big refactor of a lot of files

flake.nix

@@ -120,6 +120,29 @@
         allowUnfreePredicate = _: true;
       };
     };
+
+    sharedModules = [
+      {_module.args = {inherit pkgs-edge;};}
+      sops-nix.nixosModules.sops
+      disko.nixosModules.disko
+      home-manager.nixosModules.home-manager
+      catppuccin.nixosModules.catppuccin
+      stylix.nixosModules.stylix
+      nix-index-database.nixosModules.nix-index
+      {
+        home-manager.sharedModules = [
+          inputs.catppuccin.homeManagerModules.catppuccin
+        ];
+      }
+    ];
+
+    desktopModules = [
+      {
+        home-manager.sharedModules = [
+          inputs.plasma-manager.homeManagerModules.plasma-manager
+        ];
+      }
+    ];
   in {
     # Your custom packages
     # Accessible through 'nix build', 'nix shell', etc
@@ -148,152 +171,64 @@
       EDI = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};
-        modules = [
+        modules =
-          {_module.args = {inherit pkgs-edge;};}
+          sharedModules
+          ++ desktopModules
+          ++ [
             nixos-hardware.nixosModules.dell-xps-13-7390
+            lanzaboote.nixosModules.lanzaboote
             # > Our main nixos configuration file <
             ./nixos/hosts/EDI/configuration.nix
-          sops-nix.nixosModules.sops
-          lanzaboote.nixosModules.lanzaboote
-          disko.nixosModules.disko
-          home-manager.nixosModules.home-manager
-          nix-index-database.nixosModules.nix-index
-          catppuccin.nixosModules.catppuccin
-          stylix.nixosModules.stylix
-          {
-            home-manager.sharedModules = [
-              inputs.catppuccin.homeManagerModules.catppuccin
-              inputs.plasma-manager.homeManagerModules.plasma-manager
-            ];
-          }
           ];
       };
 
       GLaDOS = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};
-        modules = [
+        modules =
-          {_module.args = {inherit pkgs-edge;};}
+          sharedModules
+          ++ desktopModules
+          ++ [
             # > Our main nixos configuration file <
             ./nixos/hosts/GLaDOS/configuration.nix
-          sops-nix.nixosModules.sops
-          #lanzaboote.nixosModules.lanzaboote
-          disko.nixosModules.disko
-          home-manager.nixosModules.home-manager
-          nix-index-database.nixosModules.nix-index
-          catppuccin.nixosModules.catppuccin
-          stylix.nixosModules.stylix
-          {
-            home-manager.sharedModules = [
-              inputs.catppuccin.homeManagerModules.catppuccin
-              inputs.plasma-manager.homeManagerModules.plasma-manager
-            ];
-          }
           ];
       };
 
       queen = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};
-        modules = [
+        modules =
-          {_module.args = {inherit pkgs-edge;};}
+          sharedModules
+          ++ [
+            simple-nixos-mailserver.nixosModule
             # > Our main nixos configuration file <
             ./nixos/hosts/queen/configuration.nix
-          sops-nix.nixosModules.sops
-          disko.nixosModules.disko
-          simple-nixos-mailserver.nixosModule
-          catppuccin.nixosModules.catppuccin
-          stylix.nixosModules.stylix
-          {
-            home-manager.sharedModules = [
-              inputs.catppuccin.homeManagerModules.catppuccin
-            ];
-          }
           ];
       };
 
       shodan = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};
-        modules = [
+        modules =
-          {_module.args = {inherit pkgs-edge;};}
+          sharedModules
+          ++ desktopModules
+          ++ [
             # > Our main nixos configuration file <
             ./nixos/hosts/shodan/configuration.nix
-          sops-nix.nixosModules.sops
             lanzaboote.nixosModules.lanzaboote
-          disko.nixosModules.disko
             jovian.nixosModules.jovian
-          home-manager.nixosModules.home-manager
-          catppuccin.nixosModules.catppuccin
-          stylix.nixosModules.stylix
-          {
-            home-manager.sharedModules = [
-              inputs.catppuccin.homeManagerModules.catppuccin
-              inputs.plasma-manager.homeManagerModules.plasma-manager
-            ];
-          }
           ];
       };
 
