♻️ modularize neodymium system config

flake.nix

@@ -37,11 +37,12 @@
       in {
         devShells.default = pkgs.mkShell {
           packages = [
-            pkgs.colmena
-            pkgs.nixfmt
-            pkgs.git
-            pkgs.update-nix-fetchgit
-            agenix.packages.${system}.ragenix
+            pkgs.colmena # remote deployment
+            pkgs.nixfmt # formatting
+            pkgs.git # version control
+            pkgs.update-nix-fetchgit # auto update fetchs
+            agenix.packages.${system}.ragenix # secrets
+            pkgs.sbctl # secure boot
           ];
         };
       })) // {

hosts/neodymium/configuration.nix

@@ -1,138 +1,14 @@
-{ config, pkgs, lib, ... }: {
-  imports = [ ./hardware-configuration.nix ];
-
-  # networking
-  networking.hostName = "neodymium";
-  networking.networkmanager.enable = true;
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ ];
-  networking.firewall.allowedUDPPorts = [ ];
-
-  # bluetooth
-  hardware.bluetooth.enable = true;
-  services.blueman.enable = true;
-
-  # wireguard vpn
-  networking.wg-quick.interfaces = {
-    wg0 = {
-      privateKeyFile = "/root/wireguard-keys/private";
-      address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
-      dns = [ "10.0.0.1" ];
-      peers = [{
-        publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
-        allowedIPs = [ "0.0.0.0/0" "::0/0" ];
-        endpoint = "fainsin.bzh:5553";
-        persistentKeepalive = 30;
-      }];
-    };
-  };
-  systemd.services.wg-quick-wg0 = {
-    serviceConfig = {
-      Type = lib.mkForce "simple";
-      Restart = "on-failure";
-      RestartSec = "10s";
-    };
-    unitConfig = {
-      StartLimitIntervalSec = 0; # ensure Restart= is always honoured
-    };
-  };
-
-  # This should already be here from switching to bootspec earlier.
-  # It's not required anymore, but also doesn't do any harm.
-  boot.bootspec.enable = true;
-
-  environment.systemPackages = [
-    # For debugging and troubleshooting Secure Boot.
-    pkgs.sbctl
-  ];
-
-  # Lanzaboote currently replaces the systemd-boot module.
-  # This setting is usually set to true in configuration.nix
-  # generated at installation time. So we force it to false
-  # for now.
-  boot.loader.systemd-boot.enable = lib.mkForce false;
-
-  boot.lanzaboote = {
-    enable = true;
-    pkiBundle = "/etc/secureboot";
-  };
-
-  # enable NTFS disk mounting
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.supportedFilesystems = [ "ntfs" ];
-
-  # clean /tmp at each boot
-  boot.tmp.cleanOnBoot = true;
-
-  # use latest kernel
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-
-  # restrict nix command to sudoers
-  nix.settings.allowed-users = [ "@wheel" ];
+{ pkgs, ... }: {
+  imports = [ ./hardware-configuration.nix ./system ];
 
   # shorter timeout for systemd services
   systemd.extraConfig = ''
     DefaultTimeoutStopSec=10s
   '';
 
-  # hardware
-  hardware = {
-    enableRedistributableFirmware = true;
-    opengl = {
-      enable = true;
-      driSupport = true;
-    };
-  };
-
-  # logind configuration
-  services.logind = {
-    lidSwitch = "ignore";
-    extraConfig = ''
-      HandlePowerKey=suspend
-    '';
-  };
-
-  services.tlp.enable = true;
-
-  # greeter
-  services.greetd = {
-    enable = true;
-    settings = {
-      default_session = {
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
-        user = "greeter";
-      };
-    };
-  };
-
-  # internationalisation
-  time.timeZone = "Europe/Paris";
-  i18n.defaultLocale = "en_DK.UTF-8";
-  console.keyMap = "fr";
-
-  # fonts
-  fonts.fonts = with pkgs; [
-    noto-fonts
-    noto-fonts-cjk
-    noto-fonts-extra
-    noto-fonts-emoji
-    fira-code
-    fira-code-symbols
-    (nerdfonts.override { fonts = [ "FiraCode" ]; })
-  ];
-
   # udev
   services.udev.packages = [ pkgs.android-udev-rules ];
 
-  # audio
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    pulse.enable = true;
-  };
-
-  services.gnome.gnome-keyring.enable = true;
-
   services.dbus.enable = true;
   xdg.portal = {
     enable = true;
@@ -140,96 +16,25 @@
     extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
   };
 
