swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: new system

Browse source
This commit is contained in:
Swarsel 2024-08-01 18:50:10 +02:00
parent 6e52a06201
commit 829992e3d8
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
14 changed files with 552 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

305
SwarselSystems.org
View file

@ -481,6 +481,9 @@ A short overview over each input and what it does:
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence";
#+end_src
*** let
:PROPERTIES:
@ -521,6 +524,8 @@ Lastly I define some common module lists that I can simply load depending on the
# # NixOS modules that can only be used on NixOS systems
nixModules = [
inputs.stylix.nixosModules.stylix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos
@ -613,20 +618,27 @@ This section is the biggest pain point of the configuration. For every system, I
];
};
winters = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; };
nbl-imba-2 = lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = nixModules ++ [
inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
./profiles/winters/nixos.nix
inputs.home-manager.nixosModules.home-manager
{
home-manager.users.swarsel.imports = mixedModules ++ [
./profiles/winters/home.nix
];
}
./profiles/nbl-imba-2
];
};
# winters = nixpkgs.lib.nixosSystem {
# specialArgs = { inherit inputs; };
# modules = nixModules ++ [
# inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
# ./profiles/winters/nixos.nix
# inputs.home-manager.nixosModules.home-manager
# {
# home-manager.users.swarsel.imports = mixedModules ++ [
# ./profiles/winters/home.nix
# ];
# }
# ];
# };
nginx = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [
@ -2130,6 +2142,126 @@ This is basically just adjusted to the core count, path to the =hwmon= (this was
}
#+end_src
**** nbl-imba-2 (Framework Laptop 16)
:PROPERTIES:
:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9
:END:
My work machine.
#+begin_src nix :tangle profiles/nbl-imba-2/default.nix
{ inputs, outputs, config, pkgs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./hardware-configuration.nix
../optional/nixos/steam.nix
# ../optional/nixos/virtualbox.nix
../optional/nixos/autologin.nix
../optional/nixos/nswitch-rcm.nix
../optional/nixos/work.nix
inputs.home-manager.nixosModules.home-manager
{
home-manager.users.swarsel.imports = outputs.mixedModules ++ [
../optional/home/gaming.nix
../optional/home/work.nix
] ++ (builtins.attrValues outputs.homeManagerModules);
}
] ++ (builtins.attrValues outputs.nixosModules);
nixpkgs = {
inherit (outputs) overlays;
config = {
allowUnfree = true;
};
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelParams = [
"resume_offset=533760"
];
resumeDevice = "/dev/disk/by-label/nixos";
};
networking = {
hostName = "nbl-imba-2";
fqdn = "nbl-imba-2.imp.univie.ac.at";
firewall.enable = true;
};
hardware.graphics.extraPackages = with pkgs; [
vulkan-loader
vulkan-validation-layers
vulkan-extension-layer
];
services = {
fwupd.enable = true;
};
swarselsystems = {
wallpaper = ../../wallpaper/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
initialSetup = true;
};
home-manager.users.swarsel.swarselsystems = {
isLaptop = true;
isNixos = true;
# temperatureHwmon = {
# isAbsolutePath = true;
# path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
# input-filename = "temp1_input";
# };
# ------ -----
# | DP-4 | |eDP-1|
# ------ -----
# monitors = {
# main = {
# name = "California Institute of Technology 0x1407 Unknown";
# mode = "1920x1080"; # TEMPLATE
# scale = "1";
# position = "2560,0";
# workspace = "2:二";
# output = "eDP-1";
# };
# homedesktop = {
# name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
# mode = "2560x1440";
# scale = "1";
# position = "0,0";
# workspace = "1:一";
# output = "DP-4";
# };
# };
# inputs = {
# "1:1:AT_Translated_Set_2_keyboard" = {
# xkb_layout = "us";
# xkb_options = "grp:win_space_toggle";
# xkb_variant = "altgr-intl";
# };
# };
keybindings = {
};
};
}
#+end_src
**** Winters (Framwork Laptop 16)
@ -4657,6 +4789,8 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
{
wallpaper = import ./wallpaper.nix;
hardware = import ./hardware.nix;
setup = import ./setup.nix;
impermanence = import ./impermanence.nix;
}
#+end_src
@ -4691,6 +4825,26 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
}
#+end_src
***** Setup
#+begin_src nix :tangle modules/nixos/setup.nix
{ lib, ... }:
{
options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
}
#+end_src
***** Impermanence
#+begin_src nix :tangle modules/nixos/impermanence.nix
{ lib, ... }:
{
options.swarselsystems.impermanence = lib.mkEnableOption "use impermanence on this system";
}
#+end_src
**** home-manager
@ -4830,7 +4984,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
options.swarselsystems.kyria = mkOption {
type = types.attrsOf (types.attrsOf types.str );
default = {
"36125:53060:splitkb.com_Kyria_rev3" = {
"36125:53060:splitkb.com_splitkb.com_Kyria_rev3" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
@ -4970,6 +5124,7 @@ First, we enable the use of =home-manager= as a NixoS module
./login.nix
./stylix.nix
./power-profiles-daemon.nix
./impermanence.nix
];
nix.settings.trusted-users = [ "swarsel" ];
@ -5016,14 +5171,14 @@ Next, we setup the keymap in case we are not in a graphical session. At this poi
This ensures that all user-configuration happens here in the config file.
#+begin_src nix :tangle profiles/common/nixos/users.nix
{ pkgs, config, ... }:
{ pkgs, config, lib, ... }:
{
users = {
mutableUsers = false;
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
users.swarsel = {
isNormalUser = true;
description = "Leon S";
hashedPasswordFile = config.sops.secrets.swarseluser.path;
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
packages = with pkgs; [ ];
};
@ -5887,6 +6042,102 @@ This section houses the greetd related settings. I do not really want to use a d
'';
}
#+end_src
**** Impermanence
#+begin_src nix :tangle profiles/common/nixos/impermanence.nix
{ config, lib, ... }:
{
security.sudo.extraConfig = lib.mkIf config.swarselsystems.impermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.initrd.systemd.services.rollback = lib.mkIf config.swarselsystems.impermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = ["initrd.target"];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = ["systemd-cryptsetup@enc.service"];
# mount the root fs before clearing
before = ["sysroot.mount"];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/enc /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
# btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
# btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
# btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence {
directories =
[
"/.cache/nix/"
"/srv"
"/etc/nixos"
"/etc/nix"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
"/var/db/sudo/"
"/var/cache/"
"/var/lib/"
];
files = [
# important state
"/etc/machine-id"
# ssh stuff
/*
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
,*/
];
};
}
#+end_src
*** Optional
**** gaming
@ -5965,6 +6216,16 @@ This section houses the greetd related settings. I do not really want to use a d
}
#+end_src
**** work
#+begin_src nix :tangle profiles/optional/nixos/work.nix
{ pkgs, ... }:
{
programs._1password.enable = true;
programs._1password-gui.enable = true;
}
#+end_src
** Home-manager
*** Common
:PROPERTIES:
@ -6064,6 +6325,7 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499
picard-tools
audacity
sox
google-chrome
# printing
cups
@ -7928,6 +8190,21 @@ Currently, I am too lazy to explain every option here, but most of it is very se
#+end_src
**** Work
#+begin_src nix :tangle profiles/optional/home/work.nix
{ pkgs, ... }:
{
home.packages = with pkgs; [
teams-for-linux
google-chrome
];
}
#+end_src
** flake.nix template
:PROPERTIES:
:CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b

