switch to xanmod on selinunte

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

.sops.yaml

@@ -7,11 +7,9 @@ keys:
     # cspell:disable
     - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
     - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
     - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
     # cspell:enable
-servers: &servers
-    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
@@ -38,6 +36,13 @@ creation_rules:
             - *admin_alice
           age:
             - *artemision
+    - path_regex: systems/selinunte/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *artemision
+            - *selinunte
     - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
       key_groups:
         - pgp:

README.md

@@ -14,9 +14,7 @@ to onboard a new user or system.
 
 Although we are not actively looking for new members to join in on this repo,
 we are not strictly opposed. Please reach out to
-[@ahuston-0](https://github.com/ahuston-0) or
+[@ahuston-0](https://nayeonie.com/ahuston-0) for further information.
-[@RichieCahill](https://github.com/RichieCahill)
-for further information.
 
 ## Repo Structure
 

docs/CONTRIBUTING.md

@@ -107,8 +107,7 @@ rules.
 We allow secrets to be embedded in the repository using `sops-nix`. As part of
 the process everything is encrypted, however adding a new user is a change
 that every existing SOPS user needs to participate in. Please reach out to
-[@ahuston-0](https://github.com/ahuston-0) or
+[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
-[@RichieCahill](https://github.com/RichieCahill) if you are interested
 in using secrets on your machines.
 
 ## CI/CD

flake.nix

@@ -19,6 +19,7 @@
     ];
     trusted-users = [ "root" ];
     allow-import-from-derivation = true;
+    fallback = true;
   };
 
   inputs = {
@@ -136,7 +137,7 @@
       systems = [
         "x86_64-linux"
         # disable arm for now as hydra isn't set up for it
-        # "aarch64-linux"
+        # "aarch64-linuxa
       ];
 
       forEachSystem = lib.genAttrs systems;
@@ -152,7 +153,7 @@
           lib = self;
         }
       );
-      inherit (lib.rad-dev.systems) genSystems getImages;
+      inherit (lib.adev.systems) genSystems getImages;
       inherit (self) outputs; # for hydra
     in
     rec {

lib/default.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  # create rad-dev namespace for lib
+  # create adev namespace for lib
-  rad-dev = rec {
+  adev = rec {
     systems = import ./systems.nix { inherit lib; };
     container-utils = import ./container-utils.nix { inherit lib; };
 

lib/systems.nix

@@ -176,7 +176,7 @@ rec {
           (configPath + "/configuration.nix")
         ]
         ++ modules
-        ++ (lib.rad-dev.fileList (src + "/modules"))
+        ++ (lib.adev.fileList (src + "/modules"))
         ++ genWrapper sops genSops args
         ++ genWrapper home genHome args
         ++ genWrapper true genUsers args
@@ -222,7 +222,7 @@ rec {
             // import configPath { inherit inputs; }
           );
         }
-      ) (lib.rad-dev.lsdir path)
+      ) (lib.adev.lsdir path)
     );
 
   # gets all the images of a specified format

modules/autopull.nix

@@ -61,7 +61,7 @@ in
     lib.mkIf cfg.enable {
       environment.systemPackages =
         [ pkgs.git ]
-        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
+        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
           pkgs.openssh
         ];
 

modules/kub_net.nix

@@ -1,10 +1,10 @@
 { lib, config, ... }:
 let
-  cfg = config.services.rad-dev.k3s-net;
+  cfg = config.services.adev.k3s-net;
 in
 {
   options = {
-    services.rad-dev.k3s-net = {
+    services.adev.k3s-net = {
       enable = lib.mkOption {
         default = false;
         example = true;

modules/yubikey.nix

@@ -5,11 +5,11 @@
   ...
 }:
 let
-  cfg = config.services.rad-dev.yubikey;
+  cfg = config.services.adev.yubikey;
 in
 {
   options = {
-    services.rad-dev.yubikey = {
+    services.adev.yubikey = {
       enable = lib.mkEnableOption "enable yubikey defaults";
       enable-desktop-app = lib.mkEnableOption "installs desktop application";
     };

shell.nix

@@ -38,7 +38,7 @@ forEachSystem (
     };
 
     # constructs a custom shell with commonly used utilities
-    rad-dev = pkgs.mkShell {
+    adev = pkgs.mkShell {
       packages = with pkgs; [
         deadnix
         pre-commit
@@ -56,7 +56,7 @@ forEachSystem (
     default = pkgs.mkShell {
       inputsFrom = [
         pre-commit
-        rad-dev
+        adev
         sops
       ];
     };

systems/artemision/configuration.nix

@@ -75,7 +75,7 @@
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;
 
