cleanup, make checks pass

2024-04-27 11:33:38 +01:00 · 2024-04-27 11:33:38 +01:00 · 635f5902aa
commit 635f5902aa
parent c6cb14a14b
28 changed files with 515 additions and 443 deletions
--- a/flake.nix
+++ b/flake.nix
@ -36,11 +36,13 @@
        ];
        specialArgs = {inherit inputs system;};
      };
-    mkRaspi = pkgs: hostname:
+    mkRaspi = pkgs: hostname: let
+      system = "aarch64-linux";
+    in
      pkgs.lib.nixosSystem {
-        system = "aarch64-linux";
+        inherit system;
        modules = [(./. + "/nixos/boxes/${hostname}") sops.nixosModules.sops];
-        specialArgs = {inherit inputs;};
+        specialArgs = {inherit inputs system;};
      };
    mkKiosk = pkgs: system: hostname:
      pkgs.lib.nixosSystem {
@ -52,12 +54,14 @@

          home-manager.nixosModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.cyryl = {
-              imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
-              _module.args.inputs = inputs;
-              _module.args.system = system;
+            home-manager = {
+              useGlobalPkgs = true;
+              useUserPackages = true;
+              users.cyryl = {
+                imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
+                _module.args.inputs = inputs;
+                _module.args.system = system;
+              };
            };
          }
        ];
@ -86,12 +90,14 @@
          {programs.nix-ld.dev.enable = true;}
          home-manager.nixosModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.cyryl = {
-              imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
-              _module.args.inputs = inputs;
-              _module.args.system = system;
+            home-manager = {
+              useGlobalPkgs = true;
+              useUserPackages = true;
+              users.cyryl = {
+                imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
+                _module.args.inputs = inputs;
+                _module.args.system = system;
+              };
            };
          }
        ];
@ -138,12 +144,14 @@
          (./. + "/nixos/boxes/form3")
          home-manager.darwinModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.cyryl = {
-              imports = [./nixos/home-manager];
-              _module.args.inputs = inputs;
-              _module.args.system = system;
+            home-manager = {
+              useGlobalPkgs = true;
+              useUserPackages = true;
+              users.cyryl = {
+                imports = [./nixos/home-manager];
+                _module.args.inputs = inputs;
+                _module.args.system = system;
+              };
            };
          }
        ];
@ -154,7 +162,6 @@
      foryog = mkWorkstation nixpkgs-nixos-unstable "x86_64-linux" "foryog";
      thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
      bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
-      vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1";
      cupsnet = mkServer nixpkgs-stable "aarch64-linux" "cupsnet";
      mb1 = mkServer nixpkgs-stable "x86_64-linux" "mb1";
      homescreen = mkRaspi nixpkgs-stable "homescreen";
--- a/nixos/boxes/bolty/bolty-boot.nix
+++ b/nixos/boxes/bolty/bolty-boot.nix
@ -15,10 +15,13 @@
    zfs.forceImportRoot = false;
  };

-  services.btrfs.autoScrub.enable = true;
-  services.zfs.autoScrub.enable = true;
-  services.zfs.trim.enable = true;
-
+  services = {
+    btrfs.autoScrub.enable = true;
+    zfs = {
+      autoScrub.enable = true;
+      trim.enable = true;
+    };
+  };
  boot.kernelParams = ["zfs.zfs_arc_max=17179869184"];

  boot.zfs.extraPools = ["data"];
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@ -7,13 +7,11 @@
    ../cli.nix
    ../send-logs.nix
    ./bolty-boot.nix
-    ./gitea-runner.nix
    ./grafana.nix
    ./home-assistant.nix
    ./home-security.nix
    ./influxdb.nix
    ./logs.nix
-    ./mastodon.nix
    ./nas.nix
    ./networking.nix
    ./nix-store-server.nix
--- a/nixos/boxes/bolty/home-assistant.nix
+++ b/nixos/boxes/bolty/home-assistant.nix
@ -14,49 +14,52 @@ in {
  imports = [../nginx.nix ./virtualisation.nix];

