authorsefidel <contact@sefidel.net>2023-09-13 15:46:11 +0900
committersefidel <contact@sefidel.net>2023-09-13 15:46:11 +0900
commitef6dd49bb693fa924065687d539b4642c44f9bb4 (patch)
tree22560b959c95304de3d2b7692c3b9777441a067c
parent654a68a613e4914089bbaded610b513e4fd157e7 (diff)
downloadnixrc-ef6dd49bb693fa924065687d539b4642c44f9bb4.tar.gz
nixrc-ef6dd49bb693fa924065687d539b4642c44f9bb4.zip
feat(nixos): add haruka
-rw-r--r--modules/laptop.nix11
-rw-r--r--nixos/default.nix13
-rw-r--r--nixos/haruka/configuration.nix292
-rw-r--r--nixos/haruka/hardware-configuration.nix56
4 files changed, 372 insertions, 0 deletions
diff --git a/modules/laptop.nix b/modules/laptop.nix
new file mode 100644
index 0000000..7820a29
--- /dev/null
+++ b/modules/laptop.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  # Laptop-specific system tweaks
+
+  # Don't protect kernel image to enable hibernation
+  security.protectKernelImage = lib.mkForce false;
+
+  # Enable auto trimming on SSDs
+  services.fstrim.enable = lib.mkDefault (!config.services.zfs.trim.enable);
+}
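Review bot: `security.protectKernelImage = lib.mkForce false;` unconditionally overrides whatever `../modules/security.nix` (outside this diff) sets, and the comment only names the benefit, not what is given up: as far as I recall, that option is what adds `nohibernate` and also disables kexec loading, so lifting it re-enables replacing the running kernel image, not just hibernation. The trade-off should be stated where it is made, e.g. `# protectKernelImage blocks hibernation (nohibernate) but also kexec; lifting it` / `# re-allows loading a new kernel image at runtime -- only worth it on machines that hibernate.` If only some laptops hibernate, consider `lib.mkDefault false` so a host can opt back into the protection without fighting the force.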
diff --git a/nixos/default.nix b/nixos/default.nix
index 3be741d..bc14379 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -22,6 +22,19 @@
     ];
   };
 
+  haruka = self.lib.mkSystem {
+    name = "haruka";
+    nixpkgs = unstable;
+    extraModules = [
+      ../modules/security.nix
+      ../modules/laptop.nix
+      ../modules/cachix
+      ../modules/keyd-qol.nix
+      inputs.sops-nix.nixosModules.sops
+      inputs.impermanence.nixosModules.impermanence
+    ];
+  };
+
   kompakt = self.lib.mkSystem {
     name = "kompakt";
     system = "aarch64-linux";
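Review bot: The new `haruka` entry lists extra modules but nothing here or in `nixos/haruka/configuration.nix` (which declares `imports = [ ];`) references `nixos/haruka/hardware-configuration.nix`, so unless `self.lib.mkSystem` (defined outside this diff) imports it by convention, the filesystem, swap and kernel-module definitions in that generated file are never evaluated and the ZFS root in `configuration.nix` has no matching `fileSystems."/"`. If `mkSystem` does pick it up by path, a one-line comment on the entry saying so (`# mkSystem also imports ./haruka/{configuration,hardware-configuration}.nix`) would save the next reader the same question. Note too that `inputs.sops-nix.nixosModules.sops` is wired in while every `sops.*` line in the new configuration is still commented out, which is fine for a first cut but worth a TODO here so the module list and the host config do not drift apart.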
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
new file mode 100644
index 0000000..1dc71a8
--- /dev/null
+++ b/nixos/haruka/configuration.nix
@@ -0,0 +1,292 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =  [ ];
+
+  security = {
+    rtkit.enable = true;
+    doas.enable = true;
+    doas.wheelNeedsPassword = false;
+    sudo.wheelNeedsPassword = false;
+  };
+
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.kernelParams = [
+    "console=tty1"
+  ];
+
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.enableUnstable = true;
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.forceImportAll = false;
+  boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS
+
+  # GRUB bootloader
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub = {
+    enable = true;
+
+    efiSupport = true;
+    configurationLimit = 10;
+    device = "nodev";
+    useOSProber = true;
+    copyKernels = true;
+    gfxmodeEfi = "1920x1200";
+    fontSize = 32;
+  };
+
+  # Erase your darlings.
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r rpool/local/root@blank
+  '';
+
+  # Enable microcode updates, etc
+  hardware.enableRedistributableFirmware = true;
+
+  networking.hostName = "haruka";
+  networking.hostId = "8425e349";
+
+  networking.networkmanager.enable = true;
+  networking.firewall.enable = true;
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  # HiDPI
+  console.earlySetup = lib.mkDefault true;
+  console.font = lib.mkForce "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+  services.xserver.dpi = 100;
+  environment.variables = {
+    GDK_SCALE = lib.mkDefault "2";
+    GDK_DPI_SCALE = lib.mkDefault "0.5";
+  };
+
+  console.keyMap = "us";
+  console.colors = [
+    "151515"
+    "cf6a4c"
+    "99ad6a"
+    "dfa358"
+    "8197bf"
+    "b3a3ff"
+    "8fbfdc"
+    "cbc0ab"
+    "333333"
+    "d98870"
+    "adbd88"
+    "e5b579"
+    "9aaccc"
+    "c2b5ff"
+    "a5cce3"
+    "d5cdbc"
+  ];
+
+  time.timeZone = "Asia/Tokyo";
+
+  environment.systemPackages = with pkgs; [ gcc git gnumake ];
+
+  services.zfs.trim.enable = true;
+  services.zfs.autoScrub.enable = true;
+  services.zfs.autoScrub.pools = [ "rpool" ];
+
+  # NOTE: `com.sun:auto-snapshot` property must be set to true on datasets you
+  # wish to snapshot
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoSnapshot.flags = "-k -p --utc";
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.hostKeys = [
+    {
+      path = "/persist/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+    {
+      path = "/persist/ssh/ssh_host_rsa_key";
+      type = "rsa";
+      bits = 4096;
+    }
+  ];
+
+  #SOPSsops.secrets.borg-haruka-rolling-pass = { };
+  #SOPSservices.borgbackup.jobs.haruka-rolling = {
+    #SOPSpaths = [
+      #SOPS"/persist"
+      #SOPS"/home"
+    #SOPS];
+
+    #SOPSexclude = [
+      #SOPS# Rust build files
+      #SOPS"**/target"
+    #SOPS];
+
+    #SOPSprune.keep = {
+      #SOPSwithin = "1d";
+      #SOPSdaily = 7;
+      #SOPSweekly = 4;
+      #SOPSmonthly = 3;
+    #SOPS};
+
+    #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka";
+    #SOPSencryption.mode = "repokey-blake2";
+    #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}";
+
+    #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
+    #SOPS# use borg 1.0+ on rsync.net
+    #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
+    #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600";
+    #SOPScompression = "auto,zstd";
+    #SOPSstartAt = "hourly";
+    #SOPSpersistentTimer = true;
+  #SOPS};
+
+  #SOPSsystemd.services.borgbackup-job-haruka-rolling = {
+    #SOPSpreStart = lib.mkBefore ''
+      #SOPS# Wait until internet is reachable after resuming
+      #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
+    #SOPS'';
+  #SOPS};
+
+  services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
+
+  sound.enable = true;
+
+  services.pipewire = {
+    enable = true;
+
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+  hardware.opentabletdriver.enable = true;
+
+  services.fwupd.enable = true;
+
+  services.keyd-qol.enable = true;
+
+  services.printing.enable = true;
+  services.avahi.enable = true;
+  services.avahi.nssmdns = true;
+
+  environment.persistence."/persist".directories = [
+    "/etc/cups"
+  ];
+
+  services.pcscd.enable = true;
+
+  programs.dconf.enable = true;
+  services.gnome.gnome-keyring.enable = true; # TODO: replace this with pass-secret-service?
+
+  services.greetd = {
+    enable = true;
+    vt = 2;
+
+    settings.default_session.command = "${pkgs.greetd.tuigreet}/bin/tuigreet -t -c sway";
+  };
+
+  systemd.extraConfig = "RebootWatchdogSec=5";
+
+  fonts = {
+    fontDir.enable = true;
+
+    packages = with pkgs; [
+      dina-font
+      nanum
+      sarasa-gothic
+      tamzen
+      siji
+      jetbrains-mono
+      twemoji-color-font
+      emacs-all-the-icons-fonts
+      (nerdfonts.override { fonts = [ "Iosevka" "JetBrainsMono" ]; })
+    ];
+
+    fontconfig = {
+      enable = true;
+
+      defaultFonts = {
+        serif = [
+          "Sarasa Gothic C"
+          "Sarasa Gothic J"
+          "Sarasa Gothic K"
+        ];
+
+        sansSerif = [
+          "Sarasa Gothic C"
+          "Sarasa Gothic J"
+          "Sarasa Gothic K"
+        ];
+
+        monospace = [
+          "Dina"
+          "Terminus"
+          "Iosevka Nerd Font"
+          "JetBrainsMono Nerd Font"
+        ];
+
+        emoji = [
+          "Siji"
+          "Twitter Color Emoji"
+        ];
+      };
+    };
+  };
+
+  programs = {
+    sway.enable = true;
+    sway.extraPackages = lib.mkForce [ ];
+
+    zsh.enable = true;
+    zsh.enableCompletion = true;
+  };
+
+  hardware.opengl.enable = true;
+  hardware.opengl.driSupport = true;
+  hardware.opengl.driSupport32Bit = true;
+  hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
+
+  xdg.portal = {
+    enable = true;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk
+      xdg-desktop-portal-wlr
+    ];
+  };
+
+  #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml;
+  #SOPSsops.secrets.root-password.neededForUsers = true;
+  #SOPSsops.secrets.sefidel-password.neededForUsers = true;
+
+  users.mutableUsers = false;
+
+  fileSystems."/persist".neededForBoot = true;
+
+  users.users = {
+    #SOPSroot.passwordFile = config.sops.secrets.root-password.path;
+    root.password = "1111";
+    sefidel = {
+      isNormalUser = true;
+      shell = pkgs.zsh;
+      #SOPSpasswordFile = config.sops.secrets.sefidel-password.path;
+      password = "1111";
+
+      extraGroups = [
+        "wheel"
+        "audio"
+        "networkmanager"
+      ];
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+
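Review bot: Both accounts get a literal plaintext password (`root.password = "1111";` and `password = "1111";` under `sefidel`) while `users.mutableUsers = false;`, which means the value is baked into the world-readable Nix store and cannot be rotated with `passwd`; combined with `doas.wheelNeedsPassword = false` and `sudo.wheelNeedsPassword = false` this makes the console login on `greetd`/`tuigreet` the only barrier on the machine. The `#SOPS` lines right next to them already carry the intended fix (`root.passwordFile = config.sops.secrets.root-password.path;` and the matching `sefidel` line); until those are enabled, `hashedPassword` with a pre-hashed value keeps the cleartext out of the store, and `initialHashedPassword` is the usual choice for a bootstrap credential. `services.openssh.settings.PasswordAuthentication = false` limits the exposure over SSH, but the sops-nix module is imported for this host in `nixos/default.nix`, so there is little reason to ship the placeholder. A `# FIXME: placeholder until sops secrets land` comment on those two lines would at least make the state obvious in the config.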
diff --git a/nixos/haruka/hardware-configuration.nix b/nixos/haruka/hardware-configuration.nix
new file mode 100644
index 0000000..d4b89d1
--- /dev/null
+++ b/nixos/haruka/hardware-configuration.nix
@@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/local/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/5382-69DE";
+      fsType = "vfat";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/persist" =
+    { device = "rpool/safe/persist";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/88f5f850-d91c-4eba-be16-944717e9d24d"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u3u3c2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}