Minor changes

Untested VF2 config, basic "user", option to enable users, option to enable git, basic graphics role, unfinished `router` role, global features

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>

.gitignore

@@ -1,2 +1,3 @@
 asahi*
 .key
+*.DS_Store

README.md

@@ -24,16 +24,16 @@ nix build path:{{REPO_PATH}}#nixosConfigurations.HOST.config.system.build.sdImag
 nixos-rebuild switch --flake path:/etc/nixos
 ```
 
-Apple Silicon hosts require additional `--impure` flag for firmware installation. (Firmware should be placed in /etc/nixos/asahi/firmware (ignored by git)).
+Apple Silicon hosts require additional `--impure` flag for firmware installation. (Firmware should be placed in `/etc/nixos/asahi/firmware` (ignored by git)).
 
 ### Hosts configured
 
-- stella (Random Ryzen 3 3250U laptop)
-- vetus (iMac 27" 2017)
-- celerrime (MacBook Air M2)
-- celerrime-x (MacBook Air M2 under Darwin) (Needs unifying)
-- rubusidaeus (Raspberry Pi 4B)
-
+- celerrime (MacBook Air M2) (coding)
+- vetus (iMac 27" 2017) (gaming)
+- stella (Random Ryzen 3 3250U laptop) (lite websurfing client)
+- celerrime-x (MacBook Air M2 under Darwin) - Needs unifying + doesn't work - Nix daemon "bootloops"
+- rubusidaeus (Raspberry Pi 4B) (small services)
+- periculo (StarFive VisionFive2) (as router) - WIP + untested
 
 ## Modules
 
@@ -70,7 +70,7 @@ curl https://iva.bz/nix | sh
   - [ ] iva.bz
   - [ ] ивабус.рф
 - Setup "secret" roles (I need them)
-- Setup router
+- Setup router (in progress with `periculo`)
 
 ## Copyright
 

common/base.nix

@@ -1,6 +1,9 @@
 { config, pkgs, lib, ... }:
 
-{
+let
+  my = import ../.;
+  secrets = my.secrets { inherit config; };
+in {
   nix = {
     package = pkgs.nixUnstable;
     extraOptions = ''
@@ -10,7 +13,7 @@
       auto-optimise-store = true;
       allowed-users = [ "root" "@wheel" ];
       trusted-users = [ "root" "@wheel" ];
-      sandbox = true;
+      #sandbox = true;
     };
     gc = {
       automatic = true;
@@ -25,12 +28,13 @@
   };
 
   environment.systemPackages = with pkgs;
-    [ wget curl git git-crypt neovim python3Minimal nixfmt ]
+    [ wget curl git git-crypt neovim python3Minimal ]
     ++ lib.optionals pkgs.stdenv.isLinux [
       usbutils
       pciutils
-      coreutils-full
+      coreutils
       killall
     ];
-
+  # Inject secrets through module arguments while evaluating configs.
+  _module.args.secrets = secrets;
 }

common/git.nix

@@ -4,7 +4,7 @@ let cfg = config.my.git;
 in {
   options = { my.git.enable = lib.mkEnableOption "Enable git configuration"; };
 
-  config = lib.mkIf (cfg.enable) {
+  config = lib.mkIf (cfg.enable && config.my.users.ivabus.enable) {
     home-manager.useGlobalPkgs = true;
     home-manager.useUserPackages = true;
     home-manager.users.ivabus = {

common/laptop.nix

@@ -7,13 +7,13 @@ in {
   };
 
   config = lib.mkIf (cfg.enable) {
-    networking.wireless.iwd.enable = true;
+    networking.wireless.iwd.enable = lib.mkDefault true;
     environment.systemPackages = with pkgs; [ lm_sensors ];
 
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
+    hardware.bluetooth.enable = lib.mkDefault true;
+    services.blueman.enable = lib.mkDefault true;
 
-    services.tlp.enable = true;
-    services.upower.enable = true;
+    services.tlp.enable = lib.mkDefault true;
+    services.upower.enable = lib.mkDefault true;
   };
 }

common/security.nix

@@ -6,7 +6,7 @@
   security = {
     lockKernelModules = true;
     protectKernelImage = true;
-    allowSimultaneousMultithreading = false;
+    allowSimultaneousMultithreading = lib.mkDefault false;
     forcePageTableIsolation = true;
     virtualisation.flushL1DataCache = "always";
     apparmor = {

common/user.nix

@@ -1,50 +1,77 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, secrets, ... }:
 
-let my = import ../.;
+let
+  cfg = config.my.users;
+  keys = [
+    # celerrime-x
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE= ivabus@celerrime-x"
+
+    # Celerrime
