initial commit

2025-05-24 09:54:40 +02:00 · 2020-11-16 21:14:46 +01:00 · 2020-11-16 21:14:46 +01:00 · 7517f318dc
commit 7517f318dc
55 changed files with 1401 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+configuration.nix
+vars-uuids.nix
+vars-backup.nix
--- a/README.md
+++ b/README.md
@ -0,0 +1,27 @@
+# My personal NixOS-configuration
+work in progress...
+
+get internet
+`wpa_passphrase "<SSID>" > /etc/wpa_supplicant.conf`
+`systemctl restart wpa_supplicant`
+
+install git
+`nix-env -iA nixos.git`
+
+get this repo
+`git clone https://github.com/Stunkymonkey/nixos.git`
+`cd nixos`
+
+link to correct host
+`ln -s <host>.nix configuration.nix`
+
+set password for luks
+`vim /tmp/password`
+enter password
+`head -c <#char> /tmp/password > /tmp/passwd`
+
+install
+`bash install-<hostname>.sh`
+
+wait + enter password
+`reboot`
--- a/backup.nix
+++ b/backup.nix
@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = import ./vars-backup.nix;
+  borgbackupMonitor = { config, pkgs, lib, ... }: with lib; {
+    key = "borgbackupMonitor";
+    _file = "borgbackupMonitor";
+    config.systemd.services = {
+      "notify-problems@" = {
+        enable = true;
+        serviceConfig.User = "felix";
+        environment.SERVICE = "%i";
+        script = ''
+          export $(cat /proc/$(${pkgs.procps}/bin/pgrep -x "sway" -u "$USER")/environ |grep -z '^DBUS_SESSION_BUS_ADDRESS=')
+          ${pkgs.libnotify}/bin/notify-send -u critical "$SERVICE FAILED!" "Run journalctl -u $SERVICE for details"
+        '';
+      };
+    } // flip mapAttrs' config.services.borgbackup.jobs (name: value:
+      nameValuePair "borgbackup-job-${name}" {
+        unitConfig.OnFailure = "notify-problems@%i.service";
+        preStart = lib.mkBefore ''
+          # waiting for internet after resume-from-suspend
+          until /run/wrappers/bin/ping google.com -c1 -q >/dev/null; do :; done
+        '';
+      }
+    );
+
+    # forces backup after boot in case server was powered off during scheduled event
+    config.systemd.timers = flip mapAttrs' config.services.borgbackup.jobs (name: value:
+      nameValuePair "borgbackup-job-${name}" {
+        timerConfig.Persistent = true;
+      }
+    );
+  };
+
+in
+{
+  # notification
+  imports = [
+    borgbackupMonitor
+  ];
+
+  services.borgbackup.jobs.thinkman = {
+    paths = [
+      "/"
+      "/etc/nixos/"
+      "/home/"
+    ];
+    exclude = [
+      "/nix"
+      "/root/.cache/"
+      "**/.Trash"
+      "/tmp/*"
+      "/var/lock/*"
+      "/var/run/*"
+      "/var/tmp/*"
+      "/home/*/tmp"
+      "/home/*/todo"
+      "/home/*/.cache"
+      "/home/*/.gvfs"
+      "/home/*/.thumbnails"
+      "/home/*/.local/share/Trash"
+    ];
+    extraCreateArgs = "--one-file-system --exclude-caches --keep-exclude-tags --stats";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat /root/.borg_password";
+    };
+    environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23";
+    repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}";
+    compression = "auto,zstd";
+    doInit = false;
+    startAt = "daily";
+    prune.keep = {
+      last = 1;
+      within = "3d";
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+      yearly = 2;
+    };
+  };
+}
--- a/core.nix
+++ b/core.nix
@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+{
+  # Packages
+  environment.systemPackages = with pkgs; [
+    bandwhich
+    bind # dig
+    borgbackup
+    cryptsetup
+    docker-compose
+    file
+    fzf
+    gettext
+    git
+    gitAndTools.delta
+    gnufdisk
+    gptfdisk
+    htop
+    inetutils
+    jq
+    killall
+    lsof
+    mosh
+    multipath-tools #-> kpartx
+    mtr
+    nix-index
+    nmap
+    nmon
+    pciutils
+    pv
+    reptyr
+    rsync
+    screen
+    stress-ng
+    usbutils
+    tmux
+    vim
+    wget
+    whois
+    zip
+    unzip
+  ];
+
+  time.timeZone = "Europe/Berlin";
+  services.timesyncd.enable = true;
+}
--- a/default.nix
+++ b/default.nix
@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./modules.nix
+    ./network.nix
+    ./users.nix
+  ];
+}
--- a/disks-home.nix
+++ b/disks-home.nix
@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+#FIXME: komplett anpassen
+let
+  uuids = import ./vars-uuids.nix;
+in
+{
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/${uuids.fs.home}";
+    fsType = "ext4";
+  };
+}
--- a/disks-srv.nix
+++ b/disks-srv.nix
@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+let
+  uuids = import ./vars-uuids.nix;
+in
+{
+  # FS
