meow

2025-09-10 15:33:48 +02:00 · 2025-09-10 15:33:48 +02:00 · 35c8ebb56a
commit 35c8ebb56a
parent c999ed6520
20 changed files with 670 additions and 405 deletions
--- a/modules/desktop/common-programs.nix
+++ b/modules/desktop/common-programs.nix
@ -13,8 +13,7 @@ in
    lib.mkEnableOption "install some commonly used programs";
  config = lib.mkIf cfg.enable {
    home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ({...}: {
-      # xyno.alacritty.enable = true;
-      xyno.helix.enable = true;
+      xyno.firefox.enable = true;
    });
    programs.steam = {
      enable = true;
@ -24,7 +23,6 @@ in
    };
    programs.evolution.enable = true;
    services.gnome.evolution-data-server.enable = true;
-    services.flatpak.enable = true;
    programs.fuse.userAllowOther = true;
    programs.nix-ld.enable = true;
    programs.gamescope.enable = true;
--- a/modules/desktop/niri.nix
+++ b/modules/desktop/niri.nix
@ -5,6 +5,7 @@
  lib,
  ...
 }:
+with lib;
 let
  cfg = config.xyno.desktop.niri;
  floatingAppids = [
@ -14,7 +15,7 @@ let
    "org.gnome.NautilusPreviewer"
    "io.github.Qalculate.qalculate-qt"
  ];
-  matchFloat = lib.concatStringsSep "\n" (
+  matchFloat = concatStringsSep "\n" (
    map (x: ''
      window-rule {
        match app-id="${x}"
@ -25,43 +26,44 @@ let
  );
 in
 {
-  options.xyno.desktop.niri.enable = lib.mkEnableOption "enable the niri desktop with xynos config";
-  options.xyno.desktop.niri.launcher = lib.mkOption { type = lib.types.str; };
-  options.xyno.desktop.niri.term = lib.mkOption { type = lib.types.str; };
-  options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; };
-  config = lib.mkIf cfg.enable {
+  options.xyno.desktop.niri.enable = mkEnableOption "enable the niri desktop with xynos config";
+  options.xyno.desktop.niri.launcher = mkOption { type = types.str; };
+  options.xyno.desktop.niri.term = mkOption { type = types.str; };
+  options.xyno.desktop.niri.extraConfig = mkOption { type = types.lines; };
+  config = mkIf cfg.enable {
    xyno.desktop = {
-      foot.enable = lib.mkDefault true;
-      fuzzel.enable = lib.mkDefault true;
-      mako.enable = lib.mkDefault true;
-      shikane.enable = lib.mkDefault true;
-      swayidle.enable = lib.mkDefault true;
-      waybar.enable = lib.mkDefault true;
-      wpaperd.enable = lib.mkDefault true;
+      foot.enable = mkDefault true;
+      fuzzel.enable = mkDefault true;
+      mako.enable = mkDefault true;
+      shikane.enable = mkDefault true;
+      swayidle.enable = mkDefault true;
+      waybar.enable = mkDefault true;
+      wpaperd.enable = mkDefault true;
    };
    nixpkgs.overlays = [
        inputs.niri.overlays.default
    ];
+    services.displayManager.defaultSession = mkDefault "niri";
    home-manager.users.${config.xyno.system.user.name} =
-      lib.mkIf config.xyno.presets.home-manager.enable
+      mkIf config.xyno.presets.home-manager.enable
        (
          { ... }:
          {
            xyno.dark-theme.enable = true;
-            home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
-              [filechooser]
-              cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
-              default_dir=$HOME
-              env=TERMCMD=footclient --app-id floating-alacritty
-              open_mode = suggested
-              save_mode = suggested
-            '';
+            # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
+            #   [filechooser]
+            #   cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
+            #   default_dir=$HOME
+            #   env=TERMCMD=footclient --app-id floating-alacritty
+            #   open_mode = suggested
+            #   save_mode = suggested
+            # '';
          }
        );

