refactor: use flakes with deploy-rs & nixos-hardware

2025-05-25 02:14:41 +02:00 · 2022-06-03 17:47:16 +02:00 · 2022-06-03 17:47:16 +02:00 · d17c2b69a0
commit d17c2b69a0
parent b1ef65594a
81 changed files with 1179 additions and 317 deletions
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -0,0 +1,56 @@
+{ self
+, nixpkgs
+, nixpkgs-unstable
+, sops-nix
+, inputs
+, nixos-hardware
+, nix
+, ...
+}:
+let
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  customModules = import ./modules/default.nix;
+  overlay-unstable = final: prev: {
+    unstable = import nixpkgs-unstable {
+      inherit (final) system;
+      config.allowUnfree = true;
+    };
+  };
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    {
+      _module.args.self = self;
+      _module.args.inputs = inputs;
+    }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nixpkgs.overlays = [ overlay-unstable ];
+          nix.nixPath = [
+            "nixpkgs=${pkgs.path}"
+          ];
+          documentation.info.enable = false;
+        })
+        sops-nix.nixosModules.sops
+      ];
+    }
+  ];
+  defaultModules = baseModules ++ customModules;
+in
+{
+  # add your model from this list: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix
+  thinkman = nixosSystem {
+    system = "x86_64-linux";
+    modules = defaultModules ++ [
+      nixos-hardware.nixosModules.lenovo-thinkpad-t14
+      ./thinkman/configuration.nix
+    ];
+  };
+  serverle = nixosSystem {
+    system = "aarch64-linux";
+    modules = defaultModules ++ [
+      nixos-hardware.nixosModules.raspberry-pi-4
+      ./serverle/configuration.nix
+    ];
+  };
+}
--- a/nixos/deploy.nix
+++ b/nixos/deploy.nix
@ -0,0 +1,20 @@
+{ self
+, deploy
+, ...
+}:
+let
+  mkNode = server: ip: fast: {
+    hostname = "${ip}:22";
+    fastConnection = fast;
+    profiles.system.path =
+      deploy.lib.x86_64-linux.activate.nixos
+        self.nixosConfigurations."${server}";
+  };
+in
+{
+  user = "root";
+  sshUser = "felix";
+  nodes = {
+    serverle = mkNode "serverle" "192.167.178.60" true;
+  };
+}
--- a/nixos/modules/3d-design.nix
+++ b/nixos/modules/3d-design.nix
@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    meshlab
+    cura
+    openscad
+  ];
+}
--- a/nixos/modules/3d-printer.nix
+++ b/nixos/modules/3d-printer.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  services.octoprint = {
+    enable = true;
+    plugins = plugins: with plugins; [
+      costestimation
+      displayprogress
+      m86motorsoff
+      stlviewer
+      telegram
+      titlestatus
+    ];
+  };
+  networking.firewall.allowedTCPPorts = [ 5000 ];
+}
--- a/nixos/modules/android.nix
+++ b/nixos/modules/android.nix
@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+  programs.adb.enable = true;
+  environment.systemPackages = with pkgs; [
+    scrcpy
+  ];
+}
--- a/nixos/modules/avahi.nix
+++ b/nixos/modules/avahi.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+{
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+      userServices = true;
+    };
+  };
+}
--- a/nixos/modules/bluetooth-audio.nix
+++ b/nixos/modules/bluetooth-audio.nix
@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluezFull;
+    settings = {
+      General = {
+        Enable = "Source,Sink,Media,Socket";
+      };
+    };
+  };
+  services.blueman.enable = true;
+  environment.systemPackages = with pkgs; [
+    sony-headphones-client
+  ];
+}
--- a/nixos/modules/clean.nix
+++ b/nixos/modules/clean.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    baobab
+    dupeguru
+    findimagedupes
+    jdupes
+    kondo
+  ];
+}
--- a/nixos/modules/compression.nix
+++ b/nixos/modules/compression.nix
@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    brotli
+  ];
+}
--- a/nixos/modules/core.nix
+++ b/nixos/modules/core.nix
@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+{
+  # Packages
+  environment.systemPackages = with pkgs; [
+    bandwhich
+    bind # dig
+    borgbackup
+    cryptsetup
+    docker-compose
+    file
+    fzf
+    gettext
+    git
+    gitAndTools.delta
+    gnufdisk
+    gptfdisk
+    htop
+    inetutils
+    jq
+    killall
+    lsof
+    mosh
+    multipath-tools #-> kpartx
+    mtr
+    nix-index
+    nmap
+    nmon
+    pciutils
+    pv
+    reptyr
+    rsync
+    screen
+    stress-ng
+    usbutils
+    tmux
+    vim
+    wget
+    whois
+    zip
+    unzip
+  ];
+
+  time.timeZone = "Europe/Berlin";
+  services.timesyncd.enable = true;
+}
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -0,0 +1,6 @@
+[
+  ./core.nix
+  ./modules.nix
+  ./network.nix
+  ./users.nix
