Switch to flake-based configuration

nixos/modules/avahi.nix

@@ -0,0 +1,13 @@
+{
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish.enable = true;
+    publish.domain = true;
+    publish.addresses = true;
+    publish.workstation = true;
+    publish.userServices = true;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 5353 ];
+}

nixos/modules/common.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }: {
+  imports = [ ./ssh.nix ];
+
+  nixpkgs.config.allowUnfree = true;
+  i18n.defaultLocale = "en_US.UTF-8";
+  kevin.ssh.server.enable = true;
+
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de";
+  };
+
+  services.xserver.layout = "de";   
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    curl
+    tmux
+  ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}

nixos/modules/default.nix

@@ -1,6 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./kevin/default.nix
-  ];
-}

nixos/modules/firewall/kde-connect.nix

@@ -0,0 +1,5 @@
+{
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 1714; to = 1764; }
+  ];
+}

nixos/modules/firewall/syncthing.nix

@@ -0,0 +1,4 @@
+{
+  networking.firewall.allowedTCPPorts = [ 22000 ];
+  networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+}

nixos/modules/firewall/wireguard.nix

@@ -0,0 +1,22 @@
+{ lib, ... }: 
+let 
+  wireguardPort = 51820;
+in
+{
+  networking.firewall = {
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+
+    allowedUDPPorts = [ wireguardPort ];
+
+    # wireguard trips rpfilter up
+    extraCommands = ''
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN
+    '';
+    extraStopCommands = ''
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN || true
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN || true
+    '';
+  };
+}

nixos/modules/gnome.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+{
+  services.xserver.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  services.flatpak.enable = true;
+
+  environment.systemPackages = [
+    pkgs.gnome.gnome-tweaks
+    pkgs.gnome.dconf-editor
+  ];
+}

nixos/modules/kevin/audio.nix

@@ -1,23 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;                      
-let
-  cfg = config.kevin.audio;
-in {
-  options.kevin.audio = {
-    enable = mkEnableOption "kevins audio";
-  };
-
-  config = mkIf cfg.enable (mkMerge [
-    ({
-      hardware.pulseaudio.enable = false;
-      security.rtkit.enable = true;
-      services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        alsa.support32Bit = true;
-        pulse.enable = true;
-        jack.enable = true;
-      };
-    })
-  ]);
-}

