Move vim packages to pkgs

Add system config

Split up modules into home and system sets

Update

Cleanup

Move home config

Add module attrs

Fix empty LUKS device UUID

Import local secrets

.gitignore

@@ -2,5 +2,5 @@ private/
 home.nix
 *.swp
 result
-pkgs/tubslatex_1.3.2.tds.zip
+*.zip
 work.nix

default.nix

@@ -0,0 +1,12 @@
+{ pkgs ? import <nixpkgs> }:
+
+with pkgs;
+{
+  lib = import ./lib { inherit pkgs; };
+  modules = import ./modules;
+  hmModules = import ./modules/home;
+  overlays = import ./overlays;
+
+  tubslatex = callPackage ./pkgs/tubslatex {};
+  keys = callPackage ./pkgs/keys {};
+}

hosts/gorgon/default.nix

@@ -0,0 +1,123 @@
+{ config, pkgs, lib, ... }:
+let
+  this = import ../.. {};
+in
+{
+  imports = (lib.attrValues this.modules) ++ [
+    ../../modules/profiles/base
+    <nixos-hardware/lenovo/thinkpad/t14s/amd/gen1>
+  ];
+
+  boot.kernelModules = [ "kvm-amd" ];
+
+  virtualisation = {
+    libvirtd.enable = true;
+    docker.enable = false;
+  };
+
+  networking.hostName = "gorgon";
+
+  dadada = {
+    steam.enable = true;
+    fido2 = {
+      credential = "04ea2813a116f634e90f9728dbbb45f1c0f93b7811941a5a14fb75e711794df0c26552dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec01473070000";
+      enablePam = true;
+    };
+    luks.uuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
+    networking = {
+      wanInterfaces = [ "enp2s0f0" "wlp3s0" ];
+      enableBsShare = true;
+      vpnExtension = "3";
+    };
+  };
+
+  boot.kernel.sysctl = {
+    "vm.swappiness" = 90;
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  programs.adb.enable = true;
+
+  services.fstrim.enable = true;
+
+  # Enable CUPS to print documents.
+  services.printing = {
+    enable = true;
+    browsing = true;
+    drivers = with pkgs; [
+      hplip
+      brlaser
+      brgenml1lpr
+      brgenml1cupswrapper
+    ];
+  };
+
+  hardware = {
+    bluetooth.enable = true;
+    pulseaudio = {
+      enable = true;
+      extraModules = [ pkgs.pulseaudio-modules-bt ];
+      extraConfig = ''
+        set-source-volume 1 10000
+      '';
+      package = pkgs.pulseaudioFull;
+    };
+  };
+
+  services.avahi.enable = true;
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22000 # Syncthing
+    ];
+    allowedUDPPorts = [
+      21027 # Syncthing
+    ];
+  };
+
+  services.xserver.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome3.enable = true;
+
+  xdg.mime.enable = true;
+
+  users.users = {
+    dadada = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" "networkmanager" "libvirtd" "adbusers" "kvm" "video" "scanner" "lp" "docker" ];
+      shell = "/run/current-system/sw/bin/zsh";
+      initialHashedPassword = "nopass";
+    };
+
+    "tim.schubert" = {
+      isNormalUser = true;
+      extraGroups = [ "networkmanager" "libvirtd" "adbusers" "kvm" "video" "scanner" "lp" "docker" ];
+      shell = "/run/current-system/sw/bin/zsh";
+      initialHashedPassword = "nopass";
+    };
+  };
+
+  networking.hosts = {
+    "fd42:dead:beef:0:5054:ff:fefb:7361" = [
+      "media.dadada.li"
+      "ifrit.dadada.li"
+      "weechat.dadada.li"
+      "webchat.dadada.li"
+    ];
+    "192.168.42.103" = [
+      "media.dadada.li"
+      "ifrit.dadada.li"
+      "weechat.dadada.li"
+      "webchat.dadada.li"
+    ];
+    "fd42:dead:beef::5054:ff:fe8b:58df" = [ "iot.dadada.li" ];
+    "fd42:dead:beef::20d:b9ff:fe4c:c9ac" = [ "agares.dadada.li" ];
+    "192.168.42.15" = [ "agares.dadada.li" "agares" ];
+    "192.168.42.11" = [ "wohnzimmerpi.dadada.li" "wohnzimmerpi" ];
+    "10.1.2.9" = [ "fgprinter.fginfo.tu-bs.de" ];
+  };
+}