16
flake.lock generated
View file

@ -449,6 +449,21 @@
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1719091691,
"narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
@ -988,6 +1003,7 @@
"disko": "disko",
"emacs-overlay": "emacs-overlay",
"home-manager": "home-manager",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nix-alien": "nix-alien",
"nix-index-database": "nix-index-database_2",

32
flake.nix
View file

@ -85,6 +85,9 @@
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence";
};
outputs =
@ -124,6 +127,8 @@
# # NixOS modules that can only be used on NixOS systems
nixModules = [
inputs.stylix.nixosModules.stylix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos
@ -212,20 +217,27 @@
];
};
winters = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; };
nbl-imba-2 = lib.nixosSystem {
specialArgs = { inherit inputs outputs; };
modules = nixModules ++ [
inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
./profiles/winters/nixos.nix
inputs.home-manager.nixosModules.home-manager
{
home-manager.users.swarsel.imports = mixedModules ++ [
./profiles/winters/home.nix
];
}
./profiles/nbl-imba-2
];
};
# winters = nixpkgs.lib.nixosSystem {
# specialArgs = { inherit inputs; };
# modules = nixModules ++ [
# inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
# ./profiles/winters/nixos.nix
# inputs.home-manager.nixosModules.home-manager
# {
# home-manager.users.swarsel.imports = mixedModules ++ [
# ./profiles/winters/home.nix
# ];
# }
# ];
# };
nginx = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [

2
modules/home/input.nix
View file

@ -10,7 +10,7 @@ in
options.swarselsystems.kyria = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {
"36125:53060:splitkb.com_Kyria_rev3" = {
"36125:53060:splitkb.com_splitkb.com_Kyria_rev3" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};

