✨ (WIP) add new aurum host

2024-01-15 16:50:55 +01:00 · 2024-01-15 16:50:55 +01:00 · 45b5582559
parent a3436021ad
commit 45b5582559
16 changed files with 368 additions and 18 deletions
--- a/hosts/aurum/default.nix
+++ b/hosts/aurum/default.nix
@ -0,0 +1,31 @@
+{pkgs, ...}: {
+  imports = [
+    ./system
+  ];
+
+  # shorter timeout for systemd services
+  systemd.extraConfig = ''
+    DefaultTimeoutStopSec=10s
+  '';
+
+  services.dbus.enable = true;
+  xdg.portal = {
+    enable = true;
+    wlr.enable = true;
+
+    config = {
+      common.default = ["wlr" "gtk"];
+      hyprland.default = ["hyprland"];
+    };
+    extraPortals = [
+      pkgs.xdg-desktop-portal-gtk
+      pkgs.xdg-desktop-portal-wlr
+      pkgs.xdg-desktop-portal-hyprland
+    ];
+  };
+
+  programs.zsh.enable = true;
+
+  # enable gnome virtual file system
+  services.gvfs.enable = true;
+}
--- a/hosts/aurum/system/audio/default.nix
+++ b/hosts/aurum/system/audio/default.nix
@ -0,0 +1,7 @@
+{...}: {
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+}
--- a/hosts/aurum/system/boot/default.nix
+++ b/hosts/aurum/system/boot/default.nix
@ -0,0 +1,24 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  # support for mounting windaube partitions
+  boot.supportedFilesystems = ["ntfs"];
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # clean /tmp at each boot
+  boot.tmp.cleanOnBoot = true;
+
+  # use latest kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # imports = [
+  #   ./lanzaboot.nix
+  # ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd" "v4l2loopback"];
+  boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
+}
--- a/hosts/aurum/system/boot/lanzaboot.nix
+++ b/hosts/aurum/system/boot/lanzaboot.nix
@ -0,0 +1,16 @@
+{lib, ...}: {
+  # This should already be here from switching to bootspec earlier.
+  # It's not required anymore, but also doesn't do any harm.
+  boot.bootspec.enable = true;
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}
--- a/hosts/aurum/system/default.nix
+++ b/hosts/aurum/system/default.nix
@ -0,0 +1,24 @@
+{...}: {
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  imports = [
+    ./audio
+    ./boot
+    ./disko
+    ./docker
+    ./fonts
+    ./hardware
+    ./i18n
+    # ./impermanence
+    ./networking
+    ./nix
+    ./security
+    ./users
+  ];
+}
--- a/hosts/aurum/system/disko/default.nix
+++ b/hosts/aurum/system/disko/default.nix
@ -0,0 +1,54 @@
+{...}: {
+  disko.devices = {
+    disk = {
+      nvme0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            esp = {
+              size = "512MiB";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                settings.allowDiscards = true;
+                passwordFile = "/tmp/secret.key";
+                content = {
+                  type = "btrfs";
+                  extraArgs = ["-f"];
+                  subvolumes = {
+                    "@persistent" = {
+                      mountpoint = "/persistent";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "@swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "10G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/aurum/system/docker/default.nix
+++ b/hosts/aurum/system/docker/default.nix
@ -0,0 +1,12 @@
+{...}: {
+  virtualisation.docker = {
+    enable = true;
+
+    storageDriver = "btrfs";
+    enableOnBoot = false;
+    autoPrune.enable = true;
+  };
+
+  # docker users
+  users.users.laurent.extraGroups = ["docker"];
+}
--- a/hosts/aurum/system/fonts/default.nix
+++ b/hosts/aurum/system/fonts/default.nix
@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  fonts.packages = with pkgs; [
+    # https://notofonts.github.io/
+    noto-fonts # standard characters
+    noto-fonts-lgc-plus # latin, greek, and cyrillic
+    noto-fonts-cjk # chinese, japanese, and korean
+    noto-fonts-emoji # emojis 🐢
+
+    # https://github.com/tonsky/FiraCode
+    fira-code # standard characters
+    fira-code-symbols # unicode ligature glyphs
+
+    # https://github.com/ryanoasis/nerd-fonts
+    (nerdfonts.override {fonts = ["FiraCode"];})
+  ];
+}
--- a/hosts/aurum/system/hardware/default.nix
+++ b/hosts/aurum/system/hardware/default.nix
@ -0,0 +1,31 @@
+{...}: {
+  # hardware
+  hardware = {
+    enableRedistributableFirmware = true;
+    opengl = {
+      enable = true;
+      driSupport = true;
+    };
+  };
+
+  # logind configuration
+  services.logind = {
+    lidSwitch = "ignore";
+    extraConfig = ''
+      HandlePowerKey=suspend
+    '';
+  };
+
+  # tlp, power management
+  services.tlp.enable = true;
+
+  # thermald, controls temperature
+  services.thermald.enable = true;
+
+  # bluetooth
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+
+  # backlight intensity
+  programs.light.enable = true;
+}
--- a/hosts/aurum/system/i18n/default.nix
+++ b/hosts/aurum/system/i18n/default.nix
@ -0,0 +1,10 @@
+{...}: {
+  # FRANCE 🇫🇷 🥖 🥐
+  time.timeZone = "Europe/Paris";
+
+  # azerty keyboard
+  console.keyMap = "fr";
+
+  # english ISO metric system
+  i18n.defaultLocale = "en_DK.UTF-8";
+}
--- a/hosts/aurum/system/impermanence/default.nix
+++ b/hosts/aurum/system/impermanence/default.nix
@ -0,0 +1,30 @@
+{...}: {
+  environment.persistence."/persistent" = {
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/etc/NetworkManager/system-connections"
+      "/etc/secureboot"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+    # TODO: move this into home config, when silicium has impermanence too
+    users.laurent = {
+      directories = [
+        "Documents"
+        ".librewolf"
+        ".thunderbird"
+        ".local/share/direnv"
+        ".local/share/keyrings"
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+      ];
+    };
+  };
+}
--- a/hosts/aurum/system/networking/default.nix
+++ b/hosts/aurum/system/networking/default.nix
@ -0,0 +1,18 @@
+{...}: {
+  networking = {
+    # the name of the machine
+    hostName = "aurum";
+
+    # domain name servers, use clouflare family
+    nameservers = ["1.1.1.2" "1.0.0.2"];
+
+    # use networkManager, see nmcli
+    networkmanager.enable = true;
+
+    # firewall
+    firewall.enable = true;
+
+    # https://github.com/StevenBlack/hosts
+    stevenblack.enable = true;
+  };
+}
--- a/hosts/aurum/system/nix/default.nix
+++ b/hosts/aurum/system/nix/default.nix
@ -0,0 +1,48 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  # restrict nix command to sudoers
+  nix.settings.allowed-users = ["root" "@wheel"];
+  nix.settings.trusted-users = ["root" "@wheel"];
+
+  # experimental features
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  # limit number of cores when building
+  nix.settings.max-jobs = 6;
+
+  # optimizations
+  nix.settings.auto-optimise-store = true;
+  nix.optimise = {
+    automatic = true;
+    dates = ["12:00"];
+  };
+
+  # garbage collection
+  nix.gc = {
+    automatic = true;
+    dates = "12:00";
+    options = "--delete-older-than 30d";
+  };
+
+  # pin nixpkgs registry
+  nix.registry.nixpkgs.flake = inputs.nixpkgs;
+
+  # list of allowed unfree packages
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "vscode"
+      "vscode-extension-github-copilot"
+      "vscode-extension-github-copilot-chat"
+      "vscode-extension-ms-vsliveshare-vsliveshare"
+    ];
+
+  # print diff between two generations
+  system.activationScripts.nvd-report-changes = ''
+    PATH=$PATH:${lib.makeBinPath [pkgs.nvd pkgs.nix]}
+    nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
+  '';
+}
--- a/hosts/aurum/system/security/default.nix
+++ b/hosts/aurum/system/security/default.nix
@ -0,0 +1,17 @@
+{...}: {
+  # enable polkit
+  security.polkit.enable = true;
+
+  # enable gpg agent
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryFlavor = "gnome3";
+  };
+
+  # secrets keyring
+  services.gnome.gnome-keyring.enable = true;
+
+  # allow swaylock to use pam
+  security.pam.services.swaylock = {};
+}
--- a/hosts/aurum/system/users/default.nix
+++ b/hosts/aurum/system/users/default.nix
@ -0,0 +1,14 @@
+{pkgs, ...}: {
+  # disable user creation/deletion
+  users.mutableUsers = false;
+
+  # configure users
+  users = {
+    users.laurent = {
+      isNormalUser = true;
+      initialPassword = "laurent";
+      extraGroups = ["wheel" "video"];
+      shell = pkgs.zsh;
+    };
+  };
+}
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -33,24 +33,22 @@ in {
    ];
  };