       wheatley = nixpkgs.lib.nixosSystem {
         system = "aarch64-linux";
         specialArgs = {inherit inputs outputs;};
-        modules = [
+        modules =
+          sharedModules
+          ++ [
             ./nixos/hosts/wheatley/configuration.nix
-          sops-nix.nixosModules.sops
-          home-manager.nixosModules.home-manager
-          nixos-hardware.nixosModules.raspberry-pi-4
-          nix-index-database.nixosModules.nix-index
-          catppuccin.nixosModules.catppuccin
-          stylix.nixosModules.stylix
-          {
-            home-manager.sharedModules = [
-              inputs.catppuccin.homeManagerModules.catppuccin
-            ];
-          }
           ];
       };
-
-      # ISO = nixpkgs.lib.nixosSystem {
-      #   system = "x86_64-linux";
-      #   specialArgs = {inherit inputs outputs;};
-      #   modules = [
-      #     {_module.args = {inherit pkgs-edge;};}
-      #     "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
-      #     "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
-      #     ./nixos/hosts/iso/configuration.nix
-      #     sops-nix.nixosModules.sops
-      #     home-manager.nixosModules.home-manager
-      #     nix-index-database.nixosModules.nix-index
-      #     catppuccin.nixosModules.catppuccin
-      #     {
-      #       home-manager.sharedModules = [
-      #         inputs.plasma-manager.homeManagerModules.plasma-manager
-      #         inputs.catppuccin.homeManagerModules.catppuccin
-      #       ];
-      #     }
-      #   ];
-      # };
-
-      # iso_server = nixpkgs.lib.nixosSystem {
-      #   system = "x86_64-linux";
-      #   specialArgs = {inherit inputs outputs;};
-      #   modules = [
-      #     {_module.args = {inherit pkgs-edge;};}
-      #     "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
-      #     "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
-      #     ./nixos/hosts/iso_server/configuration.nix
-      #     sops-nix.nixosModules.sops
-      #     home-manager.nixosModules.home-manager
-      #     nix-index-database.nixosModules.nix-index
-      #     catppuccin.nixosModules.catppuccin
-      #     {
-      #       home-manager.sharedModules = [
-      #         inputs.catppuccin.homeManagerModules.catppuccin
-      #       ];
-      #     }
-      #   ];
-      # };
     };
   };
 }

home-manager/desktop/default.nix

@@ -15,7 +15,6 @@
     ./package-configs/foot
   ];
   nixpkgs = {
-    config.permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
     # You can add overlays here
     overlays = [
       # You can also add overlays exported from other flakes:
@@ -54,8 +53,10 @@
         });
       })
     ];
-    # Configure your nixpkgs instance
     config = {
+      permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
+      # Configure your nixpkgs instance
+
       # Disable if you don't want unfree packages
       allowUnfree = true;
     };
@@ -132,8 +133,8 @@
     firefoxpwa
     ungoogled-chromium
   ];
-
+  programs = {
-  # programs.vscode = {
+    # vscode = {
     #   enable = true;
     #   package = pkgs.vscodium;
     #   extensions = with pkgs.vscode-extensions; [
@@ -153,18 +154,16 @@
     #   ];
     # };
 
-  programs.obs-studio = {
+    obs-studio.enable = true;
-    enable = true;
+    obs-studio.plugins = with pkgs.obs-studio-plugins; [
-    plugins = with pkgs.obs-studio-plugins; [
       wlrobs
       obs-backgroundremoval
       obs-pipewire-audio-capture
     ];
-  };
 
     # Enable home-manager and git
-  programs.home-manager.enable = true;
+    home-manager.enable = true;
-  programs.git = {
+    git = {
       enable = true;
       userEmail = "git@lillianviolet.dev";
       userName = "Lillian-Violet";
@@ -182,8 +181,8 @@
       ];
     };
 
-  programs.gpg.enable = true;
+    gpg.enable = true;
-  programs.gpg.settings = {
+    gpg.settings = {
       default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d";
       default-recipient-self = true;
       auto-key-locate = "local,wkd,keyserver";
@@ -193,10 +192,10 @@
       keyserver-options = "honor-keyserver-url";
       no-autostart = true;
     };
-
+  };
-  services.kdeconnect = {
+  services = {
-    package = pkgs.kdePackages.kdeconnect-kde;
+    kdeconnect.package = pkgs.kdePackages.kdeconnect-kde;
-    enable = true;
+    kdeconnect.enable = true;
   };
 
   # Nicely reload system units when changing configs

home-manager/hosts/shodan/lillian.nix

@@ -84,7 +84,7 @@
     firefox
     ungoogled-chromium
   ];
-
+  programs = {
     # # Automount services for user
     # programs.bashmount.enable = true;
     # services.udiskie = {
@@ -95,12 +95,13 @@
     # };
 
