Initial commit

2020-08-22 17:44:39 +02:00 · 2020-08-22 17:44:39 +02:00 · a05102e91c
commit a05102e91c
37 changed files with 887 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use nix
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,4 @@
+*.png filter=lfs diff=lfs merge=lfs -text
+*.jpg filter=lfs diff=lfs merge=lfs -text
+
+**/secrets/** filter=git-crypt diff=git-crypt
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+/result
+/*.qcow2
--- a/19
+++ b/19
@ -0,0 +1,19 @@
+Copyright 2020 Simon Bruder
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,96 @@
+# NixOS configuration
+
+## How to install
+
+This guide describes how to install this configuration (or any NixOS
+configuration) with GPT and legacy (BIOS) boot.
+
+Create the partition table (enter the indented lines in the repl).
+
+    sudo parted /dev/sdX
+      mktable GPT
+      mkpart primary 1MiB 2MiB
+      mkpart primary 2MiB 500MiB
+      mkpart primary 500MiB 100%
+      set 1 bios_grub on
+      disk_toggle pmbr_boot
+      quit
+
+Format encrypted partition and open it
+
+    sudo cryptsetup luksFormat /dev/sdX3
+    sudo cryptsetup luksOpen /dev/sdX3 HOSTNAME-pv
+
+Create LVM (replace `8G` with desired swap size)
+
+    sudo pvcreate /dev/mapper/HOSTNAME-pv
+    sudo vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
+    sudo lvcreate -L 8G -n swap HOSTNAME-vg
+    sudo lvcreate -l '100%FREE' -n root HOSTNAME-vg
+
+**Hint**: If you have to reboot to the installation system later because
+something went wrong and you need access to the LVM (but don’t know LVM), do
+the following after opening the luks partition: `sudo vgchange -ay`
+
+Create filesystems
+
+    sudo mkfs.ext2 /dev/sdX2
+    sudo mkfs.ext4 -L root /dev/HOSTNAME-vg/root
+    sudo mkswap -L swap /dev/HOSTNAME-vg/swap
+
+Mount the file systems and activate swap
+
+    sudo mount /dev/HOSTNAME-vg/root /mnt
+    sudo mkdir /mnt/boot
+    sudo mount /dev/sdX2 /mnt/boot
+    sudo swapon /dev/HOSTNAME-vg/swap
+
+Create the configuration (see [below](#how-to-add-new-device)) and copy this
+repository to your new home directory (e.g. `/mnt/home/simon/nixos`).
+
+Add a symlink as the global configuration
+
+    sudo mkdir -p /mnt/etc/nixos/
+    sudo ln -s /mnt/home/simon/nixos/machines/nunotaba/configuration.nix /mnt/etc/nixos/configuration.nix
+
+Generate hardware configuration and link it to the installation system
+(required because of absolute paths)
+
+    sudo nixos-generate-config --root /mnt/
+    sudo ln -s /mnt/etc/nixos/hardware-configuration.nix /etc/nixos/hardware-configuration.nix
+
+Install NixOS and reboot (if you do not have another machine, omit
+`--no-root-passwd`)
+
+    sudo nixos-install --no-root-passwd
+    sudo reboot
+
+**Hint**: If you need to reboot to the installation system because something
+didn’t work, first open the luks partition like in the setup script, run `sudo
+vgchange -ay` to scan for LVM VGs and then mount the other filesystems like in
+the script.
+
+SSH into the machine (or login locally if you set a root password), fix the
+`configuration.nix` symlink, set a user password and clone the dotfiles
+
+    ssh root@machine
+    rm /etc/nixos/configuration.nix
+    ln -s /home/simon/nixos/machines/nunotaba/configuration.nix /etc/nixos/configuration.nix
+    passwd simon
+    ^D
+    ssh simon@machine
+    # press “q” to get rid of zsh-newuser-install
+    git clone https://github.com/andsens/homeshick.git $HOME/.homesick/repos/homeshick
+    source $HOME/.homesick/repos/homeshick/homeshick.sh
+    homeshick clone https://git.sbruder.de/simon/dotfiles
+
+## How to add new device
+
+ * Copy the config from the device that is similar to the new one
+ * Import profiles/modules you want
+ * Change settings in `configuration.nix`
+ * Change secrets
+
+## License
+
+[MIT License](LICENSE)
--- a/machines/nunotaba/README.md
+++ b/machines/nunotaba/README.md
@ -0,0 +1,21 @@
+# nunotaba
+
+## Hardware
+
+ThinkPad T440 with mods to make it acceptable:
+
+ * Touchpad is changed for the T450’s, which has physical mouse buttons (I
+   fucked up during the installation and the touchpad part does not work, so it
+   does not need to be disabled in software).
