Merge pull request #4 from kaesaecracker/flakes

Flakes
2025-01-18 10:30:14 +01:00 · 2024-10-26 18:20:15 +02:00 · 2024-10-26 18:20:15 +02:00 · e976f65099
parent 31e80e7401 164795dfd2
commit e976f65099
61 changed files with 1020 additions and 1328 deletions
--- a/README.md
+++ b/README.md
@ -1,15 +0,0 @@
 # nixos-configuration
 ```
 /
 ├── modules
 │  ├── desktop
 │  ├── hardware (includes hostname.nix)
 │  └── users
 └── hostname.nix (imports modules)
 ```
 When adding a new host: `ln -s ./new-devicename.nix /etc/nixos/configuration.nix`
 Use `sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.05.tar.gz home-manager` to add home manager support.
--- a/common/default.nix
+++ b/common/default.nix
@ -0,0 +1,8 @@
 {...}: {
  imports = [
    ./nixpkgs.nix
    ./globalinstalls.nix
    ./i18n.nix
    ./networking.nix
  ];
 }
--- a/modules/globalinstalls.nix
+++ b/modules/globalinstalls.nix
@ -22,14 +22,11 @@
      zsh.enable = true;
      htop.enable = true;
      iotop.enable = true;
      git.enable = true;
      nano = {
        enable = true;
        syntaxHighlight = true;
      };
      git = {
        enable = true;
        package = pkgs.gitFull;
      };
    };
  };
 }
--- a/modules/i18n.nix
+++ b/modules/i18n.nix
--- a/common/networking.nix
+++ b/common/networking.nix
@ -9,5 +9,15 @@
        KbdInteractiveAuthentication = false;
      };
    };
    services.tailscale = {
      enable = true;
      openFirewall = true;
    };
    networking.firewall = {
      enable = true;
      checkReversePath = "loose";
    };
  };
 }
--- a/common/nixpkgs.nix
+++ b/common/nixpkgs.nix
@ -0,0 +1,47 @@
 {
  config,
  lib,
  ...
 }: {
  options.my.allowUnfreePackages = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [];
    example = ["steam"];
  };
  config = {
    nixpkgs.config = {
      # https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085
      allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.my.allowUnfreePackages;
    };
    nix = {
      settings = {
        substituters = ["https://nix-community.cachix.org" "https://cache.nixos.org/"];
        trusted-public-keys = ["nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="];
        experimental-features = ["nix-command" "flakes"];
      };
      gc = {
        automatic = true;
        dates = "daily";
        options = "--delete-older-than 7d";
      };
    };
    system = {
      stateVersion = "22.11";
      # enable auto updates
      autoUpgrade = {
        enable = true;
        dates = "weekly";
      };
    };
    documentation = {
      enable = true; # documentation of packages
      nixos.enable = false; # nixos documentation
      man.enable = true; # manual pages and the man command
      info.enable = false; # info pages and the info command
      doc.enable = false; # documentation distributed in packages' /share/doc
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,133 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
        "owner": "lf-",
        "repo": "flakey-profile",
        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
        "type": "github"
      },
      "original": {
        "owner": "lf-",
        "repo": "flakey-profile",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1726989464,
        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "lix": {
      "flake": false,
      "locked": {
        "lastModified": 1729298361,
        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
        "flake-utils": "flake-utils",
        "flakey-profile": "flakey-profile",
        "lix": "lix",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1729360442,
        "narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=",
        "rev": "9098ac95768f7006d7e070b88bae76939f6034e6",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/9098ac95768f7006d7e070b88bae76939f6034e6.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1729691686,
        "narHash": "sha256-BAuPWW+9fa1moZTU+jFh+1cUtmsuF8asgzFwejM4wac=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "32e940c7c420600ef0d1ef396dc63b04ee9cad37",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "lix-module": "lix-module",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,42 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = inputs @ {
    nixpkgs,
    home-manager,
    lix-module,
    ...
  }: {
    nixosConfigurations = let
      host-params = {
        inherit nixpkgs;
        inherit home-manager;
        inherit lix-module;
        common-modules = [
          lix-module.nixosModules.default
          ./common
        ];
        desktop-modules = [
          home-manager.nixosModules.home-manager
          ./home
          ./modules/desktop-environment.nix
          ./modules/desktop-hardware.nix
        ];
      };
    in {
      vinzenz-lpt2 = import ./hosts/vinzenz-lpt2 host-params;
      vinzenz-pc2 = import ./hosts/vinzenz-pc2 host-params;
      hetzner-vpn1 = import ./hosts/hetzner-vpn1 host-params;
    };
  };
 }
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@ -1,88 +0,0 @@
 {
  pkgs,
  lib,
  ...
 }: let
  servicesDomain = "services.zerforschen.plus";
  mkServiceConfig = host: port: {
    addSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${host}:${toString port}/";
      extraConfig = ''
        # bind to tailscale ip
        proxy_bind 100.88.118.60;
        # pam auth
        limit_except OPTIONS {
          auth_pam  "Password Required";
          auth_pam_service_name "nginx";
        }
      '';
    };
  };
  lpt2 = "vinzenz-lpt2.donkey-pentatonic.ts.net";
  pc2 = "vinzenz-pc2.donkey-pentatonic.ts.net";
 in {
  imports = [
    (import ./modules {
      hostName = "hetzner-vpn1";
      enableHomeManager = false;
    })
  ];
  config = {
    my = {
      enabledUsers = ["ronja" "vinzenz"];
      tailscale.enable = true;
    };
    users.users = {
      root.openssh.authorizedKeys.keys = [
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
      ];
      vinzenz.openssh.authorizedKeys.keys = [
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
      ];
      ronja.openssh.authorizedKeys.keys = [
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
      ];
    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "acme@zerforschen.plus";
    };
    security.pam.services.nginx.setEnvironment = false;
    systemd.services.nginx.serviceConfig = {
      SupplementaryGroups = ["shadow"];
    };
    services.nginx = {
      enable = true;
      additionalModules = [pkgs.nginxModules.pam];
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      virtualHosts = {
        "vscode.${servicesDomain}" = lib.mkMerge [
          (mkServiceConfig pc2 8542)
          {locations."/" .proxyWebsockets = true;}
        ];
        "preon-app.${servicesDomain}" = mkServiceConfig pc2 8543;
        "preon-api.${servicesDomain}" = mkServiceConfig pc2 8544;
      };
    };
    networking.firewall.allowedTCPPorts = [80 443];
  };
 }
--- a/home/default.nix
+++ b/home/default.nix
@ -0,0 +1,14 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: {
  config = {
    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
      sharedModules = import ./shared-modules.nix;
    };
  };
 }
--- a/home/gnome-shared-dconf.nix
+++ b/home/gnome-shared-dconf.nix
@ -0,0 +1,42 @@
 {
  "org/gnome/desktop/interface" = {
    color-scheme = "prefer-dark";
    clock-show-seconds = true;
    show-battery-percentage = true;
  };
  "org/gnome/mutter" = {
    edge-tiling = true;
    dynamic-workspaces = true;
  };
  "org/gnome/desktop/peripherals/keyboard" = {
    numlock-state = true;
  };
  "org/gnome/desktop/peripherals/touchpad" = {
    tap-to-click = true;
    two-finger-scrolling-enabled = true;
  };
  "org/gnome/tweaks" = {
    show-extensions-notice = false;
  };
  "org/gnome/shell" = {
    disable-user-extensions = false;
    disabled-extensions = [];
    enabled-extensions = [
      "appindicatorsupport@rgcjonas.gmail.com"
      "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
      "caffeine@patapon.info"
      "GPaste@gnome-shell-extensions.gnome.org"
      "gsconnect@andyholmes.github.io"
      "solaar-extension@sidevesh"
    ];
  };
  "ca/desrt/dconf-editor" = {
    show-warning = false;
  };
  "org/gnome/desktop/wm/keybindings" = {
    switch-windows = ["<Alt>Tab"];
    switch-windows-backward = ["<Shift><Alt>Tab"];
    switch-applications = ["<Super>Tab"];
    switch-applications-backward = ["<Shift><Super>Tab"];
  };
 }
--- a/home/gnome.nix
+++ b/home/gnome.nix
@ -0,0 +1,63 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: {
  imports = [
    ../modules/gnome.nix
  ];
  config = {
    home-manager.sharedModules = [
      {
        home.packages = with pkgs;
          [
            amberol
            gitg
            gnome-builder
            meld
            simple-scan
            pinta
          ]
          ++ (with gnome; [
            dconf-editor
            gpaste
            # graphical installer for flatpak apps
            gnome-software
          ])
          ++ (with gnomeExtensions; [
            caffeine
            appindicator
            gsconnect
            battery-health-charging
            quick-settings-tweaker
            solaar-extension
          ]);
        dconf.settings = import ./gnome-shared-dconf.nix;
        gtk = {
          enable = true;
          iconTheme.name = "Adwaita";
          cursorTheme.name = "Adwaita";
          theme = {
            name = "adw-gtk3-dark";
            package = pkgs.adw-gtk3;
          };
        };
      }
      {
        home.packages = with pkgs;
          [
            trayscale
          ]
          ++ (with gnomeExtensions; [
            tailscale-qs
          ]);
        dconf.settings."org/gnome/shell".enabled-extensions = ["tailscale@joaophi.github.com"];
      }
    ];
  };
 }
--- a/modules/users/ronja-home.nix
+++ b/modules/users/ronja-home.nix
@ -3,7 +3,7 @@
  pkgs,
  ...