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-uuid/${uuids.fs.srv}";
+    fsType = "ext4";
+  };
+}
--- a/disks.nix
+++ b/disks.nix
@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+#FIXME: komplett anpassen
+let
+  uuids = import ./vars-uuids.nix;
+in
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/disk/by-partuuid/${uuids.luks.root}";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  # FS
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/${uuids.fs.root}";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/${uuids.fs.boot}";
+    fsType = "vfat";
+  };
+
+  # Swap
+  swapDevices = [
+    {
+      device = "/dev/disk/by-uuid/${uuids.fs.swap}";
+    }
+  ];
+}
--- a/extra/3d-printing.nix
+++ b/extra/3d-printing.nix
@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    meshlab
+    cura
+    openscad
+  ];
+}
--- a/extra/android.nix
+++ b/extra/android.nix
@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+  programs.adb.enable = true;
+  environment.systemPackages = with pkgs; [
+    scrcpy
+  ];
+}
--- a/extra/arch-linux.nix
+++ b/extra/arch-linux.nix
@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    pacman
+  ];
+  environment.etc."makepkg.conf".source = "${pkgs.pacman}/etc/makepkg.conf";
+}
--- a/extra/avahi.nix
+++ b/extra/avahi.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+{
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+      userServices = true;
+    };
+  };
+}
--- a/extra/bluetooth-audio.nix
+++ b/extra/bluetooth-audio.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluezFull;
+    config = {
+      General = {
+        Enable = "Source,Sink,Media,Socket";
+      };
+    };
+  };
+  hardware.pulseaudio = {
+    enable = true;
+    extraModules = [ pkgs.pulseaudio-modules-bt ];
+    package = pkgs.pulseaudioFull;
+  };
+  services.blueman.enable = true;
+}
--- a/extra/clean.nix
+++ b/extra/clean.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    baobab
+    #dupeguru
+    jdupes
+    kondo
+  ];
+}
--- a/extra/default.nix
+++ b/extra/default.nix
@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+
+  imports = [
+    ./fonts.nix
+  ];
+
+  programs.gnome-disks.enable = true;
+  services.udisks2.enable = true;
+
+  # test if working
+  #xdg.mime.enable = true;
+
+  # make gnome settings persistent
+  
+  programs.dconf.enable = true;
+
+  # gnome services
+  services.dbus.packages = [ pkgs.gnome3.dconf ];
+  services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
+  services.gnome3.gnome-keyring.enable = true;
+  services.gnome3.glib-networking.enable = true;
+  # enable trash & network-mount in nautilus
+  services.gvfs.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    #mime-types
+    xdg_utils
+    adwaita-qt
+    arc-icon-theme
+    arc-kde-theme
+    arc-theme
+    evince
+    firefox-wayland
+    #geary
+    ghostwriter
+    (gimp-with-plugins.override { plugins = with gimpPlugins; [ resynthesizer ]; })
+    glib
+    gnome3.adwaita-icon-theme
+    gnome3.eog
+    gnome3.file-roller
+    gnome3.gnome-calendar
+    gnome3.gnome-system-monitor
+    gnome3.nautilus
+    gnome3.nautilus-python
+    gnome3.simple-scan
+    keepassxc
+    keychain
+    konsole
+    libnotify
+    libreoffice
+    lollypop
+    unstable.newsflash
+    numix-cursor-theme
+    numix-icon-theme
+    numix-icon-theme-circle
+    polkit_gnome
+    qgnomeplatform
+    rhythmbox
+    simple-scan
+    #spotify
+    socat
+    tdesktop
+    thunderbird
+    typora
+    virtmanager
+    vlc
+    mpv-with-scripts
+    wayvnc
+    zathura
+    zeal
+
+    # TODO sort them in different files
+    pdfgrep
+    physlock
+    #symlinks
+  ];
+
+  # Enable firmware update daemon
+  services.fwupd.enable = true;
+
+  programs.wireshark.enable = true;
+  programs.wireshark.package = pkgs.wireshark;
+
+  services.accounts-daemon.enable = true;
+
+  environment.interactiveShellInit = ''
+    if test `tty` = /dev/tty1; then
+      exec sway
+    fi
+  '';
+
+#  services.xserver = {
+#    enable = true;
+#    layout = "us";
+#    xkbOptions = "eurosign:e";
+#    libinput.enable = true;
+#    libinput.naturalScrolling = true;
+#
+#    startDbusSession = true;
+#    updateDbusEnvironment = true;
+#
+#    desktopManager = {
+#      xterm.enable = false;
+#      gnome3.enable = false;
+#    };
+#
+#    displayManager = {
+#      sessionData.sessionNames = [ "sway" "none+i3" ];
+#      defaultSession = "sway";
+#      gdm.enable = true;
+#      gdm.wayland = true;
+#      lightdm.enable = false;
+#    };
+#  };
+}
--- a/extra/desktop-development.nix
