nixos: bumped to HEAD of 23.11

hardware/purism_librem_15.nix

@@ -19,7 +19,7 @@
         "sd_mod" # SCSI disk support
       ];
     };
-    kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
+    kernelModules = ["hid_multitouch" "kvm-intel" "psmouse"]; # Enable kvm for libvirtd
   };
 
   fileSystems = {

hardware/system76_lemurPro.nix

@@ -26,10 +26,11 @@
             allowDiscards = true;
             preLVM = true;
           };
-          #"cryptswap" = {
-          #  device = "/dev/disk/by-label/cryptswap";
-          #  #  keyFile = "/root/swap.key"; # enable encrypted hibernation & sleep
-          #};
+          "cryptmirror" = {
+            device = "/dev/disk/by-label/cryptmirror";
+            allowDiscards = true;
+            preLVM = true;
+          };
         };
       };
     };
@@ -45,6 +46,10 @@
       device = "/dev/disk/by-label/EFI";
       fsType = "vfat";
     };
+    "/var/lib/backup" = {
+      device = "/dev/disk/by-label/backup";
+      fsType = "ext4";
+    };
   };
 
   swapDevices = [

hardware/system76_thelioMira.nix

@@ -0,0 +1,74 @@
+# Hardware configuration file for the System76 Thelio Mira
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "nvme" # NVMe drives (really fast SSDs)
+        "sd_mod" # SCSI disk support
+        "usb_storage" # USB Mass Storage support
+        "usbhid"
+        "xhci_pci" # USB 3.0 (eXtensible Host Controller Interface)
+      ];
+      kernelModules = ["dm-snapshot"];
+      luks = {
+        devices = {
+          "cryptroot" = {
+            device = "/dev/disk/by-label/cryptroot";
+            allowDiscards = true;
+            preLVM = true;
+          };
+          "cryptstore" = {
+            device = "/dev/disk/by-label/cryptstore";
+            allowDiscards = true;
+            preLVM = true;
+          };
+        };
+      };
+    };
+    kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+    "/nix" = {
+      device = "/dev/disk/by-label/nixStore";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/677E-FD28";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+      discardPolicy = "both";
+    }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nix.settings.max-jobs = lib.mkDefault 12;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    system76 = {
+      enableAll = true; # all recommended configuration for system76 systems
+      power-daemon.enable = true;
+    };
+  };
+}

hosts/cuallaidh.nix

@@ -15,7 +15,7 @@
     ../profiles/ipv6.nix
     ../profiles/mastodon.nix
     ../profiles/matrix.nix
-    #../profiles/mcwhirter.io.nix
+    ../profiles/mcwhirter.io.nix
     ../profiles/minecraftServer.nix
     ../profiles/nextcloud.nix
     ../profiles/nixpkgs-dev.nix
@@ -41,6 +41,11 @@
       sshHostname = "tmate.mcwhirter.io";
     };
     nginx = {
+      virtualHosts."git.mcwhirter.io" = {
+        enableACME = true;
+        forceSSL = true;
+        globalRedirect = "reciproka.dev"; # Redirect permanently to the host
+      };
       virtualHosts."source.mcwhirter.io" = {
         enableACME = true;
         forceSSL = true;
@@ -51,6 +56,7 @@
 
   security.acme = {
     acceptTerms = true;
+    certs = {"git.mcwhirter.io" = {email = "craige@mcwhirter.io";};};
     certs = {"source.mcwhirter.io" = {email = "craige@mcwhirter.io";};};
   };
 