-    rad-dev.yubikey = {
+    adev.yubikey = {
       enable = true;
       enable-desktop-app = true;
     };

systems/palatine-hill/default.nix

@@ -3,5 +3,8 @@
   users = [ "alice" ];
   modules = [
     # inputs.attic.nixosModules.atticd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.supermicro
   ];
 }

systems/palatine-hill/docker/archiveteam.nix

@@ -122,7 +122,7 @@ let
     cmd = lib.splitString " " "--concurrent 6 AmAnd0";
 
   };
-  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
+  inherit (lib.adev.container-utils) createTemplatedContainers;
 
   vars = import ../vars.nix;
   at_path = vars.primary_archiveteam;

systems/palatine-hill/docker/minecraft.nix

@@ -46,7 +46,7 @@ in
       cmd = [
         (
           "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
-          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+          + (lib.adev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
         )
       ];
     };

systems/selinunte/audio.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      # If you want to use JACK applications, uncomment this
+      #jack.enable = true;
+    };
+
+    pipewire.wireplumber.configPackages = [
+      (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
+        bluez_monitor.properties = {
+        	["bluez5.enable-sbc-xq"] = true,
+        	["bluez5.enable-msbc"] = true,
+        	["bluez5.enable-hw-volume"] = true,
+        	["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+        }
+      '')
+    ];
+    blueman.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  environment.systemPackages = with pkgs; [ pavucontrol ];
+
+  programs.noisetorch.enable = true;
+}

systems/selinunte/configuration.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./audio.nix
+    ./desktop.nix
+    ./fonts.nix
+    ./graphics.nix
+    ./polkit.nix
+    ./programs.nix
+    ./steam.nix
+    ./stylix.nix
+  ];
+
+  time.timeZone = "America/New_York";
+
+  # temp workaround for building while in nixos-enter
+  #services.logrotate.checkConfig = false;
+
+  networking = {
+    hostId = "9f2e1ff9";
+    firewall.enable = true;
+    useNetworkd = true;
+  };
+
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod;
+    useSystemdBoot = true;
+    default = true;
+  };
+
+  i18n = {
+    defaultLocale = "en_US.utf8";
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+  };
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  services = {
+    flatpak.enable = true;
+    gvfs.enable = true;
+    openssh.enable = lib.mkForce false;
+  };
+
+  system.stateVersion = "25.05";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}

systems/selinunte/default.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }:
+{
+  system = "x86_64-linux";
+  home = true;
+  sops = true;
+  server = false;
+  users = [ "alice" ];
+  modules = [
+    inputs.nixos-hardware.nixosModules.common-pc
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+    inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
+    inputs.stylix.nixosModules.stylix
+    {
+      environment.systemPackages = [
+        inputs.wired-notify.packages.x86_64-linux.default
+        inputs.hyprland-contrib.packages.x86_64-linux.grimblast
+      ];
+    }
+  ];
+}

systems/selinunte/desktop.nix

@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+
+{
+  # installs hyprland, and its dependencies
+
+  programs = {
+    hyprland = {
+      enable = true;
+      xwayland.enable = true;
+      withUWSM = true;
+    };
+    hyprlock.enable = true;
+    ydotool.enable = true;
+  };
+  # Optional, hint electron apps to use wayland:
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  services = {
+    xserver = {
+      enable = true;
+      displayManager.gdm = {
+        enable = true;
+        wayland = true;
+      };
+    };
+
+    dbus = {
+      enable = true;
+      implementation = "broker";
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    resumeCommands = ''
+      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [
+    libsForQt5.qt5.qtwayland
+    qt6.qtwayland
+  ];
+}

systems/selinunte/fonts.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontconfig.enable = true;
+    enableDefaultPackages = true;
+    packages = with pkgs.nerd-fonts; [
+      fira-code
+      droid-sans-mono
+      hack
+      dejavu-sans-mono
+      noto
+      open-dyslexic
+    ];
+  };
+}

systems/selinunte/graphics.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  hardware.graphics = {
+    ## radv: an open-source Vulkan driver from freedesktop
+    enable = true;
+    enable32Bit = true;
+
+  };
+  hardware.nvidia = {
+
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    # Enable this if you have graphical corruption issues or application crashes after waking
+    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+    # of just the bare essentials.
+    powerManagement.enable = false;
+
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of
+    # supported GPUs is at:
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+    # Only available from driver 515.43.04+
+    open = false;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+}

