From 993308a2d32261ffb3c68e7e157cd99df6448099 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Tue, 9 Jan 2024 23:48:38 +0100 Subject: [PATCH 01/11] start modularising NixOS config for several hosts First step in modularising the NixOS config, with a focus on separation of host-specific and common configs. Common modules still need to be split up and refined, several TODOs and FIXUPs remain in code. But the config builds fine on thinknix. Roughly based on/ inspired by https://johns.codes/blog/organizing-system-configs-with-nixos#using-nixos --- nixos/configuration.nix => common/default.nix | 52 +--------- {nixos/modules => common}/nitrokey.nix | 0 {nixos/modules => common}/packages.nix | 0 flake.lock | 71 +++++++++++++- flake.nix | 33 ++++--- hosts/thinknix/default.nix | 28 ++++++ hosts/thinknix/hardware-configuration.nix | 20 ++++ hosts/thinknix/secureboot.nix | 20 ++++ hosts/thinknix/storage.nix | 67 +++++++++++++ hosts/thinknix/swap.nix | 12 +++ nixos/hardware-configuration.nix | 95 ------------------- 11 files changed, 239 insertions(+), 159 deletions(-) rename nixos/configuration.nix => common/default.nix (82%) rename {nixos/modules => common}/nitrokey.nix (100%) rename {nixos/modules => common}/packages.nix (100%) create mode 100644 hosts/thinknix/default.nix create mode 100644 hosts/thinknix/hardware-configuration.nix create mode 100644 hosts/thinknix/secureboot.nix create mode 100644 hosts/thinknix/storage.nix create mode 100644 hosts/thinknix/swap.nix delete mode 100644 nixos/hardware-configuration.nix diff --git a/nixos/configuration.nix b/common/default.nix similarity index 82% rename from nixos/configuration.nix rename to common/default.nix index 999c472..2fdf524 100644 --- a/nixos/configuration.nix +++ b/common/default.nix 
@@ -1,21 +1,14 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running `nixos-help`). - { config, pkgs, lib, inputs, ... }: let unstable = inputs.nixos-unstable; - localfork = import /home/spiollinux/src/nixpkgs { }; in { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./modules/packages.nix - ./modules/nitrokey.nix + ./packages.nix + ./nitrokey.nix ]; services.davfs2.enable = true; @@ -23,45 +16,13 @@ in # try newer kernels #boot.kernelPackages = pkgs.linuxPackages_latest; - services.fstrim.enable = true; - services.btrfs.autoScrub = - { - enable = true; - fileSystems = [ "/" "/home" ]; - }; # exfat support #boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - zramSwap = - { - enable = true; - memoryPercent = 20; - }; - boot.kernel.sysctl."vm.swappiness" = 9; - - boot.loader.efi.canTouchEfiVariables = true; - - # UEFI secure boot - environment.systemPackages = [ - pkgs.sbctl - ]; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - # make the boot look good boot.plymouth.enable = true; - networking.hostName = "thinknix"; - # configure console console = { font = "Lat2-Terminus16"; @@ -102,6 +63,7 @@ in # networking.firewall.allowedUDPPorts = [ ... ]; networking.firewall.allowedTCPPortRanges = [{ from = 1714; to = 1764; }]; networking.firewall.allowedUDPPortRanges = [{ from = 1714; to = 1764; }]; # for KDE connect + # FIXME: kdeconnect module # Or disable the firewall altogether. # networking.firewall.enable = false; 
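Review bot: The KDE Connect firewall exception (TCP and UDP 1714–1764) kept as context in the third hunk is now inherited by every host that imports common/default.nix, and the new `# FIXME: kdeconnect module` line already names the fix: NixOS ships `programs.kdeconnect.enable = true;`, which opens exactly these ranges and ties them to the program, so a host that does not enable it keeps those ports closed. Replacing the two `allowedTCPPortRanges`/`allowedUDPPortRanges` lines with that option resolves the FIXME. Dropping `localfork = import /home/spiollinux/src/nixpkgs { };` in the first hunk removes the last absolute path outside the repository from the common module, which is what lets it evaluate on a second host at all.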
@@ -183,6 +145,7 @@ in }; + # FIXME: at some point, hide GUI and sound (desktop vs. server) behind an option # Enable the X11 windowing system. services.xserver.enable = true; services.xserver.layout = "de"; @@ -198,7 +161,7 @@ in services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5.enable = true; - # dconf required for several Gnome applications like Cawbird + # dconf required for several Gnome applications programs.dconf.enable = true; programs.firefox.enable = true; # enables support for automatically setting additionsl nativeMessagingHosts @@ -301,10 +264,5 @@ in # stop NetworkManager from managing virtual interfaces networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "18.09"; # Did you read the comment? } diff --git a/nixos/modules/nitrokey.nix b/common/nitrokey.nix similarity index 100% rename from nixos/modules/nitrokey.nix rename to common/nitrokey.nix diff --git a/nixos/modules/packages.nix b/common/packages.nix similarity index 100% rename from nixos/modules/packages.nix rename to common/packages.nix diff --git a/flake.lock b/flake.lock index 5523caf..5ab8624 100644 --- a/flake.lock +++ b/flake.lock @@ -74,6 +74,23 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", 
@@ -136,7 +153,7 @@ "crane": "crane", "flake-compat": "flake-compat", "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" @@ -316,6 +333,7 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "logseq-fix-nixpkgs": "logseq-fix-nixpkgs", @@ -323,7 +341,8 @@ "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs_2", - "nur": "nur" + "nur": "nur", + "utils": "utils" } }, "rust-overlay": { @@ -365,6 +384,54 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b03bfc7..61e55a0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,6 +14,7 @@ url = "github:nix-community/lanzaboote/v0.3.0"; # deliberately do _not_ follow the nixpkgs input here, because paranoia and test coverage }; + utils.url = "github:numtide/flake-utils"; nur.url = "github:nix-community/NUR"; # TODO: possible make this a flake as well @@ -25,24 +26,27 @@ }; outputs = - { self, nixpkgs, nur, lanzaboote, ... }@inputs: + { self, nixpkgs, nur, lanzaboote, flake-utils, ... }@inputs: let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; + # FIXME: allow different systems + systems = flake-utils.lib.system; + # necessary to make the top-level inputs available to system configuration + defaultModules = [ + { _module.args = { inherit inputs; }; } + ]; + mkSystem = system: extraModules: + nixpkgs.lib.nixosSystem rec { + modules = defaultModules ++ extraModules; + inherit system; + }; in { - - nixosConfigurations.thinknix = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ ./nixos/configuration.nix lanzaboote.nixosModules.lanzaboote ]; - # necessary to make the top-level inputs available to system configuration - specialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; - }; + nixosConfigurations = { + thinknix = mkSystem systems.x86_64-linux [ ./hosts/thinknix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s lanzaboote.nixosModules.lanzaboote ]; + framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix inputs.nixos-hardware.nixosModules.framework-13-7040-amd lanzaboote.nixosModules.lanzaboote ]; }; + # FIXME: see mkHomemanager homeConfigurations.spiollinux = inputs.home-manager.lib.homeManagerConfiguration { - inherit pkgs; modules = [ { @@ -58,8 +62,7 @@ # Optionally use extraSpecialArgs # to pass through arguments to home.nix extraSpecialArgs = { - #TODO: for system, consider moving to flake-utils - inherit inputs system; + inherit inputs; }; }; }; 
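Review bot: The input added in the first hunk is named `utils`, but the second hunk destructures `flake-utils` from `inputs`, so `flake-utils.lib.system` does not come from the pinned `utils` input but from an unlisted input that Nix resolves through the flake registry — the lock in this commit records it as a separate root input `flake-utils` with `"type": "indirect"`, and later lock updates in this series flip that entry between a `github` source and a local `/nix/store/...-source` path. Renaming the input to `flake-utils.url = "github:numtide/flake-utils";` makes the destructured name and the pinned input the same thing and lets the duplicate `utils`/`systems_3` lock entries disappear on the next `nix flake lock`. Separately, `nixosConfigurations.framenix` references `./hosts/framenix`, which does not exist until PATCH 04, so evaluating all configurations (for example `nix flake check`) fails at this commit. The `rec` on the attribute set passed to `nixosSystem` in `mkSystem` is unused, as nothing in it refers to a sibling attribute.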
diff --git a/hosts/thinknix/default.nix b/hosts/thinknix/default.nix
new file mode 100644
index 0000000..8451bc0
--- /dev/null
+++ b/hosts/thinknix/default.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, inputs, ...}:
+{
+ imports = [
+ ../../common
+
+ ./hardware-configuration.nix
+ ./storage.nix
+ ./swap.nix
+ # FIXME: move this to common, conditional enabling
+ ./secureboot.nix
+ ];
+
+
+ hardware.trackpoint = {
+ enable = true;
+ sensitivity = 180;
+ speed = 180;
+ };
+
+ networking.hostName = "thinknix";
+
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "18.09"; # Did you read the comment?
+}
diff --git a/hosts/thinknix/hardware-configuration.nix b/hosts/thinknix/hardware-configuration.nix
new file mode 100644
index 0000000..f3e821a
--- /dev/null
+++ b/hosts/thinknix/hardware-configuration.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, modulesPath, inputs, ... }:
+
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [];
+
+ nix.settings.max-jobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ # modesetting is always better than intel (legacy)
+ services.xserver.videoDrivers = [ "modesetting" ];
+
+}
diff --git a/hosts/thinknix/secureboot.nix b/hosts/thinknix/secureboot.nix
new file mode 100644
index 0000000..6e20c35
--- /dev/null
+++ b/hosts/thinknix/secureboot.nix
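Review bot: In hosts/thinknix/hardware-configuration.nix the `inputs` module argument is no longer used — the `inputs.nixos-hardware + "/lenovo/thinkpad/t440s"` import it served has moved to flake.nix as `inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s` — so the header can shrink to `{ config, lib, pkgs, modulesPath, ... }:`. That move also means nothing under hosts/thinknix/ says which machine this is; a one-line header in hosts/thinknix/default.nix such as `# thinknix: ThinkPad T440s; its nixos-hardware module is attached in flake.nix` keeps the host directory readable on its own. The `# FIXME: move this to common, conditional enabling` on `./secureboot.nix` is a good marker, but the conditional should be an explicit option rather than a hostname check, since common/ is now shared.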
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, inputs, ...}:
+{
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # UEFI secure boot
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
+}
diff --git a/hosts/thinknix/storage.nix b/hosts/thinknix/storage.nix
new file mode 100644
index 0000000..557db3f
--- /dev/null
+++ b/hosts/thinknix/storage.nix
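Review bot: `pkiBundle = "/etc/secureboot"` is the only reference to the Secure Boot key material in the whole configuration, and the file does not say what lives there or that it is state outside the repository; a comment above `boot.lanzaboote` along the lines of `# /etc/secureboot holds the sbctl-generated platform and signing keys; lanzaboote signs every generation with them, so the directory must exist (and stay private) on any host importing this module` records that. That matters for the `# FIXME: move this to common, conditional enabling` in default.nix, because a host without a populated bundle would presumably fail at bootloader installation rather than boot unsigned. `boot.loader.efi.canTouchEfiVariables = true` is also what lets `sbctl enroll-keys` write the firmware key databases, which is worth stating next to it since the line reads as a generic loader setting. The `inputs` parameter of this module is unused.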
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, inputs, ...}:
+let
+ fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ];
+in
+{
+ # encrypted partitions
+ boot.initrd.luks = {
+ devices =
+ # allow discards on all devices
+ builtins.mapAttrs (name: val: val // {allowDiscards = true;})
+ {
+ "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef";
+ "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa";
+ "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1";
+ };
+ reusePassphrases = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=nixos_root" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/DED9-661B";
+ fsType = "vfat";
+ options = [ "discard" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=home" ];
+ };
+
+ "/var/tmp" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=vartmp" ];
+ };
+
+ "/var/log" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=varlog" ];
+ };
+
+ "/var/cache" = {
+ device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=varcache" ];
+ };
+ };
+
+ services.fstrim.enable = true;
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ };
+
+
+ boot.tmp.useTmpfs = true;
+ fileSystems."/tmp".fsType = "tmpfs";
+
+}
diff --git a/hosts/thinknix/swap.nix b/hosts/thinknix/swap.nix
new file mode 100644
index 0000000..5aeb2bc
--- /dev/null
+++ b/hosts/thinknix/swap.nix
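Review bot: `services.btrfs.autoScrub.fileSystems = [ "/" "/home" ]` names two mount points of the same btrfs filesystem (both use device `cb5998ae-…`, differing only in `subvol=`), so that device is scrubbed twice per run while the second btrfs device `cd6b8f25-…` behind `/var/tmp`, `/var/log` and `/var/cache` is never scrubbed; `fileSystems = [ "/" "/var/log" ];` covers each filesystem exactly once, which is the very case this option exists for (its default would include every subvolume mount). hosts/framenix/storage.nix in PATCH 04 carries the same `"/" "/home"` duplicate on a single device. The `# allow discards on all devices` comment would be more useful if it also recorded the trade-off the NixOS option itself documents — with discards enabled, someone reading the raw disk can tell which blocks are unused — since the same choice is repeated by the `"discard"` mount option on `/boot`.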
@@ -0,0 +1,12 @@
+{
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 20;
+ };
+
+ boot.kernel.sysctl."vm.swappiness" = 9;
+}
diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix
deleted file mode 100644
index 5b903fc..0000000
--- a/nixos/hardware-configuration.nix
+++ /dev/null
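Review bot: The swap device referenced by UUID here is presumably the unlocked `cryptswap` LUKS volume declared in storage.nix, but nothing in swap.nix records that dependency, so a reader of this file alone cannot tell whether swap is encrypted or why it only appears after the initrd opens that volume. A comment on `swapDevices`, e.g. `# the unlocked "cryptswap" LUKS volume from storage.nix (passphrase reused via reusePassphrases)`, makes that explicit — the reuse part should be confirmed against the `reusePassphrases = true;` in storage.nix. If the swap is also meant for hibernation, `boot.resumeDevice` is not set anywhere in this series.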
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, modulesPath, inputs, ... }: - - -let - fsOptions = [ "noatime" "ssd" "space_cache" "compress=zstd" ]; -in -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - (inputs.nixos-hardware + "/lenovo/thinkpad/t440s") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = []; - - # encrypted partitions - boot.initrd.luks = - { - devices = - # allow discards on all devices - builtins.mapAttrs (name: val: val // {allowDiscards = true;}) - { - "system".device = "/dev/disk/by-uuid/85154131-b2a8-4ef5-9d74-47429cb267ef"; - "cryptswap".device = "/dev/disk/by-uuid/ac586df6-6332-4809-beb1-f51906a2adaa"; - "ssd2".device = "/dev/disk/by-uuid/cadd4e1f-3642-4faa-8d4e-37dd85465df1"; - }; - reusePassphrases = true; - }; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=nixos_root" ]; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/DED9-661B"; - fsType = "vfat"; - options = [ "discard" ]; - }; - - fileSystems."/home" = - { - device = "/dev/disk/by-uuid/cb5998ae-cfc9-447f-8756-1ceaec6ca4c4"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=home" ]; - }; - - fileSystems."/var/tmp" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=vartmp" ]; - }; - - fileSystems."/var/log" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varlog" ]; - }; - - fileSystems."/var/cache" = - { - device = "/dev/disk/by-uuid/cd6b8f25-c029-49a6-b326-656faec3ce15"; - fsType = "btrfs"; - options = fsOptions ++ [ "subvol=varcache" ]; - }; - - boot.tmp.useTmpfs = true; - fileSystems."/tmp".fsType = "tmpfs"; - - swapDevices = - [ - { device = 
"/dev/disk/by-uuid/bf928178-4e92-4e7e-8df2-18fbd658eecf"; } - ]; - - nix.settings.max-jobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - hardware.trackpoint = { - enable = true; - sensitivity = 180; - speed = 180; - }; - - - # modesetting is always better than intel (legacy) - services.xserver.videoDrivers = [ "modesetting" ]; - -} From 27100bacb770aace381d032880588b94976217dd Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Wed, 10 Jan 2024 00:25:45 +0100 Subject: [PATCH 02/11] modularise flake config: fix and modularise home-manager config generation unfortunately, homeConfigurations do not follow the pattern of having system-specific sub-attrs and thus are dependent on a specific system per-se. --- flake.nix | 45 ++++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/flake.nix b/flake.nix index 61e55a0..21a0317 100644 --- a/flake.nix +++ b/flake.nix @@ -26,7 +26,7 @@ }; outputs = - { self, nixpkgs, nur, lanzaboote, flake-utils, ... }@inputs: + { self, nixpkgs, nur, lanzaboote, flake-utils, home-manager, ... }@inputs: let # FIXME: allow different systems systems = flake-utils.lib.system; 
@@ -39,31 +39,34 @@ modules = defaultModules ++ extraModules; inherit system; }; + mkHomeManager = confName: user: system: # unfortunately, home-manager configs are still system-specific + # FIXME: this is thus still linux-x86_64 specific + home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages.${system}; + modules = [ + { + imports = [ + nur.hmModules.nur + # TODO: $name can be utilised to conditionally load other config files + ./home/home.nix + ]; + # extends the home config + home.username = user; + home.homeDirectory = "/home/${user}"; + } + ]; + # Optionally use extraSpecialArgs + # to pass through arguments to home.nix + extraSpecialArgs = { + inherit inputs system; + }; + }; in { nixosConfigurations = { thinknix = mkSystem systems.x86_64-linux [ ./hosts/thinknix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t440s lanzaboote.nixosModules.lanzaboote ]; framenix = mkSystem systems.x86_64-linux [ ./hosts/framenix inputs.nixos-hardware.nixosModules.framework-13-7040-amd lanzaboote.nixosModules.lanzaboote ]; }; - # FIXME: see mkHomemanager - homeConfigurations.spiollinux = inputs.home-manager.lib.homeManagerConfiguration { - - modules = [ - { - imports = [ - nur.hmModules.nur - ./home/home.nix - ]; - # extends the home config - home.username = "spiollinux"; - home.homeDirectory = "/home/spiollinux"; - } - ]; - # Optionally use extraSpecialArgs - # to pass through arguments to home.nix - extraSpecialArgs = { - inherit inputs; - }; - }; + homeConfigurations.spiollinux = mkHomeManager "spiollinux" "spiollinux" systems.x86_64-linux; }; } From 317aeb248e87bd1e1df3f660fd1af13ebd910250 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Wed, 10 Jan 2024 00:45:04 +0100 Subject: [PATCH 03/11] [flake lock update] --- flake.lock | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 5ab8624..3ba28eb 100644 --- a/flake.lock +++ b/flake.lock 
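Review bot: `mkHomeManager` takes a `confName` parameter that its body never uses — the `# TODO: $name can be utilised ...` comment describes an intention, not behaviour — so `homeConfigurations.spiollinux = mkHomeManager "spiollinux" "spiollinux" systems.x86_64-linux;` passes the same string twice to no effect; either drop the parameter until it is used or pass it through now with `inherit inputs system confName;` in `extraSpecialArgs` so home.nix can branch on it. The `# FIXME: this is thus still linux-x86_64 specific` comment also misstates the code: `system` is a parameter, so the helper itself is system-agnostic and only the call site pins x86_64-linux (spelled that way); the FIXME belongs on the call site.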
@@ -77,10 +77,9 @@ "locked": { "lastModified": 1701680307, "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", + "path": "/nix/store/pgid9c9xfcrbqx2giry0an0bi0df7s5c-source", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" + "type": "path" }, "original": { "id": "flake-utils", @@ -134,11 +133,11 @@ ] }, "locked": { - "lastModified": 1703113038, - "narHash": "sha256-oxkyzjpD+mNT7arzU/zHrkNHLuY9tKwmnD2MNaZiSDw=", + "lastModified": 1704099619, + "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=", "owner": "nix-community", "repo": "home-manager", - "rev": "0c2353d5d930c3d93724df6858aef064a31b3c00", + "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851", "type": "github" }, "original": { @@ -207,11 +206,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1702453208, - "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=", + "lastModified": 1704786394, + "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6", + "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b", "type": "github" }, "original": { @@ -223,11 +222,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1704538339, + "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701", "type": "github" }, "original": { 
@@ -271,11 +270,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1703068421, - "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", + "lastModified": 1704420045, + "narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", + "rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d", "type": "github" }, "original": { @@ -287,11 +286,11 @@ }, "nur": { "locked": { - "lastModified": 1703159048, - "narHash": "sha256-TcW0kf7nd/OEZwwxPs1y07YU4oZe18ezolScRbXXWZA=", + "lastModified": 1704840324, + "narHash": "sha256-Bt16Bq+o/HgBi4T9bvvFGvQ6IxAZ+w0LD5gQwm5vPnA=", "owner": "nix-community", "repo": "NUR", - "rev": "9ef37017837733a76fe18680264fcd815df1eea6", + "rev": "4657978e02a45a3f90dcba0f5a878d8d4ff439a5", "type": "github" }, "original": { From bb61531df1d3fb1f257c51543b83d31d1d912695 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 01:13:42 +0100 Subject: [PATCH 04/11] WIP framenix --- common/default.nix | 2 +- hosts/framenix/default.nix | 36 +++++++++++++++++++ hosts/framenix/hardware-configuration.nix | 26 ++++++++++++++ hosts/framenix/storage.nix | 44 +++++++++++++++++++++++ hosts/framenix/swap.nix | 12 +++++++ 5 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 hosts/framenix/default.nix create mode 100644 hosts/framenix/hardware-configuration.nix create mode 100644 hosts/framenix/storage.nix create mode 100644 hosts/framenix/swap.nix diff --git a/common/default.nix b/common/default.nix index 2fdf524..31c6593 100644 --- a/common/default.nix +++ b/common/default.nix @@ -48,7 +48,7 @@ in programs.adb.enable = true; - # programs.mtr.enable = true; + programs.mtr.enable = true; # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; # List services that you want to enable: diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix new file mode 100644 index 0000000..bde4c32 --- /dev/null 
+++ b/hosts/framenix/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, inputs, ...}:
+{
+ imports = [
+ ../../common
+
+ ./hardware-configuration.nix
+ ./storage.nix
+ ./swap.nix
+ ];
+
+ networking.hostName = "framenix"; # Define your hostname.
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+ hardware.enableRedistributableFirmware = true;
+}
+
diff --git a/hosts/framenix/hardware-configuration.nix b/hosts/framenix/hardware-configuration.nix
new file mode 100644
index 0000000..a731402
--- /dev/null
+++ b/hosts/framenix/hardware-configuration.nix
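Review bot: This host enables plain `boot.loader.systemd-boot.enable = true` while flake.nix (PATCH 01) attaches `lanzaboote.nixosModules.lanzaboote` to framenix as well; since nothing here sets `boot.lanzaboote.enable`, that module is inert and the host boots unsigned kernels from the vfat `/boot`, a presumably deliberate difference from thinknix that is recorded nowhere. A comment next to the loader lines, e.g. `# no Secure Boot on this host yet; thinknix does it in hosts/thinknix/secureboot.nix (see the FIXME there about moving it to common)`, keeps the two hosts' boot-chain posture comparable at a glance. The 16-line `stateVersion` block is the installer's stock text and could be trimmed to the four lines thinknix keeps.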
@@ -0,0 +1,26 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp193s0f3u1c2.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/framenix/storage.nix b/hosts/framenix/storage.nix new file mode 100644 index 0000000..3efa655 --- /dev/null +++ b/hosts/framenix/storage.nix 
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let
+ fsOptions = [ "noatime" "ssd" "compress=zstd" ];
+in
+{
+ boot.initrd.luks = {
+ devices =
+ # allow discards on all devices
+ builtins.mapAttrs (name: val: val // {allowDiscards = true;})
+ {
+ "system".device = "/dev/disk/by-uuid/1838cdc5-9b0b-4c46-9f23-9465549eeb92";
+ "cryptswap".device = "/dev/disk/by-uuid/ded7d649-ab3a-42ee-ae4a-f8c4ba029e9c";
+ };
+ reusePassphrases = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/22388786-4285-403b-9994-e9aae1f11172";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=nixos_root" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-uuid/22388786-4285-403b-9994-e9aae1f11172";
+ fsType = "btrfs";
+ options = fsOptions ++ [ "subvol=home" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/AF8E-E9E6";
+ fsType = "vfat";
+ options = [ "discard" ];
+ };
+ };
+
+ services.fstrim.enable = true;
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ };
+
+ boot.tmp.useTmpfs = true;
+}
diff --git a/hosts/framenix/swap.nix b/hosts/framenix/swap.nix
new file mode 100644
index 0000000..262809c
--- /dev/null
+++ b/hosts/framenix/swap.nix
@@ -0,0 +1,12 @@
+{
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/24c47f3d-0d3e-4575-92a2-174b5a6b6086"; }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 20;
+ };
+
+ boot.kernel.sysctl."vm.swappiness" = 9;
+}
From 9178d539f00010b6432d4037f2564d6ea21a730d Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Thu, 11 Jan 2024 01:33:58 +0100
Subject: [PATCH 05/11] [flake lock update]
---
 flake.lock | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/flake.lock b/flake.lock
index 3ba28eb..fe01484 100644
--- a/flake.lock
+++ b/flake.lock
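Review bot: hosts/framenix/swap.nix (second hunk on this line) repeats the `zramSwap` block and `boot.kernel.sysctl."vm.swappiness" = 9;` verbatim from hosts/thinknix/swap.nix, so only the `swapDevices` entry is actually host-specific; PATCH 01 moved those shared lines out of common, but they would be better kept there, leaving each host's swap.nix as the one `swapDevices` declaration. In storage.nix, `fsOptions` omits the `space_cache` that thinknix passes; if the omission is intentional (for instance because this filesystem already uses the free-space tree) a short comment saying so keeps the two hosts from drifting apart by accident.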
@@ -77,9 +77,10 @@ "locked": { "lastModified": 1701680307, "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "path": "/nix/store/pgid9c9xfcrbqx2giry0an0bi0df7s5c-source", + "owner": "numtide", + "repo": "flake-utils", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "path" + "type": "github" }, "original": { "id": "flake-utils", @@ -222,11 +223,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1704538339, - "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=", + "lastModified": 1704722960, + "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701", + "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", "type": "github" }, "original": { @@ -270,11 +271,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1704420045, - "narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=", + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", "type": "github" }, "original": { @@ -286,11 +287,11 @@ }, "nur": { "locked": { - "lastModified": 1704840324, - "narHash": "sha256-Bt16Bq+o/HgBi4T9bvvFGvQ6IxAZ+w0LD5gQwm5vPnA=", + "lastModified": 1704926790, + "narHash": "sha256-cvIgvBUvwD4pVQQ0n30b9v52+L27zldSBZzPY5dL2tw=", "owner": "nix-community", "repo": "NUR", - "rev": "4657978e02a45a3f90dcba0f5a878d8d4ff439a5", + "rev": "45a706bce225239a923b84019d693ba3d656c8ee", "type": "github" }, "original": { From 85101e1d859b0825137580949eaf37cef003057c Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 01:50:08 +0100 Subject: [PATCH 06/11] host framenix: disable fingerprint sensor, enable fwupd --- hosts/framenix/default.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix index bde4c32..e2df6a9 100644 --- a/hosts/framenix/default.nix +++ b/hosts/framenix/default.nix @@ -32,5 +32,10 @@ system.stateVersion = "23.11"; # Did you read the comment? hardware.enableRedistributableFirmware = true; + + services.fwupd.enable = true; + + # I do not need fingerprint reading + services.fprintd.enable = false; } From fbef60be21d8bf20da66a58b255ee731beb0b596 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 01:50:31 +0100 Subject: [PATCH 07/11] hosts: smartd only activated on thinknix --- common/default.nix | 6 ------ hosts/thinknix/storage.nix | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/common/default.nix b/common/default.nix index 31c6593..cc698e4 100644 --- a/common/default.nix +++ b/common/default.nix @@ -196,12 +196,6 @@ in # profile sync daemon services.psd.enable = true; - services.smartd = - { - enable = true; - devices = [{ device = "/dev/sda"; } { device = "/dev/sdb"; }]; - }; - fonts = { fontDir.enable = true; fontconfig.enable = true; diff --git a/hosts/thinknix/storage.nix b/hosts/thinknix/storage.nix index 557db3f..358370f 100644 --- a/hosts/thinknix/storage.nix +++ b/hosts/thinknix/storage.nix @@ -64,4 +64,9 @@ in boot.tmp.useTmpfs = true; fileSystems."/tmp".fsType = "tmpfs"; + services.smartd = + { + enable = true; + devices = [{ device = "/dev/sda"; } { device = "/dev/sdb"; }]; + }; } From ee009e1d038412016c6a3187b967155f3a189104 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 18:16:12 +0100 Subject: [PATCH 08/11] host framenix: install radeontop --- hosts/framenix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix index e2df6a9..1571457 100644 --- a/hosts/framenix/default.nix +++ b/hosts/framenix/default.nix 
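Review bot: `services.smartd.devices` in hosts/thinknix/storage.nix (the last hunk on this line) names the disks as `/dev/sda` and `/dev/sdb`, the only unstable device names in a file that otherwise addresses everything by UUID; kernel enumeration order can swap them (a USB disk present at boot is enough), after which smartd watches the wrong device or fails to start. Whole-disk `/dev/disk/by-id/` links keep the monitoring bound to the physical drives: `devices = [{ device = "/dev/disk/by-id/<thinknix-disk-1>"; } { device = "/dev/disk/by-id/<thinknix-disk-2>"; }];` with the real link names filled in; if the intent is simply "all internal disks", `services.smartd.autodetect` (default true) may already cover them and the list can go. In the framenix hunk, the `# I do not need fingerprint reading` comment would be clearer if it named what turns fprintd on in the first place — presumably the nixos-hardware framework module attached in flake.nix, since NixOS leaves it off by default.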
@@ -37,5 +37,7 @@ # I do not need fingerprint reading services.fprintd.enable = false; + + environment.systemPackages = [ pkgs.radeontop ]; } From 34dce961d3d2057349d9385dbe71c704e5f12288 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 18:24:06 +0100 Subject: [PATCH 09/11] host framenix: use latest stable linux kernel to profit from fixes for new hardware --- common/default.nix | 3 --- hosts/framenix/default.nix | 9 +++++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/common/default.nix b/common/default.nix index cc698e4..a5a7119 100644 --- a/common/default.nix +++ b/common/default.nix @@ -13,9 +13,6 @@ in services.davfs2.enable = true; - # try newer kernels - #boot.kernelPackages = pkgs.linuxPackages_latest; - # exfat support #boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix index 1571457..d3d828c 100644 --- a/hosts/framenix/default.nix +++ b/hosts/framenix/default.nix @@ -10,8 +10,13 @@ networking.hostName = "framenix"; # Define your hostname. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + # try newer kernels + boot.kernelPackages = pkgs.linuxPackages_latest; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. From 0b821e04da03fe7946f61032bf352d8476a4e5b8 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 11 Jan 2024 22:59:14 +0100 Subject: [PATCH 10/11] netcat: switch to openbsd implementation, it turned out more reliable in manual tests --- common/packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/packages.nix b/common/packages.nix index be11975..0a048cc 100644 --- a/common/packages.nix 
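Review bot: The comment `# try newer kernels` carried over from common/default.nix no longer matches what the commit title states: on this host `boot.kernelPackages = pkgs.linuxPackages_latest;` is a deliberate choice, and it also means the host moves to each new kernel series as soon as nixpkgs packages it rather than staying on the default series. Replace the comment with the reason and the condition for removing it, e.g. `# Framework hardware: run the latest stable kernel for driver fixes; drop this once the default kernel supports the hardware`. The `boot.loader` regrouping is behavior-neutral; the enclosing attribute set starts outside the hunk.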
+++ b/common/packages.nix @@ -15,7 +15,7 @@ python3 man-pages dnsutils - netcat + netcat-openbsd ntfs3g file multipath-tools From c44dcb450fb3e0bff04611c2fd6c47b96763ae59 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Thu, 18 Jan 2024 19:45:44 +0100 Subject: [PATCH 11/11] [flake lock update] --- flake.lock | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index fe01484..923378c 100644 --- a/flake.lock +++ b/flake.lock @@ -77,10 +77,9 @@ "locked": { "lastModified": 1701680307, "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", + "path": "/nix/store/pgid9c9xfcrbqx2giry0an0bi0df7s5c-source", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" + "type": "path" }, "original": { "id": "flake-utils", @@ -134,11 +133,11 @@ ] }, "locked": { - "lastModified": 1704099619, - "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=", + "lastModified": 1705476964, + "narHash": "sha256-W5OK1fnj4qdn1HWOlxV2S3YiUvfaVjQM5ldWVpGV1fs=", "owner": "nix-community", "repo": "home-manager", - "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851", + "rev": "85c3b600f660abd86e94cbcd1c46733943197a07", "type": "github" }, "original": { @@ -207,11 +206,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1704786394, - "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=", + "lastModified": 1705312285, + "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b", + "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0", "type": "github" }, "original": { 
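Review bot: The switch from `netcat` to `netcat-openbsd` leaves no trace in the package list itself, so the next reader sees only a bare attribute name and may well revert it to the default; the reason lives only in the commit message. Add an inline note beside the entry, e.g. `netcat-openbsd # deliberately not the default 'netcat' attribute: the OpenBSD nc behaved more reliably in manual tests`. If I recall correctly the default `netcat` attribute in nixpkgs resolves to LibreSSL's nc, so before documenting a specific difference confirm which behavior actually differed in your tests. The surrounding list starts and ends outside the hunk.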
@@ -223,11 +222,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1704722960, - "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", + "lastModified": 1705496572, + "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", + "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", "type": "github" }, "original": { @@ -271,11 +270,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1704874635, - "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", + "lastModified": 1705458851, + "narHash": "sha256-uQvEhiv33Zj/Pv364dTvnpPwFSptRZgVedDzoM+HqVg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", + "rev": "8bf65f17d8070a0a490daf5f1c784b87ee73982c", "type": "github" }, "original": { @@ -287,11 +286,11 @@ }, "nur": { "locked": { - "lastModified": 1704926790, - "narHash": "sha256-cvIgvBUvwD4pVQQ0n30b9v52+L27zldSBZzPY5dL2tw=", + "lastModified": 1705602701, + "narHash": "sha256-FkR40ElbG1pW3f/mpSzbRON9Tjx5pkT2IBWNtd3YKDQ=", "owner": "nix-community", "repo": "NUR", - "rev": "45a706bce225239a923b84019d693ba3d656c8ee", + "rev": "66c3aec51e9d40381a053798de41b5e477d4b665", "type": "github" }, "original": { @@ -420,11 +419,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": {