+ * Screen has a resolution of 1920×1080 and has an IPS panel
+
+It is used standalone or in on a docking station that connects it to an
+external mouse, keyboard and monitor (Dell U2410).
+
+## Purpose
+
+It is my daily driver so it does everything (except server stuff obviously).
+
+## Name
+
+Shinobu Nunotaba is a student/scientist from *A Certain Scientific Railgun*
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      /etc/nixos/hardware-configuration.nix
+      ../../modules/restic.nix
+      ../../profiles/base.nix
+      ../../profiles/dev.nix
+      ../../profiles/gui.nix
+      ../../users/simon/base.nix
+    ];
+
+  boot.loader.grub.device = "/dev/disk/by-id/ata-ST500LM021-1KJ152_W623YDGB";
+
+  boot.initrd.luks.devices = {
+    root = {
+      name = "root";
+      device = "/dev/disk/by-uuid/4ecfca75-4dbb-4ba3-b1cd-7adf744c9446";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
+  networking.hostName = "nunotaba";
+
+  networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
+}
--- a/modules/base.nix
+++ b/modules/base.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Essential system tools
+  environment.systemPackages = with pkgs; [
+    git
+    git-crypt # used to store secrets in configuration
+    git-lfs # not so essential, but required to clone config
+    htop
+    (unstable.neovim.override { vimAlias = true; }) # FIXME unstable is for python-msgpack 1.0; use stable once python-msgpack 1.0 is in stable
+    tmux
+  ];
+
+  # Clean temporary files on boot
+  boot.cleanTmpDir = true;
+
+  # Disable firewall
+  networking.firewall.enable = lib.mkDefault false;
+
+  # Set zsh as default shell
+  programs.zsh.enable = true;
+  users.defaultUserShell = pkgs.zsh;
+
+  # Sane swapping
+  boot.kernel.sysctl."vm.swapiness" = 10;
+
+  # Store logs persistently
+  services.journald.extraConfig = "Storage = persistent";
+
+  # Hard drive monitoring
+  services.smartd.enable = true;
+  # Network monitoring
+  services.vnstat.enable = true;
+
+  # Authentication/Encryption agents
+  programs.gnupg.agent.enable = true;
+  programs.ssh.startAgent = true;
+
+  # NixOS version
+  system.stateVersion = "20.03";
+
+  nixpkgs.config = {
+    # Explicitly allow unfree packages (rule of thumb: assets ok, code not ok)
+    allowUnfreePredicate = (
+      pkg: builtins.elem (lib.getName pkg) [
+        "corefonts"
+        "vista-fonts"
+      ]
+    );
+    # Add unstable channel
+    packageOverrides = pkgs: {
+      unstable = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz") {
+        config = config.nixpkgs.config;
+      };
+      nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
+        inherit pkgs;
+      };
+    };
+  };
+}
--- a/modules/cli-tools.nix
+++ b/modules/cli-tools.nix
@ -0,0 +1,104 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    # top like tools
+    bmon # network monitor
+    gotop # fancy top
+    iotop # top for io
+    mtr # interactive traceroute
+
+    # batch processing/automation
+    jq # sed for json
+    parallel # parallel batch processing
+    yq # sed for yaml
+
+    # unix tools on steroids
+    curlie # better httpie (easier curl)
+    exa # better ls
+    fd # better find
+    ripgrep # better grep
+
+    # file tools
+    dos2unix # convert CRLF (dos) or CR (classic mac) line endings to LF (unix)
+    fdupes # find duplicate files
+    file # file type
+    hexyl # user friendly hex file viewer
+    hyperfine # cli benchmarking
+    megatools # cli for mega.nz
+    minio-client # client for s3 compatible storage systems
+    mktorrent # bittorrent seed file generator
+    rclone # rsync for cloud storage
+    rename # sed for filenames
+    restic # backup tool
+    rsync # incremental file transfer
+    tokei # fast cloc
+    xdelta # binary diff
+
+    # file format tools
+    p7zip # 7z cli
+    pdftk # pdf multitool
+    sqlite # cli for sqlite databses
+    upx # executable packer
+
+    # network tools
+    dnsutils # dig
+    gatling # high performance web serve