 }: {
-  home .packages = with pkgs; [
+  home.packages = with pkgs; [
    ## Apps
    telegram-desktop
    kdiff3
--- a/modules/users/home-shared-modules.nix
+++ b/modules/users/home-shared-modules.nix
--- a/home/vinzenz/default.nix
+++ b/home/vinzenz/default.nix
@ -0,0 +1,72 @@
 inputs @ {
  config,
  osConfig,
  pkgs,
  lib,
  ...
 }: {
  programs = {
    home-manager.enable = true;
    fzf.enable = true;
    zsh = import ./zsh.nix inputs;
    git = import ./git.nix;
    vscode = import ./vscode.nix inputs;
    ssh = import ./ssh.nix;
    direnv = {
      enable = true;
      nix-direnv.enable = true;
    };
    eza = {
      enable = true;
      git = true;
      icons = true;
      extraOptions = [
        "--group-directories-first"
        "--header"
      ];
    };
  };
  editorconfig = import ./editorconfig.nix;
  home.packages = with pkgs; [
    keepassxc
    insync
    telegram-desktop
    element-desktop
    wireguard-tools
    wirelesstools
    alejandra # nix formatter
    arduino
    uucp
    kdiff3
    jetbrains-toolbox
  ];
  home.file."policy.json" = {
    target = ".config/containers/policy.json";
    text = ''
      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports":
              {
                  "docker-daemon":
                      {
                          "": [{"type":"insecureAcceptAnything"}]
                      }
              }
      }
    '';
  };
 }
--- a/home/vinzenz/editorconfig.nix
+++ b/home/vinzenz/editorconfig.nix
@ -0,0 +1,17 @@
 {
  enable = true;
  settings = {
    "*" = {
      charset = "utf-8";
      end_of_line = "lf";
      trim_trailing_whitespace = true;
      insert_final_newline = true;
      max_line_width = 120;
      indent_style = "space";
      indent_size = 4;
    };
    "*.nix" = {
      indent_size = 2;
    };
  };
 }
--- a/home/vinzenz/git.nix
+++ b/home/vinzenz/git.nix
@ -0,0 +1,16 @@
 {
  enable = true;
  userName = "Vinzenz Schroeter";
  userEmail = "vinzenz.f.s@gmail.com";
  aliases = {
    prettylog = "log --pretty=oneline --graph";
    spring-clean = "!git branch --merged | xargs -n 1 -r git branch -d";
  };
  extraConfig = {
    pull.ff = "only";
    merge.tool = "kdiff3";
    push.autoSetupRemote = "true";
  };
 }
--- a/home/vinzenz/ssh.nix
+++ b/home/vinzenz/ssh.nix
@ -0,0 +1,47 @@
 {
  enable = true;
  matchBlocks = {
    "vpn1" = {
      host = "vpn1 hetzner-vpn1";
      hostname = "157.90.146.125"; # 2a01:4f8:c012:7137::/64
      user = "root";
    };
    "vpn1-ts" = {
      host = "vpn1-ts hetzner-vpn1.donkey-pentatonic.ts.net";
      hostname = "hetzner-vpn1.donkey-pentatonic.ts.net";
      user = "root";
    };
    "openwrt" = {
      host = "openwrt openwrt.lan";
      hostname = "openwrt.lan";
      user = "root";
    };
    "openwrt-ts" = {
      hostname = "openwrt.donkey-pentatonic.ts.net";
      port = 2222;
      user = "root";
    };
    "openwrt-j" = {
      hostname = "openwrt.donkey-pentatonic.ts.net";
      proxyJump = "vpn1";
      port = 2222;
      user = "root";
    };
    "pc2-power" = {
      hostname = "openwrt.donkey-pentatonic.ts.net";
      proxyJump = "vpn1";
      port = 2222;
      user = "pc2-power";
    };
    "avd-power" = {
      # hostname = "2001:678:560:23:9833:63ff:fe2d:f477"
      # hostname = "195.160.172.25";
      hostname = "avd-jumphost.club.berlin.ccc.de";
      user = "power";
    };
    "avd" = {
      hostname = "avd.club.berlin.ccc.de";
      user = "vinzenz";
    };
  };
 }
--- a/home/vinzenz/vscode.nix
+++ b/home/vinzenz/vscode.nix
@ -0,0 +1,46 @@
 {pkgs, ...}: {
  enable = true;
  package = pkgs.vscodium;
  enableUpdateCheck = false;
  extensions = with pkgs.vscode-extensions; [
    bbenoist.nix
    ms-python.python
    kamadorueda.alejandra
    editorconfig.editorconfig
    yzhang.markdown-all-in-one
    redhat.vscode-yaml
    pkief.material-icon-theme
    mhutchie.git-graph
    rust-lang.rust-analyzer
    tamasfe.even-better-toml
    llvm-vs-code-extensions.vscode-clangd
    mkhl.direnv
    vadimcn.vscode-lldb
    ms-dotnettools.csharp
  ];
  userSettings = {
    "git.autofetch" = true;
    "update.mode" = "none";
    "editor.fontFamily" = "'Fira Code', 'Droid Sans Mono', 'monospace', monospace";
    "editor.fontLigatures" = true;
    "editor.formatOnSave" = true;
    "editor.formatOnSaveMode" = "modificationsIfAvailable";
    "editor.minimap.autohide" = true;
    "diffEditor.diffAlgorithm" = "advanced";
    "explorer.excludeGitIgnore" = true;
    "markdown.extension.tableFormatter.normalizeIndentation" = true;
    "markdown.extension.toc.orderedList" = false;
    "telemetry.telemetryLevel" = "off";
    "redhat.telemetry.enabled" = false;
    "workbench.startupEditor" = "readme";
    "workbench.enableExperiments" = false;
    "workbench.iconTheme" = "material-icon-theme";
    "rust-analyzer.checkOnSave.command" = "clippy";
    "extensions.autoUpdate" = false;
    "extensions.autoCheckUpdates" = false;
    "\[makefile\]" = {
      "editor.insertSpaces" = false;
      "editor.detectIndentation" = false;
    };
  };
 }
--- a/home/vinzenz/zsh.nix
+++ b/home/vinzenz/zsh.nix
@ -0,0 +1,29 @@
 {config, ...}: {
  initExtra = ''
    eval "$(direnv hook zsh)";
    export PATH=$PATH:/home/vinzenz/.cargo/bin
  '';
  shellAliases = {
    my-apply = "sudo nixos-rebuild boot";
    my-switch = "sudo nixos-rebuild switch";
    my-update = "sudo nixos-rebuild boot --upgrade";
    my-pull = "git -C ~/Repos/nixos-configuration pull --rebase";
    my-fmt = "alejandra .";
    my-test = "sudo nixos-rebuild test";
    my-direnvallow = "echo \"use nix\" > .envrc && direnv allow";
    my-ip4 = "ip addr show | grep 192";
  };
  history = {
    size = 10000;
    path = "${config.xdg.dataHome}/zsh/history";
    expireDuplicatesFirst = true;
  };
  oh-my-zsh = {
    enable = true;
    theme = "agnoster";
    plugins = ["git" "sudo" "docker" "systemadmin"];
  };
 }
--- a/hosts/hetzner-vpn1/default.nix
+++ b/hosts/hetzner-vpn1/default.nix
@ -0,0 +1,43 @@
 {
  nixpkgs,
  common-modules,
  desktop-modules,
  ...
