diff --git a/nixos/configuration.nix b/common/default.nix similarity index 82% rename from nixos/configuration.nix rename to common/default.nix index 999c472..2fdf524 100644 --- a/nixos/configuration.nix +++ b/common/default.nix @@ -1,21 +1,14 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running `nixos-help`). - { config, pkgs, lib, inputs, ... }: let unstable = inputs.nixos-unstable; - localfork = import /home/spiollinux/src/nixpkgs { }; in { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./modules/packages.nix - ./modules/nitrokey.nix + ./packages.nix + ./nitrokey.nix ]; services.davfs2.enable = true; @@ -23,45 +16,13 @@ in # try newer kernels #boot.kernelPackages = pkgs.linuxPackages_latest; - services.fstrim.enable = true; - services.btrfs.autoScrub = - { - enable = true; - fileSystems = [ "/" "/home" ]; - }; # exfat support #boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - zramSwap = - { - enable = true; - memoryPercent = 20; - }; - boot.kernel.sysctl."vm.swappiness" = 9; - - boot.loader.efi.canTouchEfiVariables = true; - - # UEFI secure boot - environment.systemPackages = [ - pkgs.sbctl - ]; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - # make the boot look good boot.plymouth.enable = true; - networking.hostName = "thinknix"; - # configure console console = { font = "Lat2-Terminus16"; 
@@ -102,6 +63,7 @@ in # networking.firewall.allowedUDPPorts = [ ... ]; networking.firewall.allowedTCPPortRanges = [{ from = 1714; to = 1764; }]; networking.firewall.allowedUDPPortRanges = [{ from = 1714; to = 1764; }]; # for KDE connect + # FIXME: kdeconnect module # Or disable the firewall altogether. # networking.firewall.enable = false; @@ -183,6 +145,7 @@ in }; + # FIXME: at some point, hide GUI and sound (desktop vs. server) behind an option # Enable the X11 windowing system. services.xserver.enable = true; services.xserver.layout = "de"; @@ -198,7 +161,7 @@ in services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5.enable = true; - # dconf required for several Gnome applications like Cawbird + # dconf required for several Gnome applications programs.dconf.enable = true; programs.firefox.enable = true; # enables support for automatically setting additionsl nativeMessagingHosts @@ -301,10 +264,5 @@ in # stop NetworkManager from managing virtual interfaces networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? } diff --git a/nixos/modules/nitrokey.nix b/common/nitrokey.nix similarity index 100% rename from nixos/modules/nitrokey.nix rename to common/nitrokey.nix diff --git a/nixos/modules/packages.nix b/common/packages.nix similarity index 100% rename from nixos/modules/packages.nix rename to common/packages.nix diff --git a/flake.lock b/flake.lock index 5523caf..5ab8624 100644 --- a/flake.lock +++ b/flake.lock 
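Review bot: The KDE Connect port range (1714–1764 TCP and UDP) now lives in common/default.nix and is therefore opened on every host built from it, including any future non-desktop host that the `# FIXME: at some point, hide GUI and sound ... behind an option` in the next hunk anticipates. The `# FIXME: kdeconnect module` added here can be resolved with `programs.kdeconnect.enable = true;`, which opens that range itself, after which the two `allowed*PortRanges` lines can go. Until the desktop/server split exists, a comment such as `# desktop-only: KDE Connect; drop once the desktop/server option exists` would keep the next reader from treating this as a base-system rule.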
@@ -74,6 +74,23 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -136,7 +153,7 @@ "crane": "crane", "flake-compat": "flake-compat", "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" @@ -316,6 +333,7 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "logseq-fix-nixpkgs": "logseq-fix-nixpkgs", @@ -323,7 +341,8 @@ "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs_2", - "nur": "nur" + "nur": "nur", + "utils": "utils" } }, "rust-overlay": { 
@@ -365,6 +384,54 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b03bfc7..61e55a0 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,7 @@ url = "github:nix-community/lanzaboote/v0.3.0"; # deliberately do _not_ follow the nixpkgs input here, because paranoia and test coverage }; + utils.url = "github:numtide/flake-utils"; nur.url = "github:nix-community/NUR"; # TODO: possible make this a flake as well 
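Review bot: The input added here is named `utils`, but the outputs function in the next hunk destructures `flake-utils`, which is not a declared input; flake.lock confirms the mismatch, since root now lists both `flake-utils` (original `type: indirect`, i.e. resolved through the flake registry) and an unused `utils` pinned to numtide/flake-utils. The code therefore depends on whatever the registry maps `flake-utils` to rather than the URL declared on this line, which is the opposite of what a pinned input is for. Change it to `flake-utils.url = "github:numtide/flake-utils";` (or destructure `utils` instead) and re-lock so the indirect entry disappears.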
@@ -25,24 +26,27 @@ }; outputs = - { self, nixpkgs, nur, lanzaboote, ... }@inputs: + { self, nixpkgs, nur, lanzaboote, flake-utils, ... }@inputs: let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; + # FIXME: allow different systems + systems = flake-utils.lib.system; + # necessary to make the top-level inputs available to system configuration + defaultModules = [ + { _module.args = { inherit inputs; }; } + ]; + mkSystem = system: extraModules: + nixpkgs.lib.nixosSystem rec { + modules = defaultModules ++ extraModules; + inherit system; + }; in { - - nixosConfigurations.thinknix = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ ./nixos/configuration.nix lanzaboote.nixosModules.lanzaboote ]; - # necessary to make the top-level inputs available to system configuration - specialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; - }; + nixosConfigurations = { + thinknix = mkSystem systems.x86_64-linux [ ./hosts/thinknix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s lanzaboote.nixosModules.lanzaboote ]; + framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix inputs.nixos-hardware.nixosModules.framework-13-7040-amd lanzaboote.nixosModules.lanzaboote ]; }; + # FIXME: see mkHomemanager homeConfigurations.spiollinux = inputs.home-manager.lib.homeManagerConfiguration { - inherit pkgs; modules = [ { @@ -58,8 +62,7 @@ # Optionally use extraSpecialArgs # to pass through arguments to home.nix extraSpecialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; + inherit inputs; }; }; }; diff --git a/hosts/thinknix/default.nix b/hosts/thinknix/default.nix new file mode 100644 index 0000000..8451bc0 --- /dev/null +++ b/hosts/thinknix/default.nix 
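Review bot: `homeConfigurations.spiollinux` drops `inherit pkgs;` and the `pkgs` binding in the `let`, but `homeManagerConfiguration` takes `pkgs` as a required argument; unless it is supplied in the lines between this hunk and the next, evaluation of that attribute fails (the `# FIXME: see mkHomemanager` suggests this is known but it is worth saying so). Separately, `mkSystem` passes `inputs` through `_module.args` where the old code used `specialArgs`; arguments from `_module.args` are not available while `imports` are being resolved, so any host module that writes `imports = [ inputs.something ]` (as the deleted hardware-configuration.nix did) will hit infinite recursion — a comment on `defaultModules` such as `# NOTE: _module.args cannot be used inside imports; pass flake modules via mkSystem's extraModules` would prevent that regression. The `rec` on the `nixosSystem` attrset references no sibling attribute and can be dropped.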
@@ -0,0 +1,28 @@ +{ config, lib, pkgs, inputs, ...}: +{ + imports = [ + ../../common + + ./hardware-configuration.nix + ./storage.nix + ./swap.nix + # FIXME: move this to common, conditional enabling + ./secureboot.nix + ]; + + + hardware.trackpoint = { + enable = true; + sensitivity = 180; + speed = 180; + }; + + networking.hostName = "thinknix"; + + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "18.09"; # Did you read the comment? +} diff --git a/hosts/thinknix/hardware-configuration.nix b/hosts/thinknix/hardware-configuration.nix new file mode 100644 index 0000000..f3e821a --- /dev/null +++ b/hosts/thinknix/hardware-configuration.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, modulesPath, inputs, ... }: + + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = []; + + nix.settings.max-jobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + # modesetting is always better than intel (legacy) + services.xserver.videoDrivers = [ "modesetting" ]; + +} diff --git a/hosts/thinknix/secureboot.nix b/hosts/thinknix/secureboot.nix new file mode 100644 index 0000000..6e20c35 --- /dev/null +++ b/hosts/thinknix/secureboot.nix 
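Review bot: The new hosts/thinknix/hardware-configuration.nix has lost the generated header and had its storage and swap sections split out, so it is now a hand-maintained file carrying the name that `nixos-generate-config` overwrites; a header like `# Hand-maintained: do not regenerate with nixos-generate-config (disks live in storage.nix / swap.nix)` would protect the split. The `inputs` argument is no longer used in this file since the nixos-hardware module moved into the `mkSystem` call in flake.nix, and `config` and `pkgs` are unused as well. The same unused `config`/`pkgs`/`inputs` arguments appear in hosts/thinknix/default.nix in this hunk.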
@@ -0,0 +1,20 @@ +{ config, lib, pkgs, inputs, ...}: +{ + boot.loader.efi.canTouchEfiVariables = true; + + # UEFI secure boot + environment.systemPackages = [ + pkgs.sbctl + ]; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + boot.loader.systemd-boot.enable = lib.mkForce false; + + boot.lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + +} diff --git a/hosts/thinknix/storage.nix b/hosts/thinknix/storage.nix new file mode 100644 index 0000000..557db3f --- /dev/null +++ b/hosts/thinknix/storage.nix 
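Review bot: `pkiBundle = "/etc/secureboot"` points lanzaboote at the Secure Boot signing keys without stating what protects them; the root filesystem in storage.nix appears to live on a LUKS device, so at rest the keys rely on that encryption, and the dependency deserves a comment such as `# signing keys: relies on the LUKS-encrypted root; keep out of unencrypted backups`. That note matters once this module moves to common, as the FIXME in hosts/thinknix/default.nix plans, because a host with an unencrypted root would silently drop the protection. `config` and `inputs` are unused in this module and can be removed from the argument set.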
@@ -0,0 +1,67 @@ +{ config, lib, pkgs, inputs, ...}: +let + fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ]; +in +{ + # encrypted partitions + boot.initrd.luks = { + devices = + # allow discards on all devices + builtins.mapAttrs (name: val: val // {allowDiscards = true;}) + { + "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef"; + "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa"; + "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1"; + }; + reusePassphrases = true; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; + fsType = "btrfs"; + options = fsOptions ++ [ "subvol=nixos_root" ]; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/DED9-661B"; + fsType = "vfat"; + options = [ "discard" ]; + }; + + "/home" = { + device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; + fsType = "btrfs"; + options = fsOptions ++ [ "subvol=home" ]; + }; + + "/var/tmp" = { + device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; + fsType = "btrfs"; + options = fsOptions ++ [ "subvol=vartmp" ]; + }; + + "/var/log" = { + device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; + fsType = "btrfs"; + options = fsOptions ++ [ "subvol=varlog" ]; + }; + + "/var/cache" = { + device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; + fsType = "btrfs"; + options = fsOptions ++ [ "subvol=varcache" ]; + }; + }; + + services.fstrim.enable = true; + services.btrfs.autoScrub = { + enable = true; + fileSystems = [ "/" "/home" ]; + }; + + + boot.tmp.useTmpfs = true; + fileSystems."/tmp".fsType = "tmpfs"; + +} diff --git a/hosts/thinknix/swap.nix b/hosts/thinknix/swap.nix new file mode 100644 index 0000000..5aeb2bc --- /dev/null +++ b/hosts/thinknix/swap.nix 
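Review bot: The comment `# allow discards on all devices` should record the trade-off `allowDiscards` makes: TRIM passes through the LUKS layer, so the free-block layout becomes visible on the raw disk; e.g. `# allow discards on all devices (TRIM leaks free-block layout through LUKS; accepted for SSD health)`. Near the end, `boot.tmp.useTmpfs = true;` already mounts a tmpfs on /tmp, so the extra `fileSystems."/tmp".fsType = "tmpfs";`, carried over from the deleted hardware-configuration.nix, looks redundant and can probably be dropped unless something reads `fileSystems."/tmp"`. The `"system"`, `"cryptswap"` and `"ssd2"` mappings are referenced by UUID only; a one-line comment per mapping naming which `fileSystems` entry sits on it would make the by-uuid entries below auditable.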
@@ -0,0 +1,12 @@ +{ + swapDevices = [ + { device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; } + ]; + + zramSwap = { + enable = true; + memoryPercent = 20; + }; + + boot.kernel.sysctl."vm.swappiness" = 9; +} diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix deleted file mode 100644 index 5b903fc..0000000 --- a/nixos/hardware-configuration.nix +++ /dev/null 
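Review bot: The swap device is given by UUID with no link to the `cryptswap` LUKS mapping declared in storage.nix; presumably this UUID is the swap signature inside the opened mapping, so a comment `# swap inside the "cryptswap" LUKS device (see storage.nix)` keeps the two files in sync when either changes. Unlike the sibling modules this file omits the `{ ... }:` function header, which is valid for a plain attribute set but inconsistent with the rest of the host directory.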
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, modulesPath, inputs, ... }: - - -let - fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ]; -in -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - (inputs.nixos-hardware + "/lenovo/thinkpad/t440s") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = []; - - # encrypted partitions - boot.initrd.luks = - { - devices = - # allow discards on all devices - builtins.mapAttrs (name: val: val // {allowDiscards = true;}) - { - "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef"; - "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa"; - "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1"; - }; - reusePassphrases = true; - }; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=nixos_root" ]; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/DED9-661B"; - fsType = "vfat"; - options = [ "discard" ]; - }; - - fileSystems."/home" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=home" ]; - }; - - fileSystems."/var/tmp" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=vartmp" ]; - }; - - fileSystems."/var/log" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varlog" ]; - }; - - fileSystems."/var/cache" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varcache" ]; - }; - - boot.tmp.useTmpfs = true; - fileSystems."/tmp".fsType = "tmpfs"; - - swapDevices = - [ - { device = 
"/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; } - ]; - - nix.settings.max-jobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - hardware.trackpoint = { - enable = true; - sensitivity = 180; - speed = 180; - }; - - - # modesetting is always better than intel (legacy) - services.xserver.videoDrivers = [ "modesetting" ]; - -}