unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hosts/legion: move to new structure

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-05-07 17:23:45 +03:00
parent 75990ccc86
commit 7f073e121c
18 changed files with 239 additions and 380 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
hosts/legion/boot.nix
View File

@ -1,56 +0,0 @@
{
pkgs,
config,
inputs,
...
}: {
imports = with inputs; [
chaotic.nixosModules.default
lanzaboote.nixosModules.lanzaboote
];
boot = {
# kernelPackages = pkgs.linuxPackages_latest;
consoleLogLevel = 0;
kernelPackages = pkgs.linuxPackages_cachyos;
kernelModules = ["kvm-amd"];
kernelParams = [
# "mitigations=auto"
# "spectre_v2=on"
# "spectre_v2_user=on"
# "spectre_bhi=on"
# "spec_store_bypass_disable=on"
# "tsx=off"
# "kvm.nx_huge_pages=force"
# "l1d_flush=on"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
# "ia32_emulation=0"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=confidentiality"
# "module.sig_enforce=1"
"page_alloc.shuffle=1"
# "reg_file_data_sampling=on"
# "spec_rstack_overflow=safe-ret"
"vsyscall=none"
];
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
systemd.enable = true; # needed for auto-unlocking with TPM
};
loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = {
enable = !config.boot.lanzaboote.enable;
consoleMode = "auto";
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
plymouth.enable = true;
};
}

57
hosts/legion/configuration.nix
View File

@ -1,40 +1,39 @@
{inputs, ...}: { {
config,
inputs,
...
}: {
imports = with inputs; [ imports = with inputs; [
self.nixosModules.config
self.nixosModules.desktop self.nixosModules.desktop
self.nixosModules.system self.nixosModules.system
../dunamis/programs.nix ./disko
./boot.nix ./hardware
./disko.nix
./hardware.nix
./networking.nix
./nix.nix
./power-saving.nix
./services.nix
./sops.nix
./users.nix
]; ];
desktop.niri.enable = true; networking = {
environment.memoryAllocator.provider = "mimalloc"; networkmanager.enable = true;
locale.ukrainian.enable = true; hostName = "legion";
module.stylix = {
enable = true;
theme = "helios";
}; };
opentabletdriver.enable = false;
qmk-vial.enable = true;
environment.memoryAllocator.provider = "mimalloc";
system.stateVersion = "25.05"; system.stateVersion = "25.05";
time.timeZone = "Europe/Kyiv"; time.timeZone = "Europe/Kyiv";
virtual.libvirt.enable = true;
wireless = { desktop.niri.enable = true;
bluetooth.enable = true;
bluetooth.enableBlueman = true; module = {
config = {
# secureBoot = true;
# tpmDiskUnlock = true;
vaapi = "nvidia";
};
stylix = {
enable = true;
theme = "helios";
};
}; };
swapDevices = [
{ locale.ukrainian.enable = true;
device = "/swap/swapfile"; virtual.libvirt.enable = true;
size = 8 * 1024;
}
];
} }

115
hosts/legion/disko.nix
View File

@ -1,115 +0,0 @@
{inputs, ...}: let
disk = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
disk1 = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
in {
imports = with inputs; [
disko.nixosModules.disko
];
disko.devices.nodev = {
"/tmp" = {
fsType = "tmpfs";
mountOptions = ["rw" "nosuid" "nodev"];
};
};
disko.devices.disk.main = {
type = "disk";
device = disk;
content = {
type = "gpt";
partitions = {
ESP = {
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"fmask=0022"
"dmask=0022"
"noexec"
"nosuid"
"nodev"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-main";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@root-nixos" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
# "noexec"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@swap" = {
mountpoint = "/swap";
mountOptions = [
# "compress=zstd"
"noatime"
];
};
# "@nix" = {
# mountpoint = "/nix";
# mountOptions = [
# "compress-force=zstd"
# "noatime"
# ];
# };
};
};
};
};
};
};
};
disko.devices.disk.second = {
type = "disk";
device = disk1;
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-second";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@storage" = {
mountpoint = "/storage";
mountOptions = [
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
}