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgZJjP2BRycxcR53sriaityzT24f+umMO8iz/xUvWRUJpgwA4WJyqgKwxuIhKYPUZ7e3H/vVPrt3ZqAaqoFM7OildtcXyRskwinuAxE6lhOEE69s1M3iqCXbrTM9YluMlrvf7yd4edInH0jdlCTwuZOY+yisrGU+nOpSSuJgcwlme2fv1pQtKgTQpqz1GflIaXm5415Do4okanNlfuAJXix7ic0PkaLN0gTtONqwJR1W3hkF8hnlHV49t8QvrJHgQptbVdDgd9f96+a6OL6y/6rixnEU23yuC29lWxSwrixwC0xY+/CjhMlDzXqvePG55vC4K5UQypKcvMOCLV/0z9s5m0ca5mvS9eqPDcUj2+9r7VFaL0IdZl4i7eG9JJSS4h/22Or7CdU9Dv0kiMYP3HLiihjS/lrQVEEYpEMr3DmhSnij5DeGZFmMRM2UN5ZqR7/QhkslhQg340ik6ZENjpxuQ9rQino5XRK52DoUiLHleKI/ibBHQ4LiREvX9muyM= ivabus@celerrime"
+  ];
 in rec {
-  users.mutableUsers = false;
-
-  users.groups.ivabus = { gid = 1000; };
-  users.users.ivabus = {
-    isNormalUser = true;
-    group = "ivabus";
-    extraGroups = [ "users" "wheel" ];
-    uid = 1000;
-    packages = with pkgs; [
-      tree
-      neofetch # I use NixOS BTW
-      duf
-      htop
-    ];
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [
-      # celerrime-x
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE= ivabus@celerrime-x"
-
-      # Stella
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXWPxd1uVVxEARVezy0s0LZ9fC/Mif6s218oNWDyJNqZMnAiaMwwP/mGHqCy1OXFCb8/5Kv3AM+z6sxY4mIvyXhx3lPW841HoOlJxR+JQ50qgxon/oCXjKFVMZjFptRtexgQLhubhjyINagj7T/K6UjsfC9sIG5DUJdem0O8ZD/8EqvIrkeNGP52klJM3sR4vhXMNwOIPkukNOMq+OLXgAaCXRImc53N+Whi/tCaxxr/Nen5CVGo9raAekRKaiBLKvgboXYnxzNFxiecUe7mqPbyE2bcnJ+rDC7UlwrNYGyIQ/8POjQwbanFxT4UJhS5ib6/hSpia0eYaSiutBqU3fQcIXrmTQWOrGPdrUsLHw5xGMfwnPmoDFMYHdcchU0v6QijbrHrsqVV/bikWoQF4JT7PCwOejfVowOioPghvW2u34gTyMKPkueaMk0w8Jq45V0meneyN5SbobqZX3XFze4Uz3BN8nuiZB6pFRPv0eKLqEqX8+nST9uQDBkqKTvwE= ivabus@stella"
-
-      # Celerrime
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgZJjP2BRycxcR53sriaityzT24f+umMO8iz/xUvWRUJpgwA4WJyqgKwxuIhKYPUZ7e3H/vVPrt3ZqAaqoFM7OildtcXyRskwinuAxE6lhOEE69s1M3iqCXbrTM9YluMlrvf7yd4edInH0jdlCTwuZOY+yisrGU+nOpSSuJgcwlme2fv1pQtKgTQpqz1GflIaXm5415Do4okanNlfuAJXix7ic0PkaLN0gTtONqwJR1W3hkF8hnlHV49t8QvrJHgQptbVdDgd9f96+a6OL6y/6rixnEU23yuC29lWxSwrixwC0xY+/CjhMlDzXqvePG55vC4K5UQypKcvMOCLV/0z9s5m0ca5mvS9eqPDcUj2+9r7VFaL0IdZl4i7eG9JJSS4h/22Or7CdU9Dv0kiMYP3HLiihjS/lrQVEEYpEMr3DmhSnij5DeGZFmMRM2UN5ZqR7/QhkslhQg340ik6ZENjpxuQ9rQino5XRK52DoUiLHleKI/ibBHQ4LiREvX9muyM= ivabus@celerrime"
-    ];
-    hashedPassword = my.secrets.hashed-password;
+  options.my.users = {
+    ivabus.enable = lib.mkEnableOption "Enable ivabus user";
+    user.enable = lib.mkEnableOption "Enable general-purpose user";
   };
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.ivabus.enable) {
+      my.features.secrets = lib.mkForce true;
 
-  users.users.root = {
-    hashedPassword = null;
-    openssh.authorizedKeys.keys =
-      users.users.ivabus.openssh.authorizedKeys.keys;
-  };
+      users.groups.ivabus = { gid = 1000; };
+      users.users.ivabus = {
+        isNormalUser = true;
+        group = "ivabus";
+        extraGroups = [ "users" "wheel" ];
+        uid = 1000;
+        packages = with pkgs; [
+          tree
+          neofetch # I use NixOS BTW
+          duf
+          htop
+        ];
+        shell = pkgs.zsh;
+        openssh.authorizedKeys.keys = keys;
+        hashedPassword = secrets.hashed-password;
+      };
+      programs.gnupg.agent.enable = true;
+    })
 
-  environment.shells = [ pkgs.zsh ];
-  programs.zsh = {
-    enable = true;
-    promptInit = "";
-  };
+    (lib.mkIf (cfg.user.enable) {
+      users.users.user = {
+        isNormalUser = true;
+        group = "users";
+        extraGroups = [ "video" "audio" "networkmanager" ];
+        uid = 1001;
+        packages = with pkgs; [
+          tree
+          neofetch # I use NixOS BTW
+          duf
+          htop
+        ];
+        shell = pkgs.zsh;
+        openssh.authorizedKeys.keys = keys;
+        password = "12345";
+      };
+    })
 
-  programs.gnupg.agent.enable = true;
-  programs.ssh.startAgent = true;
+    ({
+      users.mutableUsers = false;
+      users.users.root = {
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = keys;
+      };
 
-  home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
+      environment.shells = [ pkgs.zsh ];
+      programs.zsh = {
+        enable = true;