hosts/gorgon/home/default.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+let
+  this = import ../../.. {};
+in
+{
+  nixpkgs.overlays = [
+    this.overlays.tubslatex
+  ];
+
+  imports = lib.attrValues this.hmModules;
+
+  dadada.home = {
+    vim.enable = true;
+    direnv.enable = true;
+    git.enable = true;
+    gpg.enable = true;
+    gtk.enable = true;
+    keyring.enable = true;
+    kitty.enable = true;
+    ssh.enable = true;
+    syncthing.enable = true;
+    xdg.enable = true;
+    zsh.enable = true;
+
+    session = {
+      enable = true;
+      sessionVars = {
+        EDITOR = "vim";
+        PAGER = "less";
+        MAILDIR = "\$HOME/.var/mail";
+        MBLAZE = "\$HOME/.config/mblaze";
+        NOTMUCH_CONFIG = "\$HOME/.config/notmuch/config";
+        MOZ_ENABLE_WAYLAND= "1";
+      };
+    };
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+
+  home.packages = import ./pkgs.nix { pkgs = pkgs; };
+}

hosts/gorgon/home/pkgs.nix

@@ -35,10 +35,12 @@ with pkgs; [
   imagemagick
   inkscape
   inotify-tools
+  irssi
   jameica
   jq
   kcachegrind
   keepassxc
+  #keys
   kitty
   ldns
   libreoffice
@@ -71,7 +73,7 @@ with pkgs; [
   steam
   tcpdump
   tdesktop
-  texlive-tubslatex
+  tubslatex
   thunderbird-bin
   unzip
   usbutils

hosts/ifrit/default.nix

@@ -0,0 +1,150 @@
+{ config, pkgs, lib, ... }:
+let
+  hostAliases = [
+    "ifrit.dadada.li"
+    "vpn.dadada.li"
+    "media.dadada.li"
+    "media.local"
+  ];
+  backups = "/mnt/storage/backup";
+  this = import ../.. {};
+  keys = ../../pkgs/keys/keys;
+in {
+  imports = (lib.attrValues this.modules) ++ [
+    ../../modules/profiles/base
+    <nixpkgs/nixos/modules/profiles/minimal.nix>
+  ];
+
+  dadada = {
+    admin.enable = true;
+    fileShare.enable = true;
+    admin.users = {
+      "dadada" = [ "${keys}/dadada.pub" ];
+    };
+
+    vpnServer.enable = true;
+    vpnServer.peers = {
+      "metis" = {
+        id = "1";
+        key = "u+HCYDbK0zwbIEfGf+LVQErlJ0vchf5ZYj0N93NB5ns=";
+      };
+      "morax" = {
+        id = "2";
+        key = "Lq5QLGoI3r3BXEJ72dWH9UTmY/8uaYRPLQB5WWHqJUE=";
+      };
+      "gorgon" = {
+        id = "3";
+        key = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
+      };
+    };
+
+    weechat.enable = true;
+  };
+
+  services.borgbackup.repos = {
+    "metis" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/metis";
+      quota = "1T";
+    };
+    "gorgon" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/gorgon";
+      quota = "1T";
+    };
+    "wohnzimmerpi" = {
+      allowSubRepos = false;
+      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
+      path = "${backups}/wohnzimmerpi";
+      quota = "50G";
+    };
+  };
+
+  networking.hostName = "ifrit";
+  networking.domain = "dadada.li";
+
+  networking.hosts = {
+    "127.0.0.1" = hostAliases;
+    "::1" = hostAliases;
+  };
+
+  networking.nameservers = [
+    "1.1.1.1"
+    "1.0.0.1"
+  ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+
+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+    mountPoint = "/mnt/storage";
+    neededForBoot = false;
+    options = [ "nofail" ];
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowPing = true;
+    allowedTCPPorts = [
+      22 # SSH
+      80 443 # HTTP(S)
+      111 2049 # NFS
+      137 138 139 445 # SMB
+    ];
+    allowedUDPPorts = [
+      137 138 139 445 # SMB
+      111 2049 # NFS
+      51234 # Wireguard
+    ];
+  };
+
+  security.acme = {
+    email = "d553a78d-0349-48db-9c20-5b27af3a1dfc@dadada.li";
+    acceptTerms = true;
+    certs."webchat.dadada.li" = {
+      credentialsFile = "/var/lib/lego/acme-joker.env";
+      dnsProvider = "joker";
+      postRun = "systemctl reload nginx.service";
+    };
+    certs."weechat.dadada.li" = {
+      credentialsFile = "/var/lib/lego/acme-joker.env";
+      dnsProvider = "joker";
+      postRun = "systemctl reload nginx.service";
+    };
+  };
+
+  users.users."mist" = {
+    isNormalUser = true;
+  };
+
+  services.ddclient = {
+    enable = true;
+    configFile = /var/lib/dyndns/config;
+  };
+
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+    };
+  };
+}

lib/colors.nix

@@ -1,29 +0,0 @@
-{
-  foreground = "#a3a3a3";
-  foregroundBold = "#e8e8e8";
-  cursor = "#e8e8e8";
-  cursorForeground = "#1f2022";
-  background = "#292b2e";
-  color0  = "#1f2022";
-  color8  = "#585858";
-  color7  = "#a3a3a3";
-  color15 = "#f8f8f8";
-  color1  = "#f2241f";
-  color9  = "#f2241f";
-  color2  = "#67b11d";
-  color10 = "#67b11d";
-  color3  = "#b1951d";
-  color11 = "#b1951d";
-  color4  = "#4f97d7";
-  color12 = "#4f97d7";
-  color5  = "#a31db1";
-  color13 = "#a31db1";
-  color6  = "#2d9574";
-  color14 = "#2d9574";
-  color16 = "#ffa500";
-  color17 = "#b03060";
-  color18 = "#282828";
-  color19 = "#444155";
-  color20 = "#b8b8b8";
-  color21 = "#e8e8e8";
-}