  networking.firewall.allowedTCPPorts = [port 1883 8089];
-  services.mosquitto = {
-    enable = true;
-    package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
-    dataDir = "/data/mosquitto";
-    listeners = [
-      {
-        port = 1883;
-        omitPasswordAuth = true;
-        users = {};
-        settings = {
-          allow_anonymous = true;
+
+  services = {
+    mosquitto = {
+      enable = true;
+      package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
+      dataDir = "/data/mosquitto";
+      listeners = [
+        {
+          port = 1883;
+          omitPasswordAuth = true;
+          users = {};
+          settings = {
+            allow_anonymous = true;
+          };
+          acl = ["topic readwrite #"];
+        }
+      ];
+    };
+    zigbee2mqtt = {
+      enable = true;
+      package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
+      settings = {
+        homeassistant = true;
+        permit_join = true;
+        availability.active.timeout = 10;
+        availability.passive.timeout = 90;
+        frontend.port = 8089;
+        mqtt.server = "mqtt://10.0.0.8:1883";
+        serial = {
+          port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
+          baudrate = 115200;
        };
-        acl = ["topic readwrite #"];
-      }
-    ];
-  };
-  services.zigbee2mqtt = {
-    enable = true;
-    package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
-    settings = {
-      homeassistant = true;
-      permit_join = true;
-      availability.active.timeout = 10;
-      availability.passive.timeout = 90;
-      frontend.port = 8089;
-      mqtt.server = "mqtt://10.0.0.8:1883";
-      serial = {
-        port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
-        baudrate = 115200;
      };
    };
-  };
-  services.nginx = {
-    virtualHosts = {
-      "bolty.raptor-carp.ts.net" = {
-        forceSSL = true;
-        enableACME = false;
-        locations."/" = {
-          proxyPass = "http://10.0.0.244:8123";
-          proxyWebsockets = true;
+    nginx = {
+      virtualHosts = {
+        "bolty.raptor-carp.ts.net" = {
+          forceSSL = true;
+          enableACME = false;
+          locations."/" = {
+            proxyPass = "http://10.0.0.244:8123";
+            proxyWebsockets = true;
+          };
+          sslCertificateKey = keyPath;
+          sslCertificate = certPath;
        };
-        sslCertificateKey = keyPath;
-        sslCertificate = certPath;
      };
    };
  };
--- a/nixos/boxes/bolty/networking.nix
+++ b/nixos/boxes/bolty/networking.nix
@ -6,23 +6,25 @@
  ...
 }: {
  networking.hostName = "bolty";
-  systemd.network.enable = true;
  networking.networkmanager.enable = false;
-  systemd.network.netdevs."br0".netdevConfig = {
-    Name = "br0";
-    Kind = "bridge";
-  };
-  systemd.network.networks."br0" = {
-    name = "br0";
-    address = ["10.0.0.8/24"];
-    gateway = ["10.0.0.1"];
-    DHCP = "no";
-    dns = ["100.100.100.100" "9.9.9.9"];
-  };

-  systemd.network.networks."eth" = {
-    name = "enp4s0";
-    networkConfig.Bridge = "br0";
-    DHCP = "no";
+  systemd.network = {
+    enable = true;
+    netdevs."br0".netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+    };
+    networks."br0" = {
+      name = "br0";
+      address = ["10.0.0.8/24"];
+      gateway = ["10.0.0.1"];
+      DHCP = "no";
+      dns = ["100.100.100.100" "9.9.9.9"];
+    };
+    networks."eth" = {
+      name = "enp4s0";
+      networkConfig.Bridge = "br0";
+      DHCP = "no";
+    };
  };
 }
--- a/nixos/boxes/bolty/print-server.nix
+++ b/nixos/boxes/bolty/print-server.nix
@ -4,20 +4,36 @@
  lib,
  ...
 }: {
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [631 6566];
-  networking.firewall.allowedUDPPorts = [631 6566];
-  services.printing = {
+  networking.firewall = {
    enable = true;
-    drivers = with pkgs; [epson-escpr];
-    listenAddresses = ["*:631"];
-    defaultShared = true;
-    browsing = true;
-    allowFrom = ["all"];
-    extraConf = ''
-      ServerAlias *
-      DefaultEncryption Never
-    '';
+    allowedTCPPorts = [631 6566];
+    allowedUDPPorts = [631 6566];
+  };
+  services = {
+    printing = {
+      enable = true;
+      drivers = with pkgs; [epson-escpr];
+      listenAddresses = ["*:631"];
+      defaultShared = true;
+      browsing = true;
+      allowFrom = ["all"];
+      extraConf = ''
+        ServerAlias *
+        DefaultEncryption Never
+      '';
+    };
+    udev.packages = [];
+
+    saned = {
+      enable = true;
+      extraConfig = ''
+        100.69.222.80
+        10.0.24.0/24
+        10.0.0.1/24
+        foureighty
+        hagath
+      '';
+    };
  };

  hardware.printers.ensurePrinters = [
@ -37,17 +53,5 @@
    snapshot = true;
  };

