diff --git a/hosts/dunamis/boot.nix b/hosts/dunamis/boot.nix
new file mode 100644
index 0000000..7ab401b
--- /dev/null
+++ b/hosts/dunamis/boot.nix
@@ -0,0 +1,55 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = with inputs; [
+ chaotic.nixosModules.default
+ ];
+ boot = {
+ # kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = pkgs.linuxPackages_cachyos;
+ kernelModules = ["kvm-amd"];
+ kernelParams = [
+ # "mitigations=auto"
+ # "spectre_v2=on"
+ # "spectre_v2_user=on"
+ # "spectre_bhi=on"
+ # "spec_store_bypass_disable=on"
+ # "tsx=off"
+ # "kvm.nx_huge_pages=force"
+ # "l1d_flush=on"
+ "amd_iommu=force_isolation"
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ "gather_data_sampling=force"
+ # "ia32_emulation=0"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ "lockdown=confidentiality"
+ "module.sig_enforce=1"
+ "page_alloc.shuffle=1"
+ "reg_file_data_sampling=on"
+ "spec_rstack_overflow=safe-ret"
+ "vsyscall=none"
+ ];
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+ kernelModules = ["i915"];
+ systemd.enable = true; # needed for auto-unlocking with TPM
+ };
+ loader.efi.canTouchEfiVariables = true;
+ loader.systemd-boot = {
+ enable = true;
+ consoleMode = "auto";
+ };
+ plymouth.enable = true;
+ };
+ console = {
+ earlySetup = true;
+ packages = [pkgs.terminus_font];
+ font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+ };
+}
diff --git a/hosts/dunamis/configuration.nix b/hosts/dunamis/configuration.nix
index c3fa924..7654ea6 100644
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
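Review bot: `lockdown=confidentiality` and `module.sig_enforce=1` in kernelParams only constrain the running kernel; as configured here (`loader.systemd-boot.enable = true` with no lanzaboote), nothing verifies the kernel or initrd on the ESP, so the lockdown defends against root-to-kernel escalation but not against an edited boot entry. hosts/eldrid/boot.nix in this same diff already gates systemd-boot on `config.boot.lanzaboote.enable`, so either reuse that pattern here or record the trade-off, e.g. `# lockdown without Secure Boot: hardens the running kernel only; ESP contents are unverified`. The eight commented-out mitigation parameters carry no explanation of why they are off, and `intel_iommu=on` next to `kernelModules = ["kvm-amd"]` is presumably inert on this host; a short comment on each would spare the next reader the archaeology.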
@@ -1,104 +1,39 @@
-{
- pkgs,
- config,
- inputs,
- ...
-}: {
+{inputs, ...}: {
 imports = with inputs; [
- chaotic.nixosModules.default
- lix.nixosModules.default
 self.nixosModules.desktop
 self.nixosModules.system
- ./hardware.nix
- ./programs.nix
- ./stylix.nix
- # ./stylix-light.nix
+ ./boot.nix
 ./disko.nix
- ./users.nix
+ ./hardware.nix
+ ./networking.nix
+ ./nix.nix
+ ./programs.nix
+ ./services.nix
 ./sops.nix
+ ./stylix.nix
+ ./users.nix
 ];
- desktop = {
- niri.enable = true;
- };
+ desktop.niri.enable = true;
- nix = {
- channel.enable = false;
- settings.experimental-features = ["nix-command" "flakes"];
- daemonCPUSchedPolicy = "idle";
- sshServe.enable = true;
- sshServe.write = true;
- sshServe.keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
- };
+ environment.memoryAllocator.provider = "mimalloc";
+
+ locale.ukrainian.enable = true;
+
+ opentabletdriver.enable = false;
+
+ qmk-vial.enable = true;
+
+ security.basic.enable = true;
 system.stateVersion = "25.05";
 time.timeZone = "Europe/Kyiv";
- locale.ukrainian.enable = true;
- networking = {
- networkmanager.enable = true;
- hostName = "dunamis";
+ virtual.libvirt.enable = true;
+
+ wireless = {
+ bluetooth.enable = true;
+ bluetooth.enableBlueman = true;
 };
-
- boot = {
- kernelPackages = pkgs.linuxPackages_cachyos;
- # kernelPackages = pkgs.linuxPackages_latest;
- plymouth.enable = true;
- loader.efi.canTouchEfiVariables = true;
- loader.systemd-boot = {
- enable = true;
- consoleMode = "auto";
- };
- };
-
- console = {
- earlySetup = true;
- packages = [pkgs.terminus_font];
- font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
- };
-
- environment.memoryAllocator.provider = "mimalloc";
-
- services = {
- # hardware.openrgb.enable = true;
- flatpak.enable = true;
- fstrim.enable = true;
- fwupd.enable = true;
- openssh.enable = true;
- syncthing.openDefaultPorts = true;
- dnscrypt-proxy2 = {
- enable = true;
- settings = {
- require_dnssec = true;
- server_names = ["mullvad-doh"];
- bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
- };
- };
- opensnitch = {
- enable = false;
- settings = {
- DefaultAaction = "deny";
- Firewall = "iptables";
- InterceptUnknown = true;
- ProcMonitorMethod = "ebpf";
- };
- };
- };
- services.scx = {
- enable = true;
- scheduler = "scx_flash";
- };
-
- security.basic.enable = true;
-
- virtual = {
- libvirt.enable = true;
- podman.enable = false;
- };
-
- wireless.bluetooth.enableBlueman = true;
-
- opentabletdriver.enable = false;
- qmk-vial.enable = true;
 }
diff --git a/hosts/dunamis/disko.nix b/hosts/dunamis/disko.nix
index b058942..d62611d 100644
--- a/hosts/dunamis/disko.nix
+++ b/hosts/dunamis/disko.nix
@@ -10,7 +10,7 @@
 };
 disko.devices.disk.main = {
 type = "disk";
- device = "/dev/nvme0n1";
+ device = "/dev/disk/by-id/nvme-eui.000000000000000100a075244b5d6185";
 content = {
 type = "gpt";
 partitions = {
@@ -26,6 +26,8 @@
 "fmask=0022"
 "dmask=0022"
 "noexec"
+ "nosuid"
+ "nodev"
 ];
 };
 };
@@ -33,7 +35,7 @@
 size = "100%";
 content = {
 type = "luks";
- name = "luks-fe586da4-b164-4362-bcdf-9c5dd6c69a2b";
+ name = "luks-main";
 initrdUnlock = true;
 settings.allowDiscards = true;
 content = {
diff --git a/hosts/dunamis/hardware.nix b/hosts/dunamis/hardware.nix
index e751efd..76cd780 100644
--- a/hosts/dunamis/hardware.nix
+++ b/hosts/dunamis/hardware.nix
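Review bot: Adding `nosuid` and `nodev` to the ESP mount options is right, but the `fmask=0022`/`dmask=0022` context lines just above leave the partition world-readable; systemd-boot keeps its random-seed file there and `bootctl` warns when that mount point is world accessible, and the kernel and initrd images become readable by any local user. Consider `"fmask=0077"` and `"dmask=0077"` alongside the new flags. The by-id device path and the `luks-main` rename in the neighbouring hunks look fine; the mapped-device rename only matters if something outside this diff still references the old `luks-fe586da4-…` name.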
@@ -9,50 +9,6 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- wireless.bluetooth.enable = true;
-
- services.logind = {
- lidSwitch = "ignore";
- powerKey = "suspend";
- };
-
- boot = {
- kernelModules = ["kvm-amd"];
- extraModulePackages = [];
- initrd = {
- systemd.enable = true; # needed for auto-unlocking with TPM
- availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
- kernelModules = [
- "i915"
- ];
- };
- };
- boot.kernelParams = [
- # "mitigations=auto"
- # "spectre_v2=on"
- # "spectre_v2_user=on"
- # "spectre_bhi=on"
- # "spec_store_bypass_disable=on"
- # "tsx=off"
- # "kvm.nx_huge_pages=force"
- # "l1d_flush=on"
- "amd_iommu=force_isolation"
- "debugfs=off"
- "efi=disable_early_pci_dma"
- "gather_data_sampling=force"
- # "ia32_emulation=0"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- "lockdown=confidentiality"
- "module.sig_enforce=1"
- "page_alloc.shuffle=1"
- "reg_file_data_sampling=on"
- "spec_rstack_overflow=safe-ret"
- "vsyscall=none"
- ];
-
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
diff --git a/hosts/dunamis/networking.nix b/hosts/dunamis/networking.nix
new file mode 100644
index 0000000..a7f313d
--- /dev/null
+++ b/hosts/dunamis/networking.nix
@@ -0,0 +1,6 @@
+{
+ networking = {
+ networkmanager.enable = true;
+ hostName = "dunamis";
+ };
+}
diff --git a/hosts/dunamis/nix.nix b/hosts/dunamis/nix.nix
new file mode 100644
index 0000000..488e915
--- /dev/null
+++ b/hosts/dunamis/nix.nix
@@ -0,0 +1,20 @@
+# TODO: better file name
+{
+ config,
+ inputs,
+ ...
+}: {
+ imports = with inputs; [
+ lix.nixosModules.default
+ ];
+ nix = {
+ channel.enable = false;
+ settings.experimental-features = ["nix-command" "flakes"];
+ daemonCPUSchedPolicy = "idle";
+ sshServe = {
+ enable = true;
+ write = true;
+ keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
+ };
+ };
+}
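Review bot: `sshServe.write = true` lets every key in `config.users.users.user.openssh.authorizedKeys.keyFiles` push arbitrary store paths to this host through the `nix-ssh` user, and nothing in the new hosts/dunamis/nix.nix says why that is wanted. It is presumably required for the remote-builder role that hosts/sarien/nix.nix sets up (`hostName = "dunamis"`, `sshUser = "nix-ssh"`), so a comment such as `# write = true: sarien uses this host as a remote builder (hosts/sarien/nix.nix)` would tie the two files together. The `# TODO: better file name` header is also the natural place to state that this file holds the nix daemon and builder settings.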
diff --git a/hosts/dunamis/services.nix b/hosts/dunamis/services.nix
new file mode 100644
index 0000000..5a7e2f8
--- /dev/null
+++ b/hosts/dunamis/services.nix
@@ -0,0 +1,35 @@
+{
+ services = {
+ # hardware.openrgb.enable = true;
+ flatpak.enable = true;
+ fstrim.enable = true;
+ fwupd.enable = true;
+ openssh.enable = true;
+ syncthing.openDefaultPorts = true;
+ dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ require_dnssec = true;
+ server_names = ["mullvad-doh"];
+ bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+ };
+ };
+ opensnitch = {
+ enable = false;
+ settings = {
+ DefaultAaction = "deny";
+ Firewall = "iptables";
+ InterceptUnknown = true;
+ ProcMonitorMethod = "ebpf";
+ };
+ };
+ scx = {
+ enable = true;
+ scheduler = "scx_flash";
+ };
+ logind = {
+ lidSwitch = "ignore";
+ powerKey = "suspend";
+ };
+ };
+}
diff --git a/hosts/dunamis/sops.nix b/hosts/dunamis/sops.nix
index cf39eb2..8c20272 100644
--- a/hosts/dunamis/sops.nix
+++ b/hosts/dunamis/sops.nix
@@ -1,8 +1,7 @@
 {inputs, ...}: let
- secretsPath = builtins.toString inputs.mysecrets;
 in {
- imports = [
- inputs.sops-nix.nixosModules.sops
+ imports = with inputs; [
+ sops-nix.nixosModules.sops
 ];
 sops = {
@@ -11,7 +10,7 @@ in {
 keyFile = "/var/lib/sops-nix/key.txt";
 generateKey = true;
 };
- defaultSopsFile = "${secretsPath}/secrets.yaml";
+ defaultSopsFile = "${toString inputs.mysecrets}/secrets.yaml";
 secrets = {
 "user-password-hashed".neededForUsers = true;
 "ssh-config" = {
diff --git a/hosts/dunamis/users.nix b/hosts/dunamis/users.nix
index 1218067..69188d0 100644
--- a/hosts/dunamis/users.nix
+++ b/hosts/dunamis/users.nix
@@ -5,7 +5,6 @@
 ...
 }: let
 sopSec = config.sops.secrets;
- secrets = inputs.mysecrets;
 in {
 nix.settings.trusted-users = [
 "user"
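Review bot: `DefaultAaction = "deny"` under `opensnitch.settings` in hosts/dunamis/services.nix is misspelled; the option is `DefaultAction`, and since the module presumably passes the settings through as JSON the extra key is ignored and the daemon would fall back to its built-in default action instead of denying. It is inert today because `opensnitch.enable = false`, but the move into its own file is the moment to fix it: `DefaultAction = "deny";`. The same block in the removed hosts/dunamis/configuration.nix hunk carried the typo, so this is pre-existing rather than introduced here.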
@@ -15,12 +14,12 @@ in {
 users.users = {
 user = {
 hashedPasswordFile = sopSec."user-password-hashed".path;
- isNormalUser = true;
 extraGroups = ["wheel" "video" "libvirtd" "dialout"];
+ isNormalUser = true;
 shell = pkgs.fish;
- openssh.authorizedKeys.keyFiles = [
- "${secrets}/ssh/id_ed25519_sarien_user.pub"
- "${secrets}/ssh/id_ed25519_eldrid_user.pub"
+ openssh.authorizedKeys.keyFiles = map (f: "${inputs.mysecrets}/ssh/" + f) [
+ "id_ed25519_sarien_user.pub"
+ "id_ed25519_eldrid_user.pub"
 ];
 };
 };
diff --git a/hosts/dunamis/users/user/flatpak.nix b/hosts/dunamis/users/user/flatpak.nix
index 1e06e06..d064ac5 100644
--- a/hosts/dunamis/users/user/flatpak.nix
+++ b/hosts/dunamis/users/user/flatpak.nix
@@ -18,37 +18,34 @@
 packages = [
 # misc
 "app.zen_browser.zen"
- "net.mullvad.MullvadBrowser"
 "io.github.ungoogled_software.ungoogled_chromium"
- "com.obsproject.Studio"
+ "net.mullvad.MullvadBrowser"
 "com.bitwarden.desktop"
 "com.github.tchx84.Flatseal"
+ "com.logseq.Logseq"
+ "com.obsproject.Studio"
+ "com.usebottles.bottles"
 "de.haeckerfelix.Fragments"
 "org.qbittorrent.qBittorrent"
- # "com.transmissionbt.Transmission"
- "com.usebottles.bottles"
- "com.logseq.Logseq"
- "org.octave.Octave"
-
 # chatting
- "org.signal.Signal"
 "im.riot.Riot"
- "org.telegram.desktop"
 "io.github.spacingbat3.webcord"
 "org.mozilla.Thunderbird"
+ "org.signal.Signal"
+ "org.telegram.desktop"
 # media
 "io.bassi.Amberol"
 "io.freetubeapp.FreeTube"
- #"io.github.celluloid_player.Celluloid"
 # "io.mpv.Mpv"
+ #"io.github.celluloid_player.Celluloid"
 # gaming
 #"com.github._0negal.Viper"
+ "com.heroicgameslauncher.hgl"
 "com.valvesoftware.Steam"
 "net.lutris.Lutris"
- "com.heroicgameslauncher.hgl"
 {
 appId = "org.unmojang.FjordLauncher";
 origin = "hero-persson";
@@ -62,14 +59,14 @@
 Context = {
 sockets = ["wayland" "!x11" "!fallback-x11"];
 filesystems = [
- "!host"
 "!home"
+ "!host"
 "!~/.ssh"
- "xdg-run/pipewire-0"
+ "/nix/store:ro"
 "xdg-config/gtk-3.0:ro"
 "xdg-config/gtk-4.0:ro"
+ "xdg-run/pipewire-0"
 "~/.local/share/icons:ro"
- "/nix/store:ro"
 ];
 };
 Environment = {
@@ -86,6 +83,16 @@
 "org.signal.Signal" = {
 Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
 };
+ "com.obsproject.Studio" = {
+ Context.filesystems = ["~/vids"];
+ };
+ "com.logseq.Logseq" = {
+ Context.filesystems = [
+ "~/docs/logseq"
+ "~/docs/nure/2025/logseq"
+ "~/syncthing/logseq"
+ ];
+ };
 "net.lutris.Lutris".Context = {
 sockets = ["x11" "wayland"];
 filesystems = ["/storage/games/lutris" "~/games/lutris"];
diff --git a/hosts/dunamis/users/user/home-configuration.nix b/hosts/dunamis/users/user/home-configuration.nix
index 128acc8..c6f10cd 100644
--- a/hosts/dunamis/users/user/home-configuration.nix
+++ b/hosts/dunamis/users/user/home-configuration.nix
@@ -1,4 +1,8 @@
-{inputs, ...}: {
+{
+ inputs,
+ osConfig,
+ ...
+}: {
 imports = with inputs; [
 nix-index-database.hmModules.nix-index
 self.homeModules.desktop
@@ -6,13 +10,10 @@
 ./programs.nix
 ./flatpak.nix
 ];
- desktop = {
- niri.enable = true;
- };
 home = {
- stateVersion = "25.05";
- sessionPath = [
- "$HOME/.local/bin"
- ];
+ stateVersion = osConfig.system.stateVersion;
+ sessionPath = ["$HOME/.local/bin"];
 };
+
+ desktop.niri.enable = true;
 }
diff --git a/hosts/dunamis/users/user/programs.nix b/hosts/dunamis/users/user/programs.nix
index f2429d8..a8e621b 100644
--- a/hosts/dunamis/users/user/programs.nix
+++ b/hosts/dunamis/users/user/programs.nix
@@ -49,7 +49,6 @@
 editor = {
 helix.enable = true;
- # zed.enable = true;
 };
 home.packages = with pkgs; [
diff --git a/hosts/eldrid/boot.nix b/hosts/eldrid/boot.nix
index 8c21e6e..388a21d 100644
--- a/hosts/eldrid/boot.nix
+++ b/hosts/eldrid/boot.nix
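Review bot: `stateVersion = osConfig.system.stateVersion;` in hosts/dunamis/users/user/home-configuration.nix couples home-manager's state version to the NixOS one; that is harmless today (both are "25.05" in this diff) but it means a later bump of `system.stateVersion` in configuration.nix silently changes home-manager's stateful defaults as well. hosts/eldrid/users/user/home-configuration.nix already does the same, so the two hosts are at least consistent. A short comment such as `# deliberately tracks system.stateVersion; bump both together` would make the coupling explicit for whoever next touches either file.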
@@ -10,12 +10,12 @@
 boot = {
 # kernelPackages = pkgs.linuxPackages_latest;
 kernelPackages = pkgs.linuxPackages_cachyos;
- plymouth.enable = true;
 loader.efi.canTouchEfiVariables = true;
 loader.systemd-boot = {
 enable = !config.boot.lanzaboote.enable;
 consoleMode = "auto";
 };
+ plymouth.enable = true;
 initrd = {
 availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "xe" "i915"];
 kernelModules = [];
diff --git a/hosts/eldrid/users/user/home-configuration.nix b/hosts/eldrid/users/user/home-configuration.nix
index 2296af1..c6f10cd 100644
--- a/hosts/eldrid/users/user/home-configuration.nix
+++ b/hosts/eldrid/users/user/home-configuration.nix
@@ -10,11 +10,10 @@
 ./programs.nix
 ./flatpak.nix
 ];
- desktop.niri.enable = true;
 home = {
 stateVersion = osConfig.system.stateVersion;
- sessionPath = [
- "$HOME/.local/bin"
- ];
+ sessionPath = ["$HOME/.local/bin"];
 };
+
+ desktop.niri.enable = true;
 }
diff --git a/hosts/sarien/boot.nix b/hosts/sarien/boot.nix
new file mode 100644
index 0000000..d3cafd1
--- /dev/null
+++ b/hosts/sarien/boot.nix
@@ -0,0 +1,31 @@
+{
+ pkgs,
+ config,
+ inputs,
+ ...
+}: {
+ imports = with inputs; [
+ chaotic.nixosModules.default
+ ];
+ boot = {
+ # kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = pkgs.linuxPackages_cachyos;
+ kernelModules = ["kvm-intel"];
+ kernelParams = [
+ "i915.enable_guc=2"
+ "i915.enable_fbc=1"
+ "i915.enable_psr=2"
+ ];
+ loader.efi.canTouchEfiVariables = true;
+ loader.systemd-boot = {
+ enable = true;
+ consoleMode = "auto";
+ };
+ plymouth.enable = true;
+ };
+ console = {
+ earlySetup = true;
+ packages = [pkgs.terminus_font];
+ font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+ };
+}
diff --git a/hosts/sarien/configuration.nix b/hosts/sarien/configuration.nix
index a51508d..4c5275b 100644
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
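Review bot: The new hosts/sarien/boot.nix does not carry over the `initrd` block that the hosts/sarien/hardware.nix hunk in this same diff removes (`availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"]` and `kernelModules = ["i915"]`), whereas hosts/dunamis/boot.nix keeps its initrd block. Unless a module outside this diff provides them, early KMS for plymouth and the SD-card reader module are lost and booting depends on NixOS's default initrd module list covering the root disk. The same hardware.nix hunk also drops `services.thermald.enable`, `services.upower.enable` and `powerManagement.powertop.enable` without re-adding them in hosts/sarien/services.nix. Separately, `config` is taken as a module argument here but never used in the file.
```nix
  boot = {
    # … unchanged: kernelPackages, kernelModules, kernelParams …
    initrd = {
      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"];
      kernelModules = ["i915"];
    };
    # … unchanged: loader, plymouth …
  };
```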
@@ -1,106 +1,38 @@
-# device-specific setup
-{
- pkgs,
- config,
- inputs,
- ...
-}: {
+{inputs, ...}: {
 imports = with inputs; [
- chaotic.nixosModules.default
- lix.nixosModules.default
 self.nixosModules.desktop
 self.nixosModules.system
- ./hardware.nix
- ./programs.nix
- ./stylix.nix
+ ./boot.nix
 ./disko.nix
- ./users.nix
+ ./hardware.nix
+ ./networking.nix
+ ./nix.nix
+ ./programs.nix
+ ./services.nix
 ./sops.nix
+ ./stylix.nix
+ ./users.nix
 ];
- desktop = {
- niri.enable = true;
- };
+ desktop.niri.enable = true;
- nix = {
- channel.enable = false;
- daemonCPUSchedPolicy = "idle";
- settings = {
- experimental-features = ["nix-command" "flakes"];
- builders-use-substitutes = true;
- };
- distributedBuilds = true;
- buildMachines = [
- {
- hostName = "dunamis";
- sshUser = "nix-ssh";
- system = "x86_64-linux";
- sshKey = config.sops.secrets."ssh-sarien-user".path;
- supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
- publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
- }
- ];
- };
+ locale.ukrainian.enable = true;
+
+ opentabletdriver.enable = false;
+
+ qmk-vial.enable = true;
+
+ security.basic.enable = true;
 system.stateVersion = "25.05";
 time.timeZone = "Europe/Kyiv";
- locale.ukrainian.enable = true;
- networking = {
- networkmanager.enable = true;
- hostName = "vylxae";
- hosts = {
- "192.168.1.42" = ["dunamis"];
- };
+ virtual.libvirt.enable = true;
+
+ wireless = {
+ wifi.enable = true;
+ bluetooth.enable = true;
+ bluetooth.enableBlueman = true;
 };
-
- boot = {
- # kernelPackages = pkgs.linuxPackages_latest;
- kernelPackages = pkgs.linuxPackages_cachyos;
- plymouth.enable = true;
- loader.efi.canTouchEfiVariables = true;
- loader.systemd-boot = {
- enable = true;
- consoleMode = "auto";
- };
- };
-
- console = {
- earlySetup = true;
- packages = [pkgs.terminus_font];
- font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
- };
-
- services = {
- power-profiles-daemon.enable = true;
- flatpak.enable = true;
- fstrim.enable = true;
- openssh.enable = true;
- syncthing.openDefaultPorts = true;
- dnscrypt-proxy2 = {
- enable = true;
- settings = {
- require_dnssec = true;
- server_names = ["mullvad-doh"];
- bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
- };
- };
- };
- services.scx = {
- enable = true;
- scheduler = "scx_flash";
- };
-
- security.basic.enable = true;
-
- virtual = {
- libvirt.enable = true;
- podman.enable = false;
- };
-
- wireless.bluetooth.enableBlueman = true;
-
- opentabletdriver.enable = false;
- qmk-vial.enable = true;
 }
diff --git a/hosts/sarien/hardware.nix b/hosts/sarien/hardware.nix
index 33eb600..deae072 100644
--- a/hosts/sarien/hardware.nix
+++ b/hosts/sarien/hardware.nix
@@ -8,37 +8,14 @@
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
-
- wireless = {
- wifi.enable = true;
- bluetooth.enable = true;
- };
-
 services.logind = {
 lidSwitch = "ignore";
 powerKey = "suspend";
 };
- boot = {
- kernelModules = ["kvm-intel"];
- kernelParams = [
- "i915.enable_guc=2"
- "i915.enable_fbc=1"
- "i915.enable_psr=2"
- ];
- initrd = {
- availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"];
- kernelModules = ["i915"];
- };
- };
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
- services.thermald.enable = true;
- services.upower.enable = true;
- powerManagement.powertop.enable = true;
-
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
diff --git a/hosts/sarien/networking.nix b/hosts/sarien/networking.nix
new file mode 100644
index 0000000..28fa79f
--- /dev/null
+++ b/hosts/sarien/networking.nix
@@ -0,0 +1,9 @@
+{
+ networking = {
+ networkmanager.enable = true;
+ hostName = "vylxae";
+ hosts = {
+ "192.168.1.42" = ["dunamis"];
+ };
+ };
+}
diff --git a/hosts/sarien/nix.nix b/hosts/sarien/nix.nix
new file mode 100644
index 0000000..e8bcb7d
--- /dev/null
+++ b/hosts/sarien/nix.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ inputs,
+ ...
+}: {
+ imports = with inputs; [
+ lix.nixosModules.default
+ ];
+ nix = {
+ channel.enable = false;
+ daemonCPUSchedPolicy = "idle";
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ builders-use-substitutes = true;
+ };
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "dunamis";
+ sshUser = "nix-ssh";
+ system = "x86_64-linux";
+ sshKey = config.sops.secrets."ssh-sarien-user".path;
+ supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
+ publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+ }
+ ];
+ };
+}
diff --git a/hosts/sarien/services.nix b/hosts/sarien/services.nix
new file mode 100644
index 0000000..7fa3eab
--- /dev/null
+++ b/hosts/sarien/services.nix
@@ -0,0 +1,21 @@
+{
+ services = {
+ flatpak.enable = true;
+ fstrim.enable = true;
+ openssh.enable = true;
+ power-profiles-daemon.enable = true;
+ syncthing.openDefaultPorts = true;
+ dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ require_dnssec = true;
+ server_names = ["mullvad-doh"];
+ bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+ };
+ };
+ scx = {
+ enable = true;
+ scheduler = "scx_flash";
+ };
+ };
+}
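Review bot: `publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64"` in hosts/sarien/nix.nix keeps whatever trailing newline the file carries, and that value presumably ends up as one field of the generated builder machines line, where an embedded newline would corrupt the entry; `lib.fileContents` strips it and is the safer idiom if `lib` is added to the module arguments. This block is moved from hosts/sarien/configuration.nix unchanged, so if remote builds already work the file is evidently newline-free today and this is only a robustness note.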