From 579c7ae494c68648e03830d32973a160aabd354a Mon Sep 17 00:00:00 2001
From: Harry Ying
Date: Wed, 18 Dec 2024 09:14:59 +0800
Subject: [PATCH] build: create tb14 target
- increased GitHub Action swap
- tweaked disko config
- created tb14 targets (TODO: refactor later)
---
 .github/workflows/buildiso.yaml | 4 +-
 cfgs/deck/default.nix | 1 -
 cfgs/img-deck/default.nix | 1 -
 cfgs/img-tb14/default.nix | 150 ++++++++++++++++++++++
 cfgs/img-tb14/install.sh | 32 +++++
 cfgs/img-tb14/networking.nix | 21 +++
 cfgs/img-x1c7/default.nix | 1 -
 cfgs/tb14/boot.nix | 34 +++++
 cfgs/tb14/default.nix | 221 ++++++++++++++++++++++++++++++++
 cfgs/tb14/hardware.nix | 31 +++++
 cfgs/tb14/i18n.nix | 29 +++++
 cfgs/tb14/networking.nix | 86 +++++++++++++
 cfgs/tb14/security.nix | 70 ++++++++++
 cfgs/tb14/services.nix | 82 ++++++++++++
 cfgs/x1c7/default.nix | 1 -
 flake.nix | 69 +++++++++-
 modules/disko/default.nix | 14 +-
 modules/disko/disk.nix | 6 +-
 18 files changed, 838 insertions(+), 15 deletions(-)
 create mode 100644 cfgs/img-tb14/default.nix
 create mode 100644 cfgs/img-tb14/install.sh
 create mode 100644 cfgs/img-tb14/networking.nix
 create mode 100644 cfgs/tb14/boot.nix
 create mode 100644 cfgs/tb14/default.nix
 create mode 100644 cfgs/tb14/hardware.nix
 create mode 100644 cfgs/tb14/i18n.nix
 create mode 100644 cfgs/tb14/networking.nix
 create mode 100644 cfgs/tb14/security.nix
 create mode 100644 cfgs/tb14/services.nix
diff --git a/.github/workflows/buildiso.yaml b/.github/workflows/buildiso.yaml
index 2e86622..d0711fe 100644
--- a/.github/workflows/buildiso.yaml
+++ b/.github/workflows/buildiso.yaml
@@ -41,7 +41,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- target: ["imgs.x1c7", "imgs.deck"]
+ target: ["imgs.x1c7", "imgs.deck", "imgs.tb14" ]
 # GitHub Action may not have enough space to build the deck image.
 # target: ["imgs.x1c7"]
@@ -52,7 +52,7 @@ jobs:
 with:
 # Reserved for /tmp
 root-reserve-mb: 20480
- swap-size-mb: 1024
+ swap-size-mb: 4096
 temp-reserve-mb: 100
 build-mount-path: '/nix'
 build-mount-path-ownership: 'root:root'
diff --git a/cfgs/deck/default.nix b/cfgs/deck/default.nix
index a3a9330..091c2aa 100644
--- a/cfgs/deck/default.nix
+++ b/cfgs/deck/default.nix
@@ -62,7 +62,6 @@
 # We are auto login user.
 security.sudo.wheelNeedsPassword = lib.mkForce true;
- my.disko.enable = true;
 my.gnome-desktop = {
 enable = true;
 enableDisplayManager = false;
diff --git a/cfgs/img-deck/default.nix b/cfgs/img-deck/default.nix
index 501fe07..3a82c90 100644
--- a/cfgs/img-deck/default.nix
+++ b/cfgs/img-deck/default.nix
@@ -123,7 +123,6 @@ with lib;
 enable = true;
 };
- disko.devices = (import ./../../modules/disko/disk.nix { });
 # This is a LiveCD, please don't enable disk config in NixOS.
 disko.enableConfig = false;
diff --git a/cfgs/img-tb14/default.nix b/cfgs/img-tb14/default.nix
new file mode 100644
index 0000000..659a900
--- /dev/null
+++ b/cfgs/img-tb14/default.nix
@@ -0,0 +1,150 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib;
+{
+ imports = [
+ ./networking.nix
+ ];
+
+ config = {
+ # To fix home-manager issue
+ # https://github.com/nix-community/home-manager/blob/master/modules/misc/version.nix
+ system.stateVersion = "24.11";
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # This is a dummy key in ISO image, we shall not worry about its security.
+ # Agenix breaks in LiveCD due to https://github.com/ryantm/agenix/issues/165.
+ age.identityPaths = [
+ (pkgs.writeText "img_key_ed25519" (builtins.readFile ../../secrets/raw/img_key_ed25519))
+ ];
+
+ # GPG agent that makes GPG work in LiveCD.
+ programs.gnupg.agent.enable = true;
+
+ # ZFS is currently broken on the latest kernel. Since we don't use it, it's fine to disable it.
+ boot.supportedFilesystems = lib.mkForce [
+ "btrfs"
+ "reiserfs"
+ "vfat"
+ "f2fs"
+ "xfs"
+ "ntfs"
+ "cifs"
+ ];
+
+ # Set internationalisation properties.
+ console = {
+ font = "Lat2-Terminus16";
+ useXkbConfig = true;
+ };
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ inputMethod = {
+ enable = true;
+ type = "ibus";
+ ibus.engines = with pkgs.ibus-engines; [
+ libpinyin
+ typing-booster
+ ];
+ };
+ };
+
+ # Fonts
+ fonts.packages = with pkgs; [
+ noto-fonts
+ noto-fonts-cjk-sans
+ noto-fonts-emoji
+ fira-code
+ fira-code-symbols
+ nerd-fonts.fira-code
+ ];
+
+ isoImage.edition = "gnome";
+
+ # Whitelist wheel users to do anything
+ # This is useful for things like pkexec
+ #
+ # WARNING: this is dangerous for systems
+ # outside the installation-cd and shouldn't
+ # be used anywhere else.
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+
+ networking.wireless.enable = mkForce false;
+
+ services.xserver.displayManager = {
+ gdm = {
+ # autoSuspend makes the machine automatically suspend after inactivity.
+ # It's possible someone could/try to ssh'd into the machine and obviously
+ # have issues because it's inactive.
+ # See:
+ # * https://github.com/NixOS/nixpkgs/pull/63790
+ # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22
+ autoSuspend = false;
+ };
+ };
+ services.displayManager.autoLogin = {
+ enable = true;
+ user = "nixos";
+ };
+
+ my.gnome-desktop = {
+ enable = true;
+ extraExcludePackages = [ pkgs.orca ];
+ };
+ my.base = {
+ enable = true;
+ hostname = "img";
+ };
+ my.home.nixos = {
+ extraPackages = with pkgs; [
+ firefox-wayland
+ htop
+ dnsutils
+ smartmontools
+ ];
+ extraDconf =
+ let
+ hm = inputs.home-manager.lib.hm;
+ in
+ {
+ "org/gnome/desktop/interface"."scaling-factor" = hm.gvariant.mkUint32 2;
+ };
+ };
+
+ # This is a LiveCD, please don't enable disk config in NixOS.
+ disko.enableConfig = false;
+
+ environment.systemPackages =
+ with pkgs;
+ let
+ create-disko-pkg =
+ name: path:
+ (runCommandLocal "disko-${name}" { } ''
+ mkdir -p $out/bin
+ install ${path} $out/bin/disko-${name}
+ '');
+ in
+ [
+ (writeShellScriptBin "install-script" (builtins.readFile ./install.sh))
+
+ (create-disko-pkg "main" config.system.build.diskoScript)
+ (create-disko-pkg "format" config.system.build.formatScript)
+ (create-disko-pkg "mount" config.system.build.mountScript)
+ ];
+
+ users.users.nixos.shell = pkgs.zsh;
+ programs.zsh.enable = true;
+ };
+}
diff --git a/cfgs/img-tb14/install.sh b/cfgs/img-tb14/install.sh
new file mode 100644
index 0000000..f9ff68f
--- /dev/null
+++ b/cfgs/img-tb14/install.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+MOUNTPOINT="/mnt"
+
+set -e
+
+sudo -u nixos git clone https://github.com/LEXUGE/flake
+
+# Create secureboot keys
+mkdir -p /etc/secureboot/keys/db
+
+# start using user "nixos" is necessary, otherwise pinetry cannot work
+# we cannot directly output the decrypted files to /etc due to permission issue
+sudo -u nixos gpg -o db.pem -d flake/secrets/raw/db.pem.asc
+sudo -u nixos gpg -o db.key -d flake/secrets/raw/db.key.asc
+
+mv db.pem /etc/secureboot/keys/db/db.pem
+mv db.key /etc/secureboot/keys/db/db.key
+
+chmod 400 /etc/secureboot
+
+disko-main
+
+mkdir -p ${MOUNTPOINT}/persist/secrets/
+
+sudo -u nixos gpg -o ash_ed25519 -d flake/secrets/raw/ash_ed25519.asc
+mv ash_ed25519 "${MOUNTPOINT}"/persist/secrets/
+
+# secrets folder not be accessible by anybody
+chmod 700 "${MOUNTPOINT}"/persist/secrets/
+
+nixos-install --flake "./flake#tb14" --no-root-passwd --no-channel-copy
diff --git a/cfgs/img-tb14/networking.nix b/cfgs/img-tb14/networking.nix
new file mode 100644
index 0000000..fbc548f
--- /dev/null
+++ b/cfgs/img-tb14/networking.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+ # Use local DNS server all the time
+ networking.resolvconf.useLocalResolver = true;
+
+ networking.networkmanager = {
+ # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
+ enable = true;
+ # Don't use DNS advertised by connected network. Use local configuration
+ dns = "none";
+ # Use the random MAC Address when scan
+ wifi.scanRandMacAddress = true;
+ };
+
+ # Setup our local DNS
+ my.dcompass = {
+ enable = true;
+ package = pkgs.dcompass.dcompass-maxmind;
+ settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; });
+ };
+}
diff --git a/cfgs/img-x1c7/default.nix b/cfgs/img-x1c7/default.nix
index fc18599..d6e3f22 100644
--- a/cfgs/img-x1c7/default.nix
+++ b/cfgs/img-x1c7/default.nix
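Review bot: The decrypted key material is created by gpg running as `nixos` with gpg's default (umask-dependent) mode, and `mv` within the same filesystem keeps that ownership, so `db.key`, `db.pem` and `ash_ed25519` end up owned by the unprivileged live user and protected only by their parent directory's mode (`chmod 400` on a directory, which is an odd way to spell `700`), not by their own. Since `cfgs/tb14/security.nix` treats the same paths as `mode = "400"; owner = "root"` and `age.identityPaths` reads `ash_ed25519` as root, it is worth setting owner and mode explicitly at copy time and deleting the plaintext copies left in the working directory. `git clone https://github.com/LEXUGE/flake` also installs whatever the default branch points at when the script runs; checking out a known commit or tag before `nixos-install` would make the installed system reproducible. `set -euo pipefail` in place of `set -e` would additionally abort on an unset `MOUNTPOINT` or a failing command inside a pipeline.
```shell
install -d -m 700 /etc/secureboot/keys/db
# … unchanged: gpg decryption as nixos …
install -o root -g root -m 400 db.pem /etc/secureboot/keys/db/db.pem
install -o root -g root -m 400 db.key /etc/secureboot/keys/db/db.key
rm -f db.pem db.key
chmod 700 /etc/secureboot
# … unchanged: disko-main …
install -d -m 700 "${MOUNTPOINT}"/persist/secrets/
sudo -u nixos gpg -o ash_ed25519 -d flake/secrets/raw/ash_ed25519.asc
install -o root -g root -m 400 ash_ed25519 "${MOUNTPOINT}"/persist/secrets/ash_ed25519
rm -f ash_ed25519
```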
@@ -123,7 +123,6 @@ with lib;
 };
 };
- disko.devices = (import ./../../modules/disko/disk.nix { });
 # This is a LiveCD, please don't enable disk config in NixOS.
 disko.enableConfig = false;
diff --git a/cfgs/tb14/boot.nix b/cfgs/tb14/boot.nix
new file mode 100644
index 0000000..64950b5
--- /dev/null
+++ b/cfgs/tb14/boot.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ my.lanzaboote.enable = true;
+
+ # Clean tmp folder which is a btrfs subvol
+ boot.tmp.cleanOnBoot = true;
+
+ # Create root on tmpfs
+ fileSystems."/" = {
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=2G"
+ "mode=755"
+ ];
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+
+ # LUKS device registration and swap registration are already handled by disko
+ # fallBackToPassword is implied by systemd-initrd
+ boot.initrd.luks.devices."cryptroot" = {
+ # keyFile = "/keyfile.bin";
+ allowDiscards = true;
+ # fallbackToPassword = true;
+ };
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+}
diff --git a/cfgs/tb14/default.nix b/cfgs/tb14/default.nix
new file mode 100644
index 0000000..c47b663
--- /dev/null
+++ b/cfgs/tb14/default.nix
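Review bot: `allowDiscards = true` on `cryptroot` is a deliberate confidentiality trade-off (TRIM lets anyone with the raw device see which blocks are unused, and so infer filesystem layout and usage) and deserves a why-comment so it is not later mistaken for a default, e.g. `# allowDiscards: accept TRIM's free-space leakage for SSD longevity/performance`. The comment `fallBackToPassword is implied by systemd-initrd` relies on `boot.initrd.systemd.enable` being set somewhere outside this file (presumably by `my.lanzaboote`, which is not shown); naming where it is enabled would stop a reader from assuming the scripted initrd is in use. The commented-out `keyFile` and `fallbackToPassword` lines read as leftovers and could be removed or turned into one sentence explaining why they are not needed.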
@@ -0,0 +1,221 @@
+{
+ inputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ ./boot.nix
+ ./hardware.nix
+ ./networking.nix
+ ./i18n.nix
+ ./services.nix
+ ./security.nix
+ ];
+
+ config =
+ let
+ # To avoid having to reseal on each kernel/initrd update
+ # (must have secure boot and use Unified Kernel Image)
+ # https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
+ pcrBanks = [
+ 0 # Core System Firmware executable code
+ 1 # UEFI Settings
+ 2 # Extended or pluggable executable code (e.g., Option ROMs)
+ 3 # Boot Device selection
+ # 4 # Measures the boot manager and the devices that the firmware tried to boot from
+ 5 # Can measure configuration of boot loaders; includes the GPT Partition Table
+ 7 # Secure Boot state (full contents of PK/KEK/db + certificates used to validate each boot application)
+
+ # Not very useful as SecureBoot already ensures that we are booting trustworthy kernels.
+ # WARN: Still could be dangerous as Microsoft key is present and someone could boot Ubuntu and decrypt the disk.
+ # 9 # Hash of the initrd and EFI Load Options
+ # 11 # Hash of the unified kernel image
+ ];
+
+ root = config.boot.initrd.luks.devices."cryptroot".device;
+ swap = config.boot.initrd.luks.devices."cryptswap".device;
+
+ bless =
+ let
+ pcrBankList = builtins.concatStringsSep "+" (map (x: builtins.toString x) pcrBanks);
+ in
+ pkgs.writeShellScriptBin "bless-current-pcr" ''
+ set -euo pipefail
+
+ /run/current-system/sw/bin/systemd-cryptenroll --wipe-slot=tpm2 ${root}
+ /run/current-system/sw/bin/systemd-cryptenroll --wipe-slot=tpm2 ${swap}
+ /run/current-system/sw/bin/systemd-cryptenroll --tpm2-pcrs=${pcrBankList} --tpm2-device=auto ${root}
+ /run/current-system/sw/bin/systemd-cryptenroll --tpm2-pcrs=${pcrBankList} --tpm2-device=auto ${swap}
+
+ echo "Blessed current PCRs"
+ '';
+
+ hm = inputs.home-manager.lib.hm;
+ in
+ {
+ my.gnome-desktop.enable = true;
+ my.base = {
+ enable = true;
+ hostname = "tb14";
+ };
+
+ # home-manager.users.ash.systemd.user.sessionVariables = config.home-manager.users.ash.home.sessionVariables;
+ my.home.ash = {
+ extraPackages = with pkgs; [
+ zulip
+ # minecraft
+ tor-browser-bundle-bin
+ tpm2-tools
+ sbctl
+ firefox-wayland
+ tdesktop
+ htop
+ qbittorrent
+ zoom-us
+ thunderbird-bin
+ pavucontrol
+ dnsperf
+ bless
+ dnsutils
+ smartmontools
+ # Steam scaling seems to be broken, doing it manually
+ # (runCommand "steam-hidpi"
+ # {
+ # nativeBuildInputs = [ makeWrapper ];
+ # } ''
+ # mkdir -p $out/bin
+ # makeWrapper ${steam}/bin/steam $out/bin/steam --set GDK_SCALE 2
+ # cp -r ${steam}/share $out/share/
+ # '')
+ steam
+ # obsidian
+ # We fix installer version so don't get updated automatically when Wolfram releases new version
+ (import inputs.nixpkgs-mathematica {
+ system = pkgs.system;
+ config.allowUnfree = true;
+ overlays = [
+ (final: prev: {
+ # Patch mathematica to solve "libdbus not found" error.
+ # Also pin it to a specific commit to prevent from rebuilding.
+ mathematica_13_3_1 =
+ (prev.mathematica.overrideAttrs (
+ _: prevAttrs: {
+ wrapProgramFlags = prevAttrs.wrapProgramFlags ++ [
+ "--prefix LD_LIBRARY_PATH : ${prev.lib.makeLibraryPath [ prev.dbus.lib ]}"
+ ];
+ }
+ )).override
+ {
+ version = "13.3.1";
+ };
+ })
+ ];
+ }).mathematica_13_3_1
+ coyim
+ zotero
+ ];
+ extraDconf = {
+ "org/gnome/desktop/interface"."scaling-factor" = hm.gvariant.mkUint32 2;
+ };
+ };
+
+ # Fonts
+ fonts.packages = with pkgs; [
+ noto-fonts
+ noto-fonts-cjk-sans
+ noto-fonts-emoji
+ fira-code
+ fira-code-symbols
+ nerd-fonts.fira-code
+ ];
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib"
+ "/var/cache"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/persisted-timezone"
+ ];
+ users.ash = {
+ files = [
+ ".config/monitors.xml"
+ ];
+ directories = [
+ "Desktop"
+ "Documents"
+ "Downloads"
+ "Music"
+ "Pictures"
+ "Videos"
+ "Zotero"
+ ".zotero"
+ ".cache"
+ ".local"
+ ".mozilla"
+ ".thunderbird"
+ ".config/qBittorrent"
+ ".config/coyim"
+ ".config/Zulip"
+ ".julia"
+ ".Mathematica"
+ "org-files"
+ # Both git-credentials and zsh_hist_dir doesn't seem to play well with impermanence
+ {
+ directory = ".git_creds_dir";
+ mode = "0700";
+ }
+ {
+ directory = ".zsh_hist_dir";
+ mode = "0700";
+ }
+ {
+ directory = ".gnupg";
+ mode = "0700";
+ }
+ {
+ directory = ".ssh";
+ mode = "0700";
+ }
+ {
+ directory = ".local/share/keyrings";
+ mode = "0700";
+ }
+ ];
+ };
+ };
+
+ users = {
+ mutableUsers = false;
+ users = {
+ root.hashedPassword = "$6$TqNkihvO4K$x.qSUVbLQ9.IfAc9tOQawDzVdHJtQIcKrJpBCBR.wMuQ8qfbbbm9bN7JNMgneYnNPzAi2k9qXk0klhTlRgGnk0";
+ ash = {
+ hashedPassword = "$6$FAs.ZfxAkhAK0ted$/aHwa39iJ6wsZDCxoJVjedhfPZ0XlmgKcxkgxGDE.hw3JlCjPHmauXmQAZUlF8TTUGgxiOJZcbYSPsW.QBH5F.";
+ shell = pkgs.zsh;
+ isNormalUser = true;
+ # wheel - sudo
+ # networkmanager - manage network
+ # video - light control
+ # libvirtd - virtual manager controls.
+ # docker - Docker control
+ # tss - TPM2 control
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "wireshark"
+ "tss"
+ ];
+ };
+ };
+ };
+
+ system.stateVersion = "22.11";
+ };
+}
diff --git a/cfgs/tb14/hardware.nix b/cfgs/tb14/hardware.nix
new file mode 100644
index 0000000..a152e7c
--- /dev/null
+++ b/cfg/tb14/hardware.nix
@@ -0,0 +1,31 @@
+{ pkgs, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ # Needed for boot! we didn't include these for steamdeck as Jovian did these for us.
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "nvme"
+ "usb_storage"
+ "sd_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ hardware.enableRedistributableFirmware = true;
+
+ # Update Intel CPU Microcode
+ hardware.cpu.intel.updateMicrocode = true;
+
+ # Intel UHD 620 Hardware Acceleration
+ hardware.graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ vaapiIntel
+ vaapiVdpau
+ libvdpau-va-gl
+ intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
+ ];
+ };
+}
diff --git a/cfgs/tb14/i18n.nix b/cfgs/tb14/i18n.nix
new file mode 100644
index 0000000..da41316
--- /dev/null
+++ b/cfgs/tb14/i18n.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ my.timezone = {
+ enable = true;
+ path = "/etc/persisted-timezone";
+ };
+
+ # Select internationalisation properties.
+ console = {
+ font = "Lat2-Terminus16";
+ useXkbConfig = true;
+ };
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ inputMethod = {
+ enable = true;
+ type = "ibus";
+ ibus.engines = with pkgs.ibus-engines; [
+ libpinyin
+ typing-booster
+ ];
+ };
+ };
+}
diff --git a/cfgs/tb14/networking.nix b/cfgs/tb14/networking.nix
new file mode 100644
index 0000000..22e8c71
--- /dev/null
+++ b/cfgs/tb14/networking.nix
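Review bot: `root.hashedPassword` and `ash.hashedPassword` commit the SHA-512-crypt hashes of both account passwords to the flake, which `cfgs/img-tb14/install.sh` clones from a public GitHub URL, so anyone who can read the repository can run an offline guessing attack against them; the sing-box and Secure Boot material already goes through agenix, and the hashes could take the same route via `hashedPasswordFile = config.age.secrets.<secret-name>.path;` (placeholder secret name). In `bless-current-pcr`, the TPM policy binds to PCRs 0/1/2/3/5/7 with no PIN, and the comment block in `pcrBanks` itself notes that PCR 7 is the same for any Microsoft-signed boot chain; adding `--tpm2-with-pin=yes` to the two enrol calls closes that gap at the cost of a prompt at boot. The script wipes the TPM2 slot on both volumes before re-enrolling, so a failure on the second enrol leaves that volume on its passphrase only; that is an acceptable fallback but worth stating in a comment so a half-blessed state is recognisable. `/run/current-system/sw/bin/systemd-cryptenroll` also binds the script to whatever is installed when it runs, whereas `${pkgs.systemd}/bin/systemd-cryptenroll` would pin it to a known systemd.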
@@ -0,0 +1,86 @@
+{ config, pkgs, ... }:
+{
+ networking.resolvconf.useLocalResolver = true;
+
+ networking.networkmanager = {
+ # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
+ enable = true;
+ # Don't use DNS advertised by connected network. Use local configuration
+ dns = "none";
+ # Use the MAC Address same as my iPad
+ wifi = {
+ macAddress = "3c:7d:0a:be:5c:98";
+ scanRandMacAddress = true;
+ };
+ };
+
+ my.sing-box = {
+ enable = true;
+ settings = {
+ log = {
+ level = "info";
+ };
+
+ inbounds = [
+ {
+ type = "tun";
+ # sing-box version is too old to support this
+ # address = [
+ # "172.18.0.1/30"
+ # "fdfe:dcba:9876::1/126"
+ # ];
+ inet4_address = "172.19.0.1/30";
+ inet6_address = "fdfe:dcba:9876::1/126";
+ auto_route = true;
+ strict_route = true;
+ # sniff = true;
+ # # Override IP addr with sniffed domain
+ # sniff_override_destination = true;
+ }
+ ];
+
+ outbounds = [
+ {
+ type = "direct";
+ tag = "direct";
+ }
+ {
+ _secret = config.age.secrets.sing-box.path;
+ quote = false;
+ }
+ ];
+
+ route = {
+ rules = [
+ {
+ type = "logical";
+ mode = "or";
+ rules = [
+ { ip_is_private = true; }
+ { process_name = "dcompass"; }
+ { process_name = "NetworkManager"; }
+ { process_name = "steam"; }
+ # { process_name = "qbittorrent"; }
+ ];
+ outbound = "direct";
+ }
+ # TODO: This is deprecated and would be removed in the future.
+ {
+ geoip = [ "cn" ];
+ geosite = [ "cn" ];
+ outbound = "direct";
+ }
+ ];
+ final = "proxy";
+ auto_detect_interface = true;
+ };
+ };
+ };
+
+ # Setup our local DNS
+ my.dcompass = {
+ enable = true;
+ package = pkgs.dcompass.dcompass-maxmind;
+ settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; });
+ };
+}
diff --git a/cfgs/tb14/security.nix b/cfgs/tb14/security.nix
new file mode 100644
index 0000000..835cc41
--- /dev/null
+++ b/cfgs/tb14/security.nix
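Review bot: `macAddress = "3c:7d:0a:be:5c:98"` clones one fixed hardware address for every Wi-Fi connection, so the laptop presents a single stable identifier to every network it joins; `scanRandMacAddress = true` only randomises probe requests, not the address used once associated. If the clone is needed so a particular network admits the laptop under the iPad's registration, a comment saying so would explain the choice; otherwise `macAddress = "stable"` gives a per-connection stable address without a global one. Separately, `route.final = "proxy"` refers to an outbound tag that exists only inside the `_secret` file at `config.age.secrets.sing-box.path`, so sing-box fails to start if that secret does not define `tag = "proxy"`; a comment next to `final` recording that dependency is cheap.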
@@ -0,0 +1,70 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ # sbctl database files
+ age.secrets = {
+ secureboot_guid = {
+ file = ../../secrets/secureboot/GUID.age;
+ path = "/etc/secureboot/GUID";
+ mode = "444";
+ owner = "root";
+ };
+
+ # secureboot db
+ secureboot_db_key = {
+ file = ../../secrets/secureboot/db_key.age;
+ path = "/etc/secureboot/keys/db/db.key";
+ mode = "400";
+ owner = "root";
+ };
+ secureboot_db_cert = {
+ file = ../../secrets/secureboot/db_cert.age;
+ path = "/etc/secureboot/keys/db/db.pem";
+ mode = "400";
+ owner = "root";
+ };
+
+ # secureboot KEK
+ secureboot_kek_key = {
+ file = ../../secrets/secureboot/KEK_key.age;
+ path = "/etc/secureboot/keys/KEK/KEK.key";
+ mode = "400";
+ owner = "root";
+ };
+
+ secureboot_kek_cert = {
+ file = ../../secrets/secureboot/KEK_cert.age;
+ path = "/etc/secureboot/keys/KEK/KEK.pem";
+ mode = "400";
+ owner = "root";
+ };
+
+ # secureboot PK
+ secureboot_pk_key = {
+ file = ../../secrets/secureboot/PK_key.age;
+ path = "/etc/secureboot/keys/PK/PK.key";
+ mode = "400";
+ owner = "root";
+ };
+
+ secureboot_pk_cert = {
+ file = ../../secrets/secureboot/PK_cert.age;
+ path = "/etc/secureboot/keys/PK/PK.pem";
+ mode = "400";
+ owner = "root";
+ };
+ };
+
+ age.secrets.sing-box = {
+ file = ../../secrets/sing-box.age;
+ mode = "400";
+ owner = "root";
+ };
+
+ # secret key decrypted on install
+ age.identityPaths = [ "/persist/secrets/ash_ed25519" ];
+}
diff --git a/cfgs/tb14/services.nix b/cfgs/tb14/services.nix
new file mode 100644
index 0000000..f6ef028
--- /dev/null
+++ b/cfgs/tb14/services.nix
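Review bot: The PK and KEK private keys (`secureboot_pk_key`, `secureboot_kek_key`) are decrypted onto the running laptop next to the db key, although day-to-day signing of boot components only needs `db.key`; PK and KEK are needed only when enrolling or rotating the key hierarchy. Keeping them resident means a root compromise of the running system also yields the ability to re-enrol Secure Boot under attacker-chosen keys, which in turn defeats the PCR 7 binding the TPM unlock in `cfgs/tb14/default.nix` relies on. If sbctl is expected to find the complete hierarchy under `/etc/secureboot/keys`, a comment on the `# secureboot KEK` / `# secureboot PK` groups recording that requirement would justify the deployment; otherwise deploying only the certificates for PK and KEK and keeping the private halves offline shrinks the blast radius. The `mode = "400"; owner = "root"` settings themselves are appropriate.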
@@ -0,0 +1,82 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ ### Power and hardware
+ # Enable fwupd service for firmware updates
+ services.fwupd.enable = true;
+
+ hardware.bluetooth = {
+ enable = true;
+ disabledPlugins = [ "sap" ];
+ };
+
+ # Don't suspend if lid is closed with computer on power.
+ services.logind.lidSwitchExternalPower = "lock";
+ # suspend-then-hibernate to survive through critical power level.
+ services.logind.lidSwitch = "suspend-then-hibernate";
+
+ ### Sound and graphics
+
+ # This uses pipewire and conflicts with pulseaudio
+ # services.gnome.gnome-remote-desktop.enable = false;
+ # # Have to additionally disable pipewire: https://github.com/NixOS/nixpkgs/commit/438fd16359cf30090c66d3748727829afa90e814
+ # services.pipewire.enable = false;
+ # # Configuration of pulseaudio to facilitate bluetooth headphones and Steam.
+ # hardware.pulseaudio = {
+ # enable = true;
+ # # 32 bit support for steam.
+ # support32Bit = true;
+ # # NixOS allows either a lightweight build (default) or full build of PulseAudio to be installed.
+ # # Only the full build has Bluetooth support, so it must be selected here.
+ # package = pkgs.pulseaudioFull;
+ # };
+
+ # OpenGL 32 bit support for steam
+ hardware.graphics.enable32Bit = true;
+
+ ### Misc
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable GVFS, implementing "trash" and so on.
+ services.gvfs.enable = true;
+
+ # Enable GNU Agent in order to make GnuPG works.
+ programs.gnupg.agent.enable = true;
+
+ # Use btrbk to snapshot persistent states and home
+ services.btrbk.instances.snapshot = {
+ # snapshot on the start and the middle of every hour.
+ onCalendar = "*:00,30";
+ settings = {
+ timestamp_format = "long-iso";
+ preserve_day_of_week = "monday";
+ preserve_hour_of_day = "23";
+ # All snapshots are retained for at least 6 hours regardless of other policies.
+ snapshot_preserve_min = "6h";
+ volume."/" = {
+ snapshot_dir = ".snapshots";
+ subvolume."persist".snapshot_preserve = "48h 7d";
+ subvolume."persist/home".snapshot_preserve = "48h 7d 4w";
+ };
+ };
+ };
+
+ programs.wireshark = {
+ enable = true;
+ package = pkgs.wireshark-qt;
+ };
+
+ # Required to enable completion somehow.
+ programs.zsh.enable = true;
+
+ # Scrub btrfs to protect data integrity
+ services.btrfs.autoScrub.enable = true;
+
+ # setup uxplay related services
+ my.uxplay.enable = true;
+}
diff --git a/cfgs/x1c7/default.nix b/cfgs/x1c7/default.nix
index e829e4d..f5a65d8 100644
--- a/cfgs/x1c7/default.nix
+++ b/cfgs/x1c7/default.nix
@@ -57,7 +57,6 @@ in {
 my.gnome-desktop.enable = true;
- my.disko.enable = true;
 my.base = {
 enable = true;
 hostname = "x1c7";
diff --git a/flake.nix b/flake.nix
index c16190a..d711875 100644
--- a/flake.nix
+++ b/flake.nix
@@ -88,6 +88,7 @@
 extraOverlays ? [ ],
 extraSubstituters ? [ ],
 extraPublicKeys ? [ ],
+ extraArgs ? { },
 system,
 }:
 (lib.nixosSystem {
@@ -118,7 +119,9 @@
 }
 )
 ] ++ extraMods;
- specialArgs = { inherit inputs; };
+ specialArgs = {
+ inherit inputs;
+ } // extraArgs;
 });
 in
 nixpkgs.lib.recursiveUpdate
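Review bot: `services.logind.lidSwitch = "suspend-then-hibernate"` hibernates into swap, and on tb14 swap is the LUKS volume `cryptswap` from `modules/disko/disk.nix`; resuming from it requires the initrd to know the resume device, and nothing in this hunk sets it. If disko's swap content is what marks it as the resume device that is fine, but it is an inference from outside the diff and worth a one-line comment here, e.g. `# hibernates into cryptswap; the resume device is registered by the disko swap config`; otherwise the first lid-close on battery hibernates into a swap the initrd never resumes from and the session is lost. The 40 GiB swap chosen in `flake.nix` (`tb14 = ... { swap = 40; }`) must also stay at or above physical RAM for the hibernation image to fit, which is another constraint a comment should record. `programs.wireshark` with `ash` in the `wireshark` group grants packet capture to that user; presumably intended, but it deserves the same kind of comment the other services in this file have.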
@@ -143,6 +146,58 @@
 # Export modules under ./modules as NixOS modules
 nixosModules = (import ./modules { inherit lib; });
+ # Export system cfgs
+ nixosConfigurations.tb14 = mkSystem {
+ name = "tb14";
+ extraMods = [
+ nixosModules.clash
+ nixosModules.base
+ nixosModules.lanzaboote
+ nixosModules.uxplay
+ nixosModules.home
+ nixosModules.gnome-desktop
+ nixosModules.dcompass
+ nixosModules.sing-box
+ nixosModules.timezone
+ impermanence.nixosModules.impermanence
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ lanzaboote.nixosModules.lanzaboote
+ agenix.nixosModules.age
+ { disko.devices = diskoConfigurations.tb14; }
+ ];
+ extraOverlays = [
+ dcompass.overlays.default
+ ash-emacs.overlays.emacs-overlay
+ ash-emacs.overlays.default
+ vimrc.overlays.default
+ ];
+ system = system.x86_64-linux;
+ };
+
+ nixosConfigurations.img-tb14 = mkSystem {
+ name = "img-tb14";
+ extraMods = [
+ nixosModules.clash
+ nixosModules.home
+ nixosModules.base
+ nixosModules.gnome-desktop
+ nixosModules.dcompass
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ agenix.nixosModules.age
+ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
+ { disko.devices = diskoConfigurations.tb14; }
+ ];
+ extraOverlays = [
+ dcompass.overlays.default
+ ash-emacs.overlays.emacs-overlay
+ ash-emacs.overlays.default
+ vimrc.overlays.default
+ ];
+ system = system.x86_64-linux;
+ };
+
 # Export system cfgs
 nixosConfigurations.x1c7 = mkSystem {
 name = "x1c7";
@@ -151,7 +206,6 @@
 extraMods = [
 nixosModules.clash
 nixosModules.base
- nixosModules.disko
 nixosModules.lanzaboote
 nixosModules.uxplay
 nixosModules.home
@@ -164,6 +218,7 @@
 home-manager.nixosModules.home-manager
 lanzaboote.nixosModules.lanzaboote
 agenix.nixosModules.age
+ { disko.devices = diskoConfigurations.x1c7; }
 ];
 extraOverlays = [
 dcompass.overlays.default
@@ -175,8 +230,9 @@
 };
 diskoConfigurations = {
- deck = (import ./modules/disko/disk.nix { });
- x1c7 = (import ./modules/disko/disk.nix { });
+ deck = (import ./modules/disko/disk.nix { swap = 20; });
+ x1c7 = (import ./modules/disko/disk.nix { swap = 20; });
+ tb14 = (import ./modules/disko/disk.nix { swap = 40; });
 shards = (import ./cfgs/shards/disk-config.nix { });
 };
@@ -199,7 +255,6 @@
 extraMods = [
 nixosModules.clash
 nixosModules.base
- nixosModules.disko
 nixosModules.lanzaboote
 nixosModules.home
 nixosModules.gnome-desktop
@@ -213,6 +268,7 @@
 agenix.nixosModules.age
 lanzaboote.nixosModules.lanzaboote
 jovian.nixosModules.default
+ { disko.devices = diskoConfigurations.deck; }
 ];
 extraOverlays = [
 dcompass.overlays.default
@@ -235,6 +291,7 @@
 home-manager.nixosModules.home-manager
 agenix.nixosModules.age
 "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
+ { disko.devices = diskoConfigurations.x1c7; }
 ];
 extraOverlays = [
 dcompass.overlays.default
@@ -259,6 +316,7 @@
 agenix.nixosModules.age
 "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
 jovian.nixosModules.default
+ { disko.devices = diskoConfigurations.deck; }
 ];
 extraOverlays = [
 dcompass.overlays.default
@@ -272,6 +330,7 @@
 # ISO image entry point
 imgs.x1c7 = nixosConfigurations.img-x1c7.config.system.build.isoImage;
 imgs.deck = nixosConfigurations.img-deck.config.system.build.isoImage;
+ imgs.tb14 = nixosConfigurations.img-tb14.config.system.build.isoImage;
 publicKey = "lexuge.cachix.org-1:RRFg8AxcexeBd33smnmcayMLU6r2wbVKbZHWtg2dKnY=";
 }
diff --git a/modules/disko/default.nix b/modules/disko/default.nix
index c624ae4..2ba7447 100644
--- a/modules/disko/default.nix
+++ b/modules/disko/default.nix
@@ -1,6 +1,6 @@
+#WARN: Use of this module is deprecated. Use flake.nix to directly setup the diskoConfigurations and use in each system configuration instead.
 {
 lib,
- pkgs,
 config,
 ...
 }:
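Review bot: `deck` and `x1c7` now pass `swap = 20`, which through disk.nix's `end = "${toString (1 + swap)}G"` reproduces the previous hard-coded `21G` boundary, so existing installs keep their partition layout; that invariant is easy to break on a later edit and a comment on those two lines (`# 20 keeps the original 1G-21G swap layout; changing it re-partitions existing machines`) would protect it. The same `diskoConfigurations.<host>` value is now wired into both a host and its installer image (`img-x1c7`, `img-deck`, `img-tb14`), which is the right single source of truth, but each pair is assembled by hand; a small helper taking the host name and returning the `{ disko.devices = … }` module for both would stop them drifting. The `#WARN` line in `modules/disko/default.nix` declares the module deprecated, yet the same change adds a `swap` option with no default, so any remaining `my.disko.enable = true` user fails to evaluate until they set it — if that is intended, the comment should say so.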
@@ -19,9 +19,19 @@ in
 default = "/dev/nvme0n1";
 description = "devices";
 };
+
+ swap = mkOption {
+ type = types.int;
+ description = "Size of swap (in GiB)";
+ };
 };
 config = mkIf cfg.enable {
- disko.devices = (import ./disk.nix { device = cfg.device; });
+ disko.devices = (
+ import ./disk.nix {
+ device = cfg.device;
+ swap = cfg.swap;
+ }
+ );
 };
 }
diff --git a/modules/disko/disk.nix b/modules/disko/disk.nix
index f2562e1..7fc6102 100644
--- a/modules/disko/disk.nix
+++ b/modules/disko/disk.nix
@@ -1,7 +1,9 @@
 {
 device ? "/dev/nvme0n1",
+ swap,
 ...
 }:
+with builtins;
 {
 disk = {
 nvme = {
@@ -27,7 +29,7 @@
 swap = {
 label = "swap";
 start = "1G";
- end = "21G";
+ end = "${toString (1 + swap)}G";
 content = {
 type = "luks";
 name = "cryptswap";
@@ -39,7 +41,7 @@
 # Root partition
 root = {
 label = "root";
- start = "21G";
+ start = "${toString (1 + swap)}G";
 end = "100%";
 content = {
 type = "luks";
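Review bot: `with builtins;` in `modules/disko/disk.nix` is added only for `toString`, which is already in Nix's global scope, so the line can be dropped rather than widening the namespace of the whole file. The swap end and the root start are computed independently in the two later hunks (`end = "${toString (1 + swap)}G"` and `start = "${toString (1 + swap)}G"`), so a later edit to one can silently leave a gap or an overlap; a single `let swapEnd = "${toString (1 + swap)}G"; in` at the top of the file, used in both places, keeps them tied together. In `modules/disko/default.nix`, `type = types.int` accepts 0 and negative values, which would yield `end = "1G"` or an end before the start; `types.ints.positive` expresses the real constraint. The attribute sets containing the `swap` and `root` partitions start and end outside their hunks.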