do the same for two other hosts

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-03-28 18:22:51 +02:00
parent b7f95a14c3
commit 2745bd1e35
20 changed files with 297 additions and 286 deletions

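--- a/hosts/dunamis/boot.nix
+++ b/hosts/dunamis/boot.nix
@@ -0,0 +1,55 @@
+{
+pkgs,
+inputs,
+...
+}: {
+imports = with inputs; [
+chaotic.nixosModules.default
+];
+boot = {
+# kernelPackages = pkgs.linuxPackages_latest;
+kernelPackages = pkgs.linuxPackages_cachyos;
+kernelModules = ["kvm-amd"];
+kernelParams = [
+# "mitigations=auto"
+# "spectre_v2=on"
+# "spectre_v2_user=on"
+# "spectre_bhi=on"
+# "spec_store_bypass_disable=on"
+# "tsx=off"
+# "kvm.nx_huge_pages=force"
+# "l1d_flush=on"
+"amd_iommu=force_isolation"
+"debugfs=off"
+"efi=disable_early_pci_dma"
+"gather_data_sampling=force"
+# "ia32_emulation=0"
+"intel_iommu=on"
+"iommu.passthrough=0"
+"iommu.strict=1"
+"iommu=force"
+"lockdown=confidentiality"
+"module.sig_enforce=1"
+"page_alloc.shuffle=1"
+"reg_file_data_sampling=on"
+"spec_rstack_overflow=safe-ret"
+"vsyscall=none"
+];
+initrd = {
+availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+kernelModules = ["i915"];
+systemd.enable = true; # needed for auto-unlocking with TPM
+};
+loader.efi.canTouchEfiVariables = true;
+loader.systemd-boot = {
+enable = true;
+consoleMode = "auto";
+};
+plymouth.enable = true;
+};
+console = {
+earlySetup = true;
+packages = [pkgs.terminus_font];
+font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+};
+}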
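Review bot: The `lockdown=confidentiality` and `module.sig_enforce=1` entries in kernelParams can be edited away at the boot menu, because this file sets neither Secure Boot nor `boot.loader.systemd-boot.editor`, which NixOS leaves enabled by default; add `editor = false;` next to `consoleMode = "auto";` in the `loader.systemd-boot` block. The same applies to the new hosts/sarien/boot.nix, which also leaves the editor at its default. The commented-out parameters (`mitigations=auto` through `ia32_emulation=0`) record no reason for being disabled; a comment such as `# disabled: <reason>, re-check on kernel bump` above the list would keep it maintainable. `intel_iommu=on` next to `kvm-amd` and `amd_iommu=force_isolation` reads like a carry-over from an Intel host — harmless as far as I can tell, but worth a one-line comment if intentional.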


@ -1,104 +1,39 @@
{ {inputs, ...}: {
pkgs,
config,
inputs,
...
}: {
imports = with inputs; [ imports = with inputs; [
chaotic.nixosModules.default
lix.nixosModules.default
self.nixosModules.desktop self.nixosModules.desktop
self.nixosModules.system self.nixosModules.system
./hardware.nix ./boot.nix
./programs.nix
./stylix.nix
# ./stylix-light.nix
./disko.nix ./disko.nix
./users.nix ./hardware.nix
./networking.nix
./nix.nix
./programs.nix
./services.nix
./sops.nix ./sops.nix
./stylix.nix
./users.nix
]; ];
desktop = { desktop.niri.enable = true;
niri.enable = true;
};
nix = { environment.memoryAllocator.provider = "mimalloc";
channel.enable = false;
settings.experimental-features = ["nix-command" "flakes"]; locale.ukrainian.enable = true;
daemonCPUSchedPolicy = "idle";
sshServe.enable = true; opentabletdriver.enable = false;
sshServe.write = true;
sshServe.keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles; qmk-vial.enable = true;
};
security.basic.enable = true;
system.stateVersion = "25.05"; system.stateVersion = "25.05";
time.timeZone = "Europe/Kyiv"; time.timeZone = "Europe/Kyiv";
locale.ukrainian.enable = true;
networking = { virtual.libvirt.enable = true;
networkmanager.enable = true;
hostName = "dunamis";
};
boot = { wireless = {
kernelPackages = pkgs.linuxPackages_cachyos; bluetooth.enable = true;
# kernelPackages = pkgs.linuxPackages_latest; bluetooth.enableBlueman = true;
plymouth.enable = true;
loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = {
enable = true;
consoleMode = "auto";
}; };
};
console = {
earlySetup = true;
packages = [pkgs.terminus_font];
font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
};
environment.memoryAllocator.provider = "mimalloc";
services = {
# hardware.openrgb.enable = true;
flatpak.enable = true;
fstrim.enable = true;
fwupd.enable = true;
openssh.enable = true;
syncthing.openDefaultPorts = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
server_names = ["mullvad-doh"];
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
};
};
opensnitch = {
enable = false;
settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
};
};
services.scx = {
enable = true;
scheduler = "scx_flash";
};
security.basic.enable = true;
virtual = {
libvirt.enable = true;
podman.enable = false;
};
wireless.bluetooth.enableBlueman = true;
opentabletdriver.enable = false;
qmk-vial.enable = true;
} }


@ -10,7 +10,7 @@
}; };
disko.devices.disk.main = { disko.devices.disk.main = {
type = "disk"; type = "disk";
device = "/dev/nvme0n1"; device = "/dev/disk/by-id/nvme-eui.000000000000000100a075244b5d6185";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -26,6 +26,8 @@
"fmask=0022" "fmask=0022"
"dmask=0022" "dmask=0022"
"noexec" "noexec"
"nosuid"
"nodev"
]; ];
}; };
}; };
@ -33,7 +35,7 @@
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "luks-fe586da4-b164-4362-bcdf-9c5dd6c69a2b"; name = "luks-main";
initrdUnlock = true; initrdUnlock = true;
settings.allowDiscards = true; settings.allowDiscards = true;
content = { content = {
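Review bot: The ESP mount options gain `nosuid` and `nodev` but keep `fmask=0022`/`dmask=0022` on the two context lines above them, which leaves every file on the ESP world-readable — including the `loader/random-seed` file systemd-boot maintains there, if present, whose value should not be readable by unprivileged users; `"fmask=0077"` and `"dmask=0077"` are what recent nixos-generate-config emits for this reason. The LUKS mapper rename from `luks-fe586da4-…` to `luks-main` only takes effect on a fresh disko run; on an already installed host anything outside disko that named the old mapper (a resume device, a hand-written crypttab entry) would need updating — can't tell from this hunk whether such references exist.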


@ -9,50 +9,6 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
wireless.bluetooth.enable = true;
services.logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
boot = {
kernelModules = ["kvm-amd"];
extraModulePackages = [];
initrd = {
systemd.enable = true; # needed for auto-unlocking with TPM
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
kernelModules = [
"i915"
];
};
};
boot.kernelParams = [
# "mitigations=auto"
# "spectre_v2=on"
# "spectre_v2_user=on"
# "spectre_bhi=on"
# "spec_store_bypass_disable=on"
# "tsx=off"
# "kvm.nx_huge_pages=force"
# "l1d_flush=on"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
# "ia32_emulation=0"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
"lockdown=confidentiality"
"module.sig_enforce=1"
"page_alloc.shuffle=1"
"reg_file_data_sampling=on"
"spec_rstack_overflow=safe-ret"
"vsyscall=none"
];
hardware.graphics = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [


@ -0,0 +1,6 @@
{
networking = {
networkmanager.enable = true;
hostName = "dunamis";
};
}

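--- a/hosts/dunamis/nix.nix
+++ b/hosts/dunamis/nix.nix
@@ -0,0 +1,20 @@
+# TODO: better file name
+{
+config,
+inputs,
+...
+}: {
+imports = with inputs; [
+lix.nixosModules.default
+];
+nix = {
+channel.enable = false;
+settings.experimental-features = ["nix-command" "flakes"];
+daemonCPUSchedPolicy = "idle";
+sshServe = {
+enable = true;
+write = true;
+keys = map (f: builtins.readFile f) config.users.users.user.openssh.authorizedKeys.keyFiles;
+};
+};
+}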
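Review bot: `sshServe.write = true` combined with `keys = … config.users.users.user.openssh.authorizedKeys.keyFiles` means every key that can log in as the interactive (wheel) user can also push store paths over SSH as `nix-ssh`; a dedicated key list for `sshServe.keys`, e.g. `keys = [ (builtins.readFile "${inputs.mysecrets}/ssh/<builder-key>.pub") ];` with a placeholder for the real file name, keeps the builder role separable from interactive login. The NixOS option text for `nix.sshServe.write` notes that `nix-ssh` is not a trusted user and usually has to be added to `nix.settings.trusted-users` for remote builds; the trusted-users list lives in users.nix and is cut off in this commit, so I can't tell whether that is already done. The `# TODO: better file name` comment would be more useful as `# Nix daemon and remote-build server (nix.sshServe) settings` so the next reader knows what the file is for even before it is renamed.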


@ -0,0 +1,35 @@
{
services = {
# hardware.openrgb.enable = true;
flatpak.enable = true;
fstrim.enable = true;
fwupd.enable = true;
openssh.enable = true;
syncthing.openDefaultPorts = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
server_names = ["mullvad-doh"];
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
};
};
opensnitch = {
enable = false;
settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
};
scx = {
enable = true;
scheduler = "scx_flash";
};
logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
};
}
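Review bot: The opensnitch settings key `DefaultAaction = "deny"` is misspelled — the daemon's key is `DefaultAction` — so if `opensnitch.enable` is ever switched to true the deny-by-default intent is either rejected at evaluation or silently ignored, depending on whether the settings option is freeform; change it to `DefaultAction = "deny";`. The same misspelling sits in the block removed from hosts/dunamis/default.nix, so the typo predates this commit and was only moved. `syncthing.openDefaultPorts = true` opens firewall ports while no `syncthing.enable` is visible in this file; a comment naming where syncthing is actually enabled (presumably the `self.nixosModules.desktop` or `system` module) would make the port opening easier to audit.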


@ -1,8 +1,7 @@
{inputs, ...}: let {inputs, ...}: let
secretsPath = builtins.toString inputs.mysecrets;
in { in {
imports = [ imports = with inputs; [
inputs.sops-nix.nixosModules.sops sops-nix.nixosModules.sops
]; ];
sops = { sops = {
@ -11,7 +10,7 @@ in {
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
defaultSopsFile = "${secretsPath}/secrets.yaml"; defaultSopsFile = "${toString inputs.mysecrets}/secrets.yaml";
secrets = { secrets = {
"user-password-hashed".neededForUsers = true; "user-password-hashed".neededForUsers = true;
"ssh-config" = { "ssh-config" = {


@ -5,7 +5,6 @@
... ...
}: let }: let
sopSec = config.sops.secrets; sopSec = config.sops.secrets;
secrets = inputs.mysecrets;
in { in {
nix.settings.trusted-users = [ nix.settings.trusted-users = [
"user" "user"
@ -15,12 +14,12 @@ in {
users.users = { users.users = {
user = { user = {
hashedPasswordFile = sopSec."user-password-hashed".path; hashedPasswordFile = sopSec."user-password-hashed".path;
isNormalUser = true;
extraGroups = ["wheel" "video" "libvirtd" "dialout"]; extraGroups = ["wheel" "video" "libvirtd" "dialout"];
isNormalUser = true;
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = [ openssh.authorizedKeys.keyFiles = map (f: "${inputs.mysecrets}/ssh/" + f) [
"${secrets}/ssh/id_ed25519_sarien_user.pub" "id_ed25519_sarien_user.pub"
"${secrets}/ssh/id_ed25519_eldrid_user.pub" "id_ed25519_eldrid_user.pub"
]; ];
}; };
}; };
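Review bot: `map (f: "${inputs.mysecrets}/ssh/" + f) [ … ]` mixes string interpolation with `+`; `map (f: "${inputs.mysecrets}/ssh/${f}") [ … ]` expresses the same path as a single interpolated string and is easier to read. The `nix.settings.trusted-users` list that starts in this hunk continues outside it, so I can't see the full set; since trusted-users is root-equivalent for the Nix daemon, a one-line comment on why `"user"` needs it (remote builds, flake registry, …) would help whoever audits this later.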


@ -18,37 +18,34 @@
packages = [ packages = [
# misc # misc
"app.zen_browser.zen" "app.zen_browser.zen"
"net.mullvad.MullvadBrowser"
"io.github.ungoogled_software.ungoogled_chromium" "io.github.ungoogled_software.ungoogled_chromium"
"com.obsproject.Studio" "net.mullvad.MullvadBrowser"
"com.bitwarden.desktop" "com.bitwarden.desktop"
"com.github.tchx84.Flatseal" "com.github.tchx84.Flatseal"
"com.logseq.Logseq"
"com.obsproject.Studio"
"com.usebottles.bottles"
"de.haeckerfelix.Fragments" "de.haeckerfelix.Fragments"
"org.qbittorrent.qBittorrent" "org.qbittorrent.qBittorrent"
# "com.transmissionbt.Transmission"
"com.usebottles.bottles"
"com.logseq.Logseq"
"org.octave.Octave"
# chatting # chatting
"org.signal.Signal"
"im.riot.Riot" "im.riot.Riot"
"org.telegram.desktop"
"io.github.spacingbat3.webcord" "io.github.spacingbat3.webcord"
"org.mozilla.Thunderbird" "org.mozilla.Thunderbird"
"org.signal.Signal"
"org.telegram.desktop"
# media # media
"io.bassi.Amberol" "io.bassi.Amberol"
"io.freetubeapp.FreeTube" "io.freetubeapp.FreeTube"
#"io.github.celluloid_player.Celluloid"
# "io.mpv.Mpv" # "io.mpv.Mpv"
#"io.github.celluloid_player.Celluloid"
# gaming # gaming
#"com.github._0negal.Viper" #"com.github._0negal.Viper"
"com.heroicgameslauncher.hgl"
"com.valvesoftware.Steam" "com.valvesoftware.Steam"
"net.lutris.Lutris" "net.lutris.Lutris"
"com.heroicgameslauncher.hgl"
{ {
appId = "org.unmojang.FjordLauncher"; appId = "org.unmojang.FjordLauncher";
origin = "hero-persson"; origin = "hero-persson";
@ -62,14 +59,14 @@
Context = { Context = {
sockets = ["wayland" "!x11" "!fallback-x11"]; sockets = ["wayland" "!x11" "!fallback-x11"];
filesystems = [ filesystems = [
"!host"
"!home" "!home"
"!host"
"!~/.ssh" "!~/.ssh"
"xdg-run/pipewire-0" "/nix/store:ro"
"xdg-config/gtk-3.0:ro" "xdg-config/gtk-3.0:ro"
"xdg-config/gtk-4.0:ro" "xdg-config/gtk-4.0:ro"
"xdg-run/pipewire-0"
"~/.local/share/icons:ro" "~/.local/share/icons:ro"
"/nix/store:ro"
]; ];
}; };
Environment = { Environment = {
@ -86,6 +83,16 @@
"org.signal.Signal" = { "org.signal.Signal" = {
Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret"; Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
}; };
"com.obsproject.Studio" = {
Context.filesystems = ["~/vids"];
};
"com.logseq.Logseq" = {
Context.filesystems = [
"~/docs/logseq"
"~/docs/nure/2025/logseq"
"~/syncthing/logseq"
];
};
"net.lutris.Lutris".Context = { "net.lutris.Lutris".Context = {
sockets = ["x11" "wayland"]; sockets = ["x11" "wayland"];
filesystems = ["/storage/games/lutris" "~/games/lutris"]; filesystems = ["/storage/games/lutris" "~/games/lutris"];


@ -1,4 +1,8 @@
{inputs, ...}: { {
inputs,
osConfig,
...
}: {
imports = with inputs; [ imports = with inputs; [
nix-index-database.hmModules.nix-index nix-index-database.hmModules.nix-index
self.homeModules.desktop self.homeModules.desktop
@ -6,13 +10,10 @@
./programs.nix ./programs.nix
./flatpak.nix ./flatpak.nix
]; ];
desktop = {
niri.enable = true;
};
home = { home = {
stateVersion = "25.05"; stateVersion = osConfig.system.stateVersion;
sessionPath = [ sessionPath = ["$HOME/.local/bin"];
"$HOME/.local/bin"
];
}; };
desktop.niri.enable = true;
} }
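Review bot: `stateVersion = osConfig.system.stateVersion;` makes this Home Manager profile depend on being evaluated as a NixOS module, because `osConfig` is only defined in that mode; a standalone `home-manager switch` against this file would fail with an undefined-variable error. If standalone use is not intended, a comment above the `home = {` block such as `# osConfig is only available when Home Manager runs as a NixOS module` would save the next reader the surprise. Note also that Home Manager's stateVersion controls HM's own compatibility defaults, so a future NixOS stateVersion bump now silently bumps HM's as well; that is presumably accepted, but worth checking HM release notes at that time.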


@ -49,7 +49,6 @@
editor = { editor = {
helix.enable = true; helix.enable = true;
# zed.enable = true;
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [


@ -10,12 +10,12 @@
boot = { boot = {
# kernelPackages = pkgs.linuxPackages_latest; # kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_cachyos; kernelPackages = pkgs.linuxPackages_cachyos;
plymouth.enable = true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = { loader.systemd-boot = {
enable = !config.boot.lanzaboote.enable; enable = !config.boot.lanzaboote.enable;
consoleMode = "auto"; consoleMode = "auto";
}; };
plymouth.enable = true;
initrd = { initrd = {
availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "xe" "i915"]; availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "xe" "i915"];
kernelModules = []; kernelModules = [];


@ -10,11 +10,10 @@
./programs.nix ./programs.nix
./flatpak.nix ./flatpak.nix
]; ];
desktop.niri.enable = true;
home = { home = {
stateVersion = osConfig.system.stateVersion; stateVersion = osConfig.system.stateVersion;
sessionPath = [ sessionPath = ["$HOME/.local/bin"];
"$HOME/.local/bin"
];
}; };
desktop.niri.enable = true;
} }

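--- a/hosts/sarien/boot.nix
+++ b/hosts/sarien/boot.nix
@@ -0,0 +1,31 @@
+{
+pkgs,
+config,
+inputs,
+...
+}: {
+imports = with inputs; [
+chaotic.nixosModules.default
+];
+boot = {
+# kernelPackages = pkgs.linuxPackages_latest;
+kernelPackages = pkgs.linuxPackages_cachyos;
+kernelModules = ["kvm-intel"];
+kernelParams = [
+"i915.enable_guc=2"
+"i915.enable_fbc=1"
+"i915.enable_psr=2"
+];
+loader.efi.canTouchEfiVariables = true;
+loader.systemd-boot = {
+enable = true;
+consoleMode = "auto";
+};
+plymouth.enable = true;
+};
+console = {
+earlySetup = true;
+packages = [pkgs.terminus_font];
+font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
+};
+}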
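Review bot: `config` is bound in the module argument pattern but never used in this file; drop it so the pattern reads `{ pkgs, inputs, ... }`. Unlike hosts/dunamis/boot.nix, kernelParams here carry only i915 tuning and none of the hardening parameters the other host sets (`lockdown=confidentiality`, `module.sig_enforce=1`, `iommu=force`, `vsyscall=none`, …); if that is deliberate for this machine, a comment saying so prevents the two files from drifting unnoticed, and if not, the shared set belongs in a module both hosts import. The `initrd.systemd.enable` / `availableKernelModules` block that dunamis keeps in its boot.nix is absent here while the old hardware.nix initrd block is being deleted in the same commit — please confirm the initrd module list did not get lost in the move.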


@ -1,106 +1,38 @@
# device-specific setup {inputs, ...}: {
{
pkgs,
config,
inputs,
...
}: {
imports = with inputs; [ imports = with inputs; [
chaotic.nixosModules.default
lix.nixosModules.default
self.nixosModules.desktop self.nixosModules.desktop
self.nixosModules.system self.nixosModules.system
./hardware.nix ./boot.nix
./programs.nix
./stylix.nix
./disko.nix ./disko.nix
./users.nix ./hardware.nix
./networking.nix
./nix.nix
./programs.nix
./services.nix
./sops.nix ./sops.nix
./stylix.nix
./users.nix
]; ];
desktop = { desktop.niri.enable = true;
niri.enable = true;
};
nix = { locale.ukrainian.enable = true;
channel.enable = false;
daemonCPUSchedPolicy = "idle"; opentabletdriver.enable = false;
settings = {
experimental-features = ["nix-command" "flakes"]; qmk-vial.enable = true;
builders-use-substitutes = true;
}; security.basic.enable = true;
distributedBuilds = true;
buildMachines = [
{
hostName = "dunamis";
sshUser = "nix-ssh";
system = "x86_64-linux";
sshKey = config.sops.secrets."ssh-sarien-user".path;
supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
}
];
};
system.stateVersion = "25.05"; system.stateVersion = "25.05";
time.timeZone = "Europe/Kyiv"; time.timeZone = "Europe/Kyiv";
locale.ukrainian.enable = true;
networking = { virtual.libvirt.enable = true;
networkmanager.enable = true;
hostName = "vylxae";
hosts = {
"192.168.1.42" = ["dunamis"];
};
};
boot = { wireless = {
# kernelPackages = pkgs.linuxPackages_latest; wifi.enable = true;
kernelPackages = pkgs.linuxPackages_cachyos; bluetooth.enable = true;
plymouth.enable = true; bluetooth.enableBlueman = true;
loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = {
enable = true;
consoleMode = "auto";
}; };
};
console = {
earlySetup = true;
packages = [pkgs.terminus_font];
font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
};
services = {
power-profiles-daemon.enable = true;
flatpak.enable = true;
fstrim.enable = true;
openssh.enable = true;
syncthing.openDefaultPorts = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
server_names = ["mullvad-doh"];
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
};
};
};
services.scx = {
enable = true;
scheduler = "scx_flash";
};
security.basic.enable = true;
virtual = {
libvirt.enable = true;
podman.enable = false;
};
wireless.bluetooth.enableBlueman = true;
opentabletdriver.enable = false;
qmk-vial.enable = true;
} }


@ -8,37 +8,14 @@
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
wireless = {
wifi.enable = true;
bluetooth.enable = true;
};
services.logind = { services.logind = {
lidSwitch = "ignore"; lidSwitch = "ignore";
powerKey = "suspend"; powerKey = "suspend";
}; };
boot = {
kernelModules = ["kvm-intel"];
kernelParams = [
"i915.enable_guc=2"
"i915.enable_fbc=1"
"i915.enable_psr=2"
];
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"];
kernelModules = ["i915"];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
services.thermald.enable = true;
services.upower.enable = true;
powerManagement.powertop.enable = true;
hardware.graphics = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [


@ -0,0 +1,9 @@
{
networking = {
networkmanager.enable = true;
hostName = "vylxae";
hosts = {
"192.168.1.42" = ["dunamis"];
};
};
}

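--- a/hosts/sarien/nix.nix
+++ b/hosts/sarien/nix.nix
@@ -0,0 +1,28 @@
+{
+config,
+inputs,
+...
+}: {
+imports = with inputs; [
+lix.nixosModules.default
+];
+nix = {
+channel.enable = false;
+daemonCPUSchedPolicy = "idle";
+settings = {
+experimental-features = ["nix-command" "flakes"];
+builders-use-substitutes = true;
+};
+distributedBuilds = true;
+buildMachines = [
+{
+hostName = "dunamis";
+sshUser = "nix-ssh";
+system = "x86_64-linux";
+sshKey = config.sops.secrets."ssh-sarien-user".path;
+supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
+publicHostKey = builtins.readFile "${inputs.mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+}
+];
+};
+}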
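Review bot: `sshKey = config.sops.secrets."ssh-sarien-user".path` reuses what appears to be the interactive user's SSH identity (its public half, `id_ed25519_sarien_user.pub`, is in the authorized keys in users.nix) as the remote-build credential, so the nix-daemon's private key on this host is also a login key for the wheel user on dunamis; a dedicated build key stored as its own sops secret, e.g. `sshKey = config.sops.secrets."<builder-key-secret>".path;`, limits what a compromise of either side yields. Pinning `publicHostKey` from `inputs.mysecrets` is good; a short comment that the value must be the base64 of the host key line (the format `buildMachines.*.publicHostKey` expects) would prevent a wrong encoding from being silently accepted at eval time and failing only at build time.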

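--- a/hosts/sarien/services.nix
+++ b/hosts/sarien/services.nix
@@ -0,0 +1,21 @@
+{
+services = {
+flatpak.enable = true;
+fstrim.enable = true;
+openssh.enable = true;
+power-profiles-daemon.enable = true;
+syncthing.openDefaultPorts = true;
+dnscrypt-proxy2 = {
+enable = true;
+settings = {
+require_dnssec = true;
+server_names = ["mullvad-doh"];
+bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+};
+};
+scx = {
+enable = true;
+scheduler = "scx_flash";
+};
+};
+}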
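Review bot: `services.thermald.enable`, `services.upower.enable` and `powerManagement.powertop.enable`, which this commit deletes from hosts/sarien/hardware.nix, do not reappear in this file or anywhere else on the page, so the host (presumably a laptop, given the lid-switch and power-profiles settings) loses thermal management and power telemetry unless a module not shown here sets them; if the drop is intended, the commit message "do the same for two other hosts" should say so, otherwise add `thermald.enable = true;` and `upower.enable = true;` under `services` here and restore the powertop line. `openssh.enable = true` relies on whatever `security.basic` configures for sshd hardening, which I can't see from this hunk; a comment pointing at that module would make the exposure easier to audit.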