initial commit

TODO: Modify `orion`'s filesystem file to be accurate to the laptop, not a VM
2023-09-17 03:40:50 -05:00 · 2023-09-17 03:40:50 -05:00 · 61671baedc
commit 61671baedc
16 changed files with 502 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,10 @@
+# Commands
+
+```bash
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+  git clone . /mnt/etc/nixos
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+  nixos-generate-config  --root /mnt --dir /mnt/persist/etc/nixos/hosts/orion/os;
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+  nixos-install --flake "git+file:.#orion"
+``
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,64 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1694069327,
+        "narHash": "sha256-Si2otUNjCe8kY5nsV7tILi4PsI0odBFrdSu8cCjn/eQ=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "7bee8de8e6755506c70323b864a884f9624cc23a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1690797372,
+        "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1693985761,
+        "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,22 @@
+{
+  description = "Price Hiller's flake for managing system configurations";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    impermanence.url = "github:nix-community/impermanence";
+  };
+
+  outputs = inputs @ { self, nixpkgs, impermanence, ... }: rec {
+    imports = [
+      ./configuration.nix
+    ];
+    nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = inputs;
+      modules = [
+        ./hosts/orion
+        impermanence.nixosModules.impermanence
+      ];
+    };
+  };
+}
--- a/hosts/luna/README.md
+++ b/hosts/luna/README.md
@ -0,0 +1,3 @@
+# Luna
+
+This is my primary server.
--- a/hosts/orion/README.md
+++ b/hosts/orion/README.md
@ -0,0 +1,2 @@
+# Orion
+This is my laptop and primary (and only) developer machine.
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -0,0 +1,9 @@
+{ config, lib, nixpkgs, ... }:
+
+{
+  imports = [
+    ./modules
+    ./os/filesystem.nix
+  ];
+  system.stateVersion = "23.11";
+}
--- a/hosts/orion/modules/audio.nix
+++ b/hosts/orion/modules/audio.nix
@ -0,0 +1,16 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    pulse.enable = true;
+    wireplumber.enable = true;
+    jack.enable = true;
+  };
+}
--- a/hosts/orion/modules/bluetooth.nix
+++ b/hosts/orion/modules/bluetooth.nix
@ -0,0 +1,30 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+  environment.systemPackages = with pkgs; [
+    bluez
+  ];
+
+  systemd.user.services.mpris-proxy = {
+    description = "Mpris proxy";
+    after = [ "network.target" "sound.target" ];
+    wantedBy = [ "default.target" ];
+    serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
+  };
+
+  security.polkit.extraConfig = ''
+    /* Allow users in wheel group to use blueman feature requiring root without authentication */
+    polkit.addRule(function(action, subject) {
+        if ((action.id == "org.blueman.network.setup" ||
+            action.id == "org.blueman.dhcp.client" ||
+            action.id == "org.blueman.rfkill.setstate" ||
+            action.id == "org.blueman.pppd.pppconnect") &&
+            subject.isInGroup("wheel")) {
+
+            return polkit.Result.YES;
+        }
+    });
+  '';
+}
--- a/hosts/orion/modules/default.nix
+++ b/hosts/orion/modules/default.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./audio.nix
+    ./bluetooth.nix
+    ./hardware.nix
+    ./networking.nix
+    ./nix.nix
+    ./power.nix
+    ./user.nix
+  ];
+}
--- a/hosts/orion/modules/hardware.nix
+++ b/hosts/orion/modules/hardware.nix
@ -0,0 +1,21 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+  # NOTE: Disable Nvidia GPU
+  boot.extraModprobeConfig = ''
+    blacklist nouveau
+    options nouveau iwlwifi power_save=1 modeset=0
+  '';
+  services.udev.extraRules = ''
+    # Remove NVIDIA USB xHCI Host Controller devices, if present
+    ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1"
+    # Remove NVIDIA USB Type-C UCSI devices, if present
+    ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{power/control}="auto", ATTR{remove}="1"
+    # Remove NVIDIA Audio devices, if present
+    ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1"
+    # Remove NVIDIA VGA/3D controller devices
+    ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
+  '';
+  boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
+
+}
--- a/hosts/orion/modules/networking.nix
+++ b/hosts/orion/modules/networking.nix
@ -0,0 +1,86 @@
+{ inputs, lib, pkgs, hostname, ... }:
+
+let
+  hostname = "orion";
+  networks_dhcp_use_dns = "no";
+  networks_dhcp = "yes";
+  networks_multicast_dns = "yes";
+  networks_ipv6_privacy = "yes";
+  networks_ipv6_accept_ra = "yes";
+  networks_network_config = {
+    DHCP = networks_dhcp;
+    MulticastDNS = networks_multicast_dns;
+    IPv6PrivacyExtensions = networks_ipv6_privacy;
