From 45b5582559753220ac3243798f26dbfc7e6c6960 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Laure=CE=B7t?= Date: Mon, 15 Jan 2024 16:50:55 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(WIP)=20add=20new=20`aurum`=20host?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/aurum/default.nix | 31 ++++++++++++ hosts/aurum/system/audio/default.nix | 7 +++ hosts/aurum/system/boot/default.nix | 24 +++++++++ hosts/aurum/system/boot/lanzaboot.nix | 16 ++++++ hosts/aurum/system/default.nix | 24 +++++++++ hosts/aurum/system/disko/default.nix | 54 +++++++++++++++++++++ hosts/aurum/system/docker/default.nix | 12 +++++ hosts/aurum/system/fonts/default.nix | 16 ++++++ hosts/aurum/system/hardware/default.nix | 31 ++++++++++++ hosts/aurum/system/i18n/default.nix | 10 ++++ hosts/aurum/system/impermanence/default.nix | 30 ++++++++++++ hosts/aurum/system/networking/default.nix | 18 +++++++ hosts/aurum/system/nix/default.nix | 48 ++++++++++++++++++ hosts/aurum/system/security/default.nix | 17 +++++++ hosts/aurum/system/users/default.nix | 14 ++++++ hosts/default.nix | 34 ++++++------- 16 files changed, 368 insertions(+), 18 deletions(-) create mode 100644 hosts/aurum/default.nix create mode 100644 hosts/aurum/system/audio/default.nix create mode 100644 hosts/aurum/system/boot/default.nix create mode 100644 hosts/aurum/system/boot/lanzaboot.nix create mode 100644 hosts/aurum/system/default.nix create mode 100644 hosts/aurum/system/disko/default.nix create mode 100644 hosts/aurum/system/docker/default.nix create mode 100644 hosts/aurum/system/fonts/default.nix create mode 100644 hosts/aurum/system/hardware/default.nix create mode 100644 hosts/aurum/system/i18n/default.nix create mode 100644 hosts/aurum/system/impermanence/default.nix create mode 100644 hosts/aurum/system/networking/default.nix create mode 100644 hosts/aurum/system/nix/default.nix create mode 100644 hosts/aurum/system/security/default.nix create mode 100644 hosts/aurum/system/users/default.nix 
diff --git a/hosts/aurum/default.nix b/hosts/aurum/default.nix
new file mode 100644
index 0000000..5da04df
--- /dev/null
+++ b/hosts/aurum/default.nix
@@ -0,0 +1,31 @@
+{pkgs, ...}: {
+ imports = [
+ ./system
+ ];
+
+ # shorter timeout for systemd services
+ systemd.extraConfig = ''
+ DefaultTimeoutStopSec=10s
+ '';
+
+ services.dbus.enable = true;
+ xdg.portal = {
+ enable = true;
+ wlr.enable = true;
+
+ config = {
+ common.default = ["wlr" "gtk"];
+ hyprland.default = ["hyprland"];
+ };
+ extraPortals = [
+ pkgs.xdg-desktop-portal-gtk
+ pkgs.xdg-desktop-portal-wlr
+ pkgs.xdg-desktop-portal-hyprland
+ ];
+ };
+
+ programs.zsh.enable = true;
+
+ # enable gnome virtual file system
+ services.gvfs.enable = true;
+}
diff --git a/hosts/aurum/system/audio/default.nix b/hosts/aurum/system/audio/default.nix
new file mode 100644
index 0000000..e04ca2b
--- /dev/null
+++ b/hosts/aurum/system/audio/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ pulse.enable = true;
+ };
+}
diff --git a/hosts/aurum/system/boot/default.nix b/hosts/aurum/system/boot/default.nix
new file mode 100644
index 0000000..ab49306
--- /dev/null
+++ b/hosts/aurum/system/boot/default.nix
@@ -0,0 +1,24 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ # support for mounting windaube partitions
+ boot.supportedFilesystems = ["ntfs"];
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # clean /tmp at each boot
+ boot.tmp.cleanOnBoot = true;
+
+ # use latest kernel
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # imports = [
+ # ./lanzaboot.nix
+ # ];
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd" "v4l2loopback"];
+ boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
+}
diff --git a/hosts/aurum/system/boot/lanzaboot.nix b/hosts/aurum/system/boot/lanzaboot.nix
new file mode 100644
index 0000000..72dd6e0
--- /dev/null
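Review bot: No boot loader is enabled in hosts/aurum/system/boot/default.nix: `boot.loader.efi.canTouchEfiVariables = true` is set, but `boot.loader.systemd-boot.enable` is never set and the `./lanzaboot.nix` import is commented out, so unless a loader is configured elsewhere the generated system has nothing to install to the ESP. Either set `boot.loader.systemd-boot.enable = true;` until the Secure Boot setup is finished, or put a comment next to the commented import stating that the host is intentionally not bootable until lanzaboote is wired up. A one-line note on `boot.kernelPackages = pkgs.linuxPackages_latest` would also help, since `v4l2loopback` in `extraModulePackages` then follows the newest kernel and can lag behind it.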
+++ b/hosts/aurum/system/boot/lanzaboot.nix
@@ -0,0 +1,16 @@
+{lib, ...}: {
+ # This should already be here from switching to bootspec earlier.
+ # It's not required anymore, but also doesn't do any harm.
+ boot.bootspec.enable = true;
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+}
diff --git a/hosts/aurum/system/default.nix b/hosts/aurum/system/default.nix
new file mode 100644
index 0000000..28055dc
--- /dev/null
+++ b/hosts/aurum/system/default.nix
@@ -0,0 +1,24 @@
+{...}: {
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. Itβ€˜s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+ imports = [
+ ./audio
+ ./boot
+ ./disko
+ ./docker
+ ./fonts
+ ./hardware
+ ./i18n
+ # ./impermanence
+ ./networking
+ ./nix
+ ./security
+ ./users
+ ];
+}
diff --git a/hosts/aurum/system/disko/default.nix b/hosts/aurum/system/disko/default.nix
new file mode 100644
index 0000000..0f965d8
--- /dev/null
+++ b/hosts/aurum/system/disko/default.nix
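Review bot: `boot.lanzaboote` is only defined when `inputs.lanzaboote.nixosModules.lanzaboote` is in the host's module list, and in this same patch that line stays commented out in hosts/default.nix, so importing this file as-is would presumably fail evaluation on an undefined option. A header comment such as `# Requires inputs.lanzaboote.nixosModules.lanzaboote in hosts/default.nix and keys enrolled under /etc/secureboot; import is still commented out in ./default.nix` would record the dependency. Since `pkiBundle` points at the directory holding the Secure Boot signing keys, the same comment should state that it must stay root-only and live on the encrypted volume.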
@@ -0,0 +1,54 @@
+{...}: {
+ disko.devices = {
+ disk = {
+ nvme0 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ size = "512MiB";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/secret.key";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@persistent" = {
+ mountpoint = "/persistent";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "10G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/aurum/system/docker/default.nix b/hosts/aurum/system/docker/default.nix
new file mode 100644
index 0000000..f94fbc4
--- /dev/null
+++ b/hosts/aurum/system/docker/default.nix
@@ -0,0 +1,12 @@
+{...}: {
+ virtualisation.docker = {
+ enable = true;
+
+ storageDriver = "btrfs";
+ enableOnBoot = false;
+ autoPrune.enable = true;
+ };
+
+ # docker users
+ users.users.laurent.extraGroups = ["docker"];
+}
diff --git a/hosts/aurum/system/fonts/default.nix b/hosts/aurum/system/fonts/default.nix
new file mode 100644
index 0000000..57362a4
--- /dev/null
+++ b/hosts/aurum/system/fonts/default.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ fonts.packages = with pkgs; [
+ # https://notofonts.github.io/
+ noto-fonts # standard characters
+ noto-fonts-lgc-plus # latin, greek, and cyrillic
+ noto-fonts-cjk # chinese, japanese, and korean
+ noto-fonts-emoji # emojis 🐒
+
+ # https://github.com/tonsky/FiraCode
+ fira-code # standard characters
+ fira-code-symbols # unicode ligature glyphs
+
+ # https://github.com/ryanoasis/nerd-fonts
+ (nerdfonts.override {fonts = ["FiraCode"];})
+ ];
+}
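Review bot: `passwordFile = "/tmp/secret.key"` is only consumed while disko formats the disk, but nothing in the file says so; a comment such as `# install-time only: disko reads the LUKS passphrase from this file while formatting; create it on the installer and delete it afterwards` keeps a reader from assuming the passphrase lives on the running system. `settings.allowDiscards = true` passes TRIM through the LUKS layer, which exposes which blocks of the encrypted volume are unused; that is a common laptop tradeoff, but it deserves a comment saying it is deliberate. The layout also defines no `/` mountpoint, which presumably relies on the impermanence/tmpfs-root setup that is still commented out elsewhere in this patch; that expectation should be written down here.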
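Review bot: Adding `laurent` to the `docker` group grants root-equivalent access through the Docker socket without any password prompt, which is broader than the sudo-gated `wheel` membership given in hosts/aurum/system/users/default.nix. If that is intended, the comment should say so, e.g. `# docker users — note: docker group membership is root-equivalent`; otherwise `virtualisation.docker.rootless.enable` is the alternative. `storageDriver = "btrfs"` matches the disko layout, but Docker's data root will need to sit on a persisted subvolume if impermanence is enabled later, which is worth a note here.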
diff --git a/hosts/aurum/system/hardware/default.nix b/hosts/aurum/system/hardware/default.nix
new file mode 100644
index 0000000..a146c71
--- /dev/null
+++ b/hosts/aurum/system/hardware/default.nix
@@ -0,0 +1,31 @@
+{...}: {
+ # hardware
+ hardware = {
+ enableRedistributableFirmware = true;
+ opengl = {
+ enable = true;
+ driSupport = true;
+ };
+ };
+
+ # logind configuration
+ services.logind = {
+ lidSwitch = "ignore";
+ extraConfig = ''
+ HandlePowerKey=suspend
+ '';
+ };
+
+ # tlp, power management
+ services.tlp.enable = true;
+
+ # thermald, controls temperature
+ services.thermald.enable = true;
+
+ # bluetooth
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+ # backlight intensity
+ programs.light.enable = true;
+}
diff --git a/hosts/aurum/system/i18n/default.nix b/hosts/aurum/system/i18n/default.nix
new file mode 100644
index 0000000..90f1921
--- /dev/null
+++ b/hosts/aurum/system/i18n/default.nix
@@ -0,0 +1,10 @@
+{...}: {
+ # FRANCE πŸ‡«πŸ‡· πŸ₯– πŸ₯
+ time.timeZone = "Europe/Paris";
+
+ # azerty keyboard
+ console.keyMap = "fr";
+
+ # english ISO metric system
+ i18n.defaultLocale = "en_DK.UTF-8";
+}
diff --git a/hosts/aurum/system/impermanence/default.nix b/hosts/aurum/system/impermanence/default.nix
new file mode 100644
index 0000000..7a65f0d
--- /dev/null
+++ b/hosts/aurum/system/impermanence/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+ environment.persistence."/persistent" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/secureboot"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ # TODO: move this into home config, when silicium has impermanence too
+ users.laurent = {
+ directories = [
+ "Documents"
+ ".librewolf"
+ ".thunderbird"
+ ".local/share/direnv"
+ ".local/share/keyrings"
+ {
+ directory = ".ssh";
+ mode = "0700";
+ }
+ ];
+ };
+ };
+}
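Review bot: `"/etc/secureboot"` is persisted as a bare string and so presumably gets the module's default directory mode, while the `.ssh` entry in the same file shows the stricter form; since this directory holds the Secure Boot signing keys, `{ directory = "/etc/secureboot"; mode = "0700"; }` would be the matching entry. `"/var/lib/systemd/coredump"` keeps core dumps across reboots, and dumps of processes such as the keyring daemon can contain decrypted secrets, so either drop it or add a comment explaining why it is kept. This file is not imported yet (`# ./impermanence` in hosts/aurum/system/default.nix), so neither point takes effect until it is; a header comment noting that would help.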
diff --git a/hosts/aurum/system/networking/default.nix b/hosts/aurum/system/networking/default.nix
new file mode 100644
index 0000000..2aee5e7
--- /dev/null
+++ b/hosts/aurum/system/networking/default.nix
@@ -0,0 +1,18 @@
+{...}: {
+ networking = {
+ # the name of the machine
+ hostName = "aurum";
+
+ # domain name servers, use clouflare family
+ nameservers = ["1.1.1.2" "1.0.0.2"];
+
+ # use networkManager, see nmcli
+ networkmanager.enable = true;
+
+ # firewall
+ firewall.enable = true;
+
+ # https://github.com/StevenBlack/hosts
+ stevenblack.enable = true;
+ };
+}
diff --git a/hosts/aurum/system/nix/default.nix b/hosts/aurum/system/nix/default.nix
new file mode 100644
index 0000000..53d7556
--- /dev/null
+++ b/hosts/aurum/system/nix/default.nix
@@ -0,0 +1,48 @@
+{
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: {
+ # restrict nix command to sudoers
+ nix.settings.allowed-users = ["root" "@wheel"];
+ nix.settings.trusted-users = ["root" "@wheel"];
+
+ # experimental features
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # limit number of cores when building
+ nix.settings.max-jobs = 6;
+
+ # optimizations
+ nix.settings.auto-optimise-store = true;
+ nix.optimise = {
+ automatic = true;
+ dates = ["12:00"];
+ };
+
+ # garbage collection
+ nix.gc = {
+ automatic = true;
+ dates = "12:00";
+ options = "--delete-older-than 30d";
+ };
+
+ # pin nixpkgs registry
+ nix.registry.nixpkgs.flake = inputs.nixpkgs;
+
+ # list of allowed unfree packages
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "vscode"
+ "vscode-extension-github-copilot"
+ "vscode-extension-github-copilot-chat"
+ "vscode-extension-ms-vsliveshare-vsliveshare"
+ ];
+
+ # print diff between two generations
+ system.activationScripts.nvd-report-changes = ''
+ PATH=$PATH:${lib.makeBinPath [pkgs.nvd pkgs.nix]}
+ nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
+ '';
+}
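Review bot: The static `nameservers` will presumably be merged with or replaced by DHCP-supplied resolvers once NetworkManager manages `resolv.conf`, because nothing here sets `networking.networkmanager.dns`; if the Cloudflare family filter is meant to be authoritative, say so in the comment and configure NetworkManager's DNS handling to match. The comment also misspells "clouflare". `firewall.enable = true` is already the NixOS default, so a comment noting it is restated for explicitness would prevent a reader from assuming something was off.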
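Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` lets any wheel member change substituters, sandbox and other daemon settings with no sudo prompt, which is considerably more than the "restrict nix command to sudoers" comment above it suggests; `allowed-users` already gives wheel access to the daemon, so either narrow trusted-users to `["root"]` or replace the comment with one that states the consequence, e.g. `# trusted-users may override substituters/sandbox — effectively root`. The `nvd-report-changes` activation script feeds the last two profile links to `nvd diff`, which on a fresh install is a single argument; depending on how nvd reacts, the first activation may print an error, so a comment or a guard on the number of links would make that explicit.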
diff --git a/hosts/aurum/system/security/default.nix b/hosts/aurum/system/security/default.nix
new file mode 100644
index 0000000..8a05d96
--- /dev/null
+++ b/hosts/aurum/system/security/default.nix
@@ -0,0 +1,17 @@
+{...}: {
+ # enable polkit
+ security.polkit.enable = true;
+
+ # enable gpg agent
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryFlavor = "gnome3";
+ };
+
+ # secrets keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # allow swaylock to use pam
+ security.pam.services.swaylock = {};
+}
diff --git a/hosts/aurum/system/users/default.nix b/hosts/aurum/system/users/default.nix
new file mode 100644
index 0000000..e427ce8
--- /dev/null
+++ b/hosts/aurum/system/users/default.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+ # disable user creation/deletion
+ users.mutableUsers = false;
+
+ # configure users
+ users = {
+ users.laurent = {
+ isNormalUser = true;
+ initialPassword = "laurent";
+ extraGroups = ["wheel" "video"];
+ shell = pkgs.zsh;
+ };
+ };
+}
diff --git a/hosts/default.nix b/hosts/default.nix
index f95f5a7..69927ec 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
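Review bot: `programs.gnupg.agent.enableSSHSupport = true` and `services.gnome.gnome-keyring.enable = true` can each provide an SSH agent, and which one ends up owning `SSH_AUTH_SOCK` presumably depends on session start-up order; a comment stating which agent is intended, and how the other is kept out of the way, would avoid silent key-handling surprises. `security.pam.services.swaylock = {}` only registers an empty PAM service, so the comment could say that this is the minimal entry swaylock needs to authenticate against the user's password.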
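Review bot: With `users.mutableUsers = false`, `initialPassword = "laurent"` is not a first-boot bootstrap value but the permanent login password of the only `wheel` user, and as a literal it also lands in the world-readable Nix store and in this repository. Prefer `hashedPasswordFile` pointing at a file outside the store (for example one provisioned by a secrets module) or at least `hashedPassword`; if a placeholder is wanted while the host is being set up, mark it, e.g. `# FIXME: placeholder — mutableUsers = false makes this permanent; replace before the host is reachable`. The "disable user creation/deletion" comment is also narrower than what the option does, since it makes all user and group state declarative, passwords included.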
@@ -33,24 +33,22 @@ in {
 ];
 };
- # # work laptop
- # aurum = nixpkgs.lib.nixosSystem {
- # system = "x86_64-linux";
- # specialArgs = {
- # inherit inputs;
- # };
- # modules = [
- # ./aurum
- # inputs.home-manager.nixosModules.home-manager
- # inputs.agenix.nixosModules.default
- # # inputs.lanzaboote.nixosModules.lanzaboote
- # # inputs.nixos-hardware.nixosModules.common-cpu-amd
- # # inputs.nixos-hardware.nixosModules.common-gpu-nvidia-disable
- # # inputs.nixos-hardware.nixosModules.common-pc-laptop
- # # inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
- # {inherit home-manager;}
- # ];
- # };
+ # work laptop
+ aurum = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit inputs;
+ };
+ modules = [
+ ./aurum
+ inputs.home-manager.nixosModules.home-manager
+ inputs.disko.nixosModules.default
+ # inputs.lanzaboote.nixosModules.lanzaboote
+ # inputs.impermanence.nixosModules.impermanence
+ # inputs.nixos-hardware.nixosModules.dell-xps-13-something
+ {inherit home-manager;}
+ ];
+ };
 # vps
 cesium = nixpkgs.lib.nixosSystem rec {
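Review bot: The re-enabled `aurum` entry drops `inputs.agenix.nixosModules.default`, which the previous commented block included, so this host has no secrets module even though hosts/aurum/system/users/default.nix in the same patch stores a literal password; if agenix was left out on purpose, a comment on the `modules` list should record that, e.g. `# no secrets module yet — credentials are placeholders until the host is finished`. `inputs.disko.nixosModules.default` is now loaded while `inputs.impermanence.nixosModules.impermanence` stays commented, which is consistent with `./impermanence` being commented out in system/default.nix, but it also means the disko layout currently defines no root filesystem. The enclosing `let ... in {` attribute set begins before this hunk.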