From 1c904907d648c3a94ee0131928040655235774f2 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Sat, 18 Oct 2025 00:25:15 -0400
Subject: [PATCH] split up no-rgb and secureboot

---
 configuration.nix | 67 ++---------------------------------------------
 no-rgb.nix | 49 ++++++++++++++++++++++++++++++++++
 secureboot.nix | 33 +++++++++++++++++++++++
 3 files changed, 84 insertions(+), 65 deletions(-)
 create mode 100644 no-rgb.nix
 create mode 100644 secureboot.nix

diff --git a/configuration.nix b/configuration.nix
index 815384b..e05d14a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -16,6 +16,8 @@
 ./impermanence.nix
 ./usb-secrets.nix
 ./age-secrets.nix
+ ./secureboot.nix
+ ./no-rgb.nix
 
 ./services/postgresql.nix
 ./services/jellyfin.nix
@@ -100,29 +102,6 @@
 compressor = "zstd";
 supportedFilesystems = [ "f2fs" ];
 };
-
- loader.systemd-boot.enable = lib.mkForce false;
-
- lanzaboote = {
- enable = true;
- # needed to be in `/etc/secureboot` for sbctl to work
- pkiBundle = "/etc/secureboot";
- };
- };
-
- system.activationScripts = {
- # extract secureboot keys from agenix-decrypted tar
- "secureboot-keys" = {
- deps = [ "agenix" ];
- text = ''
- #!/bin/sh
- rm -fr ${config.boot.lanzaboote.pkiBundle} || true
- mkdir -p ${config.boot.lanzaboote.pkiBundle}
- ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
- chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
- chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
- '';
- };
 };
 
 environment.etc = {
@@ -197,48 +176,6 @@
 libatasmart
 ];
 
- systemd.services.no-rgb =
- let
- no-rgb = (
- pkgs.writeShellApplication {
- name = "no-rgb";
- runtimeInputs = with pkgs; [
- openrgb
- coreutils
- gnugrep
- ];
-
- text = ''
- #!/bin/sh
- set -e
-
- NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
-
- for i in $(seq 0 $((NUM_DEVICES - 1))); do
- openrgb --noautoconnect --device "$i" --mode direct --color 000000
- done
- '';
- }
- );
- in
- {
- description = "disable rgb";
- serviceConfig = {
- ExecStart = lib.getExe no-rgb;
- Type = "oneshot";
- };
- wantedBy = [ "multi-user.target" ];
- };
-
- services.hardware.openrgb = {
- enable = true;
- package = pkgs.openrgb-with-all-plugins;
- motherboard = "amd";
- };
-
- services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
- hardware.i2c.enable = true;
-
 networking = {
 nameservers = [
 "1.1.1.1"
diff --git a/no-rgb.nix b/no-rgb.nix
new file mode 100644
index 0000000..b304ecf
--- /dev/null
+++ b/no-rgb.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ systemd.services.no-rgb =
+ let
+ no-rgb = (
+ pkgs.writeShellApplication {
+ name = "no-rgb";
+ runtimeInputs = with pkgs; [
+ openrgb
+ coreutils
+ gnugrep
+ ];
+
+ text = ''
+ #!/bin/sh
+ set -e
+
+ NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
+
+ for i in $(seq 0 $((NUM_DEVICES - 1))); do
+ openrgb --noautoconnect --device "$i" --mode direct --color 000000
+ done
+ '';
+ }
+ );
+ in
+ {
+ description = "disable rgb";
+ serviceConfig = {
+ ExecStart = lib.getExe no-rgb;
+ Type = "oneshot";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ services.hardware.openrgb = {
+ enable = true;
+ package = pkgs.openrgb-with-all-plugins;
+ motherboard = "amd";
+ };
+
+ services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
+ hardware.i2c.enable = true;
+}
diff --git a/secureboot.nix b/secureboot.nix
new file mode 100644
index 0000000..ac78827
--- /dev/null
+++ b/secureboot.nix
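Review bot: In no-rgb.nix the `NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')` line fails on a host where no device is listed, because `grep -c` exits 1 when it counts zero matches and `pkgs.writeShellApplication` already enables errexit, nounset and pipefail by default (the explicit `set -e` in `text` has the same effect), so the oneshot unit lands in a failed state instead of doing nothing. Appending `|| true` to the pipeline, `NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ' || true)`, keeps the printed `0` and lets `seq 0 -1` produce an empty loop. The `#!/bin/sh` and `set -e` lines inside `text` are redundant with the bash wrapper writeShellApplication generates and, since the shebang is not the first line of the generated script, it is only a comment there; both can be dropped. The module's `config` argument is unused and could be removed from the pattern.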
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ # needed to be in `/etc/secureboot` for sbctl to work
+ pkiBundle = "/etc/secureboot";
+ };
+
+ };
+ system.activationScripts = {
+ # extract secureboot keys from agenix-decrypted tar
+ "secureboot-keys" = {
+ deps = [ "agenix" ];
+ text = ''
+ #!/bin/sh
+ rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+ mkdir -p ${config.boot.lanzaboote.pkiBundle}
+ ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+ chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+ chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+ '';
+ };
+ };
+}
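Review bot: The `chmod -R 500` in the secureboot-keys activation script marks the extracted Secure Boot private keys as executable, and together with `chown -R root:wheel` it reads as an intent to let the wheel group read the bundle that the mode then denies; if only root needs the keys, `chown -R root:root` followed by `chmod -R go=` plus a `find`-based split (directories 500, files 400) states that precisely and keeps key material non-executable. The `|| true` on `rm -fr` hides a failed removal, after which `mkdir -p` and `tar xf` either fail with a less useful error or extract over leftover files, so dropping `|| true` lets the activation report the real problem. Each activation wipes and re-creates the bundle, so anything written into `/etc/secureboot` between activations is lost; a one-line comment stating that the archive is the sole source of truth would make this deliberate. The `#!/bin/sh` line inside `text` is spliced into the combined activation script and is only a comment there.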