From 6d393175f6b18fb24517af72d90e11b033ba590c Mon Sep 17 00:00:00 2001
From: unexplrd
Date: Mon, 14 Apr 2025 23:56:47 +0300
Subject: [PATCH] hosts/legion: init
Signed-off-by: unexplrd
---
hosts/legion/boot.nix | 56 +++++++++
hosts/legion/configuration.nix | 39 ++++++
hosts/legion/disko.nix | 112 +++++++++++++++++
hosts/legion/hardware.nix | 35 ++++++
hosts/legion/networking.nix | 7 ++
hosts/legion/nix.nix | 14 +++
hosts/legion/programs.nix | 19 +++
hosts/legion/services.nix | 34 +++++
hosts/legion/sops.nix | 64 ++++++++++
hosts/legion/users.nix | 25 ++++
hosts/legion/users/user/common.nix | 14 +++
hosts/legion/users/user/flatpak.nix | 117 ++++++++++++++++++
.../legion/users/user/home-configuration.nix | 7 ++
hosts/legion/users/user/programs.nix | 88 +++++++++++++
14 files changed, 631 insertions(+)
create mode 100644 hosts/legion/boot.nix
create mode 100644 hosts/legion/configuration.nix
create mode 100644 hosts/legion/disko.nix
create mode 100644 hosts/legion/hardware.nix
create mode 100644 hosts/legion/networking.nix
create mode 100644 hosts/legion/nix.nix
create mode 100644 hosts/legion/programs.nix
create mode 100644 hosts/legion/services.nix
create mode 100644 hosts/legion/sops.nix
create mode 100644 hosts/legion/users.nix
create mode 100644 hosts/legion/users/user/common.nix
create mode 100644 hosts/legion/users/user/flatpak.nix
create mode 100644 hosts/legion/users/user/home-configuration.nix
create mode 100644 hosts/legion/users/user/programs.nix
diff --git a/hosts/legion/boot.nix b/hosts/legion/boot.nix
new file mode 100644
index 0000000..d979c33
--- /dev/null
+++ b/hosts/legion/boot.nix
@@ -0,0 +1,56 @@
+{
+ pkgs,
+ config,
+ inputs,
+ ...
+}: {
+ imports = with inputs; [
+ chaotic.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
+ ];
+ boot = {
+ # kernelPackages = pkgs.linuxPackages_latest;
+ consoleLogLevel = 0;
+ kernelPackages = pkgs.linuxPackages_cachyos;
+ kernelModules = ["kvm-amd"];
+ kernelParams = [
+ # "mitigations=auto"
+ # "spectre_v2=on"
+ # "spectre_v2_user=on"
+ # "spectre_bhi=on"
+ # "spec_store_bypass_disable=on"
+ # "tsx=off"
+ # "kvm.nx_huge_pages=force"
+ # "l1d_flush=on"
+ "amd_iommu=force_isolation"
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ "gather_data_sampling=force"
+ # "ia32_emulation=0"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ # "lockdown=confidentiality"
+ # "module.sig_enforce=1"
+ "page_alloc.shuffle=1"
+ # "reg_file_data_sampling=on"
+ # "spec_rstack_overflow=safe-ret"
+ "vsyscall=none"
+ ];
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+ systemd.enable = true; # needed for auto-unlocking with TPM
+ };
+ loader.efi.canTouchEfiVariables = true;
+ loader.systemd-boot = {
+ enable = !config.boot.lanzaboote.enable;
+ consoleMode = "auto";
+ };
+ lanzaboote = {
+ enable = false;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ plymouth.enable = true;
+ };
+}
diff --git a/hosts/legion/configuration.nix b/hosts/legion/configuration.nix
new file mode 100644
index 0000000..f68dd2d
--- /dev/null
+++ b/hosts/legion/configuration.nix
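Review bot: `lanzaboote.enable = false` leaves the TPM auto-unlock that the `systemd.enable = true; # needed for auto-unlocking with TPM` comment refers to without a verified boot chain: if a TPM2 enrollment exists as the comment implies, a PCR-bound LUKS policy only protects the key as far as the measured components are themselves trusted, and with an unsigned systemd-boot anyone who can alter the ESP can boot a modified initrd that still satisfies the policy. Either record that this is a staging state, e.g. `# TODO: enable once sbctl keys are enrolled; TPM unlock is only meaningful behind Secure Boot`, or flip `lanzaboote.enable` once `/var/lib/sbctl` is populated. Separately, `intel_iommu=on` sits among AMD-specific settings (`kvm-amd`, `amd_iommu=force_isolation`) and is inert on this hardware; drop it or add a one-line comment on why it stays.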
@@ -0,0 +1,39 @@
+{inputs, ...}: {
+ imports = with inputs; [
+ self.nixosModules.desktop
+ self.nixosModules.system
+ ./boot.nix
+ ./disko.nix
+ ./hardware.nix
+ ./networking.nix
+ ./nix.nix
+ ./programs.nix
+ ./services.nix
+ ./sops.nix
+ ./users.nix
+ ];
+
+ desktop.niri.enable = true;
+ environment.memoryAllocator.provider = "mimalloc";
+ locale.ukrainian.enable = true;
+ module.stylix = {
+ enable = true;
+ theme = "nord";
+ };
+ opentabletdriver.enable = false;
+ qmk-vial.enable = true;
+ security.basic.enable = true;
+ system.stateVersion = "25.05";
+ time.timeZone = "Europe/Kyiv";
+ virtual.libvirt.enable = true;
+ wireless = {
+ bluetooth.enable = true;
+ bluetooth.enableBlueman = true;
+ };
+ swapDevices = [
+ {
+ device = "/swap/swapfile";
+ size = 8 * 1024;
+ }
+ ];
+}
diff --git a/hosts/legion/disko.nix b/hosts/legion/disko.nix
new file mode 100644
index 0000000..d04dcd8
--- /dev/null
+++ b/hosts/legion/disko.nix
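Review bot: `swapDevices` places `/swap/swapfile` on the btrfs `@swap` subvolume declared in disko.nix, and a btrfs swap file must be uncompressed and NOCOW; the subvolume leaves `compress=zstd` commented out, but nothing in this commit marks the file NOCOW. Whether that matters depends on the swap-file creation path of the NixOS release in use (newer releases appear to special-case btrfs, older ones do not), so I would either verify it on first boot or record the constraint next to `device`, e.g. `# lives on btrfs @swap: must stay NOCOW (chattr +C) and uncompressed`. The file also ends up inside `luks-main`, which is the right place for swap; a short note saying so would save the next reader from checking.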
@@ -0,0 +1,112 @@
+{inputs, ...}: {
+ imports = with inputs; [
+ disko.nixosModules.disko
+ ];
+ disko.devices.nodev = {
+ "/tmp" = {
+ fsType = "tmpfs";
+ mountOptions = ["rw" "nosuid" "nodev"];
+ };
+ };
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "fmask=0022"
+ "dmask=0022"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luks-main";
+ initrdUnlock = true;
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@root-nixos" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ # "noexec"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@swap" = {
+ mountpoint = "/swap";
+ mountOptions = [
+ # "compress=zstd"
+ "noatime"
+ ];
+ };
+ # "@nix" = {
+ # mountpoint = "/nix";
+ # mountOptions = [
+ # "compress-force=zstd"
+ # "noatime"
+ # ];
+ # };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ disko.devices.disk.second = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
+ content = {
+ type = "gpt";
+ partitions = {
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luks-second";
+ initrdUnlock = true;
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@storage" = {
+ mountpoint = "/storage";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/legion/hardware.nix b/hosts/legion/hardware.nix
new file mode 100644
index 0000000..64258fd
--- /dev/null
+++ b/hosts/legion/hardware.nix
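Review bot: The ESP `mountOptions` list `umask=0077` and then `fmask=0022` and `dmask=0022`, and the later two win: vfat applies options in order and `fmask`/`dmask` override the file and directory masks that `umask` just set, so `/boot` ends up world-readable (0644 files, 0755 directories), which defeats what the leading `umask=0077` clearly intends. If a private ESP is the goal, delete the `"fmask=0022"` and `"dmask=0022"` lines; if world-readable is the goal, delete `"umask=0077"` instead so the options are not self-contradicting. `settings.allowDiscards = true` on both LUKS volumes is a known trade-off (TRIM passthrough lets an observer of the raw device see which blocks are unused); a comment such as `# TRIM passthrough leaks free-block layout; accepted for SSD wear` next to each would make the choice deliberate.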
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ inputs,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = with inputs.nixos-hardware.nixosModules; [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ lenovo-legion-15ach6h
+ ];
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ hardware.enableRedistributableFirmware = true;
+ hardware.nvidia-container-toolkit.enable = true;
+
+ services.keyd = {
+ enable = true;
+ keyboards.laptop = {
+ ids = ["048d:c101"];
+ settings.main = {
+ a = "lettermod(alt, a, 200, 150)";
+ s = "lettermod(meta, s, 200, 150)";
+ d = "lettermod(control, d, 200, 150)";
+ f = "lettermod(shift, f, 200, 150)";
+ j = "lettermod(shift, j, 200, 150)";
+ k = "lettermod(control, k, 200, 150)";
+ l = "lettermod(meta, l, 200, 150)";
+ ";" = "lettermod(alt, ;, 200, 150)";
+ };
+ };
+ };
+}
diff --git a/hosts/legion/networking.nix b/hosts/legion/networking.nix
new file mode 100644
index 0000000..0f99789
--- /dev/null
+++ b/hosts/legion/networking.nix
@@ -0,0 +1,7 @@
+{
+ networking = {
+ # hostId = "c7f6c4a1";
+ hostName = "legion";
+ networkmanager.enable = true;
+ };
+}
diff --git a/hosts/legion/nix.nix b/hosts/legion/nix.nix
new file mode 100644
index 0000000..53341c5
--- /dev/null
+++ b/hosts/legion/nix.nix
@@ -0,0 +1,14 @@
+# TODO: better file name
+{
+ config,
+ pkgs,
+ ...
+}: {
+ nixpkgs.config.allowUnfree = true;
+ nix = {
+ package = pkgs.lix;
+ channel.enable = false;
+ settings.experimental-features = ["nix-command" "flakes"];
+ daemonCPUSchedPolicy = "idle";
+ };
+}
diff --git a/hosts/legion/programs.nix b/hosts/legion/programs.nix
new file mode 100644
index 0000000..57f8168
--- /dev/null
+++ b/hosts/legion/programs.nix
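Review bot: The three-line header on hardware.nix (`Do not modify this file! ... may be overwritten by future invocations`) is no longer true: the file has been hand-edited with a `nixos-hardware` import, the `nvidia-container-toolkit` switch and a full `services.keyd` layout, so a reader who trusts the header would expect those to survive a `nixos-generate-config` run, and they would not. Replace the generated-file header with something like `# Hand-maintained; originally derived from nixos-generate-config output.` The keyd layout and the NVIDIA toolkit are not hardware detection and may read better next to the other service switches in services.nix, but that is a matter of taste.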
@@ -0,0 +1,19 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ programs = {
+ fish.enable = true;
+ mosh.enable = true;
+ nh = {
+ enable = true;
+ flake = "/home/user/.config/nixos";
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ (lib.hiPrio uutils-coreutils-noprefix)
+ helix
+ nushell
+ ];
+}
diff --git a/hosts/legion/services.nix b/hosts/legion/services.nix
new file mode 100644
index 0000000..a17583b
--- /dev/null
+++ b/hosts/legion/services.nix
@@ -0,0 +1,34 @@
+{
+ services = {
+ # hardware.openrgb.enable = true;
+ flatpak.enable = true;
+ fwupd.enable = true;
+ openssh.enable = true;
+ syncthing.openDefaultPorts = true;
+ dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ require_dnssec = true;
+ server_names = ["mullvad-doh"];
+ bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
+ };
+ };
+ opensnitch = {
+ enable = false;
+ settings = {
+ DefaultAaction = "deny";
+ Firewall = "iptables";
+ InterceptUnknown = true;
+ ProcMonitorMethod = "ebpf";
+ };
+ };
+ scx = {
+ enable = true;
+ scheduler = "scx_flash";
+ };
+ logind = {
+ lidSwitch = "ignore";
+ powerKey = "suspend";
+ };
+ };
+}
diff --git a/hosts/legion/sops.nix b/hosts/legion/sops.nix
new file mode 100644
index 0000000..68ca709
--- /dev/null
+++ b/hosts/legion/sops.nix
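Review bot: `DefaultAaction = "deny"` in the services.nix opensnitch `settings` block is misspelled — the key OpenSnitch reads is `DefaultAction` — so the moment `opensnitch.enable` is flipped to true the deny policy this line is meant to set does not apply and the daemon runs with its shipped default instead (or, if the module's settings type is not freeform, evaluation fails on the unknown key); change it to `DefaultAction = "deny";`. The second point is `openssh.enable = true` with no `settings`: users.nix provisions authorized keys for `user` and also gives it a password hash, and the NixOS sshd defaults leave password and keyboard-interactive authentication enabled, so the key-based setup is weaker than it looks; consider `openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` alongside it. The `syncthing.openDefaultPorts = true` line opens firewall ports for a service that is enabled only in the user's home-manager config, which is fine but deserves a one-line comment so nobody removes it as dead.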
@@ -0,0 +1,64 @@
+{
+ config,
+ inputs,
+ ...
+}: let
+ inherit (inputs) mysecrets;
+ hostName =
+ if (config.networking.hostName == "vylxae")
+ then "sarien"
+ else config.networking.hostName;
+ sopsFile = mysecrets + "/hosts/${hostName}.yaml";
+ dotSsh = name: "/home/user/.ssh/" + name;
+ sshKey = {
+ mode = "0400";
+ owner = "user";
+ };
+in {
+ imports = with inputs; [
+ sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ defaultSopsFile = mysecrets + "/common.yaml";
+ secrets = {
+ "user-password-hashed".neededForUsers = true;
+ "ssh-config" = {
+ path = dotSsh "config";
+ mode = "0400";
+ owner = "user";
+ };
+ "ssh-${hostName}-user" = {
+ inherit sopsFile;
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_ed25519";
+ };
+ "ssh-${hostName}-user.pub" = {
+ inherit sopsFile;
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_ed25519.pub";
+ };
+ "ssh-unexplrd" = {
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_unexplrd_ed25519";
+ };
+ "ssh-unexplrd.pub" = {
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_unexplrd_ed25519.pub";
+ };
+ "ssh-uni" = {
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_uni_ed25519";
+ };
+ "ssh-uni.pub" = {
+ inherit (sshKey) mode owner;
+ path = dotSsh "id_uni_ed25519.pub";
+ };
+ };
+ };
+}
diff --git a/hosts/legion/users.nix b/hosts/legion/users.nix
new file mode 100644
index 0000000..312a291
--- /dev/null
+++ b/hosts/legion/users.nix
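Review bot: The `hostName` remap in the `let` block (`if (config.networking.hostName == "vylxae") then "sarien" else ...`) is dead on this host — networking.nix sets `hostName = "legion"` — and looks carried over from another host's sops.nix, so `sopsFile` reaches `mysecrets + "/hosts/legion.yaml"` only through a detour the reader has to trace. Replace it with `hostName = config.networking.hostName;`, or if the alias is intentional for a shared secrets layout, keep it with a comment such as `# vylxae shares sarien's secrets file; see hosts/<other host>/sops.nix`. `"ssh-config"` also spells out `mode`/`owner` literally where every other entry uses `inherit (sshKey) mode owner;`; making it consistent leaves one place to change key permissions.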
@@ -0,0 +1,25 @@
+{
+ inputs,
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (config.sops) secrets;
+ inherit (inputs) mysecrets;
+in {
+ nix.settings.trusted-users = ["user" "nix-ssh"];
+ users.mutableUsers = false;
+ users.users = {
+ user = {
+ hashedPasswordFile = secrets."user-password-hashed".path;
+ extraGroups = ["wheel" "video" "libvirtd" "dialout"];
+ isNormalUser = true;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/${f}") [
+ "id_dunamis_ed25519.pub"
+ "id_eldrid_ed25519.pub"
+ "id_sarien_ed25519.pub"
+ ];
+ };
+ };
+}
diff --git a/hosts/legion/users/user/common.nix b/hosts/legion/users/user/common.nix
new file mode 100644
index 0000000..71c96e3
--- /dev/null
+++ b/hosts/legion/users/user/common.nix
@@ -0,0 +1,14 @@
+{
+ inputs,
+ osConfig,
+ ...
+}: {
+ imports = with inputs; [
+ nix-index-database.hmModules.nix-index
+ self.homeModules.desktop
+ self.homeModules.programs
+ ];
+ inherit (osConfig) desktop;
+ home.stateVersion = osConfig.system.stateVersion;
+ home.sessionPath = ["$HOME/.local/bin"];
+}
diff --git a/hosts/legion/users/user/flatpak.nix b/hosts/legion/users/user/flatpak.nix
new file mode 100644
index 0000000..c683c8f
--- /dev/null
+++ b/hosts/legion/users/user/flatpak.nix
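Review bot: `nix.settings.trusted-users = ["user" "nix-ssh"]` in users.nix hands out daemon-level trust, which is effectively root: a trusted user can point the daemon at arbitrary substituters and import unsigned store paths. Nothing in this commit enables `nix.sshServe`, the service that creates the `nix-ssh` account, so that entry is inert today; when the service is switched on, every key it accepts inherits that trust, so the entry deserves a comment naming the intended use (remote builds) rather than standing unexplained. For `user`, a one-line justification such as `# root-equivalent: needed for <reason>` records why the default `["root"]` was not enough.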
@@ -0,0 +1,117 @@
+{inputs, ...}: {
+ imports = with inputs; [
+ nix-flatpak.homeManagerModules.nix-flatpak
+ ];
+ services.flatpak = {
+ enable = true;
+ uninstallUnmanaged = true;
+ update.auto = {
+ enable = true;
+ onCalendar = "weekly";
+ };
+ remotes = [
+ {
+ name = "flathub";
+ location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
+ }
+ {
+ name = "hero-persson";
+ location = "https://hero-persson.github.io/unmojang-flatpak/index.flatpakrepo";
+ }
+ ];
+ packages = [
+ # browsers
+ "app.zen_browser.zen"
+ "io.github.ungoogled_software.ungoogled_chromium"
+ "net.mullvad.MullvadBrowser"
+ "org.torproject.torbrowser-launcher"
+
+ # misc
+ "com.bitwarden.desktop"
+ "com.github.tchx84.Flatseal"
+ "com.logseq.Logseq"
+ "com.obsproject.Studio"
+ "com.usebottles.bottles"
+ "de.capypara.FieldMonitor"
+ "de.haeckerfelix.Fragments"
+ "org.nicotine_plus.Nicotine"
+
+ # chatting
+ "im.riot.Riot"
+ "io.github.spacingbat3.webcord"
+ "org.mozilla.Thunderbird"
+ "org.signal.Signal"
+ "org.telegram.desktop"
+ "io.github.kukuruzka165.materialgram"
+
+ # media
+ "io.freetubeapp.FreeTube"
+ #music
+ "io.bassi.Amberol"
+ "org.atheme.audacious"
+
+ # gaming
+ "com.heroicgameslauncher.hgl"
+ "com.valvesoftware.Steam"
+ "net.lutris.Lutris"
+ {
+ appId = "org.unmojang.FjordLauncher";
+ origin = "hero-persson";
+ }
+ "org.freedesktop.Platform.VulkanLayer.MangoHud//24.08"
+ "org.freedesktop.Platform.VulkanLayer.gamescope//24.08"
+ ];
+ overrides = {
+ "global" = {
+ # Force Wayland by default
+ Context = {
+ sockets = ["wayland" "!x11" "!fallback-x11"];
+ filesystems = [
+ "!home"
+ "!host"
+ "!~/.ssh"
+ "/nix/store:ro"
+ "xdg-config/gtk-3.0:ro"
+ "xdg-config/gtk-4.0:ro"
+ "xdg-run/pipewire-0"
+ "~/.local/share/icons:ro"
+ ];
+ };
+ Environment = {
+ ELECTRON_OZONE_PLATFORM_HINT = "wayland";
+ };
+ };
+ "com.valvesoftware.Steam" = {
+ Context = {
+ sockets = ["x11" "wayland"];
+ filesystems = ["/storage/games/steam"];
+ };
+ Environment.STEAM_FORCE_DESKTOPUI_SCALING = "1.3";
+ };
+ "org.signal.Signal" = {
+ Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
+ };
+ "com.obsproject.Studio" = {
+ Context.filesystems = ["~/vids"];
+ };
+ "com.logseq.Logseq" = {
+ Context.filesystems = [
+ "~/docs/logseq"
+ "~/docs/nure/2025/logseq"
+ "~/syncthing/logseq"
+ ];
+ };
+ "net.lutris.Lutris".Context = {
+ sockets = ["x11" "wayland"];
+ filesystems = ["/storage/games/lutris" "~/games/lutris"];
+ };
+ "com.heroicgameslauncher.hgl".Context = {
+ sockets = ["x11" "wayland"];
+ filesystems = ["/storage/games/heroic" "~/games/heroic"];
+ };
+ "com.usebottles.Bottles" = {
+ Context.sockets = ["x11" "wayland"];
+ };
+ };
+ };
+}
diff --git a/hosts/legion/users/user/home-configuration.nix b/hosts/legion/users/user/home-configuration.nix
new file mode 100644
index 0000000..8499b4a
--- /dev/null
+++ b/hosts/legion/users/user/home-configuration.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./common.nix
+ ./flatpak.nix
+ ./programs.nix
+ ];
+}
diff --git a/hosts/legion/users/user/programs.nix b/hosts/legion/users/user/programs.nix
new file mode 100644
index 0000000..ab9d4b0
--- /dev/null
+++ b/hosts/legion/users/user/programs.nix
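Review bot: The override key `"com.usebottles.Bottles"` at the end of `overrides` does not match the installed app id `"com.usebottles.bottles"` listed under `packages`; Flatpak app ids are case-sensitive, so the override file is written for an id that is not installed and Bottles keeps the global `!x11`/`!fallback-x11` socket denial, which is presumably not what a dedicated override was meant to achieve. Change it to `"com.usebottles.bottles" = {`. It is also worth a one-line comment above `overrides` that the per-app entries layer on top of `global` (so the `!home`, `!host` and `!~/.ssh` denials still apply to Steam, Lutris and Heroic while their listed `/storage/games/...` paths are added), since that layering is what makes the game-launcher grants safe and a reader cannot tell it from the file alone.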
@@ -0,0 +1,88 @@
+{pkgs, ...}: {
+ console.yazi.enable = true;
+ editor.helix.enable = true;
+ shell = {
+ fish.enable = true;
+ oh-my-posh.enable = true;
+ };
+ syncthing.enable = true;
+ terminal.wezterm.enable = true;
+ terminal.ghostty.enable = true;
+
+ services = {
+ pueue.enable = true; # process queue in rust
+ ssh-agent.enable = true;
+ };
+
+ programs = {
+ bat.enable = true; # cat in rust
+ btop = {
+ enable = true;
+ settings.update_ms = 200;
+ };
+ direnv.enable = true;
+ direnv.silent = true;
+ eza.enable = true; # ls in rust
+ fd.enable = true; # find in rust
+ fzf.enable = true; # fuzzy finder in rust
+ git = {
+ enable = true;
+ delta.enable = true; # diff in rust
+ signing.format = "ssh";
+ aliases = {
+ cl = "clone";
+ co = "checkout";
+ pom = "push origin main";
+ };
+ };
+ gitui.enable = true; # git ui in rust
+ jujutsu.enable = true; # vcs in rust
+ keychain = {
+ enable = true;
+ keys = ["id_ed25519"];
+ };
+ nix-index-database.comma.enable = true;
+ nix-index.enable = true;
+ nix-your-shell.enable = true;
+ pay-respects.enable = true; # thefuck in rust
+ ripgrep.enable = true; # grep in rust
+ zoxide.enable = true;
+ };
+
+ home.packages = with pkgs; [
+ alejandra # nix formatter in rust
+ devenv # programming deps in rust
+ dua # disk space usage in rust
+ fend # calculator in rust
+ flatpak # flatpak cli
+ jj-fzf # fuzzy finder jujutsu tui
+ just # make in rust
+ mprocs # process runner in rust
+ ouch # archive manager in rust
+ overskride # bluetooth gui in rust
+ pika-backup # borg gui in rust
+ pinentry-qt # pinentry for rbw
+ procs # ps in rust
+ rbw # bitwarden cli in rust
+ sd # sed in rust
+ silicon # create code pics in rust
+ trashy # trash cli in rust
+ # vial # qmk keyboard configuring app
+ virt-manager # libvirt gui
+ waycheck # check wayland protocols
+ ];
+
+ xdg.desktopEntries = {
+ uni = {
+ actions."Copy".exec = "fish -c \"~/.local/bin/uni --copy\"";
+ categories = ["Utility" "X-Launch" "Network"];
+ comment = "Select and open or copy URLs from a list.";
+ exec = "fish -c \"~/.local/bin/uni\"";
+ icon = "web-browser";
+ name = "Uni URL Handler";
+ startupNotify = true;
+ terminal = false;
+ type = "Application";
+ };
+ };
+}
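Review bot: `git.signing.format = "ssh"` is set in the `programs.git` block without `signing.key` or `signing.signByDefault`, so unless `self.homeModules.programs` supplies them git has a signing format but no key and does not sign; if signed commits are the goal, add `signing.key = "~/.ssh/id_ed25519.pub";` (the public key sops.nix installs into `/home/user/.ssh/`) and `signing.signByDefault = true;`. `keychain.keys = ["id_ed25519"]` likewise loads only the per-host key pair while sops.nix also installs `id_unexplrd_ed25519` and `id_uni_ed25519`; either list them here or add a comment that the sops-managed `ssh-config` selects those per destination, so the omission reads as deliberate. Both `services.ssh-agent.enable = true` and `programs.keychain.enable = true` are turned on; if keychain is meant to drive a single agent, a one-line comment on which one owns the socket would prevent the two from being reconciled by trial and error.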