nixos/modules/kevin/default.nix

@@ -1,157 +0,0 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let cfg = config.kevin;
-in {
-  imports = [
-    ./power.nix
-    ./networking.nix
-    ./audio.nix
-    ./desktop.nix
-    ./yubikey.nix
-    ./ssh.nix
-  ];
-
-  options.kevin = {
-    defaults = mkOption {
-      type = types.enum [ "none" "laptop" "desktop" ];
-      default = "none";
-    };
-  };
-
-  config = mkIf (cfg.defaults != "none") (mkMerge [
-    ({
-      nixpkgs.config.allowUnfree = true;
-      i18n.defaultLocale = "en_US.UTF-8";
-      kevin.ssh.server.enable = true;     
- 
-      console = {
-        font = "Lat2-Terminus16";
-        keyMap = "de";
-      };
-
-      services.xserver.layout = "de";   
-   
-      environment.systemPackages = with pkgs; [
-        vim
-        wget
-        curl
-        tmux
-      ];
-    })
-    (mkIf (cfg.defaults == "laptop" || cfg.defaults == "desktop") {
-      kevin.networking.enable = true;
-      kevin.networking.avahi.enable = true;
-      kevin.networking.firewall.wireguard = true;
-      kevin.networking.firewall.kdeConnect = true;
-      kevin.audio.enable = true;
-      kevin.desktop.enable = true;
-      kevin.desktop.type = "gnome";
-      kevin.yubikey.enable = true;
-
-      networking.networkmanager.enable = true;
-
-      environment.systemPackages = with pkgs; [
-        firefox
-        league-of-moveable-type
-        hunspell
-        hunspellDicts.de_DE
-      ];
-
-      programs.gnupg.agent = {
-        enable = true;
-        # enableSSHSupport = true;
-      };
-
-      kevin.networking.firewall.syncthing = true;
-      services.syncthing = {
-        enable = true;
-        user = "kevin";
-        dataDir = "/home/kevin/Syncthing";
-        configDir = "/home/kevin/Syncthing/.config/syncthing";
-      };
-
-      services.fwupd.enable = true;
-      hardware.cpu.intel.updateMicrocode = true;
-
-      boot.supportedFilesystems = [ "ntfs" ];
-
-      services.printing.enable = true;
-
-      virtualisation.docker.enable = true;
-
-      users.users.kevin = {
-        isNormalUser = true;
-        description = "Kevin Kandlbinder";
-        extraGroups = [ "wheel" "docker" "dialout" "networkmanager" "floppy" "audio" "lp" "cdrom" "tape" "video" "render" ]; 
-      };
-      kevin.ssh.authorized.kevin.users = ["kevin" "root"];
-    })
-    (mkIf (cfg.defaults == "desktop") {
-      services.xserver.videoDrivers = [ "nvidia" ];
-      hardware.opengl.enable = true;
-
-      services.clamav.daemon.enable = true;
-      services.clamav.updater.enable = true;
-      #services.opensnitch.enable = true;
-      networking.hostName = "kevin-PC";
-
-      hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
-    })
-    (mkIf (cfg.defaults == "laptop") {
-      kevin.power.mode = "laptop";
-      networking.hostName = "kevin-tp-l580";
-
-      services.xserver.libinput.enable = true;
-
-      hardware.opengl.extraPackages = with pkgs; [
-        vaapiIntel
-        libvdpau-va-gl
-        intel-media-driver
-      ];
-
-      
-      specialisation.xmonad.configuration = {
-        kevin.desktop.type = mkForce "xmonad";
-      };
-
-
-      boot.kernel.sysctl = {
-        "vm.swappiness" = 1;
-        "vm.vfs_cache_pressure" = 50;
-        "vm.dirty_background_ratio" = 20;
-        "vm.dirty_ratio" = 50;
-        # these are the zen-kernel tweaks to CFS defaults (mostly)
-        "kernel.sched_latency_ns" = 4000000;
-        # should be one-eighth of sched_latency (this ratio is not
-        # configurable, apparently -- so while zen changes that to
-        # one-tenth, we cannot):
-        "kernel.sched_min_granularity_ns" = 500000;
-        "kernel.sched_wakeup_granularity_ns" = 50000;
-        "kernel.sched_migration_cost_ns" = 250000;
-        "kernel.sched_cfs_bandwidth_slice_us" = 3000;
-        "kernel.sched_nr_migrate" = 128;
-      };
-
-      systemd = {
-        extraConfig = ''
-          DefaultCPUAccounting=yes
-          DefaultMemoryAccounting=yes
-          DefaultIOAccounting=yes
-        '';
-        user.extraConfig = ''
-          DefaultCPUAccounting=yes
-          DefaultMemoryAccounting=yes
-          DefaultIOAccounting=yes
-        ''; 
-        services."user@".serviceConfig.Delegate = true;
-      };
-  
-      systemd.services.nix-daemon.serviceConfig = {
-        CPUWeight = 20;
-        IOWeight = 20;
-      };
-
-      boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"];
-    })
-  ]);
-}

