refactor(users/glittershark): Rename to grfn

Rename my //users directory and all places that refer to glittershark to
grfn, including nix references and documentation.

This may require some extra attention inside of gerrit's database after
it lands to allow me to actually push things.

Change-Id: I4728b7ec2c60024392c1c1fa6e0d4a59b3e266fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2933
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: glittershark <grfn@gws.fyi>

users/grfn/system/system/configuration.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+let machine = throw "Pick a machine from ./machines"; in
+{
+  imports =
+    [
+      /etc/nixos/hardware-configuration.nix
+      ./modules/common.nix
+      machine
+    ];
+}

users/grfn/system/system/default.nix

@@ -0,0 +1,77 @@
+args @ { depot, pkgs, ... }:
+
+rec {
+  chupacabra = import ./machines/chupacabra.nix;
+
+  chupacabraSystem = (depot.third_party.nixos {
+    configuration = chupacabra;
+  }).system;
+
+  mugwump = import ./machines/mugwump.nix;
+
+  mugwumpSystem = (depot.third_party.nixos {
+    configuration = mugwump;
+  }).system;
+
+  roswell = import ./machines/roswell.nix;
+
+  roswellSystem = (depot.ops.nixos.nixosFor ({ ... }: {
+    imports = [
+      ./machines/roswell.nix
+      "${pkgs.home-manager.src}/nixos"
+    ];
+
+    home-manager.users.grfn = { config, lib, ... }: {
+      imports = [ ../home/machines/roswell.nix ];
+      lib.depot = depot;
+      _module.args.pkgs = lib.mkForce
+        (import pkgs.path
+          (lib.filterAttrs (n: v: v != null) config.nixpkgs));
+    };
+  })).system;
+
+  yeren = import ./machines/yeren.nix;
+
+  yerenSystem = (depot.ops.nixos.nixosFor yeren).system;
+
+  iso = import ./iso.nix args;
+
+  # Build chupacabra in CI
+  meta.targets = [
+    "chupacabraSystem"
+    "mugwumpSystem"
+    "roswellSystem"
+    "yerenSystem"
+
+    "iso"
+  ];
+
+  rebuilder =
+    let
+      depotPath = "/home/grfn/code/depot";
+
+      caseFor = hostname: ''
+        ${hostname})
+          echo "Rebuilding NixOS for //users/grfn/nixos/${hostname}"
+          system=$(nix-build -E '(import ${depotPath} {}).users.grfn.system.system.${hostname}' --no-out-link)
+          ;;
+      '';
+    in pkgs.writeShellScriptBin "rebuilder" ''
+      set -ue
+      if [[ $EUID -ne 0 ]]; then
+        echo "Oh no! Only root is allowed to rebuild the system!" >&2
+        exit 1
+      fi
+
+      case $HOSTNAME in
+      ${caseFor "chupacabra"}
+      *)
+        echo "$HOSTNAME is not a known NixOS host!" >&2
+        exit 1
+        ;;
+      esac
+
+      nix-env -p /nix/var/nix/profiles/system --set $system
+      $system/bin/switch-to-configuration switch
+    '';
+}

users/grfn/system/system/iso.nix

@@ -0,0 +1,17 @@
+{ depot, lib, pkgs, ... }:
+
+let
+  configuration = { ... }: {
+    imports = [
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/channel.nix"
+    ];
+
+    networking.networkmanager.enable = true;
+    networking.useDHCP = false;
+    networking.firewall.enable = false;
+    networking.wireless.enable = lib.mkForce false;
+  };
+in (depot.third_party.nixos {
+  inherit configuration;
+}).config.system.build.isoImage

users/grfn/system/system/machines/bumblebee.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ../modules/reusable/battery.nix
+  ];
+
+  networking.hostName = "bumblebee";
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "powersave";
+    powertop.enable = true;
+  };
+
+  # Hibernate on low battery
+  laptop.onLowBattery = {
+    enable = true;
+    action = "hibernate";
+    thresholdPercentage = 5;
+  };
+
+  services.xserver.xkbOptions = "caps:swapescape";
+}