+        promptInit = "";
+      };
+
+      programs.ssh.startAgent = true;
+
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+    })
+  ];
 }

default.nix

@@ -1,7 +1,8 @@
 rec {
   common = import ./common;
   roles = import ./roles;
+  features = import ./features.nix;
   secrets = import ./secrets.nix;
 
-  modules = { pkgs, ... }: { imports = [ common roles ]; };
+  modules = { pkgs, ... }: { imports = [ features common roles ]; };
 }

features.nix

@@ -0,0 +1,5 @@
+{ lib, config, ... }:
+let
+in {
+  options.my.features.secrets = lib.mkEnableOption "Enable secrets decrypting";
+}

flake.lock

@@ -1,153 +0,0 @@
-{
-  "nodes": {
-    "apple-silicon-support": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs",
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1693064156,
-        "narHash": "sha256-EnZntHnlPqWZIoa593zDV4GSkfbLLAL6VAreMvM6JN4=",
-        "owner": "tpwrules",
-        "repo": "nixos-apple-silicon",
-        "rev": "bef25f9cdfd8513a42c175b88a1cb619e3ef5951",
-        "type": "github"
-      },
-      "original": {
-        "owner": "tpwrules",
-        "repo": "nixos-apple-silicon",
-        "type": "github"
-      }
-    },
-    "flake-compat": {
-      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1693208669,
-        "narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "release-23.05",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "nix-darwin": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_2"
-      },
-      "locked": {
-        "lastModified": 1692248770,
-        "narHash": "sha256-tZeFpETKQGbgnaSIO1AGWD27IyTcBm4D+A9d7ulQ4NM=",
-        "owner": "LnL7",
-        "repo": "nix-darwin",
-        "rev": "511177ffe8226c78c9cf6a92a7b5f2df3684956b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "LnL7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1692913444,
-        "narHash": "sha256-1SvMQm2DwofNxXVtNWWtIcTh7GctEVrS/Xel/mdc6iY=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "18324978d632ffc55ef1d928e81630c620f4f447",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "18324978d632ffc55ef1d928e81630c620f4f447",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1694062546,
-        "narHash": "sha256-PiGI4f2BGnZcedP6slLjCLGLRLXPa9+ogGGgVPfGxys=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "b200e0df08f80c32974a6108ce431d8a8a5e6547",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-23.05-darwin",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1693985761,
-        "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "apple-silicon-support": "apple-silicon-support",
-        "home-manager": "home-manager",
-        "nix-darwin": "nix-darwin",
-        "nixpkgs": "nixpkgs_3"
-      }
-    },
-    "rust-overlay": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1686795910,
-        "narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

flake.nix

@@ -12,13 +12,17 @@
 
     apple-silicon-support.url = "github:tpwrules/nixos-apple-silicon";
 
+    #nixos-vf2 = { url = "path:/root/nixos-vf2"; };
+    #nixos-vf2 = { url = "github:Snektron/nixos-vf2"; };
+
     nix-darwin = {
       url = "github:LnL7/nix-darwin/master";
-      inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
   outputs = { self, nixpkgs, home-manager, nix-darwin, apple-silicon-support
+    # , nixos-vf2
     , ... }@inputs: {
       # Stella = Unchartevice 6540 (Ryzen 3 3250U, 16GB RAM)
       nixosConfigurations."stella" = nixpkgs.lib.nixosSystem {
@@ -52,6 +56,17 @@
         ];
       };
 
+      # VisionFive 2, 8GB - firewall + router
+      nixosConfigurations."periculo" = nixpkgs.lib.nixosSystem {
+        system = "riscv64-linux";
+        modules = [
+          #nixos-vf2.nixosModules.sdImage
+          ./hardware/vf2.nix
+          home-manager.nixosModules.home-manager
+          ./machines/periculo
+        ];
+      };
+
       # Celerrime under macOS
       darwinConfigurations."celerrime-x" = nix-darwin.lib.darwinSystem {
         system = "aarch64-darwin";

hardware/README.md

@@ -3,3 +3,4 @@
 Contains `portable` configurations for hardware.