 }:
 nixpkgs.lib.nixosSystem {
  system = "aarch64-linux";
  modules =
    common-modules
    ++ [
      ./hardware.nix
      ./nginx.nix
      ../../users/vinzenz.nix
      ../../users/ronja.nix
      {
        networking.hostName = "hetzner-vpn1";
      }
      {
        # uncomment for build check on non arm system (requires --impure)
        # nixpkgs.buildPlatform = builtins.currentSystem;
      }
      {
        users.users = {
          root.openssh.authorizedKeys.keys = [
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
          ];
          vinzenz.openssh.authorizedKeys.keys = [
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
          ];
          ronja.openssh.authorizedKeys.keys = [
            ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
          ];
        };
      }
    ];
 }
--- a/modules/hardware/hetzner-vpn1.nix
+++ b/modules/hardware/hetzner-vpn1.nix
@ -96,7 +96,6 @@
    services.udev.extraRules = ''
      ATTR{address}=="96:00:02:87:7f:c9", NAME="eth0"
    '';
  };
 }
--- a/hosts/hetzner-vpn1/nginx.nix
+++ b/hosts/hetzner-vpn1/nginx.nix
@ -0,0 +1,52 @@
 {pkgs, ...}: {
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@zerforschen.plus";
  };
  security.pam.services.nginx.setEnvironment = false;
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = ["shadow"];
  };
  services.nginx = {
    enable = true;
    additionalModules = [pkgs.nginxModules.pam];
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    virtualHosts = let
      servicesDomain = "services.zerforschen.plus";
      mkServiceConfig = host: port: {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${host}:${toString port}/";
          extraConfig = ''
            # bind to tailscale ip
            proxy_bind 100.88.118.60;
            # pam auth
            limit_except OPTIONS {
              auth_pam  "Password Required";
              auth_pam_service_name "nginx";
            }
          '';
        };
      };
      lpt2 = "vinzenz-lpt2.donkey-pentatonic.ts.net";
      pc2 = "vinzenz-pc2.donkey-pentatonic.ts.net";
    in {
      "vscode.${servicesDomain}" = lib.mkMerge [
        (mkServiceConfig pc2 8542)
        {locations."/" .proxyWebsockets = true;}
      ];
      "preon-app.${servicesDomain}" = mkServiceConfig pc2 8543;
      "preon-api.${servicesDomain}" = mkServiceConfig pc2 8544;
    };
  };
  networking.firewall.allowedTCPPorts = [80 443];
 }
--- a/hosts/vinzenz-lpt2/default.nix
+++ b/hosts/vinzenz-lpt2/default.nix
@ -0,0 +1,42 @@
 {
  nixpkgs,
  common-modules,
  desktop-modules,
  ...
 }:
 nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  modules =
    common-modules
    ++ desktop-modules
    ++ [
      ./hardware.nix
      ./nginx.nix
      ../../home/gnome.nix
      ../../users/vinzenz.nix
      ../../modules/gnome.nix
      ../../modules/gaming.nix
      ../../modules/printing.nix
      ../../modules/latex.nix
      ../../modules/podman.nix
      {
        networking.hostName = "vinzenz-lpt2";
        nix.settings.extra-platforms = ["aarch64-linux"];
      }
      {
        home-manager.users.vinzenz = import ../../home/vinzenz;
        users.users.vinzenz.openssh.authorizedKeys.keys = [
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
        ];
        #users.users.ronja.openssh.authorizedKeys.keys = [
        #  ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
        #];
      }
    ];
 }
--- a/hosts/vinzenz-lpt2/hardware.nix
+++ b/hosts/vinzenz-lpt2/hardware.nix
@ -0,0 +1,61 @@
 {
  pkgs,
  lib,
  ...
 }: {
  imports = [
    ../../modules/intel-graphics.nix
  ];
  config = {
    # intel cpu
    boot.kernelModules = ["kvm-intel"];
    hardware.cpu.intel.updateMicrocode = true;
    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
    # (the default) this is the recommended approach. When using systemd-networkd it's
    # still possible to use this option, but it's recommended to use it in conjunction
    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
    networking.useDHCP = lib.mkDefault true;
    hardware.enableRedistributableFirmware = true;
    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    boot.initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"];
      luks.devices = {
        "luks-2c654ff2-3c42-48d3-a1e3-9545679afaa3" = {
          device = "/dev/disk/by-uuid/2c654ff2-3c42-48d3-a1e3-9545679afaa3";
        };
      };
    };
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/e4dad0c8-26a1-45e9-bbd9-48565eb6574e";
        fsType = "btrfs";
        options = ["subvol=@"];
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/E2B7-2BC1";
        fsType = "vfat";
      };
    };
    swapDevices = [
      {
        device = "/var/lib/swapfile";
        size = 32 * 1024;
      }
    ];
    services.thermald.enable = true;
    services.hardware.bolt.enable = true; # thunderbolt security
  };
 }
--- a/hosts/vinzenz-lpt2/nginx.nix
+++ b/hosts/vinzenz-lpt2/nginx.nix
@ -0,0 +1,26 @@
 {...}: {
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    virtualHosts = {
      "vinzenz-lpt2" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:3000/";
          proxyWebsockets = true;
        };
        serverAliases = ["172.23.42.96"];
      };
    };
  };
  networking.firewall = {
    allowedTCPPorts = [80 8001 3000];
    allowedUDPPorts = [2342];
  };
 }
--- a/hosts/vinzenz-pc2/default.nix
+++ b/hosts/vinzenz-pc2/default.nix
@ -0,0 +1,42 @@
 {
  nixpkgs,
  common-modules,
  desktop-modules,
  ...