users/grfn/system/system/machines/chupacabra.nix

@@ -0,0 +1,142 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../modules/common.nix
+    ../modules/laptop.nix
+    ../modules/tvl.nix
+    ../modules/fcitx.nix
+    ../modules/rtlsdr.nix
+    ../../../../../ops/modules/v4l2loopback.nix
+    ../modules/desktop.nix
+    ../modules/development.nix
+  ];
+
+  hardware.enableRedistributableFirmware = true;
+
+  networking.hostName = "chupacabra";
+
+  powerManagement = {
+    enable = true;
+    powertop.enable = true;
+    cpuFreqGovernor = "powersave";
+  };
+
+  laptop.onLowBattery = {
+    enable = true;
+    action = "hibernate";
+    thresholdPercentage = 5;
+  };
+
+  boot = {
+    blacklistedKernelModules = [ "nouveau" "intel" ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+      kernelModules = [ ];
+
+      luks.devices = {
+        "cryptroot".device = "/dev/disk/by-uuid/c2fc7ce7-a45e-48a1-8cde-be966ef601db";
+        "cryptswap".device = "/dev/disk/by-uuid/3b6e2fd4-bfe9-4392-a6e0-4f3b3b76e019";
+      };
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [ "acpi_rev_override" ];
+
+    kernel.sysctl = {
+      "kernel.perf_event_paranoid" = -1;
+      "vm.swappiness" = 1;
+    };
+  };
+
+  services.thermald.enable = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  # Intel-only graphics
+  hardware.nvidiaOptimus.disable = true;
+  services.xserver.videoDrivers = [ "intel" ];
+
+  # Nvidia Optimus (hybrid) - currently not working
+  # services.xserver.videoDrivers = [ "intel" "nvidia" ];
+  # boot.blacklistedKernelModules = [ "nouveau" "bbswitch" ];
+  # boot.extraModulePackages = [ pkgs.linuxPackages.nvidia_x11 ];
+  # hardware.bumblebee.enable = true;
+  # hardware.bumblebee.pmMethod = "none";
+
+  systemd.services.disable-usb-autosuspend = {
+    description = "Disable USB autosuspend";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = { Type = "oneshot"; };
+    unitConfig.RequiresMountsFor = "/sys";
+    script = ''
+      echo -1 > /sys/module/usbcore/parameters/autosuspend
+    '';
+  };
+
+  # From hardware-configuration.nix
+
+  fileSystems."/" =
+    { device = "/dev/mapper/cryptroot";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3492-9E3A";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/caa7e2ff-475b-4024-b29e-4f88f733fc4c"; }
+    ];
+
+  # High-DPI console
+  console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+  # from nixos-hardware TODO sort this around
+  services.tlp.enable = true;
+  services.fstrim.enable = lib.mkDefault true;
+
+  # Intel cpu stuff
+  hardware.opengl.extraPackages = with pkgs; [
+    vaapiIntel
+    vaapiVdpau
+    libvdpau-va-gl
+    intel-media-driver
+  ];
+
+  services.udev.extraRules = ''
+    # UDEV rules for Teensy USB devices
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+  '';
+
+  # Necessary to get steam working
+  hardware.opengl.driSupport32Bit = true;
+
+  nix = {
+    maxJobs = lib.mkDefault 12;
+    binaryCaches = [ "ssh://grfn@172.16.0.5" ];
+    trustedBinaryCaches = [ "ssh://grfn@172.16.0.5" ];
+    buildMachines = [
+      {
+        hostName = "172.16.0.4";
+        sshUser = "griffin";
+        sshKey = "/home/grfn/.ssh/id_rsa";
+        system = "x86_64-darwin";
+        maxJobs = 8; # 16 cpus
+      }
+      {
+        hostName = "172.16.0.3";
+        sshUser = "griffin";
+        sshKey = "/home/grfn/.ssh/id_rsa";
+        system = "x86_64-darwin";
+        maxJobs = 4;
+      }
+    ];
+  };
+}

