cleanup, make checks pass

2024-04-27 11:33:38 +01:00 · 2024-04-27 11:33:38 +01:00 · 635f5902aa
parent c6cb14a14b
commit 635f5902aa
28 changed files with 515 additions and 443 deletions
--- a/flake.nix
+++ b/flake.nix
@ -36,11 +36,13 @@
        ];
        specialArgs = {inherit inputs system;};
      };
-    mkRaspi = pkgs: hostname:
+    mkRaspi = pkgs: hostname: let
      system = "aarch64-linux";
    in
      pkgs.lib.nixosSystem {
-        system = "aarch64-linux";
+        inherit system;
        modules = [(./. + "/nixos/boxes/${hostname}") sops.nixosModules.sops];
-        specialArgs = {inherit inputs;};
+        specialArgs = {inherit inputs system;};
      };
    mkKiosk = pkgs: system: hostname:
      pkgs.lib.nixosSystem {
@ -52,12 +54,14 @@
          home-manager.nixosModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
-              imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
+              users.cyryl = {
-              _module.args.inputs = inputs;
+                imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
-              _module.args.system = system;
+                _module.args.inputs = inputs;
                _module.args.system = system;
              };
            };
          }
        ];
@ -86,12 +90,14 @@
          {programs.nix-ld.dev.enable = true;}
          home-manager.nixosModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
-              imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
+              users.cyryl = {
-              _module.args.inputs = inputs;
+                imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
-              _module.args.system = system;
+                _module.args.inputs = inputs;
                _module.args.system = system;
              };
            };
          }
        ];
@ -138,12 +144,14 @@
          (./. + "/nixos/boxes/form3")
          home-manager.darwinModules.home-manager
          {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
-              imports = [./nixos/home-manager];
+              users.cyryl = {
-              _module.args.inputs = inputs;
+                imports = [./nixos/home-manager];
-              _module.args.system = system;
+                _module.args.inputs = inputs;
                _module.args.system = system;
              };
            };
          }
        ];
@ -154,7 +162,6 @@
      foryog = mkWorkstation nixpkgs-nixos-unstable "x86_64-linux" "foryog";
      thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
      bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
      vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1";
      cupsnet = mkServer nixpkgs-stable "aarch64-linux" "cupsnet";
      mb1 = mkServer nixpkgs-stable "x86_64-linux" "mb1";
      homescreen = mkRaspi nixpkgs-stable "homescreen";
--- a/nixos/boxes/bolty/bolty-boot.nix
+++ b/nixos/boxes/bolty/bolty-boot.nix
@ -15,10 +15,13 @@
    zfs.forceImportRoot = false;
  };
-  services.btrfs.autoScrub.enable = true;
+  services = {
-  services.zfs.autoScrub.enable = true;
+    btrfs.autoScrub.enable = true;
-  services.zfs.trim.enable = true;
+    zfs = {
-
+      autoScrub.enable = true;
      trim.enable = true;
    };
  };
  boot.kernelParams = ["zfs.zfs_arc_max=17179869184"];
  boot.zfs.extraPools = ["data"];
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@ -7,13 +7,11 @@
    ../cli.nix
    ../send-logs.nix
    ./bolty-boot.nix
    ./gitea-runner.nix
    ./grafana.nix
    ./home-assistant.nix
    ./home-security.nix
    ./influxdb.nix
    ./logs.nix
    ./mastodon.nix
    ./nas.nix
    ./networking.nix
    ./nix-store-server.nix
--- a/nixos/boxes/bolty/home-assistant.nix
+++ b/nixos/boxes/bolty/home-assistant.nix
@ -14,49 +14,52 @@ in {
  imports = [../nginx.nix ./virtualisation.nix];
  networking.firewall.allowedTCPPorts = [port 1883 8089];
-  services.mosquitto = {
+
-    enable = true;
+  services = {
-    package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
+    mosquitto = {
-    dataDir = "/data/mosquitto";
+      enable = true;
-    listeners = [
+      package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
-      {
+      dataDir = "/data/mosquitto";
-        port = 1883;
+      listeners = [
-        omitPasswordAuth = true;
+        {
-        users = {};
+          port = 1883;
-        settings = {
+          omitPasswordAuth = true;
-          allow_anonymous = true;
+          users = {};