+]
--- a/nixos/modules/desktop-development.nix
+++ b/nixos/modules/desktop-development.nix
@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    arduino
+    bless # hex editor
+    chromium
+    dbeaver
+    filezilla
+    fritzing
+    gnome.gnome-font-viewer
+    meld
+    insomnia
+    qgis
+    sqlitebrowser
+    unstable.sublime4
+  ];
+}
--- a/nixos/modules/development.nix
+++ b/nixos/modules/development.nix
@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    # rust
+    unstable.cargo
+    unstable.clippy # lint
+    cargo-flamegraph
+    cargo-outdated
+    rustfmt
+    unstable.rustc
+    # general
+    clang
+    cloc
+    cmake
+    dfeet
+    direnv
+    entr
+    git
+    gnumake
+    go
+    hugo
+    meson
+    ninja
+    (python3.withPackages (ps: with ps; [
+      jupyter # notebooks
+      matplotlib
+      numpy
+      pandas
+      pillow
+      plotly
+      scikitlearn
+      scipy
+      tqdm # progressbar in pandas
+      wheel # python development
+    ]))
+    ripgrep
+    shellcheck
+    topgrade
+    valgrind
+    vimPlugins.YouCompleteMe
+    ycmd
+    unstable.woeusb-ng
+  ];
+}
--- a/nixos/modules/docker.nix
+++ b/nixos/modules/docker.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    docker
+    docker-compose
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+}
--- a/nixos/modules/filesystem.nix
+++ b/nixos/modules/filesystem.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    davfs2
+    exfat
+    fuse3
+    hfsprogs
+    mtpfs
+    nfs-utils
+    ntfs3g
+    sshfs
+  ];
+}
--- a/nixos/modules/fonts.nix
+++ b/nixos/modules/fonts.nix
@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+  fonts = {
+    fontconfig.defaultFonts = {
+      monospace = [ "Ubuntu Mono" ];
+      sansSerif = [ "Ubuntu" ];
+    };
+
+    fonts = with pkgs; [
+      cantarell-fonts # gnome default
+      dina-font
+      fira
+      fira-mono
+      fira-code
+      fira-code-symbols
+      font-awesome
+      liberation_ttf
+      #mplus-outline-fonts
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-emoji
+      proggyfonts
+      ubuntu_font_family
+      joypixels
+      #unifont # unicode
+    ];
+  };
+  nixpkgs.config.joypixels.acceptLicense = true;
+}
--- a/nixos/modules/gaming.nix
+++ b/nixos/modules/gaming.nix
@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    blobby
+    discord
+    minecraft
+    minetest
+    openttd
+    superTuxKart
+    steam
+    SDL
+    SDL2
+    wine
+    winetricks
+  ];
+
+  programs.steam.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+  hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
+  hardware.pulseaudio.support32Bit = true;
+}
--- a/nixos/modules/hardware-base.nix
+++ b/nixos/modules/hardware-base.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.smartd.enable = true;
+  environment.systemPackages = with pkgs; [
+    dmidecode
+    f3
+    hdparm
+    lm_sensors
+    nvme-cli
+    pciutils
+    smartmontools
+    testdisk
+  ];
+}
--- a/nixos/modules/intel-video.nix
+++ b/nixos/modules/intel-video.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # LIBVA_DRIVER_NAME=iHD
+      vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+      vaapiVdpau
+      libvdpau-va-gl
+    ];
+  };
+}
--- a/nixos/modules/intel.nix
+++ b/nixos/modules/intel.nix
@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/nixos/modules/kvm.nix
+++ b/nixos/modules/kvm.nix
@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.kernelModules = [
+    "kvm-amd"
+    "kvm-intel"
+  ];
+  virtualisation.libvirtd.enable = true;
+}
--- a/nixos/modules/location.nix
+++ b/nixos/modules/location.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+{
+  location.provider = "geoclue2";
+
+  services.geoclue2 = {
+    enable = true;
+    enableDemoAgent = true;
+
+    appConfig."gammastep" = {
+      desktopID = "gammastep";
+      isAllowed = true;
+      isSystem = false;
+      # Empty list allows all users
+      users = [ ];
+    };
+    appConfig."gammastep-indicator" = {
+      desktopID = "gammastep-indicator";
+      isAllowed = true;
+      isSystem = false;
+      # Empty list allows all users
+      users = [ ];
+    };
+
+  };
+}
--- a/nixos/modules/media.nix
+++ b/nixos/modules/media.nix
@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+let
+  yt-dlp = pkgs.yt-dlp.override {
+    withAlias = true;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [
+    audacity
+    chromaprint # music-brainz fingerprint
+    ffmpeg
+    gallery-dl
+    graphviz
+    handbrake
+    image_optim
+    imagemagick
+    inkscape
+    mat2 # metadata-cleaning