 
 `./rpi4.nix` - Raspberry Pi 4
+`./vf2.nix` - StarFive VisionFive 2

hardware/vf2.nix

@@ -0,0 +1,60 @@
+{ config, pkgs, lib, ... }:
+
+let
+  overlay = final: super: {
+    makeModulesClosure = x:
+      super.makeModulesClosure (x // {
+        allowMissing = true;
+      }); # Ignores missing kernel modules (can't build image without this fix)
+    # Overflow tests fail
+    diffutils = super.diffutils.override { doCheck = false; };
+  };
+in {
+  boot = {
+    kernelParams = [
+      "console=tty0"
+      "console=ttyS0,115200"
+      "earlycon=sbi"
+      "boot.shell_on_fail"
+    ];
+    supportedFilesystems = lib.mkForce [ "ext4" ];
+    initrd.includeDefaultModules = false;
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "usbhid"
+      "usb_storage"
+      "dw_mmc-pltfm"
+      "dw_mmc-starfive"
+      "dwmac-starfive"
+      "spi-dw-mmio"
+      "mmc_block"
+      "nvme"
+      "sdhci"
+      "sdhci-pci"
+      "sdhci-of-dwcmshc"
+    ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+  systemd.services."serial-getty@hvc0".enable = false;
+  systemd.services."serial-getty@ttyS0" = {
+    enable = true;
+    wantedBy = [ "getty.target" ];
+    serviceConfig.Restart = "always";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+
+  sdImage.compressImage = false;
+
+  hardware.enableRedistributableFirmware = true;
+}
+

machines/celerrime-x/default.nix

@@ -38,23 +38,22 @@
     enable = true;
     promptInit = "";
   };
+  /* users.users.ivabus.home = "/Users/ivabus";
+     users.users.ivabus.openssh.authorizedKeys.keys = [
+       # i should somehow reuse it from common/user.nix
+       # celerrime-x
+       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE="
 
-  users.users.ivabus.home = "/Users/ivabus";
-  users.users.ivabus.openssh.authorizedKeys.keys = [
-    # i should somehow reuse it from common/user.nix
-    # celerrime-x
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE="
+       # Stella
+       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXWPxd1uVVxEARVezy0s0LZ9fC/Mif6s218oNWDyJNqZMnAiaMwwP/mGHqCy1OXFCb8/5Kv3AM+z6sxY4mIvyXhx3lPW841HoOlJxR+JQ50qgxon/oCXjKFVMZjFptRtexgQLhubhjyINagj7T/K6UjsfC9sIG5DUJdem0O8ZD/8EqvIrkeNGP52klJM3sR4vhXMNwOIPkukNOMq+OLXgAaCXRImc53N+Whi/tCaxxr/Nen5CVGo9raAekRKaiBLKvgboXYnxzNFxiecUe7mqPbyE2bcnJ+rDC7UlwrNYGyIQ/8POjQwbanFxT4UJhS5ib6/hSpia0eYaSiutBqU3fQcIXrmTQWOrGPdrUsLHw5xGMfwnPmoDFMYHdcchU0v6QijbrHrsqVV/bikWoQF4JT7PCwOejfVowOioPghvW2u34gTyMKPkueaMk0w8Jq45V0meneyN5SbobqZX3XFze4Uz3BN8nuiZB6pFRPv0eKLqEqX8+nST9uQDBkqKTvwE= ivabus@stella"
 
-    # Stella
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXWPxd1uVVxEARVezy0s0LZ9fC/Mif6s218oNWDyJNqZMnAiaMwwP/mGHqCy1OXFCb8/5Kv3AM+z6sxY4mIvyXhx3lPW841HoOlJxR+JQ50qgxon/oCXjKFVMZjFptRtexgQLhubhjyINagj7T/K6UjsfC9sIG5DUJdem0O8ZD/8EqvIrkeNGP52klJM3sR4vhXMNwOIPkukNOMq+OLXgAaCXRImc53N+Whi/tCaxxr/Nen5CVGo9raAekRKaiBLKvgboXYnxzNFxiecUe7mqPbyE2bcnJ+rDC7UlwrNYGyIQ/8POjQwbanFxT4UJhS5ib6/hSpia0eYaSiutBqU3fQcIXrmTQWOrGPdrUsLHw5xGMfwnPmoDFMYHdcchU0v6QijbrHrsqVV/bikWoQF4JT7PCwOejfVowOioPghvW2u34gTyMKPkueaMk0w8Jq45V0meneyN5SbobqZX3XFze4Uz3BN8nuiZB6pFRPv0eKLqEqX8+nST9uQDBkqKTvwE= ivabus@stella"
+       # Celerrime
+       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgZJjP2BRycxcR53sriaityzT24f+umMO8iz/xUvWRUJpgwA4WJyqgKwxuIhKYPUZ7e3H/vVPrt3ZqAaqoFM7OildtcXyRskwinuAxE6lhOEE69s1M3iqCXbrTM9YluMlrvf7yd4edInH0jdlCTwuZOY+yisrGU+nOpSSuJgcwlme2fv1pQtKgTQpqz1GflIaXm5415Do4okanNlfuAJXix7ic0PkaLN0gTtONqwJR1W3hkF8hnlHV49t8QvrJHgQptbVdDgd9f96+a6OL6y/6rixnEU23yuC29lWxSwrixwC0xY+/CjhMlDzXqvePG55vC4K5UQypKcvMOCLV/0z9s5m0ca5mvS9eqPDcUj2+9r7VFaL0IdZl4i7eG9JJSS4h/22Or7CdU9Dv0kiMYP3HLiihjS/lrQVEEYpEMr3DmhSnij5DeGZFmMRM2UN5ZqR7/QhkslhQg340ik6ZENjpxuQ9rQino5XRK52DoUiLHleKI/ibBHQ4LiREvX9muyM= ivabus@celerrime"
+     ];
 
-    # Celerrime