16
hosts/legion/disko/default.nix Normal file
View File

@ -0,0 +1,16 @@
{inputs, ...}: let
disk-main = "/dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHH81460QC2256B";
disk-second = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBPNTY-1T00-1101_21114D802446";
in {
imports = with inputs; [
disko.nixosModules.disko
];
disko.devices.nodev = {
"/tmp" = {
fsType = "tmpfs";
mountOptions = ["rw" "nosuid" "nodev"];
};
};
disko.devices.disk.main = import ./disk-main.nix {inherit disk-main;};
disko.devices.disk.second = import ./disk-second.nix {inherit disk-second;};
}

70
hosts/legion/disko/disk-main.nix Normal file
View File

@ -0,0 +1,70 @@
{disk-main}: {
type = "disk";
device = disk-main;
content = {
type = "gpt";
partitions = {
ESP = {
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"fmask=0022"
"dmask=0022"
"noexec"
"nosuid"
"nodev"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-main";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@root-nixos" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
# "noexec"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"@swap" = {
mountpoint = "/swap";
mountOptions = [
# "compress=zstd"
"noatime"
];
};
# "@nix" = {
# mountpoint = "/nix";
# mountOptions = [
# "compress-force=zstd"
# "noatime"
# ];
# };
};
};
};
};
};
};
}

31
hosts/legion/disko/disk-second.nix Normal file
View File

@ -0,0 +1,31 @@
{disk-second}: {
type = "disk";
device = disk-second;
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "luks-second";
initrdUnlock = true;
settings.allowDiscards = true;
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@storage" = {
mountpoint = "/storage";
mountOptions = [
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
}

38
hosts/legion/hardware.nix
View File

@ -1,24 +1,28 @@
# Do not modify this file! It was generated by nixos-generate-config {config, ...}: {
# and may be overwritten by future invocations. Please make changes services.xserver.videoDrivers = ["nvidia"];
# to /etc/nixos/configuration.nix instead.
{
inputs,
lib,
modulesPath,
...
}: {
imports = with inputs.nixos-hardware.nixosModules; [
(modulesPath + "/installer/scan/not-detected.nix")
lenovo-legion-15ach6h
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware = { hardware = {
enableRedistributableFirmware = true;
nvidia-container-toolkit.enable = true; nvidia-container-toolkit.enable = true;
nvidia = { nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.beta;
open = true;
modesetting.enable = true;
nvidiaSettings = false;
dynamicBoost.enable = true; dynamicBoost.enable = true;
powerManagement.finegrained = false; powerManagement = {
enable = false;
# finegrained = true;
};
prime = {
# sync.enable = true;
# reverseSync.enable = true;
# allowExternalGpu = true;
offload = {
enable = true;
enableOffloadCmd = true;
};
amdgpuBusId = "PCI:6:0:0";
nvidiaBusId = "PCI:1:0:0";
};
}; };
}; };

12
hosts/legion/hardware/default.nix Normal file
View File

@ -0,0 +1,12 @@
{
imports = [
./laptop
./nvidia.nix
];
services = {
logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
};
}

6
hosts/legion/hardware/laptop/default.nix Normal file
View File

@ -0,0 +1,6 @@
{
imports = [
./home-row-mods.nix
./power-saving.nix
];
}

20
hosts/legion/hardware/laptop/home-row-mods.nix Normal file
View File

@ -0,0 +1,20 @@
{
services.keyd = {
enable = true;
keyboards = {
internal = {
ids = ["0001:0001" "048d:c101"];
settings.main = {
a = "lettermod(alt, a, 200, 150)";
s = "lettermod(meta, s, 200, 150)";
d = "lettermod(control, d, 200, 150)";
f = "lettermod(shift, f, 200, 150)";
j = "lettermod(shift, j, 200, 150)";
k = "lettermod(control, k, 200, 150)";
l = "lettermod(meta, l, 200, 150)";
";" = "lettermod(alt, ;, 200, 150)";
};
};
};
};
}