hosts/sanganto.nix

@@ -0,0 +1,126 @@
+# NixOS configuration for ŝanĝanto
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../hardware/system76_thelioMira.nix # Include results of the hardware scan.
+    ../profiles/cron-craige.nix # Provide Craige's cron jobs
+    ../profiles/desktopCraige.nix # Craige's desktop tools and apps
+    ../profiles/haskell-dev.nix # Haskell dev environment
+    ../profiles/host_common.nix # Common host configuration options
+    ../profiles/iog.nix # IOHK environment
+    ../profiles/keyboard.nix
+    ../profiles/neomutt.nix # Neomutt email
+    ../profiles/nix-community.nix # Nix community aarch64 tooling
+    ../profiles/nixpkgs-dev.nix # Nix pkgs dev tools
+    ../profiles/openssh.nix # Enable and configure openssh
+    ../profiles/pantheon.nix # Enable and configure the pantheon desktop
+    ../profiles/pipewire.nix # Enable and pipewire audio system
+    ../profiles/xmonad.nix # Xmonad desktop environment
+    ../profiles/yubikey.nix # Yubikey tooling
+    ../secrets/craige.nix # Ssshhhhh!
+    ../secrets/root.nix # Ssshhhhh!
+  ];
+
+  deployment.targetHost = "10.42.0.11";
+
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+      permittedInsecurePackages = [
+        "openssl-1.0.2u"
+      ];
+    };
+    overlays = [(import ../overlays/ncmpcpp.nix)];
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = "1";
+    extraModprobeConfig = "options kvm_intel nested=1";
+  };
+
+  networking = {
+    hostName = "sanganto"; # Define your hostname.
+    networkmanager.enable = true; # Enables network support via NetworkManager.
+  };
+
+  fonts.packages = with pkgs; [
+    anonymousPro
+    dejavu_fonts # A typeface family based on the Bitstream Vera fonts
+    fira-code # Monospace font with programming ligaturess
+    font-awesome
+    hack-font # A typeface designed for source code
+    jetbrains-mono
+    nerdfonts # Iconic font aggregator, collection, & patcher
+    open-sans # Used in in my polybar configuration
+    xkcd-font # Font based handwriting in xkcd comics
+  ];
+
+  # List packages installed in system profile. To search, run:
+  environment.systemPackages = with pkgs; [
+  ];
+
+  services = {
+    acpid.enable = true;
+    blueman.enable = true;
+    gvfs.enable = true; # required by pcmanfm
+    kbfs.enable = true;
+  };
+
+  networking.firewall = {
+    enable = true;
+    checkReversePath = false; # Needed for libvirtd
+    allowedTCPPorts = [15000];
+  };
+
+  # Virtualisation configuration:
+  virtualisation = {
+    libvirtd = {
+      enable = true; # Enable libvirtd
+      qemu = {
+        #package = pkgs.qemu_kvm;   # Enable guest only for the same arch
+        package = pkgs.qemu; # Enable full emulation
+        verbatimConfig = ''
+          user = "craige"
+          group = "libvirtd"
+        '';
+      };
+      onShutdown = "shutdown"; # Set gust VMs to shutdown on host shutdown
+      extraConfig = ''
+        disk_bus = "virtio"
+      '';
+    };
+  };
+
+  # Enable sound.
+  sound.enable = true;
+  hardware = {
+    bluetooth = {
+      enable = true;
+      settings = {Policy = {AutoEnable = "true";};};
+    };
+    opengl.enable = true;
+  };
+
+  # The below pair are set to overcome flakey connections / busy servers that
+  # fail to respond to ssh keep alive requests, sometimes triggering:
+  # client_loop: send disconnect: Broken pipe
+  programs.ssh.extraConfig = ''
+    ServerAliveInterval 20
+    TCPKeepAlive no
+  '';
+
+  users.groups = {lp.members = ["messagebus"];};
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/sercanto.nix

@@ -27,7 +27,7 @@
     #../secrets/wireless.nix # Hey look! A squirrel!
   ];
 