+++ b/extra/desktop-development.nix
@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    arduino
+    bless # hex editor
+    chromium
+    dbeaver
+    filezilla
+    fritzing
+    insomnia
+    #jetbrains.idea-community
+    sublime3
+  ];
+}
--- a/extra/development.nix
+++ b/extra/development.nix
@ -0,0 +1,52 @@
+{ config, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    # rust
+    unstable.cargo
+    unstable.clippy # lint
+    cargo-flamegraph
+    cargo-outdated
+    # general
+    clang
+    cmake
+    cvs
+    dfeet
+    direnv
+    entr
+    git
+    gnumake
+    go
+    hugo
+    meson
+    ninja
+    patchelf
+    pkg-config
+    (python3.withPackages (ps: with ps; [
+      nltk # language-toolkit
+      tqdm # progressbar in pandas
+      jupyter # notebooks
+      Keras # machine learning
+      tensorflow-build_2 # machine learning
+      transformers # machine learning
+      numpy
+      pandas
+      matplotlib
+      scipy
+      scikitlearn
+      pillow
+    ]))
+    ripgrep
+    rustfmt
+    unstable.rustc
+    shellcheck
+    sloccount
+    topgrade
+    valgrind
+    vimPlugins.YouCompleteMe
+    ycmd
+    woeusb
+  ];
+}
--- a/extra/docker.nix
+++ b/extra/docker.nix
@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+  environment.systemPackages = with pkgs; [
+    docker_compose
+  ];
+}
--- a/extra/filesystem.nix
+++ b/extra/filesystem.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    davfs2
+    fuse3
+    hfsprogs
+    mtpfs
+    nfs-utils
+    ntfs3g
+    sshfs
+  ];
+}
--- a/extra/fonts.nix
+++ b/extra/fonts.nix
@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+  fonts = {
+    fontconfig.defaultFonts = {
+      monospace = [ "Ubuntu Mono" ];
+      sansSerif = [ "Ubuntu" ];
+      serif = [ "DejaVu Serif" ];
+    };
+
+    fonts = with pkgs; [
+      cantarell-fonts # gnome default
+      dina-font
+      fira
+      fira-mono
+      fira-code
+      fira-code-symbols
+      font-awesome
+      liberation_ttf
+      #mplus-outline-fonts
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-emoji
+      proggyfonts
+      ubuntu_font_family
+      joypixels
+      #unifont # unicode
+    ];
+  };
+}
--- a/extra/gaming.nix
+++ b/extra/gaming.nix
@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    blobby
+    discord
+    minecraft
+    minetest
+    openttd
+    superTuxKart
+    steam
+    SDL
+    SDL2
+    wine
+    winetricks
+  ];
+
+  programs.steam.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+  hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
+  hardware.pulseaudio.support32Bit = true;
+}
--- a/extra/hardware-base.nix
+++ b/extra/hardware-base.nix
@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.smartd.enable = true;
+  environment.systemPackages = with pkgs; [
+    dmidecode
+    f3
+    hdparm
+    lm_sensors
+    pciutils
+    smartmontools
+    testdisk
+  ];
+}
--- a/extra/intel-video.nix
+++ b/extra/intel-video.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # LIBVA_DRIVER_NAME=iHD
+      vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+      vaapiVdpau
+      libvdpau-va-gl
+    ];
+  };
+}
--- a/extra/intel.nix
+++ b/extra/intel.nix
@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/extra/kvm.nix
+++ b/extra/kvm.nix
@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.kernelModules = [
+    "kvm-amd"
+    "kvm-intel"
+  ];
+  virtualisation.libvirtd.enable = true;
+}
--- a/extra/location.nix
+++ b/extra/location.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+  location.provider = "geoclue2";
+
+  services.geoclue2.enable = true;
+  services.geoclue2.enableDemoAgent = true;
+  services.geoclue2.appConfig."gammastep" = {
+    desktopID = "gammastep";
+    isAllowed = true;
+    isSystem = false;
+    # Empty list allows all users
+    users = [ ];
+  };
+
+  services.geoclue2.appConfig."gammastep-indicator" = {
+    desktopID = "gammastep-indicator";
+    isAllowed = true;
+    isSystem = false;
+    # Empty list allows all users
+    users = [ ];
+  };
+
+}
--- a/extra/media.nix
+++ b/extra/media.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    audacity
+    chromaprint # music-brainz fingerprint
+    ffmpeg
+    gallery-dl
+    graphviz
+    handbrake
+    imagemagick
+    image_optim
+    inkscape
+    unstable.puddletag # audio tagging
+    mp3val
+    #mediaelch
+    unstable.mediaelch
+    picard
+    projectm
+    shotwell
+    soundkonverter
+    youtube-dl
+  ];
+}
--- a/extra/meeting.nix