lib/default.nix

@@ -0,0 +1,5 @@
+{ pkgs }:
+
+with pkgs.lib; {
+  # TODO
+}

modules/admin.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.admin;
+in {
+  options.dadada.admin = {
+    enable = mkEnableOption "Enable admin access";
+
+    users = mkOption {
+      type = with types; attrsOf (listOf path);
+      default = [];
+      description = ''
+              List of admin users with root access to all the machine.
+      '';
+      example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]";
+    };
+
+    rat = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable NAT and firewall traversal for SSH via tor hidden service
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.sshd.enable = true;
+    services.openssh.passwordAuthentication = false;
+    security.sudo.wheelNeedsPassword = false;
+
+    users.mutableUsers = false;
+
+    users.users = mapAttrs (user: keys: (
+      {
+        extraGroups = [ "wheel" ];
+        isNormalUser = true;
+        openssh.authorizedKeys.keyFiles = keys;
+      })) cfg.users;
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+
+    environment.systemPackages = with pkgs; [
+      vim
+    ];
+
+    services.tor.hiddenServices = {
+      "rat" = mkIf cfg.rat.enable {
+        name = "rat";
+        map = [ { port = 22; } ];
+      };
+    };
+  };
+}
+

modules/backup.nix

@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ...}:
+with lib;
+let
+  backupExcludes =  [
+    "/backup"
+    "/dev"
+    "/efi"
+    "/home/*/.cache"
+    "/home/*/.config/Riot/Cache"
+    "/home/iserv"
+    "/lost+found"
+    "/mnt"
+    "/nix"
+    "/proc"
+    "/run"
+    "/sys"
+    "/tmp"
+    "/var/cache"
+    "/var/log"
+    "/var/tmp"
+  ];
+  cfg = config.dadada.backupClient;
+in {
+  options.dadada.backupClient = {
+    enable = mkEnableOption "Enable backup client";
+    gs = mkEnableOption "Enable backup to GS location";
+    bs = mkEnableOption "Enable backup to BS location";
+  };
+
+  config = mkIf cfg.enable {
+
+    fileSystems = mkIf cfg.gs {
+      "/backup" = {
+        device = "/dev/disk/by-uuid/0fdab735-cc3e-493a-b4ec-cbf6a77d48d5";
+        fsType = "ext4";
+        options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+      };
+    };
+
+    services.borgbackup.jobs.gs = mkIf cfg.gs {
+      paths = "/";
+      exclude = backupExcludes;
+      repo = "/backup/${config.networking.hostName}";
+      doInit = false;
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat /var/lib/borgbackup/gs/passphrase";
+      };
+      compression = "auto,lz4";
+      prune.keep = {
+        within = "1d"; # Keep all archives from the last day
+        daily = 7;
+        weekly = 2;
+        monthly = -1;  # Keep at least one archive for each month
+        yearly = -1;  # Keep at least one archive for each year
+      };
+      startAt = "monthly";
+    };
+
+    networking.hosts = mkIf cfg.bs {
+      "fd42:dead:beef:0:5054:ff:fefb:7361" = [
+        "media.dadada.li"
+      ];
+    };
+
+    services.borgbackup.jobs.bs = mkIf cfg.bs{
+      paths = "/";
+      exclude = backupExcludes;
+      repo = "borg@media.dadada.li:/mnt/storage/backup/${config.networking.hostName}";
+      doInit = true;
+      environment = {
+        BORG_RSH = "ssh -i /var/lib/borgbackup/bs/id_ed25519 -o 'StrictHostKeyChecking accept-new'";
+      };
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat /var/lib/borgbackup/bs/passphrase";
+      };
+      compression = "auto,lz4";
+      startAt = "daily";
+    };
+  };
+}

modules/default.nix

@@ -0,0 +1,11 @@
+{
+  admin = ./admin.nix;
+  backup = ./backup.nix;
+  fido2 = ./fido2.nix;
+  fileShare = ./fileShare.nix;
+  networking = ./networking.nix;
+  steam = ./steam.nix;
+  update = ./update.nix;
+  vpnServer = ./vpnServer.nix;
+  weechat = ./weechat.nix;
+}