+    IPv6AcceptRA = networks_ipv6_accept_ra;
+  };
+  resolved_nameservers = [
+    "198.180.150.12#rgnet-iad.anycast.uncensoreddns.org"
+    "2001:418:8006::12:853#rgnet-iad.anycast.uncensoreddns.org"
+    "194.242.2.2#dns.mullvad.net"
+    "2a07:e340::2:853#dns.mullvad.net"
+  ];
+  resolved_fallback_nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+in
+{
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-wlan" = {
+        matchConfig.Name = [ "wl*" ];
+        networkConfig = networks_network_config;
+        dhcpV4Config = {
+          RouteMetric = 600;
+          UseDNS = networks_dhcp_use_dns;
+        };
+        ipv6AcceptRAConfig = {
+          RouteMetric = 600;
+          UseDNS = networks_dhcp_use_dns;
+        };
+      };
+      "10-ethernet" = {
+        matchConfig.name = [ "en*" "eth*" ];
+        networkConfig = networks_network_config;
+        dhcpV4Config = {
+          RouteMetric = 100;
+          UseDNS = networks_dhcp_use_dns;
+        };
+        ipv6AcceptRAConfig = {
+          RouteMetric = 100;
+          UseDNS = networks_dhcp_use_dns;
+        };
+      };
+      "10-wwan" = {
+        matchConfig.name = [ "ww*" ];
+        networkConfig = networks_network_config;
+        dhcpV4Config = {
+          RouteMetric = 700;
+          UseDNS = networks_dhcp_use_dns;
+        };
+        ipv6AcceptRAConfig = {
+          RouteMetric = 700;
+          UseDNS = networks_dhcp_use_dns;
+        };
+      };
+
+    };
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = [ "~." ];
+    fallbackDns = resolved_fallback_nameservers;
+    llmnr = "true";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSOverTLS=yes
+      CacheFromLocalhost=no
+      Cache=yes
+    '';
+  };
+  networking = {
+    hostName = "${hostname}";
+    wireless.iwd.enable = true;
+  };
+
+}
--- a/hosts/orion/modules/nix.nix
+++ b/hosts/orion/modules/nix.nix
@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  nix = {
+    settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+      trusted-users = ["@wheel"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+  };
+}
--- a/hosts/orion/modules/power.nix
+++ b/hosts/orion/modules/power.nix
@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  powerManagement.enable = true;
+  powerManagement.powertop.enable = true;
+  services.thermald.enable = true;
+}
--- a/hosts/orion/modules/user.nix
+++ b/hosts/orion/modules/user.nix
@ -0,0 +1,37 @@
+{ pkgs, user, ... }:
+
+let
+ user = "price";
+in
+{
+  programs = {
+    zsh.enable = true;
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  users.users = {
+    root.initialPassword = "pass";
+    "${user}" = {
+      initialPassword = "pass";
+      shell = pkgs.zsh;
+      isNormalUser = true;
+      description = "${user}";
+      extraGroups = [
+        "wheel"
+        "docker"
+        "nix-users"
+        "libvirt"
+        "log"
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    ungoogled-chromium
+    wezterm
+    yamllint
+    stylua
+    eza
+  ];
+}
--- a/hosts/orion/os/filesystem.nix
+++ b/hosts/orion/os/filesystem.nix
@ -0,0 +1,84 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+      kernelModules = [ ];
+      luks.devices = {
+        "luksroot" = {
+          device = "/dev/disk/by-label/NixOS-Crypt";
+          allowDiscards = true;
+        };
+      };
+    };
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  swapDevices = [{ device = "/dev/disk/by-label/NixOS-Swap"; }];
+
+  fileSystems = {
+    "/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "noatime" "mode=755" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/NixOS-Boot";
+      fsType = "vfat";
+      options = [ "defaults" "noatime" ];
+      depends = [ "/" ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-label/NixOS-Primary";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-label/NixOS-Primary";
+      fsType = "btrfs";
+      options = [ "subvol=@home" "compress=zstd" "noatime" ];
+    };
+  };
+
+
+  environment.persistence = {
+    "/nix/persist" = {
+      hideMounts = true;
+      directories = [
+        "/var/lib"
+        "/var/log"
+        "/etc/nixos"
+      ];
+      files = [
+        "/etc/machine-id"
+        "/etc/nix/id_rsa"
+      ];
+      users.price = {
+        directories = [
+          "Git"
+          "ISOs"
+          "Downloads"
+          "Keep"
+          "Notes"
+          ".local/share"
+          { directory = ".gnupg"; mode = "0700"; }
+          { directory = ".ssh"; mode = "0700"; }
+        ];
+        files = [
+          ".zsh_history"
+        ];
+      };
+    };
+  };
+}
--- a/install.bash
+++ b/install.bash
@ -0,0 +1,82 @@
+#!/usr/env/bin bash
+
+set -euox pipefail
+
+export DISK="/dev/vda"
+export DISK_EXT="${DISK}"
+ # The size is large because I'd like to be able to hibernate my laptop in its entirety. I have 64 GB of ram.