-  services.udev.packages = [];
-
  environment.systemPackages = with pkgs; [gawk];
-  services.saned = {
-    enable = true;
-    extraConfig = ''
-      100.69.222.80
-      10.0.24.0/24
-      10.0.0.1/24
-      foureighty
-      hagath
-    '';
-  };
 }
--- a/nixos/boxes/bolty/real-hardware.nix
+++ b/nixos/boxes/bolty/real-hardware.nix
@ -4,11 +4,13 @@
  lib,
  ...
 }: {
-  hardware.enableRedistributableFirmware = true;
-  services.smartd.enable = true;
-  services.fstrim.enable = true;
  environment.systemPackages = with pkgs; [smartmontools];
-  services.fwupd.enable = true;
-  services.thermald.enable = true;
-  services.haveged.enable = true;
+  hardware.enableRedistributableFirmware = true;
+  services = {
+    smartd.enable = true;
+    fstrim.enable = true;
+    fwupd.enable = true;
+    thermald.enable = true;
+    haveged.enable = true;
+  };
 }
--- a/nixos/boxes/bolty/tailscale-cert.nix
+++ b/nixos/boxes/bolty/tailscale-cert.nix
@ -12,43 +12,44 @@
 in {
  imports = [];

-  systemd.services.tailscale-cert-make-path = {
-    script = ''
-      mkdir -p ${basePath}
-    '';
-    serviceConfig = {Type = "oneshot";};
-    before = ["tailscale-cert.service"];
-    wantedBy = ["multi-user.target"];
-  };
-
-  systemd.services.tailscale-cert = {
-    after = ["network.target" "network-online.target" "tailscaled.service"];
-    wants = ["tailscaled.service"];
-    wantedBy = ["multi-user.target"];
-
-    path = with pkgs; [tailscale];
-
-    serviceConfig = {
-      Type = "oneshot";
-      UMask = 22;
-      StateDirectoryMode = 750;
-      ProtectSystem = "strict";
-      ReadWritePaths = ["${basePath}"];
-      PrivateTmp = true;
-      WorkingDirectory = "${basePath}";
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      ProtectClock = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      StateDirectory = ["${basePath}"];
+  systemd.services = {
+    tailscale-cert-make-path = {
+      script = ''
+        mkdir -p ${basePath}
+      '';
+      serviceConfig = {Type = "oneshot";};
+      before = ["tailscale-cert.service"];
+      wantedBy = ["multi-user.target"];
    };

-    script = ''
-      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
-    '';
-  };
+    tailscale-cert = {
+      after = ["network.target" "network-online.target" "tailscaled.service"];
+      wants = ["tailscaled.service"];
+      wantedBy = ["multi-user.target"];

+      path = with pkgs; [tailscale];
+
+      serviceConfig = {
+        Type = "oneshot";
+        UMask = 22;
+        StateDirectoryMode = 750;
+        ProtectSystem = "strict";
+        ReadWritePaths = ["${basePath}"];
+        PrivateTmp = true;
+        WorkingDirectory = "${basePath}";
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        StateDirectory = ["${basePath}"];
+      };
+
+      script = ''
+        tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
+      '';
+    };
+  };
  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
--- a/nixos/boxes/cupsnet/boot.nix
+++ b/nixos/boxes/cupsnet/boot.nix
@ -5,12 +5,14 @@
  lib,
  ...
 }: {
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];

-  boot.loader.grub = {
-    devices = ["/dev/vda"];
-    efiSupport = true;
-    efiInstallAsRemovable = true;
+    loader.grub = {
+      devices = ["/dev/vda"];
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
  };
 }
--- a/nixos/boxes/form3/default.nix
+++ b/nixos/boxes/form3/default.nix
@ -51,16 +51,18 @@ in {
  home-manager.users.cyryl = {...}: {
    imports = [];
    home.packages = with pkgs; [awscli kubectl cargo-update];
-    programs.git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
-    programs.git.extraConfig = {
-      user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
-      commit.gpgsign = true;
-      "url \"git@github.com:\"".insteadOf = "https://github.com/";
+    programs = {
+      git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
+      git.extraConfig = {
+        user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
+        commit.gpgsign = true;
+        "url \"git@github.com:\"".insteadOf = "https://github.com/";
+      };
+      gpg.enable = true;
+      gpg.homedir = "/Users/cyryl/.gnupg";
+      zsh.loginExtra = ''
+        eval "$(/opt/homebrew/bin/brew shellenv)"
+      '';
    };
-    programs.gpg.enable = true;
-    programs.gpg.homedir = "/Users/cyryl/.gnupg";
-    programs.zsh.loginExtra = ''
-      eval "$(/opt/homebrew/bin/brew shellenv)"
-    '';
  };
 }
--- a/nixos/boxes/foryog/default.nix
+++ b/nixos/boxes/foryog/default.nix
@ -26,12 +26,15 @@
  services.restic.backups.home-to-b2 = {
    repository = lib.mkForce "b2:cyplo-restic-foureighty:/";
  };
-  boot.kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
-  boot.tmp.cleanOnBoot = true;
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
-  boot.plymouth = {
-    enable = true;
-    logo = ./boot.png;
+
+  boot = {
+    kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
+    tmp.cleanOnBoot = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
+    plymouth = {
+      enable = true;
+      logo = ./boot.png;
+    };
  };