nixos/modules/kevin/desktop.nix

@@ -1,138 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;                      
-let
-  cfg = config.kevin.desktop;
-in {
-  options.kevin.desktop = {
-    enable = mkEnableOption "kevins desktop";
-    type = mkOption {
-      type = types.enum [ "gnome" "xmonad" ];
-      default = "gnome";
-    };
-  };
-
-  config = mkIf cfg.enable (mkMerge [
-    (mkIf (cfg.type == "gnome") {
-      services.xserver.enable = true;
-      services.xserver.displayManager.gdm.enable = true;
-      services.xserver.desktopManager.gnome.enable = true;
-      services.flatpak.enable = true;
-    })
-    (mkIf (cfg.type == "xmonad") {
-      services = {
-        gnome.gnome-keyring.enable = true;
-        upower.enable = true;
-
-        dbus = {
-          enable = true;
-          #socketActivated = true;
-          # packages = [ pkgs.gnome3.dconf ];
-        };
-
-        xserver = {
-          enable = true;
-          # startDbusSession = true;
-          layout = "de";
-
-          libinput = {
-            enable = true;
-          };
-
-          displayManager.defaultSession = "none+xmonad";
-
-          windowManager.xmonad = {
-            enable = true;
-            enableContribAndExtras = true;
-            extraPackages = hp: [
-              hp.dbus
-              hp.monad-logger
-              hp.xmonad-contrib
-            ];
-          };
-
-          xkbOptions = "caps:ctrl_modifier";
-        }; # /xserver
-      }; # /services
-
-      hardware.bluetooth.enable = true;
-      services.blueman.enable = true;
-
-      systemd.services.upower.enable = true;
-
-
-      home-manager.users.kevin = {
-        home.packages = with pkgs; [
-          nitrogen
-          polybar
-        ];
-
-        programs.rofi = {
-          enable = true;
-          terminal = "${pkgs.xterm}/bin/xterm";
-          # theme = ./theme.rafi;
-        };
-        
-        services.dunst = {
-          enable = true;
-          iconTheme = {
-            name = "Adwaita";
-            package = pkgs.gnome3.adwaita-icon-theme;
-            size = "16x16";
-          };
-          settings = {
-            global = {
-              monitor = 0;
-              geometry = "600x50-50+65";
-              shrink = "yes";
-              transparency = 10;
-              padding = 16;
-              horizontal_padding = 16;
-              font = "JetBrainsMono Nerd Font 10";
-              line_height = 4;
-              format = ''<b>%s</b>\n%b'';
-            };
-          };
-
-        };
-
-        services.picom = {
-          enable = true;
-          activeOpacity = 1.0;
-          inactiveOpacity = 0.8;
-          backend = "glx";
-          fade = true;
-          fadeDelta = 5;
-          #opacityRule = [ "100:name *= 'i3lock'" ];
-          shadow = false;
-          settings = {
-            corner-radius = 10;
-            blur-background = true;
-            blur-background-fixed = true;
-            blur = {
-              method = "gaussian";
-              size = 100;
-            };
-          };
-        };
-
-        services.screen-locker = {
-          enable = true;
-          inactiveInterval = 30;
-          lockCmd = "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim";
-          xautolockExtraOptions = [
-            "Xautolock.killer: systemctl suspend"
-          ];
-        };
-
-
-        services.udiskie = {
-          enable = true;
-          tray = "always";
-        };
-
-
-      };
-
-    })
-  ]);
-}

nixos/modules/kevin/networking.nix

@@ -1,74 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;                      
-let
-  cfg = config.kevin.networking;
-in {
-  options.kevin.networking = {
-    enable = mkEnableOption "kevins networking";
-    avahi.enable = mkEnableOption "avahi";
-    ssh.enable = mkEnableOption "ssh";
-    firewall.wireguard = mkEnableOption "wireguard exceptions";
-    firewall.wireguardPort = mkOption {
-      type = types.int;
-      default = 51820;
-      description = "Port used by your Wireguard";
-    };
-    firewall.syncthing = mkEnableOption "syncthing exceptions";
-    firewall.kdeConnect = mkEnableOption "KDE Connect exceptions";
-  };
-
-  config = mkIf cfg.enable (mkMerge [
-    (mkIf cfg.avahi.enable {
-      services.avahi = {
-        enable = true;
-        nssmdns = true;
-        publish.enable = true;
-        publish.domain = true;
-        publish.addresses = true;
-        publish.workstation = true;
-        publish.userServices = true;
-      };
- 
-      networking.firewall.allowedUDPPorts = [ 5353 ];
-    })
-    (mkIf cfg.ssh.enable {
-      services.openssh = {
-        enable = true;
-        # require public key authentication for better security
-        passwordAuthentication = false;
-        kbdInteractiveAuthentication = false;
-        #permitRootLogin = "yes";
-      };
-      
-      networking.firewall.allowedTCPPorts = [ 22 ];
-    })
-    (mkIf cfg.firewall.wireguard {
-      networking.firewall = {
-        # if packets are still dropped, they will show up in dmesg
-        logReversePathDrops = true;
-
-        allowedUDPPorts = [ cfg.firewall.wireguardPort ];
-
-
-        # wireguard trips rpfilter up
-        extraCommands = ''
-          ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN
-          ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN
-        '';
-        extraStopCommands = ''
-          ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN || true
-          ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN || true
-        '';
-      };
-    })
-    (mkIf cfg.firewall.syncthing {
-      networking.firewall.allowedTCPPorts = [ 22000 ];
-      networking.firewall.allowedUDPPorts = [ 22000 21027 ];
-    })
-    (mkIf cfg.firewall.kdeConnect {
-      networking.firewall.allowedUDPPortRanges = [
-        { from = 1714; to = 1764; }
-      ];
-    })
-  ]);
-}