    xdg.portal = {
      extraPortals = [
-        pkgs.xdg-desktop-portal-termfilechooser
+        # pkgs.xdg-desktop-portal-termfilechooser
      ];
      config.niri.default = [
        "gnome"
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -17,6 +17,7 @@
  ./networking/networkd.nix
  ./presets/cli.nix
  ./presets/common.nix
+  ./presets/development.nix
  ./presets/gui.nix
  ./presets/server.nix
  ./presets/home-manager.nix
--- a/modules/presets/cli.nix
+++ b/modules/presets/cli.nix
@ -11,6 +11,17 @@ in
  options.xyno.presets.cli.enable =
    lib.mkEnableOption "enables xynos cli config with fish and helix and stuff";
  config = lib.mkIf cfg.enable {
+    home-manager.users.${config.xyno.system.user.name} =
+      lib.mkIf config.xyno.presets.home-manager.enable
+        (
+          { ... }:
+          {
+            xyno.helix.enable = true;
+            home.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
+            systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
+          }
+        );
+
    xyno.cli.fish.enable = true;
    xyno.cli.starship.enable = true;
    security.sudo.enable = false;
@ -31,19 +42,15 @@ in
      LC_TIME = "de_DE.UTF-8";
      LC_COLLATE = "de_DE.UTF-8";
    };
-    home-manager.users.xyno.home.sessionVariables.LOCALE_ARCHIVE_2_27 =
-      lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
-    home-manager.users.xyno.systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 =
-      lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";

    nix.settings = {
      substituters = [
        # "https://cache.lix.systems"
-        "https://helix.cachix.org"
+        # "https://helix.cachix.org"
      ];
      trusted-public-keys = [
        # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
-        "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
+        # "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
      ];
      trusted-users = lib.mkDefault [
        "root"
@ -78,33 +85,35 @@ in
      # pinentrywlavor = "curses";
      # enableSSHSupport = true;
    };
-    services.udev.packages = [ pkgs.yubikey-personalization ]; # needed for yubikeys to be used as smartcards