  zramSwap = {
@ -42,13 +45,15 @@

  time.timeZone = "Europe/London";

-  hardware.trackpoint.enable = true;
-  hardware.keyboard.qmk.enable = true;
+  hardware = {
+    trackpoint.enable = true;
+    keyboard.qmk.enable = true;
+    opengl.extraPackages = with pkgs; [libva];
+  };
+
  services.udev.packages = [pkgs.qmk-udev-rules];
  programs.ccache.enable = true;
-  hardware.opengl.extraPackages = with pkgs; [libva];
  programs.steam.enable = true;
-  nixpkgs.config.allowUnfree = true;

  home-manager.users.cyryl = {...}: {
    imports = [
--- a/nixos/boxes/foureighty/default.nix
+++ b/nixos/boxes/foureighty/default.nix
@ -45,25 +45,28 @@
    device = "0000:00:02.0";
  };
  hardware.trackpoint.enable = true;
-  services.hardware.bolt.enable = true;
+  services = {
+    hardware.bolt.enable = true;

-  services.xserver = {
-    libinput = {
-      enable = true;
-      touchpad = {
-        tapping = true;
-        naturalScrolling = false;
-        middleEmulation = false;
-        disableWhileTyping = true;
-        buttonMapping = "1 0 3 4 5 6 7 8 9 10";
-      };
-      mouse = {
-        middleEmulation = false;
-        buttonMapping = "1 0 3 4 5 6 7 8 9 10";
+    xserver = {
+      libinput = {
+        enable = true;
+        touchpad = {
+          tapping = true;
+          naturalScrolling = false;
+          middleEmulation = false;
+          disableWhileTyping = true;
+          buttonMapping = "1 0 3 4 5 6 7 8 9 10";
+        };
+        mouse = {
+          middleEmulation = false;
+          buttonMapping = "1 0 3 4 5 6 7 8 9 10";
+        };
      };
    };
+    fprintd = {enable = true;};
  };
-  services.fprintd = {enable = true;};
+
  programs.ccache.enable = true;
  hardware.opengl.extraPackages = with pkgs; [libva];
  programs.steam.enable = true;
--- a/nixos/boxes/foureighty/hardware-configuration.nix
+++ b/nixos/boxes/foureighty/hardware-configuration.nix
@ -13,9 +13,11 @@
      availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
    };

-    loader.systemd-boot.enable = true;
-    loader.efi.canTouchEfiVariables = true;
-    loader.efi.efiSysMountPoint = "/boot/efi";
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+    };
  };

  boot.initrd.secrets = {"/crypto_keyfile.bin" = null;};
--- a/nixos/boxes/homescreen/default.nix
+++ b/nixos/boxes/homescreen/default.nix
@ -11,40 +11,43 @@
    hostName = "homescreen";
    networkmanager = {enable = true;};
  };
-  hardware.enableRedistributableFirmware = true;

  environment.systemPackages = with pkgs; [neovim htop btop atop];

-  services.fail2ban.enable = true;
+  hardware = {
+    raspberry-pi."4".fkms-3d.enable = true;

-  services.openssh = {
-    enable = true;
-    permitRootLogin = "prohibit-password";
-    passwordAuthentication = false;
+    enableRedistributableFirmware = true;
+    deviceTree.filter = lib.mkForce "*rpi-*.dtb";
  };
+  services = {
+    fail2ban.enable = true;