     # Enable home-manager and git
-  programs.home-manager.enable = true;
+    home-manager.enable = true;
-  programs.git = {
+    git = {
       enable = true;
       userEmail = "git@lillianviolet.dev";
       userName = "Lillian-Violet";
     };
+  };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   home.stateVersion = "24.11";

home-manager/shared/default.nix

@@ -32,13 +32,15 @@
     navi
     nil
   ];
-  programs.navi.enable = true;
+  programs = {
-  programs.yazi = {
+    navi.enable = true;
+    yazi = {
       enable = true;
       package = pkgs.yazi.override {
         _7zz = pkgs._7zz.override {useUasm = true;};
       };
     };
+  };
   stylix.enable = true;
   # stylix = {
   #   enable = true;

home-manager/shared/shell/zellij/default.nix

@@ -206,14 +206,12 @@ in {
       };
     };
   };
-
   home.file = {
     "layout" = {
       source = "${layout}";
       target = ".config/zellij/layouts/default.kdl";
     };
-  };
+
-  home.file = {
     "helix_zellij" = {
       source = "${helix_zellij}";
       target = ".config/zellij/layouts/helix.kdl";

home-manager/shared/shell/zsh.nix

@@ -1,9 +1,9 @@
 {pkgs, ...}: {
-  programs.zoxide = {
+  programs = {
+    zoxide = {
       enable = true;
     };
-
+    zsh = {
-  programs.zsh = {
       enable = true;
       shellAliases = {
         cd = "z";
@@ -67,4 +67,5 @@
         zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }
       '';
     };
+  };
 }

nixos/desktop/default.nix

@@ -29,11 +29,6 @@
     };
   };
 
-  # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
-  programs.command-not-found.enable = lib.mkForce false;
-  programs.nix-index.enable = true;
-  programs.nix-index-database.comma.enable = true;
-
   environment.systemPackages =
     (with pkgs; [
       # Custom tools
@@ -98,61 +93,63 @@
       # list of latest packages from nixpkgs master
       # Can be used to install latest version of some packages
     ]);
+  programs = {
+    # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
+    command-not-found.enable = lib.mkForce false;
+    nix-index.enable = true;
+    nix-index-database.comma.enable = true;
 
-  programs.direnv = {
+    direnv = {
       enable = true;
     };
 
-  # Enable networking
+    steam = {
-  networking.networkmanager.enable = true;
-
-  programs.steam = {
       enable = true;
       remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
       dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
       extest.enable = true;
     };
-  hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
+    kdeconnect.enable = true;
+
+    noisetorch = {
+      enable = true;
+    };
+  };
+
+  # Enable networking
+  networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
 
   # Set your time zone.
   time.timeZone = "Europe/Amsterdam";
-
+  services = {
     # Enable the X11 windowing system.
-  services.xserver.enable = true;
+    xserver.enable = true;
 
     # Enable the KDE Plasma Desktop Environment.
-  services.displayManager.sddm = {
+    displayManager.sddm = {
       enable = true;
       wayland.enable = true;
     };
-  services.displayManager.defaultSession = "plasma";
+    displayManager.defaultSession = "plasma";
-  services.desktopManager.plasma6.enable = true;
+    desktopManager.plasma6.enable = true;
-  programs.kdeconnect.enable = true;
 
     # Enable flatpak support
-  services.flatpak.enable = true;
+    flatpak.enable = true;
-  services.packagekit.enable = true;
+    packagekit.enable = true;
 
     # Configure keymap in X11
-  services.xserver.xkb = {
+    xserver.xkb = {
       layout = "us";
       variant = "";
       options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
     };
 
     # Enable CUPS to print documents.
-  services.printing.enable = true;
+    printing.enable = true;
-
-  # Enable bluetooth hardware
-  hardware.bluetooth.enable = true;
 
     # Enable fwupd daemon and user space client
-  services.fwupd.enable = true;
+    fwupd.enable = true;
-
+    pipewire = {
-  # Enable sound with pipewire.
-  hardware.pulseaudio.enable = false;
-  security.rtkit.enable = true;
-  services.pipewire = {
       enable = true;
       alsa.enable = true;
       alsa.support32Bit = true;
@@ -161,16 +158,7 @@
       wireplumber.enable = true;
     };
 
-  programs.noisetorch = {
+    avahi = {
-    enable = true;
-  };
-
-  virtualisation.podman = {
-    enable = true;
-    dockerCompat = true;
-  };
-
-  services.avahi = {
       nssmdns4 = true;
       enable = true;
       ipv4 = true;
@@ -181,30 +169,49 @@
         workstation = true;
       };
     };
+  };
+  hardware = {
+    graphics.enable32Bit = true;
 
-  security.tpm2.enable = true;
+    # Enable bluetooth hardware
-  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+    bluetooth.enable = true;
-  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
-  users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
 