+    iperf
+    iperf2 # bandwidth measurement tool
+    sshfs # mount remote host
+    vnstat # client for vnstatd
+    whois # whois client
+
+    # system tools
+    libva-utils # vainfo
+    ncdu # interactive du
+    reptyr # move process to current terminal
+    smartmontools # hard drive monitoring
+
+    # clients
+    drone-cli # client for drone ci
+    hcloud # cli for Hetzner Cloud
+    libnotify # notify-send
+
+    # function eye candy
+    fzf # fuzzy finder
+    pv # monitor progress in pipe
+    starship # zsh prompt
+
+    # end user programs
+    apacheHttpd # for htpasswd
+    libqalculate # flexible calculator for humans
+    scrcpy # stream/control android phones over adb
+    taskwarrior # todo list manager
+
+    # passwords
+    pass-wayland #passExtensions.pass-otp # password manager (FIXME: otp collides with main)
+    pwgen
+    pwgen-secure # password generator
+    unstable.xkcdpass # memorable password generator
+
+    # misc
+    toilet # free figlet
+    python38Packages.ipython # better python repl (useful for one-liners)
+
+    # vim
+    neovim-remote # controlling another neovim process
+    universal-ctags # ctags
+
+    # direnv
+    direnv # per-directory environment
+    nix-direnv # per-directory environment for nix
+
+    # git
+    gitAndTools.git-annex
+    gitAndTools.git-annex-remote-rclone # git for non source files
+    gitAndTools.pre-commit # pre-commit hook for git
+  ];
+
+  programs.adb.enable = true;
+
+  environment.pathsToLink = [
+    "/share/nix-direnv"
+  ];
+}
--- a/modules/communication.nix
+++ b/modules/communication.nix
@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    (mumble.override { pulseSupport = true; }) # VoIP group chat
+    claws-mail # email client that looks ugly but just works
+  ];
+}
--- a/modules/creative.nix
+++ b/modules/creative.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    blender # 3d animation
+    darktable # photo development
+    gimp
+    gimpPlugins.gmic # bitmap editor
+    krita # drawing
+    openscad # parametric/procedural 3d modelling
+    unstable.inkscape # vector graphics editor
+  ];
+}
--- a/modules/cups.nix
+++ b/modules/cups.nix
@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  services.printing.enable = true;
+}
--- a/modules/dev/default.nix
+++ b/modules/dev/default.nix
@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./rust.nix
+  ];
+}
--- a/modules/dev/rust.nix
+++ b/modules/dev/rust.nix
@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    rustup
+  ];
+}
--- a/modules/docker.nix
+++ b/modules/docker.nix
@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    docker-compose
+    docker-ls
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    logDriver = "journald";
+    extraOptions = builtins.concatStringsSep " " [
+      "--ipv6"
+      "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+    ];
+  };
+
+  docker-containers.ipv6nat = {
+    image = "robbertkl/ipv6nat";
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock:ro"
+    ];
+    extraDockerOptions = [
+      "--network=host"
+      "--cap-drop=ALL"
+      "--cap-add=NET_ADMIN"
+      "--cap-add=NET_RAW"
+      "--cap-add=SYS_MODULE"
+    ];
+  };
+
+  environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+}
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  fonts = {
+    fonts = with pkgs; [
+      corefonts # good ol’ microsoft fonts
+      google-fonts # google font collection (free)
+      (unstable.nerdfonts.override { fonts = [ "Iosevka" ]; })
+      #roboto # standalone roboto has awful kerning
+      unstable.source-han-sans
+      unstable.source-han-serif # CJK fonts
+      vistafonts # newer microsoft fonts
+    ];
+
+    enableDefaultFonts = true;
+    enableFontDir = true;
+
+    fontconfig.defaultFonts = {
+      monospace = [ "Iosevka Nerd Font" "Source Han Sans" ];
+      sansSerif = [ "Roboto" "Source Han Sans" ];
+      serif = [ "Georgia" "Source Han Serif" ];
