Diffstat (limited to 'nixos/alpha')
-rw-r--r--nixos/alpha/configuration.nix148
-rw-r--r--nixos/alpha/hardware-configuration.nix49
-rw-r--r--nixos/alpha/secrets/secrets.yaml52
3 files changed, 249 insertions, 0 deletions
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
new file mode 100644
index 0000000..54ec24f
--- /dev/null
+++ b/nixos/alpha/configuration.nix
@@ -0,0 +1,148 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [ ];
+
+ security = {
+ protectKernelImage = true;
+ rtkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+ };
+
+ boot.kernelPackages = pkgs.linuxPackages_xanmod;
+ boot.kernelParams = [
+ "nmi_watchdog=0"
+ "systemd.watchdog-device/dev/watchdog"
+ ];
+
+ # GRUB bootloader
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+
+ efiSupport = true;
+ configurationLimit = 10;
+ devices = [ "nodev" ];
+ useOSProber = true;
+ # device = "/dev/disk/by-uuid/7905-2E41";
+ extraEntries = ''
+ menuentry "Reboot" {
+ reboot
+ }
+ menuentry "Shutdown" {
+ halt
+ }
+ '';
+ };
+
+ networking.hostName = "alpha";
+ networking.networkmanager.enable = true;
+ networking.useDHCP = false;
+ networking.firewall.enable = true;
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ console.font = "Lat2-Terminus16";
+ console.keyMap = "us";
+
+ time.timeZone = "Asia/Seoul";
+
+ environment.systemPackages = with pkgs; [ gcc ];
+
+ services.openssh.enable = true;
+ services.openssh.passwordAuthentication = false;
+
+ sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ hardware.bluetooth.enable = true;
+
+ services.greetd = {
+ enable = true;
+
+ settings.default_session.command = "${pkgs.greetd.tuigreet}/bin/tuigreet -t -c sway";
+ };
+
+ # https://github.com/apognu/tuigreet/issues/17
+ systemd.services.greetd.unitConfig.After = lib.mkOverride 0 [ "multi-user.target" ];
+
+ services.journald.extraConfig = lib.mkForce "";
+
+ # HACK: fix treesitter
+ systemd.tmpfiles.rules = [
+ "L+ /lib/libstdc++.so.6 - - - - ${pkgs.stdenv.cc.cc.lib}/lib/libstdc++.so.6"
+ ];
+
+ systemd.extraConfig = "RebootWatchdogSec=5";
+
+ programs = {
+ sway = {
+ enable = true;
+ wrapperFeatures.gtk = true;
+
+ extraPackages = with pkgs; [
+ autotiling
+ alacritty
+ swaylock
+ swayidle
+ swaybg
+ wayland-utils
+ wl-clipboard
+ grim
+ slurp
+ sway-contrib.grimshot
+ waybar
+ bemenu
+ qt5.qtwayland
+ xdg_utils
+ ];
+ };
+
+ zsh.enable = true;
+ zsh.enableCompletion = false;
+ };
+
+ hardware.opengl.enable = true;
+ hardware.opengl.driSupport32Bit = true;
+ hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
+
+ xdg.portal = {
+ enable = true;
+ gtkUsePortal = true;
+ extraPortals = with pkgs; [
+ xdg-desktop-portal-gtk
+ xdg-desktop-portal-wlr
+ ];
+ };
+
+ virtualisation.libvirtd.enable = true;
+
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.secrets.spotify-password.owner = "boopy";
+
+ users.users = {
+ boopy = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+
+ extraGroups = [
+ "wheel"
+ "audio"
+ "networkmanager"
+ "libvirtd"
+ ];
+ };
+ };
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "22.05"; # Did you read the comment?
+}
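Review bot: `sudo.wheelNeedsPassword = false;` in the `security` block, combined with `boopy` being in `wheel` under `users.users`, makes every process running as that user root-equivalent with no prompt, on a host that also enables sshd and libvirtd. Unless that is a deliberate single-user-desktop trade-off, drop the line so the default `true` applies, or add a comment recording the decision. Separately, the kernel parameter `"systemd.watchdog-device/dev/watchdog"` has no `=`, so it is passed as one opaque token and presumably never selects the watchdog device; it probably should read `"systemd.watchdog_device=/dev/watchdog"`. `services.journald.extraConfig = lib.mkForce "";` would also benefit from a one-line comment naming the inherited journald settings it is meant to clear.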
diff --git a/nixos/alpha/hardware-configuration.nix b/nixos/alpha/hardware-configuration.nix
new file mode 100644
index 0000000..3e99ea9
--- /dev/null
+++ b/nixos/alpha/hardware-configuration.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+ espDev = "/dev/disk/by-uuid/7905-2E41";
+ btrfsDev = "/dev/disk/by-uuid/dc47a0a6-3c73-45c1-951c-40032e762180";
+ swapDev = "/dev/disk/by-uuid/4a74b247-99e9-42c7-9a86-75aea964bb85";
+ dataDev = "/dev/disk/by-uuid/fe7a00a8-0a3c-48de-9d7a-ed7cf172f501";
+
+ subvolume = name: {
+ device = btrfsDev;
+ fsType = "btrfs";
+ options = [ "subvol=${name}" "compress=zstd" "noatime" ];
+ };
+in
+{
+ boot.initrd.availableKernelModules = [ "xhci-pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" "tcp_bbr" ];
+ boot.extraModulePackages = [ ];
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.enableRedistributableFirmware = true;
+
+ fileSystems."/" = subvolume "root";
+ fileSystems."/home" = subvolume "home";
+ fileSystems."/nix" = subvolume "nix";
+ fileSystems."/persist" = subvolume "persist";
+ fileSystems."/var/log" = {
+ device = btrfsDev;
+ fsType = "btrfs";
+ options = [ "subvol=log" "compress=zstd" "noatime" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/boot" = {
+ device = espDev;
+ fsType = "vfat";
+ };
+
+ fileSystems."/data" = {
+ device = dataDev;
+ fsType = "ext4";
+ };
+
+ swapDevices = [{ device = swapDev; }];
+
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil";
+}
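Review bot: `swapDevices = [{ device = swapDev; }];` sets up plain swap, and every `fileSystems` entry in this file mounts a bare by-uuid device, so as far as this hunk shows nothing is encrypted at rest. Memory pages of processes that have read the sops-managed secret could therefore end up readable on the swap partition. If hibernation is not needed, adding `randomEncryption.enable = true;` to the swap entry covers the swap part. That option needs a stable device path such as `/dev/disk/by-partuuid/<PARTUUID-PLACEHOLDER>` instead of the by-uuid one, because the on-disk swap header, and with it the UUID, is overwritten once the partition is used with a random key. If disk encryption is handled by a layer not visible here, a short comment above the `let` block saying so would settle the question.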
diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml
new file mode 100644
index 0000000..f1abf24
--- /dev/null
+++ b/nixos/alpha/secrets/secrets.yaml
@@ -0,0 +1,52 @@
+spotify-password: ENC[AES256_GCM,data:tmzSh7Cf9fmL4PIdrV1dMz0=,iv:tLnKsQ2qEEZbGmuavMqiAXczlsZh21JU4tWWhhZP3OY=,tag:egoGT/V8AxIfcaVV0/ddtg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-01-15T16:15:09Z"
+ mac: ENC[AES256_GCM,data:1uhM/dHYwkdWoF90gbqdX+y1LgCkY0xFrC/tGQtm6tk0/X9Q9yq7se646IUVwhyZDP4+PRA1DhmjJTOwFxRWpXLPtRbPgcAGjNoMjP/n8HhDiDr5dUJWLsuHg4vB9MGA8UnEewUdYjZiR+7+x6iULcnRojR06Uzy1D47f6tQqZ8=,iv:yTY9blxNtbvYjOVidtLeTzuDfWpN+AgLtkAC/D+VV+Q=,tag:fIR+NVF9YkghhMJTOpGrPw==,type:str]
+ pgp:
+ - created_at: "2022-01-15T16:14:51Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA0MrV1e36x+kAQ/+N5pvwngEyucZTGlNZV1yachrUEkylK84bfJPwCn5JMWY
+ mBhdhgBZ5DEmseA2pny6mDyid6EQjKB/akIDnW2ZTaBposdDlJUw4S7wqO+vtuLM
+ 9L1jFg+y9xn9H2HzIyaglBN0cLQIPqZtu72yriV3bAu7wPLd3J+5fq/ohPV4GrsL
+ CVs0h8t/n/BkJ6q0s7gTBe2+tvB78fsLZwSpSwc5fzXdaZTRBCopEqT+3DO/shX3
+ qOsP3zvbUIKvdIXsfGhwtfpuPD3qg42HoyI+CmedjoG1DkPX0jLiu44K+EJJr9n1
+ jQ9Ms/jc4But5DW+EyWm9rkMGinMY+cEENKcJ/8LVuUzud/KFsJhJnEAi23U705+
+ om7Gte+UOLE+Z5LDaLNKNJ51mHcl/JS+ze74mafkcyrbQsCXgicyS47VxPltVtnX
+ P6u/NQmrvWlnWGw1QLHVjOzN5FEedAWvUaS4kQABG/LFobMx6M9dPucKUBAkOhXy
+ ZvcJDUN4XbIIxnfM8bQ9ijYAC5+axhonY95UX9OCwiErXC7rawa1J8mJTdGmxFIK
+ MVV2yfBoqGyhQduq/j7ScPfGkY/pC7NtFtphwjocQkVDO6SO/o1zYEAzgqpOKYzP
+ 1piFC7Z0MUnOYu0omhXXt2UGIxmxl4DbPSq3hZVfTzjjVlPp3wr6EmI6eUO2o6nS
+ WAG60D7zdhWEJF7LrNqg0abwbsqUUMGOzdSUA89AfoQIK3mZ0hDl4fzklPMxpqio
+ K5gNpvazqLGDLQXXjByoPXg8sFZXm3Isoq1WbrdkRonmjYJCIhGzdt4=
+ =ntAB
+ -----END PGP MESSAGE-----
+ fp: e1965a67a09b4b20fcea3b57432b5757b7eb1fa4
+ - created_at: "2022-01-15T16:14:51Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzBHloZFtyD7AQ//YazK3vEkUC9A8gtjn7mst91PL57bBEFOsgp0MXYR4U9m
+ +Ro9qA98vF6PIcBLA9yfixpbiT+JVUTJPHrS8j0aegocVgUTNlrh7qPMU0w220oF
+ e+6P9XmEh4w1rSy03F5Ch7AVZ/o9aUEFKSMud7Zl5oPk2v7JqgqtHy7SHdlDa6JL
+ PQftiu9rozzOM+7UmRWA1pzi2JX03Md6qLGaPpMyM0AhdZuf/bLV8zpcKRIBWmkF
+ n5LE0blIYv/9yvowXgZQaDj2eejWzKWm0Zpd9Cw3MsuJHG1TLOgyjhpdV9raMg+k
+ BE8kBN+EwUy4CTKzeBeyGenY5mn7ll+x/vGo3aa2Shywalkr6mSmnH5B8FuO2c2U
+ S1hwrpoTJjsTiQzCnxVEm+Jv1uRAfoOQwJMt2Br0MM3iVCrm+/mGNv5K4GC96MqN
+ FPfGt1tsUViZ0xbbVbJ2ULAZUpBHzK7XTFcobnuHMRSjQ16QO8mIAN0ROEzTl/ng
+ 7gVRxV2X9f+9aChQ14bmoovjPqVbxl09B3cYPrvXvd0x7V0FGUTHWexXZBOg9OOc
+ zG9VTDBiEy26G9a7XOMGNAIwNPxULCa7uKRql2UvtrDZf4CZx3H7dnJKAKXmTbx2
+ WjxQ2N0au8oVEkMK6TFUdOBuPGJq/skNXOU0S9kCBhcrA81pwF3Q6I42gml2GiHS
+ XgEgxy2EntotByYJ88UmB6y6WSROfTVGJGykJ0QnU6bAJErss3BmE45yYo6ymI9X
+ kRLyz6YManX2UMUfDrlumeqRFFYkdx+7kdqvgc8vLcGjrCIGsPoEpMltj0A2+M4=
+ =dGjP
+ -----END PGP MESSAGE-----
+ fp: EE731799CAE9F76B048BDF71F05C1C600B728A18
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
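Review bot: The two `pgp` recipients are recorded only as bare fingerprints on the `fp:` lines, and nothing in this path-limited view says which one belongs to the host alpha and which to an operator. A comment next to `sops.defaultSopsFile` in configuration.nix, or named key anchors in a `.sops.yaml` if the repository does not already have one, would make later recipient removal and rotation auditable. Because this ciphertext stays in git history, removing a recipient later does not revoke that key's access to this version. The underlying password should therefore be changed whenever a recipient key is retired or suspected exposed.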