modules/fido2.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  luks = config.dadada.luks;
+  fido2 = config.dadada.fido2;
+in {
+
+  options = {
+    dadada.luks = {
+      uuid = mkOption {
+        type = with types; nullOr str;
+        description = "Device UUID";
+        default = null;
+      };
+    };
+
+    dadada.fido2 = {
+      enablePam = mkEnableOption "Enable PAM U2F";
+      credential = mkOption {
+        type = with types; nullOr str;
+        description = "FIDO2 credential string";
+        default = null;
+      };
+    };
+  };
+
+  config = {
+    boot.initrd.luks.devices = mkIf (luks.uuid != null) {
+      root = {
+        device = "/dev/disk/by-uuid/${luks.uuid}";
+        preLVM = true;
+        allowDiscards = true;
+        fido2 = mkIf (fido2.credential != null) {
+          credential = fido2.credential;
+          passwordLess = true;
+        };
+      };
+    };
+
+    boot.initrd.luks.fido2Support = mkIf (fido2.credential != null) true;
+
+    environment.systemPackages = mkIf (fido2.credential != null) (with pkgs; [
+      linuxPackages.acpi_call
+      fido2luks
+      python27Packages.dbus-python
+      python38Packages.solo-python    
+    ]);
+
+    security.pam.u2f = mkIf fido2.enablePam {
+      enable = true;
+      control = "sufficient";
+      cue = true;
+    };
+  };
+
+}

modules/fileShare.nix

@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.fileShare;
+  sharePath = "/mnt/storage/share";
+  ipv6 = "fd42:dead:beef::/48";
+  ipv4 = "192.168.42.0/24";
+  allow = "192.168.42.0 fd42:dead:beef::";
+in {
+  options.dadada.fileShare = {
+    enable = mkEnableOption "Enable file share server";
+  };
+  config = mkIf cfg.enable {
+    services.samba = {
+      enable = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+        server string = media
+        netbios name = media
+        security = user 
+        #use sendfile = yes
+        #max protocol = smb2
+        hosts allow = ${allow} localhost
+        hosts deny = 0.0.0.0/0
+        guest account = nobody
+        map to guest = bad user
+      '';
+      shares = {
+        public = {
+          path = sharePath;
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "username";
+          "force group" = "groupname";
+        };
+      };
+    };
+    services.nfs = {
+      server.enable = true;
+      server.exports = ''
+        ${sharePath} ${ipv6}(rw,all_squash,insecure,subtree_check) ${ipv4}(rw,all_squash,insecure,subtree_check) # map to user/group - in this case nobody
+      '';
+    };
+  };
+}
+

modules/home/colors.nix

@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib;
+{
+  options.dadada.home.colors = mkOption {
+    type = types.attrs;
+    description = "Color scheme";
+  };
+
+  config = {
+    dadada.home.colors = {
+      foreground = "#a3a3a3";
+      foregroundBold = "#e8e8e8";
+      cursor = "#e8e8e8";
+      cursorForeground = "#1f2022";
+      background = "#292b2e";
+      color0  = "#1f2022";
+      color8  = "#585858";
+      color7  = "#a3a3a3";
+      color15 = "#f8f8f8";
+      color1  = "#f2241f";
+      color9  = "#f2241f";
+      color2  = "#67b11d";
+      color10 = "#67b11d";
+      color3  = "#b1951d";
+      color11 = "#b1951d";
+      color4  = "#4f97d7";
+      color12 = "#4f97d7";
+      color5  = "#a31db1";
+      color13 = "#a31db1";
+      color6  = "#2d9574";
+      color14 = "#2d9574";
+      color16 = "#ffa500";
+      color17 = "#b03060";
+      color18 = "#282828";
+      color19 = "#444155";
+      color20 = "#b8b8b8";
+      color21 = "#e8e8e8";
+    };
+  };
+}

modules/home/default.nix

@@ -0,0 +1,20 @@
+{
+  colors = ./colors.nix;
+  direnv = ./direnv.nix;
+  fish = ./fish.nix;
+  git = ./git.nix;
+  gpg = ./gpg.nix;
+  gtk = ./gtk.nix;
+  keyring = ./keyring.nix;
+  kitty = ./kitty;
+  mako = ./mako.nix;
+  session = ./session.nix;
+  ssh = ./ssh.nix;
+  sway = ./sway;
+  syncthing = ./syncthing.nix;
+  termite = ./termite.nix;
+  tmux = ./tmux.nix;
+  vim = ./vim;
+  xdg = ./xdg.nix;
+  zsh = ./zsh.nix;
+}

modules/home/direnv.nix

@@ -1,10 +1,10 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.direnv;
+  cfg = config.dadada.home.direnv;
 in
 {
-  options.dadada.direnv = {
+  options.dadada.home.direnv = {
     enable = mkEnableOption "Enable direnv config";
   };
   config = mkIf cfg.enable {

modules/home/fish.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.fish;
+  cfg = config.dadada.home.fish;
 in {
-  options.dadada.fish = {
+  options.dadada.home.fish = {
     enable = mkEnableOption "Enable fish config";
   };
 