+    };
+  };
+}
--- a/modules/grub.nix
+++ b/modules/grub.nix
@ -0,0 +1,10 @@
+{ lib, ... }:
+
+{
+  boot.loader.grub.enable = lib.mkDefault true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.gfxmodeBios = "1920x1080,1024x768,auto";
+  boot.loader.grub.gfxpayloadBios = "keep";
+  boot.loader.grub.memtest86.enable = true;
+  boot.loader.timeout = 2;
+}
--- a/modules/gui-tools.nix
+++ b/modules/gui-tools.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    anki # flashcard SRS
+    unstable.antimicroX # gamepad to keyboard/mouse mapping
+    filezilla # ftp client
+    gparted # gui for parted
+    xfce.thunar # graphical file manager
+    qalculate-gtk # flexible calculator
+    wxhexeditor # hex editor
+  ];
+}
--- a/modules/locales.nix
+++ b/modules/locales.nix
@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  i18n.defaultLocale = "en_GB.UTF-8";
+  console.keyMap = "de";
+
+  time.timeZone = "Europe/Berlin";
+
+  location = {
+    latitude = 49.52;
+    longitude = 10.17;
+  };
+}
--- a/modules/media.nix
+++ b/modules/media.nix
@ -0,0 +1,42 @@
+{ pkgs, gui ? false, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    # Audio
+    abcde # cd ripper
+    shntool # split audio with cue
+    sidplayfp # SID chiptune player
+    sox # “Swiss Army knife of audio manipulation”
+
+    # Audio + Video
+    mediainfo # show information about media files
+    youtube-dl # universal video downloader
+
+    # Images
+    exiftool # manipulate EXIF meta data
+    jpegoptim # lossless jpeg optimiser
+    libwebp # tools for webp image format
+    optipng # lossless png optimiser
+    pngcrush
+    pngquant # lossy png optimisers
+
+    # Literature
+    mupdf # document (pdf) viewer and tools
+  ] ++ (
+    if gui then [
+      # Audio
+      picard # musicbrainz tagger
+
+      # Audio + Video
+      mkvtoolnix # matroska (de-)muxing
+      mpv # media player
+
+      # Literature
+      calibre # ebook library
+      zathura # plugin based document viewer
+    ] else [
+      # Packages only installed when gui is disabled
+      mkvtoolnix-cli # matroska (de-)muxing
+    ]
+  );
+}
--- a/modules/mpd.nix
+++ b/modules/mpd.nix
@ -0,0 +1,54 @@
+{ pkgs, ... }:
+
+let
+  mpdConf = pkgs.writeText "mpd.conf" ''
+    music_directory    "~/Music"
+    playlist_directory "~/.mpd/playlists"
+    db_file            "~/.mpd/tag_cache"
+    state_file         "~/.mpd/state"
+    sticker_file       "~/.mpd/sticker.sql"
+
+    bind_to_address    "127.0.0.1"
+    zeroconf_enabled   "no"
+
+    restore_paused     "yes"
+    replaygain         "track"
+    auto_update        "yes"
+
+    audio_output {
+      type "pulse"
+      name "pulse"
+    }
+
+    audio_output {
+      type   "fifo"
+      name   "fifo"
+      path   "~/.mpd/fifo"
+      format "44100:16:2"
+    }
+  '';
+in
+{
+  imports = [
+    ./pulseaudio.nix
+  ];
+
+  systemd.user.services.mpd = {
+    after = [ "network.target" "sound.target" ];
+    description = "Music Player Daemon";
+
+    wantedBy = [ "default.target" ];
+    partOf = [ "default.target" ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
+      Type = "notify";
+      ExecStartPre = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/mkdir -p ~/Music ~/.mpd/playlists"'';
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    mpc_cli
+    (pkgs.ncmpcpp.override { visualizerSupport = true; taglibSupport = false; })
+  ];
+}
--- a/modules/network-manager.nix
+++ b/modules/network-manager.nix
@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+  };
+}
--- a/modules/office.nix
+++ b/modules/office.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    aspellDicts.de
+    hunspellDicts.de-de # dictionary
+    gscan2pdf # scanning tool
+    jameica # application framework (used for hibiscus online banking)
+    khal # calendar
+    khard # address book
+    libreoffice # office suite
+    pdfsam-basic # pdf multitool
+    vdirsyncerStable # dav sync client
+    xournalpp # notebook
