unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hosts/legion: init

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-04-14 23:56:47 +03:00
parent 84080b8952
commit 6d393175f6
14 changed files with 631 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
hosts/legion/boot.nix Normal file
View File

@ -0,0 +1,56 @@
{
pkgs,
config,
inputs,
...
}: {
imports = with inputs; [
chaotic.nixosModules.default
lanzaboote.nixosModules.lanzaboote
];
boot = {
# kernelPackages = pkgs.linuxPackages_latest;
consoleLogLevel = 0;
kernelPackages = pkgs.linuxPackages_cachyos;
kernelModules = ["kvm-amd"];
kernelParams = [
# "mitigations=auto"
# "spectre_v2=on"
# "spectre_v2_user=on"
# "spectre_bhi=on"
# "spec_store_bypass_disable=on"
# "tsx=off"
# "kvm.nx_huge_pages=force"
# "l1d_flush=on"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
# "ia32_emulation=0"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=confidentiality"
# "module.sig_enforce=1"
"page_alloc.shuffle=1"
# "reg_file_data_sampling=on"
# "spec_rstack_overflow=safe-ret"
"vsyscall=none"
];
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
systemd.enable = true; # needed for auto-unlocking with TPM
};
loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = {
enable = !config.boot.lanzaboote.enable;
consoleMode = "auto";
};
lanzaboote = {
enable = false;
pkiBundle = "/var/lib/sbctl";
};
plymouth.enable = true;
};
}

39
hosts/legion/configuration.nix Normal file
View File

@ -0,0 +1,39 @@
{inputs, ...}: {
imports = with inputs; [
self.nixosModules.desktop
self.nixosModules.system
./boot.nix
./disko.nix
./hardware.nix
./networking.nix
./nix.nix
./programs.nix
./services.nix
./sops.nix
./users.nix
];
desktop.niri.enable = true;
environment.memoryAllocator.provider = "mimalloc";
locale.ukrainian.enable = true;
module.stylix = {
enable = true;
theme = "nord";
};
opentabletdriver.enable = false;
qmk-vial.enable = true;
security.basic.enable = true;
system.stateVersion = "25.05";
time.timeZone = "Europe/Kyiv";
virtual.libvirt.enable = true;
wireless = {
bluetooth.enable = true;
bluetooth.enableBlueman = true;
};
swapDevices = [
{
device = "/swap/swapfile";
size = 8 * 1024;
}
];
}

112
hosts/legion/disko.nix Normal file
View File

@ -0,0 +1,112 @@
{inputs, ...}: {
imports = with inputs; [
disko.nixosModules.disko
];
disko.devices.nodev = {
"/tmp" = {
fsType = "tmpfs";
mountOptions = ["rw" "nosuid" "nodev"];
};
};
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
content = {
type = "gpt";
partitions = {
ESP = {
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"fmask=0022"
"dmask=0022"
"noexec"
"nosuid"
"nodev"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-main";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@root-nixos" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
# "noexec"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@swap" = {
mountpoint = "/swap";
mountOptions = [
# "compress=zstd"
"noatime"
];
};
# "@nix" = {
# mountpoint = "/nix";
# mountOptions = [
# "compress-force=zstd"
# "noatime"
# ];
# };
};
};
};
};
};
};
};
disko.devices.disk.second = {
type = "disk";
device = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-second";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@storage" = {
mountpoint = "/storage";
mountOptions = [
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
}

35
hosts/legion/hardware.nix Normal file
View File

@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
inputs,
lib,
modulesPath,
...
}: {
imports = with inputs.nixos-hardware.nixosModules; [
(modulesPath + "/installer/scan/not-detected.nix")
lenovo-legion-15ach6h
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.enableRedistributableFirmware = true;
hardware.nvidia-container-toolkit.enable = true;
services.keyd = {
enable = true;
keyboards.laptop = {
ids = ["048d:c101"];
settings.main = {
a = "lettermod(alt, a, 200, 150)";
s = "lettermod(meta, s, 200, 150)";
d = "lettermod(control, d, 200, 150)";
f = "lettermod(shift, f, 200, 150)";
j = "lettermod(shift, j, 200, 150)";
k = "lettermod(control, k, 200, 150)";
l = "lettermod(meta, l, 200, 150)";
";" = "lettermod(alt, ;, 200, 150)";
};
};
};
}

7
hosts/legion/networking.nix Normal file
View File

@ -0,0 +1,7 @@
{
networking = {
# hostId = "c7f6c4a1";
hostName = "legion";
networkmanager.enable = true;
};
}

