update

devshell.nix

@@ -0,0 +1,20 @@
+{inputs, ...}: {
+  imports = [inputs.agenix-rekey.flakeModule];
+
+  perSystem = {
+    system,
+    pkgs,
+    ...
+  }: {
+    devShells.default = pkgs.mkShell {
+      inherit system;
+
+      packages = [
+        pkgs.nix
+        pkgs.nixos-rebuild
+        pkgs.nixos-rebuild
+        pkgs.nh
+      ];
+    };
+  };
+}

flake.nix

@@ -66,10 +66,10 @@
     flake-parts.lib.mkFlake {inherit inputs;} {
       imports = [
         inputs.agenix-rekey.flakeModule
-        ./parts/devshell.nix
+        ./devshell.nix
-        ./parts/vm.nix
+        ./vm.nix
-        ./parts/formatter.nix
+        ./formatter.nix
-        ./parts/hosts
+        ./hosts
       ];
       systems = [
         "x86_64-linux"

hosts/bootstrap/configuration.nix

@@ -0,0 +1,5 @@
+{username, ...}: {
+  networking.wireless.enable = false;
+  networking.networkmanager.enable = true;
+  users.users.${username}.extraGroups = [ "networkmanager" ];
+}

hosts/default.nix

@@ -55,6 +55,15 @@ with lib; let
     );
 in {
   config.flake.nixosConfigurations = {
+    bootstrap = mkSystem {
+      hostname = "bootstrap";
+      username = "nixos";
+      modules = [
+        ../modules/required.nix
+        ../modules/shell.nix
+      ];
+    };
+
     laptop = mkSystem {
       hostname = "laptop";
       username = "nickolaj";

hosts/desktop/nvidia.nix

@@ -9,4 +9,7 @@ _: {
     powerManagement.enable = true;
     nvidiaSettings = true;
   };
+
+  # Avoid nvidia driver from crashing the system
+  boot.kernelParams = ["pcie_aspm=off"];
 }

hosts/work/disk-configuration.nix

@@ -2,7 +2,7 @@ _: {
   disko.devices = {
     disk = {
       main = {
-        device = "/dev/disk/by-id/ata-SanDisk_SDSSDXPS240G_153251401377";
+        device = "/dev/sda";
         type = "disk";
         content = {
           type = "gpt";

justfile

@@ -1,10 +1,15 @@
 # export NIXPKGS_ALLOW_UNFREE := "1"
 
+nixcmd := "nix --experimental-features 'nix-command flakes'"
+
+@_default:
+    just --list
+
 [group('vm')]
 vm-build:
     git add .
     echo "Building VM..."
-    nix build .#vm
+    {{ nixcmd }} build .#vm
     echo "VM built."
     sudo chmod 777 result/nixos.qcow2
     echo "VM permissions set."
@@ -42,96 +47,119 @@ vm-destroy:
     virsh pool-destroy nixos
     virsh pool-undefine nixos
 
-[group('nix')]
+[doc('Wrapper for nixos-facter')]
-repl:
-    nix repl --show-trace ".#" nixpkgs
-
 [group('deploy')]
-deploy-factor hostname target='':
+factor hostname target='':
     #!/usr/bin/env -S bash -e
     target="{{ target }}"
     if [ -z "$target" ]; then
-        sudo nix run nixpkgs#nixos-facter -- -o parts/hosts/{{ hostname }}/facter.json
+        {{ nixcmd }} run nixpkgs#nixos-facter -- -o hosts/{{ hostname }}/facter.json
     else
-        nix run github:nix-community/nixos-anywhere -- \
+        {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
             --flake .#{{ hostname }} \
             --target-host {{ target }} \
             --generate-hardware-config nixos-facter \
-            ./parts/hosts/{{ hostname }}/facter.json
+            ./hosts/{{ hostname }}/facter.json
     fi
 
-tmp_dir := "/tmp/secrets/" + uuid()
+[doc('Wrapper for nixos-rebuild switch')]
-
 [group("deploy")]
-deploy hostname *ARGS:
+switch hostname target='':
-    nix run nixpkgs#nixos-rebuild -- \
+    #!/usr/bin/env -S bash -e
-        --flake .#{{ hostname }} \
+    target="{{ target }}"
-        {{ ARGS }} switch
+    if [ -z "$target" ]; then
+        {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch --flake .#{{ hostname }} 
+    else
+        {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch \
+            --flake .#{{ hostname }} \
+            --target-host {{ target }} \
+            --use-remote-sudo
+    fi
 
+[doc('Use nixos-anywhere to deploy to a remote host')]
 [group('deploy')]
 deploy-remote hostname target:
     #!/usr/bin/env -S bash -e
     git add .
 