+++ b/extra/meeting.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    element-desktop
+    mumble
+    unstable.nheko
+    pidgin
+    skypeforlinux
+    signal-desktop
+    teamspeak_client
+  ];
+}
--- a/extra/networkdecrypt.nix
+++ b/extra/networkdecrypt.nix
@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  boot.initrd.network = {
+    enable = true;
+
+    ssh = {
+      enable = true;
+      port = 2222;
+      hostKeys = [
+        /etc/secrets/initrd/ssh_host_ed25519_key
+      ];
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman"
+      ];
+    };
+
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+}
--- a/extra/nix.nix
+++ b/extra/nix.nix
@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    nixpkgs-fmt
+    nix-prefetch-git
+  ];
+}
--- a/extra/power.nix
+++ b/extra/power.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    config.boot.kernelPackages.cpupower
+    pkgs.powertop
+    pkgs.s-tui
+  ];
+
+  powerManagement = {
+    cpuFreqGovernor = lib.mkDefault "powersave";
+    powertop.enable = true;
+  };
+
+  services = {
+    thermald.enable = true;
+    upower.enable = true;
+  };
+}
--- a/extra/presentation.nix
+++ b/extra/presentation.nix
@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    pdfpc
+  ];
+}
--- a/extra/printer.nix
+++ b/extra/printer.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.printing.enable = true;
+  services.printing.drivers = with pkgs; [
+    gutenprint
+    hplip
+  ];
+  programs.system-config-printer.enable = true;
+}
--- a/extra/screen-sharing.nix
+++ b/extra/screen-sharing.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    remmina
+    teamviewer
+  ];  
+
+  services.pipewire.enable = true;
+
+  xdg.portal = {
+    enable = true;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk
+      xdg-desktop-portal-wlr
+    ];
+    gtkUsePortal = true;
+  };
+
+  # for firefox
+  environment.sessionVariables = {
+    MOZ_ENABLE_WAYLAND = "1";
+    XDG_CURRENT_DESKTOP = "sway";
+    XDG_SESSION_TYPE = "wayland";
+  };
+}
--- a/extra/security.nix
+++ b/extra/security.nix
@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    aircrack-ng
+    lynis
+  ];
+}
--- a/extra/sound.nix
+++ b/extra/sound.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  environment.systemPackages = with pkgs; [
+    noisetorch
+    pavucontrol
+    playerctl
+  ];
+}
--- a/extra/ssh.nix
+++ b/extra/ssh.nix
@ -0,0 +1,9 @@
+{ config, ... }:
+{
+  services.openssh.enable = true;
+
+  # WARNING: if you remove this, then you need to assign a password to your user, otherwise
+  # `sudo` won't work. You can do that either by using `passwd` after the first rebuild or
+  # by setting an hashed password in the `users.users.felix` block as `initialHashedPassword`.
+  security.sudo.wheelNeedsPassword = false;
+}
--- a/extra/sync.nix
+++ b/extra/sync.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    nextcloud-client
+    unstable.syncthing
+    magic-wormhole
+    vdirsyncer
+  ];
+}
--- a/extra/systemd-user.nix
+++ b/extra/systemd-user.nix
@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  systemd.user.extraConfig = ''
+    DefaultEnvironment="PATH=/run/current-system/sw/bin"
+  '';
+}
--- a/extra/systemduefi.nix
+++ b/extra/systemduefi.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    loader = {
+      timeout = 1;
+      systemd-boot = {
+        enable = true;
+        configurationLimit = 10;
+        consoleMode = "keep";
+        editor = true;
+      };
+    };
+  };
+}
--- a/extra/tex.nix
+++ b/extra/tex.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    unstable.jabref
+    biber
+    texlive.combined.scheme-full
+    texstudio
+  ];
+}
--- a/extra/theme.nix
+++ b/extra/theme.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    gtk-engine-murrine
+    gtk_engines
+    gsettings-desktop-schemas
+    lxappearance
+  ];
+  programs.qt5ct.enable = true;
+}
--- a/extra/thunderbolt.nix
+++ b/extra/thunderbolt.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  environment.systemPackages = with pkgs; [
+    thunderbolt
+  ];
+  services.hardware.bolt.enable = true;
+}
--- a/extra/webcam.nix
+++ b/extra/webcam.nix
@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    fswebcam
+    gnome3.cheese
+  ];
+}
--- a/hardware/raspberrypi4.nix
+++ b/hardware/raspberrypi4.nix
@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot
+  boot.loader.grub.enable = false;
+  boot.loader.raspberryPi.enable = true;
+  boot.loader.raspberryPi.version = 4;
+  boot.loader.raspberryPi.firmwareConfig = "
+    # Disable the ACT LED.