+    # Enable sound with pipewire.
+    pulseaudio.enable = false;
+  };
+  security.rtkit.enable = true;
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+    tctiEnvironment.enable = true;
+  }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.lillian.extraGroups = ["tss"];
+  boot = {
+    # tss group has access to TPM devices
     # FIXME: re-enable virtual camera loopback when it build again.
-  boot.bootspec.enable = true;
+    bootspec.enable = true;
     #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
     #boot.supportedFilesystems = ["bcachefs"];
-  boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
+    extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
-  boot.kernelModules = [
+    kernelModules = [
       # Virtual Camera
       "v4l2loopback"
       # Virtual Microphone, built-in
       "snd-aloop"
     ];
     # Set initial kernel module settings
-  boot.extraModprobeConfig = ''
+    extraModprobeConfig = ''
       # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
       # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
       # https://github.com/umlaeute/v4l2loopback
       options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
     '';
-  boot.loader.systemd-boot.configurationLimit = 3;
+    loader.systemd-boot.configurationLimit = 3;
-  boot.loader.efi.canTouchEfiVariables = true;
+    loader.efi.canTouchEfiVariables = true;
+  };
 }

nixos/hosts/EDI/configuration.nix

@@ -29,8 +29,12 @@
     # Import your generated (nixos-generate-config) hardware configuration
     ./hardware-configuration.nix
   ];
+  sops = {
+    defaultSopsFile = ./secrets/sops.yaml;
 
-  sops.defaultSopsFile = ./secrets/sops.yaml;
+    secrets."wg-private-key".mode = "0440";
+    secrets."wg-private-key".owner = config.users.users.root.name;
+  };
 
   home-manager = {
     extraSpecialArgs = {inherit inputs outputs;};
@@ -42,15 +46,12 @@
 
   environment.systemPackages = with pkgs; [
   ];
+  networking = {
+    hostName = "EDI";
 
-  networking.hostName = "EDI";
+    wireguard.enable = true;
 
-  sops.secrets."wg-private-key".mode = "0440";
+    wg-quick.interfaces = {
-  sops.secrets."wg-private-key".owner = config.users.users.root.name;
-
-  networking.wireguard.enable = true;
-
-  networking.wg-quick.interfaces = {
       wg0 = {
         autostart = true;
         address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
@@ -67,18 +68,20 @@
         ];
       };
     };
-
+  };
+  boot = {
     # Lanzaboote currently replaces the systemd-boot module.
     # This setting is usually set to true in configuration.nix
     # generated at installation time. So we force it to false
     # for now.
-  boot.loader.systemd-boot.enable = lib.mkForce false;
+    loader.systemd-boot.enable = lib.mkForce false;
-  boot.initrd.systemd.enable = true;
+    initrd.systemd.enable = true;
 
-  boot.lanzaboote = {
+    lanzaboote = {
       enable = true;
       pkiBundle = "/etc/secureboot";
     };
+  };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";

nixos/hosts/GLaDOS/configuration.nix

@@ -28,26 +28,36 @@
     # Import your generated (nixos-generate-config) hardware configuration
     ./hardware-configuration.nix
   ];
+  sops = {
+    defaultSopsFile = ./secrets/sops.yaml;
 
-  sops.defaultSopsFile = ./secrets/sops.yaml;
+    secrets."wg-private-key".mode = "0440";
+    secrets."wg-private-key".owner = config.users.users.root.name;
+
+    secrets."ssh-private-key" = {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.ssh/id_ed25519";
+    };
+  };
 
   environment.systemPackages = with pkgs; [
   ];
 
   services.xserver.videoDrivers = ["amdgpu"];
-
+  hardware = {
     # Add vulkan support to GPU
-  hardware.graphics.extraPackages = with pkgs; [
+    graphics.extraPackages = with pkgs; [
       amdvlk
     ];
     # For 32 bit applications
-  hardware.graphics.extraPackages32 = with pkgs; [
+    graphics.extraPackages32 = with pkgs; [
       driversi686Linux.amdvlk
     ];
-
+  };
-  programs.gamemode = {
+  programs = {
-    enable = true;
+    gamemode.enable = true;
-    settings = {
+    gamemode.settings = {
       general = {
         renice = 10;
       };
@@ -65,9 +75,10 @@
       };
     };
   };
-
+  boot = {
-  boot.loader.systemd-boot.enable = true;
+    loader.systemd-boot.enable = true;
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+    binfmt.emulatedSystems = ["aarch64-linux"];
+  };
 
   # boot.lanzaboote = {
   #   enable = true;
@@ -83,22 +94,13 @@
       lillian = import ../../../home-manager/hosts/GLaDOS;
     };
   };
-
+  networking = {
     # virtualisation.waydroid.enable = false;
-  networking.hostName = "GLaDOS";
+    hostName = "GLaDOS";
 
-  sops.secrets."wg-private-key".mode = "0440";
+    wireguard.enable = true;
-  sops.secrets."wg-private-key".owner = config.users.users.root.name;
 
