feat(networking): auto-login for Deutsche Bahn WiFi portals

This runs optimisation periodically instead of during builds.

flake.lock

@@ -129,11 +129,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1751256218,
+        "lastModified": 1753070653,
-        "narHash": "sha256-WC1YSV4lFT41AaEhpiQZRuofe+2WLI9PNuuqgdRmjVM=",
+        "narHash": "sha256-vp4Svdpb90eEYkUKxjVROgcJ92u/2sVF8hnpsiKJEhI=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "fa40d85b15cbfb1a488ef9a119ff2d40a481c8da",
+        "rev": "87f5912350a5bac28eacc1b89bb1767ca1a77e7e",
         "type": "gitlab"
       },
       "original": {
@@ -198,11 +198,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749398372,
+        "lastModified": 1751413152,
-        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
         "type": "github"
       },
       "original": {
@@ -314,11 +314,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750792728,
+        "lastModified": 1753055804,
-        "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
+        "narHash": "sha256-KerePGJYX47ex6OY3CWsid4AltO2gDtQROunYJ0eCEE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
+        "rev": "adf195f021a8cbb0c317f75b52e96c82616526f9",
         "type": "github"
       },
       "original": {
@@ -405,11 +405,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1750837715,
+        "lastModified": 1752666637,
-        "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=",
+        "narHash": "sha256-P8J72psdc/rWliIvp8jUpoQ6qRDlVzgSDDlgkaXQ0Fw=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "98236410ea0fe204d0447149537a924fb71a6d4f",
+        "rev": "d1bfa8f6ccfb5c383e1eba609c1eb67ca24ed153",
         "type": "github"
       },
       "original": {
@@ -420,11 +420,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1751211869,
+        "lastModified": 1752866191,
-        "narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=",
+        "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b43c397f6c213918d6cfe6e3550abfe79b5d1c51",
+        "rev": "f01fe91b0108a7aff99c99f2e9abbc45db0adc2a",
         "type": "github"
       },
       "original": {
@@ -436,11 +436,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1751011381,
+        "lastModified": 1752950548,
-        "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=",
+        "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7",
+        "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
         "type": "github"
       },
       "original": {
@@ -475,11 +475,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1751271961,
+        "lastModified": 1753086528,
-        "narHash": "sha256-Ka+zyYx1UeDccCv4ZlW7LAvVJdJGnSzKjZQt04fCIoQ=",
+        "narHash": "sha256-5RMRU6J7fiaHzA0Bz/xStfuLLQ1AtJfIagxHqEhAb2c=",
         "owner": "astro",
         "repo": "nix-openwrt-imagebuilder",
-        "rev": "8e3ee0a40fb019ec95bec661c45b9d4940d27583",
+        "rev": "09b9e58d8b4e98193590aa02f60b41881fad840d",
         "type": "github"
       },
       "original": {

hardware/base.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+_:
 
 {
   imports = [
@@ -7,19 +7,6 @@
     ./zsa.nix
   ];
 
-  boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
-  boot.kernelPackages = lib.mkOverride 800 pkgs.linuxPackages_latest;
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.initrd.systemd.enable = true;
-
-  boot.plymouth.enable = true;
-
-  # prevents `systemd-vconsole-setup` failing during systemd initrd
-  console.earlySetup = true;
-  systemd.services.systemd-vconsole-setup.unitConfig.After = "local-fs.target";
-
   services.smartd.enable = true;
   services.smartd.notifications.x11.enable = true;
 }

home/browsers/mullvad-browser.nix

@@ -217,6 +217,7 @@ in
       work = {
         id = 1;
         settings = commonSettings;
+        search = commonSearch;
         extensions.packages =
           commonExtensions
           ++ (with firefox-addons; [

home/editors/lsp.nix

@@ -8,7 +8,7 @@
     unstable.nixd
     nls
     terraform-ls
-    unstable.opentofu-ls
+    unstable.tofu-ls
     pyright
     nodePackages.bash-language-server
     nodePackages.vim-language-server

home/felschr-work.nix

@@ -68,6 +68,7 @@ with pkgs;
 
     # entertainment
     celluloid
+    spotify
 
     # ai
     unstable.alpaca

hosts/cmdframe/default.nix

@@ -5,7 +5,7 @@
     ./disk-config.nix
     ../../hardware/base.nix
     ../../hardware/bluetooth.nix
-    ../../system/desktop.nix
+    ../../system/laptop.nix
     ../../system/printing/home.nix
     ../../desktop
     ../../desktop/cosmic.nix
@@ -13,6 +13,7 @@
     ../../virtualisation/podman.nix
     ../../virtualisation/libvirt.nix
     ../../modules/systemdNotify.nix
+    ../../services/llm.nix
     inputs.seven-modules.nixosModules.seven
   ];
 
@@ -39,6 +40,11 @@
     "--operator=felschr"
   ];
 
+  services.ollama = {
+    acceleration = "rocm";
+    rocmOverrideGfx = "11.5.0";
+  };
+
   seven = {
     enable = true;
     wireguard = {

hosts/home-pc/default.nix

@@ -20,7 +20,7 @@
     ../../services/samba/home-pc.nix
     ../../services/restic/home-pc.nix
     ../../services/pcscd.nix
-    ../../services/open-webui.nix
+    ../../services/llm.nix
     inputs.seven-modules.nixosModules.seven
   ];
 
@@ -61,6 +61,11 @@
     "87.98.162.88" = [ "portcheck.transmissionbt.com" ];
   };
 