 }:
 nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  modules =
    common-modules
    ++ desktop-modules
    ++ [
      ./hardware.nix
      ./vscode-server.nix
      ../../home/gnome.nix
      ../../users/vinzenz.nix
      ../../users/ronja.nix
      ../../modules/gnome.nix
      ../../modules/gaming.nix
      ../../modules/printing.nix
      ../../modules/podman.nix
      {
        networking.hostName = "vinzenz-pc2";
      }
      {
        home-manager.users = {
          vinzenz = import ../../home/vinzenz;
          ronja = import ../../home/ronja.nix;
        };
        users.users.vinzenz.openssh.authorizedKeys.keys = [
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrY6tcgnoC/xbgL7vxSjddEY9MBxRXe9n2cAHt88/TT home roaming''
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
        ];
        users.users.ronja.openssh.authorizedKeys.keys = [
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key''
        ];
      }
    ];
 }
--- a/hosts/vinzenz-pc2/fstab.nix
+++ b/hosts/vinzenz-pc2/fstab.nix
@ -0,0 +1,37 @@
 {
  "/" = {
    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
    fsType = "btrfs";
    options = ["subvol=@"];
  };
  "/home" = {
    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
    fsType = "btrfs";
    options = ["subvol=@home"];
  };
  "/games" = {
    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
    fsType = "btrfs";
    options = ["subvol=@games"];
  };
  "/boot" = {
    device = "/dev/disk/by-uuid/AF67-8F16";
    fsType = "vfat";
  };
  "/mnt/nixos_btrfs_root" = {
    # subvolume with id 5 is always the root volume
    # this is convenient for managing the flat subvolume hierarchy
    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
    fsType = "btrfs";
    options = ["subvolid=5"];
  };
  "/mnt/ssd2" = {
    device = "/dev/disk/by-uuid/6b2a647d-c68e-4c07-85bf-c9bfc5db7e8a";
    fsType = "ext4";
  };
 }
--- a/hosts/vinzenz-pc2/hardware.nix
+++ b/hosts/vinzenz-pc2/hardware.nix
@ -0,0 +1,20 @@
 {...}: {
  imports = [
    ../../modules/amd-graphics.nix
  ];
  config = {
    # amd cpu
    boot.kernelModules = ["kvm-amd"];
    hardware.cpu.amd.updateMicrocode = true;
    boot = {
      initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; # "usb_storage"
      loader.efi.efiSysMountPoint = "/boot";
    };
    fileSystems = import ./fstab.nix;
    swapDevices = [];
    interfaces.eno1.wakeOnLan.enable = true;
  };
 }
--- a/hosts/vinzenz-pc2/vscode-server.nix
+++ b/hosts/vinzenz-pc2/vscode-server.nix
@ -0,0 +1,16 @@
 {pkgs, ...}: {
  services.openvscode-server = {
    enable = true;
    telemetryLevel = "off";
    port = 8542;
    host = "100.125.93.127"; # tailscale
    withoutConnectionToken = true;
    extraPackages = with pkgs; [nodejs git gh direnv];
  };
  networking = {
    firewall = {
      allowedTCPPorts = [8542 8543 8544 80];
    };
  };
 }
--- a/modules/amd-graphics.nix
+++ b/modules/amd-graphics.nix
@ -0,0 +1,24 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: {
  config = {
    boot.kernelModules = ["amdgpu"];
    services.xserver.videoDrivers = ["amdgpu"];
    hardware.opengl = {
      extraPackages = with pkgs; [
        amdvlk
      ];
      extraPackages32 = with pkgs; [
        driversi686Linux.amdvlk
      ];
    };
    environment.systemPackages = with pkgs; [
      nvtopPackages.amd
    ];
  };
 }
--- a/modules/buildtools.nix
+++ b/modules/buildtools.nix
@ -1,116 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: let
  cfg = config.my.buildtools;
  isDesktop = config.my.desktop.enable;
  dotnetPackage = with pkgs.unstable; (dotnetCorePackages.combinePackages [
    dotnet-sdk_8
  ]);
 in {
  options.my.buildtools = {
    native = lib.mkEnableOption "include native build tools";
    dotnet = lib.mkEnableOption "include dotnet build tools";
    rust = lib.mkEnableOption "include rust build tools";
    jetbrains-remote-server = lib.mkEnableOption "setup jetbrais IDE installs so -remote-dev-server can be started";
    objective-c = lib.mkEnableOption "Objective-C with GNUStep";
    js = lib.mkEnableOption "node stuff";
    android = lib.mkEnableOption "android development";
    python = lib.mkEnableOption "generic python 3";
  };
  config = lib.mkMerge [
    (lib.mkIf cfg.native {
      environment.systemPackages = with pkgs; [
        cmake
        gnumake
        gcc
        gdb
      ];
    })
    (lib.mkIf cfg.dotnet {
      environment = {
        systemPackages = with pkgs; [
          dotnetPackage
          zlib
          zlib.dev
          openssl
          icu
          icu.dev
          # native aot
          gcc
          libunwind
        ];
        variables = {
          DOTNET_CLI_TELEMETRY_OPTOUT = "1";
        };
      };
      programs.nix-ld.libraries = with pkgs; [
        # native aot
        libunwind
        icu
        zlib
        zlib.dev
        openssl
        icu
        icu.dev
        dotnetPackage
      ];
    })
    (lib.mkIf cfg.js {
      environment.systemPackages = with pkgs; [
        nodejs
      ];
    })
    (lib.mkIf cfg.rust {
      environment.systemPackages = with pkgs; [
        rustup
        musl
      ];
    })
    (lib.mkIf cfg.jetbrains-remote-server {
      my.buildtools.dotnet = true;
      my.buildtools.native = true;
      my.buildtools.python = true;
    })
    (lib.mkIf cfg.objective-c {
      my.buildtools.native = true;
      environment.systemPackages =
        (with pkgs.gnustep; [
          gui
          make
          gorm
          base
          back
          system_preferences
          projectcenter
          libobjc
          gworkspace
        ])
        ++ (with pkgs; [
          clang-tools
          clang
        ]);
    })
    (lib.mkIf cfg.android {
      environment.systemPackages = with pkgs; [
        android-tools
        android-udev-rules
      ];
    })
    (lib.mkIf cfg.python {
      environment.systemPackages = with pkgs; [python3 python3Packages.pip];
    })
  ];
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,25 +0,0 @@
 modulesCfg: {lib, ...}: {
  imports =
    [
      ./i18n.nix
      ./nixpkgs.nix
      ./globalinstalls.nix
      ./sshd.nix
      ./tailscale.nix
      ./buildtools.nix
    ]
    ++ (map (path: (import path modulesCfg)) [
      ./hardware
      ./users
      ./desktop
    ]);
  config = {
    my.modulesCfg = modulesCfg;
    networking.firewall = {
      enable = true;
      checkReversePath = "loose";
    };
  };
 }
--- a/modules/desktop-environment.nix
+++ b/modules/desktop-environment.nix
@ -1,41 +1,15 @@
-modulesCfg: {
+{
  config,
  pkgs,
  lib,
  ...