+    mediaelch
+    mp3gain
+    mp3splt # splitting mp3 files
+    mp3val
+    pdfsam-basic # pdf editing
+    picard # music tagging
+    projectm # visualization of music
+    puddletag # audio tagging
+    shotwell # photo management
+    sonixd # cloud-music-player
+    soundkonverter
+    yt-dlp
+  ];
+}
--- a/nixos/modules/meeting.nix
+++ b/nixos/modules/meeting.nix
@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    element-desktop-wayland
+    mumble
+    nheko
+    pidgin
+    skypeforlinux
+    signal-desktop
+    teamspeak_client
+  ];
+}
--- a/nixos/modules/modules.nix
+++ b/nixos/modules/modules.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Enable all firmware modules, so that bluetooth and wifi modules can load
+  # https://github.com/NixOS/nixpkgs/issues/85377#issuecomment-616424682
+  hardware.enableRedistributableFirmware = true;
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  boot.initrd = {
+    availableKernelModules = [
+      "ahci"
+      "e1000e"
+      "ehci_pci"
+      "nvme"
+      "sd_mod"
+      "uas"
+      "usbhid"
+      "usb_storage"
+      "xhci_pci"
+    ];
+
+    kernelModules = [
+      "dm-snapshot"
+      "e1000e"
+      "nvme"
+    ];
+
+  };
+
+}
--- a/nixos/modules/nautilus.nix
+++ b/nixos/modules/nautilus.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+{
+  # enable trash & network-mount
+  services.gvfs.enable = true;
+
+  environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0";
+  environment.pathsToLink = [
+    "/share/nautilus-python/extensions"
+  ];
+
+  services.gnome.glib-networking.enable = true; # network-mount
+
+  environment.systemPackages = with pkgs; [
+    # thumbnails
+    ffmpegthumbnailer
+    gnome.nautilus
+    # enable plugins
+    gnome.nautilus-python
+    # thumbnails
+    gst_all_1.gst-libav
+    # default-programms
+    shared-mime-info
+    # terminal-context-entry
+    nautilus-open-any-terminal
+  ];
+}
--- a/nixos/modules/network.nix
+++ b/nixos/modules/network.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+
+    unmanaged = [
+      "interface-name:br-*" # Ignore docker compose network bridges
+      "interface-name:docker?" # Ignore docker default bridge
+      "interface-name:veth*" # Ignore docker compose network devices
+      "interface-name:virbr?" # Ignore libvirt default bridge
+    ];
+  };
+
+}
--- a/nixos/modules/networkdecrypt.nix
+++ b/nixos/modules/networkdecrypt.nix
@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  boot.initrd.network = {
+    enable = true;
+
+    ssh = {
+      enable = true;
+      port = 2222;
+      hostKeys = [
+        /etc/secrets/initrd/ssh_host_ed25519_key
+      ];
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman"
+      ];
+    };
+
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+}
--- a/nixos/modules/nix.nix
+++ b/nixos/modules/nix.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    nix-prefetch
+    nix-update
+    nixpkgs-fmt
+    nixpkgs-lint
+    nixpkgs-review
+  ];
+}
--- a/nixos/modules/power.nix
+++ b/nixos/modules/power.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    config.boot.kernelPackages.cpupower
+    pkgs.powertop
+    pkgs.s-tui
+  ];
+
+  powerManagement = {
+    cpuFreqGovernor = lib.mkDefault "powersave";
+    #powertop.enable = true; # messes up usb mouse
+  };
+
+  services = {
+    thermald.enable = true;
+    upower.enable = true;
+  };
+}
--- a/nixos/modules/presentation.nix
+++ b/nixos/modules/presentation.nix
@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    pdfpc
+  ];
+}
--- a/nixos/modules/printer.nix
+++ b/nixos/modules/printer.nix
@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.printing.enable = true;
+  services.printing.drivers = with pkgs; [
+    canon-cups-ufr2
+    gutenprint
+    hplip
+  ];
+  programs.system-config-printer.enable = true;
+}
--- a/nixos/modules/screen-sharing.nix
+++ b/nixos/modules/screen-sharing.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    remmina
+    teamviewer
+  ];
+
+  services.pipewire.enable = true;
+
+  xdg.portal = {
+    enable = true;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk
+      xdg-desktop-portal-wlr
+    ];
+    gtkUsePortal = true;
+  };
+
+  # for firefox
+  environment.sessionVariables = {
+    MOZ_ENABLE_WAYLAND = "1";
+    XDG_CURRENT_DESKTOP = "sway";
+    XDG_SESSION_TYPE = "wayland";
+  };
+}
--- a/nixos/modules/security.nix
+++ b/nixos/modules/security.nix
@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    aircrack-ng
+    lynis
+  ];
+}
--- a/nixos/modules/sound.nix
+++ b/nixos/modules/sound.nix