+export SWAP_SIZE="32"
+export SWAP_OFFSET="$(( SWAP_SIZE + 1 ))"
+
+export LABEL_CRYPT_LUKS="NixOS-Crypt"
+export LABEL_SWAP="NixOS-Swap"
+export LABEL_BTRFS="NixOS-Primary"
+export LABEL_BOOT="NixOS-Boot"
+
+swapoff -a || true
+umount /mnt/**/* || true
+umount /mnt/* || true
+umount /mnt || true
+cryptsetup close enc || true
+dd if=/dev/zero of="${DISK}" bs=512 count=1024 || true
+
+### Partition The Disk
+parted "${DISK}" -- mklabel gpt
+# Boot partition
+parted -a optimal "${DISK}" -- mkpart ESP fat32 1MiB 1GiB
+parted "${DISK}" -- set 1 boot on
+mkfs.vfat "${DISK_EXT}1"
+fatlabel "${DISK_EXT}1" "${LABEL_BOOT}"
+# Swap Partition
+parted -a optimal "${DISK}" -- mkpart "${LABEL_SWAP}" linux-swap 1Gib "${SWAP_OFFSET}GB"
+mkswap -L "${LABEL_SWAP}" "${DISK_EXT}2"
+swapon "${DISK_EXT}2"
+# Nix Partition, where the OS will reside with our data
+parted -a optimal "${DISK}" -- mkpart "${LABEL_BTRFS}" "${SWAP_OFFSET}GiB" 100%
+
+### Encrypt
+cryptsetup --verify-passphrase -v luksFormat "${DISK_EXT}3"
+cryptsetup config "${DISK_EXT}3" --label "${LABEL_CRYPT_LUKS}"
+# Have to decrypt it so we can actually get other things setup
+export CRYPT_OPEN_NAME="enc"
+export CRYPT_PATH="/dev/mapper/${CRYPT_OPEN_NAME}"
+cryptsetup open "${DISK_EXT}3" "${CRYPT_OPEN_NAME}"
+
+### BTRFS Setup
+# Go ahead and make the unerypted BTRFS
+mkfs.btrfs -L "${LABEL_BTRFS}"  "${CRYPT_PATH}"
+
+# Mount it
+mount -t btrfs "${CRYPT_PATH}" /mnt
+
+# Create our subvolumes
+for subvol in "home" "nix"; do
+	btrfs subvolume create "/mnt/@${subvol}"
+done
+umount /mnt
+
+### Final Mountings
+# Mount tmpfs to mnt
+mount -t tmpfs -o mode=755 none /mnt
+
+# Create our directories
+mkdir /mnt/{"boot","nix","home"}
+# Mount our boot partition
+mount -t vfat -o defaults,noatime "${DISK_EXT}1" /mnt/boot
+
+# Mount our btrfs subvolumes individually with some btrfs options
+# NOTE: On high performance NVME SSDs with a beefy CPU it may be worth considering ZLO compression instead of ZSTD. In
+# many cases ZLO is more performant, especially when writing, than ZSTD while having a somewhat worse comrpession ratio.
+# WARN: ZLO *may* be a good solution, it can be VERY slow on incompressible data. Something to keep in mind.
+mount -t btrfs -o noatime,compress=zstd,subvol=@nix "${CRYPT_PATH}" /mnt/nix
+mount -t btrfs -o noatime,compress=zstd,subvol=@home "${CRYPT_PATH}" /mnt/home
+
+mkdir -p /mnt/nix/persist
+### Install NixOS
+# Gotta make sure current working tree isn't dirty for the flake
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+# Clone the flake into place
+git clone . /mnt/nix/persist/etc/nixos && cd /mnt/nix/persist/etc/nixos
+# Finally, actually install NixOS
+nixos-install --flake "git+file:.#orion"
+