diff --git a/flake.nix b/flake.nix index b6352e8..c14540e 100755 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "my nixos setup"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/release-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/release-24.11"; pkgsUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; disko.url = "github:nix-community/disko/latest"; @@ -17,6 +17,13 @@ in { nixosConfigurations = { + vm = lib.nixosSystem { + inherit system; + specialArgs = { inherit unstable; }; + modules = [ + ./system/vm/configuration.nix + ]; + }; my-hp = lib.nixosSystem { inherit system; specialArgs = { inherit unstable; }; diff --git a/system/vm/configuration.nix b/system/vm/configuration.nix new file mode 100755 index 0000000..5b1702a --- /dev/null +++ b/system/vm/configuration.nix 
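Review bot: The new `vm` entry's `modules` list holds only `./system/vm/configuration.nix`, yet this same commit adds `system/vm/disk.nix` (a disko LUKS/btrfs layout) and nothing visible in the diff imports it or the disko module for this host, so unless it is pulled in somewhere outside this diff the layout and its `neededForBoot` flags never take effect. If it is meant to be used, extend the list to `modules = [ disko.nixosModules.disko ./system/vm/disk.nix ./system/vm/configuration.nix ];` (the `disko` input is already declared in the first hunk). The `my-hp` entry that follows is cut off by the hunk, so I cannot tell whether it has the same gap; the enclosing `nixosConfigurations` set continues past the hunk.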
@@ -0,0 +1,323 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, unstable, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # legacy boot + #boot.loader.grub.enable = true; + #boot.loader.grub.device = "/dev/vda"; + #boot.loader.grub.useOSProber = true; + + # UEFI boot + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + #boot.loader.efi.efiSysMountPoint = "/boot/efi"; + + boot.binfmt.registrations.appimage = { + interpreter = "${pkgs.appimage-run}/bin/appimage-run"; + recognitionType = "magic"; + offset = 0; + mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff''; + magicOrExtension = ''\x7fELF....AI\x02''; + }; + + # boot logo + boot.plymouth.enable = true; + + # ZRAM + zramSwap.enable = true; + zramSwap.memoryPercent = 50; + boot.kernel.sysctl = { + "vm.swappiness" = 10; + "vm.vsf_cache_pressure" = 50; + }; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + boot.kernelPackages = pkgs.linuxPackages_xanmod_stable; + boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + + networking.hostName = "vincents-chonky-hp"; # Define your hostname. + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/New_York"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + useXkbConfig = true; + }; + fonts.packages = [ pkgs.corefonts ]; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # displaylink + #services.xserver.videoDrivers = [ "displaylink" "modesetting" ]; + + # waydroid + virtualisation.waydroid.enable = true; + + # Enable the Cinnamon Desktop Environment. 
+ services.displayManager.sddm.enable = true; + services.desktopManager.plasma6.enable = true; + programs.kdeconnect.enable = true; + + # Configure keymap in X11 + services.xserver = { + xkb.layout = "us"; + #xkb.variant = "colemak"; + #xkb.model = "chromebook"; + }; + services.xserver.xkb.options = "grp:win_space_toggle"; + + # Enable CUPS to print documents. + services.printing.enable = true; + services.printing.openFirewall = true; + services.avahi.enable = true; + services.avahi.nssmdns4 = true; + services.avahi.openFirewall = true; + services.printing.drivers = [ pkgs.hplip ]; + + # Enable sound with pipewire. + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + jack.enable = true; + + # use the example session manager (no others are packaged yet so this is en> + # no need to redefine it in your config for now) + wireplumber.enable = true; + }; + programs.noisetorch.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + services.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.vincent = { + isNormalUser = true; + shell = pkgs.fish; + initialHashedPassword = "$y$j9T$0PPbSXGEwyGq6ZFvJMhmE/$D5ZlKOwR/4NCDD8eaxWiQiG1TTRSK4PfbQe/Tm60Id/"; + extraGroups = [ "wheel" "networkmanager" "uniput" "lp" "audio" "video" "cdrom" "input" "libvirtd" "dialout" ]; + }; + programs.fish.enable = true; + + nix.extraOptions = ''experimental-features = nix-command flakes''; + + nixpkgs.config.permittedInsecurePackages = [ + "electron-12.2.3" + "electron-27.3.11" + ]; + + nixpkgs.config.allowUnfree = true; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment = { + systemPackages = with pkgs; [ + tailscale + bleachbit + btop + git + rpi-imager + neofetch + clamtk + trayscale + topgrade + appimage-run + unstable.gearlever + # kde apps + kdePackages.discover + kdePackages.sddm-kcm + kdePackages.ark + kdePackages.qtmultimedia + # editors + kdePackages.kate + nano + # vm + unstable.quickemu + # containers + podman + podman-compose + distrobox + boxbuddy + # office apps + bottles + onlyoffice-bin_latest + logseq + zoom-us + orca-slicer + gpodder + # package manager + wget + # web browser + librewolf + ungoogled-chromium + ]; + }; + + services = { + syncthing = { + enable = true; + user = "vincent"; + openDefaultPorts = true; + dataDir = "/home/vincent/logseq"; # Default folder for new synced folders + configDir = "/home/vincent/Documents/.config/syncthing"; # Folder for Syncthing's settings and keys + }; + }; + + # flatpak + xdg.portal.enable = true; + services.flatpak.enable = true; + systemd.services.configure-flathub-repo = { + wantedBy = ["multi-user.target"]; + path = [ pkgs.flatpak ]; + script = '' + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ''; + }; + + # podman + virtualisation.containers.enable = true; + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + }; + }; + + # bluetooth + hardware.bluetooth.enable = true; + + # dconf + programs.dconf.enable = true; + + # enable the tailscale service + services.tailscale.enable = true; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + # preload + services.preload.enable = true; + + # schedualer + services.system76-scheduler.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = false; + + # auto clean + nix.optimise.automatic = true; + + # enable fwupd + services.fwupd.enable = true; + + # captive browser + programs.captive-browser.enable = true; + programs.captive-browser.bindInterface = false; + + + # auto update + system.autoUpgrade.enable = true; + system.autoUpgrade.allowReboot = true; + system.autoUpgrade.rebootWindow = { + lower = "01:00"; + upper = "05:00"; + }; + + #clamav + services.clamav.updater.enable = true; + services.clamav.daemon.enable = true; + + + # audit + security.auditd.enable = true; + security.audit.enable = true; + security.audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ + 22 + 8384 + 22000 + 24800 + 21116 + 7236 + 7250 + 47984 + 47989 + 47990 + 48010 + ]; + networking.firewall.allowedUDPPorts = [ + 22000 + 21027 + 24800 + 5353 + 5900 + 3689 + 5353 + 7236 + 47998 + 47999 + 48000 + 48002 + ]; + networking.firewall.allowedTCPPortRanges = [ + { + from = 1714; + to = 1764; + } + ]; + networking.firewall.allowedUDPPortRanges = [ + { + from = 1714; + to = 1764; + } + ]; + networking.firewall.rejectPackets = true; + # networking.firewall.allowedUDPPorts = [ 21116 ]; + # Or disable the firewall altogether. + networking.firewall.trustedInterfaces = [ "tailscale0" ]; + + services.fail2ban.enable = true; + networking.firewall.enable = true; + + # This value determines the NixOS release from which the default settings for stateful data, like file locations and database versions on your system were + # taken. 
It‘s perfectly fine and recommended to leave this value at the release version of the first install of this system. Before changing this value read + # the documentation for this option (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.11"; # Did you read the comment? + +} + diff --git a/system/vm/disk.nix b/system/vm/disk.nix new file mode 100755 index 0000000..e34e2e1 --- /dev/null +++ b/system/vm/disk.nix @@ -0,0 +1,73 @@ +{ + disko.devices = { + disk = { + sda = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + ESP = { + label = "boot"; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + label = "luks"; + content = { + type = "luks"; + name = "cryptroot"; + extraOpenArgs = [ + "--allow-discards" + "--perf-no_read_workqueue" + "--perf-no_write_workqueue" + ]; + # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html + settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];}; + content = { + type = "btrfs"; + extraArgs = ["-L" "nixos" "-f"]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = ["subvol=root" "compress=zstd:5" "noatime"]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = ["subvol=home" "compress=zstd:5" "noatime"]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = ["subvol=nix" "compress=zstd:5" "noatime"]; + }; + "/persist" = { + mountpoint = "/persist"; + mountOptions = ["subvol=persist" "compress=zstd:5" "noatime"]; + }; + "/log" = { + mountpoint = "/var/log"; + mountOptions = ["subvol=log" "compress=zstd:5" "noatime"]; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = true; + fileSystems."/var/log".neededForBoot = true; +} 
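Review bot: `"vm.vsf_cache_pressure" = 50` in the `boot.kernel.sysctl` set is not a kernel tunable (the key is `vm.vfs_cache_pressure`), so the value is reported as an error when sysctl settings are applied and the intended setting is silently never in effect; change the line to `"vm.vfs_cache_pressure" = 50;`, and the `extraGroups` entry `"uniput"` looks like the same kind of slip for `uinput`, worth confirming. The single `security.audit.rules` entry `-a exit,always -F arch=b64 -S execve` records only 64-bit `execve`, so 32-bit process launches and `execveat` never reach the log; adding `"-a exit,always -F arch=b32 -S execve,execveat"` and `execveat` to the b64 rule closes that detection gap. The `initialHashedPassword` literal commits a crackable password hash to repository history; `hashedPasswordFile` pointing at a file kept outside the flake would keep it out of the repo. The two `permittedInsecurePackages` entries accept end-of-life Electron builds without saying which package (presumably logseq or another Electron app in `systemPackages`) needs them; a comment naming the consumer lets the exception be revisited when that package updates. `allowedTCPPorts` opens 22 while `services.openssh.enable = false`, and `allowedUDPPorts` lists 5353 twice and repeats the 22000/21027 ports that `syncthing.openDefaultPorts = true` already opens, so the firewall list could be trimmed to what is actually listening.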
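Review bot: The `ESP` partition's `mountOptions = [ "defaults" ]` leaves /boot's permission mask to the mounter, whereas `hardware-configuration.nix` in this same commit mounts the same partition with `"fmask=0022" "dmask=0022"`; the two descriptions of one disk will drift, and if this file is ever imported alongside the hand-written `fileSystems` entries, disko's generated entries for the same mount points would conflict at evaluation time unless one side is removed (assuming `disko.enableConfig` stays at its default). Consider `mountOptions = [ "fmask=0077" "dmask=0077" ]` here so the boot loader's files and random seed are not world-readable, and keep only one source of truth for the layout. The `luks` volume relies on `fido2-device=auto` with `token-timeout=10` only; a comment stating whether a recovery passphrase keyslot exists would document how the VM is recovered when the token is absent. Naming the disk attribute `sda` while `device = "/dev/vda"` is harmless but misleading.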
diff --git a/system/vm/hardware-configuration.nix b/system/vm/hardware-configuration.nix new file mode 100644 index 0000000..75777f5 --- /dev/null +++ b/system/vm/hardware-configuration.nix 
@@ -0,0 +1,66 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "firewire_ohci" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/vda2"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + boot.initrd.luks.devices."cryptroot".device = "/dev/vda2"; + + fileSystems."/boot" = + { device = "/dev/vda1"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + fileSystems."/home" = + { device = "/dev/vda2"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd:5" "noatime" ]; + }; + + fileSystems."/nix" = + { device = "/dev/vda2"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd:5" "noatime" ]; + }; + + fileSystems."/persist" = + { device = "/dev/vda2"; + fsType = "btrfs"; + options = [ "subvol=persist" "compress=zstd:5" "noatime" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/vda2"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd:5" "noatime" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}
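Review bot: `fileSystems."/"` through `fileSystems."/var/log"` all set `device = "/dev/vda2"`, which is the same partition the `boot.initrd.luks.devices."cryptroot".device = "/dev/vda2"` line declares as the LUKS container; the btrfs subvolumes live inside the opened volume, so these mounts should reference `/dev/mapper/cryptroot` (or its by-uuid path), otherwise stage-1 would try to mount the LUKS header as btrfs. The header says the file was generated by nixos-generate-config, but the generator typically writes `/dev/disk/by-uuid/...` paths, so this appears hand-edited; if the VM was in fact installed without LUKS, the `cryptroot` line is the stray one instead, but either way the two stanzas disagree. `fileSystems."/"` is also the only subvolume mount missing the `"compress=zstd:5" "noatime"` options that `disk.nix` applies to `subvol=root`, and `/persist` and `/var/log` lack the `neededForBoot = true` that `disk.nix` sets, so the two layout descriptions in this commit should be aligned or one dropped.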