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgZJjP2BRycxcR53sriaityzT24f+umMO8iz/xUvWRUJpgwA4WJyqgKwxuIhKYPUZ7e3H/vVPrt3ZqAaqoFM7OildtcXyRskwinuAxE6lhOEE69s1M3iqCXbrTM9YluMlrvf7yd4edInH0jdlCTwuZOY+yisrGU+nOpSSuJgcwlme2fv1pQtKgTQpqz1GflIaXm5415Do4okanNlfuAJXix7ic0PkaLN0gTtONqwJR1W3hkF8hnlHV49t8QvrJHgQptbVdDgd9f96+a6OL6y/6rixnEU23yuC29lWxSwrixwC0xY+/CjhMlDzXqvePG55vC4K5UQypKcvMOCLV/0z9s5m0ca5mvS9eqPDcUj2+9r7VFaL0IdZl4i7eG9JJSS4h/22Or7CdU9Dv0kiMYP3HLiihjS/lrQVEEYpEMr3DmhSnij5DeGZFmMRM2UN5ZqR7/QhkslhQg340ik6ZENjpxuQ9rQino5XRK52DoUiLHleKI/ibBHQ4LiREvX9muyM= ivabus@celerrime"
-  ];
-
-  home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
+     home-manager.useGlobalPkgs = true;
+     home-manager.useUserPackages = true;
+  */
 
   services.nix-daemon.enable = true;
-  nix.package = lib.mkForce pkgs.nix;
 }

machines/celerrime/default.nix

@@ -26,6 +26,11 @@ in {
 
     server = { ivabus-dev.enable = false; };
   };
+  my.users = {
+    ivabus.enable = true;
+    user.enable = false;
+  };
+  my.features.secrets = true;
 
   networking.useDHCP = true;
 

machines/example/default.nix

@@ -21,6 +21,7 @@ in {
     devel.enable = true;
     gaming.enable = true;
     graphical.enable = true;
+    graphical.basic.enable = false;
     latex.enable = true;
     media-client.enable = true;
     torrent.enable = true;
@@ -29,6 +30,11 @@ in {
 
     server = { ivabus-dev.enable = true; };
   };
+  my.users = {
+    ivabus.enable = true;
+    user.enable = false;
+  };
+  my.features.secrets = true;
 
   networking.useDHCP = true;
 

machines/periculo/default.nix

@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+let my = import ../..;
+in {
+  imports = [ my.modules ];
+
+  networking.hostName = "periculo";
+
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  # All "my" options
+  my.laptop.enable = false;
+  my.git.enable = false;
+  my.roles = {
+    design.enable = false;
+    devel.enable = false;
+    gaming.enable = false;
+    graphical.enable = false;
+    latex.enable = false;
+    media-client.enable = false;
+    torrent.enable = false;
+    virtualisation.enable = false;
+    yggdrasil-client.enable = false;
+
+    server = { ivabus-dev.enable = false; };
+  };
+
+  my.users = {
+    ivabus.enable = true;
+    user.enable = false;
+  };
+
+  my.features.secrets = true;
+
+  my.roles.router = {
+    enable = false;
+    interfaces = {
+      wan = "enp1s0";
+      lan = "enp2s0";
+    };
+  };
+
+  # find out interfaces that show onboard
+  /* networking = {
+       enp1s0.useDHCP = false;
+       enp2s0.useDHCP = false;
+     };
+  */
+  hardware.enableRedistributableFirmware = true;
+
+  system.stateVersion = "23.05";
+}
+

machines/rubusidaeus/default.nix

@@ -29,6 +29,13 @@ in {
     server = { ivabus-dev.enable = true; };
   };
 
+  my.users = {
+    ivabus.enable = true;
+    user.enable = false;
+  };
+
+  my.features.secrets = true;
+
   networking = {
     useNetworkd = false;
     useDHCP = false;

machines/stella/default.nix

@@ -7,31 +7,48 @@ in {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  nixpkgs.config.allowUnfree = true;
+  environment.systemPackages = with pkgs; [
+    google-chrome
+    zoom-us
+    whatsapp-for-linux
+    telegram-desktop
+  ];
+
   networking.hostName = "stella";
 
   my.laptop.enable = true;
   my.git.enable = true;
   my.roles = {
-    design.enable = true;
-    devel.enable = true;
-    gaming.enable = true;
-    graphical.enable = true;
+    design.enable = false;
+    devel.enable = false;
+    gaming.enable = false;
+    graphical.enable = false;
+    graphical.basic.enable = true;
     latex.enable = false;
     media-client.enable = true;
-    torrent.enable = true;
-    virtualisation.enable = true;
-    yggdrasil-client.enable = true;
+    torrent.enable = false;
+    virtualisation.enable = false;
+    yggdrasil-client.enable = false;
   };
 
+  my.users = {
+    ivabus.enable = false;
+    user.enable = true;
+  };
+
+  my.features.secrets = false;
+
   services.xserver.videoDrivers = [ "amdgpu" ];
   boot.initrd.kernelModules = [ "amdgpu" ];
 
