From 0e9b76da4831dcc7ad23f2c93b39a91727ea74f0 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 20:36:26 +0200 Subject: [PATCH 1/3] fix: some deprecations --- home/modules/zsh.nix | 2 +- nixos/configurations.nix | 37 +++- nixos/modules/profiles/base.nix | 4 +- nixos/modules/profiles/laptop.nix | 2 +- nixos/stolas/default.nix | 297 ++++++++++++++++++++++++++++++ 5 files changed, 335 insertions(+), 7 deletions(-) create mode 100644 nixos/stolas/default.nix diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix index 96364ff..7a0cd6c 100644 --- a/home/modules/zsh.nix +++ b/home/modules/zsh.nix @@ -34,7 +34,7 @@ in }; plugins = [ ]; - initExtra = '' + initContent = '' source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh source ${pkgs.fzf}/share/fzf/key-bindings.zsh source ${pkgs.fzf}/share/fzf/completion.zsh diff --git a/nixos/configurations.nix b/nixos/configurations.nix index adacb51..14780f1 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -31,6 +31,39 @@ let }; in { + stolas = + let + system = "x86_64-linux"; + in + nixosSystem { + inherit nixpkgs system; + + extraModules = [ + # TODO lanzaboote.nixosModules.lanzaboote + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + dadada.inputs = inputs // { + dadada = self; + }; + } + nixos-hardware.nixosModules.framework-amd-ai-300-series + home-manager.nixosModules.home-manager + ( + { pkgs, ... }: + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + ]; + home-manager.users.dadada = import ../home; + } + ) + ./stolas + ]; + }; + gorgon = let system = "x86_64-linux"; 
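Review bot: The new `stolas` entry repeats the `gorgon` block almost line for line (the `let system = …` wrapper, the overlays/`dadada.pkgs`/`dadada.inputs` module and the home-manager wiring); as far as the visible part of `gorgon` shows, only the nixos-hardware module and the `./stolas` path differ. A small local helper, e.g. `mkHost = { hardware, dir }: nixosSystem { … }` called as `stolas = mkHost { hardware = nixos-hardware.nixosModules.framework-amd-ai-300-series; dir = ./stolas; };`, would keep the two hosts from drifting apart. The `gorgon` block continues past the end of this hunk.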
@@ -46,12 +79,10 @@ in dadada = self; }; } - nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 - home-manager.nixosModules.home-manager ( - { pkgs, lib, ... }: + { pkgs, ... }: { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index b681d72..0976788 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -13,8 +13,8 @@ in ./upgrade-pg-cluster.nix ]; - boot.tmp.useTmpfs = true; - boot.tmp.tmpfsSize = "50%"; + boot.tmp.useTmpfs = lib.mkDefault true; + boot.tmp.tmpfsSize = lib.mkDefault "50%"; i18n.defaultLocale = mkDefault "en_US.UTF-8"; console = mkDefault { diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix index d9f0bde..8e0b52f 100644 --- a/nixos/modules/profiles/laptop.nix +++ b/nixos/modules/profiles/laptop.nix @@ -48,7 +48,7 @@ with lib; alsa.support32Bit = true; pulse.enable = true; }; - hardware.pulseaudio.enable = false; + services.pulseaudio.enable = false; dadada.backupClient.gs = { enable = true; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix new file mode 100644 index 0000000..e526eff --- /dev/null +++ b/nixos/stolas/default.nix 
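Review bot: Dropping `nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1` and `home-manager.nixosModules.home-manager` from gorgon's `extraModules` is not a deprecation fix, and the `home-manager.useGlobalPkgs`/`useUserPackages` options that remain in this hunk only exist once the home-manager module is imported; unless `nixosSystem` (defined above, outside the hunk) adds these modules itself or the two lines were duplicated in the original, gorgon loses its hardware quirks and stops evaluating. The `stolas` entry added in the previous hunk lists both modules explicitly, so the two hosts are now wired differently; either both should rely on `nixosSystem` or both should list them. If the removal is intended, the commit message should say why.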
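Review bot: The new lines use `lib.mkDefault` while the surrounding file uses a bare `mkDefault` (see `i18n.defaultLocale = mkDefault …` in the trailing context), so the file now mixes two spellings of the same helper; `boot.tmp.useTmpfs = mkDefault true;` and `boot.tmp.tmpfsSize = mkDefault "50%";` would match. Whether `lib` is bound in this file's argument set is not visible in the hunk, so the bare form is also the one that is known to work here.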
@@ -0,0 +1,297 @@ +{ config, lib, pkgs, ... }: +{ + + imports = [ + ../modules/profiles/laptop.nix + ]; + + ### TODO double check with generated hw-config + + boot = { + # TODO lanzaboote = { + # enable = true; + # pkiBundle = "/var/lib/sbctl"; + #}; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; + initrd = { + availableKernelModules = [ + "nvme" + "ehci_pci" + "xhci_pci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + # TODO disable for lanzaboote + systemd.enable = true; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + #boot.loader.systemd-boot.enable = lib.mkForce false; + luks.devices = { + root = { + # TODO + device = "/dev/disk/by-uuid/todo"; + allowDiscards = true; + # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL + #crypttabExtraOpts = [ "fido2-device=auto" ]; + }; + }; + }; + }; + + environment.systemPackages = [ + # For debugging and troubleshooting Secure Boot. 
+ pkgs.sbctl + ]; + + # TODO compare with nixos-generate-config --show-hardware-config + fileSystems = { + "/boot" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "vfat"; + }; + + "/" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "subvol=root" + "compress=zstd" + ]; + }; + + "/home" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + options = [ + "compress=zstd" + "subvol=home" + ]; + }; + + "/home/dadada" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + options = [ + "compress=zstd" + "subvol=home/dadada" + ]; + }; + + "/nix" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "noatime" + "compress=zstd" + "subvol=nix" + ]; + }; + + "/nix/var/nix/builds" = { + device = "none"; + fsType = "tmpfs"; + options = [ + # Max 80% of available RAM + "size=80%" + # Only owner (nix daemon may write) + "mode=755" + ]; + }; + + "/root" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=root" + ]; + }; + + "/var" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=var" + ]; + }; + + "/var/lib/paperless" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=var/lib/paperless" + ]; + }; + + "/var/swap" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "noatime" + "subvol=swap" + ]; + }; + + # NOTE: /tmp is tmpfs because of config in base.nix + }; + + # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile + # swapDevices = [{ + # device = "/var/swap/swapfile"; + # size = 80*1024; # Creates an 80GB swap file + # }]; + + hardware = { + # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features + bluetooth.enable = true; + framework.laptop13.audioEnhancement.enable = true; + graphics = { + enable = true; + extraPackages = with 
pkgs; [ + vaapiVdpau + libvdpau-va-gl + ]; + }; + }; + + powerManagement = { + enable = true; + cpuFreqGovernor = "schedutil"; + # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod? + powerUpCommands = '' + echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold + ''; + }; + + networking = { + hostName = "stolas"; + firewall = { + enable = true; + allowedTCPPorts = [ + 22000 # Syncthing + ]; + allowedUDPPorts = [ + 21027 # Syncthing + ]; + }; + }; + + nix = { + settings.max-jobs = lib.mkDefault 16; + }; + + # TODO dadada.backupClient.backup1.enable = true; + # dadada.backupClient.backup2 = { + # enable = true; + # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; + # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; + # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup"; + # }; + + programs = { + adb.enable = true; + firefox = { + enable = true; + package = pkgs.firefox-wayland; + }; + gnupg.agent.enable = true; + ssh.startAgent = true; + wireshark.enable = true; + }; + + services = { + avahi.enable = true; + desktopManager.plasma6.enable = true; + displayManager = { + sddm.enable = true; + sddm.wayland.enable = true; + }; + gnome.gnome-keyring.enable = lib.mkForce false; + smartd.enable = true; + printing = { + enable = true; + browsing = true; + }; + paperless = { + # TODO migrate DB + enable = true; + passwordFile = config.age.secrets.paperless.path; + }; + tlp.enable = false; + }; + + system = { + stateVersion = "25.05"; + }; + + systemd.tmpfiles.rules = + let + cfg = config.services.paperless; + in + [ + ( + if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; + + systemd.services = { + modem-manager.enable = lib.mkForce false; + 
"dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; + }; + + systemd.sleep.extraConfig = '' + HibernateDelaySec=1h + ''; + + virtualisation.libvirtd.enable = true; + + users = { + users = { + dadada = { + isNormalUser = true; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "adbusers" + "kvm" + "video" + "scanner" + "lp" + "docker" + "dialout" + "wireshark" + "paperless" + ]; + shell = "/run/current-system/sw/bin/zsh"; + }; + }; + }; + + age.secrets = { + paperless = { + file = "${config.dadada.secrets.path}/paperless.age"; + mode = "700"; + owner = "paperless"; + }; + }; + + # Create compressing swap space in RAM + zramSwap.enable = true; +} From 0b08beee355add707010e684267bdf77bc2dc834 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 20:41:06 +0200 Subject: [PATCH 2/3] feat(stolas): set initial hashed password --- nixos/stolas/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index e526eff..56b3bcb 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -264,6 +264,7 @@ users = { users = { dadada = { + initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA"; isNormalUser = true; extraGroups = [ "wheel" From e58a47af3f383f6358309f80aae39b9a8ad86e77 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 21:53:21 +0200 Subject: [PATCH 3/3] feat(stolas): disko for disk setup --- flake.lock | 21 ++++++++ flake.nix | 4 ++ nixos/configurations.nix | 2 + nixos/stolas/default.nix | 110 +-------------------------------------- nixos/stolas/disks.nix | 99 +++++++++++++++++++++++++++++++++++ 5 files changed, 127 insertions(+), 109 deletions(-) create mode 100644 nixos/stolas/disks.nix diff --git a/flake.lock b/flake.lock index a2f410e..4bab678 100644 --- a/flake.lock +++ b/flake.lock 
@@ -67,6 +67,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752113600, + "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=", + "owner": "nix-community", + "repo": "disko", + "rev": "79264292b7e3482e5702932949de9cbb69fedf6d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -225,6 +245,7 @@ "inputs": { "agenix": "agenix", "devshell": "devshell", + "disko": "disko", "flake-registry": "flake-registry", "flake-utils": "flake-utils", "home-manager": "home-manager", diff --git a/flake.nix b/flake.nix index 6ccece0..622f9f0 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,10 @@ inputs = { nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 14780f1..38c38da 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -1,6 +1,7 @@ { self, agenix, + disko, home-manager, homepage, nixos-hardware, @@ -40,6 +41,7 @@ in extraModules = [ # TODO lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko { nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; dadada.pkgs = self.packages.${system}; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 56b3bcb..04fd504 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -3,10 +3,9 @@ imports = [ ../modules/profiles/laptop.nix + ./disks.nix ]; - ### TODO double check with generated hw-config - boot = { # TODO lanzaboote = { # enable = true; 
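Review bot: Importing `./disks.nix` makes disko the owner of the LUKS container (`name = "crypted"` there, with `allowDiscards` already in its `settings`), but the `boot.initrd.luks.devices.root` block with `device = "/dev/disk/by-uuid/todo"` that follows this hunk's trailing context inside `boot = {` is not touched by this patch as far as I can see; if it survives, the initrd will wait for a device that never appears next to the entry disko derives from `disks.nix`. Either remove that block or move its TPM2/FIDO2 TODOs into the `settings` of the luks partition in `disks.nix`. The `boot` attribute set starts in this hunk's context and ends outside it.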
@@ -47,113 +46,6 @@ pkgs.sbctl ]; - # TODO compare with nixos-generate-config --show-hardware-config - fileSystems = { - "/boot" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "vfat"; - }; - - "/" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "subvol=root" - "compress=zstd" - ]; - }; - - "/home" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - options = [ - "compress=zstd" - "subvol=home" - ]; - }; - - "/home/dadada" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - options = [ - "compress=zstd" - "subvol=home/dadada" - ]; - }; - - "/nix" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "noatime" - "compress=zstd" - "subvol=nix" - ]; - }; - - "/nix/var/nix/builds" = { - device = "none"; - fsType = "tmpfs"; - options = [ - # Max 80% of available RAM - "size=80%" - # Only owner (nix daemon may write) - "mode=755" - ]; - }; - - "/root" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=root" - ]; - }; - - "/var" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=var" - ]; - }; - - "/var/lib/paperless" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=var/lib/paperless" - ]; - }; - - "/var/swap" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "noatime" - "subvol=swap" - ]; - }; - - # NOTE: /tmp is tmpfs because of config in base.nix - }; - - # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile - # swapDevices = [{ - # device = "/var/swap/swapfile"; - # size = 80*1024; # Creates an 80GB swap file - # }]; - hardware = { # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; 
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix
new file mode 100644
index 0000000..6b07f9b
--- /dev/null
+++ b/nixos/stolas/disks.nix
@@ -0,0 +1,99 @@
+{
+ disko.devices = {
+ nodev."/nix/var/nix/builds" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=80%"
+ "defaults"
+ "mode=755"
+ ];
+ };
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-uuid/TODO";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ # TODO tmpfs for nix/var/nix/builds
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ #passwordFile = "/tmp/secret.key"; # Interactive
+ settings = {
+ allowDiscards = true;
+ #keyFile = "/tmp/secret.key";
+ };
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/dadada" = {
+ mountpoint = "/home/dadada";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/var" = {
+ mountpoint = "/var";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/paperless" = {
+ mountpoint = "/var/lib/paperless";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "64G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
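Review bot: `device = "/dev/disk/by-uuid/TODO"` for `disk.main` points into a namespace that names a filesystem or LUKS header, not a whole disk; once disko writes the GPT declared here, the whole device carries no filesystem UUID, so the value that replaces the placeholder should be a stable whole-disk path such as `/dev/disk/by-id/nvme-<serial>` (placeholder). The `# TODO tmpfs for nix/var/nix/builds` comment above `luks` is already satisfied by the `nodev."/nix/var/nix/builds"` entry at the top of the file and can be removed. The atime options differ between subvolumes (`relatime` on `/root` and `/dadada`, `noatime` elsewhere) without a comment saying why; a one-line note next to the `/root` entry would stop the next reader from "fixing" it.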