    environment.systemPackages = with pkgs; [
-      jq
-      fd
+      (pkgs.writeShellScriptBin "sudo" "run0 $@")
+      aria2
+      openssl
+      bat
      bottom
+      curl
+      croc
+      dig
+      fd
+      ffmpeg
+      file
+      fzf
+      git
+      helix
      htop
      imagemagick
-      bat
-      ffmpeg
-      poppler
-      w3m
-      curl
-      aria2
-      fzf
-      file
-      git
-      neofetch
-      ripgrep
-      pv
-      yt-dlp
-      moar
-      helix
+      jq
      lm_sensors
-      dig
+      moar
+      neofetch
      nix-output-monitor
-      (pkgs.writeShellScriptBin "sudo" "run0 $@")
+      poppler
+      pv
+      ripgrep
+      w3m
+      yt-dlp
+      p7zip
    ];
    programs.mosh.enable = true;
    environment.variables.EDITOR = "hx";
@ -125,6 +134,7 @@ in
      p = "cd ~/proj";
      ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams'';
      sudo = "run0";
+      less = "moar";
    };
  };
 }
--- a/modules/presets/development.nix
+++ b/modules/presets/development.nix
@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.xyno.presets.development;
+in
+{
+  options.xyno.presets.development.enable =
+    mkEnableOption "enables xynos configs for a development machine";
+  config = mkIf cfg.enable {
+    home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable (
+      { ... }:
+      {
+        xyno.helix.withLargeLSPs = true;
+        xyno.git.enable = true;
+      }
+    );
+    xyno.presets.cli.enable = true;
+    xyno.presets.home-manager.enable = true;
+    xyno.system.user.enable = true;
+    virtualisation.podman.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      unstable.jetbrains.rider
+      android-studio
+      nixpkgs-manual
+      nixpkgs-manual.lib-docs
+      podman-compose
+      tio
+      (
+        let
+          helpScript = pkgs.writeShellScriptBin "nixpkgs-help" ''
+            exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html
+          '';
+          desktopItem = pkgs.makeDesktopItem {
+            name = "nixpkgs-manual";
+            desktopName = "nixpkgs Manual";
+            genericName = "System Manual";
+            comment = "View nixpkgs documentation in a web browser";
+            icon = "nix-snowflake";
+            exec = "nixpkgs-help";
+            categories = [ "System" ];
+          };
+
+        in
+        pkgs.symlinkJoin {
+          name = "nixpkgs-help";
+          paths = [
+            helpScript
+            desktopItem
+          ];
+
+        }
+      )
+    ];
+  };
+}
--- a/modules/presets/gui.nix
+++ b/modules/presets/gui.nix
@ -4,34 +4,36 @@
  lib,
  ...
 }:
+with lib;
 let
  cfg = config.xyno.presets.gui;
 in
 {
-  options.xyno.presets.gui.enable = lib.mkEnableOption "enables xynos gui config";
-  options.xyno.presets.gui.terminalEmulator = lib.mkOption {
-    type = lib.types.str;
-    default = "alacritty";
+  options.xyno.presets.gui.enable = mkEnableOption "enables xynos gui config";
+  options.xyno.presets.gui.terminalEmulator = mkOption {
+    type = types.str;
+    default = "foot";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    services.udev.packages = [
      pkgs.openocd # fix permission errors with connecting things (especially esp32-c3)
      pkgs.ptouch-print
+      pkgs.yubikey-personalization
    ];
    xyno.desktop.niri.enable = true;
-    xyno.desktop.audio.enable = lib.mkDefault true;
+    xyno.desktop.audio.enable = mkDefault true;
+    boot.kernelPackages = mkDefault pkgs.linuxPackages_zen;
    security.soteria.enable = true;
    security.rtkit.enable = true;
    services.pcscd.enable = true;
-    services.pcscd.plugins = [ pkgs.pcsc-scm-scl011];
+    services.pcscd.plugins = [ pkgs.pcsc-scm-scl011 ];
    xyno.hardware.kmonad.enable = true;
    # wayland on electron
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
-    services.displayManager.defaultSession = "niri";
    # gdm
-    services.xserver.displayManager.gdm.enable = true;
-    services.xserver.enable = true;
-    services.xserver.displayManager.gdm.wayland = true;
+    services.displayManager.gdm.enable = true;
+    # services.xserver.enable = true;
+    services.displayManager.gdm.wayland = true;
    # ssh agent
    programs.ssh.startAgent = true;

@ -67,8 +69,8 @@ in
    # enable the gnome shit
    services.gnome.gnome-keyring.enable = true;
    services.gnome.gnome-online-accounts.enable = true;
-    services.gnome.core-utilities.enable = true;
-    services.gnome.gcr-ssh-agent.enable = lib.mkForce false;
+    services.gnome.core-apps.enable = true;
+    services.gnome.gcr-ssh-agent.enable = mkForce false;
    services.gnome.sushi.enable = true;
    services.gnome.gnome-settings-daemon.enable = true;
    services.gvfs.enable = true;
@ -81,9 +83,10 @@ in

    environment.sessionVariables.GTK_USE_PORTAL = "1";

-    # home-manager.users.${config.xyno.system.user.name} =
-    #   { pkgs, ... }:
-    #   {
+    home-manager.users.${config.xyno.system.user.name} =
+      { pkgs, ... }:
+      {
+        xyno.mpv.enable = true;
    #     xdg.mimeApps = {
    #       enable = true;
    #       defaultApplications = {
@ -104,7 +107,7 @@ in

    #       };
    #     };
-    #   };
+      };

    environment.systemPackages = with pkgs; [
      kdePackages.breeze-gtk
@ -113,11 +116,16 @@ in
      kdePackages.breeze-icons
    ];