modules/home/git.nix

@@ -1,10 +1,10 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.git;
+  cfg = config.dadada.home.git;
 in
 {
-  options.dadada.git = {
+  options.dadada.home.git = {
     enable = mkEnableOption "Enable git config";
   };
   config = mkIf cfg.enable {

modules/home/gpg.nix

@@ -1,9 +1,9 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.gpg;
+  cfg = config.dadada.home.gpg;
 in {
-  options.dadada.gpg = {
+  options.dadada.home.gpg = {
     enable = mkEnableOption "Enable GnuPG config";
   };
   config = mkIf cfg.enable {

modules/home/gtk.nix

@@ -1,10 +1,10 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
-  cfg = config.dadada.gtk;
+  cfg = config.dadada.home.gtk;
 in
 {
-  options.dadada.gtk = {
+  options.dadada.home.gtk = {
     enable = mkEnableOption "Enable GTK config";
   };
   config = mkIf cfg.enable {

modules/home/keyring.nix

@@ -1,9 +1,9 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.keyring;
+  cfg = config.dadada.home.keyring;
 in {
-  options.dadada.keyring = {
+  options.dadada.home.keyring = {
     enable = mkEnableOption "Enable keyring config";
   };
   config = mkIf cfg.enable {

modules/home/kitty/default.nix

@@ -1,9 +1,9 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
-  cfg = config.dadada.kitty;
+  cfg = config.dadada.home.kitty;
 in {
-  options.dadada.kitty = {
+  options.dadada.home.kitty = {
     enable = mkEnableOption "Enable kitty config";
   };
   config = mkIf cfg.enable {

modules/home/mako.nix

@@ -1,9 +1,9 @@
 { config, lib, pkgs, colors, ...}:
 with lib;
 let
-  cfg = config.dadada.mako;
+  cfg = config.dadada.home.mako;
 in {
-  options.dadada.mako = {
+  options.dadada.home.mako = {
     enable = mkEnableOption "Enable mako config";
   };
   config = mkIf cfg.enable {

modules/home/module-list.nix

@@ -0,0 +1,20 @@
+[
+  ./colors.nix
+  ./direnv.nix
+  ./fish.nix
+  ./git.nix
+  ./gpg.nix
+  ./gtk.nix
+  ./keyring.nix
+  ./kitty
+  ./mako.nix
+  ./session.nix
+  ./ssh.nix
+  ./sway
+  ./syncthing.nix
+  ./termite.nix
+  ./tmux.nix
+  ./vim
+  ./xdg.nix
+  ./zsh.nix
+]

modules/home/session.nix

@@ -1,9 +1,9 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.session;
+  cfg = config.dadada.home.session;
 in {
-  options.dadada.session = {
+  options.dadada.home.session = {
     enable = mkEnableOption "Enable session variable management";
     sessionVars = mkOption {
       description = "Session variables";

modules/home/ssh.nix

@@ -1,9 +1,9 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.ssh;
+  cfg = config.dadada.home.ssh;
 in {
-  options.dadada.ssh = {
+  options.dadada.home.ssh = {
     enable = mkEnableOption "Enable SSH config";
   };
   config = mkIf cfg.enable {

modules/home/sway/default.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, colors, ...}:
 with lib;
 let
-  cfg = config.dadada.sway;
+  cfg = config.dadada.home.sway;
 in {
-  options.dadada.sway = {
+  options.dadada.home.sway = {
     enable = mkEnableOption "Enable Sway config";
   };
   config = mkIf cfg.enable {

modules/home/syncthing.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.syncthing;
+  cfg = config.dadada.home.syncthing;
 in {
-  options.dadada.syncthing = {
+  options.dadada.home.syncthing = {
     enable = mkEnableOption "Enable Syncthing config";
   };
   config = mkIf cfg.enable {

modules/home/termite.nix

@@ -7,9 +7,9 @@
 }:
 with lib;
 let
-  cfg = config.dadada.termite;
+  cfg = config.dadada.home.termite;
 in {
-  options.dadada.termite = {
+  options.dadada.home.termite = {
     enable = mkEnableOption "Enable termite config";
   };
   config = mkIf cfg.enable {

modules/home/tmux.nix

@@ -1,9 +1,9 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.tmux;
+  cfg = config.dadada.home.tmux;
 in {
-  options.dadada.tmux = {
+  options.dadada.home.tmux = {
     enable = mkEnableOption "Enable tmux config";
   };
   config = mkIf cfg.enable {

modules/home/vim/default.nix

@@ -1,27 +1,11 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
+{ config, pkgs, lib, ... }:
 with lib;
 let 
-  cfg = config.dadada.vim;
-
-  myFtplugins = pkgs.vimUtils.buildVimPluginFrom2Nix {
-    pname = "myFtplugins";
-    version = "2010-11-06";
-    src = vim/plugins/myFtplugins;
-  };
-
-  spacemacsTheme = pkgs.vimUtils.buildVimPluginFrom2Nix {
-    pname = "spacemacs-theme";
-    version = "2.0.1";
-    src = pkgs.fetchFromGitHub {
-      owner = "colepeters";
-      repo = "spacemacs-theme.vim";
-      rev = "056bba9bd05a2c97c63c28216a1c232cfb91529e";
-      sha256 = "0iy3i6waigk759p2z59mrxkjc0p412y7d8zf3cjak4a9sh1sh6qz";
-    };
-  };
+  cfg = config.dadada.home.vim;
+  vimPlugins = pkgs.callPackage ../../../pkgs/vimPlugins {};
 in
 {
-  options.dadada.vim = {
+  options.dadada.home.vim = {
     enable = mkEnableOption "Enable VIM config";
   };
 