14
hosts/legion/nix.nix Normal file
View File

@ -0,0 +1,14 @@
# TODO: better file name
{
config,
pkgs,
...
}: {
nixpkgs.config.allowUnfree = true;
nix = {
package = pkgs.lix;
channel.enable = false;
settings.experimental-features = ["nix-command" "flakes"];
daemonCPUSchedPolicy = "idle";
};
}

19
hosts/legion/programs.nix Normal file
View File

@ -0,0 +1,19 @@
{
pkgs,
lib,
...
}: {
programs = {
fish.enable = true;
mosh.enable = true;
nh = {
enable = true;
flake = "/home/user/.config/nixos";
};
};
environment.systemPackages = with pkgs; [
(lib.hiPrio uutils-coreutils-noprefix)
helix
nushell
];
}

34
hosts/legion/services.nix Normal file
View File

@ -0,0 +1,34 @@
{
services = {
# hardware.openrgb.enable = true;
flatpak.enable = true;
fwupd.enable = true;
openssh.enable = true;
syncthing.openDefaultPorts = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
server_names = ["mullvad-doh"];
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
};
};
opensnitch = {
enable = false;
settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
};
scx = {
enable = true;
scheduler = "scx_flash";
};
logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
};
}

64
hosts/legion/sops.nix Normal file
View File

@ -0,0 +1,64 @@
{
config,
inputs,
...
}: let
inherit (inputs) mysecrets;
hostName =
if (config.networking.hostName == "vylxae")
then "sarien"
else config.networking.hostName;
sopsFile = mysecrets + "/hosts/${hostName}.yaml";
dotSsh = name: "/home/user/.ssh/" + name;
sshKey = {
mode = "0400";
owner = "user";
};
in {
imports = with inputs; [
sops-nix.nixosModules.sops
];
sops = {
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
defaultSopsFile = mysecrets + "/common.yaml";
secrets = {
"user-password-hashed".neededForUsers = true;
"ssh-config" = {
path = dotSsh "config";
mode = "0400";
owner = "user";
};
"ssh-${hostName}-user" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519";
};
"ssh-${hostName}-user.pub" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519.pub";
};
"ssh-unexplrd" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519";
};
"ssh-unexplrd.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519.pub";
};
"ssh-uni" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519";
};
"ssh-uni.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519.pub";
};
};
};
}

25
hosts/legion/users.nix Normal file
View File

@ -0,0 +1,25 @@
{
inputs,
config,
pkgs,
...
}: let
inherit (config.sops) secrets;
inherit (inputs) mysecrets;
in {
nix.settings.trusted-users = ["user" "nix-ssh"];
users.mutableUsers = false;
users.users = {
user = {
hashedPasswordFile = secrets."user-password-hashed".path;
extraGroups = ["wheel" "video" "libvirtd" "dialout"];
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/${f}") [
"id_dunamis_ed25519.pub"
"id_eldrid_ed25519.pub"
"id_sarien_ed25519.pub"
];
};
};
}

14
hosts/legion/users/user/common.nix Normal file
View File

@ -0,0 +1,14 @@
{
inputs,
osConfig,
...
}: {
imports = with inputs; [
nix-index-database.hmModules.nix-index
self.homeModules.desktop
self.homeModules.programs
];
inherit (osConfig) desktop;
home.stateVersion = osConfig.system.stateVersion;
home.sessionPath = ["$HOME/.local/bin"];
}