users/grfn/system/system/machines/mugwump.nix

@@ -0,0 +1,279 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../modules/common.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  networking.hostName = "mugwump";
+
+  boot = {
+    loader.systemd-boot.enable = true;
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+      kernelModules = [
+        "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
+      ];
+
+      postDeviceCommands = pkgs.lib.mkBefore ''
+        mkdir -m 0755 -p /key
+        sleep 2
+        mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key
+      '';
+
+      luks.devices."cryptroot" = {
+        device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
+        keyFile = "/key/keyfile";
+        preLVM = false;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/7D74-0E4B";
+      fsType = "vfat";
+    };
+  };
+
+  networking.interfaces = {
+    enp0s25.useDHCP = false;
+    wlp2s0.useDHCP = false;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+  security.sudo.extraRules = [{
+    groups = ["wheel"];
+    commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+  }];
+
+  nix.gc.dates = "monthly";
+
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "172.16.0.0/16"
+    ];
+  };
+
+  services.openssh = {
+    allowSFTP = false;
+    passwordAuthentication = false;
+    permitRootLogin = "no";
+  };
+
+  services.grafana = {
+    enable = true;
+    port = 3000;
+    domain = "metrics.gws.fyi";
+    rootUrl = "https://metrics.gws.fyi";
+    dataDir = "/var/lib/grafana";
+    analytics.reporting.enable = false;
+
+    provision = {
+      enable = true;
+      datasources = [{
+        name = "Prometheus";
+        type = "prometheus";
+        url = "http://localhost:9090";
+      }];
+    };
+  };
+
+  security.acme.email = "root@gws.fyi";
+  security.acme.acceptTerms = true;
+
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "metrics.gws.fyi" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.grafana.port}";
+        };
+      };
+    };
+  };
+
+  services.ddclient = {
+    enable = true;
+    domains = [ "home.gws.fyi" ];
+    interval = "1d";
+    zone = "gws.fyi";
+    protocol = "cloudflare";
+    username = "root@gws.fyi";
+    quiet = true;
+  };
+
+  systemd.services.ddclient.serviceConfig = {
+    EnvironmentFile = "/etc/secrets/cloudflare.env";
+    DynamicUser = lib.mkForce false;
+    ExecStart = lib.mkForce (
+      let runtimeDir =
+            config.systemd.services.ddclient.serviceConfig.RuntimeDirectory;
+      in pkgs.writeShellScript "ddclient" ''
+        set -eo pipefail
+
+        ${pkgs.gnused}/bin/sed -i -s s/password=/password=$CLOUDFLARE_API_KEY/ /run/${runtimeDir}/ddclient.conf
+        exec ${pkgs.ddclient}/bin/ddclient \
+          -file /run/${runtimeDir}/ddclient.conf \
+          -login=$CLOUDFLARE_EMAIL \
+      '');
+  };
+
+  security.acme.certs."metrics.gws.fyi" = {
+    dnsProvider = "cloudflare";
+    credentialsFile = "/etc/secrets/cloudflare.env";
+    webroot = mkForce null;
+  };
+
+  services.prometheus = {
+    enable = true;
+    exporters = {
+      node = {
+        enable = true;
+        openFirewall = false;
+
+        enabledCollectors = [
+          "processes"