          settings = {
            allow_anonymous = true;
          };
          acl = ["topic readwrite #"];
        }
      ];
    };
    zigbee2mqtt = {
      enable = true;
      package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
      settings = {
        homeassistant = true;
        permit_join = true;
        availability.active.timeout = 10;
        availability.passive.timeout = 90;
        frontend.port = 8089;
        mqtt.server = "mqtt://10.0.0.8:1883";
        serial = {
          port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
          baudrate = 115200;
        };
        acl = ["topic readwrite #"];
      }
    ];
  };
  services.zigbee2mqtt = {
    enable = true;
    package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
    settings = {
      homeassistant = true;
      permit_join = true;
      availability.active.timeout = 10;
      availability.passive.timeout = 90;
      frontend.port = 8089;
      mqtt.server = "mqtt://10.0.0.8:1883";
      serial = {
        port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
        baudrate = 115200;
      };
    };
-  };
+    nginx = {
-  services.nginx = {
+      virtualHosts = {
-    virtualHosts = {
+        "bolty.raptor-carp.ts.net" = {
-      "bolty.raptor-carp.ts.net" = {
+          forceSSL = true;
-        forceSSL = true;
+          enableACME = false;
-        enableACME = false;
+          locations."/" = {
-        locations."/" = {
+            proxyPass = "http://10.0.0.244:8123";
-          proxyPass = "http://10.0.0.244:8123";
+            proxyWebsockets = true;
-          proxyWebsockets = true;
+          };
          sslCertificateKey = keyPath;
          sslCertificate = certPath;
        };
        sslCertificateKey = keyPath;
        sslCertificate = certPath;
      };
    };
  };
--- a/nixos/boxes/bolty/networking.nix
+++ b/nixos/boxes/bolty/networking.nix
@ -6,23 +6,25 @@
  ...
 }: {
  networking.hostName = "bolty";
  systemd.network.enable = true;
  networking.networkmanager.enable = false;
  systemd.network.netdevs."br0".netdevConfig = {
    Name = "br0";
    Kind = "bridge";
  };
  systemd.network.networks."br0" = {
    name = "br0";
    address = ["10.0.0.8/24"];
    gateway = ["10.0.0.1"];
    DHCP = "no";
    dns = ["100.100.100.100" "9.9.9.9"];
  };
-  systemd.network.networks."eth" = {
+  systemd.network = {
-    name = "enp4s0";
+    enable = true;
-    networkConfig.Bridge = "br0";
+    netdevs."br0".netdevConfig = {
-    DHCP = "no";
+      Name = "br0";
      Kind = "bridge";
    };
    networks."br0" = {
      name = "br0";
      address = ["10.0.0.8/24"];
      gateway = ["10.0.0.1"];
      DHCP = "no";
      dns = ["100.100.100.100" "9.9.9.9"];
    };
    networks."eth" = {
      name = "enp4s0";
      networkConfig.Bridge = "br0";
      DHCP = "no";
    };
  };
 }
--- a/nixos/boxes/bolty/print-server.nix
+++ b/nixos/boxes/bolty/print-server.nix
@ -4,20 +4,36 @@
  lib,
  ...
 }: {
-  networking.firewall.enable = true;
+  networking.firewall = {
  networking.firewall.allowedTCPPorts = [631 6566];
  networking.firewall.allowedUDPPorts = [631 6566];
  services.printing = {
    enable = true;
-    drivers = with pkgs; [epson-escpr];
+    allowedTCPPorts = [631 6566];
-    listenAddresses = ["*:631"];
+    allowedUDPPorts = [631 6566];
-    defaultShared = true;
+  };
-    browsing = true;
+  services = {
-    allowFrom = ["all"];
+    printing = {
-    extraConf = ''
+      enable = true;
-      ServerAlias *
+      drivers = with pkgs; [epson-escpr];
-      DefaultEncryption Never
+      listenAddresses = ["*:631"];
-    '';
+      defaultShared = true;
      browsing = true;
      allowFrom = ["all"];
      extraConf = ''
        ServerAlias *
        DefaultEncryption Never
      '';
    };
    udev.packages = [];
    saned = {
      enable = true;
      extraConfig = ''
        100.69.222.80
        10.0.24.0/24
        10.0.0.1/24
        foureighty
        hagath
      '';
    };
  };
  hardware.printers.ensurePrinters = [
@ -37,17 +53,5 @@
    snapshot = true;
  };
  services.udev.packages = [];
  environment.systemPackages = with pkgs; [gawk];
  services.saned = {
    enable = true;
    extraConfig = ''
      100.69.222.80
      10.0.24.0/24
      10.0.0.1/24
      foureighty
      hagath
    '';
  };
 }
--- a/nixos/boxes/bolty/real-hardware.nix
+++ b/nixos/boxes/bolty/real-hardware.nix
@ -4,11 +4,13 @@
  lib,
  ...