-  programs.light.enable = true;
+  users = {
+    # disable user creation/deletion
+    mutableUsers = false;
 
-  users.mutableUsers = false;
-  users.users.laurent = {
+    # damn, who's this handsome guy?
+    users.laurent = {
       isNormalUser = true;
       initialPassword = "laurent";
       extraGroups = [ "wheel" "video" "docker" "adbusers" ];
       shell = pkgs.zsh;
     };
+  };
   programs.zsh.enable = true;
 
   home-manager = { users.laurent = ./home; };
 
-  # enable docker
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "btrfs";
-    enableOnBoot = false;
-    autoPrune.enable = true;
-  };
-
   # enable gnome virtual file system
   services.gvfs.enable = true;
 
-  # enable gpg agent
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-    pinentryFlavor = "gnome3";
-  };
-
-  # enable polkit
-  security.polkit.enable = true;
-
-  # allow swaylock to use pam
-  security.pam.services.swaylock = { };
-
-  # enable unfree
-  nixpkgs.config.allowUnfree = true;
-
-  # experimental features
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  # optimizations
-  nix.settings.auto-optimise-store = true;
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-  age.secrets.borgbackup = {
-    file = "/home/laurent/infrastructure/secrets/borgbackup.age";
-    owner = "laurent";
-    group = "users";
-  };
-  age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
-
-  services.borgbackup.jobs.home = {
-    paths = "/home/laurent/";
-    repo = "/mnt/home_backup";
-    exclude = [
-      # Largest cache dirs
-      ".cache"
-      ".compose-cache"
-      "*/cache"
-      "*/cache2" # firefox
-      "*/Cache"
-      "*/Code Cache"
-      ".config/Slack/logs"
-      ".config/Code/CachedData"
-      ".container-diff"
-      ".npm/_cacache"
-      # Work related dirs
-      "*/node_modules"
-      "*/bower_components"
-      "*/build"
-      "*/_build"
-      "*/.tox"
-      "*/venv"
-      "*/.venv"
-    ];
-    encryption = {
-      mode = "repokey";
-      passCommand = "cat ${config.age.secrets.borgbackup.path}";
-    };
-    compression = "auto,zstd";
-    startAt = [ ];
-  };
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/neodymium/home/wayland/default.nix

@@ -12,6 +12,7 @@ in {
     defaultTimeout = 5000;
     extraConfig = builtins.readFile "${catppuccin-mako}/src/mocha";
   };
+
   wayland.windowManager.sway = {
     enable = true;
     package = (pkgs.swayfx.overrideAttrs (old: {

hosts/neodymium/system/age/default.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  age.secrets.borgbackup = {
+    file = "/home/laurent/infrastructure/secrets/borgbackup.age";
+    owner = "laurent";
+    group = "users";
+  };
+  age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
+}

hosts/neodymium/system/audio/default.nix

@@ -0,0 +1,7 @@
+{ ... }: {
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+}

hosts/neodymium/system/boot/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  # support for mounting windaube partitions
+  boot.supportedFilesystems = [ "ntfs" ];
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # clean /tmp at each boot
+  boot.tmp.cleanOnBoot = true;
+
+  # use latest kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  imports = [ ./lanzaboot.nix ];
+}

hosts/neodymium/system/boot/lanzaboot.nix

@@ -0,0 +1,16 @@
+{ lib, ... }: {
+  # This should already be here from switching to bootspec earlier.
+  # It's not required anymore, but also doesn't do any harm.
+  boot.bootspec.enable = true;
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}

hosts/neodymium/system/borgbackup/default.nix

@@ -0,0 +1,33 @@
+{ config, ... }: {
+  services.borgbackup.jobs.home = {
+    paths = "/home/laurent/";
+    repo = "/mnt/home_backup";
+    exclude = [
+      # Largest cache dirs
+      ".cache"
+      ".compose-cache"
+      "*/cache"
+      "*/cache2" # firefox
+      "*/Cache"
+      "*/Code Cache"
+      ".config/Slack/logs"
+      ".config/Code/CachedData"
+      ".container-diff"
+      ".npm/_cacache"
+      # Work related dirs
+      "*/node_modules"
+      "*/bower_components"
+      "*/build"
+      "*/_build"
+      "*/.tox"
+      "*/venv"
+      "*/.venv"
+    ];
+    encryption = {
+      mode = "repokey";
+      passCommand = "cat ${config.age.secrets.borgbackup.path}";
+    };
+    compression = "auto,zstd";
+    startAt = [ ];
+  };
+}