-  deployment.targetHost = "10.42.0.126";
+  deployment.targetHost = "10.42.0.180";
 
   nixpkgs = {
     config = {

nix/sources.json

@@ -86,10 +86,10 @@
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a8695cbd09a7ecf3376bd62c798b9864d20f86ee",
-        "sha256": "0qwypwz0gabw6nzrgl1pb74zlqpmfwwiilc0043gfvij6j1kpwcb",
+        "rev": "9d29cd266cebf80234c98dd0b87256b6be0af44e",
+        "sha256": "0bkrjx4x6sy4g9kmcddhlwrl4cpm4yvj7cljd7b8crf7kxpvaaf6",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a8695cbd09a7ecf3376bd62c798b9864d20f86ee.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/9d29cd266cebf80234c98dd0b87256b6be0af44e.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgsUnstable": {

nixops.nix

@@ -27,6 +27,7 @@
   eamhair = import hosts/eamhair.nix;
   ceitidh = import hosts/ceitidh.nix;
   paidh-uachdar = import hosts/paidh-uachdar.nix;
+  sanganto = import hosts/sanganto.nix;
   sercanto = import hosts/sercanto.nix;
   sithlainnir = import hosts/sithlainnir.nix;
   teintidh = import hosts/teintidh.nix;

profiles/desktopCraige.nix

@@ -27,6 +27,7 @@
     nvme-cli # NVM-Express user space tooling for Linux
     pandoc # Conversion between documentation formats
     pwgen # Password generator
+    siji # An iconic bitmap font based on Stlarch with additional glyphs
     shared-mime-info # A database of common MIME types
     shotwell # Photo organizer
     signal-desktop # Private, simple, and secure messenger

profiles/desktop_common.nix

@@ -68,7 +68,13 @@
         gdm.enable = false; # Enable the GNOME display manager
         lightdm.greeters.pantheon.enable = true;
       };
-      libinput.enable = true; # Enable touchpad support.
+      libinput = {
+        enable = true; # Enable touchpad support.
+        touchpad = {
+          tapping = true;
+          tappingButtonMap = "lrm"; # Set the touchpad button mappeing
+        };
+      };
     };
 
     pipewire = {

profiles/mastodon.nix

@@ -31,6 +31,8 @@
       # Required to redirect requests to the mastodon service
       "mcwhirter.io" = {
         locations."/.well-known/host-meta".extraConfig = "return 301 $scheme://social.mcwhirter.io$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
       };
       "social.mcwhirter.io" = {
         enableACME = true; # Use ACME certs

profiles/nix-community.nix

@@ -1,6 +1,10 @@
 # Use the Nix community aarch64 server as a build server
 # https://github.com/nix-community/aarch64-build-box
 {
+  programs.ssh.knownHosts."aarch64.nixos.community" = {
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
+  };
+
   nix = {
     distributedBuilds = true;
     buildMachines = [

profiles/pantheon.nix

@@ -0,0 +1,24 @@
+# Configuration for my pantheon desktop requirements
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    pantheon = {
+      apps.enable = true;
+      contractor.enable = true;
+    };
+    xserver = {
+      enable = true; # Enable the X11 windowing system.
+      desktopManager = {
+        pantheon.enable = true;
+      };
+      libinput.enable = true; # Enable touchpad support.
+    };
+  };
+  programs = {
+    dconf.enable = true;
+    pantheon-tweaks.enable = true; # additional system settings
+  };
+}

profiles/powerManagement.nix

@@ -15,6 +15,12 @@
     logind = {
       lidSwitch = "suspend-then-hibernate";
       lidSwitchDocked = "ignore";
+      # powerKey = "suspend-then-hibernate"; # Enable in 23.11
+      extraConfig = ''
+        HandlePowerKey=suspend-then-hibernate
+        IdleAction=suspend-then-hibernate
+        IdleActionSec=10m
+      '';
     };
     thermald.enable = true;
     auto-cpufreq = {
@@ -37,4 +43,14 @@
       criticalPowerAction = "Hibernate";
     };
   };
+
+  programs.xss-lock = {
+    enable = true;
+    lockerCommand = "${pkgs.xscreensaver}/bin/screensaver-command -lock";
+    extraOptions = [
+      "-n ${pkgs.libnotify}/bin/notify-send \"Locking screen now\""
+      "IdleAction=lock"
+      "IdleActionSec=5m"
+    ];
+  };
 }