refactoring

nixos/logical/blackadder.nix

@@ -1,8 +1,6 @@
 { config, pkgs, lib, ... }: {
   imports = [ ../physical/3950x.nix ../roles/workstation.nix ];
 
-  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
-
   system.stateVersion = "19.09";
 
   yorick.lumi-vpn = {
@@ -10,8 +8,7 @@
     mtu = 1408;
   };
 
-  xdg.autostart.enable = false;
-
+  # backups
   services.znapzend = {
     enable = true;
     pure = true;
@@ -31,12 +28,8 @@
     };
   };
 
-  services.udev.extraRules = ''
-    SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess"
-  '';
-
+  # lars user
   nix.settings.trusted-users = [ "lars" ];
-  users.users.yorick.extraGroups = [ "docker" ];
   users.users.lars = {
     isNormalUser = true;
     openssh.authorizedKeys.keys = [
@@ -44,8 +37,8 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood"
     ];
   };
+
+  # docker
   virtualisation.docker.enable = true;
-  # castnow
-  networking.firewall.allowedUDPPorts = [ 5353 ];
-  networking.firewall.allowedTCPPortRanges = [ { from = 4100; to = 4105; } ];
+  users.users.yorick.extraGroups = [ "docker" ];
 }

nixos/logical/smithers.nix

@@ -1,35 +1,9 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, lib, ... }:
 
-let sources = import ../../nix/sources.nix;
-in {
-  imports =
-    [ # Include the results of the hardware scan.
-      "${sources.nixos-hardware}/lenovo/thinkpad/x1"
-      ../physical/x11-hardware-config.nix
-      ../roles/workstation.nix
+{
+  imports = [ ../physical/x11.nix ../roles/workstation.nix ];
 
-    ];
   yorick.lumi-vpn.enable = lib.mkForce false;
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.zfs.requestEncryptionCredentials = true;
-
-  networking.hostName = "smithers";
-  networking.wireless.iwd.enable = true;
-  networking.hostId = "54a8968e";
-
-  hardware.bluetooth.enable = true;
-  services.fprintd.enable = true;
   system.stateVersion = "21.05";
-  boot.kernelPackages = pkgs.linuxPackages_5_15;
-
-  boot.initrd.availableKernelModules = [ "i915" ];
-  boot.loader.timeout = 1;
-  boot.kernelParams = ["i915.fastboot=1" "i915.enable_psr=0" ]; # todo: 2?, "quiet"
-  #boot.plymouth.enable = true;
 }

nixos/modules/lumi-cache.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.yorick.lumi-cache;
+  nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
+    hostname = "cache.lumi.guide";
+    username = "lumi";
+  } ''
+    cat > $out <<EOI
+    machine $hostname
+    login $username
+    password ${
+      builtins.readFile
+      /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
+    }
+    EOI
+  '';
+in {
+  options.yorick.lumi-cache = with lib; {
+    enable = mkEnableOption "lumi cache";
+  };
+  config = lib.mkIf cfg.enable {
+    nix = {
+      settings.substituters = [ "https://cache.lumi.guide/" ];
+      settings.netrc-file = nixNetrcFile;
+      settings.trusted-public-keys = [
+        "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
+      ];
+    };
+  };
+}

nixos/physical/x11.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+let sources = import ../../nix/sources.nix;
+in {
+  imports = [
+    ./.
+    "${sources.nixos-hardware}/lenovo/thinkpad/x1"
+    ./x11-hardware-config.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.zfs.requestEncryptionCredentials = true;
+
+  boot.supportedFilesystems = [ "zfs" ];
+  networking.wireless.iwd.enable = true;
+  networking.hostId = "54a8968e";
+
+  services.zfs.autoScrub.enable = true;
+  services.zfs.trim.enable = true;
+  hardware.bluetooth.enable = true;
+  services.fprintd.enable = true;
+
+  boot.initrd.availableKernelModules = [ "i915" ];
+  boot.loader.timeout = 1;
+  boot.kernelParams = [ "i915.fastboot=1" ];
+  #boot.plymouth.enable = true;
+}