-}: let
+}: {
-  isEnabled = config.my.desktop.enable;
+  config = {
  isHomeManager = modulesCfg.enableHomeManager;
 in {
  imports =
    [
      ./gnome.nix
      ./kde.nix
      ./gaming.nix
      ./printing.nix
      ./latex.nix
    ]
    ++ lib.optionals isHomeManager [
      ./gnome-home.nix
      ./kde-home.nix
    ];
  options.my.desktop.enable = lib.mkEnableOption "desktop";
  config = lib.mkIf isEnabled {
    services = {
-      # Enable the X11 windowing system / wayland depending on DE
+      xserver.enable = true;
      xserver = {
        enable = true;
      };
      libinput.enable = true;
      # flatpak xdg-portal-kde crashes, otherwise this would be global
      flatpak.enable = true;
      fstrim.enable = true;
      earlyoom = {
        enable = true;
        freeMemThreshold = 5;
@ -124,8 +98,6 @@ in {
      hunspell
      hunspellDicts.de-de
      hunspellDicts.en-us-large
      gnumake
    ];
    nixpkgs.config.permittedInsecurePackages = [];
--- a/modules/hardware/common-desktop.nix
+++ b/modules/hardware/common-desktop.nix
@ -3,12 +3,8 @@
  pkgs,
  config,
  ...
-}: let
+}: {
-  isEnabled = config.my.hardware.enableCommonDesktopSettings;
+  config = {
 in {
  options.my.hardware.enableCommonDesktopSettings = lib.mkEnableOption "common hw settings for desktops";
  config = lib.mkIf isEnabled {
    boot = {
      kernelPackages = pkgs.linuxPackages_zen;
      kernelParams = ["quiet" "udev.log_level=3"];
--- a/modules/desktop/gnome-home.nix
+++ b/modules/desktop/gnome-home.nix
@ -1,103 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  isEnabled = config.my.desktop.enableGnome;
 in {
  config = lib.mkIf isEnabled {
    home-manager.sharedModules = [
      {
        home.packages = with pkgs;
          [
            amberol
            gitg
            gnome-builder
            meld
            simple-scan
            pinta
          ]
          ++ (with gnome; [
            dconf-editor
            gpaste
            # graphical installer for flatpak apps
            gnome-software
          ])
          ++ (with gnomeExtensions; [
            caffeine
            appindicator
            gsconnect
            battery-health-charging
            quick-settings-tweaker
            solaar-extension
          ]);
        dconf.settings = {
          "org/gnome/desktop/interface" = {
            color-scheme = "prefer-dark";
            clock-show-seconds = true;
            show-battery-percentage = true;
          };
          "org/gnome/mutter" = {
            edge-tiling = true;
            dynamic-workspaces = true;
          };
          "org/gnome/desktop/peripherals/keyboard" = {
            numlock-state = true;
          };
          "org/gnome/desktop/peripherals/touchpad" = {
            tap-to-click = true;
            two-finger-scrolling-enabled = true;
          };
          "org/gnome/tweaks" = {
            show-extensions-notice = false;
          };
          "org/gnome/shell" = {
            disable-user-extensions = false;
            disabled-extensions = [];
            enabled-extensions = [
              "appindicatorsupport@rgcjonas.gmail.com"
              "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
              "caffeine@patapon.info"
              "GPaste@gnome-shell-extensions.gnome.org"
              "gsconnect@andyholmes.github.io"
              "solaar-extension@sidevesh"
            ];
          };
          "ca/desrt/dconf-editor" = {
            show-warning = false;
          };
          "org/gnome/desktop/wm/keybindings" = {
            switch-windows = ["<Alt>Tab"];
            switch-windows-backward = ["<Shift><Alt>Tab"];
            switch-applications = ["<Super>Tab"];
            switch-applications-backward = ["<Shift><Super>Tab"];
          };
        };
        gtk = {
          enable = true;
          iconTheme.name = "Adwaita";
          cursorTheme.name = "Adwaita";
          theme = {
            name = "adw-gtk3-dark";
            package = pkgs.adw-gtk3;
          };
        };
      }
      (lib.mkIf config.my.tailscale.enable
        {
          home.packages = with pkgs;
            [
              trayscale
            ]
            ++ (with gnomeExtensions; [
              tailscale-qs
            ]);
          dconf.settings."org/gnome/shell".enabled-extensions = ["tailscale@joaophi.github.com"];
        })
    ];
  };
 }
--- a/modules/desktop/kde-home.nix
+++ b/modules/desktop/kde-home.nix
@ -1,18 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  isEnabled = config.my.desktop.enableKde;
 in {
  config = lib.mkIf isEnabled {
    home-manager.sharedModules = [
      {
        services.kdeconnect = {
          enable = true;
          indicator = true;
        };
      }
    ];
  };
 }
--- a/modules/desktop/kde.nix
+++ b/modules/desktop/kde.nix
@ -1,46 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  isEnabled = config.my.desktop.enableKde;
 in {
  options.my.desktop.enableKde = lib.mkEnableOption "KDE desktop";
  config = lib.mkIf isEnabled {
    my.desktop.enable = true;
    services = {
      # Enable the KDE Plasma Desktop Environment.
      xserver = {
        desktopManager.plasma5.enable = true;
        displayManager = {
          sddm.enable = true;
          defaultSession = "plasmawayland";
        };
      };
    };
    environment = {
      systemPackages = with pkgs; [
        libsForQt5.kate
        libsForQt5.kalk
      ];
      plasma5.excludePackages = with pkgs.libsForQt5; [
        elisa
        gwenview
        okular
        khelpcenter
      ];
    };
    programs = {
      dconf.enable = true;
      partition-manager.enable = true;
      kdeconnect.enable = true;
    };
  };
 }
--- a/modules/desktop/latex.nix
+++ b/modules/desktop/latex.nix
@ -1,20 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  isEnabled = config.my.desktop.enableLaTeX;
 in {
  options.my.desktop.enableLaTeX = lib.mkEnableOption "LaTeX tools and IDE";
  config = lib.mkIf isEnabled {
    my.desktop.enable = true;
    environment.systemPackages = with pkgs; [
      fontconfig
      texliveFull
      texstudio
    ];
  };
 }
--- a/modules/desktop/gaming.nix
+++ b/modules/desktop/gaming.nix
@ -3,12 +3,8 @@
  pkgs,
  lib,
  ...
-}: let
+}: {
-  isEnabled = config.my.desktop.enableGaming;
+  config = {
 in {
  options.my.desktop.enableGaming = lib.mkEnableOption "gaming with wine";
  config = lib.mkIf isEnabled {
    hardware = {
      opengl = {
        driSupport = true;
--- a/modules/desktop/gnome.nix
+++ b/modules/desktop/gnome.nix
@ -3,14 +3,8 @@
  pkgs,
  lib,
  ...