@@ -40,7 +24,8 @@ in
         pkgs.vimPlugins.vim-airline
         pkgs.vimPlugins.vim-airline-themes
         pkgs.vimPlugins.vim-fish
-        spacemacsTheme
+        vimPlugins.spacemacsTheme
+        vimPlugins.filetype
         #pkgs.vimPlugins.vim-gnupg
         #pkgs.vimPlugins.vim-l9
         pkgs.vimPlugins.vim-ledger

modules/home/xdg.nix

@@ -18,9 +18,9 @@ let
     "text/plain" = "vim.desktop";
     "application/pdf" = "org.pwmt.zathura.desktop";
   };
-  cfg = config.dadada.xdg;
+  cfg = config.dadada.home.xdg;
 in {
-  options.dadada.xdg = {
+  options.dadada.home.xdg = {
     enable = mkEnableOption "Enable XDG config";
   };
   config = mkIf cfg.enable {

modules/home/zsh.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
-  cfg = config.dadada.zsh;
+  cfg = config.dadada.home.zsh;
 in {
-  options.dadada.zsh = {
+  options.dadada.home.zsh = {
     enable = mkEnableOption "Enable ZSH config";
   };
   config = mkIf cfg.enable {

modules/module-list.nix

@@ -1,19 +1,11 @@
 [
-  ./dadada/direnv.nix
-  ./dadada/fish.nix
-  ./dadada/git.nix
-  ./dadada/gpg.nix
-  ./dadada/gtk.nix
-  ./dadada/keyring.nix
-  ./dadada/kitty
-  ./dadada/mako.nix
-  ./dadada/session.nix
-  ./dadada/ssh.nix
-  ./dadada/sway
-  ./dadada/syncthing.nix
-  ./dadada/termite.nix
-  ./dadada/tmux.nix
-  ./dadada/vim
-  ./dadada/xdg.nix
-  ./dadada/zsh.nix
+  ./admin.nix
+  ./backup.nix
+  ./fido2.nix
+  ./fileShare.nix
+  ./networking.nix
+  ./steam.nix
+  ./update.nix
+  ./vpnServer.nix
+  ./weechat.nix
 ]

modules/networking.nix

@@ -0,0 +1,86 @@
+{ config, pkgs, lib, ...}:
+with lib;
+let
+  cfg = config.dadada.networking;
+in {
+  options.dadada.networking = {
+    useLocalResolver = mkEnableOption "Enable local caching name server";
+    domain = mkOption {
+      type = with types; nullOr str;
+      description = "Network domain name";
+      default = null;
+    };
+    wanInterfaces = mkOption {
+      type = with types; listOf str;
+      description = "WAN network interfaces";
+      default = [];
+    };
+    vpnExtension = mkOption {
+      type = with types; nullOr str;
+      description = "Last part of VPN address";
+      default = null;
+    };
+    enableBsShare = mkEnableOption "Enable network share at BS location";
+  };
+
+  config = {
+    networking.domain = cfg.domain;
+    networking.resolvconf.useLocalResolver = mkIf cfg.useLocalResolver true;
+    services.unbound = mkIf cfg.useLocalResolver {
+      enable = true;
+      allowedAccess = [
+        "127.0.0.1/8"
+        "::1"
+      ];
+      extraConfig = ''
+        tls-upstream: yes
+        tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"
+        forward-zone:
+        name: .
+        forward-tls-upstream: yes
+        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+        forward-addr: 1.1.1.1@853#cloudflare-dns.com
+        forward-addr: 1.0.0.1@853#cloudflare-dns.com
+      '';
+    };
+
+    networking.useDHCP = false;
+
+    networking.interfaces = listToAttrs (forEach cfg.wanInterfaces (i: nameValuePair i {
+      useDHCP = true;
+    }));
+
+    networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) {
+      bs = {
+        ips = [ "fd42:dead:beef:1337::${cfg.vpnExtension}/64" ];
+        listenPort = 51234;
+
+        privateKeyFile = "/var/lib/wireguard/privkey";
+
+        peers = [
+          {
+            publicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
+            allowedIPs = [ "fd42:dead:beef::/48" ];
+            endpoint = "bs.vpn.dadada.li:51234";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+
+    fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare {
+      device = "media.dadada.li:/mnt/storage/share";
+      fsType = "nfs";
+      options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedUDPPorts = [
+        51234 # Wireguard
+        5353  # mDNS
+      ];
+    };
+  };
+}