@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+  sound.enable = true;
+
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  # programs.noisetorch.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    # noisetorch
+    pavucontrol
+    playerctl
+    pulseaudio # provide pactl to enable keyboard shortcuts
+  ];
+}
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@ -0,0 +1,9 @@
+{ config, ... }:
+{
+  services.openssh.enable = true;
+
+  # WARNING: if you remove this, then you need to assign a password to your user, otherwise
+  # `sudo` won't work. You can do that either by using `passwd` after the first rebuild or
+  # by setting an hashed password in the `users.users.felix` block as `initialHashedPassword`.
+  security.sudo.wheelNeedsPassword = false;
+}
--- a/nixos/modules/sway.nix
+++ b/nixos/modules/sway.nix
@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+{
+  programs.light.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    polkit_gnome
+  ];
+  environment.pathsToLink = [ "/libexec" ];
+  programs.wshowkeys.enable = true;
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures = {
+      gtk = true;
+      base = true;
+    };
+
+    extraPackages = with pkgs; [
+      brightnessctl
+      dmenu
+      foot
+      gammastep
+      grim
+      i3status-rust
+      mako
+      slurp
+      swayidle
+      swaylock
+      wdisplays
+      wf-recorder
+      wl-clipboard
+      wofi
+      xwayland
+      wshowkeys
+    ];
+
+    extraSessionCommands = ''
+      export XDG_SESSION_TYPE=wayland
+      export XDG_CURRENT_DESKTOP=sway
+      export SDL_VIDEODRIVER=wayland
+      export QT_QPA_PLATFORM=wayland
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+      export _JAVA_AWT_WM_NONREPARENTING=1
+      export CLUTTER_BACKEND=wayland
+      export SAL_USE_VCLPLUGIN=gtk3
+      export MOZ_ENABLE_WAYLAND=1
+      export MOZ_USE_XINPUT2=1
+    '';
+  };
+}
--- a/nixos/modules/sync.nix
+++ b/nixos/modules/sync.nix
@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    nextcloud-client
+    syncthing
+    magic-wormhole
+    vdirsyncer
+  ];
+}
--- a/nixos/modules/systemd-user.nix
+++ b/nixos/modules/systemd-user.nix
@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  systemd.user.extraConfig = ''
+    DefaultEnvironment="PATH=/run/current-system/sw/bin"
+  '';
+}
--- a/nixos/modules/systemduefi.nix
+++ b/nixos/modules/systemduefi.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    loader = {
+      timeout = 1;
+      systemd-boot = {
+        enable = true;
+        configurationLimit = 10;
+        consoleMode = "keep";
+        editor = true;
+      };
+    };
+  };
+}
--- a/nixos/modules/tex.nix
+++ b/nixos/modules/tex.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    biber
+    jabref
+    qtikz
+    texlive.combined.scheme-full
+    texstudio
+  ];
+}
--- a/nixos/modules/theme.nix
+++ b/nixos/modules/theme.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    gtk-engine-murrine
+    gtk_engines
+    gsettings-desktop-schemas
+    lxappearance
+  ];
+  programs.qt5ct.enable = true;
+}
--- a/nixos/modules/thunderbolt.nix
+++ b/nixos/modules/thunderbolt.nix
@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    thunderbolt
+  ];
+  services.hardware.bolt.enable = true;
+}
--- a/nixos/modules/users.nix
+++ b/nixos/modules/users.nix
@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+{
+  users.users.felix = {
+    isNormalUser = true;
+    home = "/home/felix";
+    group = "felix";
+    extraGroups = [
+      "wheel"
+      "adbusers"
+      "audio"
+      "dialout"
+      "docker"
+      "input"
+      "libvirtd"
+      "networkmanager"
+      "video"
+    ];
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman" ];
+  };
+
+  users.groups.felix = {
+    gid = 1000;
+  };
+}
--- a/nixos/modules/webapps/bazarr.nix
+++ b/nixos/modules/webapps/bazarr.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+  services.bazarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.services.bazarr = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.bazarr = {
+    dashboard = {
+      name = "Bazarr";
+      category = "manag";
+      icon = "closed-captioning";
+      link = "http://192.168.178.60:6767";
+    };
+  };
+}
--- a/nixos/modules/webapps/config.nix
+++ b/nixos/modules/webapps/config.nix
@ -0,0 +1,109 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.webapps = {
+    dashboardCategories = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          name = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              Category name.