-
    # fonts
    fonts.fontconfig.defaultFonts = {
-      sansSerif = ["Source Sans 3" "Noto Sans Symbols 2"];
-      monospace = ["JetBrainsMono Nerd Font" "Noto Sans Symbols 2"];
+      sansSerif = [
+        "Source Sans 3"
+        "Noto Sans Symbols 2"
+      ];
+      monospace = [
+        "JetBrainsMono Nerd Font"
+        "Noto Sans Symbols 2"
+      ];
    };
    fonts.packages = with pkgs; [
      nerd-fonts.jetbrains-mono
--- a/modules/presets/home-manager.nix
+++ b/modules/presets/home-manager.nix
@ -13,8 +13,8 @@ in
  config = lib.mkIf cfg.enable {
    home-manager.useGlobalPkgs = true;
    home-manager.extraSpecialArgs = { inherit inputs;}; 
-    home-manager.sharedModules = (import ../../hm-modules/module-list.nix) ++ [
-      inputs.nix-flatpak.homeManagerModules.nix-flatpak
+    home-manager.sharedModules = (import ../../hm-modules/module-list.nix { inherit inputs;}) ++ [
+      inputs.zen-browser.homeModules.default
    ];
    home-manager.users.${config.xyno.system.user.name} = {pkgs, ... }: {
      home.stateVersion = lib.mkDefault "24.11";
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -7,11 +7,12 @@
  ...
 }:
 let
-  wgServer = instanceConfig?wg.server && instanceConfig.wg.server;
+  wgServer = instanceConfig ? wg.server && instanceConfig.wg.server;
  cfg = config.xyno.services.wireguard;
  ula = cfg.ula;
  ulaPrefix = "${ula}:1337"; # /64 for normal vpn
  monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring
+  v4Subnet = "10.13.12.0/24";