+          "systemd"
+          "tcpstat"
+          "wifi"
+          "textfile"
+        ];
+
+        extraFlags = [
+          "--collector.textfile.directory=/var/lib/prometheus/node-exporter"
+        ];
+      };
+
+      nginx = {
+        enable = true;
+        openFirewall = true;
+        sslVerify = false;
+        constLabels = [ "host=mugwump" ];
+      };
+
+      blackbox = {
+        enable = true;
+        openFirewall = true;
+        configFile = pkgs.writeText "blackbox-exporter.yaml" (builtins.toJSON {
+          modules = {
+            https_2xx = {
+              prober = "http";
+              http = {
+                method = "GET";
+                fail_if_ssl = false;
+                fail_if_not_ssl = true;
+                preferred_ip_protocol = "ip4";
+              };
+            };
+          };
+        });
+      };
+    };
+
+    scrapeConfigs = [{
+      job_name = "node";
+      scrape_interval = "5s";
+      static_configs = [{
+        targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
+      }];
+    } {
+      job_name = "nginx";
+      scrape_interval = "5s";
+      static_configs = [{
+        targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"];
+      }];
+    } {
+      job_name = "blackbox";
+      metrics_path = "/probe";
+      params.module = ["https_2xx"];
+      scrape_interval = "5s";
+      static_configs = [{
+        targets = [
+          "https://gws.fyi"
+          "https://windtunnel.ci"
+          "https://app.windtunnel.ci"
+          "https://metrics.gws.fyi"
+        ];
+      }];
+      relabel_configs = [{
+        source_labels = ["__address__"];
+        target_label = "__param_target";
+      } {
+        source_labels = ["__param_target"];
+        target_label = "instance";
+      } {
+        target_label = "__address__";
+        replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+      }];
+    }];
+  };
+
+  systemd.services."prometheus-fail2ban-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "fail2ban.service" ];
+    serviceConfig = {
+      User = "root";
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
+        set -eo pipefail
+        mkdir -p /var/lib/prometheus/node-exporter
+        exec ${pkgs.python3.withPackages (p: [
+          p.prometheus_client
+        ])}/bin/python ${pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
+          sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
+        }}
+      '';
+    };
+
+    path = with pkgs; [ fail2ban ];
+  };
+
+  systemd.timers."prometheus-fail2ban-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+
+  virtualisation.docker.enable = true;
+
+  services.buildkite-agents = listToAttrs (map (n: rec {
+    name = "mugwump-${toString n}";
+    value = {
+      inherit name;
+      enable = true;
+      tokenPath = "/etc/secrets/buildkite-agent-token";
+      privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+      runtimePackages = with pkgs; [
+        docker
+        nix
+        gnutar
+        gzip
+      ];
+    };
+  }) (range 1 1));
+
+  users.users."buildkite-agent-mugwump-1".extraGroups = [ "docker" ];
+  users.users."buildkite-agent-mugwump-2".extraGroups = [ "docker" ];
+}