   powerManagement = {
     enable = true;
-    cpuFreqGovernor = "ondemand";
+    cpuFreqGovernor = "powersave";
   };
 
-  networking.useDHCP = true;
+  # system is very slow without it
+  security.allowSimultaneousMultithreading = lib.mkForce true;
 
   system.stateVersion = "23.05";
 }

machines/stella/hardware.nix

@@ -1,36 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" "nct6775" ];
+  boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  environment.etc = {
-    "sysconfig/lm_sensors".text = ''
-            HWMON_MODULES="lm75"
-      	'';
-  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/01106217-beff-4837-87ce-60f36ad0296e";
+      fsType = "btrfs";
+    };
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/e9d47776-8f25-490b-9ea3-ee80ab9d6110";
-    fsType = "btrfs";
-  };
-
-  boot.initrd.luks.devices."cryptroot".device =
-    "/dev/disk/by-uuid/c2e3757b-b29c-4797-9535-084eb71351e9";
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/4F73-6FFF";
-    fsType = "vfat";
-  };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/22B9-FD88";
+      fsType = "vfat";
+    };
 
   swapDevices = [ ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

machines/vetus/default.nix

@@ -21,6 +21,13 @@ in {
     yggdrasil-client.enable = true;
   };
 
+  my.users = {
+    ivabus.enable = true;
+    user.enable = false;
+  };
+
+  my.features.secrets = true;
+
   networking.useDHCP = true;
 
   services.xserver.videoDrivers = [ "amdgpu" ];

roles/default.nix

@@ -6,6 +6,7 @@
     ./graphical.nix
     ./latex.nix
     ./media-client.nix # TODO: media-server
+    ./router.nix
     ./ntp-server.nix
     ./torrent.nix
     ./virtualisation.nix

roles/devel.nix

@@ -23,6 +23,7 @@ in {
         picocom
         screen
         hyperfine
+        nixfmt
       ];
     }
     # Architecture-specific packages and configuration
@@ -35,16 +36,20 @@ in {
     (lib.mkIf (!pkgs.stdenv.isx86_64) {
       boot.binfmt.emulatedSystems = [ "x86_64-linux" "i686-linux" ];
     })
-
-    # Install CLion only if we are on x86_64
-    (lib.mkIf (pkgs.stdenv.isx86_64) {
-      environment.systemPackages = with pkgs; [ jetbrains.clion ];
+    (lib.mkIf (builtins.currentSystem != "riscv64-linux") {
+      boot.binfmt.emulatedSystems = [ "riscv64-linux" ];
     })
 
-    # Install vscode only if we are on x86_64 or aarch64 or aarch32
-    (lib.mkIf
-      (pkgs.stdenv.isx86_64 || pkgs.stdenv.isAarch64 || pkgs.stdenv.isAarch32) {
-        environment.systemPackages = with pkgs; [ vscode ];
-      })
+    /* # Install CLion only if we are on x86_64
+        (lib.mkIf (pkgs.stdenv.isx86_64) {
+          environment.systemPackages = with pkgs; [ jetbrains.clion ];
+        })
+
+        # Install vscode only if we are on x86_64 or aarch64 or aarch32
+        (lib.mkIf
+          (pkgs.stdenv.isx86_64 || pkgs.stdenv.isAarch64 || pkgs.stdenv.isAarch32) {
+            environment.systemPackages = with pkgs; [ vscode ];
+          })
+    */
   ]);
 }

roles/graphical.nix

@@ -2,121 +2,138 @@
 
 let cfg = config.my.roles.graphical;
 in {
-  options.my.roles.graphical.enable = lib.mkEnableOption "Enable GUI";
-  config = lib.mkIf (cfg.enable) {
-    environment.systemPackages = with pkgs; [
-      firefox
-      alacritty
-      pavucontrol
-      bottom
-      mpv
-      glib
-      ffmpeg
-      cinnamon.nemo
-      usbmuxd
-      keepassxc
-    ];
-    # When adding pkgs prefer GTK over Qt, because Qt bad GTK good
-
-    services.greetd = {
-      enable = true;
-      vt = 7;
-      settings = {
-        default_session = {
-          command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
-          user = "greeter";
-        };
-      };
-    };
-
-    programs.sway = {
-      enable = true;
-      extraPackages = with pkgs; [
-        waybar
-        grim
-        slurp
-        wf-recorder
-        sway-launcher-desktop
-        swaybg
-        swayidle
-        swaylock