nixos/modules/kevin/power.nix

@@ -1,78 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;                      
-let
-  cfg = config.kevin.power;
-in {
-  options.kevin.power = {
-    mode = mkOption {
-      type = types.enum [ "desktop" "laptop" ];
-      default = "desktop";
-    };
-  };
-
-  config = mkMerge [
-    (mkIf (cfg.mode == "laptop") {
-      powerManagement.powertop.enable = true;
-      services.thermald.enable = true;
-      services.power-profiles-daemon.enable = false;
-
-      services.tlp = {
-        enable = true;
-        settings = {
-            START_CHARGE_THRESH_BAT0 = 85;
-            STOP_CHARGE_THRESH_BAT0 = 90;
-
-            CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
-            CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
-
-            CPU_SCALING_MIN_FREQ_ON_AC = 800000;
-            CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
-            CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
-            CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
-
-            # Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
-            # A value of 0 disables, >=1 enables power saving (recommended: 1).
-            # Default: 0 (AC), 1 (BAT)
-            SOUND_POWER_SAVE_ON_AC = 0;
-            SOUND_POWER_SAVE_ON_BAT = 1;
-
-            # Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
-            # Default: on (AC), auto (BAT)
-            RUNTIME_PM_ON_AC = "on";
-            RUNTIME_PM_ON_BAT = "auto";
-
-            # Battery feature drivers: 0=disable, 1=enable
-            # Default: 1 (all)
-            NATACPI_ENABLE = 1;
-            TPACPI_ENABLE = 1;
-            TPSMAPI_ENABLE = 1;
-        };
-
-      };
-
-      boot.extraModprobeConfig = lib.mkMerge [
-        # idle audio card after one second
-        "options snd_hda_intel power_save=1"
-        # enable wifi power saving (keep uapsd off to maintain low latencies)
-        "options iwlwifi power_save=1 uapsd_disable=1"
-      ];
-      
-      boot.initrd.availableKernelModules = [
-        "thinkpad_acpi"
-      ];
-      
-      boot.kernelParams = ["intel_pstate=disable"];
-      boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
-
-      services.udev.extraRules = lib.mkMerge [
-        # autosuspend USB devices
-        ''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
-        # autosuspend PCI devices
-        ''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
-        # disable Ethernet Wake-on-LAN
-        ''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
-      ];
-      services.upower.enable = true;
-    })
-  ];
-}

nixos/modules/kevin/xmonad/polybar/config.ini

@@ -1,107 +0,0 @@
-[colors]
-background = #282A2E
-background-alt = #373B41
-foreground = #C5C8C6
-primary = #F0C674
-secondary = #8ABEB7
-alert = #A54242
-disabled = #707880
-
-[global/wm]
-margin-top = 0
-margin-bottom = 0
-
-[bar/main]
-width = 100%
-height = 48
-radius = 6.0
-fixed-center = true
-background = ${colors.background}
-foreground = ${colors.foreground}
-
-line-size = 3pt
-border-size = 4pt
-border-color = #00000000
-padding-left = 10px
-padding-right = 10px
-
-module-margin = 1
-separator = |
-separator-foreground = ${colors.disabled}
-
-font-0 = monospace;2
-
-[bar/top]
-inherit = bar/main
-modules-left = clock
-modules-center = 
-modules-right = filesystem xkeyboard memory cpu wlan eth
-
-enable-ipc = true
-
-[module/filesystem]
-type = internal/fs
-interval = 25
-
-mount-0 = /
-
-label-mounted = %{F#F0C674}%mountpoint%%{F-} %percentage_used%%
-
-label-unmounted = %mountpoint% not mounted
-label-unmounted-foreground = ${colors.disabled}
-
-[module/xkeyboard]
-type = internal/xkeyboard
-blacklist-0 = num lock
-
-label-layout = %layout%
-label-layout-foreground = ${colors.primary}
-
-label-indicator-padding = 2
-label-indicator-margin = 1
-label-indicator-foreground = ${colors.background}
-label-indicator-background = ${colors.secondary}
-
-[module/memory]
-type = internal/memory
-interval = 2
-format-prefix = "RAM "
-format-prefix-foreground = ${colors.primary}
-label = %percentage_used:2%%
-
-[module/cpu]
-type = internal/cpu
-interval = 2
-format-prefix = "CPU "
-format-prefix-foreground = ${colors.primary}
-label = %percentage:2%%
-
-[network-base]
-type = internal/network
-interval = 5
-format-connected = <label-connected>
-format-disconnected = <label-disconnected>
-label-disconnected = %{F#F0C674}%ifname%%{F#707880} disconnected
-
-[module/wlan]
-inherit = network-base
-interface-type = wireless
-label-connected = %{F#F0C674}%ifname%%{F-} %essid% %local_ip%
-
-[module/eth]
-inherit = network-base
-interface-type = wired
-label-connected = %{F#F0C674}%ifname%%{F-} %local_ip%
-
-[module/clock]
-type = internal/date
-interval = 1.0
-date = %Y-%m-%d%
-time = %H:%H:%S
-
-label = %date% %time%
-label-foreground = ${colors.primary}
-
-[settings]
-screenchange-reload = true
-pseudo-transparency = true