-  sops.secrets."ssh-private-key" = {
+    wg-quick.interfaces = {
-    mode = "0600";
-    owner = config.users.users.lillian.name;
-    path = "/home/lillian/.ssh/id_ed25519";
-  };
-
-  networking.wireguard.enable = true;
-
-  networking.wg-quick.interfaces = {
       wg0 = {
         autostart = true;
         address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
@@ -115,6 +117,7 @@
         ];
       };
     };
+  };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";

nixos/hosts/queen/configuration.nix

@@ -26,16 +26,17 @@
     # Import disko
     # ../../../disko/queen
   ];
-
-  boot.tmp.cleanOnBoot = true;
   zramSwap.enable = false;
-  networking.domain = "";
+  services = {
-  services.openssh = {
+    openssh = {
       enable = true;
+      settings = {
         # require public key authentication for better security
-    settings.PasswordAuthentication = false;
+        PasswordAuthentication = false;
-    settings.KbdInteractiveAuthentication = false;
+        KbdInteractiveAuthentication = false;
-    settings.PermitRootLogin = "no";
+        PermitRootLogin = "no";
+      };
+    };
   };
 
   nixpkgs = {
@@ -88,6 +89,8 @@
     sqlite
     rocksdb
   ];
+  networking = {
+    domain = "";
 
     # Create an auto-update systemd service that runs every day
     # system.autoUpgrade = {
@@ -102,8 +105,8 @@
     # networking.nat.enable = true;
     # networking.nat.internalInterfaces = ["ve-+"];
     # networking.nat.externalInterface = "ens18";
-  networking.enableIPv6 = lib.mkForce true;
+    enableIPv6 = lib.mkForce true;
-  networking.nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
+    nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
 
     # networking.interfaces.ens18.ipv4.addresses = [
     #   {
@@ -112,19 +115,19 @@
     #   }
     # ];
 
-  networking.interfaces.ens18.ipv6.addresses = [
+    interfaces.ens18.ipv6.addresses = [
       {
         address = "2a02:c207:2063:2448::1";
         prefixLength = 64;
       }
     ];
-  networking.defaultGateway6 = {
+    defaultGateway6 = {
       address = "fe80::1";
       interface = "ens18";
     };
-
+    firewall = {
       # Open ports in the firewall.
-  networking.firewall = {
+
       enable = true;
       allowPing = false;
       allowedTCPPorts = [
@@ -142,6 +145,9 @@
       ];
     };
 
+    hostName = "queen";
+  };
+
   # networking.useNetworkd = true;
 
   # networking.useDHCP = false;
@@ -179,12 +185,14 @@
       lillian = import ../../../home-manager/hosts/queen;
     };
   };
-
+  boot = {
-  networking.hostName = "queen";
+    tmp.cleanOnBoot = true;
-
+    loader.grub = {
-  boot.loader.grub.enable = true;
+      enable = true;
-  boot.loader.grub.configurationLimit = 3;
+      configurationLimit = 3;
-  boot.loader.efi.canTouchEfiVariables = true;
+    };
+    loader.efi.canTouchEfiVariables = true;
+  };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";

nixos/hosts/shodan/configuration.nix

@@ -27,11 +27,117 @@
 
     ./auto-mount.nix
   ];
+  boot = {
+    tmp.cleanOnBoot = true;
+    loader = {
+      # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+      # tss group has access to TPM devices
 
-  boot.tmp.cleanOnBoot = true;
+      # Lanzaboote currently replaces the systemd-boot module.
+      # This setting is usually set to true in configuration.nix
+      # generated at installation time. So we force it to false
+      # for now.
+      systemd-boot.enable = lib.mkForce false;
+      systemd-boot.configurationLimit = 3;
+      timeout = 0;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.systemd.enable = true;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+    consoleLogLevel = 0;
+    kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
+    plymouth.enable = true;
+  };
   zramSwap.enable = false;
-  networking.domain = "";
+  networking = {
-  services.openssh.enable = true;
+    domain = "";
+
+    # Enable networking
+    networkmanager.enable = true;
+
+    firewall.enable = true;
+
+    firewall.allowedTCPPorts = [22];
+
+    hostName = "shodan";
+
+    wireguard.enable = true;
+
+    wg-quick.interfaces = {
+      wg0 = {
+        autostart = true;
+        address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
+        dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
+        listenPort = 51821;
+        privateKeyFile = config.sops.secrets."wg-private-key".path;
+        peers = [
+          {
+            publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
+            endpoint = "84.87.146.85:51821";
+            allowedIPs = ["0.0.0.0/0" "::/0"];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+  services = {
+    openssh.enable = true; # Enables support for 32bit libs that steam uses
+
+    # Enable the X11 windowing system.
+    xserver.enable = true;
+
+    # Enable the KDE Plasma Desktop Environment.
+    desktopManager.plasma6.enable = true;
+
+    avahi = {
+      nssmdns4 = true;
+      enable = true;
+      ipv4 = true;
+      ipv6 = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        workstation = true;
+      };
+    };
+    displayManager = {
+      defaultSession = "plasma";
+      sddm.wayland.enable = lib.mkForce true;
+      sddm.settings = {
+        Autologin = {
+          Session = "plasma.desktop";
+          User = "lillian";
+        };
+      };
+    };
+
+    # Enable flatpak support
+    flatpak.enable = true;
+    packagekit.enable = true;
+
+    # Configure keymap in X11
+    xserver = {
+      xkb.layout = "us";
+      xkb.variant = "";
+    };
+
+    # Enable CUPS to print documents.
+    printing.enable = true;
+
+    # Enable fwupd daemon and user space client
+    fwupd.enable = true;
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+  };
 