nixos/roles/default.nix

@@ -7,10 +7,14 @@ in {
   imports = [
     ../modules/tor-hidden-service.nix
     ../modules/nginx.nix
+    ../modules/lumi-cache.nix
     ../modules/lumi-vpn.nix
     ../deploy/keys.nix
     ../services
   ];
+
+  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
   networking.domain = "yori.cc";
   networking.hostName = machine;
   time.timeZone = "Europe/Amsterdam";
@@ -99,7 +103,6 @@ in {
     rsync
 
     #gitMinimal
-    #rxvt_unicode.terminfo
   ];
   nix.gc.automatic = true;
 
@@ -132,4 +135,5 @@ in {
     disabledCollectors = [ "rapl" ];
   };
   networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];
+  xdg.autostart.enable = false;
 }

nixos/roles/graphical.nix

@@ -1,49 +0,0 @@
-let secrets = import <secrets>;
-in { config, lib, pkgs, ... }: {
-  imports = [ ./. ];
-  options.yorick.support32bit = with lib;
-    mkOption {
-      type = types.bool;
-      default = false;
-    };
-  config = {
-    hardware.opengl = {
-      enable = true;
-      driSupport32Bit = config.yorick.support32bit;
-    };
-    users.users.yorick.extraGroups = [ "video" ];
-    # fix backlight permissions
-    services.udev.extraRules = ''
-      ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
-      ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
-    '';
-
-    fonts = {
-      fontDir.enable = true;
-      enableGhostscriptFonts = true;
-      fonts = with pkgs; [
-        corefonts # Micrsoft free fonts
-        inconsolata # monospaced
-        source-code-pro
-        ubuntu_font_family # Ubuntu fonts
-        source-han-sans-japanese
-        iosevka
-        font-awesome
-      ];
-    };
-    # spotify
-    networking.firewall.allowedTCPPorts = [ 55025 57621 ];
-    networking.firewall.allowedUDPPorts = [ 55025 57621 ];
-
-    services.openssh.forwardX11 = true;
-
-    programs.sway = {
-      enable = true;
-      extraSessionCommands = ''
-        export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${
-          lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])
-        }
-      '';
-    };
-  };
-}

nixos/roles/workstation.nix

@@ -1,87 +1,54 @@
 { config, lib, pkgs, ... }:
-let
-  nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
-    hostname = "cache.lumi.guide";
-    username = "lumi";
-  } ''
-    cat > $out <<EOI
-    machine $hostname
-    login $username
-    password ${
-      builtins.readFile
-      /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
-    }
-    EOI
-  '';
-in {
-  imports = [ ./graphical.nix ];
+{
+  imports = [ ./default.nix ];
 