users/grfn/system/system/machines/roswell.nix

@@ -0,0 +1,17 @@
+{ depot, config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    ../modules/common.nix
+    "${modulesPath}/installer/scan/not-detected.nix"
+    "${modulesPath}/virtualisation/amazon-image.nix"
+  ];
+
+  ec2.hvm = true;
+
+  networking.hostName = "roswell";
+
+  users.users.grfn.openssh.authorizedKeys.keys = [
+    depot.users.grfn.keys.main
+  ];
+}

users/grfn/system/system/machines/yeren.nix

@@ -0,0 +1,125 @@
+{ depot, modulesPath, config, lib, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ../modules/common.nix
+    ../modules/laptop.nix
+    ../modules/xserver.nix
+    ../modules/fonts.nix
+    ../modules/sound.nix
+    ../modules/tvl.nix
+    ../modules/development.nix
+    ../modules/work/kolide.nix
+  ];
+
+  networking.hostName = "yeren";
+
+  system.stateVersion = "21.03";
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+      kernelModules = [ ];
+
+      luks.devices = {
+        "cryptroot".device = "/dev/disk/by-uuid/dcfbc22d-e0d2-411b-8dd3-96704d3aae2e";
+        "cryptswap".device = "/dev/disk/by-uuid/48b8a8fd-559c-4759-a617-56f221cfaaec";
+      };
+    };
+
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    kernelModules = [ "kvm-intel" ];
+    blacklistedKernelModules = [ "psmouse" ];
+    extraModulePackages = [
+      config.boot.kernelPackages.digimend
+    ];
+    kernelParams = [
+      "i915.preliminary_hw_support=1"
+    ];
+
+    # https://bbs.archlinux.org/viewtopic.php?pid=1933643#p1933643
+    extraModprobeConfig = ''
+      options snd-intel-dspcfg dsp_driver=1
+    '';
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/53A9-248B";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [{ device = "/dev/mapper/cryptswap"; }];
+
+  services.xserver = {
+    exportConfiguration = true;
+    extraConfig = ''
+      Section "Device"
+        Identifier  "Intel Graphics"
+        Driver      "intel"
+        Option      "TripleBuffer" "true"
+        Option      "TearFree"     "true"
+        Option      "DRI"          "true"
+        Option      "AccelMethod"  "sna"
+      EndSection
+    '';
+  };
+
+  hardware.firmware = with pkgs; [
+    alsa-firmware
+    sof-firmware
+  ];
+
+  hardware.opengl.extraPackages = with pkgs; [
+    vaapiIntel
+    vaapiVdpau
+    libvdpau-va-gl
+    intel-media-driver
+  ];
+
+  services.fprintd = {
+    enable = true;
+    package = pkgs.fprintd-tod;
+  };
+
+  systemd.services.fprintd.environment.FP_TOD_DRIVERS_DIR =
+    "${pkgs.libfprint-2-tod1-goodix}/usr/lib/libfprint-2/tod-1";
+
+  security.pam.loginLimits = [
+    {
+      domain = "grfn";
+      type = "soft";
+      item = "nofile";
+      value = "65535";
+    }
+  ];
+
+  security.pam.services = {
+    login.fprintAuth = true;
+    sudo.fprintAuth = true;
+    i3lock.fprintAuth = false;
+    i3lock-color.fprintAuth = false;
+    lightdm.fprintAuth = true;
+    lightdm-greeter.fprintAuth = true;
+  };
+
+  hardware.opengl.driSupport32Bit = true;
+
+  hardware.pulseaudio.extraConfig = ''
+    load-module module-remap-source source_name=KompleteAudio6_1 source_properties=device.description=KompleteAudio6Input1 master=alsa_input.usb-Native_Instruments_Komplete_Audio_6_458E0FFD-00.multichannel-input remix=no channels=1 master_channel_map=front-left channel_map=mono
+    load-module module-remap-source source_name=KompleteAudio6_2 source_properties=device.description=KompleteAudio6Input2 master=alsa_input.usb-Native_Instruments_Komplete_Audio_6_458E0FFD-00.multichannel-input remix=no channels=1 master_channel_map=front-right channel_map=mono
+    load-module module-remap-sink sink_name=KompleteAudio6_12 sink_properties=device.description=KompleteAudio6_12 remix=no master=alsa_output.usb-Native_Instruments_Komplete_Audio_6_458E0FFD-00.analog-surround-21 channels=2 master_channel_map=front-left,front-right channel_map=front-left,front-right
+  '';
+
+  services.fwupd.enable = true;
+
+  services.tailscale.enable = true;
+}

users/grfn/system/system/modules/common.nix

@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+  depot = import ../../../../.. {};
+
+in
+
+with lib;
+
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.useDHCP = false;
+  networking.networkmanager.enable = true;
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  time.timeZone = "America/New_York";
+
+  environment.systemPackages = with pkgs; [
+    wget
+    vim
+    zsh
+    git
+    w3m
+    libnotify
+    file
+    lm_sensors
+    dnsutils
+    depot.users.grfn.system.system.rebuilder
+    htop
+  ];
+
+  services.openssh.enable = true;
+
+  programs.ssh.startAgent = true;
+
+  networking.firewall.enable = mkDefault false;
+
+  users.mutableUsers = true;
+  programs.zsh.enable = true;
+  environment.pathsToLink = [ "/share/zsh" ];
+  users.users.grfn = {
+    isNormalUser = true;
+    initialPassword = "password";
+    extraGroups = [
+      "wheel"
+      "networkmanager"
+      "audio"
+      "docker"
+    ];
+    shell = pkgs.zsh;
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  nix = {
+    trustedUsers = [ "grfn" ];
+    autoOptimiseStore = true;
+    distributedBuilds = true;
+
+    gc = {
+      automatic = true;
+      dates = mkDefault "weekly";
+      options = "--delete-older-than 30d";
+    };
+  };
+
+  services.udev.packages = with pkgs; [
+    yubikey-personalization
+  ];
+
+  services.pcscd.enable = true;
+}

