start modularising NixOS config for several hosts

First step in modularising the NixOS config, with a focus on separation of host-specific and common configs.
Common modules still need to be split up and refined, and several TODOs and FIXUPs remain in the code. But the config builds fine on thinknix.

Roughly based on/ inspired by https://johns.codes/blog/organizing-system-configs-with-nixos#using-nixos
This commit is contained in:
Trolli Schmittlauch 2024-01-09 23:48:38 +01:00
parent 0639633b0d
commit 993308a2d3
11 changed files with 239 additions and 159 deletions


@ -1,21 +1,14 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
{ config, pkgs, lib, inputs, ... }:
let
unstable = inputs.nixos-unstable;
localfork = import /home/spiollinux/src/nixpkgs { };
in
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./modules/packages.nix
./modules/nitrokey.nix
./packages.nix
./nitrokey.nix
];
services.davfs2.enable = true;
@ -23,45 +16,13 @@ in
# try newer kernels
#boot.kernelPackages = pkgs.linuxPackages_latest;
services.fstrim.enable = true;
services.btrfs.autoScrub =
{
enable = true;
fileSystems = [ "/" "/home" ];
};
# exfat support
#boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
zramSwap =
{
enable = true;
memoryPercent = 20;
};
boot.kernel.sysctl."vm.swappiness" = 9;
boot.loader.efi.canTouchEfiVariables = true;
# UEFI secure boot
environment.systemPackages = [
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
# make the boot look good
boot.plymouth.enable = true;
networking.hostName = "thinknix";
# configure console
console = {
font = "Lat2-Terminus16";
@ -102,6 +63,7 @@ in
# networking.firewall.allowedUDPPorts = [ ... ];
networking.firewall.allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
networking.firewall.allowedUDPPortRanges = [{ from = 1714; to = 1764; }]; # for KDE connect
# FIXME: kdeconnect module
# Or disable the firewall altogether.
# networking.firewall.enable = false;
@ -183,6 +145,7 @@ in
};
# FIXME: at some point, hide GUI and sound (desktop vs. server) behind an option
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "de";
@ -198,7 +161,7 @@ in
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# dconf required for several Gnome applications like Cawbird
# dconf required for several Gnome applications
programs.dconf.enable = true;
programs.firefox.enable = true; # enables support for automatically setting additionsl nativeMessagingHosts
@ -301,10 +264,5 @@ in
# stop NetworkManager from managing virtual interfaces
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
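Review bot: The `# FIXME: kdeconnect module` that the third hunk adds (line 76, inferred from the hunk counts) points at a fix that is one line away: `programs.kdeconnect.enable = true;` replaces both `networking.firewall.allowedTCPPortRanges` / `allowedUDPPortRanges` entries for 1714–1764 on lines 74–75, since the NixOS kdeconnect module opens that range itself (worth confirming against the module in the pinned nixpkgs). That also keeps the firewall exposure tied to the program that needs it instead of hard-coding a 51-port range in what is now the shared common module, which every host inherits whether or not it runs KDE Connect. The enclosing attribute set starts and ends outside that hunk.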


@ -74,6 +74,23 @@
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@ -136,7 +153,7 @@
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
@ -316,6 +333,7 @@
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"logseq-fix-nixpkgs": "logseq-fix-nixpkgs",
@ -323,7 +341,8 @@
"nixos-hardware": "nixos-hardware",
"nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs_2",
"nur": "nur"
"nur": "nur",
"utils": "utils"
}
},
"rust-overlay": {
@ -365,6 +384,54 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -14,6 +14,7 @@
url = "github:nix-community/lanzaboote/v0.3.0";
# deliberately do _not_ follow the nixpkgs input here, because paranoia and test coverage
};
utils.url = "github:numtide/flake-utils";
nur.url = "github:nix-community/NUR";
# TODO: possible make this a flake as well
@ -25,24 +26,27 @@
};
outputs =
{ self, nixpkgs, nur, lanzaboote, ... }@inputs:
{ self, nixpkgs, nur, lanzaboote, flake-utils, ... }@inputs:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
# FIXME: allow different systems
systems = flake-utils.lib.system;
# necessary to make the top-level inputs available to system configuration
defaultModules = [
{ _module.args = { inherit inputs; }; }
];
mkSystem = system: extraModules:
nixpkgs.lib.nixosSystem rec {
modules = defaultModules ++ extraModules;
inherit system;
};
in
{
nixosConfigurations.thinknix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./nixos/configuration.nix lanzaboote.nixosModules.lanzaboote ];
# necessary to make the top-level inputs available to system configuration
specialArgs = {
#TODO: for system, consider moving to flake-utils
inherit inputs system;
};
nixosConfigurations = {
thinknix = mkSystem systems.x86_64-linux [ ./hosts/thinknix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s lanzaboote.nixosModules.lanzaboote ];
framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix inputs.nixos-hardware.nixosModules.framework-13-7040-amd lanzaboote.nixosModules.lanzaboote ];
};
# FIXME: see mkHomemanager
homeConfigurations.spiollinux = inputs.home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
{
@ -58,8 +62,7 @@
# Optionally use extraSpecialArgs
# to pass through arguments to home.nix
extraSpecialArgs = {
#TODO: for system, consider moving to flake-utils
inherit inputs system;
inherit inputs;
};
};
};
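Review bot: The new input on line 217 is named `utils`, but the `outputs` destructuring on line 224 and `systems = flake-utils.lib.system` on line 229 use `flake-utils`, so `utils` is never read and only adds a second lock entry for numtide/flake-utils (the lock diff shows both `flake-utils` and `utils` under root). Either drop line 217 or, if the existing `flake-utils` input is not declared in flake.nix, rename it to `flake-utils.url = "github:numtide/flake-utils";` so the lock carries a single pinned copy. Separately, passing `inputs` through `_module.args` on line 232 instead of the old `specialArgs` means host modules can no longer reference `inputs` inside their `imports` lists without infinite recursion; the hosts now receive the nixos-hardware and lanzaboote modules via the mkSystem argument list on lines 250–251 presumably for that reason, and a comment on `defaultModules` saying so would stop the next contributor from reintroducing `inputs.x + "/path"` imports. Minor: `rec` on line 235 binds nothing that is referenced, and the `system` parameter of `mkSystem` shadows the `system` let-binding on line 226 that `pkgs` still uses.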


@ -0,0 +1,28 @@
{ config, lib, pkgs, inputs, ...}:
{
imports = [
../../common
./hardware-configuration.nix
./storage.nix
./swap.nix
# FIXME: move this to common, conditional enabling
./secureboot.nix
];
hardware.trackpoint = {
enable = true;
sensitivity = 180;
speed = 180;
};
networking.hostName = "thinknix";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
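Review bot: None of `config`, `lib`, `pkgs` or `inputs` from the module header on line 272 is used in this file, so `{ ... }:` would do; keeping `inputs` in the signature in particular invites using it inside `imports`, where it is not available once it is supplied through `_module.args` as flake.nix now does. The `# FIXME: move this to common, conditional enabling` on line 279 would be more actionable if it named the intended switch, e.g. `# FIXME: move to common behind an option such as my.secureboot.enable`. Note that `./secureboot.nix` only evaluates because the lanzaboote module is appended per host in flake.nix, which is worth a comment next to that import.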


@ -0,0 +1,20 @@
{ config, lib, pkgs, modulesPath, inputs, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [];
nix.settings.max-jobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# modesetting is always better than intel (legacy)
services.xserver.videoDrivers = [ "modesetting" ];
}
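Review bot: This file keeps the conventional hardware-configuration.nix name but has been hand-trimmed: the `fileSystems`, `boot.initrd.luks` and `swapDevices` entries that `nixos-generate-config` normally writes here now live in `./storage.nix` and `./swap.nix`. Re-running the generator and overwriting this file would re-add those definitions and conflict with the split-out modules, so a header comment is warranted, e.g. `# Hand-trimmed: filesystems, LUKS and swap are defined in ./storage.nix and ./swap.nix. Do not overwrite with nixos-generate-config output.`. The header on line 298 also lists `config`, `pkgs` and `inputs`, none of which the file uses.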


@ -0,0 +1,20 @@
{ config, lib, pkgs, inputs, ...}:
{
boot.loader.efi.canTouchEfiVariables = true;
# UEFI secure boot
environment.systemPackages = [
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}
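Review bot: `boot.lanzaboote` on line 328 is only a defined option when `lanzaboote.nixosModules.lanzaboote` is in the host's module list, which this commit does per host in flake.nix rather than here, and it cannot be imported from this file because `inputs` now arrives via `_module.args` and is unavailable in `imports`; that dependency should be documented at the top of the file, e.g. `# Requires lanzaboote.nixosModules.lanzaboote in the host's module list (see mkSystem in flake.nix); it cannot be imported here because inputs comes from _module.args.`. The `pkiBundle = "/etc/secureboot"` on line 330 is host-local signing-key state outside the repo, so enabling this module on a host that has not yet created and enrolled keys with sbctl will fail at build time or produce unbootable unsigned images — presumably the reason for the "conditional enabling" FIXME in the host's default.nix, and worth stating here. `config` and `inputs` in the header on line 316 are unused.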


@ -0,0 +1,67 @@
{ config, lib, pkgs, inputs, ...}:
let
fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ];
in
{
# encrypted partitions
boot.initrd.luks = {
devices =
# allow discards on all devices
builtins.mapAttrs (name: val: val // {allowDiscards = true;})
{
"system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef";
"cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa";
"ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1";
};
reusePassphrases = true;
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=nixos_root" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/DED9-661B";
fsType = "vfat";
options = [ "discard" ];
};
"/home" = {
device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=home" ];
};
"/var/tmp" = {
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=vartmp" ];
};
"/var/log" = {
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=varlog" ];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=varcache" ];
};
};
services.fstrim.enable = true;
services.btrfs.autoScrub = {
enable = true;
fileSystems = [ "/" "/home" ];
};
boot.tmp.useTmpfs = true;
fileSystems."/tmp".fsType = "tmpfs";
}
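Review bot: `allowDiscards = true` is applied to every LUKS device on line 346 with only `# allow discards on all devices` as explanation; passing TRIM through the dm-crypt layer is a deliberate confidentiality trade-off (it reveals which blocks of the encrypted volumes are unused), so the comment should record that it was accepted knowingly, e.g. `# allow discards on all devices: trades leaking the free-space layout of the encrypted volumes for SSD TRIM support`. Line 391 `boot.tmp.useTmpfs = true` already mounts /tmp as tmpfs as far as I recall, which would make line 392 redundant — worth checking before keeping both. Both settings are carried over from the deleted hardware-configuration.nix rather than newly introduced.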

12
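--- /dev/null
+++ b/hosts/thinknix/swap.nix
@@ -0,0 +1,12 @@
+{
+swapDevices = [
+{ device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; }
+];
+zramSwap = {
+enable = true;
+memoryPercent = 20;
+};
+boot.kernel.sysctl."vm.swappiness" = 9;
+}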


@ -1,95 +0,0 @@
{ config, lib, pkgs, modulesPath, inputs, ... }:
let
fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ];
in
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
(inputs.nixos-hardware + "/lenovo/thinkpad/t440s")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [];
# encrypted partitions
boot.initrd.luks =
{
devices =
# allow discards on all devices
builtins.mapAttrs (name: val: val // {allowDiscards = true;})
{
"system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef";
"cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa";
"ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1";
};
reusePassphrases = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=nixos_root" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/DED9-661B";
fsType = "vfat";
options = [ "discard" ];
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=home" ];
};
fileSystems."/var/tmp" =
{
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=vartmp" ];
};
fileSystems."/var/log" =
{
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=varlog" ];
};
fileSystems."/var/cache" =
{
device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
fsType = "btrfs";
options = fsOptions ++ [ "subvol=varcache" ];
};
boot.tmp.useTmpfs = true;
fileSystems."/tmp".fsType = "tmpfs";
swapDevices =
[
{ device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; }
];
nix.settings.max-jobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.trackpoint = {
enable = true;
sensitivity = 180;
speed = 180;
};
# modesetting is always better than intel (legacy)
services.xserver.videoDrivers = [ "modesetting" ];
}