modules/profiles/base/default.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+  imports = import ../../module-list.nix;
+
+  config = {
+    dadada = {
+      autoUpgrade.enable = mkDefault true;
+      networking = {
+        useLocalResolver = mkDefault true;
+        domain = mkDefault "dadada.li";
+      };
+    };
+
+    i18n.defaultLocale = mkDefault "en_US.UTF-8";
+    console = {
+      font = mkDefault "Lat2-Terminus16";
+      keyMap = mkDefault "us";
+    };
+
+    fonts.fonts = mkDefault (with pkgs; [
+      source-code-pro
+    ]);
+
+    time.timeZone = mkDefault "Europe/Berlin";
+
+    programs.zsh = mkDefault {
+      enable = true;
+      autosuggestions.enable = true;
+      enableCompletion = true;
+      histSize = 100000;
+      vteIntegration = true;
+      syntaxHighlighting = {
+        enable = true;
+        highlighters = [ "main" "brackets" "pattern" "cursor" "root" "line" ];
+      };
+    };
+  };
+}

modules/profiles/home/default.nix

@@ -1,54 +0,0 @@
-{ config, pkgs, lib, ... }:
-let 
-  sources = import ../../../nix/sources.nix;
-  stable = import <nixpkgs-stable> {};
-in {
-  nixpkgs = {
-    overlays = [
-      (import ../../../overlays/texlive-tubslatex.nix)
-    ];
-  };
-
-  imports = import ../../module-list.nix;
-
-  dadada = {
-    vim.enable = true;
-    direnv.enable = true;
-    git.enable = true;
-    gpg.enable = true;
-    gtk.enable = true;
-    keyring.enable = true;
-    kitty.enable = true;
-    session.enable = true;
-    ssh.enable = true;
-    syncthing.enable = true;
-    xdg.enable = true;
-    zsh.enable = true;
-  };
-
-  dadada.session = {
-    sessionVars = {
-      EDITOR = "vim";
-      PAGER = "less";
-      MAILDIR = "\$HOME/.var/mail";
-      MBLAZE = "\$HOME/.config/mblaze";
-      NOTMUCH_CONFIG = "\$HOME/.config/notmuch/config";
-      MOZ_ENABLE_WAYLAND= "1";
-    };
-  };
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  home.packages = import ./pkgs.nix { pkgs = pkgs; };
-
-  # This value determines the Home Manager release that your
-  # configuration is compatible with. This helps avoid breakage
-  # when a new Home Manager release introduces backwards
-  # incompatible changes.
-  #
-  # You can update Home Manager without changing this value. See
-  # the Home Manager release notes for a list of state version
-  # changes in each release.
-  home.stateVersion = "19.09";
-}

modules/profiles/work.nix

@@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  imports = [
-    (import ../session.nix {
-      inherit config;
-      sessionVars = {
-        EDITOR = "vim";
-        PAGER = "less";
-        MOZ_ENABLE_WAYLAND= "1";
-      };
-    })
-    ../vim
-    ../direnv.nix
-    ../git.nix
-    ../gpg.nix
-    ../gtk.nix
-    ../keyring.nix
-    ../kitty.nix
-    ../ssh.nix
-    ../tmux.nix
-    ../zsh.nix
-  ];
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  home.packages = with pkgs; [
-    file
-    gnupg
-    libreoffice
-    python3
-    sshfs-fuse
-    unzip
-  ];
-
-  # This value determines the Home Manager release that your
-  # configuration is compatible with. This helps avoid breakage
-  # when a new Home Manager release introduces backwards
-  # incompatible changes.
-  #
-  # You can update Home Manager without changing this value. See
-  # the Home Manager release notes for a list of state version
-  # changes in each release.
-  home.stateVersion = "19.09";
-}

modules/steam.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.steam;
+in {
+  options.dadada.steam = {
+    enable = mkEnableOption "Enable Steam config";
+  };
+  config = mkIf cfg.enable {
+    nixpkgs.config.allowUnfree = true;
+
+    hardware.opengl = {
+      enable = true;
+      driSupport32Bit = true;
+      extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
+    };
+
+    hardware.pulseaudio.support32Bit = true;
+  };
+}

modules/update.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.dadada.autoUpgrade;
+in {
+  options = {
+    dadada.autoUpgrade = {
+      enable = mkEnableOption "Enable automatic upgrades";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.fwupd.enable = true;
+
+    nix = {
+      autoOptimiseStore = true;
+      useSandbox = true;
+      gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 30d";
+      };
+    };
+
+    system.autoUpgrade = {
+      enable = true;
+      dates = "daily";
+    };
+  };
+}