+    xsane # scanning tool
+  ];
+
+  hardware.sane.enable = true;
+}
--- a/modules/prometheus/node_exporter.nix
+++ b/modules/prometheus/node_exporter.nix
@ -0,0 +1,17 @@
+{ config, ... }:
+
+let
+  vpnNetRanges = config.networking.wireguard.interfaces.wg-home.ips;
+  vpnNetRange = builtins.elemAt vpnNetRanges 0;
+  vpnAddress = builtins.elemAt (builtins.split "/" vpnNetRange) 0;
+in
+{
+  imports = [
+    ../wireguard/home.nix
+  ];
+
+  services.prometheus.exporters.node = {
+    enable = true;
+    listenAddress = vpnAddress;
+  };
+}
--- a/modules/pubkeys.nix
+++ b/modules/pubkeys.nix
@ -0,0 +1,3 @@
+{
+  "simon@kipf" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp";
+}
--- a/modules/pulseaudio.nix
+++ b/modules/pulseaudio.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  hardware.pulseaudio.package = pkgs.pulseaudioFull;
+  hardware.pulseaudio.daemon.config = {
+    "default-sample-format" = "s16le";
+    "default-sample-rate" = "48000";
+    "alternate-sample-rate" = "44100";
+    "resample-method" = "soxr-hq";
+    "flat-volumes" = "no";
+  };
+
+  environment.systemPackages = with pkgs; [
+    pavucontrol
+  ];
+}
--- a/modules/restic.nix
+++ b/modules/restic.nix
@ -0,0 +1,66 @@
+{ pkgs, config, lib, ... }:
+
+let
+  excludes = [
+    # General
+    "/home/*/Downloads/"
+    "/home/*/.cache/"
+    "/home/*/**/cache/"
+    "/home/*/.claws-mail/imapcache"
+    "/home/*/.local/share/Trash"
+    "/home/*/.local/share/nvim/"
+
+    # Rust
+    "/home/*/**/target/debug/"
+    "/home/*/**/target/doc/"
+    "/home/*/**/target/release/"
+    "/home/*/**/target/rls/"
+    "/home/*/**/target/tarpaulin/"
+    "/home/*/**/target/wasm32-unknown-unknown/"
+    "/home/*/.rustup/toolchains/"
+    "/home/*/.cargo"
+
+    # Python
+    "/home/*/.local/share/pyppeteer"
+    "/home/*/.local/share/virtualenvs/"
+    "/home/*/.platformio/"
+
+    # Node
+    "/home/*/**/.local-chromium"
+
+    # Project related
+    "/home/*/Music"
+    "/home/*/mount"
+    "/home/*/projects/vapoursynth/data/"
+    "/home/*/projects/vapoursynth/out/"
+    "/home/*/projects/vapoursynth/src/"
+
+    # Docker
+    "/var/lib/docker/"
+  ];
+  excludesFile = pkgs.writeText "exludes.txt" (builtins.concatStringsSep "\n" excludes);
+  maybePath = path: (lib.optional (builtins.pathExists path) (toString path));
+in
+{
+  services.restic.backups."${config.networking.hostName}-system" = {
+    passwordFile = toString (../machines/. + "/${config.networking.hostName}" + /secrets/restic_password);
+    s3CredentialsFile = toString ../secrets/s3_credentials;
+    repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
+    paths = lib.mkDefault (
+      []
+      ++ maybePath /data
+      ++ maybePath /home
+      ++ maybePath /srv
+      ++ maybePath /var
+    );
+    initialize = true;
+    extraBackupArgs = [
+      "--exclude-caches"
+      "--exclude-file=${excludesFile}"
+    ];
+    timerConfig = {
+      OnCalendar = "20:00";
+      RandomizedDelaySec = "2h";
+    };
+  };
+}
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -0,0 +1,16 @@
+{ ... }:
+
+let
+  pubkeys = import ./pubkeys.nix;
+in
+{
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "yes";
+    passwordAuthentication = false;
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    pubkeys."simon@kipf"
+  ];
+}
--- a/modules/sway.nix
+++ b/modules/sway.nix
@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+{
+  programs.sway = {
+    enable = true;
+    extraPackages = with pkgs; [
+      swaylock # lockscreen
+      swayidle # autolock
+      xwayland # for legacy apps
+      (waybar.override { pulseSupport = true; }) # better status bar
+      mako # notification daemon
+      #kanshi # autorandr
+      alacritty # temrinal
+      unstable.dmenu-wayland # launcher
+      brightnessctl # control screen brightness
+      #redshift-wlr # natural color temperature
+      unstable.sway-contrib.grimshot # screenshots
+    ];
+    extraSessionCommands = ''
+      export CLUTTER_BACKEND=wayland
