From c8cfa37bb9e3dbd3bc0e2c004db909aca512b5a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 15:19:06 +0200 Subject: [PATCH 1/7] hm modules: gate behind enable options, always import --- homeConfigurations/muede/default.nix | 9 +++++++++ homeConfigurations/ronja/default.nix | 8 ++++++++ homeModules/gnome-extensions.nix | 2 +- homeModules/nano.nix | 17 +++++++++++------ homeModules/tailscale.nix | 12 ++++++++++-- homeModules/templates.nix | 23 ++++++++++++++--------- homeModules/zsh-basics.nix | 21 +++++++++++++-------- nixosConfigurations.nix | 11 +---------- 8 files changed, 67 insertions(+), 36 deletions(-) diff --git a/homeConfigurations/muede/default.nix b/homeConfigurations/muede/default.nix index 87db634..17c66a0 100644 --- a/homeConfigurations/muede/default.nix +++ b/homeConfigurations/muede/default.nix @@ -23,6 +23,15 @@ ]; config = { + my = { + # keep-sorted start + gnome-extensions.enable = true; + nano.enable = true; + templates.enable = true; + zsh.enable = true; + # keep-sorted end + }; + programs = { home-manager.enable = true; fzf.enable = true; diff --git a/homeConfigurations/ronja/default.nix b/homeConfigurations/ronja/default.nix index 0f202cd..4d5c5ee 100644 --- a/homeConfigurations/ronja/default.nix +++ b/homeConfigurations/ronja/default.nix @@ -2,6 +2,14 @@ { imports = [ ./vscode.nix ]; config = { + my = { + # keep-sorted start + nano.enable = true; + templates.enable = true; + zsh.enable = true; + # keep-sorted end + }; + home.packages = with pkgs; [ ## Apps telegram-desktop diff --git a/homeModules/gnome-extensions.nix b/homeModules/gnome-extensions.nix index 071fa15..20b3a70 100644 --- a/homeModules/gnome-extensions.nix +++ b/homeModules/gnome-extensions.nix 
@@ -18,7 +18,7 @@ }; in { - enable = mkDefaultEnabledOption "gnome extended options"; + enable = lib.mkEnableOption "gnome extended options"; appindicator.enable = mkDefaultEnabledOption "appindicator"; caffeine.enable = mkDefaultEnabledOption "caffeine"; tailscale-qs.enable = lib.mkOption { diff --git a/homeModules/nano.nix b/homeModules/nano.nix index ab3e7b2..2293b99 100644 --- a/homeModules/nano.nix +++ b/homeModules/nano.nix @@ -1,9 +1,14 @@ +{ lib, config, ... }: { - home = { - sessionVariables.EDITOR = "nano"; - file.".nanorc".text = '' - set linenumbers - set mouse - ''; + options.my.nano.enable = lib.mkEnableOption "nano editor config"; + + config = lib.mkIf config.my.nano.enable { + home = { + sessionVariables.EDITOR = "nano"; + file.".nanorc".text = '' + set linenumbers + set mouse + ''; + }; }; } diff --git a/homeModules/tailscale.nix b/homeModules/tailscale.nix index 34d1c3d..5f51fc9 100644 --- a/homeModules/tailscale.nix +++ b/homeModules/tailscale.nix @@ -1,4 +1,12 @@ -{ osConfig, thisDevice, ... }: +{ lib, config, osConfig, thisDevice, ... }: { - services.tailscale-systray.enable = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable; + options.my.tailscale.enable = lib.mkOption { + type = lib.types.bool; + default = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable; + description = "Whether to enable the Tailscale system tray applet. Defaults to true on desktops with Tailscale enabled."; + }; + + config = lib.mkIf config.my.tailscale.enable { + services.tailscale-systray.enable = true; + }; } diff --git a/homeModules/templates.nix b/homeModules/templates.nix index 71d2e0b..e0a6df2 100644 --- a/homeModules/templates.nix +++ b/homeModules/templates.nix 
@@ -1,12 +1,17 @@ +{ lib, config, ... }: { - home.file = { - "Templates/Empty file".text = ""; - "Templates/Empty bash script".text = '' - #!/usr/bin/env bash - # abort on error, undefined variables - set -eu - # print commands before execution - set -x - ''; + options.my.templates.enable = lib.mkEnableOption "file templates"; + + config = lib.mkIf config.my.templates.enable { + home.file = { + "Templates/Empty file".text = ""; + "Templates/Empty bash script".text = '' + #!/usr/bin/env bash + # abort on error, undefined variables + set -eu + # print commands before execution + set -x + ''; + }; }; } diff --git a/homeModules/zsh-basics.nix b/homeModules/zsh-basics.nix index 0b0e281..50e116a 100644 --- a/homeModules/zsh-basics.nix +++ b/homeModules/zsh-basics.nix @@ -1,13 +1,18 @@ +{ lib, config, ... }: { - programs = { - command-not-found.enable = true; - dircolors.enable = true; + options.my.zsh.enable = lib.mkEnableOption "zsh with basic settings"; - zsh = { - enable = true; - syntaxHighlighting.enable = true; - autosuggestion.enable = true; - enableVteIntegration = true; + config = lib.mkIf config.my.zsh.enable { + programs = { + command-not-found.enable = true; + dircolors.enable = true; + + zsh = { + enable = true; + syntaxHighlighting.enable = true; + autosuggestion.enable = true; + enableVteIntegration = true; + }; }; }; } diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix index c0d3a80..1c39c23 100644 --- a/nixosConfigurations.nix +++ b/nixosConfigurations.nix @@ -96,16 +96,7 @@ forDevice ( useGlobalPkgs = true; useUserPackages = true; users = home-manager-users; - sharedModules = [ - { home.stateVersion = "22.11"; } - # keep-sorted start - self.homeModules.gnome-extensions - self.homeModules.nano - self.homeModules.tailscale - self.homeModules.templates - self.homeModules.zsh-basics - # keep-sorted end - ]; + sharedModules = [ { home.stateVersion = "22.11"; } ] ++ builtins.attrValues self.homeModules; }; time.timeZone = "Europe/Berlin"; 
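Review bot: `builtins.attrValues self.homeModules` imports every attribute of `self.homeModules` into every home-manager user on every device, so a module added to that set later without a `my.*.enable` gate applies unconditionally, whereas the explicit keep-sorted list it replaces made each import a deliberate choice. The rest of this patch gates nano, templates, zsh-basics and gnome-extensions, but nothing on this line records that every future module must do the same; a comment would make the contract explicit: `# every module in self.homeModules is imported for all users, so each must keep its config behind an enable option`. `attrValues` orders by attribute name, so the import order is deterministic. The enclosing `home-manager` attrset starts and ends outside the hunk.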
From 9bff3f718f51080897ade7eda4de06611675f5ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 16:04:27 +0200 Subject: [PATCH 2/7] ditributed builds: use fqdn if available --- devices.nix | 1 + nixosModules/distributed-builds.nix | 31 ++++++++++++++++++----------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/devices.nix b/devices.nix index 7313e7b..a4fbeb4 100644 --- a/devices.nix +++ b/devices.nix @@ -26,6 +26,7 @@ in }; forgejo-runner-1 = { system = "aarch64-linux"; + publicFqdn = "forgejo-runner-1.dev.zerforschen.plus"; distributedBuilds = { isBuilder = true; speedFactor = 1; diff --git a/nixosModules/distributed-builds.nix b/nixosModules/distributed-builds.nix index 50d9ee6..84628e4 100644 --- a/nixosModules/distributed-builds.nix +++ b/nixosModules/distributed-builds.nix @@ -21,13 +21,14 @@ let _: v: (v.distributedBuilds or { }).isBuilder or false ) allDevices; + sshHostname = m: m.publicFqdn or m.hostName; + buildServerKnownHosts = lib.pipe buildServerDevices [ (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey)) - (lib.mapAttrs ( - _: v: { - publicKey = v.distributedBuilds.hostPublicKey; - } - )) + (lib.mapAttrs (name: v: { + publicKey = v.distributedBuilds.hostPublicKey; + hostNames = [ (v.publicFqdn or name) ]; + })) ]; remoteBuildServerDevices = builtins.filter ( @@ -37,7 +38,7 @@ let buildMachines = map ( m: { - hostName = m.hostName; + hostName = sshHostname m; systems = [ m.system ]; sshUser = buildUser; sshKey = clientSshKeyPath; @@ -65,6 +66,8 @@ in # All machines { nix.settings = { + #fallback = true; + connect-timeout = 5; trusted-public-keys = lib.pipe buildServerDevices [ (lib.mapAttrsToList (_: v: v.distributedBuilds.storeSigningPublicKey or null)) (builtins.filter (k: k != null)) 
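Review bot: `hostNames = [ (v.publicFqdn or name) ];` removes the short device name from the known_hosts entry whenever `publicFqdn` is set; the previous entry, with NixOS's default of `hostNames = [ name ]`, pinned the builder's key under `forgejo-runner-1` itself. `buildMachines` and the substituter URLs switch to the FQDN in the same commit, so those paths stay pinned, but anything that still reaches the host by its short name no longer matches a pinned key and falls back to ssh's interactive host-key prompt. The `Match originalhost` block later in this patch already lists both names; mirroring it here with `hostNames = lib.unique [ name (v.publicFqdn or name) ];` keeps the key pinned for either spelling. Whether any remaining path uses the short name is not visible from the diff.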
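Review bot: `#fallback = true;` is commented-out configuration in the new code with no explanation of why it is kept, so the next reader cannot tell whether it was rejected or is pending; either drop the line or replace it with a comment stating the reason it stays disabled. `connect-timeout = 5` applies to every substituter, including the remote builders now reached over the public FQDN introduced in this patch, so a slow link makes Nix skip them silently rather than fail; if that is intended, a one-line comment such as `# 5s: skip unreachable remote substituters quickly instead of stalling builds` would record it. The `nix.settings` attrset continues outside the hunk.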
@@ -103,11 +106,15 @@ in programs.ssh = { knownHosts = buildServerKnownHosts; extraConfig = lib.concatStringsSep "\n" ( - lib.mapAttrsToList (name: _: '' - Match originalhost ${name} user ${buildUser} - IdentityFile ${clientSshKeyPath} - IdentitiesOnly yes - '') buildServerDevices + lib.mapAttrsToList (name: v: + let + names = lib.unique [ name (v.publicFqdn or name) ]; + in + '' + Match originalhost ${lib.concatStringsSep "," names} user ${buildUser} + IdentityFile ${clientSshKeyPath} + IdentitiesOnly yes + '') buildServerDevices ); }; nix = { @@ -115,7 +122,7 @@ in buildMachines = buildMachines; settings = { builders-use-substitutes = true; - substituters = map (m: "ssh-ng://${buildUser}@${m.hostName}") ( + substituters = map (m: "ssh-ng://${buildUser}@${sshHostname m}") ( builtins.filter (m: m.distributedBuilds ? storeSigningPublicKey) remoteBuildServerDevices ); }; From 7de5751743ccba459fbde3b1a11c44b4af13ac31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 16:13:47 +0200 Subject: [PATCH 3/7] distributed builds: add assertions, nix fmt --- homeModules/tailscale.nix | 8 +++++- nixosModules/distributed-builds.nix | 41 ++++++++++++++++++++++------- 2 files changed, 38 insertions(+), 11 deletions(-) diff --git a/homeModules/tailscale.nix b/homeModules/tailscale.nix index 5f51fc9..686bf84 100644 --- a/homeModules/tailscale.nix +++ b/homeModules/tailscale.nix @@ -1,4 +1,10 @@ -{ lib, config, osConfig, thisDevice, ... }: +{ + lib, + config, + osConfig, + thisDevice, + ... +}: { options.my.tailscale.enable = lib.mkOption { type = lib.types.bool; diff --git a/nixosModules/distributed-builds.nix b/nixosModules/distributed-builds.nix index 84628e4..c08d657 100644 --- a/nixosModules/distributed-builds.nix +++ b/nixosModules/distributed-builds.nix 
@@ -25,15 +25,17 @@ let buildServerKnownHosts = lib.pipe buildServerDevices [ (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey)) - (lib.mapAttrs (name: v: { - publicKey = v.distributedBuilds.hostPublicKey; - hostNames = [ (v.publicFqdn or name) ]; - })) + (lib.mapAttrs ( + name: v: { + publicKey = v.distributedBuilds.hostPublicKey; + hostNames = [ (v.publicFqdn or name) ]; + } + )) ]; - remoteBuildServerDevices = builtins.filter ( - m: m.hostName != config.networking.hostName - ) (lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices); + remoteBuildServerDevices = builtins.filter (m: m.hostName != config.networking.hostName) ( + lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices + ); buildMachines = map ( m: @@ -65,6 +67,20 @@ in # All machines { + assertions = + lib.mapAttrsToList (name: v: { + assertion = v.distributedBuilds ? hostPublicKey && v.distributedBuilds ? storeSigningPublicKey; + message = "devices.${name}: isBuilder = true requires distributedBuilds.hostPublicKey and distributedBuilds.storeSigningPublicKey"; + }) buildServerDevices + ++ lib.mapAttrsToList (name: v: { + assertion = lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey; + message = "devices.${name}: distributedBuilds.clientPublicKey must start with 'ssh-'"; + }) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey) allDevices) + ++ lib.mapAttrsToList (name: v: { + assertion = builtins.match ".+:.+" v.distributedBuilds.storeSigningPublicKey != null; + message = "devices.${name}: distributedBuilds.storeSigningPublicKey must be in ':' format"; + }) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? storeSigningPublicKey) allDevices); + nix.settings = { #fallback = true; connect-timeout = 5; 
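Review bot: `lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey` rejects valid OpenSSH public keys whose type does not start with `ssh-`, namely `ecdsa-sha2-nistp*` and the FIDO types `sk-ssh-ed25519@openssh.com` / `sk-ecdsa-sha2-*`, so the assertion is stricter than "well-formed public key"; whether any such key exists in devices.nix cannot be seen here. A full-line match is both wider and more precise: `assertion = builtins.match "(sk-)?(ssh|ecdsa)-[^ ]+ [A-Za-z0-9+/=]+( .*)?" v.distributedBuilds.clientPublicKey != null;`. The third message, `must be in ':' format`, reads as if a placeholder was lost; `must be in 'name:base64-key' format` tells the user what is expected. The first assertion checks only that `hostPublicKey` is present, so the same type check would be the natural addition there, since that key is what pins the builder in known_hosts.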
@@ -106,15 +122,20 @@ in programs.ssh = { knownHosts = buildServerKnownHosts; extraConfig = lib.concatStringsSep "\n" ( - lib.mapAttrsToList (name: v: + lib.mapAttrsToList ( + name: v: let - names = lib.unique [ name (v.publicFqdn or name) ]; + names = lib.unique [ + name + (v.publicFqdn or name) + ]; in '' Match originalhost ${lib.concatStringsSep "," names} user ${buildUser} IdentityFile ${clientSshKeyPath} IdentitiesOnly yes - '') buildServerDevices + '' + ) buildServerDevices ); }; nix = { From d2acd47e715a97240c2136fefda4a10654e2c152 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 16:29:34 +0200 Subject: [PATCH 4/7] move some imports to desktop only --- nixosConfigurations.nix | 36 ++++++++++++------------- nixosModules/muede-desktop-settings.nix | 3 --- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix index 1c39c23..55af611 100644 --- a/nixosConfigurations.nix +++ b/nixosConfigurations.nix @@ -45,10 +45,6 @@ forDevice ( # keep-sorted start home-manager.nixosModules.home-manager lanzaboote.nixosModules.lanzaboote - nova-shell.nixosModules.default - servicepoint-cli.nixosModules.default - servicepoint-simulator.nixosModules.default - servicepoint-tanks.nixosModules.default stylix.nixosModules.stylix zerforschen-plus.nixosModules.default # keep-sorted end 
@@ -80,15 +76,32 @@ forDevice ( lixIsNix.enable = true; openssh.enable = true; overlays.unstable.enable = true; - overlays.vscodeExtensions.enable = true; # prometheusNode.enable = true; systemdBoot.enable = true; tailscale.enable = true; # keep-sorted end + + # keep-sorted start + enDe.enable = isDesktop; + firmwareUpdates.enable = isDesktop; + gnome.enable = isDesktop; + kdeconnect.enable = isDesktop; + modernDesktop.enable = isDesktop; + nixLd.enable = isDesktop; + overlays.vscodeExtensions.enable = isDesktop; + quietBoot.enable = isDesktop; + stylix.enable = isDesktop; + # keep-sorted end }; } ] ++ lib.optionals isDesktop [ + inputs.niri.nixosModules.niri + nova-shell.nixosModules.default + servicepoint-cli.nixosModules.default + servicepoint-simulator.nixosModules.default + servicepoint-tanks.nixosModules.default + # Desktop config { home-manager = { @@ -106,19 +119,6 @@ forDevice ( daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; }; - - my = { - # keep-sorted start - enDe.enable = true; - firmwareUpdates.enable = true; - gnome.enable = true; - kdeconnect.enable = true; - modernDesktop.enable = true; - nixLd.enable = true; - quietBoot.enable = true; - stylix.enable = true; - # keep-sorted end - }; } ]; } diff --git a/nixosModules/muede-desktop-settings.nix b/nixosModules/muede-desktop-settings.nix index 8f25f62..980af13 100644 --- a/nixosModules/muede-desktop-settings.nix +++ b/nixosModules/muede-desktop-settings.nix @@ -2,12 +2,9 @@ lib, config, pkgs, - niri, ... }: { - imports = [ niri.nixosModules.niri ]; - options.my.muedeDesktopSettings.enable = lib.mkEnableOption "muede desktop settings (Firefox, Logitech, RDP)"; config = lib.mkIf config.my.muedeDesktopSettings.enable { From 63ce7eac05ea8610ebb2cf4b9933d5f5e08619e3 Mon Sep 17 00:00:00 2001 
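Review bot: `inputs.niri.nixosModules.niri` reaches the module through `inputs`, while the four lines under it use the bare flake-input names (`nova-shell.nixosModules.default`, …), so one list mixes two access styles; whether `inputs` is bound by the function header, which is outside the hunk, cannot be checked here, but the inconsistency is worth settling one way. With the niri import moved out of muede-desktop-settings.nix (the second file in this commit), that module now relies on the caller importing niri on its behalf and nothing in the module says so; a comment at the top of its config block, `# relies on inputs.niri.nixosModules.niri, imported for desktop devices in nixosConfigurations.nix`, would record the dependency. The enclosing `lib.optionals isDesktop` list and the `my` attrset both extend beyond the hunk.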
From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 16:32:26 +0200 Subject: [PATCH 5/7] move allowedUnfreePackages into my namespace --- nixosConfigurations/damocles/android-dev.nix | 2 +- nixosConfigurations/damocles/claude-container.nix | 2 +- nixosModules/allowed-unfree-list.nix | 4 ++-- nixosModules/intel-graphics.nix | 2 +- nixosModules/steam.nix | 2 +- nixosModules/user-muede.nix | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/nixosConfigurations/damocles/android-dev.nix b/nixosConfigurations/damocles/android-dev.nix index ea5432c..f484e6a 100644 --- a/nixosConfigurations/damocles/android-dev.nix +++ b/nixosConfigurations/damocles/android-dev.nix @@ -12,7 +12,7 @@ in { nixpkgs.config.android_sdk.accept_license = true; - allowedUnfreePackages = [ + my.allowedUnfreePackages = [ "android-sdk-cmdline-tools" "android-sdk-platform-tools" "android-sdk-tools" diff --git a/nixosConfigurations/damocles/claude-container.nix b/nixosConfigurations/damocles/claude-container.nix index c568243..7df7b24 100644 --- a/nixosConfigurations/damocles/claude-container.nix +++ b/nixosConfigurations/damocles/claude-container.nix @@ -6,7 +6,7 @@ { my.overlays.unstable.enable = true; - allowedUnfreePackages = [ "claude-code" ]; + my.allowedUnfreePackages = [ "claude-code" ]; environment.systemPackages = with pkgs; [ unstable.claude-code diff --git a/nixosModules/allowed-unfree-list.nix b/nixosModules/allowed-unfree-list.nix index 7bfa758..2aee96f 100644 --- a/nixosModules/allowed-unfree-list.nix +++ b/nixosModules/allowed-unfree-list.nix @@ -1,6 +1,6 @@ { lib, config, ... }: { - options.allowedUnfreePackages = lib.mkOption { + options.my.allowedUnfreePackages = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; example = [ "steam" ]; 
@@ -10,7 +10,7 @@ nixpkgs.config = { # https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085 allowUnfreePredicate = lib.mkDefault ( - pkg: builtins.elem (lib.getName pkg) config.allowedUnfreePackages + pkg: builtins.elem (lib.getName pkg) config.my.allowedUnfreePackages ); }; }; diff --git a/nixosModules/intel-graphics.nix b/nixosModules/intel-graphics.nix index b367489..619af5a 100644 --- a/nixosModules/intel-graphics.nix +++ b/nixosModules/intel-graphics.nix @@ -22,6 +22,6 @@ ]; }; environment.systemPackages = with pkgs; [ nvtopPackages.intel ]; - allowedUnfreePackages = [ "intel-ocl" ]; + my.allowedUnfreePackages = [ "intel-ocl" ]; }; } diff --git a/nixosModules/steam.nix b/nixosModules/steam.nix index 78bbf71..3a4f25a 100644 --- a/nixosModules/steam.nix +++ b/nixosModules/steam.nix @@ -40,7 +40,7 @@ ]; }; - allowedUnfreePackages = [ + my.allowedUnfreePackages = [ "steam" "steam-original" "steam-run" diff --git a/nixosModules/user-muede.nix b/nixosModules/user-muede.nix index 20f9cdb..078cb96 100644 --- a/nixosModules/user-muede.nix +++ b/nixosModules/user-muede.nix @@ -31,7 +31,7 @@ nix.settings.trusted-users = [ "muede" ]; - allowedUnfreePackages = [ + my.allowedUnfreePackages = [ "rider" "pycharm-professional" "jetbrains-toolbox" From d75e91b7bc10dddec3c7c296f415386311093628 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 16:33:56 +0200 Subject: [PATCH 6/7] group options in my namespace --- .../damocles/claude-container.nix | 6 ++++-- nixosConfigurations/muede-lpt2/default.nix | 18 +++++++++++------- nixosConfigurations/muede-pc2/default.nix | 18 +++++++++++------- nixosConfigurations/ronja-pc/default.nix | 12 ++++++++---- nixosModules/gnome.nix | 6 +++--- 5 files changed, 37 insertions(+), 23 deletions(-) diff --git a/nixosConfigurations/damocles/claude-container.nix b/nixosConfigurations/damocles/claude-container.nix index 7df7b24..aea9343 100644 --- a/nixosConfigurations/damocles/claude-container.nix 
+++ b/nixosConfigurations/damocles/claude-container.nix @@ -5,8 +5,10 @@ }: { - my.overlays.unstable.enable = true; - my.allowedUnfreePackages = [ "claude-code" ]; + my = { + allowedUnfreePackages = [ "claude-code" ]; + overlays.unstable.enable = true; + }; environment.systemPackages = with pkgs; [ unstable.claude-code diff --git a/nixosConfigurations/muede-lpt2/default.nix b/nixosConfigurations/muede-lpt2/default.nix index 78c9d55..f52d735 100644 --- a/nixosConfigurations/muede-lpt2/default.nix +++ b/nixosConfigurations/muede-lpt2/default.nix @@ -5,13 +5,17 @@ ]; config = { - my.users.muede.enable = true; - my.wineGaming.enable = true; - my.steam.enable = true; - my.podman.enable = true; - my.muedeDesktopSettings.enable = true; - my.intelGraphics.enable = true; - my.secureBoot.enable = true; + my = { + # keep-sorted start + intelGraphics.enable = true; + muedeDesktopSettings.enable = true; + podman.enable = true; + secureBoot.enable = true; + steam.enable = true; + users.muede.enable = true; + wineGaming.enable = true; + # keep-sorted end + }; nix.settings.extra-platforms = [ "aarch64-linux" diff --git a/nixosConfigurations/muede-pc2/default.nix b/nixosConfigurations/muede-pc2/default.nix index 4686ffb..42f77b3 100644 --- a/nixosConfigurations/muede-pc2/default.nix +++ b/nixosConfigurations/muede-pc2/default.nix @@ -7,13 +7,17 @@ ]; config = { - my.users.muede.enable = true; - my.wineGaming.enable = true; - my.steam.enable = true; - my.podman.enable = true; - my.muedeDesktopSettings.enable = true; - my.amdGraphics.enable = true; - my.secureBoot.enable = true; + my = { + # keep-sorted start + amdGraphics.enable = true; + muedeDesktopSettings.enable = true; + podman.enable = true; + secureBoot.enable = true; + steam.enable = true; + users.muede.enable = true; + wineGaming.enable = true; + # keep-sorted end + }; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; nix.settings.extra-platforms = [ 
diff --git a/nixosConfigurations/ronja-pc/default.nix b/nixosConfigurations/ronja-pc/default.nix index 85227ff..2a56407 100644 --- a/nixosConfigurations/ronja-pc/default.nix +++ b/nixosConfigurations/ronja-pc/default.nix @@ -5,10 +5,14 @@ ]; config = { - my.users.ronja.enable = true; - my.steam.enable = true; - my.wineGaming.enable = true; - my.muedeDesktopSettings.enable = true; + my = { + # keep-sorted start + muedeDesktopSettings.enable = true; + steam.enable = true; + users.ronja.enable = true; + wineGaming.enable = true; + # keep-sorted end + }; # Configure keymap in X11 services.xserver.xkb = { diff --git a/nixosModules/gnome.nix b/nixosModules/gnome.nix index 8311373..fd195e8 100644 --- a/nixosModules/gnome.nix +++ b/nixosModules/gnome.nix @@ -5,9 +5,9 @@ ... }: { - options = { - my.gnome.enable = lib.mkEnableOption "GNOME desktop environment"; - my.gnome.keep-default-apps = lib.mkEnableOption "keep gnome default apps"; + options.my.gnome = { + enable = lib.mkEnableOption "GNOME desktop environment"; + keep-default-apps = lib.mkEnableOption "keep gnome default apps"; }; config = lib.mkIf config.my.gnome.enable ( From a2494f52134980e9b0ae7a87df494afb45fca4ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sun, 3 May 2026 17:11:13 +0200 Subject: [PATCH 7/7] ssh: block sleep while conntections acive --- nixosModules/openssh.nix | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/nixosModules/openssh.nix b/nixosModules/openssh.nix index bed46f8..f1ba770 100644 --- a/nixosModules/openssh.nix +++ b/nixosModules/openssh.nix @@ -1,4 +1,10 @@ -{ lib, config, ... }: +{ + lib, + config, + pkgs, + thisDevice, + ... +}: { options.my.openssh.enable = lib.mkEnableOption "OpenSSH server"; 
@@ -12,5 +18,35 @@ KbdInteractiveAuthentication = false; }; }; + + # On desktops, hold a systemd sleep inhibitor while SSH connections are active + security.pam.services.sshd.rules.session.ssh-inhibit = lib.mkIf (thisDevice.isDesktop or false) { + order = 10000; + control = "optional"; + modulePath = "${pkgs.pam}/lib/security/pam_exec.so"; + args = [ + "quiet" + "${pkgs.writeShellScript "ssh-inhibit-pam" '' + PIDFILE="/run/ssh-inhibitor-''${PPID}.pid" + case "''${PAM_TYPE:-}" in + open) + ${pkgs.systemd}/bin/systemd-inhibit \ + --what=sleep \ + --who=sshd \ + --why="SSH session active" \ + --mode=block \ + sleep infinity & + echo $! > "$PIDFILE" + ;; + close) + if [ -f "$PIDFILE" ]; then + kill "$(cat "$PIDFILE")" 2>/dev/null || true + rm -f "$PIDFILE" + fi + ;; + esac + ''}" + ]; + }; }; }
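Review bot: The `close)` branch kills, as root, whatever PID is stored in `/run/ssh-inhibitor-$PPID.pid`; if the inhibitor has already exited and the kernel reused the PID, an unrelated process receives SIGTERM, and if sshd dies before the session closes the PID file and the inhibitor are left behind with nothing to clean them up. Running the inhibitor as a transient unit named after the session removes the PID file and the kill-by-number entirely and makes the lock visible in `systemctl list-units`; the rewritten script is below. The script also calls `sleep`, `cat` and `rm` by bare name, which depends on the PATH that sshd.service hands to pam_exec, so the coreutils path is spelled out in the rewrite. That `$PPID` is the same process for the open and close calls is assumed by both versions and worth confirming against sshd's privilege separation. `control = "optional"` is the right choice: a failure of this hook must never block a login.
```nix
args = [
  "quiet"
  "${pkgs.writeShellScript "ssh-inhibit-pam" ''
    UNIT="ssh-inhibit-''${PPID}"
    case "''${PAM_TYPE:-}" in
      open)
        ${pkgs.systemd}/bin/systemd-run --quiet --collect --unit="$UNIT" \
          ${pkgs.systemd}/bin/systemd-inhibit --what=sleep --who=sshd \
          --why="SSH session active" --mode=block \
          ${pkgs.coreutils}/bin/sleep infinity
        ;;
      close)
        ${pkgs.systemd}/bin/systemctl stop "$UNIT" 2>/dev/null || true
        ;;
    esac
  ''}"
];
```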