+            '';
+            example = "Applications";
+          };
+          tag = lib.mkOption {
+            type = lib.types.str;
+            description = ''
+              Category tag.
+            '';
+            example = "app";
+          };
+        };
+      });
+      description = ''
+        App categories to display on the dashboard.
+      '';
+      example = [
+        {
+          name = "Application";
+          tag = "app";
+        }
+      ];
+      default = [ ];
+    };
+
+    apps = lib.mkOption {
+      type = lib.types.attrsOf
+        (lib.types.submodule {
+          options = {
+            dashboard.link = lib.mkOption {
+              type = lib.types.nullOr lib.types.str;
+              description = ''
+                Link to webapp
+              '';
+              example = "http://192.168.1.10:1234";
+              default = null;
+            };
+            dashboard.name = lib.mkOption {
+              type = lib.types.nullOr lib.types.str;
+              description = ''
+                Application name.
+              '';
+              example = "App";
+              default = null;
+            };
+            dashboard.category = lib.mkOption {
+              type = lib.types.nullOr lib.types.str;
+              description = ''
+                App category tag.
+              '';
+              example = "app";
+              default = null;
+            };
+            dashboard.icon = lib.mkOption {
+              type = lib.types.nullOr lib.types.str;
+              description = ''
+                Font Awesome application icon.
+              '';
+              example = "rss";
+              default = null;
+            };
+          };
+        });
+      description = ''
+        Defines a web application.
+      '';
+      default = { };
+    };
+  };
+
+  config =
+    let
+      cfg = config.webapps;
+    in {
+    lib.webapps.homerServices =
+        let
+          apps = builtins.filter (a: a.dashboard.name != null) (lib.attrValues cfg.apps);
+        in
+        lib.forEach cfg.dashboardCategories (cat:
+          let
+            catApps = lib.sort (a: b: a.dashboard.name < b.dashboard.name) (
+              builtins.filter
+                (a:
+                  a.dashboard.category != null && a.dashboard.category == cat.tag ||
+                  a.dashboard.category == null && cat.tag == "misc")
+                apps);
+          in
+          {
+            name = cat.name;
+            items = lib.forEach catApps (a: {
+              name = a.dashboard.name;
+              icon = lib.optionalString (a.dashboard.icon != null) "fas fa-${a.dashboard.icon}";
+              url = a.dashboard.link;
+              target = "_blank";
+            });
+          }
+        );
+      };
+}
--- a/nixos/modules/webapps/homer.nix
+++ b/nixos/modules/webapps/homer.nix
@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+let
+  homer = pkgs.stdenv.mkDerivation rec {
+    pname = "homer";
+    version = "22.02.2";
+
+    src = pkgs.fetchurl {
+      urls = [
+        "https://github.com/bastienwirtz/${pname}/releases/download/v${version}/${pname}.zip"
+      ];
+      sha256 = "sha256-34kukIT3ZrT03jIqnBT6h8T92fsQggWbCjf2NhVbHhI=";
+    };
+    nativeBuildInputs = [ pkgs.unzip ];
+
+    dontInstall = true;
+    sourceRoot = ".";
+    unpackCmd = "${pkgs.unzip}/bin/unzip -d $out $curSrc";
+  };
+
+  homeConfig = {
+    title = "Dashboard";
+    header = false;
+    footer = false;
+    connectivityCheck = true;
+    colums = "auto";
+    services = config.lib.webapps.homerServices;
+  };
+in
+{
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  services.nginx = {
+    enable = true;
+    #virtualHosts."dashboard.rocks" = {
+    virtualHosts."_" = {
+      default = true;
+      locations = {
+        "/" = {
+          root = homer;
+        };
+        "=/assets/config.yml" = {
+          alias = pkgs.writeText "homerConfig.yml" (builtins.toJSON homeConfig);
+        };
+      };
+    };
+  };
+  webapps = {
+    dashboardCategories = [
+      { name = "Applications"; tag = "app"; }
+      { name = "Media-Management"; tag = "manag"; }
+      { name = "Infrastructure"; tag = "infra"; }
+    ];