 }: {
  hardware.enableRedistributableFirmware = true;
  services.smartd.enable = true;
  services.fstrim.enable = true;
  environment.systemPackages = with pkgs; [smartmontools];
-  services.fwupd.enable = true;
+  hardware.enableRedistributableFirmware = true;
-  services.thermald.enable = true;
+  services = {
-  services.haveged.enable = true;
+    smartd.enable = true;
    fstrim.enable = true;
    fwupd.enable = true;
    thermald.enable = true;
    haveged.enable = true;
  };
 }
--- a/nixos/boxes/bolty/tailscale-cert.nix
+++ b/nixos/boxes/bolty/tailscale-cert.nix
@ -12,43 +12,44 @@
 in {
  imports = [];
-  systemd.services.tailscale-cert-make-path = {
+  systemd.services = {
-    script = ''
+    tailscale-cert-make-path = {
-      mkdir -p ${basePath}
+      script = ''
-    '';
+        mkdir -p ${basePath}
-    serviceConfig = {Type = "oneshot";};
+      '';
-    before = ["tailscale-cert.service"];
+      serviceConfig = {Type = "oneshot";};
-    wantedBy = ["multi-user.target"];
+      before = ["tailscale-cert.service"];
-  };
+      wantedBy = ["multi-user.target"];
  systemd.services.tailscale-cert = {
    after = ["network.target" "network-online.target" "tailscaled.service"];
    wants = ["tailscaled.service"];
    wantedBy = ["multi-user.target"];
    path = with pkgs; [tailscale];
    serviceConfig = {
      Type = "oneshot";
      UMask = 22;
      StateDirectoryMode = 750;
      ProtectSystem = "strict";
      ReadWritePaths = ["${basePath}"];
      PrivateTmp = true;
      WorkingDirectory = "${basePath}";
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      StateDirectory = ["${basePath}"];
    };
-    script = ''
+    tailscale-cert = {
-      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
+      after = ["network.target" "network-online.target" "tailscaled.service"];
-    '';
+      wants = ["tailscaled.service"];
-  };
+      wantedBy = ["multi-user.target"];
      path = with pkgs; [tailscale];
      serviceConfig = {
        Type = "oneshot";
        UMask = 22;
        StateDirectoryMode = 750;
        ProtectSystem = "strict";
        ReadWritePaths = ["${basePath}"];
        PrivateTmp = true;
        WorkingDirectory = "${basePath}";
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectHome = true;
        ProtectHostname = true;
        StateDirectory = ["${basePath}"];
      };
      script = ''
        tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
      '';
    };
  };
  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
--- a/nixos/boxes/cupsnet/boot.nix
+++ b/nixos/boxes/cupsnet/boot.nix
@ -5,12 +5,14 @@
  lib,
  ...
 }: {
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot = {
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
+    kernelPackages = pkgs.linuxPackages_latest;
    initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
-  boot.loader.grub = {
+    loader.grub = {
-    devices = ["/dev/vda"];
+      devices = ["/dev/vda"];
-    efiSupport = true;
+      efiSupport = true;
-    efiInstallAsRemovable = true;
+      efiInstallAsRemovable = true;
    };
  };
 }
--- a/nixos/boxes/form3/default.nix
+++ b/nixos/boxes/form3/default.nix
@ -51,16 +51,18 @@ in {
  home-manager.users.cyryl = {...}: {
    imports = [];
    home.packages = with pkgs; [awscli kubectl cargo-update];
-    programs.git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
+    programs = {
-    programs.git.extraConfig = {
+      git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
-      user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
+      git.extraConfig = {
-      commit.gpgsign = true;
+        user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
-      "url \"git@github.com:\"".insteadOf = "https://github.com/";
+        commit.gpgsign = true;
        "url \"git@github.com:\"".insteadOf = "https://github.com/";
      };
      gpg.enable = true;
      gpg.homedir = "/Users/cyryl/.gnupg";
      zsh.loginExtra = ''
        eval "$(/opt/homebrew/bin/brew shellenv)"
      '';
    };
    programs.gpg.enable = true;
    programs.gpg.homedir = "/Users/cyryl/.gnupg";
    programs.zsh.loginExtra = ''
      eval "$(/opt/homebrew/bin/brew shellenv)"
    '';
  };
 }
--- a/nixos/boxes/foryog/default.nix
+++ b/nixos/boxes/foryog/default.nix
@ -26,12 +26,15 @@
  services.restic.backups.home-to-b2 = {
    repository = lib.mkForce "b2:cyplo-restic-foureighty:/";
  };
-  boot.kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
+
-  boot.tmp.cleanOnBoot = true;
+  boot = {
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+    kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
-  boot.plymouth = {