-        poweralertd
-        kanshi
-        libsForQt5.qt5ct
-        mako
-        brightnessctl
-        wdisplays
+  options.my.roles.graphical.enable = lib.mkEnableOption "Enable GUI (sway)";
+  options.my.roles.graphical.basic.enable =
+    lib.mkEnableOption "Enable GUI (MATE)";
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable) {
+      environment.systemPackages = with pkgs; [
+        firefox
+        alacritty
+        pavucontrol
+        bottom
+        mpv
+        glib
+        ffmpeg
+        cinnamon.nemo
+        usbmuxd
+        keepassxc
       ];
-      wrapperFeatures.gtk = true;
-    };
+      # When adding pkgs prefer GTK over Qt, because Qt bad GTK good
 
-    xdg.portal = {
-      enable = true;
-      wlr.enable = true;
-    };
-    services.pipewire = {
-      enable = true;
-      alsa.enable = true;
-      pulse.enable = true;
-      alsa.support32Bit = true;
-    };
-
-    qt = {
-      enable = true;
-      platformTheme = "gtk2";
-      style = "gtk2";
-    };
-
-    services.dbus.enable = true;
-
-    fonts.packages = with pkgs; [
-      noto-fonts
-      noto-fonts-cjk
-      noto-fonts-cjk-sans
-      noto-fonts-cjk-serif
-      noto-fonts-emoji
-      jetbrains-mono
-      font-awesome
-      #google-fonts
-      liberation_ttf
-      open-sans
-      roboto
-      roboto-mono
-      kochi-substitute
-    ];
-    environment.sessionVariables.NIXOS_OZONE_WL =
-      "1"; # Enable wayland for electron
-    home-manager.users.ivabus = {
-      gtk = {
+      services.greetd = {
         enable = true;
-        theme = {
-          name = "Catppuccin-Macchiato-Standard-Blue-dark";
-          package = pkgs.catppuccin-gtk.override {
-            accents = [ "blue" ];
-            tweaks = [ "rimless" ];
-            size = "standard";
-            variant = "macchiato";
+        vt = 7;
+        settings = {
+          default_session = {
+            command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+            user = "greeter";
           };
         };
-        iconTheme = {
-          name = "Mint-Y-Blue";
-          package = pkgs.cinnamon.mint-y-icons;
+      };
+
+      programs.sway = {
+        enable = true;
+        extraPackages = with pkgs; [
+          waybar
+          grim
+          slurp
+          wf-recorder
+          sway-launcher-desktop
+          swaybg
+          swayidle
+          swaylock
+          poweralertd
+          kanshi
+          libsForQt5.qt5ct
+          mako
+          brightnessctl
+          wdisplays
+        ];
+        wrapperFeatures.gtk = true;
+      };
+
+      xdg.portal = {
+        enable = true;
+        wlr.enable = true;
+      };
+      environment.sessionVariables.NIXOS_OZONE_WL =
+        "1"; # Enable wayland for electron
+      home-manager.users.ivabus = {
+        gtk = {
+          enable = true;
+          theme = {
+            name = "Catppuccin-Macchiato-Standard-Blue-dark";
+            package = pkgs.catppuccin-gtk.override {
+              accents = [ "blue" ];
+              tweaks = [ "rimless" ];
+              size = "standard";
+              variant = "macchiato";
+            };
+          };
+          iconTheme = {
+            name = "Mint-Y-Blue";
+            package = pkgs.cinnamon.mint-y-icons;
+          };
+          cursorTheme = {
+            name = "Catppuccin-Macchiato-Dark-Cursors";
+            package = pkgs.catppuccin-cursors.macchiatoDark;
+          };
+          font = {
+            name = "Ubuntu";
+            size = 9;
+            package = pkgs.ubuntu_font_family;
+          };
         };
-        cursorTheme = {
+        home.pointerCursor = {
           name = "Catppuccin-Macchiato-Dark-Cursors";
           package = pkgs.catppuccin-cursors.macchiatoDark;
-        };
-        font = {
-          name = "Ubuntu";
-          size = 9;
-          package = pkgs.ubuntu_font_family;
+          x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