2
modules/nixos/default.nix
View file

@ -1,4 +1,6 @@
{
wallpaper = import ./wallpaper.nix;
hardware = import ./hardware.nix;
setup = import ./setup.nix;
impermanence = import ./impermanence.nix;
}

5
modules/nixos/impermanence.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
options.swarselsystems.impermanence = lib.mkEnableOption "use impermanence on this system";
}

5
modules/nixos/setup.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
}

1
profiles/common/home/packages.nix
View file

@ -12,6 +12,7 @@
picard-tools
audacity
sox
google-chrome
# printing
cups

1
profiles/common/nixos/default.nix
View file

@ -25,6 +25,7 @@
./login.nix
./stylix.nix
./power-profiles-daemon.nix
./impermanence.nix
];
nix.settings.trusted-users = [ "swarsel" ];

87
profiles/common/nixos/impermanence.nix Normal file
View file

@ -0,0 +1,87 @@
{ config, lib, ... }:
{
security.sudo.extraConfig = lib.mkIf config.swarselsystems.impermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.initrd.systemd.services.rollback = lib.mkIf config.swarselsystems.impermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = [ "systemd-cryptsetup@enc.service" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/enc /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
# btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
# btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
# btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence {
directories =
[
"/.cache/nix/"
"/srv"
"/etc/nixos"
"/etc/nix"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
"/var/db/sudo/"
"/var/cache/"
"/var/lib/"
];
files = [
# important state
"/etc/machine-id"
# ssh stuff
/*
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
*/
];
};
}

6
profiles/common/nixos/users.nix
View file

@ -1,11 +1,11 @@
{ pkgs, config, ... }:
{ pkgs, config, lib, ... }:
{
users = {
mutableUsers = false;
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
users.swarsel = {
isNormalUser = true;
description = "Leon S";
hashedPasswordFile = config.sops.secrets.swarseluser.path;
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
packages = with pkgs; [ ];
};

105
profiles/nbl-imba-2/default.nix Normal file
View file

@ -0,0 +1,105 @@
{ inputs, outputs, config, pkgs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./hardware-configuration.nix
../optional/nixos/steam.nix
# ../optional/nixos/virtualbox.nix
../optional/nixos/autologin.nix
../optional/nixos/nswitch-rcm.nix
../optional/nixos/work.nix
inputs.home-manager.nixosModules.home-manager
{
home-manager.users.swarsel.imports = outputs.mixedModules ++ [
../optional/home/gaming.nix
../optional/home/work.nix
] ++ (builtins.attrValues outputs.homeManagerModules);
}
] ++ (builtins.attrValues outputs.nixosModules);
nixpkgs = {
inherit (outputs) overlays;
config = {
allowUnfree = true;
};
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelParams = [
"resume_offset=533760"
];
resumeDevice = "/dev/disk/by-label/nixos";
};
networking = {
hostName = "nbl-imba-2";
fqdn = "nbl-imba-2.imp.univie.ac.at";
firewall.enable = true;
};
hardware.graphics.extraPackages = with pkgs; [
vulkan-loader
vulkan-validation-layers
vulkan-extension-layer
];
services = {
fwupd.enable = true;
};
swarselsystems = {
wallpaper = ../../wallpaper/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
initialSetup = true;
};
home-manager.users.swarsel.swarselsystems = {
isLaptop = true;
isNixos = true;
# temperatureHwmon = {
# isAbsolutePath = true;
# path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
# input-filename = "temp1_input";
# };
# ------ -----
# | DP-4 | |eDP-1|
# ------ -----
# monitors = {
# main = {
# name = "California Institute of Technology 0x1407 Unknown";
# mode = "1920x1080"; # TEMPLATE
# scale = "1";
# position = "2560,0";
# workspace = "2:二";
# output = "eDP-1";
# };
# homedesktop = {
# name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
# mode = "2560x1440";
# scale = "1";
# position = "0,0";
# workspace = "1:一";
# output = "DP-4";
# };
# };
# inputs = {
# "1:1:AT_Translated_Set_2_keyboard" = {
# xkb_layout = "us";
# xkb_options = "grp:win_space_toggle";
# xkb_variant = "altgr-intl";
# };
# };
keybindings = { };
};
}

8
profiles/optional/home/work.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
teams-for-linux
google-chrome
];
}

5
profiles/optional/nixos/work.nix Normal file
View file

@ -0,0 +1,5 @@
{ pkgs, ... }:
{
programs._1password.enable = true;
programs._1password-gui.enable = true;
}