+    tmp.cleanOnBoot = true;
-    enable = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
-    logo = ./boot.png;
+    plymouth = {
      enable = true;
      logo = ./boot.png;
    };
  };
  zramSwap = {
@ -42,13 +45,15 @@
  time.timeZone = "Europe/London";
-  hardware.trackpoint.enable = true;
+  hardware = {
-  hardware.keyboard.qmk.enable = true;
+    trackpoint.enable = true;
    keyboard.qmk.enable = true;
    opengl.extraPackages = with pkgs; [libva];
  };
  services.udev.packages = [pkgs.qmk-udev-rules];
  programs.ccache.enable = true;
  hardware.opengl.extraPackages = with pkgs; [libva];
  programs.steam.enable = true;
  nixpkgs.config.allowUnfree = true;
  home-manager.users.cyryl = {...}: {
    imports = [
--- a/nixos/boxes/foureighty/default.nix
+++ b/nixos/boxes/foureighty/default.nix
@ -45,25 +45,28 @@
    device = "0000:00:02.0";
  };
  hardware.trackpoint.enable = true;
-  services.hardware.bolt.enable = true;
+  services = {
    hardware.bolt.enable = true;
-  services.xserver = {
+    xserver = {
-    libinput = {
+      libinput = {
-      enable = true;
+        enable = true;
-      touchpad = {
+        touchpad = {
-        tapping = true;
+          tapping = true;
-        naturalScrolling = false;
+          naturalScrolling = false;
-        middleEmulation = false;
+          middleEmulation = false;
-        disableWhileTyping = true;
+          disableWhileTyping = true;
-        buttonMapping = "1 0 3 4 5 6 7 8 9 10";
+          buttonMapping = "1 0 3 4 5 6 7 8 9 10";
-      };
+        };
-      mouse = {
+        mouse = {
-        middleEmulation = false;
+          middleEmulation = false;
-        buttonMapping = "1 0 3 4 5 6 7 8 9 10";
+          buttonMapping = "1 0 3 4 5 6 7 8 9 10";
        };
      };
    };
    fprintd = {enable = true;};
  };
-  services.fprintd = {enable = true;};
+
  programs.ccache.enable = true;
  hardware.opengl.extraPackages = with pkgs; [libva];
  programs.steam.enable = true;
--- a/nixos/boxes/foureighty/hardware-configuration.nix
+++ b/nixos/boxes/foureighty/hardware-configuration.nix
@ -13,9 +13,11 @@
      availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
    };
-    loader.systemd-boot.enable = true;
+    loader = {
-    loader.efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
-    loader.efi.efiSysMountPoint = "/boot/efi";
+      efi.canTouchEfiVariables = true;
      efi.efiSysMountPoint = "/boot/efi";
    };
  };
  boot.initrd.secrets = {"/crypto_keyfile.bin" = null;};
--- a/nixos/boxes/homescreen/default.nix
+++ b/nixos/boxes/homescreen/default.nix
@ -11,40 +11,43 @@
    hostName = "homescreen";
    networkmanager = {enable = true;};
  };
  hardware.enableRedistributableFirmware = true;
  environment.systemPackages = with pkgs; [neovim htop btop atop];
-  services.fail2ban.enable = true;
+  hardware = {
    raspberry-pi."4".fkms-3d.enable = true;
-  services.openssh = {
+    enableRedistributableFirmware = true;
-    enable = true;
+    deviceTree.filter = lib.mkForce "*rpi-*.dtb";
    permitRootLogin = "prohibit-password";
    passwordAuthentication = false;
  };
  services = {
    fail2ban.enable = true;
-  hardware.raspberry-pi."4".fkms-3d.enable = true;
+    openssh = {
-
+      enable = true;
-  hardware.deviceTree.filter = lib.mkForce "*rpi-*.dtb";
+      permitRootLogin = "prohibit-password";
-
+      passwordAuthentication = false;
-  services.xserver = {
+    };
-    enable = true;
+    xserver = {
-    displayManager = {
+      enable = true;
-      lightdm.enable = true;
+      displayManager = {
-      autoLogin.enable = true;
+        lightdm.enable = true;
-      autoLogin.user = "kiosk";
+        autoLogin.enable = true;
        autoLogin.user = "kiosk";
      };
      desktopManager.gnome.enable = true;
      libinput.enable = true;
    };
    desktopManager.gnome.enable = true;
    libinput.enable = true;
  };
  users = {
    mutableUsers = false;
    users.kiosk = {isNormalUser = true;};
    extraUsers.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
    ];
  };
-  users.extraUsers.root.openssh.authorizedKeys.keys = [
+
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
  ];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
@ -57,6 +60,7 @@
      options = ["nofail" "noauto"];
    };
  };
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  security.allowUserNamespaces = true;
--- a/nixos/boxes/skinnyv/default.nix
+++ b/nixos/boxes/skinnyv/default.nix
@ -19,11 +19,14 @@
    ../../zsh
  ];
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot = {
-  boot.loader.systemd-boot.enable = true;
+    kernelPackages = pkgs.linuxPackages_latest;