-  hardware.raspberry-pi."4".fkms-3d.enable = true;
-
-  hardware.deviceTree.filter = lib.mkForce "*rpi-*.dtb";
-
-  services.xserver = {
-    enable = true;
-    displayManager = {
-      lightdm.enable = true;
-      autoLogin.enable = true;
-      autoLogin.user = "kiosk";
+    openssh = {
+      enable = true;
+      permitRootLogin = "prohibit-password";
+      passwordAuthentication = false;
+    };
+    xserver = {
+      enable = true;
+      displayManager = {
+        lightdm.enable = true;
+        autoLogin.enable = true;
+        autoLogin.user = "kiosk";
+      };
+      desktopManager.gnome.enable = true;
+      libinput.enable = true;
    };
-    desktopManager.gnome.enable = true;
-    libinput.enable = true;
  };

  users = {
    mutableUsers = false;
    users.kiosk = {isNormalUser = true;};
+    extraUsers.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
+    ];
  };
-  users.extraUsers.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
-  ];
+
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
@ -57,6 +60,7 @@
      options = ["nofail" "noauto"];
    };
  };
+
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  security.allowUserNamespaces = true;
--- a/nixos/boxes/skinnyv/default.nix
+++ b/nixos/boxes/skinnyv/default.nix
@ -19,11 +19,14 @@
    ../../zsh
  ];

-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  time.timeZone = "Europe/London";
-
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    time.timeZone = "Europe/London";
+  };
  services.thermald.enable = true;
  home-manager.users.cyryl = {...}: {
    imports = [../../home-manager/programs/kitty.nix];
--- a/nixos/common-hardware.nix
+++ b/nixos/common-hardware.nix
@ -1,110 +1,113 @@
-{ config, pkgs, nixpkgs-nixos-unstable-and-unfree, lib, ... }: {
-  boot.kernelModules = [ "fuse" ];
-  services.smartd.enable = true;
+{
+  config,
+  pkgs,
+  nixpkgs-nixos-unstable-and-unfree,
+  lib,
+  ...
+}: {
+  boot.kernelModules = ["fuse"];

  sound.enable = true;

  networking.networkmanager = {
    enable = true;
-    dispatcherScripts = [{
-      source = pkgs.writeText "upHook" ''
-        enable_disable_wifi ()
-        {
-          result=$(nmcli dev | grep "ethernet" | grep -w "connected")
-          if [ -n "$result" ]; then
-            nmcli radio wifi off
-          else
-            nmcli radio wifi on
+    dispatcherScripts = [
+      {
+        source = pkgs.writeText "upHook" ''
+          enable_disable_wifi ()
+          {
+            result=$(nmcli dev | grep "ethernet" | grep -w "connected")
+            if [ -n "$result" ]; then
+              nmcli radio wifi off
+            else
+              nmcli radio wifi on
+            fi
+          }
+
+          if [ "$2" = "up" ]; then
+            enable_disable_wifi
          fi
-        }

-        if [ "$2" = "up" ]; then
-          enable_disable_wifi
-        fi
-
-        if [ "$2" = "down" ]; then
-          enable_disable_wifi
-        fi
-      '';
-      type = "basic";
-    }];
+          if [ "$2" = "down" ]; then
+            enable_disable_wifi
+          fi
+        '';
+        type = "basic";
+      }
+    ];
  };