-}: let
+}: {
-  isEnabled = config.my.desktop.enableGnome;
+  config = {
 in {
  options.my.desktop.enableGnome = lib.mkEnableOption "gnome desktop";
  config = lib.mkIf isEnabled {
    my.desktop.enable = true;
    services = {
      xserver = {
        # Enable the GNOME Desktop Environment.
--- a/modules/hardware/amd.nix
+++ b/modules/hardware/amd.nix
@ -1,47 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.my.hardware.amd;
 in {
  options.my.hardware.amd = {
    cpu = lib.mkEnableOption "amd cpu";
    gpu = lib.mkEnableOption "amd gpu";
    radeon = lib.mkEnableOption "amd legacy gpu"; # old hardware, dont judge
  };
  config = lib.mkMerge [
    (lib.mkIf cfg.cpu {
      boot.kernelModules = ["kvm-amd"];
      hardware.cpu.amd.updateMicrocode = true;
    })
    (lib.mkIf cfg.gpu {
      boot.kernelModules = ["amdgpu"];
      services.xserver.videoDrivers = ["amdgpu"];
      hardware.opengl = {
        extraPackages = with pkgs; [
          amdvlk
        ];
        extraPackages32 = with pkgs; [
          driversi686Linux.amdvlk
        ];
      };
      environment.systemPackages = with pkgs; [
        nvtopPackages.amd
      ];
    })
    (lib.mkIf cfg.radeon {
      boot.kernelModules = ["radeon"];
      services.xserver.videoDrivers = ["radeon"];
      environment.systemPackages = with pkgs; [
        radeontop
      ];
    })
  ];
 }
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@ -1,40 +0,0 @@
 modulesCfg: {
  modulesPath,
  lib,
  ...
 }: let
  hostName = modulesCfg.hostName;
 in {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (builtins.toString ./. + "/${hostName}.nix")
    ./common-desktop.nix
    ./amd.nix
    ./intel.nix
  ];
  options.my.modulesCfg.hostName = lib.mkOption {
    type = lib.types.str;
  };
  config = {
    networking.hostName = hostName;
    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
    # (the default) this is the recommended approach. When using systemd-networkd it's
    # still possible to use this option, but it's recommended to use it in conjunction
    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
    networking.useDHCP = lib.mkDefault true;
    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
    # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
    hardware.enableRedistributableFirmware = true;
    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  };
 }
--- a/modules/hardware/intel.nix
+++ b/modules/hardware/intel.nix
@ -1,42 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.my.hardware.intel;
 in {
  options.my.hardware.intel = {
    cpu = lib.mkEnableOption "intel cpu";
    iGpu = lib.mkEnableOption "intel integrated gpu";
    xe = lib.mkEnableOption "intel xe gpu";
  };
  config = lib.mkMerge [
    (lib.mkIf cfg.cpu {
      boot.kernelModules = ["kvm-intel"];
      hardware.cpu.intel.updateMicrocode = true;
    })
    (lib.mkIf (cfg.iGpu || cfg.xe) {
      hardware.opengl = {
        extraPackages = with pkgs; [
          intel-media-driver
          vaapiIntel
          vaapiVdpau
          libvdpau-va-gl
          intel-ocl
        ];
        extraPackages32 = with pkgs.pkgsi686Linux; [
          intel-media-driver
          vaapiIntel
          vaapiVdpau
          libvdpau-va-gl
        ];
      };
      environment.systemPackages = with pkgs; [
        nvtopPackages.intel
      ];
      my.allowUnfreePackages = ["intel-ocl"];
    })
  ];
 }
--- a/modules/hardware/vinzenz-lpt.nix
+++ b/modules/hardware/vinzenz-lpt.nix
@ -1,34 +0,0 @@
 {...}: {
  config = {
    my.hardware = {
      enableCommonDesktopSettings = true;
      amd.radeon = true;
      intel = {
        cpu = true;
        iGpu = true;
      };
    };
    boot = {
      initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
      loader.efi.efiSysMountPoint = "/boot/efi";
    };
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/34cb86c4-8823-4785-9672-92ef0bcd5eaf";
        fsType = "btrfs";
        options = ["subvol=@"];
      };
      "/boot/efi" = {
        device = "/dev/disk/by-uuid/2381-1CD2";
        fsType = "vfat";
      };
    };
    swapDevices = [
      {device = "/dev/disk/by-uuid/f5932f70-60e4-4abe-b23d-2cab3c095c7d";}
    ];
  };
 }
--- a/modules/hardware/vinzenz-lpt2.nix
+++ b/modules/hardware/vinzenz-lpt2.nix
@ -1,43 +0,0 @@
 {...}: {
  config = {
    my.hardware = {
      enableCommonDesktopSettings = true;
      intel = {
        cpu = true;
        xe = true;
      };
    };
    boot.initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"];
      luks.devices = {
        "luks-2c654ff2-3c42-48d3-a1e3-9545679afaa3" = {
          device = "/dev/disk/by-uuid/2c654ff2-3c42-48d3-a1e3-9545679afaa3";
        };
      };
    };
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/e4dad0c8-26a1-45e9-bbd9-48565eb6574e";
        fsType = "btrfs";
        options = ["subvol=@"];
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/E2B7-2BC1";
        fsType = "vfat";
      };
    };
    swapDevices = [
      {
        device = "/var/lib/swapfile";
        size = 32 * 1024;
      }
    ];
    services.thermald.enable = true;
    services.hardware.bolt.enable = true; # thunderbolt security
  };
 }
--- a/modules/hardware/vinzenz-pc2.nix
+++ b/modules/hardware/vinzenz-pc2.nix
@ -1,56 +0,0 @@
 {...}: {
  config = {
    my.hardware = {
      enableCommonDesktopSettings = true;
      amd = {
        cpu = true;
        gpu = true;
      };
    };
    boot = {
      initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; # "usb_storage"
      loader.efi.efiSysMountPoint = "/boot";
    };
    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
        fsType = "btrfs";
        options = ["subvol=@"];
      };
      "/home" = {
        device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
        fsType = "btrfs";
        options = ["subvol=@home"];
      };
      "/games" = {
        device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
        fsType = "btrfs";
        options = ["subvol=@games"];
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/AF67-8F16";
        fsType = "vfat";
      };
      "/mnt/nixos_btrfs_root" = {
        # subvolume with id 5 is always the root volume
        # this is convenient for managing the flat subvolume hierarchy
        device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
        fsType = "btrfs";
        options = ["subvolid=5"];
      };
      "/mnt/ssd2" = {
        device = "/dev/disk/by-uuid/6b2a647d-c68e-4c07-85bf-c9bfc5db7e8a";
        fsType = "ext4";
      };
    };
    swapDevices = [];
  };
 }
--- a/modules/intel-graphics.nix
+++ b/modules/intel-graphics.nix
@ -0,0 +1,28 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: {
  config = {
    hardware.opengl = {
      extraPackages = with pkgs; [
        intel-media-driver
        vaapiIntel
        vaapiVdpau
        libvdpau-va-gl
        intel-ocl
      ];
      extraPackages32 = with pkgs.pkgsi686Linux; [
        intel-media-driver
        vaapiIntel
        vaapiVdpau
        libvdpau-va-gl
      ];
    };
    environment.systemPackages = with pkgs; [
      nvtopPackages.intel
    ];
    my.allowUnfreePackages = ["intel-ocl"];
  };
 }
--- a/modules/latex.nix
+++ b/modules/latex.nix
@ -0,0 +1,14 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: {
  config = {
    environment.systemPackages = with pkgs; [
      fontconfig
      texliveFull
      texstudio
    ];
  };
 }
--- a/modules/nixpkgs.nix
+++ b/modules/nixpkgs.nix
@ -1,80 +0,0 @@
 {
  config,
  lib,
  ...