hosts/neodymium/system/default.nix

@@ -0,0 +1,16 @@
+{ ... }: {
+  imports = [
+    ./age
+    ./audio
+    ./boot
+    ./borgbackup
+    ./docker
+    ./fonts
+    ./greetd
+    ./hardware
+    ./i18n
+    ./networking
+    ./nix
+    ./security
+  ];
+}

hosts/neodymium/system/docker/default.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  virtualisation.docker = {
+    enable = true;
+
+    storageDriver = "btrfs";
+    enableOnBoot = false;
+    autoPrune.enable = true;
+  };
+}

hosts/neodymium/system/fonts/default.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }: {
+  fonts.fonts = with pkgs; [
+    # https://notofonts.github.io/
+    noto-fonts # standard characters
+    noto-fonts-lgc-plus # latin, greek, and cyrillic
+    noto-fonts-cjk # chinese, japanese, and korean
+    noto-fonts-emoji # emojis 🐢
+
+    # https://github.com/tonsky/FiraCode
+    fira-code # standard characters
+    fira-code-symbols # unicode ligature glyphs
+
+    # https://github.com/ryanoasis/nerd-fonts
+    (nerdfonts.override { fonts = [ "FiraCode" ]; })
+  ];
+}

hosts/neodymium/system/greetd/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }: {
+  services.greetd = {
+    enable = true;
+
+    settings = {
+      default_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+        user = "greeter";
+      };
+    };
+  };
+}

hosts/neodymium/system/hardware/default.nix

@@ -0,0 +1,28 @@
+{ ... }: {
+  # hardware
+  hardware = {
+    enableRedistributableFirmware = true;
+    opengl = {
+      enable = true;
+      driSupport = true;
+    };
+  };
+
+  # logind configuration
+  services.logind = {
+    lidSwitch = "ignore";
+    extraConfig = ''
+      HandlePowerKey=suspend
+    '';
+  };
+
+  # tlp, power management
+  services.tlp.enable = true;
+
+  # bluetooth
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+
+  # backlight intensity
+  programs.light.enable = true;
+}

hosts/neodymium/system/i18n/default.nix

@@ -0,0 +1,10 @@
+{ ... }: {
+  # FRANCE 🇫🇷 🥖 🥐
+  time.timeZone = "Europe/Paris";
+
+  # azerty keyboard
+  console.keyMap = "fr";
+
+  # english ISO metric system
+  i18n.defaultLocale = "en_DK.UTF-8";
+}

hosts/neodymium/system/networking/default.nix

@@ -0,0 +1,17 @@
+{ ... }: {
+  # set hostname
+  networking.hostName = "neodymium";
+
+  # use networkManager, see nmcli
+  networking.networkmanager.enable = true;
+
+  # firewall
+  networking.firewall = {
+    enable = true;
+
+    allowedTCPPorts = [ ];
+    allowedUDPPorts = [ ];
+  };
+
+  imports = [ ./wireguard.nix ];
+}

hosts/neodymium/system/networking/wireguard.nix

@@ -0,0 +1,31 @@
+{ lib, ... }: {
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      # client
+      privateKeyFile = "/root/wireguard-keys/private";
+      address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
+      dns = [ "10.0.0.1" ];
+
+      # server
+      peers = [{
+        publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
+        allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+        endpoint = "fainsin.bzh:5553";
+        persistentKeepalive = 30;
+      }];
+    };
+  };
+
+  # modify the systemd service to restart on failure every 10 seconds
+  systemd.services.wg-quick-wg0 = {
+    serviceConfig = {
+      Type = lib.mkForce "simple";
+      Restart = "on-failure";
+      RestartSec = "10s";
+    };
+    unitConfig = {
+      # ensures Restart= is always honoured
+      StartLimitIntervalSec = 0;
+    };
+  };
+}

hosts/neodymium/system/nix/default.nix

@@ -0,0 +1,20 @@
+{ ... }: {
+  # restrict nix command to sudoers
+  nix.settings.allowed-users = [ "@wheel" ];
+
+  # experimental features
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # optimizations
+  nix.settings.auto-optimise-store = true;
+
+  # garbage collection
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # enable unfree
+  nixpkgs.config.allowUnfree = true;
+}

hosts/neodymium/system/security/default.nix

@@ -0,0 +1,17 @@
+{ ... }: {
+  # enable polkit
+  security.polkit.enable = true;
+
+  # enable gpg agent
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryFlavor = "gnome3";
+  };
+
+  # secrets keyring
+  services.gnome.gnome-keyring.enable = true;
+
+  # allow swaylock to use pam
+  security.pam.services.swaylock = { };
+}