  # uses a hash digest as the host identifier
  genUlaForHost =
@ -23,35 +24,49 @@ let
    in
    "${prefix}:${localPart}";
  # peers list for networkd
-  filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName ) (lib.attrValues instanceConfigs);
+  filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName) (
+    lib.attrValues instanceConfigs
+  );
  wgPeersLists = map (
    c:
    (
-      (lib.optional (c?publicHostname) {
+      (lib.optional (c ? publicHostname) {
        # if peer is publicly on the internet
        AllowedIPs =
-          (lib.optionals ( c?wg.server && c.wg.server) [
-            "${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
+          (lib.optionals (c ? wg.server && c.wg.server) [
+            # is server
+            "::/0"
          ])
-          ++ (lib.optionals (!c?wg.server || !c.wg.server) [
+          ++ (lib.optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [
+            # both client and server have a v4
+            "0.0.0.0/0"
+          ])
+          ++ (lib.optionals (!c ? wg.server || !c.wg.server) [
+            # is not server
            "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
+          ])
+          ++ (lib.optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [
+            # no server, no ipv4 yay
+            "${c.wg.v4}/32"
          ]);
+        RouteTable = 1000;
        Endpoint = "${c.publicHostname}:51820";
        PersistentKeepalive = 25;
        PublicKey = c.wg.pubKey;
+        PresharedKeyFile = config.sops.secrets."wg/psk".path;
+      })
+      ++ (lib.optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) {
+        # if this is the server and the peer isn't reachable on the internet
+        AllowedIPs = [
+          "${genUlaForHost ulaPrefix c.hostName}/128"
+          "${genUlaForHost monitoringUlaPrefix c.hostName}/128"
+        ]
+        ++ (lib.optionals (c ? wg.v4 && instanceConfig ? wg.v4) [
+          "${c.wg.v4}/32"
+        ]);
+        PublicKey = c.wg.pubKey;
+        PresharedKeyFile = config.sops.secrets."wg/psk".path;
      })
-      ++ (lib.optional
-        ((!c?publicHostname) && wgServer && (c?wg.pubKey))
-        {
-          # if this is the server and the peer isn't reachable on the internet
-          AllowedIPs = [
-            "${genUlaForHost ulaPrefix c.hostName}/128"
-            "${genUlaForHost monitoringUlaPrefix c.hostName}/128"
-          ];
-          PublicKey = c.wg.pubKey;
-          PresharedKeyFile = config.sops.secrets."wg/psk".path; # TODO
-        }
-      )
    )
  ) filteredConfigs;
  wgPeers = lib.flatten wgPeersLists;
@ -79,48 +94,72 @@ in
    default = genUlaForHost monitoringUlaPrefix config.networking.hostName;
  };
  config = lib.mkIf cfg.enable {
-    networking.hosts = (lib.mapAttrs' (
-      n: v: {
-        value = ["${v.hostName}.${cfg.hostsDomain}"];
+    # TODO: add a all traffic through this network
+    networking.hosts =
+      (lib.mapAttrs' (n: v: {
+        value = [ "${v.hostName}.${cfg.hostsDomain}" ];
        name = (genUlaForHost ulaPrefix v.hostName);
-      }
-    ) instanceConfigs) // (lib.mapAttrs' (
-      n: v: {
-        value = ["${v.hostName}.${cfg.monHostsDomain}"];
+      }) instanceConfigs)
+      // (lib.mapAttrs' (n: v: {
+        value = [ "${v.hostName}.${cfg.monHostsDomain}" ];
        name = (genUlaForHost monitoringUlaPrefix v.hostName);
-      }
-    ) instanceConfigs);
+      }) instanceConfigs);
    networking.firewall.allowedUDPPorts = lib.optional wgServer 51820;
    networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer 53;
-    systemd.network.netdevs."wg0" = {
+    systemd.network.netdevs."99-wg0" = {
      netdevConfig = {
        Name = "wg0";
        Kind = "wireguard";
        Description = "main wireguard tunnel";
-        
+
      };
      wireguardConfig = {
        ListenPort = lib.mkIf wgServer 51820;
-        PrivateKeyFile = config.sops.secrets."wg/privkey".path; # TODO
+        PrivateKeyFile = config.sops.secrets."wg/privkey".path;
+        FirewallMark = "0x8888";
      };
      wireguardPeers = wgPeers;
    };
-    systemd.network.networks."wg0" = {
+    systemd.network.networks."50-wg0" = {
      matchConfig.Name = "wg0";
      networkConfig = {
        Description = "xyno wireguard";
+        IPMasquerade = lib.mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both";
+        IPv4Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server);
+        IPv6Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server);
      };
      address = [
-        "${(genUlaForHost ulaPrefix config.networking.hostName)}/128"
-        "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128"
+        "${(genUlaForHost ulaPrefix config.networking.hostName)}/64"
+        "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/64"
+      ]
+      ++ (lib.optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]);
+    };
+    systemd.network.networks."51-wg0-all-traffic" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        Description = "xyno wireguard all traffic";
+        DNSDefaultRoute = true;
+        DNS = "2a07:e340::2#dns.mullvad.net";
+        DNSOverTLS = true;
+      };
+      routingPolicyRules = [
+        {
+          FirewallMark = "0x8888";
+          InvertRule = true;
+          Table = 1000;
+          Priority = 10;
+        }
      ];
    };
-    services.prometheus.exporters.wireguard = lib.mkIf (wgServer && config.xyno.services.monitoring.enable) {
-      enable = true;
-      interfaces = [ "wg0" ];
-    };
+    services.prometheus.exporters.wireguard =
+      lib.mkIf (wgServer && config.xyno.services.monitoring.enable)
+        {
+          enable = true;
+          interfaces = [ "wg0" ];
+        };

-    services.coredns = lib.mkIf wgServer { # for non nixos devices to be able to resolve vpn hostnames
+    services.coredns = lib.mkIf wgServer {
+      # for non nixos devices to be able to resolve vpn hostnames
      enable = true;
      config = ''
        . {
@ -132,9 +171,11 @@ in
      '';
    };
    xyno.services.monitoring.exporters.coredns = lib.mkIf wgServer 9153;
-    xyno.services.monitoring.exporters.wireguard = lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port;
+    xyno.services.monitoring.exporters.wireguard =
+      lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port;
    sops.secrets."wg/privkey" = {
      reloadUnits = [ "systemd-networkd.service" ];
+      sopsFile = ../../instances/${config.networking.hostName}/secrets/wg.yaml;
    };
    sops.secrets."wg/psk" = {
      reloadUnits = [ "systemd-networkd.service" ];