   nixpkgs = {
     # You can add overlays here
@@ -43,9 +149,13 @@
       allowUnfree = true;
     };
   };
-
+  sops = {
     #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
-  sops.defaultSopsFile = ./secrets/sops.yaml;
+    defaultSopsFile = ./secrets/sops.yaml;
+
+    secrets."wg-private-key".mode = "0440";
+    secrets."wg-private-key".owner = config.users.users.root.name;
+  };
 
   environment.systemPackages = with pkgs; [
     # Custom tools
@@ -109,60 +219,24 @@
       enableGyroDsuService = true;
     };
   };
-
+  programs = {
-  programs.steam = lib.mkForce {
+    steam = lib.mkForce {
       enable = true;
       remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
       dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
       extest.enable = true;
     };
-  hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
+    kdeconnect.enable = true;
 
-  # Enable the X11 windowing system.
+    noisetorch = {
-  services.xserver.enable = true;
-
-  # Enable the KDE Plasma Desktop Environment.
-  services.desktopManager.plasma6.enable = true;
-  programs.kdeconnect.enable = true;
-
-  services.avahi = {
-    nssmdns4 = true;
       enable = true;
-    ipv4 = true;
+    };
-    ipv6 = true;
+
-    publish = {
+    git = {
       enable = true;
-      addresses = true;
-      workstation = true;
     };
   };
 
-  services.displayManager.defaultSession = "plasma";
-  services.displayManager.sddm.wayland.enable = lib.mkForce true;
-  services.displayManager.sddm.settings = {
-    Autologin = {
-      Session = "plasma.desktop";
-      User = "lillian";
-    };
-  };
-
-  # Enable flatpak support
-  services.flatpak.enable = true;
-  services.packagekit.enable = true;
-
-  # Configure keymap in X11
-  services.xserver = {
-    xkb.layout = "us";
-    xkb.variant = "";
-  };
-
-  # Enable networking
-  networking.networkmanager.enable = true;
-
-  networking.firewall.enable = true;
-
-  networking.firewall.allowedTCPPorts = [22];
-
   # # Enable automounting of removable media
   # services.udisks2.enable = true;
   # services.devmon.enable = true;
@@ -171,32 +245,14 @@
 
   # Set your time zone.
   time.timeZone = "Europe/Amsterdam";
-
+  hardware = {
-  # Enable CUPS to print documents.
+    graphics.enable32Bit = true;
-  services.printing.enable = true;
 
     # Enable bluetooth hardware
-  hardware.bluetooth.enable = true;
+    bluetooth.enable = true;
-
-  # Enable fwupd daemon and user space client
-  services.fwupd.enable = true;
 
     # Enable sound with pipewire.
-  hardware.pulseaudio.enable = false;
+    pulseaudio.enable = false;
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-
-  programs.noisetorch = {
-    enable = true;
-  };
-
-  programs.git = {
-    enable = true;
   };
 
   users.users.lillian.extraGroups = ["decky" "tss" "input"];
@@ -211,54 +267,14 @@
       lillian = import ../../../home-manager/hosts/shodan;
     };
   };
-
+  security = {
-  networking.hostName = "shodan";
+    rtkit.enable = true;
-
+    tpm2 = {
-  sops.secrets."wg-private-key".mode = "0440";
-  sops.secrets."wg-private-key".owner = config.users.users.root.name;
-
-  networking.wireguard.enable = true;
-
-  networking.wg-quick.interfaces = {
-    wg0 = {
-      autostart = true;
-      address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
-      dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
-      listenPort = 51821;
-      privateKeyFile = config.sops.secrets."wg-private-key".path;
-      peers = [
-        {
-          publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
-          endpoint = "84.87.146.85:51821";
-          allowedIPs = ["0.0.0.0/0" "::/0"];
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-
-  security.tpm2.enable = true;
-  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
-  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
-  # tss group has access to TPM devices
-
-  # Lanzaboote currently replaces the systemd-boot module.
-  # This setting is usually set to true in configuration.nix
-  # generated at installation time. So we force it to false
-  # for now.
-  boot.loader.systemd-boot.enable = lib.mkForce false;
-  boot.initrd.systemd.enable = true;
-
-  boot.lanzaboote = {
       enable = true;
-    pkiBundle = "/etc/secureboot";
+      pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+      tctiEnvironment.enable = true;
+    };
   };
-  boot.loader.systemd-boot.configurationLimit = 3;
-  boot.loader.timeout = 0;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.consoleLogLevel = 0;
-  boot.kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
-  boot.plymouth.enable = true;
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";

