto.me" ];
+    #   # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path;
+    #   publicKeyFile = "/var/keys/tsuki_nix-builder.pub";
+    # };
+  };
 }
--- a/hosts/common/nix.nix
+++ b/hosts/common/nix.nix
@ -0,0 +1,48 @@
+{ config, unstable-pkgs, ... }:
+{
+  imports = [
+    ./nix-builders/bob.nix
+    ./nix-builders/isvegg.nix
+    ./nix-builders/tsuki.nix
+  ];
+
+  sops.secrets = {
+    "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
+  };
+
+  nix = {
+    package = unstable-pkgs.nixVersions.stable;
+    distributedBuilds = config.networking.hostName != "tsuki";
+
+    settings = {
+      allow-dirty = true;
+      allowed-uris = [ "http://" "https://" ];
+      auto-optimise-store = true;
+      binary-caches = [ "https://cache.nixos.org/" ];
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" ];
+      log-lines = 50;
+      trusted-users = [ "h7x4" "nix-builder" ];
+      use-xdg-base-directories = true;
+    };
+
+    extraOptions = ''
+      !include ${config.sops.secrets."nix/access-tokens".path}
+    '';
+
+    registry = {
+      home.to = {
+        type = "path";
+        path = "/home/h7x4/nix";
+      };
+      wack.to = {
+        type = "path";
+        path = "/home/h7x4/git/wack-ctf-flake";
+      };
+      nxpt.to = {
+        type = "path";
+        path = "/home/h7x4/git/nixpkgs-tools";
+      };
+    };
+  };
+}
--- a/hosts/common/programs/gnupg.nix
+++ b/hosts/common/programs/gnupg.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  programs.gnupg = {
+    agent = {
+      enable = true;
+      pinentryPackage = pkgs.pinentry-curses;
+    };
+  };
+}
--- a/hosts/common/programs/neovim.nix
+++ b/hosts/common/programs/neovim.nix
@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+    configure = {
+      packages.myVimPackage = with pkgs.vimPlugins; {
+        start = [
+          direnv-vim
+          vim-nix
+          vim-polyglot
+        ];
+
+        opt = [
+          vim-monokai
+        ];
+      };
+
+      customRC = ''
+        set number relativenumber
+        set undofile
+        set undodir=~/.cache/vim/undodir
+
+        packadd! vim-monokai
+        colorscheme monokai
+      '';
+    };
+  };
+}
--- a/hosts/common/programs/nix-ld.nix
+++ b/hosts/common/programs/nix-ld.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      libusb1
+    ];
+  };
+}
--- a/hosts/common/programs/ssh.nix
+++ b/hosts/common/programs/ssh.nix
@ -0,0 +1,32 @@
+{ config, ... }:
+{
+  sops.secrets."ssh/secret-config" = {
+    sopsFile = ./../../../secrets/common.yaml;
+    mode = "0444";
+  };
+
+  programs.ssh = {
+    extraConfig = ''
+      Include ${config.sops.secrets."ssh/secret-config".path}
+    '';
+
+    knownHosts = {
+      hildring = {
+        hostNames = [
+          "hildring.pvv.ntnu.no"
+          "hildring.pvv.org"
+          "login.pvv.ntnu.no"
+          "login.pvv.org"
+        ];
+        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
+      };
+      isvegg = {
+        hostNames = [
+          "isvegg.pvv.ntnu.no"
+          "isvegg.pvv.org"
+        ];
+        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
+      };
+    };
+  };
+}
--- a/hosts/common/programs/usbtop.nix
+++ b/hosts/common/programs/usbtop.nix
@ -0,0 +1,22 @@
+{ pkgs, lib, ... }:
+{
+  # programs.usbtop.enable = true;
+
+  boot.kernelModules = [ "usbmon" ];
+
+  security.wrappers."usbtop" = {
+    owner = "root";
+    group = "usbmon";
+    setgid = true;
+    source = lib.getExe pkgs.usbtop;
+  };
+
+  users.groups.usbmon = {
+    # NOTE: picked at random
+    gid = 872;
+  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usbmon", MODE="0660", OWNER="root", GROUP="usbmon"
+  '';
+}
--- a/hosts/common/services/dbus.nix
+++ b/hosts/common/services/dbus.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  services.dbus = {
+    enable = true;
+    packages = with pkgs; [
+      gcr
+      dconf
+    ];
+  };
+}
--- a/hosts/common/services/openssh.nix
+++ b/hosts/common/services/openssh.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.openssh = {
+    startWhenNeeded = true;
+    settings = {
+      StreamLocalBindUnlink = true;
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+}
--- a/hosts/common/services/pcscd.nix
+++ b/hosts/common/services/pcscd.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.pcscd.enable = true;
+}
--- a/hosts/common/services/pipewire.nix
+++ b/hosts/common/services/pipewire.nix
@ -0,0 +1,9 @@
+{ config, ... }:
+{
+  services.pipewire = {
+    enable = !config.machineVars.headless;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+}
--- a/hosts/common/services/printing.nix
+++ b/hosts/common/services/printing.nix
@ -0,0 +1,4 @@
+{ config, ... }:
+{
+  services.printing.enable = !config.machineVars.headless;
+}
--- a/hosts/common/services/resolved.nix
+++ b/hosts/common/services/resolved.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.resolved.enable = true;
+}
--- a/hosts/common/services/smartd.nix
+++ b/hosts/common/services/smartd.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.smartd.enable = true;
+}
--- a/hosts/common/services/systemd-lock-handler.nix
+++ b/hosts/common/services/systemd-lock-handler.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.systemd-lock-handler.enable = true;
+}
--- a/hosts/common/services/xserver.nix
+++ b/hosts/common/services/xserver.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.xserver = {
+    enable = !config.machineVars.headless;
+
+    xkb = {
+      layout = "us";
+      options = "caps:escape";
+    };
+
+    # desktopManager = {
+    #   xterm.enable = false;
+    #   xfce.enable = !config.machineVars.headless;
+    # };
+
+    displayManager.lightdm.enable = !config.machineVars.headless;
+
+    windowManager.xmonad = {
+      enable = true;
+      enableContribAndExtras = true;
+      enableConfiguredRecompile = true;
+      extraPackages = hPkgs: with hPkgs; [ dbus ];
+    };
+  };
+}
--- a/hosts/dosei/configuration.nix
+++ b/hosts/dosei/configuration.nix
@ -66,8 +66,6 @@
    # hostId = "";
  };

-  programs.usbtop.enable = true;
-
  services = {
    openssh = {
      enable = true;