+  services.ollama = {
+    acceleration = "rocm";
+    rocmOverrideGfx = "10.3.1";
+  };
+
   seven = {
     enable = true;
     wireguard = {

services/adguardhome.nix

@@ -59,12 +59,12 @@ in
         {
           name = "OISD (Big)";
           url = "https://big.oisd.nl";
-          enabled = false;
+          enabled = true;
         }
         {
           name = "AdGuard DNS filter";
           url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
-          enabled = false;
+          enabled = true;
         }
       ];
       whitelist_filters = [

services/llm.nix

@@ -19,8 +19,6 @@
   services.ollama = {
     enable = true;
     package = pkgs.unstable.ollama;
-    acceleration = "rocm";
-    rocmOverrideGfx = "10.3.1";
   };
 
   services.open-webui = {

system/boot.nix

@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+
+{
+  boot.supportedFilesystems = lib.mkDefault [ "btrfs" ];
+  boot.kernelPackages = lib.mkOverride 800 pkgs.linuxPackages_latest;
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.systemd.enable = true;
+
+  boot.plymouth.enable = true;
+
+  # prevents `systemd-vconsole-setup` failing during systemd initrd
+  console.earlySetup = true;
+  systemd.services.systemd-vconsole-setup.unitConfig.After = "local-fs.target";
+}

system/common.nix

@@ -2,6 +2,7 @@
 
 {
   imports = [
+    ./boot.nix
     ./zram.nix
     ./i18n.nix
     ./nix.nix

system/hardened.nix

@@ -12,8 +12,16 @@
   # @TODO hardened kernel causes Bluetooth issues
   boot.kernelPackages = lib.mkOverride 900 pkgs.linuxPackages;
 
-  # Xbox Controller not working via Bluetooth if enabled
+  security = {
-  security.lockKernelModules = lib.mkOverride 900 false;
+    # Xbox Controller not working via Bluetooth if enabled
+    lockKernelModules = lib.mkOverride 900 false;
+
+    sudo.enable = false;
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+    };
+  };
 
   boot.loader.systemd-boot.editor = lib.mkDefault false;
 

system/laptop.nix

@@ -0,0 +1,8 @@
+_:
+
+{
+  imports = [
+    ./desktop.nix
+    ./lid.nix
+  ];
+}

system/lid.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+
+{
+  services.acpid = lib.mkIf config.services.fprintd.enable {
+    enable = true;
+    handlers.lidClosed = {
+      event = "button/lid \\w+ close";
+      action = ''
+        echo "Lid closed. Disabling fprintd."
+        systemctl stop fprintd
+        ln -s /dev/null /run/systemd/transient/fprintd.service
+        systemctl daemon-reload
+      '';
+    };
+    handlers.lidOpen = {
+      event = "button/lid \\w+ open";
+      action = ''
+        if ! $(systemctl is-active --quiet fprintd); then
+          echo "Lid open. Enabling fprintd."
+          rm -f /run/systemd/transient/fprintd.service
+          systemctl daemon-reload
+          systemctl start fprintd
+        fi
+      '';
+    };
+  };
+}

system/networking.nix

@@ -35,6 +35,24 @@ let
       "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
     ];
   };
+
+  mkPublicWifiProfile = ssid: {
+    connection = {
+      id = ssid;
+      type = "wifi";
+    };
+    wifi = {
+      mode = "infrastructure";
+      inherit ssid;
+    };
+    ipv4 = {
+      method = "auto";
+    };
+    ipv6 = {
+      method = "auto";
+      addr-gen-mode = "stable-privacy";
+    };
+  };
 in
 {
   networking = {
@@ -46,6 +64,11 @@ in
       5353 # mDNS
     ];
     networkmanager.dns = "systemd-resolved";
+    networkmanager.ensureProfiles.profiles = {
+      "WIFIonICE" = mkPublicWifiProfile "WIFIonICE";
+      "WIFI@DB" = mkPublicWifiProfile "WIFI@DB";
+      "metronom free WLAN" = mkPublicWifiProfile "metronom free WLAN";
+    };
   };
 
   systemd.network = {
@@ -96,4 +119,20 @@ in
     dig
     wireguard-tools
   ];
+
+  networking.networkmanager.dispatcherScripts = [
+    {
+      #!/usr/bin/env bash
+      source = pkgs.writeText "connect_ice" ''
+        set -euxo pipefail
+        ACTION="$2"
+        if [[ "$ACTION" == "up" ]]; then
+          if [[ "$CONNECTION_ID" =~ "WIFIonICE|WIFI@DB" ]]; then
+            ${pkgs.curl}/bin/curl 'https://login.wifionice.de/cna/logon' -sSL -X POST
+          fi
+        fi
+      '';
+      type = "basic";
+    }
+  ];
 }

system/nix.nix

@@ -18,17 +18,18 @@ in
 
   nixpkgs.config.allowUnfree = true;
 
-  nix.gc = {
+  nix = {
-    automatic = true;
+    settings = {
-    dates = "04:00";
+      trusted-users = [ "@wheel" ];
-    options = "--delete-older-than 30d";
+      substituters = nixConfig.extra-substituters;
-  };
+      trusted-public-keys = nixConfig.extra-trusted-public-keys;
-
+    };
-  nix.settings = {
+    optimise.automatic = true;
-    trusted-users = [ "@wheel" ];
+    gc = {
-    auto-optimise-store = true;
+      automatic = true;
-    substituters = nixConfig.extra-substituters;
+      dates = "04:00";
-    trusted-public-keys = nixConfig.extra-trusted-public-keys;
+      options = "--delete-older-than 30d";
+    };
   };
 
   system.autoUpgrade = {
@@ -54,4 +55,8 @@ in
     ''
       nix flake update ${inputsToUpdateStr} --flake ${config.system.autoUpgrade.flake}
     '';
+
+  environment.systemPackages = with pkgs; [
+    unstable.nix-tree
+  ];
 }