-  # # work laptop
-  # aurum = nixpkgs.lib.nixosSystem {
-  #   system = "x86_64-linux";
-  #   specialArgs = {
-  #     inherit inputs;
-  #   };
-  #   modules = [
-  #     ./aurum
-  #     inputs.home-manager.nixosModules.home-manager
-  #     inputs.agenix.nixosModules.default
-  #     # inputs.lanzaboote.nixosModules.lanzaboote
-  #     # inputs.nixos-hardware.nixosModules.common-cpu-amd
-  #     # inputs.nixos-hardware.nixosModules.common-gpu-nvidia-disable
-  #     # inputs.nixos-hardware.nixosModules.common-pc-laptop
-  #     # inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
-  #     {inherit home-manager;}
-  #   ];
-  # };
+  # work laptop
+  aurum = nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    specialArgs = {
+      inherit inputs;
+    };
+    modules = [
+      ./aurum
+      inputs.home-manager.nixosModules.home-manager
+      inputs.disko.nixosModules.default
+      # inputs.lanzaboote.nixosModules.lanzaboote
+      # inputs.impermanence.nixosModules.impermanence
+      # inputs.nixos-hardware.nixosModules.dell-xps-13-something
+      {inherit home-manager;}
+    ];
+  };

  # vps
  cesium = nixpkgs.lib.nixosSystem rec {