systems/selinunte/hardware.nix

@@ -0,0 +1,96 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+      "ip_vs"
+      "ip_vs_rr"
+      "nf_conntrack"
+    ];
+    initrd.kernelModules = [
+      "dm-snapshot"
+      "r8152"
+    ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+    kernelParams = [
+      "amdgpu.sg_display=0"
+      "amdgpu.graphics_sg=0"
+      "amdgpu.abmlevel=3"
+    ];
+  };
+
+  fileSystems = {
+
+    "/" = lib.mkDefault {
+      device = "/dev/disk/by-uuid/f3c11d62-37f4-495e-b668-1ff49e0d3a47";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/720af942-464c-4c1e-be41-0438936264f0";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/035f23f8-d895-4b0c-bcf5-45885a5dbbd9";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/5AD7-6005";
+      fsType = "vfat";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
+
+  boot.initrd.luks.devices = {
+    "nixos-pv" = {
+      device = "/dev/disk/by-uuid/12a7f660-bbcc-4066-81d0-e66005ee534a";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

systems/selinunte/polkit.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  security.polkit.enable = true;
+  environment.systemPackages = with pkgs; [ polkit_gnome ];
+
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+}

systems/selinunte/programs.nix

@@ -0,0 +1,114 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    act
+    alacritty
+    attic-client
+    amdgpu_top
+    bat
+    bitwarden-cli
+    bfg-repo-cleaner
+    brightnessctl
+    btop
+    calibre
+    # calibre dedrm?
+    candy-icons
+    chromium
+    chromedriver
+    croc
+    deadnix
+    direnv
+    easyeffects
+    eza
+    fanficfare
+    ferium
+    fd
+    file
+    firefox
+    # gestures replacement
+    git
+    glances
+    gpu-viewer
+    grim
+    helvum
+    htop
+    hwloc
+    ipmiview
+    iperf3
+    # ipscan
+    jp2a
+    jq
+    kdePackages.kdenlive
+    kitty
+    kubectl
+    kubernetes-helm
+    libreoffice-fresh
+    libtool
+    lsof
+    lynis
+    masterpdfeditor4
+    minikube
+    mons
+    mpv
+    # nbt explorer?
+    ncdu
+    nemo-with-extensions
+    neofetch
+    neovim
+    nix-init
+    nix-output-monitor
+    nix-prefetch
+    nix-tree
+    nixpkgs-fmt
+    nmap
+    obs-studio
+    obsidian
+    ocrmypdf
+    pciutils
+    #disabled until wxpython compat with python3.12
+    #playonlinux
+    prismlauncher
+    protonmail-bridge
+    protontricks
+    proxychains
+    qrencode
+    redshift
+    restic
+    ripgrep
+    rpi-imager
+    rofi-wayland
+    samba
+    signal-desktop
+    # signal in tray?
+    siji
+    simple-mtpfs
+    skaffold
+    slack
+    slurp
+    smartmontools
+    snyk
+    sops
+    spotify
+    spotify-player
+    #swaylock/waylock?
+    sweet-nova
+    telegram-desktop
+    terraform
+    tig
+    tokei
+    tree
+    unipicker
+    unzip
+    uutils-coreutils-noprefix
+    ventoy
+    vesktop
+    vscode
+    watchman
+    wget
+    wl-clipboard
+    yq
+    yt-dlp
+    zoom-us
+    zoxide
+  ];
+}

systems/selinunte/steam.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.steam-run ];
+  hardware.steam-hardware.enable = true;
+  programs = {
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+      extraCompatPackages = with pkgs; [ proton-ge-bin ];
+      gamescopeSession.enable = true;
+      extest.enable = true;
+    };
+  };
+}

systems/selinunte/stylix.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+# let
+# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
+#   numWallpapers =
+#   $((1 + $RANDOM % 10))
+
+# in
+{
+  stylix = {
+    enable = true;
+    image = "${pkgs.hyprland}/share/hypr/wall2.png";
+
+    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
+    polarity = "dark";
+  };
+}

users/alice/home.nix

@@ -90,6 +90,8 @@
       nodejs_20
       nodePackages.prettier
       treefmt
+
+      gocryptfs
     ];
   };