-  boot.loader.efi.canTouchEfiVariables = true;
+    loader = {
-  time.timeZone = "Europe/London";
+      systemd-boot.enable = true;
-
+      efi.canTouchEfiVariables = true;
    };
    time.timeZone = "Europe/London";
  };
  services.thermald.enable = true;
  home-manager.users.cyryl = {...}: {
    imports = [../../home-manager/programs/kitty.nix];
--- a/nixos/common-hardware.nix
+++ b/nixos/common-hardware.nix
@ -1,110 +1,113 @@
-{ config, pkgs, nixpkgs-nixos-unstable-and-unfree, lib, ... }: {
+{
-  boot.kernelModules = [ "fuse" ];
+  config,
-  services.smartd.enable = true;
+  pkgs,
  nixpkgs-nixos-unstable-and-unfree,
  lib,
  ...
 }: {
  boot.kernelModules = ["fuse"];
  sound.enable = true;
  networking.networkmanager = {
    enable = true;
-    dispatcherScripts = [{
+    dispatcherScripts = [
-      source = pkgs.writeText "upHook" ''
+      {
-        enable_disable_wifi ()
+        source = pkgs.writeText "upHook" ''
-        {
+          enable_disable_wifi ()
-          result=$(nmcli dev | grep "ethernet" | grep -w "connected")
+          {
-          if [ -n "$result" ]; then
+            result=$(nmcli dev | grep "ethernet" | grep -w "connected")
-            nmcli radio wifi off
+            if [ -n "$result" ]; then
-          else
+              nmcli radio wifi off
-            nmcli radio wifi on
+            else
              nmcli radio wifi on
            fi
          }
          if [ "$2" = "up" ]; then
            enable_disable_wifi
          fi
        }
-        if [ "$2" = "up" ]; then
+          if [ "$2" = "down" ]; then
-          enable_disable_wifi
+            enable_disable_wifi
-        fi
+          fi
-
+        '';
-        if [ "$2" = "down" ]; then
+        type = "basic";
-          enable_disable_wifi
+      }
-        fi
+    ];
      '';
      type = "basic";
    }];
  };
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.intel.updateMicrocode = true;
  hardware.bluetooth = {
    enable = true;
    package = pkgs.bluez;
    settings = { General = { Enable = "Source,Sink,Media,Socket"; }; };
  };
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
-  services.pipewire = {
+
-    enable = true;
+  services = {
-    alsa.enable = true;
+    smartd.enable = true;
-    alsa.support32Bit = true;
+    pipewire = {
-    pulse.enable = true;
+      enable = true;
-    extraConfig.pipewire."92-low-latency" = {
+      alsa.enable = true;
-      context.properties = {
+      alsa.support32Bit = true;
-        default.clock.rate = 48000;
+      pulse.enable = true;
-        default.clock.quantum = 32;
+    };
-        default.clock.min-quantum = 32;
+    printing = {
-        default.clock.max-quantum = 32;
+      enable = true;
-      };
+      drivers = with pkgs; [
        epson-escpr
        nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
        gutenprint
      ];
      extraConf = ''
        Option pdftops-renderer hybrid
      '';
    };
    udev.packages = [];
  };
  environment.systemPackages = with pkgs; [ghostscript poppler];
  hardware = {
    enableRedistributableFirmware = true;
    cpu.intel.updateMicrocode = true;
    bluetooth = {
      enable = true;
      package = pkgs.bluez;
      settings = {General = {Enable = "Source,Sink,Media,Socket";};};
    };
    pulseaudio.enable = false;
    printers.ensurePrinters = [
      {
        description = "Epson XP-540 via bolty";
        name = "epson_xp540_via_bolty";
        deviceUri = "ipp://bolty:631/printers/epson_xp540";
        model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
        ppdOptions = {
          PageSize = "A4";
          Duplex = "DuplexNoTumble";
        };
      }
      {
        description = "Samsung SCX-4623 Series";
        name = "samsung-SCX-4623";
        deviceUri = "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
        model = "samsung/SCX-4623FW.ppd";
        ppdOptions = {
          PageSize = "A4";
          Duplex = "DuplexNoTumble";
        };
      }
    ];
    sane = {
      enable = true;
      snapshot = true;
      extraBackends = with pkgs; [
        nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
        sane-airscan
        gawk
      ];
    };
  };
  environment.systemPackages = with pkgs; [ ghostscript poppler ];
  services.printing = {
    enable = true;
    drivers = with pkgs; [
      epson-escpr
      nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
      gutenprint
    ];
    extraConf = ''
      Option pdftops-renderer hybrid
    '';
  };
  hardware.printers.ensurePrinters = [
    {
      description = "Epson XP-540 via bolty";
      name = "epson_xp540_via_bolty";
