From 993308a2d32261ffb3c68e7e157cd99df6448099 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Tue, 9 Jan 2024 23:48:38 +0100 Subject: [PATCH] start modularising NixOS config for several hosts First step in modularising the NixOS config, with a focus on separation of host-specific and common configs. Common modules still need to be split up and refined, several TODOs and FIXUPs remain in code. But the config builds fine on thinknix. Roughly based on/ inspired by https://johns.codes/blog/organizing-system-configs-with-nixos#using-nixos --- nixos/configuration.nix => common/default.nix | 52 +--------- {nixos/modules => common}/nitrokey.nix | 0 {nixos/modules => common}/packages.nix | 0 flake.lock | 71 +++++++++++++- flake.nix | 33 ++++--- hosts/thinknix/default.nix | 28 ++++++ hosts/thinknix/hardware-configuration.nix | 20 ++++ hosts/thinknix/secureboot.nix | 20 ++++ hosts/thinknix/storage.nix | 67 +++++++++++++ hosts/thinknix/swap.nix | 12 +++ nixos/hardware-configuration.nix | 95 ------------------- 11 files changed, 239 insertions(+), 159 deletions(-) rename nixos/configuration.nix => common/default.nix (82%) rename {nixos/modules => common}/nitrokey.nix (100%) rename {nixos/modules => common}/packages.nix (100%) create mode 100644 hosts/thinknix/default.nix create mode 100644 hosts/thinknix/hardware-configuration.nix create mode 100644 hosts/thinknix/secureboot.nix create mode 100644 hosts/thinknix/storage.nix create mode 100644 hosts/thinknix/swap.nix delete mode 100644 nixos/hardware-configuration.nix diff --git a/nixos/configuration.nix b/common/default.nix similarity index 82% rename from nixos/configuration.nix rename to common/default.nix index 999c472..2fdf524 100644 --- a/nixos/configuration.nix +++ b/common/default.nix 
@@ -1,21 +1,14 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running `nixos-help`). - { config, pkgs, lib, inputs, ... }: let unstable = inputs.nixos-unstable; - localfork = import /home/spiollinux/src/nixpkgs { }; in { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./modules/packages.nix - ./modules/nitrokey.nix + ./packages.nix + ./nitrokey.nix ]; services.davfs2.enable = true; @@ -23,45 +16,13 @@ in # try newer kernels #boot.kernelPackages = pkgs.linuxPackages_latest; - services.fstrim.enable = true; - services.btrfs.autoScrub = - { - enable = true; - fileSystems = [ "/" "/home" ]; - }; # exfat support #boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - zramSwap = - { - enable = true; - memoryPercent = 20; - }; - boot.kernel.sysctl."vm.swappiness" = 9; - - boot.loader.efi.canTouchEfiVariables = true; - - # UEFI secure boot - environment.systemPackages = [ - pkgs.sbctl - ]; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - # make the boot look good boot.plymouth.enable = true; - networking.hostName = "thinknix"; - # configure console console = { font = "Lat2-Terminus16"; @@ -102,6 +63,7 @@ in # networking.firewall.allowedUDPPorts = [ ... ]; networking.firewall.allowedTCPPortRanges = [{ from = 1714; to = 1764; }]; networking.firewall.allowedUDPPortRanges = [{ from = 1714; to = 1764; }]; # for KDE connect + # FIXME: kdeconnect module # Or disable the firewall altogether. # networking.firewall.enable = false; 
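Review bot: The `inputs` argument in `{ config, pkgs, lib, inputs, ... }:` now arrives through `_module.args` (set in flake.nix's `defaultModules`) instead of `specialArgs`, and nothing in the module says so. As far as the module system goes, `_module.args` is itself part of `config`, so `inputs` must not be referenced inside `imports` or evaluation recurses infinitely — presumably the reason the nixos-hardware import moved out of hardware-configuration.nix into flake.nix. A one-line comment above the argument list, `# inputs is provided via _module.args (see flake.nix): usable in config, not in imports`, would keep the next module author from reintroducing that pattern; the same comment belongs in the new hosts/thinknix modules that take `inputs`.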
@@ -183,6 +145,7 @@ in }; + # FIXME: at some point, hide GUI and sound (desktop vs. server) behind an option # Enable the X11 windowing system. services.xserver.enable = true; services.xserver.layout = "de"; @@ -198,7 +161,7 @@ in services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5.enable = true; - # dconf required for several Gnome applications like Cawbird + # dconf required for several Gnome applications programs.dconf.enable = true; programs.firefox.enable = true; # enables support for automatically setting additionsl nativeMessagingHosts @@ -301,10 +264,5 @@ in # stop NetworkManager from managing virtual interfaces networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? } diff --git a/nixos/modules/nitrokey.nix b/common/nitrokey.nix similarity index 100% rename from nixos/modules/nitrokey.nix rename to common/nitrokey.nix diff --git a/nixos/modules/packages.nix b/common/packages.nix similarity index 100% rename from nixos/modules/packages.nix rename to common/packages.nix diff --git a/flake.lock b/flake.lock index 5523caf..5ab8624 100644 --- a/flake.lock +++ b/flake.lock @@ -74,6 +74,23 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", 
@@ -136,7 +153,7 @@ "crane": "crane", "flake-compat": "flake-compat", "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" @@ -316,6 +333,7 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "logseq-fix-nixpkgs": "logseq-fix-nixpkgs", @@ -323,7 +341,8 @@ "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs_2", - "nur": "nur" + "nur": "nur", + "utils": "utils" } }, "rust-overlay": { @@ -365,6 +384,54 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b03bfc7..61e55a0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,6 +14,7 @@ url = "github:nix-community/lanzaboote/v0.3.0"; # deliberately do _not_ follow the nixpkgs input here, because paranoia and test coverage }; + utils.url = "github:numtide/flake-utils"; nur.url = "github:nix-community/NUR"; # TODO: possible make this a flake as well @@ -25,24 +26,27 @@ }; outputs = - { self, nixpkgs, nur, lanzaboote, ... }@inputs: + { self, nixpkgs, nur, lanzaboote, flake-utils, ... }@inputs: let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; + # FIXME: allow different systems + systems = flake-utils.lib.system; + # necessary to make the top-level inputs available to system configuration + defaultModules = [ + { _module.args = { inherit inputs; }; } + ]; + mkSystem = system: extraModules: + nixpkgs.lib.nixosSystem rec { + modules = defaultModules ++ extraModules; + inherit system; + }; in { - - nixosConfigurations.thinknix = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ ./nixos/configuration.nix lanzaboote.nixosModules.lanzaboote ]; - # necessary to make the top-level inputs available to system configuration - specialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; - }; + nixosConfigurations = { + thinknix = mkSystem systems.x86_64-linux [ ./hosts/thinknix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s lanzaboote.nixosModules.lanzaboote ]; + framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix inputs.nixos-hardware.nixosModules.framework-13-7040-amd lanzaboote.nixosModules.lanzaboote ]; }; + # FIXME: see mkHomemanager homeConfigurations.spiollinux = inputs.home-manager.lib.homeManagerConfiguration { - inherit pkgs; modules = [ { @@ -58,8 +62,7 @@ # Optionally use extraSpecialArgs # to pass through arguments to home.nix extraSpecialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; + inherit inputs; }; }; }; 
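Review bot: The new input is declared as `utils.url = "github:numtide/flake-utils";` in the first hunk, but `outputs` in the second hunk destructures `flake-utils`, which the declared inputs do not provide; the flake.lock hunk shows the consequence — root now carries both `utils` and an extra `flake-utils` whose `original` is `{ "id": "flake-utils", "type": "indirect" }`, i.e. resolved from the flake registry rather than from the URL you pinned. An undeclared, registry-resolved input depends on whichever registry entry the building machine has and doubles the dependency for no gain. Either rename the declaration to `flake-utils.url = "github:numtide/flake-utils";` or take `utils` in `outputs` and use `utils.lib.system`, then regenerate flake.lock so only one of the two entries remains.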
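Review bot: `framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix ... ]` references a directory this commit does not create — the diffstat lists only hosts/thinknix — so evaluating `nixosConfigurations.framenix` (and therefore `nix flake check`) will fail on the missing path even though thinknix builds. Either add hosts/framenix in the same commit or leave the entry commented out next to the FIXME until it exists. In the same hunk `inherit pkgs;` is dropped from `homeManagerConfiguration` without a replacement; as far as I know home-manager requires `pkgs` there, so `homeConfigurations.spiollinux` presumably no longer evaluates, and `pkgs = nixpkgs.legacyPackages.x86_64-linux;` would restore it. The `rec` on the `nixosSystem` attrset is also unneeded, since nothing inside it refers to a sibling attribute.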
diff --git a/hosts/thinknix/default.nix b/hosts/thinknix/default.nix
new file mode 100644
index 0000000..8451bc0
--- /dev/null
+++ b/hosts/thinknix/default.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, inputs, ...}:
+{
+ imports = [
+ ../../common
+
+ ./hardware-configuration.nix
+ ./storage.nix
+ ./swap.nix
+ # FIXME: move this to common, conditional enabling
+ ./secureboot.nix
+ ];
+
+
+ hardware.trackpoint = {
+ enable = true;
+ sensitivity = 180;
+ speed = 180;
+ };
+
+ networking.hostName = "thinknix";
+
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "18.09"; # Did you read the comment?
+}
diff --git a/hosts/thinknix/hardware-configuration.nix b/hosts/thinknix/hardware-configuration.nix
new file mode 100644
index 0000000..f3e821a
--- /dev/null
+++ b/hosts/thinknix/hardware-configuration.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, modulesPath, inputs, ... }:
+
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [];
+
+ nix.settings.max-jobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ # modesetting is always better than intel (legacy)
+ services.xserver.videoDrivers = [ "modesetting" ];
+
+}
diff --git a/hosts/thinknix/secureboot.nix b/hosts/thinknix/secureboot.nix
new file mode 100644
index 0000000..6e20c35
--- /dev/null
+++ b/hosts/thinknix/secureboot.nix
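Review bot: `inputs` (and `config`, `pkgs`) in hardware-configuration.nix's argument list are no longer used now that the nixos-hardware t440s import has moved to the `thinknix` entry in flake.nix, and the file does not mention that the hardware profile comes from there. Drop the unused names — `{ lib, modulesPath, ... }:` is enough — and put `# the nixos-hardware lenovo-thinkpad-t440s profile is added in flake.nix, not here` above `imports` so the split is visible from this file. The default.nix hunk above has the same pattern: none of `config`, `lib`, `pkgs`, `inputs` is referenced in its body.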
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, inputs, ...}:
+{
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # UEFI secure boot
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
+}
diff --git a/hosts/thinknix/storage.nix b/hosts/thinknix/storage.nix
new file mode 100644
index 0000000..557db3f
--- /dev/null
+++ b/hosts/thinknix/storage.nix
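Review bot: `boot.lanzaboote.enable = true;` only evaluates when the lanzaboote NixOS module is in the module list, and this file neither imports it nor states that flake.nix's `thinknix` entry supplies it; any host that pulls in secureboot.nix without that entry fails on an undefined option. Because `inputs` reaches this module through `_module.args`, it cannot be used in `imports` to make the file self-contained, so the coupling should at least be written down: `# requires inputs.lanzaboote.nixosModules.lanzaboote in the flake's module list` above `boot.lanzaboote`. When the FIXME in hosts/thinknix/default.nix about moving this to common is resolved, gate the whole file behind an option so hosts without a lanzaboote-signed boot chain do not inherit `boot.loader.systemd-boot.enable = lib.mkForce false;` and end up with no boot loader at all.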
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, inputs, ...}:
+let
+ fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ];
+in
+{
+ # encrypted partitions
+ boot.initrd.luks = {
+ devices =
+ # allow discards on all devices
+ builtins.mapAttrs (name: val: val // {allowDiscards = true;})
+ {
+ "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef";
+ "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa";
+ "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1";
+ };
+ reusePassphrases = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=nixos_root" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/DED9-661B";
+ fsType = "vfat";
+ options = [ "discard" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=home" ];
+ };
+
+ "/var/tmp" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=vartmp" ];
+ };
+
+ "/var/log" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=varlog" ];
+ };
+
+ "/var/cache" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=varcache" ];
+ };
+ };
+
+ services.fstrim.enable = true;
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ };
+
+
+ boot.tmp.useTmpfs = true;
+ fileSystems."/tmp".fsType = "tmpfs";
+
+}
diff --git a/hosts/thinknix/swap.nix b/hosts/thinknix/swap.nix
new file mode 100644
index 0000000..5aeb2bc
--- /dev/null
+++ b/hosts/thinknix/swap.nix
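Review bot: `allowDiscards = true` is applied to every LUKS device by the `mapAttrs` call, including `cryptswap`, and the only explanation is `# allow discards on all devices`; passing TRIM through dm-crypt exposes which sectors of the container are unused to anyone holding the raw disk, which is the known trade-off for SSD wear. That is a defensible choice for a laptop, but the comment should record the trade-off rather than just the mechanism, e.g. `# allow discards on all devices: accepts free-space-layout leakage in exchange for SSD TRIM`. Further down, `services.btrfs.autoScrub.fileSystems = [ "/" "/home" ]` names two subvolume mounts of the same filesystem (both use the `cb5998ae-…` UUID); as far as I know scrub runs filesystem-wide, so the second entry just scrubs it twice and `[ "/" ]` would do. `/var/tmp`, `/var/log` and `/var/cache` live on the `cd6b8f25-…` filesystem while `/tmp` is tmpfs, so /var/tmp persists across reboots and /tmp does not — worth a one-line comment since the two are easily confused.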
@@ -0,0 +1,12 @@
+{
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 20;
+ };
+
+ boot.kernel.sysctl."vm.swappiness" = 9;
+}
diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix
deleted file mode 100644
index 5b903fc..0000000
--- a/nixos/hardware-configuration.nix
+++ /dev/null
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, modulesPath, inputs, ... }: - - -let - fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ]; -in -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - (inputs.nixos-hardware + "/lenovo/thinkpad/t440s") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = []; - - # encrypted partitions - boot.initrd.luks = - { - devices = - # allow discards on all devices - builtins.mapAttrs (name: val: val // {allowDiscards = true;}) - { - "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef"; - "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa"; - "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1"; - }; - reusePassphrases = true; - }; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=nixos_root" ]; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/DED9-661B"; - fsType = "vfat"; - options = [ "discard" ]; - }; - - fileSystems."/home" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=home" ]; - }; - - fileSystems."/var/tmp" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=vartmp" ]; - }; - - fileSystems."/var/log" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varlog" ]; - }; - - fileSystems."/var/cache" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varcache" ]; - }; - - boot.tmp.useTmpfs = true; - fileSystems."/tmp".fsType = "tmpfs"; - - swapDevices = - [ - { device = 
"/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; } - ]; - - nix.settings.max-jobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - hardware.trackpoint = { - enable = true; - sensitivity = 180; - speed = 180; - }; - - - # modesetting is always better than intel (legacy) - services.xserver.videoDrivers = [ "modesetting" ]; - -}