nixos/modules/kevin/yubikey.nix

@@ -1,21 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;                      
-let
-  cfg = config.kevin.yubikey;
-in {
-  options.kevin.yubikey = {
-    enable = mkEnableOption "yubikey setup";
-  };
-
-  config = mkIf cfg.enable (mkMerge [
-    ({
-      security.pam.yubico = {
-        enable = true;
-        debug = false;
-        mode = "challenge-response";
-      };
-
-      services.udev.packages = [ pkgs.yubikey-personalization ];
-    })
-  ]);
-}

nixos/modules/pipewire.nix

@@ -0,0 +1,11 @@
+{
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+}

nixos/modules/power/thinkpad.nix

@@ -0,0 +1,63 @@
+{ lib, pkgs, ... }: {
+  powerManagement.powertop.enable = true;
+  services.thermald.enable = true;
+  services.power-profiles-daemon.enable = false;
+
+  services.tlp = {
+    enable = true;
+    settings = {
+        START_CHARGE_THRESH_BAT0 = 85;
+        STOP_CHARGE_THRESH_BAT0 = 90;
+
+        CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
+        CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
+
+        CPU_SCALING_MIN_FREQ_ON_AC = 800000;
+        CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
+        CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
+        CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
+
+        # Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+        # A value of 0 disables, >=1 enables power saving (recommended: 1).
+        # Default: 0 (AC), 1 (BAT)
+        SOUND_POWER_SAVE_ON_AC = 0;
+        SOUND_POWER_SAVE_ON_BAT = 1;
+
+        # Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
+        # Default: on (AC), auto (BAT)
+        RUNTIME_PM_ON_AC = "on";
+        RUNTIME_PM_ON_BAT = "auto";
+
+        # Battery feature drivers: 0=disable, 1=enable
+        # Default: 1 (all)
+        NATACPI_ENABLE = 1;
+        TPACPI_ENABLE = 1;
+        TPSMAPI_ENABLE = 1;
+    };
+
+  };
+
+  boot.extraModprobeConfig = lib.mkMerge [
+    # idle audio card after one second
+    "options snd_hda_intel power_save=1"
+    # enable wifi power saving (keep uapsd off to maintain low latencies)
+    "options iwlwifi power_save=1 uapsd_disable=1"
+  ];
+  
+  boot.initrd.availableKernelModules = [
+    "thinkpad_acpi"
+  ];
+  
+  boot.kernelParams = ["intel_pstate=disable"];
+  boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
+
+  services.udev.extraRules = lib.mkMerge [
+    # autosuspend USB devices
+    ''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
+    # autosuspend PCI devices
+    ''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
+    # disable Ethernet Wake-on-LAN
+    ''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
+  ];
+  services.upower.enable = true;
+}

nixos/modules/ssh.nix

@@ -4,10 +4,6 @@ let
   cfg = config.kevin.ssh;
   authorizedOpts = {name, config, ...}: {
     options = {
-      /*name = mkOption { 
-        type = types.passwdEntry types.str;
-        description = "Name of the user. Must be the name of a directory in /etc/nixos/ssh";
-      };*/
       users = mkOption {
         type = with types; listOf types.str;
         default = [];
@@ -37,7 +33,17 @@ in {
 
   config = mkMerge [
     (mkIf cfg.server.enable {
-      kevin.networking.ssh.enable = true;
+      services.openssh = {
+        enable = true;
+        # require public key authentication for better security
+        settings = {
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+        #permitRootLogin = "yes";
+      };
+      
+      networking.firewall.allowedTCPPorts = [ 22 ];
     })
     {
       users.users = mkMerge (map (name: (

nixos/modules/users.nix

@@ -0,0 +1,11 @@
+{
+  imports = [ ./ssh.nix ];
+
+  users.users.kevin = {
+    isNormalUser = true;
+    description = "Kevin Kandlbinder";
+    extraGroups = [ "wheel" "docker" "dialout" "networkmanager" "floppy" "audio" "lp" "cdrom" "tape" "video" "render" ]; 
+  };
+  
+  kevin.ssh.authorized.kevin.users = ["kevin" "root"];
+}

nixos/modules/yubikey.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+  security.pam.yubico = {
+    enable = true;
+    debug = false;
+    mode = "challenge-response";
+  };
+
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+}