nixos/hosts/wheatley/configuration.nix

@@ -23,54 +23,16 @@
         super.makeModulesClosure (x // {allowMissing = true;});
     })
   ];
-
+  programs = {
     # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
-  programs.command-not-found.enable = lib.mkForce false;
+    command-not-found.enable = lib.mkForce false;
-  programs.nix-index.enable = true;
+    nix-index.enable = true;
-  programs.nix-index-database.comma.enable = true;
+    nix-index-database.comma.enable = true;
-
-  services.automatic-timezoned.enable = true;
-
-  #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
-  sops.defaultSopsFile = ./secrets/sops.yaml;
-
-  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-
-  boot.initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"];
-
-  sdImage.compressImage = false;
-
-  home-manager = {
-    extraSpecialArgs = {inherit inputs outputs;};
-    users = {
-      # Import your home-manager configuration
-      lillian = import ../../../home-manager/hosts/wheatley;
-    };
   };
+  services = {
+    automatic-timezoned.enable = true;
 
-  networking.hostName = "wheatley";
+    # stubby = {
-
-  networking.networkmanager.enable = true;
-
-  # Disable NetworkManager's internal DNS resolution
-  networking.networkmanager.dns = "none";
-
-  # These options are unnecessary when managing DNS ourselves
-  networking.useDHCP = false;
-  networking.dhcpcd.enable = false;
-
-  # Configure DNS servers manually (this example uses Cloudflare and Google DNS)
-  # IPv6 DNS servers can be used here as well.
-  networking.nameservers = [
-    # "127.0.0.1"
-    # "::1"
-    "94.140.14.49"
-    "94.140.14.59"
-    "2a10:50c0:0:0:0:0:ded:ff"
-    "2a10:50c0:0:0:0:0:ded:ff"
-  ];
-
-  # services.stubby = {
     #   enable = true;
     #   settings =
     #     pkgs.stubby.passthru.settingsExample
@@ -120,7 +82,7 @@
     #     };
     # };
 
-  services.openssh = {
+    openssh = {
       enable = true;
       # require public key authentication for better security
       settings.PasswordAuthentication = false;
@@ -128,6 +90,28 @@
       settings.PermitRootLogin = "no";
     };
 
+    davfs2.enable = true;
+
+    aria2 = {
+      enable = true;
+      settings = {
+        dir = "/var/lib/media";
+        rpc-listen-port = 6969;
+      };
+      rpcSecretFile = config.sops.secrets."rpcSecret".path;
+    };
+
+    dnsmasq = {
+      enable = true;
+      settings = {
+        interface = "wg1";
+      };
+    };
+  };
+  sops = {
+    #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
+    defaultSopsFile = ./secrets/sops.yaml;
+
     # users.users = {
     #   ombi.extraGroups = ["radarr" "sonarr" "aria2"];
     # };
@@ -149,77 +133,65 @@
     #   prowlarr.enable = true;
     # };
 
-  sops.secrets."webdav-secret" = {
+    secrets."webdav-secret" = {
       mode = "0600";
       path = "/etc/davfs2/secrets";
     };
 
-  services.davfs2.enable = true;
+    secrets."rpcSecret".mode = "0440";
-  systemd.mounts = [
+    secrets."rpcSecret".owner = config.users.users.aria2.name;
-    {
-      enable = true;
-      description = "Webdav mount point";
-      after = ["network-online.target"];
-      wants = ["network-online.target"];
 
-      what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
+    secrets."protonvpn-priv-key".mode = "0440";
-      where = "/home/jellyfinmediaplayer/nextcloud";
+    secrets."protonvpn-priv-key".owner = config.users.users.root.name;
-      options = "uid=1003,gid=100,file_mode=0664,dir_mode=2775";
+    secrets."wg-private-key".mode = "0440";
-      type = "davfs";
+    secrets."wg-private-key".owner = config.users.users.root.name;
-    }
+  };
-  ];
+  boot = {
-
+    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-  # #uses port 8096
+
-  # services.jellyfin.enable = true;
+    initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"];
-  # users.groups.jellyfinmediaplayer = {};
+
-  # users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer";
+    kernel.sysctl = {
-  # users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"];
+      "net.ipv4.ip_forward" = 1;
-
+      "net.ipv6.conf.all.forwarding" = 1;
-  # # Add stremio kiosk on wayland :)
-  # users.extraUsers.jellyfinmediaplayer.isNormalUser = true;
-  # services.cage.user = "jellyfinmediaplayer";
-  # services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
-  # services.cage.enable = true;
-  # services.cage.extraArguments = ["-f"];
-
-  users.users.aria2.group = "aria2";
-  users.groups.aria2 = {};
-  users.users.aria2.isSystemUser = true;
-
-  sops.secrets."rpcSecret".mode = "0440";
-  sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
-
-  services.aria2 = {
-    enable = true;
-    settings = {
-      dir = "/var/lib/media";
-      rpc-listen-port = 6969;
     };
-    rpcSecretFile = config.sops.secrets."rpcSecret".path;
   };
 