-  hardware.enableRedistributableFirmware = true;
-  hardware.cpu.intel.updateMicrocode = true;
-
-  hardware.bluetooth = {
-    enable = true;
-    package = pkgs.bluez;
-    settings = { General = { Enable = "Source,Sink,Media,Socket"; }; };
-  };
-
-  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    extraConfig.pipewire."92-low-latency" = {
-      context.properties = {
-        default.clock.rate = 48000;
-        default.clock.quantum = 32;
-        default.clock.min-quantum = 32;
-        default.clock.max-quantum = 32;
-      };
+
+  services = {
+    smartd.enable = true;
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+    printing = {
+      enable = true;
+      drivers = with pkgs; [
+        epson-escpr
+        nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
+        gutenprint
+      ];
+      extraConf = ''
+        Option pdftops-renderer hybrid
+      '';
+    };
+
+    udev.packages = [];
+  };
+
+  environment.systemPackages = with pkgs; [ghostscript poppler];
+
+  hardware = {
+    enableRedistributableFirmware = true;
+    cpu.intel.updateMicrocode = true;
+
+    bluetooth = {
+      enable = true;
+      package = pkgs.bluez;
+      settings = {General = {Enable = "Source,Sink,Media,Socket";};};
+    };
+
+    pulseaudio.enable = false;
+    printers.ensurePrinters = [
+      {
+        description = "Epson XP-540 via bolty";
+        name = "epson_xp540_via_bolty";
+        deviceUri = "ipp://bolty:631/printers/epson_xp540";
+        model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
+        ppdOptions = {
+          PageSize = "A4";
+          Duplex = "DuplexNoTumble";
+        };
+      }
+      {
+        description = "Samsung SCX-4623 Series";
+        name = "samsung-SCX-4623";
+        deviceUri = "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
+        model = "samsung/SCX-4623FW.ppd";
+        ppdOptions = {
+          PageSize = "A4";
+          Duplex = "DuplexNoTumble";
+        };
+      }
+    ];
+
+    sane = {
+      enable = true;
+      snapshot = true;
+      extraBackends = with pkgs; [
+        nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
+        sane-airscan
+        gawk
+      ];
    };
  };
-
-  environment.systemPackages = with pkgs; [ ghostscript poppler ];
-  services.printing = {
-    enable = true;
-    drivers = with pkgs; [
-      epson-escpr
-      nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
-      gutenprint
-    ];
-    extraConf = ''
-      Option pdftops-renderer hybrid
-    '';
-  };
-
-  hardware.printers.ensurePrinters = [
-    {
-      description = "Epson XP-540 via bolty";
-      name = "epson_xp540_via_bolty";
-      deviceUri = "ipp://bolty:631/printers/epson_xp540";
-      model =
-        "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
-      ppdOptions = {
-        PageSize = "A4";
-        Duplex = "DuplexNoTumble";
-      };
-    }
-    {
-      description = "Samsung SCX-4623 Series";
-      name = "samsung-SCX-4623";
-      deviceUri =
-        "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
-      model = "samsung/SCX-4623FW.ppd";
-      ppdOptions = {
-        PageSize = "A4";
-        Duplex = "DuplexNoTumble";
-      };
-    }
-  ];
-
-  services.udev.packages = [ ];
-  hardware.sane = {
-    enable = true;
-    snapshot = true;
-    extraBackends = with pkgs; [
-      nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
-      sane-airscan
-      gawk
-    ];
-  };
-
  powerManagement = {
    enable = lib.mkForce true;
    resumeCommands = ''
--- a/nixos/common.nix
+++ b/nixos/common.nix
@ -20,6 +20,7 @@ in {
  boot.supportedFilesystems = ["ntfs"];
  environment.enableDebugInfo = true;

+  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    ccache
    curl
--- a/nixos/distributed-builds.nix
+++ b/nixos/distributed-builds.nix
@ -3,23 +3,25 @@
  pkgs,
  ...
 }: {
-  nix.buildMachines = [
-    {
-      hostName = "bolty";
-      sshUser = "nix-builder";
-      sshKey = "/home/cyryl/.ssh/id_ed25519";
-      systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
-      maxJobs = 2;
-      speedFactor = 1;
-      supportedFeatures = ["kvm" "big-parallel"];
-      mandatoryFeatures = [];
-    }
-  ];
+  nix = {
+    buildMachines = [
+      {
+        hostName = "bolty";
+        sshUser = "nix-builder";
+        sshKey = "/home/cyryl/.ssh/id_ed25519";
+        systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
+        maxJobs = 2;
+        speedFactor = 1;
+        supportedFeatures = ["kvm" "big-parallel"];
+        mandatoryFeatures = [];
+      }
+    ];

-  nix.extraOptions = ''
-    builders-use-substitutes = true
-  '';
-  nix.distributedBuilds = true;
-  nix.settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
-  nix.settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
+    extraOptions = ''
+      builders-use-substitutes = true
+    '';
+    distributedBuilds = true;
+    settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
+    settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
+  };
 }
--- a/nixos/git/home.nix
+++ b/nixos/git/home.nix
@ -20,9 +20,11 @@
      colour.ui = true;
      core.fsmonitor = true;
      credential = {helper = "cache";};
-      diff.algorithm = "histogram";
-      diff.renameLimit = 2048;
-      diff.renames = "copy";
+      diff = {
+        algorithm = "histogram";
+        renameLimit = 2048;
+        renames = "copy";
+      };
      help.autocorrect = 1;
      init.defaultBranch = "main";
      merge.renamelimit = 8192;
--- a/nixos/gui/default.nix
+++ b/nixos/gui/default.nix
@ -22,9 +22,11 @@

    imports = [];

