diff --git a/hosts/legion/boot.nix b/hosts/legion/boot.nix
deleted file mode 100644
index c17c65e..0000000
--- a/hosts/legion/boot.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- pkgs,
- config,
- inputs,
- ...
-}: {
- imports = with inputs; [
- chaotic.nixosModules.default
- lanzaboote.nixosModules.lanzaboote
- ];
- boot = {
- # kernelPackages = pkgs.linuxPackages_latest;
- consoleLogLevel = 0;
- kernelPackages = pkgs.linuxPackages_cachyos;
- kernelModules = ["kvm-amd"];
- kernelParams = [
- # "mitigations=auto"
- # "spectre_v2=on"
- # "spectre_v2_user=on"
- # "spectre_bhi=on"
- # "spec_store_bypass_disable=on"
- # "tsx=off"
- # "kvm.nx_huge_pages=force"
- # "l1d_flush=on"
- "amd_iommu=force_isolation"
- "debugfs=off"
- "efi=disable_early_pci_dma"
- "gather_data_sampling=force"
- # "ia32_emulation=0"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- # "lockdown=confidentiality"
- # "module.sig_enforce=1"
- "page_alloc.shuffle=1"
- # "reg_file_data_sampling=on"
- # "spec_rstack_overflow=safe-ret"
- "vsyscall=none"
- ];
- initrd = {
- availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
- systemd.enable = true; # needed for auto-unlocking with TPM
- };
- loader.efi.canTouchEfiVariables = true;
- loader.systemd-boot = {
- enable = !config.boot.lanzaboote.enable;
- consoleMode = "auto";
- };
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
- plymouth.enable = true;
- };
-}
diff --git a/hosts/legion/configuration.nix b/hosts/legion/configuration.nix
index 831b3d6..4e9c447 100644
--- a/hosts/legion/configuration.nix
+++ b/hosts/legion/configuration.nix
@@ -1,40 +1,39 @@ -{inputs, ...}: { +{ + config, + inputs, + ... +}: { imports = with inputs; [ + self.nixosModules.config self.nixosModules.desktop self.nixosModules.system - ../dunamis/programs.nix - ./boot.nix - ./disko.nix - ./hardware.nix - ./networking.nix - ./nix.nix - ./power-saving.nix - ./services.nix - ./sops.nix - ./users.nix + ./disko + ./hardware ]; - desktop.niri.enable = true; - environment.memoryAllocator.provider = "mimalloc"; - locale.ukrainian.enable = true; - module.stylix = { - enable = true; - theme = "helios"; + networking = { + networkmanager.enable = true; + hostName = "legion"; }; - opentabletdriver.enable = false; - qmk-vial.enable = true; + environment.memoryAllocator.provider = "mimalloc"; system.stateVersion = "25.05"; time.timeZone = "Europe/Kyiv"; - virtual.libvirt.enable = true; - wireless = { - bluetooth.enable = true; - bluetooth.enableBlueman = true; + + desktop.niri.enable = true; + + module = { + config = { + # secureBoot = true; + # tpmDiskUnlock = true; + vaapi = "nvidia"; + }; + stylix = { + enable = true; + theme = "helios"; + }; }; - swapDevices = [ - { - device = "/swap/swapfile"; - size = 8 * 1024; - } - ]; + + locale.ukrainian.enable = true; + virtual.libvirt.enable = true; } diff --git a/hosts/legion/disko.nix b/hosts/legion/disko.nix deleted file mode 100644 index 3d40953..0000000 --- a/hosts/legion/disko.nix +++ /dev/null 
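Review bot: The new `module.config` block leaves `# secureBoot = true;` and `# tpmDiskUnlock = true;` commented out while this same commit deletes boot.nix, which enabled lanzaboote with `pkiBundle = "/etc/secureboot"`, systemd initrd for TPM unlocking, and the hardening command line (`debugfs=off`, `vsyscall=none`, `iommu=force`, `iommu.strict=1`, `page_alloc.shuffle=1`, …); unless `self.nixosModules.config` switches these on by default, the host now boots without Secure Boot enforcement and without those parameters. The same question applies to the deleted users.nix (`users.mutableUsers = false`, sops-backed `hashedPasswordFile`, `openssh.authorizedKeys.keyFiles`) and sops.nix, whose replacement is not visible in this diff. If the two options are deliberately off, a comment next to them such as `# secureBoot/tpmDiskUnlock off on this host: <reason>` would stop the block reading as an accidental regression; otherwise uncomment `secureBoot = true;`.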
@@ -1,115 +0,0 @@
-{inputs, ...}: let
- disk = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
- disk1 = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
-in {
- imports = with inputs; [
- disko.nixosModules.disko
- ];
- disko.devices.nodev = {
- "/tmp" = {
- fsType = "tmpfs";
- mountOptions = ["rw" "nosuid" "nodev"];
- };
- };
- disko.devices.disk.main = {
- type = "disk";
- device = disk;
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "2G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [
- "umask=0077"
- "fmask=0022"
- "dmask=0022"
- "noexec"
- "nosuid"
- "nodev"
- ];
- };
- };
- luks = {
- size = "100%";
- content = {
- type = "luks";
- name = "luks-main";
- initrdUnlock = true;
- settings.allowDiscards = true;
- content = {
- type = "btrfs";
- extraArgs = ["-f"];
- subvolumes = {
- "@root-nixos" = {
- mountpoint = "/";
- mountOptions = [
- "compress=zstd"
- "noatime"
- # "noexec"
- ];
- };
- "@home" = {
- mountpoint = "/home";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- "@swap" = {
- mountpoint = "/swap";
- mountOptions = [
- # "compress=zstd"
- "noatime"
- ];
- };
- # "@nix" = {
- # mountpoint = "/nix";
- # mountOptions = [
- # "compress-force=zstd"
- # "noatime"
- # ];
- # };
- };
- };
- };
- };
- };
- };
- };
- disko.devices.disk.second = {
- type = "disk";
- device = disk1;
- content = {
- type = "gpt";
- partitions = {
- luks = {
- size = "100%";
- content = {
- type = "luks";
- name = "luks-second";
- initrdUnlock = true;
- settings.allowDiscards = true;
- content = {
- type = "btrfs";
- extraArgs = ["-f"];
- subvolumes = {
- "@storage" = {
- mountpoint = "/storage";
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- };
- };
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/legion/disko/default.nix b/hosts/legion/disko/default.nix
new file mode 100644
index 0000000..bf6d826
--- /dev/null
+++ b/hosts/legion/disko/default.nix
@@ -0,0 +1,16 @@
+{inputs, ...}: let
+ disk-main = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
+ disk-second = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
+in {
+ imports = with inputs; [
+ disko.nixosModules.disko
+ ];
+ disko.devices.nodev = {
+ "/tmp" = {
+ fsType = "tmpfs";
+ mountOptions = ["rw" "nosuid" "nodev"];
+ };
+ };
+ disko.devices.disk.main = import ./disk-main.nix {inherit disk-main;};
+ disko.devices.disk.second = import ./disk-second.nix {inherit disk-second;};
+}
diff --git a/hosts/legion/disko/disk-main.nix b/hosts/legion/disko/disk-main.nix
new file mode 100644
index 0000000..8f6b8a9
--- /dev/null
+++ b/hosts/legion/disko/disk-main.nix
@@ -0,0 +1,70 @@
+{disk-main}: {
+ type = "disk";
+ device = disk-main;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077"
+ "fmask=0022"
+ "dmask=0022"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luks-main";
+ initrdUnlock = true;
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@root-nixos" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ # "noexec"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "@swap" = {
+ mountpoint = "/swap";
+ mountOptions = [
+ # "compress=zstd"
+ "noatime"
+ ];
+ };
+ # "@nix" = {
+ # mountpoint = "/nix";
+ # mountOptions = [
+ # "compress-force=zstd"
+ # "noatime"
+ # ];
+ # };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/legion/disko/disk-second.nix b/hosts/legion/disko/disk-second.nix
new file mode 100644
index 0000000..060ab69
--- /dev/null
+++ b/hosts/legion/disko/disk-second.nix
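Review bot: The tmpfs for `/tmp` in disko/default.nix is carried over with `"rw" "nosuid" "nodev"` but no `size=` bound, so it grows up to the kernel default of half of RAM and a runaway build or download can push the host into memory pressure; consider `mountOptions = ["rw" "nosuid" "nodev" "size=25%"];` (25% is an example value, pick what the workload needs). `noexec` is omitted here while the ESP below sets it; that is presumably deliberate because installers and nix builds run from `/tmp`, and a one-line comment saying so would keep the next reader from "fixing" it.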
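Review bot: `settings.allowDiscards = true;` on `luks-main` in disk-main.nix (and on `luks-second` in disk-second.nix in the next hunk) passes TRIM through dm-crypt, which exposes which blocks of the encrypted volume are unused and so weakens the full-disk-encryption guarantee somewhat in exchange for SSD wear-levelling; the new files reproduce the option without recording which side of that trade-off was chosen. A comment beside it, `# allowDiscards: TRIM reveals free-space layout through LUKS; accepted for SSD health`, documents the decision. Both volumes also set `initrdUnlock = true`, and with `tpmDiskUnlock` commented out in configuration.nix each presumably prompts for its own passphrase at boot — worth confirming the second disk's key is supplied the intended way.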
@@ -0,0 +1,31 @@
+{disk-second}: {
+ type = "disk";
+ device = disk-second;
+ content = {
+ type = "gpt";
+ partitions = {
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "luks-second";
+ initrdUnlock = true;
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@storage" = {
+ mountpoint = "/storage";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/legion/hardware.nix b/hosts/legion/hardware.nix
index 9758a70..04b8829 100644
--- a/hosts/legion/hardware.nix
+++ b/hosts/legion/hardware.nix
@@ -1,24 +1,28 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - inputs, - lib, - modulesPath, - ... -}: { - imports = with inputs.nixos-hardware.nixosModules; [ - (modulesPath + "/installer/scan/not-detected.nix") - lenovo-legion-15ach6h - ]; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - +{config, ...}: { + services.xserver.videoDrivers = ["nvidia"]; hardware = { - enableRedistributableFirmware = true; nvidia-container-toolkit.enable = true; nvidia = { + package = config.boot.kernelPackages.nvidiaPackages.beta; + open = true; + modesetting.enable = true; + nvidiaSettings = false; dynamicBoost.enable = true; - powerManagement.finegrained = false; + powerManagement = { + enable = false; + # finegrained = true; + }; + prime = { + # sync.enable = true; + # reverseSync.enable = true; + # allowExternalGpu = true; + offload = { + enable = true; + enableOffloadCmd = true; + }; + amdgpuBusId = "PCI:6:0:0"; + nvidiaBusId = "PCI:1:0:0"; + }; }; };
diff --git a/hosts/legion/hardware/default.nix b/hosts/legion/hardware/default.nix
new file mode 100644
index 0000000..fecaaf8
--- /dev/null
+++ b/hosts/legion/hardware/default.nix
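Review bot: After this change `hosts/legion/hardware.nix` has the same content as the new `hardware/nvidia.nix`, and configuration.nix now imports `./hardware` (the directory, i.e. hardware/default.nix), so hardware.nix is an unreferenced duplicate and should be deleted in this commit rather than rewritten. The rewrite also drops `hardware.enableRedistributableFirmware = true`, the `lenovo-legion-15ach6h` nixos-hardware module, `(modulesPath + "/installer/scan/not-detected.nix")` and `nixpkgs.hostPlatform`; nothing in the new `hardware/` tree restores them, so unless `self.nixosModules.system` or `self.nixosModules.config` sets them, the redistributable firmware blobs (wifi, GPU) and the platform default silently disappear. The hunk's trailing context stops at the `hardware` closing `};`; the file's final `}` is not visible here, so the end of the block may be cut.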
@@ -0,0 +1,12 @@
+{
+ imports = [
+ ./laptop
+ ./nvidia.nix
+ ];
+ services = {
+ logind = {
+ lidSwitch = "ignore";
+ powerKey = "suspend";
+ };
+ };
+}
diff --git a/hosts/legion/hardware/laptop/default.nix b/hosts/legion/hardware/laptop/default.nix
new file mode 100644
index 0000000..d363dea
--- /dev/null
+++ b/hosts/legion/hardware/laptop/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./home-row-mods.nix
+ ./power-saving.nix
+ ];
+}
diff --git a/hosts/legion/hardware/laptop/home-row-mods.nix b/hosts/legion/hardware/laptop/home-row-mods.nix
new file mode 100644
index 0000000..e597540
--- /dev/null
+++ b/hosts/legion/hardware/laptop/home-row-mods.nix
@@ -0,0 +1,20 @@
+{
+ services.keyd = {
+ enable = true;
+ keyboards = {
+ internal = {
+ ids = ["0001:0001" "048d:c101"];
+ settings.main = {
+ a = "lettermod(alt, a, 200, 150)";
+ s = "lettermod(meta, s, 200, 150)";
+ d = "lettermod(control, d, 200, 150)";
+ f = "lettermod(shift, f, 200, 150)";
+ j = "lettermod(shift, j, 200, 150)";
+ k = "lettermod(control, k, 200, 150)";
+ l = "lettermod(meta, l, 200, 150)";
+ ";" = "lettermod(alt, ;, 200, 150)";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/legion/hardware/laptop/power-saving.nix b/hosts/legion/hardware/laptop/power-saving.nix
new file mode 100644
index 0000000..2aa9afb
--- /dev/null
+++ b/hosts/legion/hardware/laptop/power-saving.nix
@@ -0,0 +1,7 @@
+{
+ powerManagement.enable = true;
+ powerManagement.powertop.enable = true;
+ services.power-profiles-daemon.enable = true;
+ services.thermald.enable = true;
+ services.upower.enable = true;
+}
diff --git a/hosts/legion/hardware/nvidia.nix b/hosts/legion/hardware/nvidia.nix
new file mode 100644
index 0000000..19188c5
--- /dev/null
+++ b/hosts/legion/hardware/nvidia.nix
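Review bot: `lidSwitch = "ignore";` in hardware/default.nix means closing the lid neither suspends nor locks the session, so a closed, unattended laptop stays unlocked unless the compositor's own idle locking is configured; the setting is moved here from the deleted services.nix without a stated reason. A comment such as `# lid close is ignored (docked/clamshell use); screen lock relies on the compositor idle timeout — confirm` records the intent for the next reader. `lidSwitchDocked` and `lidSwitchExternalPower` are left unset, so the same behaviour applies on battery and on AC.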
@@ -0,0 +1,28 @@
+{config, ...}: {
+ services.xserver.videoDrivers = ["nvidia"];
+ hardware = {
+ nvidia-container-toolkit.enable = true;
+ nvidia = {
+ package = config.boot.kernelPackages.nvidiaPackages.beta;
+ open = true;
+ modesetting.enable = true;
+ nvidiaSettings = false;
+ dynamicBoost.enable = true;
+ powerManagement = {
+ enable = false;
+ # finegrained = true;
+ };
+ prime = {
+ # sync.enable = true;
+ # reverseSync.enable = true;
+ # allowExternalGpu = true;
+ offload = {
+ enable = true;
+ enableOffloadCmd = true;
+ };
+ amdgpuBusId = "PCI:6:0:0";
+ nvidiaBusId = "PCI:1:0:0";
+ };
+ };
+ };
+}
diff --git a/hosts/legion/networking.nix b/hosts/legion/networking.nix
deleted file mode 100644
index d179cdb..0000000
--- a/hosts/legion/networking.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- networking = {
- hostName = "legion";
- networkmanager.enable = true;
- };
-}
diff --git a/hosts/legion/nix.nix b/hosts/legion/nix.nix
deleted file mode 100644
index 53341c5..0000000
--- a/hosts/legion/nix.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# TODO: better file name
-{
- config,
- pkgs,
- ...
-}: {
- nixpkgs.config.allowUnfree = true;
- nix = {
- package = pkgs.lix;
- channel.enable = false;
- settings.experimental-features = ["nix-command" "flakes"];
- daemonCPUSchedPolicy = "idle";
- };
-}
diff --git a/hosts/legion/programs.nix b/hosts/legion/programs.nix
deleted file mode 100644
index 57f8168..0000000
--- a/hosts/legion/programs.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- pkgs,
- lib,
- ...
-}: {
- programs = {
- fish.enable = true;
- mosh.enable = true;
- nh = {
- enable = true;
- flake = "/home/user/.config/nixos";
- };
- };
- environment.systemPackages = with pkgs; [
- (lib.hiPrio uutils-coreutils-noprefix)
- helix
- nushell
- ];
-}
diff --git a/hosts/legion/services.nix b/hosts/legion/services.nix
deleted file mode 100644
index 97f86e0..0000000
--- a/hosts/legion/services.nix
+++ /dev/null
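Review bot: `package = config.boot.kernelPackages.nvidiaPackages.beta;` together with `open = true;` in hardware/nvidia.nix pins the host to the beta driver branch, which pulls pre-release kernel modules into the boot path, and the choice carries no rationale. A why-comment such as `# beta: <reason, e.g. kernel compatibility>; revisit once the default package catches up` would let the next update decide whether to drop back to the stable package. `powerManagement.enable = false;` next to `prime.offload` is likewise unexplained; if suspend/resume behaviour was the reason, a one-line comment saying so would help.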
@@ -1,34 +0,0 @@
-{
- services = {
- # hardware.openrgb.enable = true;
- flatpak.enable = true;
- fwupd.enable = true;
- openssh.enable = true;
- syncthing.openDefaultPorts = true;
- dnscrypt-proxy2 = {
- enable = true;
- settings = {
- require_dnssec = true;
- server_names = ["mullvad-doh"];
- bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
- };
- };
- opensnitch = {
- enable = false;
- settings = {
- DefaultAaction = "deny";
- Firewall = "iptables";
- InterceptUnknown = true;
- ProcMonitorMethod = "ebpf";
- };
- };
- scx = {
- enable = false;
- scheduler = "scx_flash";
- };
- logind = {
- lidSwitch = "ignore";
- powerKey = "suspend";
- };
- };
-}
diff --git a/hosts/legion/sops.nix b/hosts/legion/sops.nix
deleted file mode 100644
index 68ca709..0000000
--- a/hosts/legion/sops.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- config,
- inputs,
- ...
-}: let
- inherit (inputs) mysecrets;
- hostName =
- if (config.networking.hostName == "vylxae")
- then "sarien"
- else config.networking.hostName;
- sopsFile = mysecrets + "/hosts/${hostName}.yaml";
- dotSsh = name: "/home/user/.ssh/" + name;
- sshKey = {
- mode = "0400";
- owner = "user";
- };
-in {
- imports = with inputs; [
- sops-nix.nixosModules.sops
- ];
-
- sops = {
- age = {
- sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- keyFile = "/var/lib/sops-nix/key.txt";
- generateKey = true;
- };
- defaultSopsFile = mysecrets + "/common.yaml";
- secrets = {
- "user-password-hashed".neededForUsers = true;
- "ssh-config" = {
- path = dotSsh "config";
- mode = "0400";
- owner = "user";
- };
- "ssh-${hostName}-user" = {
- inherit sopsFile;
- inherit (sshKey) mode owner;
- path = dotSsh "id_ed25519";
- };
- "ssh-${hostName}-user.pub" = {
- inherit sopsFile;
- inherit (sshKey) mode owner;
- path = dotSsh "id_ed25519.pub";
- };
- "ssh-unexplrd" = {
- inherit (sshKey) mode owner;
- path = dotSsh "id_unexplrd_ed25519";
- };
- "ssh-unexplrd.pub" = {
- inherit (sshKey) mode owner;
- path = dotSsh "id_unexplrd_ed25519.pub";
- };
- "ssh-uni" = {
- inherit (sshKey) mode owner;
- path = dotSsh "id_uni_ed25519";
- };
- "ssh-uni.pub" = {
- inherit (sshKey) mode owner;
- path = dotSsh "id_uni_ed25519.pub";
- };
- };
- };
-}
diff --git a/hosts/legion/users.nix b/hosts/legion/users.nix
deleted file mode 100644
index 2f87dda..0000000
--- a/hosts/legion/users.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- inputs,
- config,
- pkgs,
- ...
-}: let
- inherit (config.sops) secrets;
- inherit (inputs) mysecrets;
-in {
- nix.settings.trusted-users = ["user" "nix-ssh"];
- users.mutableUsers = false;
- users.users = {
- user = {
- hashedPasswordFile = secrets."user-password-hashed".path;
- extraGroups = ["wheel" "video" "libvirtd" "dialout"];
- isNormalUser = true;
- shell = pkgs.fish;
- openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub") [
- "dunamis"
- "eldrid"
- "sarien"
- "legion"
- ];
- };
- };
-}