7
hosts/legion/hardware/laptop/power-saving.nix Normal file
View File

@ -0,0 +1,7 @@
{
powerManagement.enable = true;
powerManagement.powertop.enable = true;
services.power-profiles-daemon.enable = true;
services.thermald.enable = true;
services.upower.enable = true;
}

28
hosts/legion/hardware/nvidia.nix Normal file
View File

@ -0,0 +1,28 @@
{config, ...}: {
services.xserver.videoDrivers = ["nvidia"];
hardware = {
nvidia-container-toolkit.enable = true;
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.beta;
open = true;
modesetting.enable = true;
nvidiaSettings = false;
dynamicBoost.enable = true;
powerManagement = {
enable = false;
# finegrained = true;
};
prime = {
# sync.enable = true;
# reverseSync.enable = true;
# allowExternalGpu = true;
offload = {
enable = true;
enableOffloadCmd = true;
};
amdgpuBusId = "PCI:6:0:0";
nvidiaBusId = "PCI:1:0:0";
};
};
};
}

6
hosts/legion/networking.nix
View File

@ -1,6 +0,0 @@
{
networking = {
hostName = "legion";
networkmanager.enable = true;
};
}

14
hosts/legion/nix.nix
View File

@ -1,14 +0,0 @@
# TODO: better file name
{
config,
pkgs,
...
}: {
nixpkgs.config.allowUnfree = true;
nix = {
package = pkgs.lix;
channel.enable = false;
settings.experimental-features = ["nix-command" "flakes"];
daemonCPUSchedPolicy = "idle";
};
}

19
hosts/legion/programs.nix
View File

@ -1,19 +0,0 @@
{
pkgs,
lib,
...
}: {
programs = {
fish.enable = true;
mosh.enable = true;
nh = {
enable = true;
flake = "/home/user/.config/nixos";
};
};
environment.systemPackages = with pkgs; [
(lib.hiPrio uutils-coreutils-noprefix)
helix
nushell
];
}

34
hosts/legion/services.nix
View File

@ -1,34 +0,0 @@
{
services = {
# hardware.openrgb.enable = true;
flatpak.enable = true;
fwupd.enable = true;
openssh.enable = true;
syncthing.openDefaultPorts = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
server_names = ["mullvad-doh"];
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
};
};
opensnitch = {
enable = false;
settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
};
scx = {
enable = false;
scheduler = "scx_flash";
};
logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
};
}

64
hosts/legion/sops.nix
View File

@ -1,64 +0,0 @@
{
config,
inputs,
...
}: let
inherit (inputs) mysecrets;
hostName =
if (config.networking.hostName == "vylxae")
then "sarien"
else config.networking.hostName;
sopsFile = mysecrets + "/hosts/${hostName}.yaml";
dotSsh = name: "/home/user/.ssh/" + name;
sshKey = {
mode = "0400";
owner = "user";
};
in {
imports = with inputs; [
sops-nix.nixosModules.sops
];
sops = {
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
defaultSopsFile = mysecrets + "/common.yaml";
secrets = {
"user-password-hashed".neededForUsers = true;
"ssh-config" = {
path = dotSsh "config";
mode = "0400";
owner = "user";
};
"ssh-${hostName}-user" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519";
};
"ssh-${hostName}-user.pub" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519.pub";
};
"ssh-unexplrd" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519";
};
"ssh-unexplrd.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519.pub";
};
"ssh-uni" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519";
};
"ssh-uni.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519.pub";
};
};
};
}

26
hosts/legion/users.nix
View File

@ -1,26 +0,0 @@
{
inputs,
config,
pkgs,
...
}: let
inherit (config.sops) secrets;
inherit (inputs) mysecrets;
in {
nix.settings.trusted-users = ["user" "nix-ssh"];
users.mutableUsers = false;
users.users = {
user = {
hashedPasswordFile = secrets."user-password-hashed".path;
extraGroups = ["wheel" "video" "libvirtd" "dialout"];
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub") [
"dunamis"
"eldrid"
"sarien"
"legion"
];
};
};
}