users/grfn/system/system/modules/desktop.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./xserver.nix
+    ./fonts.nix
+    ./sound.nix
+    ./kernel.nix
+  ];
+
+  programs.nm-applet.enable = true;
+
+  users.users.grfn.extraGroups = [
+    "audio"
+    "video"
+  ];
+
+  services.geoclue2.enable = true;
+}

users/grfn/system/system/modules/development.nix

@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+  users.users.grfn.extraGroups = [ "docker" ];
+}

users/grfn/system/system/modules/fcitx.nix

@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+  i18n.inputMethod = {
+    enabled = "fcitx";
+    fcitx.engines = with pkgs.fcitx-engines; [
+      cloudpinyin
+    ];
+  };
+}

users/grfn/system/system/modules/fonts.nix

@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+{
+  fonts = {
+    fonts = with pkgs; [
+      nerdfonts
+      noto-fonts-emoji
+      twitter-color-emoji
+    ];
+
+    fontconfig.defaultFonts.emoji = ["Twitter Color Emoji"];
+  };
+}

users/grfn/system/system/modules/kernel.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+with lib.versions;
+let
+  inherit (pkgs) stdenvNoCC;
+  kernelRelease = config.boot.kernelPackages.kernel.version;
+  mj = major kernelRelease;
+  mm = majorMinor kernelRelease;
+  patched-linux-ck = stdenvNoCC.mkDerivation {
+    name = "linux-ck";
+    src = builtins.fetchurl {
+      name = "linux-ck-patch-${mm}-ck1.xz";
+      # example: http://ck.kolivas.org/patches/5.0/5.4/5.4-ck1/patch-5.4-ck1.xz
+      url = "http://ck.kolivas.org/patches/${mj}.0/${mm}/${mm}-ck1/patch-${mm}-ck1.xz";
+      sha256 = "14lfpq9hvq1amxrl0ayfid1d04kd35vwsvk1ppnqa87nqfkjq47c";
+    };
+
+    unpackPhase = ''
+      ${pkgs.xz}/bin/unxz -kfdc $src > patch-${mm}-ck1
+    '';
+
+    installPhase = ''
+      cp patch-${mm}-ck1 $out
+    '';
+  };
+in
+{
+  boot.kernelPackages = pkgs.linuxPackages_5_11.extend (self: super: {
+    kernel = super.kernel.override {
+      ignoreConfigErrors = true;
+      kernelPatches = super.kernel.kernelPatches ++ [{
+        name = "linux-ck";
+        patch = patched-linux-ck;
+      }];
+      argsOverride = {
+        modDirVersion = super.kernel.modDirVersion + "-ck1";
+      };
+    };
+  });
+}

users/grfn/system/system/modules/laptop.nix

@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./reusable/battery.nix
+  ];
+
+  laptop.onLowBattery.enable = true;
+
+  services.logind.extraConfig = ''
+    HandlePowerKey=hibernate
+  '';
+}

users/grfn/system/system/modules/reusable/README.org

@@ -0,0 +1,2 @@
+This directory contains things I'm eventually planning on contributing upstream
+to nixpkgs

users/grfn/system/system/modules/reusable/battery.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+  options = {
+    laptop.onLowBattery = {
+      enable = mkEnableOption "Perform action on low battery";
+
+      thresholdPercentage = mkOption {
+        description = "Threshold battery percentage on which to perform the action";
+        default = 8;
+        type = types.int;
+      };
+
+      action = mkOption {
+        description = "Action to perform on low battery";
+        default = "hibernate";
+        type = types.enum [ "hibernate" "suspend" "suspend-then-hibernate" ];
+      };
+    };
+  };
+
+  config =
+    let cfg = config.laptop.onLowBattery;
+    in mkIf cfg.enable {
+    services.udev.extraRules = concatStrings [
+      ''SUBSYSTEM=="power_supply", ''
+      ''ATTR{status}=="Discharging", ''
+      ''ATTR{capacity}=="[0-${toString cfg.thresholdPercentage}]", ''
+      ''RUN+="${pkgs.systemd}/bin/systemctl ${cfg.action}"''
+    ];
+  };
+}

