diff --git a/nix/configuration/configuration.nix b/nix/configuration/configuration.nix index 8139139..1b44775 100644 --- a/nix/configuration/configuration.nix +++ b/nix/configuration/configuration.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: @@ -12,6 +11,7 @@ ./roles/amd_s2idle ./roles/ansible ./roles/ares + ./roles/base ./roles/bluetooth ./roles/boot ./roles/chromecast @@ -19,6 +19,7 @@ ./roles/d2 ./roles/direnv ./roles/distributed_build + ./roles/doas ./roles/docker ./roles/ecc ./roles/emacs @@ -27,6 +28,7 @@ ./roles/firewall ./roles/flux ./roles/fonts + ./roles/image_based_appliance ./roles/gcloud ./roles/git ./roles/global_options @@ -66,12 +68,14 @@ ./roles/sound ./roles/spaghettikart ./roles/ssh + ./roles/sshd ./roles/steam ./roles/steam_run_free ./roles/sway ./roles/tekton ./roles/terraform ./roles/thunderbolt + ./roles/user ./roles/uutils ./roles/vnc_client ./roles/vscode 
@@ -86,201 +90,79 @@ ./util/unfree_polyfill ]; - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - nix.settings.trusted-users = [ "@wheel" ]; - - # boot.kernelPackages = pkgs.linuxPackages_6_11; - hardware.enableRedistributableFirmware = true; - - # Use nixos-rebuild-ng - # system.rebuild.enableNg = true; - - # Keep outputs so we can build offline. - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - substitute = false - ''; - - # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on. - boot.supportedFilesystems.zfs = true; - # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ? - - services.getty = { - autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant. - autologinOnce = true; - }; - users.mutableUsers = false; - users.users.talexander = { - isNormalUser = true; - createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481 - group = "talexander"; - extraGroups = [ "wheel" ]; - uid = 11235; - packages = with pkgs; [ - tree + config = { + nix.settings.experimental-features = [ + "nix-command" + "flakes" ]; - # Generate with `mkpasswd -m scrypt` - hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=" - ]; - }; - users.groups.talexander.gid = 11235; + nix.settings.trusted-users = [ "@wheel" ]; - # Automatic garbage collection - nix.gc = lib.mkIf (!config.me.buildingIso) { - # Runs nix-collect-garbage 
--delete-older-than 5d - automatic = true; - persistent = true; - dates = "monthly"; - # randomizedDelaySec = "14m"; - options = "--delete-older-than 30d"; - }; - nix.settings.auto-optimise-store = !config.me.buildingIso; - nix.settings.substituters = lib.mkForce [ ]; + hardware.enableRedistributableFirmware = true; - # Use doas instead of sudo - security.doas.enable = true; - security.doas.wheelNeedsPassword = false; - security.sudo.enable = false; - security.doas.extraRules = [ - { - # Retain environment (for example NIX_PATH) - keepEnv = true; - persist = true; # Only ask for a password the first time. - } - ]; + # Keep outputs so we can build offline. + # Disable substituters to avoid risk of cache poisoning. + nix.extraOptions = '' + keep-outputs = true + keep-derivations = true + substitute = false + ''; + nix.settings.substituters = lib.mkForce [ ]; - environment.systemPackages = with pkgs; [ - wget - mg - rsync - libinput - htop - tmux - file - usbutils # for lsusb - pciutils # for lspci - ripgrep - strace - # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase. - trace-cmd # ftrace - tcpdump - git-crypt - gnumake - ncdu - nix-tree - libarchive # bsdtar - lsof - doas-sudo-shim # To support --sudo for remote builds - dmidecode # Read SMBIOS information. 
- ipcalc - gptfdisk # for cgdisk - nix-output-monitor # For better view into nixos-rebuild - nix-serve-ng # Serve nix store over http - ]; - - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; + # Automatic garbage collection + nix.gc = lib.mkIf (!config.me.buildingPortable) { + # Runs nix-collect-garbage --delete-older-than 5d + automatic = true; + persistent = true; + dates = "monthly"; + # randomizedDelaySec = "14m"; + options = "--delete-older-than 30d"; }; - hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; - }; + nix.settings.auto-optimise-store = !config.me.buildingPortable; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - directories = [ - "/var/lib/iwd" # Wifi settings - "/var/lib/nixos" # Contains user information (uids/gids) - "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill - "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal - ]; - files = [ - "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - ]; - users.talexander = { + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; directories = [ - { - directory = "persist"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } + "/var/lib/nixos" # Contains user information (uids/gids) + "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill + "/var/log/journal" # Logs, 
alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal + ]; + files = [ + "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc" ]; }; + + # Write a list of the currently installed packages to /etc/current-system-packages + environment.etc."current-system-packages".text = + let + packages = builtins.map (p: "${p.name}") config.environment.systemPackages; + sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); + formatted = builtins.concatStringsSep "\n" sortedUnique; + in + formatted; + + # nixpkgs.overlays = [ + # (final: prev: { + # foot = throw "foo"; + # }) + # ]; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.11"; # Did you read the comment? 
}; - - # Write a list of the currently installed packages to /etc/current-system-packages - environment.etc."current-system-packages".text = - let - packages = builtins.map (p: "${p.name}") config.environment.systemPackages; - sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); - formatted = builtins.concatStringsSep "\n" sortedUnique; - in - formatted; - - # environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" ( - # builtins.map ( - # x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: " " + s) x.value) - # ) config.environment.systemPackages.definitionsWithLocations - # ); - - # nixpkgs.overlays = [ - # (final: prev: { - # nix = pkgs-unstable.nix; - # }) - # ]; - - # nixpkgs.overlays = [ - # (final: prev: { - # foot = throw "foo"; - # }) - # ]; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. 
- # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "24.11"; # Did you read the comment? - } diff --git a/nix/configuration/flake.lock b/nix/configuration/flake.lock index 46888ae..3788e19 100644 --- a/nix/configuration/flake.lock +++ b/nix/configuration/flake.lock @@ -151,22 +151,6 @@ "type": "github" } }, - "nixpkgs-dda3dcd3f": { - "locked": { - "lastModified": 1746663147, - "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1730741070, @@ -232,7 +216,6 @@ "impermanence": "impermanence", "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", - "nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f", "nixpkgs-unoptimized": "nixpkgs-unoptimized" } }, diff --git a/nix/configuration/flake.nix b/nix/configuration/flake.nix index 583fb2d..a46b0c2 100644 --- a/nix/configuration/flake.nix +++ b/nix/configuration/flake.nix 
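Review bot: The rewritten `environment.persistence."/persist"` block drops the four `/etc/ssh/ssh_host_*` entries from `files`, and the `services.openssh.hostKeys` block that pointed at `/persist/ssh/...` is removed in the same hunk; if `./roles/sshd` (added to `imports` earlier in this commit but not shown here) does not persist the host keys itself, an impermanent root will regenerate them on every boot and every client will see a changed host key. The same applies to `/var/lib/iwd` under `directories`, which held the Wi-Fi settings according to its old comment. Once the roles are confirmed to cover this, a line such as `# sshd host keys and iwd state are persisted by their roles` on the new block would stop the next reader from re-adding them; otherwise the entries should be restored here.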
@@ -1,29 +1,7 @@ -# Build ISO image -# nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#iso.odo -# output: result/iso/nixos.iso - -# Run the ISO image -# doas "$(nix-build '' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \ -# -accel kvm \ -# -cpu host \ -# -smp cores=8 \ -# -m 32768 \ -# -drive "file=$(nix-build '' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \ -# -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \ -# -nic user,hostfwd=tcp::60022-:22 \ -# -boot order=d \ -# -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \ -# -display vnc=127.0.0.1:0 -# -# doas cp "$(nix-build '' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd -# doas "$(nix-build '' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0 - # Get a repl for this flake # nix repl --expr "builtins.getFlake \"$PWD\"" -# TODO maybe use `nix eval --raw .#iso.odo.outPath` -# iso.odo.isoName == "nixos.iso" -# full path = / iso / +# TODO maybe use `nix eval --raw .#odo.iso.outPath` # # Install on a new machine: @@ -41,12 +19,9 @@ inputs = { impermanence.url = "github:nix-community/impermanence"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-dda3dcd3f.url = "github:NixOS/nixpkgs/dda3dcd3fe03e991015e9a74b22d35950f264a54"; nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable"; lanzaboote = { url = "github:nix-community/lanzaboote/v0.4.2"; - - # Optional but recommended to limit the size of your system closure. inputs.nixpkgs.follows = "nixpkgs"; }; disko = { 
@@ -57,186 +32,58 @@ outputs = { - self, nixpkgs, nixpkgs-unoptimized, - nixpkgs-dda3dcd3f, + disko, impermanence, lanzaboote, ... - }@inputs: + }: let - base_x86_64_linux = rec { - system = "x86_64-linux"; - specialArgs = { - pkgs-dda3dcd3f = import nixpkgs-dda3dcd3f { - inherit system; - }; - pkgs-unoptimized = import nixpkgs-unoptimized { - inherit system; - hostPlatform.gcc.arch = "default"; - hostPlatform.gcc.tune = "default"; - }; + forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed; + nodes = { + odo = { + system = "x86_64-linux"; + }; + quark = { + system = "x86_64-linux"; }; - modules = [ - impermanence.nixosModules.impermanence - lanzaboote.nixosModules.lanzaboote - inputs.disko.nixosModules.disko - ./configuration.nix - ]; }; - systems = - let - additional_iso_modules = [ - (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix") - # TODO: Figure out how to do image based appliances - # (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix") - { - isoImage.makeEfiBootable = true; - isoImage.makeUsbBootable = true; - me.buildingIso = true; - me.optimizations.enable = nixpkgs.lib.mkForce false; - } - { - # These are big space hogs. The chance that I need them on an ISO is slim. - me.steam.enable = nixpkgs.lib.mkForce false; - me.pcsx2.enable = nixpkgs.lib.mkForce false; - } + nixosConfigs = builtins.mapAttrs ( + hostname: nodeConfig: format: + nixpkgs.lib.nixosSystem { + inherit (nodeConfig) system; + specialArgs = { + pkgs-unoptimized = import nixpkgs-unoptimized { + inherit (nodeConfig) system; + hostPlatform.gcc.arch = "default"; + hostPlatform.gcc.tune = "default"; + }; + }; + modules = [ + impermanence.nixosModules.impermanence + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + ./configuration.nix + (./. + "/hosts/${hostname}") + (./. 
+ "/formats/${format}.nix") ]; - additional_vm_modules = [ - (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") - { - networking.dhcpcd.enable = true; - networking.useDHCP = true; - me.optimizations.enable = nixpkgs.lib.mkForce false; - } - { - # I don't need games on a virtual machine. - me.steam.enable = nixpkgs.lib.mkForce false; - me.pcsx2.enable = nixpkgs.lib.mkForce false; - me.sm64ex.enable = nixpkgs.lib.mkForce false; - me.shipwright.enable = nixpkgs.lib.mkForce false; - me.ship2harkinian.enable = nixpkgs.lib.mkForce false; - } - ]; - in - { - odo = rec { - main = base_x86_64_linux // { - modules = base_x86_64_linux.modules ++ [ - ./hosts/odo - ]; - }; - iso = main // { - modules = main.modules ++ additional_iso_modules; - }; - vm = main // { - modules = main.modules ++ additional_vm_modules; - }; - vm_iso = main // { - modules = main.modules ++ additional_vm_modules ++ additional_iso_modules; - }; - }; - quark = rec { - main = base_x86_64_linux // { - modules = base_x86_64_linux.modules ++ [ - ./hosts/quark - ]; - }; - iso = main // { - modules = main.modules ++ additional_iso_modules; - }; - vm = main // { - modules = main.modules ++ additional_vm_modules; - }; - vm_iso = main // { - modules = main.modules ++ additional_vm_modules ++ additional_iso_modules; - }; - }; - neelix = rec { - main = base_x86_64_linux // { - modules = base_x86_64_linux.modules ++ [ - ./hosts/neelix - ]; - }; - iso = main // { - modules = main.modules ++ additional_iso_modules; - }; - vm = main // { - modules = main.modules ++ additional_vm_modules; - }; - vm_iso = main // { - modules = main.modules ++ additional_vm_modules ++ additional_iso_modules; - }; - }; - hydra = - let - hydra_additional_iso_modules = additional_iso_modules ++ [ - { - me.optimizations.enable = true; - } - ]; - in - rec { - main = base_x86_64_linux // { - modules = base_x86_64_linux.modules ++ [ - ./hosts/hydra - ]; - }; - iso = main // { - modules = main.modules ++ hydra_additional_iso_modules; - }; - vm 
= main // { - modules = main.modules ++ additional_vm_modules; - }; - vm_iso = main // { - modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules; - }; - }; - ionlybootzfs = rec { - main = base_x86_64_linux // { - modules = base_x86_64_linux.modules ++ [ - ./hosts/ionlybootzfs - ]; - }; - iso = main // { - modules = main.modules ++ additional_iso_modules; - }; - vm = main // { - modules = main.modules ++ additional_vm_modules; - }; - vm_iso = main // { - modules = main.modules ++ additional_vm_modules ++ additional_iso_modules; - }; - }; - - }; + } + ) nodes; in { - nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main; - iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage; - nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm; - vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage; - - nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main; - iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage; - nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm; - vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage; - - nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main; - iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage; - nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm; - vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage; - - nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main; - iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage; - nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm; - vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage; - - nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem 
systems.ionlybootzfs.main; - iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage; - nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm; - vm_iso.ionlybootzfs = - (nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage; + nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs); + } + // { + packages = ( + forAllSystems ( + system: + (builtins.mapAttrs (hostname: nodeConfig: { + iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage; + vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage; + sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage; + }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes)) + ) + ); }; } diff --git a/nix/configuration/formats/iso.nix b/nix/configuration/formats/iso.nix new file mode 100644 index 0000000..8956470 --- /dev/null +++ b/nix/configuration/formats/iso.nix @@ -0,0 +1,23 @@ +{ + lib, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/cd-dvd/iso-image.nix") + ]; + + config = { + isoImage.makeEfiBootable = true; + isoImage.makeUsbBootable = true; + + me.buildingPortable = true; + me.mountPersistence = lib.mkForce false; + me.optimizations.enable = lib.mkForce false; + me.image_based_appliance.enable = true; + + # TODO: image based appliance? + }; +} diff --git a/nix/configuration/formats/sd.nix b/nix/configuration/formats/sd.nix new file mode 100644 index 0000000..f84009b --- /dev/null +++ b/nix/configuration/formats/sd.nix @@ -0,0 +1,17 @@ +{ + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/sd-card/sd-image.nix") + ]; + + config = { + isoImage.makeEfiBootable = true; + isoImage.makeUsbBootable = true; + + # TODO: image based appliance? + }; +} 
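Review bot: The new `nodes` set lists only `odo` and `quark`, while the removed side of this hunk built `nixosConfigurations` for `neelix`, `hydra` and `ionlybootzfs` as well, and `hosts/hydra` and `hosts/ionlybootzfs` are still edited later in this same commit; as written those hosts are no longer reachable from the flake, so their changed modules are never evaluated. Adding `hydra = { system = "x86_64-linux"; };` (and the other two) to `nodes` would restore them. Separately, `packages.<system>.<hostname>` now yields an attrset holding `iso`/`vm_iso`/`sd` rather than a derivation, which does not fit the flake `packages` schema and will likely make `nix flake check` and `nix flake show` complain; flattening to names like `odo-iso` would avoid that.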
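Review bot: The `# TODO: image based appliance?` comment in `iso.nix` is stale now that `me.image_based_appliance.enable = true;` is set four lines above it; either drop it or reword it to say what is still outstanding. Note also that `me.optimizations.enable = lib.mkForce false;` here applies to every host's ISO, whereas the removed `hydra_additional_iso_modules` in `flake.nix` re-enabled optimizations for the hydra ISO specifically; if that override was intentional it is lost by this change and would need a per-host mechanism.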
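Review bot: `sd.nix` sets `isoImage.makeEfiBootable` and `isoImage.makeUsbBootable` but imports only `sd-image.nix`; those options are declared by the iso-image module, so unless another module in the tree declares them this format will fail evaluation with an undefined-option error. It also omits the `me.buildingPortable = true;` and `me.mountPersistence = lib.mkForce false;` lines that `iso.nix` sets, so a host such as `hydra` (which sets `me.mountPersistence = true` in this commit) would try to mount `/persist` inside the image and, per `configuration.nix`, keep `nix.gc` and store auto-optimisation enabled. `vm_iso.nix` in the next hunk has the same omission. Suggest dropping the two `isoImage.*` lines here and adding the two `me.*` lines to both format files.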
diff --git a/nix/configuration/formats/toplevel.nix b/nix/configuration/formats/toplevel.nix new file mode 100644 index 0000000..ffcd441 --- /dev/null +++ b/nix/configuration/formats/toplevel.nix @@ -0,0 +1 @@ +{ } diff --git a/nix/configuration/formats/vm_iso.nix b/nix/configuration/formats/vm_iso.nix new file mode 100644 index 0000000..e4330dd --- /dev/null +++ b/nix/configuration/formats/vm_iso.nix @@ -0,0 +1,21 @@ +{ + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/cd-dvd/iso-image.nix") + (modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules + ]; + + config = { + isoImage.makeEfiBootable = true; + isoImage.makeUsbBootable = true; + + networking.dhcpcd.enable = true; + networking.useDHCP = true; + + # TODO: image based appliance? + }; +} diff --git a/nix/configuration/hosts/hydra/default.nix b/nix/configuration/hosts/hydra/default.nix index f9d405d..35c489c 100644 --- a/nix/configuration/hosts/hydra/default.nix +++ b/nix/configuration/hosts/hydra/default.nix @@ -14,12 +14,6 @@ # -display vnc=127.0.0.1:0 # -{ - config, - lib, - pkgs, - ... -}: { imports = [ ./disk-config.nix 
@@ -27,41 +21,57 @@ ./vm_disk.nix ]; - # Generate with `head -c4 /dev/urandom | od -A none -t x4` - networking.hostId = "fbd233d8"; + config = { + # Generate with `head -c4 /dev/urandom | od -A none -t x4` + networking.hostId = "fbd233d8"; - networking.hostName = "hydra"; # Define your hostname. + networking.hostName = "hydra"; # Define your hostname. - time.timeZone = "America/New_York"; - i18n.defaultLocale = "en_US.UTF-8"; + time.timeZone = "America/New_York"; + i18n.defaultLocale = "en_US.UTF-8"; - me.secureBoot.enable = false; + me.boot.secure = false; + me.mountPersistence = true; - me.optimizations = { - enable = true; - arch = "znver4"; - system_features = [ - "gccarch-znver4" - "gccarch-skylake" - # "gccarch-alderlake" missing WAITPKG - "gccarch-x86-64-v3" - "gccarch-x86-64-v4" - "benchmark" - "big-parallel" - "kvm" - "nixos-test" - ]; + me.optimizations = { + enable = true; + arch = "znver4"; + system_features = [ + "gccarch-znver4" + "gccarch-skylake" + # "gccarch-alderlake" missing WAITPKG + "gccarch-x86-64-v3" + "gccarch-x86-64-v4" + "benchmark" + "big-parallel" + "kvm" + "nixos-test" + ]; + }; + + # Mount tmpfs at /tmp + boot.tmp.useTmpfs = true; + + me.base.enable = true; + me.boot.enable = true; + me.doas.enable = true; + me.emacs_flavor = "plainmacs"; + me.firewall.enable = true; + me.font.enable = true; + me.git.enable = true; + me.graphical = false; + me.hydra.enable = false; + me.memtest.enable = true; + me.network.enable = true; + me.nix_worker.enable = true; + me.nvme.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; + me.user.enable = true; + me.vm_disk.enable = true; + me.wireguard.activated = [ ]; + me.wireguard.deactivated = [ ]; + me.zfs.enable = true; + me.zsh.enable = true; }; - - # Mount tmpfs at /tmp - boot.tmp.useTmpfs = true; - - me.emacs_flavor = "plainmacs"; - me.graphical = false; - me.hydra.enable = false; - me.nix_worker.enable = true; - me.vm_disk.enable = true; - me.wireguard.activated = [ ]; - 
me.wireguard.deactivated = [ ]; - me.zsh.enable = true; } diff --git a/nix/configuration/hosts/hydra/disk-config.nix b/nix/configuration/hosts/hydra/disk-config.nix index f9204aa..3bf6a0d 100644 --- a/nix/configuration/hosts/hydra/disk-config.nix +++ b/nix/configuration/hosts/hydra/disk-config.nix @@ -4,7 +4,6 @@ { config, lib, - pkgs, ... }: diff --git a/nix/configuration/hosts/hydra/hardware-configuration.nix b/nix/configuration/hosts/hydra/hardware-configuration.nix index 4d4f9ba..9bf7cf9 100644 --- a/nix/configuration/hosts/hydra/hardware-configuration.nix +++ b/nix/configuration/hosts/hydra/hardware-configuration.nix @@ -1,10 +1,5 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: 
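Review bot: `networking.hostId = "fbd233d8";` is the same value that `hosts/ionlybootzfs/default.nix` sets later in this commit, even though the comment directly above it says to generate it from `/dev/urandom`; with `me.zfs.enable = true;` on both hosts, ZFS uses the hostId to tell whether a pool was last imported by this machine, so two machines sharing an id lose that import safeguard and the `# Generate with` comment no longer describes how the value was obtained. If ionlybootzfs is deliberately a clone of hydra, a comment saying so next to the value would make that clear; otherwise one of the two should get a freshly generated id. The enclosing module attrset starts before this hunk.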
@@ -14,26 +9,28 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + config = { + boot.initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.dhcpcd.enable = lib.mkForce true; - networking.useDHCP = lib.mkForce true; - networking.interfaces.enp0s2.useDHCP = lib.mkForce true; - # systemd.network.enable = true; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.dhcpcd.enable = lib.mkForce true; + networking.useDHCP = lib.mkForce true; + networking.interfaces.enp0s2.useDHCP = lib.mkForce true; + # systemd.network.enable = true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + }; } diff --git a/nix/configuration/hosts/hydra/vm_disk.nix b/nix/configuration/hosts/hydra/vm_disk.nix index 43fef88..dd32a79 100644 --- a/nix/configuration/hosts/hydra/vm_disk.nix +++ b/nix/configuration/hosts/hydra/vm_disk.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: 
@@ -17,61 +16,57 @@ }; }; - config = lib.mkIf config.me.vm_disk.enable ( - lib.mkMerge [ - { - # Mount the local disk - fileSystems = { - "/.disk" = lib.mkForce { - device = "/dev/nvme0n1p1"; - fsType = "ext4"; - options = [ - "noatime" - "discard" - ]; - neededForBoot = true; - }; + config = lib.mkIf config.me.vm_disk.enable { + # Mount the local disk + fileSystems = { + "/.disk" = lib.mkForce { + device = "/dev/nvme0n1p1"; + fsType = "ext4"; + options = [ + "noatime" + "discard" + ]; + neededForBoot = true; + }; - "/persist" = { - fsType = "none"; - device = "/.disk/persist"; - options = [ - "bind" - "rw" - ]; - depends = [ - "/.disk/persist" - ]; - }; + "/persist" = { + fsType = "none"; + device = "/.disk/persist"; + options = [ + "bind" + "rw" + ]; + depends = [ + "/.disk/persist" + ]; + }; - "/state" = { - fsType = "none"; - device = "/.disk/state"; - options = [ - "bind" - "rw" - ]; - depends = [ - "/.disk/state" - ]; - }; + "/state" = { + fsType = "none"; + device = "/.disk/state"; + options = [ + "bind" + "rw" + ]; + depends = [ + "/.disk/state" + ]; + }; - "/nix/store" = lib.mkForce { - fsType = "overlay"; - device = "overlay"; - options = [ - "lowerdir=/nix/.ro-store" - "upperdir=/.disk/persist/store" - "workdir=/.disk/state/work" - ]; - depends = [ - "/nix/.ro-store" - "/.disk/persist/store" - "/.disk/state/work" - ]; - }; - }; - } - ] - ); + "/nix/store" = lib.mkForce { + fsType = "overlay"; + device = "overlay"; + options = [ + "lowerdir=/nix/.ro-store" + "upperdir=/.disk/persist/store" + "workdir=/.disk/state/work" + ]; + depends = [ + "/nix/.ro-store" + "/.disk/persist/store" + "/.disk/state/work" + ]; + }; + }; + }; } diff --git a/nix/configuration/hosts/ionlybootzfs/default.nix b/nix/configuration/hosts/ionlybootzfs/default.nix index e0aa9eb..e2faf35 100644 --- a/nix/configuration/hosts/ionlybootzfs/default.nix +++ b/nix/configuration/hosts/ionlybootzfs/default.nix 
@@ -14,50 +14,60 @@ # -display vnc=127.0.0.1:0 # -{ - config, - lib, - pkgs, - ... -}: { imports = [ ./wrapped-disk-config.nix ./hardware-configuration.nix ]; - # Generate with `head -c4 /dev/urandom | od -A none -t x4` - networking.hostId = "fbd233d8"; + config = { + # Generate with `head -c4 /dev/urandom | od -A none -t x4` + networking.hostId = "fbd233d8"; - networking.hostName = "ionlybootzfs"; # Define your hostname. + networking.hostName = "ionlybootzfs"; # Define your hostname. - time.timeZone = "America/New_York"; - i18n.defaultLocale = "en_US.UTF-8"; + time.timeZone = "America/New_York"; + i18n.defaultLocale = "en_US.UTF-8"; - me.secureBoot.enable = true; + me.boot.secure = true; + me.mountPersistence = true; - me.optimizations = { - enable = false; - arch = "znver4"; - system_features = [ - "gccarch-znver4" - "gccarch-skylake" - # "gccarch-alderlake" missing WAITPKG - "gccarch-x86-64-v3" - "gccarch-x86-64-v4" - "benchmark" - "big-parallel" - "kvm" - "nixos-test" - ]; + me.optimizations = { + enable = false; + arch = "znver4"; + system_features = [ + "gccarch-znver4" + "gccarch-skylake" + # "gccarch-alderlake" missing WAITPKG + "gccarch-x86-64-v3" + "gccarch-x86-64-v4" + "benchmark" + "big-parallel" + "kvm" + "nixos-test" + ]; + }; + + # Mount tmpfs at /tmp + boot.tmp.useTmpfs = true; + + me.base.enable = true; + me.boot.enable = true; + me.doas.enable = true; + me.emacs_flavor = "plainmacs"; + me.firewall.enable = true; + me.font.enable = true; + me.git.enable = true; + me.graphical = false; + me.memtest.enable = true; + me.network.enable = true; + me.nvme.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; + me.user.enable = true; + me.wireguard.activated = [ ]; + me.wireguard.deactivated = [ ]; + me.zfs.enable = true; + me.zsh.enable = true; }; - - # Mount tmpfs at /tmp - boot.tmp.useTmpfs = true; - - me.emacs_flavor = "plainmacs"; - me.graphical = false; - me.wireguard.activated = [ ]; - me.wireguard.deactivated = [ ]; - me.zsh.enable = 
true; } diff --git a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix b/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix index 72e2137..796e2b2 100644 --- a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix +++ b/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix @@ -1,10 +1,5 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: 
@@ -14,25 +9,27 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "nvme"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "sdhci_pci"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ config = {
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.dhcpcd.enable = lib.mkForce true;
- networking.useDHCP = lib.mkForce true;
- # systemd.network.enable = true;
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.dhcpcd.enable = lib.mkForce true;
+ networking.useDHCP = lib.mkForce true;
+ # systemd.network.enable = true;
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ };
 }
diff --git a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
index 78e5f86..dea0d9e 100644
--- a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
+++ b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
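Review bot: `networking.dhcpcd.enable = lib.mkForce true;` and `networking.useDHCP = lib.mkForce true;` keep their force priority inside the new `config = { … }`, so anything the freshly enabled network role (`me.network.enable = true` in this host's default.nix) declares for these two options is overridden without an evaluation conflict, which is presumably not intended now that a role owns networking. If the override is deliberate, a line above them saying so would stop the next reader from chasing it: `# mkForce: this host must stay on dhcpcd even if roles/network configures networking differently.` If it is not, `lib.mkDefault` keeps the generated value as a fallback while letting the role win.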
diff --git a/nix/configuration/hosts/neelix/default.nix b/nix/configuration/hosts/neelix/default.nix
index ee2dc78..00fbece 100644
--- a/nix/configuration/hosts/neelix/default.nix
+++ b/nix/configuration/hosts/neelix/default.nix
@@ -6,46 +6,61 @@ ./power_management.nix ]; - # Generate with `head -c4 /dev/urandom | od -A none -t x4` - networking.hostId = "bca9d0a5"; + config = { + # Generate with `head -c4 /dev/urandom | od -A none -t x4` + networking.hostId = "bca9d0a5"; - networking.hostName = "neelix"; # Define your hostname. + networking.hostName = "neelix"; # Define your hostname. - time.timeZone = "America/New_York"; - i18n.defaultLocale = "en_US.UTF-8"; + time.timeZone = "America/New_York"; + i18n.defaultLocale = "en_US.UTF-8"; - me.secureBoot.enable = false; + me.boot.secure = false; + me.mountPersistence = true; - me.optimizations = { - enable = false; - arch = "alderlake"; - system_features = [ - "gccarch-alderlake" - "gccarch-x86-64-v3" - "gccarch-x86-64-v4" - "benchmark" - "big-parallel" - "kvm" - "nixos-test" - ]; + me.optimizations = { + enable = false; + arch = "alderlake"; + system_features = [ + "gccarch-alderlake" + "gccarch-x86-64-v3" + "gccarch-x86-64-v4" + "benchmark" + "big-parallel" + "kvm" + "nixos-test" + ]; + }; + + # Early KMS + boot.initrd.kernelModules = [ "i915" ]; + + # Mount tmpfs at /tmp + # boot.tmp.useTmpfs = true; + + me.base.enable = true; + me.bluetooth.enable = true; + me.boot.enable = true; + me.doas.enable = true; + me.emacs_flavor = "plainmacs"; + me.firewall.enable = true; + me.font.enable = true; + me.git.enable = true; + me.graphical = true; + me.graphics_card_type = "intel"; + me.kodi.enable = true; + me.lvfs.enable = true; + me.memtest.enable = true; + me.network.enable = true; + me.nvme.enable = true; + me.sound.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; + me.user.enable = true; + me.wireguard.activated = [ "wgh" ]; + me.wireguard.deactivated = [ "wgf" ]; + me.zfs.enable = true; + me.zrepl.enable = true; + me.zsh.enable = true; }; - - # Early KMS - boot.initrd.kernelModules = [ "i915" ]; - - # Mount tmpfs at /tmp - # boot.tmp.useTmpfs = true; - - me.bluetooth.enable = true; - me.emacs_flavor = "plainmacs"; - me.graphical = 
true;
- me.graphics_card_type = "intel";
- me.kodi.enable = true;
- me.lvfs.enable = true;
- me.sound.enable = true;
- me.wireguard.activated = [ "wgh" ];
- me.wireguard.deactivated = [ "wgf" ];
- me.zrepl.enable = true;
- me.zsh.enable = true;
- }
diff --git a/nix/configuration/hosts/neelix/hardware-configuration.nix b/nix/configuration/hosts/neelix/hardware-configuration.nix
index fe3c1cb..6871c5b 100644
--- a/nix/configuration/hosts/neelix/hardware-configuration.nix
+++ b/nix/configuration/hosts/neelix/hardware-configuration.nix
@@ -1,10 +1,6 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
 config,
 lib,
- pkgs,
 modulesPath,
 ...
 }:
@@ -14,26 +10,28 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "nvme"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "sdhci_pci"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ config = {
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- # networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
 }
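Review bot: The body is now hand-edited (wrapped in `config = { … }`, `pkgs` dropped, and the generated-file warning removed in the hunk above), but nothing in the file says so any more, so a future `nixos-generate-config` run would overwrite these edits and the `mkDefault` choices without warning. A one-line header would record the new ownership, e.g. `# Hand-maintained; originally produced by nixos-generate-config — do not regenerate over it.` The same applies to the ionlybootzfs, odo and quark hardware-configuration.nix hunks in this commit.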
diff --git a/nix/configuration/hosts/neelix/power_management.nix b/nix/configuration/hosts/neelix/power_management.nix
index c63a7a9..d8d2683 100644
--- a/nix/configuration/hosts/neelix/power_management.nix
+++ b/nix/configuration/hosts/neelix/power_management.nix
@@ -1,6 +1,4 @@
 {
- config,
- lib,
 pkgs,
 ...
 }:
@@ -8,28 +6,30 @@ { imports = [ ]; - environment.systemPackages = with pkgs; [ - powertop - ]; + config = { + environment.systemPackages = with pkgs; [ + powertop + ]; - # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction. - # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above). - boot.kernelParams = [ - "pcie_aspm=force" - # "pcie_aspm.policy=powersupersave" - "nowatchdog" - ]; + # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction. + # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above). + boot.kernelParams = [ + "pcie_aspm=force" + # "pcie_aspm.policy=powersupersave" + "nowatchdog" + ]; - # default performance balance_performance balance_power power - # defaults to balance_performance - # systemd.tmpfiles.rules = [ - # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" - # ]; + # default performance balance_performance balance_power power + # defaults to balance_performance + # systemd.tmpfiles.rules = [ + # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" + # ]; - boot.extraModprobeConfig = '' - options snd_hda_intel power_save=1 - ''; + boot.extraModprobeConfig = '' + options snd_hda_intel power_save=1 + ''; + }; } 
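Review bot: The comment `# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).` refers to something this file does not contain — there is no sp5100 entry anywhere in neelix's power_management.nix, and this host is an Intel platform (`i915`, `hardware.cpu.intel.updateMicrocode`), whereas the `blacklist sp5100_tco` line the comment describes lives in odo's power_management.nix, whose own comment calls it an AMD chipset watchdog. Suggest `# nowatchdog :: Disable the kernel watchdog for power savings.` here; in odo's copy the `blacklist sp5100_tco` line sits in `boot.extraModprobeConfig` after the kernel params, so `above` there should read `below`.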
diff --git a/nix/configuration/hosts/odo/DEPLOY_BOOT b/nix/configuration/hosts/odo/DEPLOY_BOOT index 4afc053..2fe966a 100755 --- a/nix/configuration/hosts/odo/DEPLOY_BOOT +++ b/nix/configuration/hosts/odo/DEPLOY_BOOT @@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" -# TARGET=10.216.1.15 -# TARGET=192.168.211.250 TARGET=odo for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo' diff --git a/nix/configuration/hosts/odo/DEPLOY_SWITCH b/nix/configuration/hosts/odo/DEPLOY_SWITCH index 880cfee..11f9f56 100755 --- a/nix/configuration/hosts/odo/DEPLOY_SWITCH +++ b/nix/configuration/hosts/odo/DEPLOY_SWITCH @@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" -#TARGET=10.216.1.14 -# TARGET=192.168.211.250 TARGET=odo for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo' 
diff --git a/nix/configuration/hosts/odo/ISO b/nix/configuration/hosts/odo/ISO index f187364..50f216d 100755 --- a/nix/configuration/hosts/odo/ISO +++ b/nix/configuration/hosts/odo/ISO @@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done -nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json +nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/odo/default.nix b/nix/configuration/hosts/odo/default.nix index 6776c31..23d5f49 100644 --- a/nix/configuration/hosts/odo/default.nix +++ b/nix/configuration/hosts/odo/default.nix @@ -24,7 +24,8 @@ time.timeZone = "America/New_York"; i18n.defaultLocale = "en_US.UTF-8"; - me.secureBoot.enable = true; + me.boot.secure = true; + me.mountPersistence = true; me.optimizations = { enable = true; @@ -63,19 +64,25 @@ me.amd_s2idle.enable = true; me.ansible.enable = true; me.ares.enable = true; + me.base.enable = true; me.bluetooth.enable = true; + me.boot.enable = true; me.chromecast.enable = true; me.chromium.enable = true; me.d2.enable = true; me.direnv.enable = true; + me.doas.enable = true; me.docker.enable = false; me.ecc.enable = false; me.emacs_flavor = "full"; me.emulate_isa.enable = true; me.firefox.enable = true; + me.firewall.enable = true; me.flux.enable = true; + me.font.enable = true; me.gcloud.enable = true; me.git.config = ../../roles/git/files/gitconfig_home; + me.git.enable = true; me.gnuplot.enable = true; me.gpg.enable = true; me.graphical = true; 
@@ -87,7 +94,10 @@ me.launch_keyboard.enable = true; me.lvfs.enable = true; me.media.enable = true; + me.memtest.enable = true; + me.network.enable = true; me.nix_index.enable = true; + me.nvme.enable = true; me.openpgp_card_tools.enable = true; me.pcsx2.enable = true; me.podman.enable = true; @@ -101,12 +111,15 @@ me.sops.enable = true; me.sound.enable = true; me.spaghettikart.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; me.steam.enable = true; me.steam_run_free.enable = true; me.sway.enable = true; me.tekton.enable = true; me.terraform.enable = true; me.thunderbolt.enable = true; + me.user.enable = true; me.uutils.enable = false; me.vnc_client.enable = true; me.vscode.enable = true; @@ -119,6 +132,7 @@ ]; me.wireguard.deactivated = [ "wgf" ]; me.yubikey.enable = true; + me.zfs.enable = true; me.zrepl.enable = true; me.zsh.enable = true; diff --git a/nix/configuration/hosts/odo/distributed_build.nix b/nix/configuration/hosts/odo/distributed_build.nix index 46dccfc..10755e8 100644 --- a/nix/configuration/hosts/odo/distributed_build.nix +++ b/nix/configuration/hosts/odo/distributed_build.nix @@ -1,27 +1,19 @@ -{ - config, - lib, - pkgs, - ... -}: { imports = [ ]; - config = lib.mkMerge [ - { - me.distributed_build.enable = true; - me.distributed_build.machines.hydra = { - enable = true; - additional_config = { - speedFactor = 2; - }; + config = { + me.distributed_build.enable = true; + me.distributed_build.machines.hydra = { + enable = true; + additional_config = { + speedFactor = 2; }; - me.distributed_build.machines.quark = { - enable = true; - additional_config = { - speedFactor = 2; - }; + }; + me.distributed_build.machines.quark = { + enable = true; + additional_config = { + speedFactor = 2; }; - } - ]; + }; + }; } diff --git a/nix/configuration/hosts/odo/framework_module.nix b/nix/configuration/hosts/odo/framework_module.nix index 5a54004..32f8e11 100644 --- a/nix/configuration/hosts/odo/framework_module.nix 
+++ b/nix/configuration/hosts/odo/framework_module.nix @@ -1,23 +1,19 @@ { config, - lib, - pkgs, ... }: { imports = [ ]; - config = lib.mkMerge [ - { - boot.extraModulePackages = with config.boot.kernelPackages; [ - framework-laptop-kmod - ]; - # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage - boot.kernelModules = [ - "cros_ec" - "cros_ec_lpcs" - ]; - } - ]; + config = { + boot.extraModulePackages = with config.boot.kernelPackages; [ + framework-laptop-kmod + ]; + # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage + boot.kernelModules = [ + "cros_ec" + "cros_ec_lpcs" + ]; + }; } diff --git a/nix/configuration/hosts/odo/hardware-configuration.nix b/nix/configuration/hosts/odo/hardware-configuration.nix index d463cf9..479321e 100644 --- a/nix/configuration/hosts/odo/hardware-configuration.nix +++ b/nix/configuration/hosts/odo/hardware-configuration.nix @@ -1,10 +1,6 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, - pkgs, modulesPath, ... }: 
@@ -14,23 +10,25 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ - "nvme" - "xhci_pci" - "thunderbolt" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + config = { + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + }; } diff --git a/nix/configuration/hosts/odo/power_management.nix b/nix/configuration/hosts/odo/power_management.nix index 15ae5ce..b6d3fef 100644 --- a/nix/configuration/hosts/odo/power_management.nix 
+++ b/nix/configuration/hosts/odo/power_management.nix
@@ -1,6 +1,4 @@
 {
- config,
- lib,
 pkgs,
 ...
 }:
@@ -8,68 +6,70 @@ { imports = [ ]; - environment.systemPackages = with pkgs; [ - powertop - ]; + config = { + environment.systemPackages = with pkgs; [ + powertop + ]; - # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction. - # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction. - # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above). - # amd_pstate=passive :: Fully automated hardware pstate control. - # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency. - # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds. - # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32 - boot.kernelParams = [ - "amdgpu.abmlevel=2" - "pcie_aspm=force" - # "pcie_aspm.policy=powersupersave" - "nowatchdog" - # I don't see a measurable benefit from these two: - # "cpufreq.default_governor=powersave" - # "initcall_blacklist=cpufreq_gov_userspace_init" - ]; + # amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction. + # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction. + # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above). + # amd_pstate=passive :: Fully automated hardware pstate control. + # amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency. + # amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds. 
+ # amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32 + boot.kernelParams = [ + "amdgpu.abmlevel=2" + "pcie_aspm=force" + # "pcie_aspm.policy=powersupersave" + "nowatchdog" + # I don't see a measurable benefit from these two: + # "cpufreq.default_governor=powersave" + # "initcall_blacklist=cpufreq_gov_userspace_init" + ]; - systemd.tmpfiles.rules = [ - "w- /sys/firmware/acpi/platform_profile - - - - low-power" - "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power" - "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power" - "w- 
/sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0" - "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0" - ]; + systemd.tmpfiles.rules = [ + "w- /sys/firmware/acpi/platform_profile - - - - low-power" + "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power" + "w- 
/sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0" + ]; - boot.extraModprobeConfig = '' - # Disable the hardware watchdog inside AMD 700 chipset series for power savings. - blacklist sp5100_tco + boot.extraModprobeConfig = '' + # Disable the hardware watchdog inside AMD 700 chipset series for power savings. + blacklist sp5100_tco - # Sound power-saving was causing chat notifications to be inaudible. - # options snd_hda_intel power_save=1 - ''; + # Sound power-saving was causing chat notifications to be inaudible. 
+ # options snd_hda_intel power_save=1 + ''; + }; } diff --git a/nix/configuration/hosts/odo/screen_brightness.nix b/nix/configuration/hosts/odo/screen_brightness.nix index 543b7e2..448991c 100644 --- a/nix/configuration/hosts/odo/screen_brightness.nix +++ b/nix/configuration/hosts/odo/screen_brightness.nix @@ -1,14 +1,9 @@ -{ - config, - lib, - pkgs, - ... -}: - { imports = [ ]; - systemd.tmpfiles.rules = [ - "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 21845" - ]; + config = { + systemd.tmpfiles.rules = [ + "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 32767" + ]; + }; } diff --git a/nix/configuration/hosts/odo/wifi.nix b/nix/configuration/hosts/odo/wifi.nix index 867f37f..2ef839b 100644 --- a/nix/configuration/hosts/odo/wifi.nix +++ b/nix/configuration/hosts/odo/wifi.nix @@ -1,19 +1,7 @@ -{ - config, - lib, - pkgs, - ... -}: - { imports = [ ]; config = { - # Doesn't seem necessary starting with 6.13 - # environment.loginShellInit = lib.mkIf (!config.me.buildingIso) '' - # doas iw dev wlan0 set power_save off - # ''; - # Enable debug logging for ath12k wifi card. boot.kernelParams = [ "ath12k.debug_mask=0xffffffff" diff --git a/nix/configuration/hosts/odo/wrapped-disk-config.nix b/nix/configuration/hosts/odo/wrapped-disk-config.nix index 78e5f86..39e74f4 100644 --- a/nix/configuration/hosts/odo/wrapped-disk-config.nix +++ b/nix/configuration/hosts/odo/wrapped-disk-config.nix @@ -1,8 +1,7 @@ { config, lib, - pkgs, ... }: -lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix) +lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix) diff --git a/nix/configuration/hosts/quark/DEPLOY_BOOT b/nix/configuration/hosts/quark/DEPLOY_BOOT index 108ab01..2fef643 100755 --- a/nix/configuration/hosts/quark/DEPLOY_BOOT +++ b/nix/configuration/hosts/quark/DEPLOY_BOOT 
@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" -#TARGET=10.216.1.15 -# TARGET=192.168.211.250 TARGET=quark for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark' diff --git a/nix/configuration/hosts/quark/DEPLOY_SWITCH b/nix/configuration/hosts/quark/DEPLOY_SWITCH index 7b18a97..878d35b 100755 --- a/nix/configuration/hosts/quark/DEPLOY_SWITCH +++ b/nix/configuration/hosts/quark/DEPLOY_SWITCH @@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" -#TARGET=10.216.1.14 -# TARGET=192.168.211.250 TARGET=quark for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark' diff --git a/nix/configuration/hosts/quark/ISO b/nix/configuration/hosts/quark/ISO index 4f00288..da8f353 100755 --- a/nix/configuration/hosts/quark/ISO +++ b/nix/configuration/hosts/quark/ISO 
@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : "${JOBS:="1"}" for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done -nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json +nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/quark/default.nix b/nix/configuration/hosts/quark/default.nix index 25d8df7..b6cdc9d 100644 --- a/nix/configuration/hosts/quark/default.nix +++ b/nix/configuration/hosts/quark/default.nix @@ -6,7 +6,7 @@ }: { imports = [ - ./disk-config.nix + ./wrapped-disk-config.nix ./distributed_build.nix ./hardware-configuration.nix ./power_management.nix @@ -21,7 +21,8 @@ time.timeZone = "America/New_York"; i18n.defaultLocale = "en_US.UTF-8"; - me.secureBoot.enable = true; + me.boot.secure = true; + me.mountPersistence = true; me.optimizations = { enable = true; @@ -56,19 +57,25 @@ me.amd_s2idle.enable = true; me.ansible.enable = true; me.ares.enable = true; + me.base.enable = true; me.bluetooth.enable = true; + me.boot.enable = true; me.chromecast.enable = true; me.chromium.enable = true; me.d2.enable = true; me.direnv.enable = true; + me.doas.enable = true; me.docker.enable = false; me.ecc.enable = true; me.emacs_flavor = "full"; me.emulate_isa.enable = true; me.firefox.enable = true; + me.firewall.enable = true; me.flux.enable = true; + me.font.enable = true; me.gcloud.enable = true; me.git.config = ../../roles/git/files/gitconfig_home; + me.git.enable = true; me.gnuplot.enable = true; me.gpg.enable = true; me.graphical = true; 
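Review bot: `./wrapped-disk-config.nix` replaces `./disk-config.nix` in quark's imports, but no `hosts/quark/wrapped-disk-config.nix` is visible in this part of the diff, while the quark `disk-config.nix` hunk further down removes its `lib.mkIf (!config.me.buildingIso)` guard together with the module arguments. If the wrapper is not added elsewhere in this commit, the host's disko layout is now imported unconditionally, including into the portable/ISO build that the odo wrapper gates on `config.me.buildingPortable`. Worth confirming the new file is part of the commit and mirrors odo's condition; a comment in disk-config.nix would make the dependency explicit, e.g. `# Gated by ./wrapped-disk-config.nix (me.buildingPortable); import that file, not this one.`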
@@ -80,8 +87,11 @@ me.launch_keyboard.enable = true; me.lvfs.enable = true; me.media.enable = true; + me.memtest.enable = true; + me.network.enable = true; me.nix_index.enable = true; me.nix_worker.enable = true; + me.nvme.enable = true; me.openpgp_card_tools.enable = true; me.pcsx2.enable = true; me.podman.enable = true; @@ -95,12 +105,15 @@ me.sops.enable = true; me.sound.enable = true; me.spaghettikart.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; me.steam.enable = true; me.steam_run_free.enable = true; me.sway.enable = true; me.tekton.enable = true; me.terraform.enable = true; me.thunderbolt.enable = true; + me.user.enable = true; me.uutils.enable = false; me.vnc_client.enable = true; me.vscode.enable = true; @@ -113,6 +126,7 @@ ]; me.wireguard.deactivated = [ "wgf" ]; me.yubikey.enable = true; + me.zfs.enable = true; me.zrepl.enable = true; me.zsh.enable = true; diff --git a/nix/configuration/hosts/quark/disk-config.nix b/nix/configuration/hosts/quark/disk-config.nix index dc31c68..7ac3644 100644 --- a/nix/configuration/hosts/quark/disk-config.nix +++ b/nix/configuration/hosts/quark/disk-config.nix @@ -2,13 +2,6 @@ # Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1 # Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1 { - config, - lib, - pkgs, - ... -}: - -lib.mkIf (!config.me.buildingIso) { disko.devices = { disk = { main = { diff --git a/nix/configuration/hosts/quark/distributed_build.nix b/nix/configuration/hosts/quark/distributed_build.nix index 942c265..f4f49b0 100644 --- a/nix/configuration/hosts/quark/distributed_build.nix +++ b/nix/configuration/hosts/quark/distributed_build.nix 
@@ -1,21 +1,13 @@ -{ - config, - lib, - pkgs, - ... -}: { imports = [ ]; - config = lib.mkMerge [ - { - me.distributed_build.enable = true; - me.distributed_build.machines.hydra = { - enable = true; - additional_config = { - speedFactor = 2; - }; + config = { + me.distributed_build.enable = true; + me.distributed_build.machines.hydra = { + enable = true; + additional_config = { + speedFactor = 2; }; - } - ]; + }; + }; } diff --git a/nix/configuration/hosts/quark/hardware-configuration.nix b/nix/configuration/hosts/quark/hardware-configuration.nix index 3caa61f..c87dfa5 100644 --- a/nix/configuration/hosts/quark/hardware-configuration.nix +++ b/nix/configuration/hosts/quark/hardware-configuration.nix @@ -1,10 +1,6 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, - pkgs, modulesPath, ... }: 
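Review bot: The three-line header removed at the top of hosts/quark/hardware-configuration.nix was the only statement that the file came from `nixos-generate-config`; after the `config = { … }` wrapping in the following hunk it is clearly hand-maintained, but nothing in the file says so any more. A one-line replacement such as `# Originally generated by nixos-generate-config; now edited by hand (wrapped in config = { ... }), do not regenerate over it.` would warn the next person before they run the generator and clobber the edits.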
@@ -14,22 +10,24 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ - "nvme" - "xhci_pci" - "thunderbolt" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + config = { + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + }; } diff --git a/nix/configuration/hosts/quark/power_management.nix b/nix/configuration/hosts/quark/power_management.nix index b6b6e26..0d1de28 100644 --- a/nix/configuration/hosts/quark/power_management.nix +++ b/nix/configuration/hosts/quark/power_management.nix 
@@ -8,41 +8,43 @@ { imports = [ ]; - environment.systemPackages = with pkgs; [ - powertop - ]; + config = { + environment.systemPackages = with pkgs; [ + powertop + ]; - boot.kernelParams = [ - # Enable undervolting GPU. - # "amdgpu.ppfeaturemask=0xfff7ffff" - ]; + boot.kernelParams = [ + # Enable undervolting GPU. + # "amdgpu.ppfeaturemask=0xfff7ffff" + ]; - systemd.tmpfiles.rules = [ - # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power" - # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power" - ]; + systemd.tmpfiles.rules = [ + # "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - 
- - power" + # "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power" + # "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power" + ]; - # services.udev.packages = [ - # (pkgs.writeTextFile { - # name = "amdgpu-low-power"; - # text = '' - # ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low" - # ''; - # destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules"; - # }) - # ]; + # services.udev.packages = [ + # (pkgs.writeTextFile { + # name = "amdgpu-low-power"; + # text = '' + # ACTION=="add", SUBSYSTEM=="drm", DRIVERS=="amdgpu", ATTR{device/power_dpm_force_performance_level}="low" + # ''; + # destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules"; 
+ # }) + # ]; + }; } diff --git a/nix/configuration/hosts/quark/wrapped-disk-config.nix b/nix/configuration/hosts/quark/wrapped-disk-config.nix new file mode 100644 index 0000000..39e74f4 --- /dev/null +++ b/nix/configuration/hosts/quark/wrapped-disk-config.nix @@ -0,0 +1,7 @@ +{ + config, + lib, + ... +}: + +lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix) diff --git a/nix/configuration/roles/2ship2harkinian/default.nix b/nix/configuration/roles/2ship2harkinian/default.nix index 3119bb1..b2cbde6 100644 --- a/nix/configuration/roles/2ship2harkinian/default.nix +++ b/nix/configuration/roles/2ship2harkinian/default.nix @@ -17,32 +17,27 @@ }; }; - config = lib.mkIf config.me.ship2harkinian.enable ( - lib.mkMerge [ - { - allowedUnfree = [ "2ship2harkinian" ]; - } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - _2ship2harkinian + config = lib.mkIf (config.me.ship2harkinian.enable && config.me.graphical) { + allowedUnfree = [ "2ship2harkinian" ]; + + environment.systemPackages = with pkgs; [ + _2ship2harkinian + ]; + + # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".local/share/2ship"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; - - # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".local/share/2ship"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - }) - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/alacritty/default.nix b/nix/configuration/roles/alacritty/default.nix index e6e85f7..6fc4430 100644 --- a/nix/configuration/roles/alacritty/default.nix +++ b/nix/configuration/roles/alacritty/default.nix 
@@ -7,6 +7,7 @@ { imports = [ ]; + options.me = { alacritty.enable = lib.mkOption { type = lib.types.bool; @@ -16,21 +17,17 @@ }; }; - config = lib.mkIf config.me.alacritty.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - alacritty - xdg-utils # for xdg-open - ]; + config = lib.mkIf (config.me.alacritty.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + alacritty + xdg-utils # for xdg-open + ]; - me.install.user.talexander.file = { - ".config/alacritty/alacritty.toml" = { - source = ./files/alacritty.toml; - }; - }; - }) - ] - ); + me.install.user.talexander.file = { + ".config/alacritty/alacritty.toml" = { + source = ./files/alacritty.toml; + }; + }; + }; } diff --git a/nix/configuration/roles/amd_s2idle/default.nix b/nix/configuration/roles/amd_s2idle/default.nix index edfe1ed..e59e622 100644 --- a/nix/configuration/roles/amd_s2idle/default.nix +++ b/nix/configuration/roles/amd_s2idle/default.nix @@ -17,31 +17,27 @@ }; }; - config = lib.mkIf config.me.amd_s2idle.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - amd-debug-tools - ]; - nixpkgs.overlays = [ - ( - final: prev: - let - innerPackage = (final.callPackage ./package.nix { }); - in - { - amd-debug-tools = innerPackage; - } - ) - (final: prev: { - pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [ - (python-final: python-prev: { - cysystemd = (python-final.callPackage ./cysystemd.nix { }); - }) - ]; + config = lib.mkIf config.me.amd_s2idle.enable { + environment.systemPackages = with pkgs; [ + amd-debug-tools + ]; + nixpkgs.overlays = [ + ( + final: prev: + let + innerPackage = (final.callPackage ./package.nix { }); + in + { + amd-debug-tools = innerPackage; + } + ) + (final: prev: { + pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [ + (python-final: python-prev: { + cysystemd = (python-final.callPackage ./cysystemd.nix { }); }) ]; - } - ] - ); + }) + ]; + }; } 
diff --git a/nix/configuration/roles/ansible/default.nix b/nix/configuration/roles/ansible/default.nix
index 8600402..190d71f 100644
--- a/nix/configuration/roles/ansible/default.nix
+++ b/nix/configuration/roles/ansible/default.nix
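Review bot: Placeholder — no note; see reformat below.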
@@ -17,73 +17,69 @@ }; }; - config = lib.mkIf config.me.ansible.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - ansible - ]; + config = lib.mkIf config.me.ansible.enable { + environment.systemPackages = with pkgs; [ + ansible + ]; - nixpkgs.overlays = [ - (final: prev: { - ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { }); - }) - (final: prev: { - ansible = pkgs.symlinkJoin { - name = "ansible"; - paths = [ - (prev.ansible.overridePythonAttrs { - propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ]; - }) - pkgs.ansible-sshjail - ]; - buildInputs = [ pkgs.makeWrapper ]; + nixpkgs.overlays = [ + (final: prev: { + ansible-sshjail = (final.callPackage ./package/ansible-sshjail/package.nix { }); + }) + (final: prev: { + ansible = pkgs.symlinkJoin { + name = "ansible"; + paths = [ + (prev.ansible.overridePythonAttrs { + propagatedBuildInputs = prev.ansible.propagatedBuildInputs ++ [ prev.python3Packages.jmespath ]; + }) + pkgs.ansible-sshjail + ]; + buildInputs = [ pkgs.makeWrapper ]; - postBuild = '' - ${lib.concatMapStringsSep "\n" - ( - prog: - ( - "wrapProgram $out/bin/${prog} ${ - lib.concatMapStringsSep " " - ( - plugin_type: - "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS $out/share/ansible/plugins/${lib.toLower plugin_type}_plugins" - ) - [ - "action" - "cache" - "callback" - "connection" - "filter" - "inventory" - "lookup" - "shell" - "strategy" - "test" - "vars" - ] - } --prefix PATH : ${lib.makeBinPath [ ]}" - ) - ) - [ - "ansible" - "ansible-config" - "ansible-console" - "ansible-doc" - "ansible-galaxy" - "ansible-inventory" - "ansible-playbook" - "ansible-pull" - "ansible-test" - "ansible-vault" - ] - } - ''; - }; - }) - ]; - } - ] - ); + postBuild = '' + ${lib.concatMapStringsSep "\n" + ( + prog: + ( + "wrapProgram $out/bin/${prog} ${ + lib.concatMapStringsSep " " + ( + plugin_type: + "--set ANSIBLE_${lib.toUpper plugin_type}_PLUGINS 
$out/share/ansible/plugins/${lib.toLower plugin_type}_plugins" + ) + [ + "action" + "cache" + "callback" + "connection" + "filter" + "inventory" + "lookup" + "shell" + "strategy" + "test" + "vars" + ] + } --prefix PATH : ${lib.makeBinPath [ ]}" + ) + ) + [ + "ansible" + "ansible-config" + "ansible-console" + "ansible-doc" + "ansible-galaxy" + "ansible-inventory" + "ansible-playbook" + "ansible-pull" + "ansible-test" + "ansible-vault" + ] + } + ''; + }; + }) + ]; + }; } diff --git a/nix/configuration/roles/ares/default.nix b/nix/configuration/roles/ares/default.nix index 4aa5a41..e71c55c 100644 --- a/nix/configuration/roles/ares/default.nix +++ b/nix/configuration/roles/ares/default.nix @@ -17,28 +17,23 @@ }; }; - config = lib.mkIf config.me.ares.enable ( - lib.mkMerge [ - { } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - ares - ]; + config = lib.mkIf (config.me.ares.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + ares + ]; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".local/share/ares"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - }) - ] - ); + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".local/share/ares"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/base/default.nix b/nix/configuration/roles/base/default.nix new file mode 100644 index 0000000..dbe9766 --- /dev/null +++ b/nix/configuration/roles/base/default.nix 
@@ -0,0 +1,50 @@ +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ ]; + + options.me = { + base.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install base."; + }; + }; + + config = lib.mkIf config.me.base.enable { + environment.systemPackages = with pkgs; [ + wget + mg + rsync + libinput + htop + tmux + file + usbutils # for lsusb + pciutils # for lspci + ripgrep + strace + # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase. + trace-cmd # ftrace + tcpdump + git-crypt + gnumake + ncdu + nix-tree + libarchive # bsdtar + lsof + doas-sudo-shim # To support --sudo for remote builds + dmidecode # Read SMBIOS information. + ipcalc + gptfdisk # for cgdisk + nix-output-monitor # For better view into nixos-rebuild + nix-serve-ng # Serve nix store over http + ]; + }; +} diff --git a/nix/configuration/roles/bluetooth/default.nix b/nix/configuration/roles/bluetooth/default.nix index eb026c6..7f2c434 100644 --- a/nix/configuration/roles/bluetooth/default.nix +++ b/nix/configuration/roles/bluetooth/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: 
@@ -17,30 +16,23 @@ }; }; - config = lib.mkIf config.me.bluetooth.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - ]; - - hardware.bluetooth = { - enable = true; - powerOnBoot = true; - settings = { - General = { - # Enable support for showing battery charge level. - Experimental = true; - }; - }; + config = lib.mkIf config.me.bluetooth.enable { + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + settings = { + General = { + # Enable support for showing battery charge level. + Experimental = true; }; + }; + }; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - directories = [ - "/var/lib/bluetooth" # Bluetooth pairing information. - ]; - }; - } - ] - ); + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + directories = [ + "/var/lib/bluetooth" # Bluetooth pairing information. + ]; + }; + }; } diff --git a/nix/configuration/roles/boot/default.nix b/nix/configuration/roles/boot/default.nix index 07bce51..5940757 100644 --- a/nix/configuration/roles/boot/default.nix +++ b/nix/configuration/roles/boot/default.nix 
@@ -9,90 +9,96 @@ { imports = [ ]; - options = { - me.secureBoot = { - enable = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Enable to use secure boot. - ''; - }; + options.me = { + boot.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install boot."; + }; + + boot.secure = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Enable to use secure boot."; }; }; - config = lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - tpm2-tools # For tpm2_eventlog to check for OptionRoms - # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog - # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER" - sbctl # For debugging and troubleshooting Secure Boot. - ]; - } - (lib.mkIf (!config.me.buildingIso) { - - boot.loader.grub.enable = false; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - # TODO: make not write bootx64.efi - boot.loader.efi.canTouchEfiVariables = false; - - # Automatically delete old generations - boot.loader.systemd-boot.configurationLimit = 3; - - boot.loader.systemd-boot.memtest86.enable = true; - - # Check what will be lost with `zfs diff zroot/linux/root@blank` - boot.initrd.systemd.enable = lib.mkDefault true; - boot.initrd.systemd.services.zfs-rollback = { - description = "Rollback ZFS root dataset to blank snapshot"; - wantedBy = [ - "initrd.target" + config = lib.mkIf config.me.boot.enable ( + lib.mkMerge [ + { + environment.systemPackages = with pkgs; [ + tpm2-tools # For tpm2_eventlog to check for OptionRoms + # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog + # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER" + sbctl # For debugging and troubleshooting Secure Boot. 
]; - after = [ - "zfs-import-zroot.service" - ]; - before = [ - "sysroot.mount" - ]; - path = with pkgs; [ - zfs - ]; - unitConfig.DefaultDependencies = "no"; - serviceConfig.Type = "oneshot"; - script = '' - zfs rollback -r zroot/linux/nix/root@blank - zfs rollback -r zroot/linux/nix/home@blank - echo "rollback complete" - ''; - }; + } + (lib.mkIf (!config.me.buildingPortable) { - # boot.loader.systemd-boot.extraEntries = { - # "windows.conf" = '' - # title Windows - # efi /EFI/Microsoft/Boot/bootmgfw.efi - # options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa - # ''; - # }; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - directories = [ - "/var/lib/sbctl" # Secure Boot Keys + boot.loader.grub.enable = false; + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + # TODO: make not write bootx64.efi + boot.loader.efi.canTouchEfiVariables = false; + + # Automatically delete old generations + boot.loader.systemd-boot.configurationLimit = 3; + + boot.loader.systemd-boot.memtest86.enable = true; + + # Check what will be lost with `zfs diff zroot/linux/root@blank` + boot.initrd.systemd.enable = lib.mkDefault true; + boot.initrd.systemd.services.zfs-rollback = { + description = "Rollback ZFS root dataset to blank snapshot"; + wantedBy = [ + "initrd.target" + ]; + after = [ + "zfs-import-zroot.service" + ]; + before = [ + "sysroot.mount" + ]; + path = with pkgs; [ + zfs + ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = '' + zfs rollback -r zroot/linux/nix/root@blank + zfs rollback -r zroot/linux/nix/home@blank + echo "rollback complete" + ''; + }; + + # boot.loader.systemd-boot.extraEntries = { + # "windows.conf" = '' + # title Windows + # efi /EFI/Microsoft/Boot/bootmgfw.efi + # options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa + # ''; + # }; + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = 
true; + directories = [ + "/var/lib/sbctl" # Secure Boot Keys + ]; + }; + }) + (lib.mkIf (config.me.boot.secure) { + environment.systemPackages = with pkgs; [ + sbctl ]; - }; - }) - (lib.mkIf (config.me.secureBoot.enable) { - environment.systemPackages = with pkgs; [ - sbctl - ]; - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; - }; - }) - ]; + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; + }) + ] + ); } # efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi' diff --git a/nix/configuration/roles/chromecast/default.nix b/nix/configuration/roles/chromecast/default.nix index d84022c..cff8451 100644 --- a/nix/configuration/roles/chromecast/default.nix +++ b/nix/configuration/roles/chromecast/default.nix @@ -17,15 +17,9 @@ }; }; - config = lib.mkIf config.me.chromecast.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - catt - ]; - } - (lib.mkIf config.me.graphical { - }) - ] - ); + config = lib.mkIf config.me.chromecast.enable { + environment.systemPackages = with pkgs; [ + catt + ]; + }; } diff --git a/nix/configuration/roles/chromium/default.nix b/nix/configuration/roles/chromium/default.nix index 453909e..e117c0a 100644 --- a/nix/configuration/roles/chromium/default.nix +++ b/nix/configuration/roles/chromium/default.nix 
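Review bot: The `me.boot.secure` branch at the end of the boot hunk enables lanzaboote with `pkiBundle = "/var/lib/sbctl"`, but that directory is only persisted inside the `!config.me.buildingPortable` branch and only when `me.mountPersistence` is set, while the same branch's initrd `zfs-rollback` service resets the root dataset to `@blank` on every boot. Assuming `/var/lib` lives on that dataset, a host with `boot.secure = true` and `mountPersistence` unset would lose its Secure Boot signing keys on reboot, and the next rebuild either cannot sign the new generation or signs it with fresh keys that do not match what is enrolled in firmware. An assertion in the `lib.mkMerge` list makes the coupling explicit: `assertions = [ { assertion = config.me.boot.secure -> config.me.mountPersistence; message = "me.boot.secure keeps its signing keys in /var/lib/sbctl, which is only persisted when me.mountPersistence is set"; } ];`. Separately, `sbctl` appears in both the unconditional package list and the secure-boot one; the second entry is redundant.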
@@ -17,59 +17,54 @@ }; }; - config = lib.mkIf config.me.chromium.enable ( - lib.mkMerge [ - { } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - chromium - ]; - allowedUnfree = [ - "chromium" - "chromium-unwrapped" - "widevine-cdm" - ]; + config = lib.mkIf (config.me.chromium.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + chromium + ]; + allowedUnfree = [ + "chromium" + "chromium-unwrapped" + "widevine-cdm" + ]; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".config/chromium"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".cache/chromium"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - - nixpkgs.overlays = [ - (final: prev: { - chromium = prev.chromium.override { - enableWideVine = true; - commandLineArgs = [ - "--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder" - # Enabling vulkan causes video to render as white - # "--enable-features=Vulkan"; - ]; - }; - }) + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".config/chromium"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } ]; + }; + }; + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".cache/chromium"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } + ]; + }; + }; + + nixpkgs.overlays = [ + (final: prev: { + chromium = prev.chromium.override { + enableWideVine = true; + commandLineArgs = [ + 
"--enable-features=VaapiVideoDecoder,VaapiIgnoreDriverChecks,Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,AcceleratedVideoEncoder" + # Enabling vulkan causes video to render as white + # "--enable-features=Vulkan"; + ]; + }; }) - ] - ); + ]; + }; } diff --git a/nix/configuration/roles/d2/default.nix b/nix/configuration/roles/d2/default.nix index 3fda8aa..a6d20df 100644 --- a/nix/configuration/roles/d2/default.nix +++ b/nix/configuration/roles/d2/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.d2.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - d2 - ]; - } - ] - ); + config = lib.mkIf config.me.d2.enable { + environment.systemPackages = with pkgs; [ + d2 + ]; + }; } diff --git a/nix/configuration/roles/direnv/default.nix b/nix/configuration/roles/direnv/default.nix index c184172..e93255f 100644 --- a/nix/configuration/roles/direnv/default.nix +++ b/nix/configuration/roles/direnv/default.nix @@ -25,31 +25,27 @@ in }; }; - config = lib.mkIf config.me.direnv.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - direnv - nix-direnv + config = lib.mkIf config.me.direnv.enable { + environment.systemPackages = with pkgs; [ + direnv + nix-direnv + ]; + + me.zsh.includes = [ direnv_zsh_hook ]; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # List of allowed directories from `direnv allow`. + directory = ".local/share/direnv"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; - - me.zsh.includes = [ direnv_zsh_hook ]; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # List of allowed directories from `direnv allow`. - directory = ".local/share/direnv"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - } - ] - ); + }; + }; + }; } 
diff --git a/nix/configuration/roles/distributed_build/default.nix b/nix/configuration/roles/distributed_build/default.nix index 6e20734..65b31a7 100644 --- a/nix/configuration/roles/distributed_build/default.nix +++ b/nix/configuration/roles/distributed_build/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: diff --git a/nix/configuration/roles/doas/default.nix b/nix/configuration/roles/doas/default.nix new file mode 100644 index 0000000..56c37ed --- /dev/null +++ b/nix/configuration/roles/doas/default.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: + +{ + imports = [ ]; + + options.me = { + doas.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install doas."; + }; + }; + + config = lib.mkIf config.me.doas.enable { + # Use doas instead of sudo + security.doas.enable = true; + security.doas.wheelNeedsPassword = false; + security.sudo.enable = false; + security.doas.extraRules = [ + { + # Retain environment (for example NIX_PATH) + keepEnv = true; + persist = true; # Only ask for a password the first time. + } + ]; + }; +} diff --git a/nix/configuration/roles/docker/default.nix b/nix/configuration/roles/docker/default.nix index 7d90a56..4c1381c 100644 --- a/nix/configuration/roles/docker/default.nix +++ b/nix/configuration/roles/docker/default.nix 
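Review bot: The `security.doas.extraRules` entry at the end of the new roles/doas/default.nix names no `users` or `groups`, and as far as I can tell the NixOS doas module emits one `permit` line per listed user or group, so this rule contributes nothing to doas.conf and `keepEnv`/`persist` have no effect. The effective policy then comes entirely from `security.doas.wheelNeedsPassword = false;`, which grants every wheel member passwordless root — the opposite of what the `# Only ask for a password the first time.` comment describes. If persist-with-password is the intent, use `security.doas.wheelNeedsPassword = true;` and give the rule `groups = [ "wheel" ];`; if passwordless wheel is the deliberate trade-off, a comment stating that and why (e.g. reliance on full-disk encryption) would stop the next reader from "fixing" it. Note that `doas-sudo-shim` from the base role routes `sudo` invocations through this same policy.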
@@ -17,82 +17,77 @@ }; }; - config = lib.mkIf config.me.docker.enable ( - lib.mkMerge [ + config = lib.mkIf config.me.docker.enable { + assertions = [ { - assertions = [ - { - assertion = !config.me.podman.enable; - message = "docker conflicts with podman"; - } - ]; + assertion = !config.me.podman.enable; + message = "docker conflicts with podman"; } - { - virtualisation.docker.enable = true; - # Use docker activation - virtualisation.docker.enableOnBoot = false; - # Rootless docker breaks access to ssh for buildkit. - # virtualisation.docker.rootless = { - # enable = true; - # setSocketVariable = true; - # }; - # Give docker access to ssh for fetching repos with buildkit. - virtualisation.docker.extraPackages = [ pkgs.openssh ]; - environment.systemPackages = with pkgs; [ - docker-buildx - ]; + ]; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - directories = [ - { - directory = "/var/lib/docker"; - user = "root"; - group = "root"; - mode = "0740"; - } - ]; - # users.talexander = { - # directories = [ - # { - # directory = ".local/share/docker"; - # user = "talexander"; - # group = "talexander"; - # mode = "0740"; - # } - # ]; - # }; - }; + virtualisation.docker.enable = true; + # Use docker activation + virtualisation.docker.enableOnBoot = false; + # Rootless docker breaks access to ssh for buildkit. + # virtualisation.docker.rootless = { + # enable = true; + # setSocketVariable = true; + # }; + # Give docker access to ssh for fetching repos with buildkit. 
+ virtualisation.docker.extraPackages = [ pkgs.openssh ]; + environment.systemPackages = with pkgs; [ + docker-buildx + ]; - systemd.services.link-docker-creds = { - # Contains credentials so it cannot be added to the nix store - enable = true; - description = "link-docker-creds"; - wantedBy = [ "multi-user.target" ]; - wants = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - # path = with pkgs; [ - # zfs - # ]; - unitConfig.DefaultDependencies = "no"; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = '' - if [ -e /persist/manual/docker/config.json ]; then - install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker - ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json - fi - ''; - preStop = '' - rm -f /home/talexander/.docker/config.json - ''; - }; + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + directories = [ + { + directory = "/var/lib/docker"; + user = "root"; + group = "root"; + mode = "0740"; + } + ]; + # users.talexander = { + # directories = [ + # { + # directory = ".local/share/docker"; + # user = "talexander"; + # group = "talexander"; + # mode = "0740"; + # } + # ]; + # }; + }; - # Needed for non-rootless docker - users.users.talexander.extraGroups = [ "docker" ]; - } - ] - ); + systemd.services.link-docker-creds = { + # Contains credentials so it cannot be added to the nix store + enable = true; + description = "link-docker-creds"; + wantedBy = [ "multi-user.target" ]; + wants = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + # path = with pkgs; [ + # zfs + # ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + script = '' + if [ -e /persist/manual/docker/config.json ]; then + install --directory --owner talexander --group talexander --mode 0700 /home/talexander/.docker + ln -s /persist/manual/docker/config.json 
/home/talexander/.docker/config.json + fi + ''; + preStop = '' + rm -f /home/talexander/.docker/config.json + ''; + }; + + # Needed for non-rootless docker + users.users.talexander.extraGroups = [ "docker" ]; + }; } diff --git a/nix/configuration/roles/ecc/default.nix b/nix/configuration/roles/ecc/default.nix index 1cfa7dd..07368a4 100644 --- a/nix/configuration/roles/ecc/default.nix +++ b/nix/configuration/roles/ecc/default.nix @@ -2,7 +2,6 @@ { config, lib, - pkgs, ... }: @@ -18,11 +17,7 @@ }; }; - config = lib.mkIf config.me.ecc.enable ( - lib.mkMerge [ - { - hardware.rasdaemon.enable = true; - } - ] - ); + config = lib.mkIf config.me.ecc.enable { + hardware.rasdaemon.enable = true; + }; } diff --git a/nix/configuration/roles/emacs/default.nix b/nix/configuration/roles/emacs/default.nix index a8270dd..40a1332 100644 --- a/nix/configuration/roles/emacs/default.nix +++ b/nix/configuration/roles/emacs/default.nix @@ -68,7 +68,7 @@ in (e_shorthand my_emacs) ]; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; users.talexander = { directories = [ diff --git a/nix/configuration/roles/emacs/files/emacs/elisp/base.el b/nix/configuration/roles/emacs/files/emacs/elisp/base.el index eb0b88d..347e865 100644 --- a/nix/configuration/roles/emacs/files/emacs/elisp/base.el +++ b/nix/configuration/roles/emacs/files/emacs/elisp/base.el @@ -110,8 +110,6 @@ project-mode-line t ) -;; (setq-default fringes-outside-margins t) - ;; Typed text replaces selection (delete-selection-mode) diff --git a/nix/configuration/roles/emacs/files/emacs/elisp/util-tree-sitter.el b/nix/configuration/roles/emacs/files/emacs/elisp/util-tree-sitter.el index 2dc791e..21d76b5 100644 --- a/nix/configuration/roles/emacs/files/emacs/elisp/util-tree-sitter.el +++ b/nix/configuration/roles/emacs/files/emacs/elisp/util-tree-sitter.el 
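Review bot: `ln -s /persist/manual/docker/config.json /home/talexander/.docker/config.json` in the `link-docker-creds` script has no `-f`, so a start of the oneshot while the link already exists (any path where `preStop` did not run first) fails the unit; `ln -sfn` makes the script idempotent and the rest of the hunk, which is a re-indent plus the `mountPersistence` guard, is unaffected. The existing `# Contains credentials so it cannot be added to the nix store` comment is the right reasoning and worth keeping next to the symlink rather than the unit header, where it is easy to miss.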
@@ -1,3 +1,5 @@ +;; (add-to-list 'major-mode-remap-alist '(c-mode . c-ts-mode)) + (use-package treesit :pin manual :ensure nil diff --git a/nix/configuration/roles/emulate_isa/default.nix b/nix/configuration/roles/emulate_isa/default.nix index 183eb4e..8d2a753 100644 --- a/nix/configuration/roles/emulate_isa/default.nix +++ b/nix/configuration/roles/emulate_isa/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: @@ -17,17 +16,12 @@ }; }; - config = lib.mkIf config.me.emulate_isa.enable ( - lib.mkMerge [ - { - boot.binfmt.emulatedSystems = [ - "aarch64-linux" # Raspberry Pi gen 3 - "riscv64-linux" - # TODO: Should "x86_64-linux" be in this list or should this list be dependent on the host CPU? - "armv6l-linux" # Raspberry Pi gen 1 - ]; - } - ] - ); + config = lib.mkIf config.me.emulate_isa.enable { + boot.binfmt.emulatedSystems = [ + "aarch64-linux" # Raspberry Pi gen 3 + "riscv64-linux" + # TODO: Should "x86_64-linux" be in this list or should this list be dependent on the host CPU? + "armv6l-linux" # Raspberry Pi gen 1 + ]; + }; } -# NOTE: build nixosConfigurations..config.system.build.sdImage diff --git a/nix/configuration/roles/firefox/default.nix b/nix/configuration/roles/firefox/default.nix index 8c36fcb..a0ad99f 100644 --- a/nix/configuration/roles/firefox/default.nix +++ b/nix/configuration/roles/firefox/default.nix 
@@ -17,123 +17,119 @@ }; }; - config = lib.mkIf config.me.firefox.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - programs.firefox = { - enable = true; - package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { }); - languagePacks = [ "en-US" ]; - preferences = { - # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5"; - "media.hardware-video-decoding.force-enabled" = true; - "media.ffmpeg.vaapi.enabled" = true; - "doh-rollout.doorhanger-decision" = "UIDisabled"; - "dom.security.https_only_mode" = true; - "dom.security.https_only_mode_ever_enabled" = true; - "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org"; - # Disable ads - "extensions.pocket.enabled" = false; - "browser.newtabpage.activity-stream.showSponsored" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.feeds.section.topstories" = false; - "browser.newtabpage.pinned" = "[]"; - "browser.newtabpage.activity-stream.section.highlights.includePocket" = false; - "browser.topsites.contile.enabled" = false; - # Disable cache when devtools are open. - "devtools.cache.disabled" = true; - # Do not track header. - "privacy.donottrackheader.enabled" = true; - # Tell websites not to share or sell my data. - "privacy.globalprivacycontrol.enabled" = true; - # Disable "studies" (slice testing) - "app.shield.optoutstudies.enabled" = false; - # Disable attribution which is used by advertisers to track you. - "dom.private-attribution.submission.enabled" = false; - # Disable battery status, used to track users. 
- "dom.battery.enabled" = false; + config = lib.mkIf (config.me.firefox.enable && config.me.graphical) { + programs.firefox = { + enable = true; + package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { }); + languagePacks = [ "en-US" ]; + preferences = { + # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5"; + "media.hardware-video-decoding.force-enabled" = true; + "media.ffmpeg.vaapi.enabled" = true; + "doh-rollout.doorhanger-decision" = "UIDisabled"; + "dom.security.https_only_mode" = true; + "dom.security.https_only_mode_ever_enabled" = true; + "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org"; + # Disable ads + "extensions.pocket.enabled" = false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.feeds.section.topstories" = false; + "browser.newtabpage.pinned" = "[]"; + "browser.newtabpage.activity-stream.section.highlights.includePocket" = false; + "browser.topsites.contile.enabled" = false; + # Disable cache when devtools are open. + "devtools.cache.disabled" = true; + # Do not track header. + "privacy.donottrackheader.enabled" = true; + # Tell websites not to share or sell my data. + "privacy.globalprivacycontrol.enabled" = true; + # Disable "studies" (slice testing) + "app.shield.optoutstudies.enabled" = false; + # Disable attribution which is used by advertisers to track you. + "dom.private-attribution.submission.enabled" = false; + # Disable battery status, used to track users. + "dom.battery.enabled" = false; - # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected. 
- # - # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540 - # dom.event.clipboardevents.enabled: false + # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected. + # + # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540 + # dom.event.clipboardevents.enabled: false - # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains. - "privacy.firstparty.isolate" = true; - # Do not preload URLs that auto-complete in the address bar. - "browser.urlbar.speculativeConnect.enabled" = false; - # Do not resist fingerprinting because that tells websites to use light mode. - # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114 - "privacy.resistFingerprinting" = false; # (default false) - # Instead, enable fingerprinting protection, which allows configuring an override. - "privacy.fingerprintingProtection" = true; - # Allow sending dark mode preference to websites. - # Allow sending timezone to websites. - "privacy.fingerprintingProtection.overrides" = - "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"; - # Disable weather on new tab page - "browser.newtabpage.activity-stream.showWeather" = false; - # Disable AI stuff that wastes battery life - "browser.ml.chat.enabled" = false; - "browser.ml.enabled" = false; + # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains. + "privacy.firstparty.isolate" = true; + # Do not preload URLs that auto-complete in the address bar. + "browser.urlbar.speculativeConnect.enabled" = false; + # Do not resist fingerprinting because that tells websites to use light mode. 
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114 + "privacy.resistFingerprinting" = false; # (default false) + # Instead, enable fingerprinting protection, which allows configuring an override. + "privacy.fingerprintingProtection" = true; + # Allow sending dark mode preference to websites. + # Allow sending timezone to websites. + "privacy.fingerprintingProtection.overrides" = + "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"; + # Disable weather on new tab page + "browser.newtabpage.activity-stream.showWeather" = false; + # Disable AI stuff that wastes battery life + "browser.ml.chat.enabled" = false; + "browser.ml.enabled" = false; + }; + # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options. + policies = { + DisableTelemetry = true; + DisplayBookmarksToolbar = "newtab"; + + # Check about:support for extension/add-on ID strings. + # Valid strings for installation_mode are "allowed", "blocked", + # "force_installed" and "normal_installed". + ExtensionSettings = { + # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; }; - # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options. - policies = { - DisableTelemetry = true; - DisplayBookmarksToolbar = "newtab"; - - # Check about:support for extension/add-on ID strings. - # Valid strings for installation_mode are "allowed", "blocked", - # "force_installed" and "normal_installed". 
- ExtensionSettings = { - # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below - "uBlock0@raymondhill.net" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; - installation_mode = "force_installed"; - }; - # "firefox@teleparty.com" = { - # install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi"; - # installation_mode = "normal_installed"; - # }; - "@ublacklist" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublacklist/latest.xpi"; - installation_mode = "normal_installed"; - }; - "@react-devtools" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/react-devtools/latest.xpi"; - installation_mode = "normal_installed"; - }; - }; + # "firefox@teleparty.com" = { + # install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi"; + # installation_mode = "normal_installed"; + # }; + "@ublacklist" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublacklist/latest.xpi"; + installation_mode = "normal_installed"; + }; + "@react-devtools" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/react-devtools/latest.xpi"; + installation_mode = "normal_installed"; }; }; + }; + }; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".mozilla"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".cache/mozilla"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - }) - ] - ); + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + 
directories = [ + { + directory = ".mozilla"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } + ]; + }; + }; + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".cache/mozilla"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/firewall/default.nix b/nix/configuration/roles/firewall/default.nix index 74fbaec..b17c93b 100644 --- a/nix/configuration/roles/firewall/default.nix +++ b/nix/configuration/roles/firewall/default.nix @@ -1,20 +1,30 @@ { config, lib, - pkgs, ... }: { imports = [ ]; - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 22 # ssh - ]; - networking.firewall.allowedUDPPorts = [ - 5353 # mDNS - ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; + options.me = { + firewall.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install firewall."; + }; + }; + + config = lib.mkIf config.me.firewall.enable { + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ + 22 # ssh + ]; + networking.firewall.allowedUDPPorts = [ + 5353 # mDNS + ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + }; } diff --git a/nix/configuration/roles/flux/default.nix b/nix/configuration/roles/flux/default.nix index 4554200..9d30707 100644 --- a/nix/configuration/roles/flux/default.nix +++ b/nix/configuration/roles/flux/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.flux.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - fluxcd - ]; - } - ] - ); + config = lib.mkIf config.me.flux.enable { + environment.systemPackages = with pkgs; [ + fluxcd + ]; + }; } 
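Review bot: The `privacy.fingerprintingProtection.overrides` value also exempts `CanvasExtractionBeforeUserInputIsBlocked` and `CanvasImageExtractionPrompt`, so pages can read canvas pixels without user interaction or a prompt, which re-opens canvas fingerprinting; the two comments above it only explain the dark-mode and timezone exemptions. If the canvas exemptions are deliberate (presumably for site compatibility), add a third comment such as `# Allow canvas extraction without a prompt; this re-exposes canvas fingerprinting, traded for site compatibility.` so the trade-off is visible next to the setting. `privacy.firstparty.isolate = true` is the legacy FPI switch and, on current Firefox, reportedly overrides the default dynamic first-party isolation (dFPI) with a more breakage-prone mode, so a comment on whether it is still wanted would help. The add-ons in `ExtensionSettings` are pulled at runtime from unpinned `latest.xpi` URLs; that is acceptable because Firefox verifies AMO signatures, and a one-line comment stating that this is the trust basis would make the choice explicit.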
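Review bot: The new `me.firewall.enable` option only controls whether 22/tcp and 5353/udp are opened; it does not turn the NixOS firewall on or off, since `networking.firewall.enable` defaults to true and the line that would change it stays commented out, so the description `Whether we want to install firewall.` is misleading and with the option unset SSH is simply blocked. Either change the description to `Whether to open the ports (22/tcp ssh, 5353/udp mDNS) this host's services use in the NixOS firewall.` or set `networking.firewall.enable = true;` explicitly inside the block so the intent is visible. Hard-coding 22 also opens SSH on every host that enables this role even when no sshd runs there; if the new `sshd` role uses `services.openssh`, its `openFirewall` option (default true) already opens the port only when the daemon is enabled, so the `22 # ssh` entry could be dropped from this list.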
diff --git a/nix/configuration/roles/fonts/default.nix b/nix/configuration/roles/fonts/default.nix index 13f5fd2..f891f88 100644 --- a/nix/configuration/roles/fonts/default.nix +++ b/nix/configuration/roles/fonts/default.nix @@ -8,7 +8,16 @@ { imports = [ ]; - config = lib.mkIf config.me.graphical { + options.me = { + font.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install font."; + }; + }; + + config = lib.mkIf (config.me.font.enable && config.me.graphical) { fonts = { enableDefaultPackages = false; packages = with pkgs; [ diff --git a/nix/configuration/roles/gcloud/default.nix b/nix/configuration/roles/gcloud/default.nix index b5146eb..b89d278 100644 --- a/nix/configuration/roles/gcloud/default.nix +++ b/nix/configuration/roles/gcloud/default.nix @@ -17,27 +17,23 @@ }; }; - config = lib.mkIf config.me.gcloud.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ]) - ]; + config = lib.mkIf config.me.gcloud.enable { + environment.systemPackages = with pkgs; [ + (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ]) + ]; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".config/gcloud"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - } - ] - ); + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".config/gcloud"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/git/default.nix b/nix/configuration/roles/git/default.nix index db65e52..0527452 100644 --- a/nix/configuration/roles/git/default.nix 
+++ b/nix/configuration/roles/git/default.nix @@ -21,6 +21,13 @@ in imports = [ ]; options.me = { + git.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install git."; + }; + git.config = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; @@ -29,51 +36,53 @@ in }; }; - config = lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - my_git - ]; - } - (lib.mkIf (config.me.git.config != null) { - me.install.user.talexander.file = { - ".gitconfig" = { - source = config.me.git.config; + config = lib.mkIf config.me.git.enable ( + lib.mkMerge [ + { + environment.systemPackages = with pkgs; [ + my_git + ]; + } + (lib.mkIf (config.me.git.config != null) { + me.install.user.talexander.file = { + ".gitconfig" = { + source = config.me.git.config; + }; }; - }; - }) - (lib.mkIf (config.me.graphical) { - nixpkgs.overlays = [ - (final: prev: { - my_git = ( - pkgs.buildEnv { - name = prev.git.name; - version = prev.git.version; - paths = - (builtins.map (git_wrapped prev.git) [ - "git" - ]) - ++ [ - prev.git + }) + (lib.mkIf (config.me.graphical) { + nixpkgs.overlays = [ + (final: prev: { + my_git = ( + pkgs.buildEnv { + name = prev.git.name; + version = prev.git.version; + paths = + (builtins.map (git_wrapped prev.git) [ + "git" + ]) + ++ [ + prev.git + ]; + extraOutputsToInstall = [ + "man" + "doc" + "info" ]; - extraOutputsToInstall = [ - "man" - "doc" - "info" - ]; - nativeBuildInputs = [ final.makeWrapper ]; - ignoreCollisions = true; - } - ); - }) - ]; - }) - (lib.mkIf (!config.me.graphical) { - nixpkgs.overlays = [ - (final: prev: { - my_git = prev.git; - }) - ]; - }) - ]; + nativeBuildInputs = [ final.makeWrapper ]; + ignoreCollisions = true; + } + ); + }) + ]; + }) + (lib.mkIf (!config.me.graphical) { + nixpkgs.overlays = [ + (final: prev: { + my_git = prev.git; + }) + ]; + }) + ] + ); } 
diff --git a/nix/configuration/roles/gnuplot/default.nix b/nix/configuration/roles/gnuplot/default.nix index 57c8ffa..52fc13f 100644 --- a/nix/configuration/roles/gnuplot/default.nix +++ b/nix/configuration/roles/gnuplot/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.gnuplot.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - gnuplot - ]; - } - ] - ); + config = lib.mkIf config.me.gnuplot.enable { + environment.systemPackages = with pkgs; [ + gnuplot + ]; + }; } diff --git a/nix/configuration/roles/gpg/default.nix b/nix/configuration/roles/gpg/default.nix index b59ea11..60187b0 100644 --- a/nix/configuration/roles/gpg/default.nix +++ b/nix/configuration/roles/gpg/default.nix 
@@ -25,109 +25,105 @@ in }; }; - config = lib.mkIf config.me.gpg.enable ( - lib.mkMerge [ - { - # Fetch public keys: - # gpg --locate-external-keys tom@fizz.buzz + config = lib.mkIf config.me.gpg.enable { + # Fetch public keys: + # gpg --locate-external-keys tom@fizz.buzz - hardware.gpgSmartcards.enable = true; - services.udev.packages = [ - pkgs.yubikey-personalization - pkgs.libfido2 - (pkgs.writeTextFile { - name = "my-rules"; - text = '' - ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel" - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660" - ''; - destination = "/etc/udev/rules.d/50-yubikey.rules"; - }) + hardware.gpgSmartcards.enable = true; + services.udev.packages = [ + pkgs.yubikey-personalization + pkgs.libfido2 + (pkgs.writeTextFile { + name = "my-rules"; + text = '' + ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel" + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660" + ''; + destination = "/etc/udev/rules.d/50-yubikey.rules"; + }) + ]; + services.pcscd.enable = true; + + me.install.user.talexander.file = { + ".gnupg/scdaemon.conf" = { + source = ./files/scdaemon.conf; + }; + }; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-qt; + # Settings block populates /etc/gnupg/gpg-agent.conf + # settings = { + # }; + }; + + # Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it. 
+ # + # environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + # hideMounts = true; + # users.talexander = { + # files = [ + # { + # file = ".gnupg/trustdb.gpg"; + # parentDirectory = { + # mode = "u=rwx,g=,o="; + # }; + # } + # { + # file = ".gnupg/pubring.kbx"; + # parentDirectory = { + # mode = "u=rwx,g=,o="; + # }; + # } + # { + # file = ".gnupg/tofu.db"; + # parentDirectory = { + # mode = "u=rwx,g=,o="; + # }; + # } + # ]; + # directories = [ + # { + # directory = ".gnupg/crls.d"; + # user = "talexander"; + # group = "talexander"; + # mode = "0700"; + # } + # { + # directory = ".gnupg/private-keys-v1.d"; + # user = "talexander"; + # group = "talexander"; + # mode = "0700"; + # } + # ]; + # }; + # }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".gnupg"; + user = "talexander"; + group = "talexander"; + mode = "0700"; + } ]; - services.pcscd.enable = true; + }; + }; - me.install.user.talexander.file = { - ".gnupg/scdaemon.conf" = { - source = ./files/scdaemon.conf; - }; - }; + environment.systemPackages = with pkgs; [ + pcsclite + pcsctools + glibcLocales + ccid + libusb-compat-0_1 + gpg_test_wkd + ]; - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-qt; - # Settings block populates /etc/gnupg/gpg-agent.conf - # settings = { - # }; - }; - - # Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it. 
- # - # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - # hideMounts = true; - # users.talexander = { - # files = [ - # { - # file = ".gnupg/trustdb.gpg"; - # parentDirectory = { - # mode = "u=rwx,g=,o="; - # }; - # } - # { - # file = ".gnupg/pubring.kbx"; - # parentDirectory = { - # mode = "u=rwx,g=,o="; - # }; - # } - # { - # file = ".gnupg/tofu.db"; - # parentDirectory = { - # mode = "u=rwx,g=,o="; - # }; - # } - # ]; - # directories = [ - # { - # directory = ".gnupg/crls.d"; - # user = "talexander"; - # group = "talexander"; - # mode = "0700"; - # } - # { - # directory = ".gnupg/private-keys-v1.d"; - # user = "talexander"; - # group = "talexander"; - # mode = "0700"; - # } - # ]; - # }; - # }; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".gnupg"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - - environment.systemPackages = with pkgs; [ - pcsclite - pcsctools - glibcLocales - ccid - libusb-compat-0_1 - gpg_test_wkd - ]; - - programs.gnupg.agent.enableExtraSocket = true; - } - ] - ); + programs.gnupg.agent.enableExtraSocket = true; + }; } diff --git a/nix/configuration/roles/hydra/default.nix b/nix/configuration/roles/hydra/default.nix index 7175424..88697bc 100644 --- a/nix/configuration/roles/hydra/default.nix +++ b/nix/configuration/roles/hydra/default.nix @@ -1,7 +1,6 @@ { config, lib, - pkgs, ... }: 
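Review bot: The YubiKey udev rules grant `GROUP="wheel", MODE="0660"` on both the USB device and the hidraw node, and the hidraw rule additionally carries `TAG+="uaccess"`; `uaccess` already gives the active seat user an ACL on the device, so the group grant extends access to every wheel member in any session, including non-seat logins such as SSH. If the wider grant is intentional (for example headless use through the extra agent socket enabled by `enableExtraSocket`), a comment above the rules saying so would help; otherwise drop `GROUP="wheel"` from the hidraw rule and rely on `uaccess`. The match is also pinned to a single product ID (`0406`), so other YubiKey models would not receive the rule; a comment naming the targeted model, e.g. `# Only matches the YubiKey model with product ID 0406; extend for other models.`, would make that explicit.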
@@ -17,33 +16,29 @@ }; }; - config = lib.mkIf config.me.hydra.enable ( - lib.mkMerge [ - { - services.hydra = { - enable = true; - hydraURL = "http://localhost:3000"; # Externally visible URL - notificationSender = "hydra@localhost"; # "From" address for hydra emails. - # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = [ ]; - useSubstitutes = true; - }; + config = lib.mkIf config.me.hydra.enable { + services.hydra = { + enable = true; + hydraURL = "http://localhost:3000"; # Externally visible URL + notificationSender = "hydra@localhost"; # "From" address for hydra emails. + # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines + buildMachinesFiles = [ ]; + useSubstitutes = true; + }; - # nix.buildMachines = [ - # { - # hostName = "localhost"; - # protocol = null; - # system = "x86_64-linux"; - # supportedFeatures = [ - # "kvm" - # "nixos-test" - # "big-parallel" - # "benchmark" - # ]; - # maxJobs = 8; - # } - # ]; - } - ] - ); + # nix.buildMachines = [ + # { + # hostName = "localhost"; + # protocol = null; + # system = "x86_64-linux"; + # supportedFeatures = [ + # "kvm" + # "nixos-test" + # "big-parallel" + # "benchmark" + # ]; + # maxJobs = 8; + # } + # ]; + }; } diff --git a/nix/configuration/roles/image_based_appliance/default.nix b/nix/configuration/roles/image_based_appliance/default.nix new file mode 100644 index 0000000..d25d5b1 --- /dev/null +++ b/nix/configuration/roles/image_based_appliance/default.nix 
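Review bot: `hydraURL = "http://localhost:3000"` is only the advertised URL; the NixOS Hydra module's `listenHost` defaults to all interfaces (verify against the module), so the web UI and its login form are bound on every address even though the comment reads as if it were local-only. With the firewall role opening only 22/tcp and 5353/udp the port is not reachable from outside by default, but it remains exposed on hosts where the firewall is disabled or on any other address on the machine; adding `listenHost = "localhost";` next to `hydraURL` would make the binding match the URL.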
@@ -0,0 +1,29 @@ +{ + config, + lib, + ... +}: + +{ + imports = [ ]; + + options.me = { + image_based_appliance.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install image_based_appliance."; + }; + }; + + config = lib.mkIf config.me.image_based_appliance.enable ( + lib.mkMerge [ + { + # Do not install nix. A full new image must be built to update + # the machine. + nix.enable = false; + system.switch.enable = false; + } + ] + ); +} diff --git a/nix/configuration/roles/iso/default.nix b/nix/configuration/roles/iso/default.nix index 58efa42..f09f8c7 100644 --- a/nix/configuration/roles/iso/default.nix +++ b/nix/configuration/roles/iso/default.nix @@ -1,18 +1,22 @@ { - config, lib, - pkgs, ... }: { imports = [ ]; - options.me.buildingIso = lib.mkOption { + options.me.buildingPortable = lib.mkOption { type = lib.types.bool; default = false; example = true; - description = "Whether we are building an ISO image."; + description = "Whether we are building a portable image (iso/sd). This would disable CPU-specific optimizations and persistent file mounts."; }; + options.me.mountPersistence = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we should mount persistent directories."; + }; } diff --git a/nix/configuration/roles/iso_mount/default.nix b/nix/configuration/roles/iso_mount/default.nix index 32c0af6..6d9c536 100644 --- a/nix/configuration/roles/iso_mount/default.nix +++ b/nix/configuration/roles/iso_mount/default.nix @@ -32,14 +32,10 @@ in }; }; - config = lib.mkIf config.me.iso_mount.enable ( - lib.mkMerge [ - { - environment.systemPackages = [ - iso_mount - iso_unmount - ]; - } - ] - ); + config = lib.mkIf config.me.iso_mount.enable { + environment.systemPackages = [ + iso_mount + iso_unmount + ]; + }; } diff --git a/nix/configuration/roles/kanshi/default.nix b/nix/configuration/roles/kanshi/default.nix index be886c4..960b3ea 100644 
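Review bot: This new role wraps a single attribute set in `lib.mkIf ... (lib.mkMerge [ { ... } ])`, which is exactly the one-element `mkMerge` pattern the rest of this commit removes from `ecc`, `flux`, `gnuplot` and the other roles; writing it as `config = lib.mkIf config.me.image_based_appliance.enable { ... };` would keep the roles consistent. The option description `Whether we want to install image_based_appliance.` is the copy-pasted template and does not say what the option does; something like `Make the host an immutable image: disable the nix daemon and in-place system switching so updates require building and deploying a new image.` would tell a reader what they are turning on. It may also be worth a sentence in the comment that `nix.enable = false` presumably leaves the Nix settings from configuration.nix (trusted users, experimental features) without effect on such hosts.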
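Review bot: `mountPersistence` defaults to `false`, while the `!config.me.buildingIso` conditions it replaces throughout this commit defaulted to persisting, so every role switched to `lib.mkIf config.me.mountPersistence` (emacs, firefox, gcloud, gpg, kodi, kubernetes) now loses its `/persist` and `/state` mounts unless each host sets the new option, and no host configuration in this diff sets it. Because the hunk also removes `config` from the module arguments, the option cannot currently be derived from `buildingPortable`; keeping `config,` in the argument list and using `default = !config.me.buildingPortable;` would preserve the previous behaviour and match the `buildingPortable` description, which already claims portable builds disable persistent mounts. The description could then read `Whether we should mount persistent directories; off by default for portable images.`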
--- a/nix/configuration/roles/kanshi/default.nix +++ b/nix/configuration/roles/kanshi/default.nix @@ -26,27 +26,19 @@ in }; }; - config = lib.mkIf config.me.kanshi.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - ]; - } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - kanshi - ]; + config = lib.mkIf (config.me.kanshi.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + kanshi + ]; - me.swayIncludes = [ - exec_kanshi - ]; + me.swayIncludes = [ + exec_kanshi + ]; - me.install.user.talexander.file = { - ".config/kanshi/config" = { - source = ./files/config_kanshi; - }; - }; - }) - ] - ); + me.install.user.talexander.file = { + ".config/kanshi/config" = { + source = ./files/config_kanshi; + }; + }; + }; } diff --git a/nix/configuration/roles/kodi/default.nix b/nix/configuration/roles/kodi/default.nix index 93380e4..1ece357 100644 --- a/nix/configuration/roles/kodi/default.nix +++ b/nix/configuration/roles/kodi/default.nix 
@@ -17,75 +17,67 @@ }; }; - config = lib.mkIf config.me.kodi.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - ]; - } - (lib.mkIf config.me.graphical { - services.cage.user = "kodi"; - services.cage.program = "${pkgs.kodi-wayland}/bin/kodi-standalone"; - services.cage.enable = true; + config = lib.mkIf (config.me.kodi.enable && config.me.graphical) { + services.cage.user = "kodi"; + services.cage.program = "${pkgs.kodi-wayland}/bin/kodi-standalone"; + services.cage.enable = true; - nixpkgs.overlays = [ - (final: prev: { - kodi-wayland = prev.kodi-wayland.withPackages ( - kodiPkgs: with kodiPkgs; [ - joystick - vfs-sftp - ] - ); - }) - ]; - - users.users.kodi = { - isNormalUser = true; - createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481 - group = "kodi"; - extraGroups = [ ]; - uid = 12000; - packages = with pkgs; [ - tree - ]; - # Generate with `mkpasswd -m scrypt` - hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=" - ]; - }; - users.groups.kodi.gid = 12000; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.kodi = { - directories = [ - { - directory = ".ssh"; - user = "kodi"; - group = "kodi"; - mode = "0755"; - } - { - directory = ".kodi"; - user = "kodi"; - group = "kodi"; - mode = "0755"; - } - ]; - }; - }; - - # home.file.".kodi/userdata/mediasources.xml".source = ./files/mediasources.xml; - - # 
home.file.".kodi/userdata/addon_data/peripheral.joystick/resources/buttonmaps/xml/linux/DualSense_Wireless_Controller_13b_8a.xml".source = - # ./files/DualSense_Wireless_Controller_13b_8a.xml; - - # TODO: Maybe .kodi/userdata/sources.xml - # TODO: ./userdata/guisettings.xml:303: 128 + nixpkgs.overlays = [ + (final: prev: { + kodi-wayland = prev.kodi-wayland.withPackages ( + kodiPkgs: with kodiPkgs; [ + joystick + vfs-sftp + ] + ); }) - ] - ); + ]; + + users.users.kodi = { + isNormalUser = true; + createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481 + group = "kodi"; + extraGroups = [ ]; + uid = 12000; + packages = with pkgs; [ + tree + ]; + # Generate with `mkpasswd -m scrypt` + hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=" + ]; + }; + users.groups.kodi.gid = 12000; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.kodi = { + directories = [ + { + directory = ".ssh"; + user = "kodi"; + group = "kodi"; + mode = "0755"; + } + { + directory = ".kodi"; + user = "kodi"; + group = "kodi"; + mode = "0755"; + } + ]; + }; + }; + + # home.file.".kodi/userdata/mediasources.xml".source = ./files/mediasources.xml; + + # home.file.".kodi/userdata/addon_data/peripheral.joystick/resources/buttonmaps/xml/linux/DualSense_Wireless_Controller_13b_8a.xml".source = + # ./files/DualSense_Wireless_Controller_13b_8a.xml; + + # TODO: Maybe .kodi/userdata/sources.xml + # TODO: ./userdata/guisettings.xml:303: 128 + }; } 
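Review bot: The persisted `.ssh` directory for the `kodi` user is mounted with `mode = "0755"` (and `.kodi` likewise), whereas the other roles in this commit use `0700` for credential-bearing directories such as `.gnupg` and `.mozilla`; anything created under `~kodi/.ssh` (a generated key pair, known_hosts) is then readable by every local user, and the `.kodi/userdata` tree, where the `vfs-sftp` add-on's source credentials would presumably be stored, is likewise world-readable. Changing both entries to `mode = "0700"` costs nothing here because Kodi runs as this user under cage. Separately, the kiosk account is given both a `hashedPassword` and three SSH keys; if interactive login as `kodi` is not needed, dropping the password hash reduces the surface, and a comment explaining why the kiosk user accepts SSH logins would help the next reader.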
diff --git a/nix/configuration/roles/kubernetes/default.nix b/nix/configuration/roles/kubernetes/default.nix index bee0b72..05af910 100644 --- a/nix/configuration/roles/kubernetes/default.nix +++ b/nix/configuration/roles/kubernetes/default.nix @@ -56,38 +56,34 @@ in }; }; - config = lib.mkIf config.me.kubernetes.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - kubectl - kubeswitch - stern - alias_kx - alias_ks - alias_k - alias_ka - alias_kdel - alias_kd - alias_klog - decrypt_k8s_secret - ingress2gateway # Convert ingress yaml to gateway yaml - ]; + config = lib.mkIf config.me.kubernetes.enable { + environment.systemPackages = with pkgs; [ + kubectl + kubeswitch + stern + alias_kx + alias_ks + alias_k + alias_ka + alias_kdel + alias_kd + alias_klog + decrypt_k8s_secret + ingress2gateway # Convert ingress yaml to gateway yaml + ]; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".kube"; - user = "talexander"; - group = "talexander"; - mode = "0750"; - } - ]; - }; - }; - } - ] - ); + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".kube"; + user = "talexander"; + group = "talexander"; + mode = "0750"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/latex/default.nix b/nix/configuration/roles/latex/default.nix index f24573e..378e3f4 100644 --- a/nix/configuration/roles/latex/default.nix +++ b/nix/configuration/roles/latex/default.nix 
@@ -17,42 +17,36 @@ }; }; - config = lib.mkIf config.me.latex.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - tex - ]; - } - { - nixpkgs.overlays = [ - (final: prev: { - tex = ( - pkgs.texlive.combine { - inherit (pkgs.texlive) - scheme-basic - dvisvgm - dvipng # for preview and export as html in org-mode - wrapfig - amsmath - ulem - hyperref - capt-of - svg # emacs org-mode pdf export - catchfile # emacs org-mode pdf export - xcolor # emacs org-mode pdf export - transparent # emacs org-mode pdf export - pgf # emacs org-mode pdf export - minted # emacs org-mode pdf export code block highlighting - upquote # emacs org-mode pdf export - lineno # emacs org-mode pdf export - ; - } - ); - }) - ]; + config = lib.mkIf config.me.latex.enable { + environment.systemPackages = with pkgs; [ + tex + ]; - } - ] - ); + nixpkgs.overlays = [ + (final: prev: { + tex = ( + pkgs.texlive.combine { + inherit (pkgs.texlive) + scheme-basic + dvisvgm + dvipng # for preview and export as html in org-mode + wrapfig + amsmath + ulem + hyperref + capt-of + svg # emacs org-mode pdf export + catchfile # emacs org-mode pdf export + xcolor # emacs org-mode pdf export + transparent # emacs org-mode pdf export + pgf # emacs org-mode pdf export + minted # emacs org-mode pdf export code block highlighting + upquote # emacs org-mode pdf export + lineno # emacs org-mode pdf export + ; + } + ); + }) + ]; + }; } diff --git a/nix/configuration/roles/launch_keyboard/default.nix b/nix/configuration/roles/launch_keyboard/default.nix index 0587ccb..810394a 100644 --- a/nix/configuration/roles/launch_keyboard/default.nix +++ b/nix/configuration/roles/launch_keyboard/default.nix 
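Review bot: Inside the overlay, `tex` is built from `pkgs.texlive.combine` / `inherit (pkgs.texlive)` rather than from `final.texlive`; an overlay that reads `pkgs` bypasses any other overlay applied to `texlive`, and since `pkgs` in a module is the already-overlaid set it can turn into an infinite recursion if this overlay is ever extended to touch something `texlive` depends on. The conventional form is `final.texlive.combine { inherit (final.texlive) scheme-basic … ; }`, the same `final.`-based pattern the openpgp_card_tools overlay in this commit already uses. This is pre-existing code that the commit only re-indents, so it is a follow-up rather than a blocker.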
@@ -17,32 +17,28 @@ }; }; - config = lib.mkIf config.me.launch_keyboard.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - system76-keyboard-configurator - dfu-programmer # For flashing keyboard https://support.system76.com/articles/launch_2-firmware-update/ - avrdude # For flashing keyboard https://support.system76.com/articles/launch_2-firmware-update/ - lxqt.lxqt-policykit # Need a polkit agent to launch the keyboard configurator - ]; + config = lib.mkIf (config.me.launch_keyboard.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + system76-keyboard-configurator + dfu-programmer # For flashing keyboard https://support.system76.com/articles/launch_2-firmware-update/ + avrdude # For flashing keyboard https://support.system76.com/articles/launch_2-firmware-update/ + lxqt.lxqt-policykit # Need a polkit agent to launch the keyboard configurator + ]; - systemd = { - user.services.lxqt-policykit-agent = { - description = "lxqt-policykit-agent"; - wantedBy = [ "graphical-session.target" ]; - wants = [ "graphical-session.target" ]; - after = [ "graphical-session.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.lxqt.lxqt-policykit}/bin/lxqt-policykit-agent"; - Restart = "on-failure"; - RestartSec = 1; - TimeoutStopSec = 10; - }; - }; + systemd = { + user.services.lxqt-policykit-agent = { + description = "lxqt-policykit-agent"; + wantedBy = [ "graphical-session.target" ]; + wants = [ "graphical-session.target" ]; + after = [ "graphical-session.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.lxqt.lxqt-policykit}/bin/lxqt-policykit-agent"; + Restart = "on-failure"; + RestartSec = 1; + TimeoutStopSec = 10; }; - }) - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/lvfs/default.nix b/nix/configuration/roles/lvfs/default.nix index bcce856..1286165 100644 --- a/nix/configuration/roles/lvfs/default.nix 
+++ b/nix/configuration/roles/lvfs/default.nix @@ -22,7 +22,7 @@ { # TODO: Is this installing firmware or just downloading it? services.fwupd.enable = true; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; directories = [ { diff --git a/nix/configuration/roles/memtest86/default.nix b/nix/configuration/roles/memtest86/default.nix index 490071a..1d336d6 100644 --- a/nix/configuration/roles/memtest86/default.nix +++ b/nix/configuration/roles/memtest86/default.nix @@ -7,15 +7,27 @@ { imports = [ ]; - config = lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - memtest86plus - ]; - } - # (lib.mkIf (config.me.buildingIso) { - # boot.loader.systemd-boot.memtest86.enable = true; - # boot.loader.grub.memtest86.enable = true; - # }) - ]; + + options.me = { + memtest.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install memtest."; + }; + }; + + config = lib.mkIf config.me.memtest.enable ( + lib.mkMerge [ + { + environment.systemPackages = with pkgs; [ + memtest86plus + ]; + } + # (lib.mkIf (config.me.buildingPortable) { + # boot.loader.systemd-boot.memtest86.enable = true; + # boot.loader.grub.memtest86.enable = true; + # }) + ] + ); } diff --git a/nix/configuration/roles/network/default.nix b/nix/configuration/roles/network/default.nix index 59eed75..3ec37e7 100644 --- a/nix/configuration/roles/network/default.nix +++ b/nix/configuration/roles/network/default.nix @@ -2,7 +2,6 @@ config, lib, pkgs, - pkgs-dda3dcd3f, ... }: 
@@ -19,114 +18,108 @@ { imports = [ ]; - networking.dhcpcd.enable = lib.mkDefault false; - networking.useDHCP = lib.mkDefault false; - networking.nameservers = [ - "194.242.2.2#doh.mullvad.net" - "2a07:e340::2#doh.mullvad.net" - ]; - services.resolved = { - enable = true; - # dnssec = "true"; - domains = [ "~." ]; - fallbackDns = [ ]; - dnsovertls = "true"; - }; - - # Without this, systemd-resolved will send DNS requests for .home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection hanging and timing out. This causes firefox startup to take an extra 10+ seconds. - # - # Test with: drill @127.0.0.53 odo.home.arpa - # TODO: The 127.0.0.1 address should probably be moved to a host-specific file. - networking.extraHosts = '' - 127.0.0.1 ${config.networking.hostName}.home.arpa - 10.216.1.1 homeserver - 10.216.1.6 media - 10.216.1.12 odo - 10.216.1.14 neelix - 10.216.1.15 quark - 10.217.1.1 drmario - 10.217.2.1 mrmanager - ''; - - networking.wireless.iwd = { - enable = true; - - settings = { - General = { - EnableNetworkConfiguration = true; - AddressRandomization = "network"; - }; - # Rank = { - # BandModifier2_4GHz = 1.0; - # BandModifier5GHz = 1.0; - # BandModifier6GHz = 1.0; - # }; - DriverQuirks = { - PowerSaveDisable = "*"; - # ath12k_pci - }; - # Scan = { - # DisablePeriodicScan = true; - # DisableRoamingScan = true; - # }; + options.me = { + network.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install network."; }; }; - environment.systemPackages = with pkgs; [ - iw - iwd - ldns # for drill - arp-scan # To find devices on the network - wavemon - dhcpcd # For Android USB tethering. 
- ]; - boot.extraModprobeConfig = '' - # Set wifi to US - options cfg80211 ieee80211_regdom=US - ''; + config = lib.mkIf config.me.network.enable { + networking.dhcpcd.enable = lib.mkDefault false; + networking.useDHCP = lib.mkDefault false; + networking.nameservers = [ + "194.242.2.2#doh.mullvad.net" + "2a07:e340::2#doh.mullvad.net" + ]; + services.resolved = { + enable = true; + # dnssec = "true"; + domains = [ "~." ]; + fallbackDns = [ ]; + dnsovertls = "true"; + }; - boot.kernel.sysctl = { - # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected. - "net.ipv4.tcp_mtu_probing" = 1; - # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi. - # We set this in the kernel config, but include this here for unoptimized builds. - "net.ipv4.tcp_congestion_control" = "bbr"; - # Don't do a slow start after a connection has been idle for a single RTO. - "net.ipv4.tcp_slow_start_after_idle" = 0; - # 3x time to accumulate filesystem changes before flushing to disk. - "vm.dirty_writeback_centisecs" = 1500; - # Adjust ttl - "net.ipv4.ip_default_ttl" = 65; - "net.ipv6.conf.all.hop_limit" = 65; - "net.ipv6.conf.default.hop_limit" = 65; - # Enable IPv6 Privacy Extensions - "net.ipv6.conf.all.use_tempaddr" = 2; - # Enable IPv6 Privacy Extensions - # This is enabled by default in nixos. - # "net.ipv6.conf.default.use_tempaddr" = 2; + # Without this, systemd-resolved will send DNS requests for .home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection hanging and timing out. This causes firefox startup to take an extra 10+ seconds. + # + # Test with: drill @127.0.0.53 odo.home.arpa + # TODO: The 127.0.0.1 address should probably be moved to a host-specific file. 
+ networking.extraHosts = '' + 127.0.0.1 ${config.networking.hostName}.home.arpa + 10.216.1.1 homeserver + 10.216.1.6 media + 10.216.1.12 odo + 10.216.1.14 neelix + 10.216.1.15 quark + 10.217.1.1 drmario + 10.217.2.1 mrmanager + ''; + + networking.wireless.iwd = { + enable = true; + + settings = { + General = { + EnableNetworkConfiguration = true; + AddressRandomization = "network"; + }; + # Rank = { + # BandModifier2_4GHz = 1.0; + # BandModifier5GHz = 1.0; + # BandModifier6GHz = 1.0; + # }; + DriverQuirks = { + PowerSaveDisable = "*"; + # ath12k_pci + }; + # Scan = { + # DisablePeriodicScan = true; + # DisableRoamingScan = true; + # }; + }; + }; + environment.systemPackages = with pkgs; [ + iw + iwd + ldns # for drill + arp-scan # To find devices on the network + wavemon + dhcpcd # For Android USB tethering. + ]; + + boot.extraModprobeConfig = '' + # Set wifi to US + options cfg80211 ieee80211_regdom=US + ''; + + boot.kernel.sysctl = { + # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected. + "net.ipv4.tcp_mtu_probing" = 1; + # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi. + # We set this in the kernel config, but include this here for unoptimized builds. + "net.ipv4.tcp_congestion_control" = "bbr"; + # Don't do a slow start after a connection has been idle for a single RTO. + "net.ipv4.tcp_slow_start_after_idle" = 0; + # 3x time to accumulate filesystem changes before flushing to disk. + "vm.dirty_writeback_centisecs" = 1500; + # Adjust ttl + "net.ipv4.ip_default_ttl" = 65; + "net.ipv6.conf.all.hop_limit" = 65; + "net.ipv6.conf.default.hop_limit" = 65; + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + # Enable IPv6 Privacy Extensions + # This is enabled by default in nixos. 
+ # "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + directories = [ + "/var/lib/iwd" # Wifi settings + ]; + }; }; - - # nixpkgs.overlays = [ - # (final: prev: { - # inherit (pkgs-dda3dcd3f) - # linux-firmware - # ; - # }) - # ]; - - # nixpkgs.overlays = [ - # (final: prev: { - # linux-firmware = prev.linux-firwmare.overrideAttrs (old: rec { - # version = "20250917"; - - # src = final.fetchFromGitLab { - # owner = "kernel-firmware"; - # repo = "linux-firmware"; - # tag = version; - # hash = "sha256-tecFB6WYEfBK9FB7Rv8nHLdefIoaFnHrpzXBl+iSd08="; - # }; - # }); - # }) - # ]; - } diff --git a/nix/configuration/roles/nix_index/default.nix b/nix/configuration/roles/nix_index/default.nix index 81f392e..ee75260 100644 --- a/nix/configuration/roles/nix_index/default.nix +++ b/nix/configuration/roles/nix_index/default.nix @@ -17,28 +17,23 @@ }; }; - config = lib.mkIf config.me.nix_index.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - nix-index-unwrapped + config = lib.mkIf config.me.nix_index.enable { + environment.systemPackages = with pkgs; [ + nix-index-unwrapped + ]; + + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".cache/nix-index"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; - - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".cache/nix-index"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - - } - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/nix_worker/default.nix b/nix/configuration/roles/nix_worker/default.nix index 97164b3..7244e98 100644 --- a/nix/configuration/roles/nix_worker/default.nix +++ b/nix/configuration/roles/nix_worker/default.nix 
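Review bot: The whole role is now gated on the new `me.network.enable` option, which defaults to `false`, so the resolver (DNS-over-TLS to Mullvad with `fallbackDns = [ ]`), iwd with address randomization, the regdom modprobe line and the IPv6 privacy sysctls all drop off any host that does not explicitly set it; such a host presumably falls back to NixOS defaults (DHCP-supplied plaintext DNS), which is a quiet downgrade rather than a visible failure. Either default the option to `true` for this role or confirm every host that relied on it enables it in the same change. Separately, `/var/lib/iwd` is persisted in the bare-string form and so gets default ownership and mode, yet iwd writes its network profiles, including Wi-Fi passphrases, into that directory; spell it out like the other entries in this commit: `{ directory = "/var/lib/iwd"; user = "root"; group = "root"; mode = "0700"; }`. The `# dnssec = "true";` line is carried over still commented out; a one-line comment saying why it is off would keep the next reader from re-enabling it blindly. The same flattening is applied to nix_index in this hunk's neighbour and looks correct there.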
@@ -13,7 +13,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
 
@@ -29,29 +28,25 @@ }; }; - config = lib.mkIf config.me.nix_worker.enable ( - lib.mkMerge [ - { - nix.settings.trusted-users = [ "nixworker" ]; + config = lib.mkIf config.me.nix_worker.enable { + nix.settings.trusted-users = [ "nixworker" ]; - users.users.nixworker = { - isNormalUser = true; - createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481 - group = "nixworker"; - # extraGroups = [ "wheel" ]; - # Generate with `mkpasswd -m scrypt` - hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48"; - openssh.authorizedKeys.keys = [ - # Normal keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=" - # Key for nix to connect: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo" - ]; - }; - users.groups.nixworker = { }; - } - ] - ); + users.users.nixworker = { + isNormalUser = true; + createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481 + group = "nixworker"; + # extraGroups = [ "wheel" ]; + # Generate with `mkpasswd -m scrypt` + hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48"; + openssh.authorizedKeys.keys = [ + # Normal keys: + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo=" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo=" + # Key for nix to connect: + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo" + ]; + }; + users.groups.nixworker = { }; + }; } diff --git a/nix/configuration/roles/nvme/default.nix b/nix/configuration/roles/nvme/default.nix index 76cb0be..646ae6d 100644 --- a/nix/configuration/roles/nvme/default.nix +++ b/nix/configuration/roles/nvme/default.nix @@ -8,7 +8,18 @@ { imports = [ ]; - environment.systemPackages = with pkgs; [ - nvme-cli - ]; + options.me = { + nvme.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install nvme."; + }; + }; + + config = lib.mkIf config.me.nvme.enable { + environment.systemPackages = with pkgs; [ + nvme-cli + ]; + }; } diff --git a/nix/configuration/roles/openpgp_card_tools/default.nix b/nix/configuration/roles/openpgp_card_tools/default.nix index 262cc12..f9e5f31 100644 --- a/nix/configuration/roles/openpgp_card_tools/default.nix +++ b/nix/configuration/roles/openpgp_card_tools/default.nix 
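Review bot: `users.users.nixworker.hashedPassword` is the same scrypt hash that the `kodi` user receives elsewhere in this commit (and that `talexander` already has), so one guessed or leaked password unlocks every account on the host; for a remote-builder account reached only over SSH with the listed keys the line can simply be dropped, which — assuming `users.mutableUsers = false` still applies — leaves the account with no usable password at all. Since `nix.settings.trusted-users = [ "nixworker" ]` lets that account set substituters and sandbox options, which the Nix manual describes as essentially root access, its credentials deserve the tightest treatment of any user here. The `# Key for nix to connect:` entry could also carry the OpenSSH `restrict` option (`"restrict ssh-ed25519 AAAA… talexander@odo"`), since remote builds need command execution but not a pty or forwarding; confirm a build still succeeds with it before relying on it. The hash duplication is pre-existing and only re-indented by this commit, so this is a follow-up rather than a blocker.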
@@ -19,31 +19,27 @@ }; }; - config = lib.mkIf config.me.openpgp_card_tools.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - openpgp-card-tools - openpgp-card-tool-git - openpgp-card-ssh-agent - ]; + config = lib.mkIf config.me.openpgp_card_tools.enable { + environment.systemPackages = with pkgs; [ + openpgp-card-tools + openpgp-card-tool-git + openpgp-card-ssh-agent + ]; - nixpkgs.overlays = [ - (final: prev: { - openpgp-card-tool-git = (final.callPackage ./package/openpgp-card-tool-git/package.nix { }); - openpgp-card-ssh-agent = (final.callPackage ./package/openpgp-card-ssh-agent/package.nix { }); - }) - ]; + nixpkgs.overlays = [ + (final: prev: { + openpgp-card-tool-git = (final.callPackage ./package/openpgp-card-tool-git/package.nix { }); + openpgp-card-ssh-agent = (final.callPackage ./package/openpgp-card-ssh-agent/package.nix { }); + }) + ]; - me.install.user.talexander.file = { - ".config/openpgp-card-state/config.toml" = { - source = ./files/openpgp-card-state.toml; - }; - }; + me.install.user.talexander.file = { + ".config/openpgp-card-state/config.toml" = { + source = ./files/openpgp-card-state.toml; + }; + }; - # The current openpgp-card-ssh-agent has an outdated dependency on openpgp-card-state which makes it not handle my current openpgp-card-state.toml - # services.openpgp-card-ssh-agent.enable = true; - } - ] - ); + # The current openpgp-card-ssh-agent has an outdated dependency on openpgp-card-state which makes it not handle my current openpgp-card-state.toml + # services.openpgp-card-ssh-agent.enable = true; + }; } diff --git a/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix b/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix index c620b6b..17489bf 100644 --- a/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix +++ b/nix/configuration/roles/openpgp_card_tools/openpgp-card-ssh-agent.nix 
@@ -9,13 +9,7 @@ let inherit (lib) mkIf - mkOption - mkEnableOption mkPackageOption - mkDefault - types - concatMapStringsSep - generators ; cfg = config.services.openpgp-card-ssh-agent; in diff --git a/nix/configuration/roles/optimized_build/default.nix b/nix/configuration/roles/optimized_build/default.nix index 8768e83..27ed12b 100644 --- a/nix/configuration/roles/optimized_build/default.nix +++ b/nix/configuration/roles/optimized_build/default.nix @@ -31,7 +31,6 @@ "gccarch-znver4" "gccarch-znver5" "gccarch-skylake" - # "gccarch-alderlake" missing WAITPKG "gccarch-x86-64-v3" "gccarch-x86-64-v4" "benchmark" @@ -99,9 +98,10 @@ ) (final: prev: { inherit (pkgs-unoptimized) + assimp + binaryen gsl rapidjson - assimp ; }) ]; @@ -115,6 +115,5 @@ } ] )) - ]; } diff --git a/nix/configuration/roles/pcsx2/default.nix b/nix/configuration/roles/pcsx2/default.nix index a5866da..c303a2b 100644 --- a/nix/configuration/roles/pcsx2/default.nix +++ b/nix/configuration/roles/pcsx2/default.nix 
@@ -17,77 +17,73 @@ }; }; - config = lib.mkIf config.me.pcsx2.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - pcsx2 + config = lib.mkIf (config.me.pcsx2.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + pcsx2 + ]; + + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # Shaders, games list, and achievement data. + directory = ".config/PCSX2/cache"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Save states. + directory = ".config/PCSX2/sstates"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Screenshots. + directory = ".config/PCSX2/snaps"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Game covers. + directory = ".config/PCSX2/covers"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Video recordings. + directory = ".config/PCSX2/videos"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; + }; + }; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Shaders, games list, and achievement data. - directory = ".config/PCSX2/cache"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Save states. - directory = ".config/PCSX2/sstates"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Screenshots. - directory = ".config/PCSX2/snaps"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Game covers. - directory = ".config/PCSX2/covers"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Video recordings. 
- directory = ".config/PCSX2/videos"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # Game saves + directory = ".config/PCSX2/memcards"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Game saves - directory = ".config/PCSX2/memcards"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - - me.install.user.talexander.file = { - ".config/PCSX2/inis/PCSX2.ini" = { - source = ./files/PCSX2.ini; - }; - }; - }) - ] - ); + me.install.user.talexander.file = { + ".config/PCSX2/inis/PCSX2.ini" = { + source = ./files/PCSX2.ini; + }; + }; + }; } diff --git a/nix/configuration/roles/podman/default.nix b/nix/configuration/roles/podman/default.nix index c4e9584..ba4abe6 100644 --- a/nix/configuration/roles/podman/default.nix +++ b/nix/configuration/roles/podman/default.nix 
@@ -17,64 +17,59 @@ }; }; - config = lib.mkIf config.me.podman.enable ( - lib.mkMerge [ + config = lib.mkIf config.me.podman.enable { + assertions = [ { - assertions = [ + assertion = !config.me.docker.enable; + message = "podman conflicts with docker"; + } + ]; + + environment.systemPackages = with pkgs; [ + dive + podman-tui + podman-compose + ]; + + # Write config files in /etc/containers + virtualisation.containers.enable = true; + # By default this includes "quay.io" which leads to prompting for which registry to download from. + virtualisation.containers.registries.search = [ "docker.io" ]; + virtualisation = { + podman = { + enable = true; + # Install docker shim + dockerCompat = true; + # Support name resolution in podman-compose. + defaultNetwork.settings.dns_enabled = true; + }; + }; + + environment.variables = { + # For compatibility with tools expecting a docker socket (like dive). + DOCKER_HOST = "unix://$XDG_RUNTIME_DIR/podman/podman.sock"; + }; + + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + directories = [ + { + directory = "/var/lib/containers"; + user = "root"; + group = "root"; + mode = "0755"; + } + ]; + users.talexander = { + directories = [ { - assertion = !config.me.docker.enable; - message = "podman conflicts with docker"; + directory = ".local/share/containers"; + user = "talexander"; + group = "talexander"; + mode = "0700"; } ]; - } - { - environment.systemPackages = with pkgs; [ - dive - podman-tui - podman-compose - ]; - - # Write config files in /etc/containers - virtualisation.containers.enable = true; - # By default this includes "quay.io" which leads to prompting for which registry to download from. - virtualisation.containers.registries.search = [ "docker.io" ]; - virtualisation = { - podman = { - enable = true; - # Install docker shim - dockerCompat = true; - # Support name resolution in podman-compose. 
- defaultNetwork.settings.dns_enabled = true; - }; - }; - - environment.variables = { - # For compatibility with tools expecting a docker socket (like dive). - DOCKER_HOST = "unix://$XDG_RUNTIME_DIR/podman/podman.sock"; - }; - - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - directories = [ - { - directory = "/var/lib/containers"; - user = "root"; - group = "root"; - mode = "0755"; - } - ]; - users.talexander = { - directories = [ - { - directory = ".local/share/containers"; - user = "talexander"; - group = "talexander"; - mode = "0700"; - } - ]; - }; - }; - } - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/python/default.nix b/nix/configuration/roles/python/default.nix index 015760b..052c7f7 100644 --- a/nix/configuration/roles/python/default.nix +++ b/nix/configuration/roles/python/default.nix 
@@ -17,38 +17,35 @@ }; }; - config = lib.mkIf config.me.python.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - (python3.withPackages (python-pkgs: [ - python-pkgs.distro # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py - python-pkgs.pyudev # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py - python-pkgs.systemd # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py - python-pkgs.packaging # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py - ])) - poetry - pyright - isort - black - uv - ]; + config = lib.mkIf config.me.python.enable { + environment.systemPackages = with pkgs; [ + # (python3.withPackages (python-pkgs: [ + # python-pkgs.distro # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py + # python-pkgs.pyudev # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py + # python-pkgs.systemd # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py + # python-pkgs.packaging # For https://gitlab.freedesktop.org/drm/amd/-/blob/master/scripts/amd_s2idle.py + # ])) + python3 + poetry + pyright + isort + black + uv + ]; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Poetry virtual environments. - directory = ".cache/pypoetry"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - } - ] - ); + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # Poetry virtual environments. + directory = ".cache/pypoetry"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/qemu/default.nix b/nix/configuration/roles/qemu/default.nix index be098aa..edfba5a 100644 
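Review bot: The new `environment.systemPackages` list keeps the old `python3.withPackages` block as six commented-out lines directly above the replacement `python3`, which is dead code the next reader has to reconcile against the amd_s2idle.py script to understand. Either delete it or collapse it to a single line such as `# amd_s2idle.py deps (distro, pyudev, systemd, packaging) were dropped here; re-add via python3.withPackages if the script is needed again.` The mkMerge flattening itself matches the other roles in this commit and looks correct.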
--- a/nix/configuration/roles/qemu/default.nix +++ b/nix/configuration/roles/qemu/default.nix @@ -52,14 +52,10 @@ in }; }; - config = lib.mkIf config.me.qemu.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - qemu - qemurc_wrapped - ]; - } - ] - ); + config = lib.mkIf config.me.qemu.enable { + environment.systemPackages = with pkgs; [ + qemu + qemurc_wrapped + ]; + }; } diff --git a/nix/configuration/roles/reset/default.nix b/nix/configuration/roles/reset/default.nix index a5e5cb1..7ce384c 100644 --- a/nix/configuration/roles/reset/default.nix +++ b/nix/configuration/roles/reset/default.nix @@ -1,7 +1,5 @@ { - config, lib, - pkgs, ... }: diff --git a/nix/configuration/roles/rpcs3/default.nix b/nix/configuration/roles/rpcs3/default.nix index 7d2d074..df41ecb 100644 --- a/nix/configuration/roles/rpcs3/default.nix +++ b/nix/configuration/roles/rpcs3/default.nix 
@@ -48,139 +48,135 @@ in }; }; - config = lib.mkIf config.me.rpcs3.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - rpcs3 - ]; + config = lib.mkIf (config.me.rpcs3.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + rpcs3 + ]; - security.pam.loginLimits = [ + security.pam.loginLimits = [ + { + domain = "@wheel"; + item = "memlock"; + type = "hard"; + value = "unlimited"; + } + { + domain = "@wheel"; + item = "memlock"; + type = "soft"; + value = "unlimited"; + } + ]; + + me.install.user.talexander.file = { + ".config/rpcs3/config.yml" = lib.mkIf (config.me.rpcs3.config != null) { + source = rpcs3_config_yaml; + }; + ".config/rpcs3/GuiConfigs/CurrentSettings.ini" = { + source = ./files/CurrentSettings.ini; + }; + ".config/rpcs3/custom_configs/config_BLUS30443.yml" = { + # Demon's Souls per-game config. + source = ./files/config_BLUS30443.yml; + }; + ".config/rpcs3/patches/patch.yml" = { + # All of the available patches. + source = ./files/patch.yml; + }; + ".config/rpcs3/patch_config.yml" = { + # Patches that I have enabled. + source = ./files/patch_config.yml; + }; + }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ { - domain = "@wheel"; - item = "memlock"; - type = "hard"; - value = "unlimited"; + # Location of ROMs. 
+ directory = ".config/rpcs3/games"; + user = "talexander"; + group = "talexander"; + mode = "0755"; } { - domain = "@wheel"; - item = "memlock"; - type = "soft"; - value = "unlimited"; + directory = ".config/rpcs3/dev_hdd0"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + directory = ".config/rpcs3/dev_hdd1"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + directory = ".config/rpcs3/savestates"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + directory = ".config/rpcs3/dev_usb000"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Seems to be where the firmware is installed. + directory = ".config/rpcs3/dev_flash"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Controller config. + directory = ".config/rpcs3/input_configs"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Game icons. + directory = ".config/rpcs3/Icons"; + user = "talexander"; + group = "talexander"; + mode = "0755"; } ]; + files = [ + { + # play times and recently played + file = ".config/rpcs3/GuiConfigs/persistent_settings.dat"; + parentDirectory = { + mode = "0755"; + }; + } + { + # Netplay (RPCN) config and credentials + file = ".config/rpcs3/rpcn.yml"; + parentDirectory = { + mode = "0755"; + }; + } + ]; + }; + }; - me.install.user.talexander.file = { - ".config/rpcs3/config.yml" = lib.mkIf (config.me.rpcs3.config != null) { - source = rpcs3_config_yaml; - }; - ".config/rpcs3/GuiConfigs/CurrentSettings.ini" = { - source = ./files/CurrentSettings.ini; - }; - ".config/rpcs3/custom_configs/config_BLUS30443.yml" = { - # Demon's Souls per-game config. - source = ./files/config_BLUS30443.yml; - }; - ".config/rpcs3/patches/patch.yml" = { - # All of the available patches. - source = ./files/patch.yml; - }; - ".config/rpcs3/patch_config.yml" = { - # Patches that I have enabled. 
- source = ./files/patch_config.yml; - }; - }; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Location of ROMs. - directory = ".config/rpcs3/games"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - directory = ".config/rpcs3/dev_hdd0"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - directory = ".config/rpcs3/dev_hdd1"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - directory = ".config/rpcs3/savestates"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - directory = ".config/rpcs3/dev_usb000"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Seems to be where the firmware is installed. - directory = ".config/rpcs3/dev_flash"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Controller config. - directory = ".config/rpcs3/input_configs"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Game icons. 
- directory = ".config/rpcs3/Icons"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - files = [ - { - # play times and recently played - file = ".config/rpcs3/GuiConfigs/persistent_settings.dat"; - parentDirectory = { - mode = "0755"; - }; - } - { - # Netplay (RPCN) config and credentials - file = ".config/rpcs3/rpcn.yml"; - parentDirectory = { - mode = "0755"; - }; - } - ]; - }; - }; - - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".cache/rpcs3"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - }) - ] - ); + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".cache/rpcs3"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/rust/default.nix b/nix/configuration/roles/rust/default.nix index 4ac6cb2..df37744 100644 --- a/nix/configuration/roles/rust/default.nix +++ b/nix/configuration/roles/rust/default.nix 
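Review bot: `security.pam.loginLimits` raises `memlock` to `unlimited` (hard and soft) for the whole `@wheel` group whenever rpcs3 is enabled on a graphical host, so every admin login and everything it spawns can pin unbounded RAM — a host-wide denial-of-service lever rather than an emulator setting. Scoping it to the account that actually runs rpcs3 (`domain = "talexander";`) or to a large finite value keeps the benefit without extending it to all wheel members, and a comment on why rpcs3 needs it would help. In the `/persist` block, `.config/rpcs3/rpcn.yml` is described as holding netplay credentials, but only `parentDirectory.mode` is set, so the file's own permissions are whatever rpcs3 creates; worth confirming it is not group- or world-readable. Both items are pre-existing and only re-indented by this commit.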
@@ -35,105 +35,101 @@ in }; }; - config = lib.mkIf config.me.rust.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - rustup - lldb # for lldb-vscode - musl # for building static binaries - cargo-semver-checks - # ? cargo-bloat - # ? cargo-outdated - # ? cargo-public-api + config = lib.mkIf config.me.rust.enable { + environment.systemPackages = with pkgs; [ + rustup + lldb # for lldb-vscode + musl # for building static binaries + cargo-semver-checks + # ? cargo-bloat + # ? cargo-outdated + # ? cargo-public-api + ]; + + me.install.user.talexander.file = { + ".cargo/config.toml" = { + source = ./files/cargo_config.toml; + }; + ".rustup/settings.toml" = { + source = ./files/rustup_settings.toml; + }; + }; + + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".rustup"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + directory = ".cargo/registry"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; + }; + }; - me.install.user.talexander.file = { - ".cargo/config.toml" = { - source = ./files/cargo_config.toml; - }; - ".rustup/settings.toml" = { - source = ./files/rustup_settings.toml; - }; - }; + systemd.services.link-rust-creds = { + # Contains credentials so it cannot be added to the nix store + enable = true; + description = "link-rust-creds"; + wantedBy = [ "multi-user.target" ]; + wants = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + # path = with pkgs; [ + # zfs + # ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + script = '' + if [ -e /persist/manual/rust/cargo_credentials.toml ]; then + install --directory --owner talexander --group talexander --mode 0755 /home/talexander/.cargo + ln -s /persist/manual/rust/cargo_credentials.toml /home/talexander/.cargo/credentials.toml + fi + ''; + preStop = '' + rm -f 
/home/talexander/.cargo/credentials.toml + ''; + }; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".rustup"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - directory = ".cargo/registry"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } + nixpkgs.overlays = [ + (final: prev: { + rustup = pkgs.symlinkJoin { + name = "rustup"; + paths = + (builtins.map (cargo_wrapped prev.rustup) [ + "cargo" + "cargo-clippy" + "cargo-fmt" + "cargo-miri" + "clippy-driver" + "rls" + "rust-analyzer" + "rust-gdb" + "rust-gdbgui" + "rust-lldb" + "rustc" + "rustdoc" + "rustfmt" + "rustup" + ]) + ++ [ + prev.rustup ]; - }; + nativeBuildInputs = [ pkgs.makeWrapper ]; }; - - systemd.services.link-rust-creds = { - # Contains credentials so it cannot be added to the nix store - enable = true; - description = "link-rust-creds"; - wantedBy = [ "multi-user.target" ]; - wants = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - # path = with pkgs; [ - # zfs - # ]; - unitConfig.DefaultDependencies = "no"; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = '' - if [ -e /persist/manual/rust/cargo_credentials.toml ]; then - install --directory --owner talexander --group talexander --mode 0755 /home/talexander/.cargo - ln -s /persist/manual/rust/cargo_credentials.toml /home/talexander/.cargo/credentials.toml - fi - ''; - preStop = '' - rm -f /home/talexander/.cargo/credentials.toml - ''; - }; - - nixpkgs.overlays = [ - (final: prev: { - rustup = pkgs.symlinkJoin { - name = "rustup"; - paths = - (builtins.map (cargo_wrapped prev.rustup) [ - "cargo" - "cargo-clippy" - "cargo-fmt" - "cargo-miri" - "clippy-driver" - "rls" - "rust-analyzer" - "rust-gdb" - "rust-gdbgui" - "rust-lldb" - "rustc" - "rustdoc" - "rustfmt" - "rustup" - ]) - ++ [ - prev.rustup - ]; - nativeBuildInputs = [ pkgs.makeWrapper ]; - }; - }) - ]; - 
} - ] - ); + }) + ]; + }; } # TODO: Install clippy, cranelift, rust-src diff --git a/nix/configuration/roles/sequoia/default.nix b/nix/configuration/roles/sequoia/default.nix index a69e0f8..5817e5a 100644 --- a/nix/configuration/roles/sequoia/default.nix +++ b/nix/configuration/roles/sequoia/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.sequoia.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - sequoia-sq - ]; - } - ] - ); + config = lib.mkIf config.me.sequoia.enable { + environment.systemPackages = with pkgs; [ + sequoia-sq + ]; + }; } diff --git a/nix/configuration/roles/shadps4/default.nix b/nix/configuration/roles/shadps4/default.nix index 08bc049..c35780a 100644 --- a/nix/configuration/roles/shadps4/default.nix +++ b/nix/configuration/roles/shadps4/default.nix 
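Review bot: The `link-rust-creds` script calls `ln -s` without `-f`/`-n`, so when `/home/talexander/.cargo/credentials.toml` already exists — for example after a shutdown in which `preStop` never ran — the link step fails and, since the NixOS `script` wrapper presumably runs with errexit, the whole oneshot fails; `ln -sfn /persist/manual/rust/cargo_credentials.toml /home/talexander/.cargo/credentials.toml` is idempotent. The symlink is created by root, so what cargo can read through it is decided solely by the owner and mode of `/persist/manual/rust/cargo_credentials.toml`, which nothing in this block checks or documents; a comment such as `# Expected to be owned by talexander, mode 0600; the symlink confers no access by itself.` next to the existing "Contains credentials" comment would make that contract explicit. Apart from dropping the `mkMerge` wrapper, the rest of the `config` block (starting at the `@@ -35` hunk header) is moved verbatim, so these points predate this commit.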
@@ -17,94 +17,118 @@ }; }; - config = lib.mkIf config.me.shadps4.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - shadps4 + config = lib.mkIf (config.me.shadps4.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + shadps4 + ]; + + me.install.user.talexander.file = { + ".local/share/shadPS4/config.toml" = { + source = ./files/config.toml; + }; + }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # Location of ROMs. + directory = ".local/share/shadPS4/games"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Firmware. + directory = ".local/share/shadPS4/sys_modules"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # Game saves. + directory = ".local/share/shadPS4/savedata"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + { + # DLC. + directory = ".local/share/shadPS4/addcont"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; + files = [ + { + # play times and recently played + file = ".local/share/shadPS4/play_time.txt"; + parentDirectory = { + mode = "0755"; + }; + } + ]; + }; + }; - me.install.user.talexander.file = { - ".local/share/shadPS4/config.toml" = { - source = ./files/config.toml; + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + # Cache. 
+ directory = ".local/share/shadPS4/data"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; + + nixpkgs.overlays = [ + (final: prev: { + shadps4 = prev.shadps4.overrideAttrs (old: { + version = "0.11.0"; + src = final.fetchFromGitHub { + owner = "AzaharPlus"; + repo = "shadPS4Plus"; + tag = "SHAD_PS4_PLUS_0_11_0"; + hash = "sha256-puyINtFBTdMkOE2E9OnUlZ526vXHCWyKIWsZBaojQRk="; + fetchSubmodules = true; }; - }; + }); + }) - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Location of ROMs. - directory = ".local/share/shadPS4/games"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Firmware. - directory = ".local/share/shadPS4/sys_modules"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # Game saves. - directory = ".local/share/shadPS4/savedata"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - { - # DLC. - directory = ".local/share/shadPS4/addcont"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - files = [ - { - # play times and recently played - file = ".local/share/shadPS4/play_time.txt"; - parentDirectory = { - mode = "0755"; - }; - } - ]; - }; - }; - - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - # Cache. 
- directory = ".local/share/shadPS4/data"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - - nixpkgs.overlays = [ - (final: prev: { - shadps4 = prev.shadps4.overrideAttrs (old: { - version = "0.9.0"; - src = final.fetchFromGitHub { - owner = "AzaharPlus"; - repo = "shadPS4Plus"; - tag = "SHADPS4PLUS_0_9_0_A"; - hash = "sha256-ZwP+bOE4roWt51Ii53blDZzdq/SxK4Q69I4rLCNARLA="; - fetchSubmodules = true; - }; + (final: prev: { + pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [ + (python-final: python-prev: { + shiboken2 = python-prev.shiboken2.overrideAttrs (old: { + cmakeFlags = old.cmakeFlags ++ [ + # Fix build with cmake>=4 + (lib.strings.cmakeFeature "CMAKE_POLICY_VERSION_MINIMUM" "3.5") + # "-DCMAKE_POLICY_VERSION_MINIMUM=3.5" + ]; + }); + pyside2 = python-prev.pyside2.overrideAttrs (old: { + cmakeFlags = old.cmakeFlags ++ [ + # Fix build with cmake>=4 + (lib.strings.cmakeFeature "CMAKE_POLICY_VERSION_MINIMUM" "3.5") + # "-DCMAKE_POLICY_VERSION_MINIMUM=3.5" + ]; + }); + pyside2-tools = python-prev.pyside2-tools.overrideAttrs (old: { + cmakeFlags = old.cmakeFlags ++ [ + # Fix build with cmake>=4 + (lib.strings.cmakeFeature "CMAKE_POLICY_VERSION_MINIMUM" "3.5") + # "-DCMAKE_POLICY_VERSION_MINIMUM=3.5" + ]; }); }) ]; }) - ] - ); + ]; + }; } diff --git a/nix/configuration/roles/shikane/default.nix b/nix/configuration/roles/shikane/default.nix index 1d79348..a629f07 100644 --- a/nix/configuration/roles/shikane/default.nix +++ b/nix/configuration/roles/shikane/default.nix 
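Review bot: The three `overrideAttrs` blocks in the new `pythonPackagesExtensions` overlay are identical apart from the package, and each does `old.cmakeFlags ++ [ … ]`, which throws on the first of shiboken2/pyside2/pyside2-tools that stops defining `cmakeFlags`; a single helper using `(old.cmakeFlags or [ ])` removes both the duplication and that failure mode. `pythonPackagesExtensions` applies to every Python package set on the system, not only to shadPS4's dependency chain, so a comment naming which shadps4 dependency needs the cmake>=4 policy would explain why this lives in the shadps4 role rather than a global overlay. The version bump is pinned by `hash` and `tag`, which is fine. The enclosing `config` block starts at the `@@ -17` hunk header in this same hunk.
```nix
(final: prev: {
  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
    (
      python-final: python-prev:
      let
        # Fix build with cmake>=4; tolerate packages that define no cmakeFlags.
        withCmakePolicy =
          pkg:
          pkg.overrideAttrs (old: {
            cmakeFlags = (old.cmakeFlags or [ ]) ++ [
              (lib.strings.cmakeFeature "CMAKE_POLICY_VERSION_MINIMUM" "3.5")
            ];
          });
      in
      {
        shiboken2 = withCmakePolicy python-prev.shiboken2;
        pyside2 = withCmakePolicy python-prev.pyside2;
        pyside2-tools = withCmakePolicy python-prev.pyside2-tools;
      }
    )
  ];
})
```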
@@ -25,23 +25,19 @@ in }; }; - config = lib.mkIf config.me.shikane.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - shikane - ]; + config = lib.mkIf (config.me.shikane.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + shikane + ]; - me.swayIncludes = [ - exec_shikane - ]; + me.swayIncludes = [ + exec_shikane + ]; - me.install.user.talexander.file = { - ".config/shikane/config.toml" = { - source = ./files/config.toml; - }; - }; - }) - ] - ); + me.install.user.talexander.file = { + ".config/shikane/config.toml" = { + source = ./files/config.toml; + }; + }; + }; } diff --git a/nix/configuration/roles/shipwright/default.nix b/nix/configuration/roles/shipwright/default.nix index 96de982..13afa9b 100644 --- a/nix/configuration/roles/shipwright/default.nix +++ b/nix/configuration/roles/shipwright/default.nix @@ -17,32 +17,27 @@ }; }; - config = lib.mkIf config.me.shipwright.enable ( - lib.mkMerge [ - { - allowedUnfree = [ "shipwright" ]; - } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - shipwright + config = lib.mkIf (config.me.shipwright.enable && config.me.graphical) { + allowedUnfree = [ "shipwright" ]; + + environment.systemPackages = with pkgs; [ + shipwright + ]; + + # TODO perhaps install ~/.local/share/soh/shipofharkinian.json + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".local/share/soh"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } ]; - - # TODO perhaps install ~/.local/share/soh/shipofharkinian.json - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".local/share/soh"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; - }) - ] - ); + }; + }; + }; } 
diff --git a/nix/configuration/roles/sm64ex/default.nix b/nix/configuration/roles/sm64ex/default.nix index a6be1bb..8934dff 100644 --- a/nix/configuration/roles/sm64ex/default.nix +++ b/nix/configuration/roles/sm64ex/default.nix @@ -17,47 +17,43 @@ }; }; - config = lib.mkIf config.me.sm64ex.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - allowedUnfree = [ "sm64ex" ]; + config = lib.mkIf (config.me.sm64ex.enable && config.me.graphical) { + allowedUnfree = [ "sm64ex" ]; - environment.systemPackages = with pkgs; [ - sm64ex - ]; + environment.systemPackages = with pkgs; [ + sm64ex + ]; - # nixpkgs.overlays = [ - # (final: prev: { - # sm4ex = prev.sm64ex.override { - # baseRom.name = "SuperMario64.z64"; - # }; - # }) - # ]; + # nixpkgs.overlays = [ + # (final: prev: { + # sm4ex = prev.sm64ex.override { + # baseRom.name = "SuperMario64.z64"; + # }; + # }) + # ]; - nixpkgs.overlays = [ - (final: prev: { - sm64ex = prev.sm64ex.overrideAttrs (old: { - buildInputs = old.buildInputs ++ [ final.libGL ]; - }); - }) - ]; - - # TODO perhaps install ~/.local/share/sm64ex/sm64config.txt - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - { - directory = ".local/share/sm64ex"; - user = "talexander"; - group = "talexander"; - mode = "0755"; - } - ]; - }; - }; + nixpkgs.overlays = [ + (final: prev: { + sm64ex = prev.sm64ex.overrideAttrs (old: { + buildInputs = old.buildInputs ++ [ final.libGL ]; + }); }) - ] - ); + ]; + + # TODO perhaps install ~/.local/share/sm64ex/sm64config.txt + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + { + directory = ".local/share/sm64ex"; + user = "talexander"; + group = "talexander"; + mode = "0755"; + } + ]; + }; + }; + }; } diff --git a/nix/configuration/roles/sops/default.nix b/nix/configuration/roles/sops/default.nix index 0213d6f..e16fd2c 100644 
--- a/nix/configuration/roles/sops/default.nix +++ b/nix/configuration/roles/sops/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.sops.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - sops # For encrypting kubernetes secrets. - ]; - } - ] - ); + config = lib.mkIf config.me.sops.enable { + environment.systemPackages = with pkgs; [ + sops # For encrypting kubernetes secrets. + ]; + }; } diff --git a/nix/configuration/roles/sound/default.nix b/nix/configuration/roles/sound/default.nix index b35a59b..421f066 100644 --- a/nix/configuration/roles/sound/default.nix +++ b/nix/configuration/roles/sound/default.nix @@ -72,7 +72,7 @@ ]; }; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; users.talexander = { directories = [ diff --git a/nix/configuration/roles/spaghettikart/default.nix b/nix/configuration/roles/spaghettikart/default.nix index 138af0e..d38c9f2 100644 --- a/nix/configuration/roles/spaghettikart/default.nix +++ b/nix/configuration/roles/spaghettikart/default.nix 
@@ -17,33 +17,27 @@ }; }; - config = lib.mkIf config.me.spaghettikart.enable ( - lib.mkMerge [ - { - allowedUnfree = [ "spaghettikart" ]; - } - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - spaghettikart + config = lib.mkIf (config.me.spaghettikart.enable && config.me.graphical) { + allowedUnfree = [ "spaghettikart" ]; + environment.systemPackages = with pkgs; [ + spaghettikart + ]; + + me.install.user.talexander.file = { + ".local/share/spaghettikart/spaghettify.cfg.json" = { + source = ./files/spaghettify.cfg.json; + method = "overwrite"; + }; + }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + files = [ + ".local/share/spaghettikart/default.sav" + ".local/share/spaghettikart/mk64.o2r" ]; - - me.install.user.talexander.file = { - ".local/share/spaghettikart/spaghettify.cfg.json" = { - source = ./files/spaghettify.cfg.json; - method = "overwrite"; - }; - }; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - files = [ - ".local/share/spaghettikart/default.sav" - ".local/share/spaghettikart/mk64.o2r" - ]; - }; - }; - }) - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/ssh/default.nix b/nix/configuration/roles/ssh/default.nix index 3c7dc68..e5ad8ae 100644 --- a/nix/configuration/roles/ssh/default.nix +++ b/nix/configuration/roles/ssh/default.nix 
@@ -8,33 +8,44 @@ { imports = [ ]; - environment.systemPackages = with pkgs; [ - sshfs - ]; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - files = [ - ".ssh/known_hosts" - ]; - }; - users.root = { - home = "/root"; - files = [ - ".ssh/known_hosts" - ]; + options.me = { + ssh.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install ssh."; }; }; - me.install.user.root.file = { - ".ssh/config" = { - source = ./files/ssh_config_root; + config = lib.mkIf config.me.ssh.enable { + environment.systemPackages = with pkgs; [ + sshfs + ]; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + files = [ + ".ssh/known_hosts" + ]; + }; + users.root = { + home = "/root"; + files = [ + ".ssh/known_hosts" + ]; + }; }; - }; - me.install.user.talexander.file = { - ".ssh/config" = { - source = ./files/ssh_config; + + me.install.user.root.file = { + ".ssh/config" = { + source = ./files/ssh_config_root; + }; + }; + me.install.user.talexander.file = { + ".ssh/config" = { + source = ./files/ssh_config; + }; }; }; } diff --git a/nix/configuration/roles/sshd/default.nix b/nix/configuration/roles/sshd/default.nix new file mode 100644 index 0000000..928a059 --- /dev/null +++ b/nix/configuration/roles/sshd/default.nix 
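Review bot: The new `me.ssh.enable` option defaults to `false`, so a host that imports `roles/ssh` without setting it silently loses the sshfs package, the root and user `~/.ssh/config` installation and the persisted `known_hosts` that this role applied unconditionally before; nothing in this diff sets `me.ssh.enable = true`, so unless a host file outside the patch does, this is a behaviour change worth calling out, or `default = true` is the safer migration. The option's `description` also says "install ssh", whereas the block installs sshfs and client configuration only; `description = "Whether we want to install the ssh client configuration (sshfs, ~/.ssh/config, persisted known_hosts).";` matches what the code does.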
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ options.me = {
+ sshd.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether we want to install sshd.";
+ };
+ };
+
+ config = lib.mkIf config.me.sshd.enable {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ hostKeys = [
+ {
+ path = "/persist/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+
+ environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+ hideMounts = true;
+ files = [
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+ };
+}
diff --git a/nix/configuration/roles/steam/default.nix b/nix/configuration/roles/steam/default.nix
index 61705ee..28c33b1 100644
--- a/nix/configuration/roles/steam/default.nix
+++ b/nix/configuration/roles/steam/default.nix
@@ -1,7 +1,6 @@
{
config,
lib,
- pkgs,
...
}:
 
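Review bot: `hostKeys` tells sshd to generate and read its keys under `/persist/ssh/`, while the `environment.persistence."/persist".files` list in the same block persists `/etc/ssh/ssh_host_*_key*`, paths sshd is no longer configured to use; those bind mounts will cover files nothing writes (or fail if the impermanence implementation requires the source to exist), and the block documents two different homes for the host keys. Pick one: either drop the `files` list and let `hostKeys` under `/persist/ssh` be the single persisted location, or keep the default `/etc/ssh/...` key paths and persist them through impermanence. When `mountPersistence` is false (the portable/ISO case) the `/persist/ssh` paths are still in effect, so key generation would write into a directory that may not exist on that image; a `mkIf` on `hostKeys` or a comment stating the assumption would help. Password and keyboard-interactive authentication are disabled, which leaves key-based login only; nothing overrides `PermitRootLogin`, so the NixOS default applies and is worth stating in a comment.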
@@ -17,34 +16,30 @@ }; }; - config = lib.mkIf config.me.steam.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - allowedUnfree = [ - "steam" - "steam-original" - "steam-unwrapped" - "steam-run" + config = lib.mkIf (config.me.steam.enable && config.me.graphical) { + allowedUnfree = [ + "steam" + "steam-original" + "steam-unwrapped" + "steam-run" + ]; + + programs.steam = { + enable = true; + remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers + }; + + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { + hideMounts = true; + users.talexander = { + directories = [ + ".local/share/Steam" + ".steam" + ".factorio" ]; - - programs.steam = { - enable = true; - remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers - }; - - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { - hideMounts = true; - users.talexander = { - directories = [ - ".local/share/Steam" - ".steam" - ".factorio" - ]; - }; - }; - }) - ] - ); + }; + }; + }; } diff --git a/nix/configuration/roles/steam_run_free/default.nix b/nix/configuration/roles/steam_run_free/default.nix index b592500..8f8d773 100644 --- a/nix/configuration/roles/steam_run_free/default.nix +++ b/nix/configuration/roles/steam_run_free/default.nix 
@@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.steam_run_free.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - steam-run-free - ]; - } - ] - ); + config = lib.mkIf config.me.steam_run_free.enable { + environment.systemPackages = with pkgs; [ + steam-run-free + ]; + }; } diff --git a/nix/configuration/roles/sway/default.nix b/nix/configuration/roles/sway/default.nix index 04a636a..80bc144 100644 --- a/nix/configuration/roles/sway/default.nix +++ b/nix/configuration/roles/sway/default.nix @@ -313,7 +313,7 @@ in # Probably would be cleaner to use environment.sessionVariables but programs.sway.extraSessionCommands is sway-specific. programs.sway.extraSessionCommands = - if config.me.buildingIso then + if config.me.buildingPortable then '' export WLR_RENDERER_ALLOW_SOFTWARE=1 export NIXOS_OZONE_WL=1 # Wayland support for chromium and electron @@ -330,7 +330,7 @@ in enable = true; wrapperFeatures.gtk = true; extraOptions = - if config.me.buildingIso then + if config.me.buildingPortable then [ "--config" "${sway-config}" @@ -343,7 +343,7 @@ in ]; }; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; users.talexander = { files = [ diff --git a/nix/configuration/roles/sway/graphical_session_target.nix b/nix/configuration/roles/sway/graphical_session_target.nix index c5aa7f5..611b783 100644 --- a/nix/configuration/roles/sway/graphical_session_target.nix +++ b/nix/configuration/roles/sway/graphical_session_target.nix @@ -18,8 +18,9 @@ in { imports = [ ]; - me.swayIncludes = lib.mkAfter [ - start_sway_session - ]; - + config = lib.mkIf (config.me.graphical && config.me.sway.enable) { + me.swayIncludes = lib.mkAfter [ + start_sway_session + ]; + }; } diff --git a/nix/configuration/roles/sway/iso.nix b/nix/configuration/roles/sway/iso.nix index 66bbb1f..ea226df 100644 --- a/nix/configuration/roles/sway/iso.nix 
+++ b/nix/configuration/roles/sway/iso.nix @@ -16,7 +16,7 @@ in { imports = [ ]; - config = lib.mkIf (config.me.buildingIso && config.me.graphical && config.me.sway.enable) { + config = lib.mkIf (config.me.buildingPortable && config.me.graphical && config.me.sway.enable) { # Launch a terminal at boot in the live ISO for when hotkeys don't work. me.swayIncludes = [ launch_terminal diff --git a/nix/configuration/roles/sway/rofimoji.nix b/nix/configuration/roles/sway/rofimoji.nix index b220e3f..8540d26 100644 --- a/nix/configuration/roles/sway/rofimoji.nix +++ b/nix/configuration/roles/sway/rofimoji.nix @@ -22,7 +22,7 @@ in rofimoji_sway_config ]; - environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; users.talexander = { directories = [ diff --git a/nix/configuration/roles/tekton/default.nix b/nix/configuration/roles/tekton/default.nix index 24ffacb..b1c7dd8 100644 --- a/nix/configuration/roles/tekton/default.nix +++ b/nix/configuration/roles/tekton/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.tekton.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - tektoncd-cli - ]; - } - ] - ); + config = lib.mkIf config.me.tekton.enable { + environment.systemPackages = with pkgs; [ + tektoncd-cli + ]; + }; } diff --git a/nix/configuration/roles/terraform/default.nix b/nix/configuration/roles/terraform/default.nix index 358df4d..883b326 100644 --- a/nix/configuration/roles/terraform/default.nix +++ b/nix/configuration/roles/terraform/default.nix @@ -34,7 +34,7 @@ in "terraform" ]; - environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { + environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) { hideMounts = true; users.talexander = { directories = [ 
diff --git a/nix/configuration/roles/thunderbolt/default.nix b/nix/configuration/roles/thunderbolt/default.nix index f87e1e3..0368ada 100644 --- a/nix/configuration/roles/thunderbolt/default.nix +++ b/nix/configuration/roles/thunderbolt/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.thunderbolt.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - bolt # For boltctl - ]; - } - ] - ); + config = lib.mkIf config.me.thunderbolt.enable { + environment.systemPackages = with pkgs; [ + bolt # For boltctl + ]; + }; } diff --git a/nix/configuration/roles/user/default.nix b/nix/configuration/roles/user/default.nix new file mode 100644 index 0000000..4d7d45d --- /dev/null +++ b/nix/configuration/roles/user/default.nix 
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ options.me = {
+ user.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether we want to create my user.";
+ };
+ };
+
+ config = lib.mkIf config.me.user.enable {
+ services.getty = {
+ autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
+ autologinOnce = true;
+ };
+ users.mutableUsers = false;
+ users.users.talexander = {
+ isNormalUser = true;
+ createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+ group = "talexander";
+ extraGroups = [ "wheel" ];
+ uid = 11235;
+ packages = with pkgs; [
+ tree
+ ];
+ # Generate with `mkpasswd -m scrypt`
+ hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+ ];
+ };
+ users.groups.talexander.gid = 11235;
+
+ environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+ hideMounts = true;
+ users.talexander = {
+ directories = [
+ {
+ directory = "persist";
+ user = "talexander";
+ group = "talexander";
+ mode = "0700";
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/nix/configuration/roles/uutils/default.nix b/nix/configuration/roles/uutils/default.nix
index 020ee52..da995df 100644
--- a/nix/configuration/roles/uutils/default.nix
+++ b/nix/configuration/roles/uutils/default.nix
@@ -1,7 +1,6 @@
{
config,
lib,
- pkgs,
...
}:
 
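Review bot: `hashedPassword` embeds the scrypt hash of the account password in the module source; with a flake the whole source tree is copied into the world-readable Nix store, so any local user (and anyone with the repository) can attempt offline cracking of a hash that, because talexander is in `wheel` and this commit also adds `roles/doas`, may be what gates privilege escalation. `users.users.talexander.hashedPasswordFile = "/persist/<path-outside-the-store>";` keeps the hash out of the store and the repo while still working with `mutableUsers = false`. The autologin comment says the password is irrelevant because of full-disk encryption; that holds for console login but not for a password-prompting doas/sudo, so the comment could state which of the two the hash is meant to protect. The `openssh.authorizedKeys.keys` entries are moved verbatim from configuration.nix and are public keys, so they are fine where they are.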
@@ -17,17 +16,13 @@ }; }; - config = lib.mkIf config.me.uutils.enable ( - lib.mkMerge [ - { - # environment.corePackages automatically installes coreutils-full, so merely installing uutils-coreutils-noprefix is insufficient for replacing GNU coreutils. - nixpkgs.overlays = [ - (final: prev: { - coreutils = final.uutils-coreutils-noprefix; - coreutils-full = final.uutils-coreutils-noprefix; - }) - ]; - } - ] - ); + config = lib.mkIf config.me.uutils.enable { + # environment.corePackages automatically installes coreutils-full, so merely installing uutils-coreutils-noprefix is insufficient for replacing GNU coreutils. + nixpkgs.overlays = [ + (final: prev: { + coreutils = final.uutils-coreutils-noprefix; + coreutils-full = final.uutils-coreutils-noprefix; + }) + ]; + }; } diff --git a/nix/configuration/roles/vnc_client/default.nix b/nix/configuration/roles/vnc_client/default.nix index 42cfa5c..ea5ee0c 100644 --- a/nix/configuration/roles/vnc_client/default.nix +++ b/nix/configuration/roles/vnc_client/default.nix @@ -17,13 +17,9 @@ }; }; - config = lib.mkIf config.me.vnc_client.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - wlvncc - ]; - }) - ] - ); + config = lib.mkIf (config.me.vnc_client.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + wlvncc + ]; + }; } diff --git a/nix/configuration/roles/vscode/default.nix b/nix/configuration/roles/vscode/default.nix index b37b0e0..f8b3fb5 100644 --- a/nix/configuration/roles/vscode/default.nix +++ b/nix/configuration/roles/vscode/default.nix 
@@ -17,46 +17,42 @@ }; }; - config = lib.mkIf config.me.vscode.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - allowedUnfree = [ - "vscode" - "vscode-x86_64-unknown-linux-gnu-with-extensions" - "vscode-with-extensions" - "vscode-extension-ms-vscode-remote-remote-ssh" - ]; + config = lib.mkIf (config.me.vscode.enable && config.me.graphical) { + allowedUnfree = [ + "vscode" + "vscode-x86_64-unknown-linux-gnu-with-extensions" + "vscode-with-extensions" + "vscode-extension-ms-vscode-remote-remote-ssh" + ]; - environment.systemPackages = with pkgs; [ - (vscode-with-extensions.override { - vscodeExtensions = with vscode-extensions; [ - bbenoist.nix - ms-python.python - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - esbenp.prettier-vscode - ] - # ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - # { - # name = "remote-ssh-edit"; - # publisher = "ms-vscode-remote"; - # version = "0.47.2"; - # sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g"; - # } - # ] - ; - }) - ]; - - me.install.user.talexander.file = { - ".config/Code/User/settings.json" = { - source = ./files/settings.json; - }; - ".config/Code/User/keybindings.json" = { - source = ./files/keybindings.json; - }; - }; + environment.systemPackages = with pkgs; [ + (vscode-with-extensions.override { + vscodeExtensions = with vscode-extensions; [ + bbenoist.nix + ms-python.python + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + esbenp.prettier-vscode + ] + # ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + # { + # name = "remote-ssh-edit"; + # publisher = "ms-vscode-remote"; + # version = "0.47.2"; + # sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g"; + # } + # ] + ; }) - ] - ); + ]; + + me.install.user.talexander.file = { + ".config/Code/User/settings.json" = { + source = ./files/settings.json; + }; + ".config/Code/User/keybindings.json" = { + source = ./files/keybindings.json; + }; + }; + }; } 
diff --git a/nix/configuration/roles/wasm/default.nix b/nix/configuration/roles/wasm/default.nix index 8f8a696..cffd882 100644 --- a/nix/configuration/roles/wasm/default.nix +++ b/nix/configuration/roles/wasm/default.nix @@ -2,7 +2,6 @@ config, lib, pkgs, - pkgs-unoptimized, ... }: @@ -18,23 +17,11 @@ }; }; - config = lib.mkIf config.me.wasm.enable ( - lib.mkMerge [ - { - environment.systemPackages = with pkgs; [ - wabt - wasm-bindgen-cli - binaryen # for wasm-opt - ]; - - nixpkgs.overlays = [ - (final: prev: { - inherit (pkgs-unoptimized) - binaryen - ; - }) - ]; - } - ] - ); + config = lib.mkIf config.me.wasm.enable { + environment.systemPackages = with pkgs; [ + wabt + wasm-bindgen-cli + binaryen # for wasm-opt + ]; + }; } diff --git a/nix/configuration/roles/waybar/default.nix b/nix/configuration/roles/waybar/default.nix index b2ef5d3..2cd5b08 100644 --- a/nix/configuration/roles/waybar/default.nix +++ b/nix/configuration/roles/waybar/default.nix 
@@ -89,39 +89,35 @@ in }; }; - config = lib.mkIf config.me.waybar.enable ( - lib.mkMerge [ - (lib.mkIf config.me.graphical { - environment.systemPackages = with pkgs; [ - waybar - waybar_available_memory - waybar_battery - waybar_clock - waybar_night_mode - waybar_sound - waybar_temperature - python3 # for clock TODO python should not be in the system packages, maybe switch to a venv? ref https://nixos.wiki/wiki/Python - bc # for temperature and sound - jq # for memory, battery, sound, night mode, and temperature - upower # for battery - wlsunset # for night mode - ]; + config = lib.mkIf (config.me.waybar.enable && config.me.graphical) { + environment.systemPackages = with pkgs; [ + waybar + waybar_available_memory + waybar_battery + waybar_clock + waybar_night_mode + waybar_sound + waybar_temperature + python3 # for clock TODO python should not be in the system packages, maybe switch to a venv? ref https://nixos.wiki/wiki/Python + bc # for temperature and sound + jq # for memory, battery, sound, night mode, and temperature + upower # for battery + wlsunset # for night mode + ]; - me.swayIncludes = [ - waybar_sway_config - ]; + me.swayIncludes = [ + waybar_sway_config + ]; - services.upower.enable = true; # for battery + services.upower.enable = true; # for battery - me.install.user.talexander.file = { - ".config/waybar/config" = { - source = ./files/waybar_config.json; - }; - ".config/waybar/style.css" = { - source = ./files/style.css; - }; - }; - }) - ] - ); + me.install.user.talexander.file = { + ".config/waybar/config" = { + source = ./files/waybar_config.json; + }; + ".config/waybar/style.css" = { + source = ./files/style.css; + }; + }; + }; } diff --git a/nix/configuration/roles/wireguard/default.nix b/nix/configuration/roles/wireguard/default.nix index 1d4a56b..1c07663 100644 --- a/nix/configuration/roles/wireguard/default.nix +++ b/nix/configuration/roles/wireguard/default.nix 
@@ -5,52 +5,72 @@
 ...
 }:
 let
- activatedWg = name: {
- networking.wg-quick.interfaces."${name}".configFile = "/persist/manual/wireguard/${name}.conf";
- systemd.services."wg-quick-${name}" = {
- after = [
- "network-online.target"
- "nss-lookup.target"
- ];
- preStart = "${pkgs.toybox}/bin/sleep 3";
- };
- };
- deactivatedWg = name: {
- networking.wg-quick.interfaces."${name}" = {
- configFile = "/persist/manual/wireguard/${name}.conf";
- autostart = false;
- };
- };
- wireguard_enable = (config.me.wireguard.activated != [ ] || config.me.wireguard.deactivated != [ ]);
+ wireguard_enable = (
+ (lib.attrsets.filterAttrs (name: value: value) config.me.wireguard.activated) != [ ]
+ || (lib.attrsets.filterAttrs (name: value: value) config.me.wireguard.deactivated) != [ ]
+ );
 in
 {
 imports = [ ];
 options.me = {
 wireguard.activated = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = false;
- example = true;
+ default = { };
+ example = lib.literalExpression ''
+ {
+ wgh = true;
+ colo = lib.mkForce false;
+ }
+ '';
+ type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
+ enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
+ ) (lib.types.attrsOf lib.types.bool);
 description = "List of wireguard config names that should be activated at boot.";
 };
+
 wireguard.deactivated = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = false;
- example = true;
+ default = { };
+ example = lib.literalExpression ''
+ {
+ wgf = true;
+ drmario = lib.mkForce false;
+ }
+ '';
+ type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
+ enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
+ ) (lib.types.attrsOf lib.types.bool);
 description = "List of wireguard config names that are not activated at boot but can be manually activated later.";
 };
 };
- config = lib.mkIf wireguard_enable (
- lib.mkMerge [
- {
- networking.firewall.allowedUDPPorts = [ 51821 ];
- networking.wireguard.enable = true;
- }
- (activatedWg "drmario")
- (activatedWg "wgh")
- (activatedWg "colo")
- (deactivatedWg "wgf")
- ]
- );
+ config = lib.mkIf wireguard_enable {
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+ networking.wireguard.enable = true;
+
+ networking.wg-quick.interfaces =
+ (builtins.mapAttrs (
+ name: value:
+ (lib.attrsets.optionalAttrs value {
+ configFile = "/persist/manual/wireguard/${name}.conf";
+ })
+ ) config.me.wireguard.activated)
+ // (builtins.mapAttrs (
+ name: value:
+ (lib.attrsets.optionalAttrs value {
+ configFile = "/persist/manual/wireguard/${name}.conf";
+ autostart = false;
+ })
+ ) config.me.wireguard.deactivated);
+
+ systemd.services = lib.attrsets.mapAttrs' (
+ name: value:
+ (lib.attrsets.nameValuePair "wg-quick-${name}" {
+ after = [
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+ preStart = "${pkgs.toybox}/bin/sleep 3";
+ })
+ ) config.me.wireguard.activated;
+ };
 }
diff --git a/nix/configuration/roles/yubikey/default.nix b/nix/configuration/roles/yubikey/default.nix
index 257388a..c18f2bb 100644
--- a/nix/configuration/roles/yubikey/default.nix
+++ b/nix/configuration/roles/yubikey/default.nix
@@ -17,14 +17,10 @@
 };
 };
- config = lib.mkIf config.me.yubikey.enable (
- lib.mkMerge [
- {
- environment.systemPackages = with pkgs; [
- yubikey-personalization
- yubikey-manager
- ];
- }
- ]
- );
+ config = lib.mkIf config.me.yubikey.enable {
+ environment.systemPackages = with pkgs; [
+ yubikey-personalization
+ yubikey-manager
+ ];
+ };
 }
diff --git a/nix/configuration/roles/zfs/default.nix b/nix/configuration/roles/zfs/default.nix
index 756d503..ed53227 100644
--- a/nix/configuration/roles/zfs/default.nix
+++ b/nix/configuration/roles/zfs/default.nix
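Review bot: The new `wireguard_enable` in the `let` can never be false: `lib.attrsets.filterAttrs` returns an attribute set, and an attrset is never equal to the empty list `[ ]`, so the `lib.mkIf wireguard_enable` block — including `networking.firewall.allowedUDPPorts = [ 51821 ]` and `networking.wireguard.enable = true` — is applied on every host that imports this role, even one with no tunnel configured; the comparison must be against `{ }`, or against the list of names whose value is `true`. The same unfiltered attrsets feed `networking.wg-quick.interfaces` and `systemd.services`: an entry set to `false` (the `lib.mkForce false` case the option examples show) still yields `interfaces.<name> = { }` through `optionalAttrs` — an interface definition with no `configFile` — and a `wg-quick-<name>` service override for a unit that was never defined, so the `false` entries should be dropped before mapping rather than mapped to empty attrsets. A sketch of the filtered form follows; the `let` header and the option declarations are unchanged.
```nix
let
  enabledNames = attrs: lib.attrNames (lib.filterAttrs (_: enabled: enabled) attrs);
  activated = enabledNames config.me.wireguard.activated;
  deactivated = enabledNames config.me.wireguard.deactivated;
  wireguard_enable = activated != [ ] || deactivated != [ ];
in
# … unchanged: imports and options.me.wireguard.* …
  config = lib.mkIf wireguard_enable {
    # … unchanged: firewall port and networking.wireguard.enable …
    networking.wg-quick.interfaces =
      lib.genAttrs activated (name: {
        configFile = "/persist/manual/wireguard/${name}.conf";
      })
      // lib.genAttrs deactivated (name: {
        configFile = "/persist/manual/wireguard/${name}.conf";
        autostart = false;
      });

    systemd.services = lib.listToAttrs (
      map (name: lib.nameValuePair "wg-quick-${name}" {
        after = [ "network-online.target" "nss-lookup.target" ];
        preStart = "${pkgs.toybox}/bin/sleep 3";
      }) activated
    );
  };
```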
@@ -29,26 +29,40 @@ in
 {
 imports = [ ];
- boot.zfs.devNodes = "/dev/disk/by-partuuid";
-
- services.zfs = {
- autoScrub = {
- enable = true;
- interval = "monthly";
+ options.me = {
+ zfs.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether we want to install zfs.";
 };
- trim.enable = true;
 };
- environment.systemPackages = with pkgs; [
- zfs_clone_send
- zfs_clone_recv
- zfs_clone_resume
- ];
+ config = lib.mkIf config.me.zfs.enable {
+ # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
+ boot.supportedFilesystems.zfs = true;
- environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
- hideMounts = true;
- directories = [
- "/etc/zfs/zpool.cache" # Which zpools to import, the root zpool is already imported and does not need this cache file but this captures additional pools.
+ boot.zfs.devNodes = "/dev/disk/by-partuuid";
+
+ services.zfs = {
+ autoScrub = {
+ enable = true;
+ interval = "monthly";
+ };
+ trim.enable = true;
+ };
+
+ environment.systemPackages = [
+ zfs_clone_send
+ zfs_clone_recv
+ zfs_clone_resume
 ];
+
+ environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+ hideMounts = true;
+ directories = [
+ "/etc/zfs/zpool.cache" # Which zpools to import, the root zpool is already imported and does not need this cache file but this captures additional pools.
+ ];
+ };
 };
 }
diff --git a/nix/configuration/roles/zrepl/default.nix b/nix/configuration/roles/zrepl/default.nix
index 9ed4ff9..2c60485 100644
--- a/nix/configuration/roles/zrepl/default.nix
+++ b/nix/configuration/roles/zrepl/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
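Review bot: `me.zfs.enable` defaults to `false`, and everything that was unconditional before — `boot.supportedFilesystems.zfs`, the `boot.zfs.devNodes = "/dev/disk/by-partuuid"` override, scrub/trim, and the `zpool.cache` persistence — now sits behind it, so a host whose root is already on ZFS but which never sets the new option silently loses the by-partuuid device-node override and the scrub/trim/cache settings; whether its pool still imports at boot depends on how it was created, which this hunk cannot show. Since the comment already notes that nix derives ZFS support from the filesystem list, the option default could follow the same signal, e.g. `default = lib.any (fs: fs.fsType == "zfs") (lib.attrValues config.fileSystems);`, or the role could carry an assertion that a declared `zfs` filesystem with `me.zfs.enable = false` fails evaluation instead of degrading quietly. The `environment.systemPackages = [ zfs_clone_send … ]` list now drops `with pkgs;`, so those names must come from the `let` at the top of the file, which starts outside this hunk.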
@@ -17,44 +16,40 @@
 };
 };
- config = lib.mkIf config.me.zrepl.enable (
- lib.mkMerge [
- {
- services.zrepl = {
- enable = true;
- settings = {
- jobs = [
- {
- name = "snapjob";
- type = "snap";
- filesystems = {
- "zroot/linux/nix/persist<" = true;
- "zroot/bridge<" = true;
- };
- snapshotting = {
- type = "periodic";
- interval = "15m";
- prefix = "zrepl_";
- };
- pruning = {
- keep = [
- {
- type = "grid";
- grid = "1x1h(keep=all) | 24x1h | 14x1d";
- regex = "^zrepl_.*";
- }
- {
- type = "regex";
- negate = true;
- regex = "^zrepl_.*";
- }
- ];
- };
- }
- ];
- };
- };
- }
- ]
- );
+ config = lib.mkIf config.me.zrepl.enable {
+ services.zrepl = {
+ enable = true;
+ settings = {
+ jobs = [
+ {
+ name = "snapjob";
+ type = "snap";
+ filesystems = {
+ "zroot/linux/nix/persist<" = true;
+ "zroot/bridge<" = true;
+ };
+ snapshotting = {
+ type = "periodic";
+ interval = "15m";
+ prefix = "zrepl_";
+ };
+ pruning = {
+ keep = [
+ {
+ type = "grid";
+ grid = "1x1h(keep=all) | 24x1h | 14x1d";
+ regex = "^zrepl_.*";
+ }
+ {
+ type = "regex";
+ negate = true;
+ regex = "^zrepl_.*";
+ }
+ ];
+ };
+ }
+ ];
+ };
+ };
+ };
 }
diff --git a/nix/configuration/roles/zsh/default.nix b/nix/configuration/roles/zsh/default.nix
index 9417755..645b305 100644
--- a/nix/configuration/roles/zsh/default.nix
+++ b/nix/configuration/roles/zsh/default.nix
@@ -76,46 +76,42 @@ in
 };
 };
- config = lib.mkIf config.me.zsh.enable (
- lib.mkMerge [
- {
- environment.systemPackages = with pkgs; [
- zsh
+ config = lib.mkIf config.me.zsh.enable {
+ environment.systemPackages = with pkgs; [
+ zsh
+ ];
+
+ users.users.talexander.shell = pkgs.zsh;
+ environment.shells = with pkgs; [ zsh ];
+
+ programs.zsh = {
+ enable = true;
+ };
+
+ me.install.user.talexander.file = {
+ ".zshrc" = {
+ source = "${zshrc}";
+ };
+ };
+
+ environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+ hideMounts = true;
+ users.talexander = {
+ directories = [
+ {
+ directory = ".histdb";
+ user = "talexander";
+ group = "talexander";
+ mode = "0700";
+ }
 ];
+ };
+ };
- users.users.talexander.shell = pkgs.zsh;
- environment.shells = with pkgs; [ zsh ];
-
- programs.zsh = {
- enable = true;
- };
-
- me.install.user.talexander.file = {
- ".zshrc" = {
- source = "${zshrc}";
- };
- };
-
- environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
- hideMounts = true;
- users.talexander = {
- directories = [
- {
- directory = ".histdb";
- user = "talexander";
- group = "talexander";
- mode = "0700";
- }
- ];
- };
- };
-
- nixpkgs.overlays = [
- (final: prev: {
- zsh-histdb = (final.callPackage ./package/zsh-histdb/package.nix { });
- })
- ];
- }
- ]
- );
+ nixpkgs.overlays = [
+ (final: prev: {
+ zsh-histdb = (final.callPackage ./package/zsh-histdb/package.nix { });
+ })
+ ];
+ };
 }
diff --git a/nix/configuration/util/install_files/default.nix b/nix/configuration/util/install_files/default.nix
index 7be496d..adc937d 100644
--- a/nix/configuration/util/install_files/default.nix
+++ b/nix/configuration/util/install_files/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
@@ -309,25 +308,23 @@ in
 Type = "oneshot";
 RemainAfterExit = "yes";
 };
- script =
- ''
- set -o pipefail
- IFS=$'\n\t'
- source ${./files/lib.bash}
- ''
- + (lib.strings.concatStringsSep "\n" (
- [
- ]
- ++ check_commands
- ++ install_commands
- ));
- preStop =
- ''
- set -o pipefail
- IFS=$'\n\t'
- source ${./files/lib.bash}
- ''
- + (lib.strings.concatStringsSep "\n" uninstall_commands);
+ script = ''
+ set -o pipefail
+ IFS=$'\n\t'
+ source ${./files/lib.bash}
+ ''
+ + (lib.strings.concatStringsSep "\n" (
+ [
+ ]
+ ++ check_commands
+ ++ install_commands
+ ));
+ preStop = ''
+ set -o pipefail
+ IFS=$'\n\t'
+ source ${./files/lib.bash}
+ ''
+ + (lib.strings.concatStringsSep "\n" uninstall_commands);
 };
 };
 }