117
hosts/legion/users/user/flatpak.nix Normal file
View File

@ -0,0 +1,117 @@
{inputs, ...}: {
imports = with inputs; [
nix-flatpak.homeManagerModules.nix-flatpak
];
services.flatpak = {
enable = true;
uninstallUnmanaged = true;
update.auto = {
enable = true;
onCalendar = "weekly";
};
remotes = [
{
name = "flathub";
location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
}
{
name = "hero-persson";
location = "https://hero-persson.github.io/unmojang-flatpak/index.flatpakrepo";
}
];
packages = [
# browsers
"app.zen_browser.zen"
"io.github.ungoogled_software.ungoogled_chromium"
"net.mullvad.MullvadBrowser"
"org.torproject.torbrowser-launcher"
# misc
"com.bitwarden.desktop"
"com.github.tchx84.Flatseal"
"com.logseq.Logseq"
"com.obsproject.Studio"
"com.usebottles.bottles"
"de.capypara.FieldMonitor"
"de.haeckerfelix.Fragments"
"org.nicotine_plus.Nicotine"
# chatting
"im.riot.Riot"
"io.github.spacingbat3.webcord"
"org.mozilla.Thunderbird"
"org.signal.Signal"
"org.telegram.desktop"
"io.github.kukuruzka165.materialgram"
# media
"io.freetubeapp.FreeTube"
#music
"io.bassi.Amberol"
"org.atheme.audacious"
# gaming
"com.heroicgameslauncher.hgl"
"com.valvesoftware.Steam"
"net.lutris.Lutris"
{
appId = "org.unmojang.FjordLauncher";
origin = "hero-persson";
}
"org.freedesktop.Platform.VulkanLayer.MangoHud//24.08"
"org.freedesktop.Platform.VulkanLayer.gamescope//24.08"
];
overrides = {
"global" = {
# Force Wayland by default
Context = {
sockets = ["wayland" "!x11" "!fallback-x11"];
filesystems = [
"!home"
"!host"
"!~/.ssh"
"/nix/store:ro"
"xdg-config/gtk-3.0:ro"
"xdg-config/gtk-4.0:ro"
"xdg-run/pipewire-0"
"~/.local/share/icons:ro"
];
};
Environment = {
ELECTRON_OZONE_PLATFORM_HINT = "wayland";
};
};
"com.valvesoftware.Steam" = {
Context = {
sockets = ["x11" "wayland"];
filesystems = ["/storage/games/steam"];
};
Environment.STEAM_FORCE_DESKTOPUI_SCALING = "1.3";
};
"org.signal.Signal" = {
Environment.SIGNAL_PASSWORD_STORE = "gnome-libsecret";
};
"com.obsproject.Studio" = {
Context.filesystems = ["~/vids"];
};
"com.logseq.Logseq" = {
Context.filesystems = [
"~/docs/logseq"
"~/docs/nure/2025/logseq"
"~/syncthing/logseq"
];
};
"net.lutris.Lutris".Context = {
sockets = ["x11" "wayland"];
filesystems = ["/storage/games/lutris" "~/games/lutris"];
};
"com.heroicgameslauncher.hgl".Context = {
sockets = ["x11" "wayland"];
filesystems = ["/storage/games/heroic" "~/games/heroic"];
};
"com.usebottles.Bottles" = {
Context.sockets = ["x11" "wayland"];
};
};
};
}

7
hosts/legion/users/user/home-configuration.nix Normal file
View File

@ -0,0 +1,7 @@
{
imports = [
./common.nix
./flatpak.nix
./programs.nix
];
}

88
hosts/legion/users/user/programs.nix Normal file
View File

@ -0,0 +1,88 @@
{pkgs, ...}: {
console.yazi.enable = true;
editor.helix.enable = true;
shell = {
fish.enable = true;
oh-my-posh.enable = true;
};
syncthing.enable = true;
terminal.wezterm.enable = true;
terminal.ghostty.enable = true;
services = {
pueue.enable = true; # process queue in rust
ssh-agent.enable = true;
};
programs = {
bat.enable = true; # cat in rust
btop = {
enable = true;
settings.update_ms = 200;
};
direnv.enable = true;
direnv.silent = true;
eza.enable = true; # ls in rust
fd.enable = true; # find in rust
fzf.enable = true; # fuzzy finder in rust
git = {
enable = true;
delta.enable = true; # diff in rust
signing.format = "ssh";
aliases = {
cl = "clone";
co = "checkout";
pom = "push origin main";
};
};
gitui.enable = true; # git ui in rust
jujutsu.enable = true; # vcs in rust
keychain = {
enable = true;
keys = ["id_ed25519"];
};
nix-index-database.comma.enable = true;
nix-index.enable = true;
nix-your-shell.enable = true;
pay-respects.enable = true; # thefuck in rust
ripgrep.enable = true; # grep in rust
zoxide.enable = true;
};
home.packages = with pkgs; [
alejandra # nix formatter in rust
devenv # programming deps in rust
dua # disk space usage in rust
fend # calculator in rust
flatpak # flatpak cli
jj-fzf # fuzzy finder jujutsu tui
just # make in rust
mprocs # process runner in rust
ouch # archive manager in rust
overskride # bluetooth gui in rust
pika-backup # borg gui in rust
pinentry-qt # pinentry for rbw
procs # ps in rust
rbw # bitwarden cli in rust
sd # sed in rust
silicon # create code pics in rust
trashy # trash cli in rust
# vial # qmk keyboard configuring app
virt-manager # libvirt gui
waycheck # check wayland protocols
];
xdg.desktopEntries = {
uni = {
actions."Copy".exec = "fish -c \"~/.local/bin/uni --copy\"";
categories = ["Utility" "X-Launch" "Network"];
comment = "Select and open or copy URLs from a list.";
exec = "fish -c \"~/.local/bin/uni\"";
icon = "web-browser";
name = "Uni URL Handler";
startupNotify = true;
terminal = false;
type = "Application";
};
};
}