      deviceUri = "ipp://bolty:631/printers/epson_xp540";
      model =
        "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
      ppdOptions = {
        PageSize = "A4";
        Duplex = "DuplexNoTumble";
      };
    }
    {
      description = "Samsung SCX-4623 Series";
      name = "samsung-SCX-4623";
      deviceUri =
        "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
      model = "samsung/SCX-4623FW.ppd";
      ppdOptions = {
        PageSize = "A4";
        Duplex = "DuplexNoTumble";
      };
    }
  ];
  services.udev.packages = [ ];
  hardware.sane = {
    enable = true;
    snapshot = true;
    extraBackends = with pkgs; [
      nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
      sane-airscan
      gawk
    ];
  };
  powerManagement = {
    enable = lib.mkForce true;
    resumeCommands = ''
--- a/nixos/common.nix
+++ b/nixos/common.nix
@ -20,6 +20,7 @@ in {
  boot.supportedFilesystems = ["ntfs"];
  environment.enableDebugInfo = true;
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    ccache
    curl
--- a/nixos/distributed-builds.nix
+++ b/nixos/distributed-builds.nix
@ -3,23 +3,25 @@
  pkgs,
  ...
 }: {
-  nix.buildMachines = [
+  nix = {
-    {
+    buildMachines = [
-      hostName = "bolty";
+      {
-      sshUser = "nix-builder";
+        hostName = "bolty";
-      sshKey = "/home/cyryl/.ssh/id_ed25519";
+        sshUser = "nix-builder";
-      systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
+        sshKey = "/home/cyryl/.ssh/id_ed25519";
-      maxJobs = 2;
+        systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
-      speedFactor = 1;
+        maxJobs = 2;
-      supportedFeatures = ["kvm" "big-parallel"];
+        speedFactor = 1;
-      mandatoryFeatures = [];
+        supportedFeatures = ["kvm" "big-parallel"];
-    }
+        mandatoryFeatures = [];
-  ];
+      }
    ];
-  nix.extraOptions = ''
+    extraOptions = ''
-    builders-use-substitutes = true
+      builders-use-substitutes = true
-  '';
+    '';
-  nix.distributedBuilds = true;
+    distributedBuilds = true;
-  nix.settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
+    settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
-  nix.settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
+    settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
  };
 }
--- a/nixos/git/home.nix
+++ b/nixos/git/home.nix
@ -20,9 +20,11 @@
      colour.ui = true;
      core.fsmonitor = true;
      credential = {helper = "cache";};
-      diff.algorithm = "histogram";
+      diff = {
-      diff.renameLimit = 2048;
+        algorithm = "histogram";
-      diff.renames = "copy";
+        renameLimit = 2048;
        renames = "copy";
      };
      help.autocorrect = 1;
      init.defaultBranch = "main";
      merge.renamelimit = 8192;
--- a/nixos/gui/default.nix
+++ b/nixos/gui/default.nix
@ -22,9 +22,11 @@
    imports = [];
-    programs.chromium.enable = true;
+    programs = {
-    programs.firefox.enable = true;
+      chromium.enable = true;
-    programs.sioyek.enable = true;
+      firefox.enable = true;
      sioyek.enable = true;
    };
    home.packages =
      (with pkgs;
        with pkgs.gnome3;
--- a/nixos/gui/vscode/home.nix
+++ b/nixos/gui/vscode/home.nix
@ -7,9 +7,11 @@
  programs.vscode = {
    enable = true;
    userSettings = {
-      editor.fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
+      editr = {
-      editor.formatOnType = true;
+        fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
-      editor.fontSize = 16;
+        formatOnType = true;
        fontSize = 16;
      };
      files.autoSave = "onFocusChange";
      rust-analyzer.checkOnSave.command = "clippy";
      platformio-ide = {
--- a/nixos/home-manager/default.nix
+++ b/nixos/home-manager/default.nix
@ -7,19 +7,20 @@
 }: let
  username = "cyryl";
 in {
-  home.sessionVariables = {
+  home = {
-    LC_ALL = "en_GB.UTF-8";
+    inherit username;
-    LANG = "en_GB.UTF-8";
+    sessionVariables = {
-    PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
+      LC_ALL = "en_GB.UTF-8";
      LANG = "en_GB.UTF-8";
      PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
    };
    packages = with pkgs; [];
    homeDirectory = lib.mkDefault "/home/${username}";
    stateVersion = "23.11";
  };
  news.display = "show";
  home.packages = with pkgs; [];
  home.username = username;
  home.homeDirectory = lib.mkDefault "/home/${username}";
  home.stateVersion = "23.11";
  programs.home-manager.enable = true;
  imports = [
--- a/nixos/home-manager/links.nix
+++ b/nixos/home-manager/links.nix
@ -3,18 +3,20 @@
  pkgs,
  ...