-    trap "rm -rf {{ tmp_dir }}" EXIT
+    temp=$(mktemp -d)
+    trap "rm -rf $temp" EXIT
+
+
+    install -d -m755 "$temp/etc/ssh"
 
     # Copy ssh key to decrypt agenix secrets    
-    install -d -m755 {{ tmp_dir }}/etc/ssh
+    just age -d "./secrets/hosts/{{ hostname }}/id_ed25519.age" > "$temp/etc/ssh/ssh_host_ed25519_key"
-    just secret-echo ./secrets/hosts/{{ hostname }}/id_ed25519 > {{ tmp_dir }}/etc/ssh/ssh_host_ed25519_key
+    chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
-    chmod 600 {{ tmp_dir }}/etc/ssh/ssh_host_ed25519_key
+
-    cp ./secrets/hosts/{{ hostname }}/id_ed25519.pub {{ tmp_dir }}/etc/ssh/ssh_host_ed25519_key.pub
+    cp "./secrets/hosts/{{ hostname }}/id_ed25519.pub" "$temp/etc/ssh/ssh_host_ed25519_key.pub"
 
     # Deploy
-    nix run github:nix-community/nixos-anywhere -- \
+    {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
         --flake .#{{ hostname }} \
-        --disk-encryption-keys /luks-password <(just secret-echo ./secrets/luks-password) \
+        --disk-encryption-keys /luks-password <(just age -d ./secrets/luks-password.age) \
-        --extra-files {{ tmp_dir }} \
+        --extra-files "$temp" \
-        --target-host {{ target }}
+        --target-host "{{ target }}"
 
+[doc('A wrapper disko-install')]
 [group('deploy')]
-deploy-switch hostname target *ARGS:
+disko-install hostname disk="/dev/sda":
-    nix run nixpkgs#nixos-rebuild -- \
+    sudo {{ nixcmd }} run 'github:nix-community/disko/latest#disko-install' -- --flake .#{{ hostname }} --disk main {{ disk }}
-        --flake .#{{ hostname }} \
-        --target-host {{ target }} \
-        --use-remote-sudo \
-        {{ ARGS }} switch
 
+[doc('Build an install ISO for a host')]
 [group('deploy')]
-deploy-iso hostname:
+iso hostname:
-    nix build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso
+    {{ nixcmd }} build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso
-
-identifier := "./secrets/yubikey-identity.pub"
-
-[group("secret")]
-secret-import path:
-    #!/usr/bin/env bash
-    # load the file from the root system
-    cat {{ path }} | nix develop --quiet --command bash -c \
-        "rage -e -r -o secrets/{{ path }}.age -i {{ identifier }}"
 
+[doc('Runs (r)age with yubikey identity')]
 [group('secret')]
-secret-echo file:
+age *ARGS="--help":
-    nix develop --quiet --command bash -c \
+    @{{ nixcmd }} shell nixpkgs#rage nixpkgs#age-plugin-yubikey --command rage {{ ARGS }} -i ./secrets/yubikey-identity.pub
-        "rage -d {{ file }}.age -i {{ identifier }}"
-
-default := ""
 
+[doc('Decrypt a file to stdout')]
 [group('secret')]
-secret-edit name=default:
+decrypt file:
-    nix run .#agenix-rekey.x86_64-linux.edit {{ name }}
+    just age -d {{ file }}
 
+[doc('Edit an encrypted file in $EDITOR')]
+[group('secret')]
+secret-edit name:
+    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.edit {{ name }}
+
+[doc('Rekey all secrets - needed when adding secrets/hosts')]
 [group('secret')]
 secret-rekey:
-    nix develop --quiet --command bash -c \
+    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.rekey
-        "agenix rekey"
-    git add .
 