-    programs.chromium.enable = true;
-    programs.firefox.enable = true;
-    programs.sioyek.enable = true;
+    programs = {
+      chromium.enable = true;
+      firefox.enable = true;
+      sioyek.enable = true;
+    };
    home.packages =
      (with pkgs;
        with pkgs.gnome3;
--- a/nixos/gui/vscode/home.nix
+++ b/nixos/gui/vscode/home.nix
@ -7,9 +7,11 @@
  programs.vscode = {
    enable = true;
    userSettings = {
-      editor.fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
-      editor.formatOnType = true;
-      editor.fontSize = 16;
+      editr = {
+        fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
+        formatOnType = true;
+        fontSize = 16;
+      };
      files.autoSave = "onFocusChange";
      rust-analyzer.checkOnSave.command = "clippy";
      platformio-ide = {
--- a/nixos/home-manager/default.nix
+++ b/nixos/home-manager/default.nix
@ -7,19 +7,20 @@
 }: let
  username = "cyryl";
 in {
-  home.sessionVariables = {
-    LC_ALL = "en_GB.UTF-8";
-    LANG = "en_GB.UTF-8";
-    PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
+  home = {
+    inherit username;
+    sessionVariables = {
+      LC_ALL = "en_GB.UTF-8";
+      LANG = "en_GB.UTF-8";
+      PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
+    };
+
+    packages = with pkgs; [];
+
+    homeDirectory = lib.mkDefault "/home/${username}";
+    stateVersion = "23.11";
  };
-
  news.display = "show";
-
-  home.packages = with pkgs; [];
-
-  home.username = username;
-  home.homeDirectory = lib.mkDefault "/home/${username}";
-  home.stateVersion = "23.11";
  programs.home-manager.enable = true;

  imports = [
--- a/nixos/home-manager/links.nix
+++ b/nixos/home-manager/links.nix
@ -3,18 +3,20 @@
  pkgs,
  ...
 }: {
-  home.file.".config/nixpkgs/config.nix".source = ../shell-config.nix;
-  home.file.".gdbinit".text = ''
-    set auto-load python-scripts on
-    add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
-    set auto-load safe-path /
-    source /home/cyryl/dev/dotfiles/.gdbinit
-  '';
-  home.file.".gdbinit.d/dashboard".text = ''
-    dashboard -layout breakpoints source expressions stack threads variables
-    dashboard variables -style compact 0
-    dashboard source -style height 24
-    dashboard stack -style compact 1
-    dashboard stack -style limit 3
-  '';
+  home.file = {
+    ".config/nixpkgs/config.nix".source = ../shell-config.nix;
+    ".gdbinit".text = ''
+      set auto-load python-scripts on
+      add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
+      set auto-load safe-path /
+      source /home/cyryl/dev/dotfiles/.gdbinit
+    '';
+    ".gdbinit.d/dashboard".text = ''
+      dashboard -layout breakpoints source expressions stack threads variables
+      dashboard variables -style compact 0
+      dashboard source -style height 24
+      dashboard stack -style compact 1
+      dashboard stack -style limit 3
+    '';
+  };
 }
--- a/nixos/i3/default.nix
+++ b/nixos/i3/default.nix
@ -44,10 +44,13 @@

    fractalart.enable = true;
    colord.enable = true;
-    xserver.windowManager.i3.enable = true;
-    xserver.displayManager.sddm = {
+    xserver = {
      enable = true;
-      enableHidpi = true;
+      windowManager.i3.enable = true;
+      displayManager.sddm = {
+        enable = true;
+        enableHidpi = true;
+      };
    };
  };
  home-manager.users.cyryl = {...}: {
--- a/nixos/security.nix
+++ b/nixos/security.nix
@ -9,83 +9,89 @@

  nix.settings.allowed-users = ["@users"];

-  security.apparmor.enable = true;
-  security.apparmor.killUnconfinedConfinables = true;
-  security.forcePageTableIsolation = true;
-  security.lockKernelModules = false;
-  security.protectKernelImage = true;
-  security.virtualisation.flushL1DataCache = "always";
+  security = {
+    apparmor.enable = true;
+    apparmor.killUnconfinedConfinables = true;
+    forcePageTableIsolation = true;
+    lockKernelModules = false;
+    protectKernelImage = true;
+    virtualisation.flushL1DataCache = "always";
+  };

  sops.age = {
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };

-  boot.kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
+  boot = {
+    kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];

-  boot.blacklistedKernelModules = [
-    # Obscure network protocols
-    "ax25"
-    "netrom"
-    "rose"
+    blacklistedKernelModules = [
+      # Obscure network protocols
+      "ax25"
+      "netrom"
+      "rose"

-    # Old or rare or insufficiently audited filesystems
-    "adfs"
-    "affs"
-    "bfs"
-    "befs"
-    "cramfs"
-    "efs"
-    "erofs"
-    "exofs"
-    "freevxfs"
-    "f2fs"
-    "hfs"
-    "hpfs"
-    "jfs"
-    "minix"
-    "nilfs2"
-    "omfs"
-    "qnx4"
-    "qnx6"
-    "sysv"
-    "ufs"
-  ];
+      # Old or rare or insufficiently audited filesystems
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
+    ];

