diff --git a/hosts/sarien/boot.nix b/hosts/sarien/boot.nix
deleted file mode 100644
index 2da552d..0000000
--- a/hosts/sarien/boot.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- pkgs,
- config,
- inputs,
- ...
-}: {
- imports = with inputs; [
- chaotic.nixosModules.default
- ];
- boot = {
- # kernelPackages = pkgs.linuxPackages_latest;
- kernelPackages = pkgs.linuxPackages_cachyos;
- kernelModules = ["kvm-intel"];
- kernelParams = [
- "debugfs=off"
- "efi=disable_early_pci_dma"
- # "gather_data_sampling=force"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- # "lockdown=confidentiality"
- # "module.sig_enforce=1"
- "page_alloc.shuffle=1"
- # "reg_file_data_sampling=on"
- # "spec_rstack_overflow=safe-ret"
- "vsyscall=none"
- ];
- loader.efi.canTouchEfiVariables = true;
- loader.systemd-boot = {
- enable = true;
- consoleMode = "auto";
- };
- plymouth.enable = true;
- };
- console = {
- earlySetup = true;
- packages = [pkgs.terminus_font];
- font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
- };
-}
diff --git a/hosts/sarien/boot/default.nix b/hosts/sarien/boot/default.nix
new file mode 100644
index 0000000..86f5df8
--- /dev/null
+++ b/hosts/sarien/boot/default.nix
@@ -0,0 +1,39 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = with inputs;
+ [
+ chaotic.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
+ ]
+ ++ [
+ ./loader.nix
+ ];
+ boot = {
+ # kernelPackages = pkgs.linuxPackages_latest;
+ plymouth.enable = true;
+ consoleLogLevel = 0;
+ kernelPackages = pkgs.linuxPackages_cachyos;
+ kernelParams = [
+ "amd_iommu=force_isolation"
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ "gather_data_sampling=force"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ "page_alloc.shuffle=1"
+ "vsyscall=none"
+ # "ia32_emulation=0"
+ # "lockdown=confidentiality"
+ # "module.sig_enforce=1"
+ ];
+ initrd = {
+ systemd.enable = true; # needed for auto-unlocking with TPM
+ systemd.tpm2.enable = false; # no TPM
+ };
+ };
+}
diff --git a/hosts/sarien/boot/loader.nix b/hosts/sarien/boot/loader.nix
new file mode 100644
index 0000000..7cd9220
--- /dev/null
+++ b/hosts/sarien/boot/loader.nix
@@ -0,0 +1,15 @@
+{config, ...}: {
+ boot = {
+ lanzaboote = {
+ enable = false;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot = {
+ enable = !config.boot.lanzaboote.enable;
+ consoleMode = "auto";
+ };
+ };
+ };
+}
diff --git a/hosts/sarien/configuration.nix b/hosts/sarien/configuration.nix
index ad7e5ac..9c21855 100644
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@@ -1,12 +1,17 @@
-{inputs, ...}: {
+{
+ inputs,
+ pkgs,
+ ...
+}: {
 imports = with inputs; [
 self.nixosModules.desktop
 self.nixosModules.system
- ./boot.nix
- ./disko.nix
+ ./boot
+ ./disko
+ ./facter
 ./hardware.nix
 ./networking.nix
- ./nix.nix
+ ./nix
 ./power-saving.nix
 ../dunamis/programs.nix
 ./services.nix
@@ -38,6 +43,10 @@
 wireless = {
 wifi.enable = true;
 bluetooth.enable = true;
- bluetooth.enableBlueman = true;
 };
+ hardware.graphics.extraPackages = with pkgs; [
+ intel-compute-runtime
+ intel-media-driver
+ vpl-gpu-rt
+ ];
 }
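Review bot: With `enable = false;` in loader.nix the lanzaboote module imported in boot/default.nix is inert, so systemd-boot still boots an unsigned kernel and initrd from the unencrypted vfat ESP, and the `# "lockdown=confidentiality"` / `# "module.sig_enforce=1"` params stay commented out; if Secure Boot is the goal, record the prerequisite next to the flag, e.g. `enable = false; # TODO: flip once keys exist in /var/lib/sbctl (sbctl create-keys) and are enrolled`. The two initrd comments contradict each other (`# needed for auto-unlocking with TPM` on systemd.enable, `# no TPM` on tpm2.enable); state the actual reason the systemd initrd is kept, or drop the first comment. `"amd_iommu=force_isolation"` sits next to `"intel_iommu=on"` on what configuration.nix in this same change treats as an Intel GPU host (intel-compute-runtime, intel-media-driver); it is a no-op there, so either drop it or comment that the list is intended to be vendor-agnostic.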
diff --git a/hosts/sarien/disko.nix b/hosts/sarien/disko.nix
deleted file mode 100644
index a383de2..0000000
--- a/hosts/sarien/disko.nix
+++ /dev/null
@@ -1,81 +0,0 @@
-{inputs, ...}: let
- disk = "/dev/disk/by-id/nvme-eui.0025385911b36714";
-in {
- imports = with inputs; [
- disko.nixosModules.disko
- ];
- disko.devices.nodev = {
- "/tmp" = {
- fsType = "tmpfs";
- mountOptions = ["rw" "nosuid" "nodev"];
- };
- };
- disko.devices.disk.main = {
- type = "disk";
- device = disk;
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "2G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [
- "umask=0077"
- "fmask=0022"
- "dmask=0022"
- "noexec"
- ];
- };
- };
- luks = {
- size = "100%";
- content = {
- type = "luks";
- name = "luks-main";
- initrdUnlock = true;
- settings.allowDiscards = true;
- content = {
- type = "btrfs";
- extraArgs = ["-f"];
- subvolumes = {
- "@nixos-root" = {
- mountpoint = "/";
- mountOptions = [
- "compress=zstd"
- "noatime"
- "noexec"
- ];
- };
- "@home" = {
- mountpoint = "/home";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "@nix" = {
- mountpoint = "/nix";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "@storage" = {
- mountpoint = "/storage";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/sarien/disko/default.nix b/hosts/sarien/disko/default.nix
new file mode 100644
index 0000000..b43f6ed
--- /dev/null
+++ b/hosts/sarien/disko/default.nix
@@ -0,0 +1,14 @@
+{inputs, ...}: let
+ disk = "/dev/disk/by-id/nvme-eui.0025385911b36714";
+in {
+ imports = with inputs; [
+ disko.nixosModules.disko
+ ];
+ disko.devices.nodev = {
+ "/tmp" = {
+ fsType = "tmpfs";
+ mountOptions = ["rw" "nosuid" "nodev"];
+ };
+ };
+ disko.devices.disk.main = import ./disk-main.nix {inherit disk;};
+}
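Review bot: The `/tmp` tmpfs in disko/default.nix is mounted `["rw" "nosuid" "nodev"]` with no `size=` cap, so a runaway build or download can eat RAM until the OOM killer steps in; `mountOptions = ["rw" "nosuid" "nodev" "size=50%"];` bounds it. `noexec` is omitted here while `/` receives it in disk-main.nix — presumably on purpose, since nix-daemon build directories under /tmp need to be executable, but that reasoning is not recorded; a one-line comment on the options list would stop a later hardening pass from adding it and breaking builds.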
diff --git a/hosts/sarien/disko/disk-main.nix b/hosts/sarien/disko/disk-main.nix
new file mode 100644
index 0000000..3ee66c5
--- /dev/null
+++ b/hosts/sarien/disko/disk-main.nix
@@ -0,0 +1,70 @@
+{disk, ...}: {
+ type = "disk";
+ device = disk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "fmask=0022"
+ "dmask=0022"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luks-main";
+ initrdUnlock = true;
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@nixos-root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "noexec"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@storage" = {
+ mountpoint = "/storage";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress-force=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/sarien/facter/default.nix b/hosts/sarien/facter/default.nix
new file mode 100644
index 0000000..38bc812
--- /dev/null
+++ b/hosts/sarien/facter/default.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ inputs,
+ ...
+}: let
+ inherit (inputs) mysecrets;
+ inherit (config.networking) hostName;
+in {
+ imports = with inputs; [
+ nixos-facter-modules.nixosModules.facter
+ ];
+ facter.reportPath = "${mysecrets}/facter/${hostName}.json";
+ systemd.network.wait-online.enable = false;
+}
diff --git a/hosts/sarien/hardware.nix b/hosts/sarien/hardware.nix
index 7103bfb..e1aad9d 100644
--- a/hosts/sarien/hardware.nix
+++ b/hosts/sarien/hardware.nix
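Review bot: `@home` and `@storage` in disk-main.nix are mounted with only `compress=zstd` and `noatime`, while the ESP in the same file now gains `nosuid`/`nodev` and `/` gets `noexec`; those two user-writable subvolumes are exactly where a planted setuid binary or device node would matter, so add `"nosuid" "nodev"` to both (`noexec` on /home is a separate policy call because it breaks user-installed tools). `settings.allowDiscards = true` is carried over unchanged; it is a reasonable SSD trade-off but it does reveal which blocks of the LUKS volume are unused, and a short comment noting that was weighed would keep the next reader from re-litigating it.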
@@ -4,15 +4,15 @@
 modulesPath,
 ...
 }: {
- imports = with inputs.nixos-hardware.nixosModules; [
- (modulesPath + "/installer/scan/not-detected.nix")
- common-cpu-intel
- common-gpu-intel-kaby-lake
- common-hidpi
- common-pc-laptop-ssd
- ];
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.enableRedistributableFirmware = true;
+ # imports = with inputs.nixos-hardware.nixosModules; [
+ # (modulesPath + "/installer/scan/not-detected.nix")
+ # common-cpu-intel
+ # common-gpu-intel-kaby-lake
+ # common-hidpi
+ # common-pc-laptop-ssd
+ # ];
+ # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ # hardware.enableRedistributableFirmware = true;
 services = {
 logind = {
diff --git a/hosts/sarien/nix.nix b/hosts/sarien/nix.nix
deleted file mode 100644
index f37b92e..0000000
--- a/hosts/sarien/nix.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-# TODO: better file name
-{
- config,
- inputs,
- pkgs,
- ...
-}: let
- hostName =
- if (config.networking.hostName == "vylxae")
- then "sarien"
- else config.networking.hostName;
- inherit (config.sops) secrets;
- inherit (inputs) mysecrets;
-in {
- nix = {
- package = pkgs.lix;
- channel.enable = false;
- daemonCPUSchedPolicy = "idle";
- settings = {
- experimental-features = ["nix-command" "flakes"];
- builders-use-substitutes = true;
- };
- distributedBuilds = true;
- buildMachines = [
- {
- hostName = "dunamis";
- sshUser = "nix-ssh";
- system = "x86_64-linux";
- sshKey = secrets."ssh-${hostName}-user".path;
- supportedFeatures = ["nixos-test" "big-parallel" "kvm" "benchmark"];
- publicHostKey = builtins.readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
- }
- ];
- };
-}
diff --git a/hosts/sarien/nix/common.nix b/hosts/sarien/nix/common.nix
new file mode 100644
index 0000000..b435541
--- /dev/null
+++ b/hosts/sarien/nix/common.nix
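Review bot: The nine lines in hardware.nix are commented out instead of deleted, which leaves the `modulesPath` parameter (and presumably `lib` and `inputs`, declared above the hunk) unused and hides the real question: what now sets `nixpkgs.hostPlatform` and `hardware.enableRedistributableFirmware`. The facter module added on the previous line presumably supplies both from the report, but that is inferred rather than visible here; if it does not, the host silently loses redistributable firmware, and the CPU microcode updates that `common-cpu-intel` used to turn on — which the `gather_data_sampling=force` mitigation in boot/default.nix depends on — go with it. Delete the block and keep one explicit line such as `hardware.enableRedistributableFirmware = true;` rather than relying on a module default you cannot see from this file. The enclosing attrset begins before this hunk.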
@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+ nix = {
+ package = pkgs.lixPackageSets.latest.lix;
+ channel.enable = false;
+ daemonCPUSchedPolicy = "idle";
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ builders-use-substitutes = true;
+ };
+ };
+}
diff --git a/hosts/sarien/nix/default.nix b/hosts/sarien/nix/default.nix
new file mode 100644
index 0000000..1042b61
--- /dev/null
+++ b/hosts/sarien/nix/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./common.nix
+ ./substituters.nix
+ ./distributed-build.nix
+ ];
+}
diff --git a/hosts/sarien/nix/distributed-build.nix b/hosts/sarien/nix/distributed-build.nix
new file mode 100644
index 0000000..b093581
--- /dev/null
+++ b/hosts/sarien/nix/distributed-build.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ inputs,
+ ...
+}: let
+ inherit (builtins) readFile;
+ inherit (config.networking) hostName;
+ inherit (config.sops) secrets;
+ inherit (inputs) mysecrets;
+ pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
+in {
+ nix = {
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "dunamis";
+ publicHostKey = pubHost;
+ sshKey = secrets."ssh-${hostName}-user".path;
+ sshUser = "nix-ssh";
+ supportedFeatures = [
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
+ system = "x86_64-linux";
+ }
+ ];
+ };
+}
diff --git a/hosts/sarien/nix/ssh-serve.nix b/hosts/sarien/nix/ssh-serve.nix
new file mode 100644
index 0000000..a730ef0
--- /dev/null
+++ b/hosts/sarien/nix/ssh-serve.nix
@@ -0,0 +1,10 @@
+{config, ...}: let
+ inherit (builtins) readFile;
+ inherit (config.users.users) user;
+in {
+ nix.sshServe = {
+ enable = true;
+ write = true;
+ keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
+ };
+}
diff --git a/hosts/sarien/nix/substituters.nix b/hosts/sarien/nix/substituters.nix
new file mode 100644
index 0000000..fd4d5c1
--- /dev/null
+++ b/hosts/sarien/nix/substituters.nix
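Review bot: nix/ssh-serve.nix enables `nix.sshServe` with `write = true;`, which makes the forced command `nix-store --serve --write` for every key in `user.openssh.authorizedKeys.keyFiles`, so a compromised client key of the interactive user becomes a way to push paths into this host's store; unless sarien is meant to be a build target, use `write = false;`, and in either case give the nix-ssh account its own key list instead of reusing the login user's. As committed the file is inert anyway: nix/default.nix imports common.nix, substituters.nix and distributed-build.nix but not ssh-serve.nix, so either wire it in deliberately or drop it. `map (f: readFile f)` also copies each file's trailing newline into `keys`; harmless for one-key files, but `lib.fileContents` (add `lib` to the module arguments) strips it and is the usual idiom.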
@@ -0,0 +1,16 @@
+{
+ nix.settings = {
+ substituters = [
+ "https://cache.nixos.org/"
+ "https://chaotic-nyx.cachix.org/"
+ "https://cosmic.cachix.org/"
+ "https://nix-community.cachix.org/"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+}
diff --git a/modules/nixos/system/misc/stylix/default.nix b/modules/nixos/system/misc/stylix/default.nix
index aa16bcb..a424f88 100644
--- a/modules/nixos/system/misc/stylix/default.nix
+++ b/modules/nixos/system/misc/stylix/default.nix
@@ -87,9 +87,9 @@
 polarity = "dark";
 scheme = "${pkgs.base16-schemes}/share/themes/helios.yaml";
 wallpaper = builtins.fetchurl {
- url = "https://w.wallhaven.cc/full/we/wallhaven-wejkzx.jpg";
- name = "wallhaven-wejkzx.jpg";
- sha256 = "sha256:145q483q1yvs4pndh2r57gfvbd9jc15sry9qz31avqxyrn8ama52";
+ url = "https://w.wallhaven.cc/full/lq/wallhaven-lqorw2.png";
+ name = "wallhaven-lqorw2.png";
+ sha256 = "sha256:1rjchjq4pc2jyq8dvpa17mmscv9qcm0h0zv468lsf8s51anpid6p";
 };
 serif = {
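Review bot: substituters.nix puts three cachix signing keys into `trusted-public-keys`, which lets each of those cache operators supply any store path this host substitutes, on equal footing with cache.nixos.org; that is an accepted trade-off for the chaotic-nyx kernel and cosmic packages used elsewhere in this change, but it should be written down, e.g. `# every key here may sign binaries for any derivation; only list caches this host is built against` above the list. The key strings are presumably transcribed from the projects' READMEs; a single wrong character makes Nix reject that cache's paths as untrusted, which surfaces as unexpectedly slow local builds rather than a clear error, so verify each one against the upstream source before merging.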