

3 commits

8 changed files with 354 additions and 7 deletions

21
flake.lock generated

@ -67,6 +67,26 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752113600,
"narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=",
"owner": "nix-community",
"repo": "disko",
"rev": "79264292b7e3482e5702932949de9cbb69fedf6d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-registry": {
"flake": false,
"locked": {
@ -225,6 +245,7 @@
"inputs": {
"agenix": "agenix",
"devshell": "devshell",
"disko": "disko",
"flake-registry": "flake-registry",
"flake-utils": "flake-utils",
"home-manager": "home-manager",


@ -4,6 +4,10 @@
inputs = {
nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";


@ -34,7 +34,7 @@ in
};
plugins = [
];
initExtra = ''
initContent = ''
source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
source ${pkgs.fzf}/share/fzf/completion.zsh


@ -1,6 +1,7 @@
{
self,
agenix,
disko,
home-manager,
homepage,
nixos-hardware,
@ -31,6 +32,40 @@ let
};
in
{
stolas =
let
system = "x86_64-linux";
in
nixosSystem {
inherit nixpkgs system;
extraModules = [
# TODO lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
{
nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
dadada.pkgs = self.packages.${system};
dadada.inputs = inputs // {
dadada = self;
};
}
nixos-hardware.nixosModules.framework-amd-ai-300-series
home-manager.nixosModules.home-manager
(
{ pkgs, ... }:
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
{ dadada.home.helix.package = pkgs.helix; }
];
home-manager.users.dadada = import ../home;
}
)
./stolas
];
};
gorgon =
let
system = "x86_64-linux";
@ -46,12 +81,10 @@ in
dadada = self;
};
}
nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
home-manager.nixosModules.home-manager
(
{ pkgs, lib, ... }:
{ pkgs, ... }:
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
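Review bot: The new `stolas` entry repeats the home-manager wiring that `gorgon` already carries — `home-manager.nixosModules.home-manager`, the `{ pkgs, ... }:` module setting `useGlobalPkgs`, `useUserPackages`, `sharedModules` and `users.dadada` — verbatim, so the two hosts will drift apart on the next edit. Bind that module once in the enclosing `let` (e.g. `hmModule = { pkgs, ... }: { … };`) and list `hmModule` in both hosts' `extraModules`; the `nixpkgs.overlays` / `dadada.pkgs` / `dadada.inputs` module looks like a second candidate for the same treatment. The `let … in` that encloses both hosts starts before this hunk, and gorgon's module list continues past it, so I cannot see whether such a binding already exists.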


@ -13,8 +13,8 @@ in
./upgrade-pg-cluster.nix
];
boot.tmp.useTmpfs = true;
boot.tmp.tmpfsSize = "50%";
boot.tmp.useTmpfs = lib.mkDefault true;
boot.tmp.tmpfsSize = lib.mkDefault "50%";
i18n.defaultLocale = mkDefault "en_US.UTF-8";
console = mkDefault {
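Review bot: The two changed lines write `lib.mkDefault`, while the neighbouring `i18n.defaultLocale = mkDefault "en_US.UTF-8";` and `console = mkDefault {` use the bare name, which suggests `mkDefault` is already in scope (a `with lib;` or `inherit (lib) mkDefault;` outside the hunk that I cannot see). Keep one form within the file; `boot.tmp.useTmpfs = mkDefault true;` and `boot.tmp.tmpfsSize = mkDefault "50%";` would match the surrounding lines. The attribute set continues beyond the hunk.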


@ -48,7 +48,7 @@ with lib;
alsa.support32Bit = true;
pulse.enable = true;
};
hardware.pulseaudio.enable = false;
services.pulseaudio.enable = false;
dadada.backupClient.gs = {
enable = true;

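--- /dev/null
+++ b/nixos/stolas/default.nix
@@ -0,0 +1,190 @@
+{ config, lib, pkgs, ... }:
+{
+imports = [
+../modules/profiles/laptop.nix
+./disks.nix
+];
+boot = {
+# TODO lanzaboote = {
+# enable = true;
+# pkiBundle = "/var/lib/sbctl";
+#};
+kernelModules = [ "kvm-amd" ];
+extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+initrd = {
+availableKernelModules = [
+"nvme"
+"ehci_pci"
+"xhci_pci"
+"usb_storage"
+"sd_mod"
+"rtsx_pci_sdmmc"
+];
+# TODO disable for lanzaboote
+systemd.enable = true;
+# Lanzaboote currently replaces the systemd-boot module.
+# This setting is usually set to true in configuration.nix
+# generated at installation time. So we force it to false
+# for now.
+#boot.loader.systemd-boot.enable = lib.mkForce false;
+luks.devices = {
+root = {
+# TODO
+device = "/dev/disk/by-uuid/todo";
+allowDiscards = true;
+# TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
+#crypttabExtraOpts = [ "fido2-device=auto" ];
+};
+};
+};
+};
+environment.systemPackages = [
+# For debugging and troubleshooting Secure Boot.
+pkgs.sbctl
+];
+hardware = {
+# NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
+bluetooth.enable = true;
+framework.laptop13.audioEnhancement.enable = true;
+graphics = {
+enable = true;
+extraPackages = with pkgs; [
+vaapiVdpau
+libvdpau-va-gl
+];
+};
+};
+powerManagement = {
+enable = true;
+cpuFreqGovernor = "schedutil";
+# TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod?
+powerUpCommands = ''
+echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
+'';
+};
+networking = {
+hostName = "stolas";
+firewall = {
+enable = true;
+allowedTCPPorts = [
+22000 # Syncthing
+];
+allowedUDPPorts = [
+21027 # Syncthing
+];
+};
+};
+nix = {
+settings.max-jobs = lib.mkDefault 16;
+};
+# TODO dadada.backupClient.backup1.enable = true;
+# dadada.backupClient.backup2 = {
+# enable = true;
+# passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
+# sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
+# repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
+# };
+programs = {
+adb.enable = true;
+firefox = {
+enable = true;
+package = pkgs.firefox-wayland;
+};
+gnupg.agent.enable = true;
+ssh.startAgent = true;
+wireshark.enable = true;
+};
+services = {
+avahi.enable = true;
+desktopManager.plasma6.enable = true;
+displayManager = {
+sddm.enable = true;
+sddm.wayland.enable = true;
+};
+gnome.gnome-keyring.enable = lib.mkForce false;
+smartd.enable = true;
+printing = {
+enable = true;
+browsing = true;
+};
+paperless = {
+# TODO migrate DB
+enable = true;
+passwordFile = config.age.secrets.paperless.path;
+};
+tlp.enable = false;
+};
+system = {
+stateVersion = "25.05";
+};
+systemd.tmpfiles.rules =
+let
+cfg = config.services.paperless;
+in
+[
+(
+if cfg.consumptionDirIsPublic then
+"d '${cfg.consumptionDir}' 777 - - - -"
+else
+"d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+)
+];
+systemd.services = {
+modem-manager.enable = lib.mkForce false;
+"dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
+};
+systemd.sleep.extraConfig = ''
+HibernateDelaySec=1h
+'';
+virtualisation.libvirtd.enable = true;
+users = {
+users = {
+dadada = {
+initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA";
+isNormalUser = true;
+extraGroups = [
+"wheel"
+"networkmanager"
+"libvirtd"
+"adbusers"
+"kvm"
+"video"
+"scanner"
+"lp"
+"docker"
+"dialout"
+"wireshark"
+"paperless"
+];
+shell = "/run/current-system/sw/bin/zsh";
+};
+};
+};
+age.secrets = {
+paperless = {
+file = "${config.dadada.secrets.path}/paperless.age";
+mode = "700";
+owner = "paperless";
+};
+};
+# Create compressing swap space in RAM
+zramSwap.enable = true;
+}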
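Review bot: `boot.initrd.luks.devices.root.device = "/dev/disk/by-uuid/todo"` declares a LUKS device that cannot exist, so the initrd will sit waiting for a device node that never appears; the module still evaluates, which is why nothing catches this at build time. The companion disks.nix in this same change already describes the LUKS container (`name = "crypted"`, `settings.allowDiscards = true`), and disko derives the initrd `luks.devices` entry from that as far as I know — so the `root` entry here is most likely a duplicate under a second name rather than a placeholder that still needs filling in, and I would drop the whole `luks.devices` block (moving the TPM2/FIDO2 TODO comment next to the disko definition) or, if it is meant to stay, put the real UUID in before this host is deployed. Separately, `systemd.sleep.extraConfig` sets `HibernateDelaySec=1h`, but nothing visible here points the kernel at the btrfs swapfile (`boot.resumeDevice` / `resume_offset`), so suspend-then-hibernate may fail to resume — worth confirming on the hardware.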

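--- /dev/null
+++ b/nixos/stolas/disks.nix
@@ -0,0 +1,99 @@
+{
+disko.devices = {
+nodev."/nix/var/nix/builds" = {
+fsType = "tmpfs";
+mountOptions = [
+"size=80%"
+"defaults"
+"mode=755"
+];
+};
+disk = {
+main = {
+type = "disk";
+device = "/dev/disk/by-uuid/TODO";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "1G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+# TODO tmpfs for nix/var/nix/builds
+luks = {
+size = "100%";
+content = {
+type = "luks";
+name = "crypted";
+#passwordFile = "/tmp/secret.key"; # Interactive
+settings = {
+allowDiscards = true;
+#keyFile = "/tmp/secret.key";
+};
+#additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+content = {
+type = "btrfs";
+extraArgs = [ "-f" ];
+subvolumes = {
+"/root" = {
+mountpoint = "/";
+mountOptions = [
+"compress=zstd"
+"relatime"
+];
+};
+"/home" = {
+mountpoint = "/home";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"/dadada" = {
+mountpoint = "/home/dadada";
+mountOptions = [
+"compress=zstd"
+"relatime"
+];
+};
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"/var" = {
+mountpoint = "/var";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"/paperless" = {
+mountpoint = "/var/lib/paperless";
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+};
+"/swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "64G";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}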
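Review bot: `device = "/dev/disk/by-uuid/TODO"` on `disk.main` is a placeholder, and even once filled in the `by-uuid` namespace is unlikely to be the right one: udev populates it from filesystem and LUKS UUIDs, not from whole-disk identifiers, so a bare disk normally has no entry there, and disko configurations typically point `device` at a `/dev/disk/by-id/…` node (constructed example) instead; since disko will run `extraArgs = [ "-f" ]` against whatever this resolves to, the path deserves to be correct before first use. The `# TODO tmpfs for nix/var/nix/builds` comment above the `luks` partition is already satisfied by the `nodev."/nix/var/nix/builds"` entry at the top of the file and can be deleted. The `mountOptions = [ "umask=0077" ]` on the ESP is a good call, since the unencrypted boot partition would otherwise be world-readable.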