-  # Restrict ptrace() usage to processes with a pre-defined relationship
-  # (e.g., parent/child)
-  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+    kernel.sysctl = {
+      # Restrict ptrace() usage to processes with a pre-defined relationship
+      # (e.g., parent/child)
+      "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;

-  # Hide kptrs even for processes with CAP_SYSLOG
-  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+      # Hide kptrs even for processes with CAP_SYSLOG
+      "kernel.kptr_restrict" = lib.mkOverride 500 2;

-  # Disable bpf() JIT (to eliminate spray attacks)
-  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+      # Disable bpf() JIT (to eliminate spray attacks)
+      "net.core.bpf_jit_enable" = false;

-  # Disable ftrace debugging
-  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+      # Disable ftrace debugging
+      "kernel.ftrace_enabled" = false;

-  # Enable strict reverse path filtering (that is, do not attempt to route
-  # packets that "obviously" do not belong to the iface's network; dropped
-  # packets are logged as martians).
-  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
-  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+      # Enable strict reverse path filtering (that is, do not attempt to route
+      # packets that "obviously" do not belong to the iface's network; dropped
+      # packets are logged as martians).
+      "net.ipv4.conf.all.log_martians" = true;
+      "net.ipv4.conf.all.rp_filter" = "1";
+      "net.ipv4.conf.default.log_martians" = true;
+      "net.ipv4.conf.default.rp_filter" = "1";

-  # Ignore broadcast ICMP (mitigate SMURF)
-  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+      # Ignore broadcast ICMP (mitigate SMURF)
+      "net.ipv4.icmp_echo_ignore_broadcasts" = true;

-  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-  # setting is applied to interfaces added after the sysctls are set)
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+      # setting is applied to interfaces added after the sysctls are set)
+      "net.ipv4.conf.all.accept_redirects" = false;
+      "net.ipv4.conf.all.secure_redirects" = false;
+      "net.ipv4.conf.default.accept_redirects" = false;
+      "net.ipv4.conf.default.secure_redirects" = false;
+      "net.ipv6.conf.all.accept_redirects" = false;
+      "net.ipv6.conf.default.accept_redirects" = false;

-  # Ignore outgoing ICMP redirects (this is ipv4 only)
-  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+      # Ignore outgoing ICMP redirects (this is ipv4 only)
+      "net.ipv4.conf.all.send_redirects" = false;
+      "net.ipv4.conf.default.send_redirects" = false;
+    };
+  };
 }
--- a/nixos/server-security.nix
+++ b/nixos/server-security.nix
@ -30,7 +30,9 @@ in {
    openssh.authorizedKeys.keys = authorizedKeys;
  };

-  nix.settings.trusted-users = ["root" "nix-builder"];
-  nix.sshServe.enable = true;
-  nix.sshServe.keys = authorizedKeys;
+  nix = {
+    settings.trusted-users = ["root" "nix-builder"];
+    sshServe.enable = true;
+    sshServe.keys = authorizedKeys;
+  };
 }
--- a/nixos/sway/default.nix
+++ b/nixos/sway/default.nix
@ -52,10 +52,12 @@ in {
        gsettings-desktop-schemas
        lxappearance
      ];
-      file.".config/wofi/style.css".source = ../../.config/wofi/style.css;
-      file.".config/waybar/config".source = ../../.config/waybar/config;
-      file.".config/waybar/style.css".source =
-        ../../.config/waybar/style.css;
+      file = {
+        ".config/wofi/style.css".source = ../../.config/wofi/style.css;
+        ".config/waybar/config".source = ../../.config/waybar/config;
+        ".config/waybar/style.css".source =
+          ../../.config/waybar/style.css;
+      };
    };
    services.udiskie.enable = true;
    xsession.preferStatusNotifierItems = true;
--- a/nixos/vim/home.nix
+++ b/nixos/vim/home.nix
@ -11,12 +11,15 @@
  cocPackage = unstablePackages.vimPlugins.coc-nvim;
  nvimPackage = unstablePackages.neovim-unwrapped;
 in {
-  home.file.".vimrc".source = ../../.vimrc;
-  home.packages = with pkgs; [ripgrep];
-  home.sessionVariables = {
-    EDITOR = "vim";
-    VISUAL = "vim";
+  home = {
+    file.".vimrc".source = ../../.vimrc;
+    packages = with pkgs; [ripgrep];
+    sessionVariables = {
+      EDITOR = "vim";
+      VISUAL = "vim";
+    };
  };
+
  programs.zsh.sessionVariables = {
    EDITOR = "vim";
    VISUAL = "vim";