+  };
+}
--- a/nixos/modules/webapps/jellyfin.nix
+++ b/nixos/modules/webapps/jellyfin.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.services.jellyfin = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.jellyfin = {
+    dashboard = {
+      name = "Jellyfin";
+      category = "app";
+      icon = "film";
+      link = "http://192.168.178.60:8096";
+    };
+  };
+}
--- a/nixos/modules/webapps/navidrome.nix
+++ b/nixos/modules/webapps/navidrome.nix
@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "0.0.0.0";
+      MusicFolder = "/srv/data/music";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 4533 ];
+
+  systemd.services.navidrome = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.navidrome = {
+    dashboard = {
+      name = "Navidrome";
+      category = "app";
+      icon = "music";
+      link = "http://192.168.178.60:4533";
+    };
+  };
+}
--- a/nixos/modules/webapps/prowlarr.nix
+++ b/nixos/modules/webapps/prowlarr.nix
@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+{
+  services.prowlarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.services.prowlarr = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.prowlarr = {
+    dashboard = {
+      name = "Prowlarr";
+      category = "manag";
+      icon = "sync-alt";
+      link = "http://192.168.178.60:9696";
+    };
+  };
+  # ugly fix for service not having a homedirectory
+  users.users.prowlarr = {
+    isSystemUser = true;
+    home = "/var/lib/prowlarr";
+    group = "prowlarr";
+    uid = 61654;
+  };
+  users.groups.prowlarr = {
+    gid = 61654;
+  };
+}
--- a/nixos/modules/webapps/radarr.nix
+++ b/nixos/modules/webapps/radarr.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+  services.radarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.services.radarr = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.radarr = {
+    dashboard = {
+      name = "Radarr";
+      category = "manag";
+      icon = "film";
+      link = "http://192.168.178.60:7878";
+    };
+  };
+}
--- a/nixos/modules/webapps/sonarr.nix
+++ b/nixos/modules/webapps/sonarr.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+  services.sonarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  systemd.services.sonarr = {
+    after = [ "network-online.target" ];
+    #unitConfig.RequiresMountsFor = [ "/storage" ];
+  };
+
+  webapps.apps.sonarr = {
+    dashboard = {
+      name = "Sonarr";
+      category = "manag";
+      icon = "tv";
+      link = "http://192.168.178.60:8989";
+    };
+  };
+}
--- a/nixos/modules/webcam.nix
+++ b/nixos/modules/webcam.nix
@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    fswebcam
+    gnome.cheese
+  ];
+}
--- a/nixos/serverle/backup.nix
+++ b/nixos/serverle/backup.nix
@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = import ./vars-backup.nix;
+  borgbackupMonitor = { config, pkgs, lib, ... }: with lib; {
+    key = "borgbackupMonitor";
+    _file = "borgbackupMonitor";
+    config.systemd.services = {
+      "notify-problems@" = {
+        enable = true;
+        serviceConfig.User = "felix";
+        environment.SERVICE = "%i";
+        script = ''
+          export $(cat /proc/$(${pkgs.procps}/bin/pgrep -x "sway" -u "$USER")/environ |grep -z '^DBUS_SESSION_BUS_ADDRESS=')
+          ${pkgs.libnotify}/bin/notify-send -u critical "$SERVICE FAILED!" "Run journalctl -u $SERVICE for details"
+        '';
+      };
+    } // flip mapAttrs' config.services.borgbackup.jobs (name: value:
+      nameValuePair "borgbackup-job-${name}" {
+        unitConfig.OnFailure = "notify-problems@%i.service";
+      }
+    );
+  };
+
+in
+{
+  # notification
+  imports = [
+    borgbackupMonitor
+  ];
+
+  services.borgbackup.jobs.hetzner = {
+    paths = [
+      "/"
+    ];
+    exclude = [
+      "/nix"
+      "/sys"
+      "/run"
+      "/proc"
+      "/root/.cache/"
+      "**/.Trash"
+      "/tmp/*"
+      "/var/lock/*"
+      "/var/run/*"
+      "/var/tmp/*"
+      "/home/*/tmp"
+      "/home/*/todo"
+      "/home/*/.cache"
+      "/home/*/.gvfs"
+      "/home/*/.thumbnails"
+      "/home/*/.local/share/Trash"
+      "/srv/data/tmp"
+      "/srv/data/todo"
+    ];
+    extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat /root/.borg_password";