-  environment.systemPackages = [
+  sdImage.compressImage = false;
-    # (pkgs.kodi.withPackages (kodiPkgs:
+
-    #   with kodiPkgs; [
+  home-manager = {
-    #     steam-controller
+    extraSpecialArgs = {inherit inputs outputs;};
-    #     invidious
+    users = {
-    #     netflix
+      # Import your home-manager configuration
-    #     upnext
+      lillian = import ../../../home-manager/hosts/wheatley;
-    #     sponsorblock
+    };
-    #     sendtokodi
+  };
-    #     jellyfin
+  networking = {
-    #   ]))
+    hostName = "wheatley";
-    pkgs.iptables
+
+    networkmanager.enable = true;
+
+    # Disable NetworkManager's internal DNS resolution
+    networkmanager.dns = "none";
+
+    # These options are unnecessary when managing DNS ourselves
+    useDHCP = false;
+    dhcpcd.enable = false;
+
+    # Configure DNS servers manually (this example uses Cloudflare and Google DNS)
+    # IPv6 DNS servers can be used here as well.
+    nameservers = [
+      # "127.0.0.1"
+      # "::1"
+      "94.140.14.49"
+      "94.140.14.59"
+      "2a10:50c0:0:0:0:0:ded:ff"
+      "2a10:50c0:0:0:0:0:ded:ff"
     ];
 
-  sops.secrets."protonvpn-priv-key".mode = "0440";
+    wireguard.enable = true;
-  sops.secrets."protonvpn-priv-key".owner = config.users.users.root.name;
-  sops.secrets."wg-private-key".mode = "0440";
-  sops.secrets."wg-private-key".owner = config.users.users.root.name;
 
-  networking.wireguard.enable = true;
+    wg-quick.interfaces = {
-
-  networking.wg-quick.interfaces = {
       #   # "wg0" is the network interface name. You can name the interface arbitrarily.
       #   wg0 = {
       #     autostart = true;
@@ -300,24 +272,13 @@
         ];
       };
     };
-
+    nat = {
-  services.dnsmasq = {
-    enable = true;
-    settings = {
-      interface = "wg1";
-    };
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-  };
-
       # enable NAT
-  networking.nat.enable = true;
+      enable = true;
-  networking.nat.externalInterface = "end0";
+      externalInterface = "end0";
-  networking.nat.internalInterfaces = ["wg1"];
+      internalInterfaces = ["wg1"];
-  networking.firewall = {
+    };
+    firewall = {
       enable = true;
       allowPing = false;
       allowedTCPPorts = [
@@ -344,6 +305,54 @@
         } # TURN relay
       ];
     };
+  };
+  systemd.mounts = [
+    {
+      enable = true;
+      description = "Webdav mount point";
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+
+      what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
+      where = "/home/jellyfinmediaplayer/nextcloud";
+      options = "uid=1003,gid=100,file_mode=0664,dir_mode=2775";
+      type = "davfs";
+    }
+  ];
+  users = {
+    users.aria2 = {
+      # #uses port 8096
+      # services.jellyfin.enable = true;
+      # users.groups.jellyfinmediaplayer = {};
+      # users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer";
+      # users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"];
+
+      # # Add stremio kiosk on wayland :)
+      # users.extraUsers.jellyfinmediaplayer.isNormalUser = true;
+      # services.cage.user = "jellyfinmediaplayer";
+      # services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
+      # services.cage.enable = true;
+      # services.cage.extraArguments = ["-f"];
+
+      group = "aria2";
+      isSystemUser = true;
+    };
+    groups.aria2 = {};
+  };
+
+  environment.systemPackages = [
+    # (pkgs.kodi.withPackages (kodiPkgs:
+    #   with kodiPkgs; [
+    #     steam-controller
+    #     invidious
+    #     netflix
+    #     upnext
+    #     sponsorblock
+    #     sendtokodi
+    #     jellyfin
+    #   ]))
+    pkgs.iptables
+  ];
 
   system.stateVersion = "25.05";
   nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";