+      export GDK_BACKEND=wayland
+      export MOZ_ENABLE_WAYLAND=1
+      export QT_QPA_PLATFORM=wayland-egl
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
+      export SDL_VIDEODRIVER=wayland
+      export _JAVA_AWT_WM_NONREPARENTING=1
+    '';
+  };
+
+  services.redshift = {
+    enable = true;
+    package = pkgs.redshift-wlr;
+    extraOptions = [ "-m" "wayland" ];
+    temperature = {
+      day = 6500;
+      night = 3500;
+    };
+  };
+
+  systemd.user.targets.graphical-session.wantedBy = [ "multi-user.target" ];
+
+  services.logind.lidSwitchDocked = config.services.logind.lidSwitch;
+}
--- a/modules/web.nix
+++ b/modules/web.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    firefox-wayland
+    passff-host # host app for pass firefox extension
+    # Buidling chromium from source on a potato laptop is not fun
+    #(ungoogled-chromium.override { useOzone = true; })
+  ];
+}
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -0,0 +1,28 @@
+# Module for setting up the shared part of my home wireguard network.
+# Every machine using this still has to set the `ips` for the `wg-home`
+# interface and place the private key in their secrets directory as
+# `wg-home_private_key`
+#
+# Example:
+#
+#     networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
+{ config, ... }:
+
+{
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      wg-home = {
+        privateKeyFile = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
+        peers = [
+          {
+            allowedIPs = [ "10.80.0.0/24" ];
+            publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
+            endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+nixpkgs-fmt --check .
--- a/profiles/base.nix
+++ b/profiles/base.nix
@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  imports =
+    [
+      ../modules/base.nix
+      ../modules/cli-tools.nix
+      ../modules/docker.nix
+      ../modules/grub.nix
+      ../modules/locales.nix
+      ../modules/prometheus/node_exporter.nix
+      ../modules/ssh.nix
+    ];
+}
--- a/profiles/dev.nix
+++ b/profiles/dev.nix
@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  imports =
+    [
+      ../modules/dev
+    ];
+}
--- a/profiles/gui.nix
+++ b/profiles/gui.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  imports =
+    [
+      ../modules/communication.nix
+      ../modules/creative.nix
+      ../modules/cups.nix
+      ../modules/fonts.nix
+      ../modules/gui-tools.nix
+      (import ../modules/media.nix { inherit pkgs; gui = true; })
+      ../modules/mpd.nix
+      ../modules/network-manager.nix
+      ../modules/office.nix
+      ../modules/pulseaudio.nix
+      ../modules/sway.nix
+      ../modules/web.nix
+    ];
+}
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1,10 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.mkShell {
+  nativeBuildInputs = with pkgs; [
+    nixpkgs-fmt
+  ];
+  buildPhase = ''
+    ln -f -s ../../pre-commit-hook .git/hooks/pre-commit
+  '';
+}
--- a/users/simon/base.nix
+++ b/users/simon/base.nix
@ -0,0 +1,43 @@
+{ pkgs, ... }:
+
+let
+  pubkeys = import ../../modules/pubkeys.nix;
+in
+{
+  imports = [
+    (import "${builtins.fetchTarball https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos") # FIXME: pin to release
+  ];
+
+  users.users.simon = {
+    isNormalUser = true;
+    extraGroups = [
+      "adbusers"
+      "dialout"
+      "docker"
+      "lp"
+      "networkmanager"
+      "wheel"
+    ];
+    openssh.authorizedKeys.keys = [
+      pubkeys."simon@kipf"
+    ];
+  };
+
+  home-manager.useUserPackages = true;
+  home-manager.useGlobalPkgs = true;
+
+  home-manager.users.simon = { pkgs, ... }: {
+    gtk = {
+      enable = true;
+      font.name = "sans-serif 10";
+      theme = {
+        package = pkgs.gnome-themes-extra;
+        name = "Adwaita";
+      };
+      iconTheme = {
+        package = pkgs.gnome3.adwaita-icon-theme;
+        name = "Adwaita";
+      };
+    };
+  };
+}