+    dtparam=act_led_trigger=none
+    dtparam=act_led_activelow=off
+    # Disable the PWR LED.
+    dtparam=pwr_led_trigger=none
+    dtparam=pwr_led_activelow=off
+    
+    # Disable SD-Card pools
+    dtparam=sd_pool_once=on";
+
+  # Kernel configuration
+  boot.kernelPackages = pkgs.linuxPackages_rpi4;
+  boot.kernelParams = [ "cma=64M" "console=tty0" ];
+
+  # Enable additional firmware (such as Wi-Fi drivers).
+  hardware.enableRedistributableFirmware = true;
+
+  #swapDevices = [{ device = "/swapfile"; size = 1024; }];
+}
--- a/hardware/t14.nix
+++ b/hardware/t14.nix
@ -0,0 +1,20 @@
+{ config, lib, ... }:
+{
+  boot = {
+    # acpi_call makes tlp work for newer thinkpads
+    kernelModules = [ "acpi_call" ];
+    extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
+
+    # Force use of the thinkpad_acpi driver for backlight control.
+    # This allows the backlight save/load systemd service to work.
+    kernelParams = [ "acpi_backlight=native" ];
+
+    # video driver
+    initrd.kernelModules = [ "i915" ];
+  };
+
+  services.fstrim.enable = lib.mkDefault true;
+
+  # Special power management settings for ThinkPads
+  services.tlp.enable = true;
+}
--- a/helpers.sh
+++ b/helpers.sh
@ -0,0 +1,136 @@
+#!/bin/sh
+
+ask_if_sure(){
+	while true; do
+		read -p "reinstall & ERASE ALL DATA? [y/n] " yn
+		case $yn in
+			[Yy]* ) break;;
+			[Nn]* ) exit 1;;
+			* ) echo "Please answer yes or no.";;
+		esac
+	done
+}
+
+blk_wait(){
+	local dev="${1?}"
+
+	while ! [ -b "${dev}" ]; do
+		sleep 0.1
+	done
+}
+
+blk_info_partuuid(){
+	local dev="${1?}"
+
+	printf '/dev/disk/by-partuuid/%s' "$(blkid -o value -s PARTUUID "${dev}")"
+}
+
+blk_info_uuid(){
+	local dev="${1?}"
+
+	printf '/dev/disk/by-uuid/%s' "$(blkid -o value -s UUID "${dev}")"
+}
+
+# Write into /tmp/password your password (without a trailing newline!)
+# So you won't get asked for a password during installation
+#
+# If you want to get asked for every password, just remove this function
+cryptsetup(){
+	command cryptsetup $* --key-file /tmp/passwd -q
+}
+
+install_os(){
+	local folder="${1?}"
+	nixos-install --cores 0 --max-jobs auto --root "${folder}"
+}
+
+luks_close(){
+	local drive="${1?}"
+
+	if cryptsetup status "${drive}" &>/dev/null; then
+		cryptsetup close "${drive}"
+	fi
+}
+
+lvm_remove_lv(){
+	local lv="${1?}"
+
+	if lvs "${lv}"; then
+		lvremove -f "${lv}"
+	fi
+}
+
+lvm_remove_vg(){
+	local vg="${1?}"
+
+	if vgs "${vg}"; then
+		vgremove "${vg}"
+	fi
+}
+
+lvm_remove_pv(){
+	local pv="${1?}"
+
+	if pvs "${pv}"; then
+		pvremove "${pv}"
+	fi
+}
+
+macro_replace(){
+	local macro="${1?}"
+	local value="${2?}"
+	local file="${3?}"
+
+	sed -i "s%${macro}%${value}%g" "${file}"
+}
+
+mp_mount(){
+	local src="${1?}"
+	local dst="${2?}"
+	local fstype="${3:-}"
+
+	mkdir -p "${CHROOT_BASE?}${dst}"
+	mount ${fstype:+-t} ${fstype:+"${fstype}"} "${src}" "${CHROOT_BASE?}${dst}"
+}
+
+mp_umount(){
+	local mountpoint="${1?}"
+
+	if mountpoint "${CHROOT_BASE}${mountpoint}" &>/dev/null; then
+		umount -R "${CHROOT_BASE}${mountpoint}"
+	fi
+
+	if [ -d "${CHROOT_BASE}${mountpoint}" ]; then
+		rmdir "${CHROOT_BASE}${mountpoint}"
+	fi
+	! [ -e "${CHROOT_BASE}${mountpoint}" ]
+}
+
+parttable_clear(){
+	local drive="${1?}"
+
+	while ! sgdisk -Z "${drive}" &>/dev/null; do
+		sleep 0.1
+	done
+}
+
+zero_blockdev(){
+	local dev="${1?}"
+
+	blkdiscard "${dev}"