 }: let
  unstable-commit-sha = "9df3e30ce24fd28c7b3e2de0d986769db5d6225d";
  ultrastable-commit-sha = "2be119add7b37dc535da2dd4cba68e2cf8d1517e";
 in {
  options.my.allowUnfreePackages = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [];
    example = ["steam"];
  };
  imports = [
    # this switches the nix implementation to lix everywhere, but means recompiling lix every build.
    # https://lix.systems/add-to-config/
    (
      let
        module = fetchTarball {
          name = "source";
          url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0.tar.gz";
          sha256 = "sha256-yEO2cGNgzm9x/XxiDQI+WckSWnZX63R8aJLBRSXtYNE=";
        };
        lixSrc = fetchTarball {
          name = "source";
          url = "https://git.lix.systems/lix-project/lix/archive/2.90.0.tar.gz";
          sha256 = "sha256-f8k+BezKdJfmE+k7zgBJiohtS3VkkriycdXYsKOm3sc=";
        };
      in
        import "${module}/module.nix" {lix = lixSrc;}
    )
  ];
  config = {
    nixpkgs.config = {
      # make nixos-unstable availiable as 'pkgs.unstable'
      packageOverrides = pkgs: {
        unstable = import (fetchTarball "https://github.com/nixos/nixpkgs/tarball/${unstable-commit-sha}") {
          config = config.nixpkgs.config;
        };
        ultrastable = import (fetchTarball "https://github.com/nixos/nixpkgs/tarball/${ultrastable-commit-sha}") {
          config = config.nixpkgs.config;
        };
      };
      # https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085
      allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.my.allowUnfreePackages;
    };
    nix = {
      settings = {
        substituters = ["https://nix-community.cachix.org" "https://cache.nixos.org/"];
        trusted-public-keys = ["nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="];
      };
      gc = {
        automatic = true;
        dates = "daily";
        options = "--delete-older-than 7d";
      };
    };
    system = {
      stateVersion = "22.11";
      # enable auto updates
      autoUpgrade = {
        enable = true;
        dates = "weekly";
      };
    };
    documentation = {
      enable = true; # documentation of packages
      nixos.enable = false; # nixos documentation
      man.enable = true; # manual pages and the man command
      info.enable = false; # info pages and the info command
      doc.enable = false; # documentation distributed in packages' /share/doc
    };
  };
 }
--- a/modules/podman.nix
+++ b/modules/podman.nix
@ -0,0 +1,11 @@
 {...}: {
  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
      dockerSocket.enable = true;
      autoPrune.enable = true;
    };
  };
 }
--- a/modules/desktop/printing.nix
+++ b/modules/desktop/printing.nix
@ -3,12 +3,8 @@
  pkgs,
  lib,
  ...
-}: let
+}: {
-  isEnabled = config.my.desktop.enablePrinting;
+  config = {
 in {
  options.my.desktop.enablePrinting = lib.mkEnableOption "printing";
  config = lib.mkIf isEnabled {
    services = {
      # Enable CUPS to print documents.
      printing.enable = true;
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -1,19 +0,0 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  cfg = config.my.tailscale;
 in {
  options.my.tailscale = {
    enable = lib.mkEnableOption "enable tailscale vpn";
  };
  config = lib.mkIf cfg.enable {
    services.tailscale = {
      enable = true;
      openFirewall = true;
    };
  };
 }
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@ -1,24 +0,0 @@
 modulesCfg: {
  config,
  pkgs,
  lib,
  ...
 }: let
  enableHomeManager = modulesCfg.enableHomeManager;
 in {
  options.my = {
    modulesCfg.enableHomeManager = lib.mkEnableOption "enable home manager";
    enabledUsers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
    };
  };
  imports =
    [
      ./vinzenz.nix
      ./ronja.nix
    ]
    ++ lib.optionals enableHomeManager [
      ./home-manager.nix
    ];
 }
--- a/modules/users/home-manager.nix
+++ b/modules/users/home-manager.nix
@ -1,25 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: {
  imports = [
    <home-manager/nixos>
  ];
  config = {
    home-manager = {
      useUserPackages = true;
      useGlobalPkgs = true;
      # defaults for users
      sharedModules = import ./home-shared-modules.nix;
      users = {
        ronja = lib.mkIf (builtins.elem "ronja" config.my.enabledUsers) (import ./ronja-home.nix);
        vinzenz = lib.mkIf (builtins.elem "vinzenz" config.my.enabledUsers) (import ./vinzenz-home.nix);
      };
    };
  };
 }
--- a/modules/users/vinzenz-home.nix
+++ b/modules/users/vinzenz-home.nix
@ -1,248 +0,0 @@
 {
  config,
  osConfig,
  pkgs,
  lib,
  ...
 }: let
  isGnomeEnabled = osConfig.my.desktop.enableGnome;
 in
  lib.mkMerge [
    {
      home.packages = with pkgs; [
        keepassxc
        insync
        telegram-desktop
        element-desktop
        wireguard-tools
        wirelesstools
        alejandra # nix formatter
        arduino
        uucp
        kdiff3
        jetbrains-toolbox
      ];
      programs = {
        home-manager.enable = true;
        fzf.enable = true;
        zsh = {
          initExtra = ''
            eval "$(direnv hook zsh)";
            export PATH=$PATH:/home/vinzenz/.cargo/bin
          '';
          shellAliases = {
            my-apply = "sudo nixos-rebuild boot";
            my-switch = "sudo nixos-rebuild switch";
            my-update = "sudo nixos-rebuild boot --upgrade";
            my-pull = "git -C ~/Repos/nixos-configuration pull --rebase";
            my-fmt = "alejandra .";
            my-test = "sudo nixos-rebuild test";
            my-direnvallow = "echo \"use nix\" > .envrc && direnv allow";
            my-ip4 = "ip addr show | grep 192";
          };
          history = {
            size = 10000;
            path = "${config.xdg.dataHome}/zsh/history";
            expireDuplicatesFirst = true;
          };
          oh-my-zsh = {
            enable = true;
            theme = "agnoster";
            plugins = ["git" "sudo" "docker" "systemadmin"];
          };
        };
        git = {
          enable = true;
          userName = "Vinzenz Schroeter";
          userEmail = "vinzenz.f.s@gmail.com";
          aliases = {
            prettylog = "log --pretty=oneline --graph";
            spring-clean = "!git branch --merged | xargs -n 1 -r git branch -d";
          };
          extraConfig = {
            pull.ff = "only";
            merge.tool = "kdiff3";
            push.autoSetupRemote = "true";
          };
        };
        vscode = {
          enable = true;
          package = pkgs.vscodium;
          enableUpdateCheck = false;
          extensions = with pkgs.vscode-extensions; [
            bbenoist.nix
            ms-python.python
            kamadorueda.alejandra
            editorconfig.editorconfig
            yzhang.markdown-all-in-one
            redhat.vscode-yaml
            pkief.material-icon-theme
            mhutchie.git-graph
            rust-lang.rust-analyzer
            tamasfe.even-better-toml
            llvm-vs-code-extensions.vscode-clangd
            mkhl.direnv
            vadimcn.vscode-lldb
            ms-dotnettools.csharp
          ];
          userSettings = {
            "git.autofetch" = true;
            "update.mode" = "none";
            "editor.fontFamily" = "'Fira Code', 'Droid Sans Mono', 'monospace', monospace";
            "editor.fontLigatures" = true;
            "editor.formatOnSave" = true;
            "editor.formatOnSaveMode" = "modificationsIfAvailable";
            "editor.minimap.autohide" = true;
            "diffEditor.diffAlgorithm" = "advanced";
            "explorer.excludeGitIgnore" = true;
            "markdown.extension.tableFormatter.normalizeIndentation" = true;
            "markdown.extension.toc.orderedList" = false;
            "telemetry.telemetryLevel" = "off";