-  users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
+  users.users.yorick = {
+    extraGroups = [ "input" "wireshark" "dialout" "video" "libvirtd" ];
+    shell = pkgs.fish;
+  };
   services.printing = {
     enable = true;
-    drivers = [ pkgs.gutenprint pkgs.cups-dymo ];
+    drivers = with pkgs; [ gutenprint cups-dymo ];
   };
   environment.systemPackages = with pkgs; [
-    pkgs.ghostscript
-    pkgs.yubikey-manager
-    pkgs.glib
+    ghostscript yubikey-manager glib
   ];
   environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [
     "${gnome-themes-extra}/share"
     "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"
+    # emacs?
   ];
-  programs.dconf.enable = true;
-  virtualisation.virtualbox.host.enable = false;
-  programs.noisetorch.enable = true;
-  yorick.support32bit = true;
-  services.pcscd.enable = true;
-  #environment.systemPackages = [pkgs.yubikey-manager];
-  fonts.fonts = [ pkgs.emojione ];
-  programs.wireshark.enable = true;
   nix = {
     gc.automatic = pkgs.lib.mkOverride 30 false;
     settings.substituters = [
       "https://cache.nixos.org"
-      "https://cache.lumi.guide/"
       #"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"
       #"https://nixpkgs-wayland.cachix.org"
     ];
-    settings.trusted-substituters = config.nix.settings.substituters ++ [
-      "ssh://yorick@jupiter.serokell.io"
-      "ssh-ng://jupiter"
-      "https://serokell.cachix.org"
-    ];
     settings.trusted-public-keys = [
-      "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
-      "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
-      (lib.mkIf config.yorick.lumi-vpn.enable "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=")
-      "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
       #"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
       "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="
     ];
-    extraOptions = lib.mkIf config.yorick.lumi-vpn.enable ''
-      netrc-file = ${nixNetrcFile}
-    # '';
   };
   services.avahi = {
     enable = true;
     nssmdns = true;
   };
   virtualisation.libvirtd.enable = true;
-  users.users.yorick.extraGroups = [ "libvirtd" "pico" ];
-  users.users.yorick.shell = pkgs.fish;
+  # fix glasgow, fomu, backlight
   services.udev.extraRules = ''
-    SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", TAG+="uaccess"
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", TAG+="uaccess"
+    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
+    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
   '';
 
   # picoscope
-  #users.users.yorick.extraGroups = ["pico"];
   services.udev.packages = [
     (pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
+      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", TAG+="uaccess"
     '')
   ];
-  users.groups.pico = { };
 
   # development
   services.postgresql = {
@@ -94,6 +61,7 @@ in {
   boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;
 
   yorick.lumi-vpn.enable = true;
+  yorick.lumi-cache.enable = true;
 
   security.rtkit.enable = true;
   services.pipewire = {
@@ -104,7 +72,7 @@ in {
     media-session.config.bluez-monitor.rules = [
       {
         # Matches all cards
-        matches = [ { "device.name" = "~bluez_card.*"; } ];
+        matches = [{ "device.name" = "~bluez_card.*"; }];
         actions = {
           "update-props" = {
             "bluez5.reconnect-profiles" = [ "hfp_hf" "hsp_hs" "a2dp_sink" ];
@@ -118,13 +86,13 @@ in {
       {
         matches = [
           # Matches all sources
-          { "node.name" = "~bluez_input.*"; }
+          {
+            "node.name" = "~bluez_input.*";
+          }
           # Matches all outputs
           { "node.name" = "~bluez_output.*"; }
         ];
-        actions = {
-          "node.pause-on-idle" = false;
-        };
+        actions = { "node.pause-on-idle" = false; };
       }
     ];
   };
@@ -133,4 +101,44 @@ in {
     extraPortals = with pkgs; [ xdg-desktop-portal-wlr xdg-desktop-portal-gtk ];
     gtkUsePortal = true;
   };
+  hardware.opengl = {
+    enable = true;
+    driSupport32Bit = true;
+  };
+
+  fonts = {
+    fontDir.enable = true;
+    enableGhostscriptFonts = true;
+    fonts = with pkgs; [
+      corefonts # Micrsoft free fonts
+      inconsolata # monospaced
+      source-code-pro
+      ubuntu_font_family # Ubuntu fonts
+      source-han-sans-japanese
+      iosevka
+      emojione
+      font-awesome
+    ];
+  };
+  # spotify, castnow
+  networking.firewall = {
+    allowedTCPPorts = [ 55025 57621 5353 ];
+    allowedTCPPortRanges = [ { from = 4100; to = 4105; } ];
+    allowedUDPPorts = [ 55025 57621 ];
+  };
+
+  programs = {
+    dconf.enable = true;
+    noisetorch.enable = true;
+    wireshark.enable = true;
+    sway = {
+      enable = true;
+      extraSessionCommands = ''
+        export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${
+          lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])
+        }
+      '';
+    };
+  };
+  services.pcscd.enable = true;
 }