+}
+
+zero_overwrite(){
+	local fsdev="${1?}"
+	local MBs="${2:-10}"
+
+	dd if=/dev/zero of="${fsdev}" bs=1M count="${MBs}" conv=sync
+}
+
+# Helper.sh
+zfs_pool_destroy(){
+	local pool="${1?}"
+	if zpool status "${pool}" &>/dev/null; then
+		zpool destroy "${pool}"
+	fi
+}
--- a/install-serverle.sh
+++ b/install-serverle.sh
@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+set -eux -o pipefail
+
+BASE="$(dirname "$(readlink -f "$0")")"
+. "${BASE}/helpers.sh"
+
+export HOST=serverle
+export DRIVE_ROOT=/dev/disk/by-id/usb-Seagate_Expansion_2HC015KJ-0\:0
+
+export NIXOS_FILES="${NIXOS_FILES:-$PWD}"
+export CHROOT_BASE="/mnt/newroot-${HOST}"
+
+export DRIVE_ROOT_LUKS=/dev/mapper/luks-root
+PARTSEP="-part"
+
+ask_if_sure
+
+mp_umount /
+
+################################################################################################
+echo "Starting Root SSD"
+
+lvm_remove_lv /dev/vg_root/lv_root
+lvm_remove_lv /dev/vg_root/lv_srv
+lvm_remove_vg vg_root
+lvm_remove_pv "${DRIVE_ROOT_LUKS}"
+
+luks_close "$(basename "${DRIVE_ROOT_LUKS}")"
+#zero_blockdev "${DRIVE_ROOT}" # trim support is not available on external drives
+
+parttable_clear "${DRIVE_ROOT}"
+
+# ROOT SSD SETUP
+sgdisk \
+	-o "${DRIVE_ROOT}" \
+	-n 1:2048:4095   -c 1:"BIOS Boot Partition"  -t 1:ef02 \
+	-n 2:4096:823295 -c 2:"EFI System Partition" -t 2:ef00 \
+	--largest-new=3  -c 3:"Crypt"                -t 3:8309 \
+	-p
+
+cryptsetup luksFormat "${DRIVE_ROOT}${PARTSEP}3"
+cryptsetup luksOpen --allow-discards "${DRIVE_ROOT}${PARTSEP}3" "$(basename "${DRIVE_ROOT_LUKS}")"
+
+pvcreate         "${DRIVE_ROOT_LUKS}"
+vgcreate vg_root "${DRIVE_ROOT_LUKS}"
+
+lvcreate -L 50GiB -n lv_root vg_root
+mkfs.ext4 -L "${HOST}-root" /dev/vg_root/lv_root
+
+lvcreate -L 250GiB -n lv_srv vg_root
+mkfs.ext4 -L "${HOST}-srv" /dev/vg_root/lv_srv
+
+lvcreate -L 4GiB -n lv_swap vg_root
+mkswap -L "${HOST}-swap" /dev/vg_root/lv_swap
+
+zero_overwrite "${DRIVE_ROOT}${PARTSEP}2"
+mkfs.vfat -n "${HOST}-boot" "${DRIVE_ROOT}${PARTSEP}2"
+
+mp_mount /dev/vg_root/lv_root /
+mp_mount /dev/vg_root/lv_srv /srv
+mp_mount "${DRIVE_ROOT}${PARTSEP}2" /boot
+
+mkdir -p /etc/secrets/initrd
+ssh-keygen -t ed25519 -N "" -f "/etc/secrets/initrd/ssh_host_ed25519_key"
+
+mkdir -p "${CHROOT_BASE}/etc/nixos/"
+rsync -avH "${NIXOS_FILES}/" "${CHROOT_BASE}/etc/nixos/"
+
+mkdir -p "${CHROOT_BASE}/etc/secrets/initrd"
+rsync -avH "/etc/secrets/" "${CHROOT_BASE}/etc/secrets/"
+
+cat >> "${CHROOT_BASE}/etc/nixos/vars-uuids.nix" <<END
+{
+	fs = {
+		root = "$(blkid -o value -s UUID "/dev/vg_root/lv_root")";
+		boot = "$(blkid -o value -s UUID "${DRIVE_ROOT}${PARTSEP}2")";
+		srv = "$(blkid -o value -s UUID "/dev/vg_root/lv_srv")";
+		swap = "$(blkid -o value -s UUID "/dev/vg_root/lv_swap")";
+	};
+
+	luks = {
+		root = "$(blkid -o value -s PARTUUID "${DRIVE_ROOT}${PARTSEP}3")";
+	};
+}
+END
+
+install_os "${CHROOT_BASE}"
--- a/install-thinkman.sh
+++ b/install-thinkman.sh
@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+set -eux -o pipefail
+
+BASE="$(dirname "$(readlink -f "$0")")"
+. "${BASE}/helpers.sh"
+
+export HOST=thinkman
+export DRIVE_ROOT=/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_1TB_S5H9NS0NB16097P
+
+export NIXOS_FILES="${NIXOS_FILES?}"
+export CHROOT_BASE="/mnt/newroot-${HOST}"
+
+export DRIVE_ROOT_LUKS=/dev/mapper/luks-root
+PARTSEP="-part"
+
+ask_if_sure
+
+mp_umount /
+
