From 61671baedca6a3c6fc04123a0bed01f7a5c84850 Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Sun, 17 Sep 2023 03:40:50 -0500
Subject: [PATCH] initial commit
TODO: Modify `orion`'s filesystem file to be accurate to the laptop, not a VM
---
 README.md | 10 ++++
 flake.lock | 64 ++++++++++++++++++++++
 flake.nix | 22 ++++++++
 hosts/luna/README.md | 3 ++
 hosts/orion/README.md | 2 +
 hosts/orion/default.nix | 9 ++++
 hosts/orion/modules/audio.nix | 16 ++++++
 hosts/orion/modules/bluetooth.nix | 30 +++++++++++
 hosts/orion/modules/default.nix | 13 +++++
 hosts/orion/modules/hardware.nix | 21 ++++++++
 hosts/orion/modules/networking.nix | 86 ++++++++++++++++++++++++++++++
 hosts/orion/modules/nix.nix | 16 ++++++
 hosts/orion/modules/power.nix | 7 +++
 hosts/orion/modules/user.nix | 37 +++++++++++++
 hosts/orion/os/filesystem.nix | 84 +++++++++++++++++++++++++++++
 install.bash | 82 ++++++++++++++++++++++++++++
 16 files changed, 502 insertions(+)
 create mode 100644 README.md
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 hosts/luna/README.md
 create mode 100644 hosts/orion/README.md
 create mode 100644 hosts/orion/default.nix
 create mode 100644 hosts/orion/modules/audio.nix
 create mode 100644 hosts/orion/modules/bluetooth.nix
 create mode 100644 hosts/orion/modules/default.nix
 create mode 100644 hosts/orion/modules/hardware.nix
 create mode 100644 hosts/orion/modules/networking.nix
 create mode 100644 hosts/orion/modules/nix.nix
 create mode 100644 hosts/orion/modules/power.nix
 create mode 100644 hosts/orion/modules/user.nix
 create mode 100644 hosts/orion/os/filesystem.nix
 create mode 100644 install.bash
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..df0a896
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# Commands
+
+```bash
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+ git clone . /mnt/etc/nixos
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+ nixos-generate-config --root /mnt --dir /mnt/persist/etc/nixos/hosts/orion/os;
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+ nixos-install --flake "git+file:.#orion"
+``
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..7daa480
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,64 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1694069327, + "narHash": "sha256-Si2otUNjCe8kY5nsV7tILi4PsI0odBFrdSu8cCjn/eQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "7bee8de8e6755506c70323b864a884f9624cc23a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1690797372, + "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1693985761, + "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "impermanence": "impermanence", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..0bff675
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,22 @@
+{
+ description = "Price Hiller's flake for managing system configurations";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ impermanence.url = "github:nix-community/impermanence";
+ };
+
+ outputs = inputs @ { self, nixpkgs, impermanence, ... }: rec {
+ imports = [
+ ./configuration.nix
+ ];
+ nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = inputs;
+ modules = [
+ ./hosts/orion
+ impermanence.nixosModules.impermanence
+ ];
+ };
+ };
+}
diff --git a/hosts/luna/README.md b/hosts/luna/README.md
new file mode 100644
index 0000000..52e872b
--- /dev/null
+++ b/hosts/luna/README.md
@@ -0,0 +1,3 @@
+# Luna
+
+This is my primary server.
diff --git a/hosts/orion/README.md b/hosts/orion/README.md
new file mode 100644
index 0000000..fa2f30a
--- /dev/null
+++ b/hosts/orion/README.md
@@ -0,0 +1,2 @@
+# Orion
+This is my laptop and primary (and only) developer machine.
diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
new file mode 100644
index 0000000..da8cde7
--- /dev/null
+++ b/hosts/orion/default.nix
@@ -0,0 +1,9 @@
+{ config, lib, nixpkgs, ... }:
+
+{
+ imports = [
+ ./modules
+ ./os/filesystem.nix
+ ];
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/orion/modules/audio.nix b/hosts/orion/modules/audio.nix
new file mode 100644
index 0000000..a789e7d
--- /dev/null
+++ b/hosts/orion/modules/audio.nix
@@ -0,0 +1,16 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ wireplumber.enable = true;
+ jack.enable = true;
+ };
+}
diff --git a/hosts/orion/modules/bluetooth.nix b/hosts/orion/modules/bluetooth.nix
new file mode 100644
index 0000000..1dd475b
--- /dev/null
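Review bot: `imports = [ ./configuration.nix ];` inside `outputs` of flake.nix is not a flake output, and `configuration.nix` is not part of this commit, so the attribute is dead (it only survives evaluation because the path is never forced) and the `rec` exists only to support it; dropping those three lines and the `rec` leaves `outputs` with just `nixosConfigurations.orion`. The accompanying flake.lock also records a `disko` input that the `inputs` set here never declares, so the lock is stale relative to this file and will be rewritten on the next `nix flake lock`; either declare the input or regenerate the lock so the two agree.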
+++ b/hosts/orion/modules/bluetooth.nix
@@ -0,0 +1,30 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+ environment.systemPackages = with pkgs; [
+ bluez
+ ];
+
+ systemd.user.services.mpris-proxy = {
+ description = "Mpris proxy";
+ after = [ "network.target" "sound.target" ];
+ wantedBy = [ "default.target" ];
+ serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
+ };
+
+ security.polkit.extraConfig = ''
+ /* Allow users in wheel group to use blueman feature requiring root without authentication */
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.blueman.network.setup" ||
+ action.id == "org.blueman.dhcp.client" ||
+ action.id == "org.blueman.rfkill.setstate" ||
+ action.id == "org.blueman.pppd.pppconnect") &&
+ subject.isInGroup("wheel")) {
+
+ return polkit.Result.YES;
+ }
+ });
+ '';
+}
diff --git a/hosts/orion/modules/default.nix b/hosts/orion/modules/default.nix
new file mode 100644
index 0000000..4d7e0b2
--- /dev/null
+++ b/hosts/orion/modules/default.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ./audio.nix
+ ./bluetooth.nix
+ ./hardware.nix
+ ./networking.nix
+ ./nix.nix
+ ./power.nix
+ ./user.nix
+ ];
+}
diff --git a/hosts/orion/modules/hardware.nix b/hosts/orion/modules/hardware.nix
new file mode 100644
index 0000000..74be2bb
--- /dev/null
+++ b/hosts/orion/modules/hardware.nix
@@ -0,0 +1,21 @@
+{ inputs, lib, pkgs, ... }:
+
+{
+ # NOTE: Disable Nvidia GPU
+ boot.extraModprobeConfig = ''
+ blacklist nouveau
+ options nouveau iwlwifi power_save=1 modeset=0
+ '';
+ services.udev.extraRules = ''
+ # Remove NVIDIA USB xHCI Host Controller devices, if present
+ ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1"
+ # Remove NVIDIA USB Type-C UCSI devices, if present
+ ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{power/control}="auto", ATTR{remove}="1"
+ # Remove NVIDIA Audio devices, if present
+ ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1"
+ # Remove NVIDIA VGA/3D controller devices
+ ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
+ '';
+ boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
+
+}
diff --git a/hosts/orion/modules/networking.nix b/hosts/orion/modules/networking.nix
new file mode 100644
index 0000000..2ab00ba
--- /dev/null
+++ b/hosts/orion/modules/networking.nix
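Review bot: The modprobe line `options nouveau iwlwifi power_save=1 modeset=0` in `boot.extraModprobeConfig` hands every token after the module name to `nouveau`, so the `iwlwifi` power-save setting this line appears to intend is never applied; it is instead passed as a meaningless `iwlwifi` option to a module that is blacklisted anyway. Split it into two lines, `options nouveau modeset=0` and `options iwlwifi power_save=1`. `blacklist nouveau` also duplicates the `boot.blacklistedKernelModules` entry below; harmless, but a one-line comment naming which of the two is authoritative would save the next reader the question.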
@@ -0,0 +1,86 @@
+{ inputs, lib, pkgs, hostname, ... }:
+
+let
+ hostname = "orion";
+ networks_dhcp_use_dns = "no";
+ networks_dhcp = "yes";
+ networks_multicast_dns = "yes";
+ networks_ipv6_privacy = "yes";
+ networks_ipv6_accept_ra = "yes";
+ networks_network_config = {
+ DHCP = networks_dhcp;
+ MulticastDNS = networks_multicast_dns;
+ IPv6PrivacyExtensions = networks_ipv6_privacy;
+ IPv6AcceptRA = networks_ipv6_accept_ra;
+ };
+ resolved_nameservers = [
+ "198.180.150.12#rgnet-iad.anycast.uncensoreddns.org"
+ "2001:418:8006::12:853#rgnet-iad.anycast.uncensoreddns.org"
+ "194.242.2.2#dns.mullvad.net"
+ "2a07:e340::2:853#dns.mullvad.net"
+ ];
+ resolved_fallback_nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+in
+{
+ systemd.network = {
+ enable = true;
+ networks = {
+ "10-wlan" = {
+ matchConfig.Name = [ "wl*" ];
+ networkConfig = networks_network_config;
+ dhcpV4Config = {
+ RouteMetric = 600;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ ipv6AcceptRAConfig = {
+ RouteMetric = 600;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ };
+ "10-ethernet" = {
+ matchConfig.name = [ "en*" "eth*" ];
+ networkConfig = networks_network_config;
+ dhcpV4Config = {
+ RouteMetric = 100;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ ipv6AcceptRAConfig = {
+ RouteMetric = 100;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ };
+ "10-wwan" = {
+ matchConfig.name = [ "ww*" ];
+ networkConfig = networks_network_config;
+ dhcpV4Config = {
+ RouteMetric = 700;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ ipv6AcceptRAConfig = {
+ RouteMetric = 700;
+ UseDNS = networks_dhcp_use_dns;
+ };
+ };
+
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = resolved_fallback_nameservers;
+ llmnr = "true";
+ extraConfig = ''
+ MulticastDNS=yes
+ DNSOverTLS=yes
+ CacheFromLocalhost=no
+ Cache=yes
+ '';
+ };
+ networking = {
+ hostName = "${hostname}";
+ wireless.iwd.enable = true;
+ };
+
+}
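Review bot: `matchConfig.name` in the `10-ethernet` and `10-wwan` units uses a lowercase key where systemd expects `Name=` (unit keys are case-sensitive; `10-wlan` above has it right), so NixOS's `[Match]` key check will most likely reject the build, and if it did not, an effectively empty `[Match]` would apply those units to every interface; change both to `matchConfig.Name`. `resolved_nameservers` is defined but never used: with `UseDNS = "no"` on every link and `domains = [ "~." ]`, resolved has no upstream except the `1.1.1.1`/`1.0.0.1` fallbacks, so the DNS-over-TLS servers the list names are never queried. `networking.nameservers = resolved_nameservers;` inside the `networking` block is what feeds resolved's `DNS=`. The `hostname` module argument is shadowed by the `let` binding of the same name, which is legal but easy to misread; dropping it from the argument set removes the ambiguity.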
diff --git a/hosts/orion/modules/nix.nix b/hosts/orion/modules/nix.nix
new file mode 100644
index 0000000..edf6fa7
--- /dev/null
+++ b/hosts/orion/modules/nix.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+ nix = {
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ auto-optimise-store = true;
+ trusted-users = ["@wheel"];
+ };
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ };
+}
diff --git a/hosts/orion/modules/power.nix b/hosts/orion/modules/power.nix
new file mode 100644
index 0000000..9b0522a
--- /dev/null
+++ b/hosts/orion/modules/power.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ powerManagement.enable = true;
+ powerManagement.powertop.enable = true;
+ services.thermald.enable = true;
+}
diff --git a/hosts/orion/modules/user.nix b/hosts/orion/modules/user.nix
new file mode 100644
index 0000000..1b69a50
--- /dev/null
+++ b/hosts/orion/modules/user.nix
@@ -0,0 +1,37 @@
+{ pkgs, user, ... }:
+
+let
+ user = "price";
+in
+{
+ programs = {
+ zsh.enable = true;
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ users.users = {
+ root.initialPassword = "pass";
+ "${user}" = {
+ initialPassword = "pass";
+ shell = pkgs.zsh;
+ isNormalUser = true;
+ description = "${user}";
+ extraGroups = [
+ "wheel"
+ "docker"
+ "nix-users"
+ "libvirt"
+ "log"
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ ungoogled-chromium
+ wezterm
+ yamllint
+ stylua
+ eza
+ ];
+}
diff --git a/hosts/orion/os/filesystem.nix b/hosts/orion/os/filesystem.nix
new file mode 100644
index 0000000..f87fce4
--- /dev/null
+++ b/hosts/orion/os/filesystem.nix
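Review bot: `trusted-users = ["@wheel"]` in nix.nix deserves a comment, because trusted users may pass arbitrary options to the daemon (extra substituters and their keys, disabling the sandbox) and are therefore root-equivalent with respect to the store; it is reasonable here only because wheel members already hold sudo, and that rationale should sit next to the setting. Suggested comment above the line: `# wheel members are already sudoers; this grants them root-equivalent control of the nix daemon (substituters, sandbox).`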
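Review bot: `initialPassword = "pass"` for both `root` and `"${user}"` in user.nix commits a plaintext credential to the repository and to the world-readable nix store; it only takes effect when the account is first created, but nothing here forces a change afterwards. A `hashedPassword` (mkpasswd output) or a `passwordFile` under the persisted `/nix/persist` tree avoids the plaintext, and if the throwaway initial password is kept on purpose a comment should say it must be rotated at first login. `"docker"` in `extraGroups` is root-equivalent wherever the docker socket exists, and no module in this commit enables docker or libvirt, so the list is granting more than the host provisions; trimming it to groups that actually exist on the machine is cleaner. The `user` module argument is shadowed by the `let` binding, the same pattern as `hostname` in networking.nix.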
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+ kernelModules = [ ];
+ luks.devices = {
+ "luksroot" = {
+ device = "/dev/disk/by-label/NixOS-Crypt";
+ allowDiscards = true;
+ };
+ };
+ };
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+
+ swapDevices = [{ device = "/dev/disk/by-label/NixOS-Swap"; }];
+
+ fileSystems = {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "defaults" "noatime" "mode=755" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/NixOS-Boot";
+ fsType = "vfat";
+ options = [ "defaults" "noatime" ];
+ depends = [ "/" ];
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-label/NixOS-Primary";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/NixOS-Primary";
+ fsType = "btrfs";
+ options = [ "subvol=@home" "compress=zstd" "noatime" ];
+ };
+ };
+
+
+ environment.persistence = {
+ "/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib"
+ "/var/log"
+ "/etc/nixos"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ ];
+ users.price = {
+ directories = [
+ "Git"
+ "ISOs"
+ "Downloads"
+ "Keep"
+ "Notes"
+ ".local/share"
+ { directory = ".gnupg"; mode = "0700"; }
+ { directory = ".ssh"; mode = "0700"; }
+ ];
+ files = [
+ ".zsh_history"
+ ];
+ };
+ };
+ };
+}
diff --git a/install.bash b/install.bash
new file mode 100644
index 0000000..d789002
--- /dev/null
+++ b/install.bash
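Review bot: The `"/boot"` entry mounts the unencrypted ESP with `options = [ "defaults" "noatime" ];`, which on vfat leaves the kernel, initrd and boot entries readable by every local user; adding `"umask=0077"` to that list keeps them root-only, which is worth doing on a host where everything else sits behind LUKS. `users.price` under `environment.persistence` hard-codes the account name that user.nix derives from a `user` binding, so renaming the user will silently drop the whole home-directory persistence list; deriving the name from one shared place avoids that. The qemu-guest profile and virtio modules are already covered by the commit's TODO, so nothing to add there.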
@@ -0,0 +1,82 @@
+#!/usr/env/bin bash
+
+set -euox pipefail
+
+export DISK="/dev/vda"
+export DISK_EXT="${DISK}"
+ # The size is large because I'd like to be able to hibernate my laptop in its entirety. I have 64 GB of ram.
+export SWAP_SIZE="32"
+export SWAP_OFFSET="$(( SWAP_SIZE + 1 ))"
+
+export LABEL_CRYPT_LUKS="NixOS-Crypt"
+export LABEL_SWAP="NixOS-Swap"
+export LABEL_BTRFS="NixOS-Primary"
+export LABEL_BOOT="NixOS-Boot"
+
+swapoff -a || true
+umount /mnt/**/* || true
+umount /mnt/* || true
+umount /mnt || true
+cryptsetup close enc || true
+dd if=/dev/zero of="${DISK}" bs=512 count=1024 || true
+
+### Partition The Disk
+parted "${DISK}" -- mklabel gpt
+# Boot partition
+parted -a optimal "${DISK}" -- mkpart ESP fat32 1MiB 1GiB
+parted "${DISK}" -- set 1 boot on
+mkfs.vfat "${DISK_EXT}1"
+fatlabel "${DISK_EXT}1" "${LABEL_BOOT}"
+# Swap Partition
+parted -a optimal "${DISK}" -- mkpart "${LABEL_SWAP}" linux-swap 1Gib "${SWAP_OFFSET}GB"
+mkswap -L "${LABEL_SWAP}" "${DISK_EXT}2"
+swapon "${DISK_EXT}2"
+# Nix Partition, where the OS will reside with our data
+parted -a optimal "${DISK}" -- mkpart "${LABEL_BTRFS}" "${SWAP_OFFSET}GiB" 100%
+
+### Encrypt
+cryptsetup --verify-passphrase -v luksFormat "${DISK_EXT}3"
+cryptsetup config "${DISK_EXT}3" --label "${LABEL_CRYPT_LUKS}"
+# Have to decrypt it so we can actually get other things setup
+export CRYPT_OPEN_NAME="enc"
+export CRYPT_PATH="/dev/mapper/${CRYPT_OPEN_NAME}"
+cryptsetup open "${DISK_EXT}3" "${CRYPT_OPEN_NAME}"
+
+### BTRFS Setup
+# Go ahead and make the unerypted BTRFS
+mkfs.btrfs -L "${LABEL_BTRFS}" "${CRYPT_PATH}"
+
+# Mount it
+mount -t btrfs "${CRYPT_PATH}" /mnt
+
+# Create our subvolumes
+for subvol in "home" "nix"; do
+ btrfs subvolume create "/mnt/@${subvol}"
+done
+umount /mnt
+
+### Final Mountings
+# Mount tmpfs to mnt
+mount -t tmpfs -o mode=755 none /mnt
+
+# Create our directories
+mkdir /mnt/{"boot","nix","home"}
+# Mount our boot partition
+mount -t vfat -o defaults,noatime "${DISK_EXT}1" 
/mnt/boot
+
+# Mount our btrfs subvolumes individually with some btrfs options
+# NOTE: On high performance NVME SSDs with a beefy CPU it may be worth considering ZLO compression instead of ZSTD. In
+# many cases ZLO is more performant, especially when writing, than ZSTD while having a somewhat worse comrpession ratio.
+# WARN: ZLO *may* be a good solution, it can be VERY slow on incompressible data. Something to keep in mind.
+mount -t btrfs -o noatime,compress=zstd,subvol=@nix "${CRYPT_PATH}" /mnt/nix
+mount -t btrfs -o noatime,compress=zstd,subvol=@home "${CRYPT_PATH}" /mnt/home
+
+mkdir -p /mnt/nix/persist
+### Install NixOS
+# Gotta make sure current working tree isn't dirty for the flake
+git config --global user.email "m@m.com"; git config --global user.name "name"; git add .; git commit -m "Shit" >/dev/null 2>&1; \
+# Clone the flake into place
+git clone . /mnt/nix/persist/etc/nixos && cd /mnt/nix/persist/etc/nixos
+# Finally, actually install NixOS
+nixos-install --flake "git+file:.#orion"
+
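Review bot: The shebang on the first line of install.bash, `#!/usr/env/bin bash`, names a path that does not exist, so the script only runs when invoked as `bash install.bash`; it should read `#!/usr/bin/env bash`. The swap and btrfs partitions also disagree on units: the swap `mkpart` ends at `"${SWAP_OFFSET}GB"` while the btrfs `mkpart` starts at `"${SWAP_OFFSET}GiB"`, which leaves roughly two GiB unallocated between them (and `1Gib` is presumably meant as `1GiB`); using `GiB` on both lines closes the gap. Under `set -e` the `git commit` near the end aborts the script whenever the tree is already clean, because the redirect hides the message but not the non-zero status, and the trailing `; \` only joins the following comment line onto it; `git diff --cached --quiet || git commit -m "Shit" >/dev/null 2>&1` after the `git add .` keeps the run going. Since the script zeroes the start of `${DISK}` unconditionally with `dd` before partitioning, printing the target device and waiting for confirmation just before that line is a cheap guard against running it on the wrong machine, and `umount /mnt/**/*` only recurses with `shopt -s globstar` set.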