 }: {
-  home.file.".config/nixpkgs/config.nix".source = ../shell-config.nix;
+  home.file = {
-  home.file.".gdbinit".text = ''
+    ".config/nixpkgs/config.nix".source = ../shell-config.nix;
-    set auto-load python-scripts on
+    ".gdbinit".text = ''
-    add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
+      set auto-load python-scripts on
-    set auto-load safe-path /
+      add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
-    source /home/cyryl/dev/dotfiles/.gdbinit
+      set auto-load safe-path /
-  '';
+      source /home/cyryl/dev/dotfiles/.gdbinit
-  home.file.".gdbinit.d/dashboard".text = ''
+    '';
-    dashboard -layout breakpoints source expressions stack threads variables
+    ".gdbinit.d/dashboard".text = ''
-    dashboard variables -style compact 0
+      dashboard -layout breakpoints source expressions stack threads variables
-    dashboard source -style height 24
+      dashboard variables -style compact 0
-    dashboard stack -style compact 1
+      dashboard source -style height 24
-    dashboard stack -style limit 3
+      dashboard stack -style compact 1
-  '';
+      dashboard stack -style limit 3
    '';
  };
 }
--- a/nixos/i3/default.nix
+++ b/nixos/i3/default.nix
@ -44,10 +44,13 @@
    fractalart.enable = true;
    colord.enable = true;
-    xserver.windowManager.i3.enable = true;
+    xserver = {
    xserver.displayManager.sddm = {
      enable = true;
-      enableHidpi = true;
+      windowManager.i3.enable = true;
      displayManager.sddm = {
        enable = true;
        enableHidpi = true;
      };
    };
  };
  home-manager.users.cyryl = {...}: {
--- a/nixos/security.nix
+++ b/nixos/security.nix
@ -9,83 +9,89 @@
  nix.settings.allowed-users = ["@users"];
-  security.apparmor.enable = true;
+  security = {
-  security.apparmor.killUnconfinedConfinables = true;
+    apparmor.enable = true;
-  security.forcePageTableIsolation = true;
+    apparmor.killUnconfinedConfinables = true;
-  security.lockKernelModules = false;
+    forcePageTableIsolation = true;
-  security.protectKernelImage = true;
+    lockKernelModules = false;
-  security.virtualisation.flushL1DataCache = "always";
+    protectKernelImage = true;
    virtualisation.flushL1DataCache = "always";
  };
  sops.age = {
    keyFile = "/var/lib/sops-nix/key.txt";
    generateKey = true;
  };
-  boot.kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
+  boot = {
    kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
-  boot.blacklistedKernelModules = [
+    blacklistedKernelModules = [
-    # Obscure network protocols
+      # Obscure network protocols
-    "ax25"
+      "ax25"
-    "netrom"
+      "netrom"
-    "rose"
+      "rose"
-    # Old or rare or insufficiently audited filesystems
+      # Old or rare or insufficiently audited filesystems
-    "adfs"
+      "adfs"
-    "affs"
+      "affs"
-    "bfs"
+      "bfs"
-    "befs"
+      "befs"
-    "cramfs"
+      "cramfs"
-    "efs"
+      "efs"
-    "erofs"
+      "erofs"
-    "exofs"
+      "exofs"
-    "freevxfs"
+      "freevxfs"
-    "f2fs"
+      "f2fs"
-    "hfs"
+      "hfs"
-    "hpfs"
+      "hpfs"
-    "jfs"
+      "jfs"
-    "minix"
+      "minix"
-    "nilfs2"
+      "nilfs2"
-    "omfs"
+      "omfs"
-    "qnx4"
+      "qnx4"
-    "qnx6"
+      "qnx6"
-    "sysv"
+      "sysv"
-    "ufs"
+      "ufs"
-  ];
+    ];
-  # Restrict ptrace() usage to processes with a pre-defined relationship
+    kernel.sysctl = {
-  # (e.g., parent/child)
+      # Restrict ptrace() usage to processes with a pre-defined relationship
-  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+      # (e.g., parent/child)
      "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-  # Hide kptrs even for processes with CAP_SYSLOG
+      # Hide kptrs even for processes with CAP_SYSLOG
-  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+      "kernel.kptr_restrict" = lib.mkOverride 500 2;
-  # Disable bpf() JIT (to eliminate spray attacks)
+      # Disable bpf() JIT (to eliminate spray attacks)
-  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+      "net.core.bpf_jit_enable" = false;
-  # Disable ftrace debugging
+      # Disable ftrace debugging
-  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+      "kernel.ftrace_enabled" = false;
-  # Enable strict reverse path filtering (that is, do not attempt to route
+      # Enable strict reverse path filtering (that is, do not attempt to route
-  # packets that "obviously" do not belong to the iface's network; dropped
+      # packets that "obviously" do not belong to the iface's network; dropped
-  # packets are logged as martians).