+################################################################################################
+echo "Starting Root SSD"
+
+lvm_remove_lv /dev/vg_root/lv_root
+lvm_remove_lv /dev/vg_root/lv_home
+lvm_remove_vg vg_root
+lvm_remove_pv "${DRIVE_ROOT_LUKS}"
+
+luks_close "$(basename "${DRIVE_ROOT_LUKS}")"
+zero_blockdev "${DRIVE_ROOT}"
+
+parttable_clear "${DRIVE_ROOT}"
+
+# ROOT SSD SETUP
+sgdisk \
+	-o "${DRIVE_ROOT}" \
+	-n 1:2048:4095   -c 1:"BIOS Boot Partition"  -t 1:ef02 \
+	-n 2:4096:823295 -c 2:"EFI System Partition" -t 2:ef00 \
+	--largest-new=3  -c 3:"Crypt"                -t 3:8309 \
+	-p
+
+cryptsetup luksFormat "${DRIVE_ROOT}${PARTSEP}3"
+cryptsetup luksOpen --allow-discards "${DRIVE_ROOT}${PARTSEP}3" "$(basename "${DRIVE_ROOT_LUKS}")"
+
+pvcreate         "${DRIVE_ROOT_LUKS}"
+vgcreate vg_root "${DRIVE_ROOT_LUKS}"
+
+lvcreate -L 50GiB -n lv_root vg_root
+mkfs.ext4 -L "${HOST}-root" /dev/vg_root/lv_root
+
+lvcreate -L 100GiB -n lv_home vg_root
+mkfs.ext4 -L "${HOST}-home" /dev/vg_root/lv_home
+
+lvcreate -L 10GiB -n lv_swap vg_root
+mkswap -L "${HOST}-swap" /dev/vg_root/lv_swap
+
+zero_overwrite "${DRIVE_ROOT}${PARTSEP}2"
+mkfs.vfat -n "${HOST}-boot" "${DRIVE_ROOT}${PARTSEP}2"
+
+mp_mount /dev/vg_root/lv_root /
+mp_mount /dev/vg_root/lv_home /home
+mp_mount "${DRIVE_ROOT}${PARTSEP}2" /boot
+
+mkdir -p ${CHROOT_BASE}/etc/secrets/initrd
+ssh-keygen -t ed25519 -N "" -f "${CHROOT_BASE}/etc/secrets/initrd/ssh_host_ed25519_key"
+ssh-keygen -t rsa     -N "" -f "${CHROOT_BASE}/etc/secrets/initrd/ssh_host_rsa_key"
+
+mkdir -p "${CHROOT_BASE}/etc/nixos/"
+rsync -avH "${NIXOS_FILES}/" "${CHROOT_BASE}/etc/nixos/"
+
+cat >> "${CHROOT_BASE}/etc/nixos/vars-uuids.nix" <<END
+{
+	fs = {
+		root = "$(blkid -o value -s UUID "/dev/vg_root/lv_root")";
+		boot = "$(blkid -o value -s UUID "${DRIVE_ROOT}${PARTSEP}2")";
+		home = "$(blkid -o value -s UUID "/dev/vg_root/lv_home")";
+		swap = "$(blkid -o value -s UUID "/dev/vg_root/lv_swap")";
+	};
+
+	luks = {
+		root = "$(blkid -o value -s PARTUUID "${DRIVE_ROOT}${PARTSEP}3")";
+	};
+}
+END
+
+install_os "${CHROOT_BASE}"
--- a/modules.nix
+++ b/modules.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Enable all firmware modules, so that bluetooth and wifi modules can load
+  # https://github.com/NixOS/nixpkgs/issues/85377#issuecomment-616424682
+  hardware.enableRedistributableFirmware = true;
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  boot.initrd = {
+    availableKernelModules = [
+      "ahci"
+      "e1000e"
+      "ehci_pci"
+      "nvme"
+      "sd_mod"
+      "uas"
+      "usbhid"
+      "usb_storage"
+      "xhci_pci"
+    ];
+
+    kernelModules = [
+      "dm-snapshot"
+      "e1000e"
+      "nvme"
+    ];
+
+  };
+
+}
--- a/network.nix
+++ b/network.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+
+    unmanaged = [
+      "interface-name:br-*" # Ignore docker compose network bridges
+      "interface-name:docker?" # Ignore docker default bridge
+      "interface-name:veth*" # Ignore docker compose network devices
+      "interface-name:virbr?" # Ignore libvirt default bridge
+    ];
+  };
+
+}
--- a/serverle.nix
+++ b/serverle.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  imports = [
+    ./default.nix
+    ./core.nix
+    ./disks.nix
+    ./disks-srv.nix
+    ./users.nix
+    ./extra/networkdecrypt.nix
+    ./extra/ssh.nix
