Commit b5b5dc2922a6
Changed files (18)
lib/default.nix
@@ -55,7 +55,7 @@
system = system;
modules = [
inputs.agenix.nixosModules.default
- # inputs.lanzaboote.nixosModules.lanzaboote
+ inputs.lanzaboote.nixosModules.lanzaboote
homeInput.nixosModules.home-manager
../systems
];
systems/common/base/boot.nix
@@ -0,0 +1,15 @@
+_: {
+ boot = {
+ initrd.systemd.enable = true;
+
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+}
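Review bot: The two `kernel.sysctl` entries turn every host built from this base module into a packet forwarder, including laptops, and nothing in the file says which consumer (containers, a VPN, a hypervisor) needs it. Forwarding belongs next to that consumer, or at least must stay overridable per host: take `lib` instead of `_` and write `"net.ipv4.ip_forward" = lib.mkDefault 1;` (and the same for the IPv6 line), with a comment naming what depends on it. Note that setting `net.ipv6.conf.all.forwarding` also changes how the host treats router advertisements on its interfaces, which presumably matters on mobile hosts — worth confirming.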
systems/common/base/console.nix
@@ -0,0 +1,10 @@
+{ pkgs
+, ...
+}:
+{
+ console = {
+ earlySetup = true;
+ keyMap = "fr-bepo";
+ font = "Lat2-Terminus16";
+ };
+}
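Review bot: `pkgs` is bound in the module arguments but never referenced in the body, while the sibling base modules in this commit (boot.nix, locale.nix, hardware.nix) use `_:` for the same situation. Replace the three-line argument pattern with `_: {` to keep the base modules consistent and avoid an unused binding.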
systems/common/base/default.nix
@@ -0,0 +1,71 @@
+{ hostname
+, config
+, pkgs
+, lib
+, ...
+}:
+{
+ imports = [
+ ./boot.nix
+ ./console.nix
+ ./hardware.nix
+ ./locale.nix
+ ./nh.nix
+
+ # All my machine have this running
+ ../services/avahi.nix
+ ../services/openssh.nix
+ # ../services/wireguard.nix # or netbird
+ ];
+
+ networking = {
+ hostName = hostname;
+ useDHCP = lib.mkDefault true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ age
+ agenix
+ binutils
+ curl
+ file
+ htop
+ iotop
+ killall
+ lsof
+ netcat
+ pciutils
+ psmisc
+ pv
+ rsync
+ tpm2-tss
+ traceroute
+ tree
+ usbutils
+ vim
+ wget
+ ];
+
+ programs = {
+ zsh.enable = true;
+ };
+
+ services = {
+ # Only keep the last 500MiB of systemd journal.
+ journald.extraConfig = "SystemMaxUse=500M";
+ };
+
+ security = {
+ polkit.enable = true;
+ rtkit.enable = true;
+ };
+
+ # Clear out /tmp after a fortnight and give all normal users a ~/tmp
+ # cleaned out weekly.
+ systemd.tmpfiles.rules = [ "d /tmp 1777 root root 14d" ] ++
+ (
+ let mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
+ in lib.mapAttrsToList mkTmpDir (lib.filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
+ );
+
+}
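Review bot: The tmpfiles expression reads `config.users.extraUsers`, which is the legacy alias of `config.users.users`; use `config.users.users` so the rule does not depend on the alias surviving. Separately, `security.rtkit.enable = true` sits in the base module that every host imports, although rtkit is only useful where audio or other realtime clients run — it would fit the desktop module better, or deserves a comment such as `# rtkit: needed on headless hosts too? (currently enabled everywhere)`.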
systems/common/base/hardware.nix
@@ -0,0 +1,1 @@
+_: { hardware.enableRedistributableFirmware = true; }
systems/common/base/locale.nix
@@ -0,0 +1,18 @@
+_: {
+ time.timeZone = "Europe/Paris";
+
+ i18n = {
+ defaultLocale = "en_GB.utf8";
+ extraLocaleSettings = {
+ LC_ADDRESS = "en_GB.utf8";
+ LC_IDENTIFICATION = "en_GB.utf8";
+ LC_MEASUREMENT = "en_GB.utf8";
+ LC_MONETARY = "en_GB.utf8";
+ LC_NAME = "en_GB.utf8";
+ LC_NUMERIC = "en_GB.utf8";
+ LC_PAPER = "en_GB.utf8";
+ LC_TELEPHONE = "en_GB.utf8";
+ LC_TIME = "en_GB.utf8";
+ };
+ };
+}
systems/common/base/nh.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ programs.nh = {
+ enable = true;
+ package = pkgs.nh;
+ flake = "/home/vincent/src/home";
+ clean = {
+ enable = true;
+ extraArgs = "--keep-since 15d --keep 3";
+ };
+ };
+}
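Review bot: `flake = "/home/vincent/src/home"` hard-codes a single user's home directory into a module under `common/base`, so every host (including ones where that user or path does not exist) gets an `nh` configuration pointing at it. Pass the flake path in as a module argument, or derive it from `config.users.users.<name>.home` with a comment, rather than embedding the absolute path. `package = pkgs.nh;` is presumably the option's default and can be dropped unless a pinned build is intended.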
systems/common/desktop/binfmt.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+ boot = {
+ binfmt.registrations = {
+ s390x-linux = {
+ # interpreter = getEmulator "s390x-linux";
+ interpreter = "${pkgs.qemu}/bin/qemu-s390x";
+ magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
+ };
+ };
+ binfmt.emulatedSystems = [
+ "armv6l-linux"
+ "armv7l-linux"
+ "aarch64-linux"
+ "powerpc64le-linux"
+ ];
+ };
+}
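Review bot: The hand-written `s390x-linux` registration duplicates what `boot.binfmt.emulatedSystems` already generates for the other architectures, and the commented `getEmulator` line suggests that was the original intent. If the nixpkgs binfmt table covers s390x-linux (it should carry the same magic/mask as the literal strings here), add `"s390x-linux"` to `emulatedSystems` and delete the manual `registrations` block so the magic bytes are not maintained by hand. A short comment stating that these emulators make foreign-arch ELF binaries executable transparently for every user on the host would also help readers understand the scope of the change.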
systems/common/desktop/default.nix
@@ -0,0 +1,43 @@
+{ desktop
+, pkgs
+, self
+, ...
+}:
+{
+ imports = [
+ # (./. + "/${desktop}.nix")
+
+ ./binfmt.nix
+ # ../hardware/yubikey.nix
+ # ../services/pipewire.nixt
+ # ../virt
+ ];
+ # Enable Plymouth and surpress some logs by default.
+ boot = {
+ plymouth.enable = true;
+ kernelParams = [
+ # The 'splash' arg is included by the plymouth option
+ "quiet"
+ "loglevel=3"
+ "rd.udev.log_priority=3"
+ "vt.global_cursor_default=0"
+ ];
+ };
+
+ hardware.graphics.enable = true;
+
+ # Enable location services
+ location.provider = "geoclue2";
+
+ environment.systemPackages = with pkgs; [
+ bat # cat
+ cyme # lsusb
+ dig
+ eza # ls
+ fd # find
+ duf # df
+ ripgrep
+ ];
+
+ services.power-profiles-daemon.enable = true;
+}
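Review bot: `self` and `desktop` are bound in the module arguments but never used — `desktop` only appears in the commented-out `(./. + "/${desktop}.nix")` import — so either drop them or uncomment the per-desktop import the file seems to be built around. The commented import path `../services/pipewire.nixt` has a typo (`.nixt`) that will only surface when the line is re-enabled; fix it to `../services/pipewire.nix` now.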
systems/common/hardware/acpid.nix
@@ -0,0 +1,5 @@
+_: {
+ services.acpid = {
+ enable = true;
+ };
+}
systems/common/hardware/bluetooth.nix
@@ -0,0 +1,14 @@
+{ pkgs, desktop, ... }:
+{
+ hardware.bluetooth = {
+ enable = true;
+ package = pkgs.bluez;
+ settings = {
+ General = {
+ Experimental = true;
+ KernelExperimental = true;
+ };
+ };
+ };
+ environment.systemPackages = if (builtins.isString desktop) then [ pkgs.blueberry ] else [ ];
+}
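Review bot: `General.Experimental = true` and `KernelExperimental = true` enable bluez's experimental D-Bus interfaces and kernel features on every host that imports this module, with no comment saying which feature requires them. Experimental interfaces widen the surface exposed to local clients, so either name the motivating feature in a comment (for example `# Experimental: needed for battery reporting over GATT — confirm`) or leave them at their defaults until a host needs them.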
systems/common/services/avahi.nix
@@ -0,0 +1,18 @@
+{ desktop, ... }:
+{
+ services = {
+ avahi = {
+ enable = true;
+ openFirewall = true;
+ nssmdns4 = true;
+ ipv4 = true;
+ ipv6 = true;
+ publish = {
+ enable = true;
+ userServices = true;
+ addresses = true;
+ workstation = if (builtins.isString desktop) then true else false;
+ };
+ };
+ };
+}
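Review bot: This module is imported by `common/base`, so every host publishes its addresses and any user-registered services over mDNS (`publish.addresses`, `publish.userServices`) and opens the firewall for it on every network it joins; that is reasonable on a LAN but not obviously intended for laptops on untrusted networks. Consider `lib.mkDefault` on the `publish` values so hosts can opt out, or move publishing to the desktop module. As a style point, `workstation = if (builtins.isString desktop) then true else false;` is just `workstation = builtins.isString desktop;`.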
systems/common/services/openssh.nix
@@ -0,0 +1,18 @@
+_: {
+ services = {
+ openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ # FIXME: enable this
+ # PasswordAuthentication = false;
+ # PermitRootLogin = "no"
+ };
+ extraConfig =
+ ''
+ StreamLocalBindUnlink yes
+ '';
+ };
+ sshguard.enable = true;
+ };
+}
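Review bot: `settings` is left empty under a FIXME, so with `openFirewall = true` every host exposes sshd with NixOS defaults, which keep password authentication enabled; sshguard rate-limits guesses but does not replace disabling them. Fill in the block now: `PasswordAuthentication = false;`, `KbdInteractiveAuthentication = false;`, `PermitRootLogin = "no";` (the commented `PermitRootLogin` line is also missing its trailing semicolon). If some host still needs passwords during bootstrap, wrap those values in `lib.mkDefault` instead of leaving the whole block commented.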
systems/kyushu/boot.nix
@@ -0,0 +1,51 @@
+{ pkgs, lib, ... }:
+{
+ boot = {
+ # Secure boot configuration
+ bootspec.enable = true;
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
+ initrd = { };
+
+ # extraModprobeConfig = ''
+ # options snd_hda_intel power_save=1
+ # '';
+
+ blacklistedKernelModules = [
+ "sierra_net" # sierra wireless modules
+ "cdc_mbim" # modem mobile broadband modules
+ "cdc_ncm" # similar
+ ];
+ kernelModules = [
+ "ahci" # sata controller, might not be needed
+ "nvme" # required for nvme disks
+ "thunderbolt" # required for thunderbolt (dock, …)
+ # from thinkpad x1 gen 9
+ "dm-mod"
+ "cryptd" # required for encryption
+ "xhci_pci" # usb controller related
+ "usb_storage" # usb storage related
+ "sd_mod" # block device related
+ "sdhci_pci" # block device related as well
+ "aesni-intel" # advanced encryption for intel
+ "kvm_intel"
+ ];
+
+ kernelParams = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ # "i915.enable_rc6=1"
+ # "i915.enable_fbc=1"
+ # "i915.lvds_use_ssc=0"
+ # "drm.debug=0"
+ # "drm.vblankoffdelay=1"
+ "kvm_intel.nested=1"
+ "intel_iommu=on"
+ ];
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+}
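Review bot: `initrd = { };` is a no-op and can go. The `kernelModules` list (`dm-mod`, `cryptd`, `xhci_pci`, `usb_storage`, `sd_mod`, `sdhci_pci`, `aesni-intel`, with the "from thinkpad x1 gen 9" comment) looks like a copied `boot.initrd.availableKernelModules` set; under `boot.kernelModules` these load only after the root filesystem is mounted, which is too late for unlocking a LUKS root from a USB keyfile as disks.nix does. If they are meant for early boot, move them to `boot.initrd.availableKernelModules` — the nixos-hardware profile imported in hardware.nix may already supply some of them, so check for overlap.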
systems/kyushu/disks.nix
@@ -0,0 +1,69 @@
+{ lib
+, disks ? [
+ "/dev/nvme0n1"
+ ]
+, ...
+}:
+{
+
+ boot.initrd.luks.devices."root" = {
+ # FIXME setup this
+ # TODO: Remove this "device" attr if/when machine is reinstalled.
+ # This is a workaround for the legacy -> gpt tables disko format.
+ # device = lib.mkForce "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a";
+ preLVM = true;
+ allowDiscards = true;
+ keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
+ keyFileOffset = 30992883712;
+ keyFileSize = 4096;
+ # fallbackToPassword = lib.mkForce true;
+ };
+
+ # TODO: Remove this if/when machine is reinstalled.
+ # This is a workaround for the legacy -> gpt tables disko format.
+ fileSystems."/boot".device = lib.mkForce "/dev/disk/by-partlabel/ESP";
+
+ disko.devices = {
+ disk = {
+ # 512GB root/boot drive. Configured with:
+ # - A FAT32 ESP partition for systemd-boot
+ # - A LUKS container which contains an EXT4 filesystem
+ nvme0 = {
+ device = "/dev/nvme0n1";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ start = "0%";
+ size = "512MiB";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ # mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ start = "512MiB";
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "root";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/secret.key";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "noatime" "nodiratime" "discard" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
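Review bot: The ESP is mounted without the commented `mountOptions = [ "umask=0077" ];`, so `/boot` (kernels, initrds, the bootloader's random-seed file) is world-readable; uncomment it, since `fileSystems."/boot".device` being forced does not remove the mount options disko generates. The `disks` parameter is never used — `device = "/dev/nvme0n1";` is a literal — so either write `device = builtins.head disks;` or drop the parameter. `passwordFile = "/tmp/secret.key"` is only consumed by disko at install time; a one-line comment saying so would stop readers from assuming a key lives in `/tmp` on the running system, and the keyFile/offset/size options should be confirmed to behave as expected under the systemd initrd enabled in common/base/boot.nix.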
systems/kyushu/extra.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+
+ imports = [
+ # ../common/services/backup
+ ];
+ # services.pipewire…
+
+}
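Review bot: The module binds `pkgs` but contains only a commented import and a commented service, so it contributes nothing to the host yet; use `_:` for the argument or add the intended content. The `lib.optional (builtins.pathExists ...)` logic in systems/default.nix only needs this file to exist when it carries configuration, so it could also be deleted until then.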
systems/kyushu/hardware.nix
@@ -0,0 +1,16 @@
+{ inputs, lib, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ (import ./disks.nix { inherit lib; })
+
+ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-12th-gen
+
+ ../common/hardware/acpid.nix
+ ../common/hardware/bluetooth.nix
+ ];
+
+ hardware = {
+ # opengl.extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl intel-media-driver ];
+ };
+}
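Review bot: `(import ./disks.nix { inherit lib; })` calls the module function by hand, which bypasses the module system's argument passing and makes the module's `disks` parameter impossible to set from elsewhere (for example via `_module.args`). Since disks.nix accepts `...`, listing `./disks.nix` directly in `imports` should be sufficient and lets `lib` arrive the normal way. The empty `hardware = { };` attrset with only a commented line inside can be removed or the comment moved to the top level.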
systems/default.nix
@@ -17,7 +17,8 @@
./common/base
# ./common/users/${username}
]
- ++ lib.optional (builtins.pathExists (./. + "/${hostname}/extra.nix")) ./${hostname}/extra.nix;
+ ++ lib.optional (builtins.pathExists (./. + "/${hostname}/extra.nix")) ./${hostname}/extra.nix
+ ++ lib.optional (builtins.isString desktop) ./common/desktop;
nixpkgs = {
overlays = [
@@ -75,14 +76,20 @@
];
# See https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-use-xdg-base-directories
use-xdg-base-directories = true;
- extraOptions = ''
- connect-timeout = 20
- build-cores = 0
- keep-outputs = true
- keep-derivations = true
- builders-use-substitutes = true
- '';
};
+
+ extraOptions = ''
+ connect-timeout = 20
+ build-cores = 0
+ keep-outputs = true
+ keep-derivations = true
+ builders-use-substitutes = true
+ '';
+
+ # On laptops at least, make the daemon and builders low priority
+ # to have a responding system while building
+ daemonIOSchedClass = "idle";
+ daemonCPUSchedPolicy = "idle";
};
# `nix-daemon` will hit the stack limit when using `nixFlakes`.