+    };
+    environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23";
+    repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}";
+    compression = "auto,zstd";
+    doInit = false;
+    startAt = "daily";
+    persistentTimer = true;
+    prune.keep = {
+      last = 1;
+      within = "3d";
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+      yearly = 2;
+    };
+  };
+}
--- a/nixos/serverle/configuration.nix
+++ b/nixos/serverle/configuration.nix
@ -0,0 +1,43 @@
+{ config, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+    ./backup.nix
+    ../modules/3d-printer.nix
+    ../modules/avahi.nix
+    ../modules/compression.nix
+    ../modules/development.nix
+    ../modules/docker.nix
+    ./dyndns.nix
+    ../modules/networkdecrypt.nix
+    ../modules/nix.nix
+    ../modules/ssh.nix
+    ../modules/webapps/config.nix
+    ../modules/webapps/bazarr.nix
+    ../modules/webapps/homer.nix
+    ../modules/webapps/jellyfin.nix
+    ../modules/webapps/navidrome.nix
+    ../modules/webapps/prowlarr.nix
+    ../modules/webapps/radarr.nix
+    ../modules/webapps/sonarr.nix
+  ];
+  networking.hostName = "serverle";
+
+  #environment.noXlibs = true;
+
+  networking.firewall.allowedTCPPorts = [
+    8080 # aria
+  ];
+
+  # Nix
+  nix.gc = {
+    automatic = true;
+    options = "--delete-older-than 30d";
+  };
+
+  system = {
+    stateVersion = "21.11";
+    autoUpgrade.enable = true;
+  };
+}
--- a/nixos/serverle/disks.nix
+++ b/nixos/serverle/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/sda";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/serverle-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/serverle-bo";
+    fsType = "vfat";
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/serverle-srv";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/serverle-swap";
+  }];
+}
+
--- a/nixos/serverle/dyndns.nix
+++ b/nixos/serverle/dyndns.nix
@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = import ./vars-dyndns.nix;
+in
+{
+  services.ddclient = {
+    enable = true;
+    server = cfg.dyndns.server;
+    username = cfg.dyndns.username;
+    passwordFile = "/root/.dyndns_password";
+    domains = cfg.dyndns.domains;
+    ipv6 = true;
+  };
+}
--- a/nixos/serverle/hardware-configuration.nix
+++ b/nixos/serverle/hardware-configuration.nix
@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot
+  boot.loader.grub.enable = false;
+  boot.loader.raspberryPi.enable = true;
+  boot.loader.raspberryPi.version = 4;
+  boot.loader.raspberryPi.firmwareConfig = ''
+    # Disable the ACT LED.
+    dtparam=act_led_trigger=none
+    dtparam=act_led_activelow=off
+    # Disable the PWR LED.
+    dtparam=pwr_led_trigger=none
+    dtparam=pwr_led_activelow=off
+
+    # Disable ethernet port LEDs
+    dtparam=eth0_led=4
+    dtparam=eth1_led=4
+    
+    # Disable SD-Card pools
+    dtparam=sd_pool_once=on
+  '';
+
+  # Kernel configuration
+  boot.kernelPackages = pkgs.linuxPackages_rpi4;
+  boot.kernelParams = [ "cma=64M" "console=tty0" ];
+
+  # Enable additional firmware (such as Wi-Fi drivers).
+  hardware.enableRedistributableFirmware = true;
+
+  #swapDevices = [{ device = "/swapfile"; size = 1024; }];
+
+  # Fix wifi disconnect
+  networking.networkmanager.wifi.powersave = false;
+}
--- a/nixos/serverle/vars-backup.nix
+++ b/nixos/serverle/vars-backup.nix
@ -0,0 +1,7 @@
+{
+  borg = {
+    user = "u181505-sub1";
+    host = "u181505-sub1.your-storagebox.de";
+    dir = "serverle/";
+  };
+}
--- a/nixos/serverle/vars-dyndns.nix
+++ b/nixos/serverle/vars-dyndns.nix
@ -0,0 +1,7 @@
+{
+  dyndns = {
+    server = "dyndns.inwx.com";
+    username = "Stunkymonkey-dyndns";
+    domains =  [ "serverle.stunkymonkey.de" ];
+  };
+}
--- a/nixos/thinkman/backup.nix
+++ b/nixos/thinkman/backup.nix
@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = import ./vars-backup.nix;
+  borgbackupMonitor = { config, pkgs, lib, ... }: with lib; {
+    key = "borgbackupMonitor";
+    _file = "borgbackupMonitor";
+    config.systemd.services = {
+      "notify-problems@" = {
+        enable = true;
+        serviceConfig.User = "felix";
+        environment.SERVICE = "%i";
+        script = ''