-[group('secret')]
+[doc("Sets up configuration + SSH keys for a new host")]
-secret-new-ssh-key hostname $USER:
+new-host hostname username:
-    #!/usr/bin/env -S nix develop --quiet --command bash
+    #!/usr/bin/env -S bash -e
+    temp=$(mktemp -d)
+    trap "rm -rf $temp" EXIT
 
-    mkdir -p secrets/hosts/{{ hostname }}
+    echo "Setting up folders"
-    ssh-keygen -t ed25519 -f secrets/hosts/{{ hostname }}/id_ed25519 -C "${USER}@{{ hostname }}"
+    mkdir -p "secrets/hosts/{{ hostname }}"
-    age-plugin-yubikey -e secrets/hosts/{{ hostname }}/id_ed25519 \
+    mkdir -p "hosts/{{ hostname }}"
-        -o secrets/hosts/{{ hostname }}/id_ed25519.age
+
-    rm secrets/hosts/{{ hostname }}/id_ed25519
+    echo "Generating SSH key for {{ username }}@{{ hostname }}"
+    ssh-keygen -q -t ed25519 -f "$temp/id_ed25519" -C "{{ username }}@{{ hostname }}" -N ""
+    cp "$temp/id_ed25519.pub" "secrets/hosts/{{ hostname }}/id_ed25519.pub"
+
+    echo "Encrypting SSH key"
+    just age -e "$temp/id_ed25519" -o "secrets/hosts/{{ hostname }}/id_ed25519.age"
+
+    echo "Remember to update ./hosts/default.nix eg:"
+
+    # Bold with no newline
+    cat <<EOF
+    {{ BOLD }}{{ hostname }} = mkSystem {
+      hostname = "{{ hostname }}";
+      username = "{{ username }}";
+      modules = [
+        ../modules/required.nix
+        ../modules/shell.nix
+        ../modules/graphical.nix
+        ../modules/devenv.nix
+      ];
+    };
+    EOF

modules/apps/spotify.nix

@@ -0,0 +1,22 @@
+{
+  username,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    spotify
+  ];
+
+  age.secrets.spotify-player = {
+    rekeyFile = ../../secrets/spotify-player.age;
+    path = "/home/${username}/.cache/spotify-player/credentials.json";
+    mode = "0600";
+    owner = username;
+  };
+
+  fireproof.home-manager = {
+    programs.spotify-player = {
+      enable = true;
+    };
+  };
+}

modules/apps/sublime-merge.nix

@@ -0,0 +1,5 @@
+{pkgsUnstable, ...}: {
+  environment.systemPackages = [
+    pkgsUnstable.sublime-merge
+  ];
+}

modules/apps/virtualbox.nix

@@ -0,0 +1,9 @@
+{
+  username,
+  pkgsUnstable,
+  ...
+}: {
+  virtualisation.virtualbox.host.enable = true;
+  virtualisation.virtualbox.host.package = pkgsUnstable.virtualbox;
+  users.extraGroups.vboxusers.members = [username];
+}

modules/apps/vscode.nix

@@ -39,6 +39,7 @@ in {
 
           # Theme
           "workbench.colorTheme" = "Darcula Theme from IntelliJ";
+          "window.titleBarStyle" = "custom";
 
           # Keybindings
           "workbench.commandPalette.experimental.suggestCommands" = true; # Emulates IntelliJ's "Search Everywhere"

modules/base/networking.nix

@@ -5,7 +5,7 @@
 }: {
   age.secrets.hosts-private = {
     # Contains IP addresses that i have no business sharing
-    rekeyFile = ../../../secrets/hosts-private.age;
+    rekeyFile = ../../secrets/hosts-private.age;
   };
 
