diff --git a/flake.lock b/flake.lock
index a2f410e..4bab678 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,6 +67,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1752113600,
+ "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "79264292b7e3482e5702932949de9cbb69fedf6d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-registry": {
 "flake": false,
 "locked": {
@@ -225,6 +245,7 @@
 "inputs": {
 "agenix": "agenix",
 "devshell": "devshell",
+ "disko": "disko",
 "flake-registry": "flake-registry",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
diff --git a/flake.nix b/flake.nix
index 6ccece0..622f9f0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,10 @@
 inputs = {
 nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 flake-utils = {
 url = "github:numtide/flake-utils";
 inputs.systems.follows = "systems";
diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix
index 96364ff..7a0cd6c 100644
--- a/home/modules/zsh.nix
+++ b/home/modules/zsh.nix
@@ -34,7 +34,7 @@ in
 };
 plugins = [ ];
- initExtra = ''
+ initContent = ''
 source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
 source ${pkgs.fzf}/share/fzf/key-bindings.zsh
 source ${pkgs.fzf}/share/fzf/completion.zsh
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index adacb51..38c38da 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -1,6 +1,7 @@
 {
 self,
 agenix,
+ disko,
 home-manager,
 homepage,
 nixos-hardware,
@@ -31,6 +32,40 @@ let
 };
 in
 {
+ stolas =
+ let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit nixpkgs system;
+
+ extraModules = [
+ # TODO lanzaboote.nixosModules.lanzaboote
+ disko.nixosModules.disko
+ {
+ nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
+ dadada.pkgs = self.packages.${system};
+ dadada.inputs = inputs // {
+ dadada = self;
+ };
+ }
+ nixos-hardware.nixosModules.framework-amd-ai-300-series
+ home-manager.nixosModules.home-manager
+ (
+ { pkgs, ... }:
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
+ { dadada.home.helix.package = pkgs.helix; }
+ ];
+ home-manager.users.dadada = import ../home;
+ }
+ )
+ ./stolas
+ ];
+ };
+
 gorgon =
 let
 system = "x86_64-linux";
@@ -46,12 +81,10 @@ in
 dadada = self;
 };
 }
- nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
- home-manager.nixosModules.home-manager
 (
- { pkgs, lib, ... }:
+ { pkgs, ... }:
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index b681d72..0976788 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -13,8 +13,8 @@ in
 ./upgrade-pg-cluster.nix
 ];
- boot.tmp.useTmpfs = true;
- boot.tmp.tmpfsSize = "50%";
+ boot.tmp.useTmpfs = lib.mkDefault true;
+ boot.tmp.tmpfsSize = lib.mkDefault "50%";
 i18n.defaultLocale = mkDefault "en_US.UTF-8";
 console = mkDefault {
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index d9f0bde..8e0b52f 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -48,7 +48,7 @@ with lib;
 alsa.support32Bit = true;
 pulse.enable = true;
 };
- hardware.pulseaudio.enable = false;
+ services.pulseaudio.enable = false;
 dadada.backupClient.gs = {
 enable = true;
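Review bot: The new `stolas` entry repeats the `gorgon` entry's overlay, `dadada.pkgs`/`dadada.inputs` and home-manager wiring almost line for line, with only `./stolas`, the nixos-hardware module and the `dadada.home.helix.package` line differing, so the two hosts will drift apart on the next edit. A small `let` helper in this file that takes the host directory, the hardware module and the extra home-manager modules and returns the shared `extraModules` list would keep them in step. The `# TODO lanzaboote.nixosModules.lanzaboote` placeholder in `extraModules` should also say what blocks it, since `lanzaboote` does not appear among the flake inputs visible in this change.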
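Review bot: In the `gorgon` hunk (`@@ -46,12 +81,10 @@`) `home-manager.nixosModules.home-manager` is removed from `extraModules`, yet the module that follows `(` still sets `home-manager.useGlobalPkgs` and `home-manager.useUserPackages`; unless `nixosSystem` or an element of the list above the hunk (both outside this view) imports the home-manager NixOS module, `gorgon` will fail to evaluate with an undefined `home-manager.*` option, while the new `stolas` entry keeps that import explicitly. The lenovo nixos-hardware module is dropped in the same hunk with no replacement, which deserves a comment if intended. The `gorgon` attribute starts before and ends after this hunk.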
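Review bot: In `nixos/modules/profiles/base.nix` the two new lines use `lib.mkDefault` while the neighbouring context lines `i18n.defaultLocale = mkDefault "en_US.UTF-8";` and `console = mkDefault {` use the bare `mkDefault`, so the file already has it in scope. `boot.tmp.useTmpfs = mkDefault true;` and `boot.tmp.tmpfsSize = mkDefault "50%";` would follow the file's convention.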
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
new file mode 100644
index 0000000..04fd504
--- /dev/null
+++ b/nixos/stolas/default.nix
@@ -0,0 +1,190 @@
+{ config, lib, pkgs, ... }:
+{
+
+ imports = [
+ ../modules/profiles/laptop.nix
+ ./disks.nix
+ ];
+
+ boot = {
+ # TODO lanzaboote = {
+ # enable = true;
+ # pkiBundle = "/var/lib/sbctl";
+ #};
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "ehci_pci"
+ "xhci_pci"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ ];
+ # TODO disable for lanzaboote
+ systemd.enable = true;
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ #boot.loader.systemd-boot.enable = lib.mkForce false;
+ luks.devices = {
+ root = {
+ # TODO
+ device = "/dev/disk/by-uuid/todo";
+ allowDiscards = true;
+ # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
+ #crypttabExtraOpts = [ "fido2-device=auto" ];
+ };
+ };
+ };
+ };
+
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ hardware = {
+ # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
+ bluetooth.enable = true;
+ framework.laptop13.audioEnhancement.enable = true;
+ graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "schedutil";
+ # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod?
+ powerUpCommands = ''
+ echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
+ '';
+ };
+
+ networking = {
+ hostName = "stolas";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22000 # Syncthing
+ ];
+ allowedUDPPorts = [
+ 21027 # Syncthing
+ ];
+ };
+ };
+
+ nix = {
+ settings.max-jobs = lib.mkDefault 16;
+ };
+
+ # TODO dadada.backupClient.backup1.enable = true;
+ # dadada.backupClient.backup2 = {
+ # enable = true;
+ # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
+ # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
+ # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
+ # };
+
+ programs = {
+ adb.enable = true;
+ firefox = {
+ enable = true;
+ package = pkgs.firefox-wayland;
+ };
+ gnupg.agent.enable = true;
+ ssh.startAgent = true;
+ wireshark.enable = true;
+ };
+
+ services = {
+ avahi.enable = true;
+ desktopManager.plasma6.enable = true;
+ displayManager = {
+ sddm.enable = true;
+ sddm.wayland.enable = true;
+ };
+ gnome.gnome-keyring.enable = lib.mkForce false;
+ smartd.enable = true;
+ printing = {
+ enable = true;
+ browsing = true;
+ };
+ paperless = {
+ # TODO migrate DB
+ enable = true;
+ passwordFile = config.age.secrets.paperless.path;
+ };
+ tlp.enable = false;
+ };
+
+ system = {
+ stateVersion = "25.05";
+ };
+
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.paperless;
+ in
+ [
+ (
+ if cfg.consumptionDirIsPublic then
+ "d '${cfg.consumptionDir}' 777 - - - -"
+ else
+ "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+ )
+ ];
+
+ systemd.services = {
+ modem-manager.enable = lib.mkForce false;
+ "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
+ };
+
+ systemd.sleep.extraConfig = ''
+ HibernateDelaySec=1h
+ '';
+
+ virtualisation.libvirtd.enable = true;
+
+ users = {
+ users = {
+ dadada = {
+ initialHashedPassword =
"$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA";
+ isNormalUser = true;
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "libvirtd"
+ "adbusers"
+ "kvm"
+ "video"
+ "scanner"
+ "lp"
+ "docker"
+ "dialout"
+ "wireshark"
+ "paperless"
+ ];
+ shell = "/run/current-system/sw/bin/zsh";
+ };
+ };
+ };
+
+ age.secrets = {
+ paperless = {
+ file = "${config.dadada.secrets.path}/paperless.age";
+ mode = "700";
+ owner = "paperless";
+ };
+ };
+
+ # Create compressing swap space in RAM
+ zramSwap.enable = true;
+}
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix
new file mode 100644
index 0000000..6b07f9b
--- /dev/null
+++ b/nixos/stolas/disks.nix
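Review bot: `boot.initrd.luks.devices.root.device` in `nixos/stolas/default.nix` is the placeholder `"/dev/disk/by-uuid/todo"`, and since `./disks.nix` is imported and declares the LUKS container as `name = "crypted"`, disko presumably already generates the initrd LUKS entry, so this `root` block would add a second device on a path that never appears and stall the initrd waiting for it — drop the block or give it the real UUID. The same placeholder is committed as `device = "/dev/disk/by-uuid/TODO"` for disk `main` in `nixos/stolas/disks.nix`. `age.secrets.paperless.mode = "700"` also sets the execute bit on a secret file; `mode = "0400";` (agenix's default) is all the `paperless` owner needs to read it. `initialHashedPassword` commits a password hash to the repository, where it is exposed to offline guessing if the repository is public; `hashedPasswordFile` pointing at an age secret keeps it out of the tree.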
@@ -0,0 +1,99 @@
+{
+ disko.devices = {
+ nodev."/nix/var/nix/builds" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=80%"
+ "defaults"
+ "mode=755"
+ ];
+ };
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-uuid/TODO";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ # TODO tmpfs for nix/var/nix/builds
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ #passwordFile = "/tmp/secret.key"; # Interactive
+ settings = {
+ allowDiscards = true;
+ #keyFile = "/tmp/secret.key";
+ };
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/dadada" = {
+ mountpoint = "/home/dadada";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/var" = {
+ mountpoint = "/var";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/paperless" = {
+ mountpoint = "/var/lib/paperless";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "64G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
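Review bot: The comment `# TODO tmpfs for nix/var/nix/builds` above the `luks` partition is stale, because the `nodev."/nix/var/nix/builds"` tmpfs entry at the top of this same file already declares exactly that mount; remove it or reword it to whatever is still open. The `"/swap"` subvolume provides a 64G btrfs swapfile while `default.nix` configures `HibernateDelaySec=1h`, and hibernating to a swapfile on btrfs needs `boot.resumeDevice` plus a `resume_offset` kernel parameter that nothing in this change sets — confirm disko emits them or add them, otherwise suspend-then-hibernate will fail at the resume step. The `/` and `/home/dadada` subvolumes use `relatime` while every other subvolume uses `noatime`; if that is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.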