+          export $(cat /proc/$(${pkgs.procps}/bin/pgrep -x "sway" -u "$USER")/environ |grep -z '^DBUS_SESSION_BUS_ADDRESS=')
+          ${pkgs.libnotify}/bin/notify-send -u critical "$SERVICE FAILED!" "Run journalctl -u $SERVICE for details"
+        '';
+      };
+    } // flip mapAttrs' config.services.borgbackup.jobs (name: value:
+      nameValuePair "borgbackup-job-${name}" {
+        unitConfig.OnFailure = "notify-problems@%i.service";
+      }
+    );
+  };
+
+in
+{
+  # notification
+  imports = [
+    borgbackupMonitor
+  ];
+
+  services.borgbackup.jobs.hetzner = {
+    paths = [
+      "/"
+    ];
+    exclude = [
+      "/nix"
+      "/sys"
+      "/run"
+      "/proc"
+      "/root/.cache/"
+      "**/.Trash"
+      "/tmp/*"
+      "/var/lock/*"
+      "/var/run/*"
+      "/var/tmp/*"
+      "/home/*/tmp"
+      "/home/*/todo"
+      "/home/*/.cache"
+      "/home/*/.gvfs"
+      "/home/*/.thumbnails"
+      "/home/*/.local/share/Trash"
+      "/srv/data/tmp"
+      "/srv/data/todo"
+    ];
+    extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat /root/.borg_password";
+    };
+    environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23";
+    repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}";
+    compression = "auto,zstd";
+    doInit = false;
+    startAt = "daily";
+    persistentTimer = true;
+    prune.keep = {
+      last = 1;
+      within = "3d";
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+      yearly = 2;
+    };
+  };
+}
--- a/nixos/thinkman/configuration.nix
+++ b/nixos/thinkman/configuration.nix
@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+{
+  imports = [
+    ./disks.nix
+    ./hardware-configuration.nix
+    ../modules/sway.nix
+    ./backup.nix
+    ../modules/3d-design.nix
+    ../modules/android.nix
+    ../modules/avahi.nix
+    ../modules/bluetooth-audio.nix
+    ../modules/clean.nix
+    ../modules/compression.nix
+    ../modules/desktop-development.nix
+    ../modules/development.nix
+    ../modules/docker.nix
+    ../modules/filesystem.nix
+    ../modules/gaming.nix
+    ../modules/hardware-base.nix
+    ../modules/intel-video.nix
+    ../modules/intel.nix
+    ../modules/kvm.nix
+    ../modules/location.nix
+    ../modules/media.nix
+    ../modules/meeting.nix
+    ../modules/nix.nix
+    ../modules/power.nix
+    ../modules/presentation.nix
+    ../modules/printer.nix
+    ../modules/screen-sharing.nix
+    ../modules/sound.nix
+    ../modules/sync.nix
+    ../modules/systemd-user.nix
+    ../modules/systemduefi.nix
+    ../modules/tex.nix
+    ../modules/theme.nix
+    ../modules/thunderbolt.nix
+    ../modules/webcam.nix
+  ];
+
+  networking.hostName = "thinkman";
+
+  # Use latest kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Nix
+  nix = {
+    autoOptimiseStore = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedPriority = 7;
+  };
+
+  system = {
+    stateVersion = "22.05";
+    autoUpgrade.enable = true;
+  };
+}
--- a/nixos/thinkman/disks.nix
+++ b/nixos/thinkman/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/nvme0";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/thinkman-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/thinkman-bo";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/thinkman-home";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/thinkman-swap";
+  }];
+}
+
--- a/nixos/thinkman/hardware-configuration.nix
+++ b/nixos/thinkman/hardware-configuration.nix
@ -0,0 +1,20 @@
+{ config, lib, ... }:
+{
+  boot = {
+    # acpi_call makes tlp work for newer thinkpads
+    kernelModules = [ "acpi_call" ];
+    extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
+
+    # Force use of the thinkpad_acpi driver for backlight control.
+    # This allows the backlight save/load systemd service to work.
+    kernelParams = [ "acpi_backlight=native" ];
+
+    # video driver
+    initrd.kernelModules = [ "i915" ];
+  };
+
+  services.fstrim.enable = lib.mkDefault true;
+
+  # Special power management settings for ThinkPads
+  services.tlp.enable = true;
+}
--- a/nixos/thinkman/vars-backup.nix
+++ b/nixos/thinkman/vars-backup.nix
@ -0,0 +1,7 @@
+{
+  borg = {
+    user = "u181505-sub1";
+    host = "u181505-sub1.your-storagebox.de";
+    dir = "thinkman/";
+  };
+}