   # Inject the private hosts file, because setting networking.hostFiles doesn't work

modules/base/secrets.nix

@@ -1,5 +1,5 @@
 {hostname, ...}: let
-  hostSecrets = ../../../secrets/hosts + ("/" + hostname);
+  hostSecrets = ../../secrets/hosts + ("/" + hostname);
   publicKey = builtins.readFile (hostSecrets + "/id_ed25519.pub");
 in {
   age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
@@ -8,7 +8,7 @@ in {
     hostPubkey = publicKey;
     masterIdentities = [
       {
-        identity = ../../../secrets/yubikey-identity.pub;
+        identity = ../../secrets/yubikey-identity.pub;
       }
     ];
     extraEncryptionPubkeys = [

modules/base/ssh.nix

@@ -5,21 +5,23 @@
   lib,
   ...
 }: let
-  # Load all public keys from ../../../secrets/hosts/*/id_ed25519.pub
+  # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
-  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../../secrets/hosts));
+  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
-  publicKeys = map (x: builtins.readFile (../../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+  publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
 in {
   age.secrets.ssh-key = {
-    rekeyFile = ../../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    path = "/home/" + username + "/.ssh/id_ed25519";
     mode = "0600";
     owner = username;
   };
   age.secrets.ssh-key-ao = {
-    rekeyFile = ../../../secrets/ssh-key-ao.age;
+    rekeyFile = ../../secrets/ssh-key-ao.age;
     mode = "0600";
     owner = username;
   };
   fireproof.home-manager = {
+    home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";
     programs.ssh = {
       enable = true;
       forwardAgent = true;

modules/base/user.nix

@@ -14,7 +14,7 @@ in {
     };
   };
   config = {
-    age.secrets.hashed-user-password.rekeyFile = ../../../secrets/hashed-user-password.age;
+    age.secrets.hashed-user-password.rekeyFile = ../../secrets/hashed-user-password.age;
 
     users.users.${username} = {
       isNormalUser = true;

modules/desktop/gtk/default.nix

@@ -1,10 +1,13 @@
-{
+{pkgs, ...}: {
-  pkgs,
-  ...
-}: {
   environment.systemPackages = with pkgs; [
     nautilus
+    gnome-photos
+    evince
+    nautilus-open-any-terminal
+    sushi
   ];
+  services.gvfs.enable = true;
+  programs.dconf.enable = true;
 
   fireproof.home-manager = {
     home.pointerCursor = {
@@ -21,8 +24,15 @@
         package = pkgs.adw-gtk3;
       };
 
-      gtk4.extraCss = builtins.readFile ./theme.css;
+      gtk3.extraConfig = {gtk-application-prefer-dark-theme = true;};
       gtk3.extraCss = builtins.readFile ./theme.css;
+
+      gtk4.extraConfig = {gtk-application-prefer-dark-theme = true;};
+      gtk4.extraCss = builtins.readFile ./theme.css;
+    };
+    dconf = {
+      enable = true;
+      settings."org/gnome/desktop/interface".color-scheme = "prefer-dark";
     };
   };
 }

modules/desktop/hyprland/background.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1600" height="900">
+  <g>
+    <path fill="#1C1B1A" d="M0 0h1600v900H0z"/>
+    <path fill="#cf6a4c" d="M400,350 L200,550 L1200,550 L1400,350"/>
+    <path fill="#b14d2f" d="M350,400 L200,550 L1200,550 L1350,400"/>
+    <path fill="#a1462b" d="M300,450 L200,550 L1200,550 L1300,450"/>
+    <path fill="#71311e" d="M250,500 L200,550 L1200,550 L1250,500"/>
+  </g>
+</svg>

modules/desktop/hyprland/default.nix

@@ -11,8 +11,6 @@ with lib; let
     then (builtins.elemAt config.monitors 0).name
     else "";
 
-  
-
   mkKeyboard = name: {
     inherit name;
     kb_layout = "eu";
@@ -20,6 +18,7 @@ with lib; let
 in {
   imports = [
     ./hyprpolkitagent.nix
+    ./hyprpaper.nix
   ];
 
   config = {
@@ -79,6 +78,8 @@ in {
             )
             config.monitors;
 
+          exec = ["systemctl --user start hyprpaper"];
+
           input = {
             # Most unknown keyboards will be of the DK layout, we set known keyboards to eu in `devices`
             kb_layout = "dk";