+    ./extra/avahi.nix
+    ./hardware/raspberrypi4.nix
+  ];
+  networking.hostName = "serverle";
+
+  #environment.noXlibs = true;
+
+  # Nix
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 30d";
+
+  system.stateVersion = "20.09";
+  system.autoUpgrade.enable = true;
+  system.autoUpgrade.channel = https://nixos.org/channels/nixos-20.09;
+}
--- a/sway.nix
+++ b/sway.nix
@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };
+in
+{
+  programs.light.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    polkit_gnome
+  ];
+  environment.pathsToLink = [ "/libexec" ];
+  #programs.wshowkeys.enable = true;
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures = {
+      gtk = true;
+      base = true;
+    };
+
+    extraPackages = with pkgs; [
+      alacritty
+      brightnessctl
+      dmenu
+      gammastep
+      grim
+      unstable.i3status-rust
+      mako
+      slurp
+      swayidle
+      swaylock
+      wdisplays
+      wf-recorder
+      wl-clipboard
+      wofi
+      xwayland
+      unstable.wshowkeys
+    ];
+
+     
+    extraSessionCommands = 
+    ''  
+      export XDG_SESSION_TYPE=wayland
+      export XDG_CURRENT_DESKTOP=sway
+      export SDL_VIDEODRIVER=wayland
+      export QT_QPA_PLATFORM=wayland
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+      export _JAVA_AWT_WM_NONREPARENTING=1
+      export CLUTTER_BACKEND=wayland
+      export SAL_USE_VCLPLUGIN=gtk3
+      export MOZ_ENABLE_WAYLAND=1
+      export MOZ_USE_XINPUT2=1
+    ''; 
+  };
+}
--- a/thinkman.nix
+++ b/thinkman.nix
@ -0,0 +1,57 @@
+{ config, pkgs, lib, ... }:
+{
+  imports = [
+    ./backup.nix
+    ./core.nix
+    ./default.nix
+    ./disks.nix
+    ./disks-home.nix
+    ./sway.nix
+    ./extra/3d-printing.nix
+    ./extra/android.nix
+    ./extra/arch-linux.nix
+    ./extra/avahi.nix
+    ./extra/bluetooth-audio.nix
+    ./extra/clean.nix
+    ./extra/default.nix
+    ./extra/desktop-development.nix
+    ./extra/development.nix
+    ./extra/docker.nix
+    ./extra/filesystem.nix
+    ./extra/gaming.nix
+    ./extra/hardware-base.nix
+    ./extra/intel-video.nix
+    ./extra/intel.nix
+    ./extra/kvm.nix
+    ./extra/location.nix
+    ./extra/media.nix
+    ./extra/meeting.nix
+    ./extra/nix.nix
+    ./extra/power.nix
+    ./extra/presentation.nix
+    ./extra/printer.nix
+    ./extra/screen-sharing.nix
+    ./extra/sound.nix
+    ./extra/sync.nix
+    ./extra/systemd-user.nix
+    ./extra/systemduefi.nix
+    ./extra/tex.nix
+    ./extra/theme.nix
+    ./extra/thunderbolt.nix
+    ./extra/webcam.nix
+    ./hardware/t14.nix
+  ];
+
+  networking.hostName = "thinkman";
+
+  # Use latest kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Nix
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 30d";
+
+  system.stateVersion = "20.09";
+  system.autoUpgrade.enable = true;
+  system.autoUpgrade.channel = https://nixos.org/channels/nixos-20.09;
+}
--- a/users.nix
+++ b/users.nix
@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+{
+  users.users.felix = {
+    isNormalUser = true;
+    home = "/home/felix";
+    group = "felix";
+    extraGroups = [
+      "wheel"
+      "adbusers"
+      "audio"
+      "docker"
+      "input"
+      "libvirtd"
+      "networkmanager"
+      "video"
+    ];
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman" ];
+  };
+
+  users.groups.felix = {
+    gid = 1000;
+  };
+}