+      # packets are logged as martians).
-  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+      "net.ipv4.conf.all.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+      "net.ipv4.conf.all.rp_filter" = "1";
-  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+      "net.ipv4.conf.default.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+      "net.ipv4.conf.default.rp_filter" = "1";
-  # Ignore broadcast ICMP (mitigate SMURF)
+      # Ignore broadcast ICMP (mitigate SMURF)
-  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+      "net.ipv4.icmp_echo_ignore_broadcasts" = true;
-  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-  # setting is applied to interfaces added after the sysctls are set)
+      # setting is applied to interfaces added after the sysctls are set)
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+      "net.ipv4.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+      "net.ipv4.conf.all.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+      "net.ipv4.conf.default.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+      "net.ipv4.conf.default.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+      "net.ipv6.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+      "net.ipv6.conf.default.accept_redirects" = false;
-  # Ignore outgoing ICMP redirects (this is ipv4 only)
+      # Ignore outgoing ICMP redirects (this is ipv4 only)
-  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+      "net.ipv4.conf.all.send_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+      "net.ipv4.conf.default.send_redirects" = false;
    };
  };
 }
--- a/nixos/server-security.nix
+++ b/nixos/server-security.nix
@ -30,7 +30,9 @@ in {
    openssh.authorizedKeys.keys = authorizedKeys;
  };
-  nix.settings.trusted-users = ["root" "nix-builder"];
+  nix = {
-  nix.sshServe.enable = true;
+    settings.trusted-users = ["root" "nix-builder"];
-  nix.sshServe.keys = authorizedKeys;
+    sshServe.enable = true;
    sshServe.keys = authorizedKeys;
  };
 }
--- a/nixos/sway/default.nix
+++ b/nixos/sway/default.nix
@ -52,10 +52,12 @@ in {
        gsettings-desktop-schemas
        lxappearance
      ];
-      file.".config/wofi/style.css".source = ../../.config/wofi/style.css;
+      file = {
-      file.".config/waybar/config".source = ../../.config/waybar/config;
+        ".config/wofi/style.css".source = ../../.config/wofi/style.css;
-      file.".config/waybar/style.css".source =
+        ".config/waybar/config".source = ../../.config/waybar/config;
-        ../../.config/waybar/style.css;
+        ".config/waybar/style.css".source =
          ../../.config/waybar/style.css;
      };
    };
    services.udiskie.enable = true;
    xsession.preferStatusNotifierItems = true;
--- a/nixos/vim/home.nix
+++ b/nixos/vim/home.nix
@ -11,12 +11,15 @@
  cocPackage = unstablePackages.vimPlugins.coc-nvim;
  nvimPackage = unstablePackages.neovim-unwrapped;
 in {
-  home.file.".vimrc".source = ../../.vimrc;
+  home = {
-  home.packages = with pkgs; [ripgrep];
+    file.".vimrc".source = ../../.vimrc;
-  home.sessionVariables = {
+    packages = with pkgs; [ripgrep];
-    EDITOR = "vim";
+    sessionVariables = {
-    VISUAL = "vim";
+      EDITOR = "vim";
      VISUAL = "vim";
    };
  };
  programs.zsh.sessionVariables = {
    EDITOR = "vim";
    VISUAL = "vim";