users/grfn/system/system/modules/rtlsdr.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    rtl-sdr
+  ];
+
+  services.udev.packages = with pkgs; [
+    rtl-sdr
+  ];
+
+  # blacklist for rtl-sdr
+  boot.blacklistedKernelModules = [
+    "dvb_usb_rtl28xxu"
+  ];
+}

users/grfn/system/system/modules/sound.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  nixpkgs.config.pulseaudio = true;
+
+  environment.systemPackages = with pkgs; [
+    pulseaudio-ctl
+    paprefs
+    pasystray
+    pavucontrol
+  ];
+
+  hardware.pulseaudio.package = pkgs.pulseaudioFull;
+}

users/grfn/system/system/modules/tvl.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+  nix = {
+    buildMachines = [{
+      hostName = "whitby.tvl.fyi";
+      sshUser = "grfn";
+      sshKey = "/root/.ssh/id_rsa";
+      system = "x86_64-linux";
+      maxJobs = 64;
+      supportedFeatures = ["big-parallel" "kvm" "nixos-test" "benchmark"];
+    }];
+
+    extraOptions = ''
+      builders-use-substitutes = true
+    '';
+
+    binaryCaches = [
+      "https://cache.nixos.org"
+      "ssh://nix-ssh@whitby.tvl.fyi"
+    ];
+    trustedBinaryCaches = [
+      "https://cache.nixos.org"
+      "ssh://nix-ssh@whitby.tvl.fyi"
+    ];
+    binaryCachePublicKeys = [
+      "cache.tvl.fyi:fd+9d1ceCPvDX/xVhcfv8nAa6njEhAGAEe+oGJDEeoc="
+    ];
+  };
+
+  programs.ssh.knownHosts.whitby = {
+    hostNames = [ "whitby" "whitby.tvl.fyi" "49.12.129.211"];
+    publicKeyFile = pkgs.writeText "whitby.pub" ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I
+    '';
+  };
+}

users/grfn/system/system/modules/work/kolide.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+  deb = ./kolide.deb;
+
+  kolide = pkgs.runCommand "kolide-data" {
+    buildInputs = [ pkgs.binutils-unwrapped ];
+  } ''
+    cp ${deb} ./kolide.deb
+    ar x kolide.deb
+    mkdir result
+    tar xzf data.tar.gz -C result
+    patchelf \
+      --set-interpreter ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 \
+      --set-rpath "${lib.makeLibraryPath (with pkgs; [
+        zlib
+      ])}" \
+      result/usr/local/kolide-k2/bin/osqueryd
+    mv result $out
+  '';
+
+in {
+  systemd.services."launcher.kolide-k2" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "syslog.service" ];
+    description = "The Kolide Launcher";
+    serviceConfig = {
+      ExecStart = ''
+        ${kolide}/usr/local/kolide-k2/bin/launcher \
+          -config \
+          ${pkgs.writeText "launcher.flags" ''
+            with_initial_runner
+            control
+            autoupdate
+            root_directory /var/lib/kolide
+            osqueryd_path ${kolide}/usr/local/kolide-k2/bin/osqueryd
+            enroll_secret_path ${kolide}/etc/kolide-k2/secret
+            control_hostname k2control.kolide.com
+            update_channel stable
+            transport jsonrpc
+            hostname k2device.kolide.com
+          ''}
+      '';
+      StateDirectory = "kolide";
+      Restart = "on-failure";
+      RestartSec = 3;
+    };
+  };
+}

users/grfn/system/system/modules/xserver.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+  # Enable the X11 windowing system.
+  services.xserver = {
+    enable = true;
+    layout = "us";
+
+    libinput.enable = true;
+
+    displayManager = {
+      defaultSession = "none+i3";
+    };
+
+    windowManager.i3.enable = true;
+  };
+}