         };
       };
-      home.pointerCursor = {
-        name = "Catppuccin-Macchiato-Dark-Cursors";
-        package = pkgs.catppuccin-cursors.macchiatoDark;
-        x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
+    })
+    (lib.mkIf (cfg.basic.enable) {
+      environment.systemPackages = with pkgs; [ firefox ubuntu-themes ];
+      services.xserver.desktopManager.mate.enable = true;
+      networking.networkmanager.enable = lib.mkForce true;
+      networking.networkmanager.wifi.backend = "iwd";
+      programs.nm-applet.enable = true;
+      services.xserver.displayManager.sddm.enable = true;
+      services.xserver.enable = true;
+      services.xserver.layout = "us,ru";
+      services.xserver.xkbOptions = "grp:alt_shift_toggle";
+    })
+    (lib.mkIf (cfg.basic.enable || cfg.enable) {
+      services.pipewire = {
+        enable = true;
+        alsa.enable = true;
+        pulse.enable = true;
+        alsa.support32Bit = true;
       };
-    };
-  };
+
+      qt = {
+        enable = true;
+        platformTheme = "gtk2";
+        style = "gtk2";
+      };
+
+      services.dbus.enable = true;
+
+      fonts.packages = with pkgs; [
+        noto-fonts
+        noto-fonts-cjk
+        noto-fonts-cjk-sans
+        noto-fonts-cjk-serif
+        noto-fonts-emoji
+        jetbrains-mono
+        font-awesome
+        #google-fonts
+        liberation_ttf
+        open-sans
+        roboto
+        roboto-mono
+        kochi-substitute
+      ];
+    })
+  ];
 }

roles/router.nix

@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.my.roles.router;
+in {
+  options.my.roles.router.enable =
+    lib.mkEnableOption "Enable router capabilities";
+
+  options.my.roles.router.interfaces.wan = lib.mkOption {
+    type = lib.types.str;
+    default = "wan0";
+    description = ''
+      WAN interface name.
+    '';
+  };
+  options.my.roles.router.interfaces.lan = lib.mkOption {
+    type = lib.types.str;
+    default = "lan0";
+    description = ''
+      LAN interface name.
+    '';
+  };
+
+  config = lib.mkIf (cfg.enable) {
+    boot.kernel.sysctl = lib.mkForce {
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+
+      "net.ipv6.conf.all.accept_ra" = 0;
+      "net.ipv6.conf.all.autoconf" = 0;
+      "net.ipv6.conf.all.use_tempaddr" = 0;
+
+      # On WAN, allow IPv6 autoconfiguration and tempory address use.
+      "net.ipv6.conf.${cfg.interfaces.wan}.accept_ra" = 2;
+      "net.ipv6.conf.${cfg.interfaces.wan}.autoconf" = 1;
+    };
+    services = {
+      avahi = {
+        enable = true;
+        allowInterfaces = [ "${cfg.interfaces.lan}" ];
+        ipv4 = true;
+        ipv6 = true;
+        reflector = true;
+      };
+      dhcpd4 = {
+        enable = true;
+        interfaces = [ "${cfg.interfaces.lan}" ];
+        extraConfig = ''
+          option domain-name-servers 1.1.1.1, 8.8.8.8;
+          option subnet-mask 255.255.255.0;
+
+          subnet 192.168.1.0 netmask 255.255.255.0 {
+            option broadcast-address 192.168.1.255;
+            option routers 192.168.1.1;
+            interface ${cfg.interfaces.lan};
+            range 192.168.1.64 192.168.1.254;
+          }
+        '';
+      };
+    };
+    networking = {
+      nat = {
+        enable = true;
+        externalInterface = "${cfg.interfaces.wan}";
+        internalInterfaces = [ "${cfg.interfaces.lan}" ];
+        internalIPs = [ "192.168.0.0/24" "192.168.1.0" /24 ];
+      };
+    };
+  };
+}

secrets.nix

@@ -1,8 +1,9 @@
+{ config, ... }:
 let
   canaryHash = builtins.hashFile "sha256" ./secrets/canary;
   expectedHash =
     "bc6f38a927602241c5e0996b61ebd3a90d5356ca76dc968ec14df3cd45c6612c";
-in if canaryHash != expectedHash then
+in if (canaryHash != expectedHash && config.my.features.secrets) then
   abort "Secrets are not readable. Have you run `git-crypt unlock`?"
 else {
   hashed-password = builtins.readFile ./secrets/hashed-password;