            "redhat.telemetry.enabled" = false;
            "workbench.startupEditor" = "readme";
            "workbench.enableExperiments" = false;
            "workbench.iconTheme" = "material-icon-theme";
            "rust-analyzer.checkOnSave.command" = "clippy";
            "extensions.autoUpdate" = false;
            "extensions.autoCheckUpdates" = false;
            "\[makefile\]" = {
              "editor.insertSpaces" = false;
              "editor.detectIndentation" = false;
            };
          };
        };
        direnv = {
          enable = true;
          nix-direnv.enable = true;
        };
        chromium = {
          enable = true;
          extensions = [
            {
              # ublock origin
              id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";
            }
            {
              id = "dcpihecpambacapedldabdbpakmachpb";
              updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml";
            }
          ];
        };
        eza = {
          enable = true;
          git = true;
          icons = true;
                    extraOptions = [
            "--group-directories-first"
            "--header"
          ];
        };
        # checked https://rycee.gitlab.io/home-manager/options.html until "programs.notmuch"
        ssh = {
          enable = true;
          matchBlocks = {
            "vpn1" = {
              host = "vpn1 hetzner-vpn1";
              hostname = "157.90.146.125"; # 2a01:4f8:c012:7137::/64
              user = "root";
            };
            "vpn1-ts" = {
              host = "vpn1-ts hetzner-vpn1.donkey-pentatonic.ts.net";
              hostname = "hetzner-vpn1.donkey-pentatonic.ts.net";
              user = "root";
            };
            "openwrt" = {
              host = "openwrt openwrt.lan";
              hostname = "openwrt.lan";
              user = "root";
            };
            "openwrt-ts" = {
              hostname = "openwrt.donkey-pentatonic.ts.net";
              port = 2222;
              user = "root";
            };
            "openwrt-j" = {
              hostname = "openwrt.donkey-pentatonic.ts.net";
              proxyJump = "vpn1";
              port = 2222;
              user = "root";
            };
            "pc2-power" = {
              hostname = "openwrt.donkey-pentatonic.ts.net";
              proxyJump = "vpn1";
              port = 2222;
              user = "pc2-power";
            };
            "avd-power" = {
              # hostname = "2001:678:560:23:9833:63ff:fe2d:f477"
              # hostname = "195.160.172.25";
              hostname = "avd-jumphost.club.berlin.ccc.de";
              user = "power";
            };
            "avd" = {
              hostname = "avd.club.berlin.ccc.de";
              user = "vinzenz";
            };
          };
        };
      };
      editorconfig = {
        enable = true;
        settings = {
          "*" = {
            charset = "utf-8";
            end_of_line = "lf";
            trim_trailing_whitespace = true;
            insert_final_newline = true;
            max_line_width = 120;
            indent_style = "space";
            indent_size = 4;
          };
          "*.nix" = {
            indent_size = 2;
          };
        };
      };
      home.file."policy.json" = {
        target = ".config/containers/policy.json";
        text = ''
          {
              "default": [
                  {
                      "type": "insecureAcceptAnything"
                  }
              ],
              "transports":
                  {
                      "docker-daemon":
                          {
                              "": [{"type":"insecureAcceptAnything"}]
                          }
                  }
          }
        '';
      };
    }
  ]
--- a/modules/users/ronja.nix
+++ b/modules/users/ronja.nix
@ -1,12 +1,5 @@
-{
+{pkgs, ...}: {
-  config,
+  config = {
  pkgs,
  lib,
  ...
 }: let
  isUserEnabled = builtins.elem "ronja" config.my.enabledUsers;
 in {
  config = lib.mkIf isUserEnabled {
    # Define user account
    users.users.ronja = {
      isNormalUser = true;
--- a/modules/users/vinzenz.nix
+++ b/modules/users/vinzenz.nix
@ -1,12 +1,5 @@
-{
+{pkgs, ...}: {
-  config,
+  config = {
  pkgs,
  lib,
  ...
 }: let
  isUserEnabled = builtins.elem "vinzenz" config.my.enabledUsers;
 in {
  config = lib.mkIf isUserEnabled {
    users.users.vinzenz = {
      isNormalUser = true;
      name = "vinzenz";
--- a/vinzenz-lpt.nix
+++ b/vinzenz-lpt.nix
@ -1,28 +0,0 @@
 {...}: {
  imports = [
    (import ./modules {
      hostName = "vinzenz-lpt";
      enableHomeManager = true;
    })
  ];
  config = {
    my = {
      enabledUsers = ["vinzenz"];
      tailscale.enable = true;
      desktop = {
        enableGnome = true;
        enableGaming = true;
        enablePrinting = true;
      };
      buildtools = {
        dotnet = true;
      };
    };
    users.users.vinzenz.openssh.authorizedKeys.keys = [
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
    ];
  };
 }
--- a/vinzenz-lpt2.nix
+++ b/vinzenz-lpt2.nix
@ -1,72 +0,0 @@
 {pkgs, ...}: {
  imports = [
    (import ./modules {
      hostName = "vinzenz-lpt2";
      enableHomeManager = true;
    })
  ];
  config = {
    my = {
      enabledUsers = ["vinzenz" "ronja"];
      tailscale.enable = true;
      desktop = {
        enableGnome = true;
        enableGaming = true;
        enablePrinting = true;
        enableLaTeX = true;
      };
      allowUnfreePackages = [
        "rider"
        "clion"
        "pycharm-professional"
      ];
    };
    virtualisation = {
      containers.enable = true;
      podman = {
        enable = true;
        dockerCompat = true;
        dockerSocket.enable = true;
        autoPrune.enable = true;
      };
    };
    users.users.vinzenz.openssh.authorizedKeys.keys = [
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
    ];
    users.users.ronja.openssh.authorizedKeys.keys = [
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
    ];
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      virtualHosts = {
        "vinzenz-lpt2" = {
          locations."/" = {
            proxyPass = "http://127.0.0.1:3000/";
            proxyWebsockets = true;
          };
          serverAliases = ["172.23.42.96"];
        };
      };
    };
    networking.firewall = {
      allowedTCPPorts = [80 8001 3000];
      allowedUDPPorts = [2342];
    };
  };
 }
--- a/vinzenz-pc2.nix
+++ b/vinzenz-pc2.nix
@ -1,57 +0,0 @@
 {pkgs, ...}: {
  imports = [
    (import ./modules {
      hostName = "vinzenz-pc2";
      enableHomeManager = true;
    })
  ];
  config = {
    my = {
      enabledUsers = ["vinzenz" "ronja"];
      tailscale.enable = true;
      desktop = {
        enableGnome = true;
        enableGaming = true;
        enablePrinting = true;
      };
      buildtools = {
        native = true;
        dotnet = true;
        rust = true;
        jetbrains-remote-server = true;
      };
    };
    users.users.vinzenz.openssh.authorizedKeys.keys = [
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrY6tcgnoC/xbgL7vxSjddEY9MBxRXe9n2cAHt88/TT home roaming''
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
    ];
    users.users.ronja.openssh.authorizedKeys.keys = [
      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key''
    ];
    services.openvscode-server = {
      enable = true;
      telemetryLevel = "off";
      port = 8542;
      host = "100.125.93.127"; # tailscale
      withoutConnectionToken = true;
      extraPackages = with pkgs; [nodejs gitFull gh direnv];
    };
    virtualisation.podman = {
      enable = true;
    };
    networking = {
      firewall = {
        allowedTCPPorts = [8542 8543 8544 80];
      };
      interfaces.eno1.wakeOnLan.enable = true;
    };
  };
 }