modules/vpnServer.nix

@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.vpnServer;
+  wgPeer = { name, ... }: {
+    options = {
+      name = mkOption {
+        internal = true;
+        default = name;
+      };
+      id = mkOption {
+        description = "VPN client id";
+        default = 0;
+        type = types.str;
+      };
+      key = mkOption {
+        description = "VPN client public key";
+        default = "";
+        type = types.str;
+      };
+    };
+  };
+in {
+  options.dadada.vpnServer = {
+    enable = mkEnableOption "Enable wireguard gateway";
+    peers = mkOption {
+      description = "Set of extensions and public keys of peers";
+      type = with types; attrsOf (submodule wgPeer);
+      default = {};
+    };
+  };
+  config = mkIf cfg.enable {
+    networking.wireguard.enable = true;
+    networking.wireguard.interfaces."wg0" = {
+      allowedIPsAsRoutes = true;
+      privateKeyFile = "/var/lib/wireguard/wg0-key";
+      ips = [ "fd42:dead:beef:1337::0/64" ];
+      listenPort = 51234;
+      peers = map (peer: (
+        {
+          allowedIPs = [ "fd42:dead:beef:1337::${peer.id}/128" ];
+          publicKey = peer.key;
+        })) (attrValues cfg.peers);
+    };
+  };
+}

modules/weechat.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.weechat;
+in {
+  options.dadada.weechat = {
+    enable = mkEnableOption "Enable weechat relay";
+  };
+  config = mkIf cfg.enable {
+    services.weechat = {
+      enable = true;
+      sessionName = "weechat-dadada";
+    };
+
+    services.nginx.virtualHosts."webchat.dadada.li" = {
+      useACMEHost = "webchat.dadada.li";
+      forceSSL = true;
+      serverAliases = [ "webchat.${config.networking.domain}" ];
+
+      root = pkgs.glowing-bear;
+
+      locations = {
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+    services.nginx.virtualHosts."weechat.dadada.li" = {
+      useACMEHost = "weechat.dadada.li";
+      forceSSL = true;
+      serverAliases = [ "weechat.${config.networking.domain}" ];
+
+      root = "${pkgs.nginx}/html";
+      locations = {
+        "/weechat" = {
+          extraConfig = ''
+            proxy_pass http://localhost:9001;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_read_timeout 8h;
+          '';
+        };
+        "/robots.txt" = {
+          extraConfig = ''
+            add_header Content-Type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+          '';
+        };
+      };
+    };
+  };
+}
+

overlay.nix

@@ -0,0 +1,11 @@
+self: super:
+
+let
+  isReserved = n: n == "lib" || n == "overlays" || n == "modules";
+  nameValuePair = n: v: { name = n; value = v; };
+  attrs = import ./default.nix { pkgs = super; };
+in
+  builtins.listToAttrs
+  (map (n: nameValuePair n attrs.${n})
+  (builtins.filter (n: !isReserved n)
+  (builtins.attrNames attrs)))

overlays/default.nix

@@ -0,0 +1,3 @@
+{
+  tubslatex = import ./tubslatex.nix;
+}

overlays/tubslatex.nix

@@ -1,9 +1,9 @@
 self: super:
 {
   # Based on https://gist.github.com/clefru/9ed1186bf0b76d27e0ad20cbd9966b87
-  texlive-tubslatex = super.lib.overrideDerivation (super.texlive.combine {
+  tubslatex = super.lib.overrideDerivation (super.texlive.combine {
     inherit (super.texlive) scheme-full;
-    tubslatex.pkgs = [ (super.callPackage ../pkgs/tubslatex.nix {}) ];
+    tubslatex.pkgs = [ (super.callPackage ../pkgs/tubslatex {}) ];
   }) (oldAttrs: {
     postBuild = ''
        # Save the udpmap.cfg because texlive.combine removes it.

pkgs/keys/default.nix

@@ -0,0 +1,20 @@
+{ stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "infra-keys";
+  version = "1";
+
+  src = ./keys;
+
+  installPhase = ''
+      mkdir $out
+      mv * $out
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Public keys for my infrastructure";
+    license = licenses.publicDomain;
+    platforms = platforms.all;
+    maintainers = [ "dadada" ];
+  };
+}

pkgs/keys/keys/dadada.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis

pkgs/vimPlugins/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, fetchFromGitHub, ... }:
+with lib;
+{
+  filetype = pkgs.vimUtils.buildVimPluginFrom2Nix {
+    pname = "dadadaVimFiletype";
+    version = "2010-11-06";
+    src = ./filetype;
+  };
+
+  spacemacsTheme = pkgs.vimUtils.buildVimPluginFrom2Nix {
+    pname = "spacemacs-theme";
+    version = "2.0.1";
+    src = pkgs.fetchFromGitHub {
+      owner = "colepeters";
+      repo = "spacemacs-theme.vim";
+      rev = "056bba9bd05a2c97c63c28216a1c232cfb91529e";
+      sha256 = "0iy3i6waigk759p2z59mrxkjc0p412y7d8zf3cjak4a9sh1sh6qz";
+    };
+  };
+}