From b68ac28949cc583e75877ea7d271273763113e17 Mon Sep 17 00:00:00 2001
From: Lgmrszd
Date: Sat, 9 Sep 2023 17:31:01 +0300
Subject: [PATCH] Initial commit (current config)
---
 .gitignore | 2 +
 configuration.nix | 308 +++++++++++++++++++++++++++++
 flake.lock | 66 +++++++
 flake.nix | 58 ++++++
 hardware-configurations/laptop.nix | 64 ++++++
 home.nix | 208 +++++++++++++++++++
 mounts.nix | 34 ++++
 secrets/default.nix | 4 +
 8 files changed, 744 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 configuration.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 hardware-configurations/laptop.nix
 create mode 100644 home.nix
 create mode 100644 mounts.nix
 create mode 100644 secrets/default.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ffd26a6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+secrets/*
+!secrets/default.nix
\ No newline at end of file
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..8ac2543
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,308 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running `nixos-help`).
+
+{ config, pkgs, pkgs-stable, secrets, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configurations/laptop.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ # NOT! Let's use GRUB instead
+ # https://nixos.org/manual/nixos/stable/#sec-installation
+ # boot.loader.efi.efiSysMountPoint = "/boot";
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ device = "nodev";
+ efiSupport = true;
+ theme = "/home/lgm/minegrub/minegrub-theme/minegrub/";
+ efiInstallAsRemovable = false;
+ # useOSProber = true;
+ extraEntries =
+ ''
+ menuentry 'Windows 10' --class windows --class os {
+ insmod part_gpt
+ insmod fat
+ set root='hd0,gpt4'
+ if [ x$feature_platform_search_hint = xy ]; then
+ search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt4 --hint-efi=hd0,gpt4 --hint-baremetal=ahci0,gpt4 ${secrets.drive-ids.volumes.windows_efi_uuid}
+ else
+ search --no-floppy --fs-uuid --set=root ${secrets.drive-ids.volumes.windows_efi_uuid}
+ fi
+ chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+ }
+ menuentry 'Ventoy' {
+ insmod part_gpt
+ insmod fat
+ # set root='hd0,gpt4'
+ # if [ x$feature_platform_search_hint = xy ]; then
+ # search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt4 --hint-efi=hd0,gpt4 --hint-baremetal=ahci0,gpt4 ${secrets.drive-ids.volumes.ventoy_efi_uuid}
+ # else
+ # search --no-floppy --fs-uuid --set=root ${secrets.drive-ids.volumes.ventoy_efi_uuid}
+ # fi
+ search --no-floppy --fs-uuid --set=root ${secrets.drive-ids.volumes.ventoy_efi_uuid}
+ chainloader /EFI/BOOT/BOOTX64.EFI
+ }
+ '';
+ };
+
+ # NTFS support
+
+ boot.supportedFilesystems = [ "ntfs" ];
+
+ # btrfs options
+ fileSystems = {
+ "/".options = [ "compress=zstd" ];
+ "/home".options = [ "compress=zstd" ];
+ "/nix".options = [ "compress=zstd" "noatime" ];
+ };
+
+ boot.kernel.sysctl."kernel.sysrq" = 244;
+
+ # ==[SECURITY]==
+ # LUKS options
+ boot.initrd.luks.devices = with secrets.drive-ids.luks; {
+ crypted = {
+ inherit device;
+ inherit header;
+ preLVM = true;
+ };
+ };
+
+ # sudo and doas
+ security.doas = {
+ enable = true;
+ extraRules = [{
+ users = [ "lgm" ];
+ persist = true;
+ }];
+ };
+
+ # PAM
+ security.pam.services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ doas.u2fAuth = true;
+ };
+ security.pam.u2f = {
+ enable = true;
+ cue = true;
+ interactive = true;
+ };
+
+
+ # Make sure opengl is enabled
+ hardware.opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+ # Tell Xorg to use the nvidia driver (also valid for Wayland)
+ services.xserver.videoDrivers = ["nvidia"];
+
+ hardware.nvidia = {
+ # Modesetting is needed for most Wayland compositors
+ modesetting.enable = true;
+ # Use the open source version of the kernel module
+ # Only available on driver 515.43.04+
+ open = false;
+ # Enable the nvidia settings menu
+ nvidiaSettings = true;
+ # Optionally, you may need to select the appropriate driver version for your specific GPU.
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ # NVIDIA
+
+ hardware.nvidia.prime = {
+ offload = {
+ enable = true;
+ enableOffloadCmd = true;
+ };
+
+ intelBusId = "PCI:0:2:0";
+ nvidiaBusId = "PCI:1:0:0";
+ };
+
+ programs.gamemode.enable = true;
+
+ # VirtualBox
+ virtualisation.virtualbox.host.enable = true;
+ virtualisation.virtualbox.host.enableExtensionPack = true;
+ users.extraGroups.vboxusers.members = [ "lgm" ];
+
+ networking.hostName = "lgm-nixos"; # Define your hostname.
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Volgograd";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkbOptions in tty.
+ # };
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+# LC_ADDRESS = "ru_RU.UTF-8";
+# LC_IDENTIFICATION = "ru_RU.UTF-8";
+# LC_MEASUREMENT = "ru_RU.UTF-8";
+# LC_MONETARY = "ru_RU.UTF-8";
+# LC_NAME = "ru_RU.UTF-8";
+# LC_NUMERIC = "ru_RU.UTF-8";
+# LC_PAPER = "ru_RU.UTF-8";
+# LC_TELEPHONE = "ru_RU.UTF-8";
+ LC_TIME = "ru_RU.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+
+ # Enable the Plasma 5 Desktop Environment.
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+ services.xserver.displayManager.defaultSession = "plasmawayland";
+
+ # fish
+ programs.fish = {
+ enable = true;
+ };
+
+ # KDE Programs
+ programs.partition-manager.enable = true;
+ programs.kdeconnect.enable = true;
+
+ programs.adb.enable = true;
+
+ # Steam
+ programs.steam = {
+ enable = true;
+# remotePlay.openFirewall = true;
+# dedicatedServer.openFirewall = true;
+ };
+
+ # Configure keymap in X11
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.lgm = {
+ isNormalUser = true;
+ description = "lgm";
+ extraGroups = [ "networkmanager" "wheel" "adbusers"];
+ shell = pkgs.fish;
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # OnlyKey
+ hardware.onlykey.enable = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ git
+ vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ curl
+ python3
+ # more stuff
+ parted
+ exfatprogs
+ gparted
+ tmux
+ graalvm17-ce
+ jetbrains.jdk
+
+ (let base = pkgs.appimageTools.defaultFhsEnvArgs; in
+ pkgs.buildFHSUserEnv (base // {
+ name = "fhs";
+ targetPkgs = pkgs: (
+ (base.targetPkgs pkgs) ++ [
+ pkg-config
+ ncurses
+ ]
+ );
+ profile = "export FHS=1";
+ runScript = "bash";
+ extraOutputsToInstall = ["dev"];
+ }))
+ ];
+
+ environment.variables.EDITOR = "vim";
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..82ef6d8
--- /dev/null
+++ b/flake.lock
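Review bot: The U2F setup in the `security.pam.services` / `security.pam.u2f` blocks leaves `security.pam.u2f.control` at its default of `sufficient`, so for `login`, `sudo` and `doas` a touch on the registered key satisfies PAM by itself and the password is never requested — a single possession factor, not a second factor. If two factors are intended, add `control = "required";` to the `security.pam.u2f` block. The key list is also left at pam_u2f's default per-user file under the home directory (`authFile` unset), so the same account that the `doas` rule grants persisted root to can enrol further keys for itself; a root-owned `authFile` under /etc closes that. Separately, `boot.kernel.sysctl."kernel.sysrq" = 244` turns on the process-signalling and reboot SysRq groups for anyone at the console, so it deserves a comment spelling out the bitmask, e.g. `# 244 = 4 (keyboard) + 16 (sync) + 32 (remount ro) + 64 (signal processes) + 128 (reboot/poweroff)`.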
@@ -0,0 +1,66 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693208669, + "narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1693377291, + "narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e7f38be3775bab9659575f192ece011c033655f0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1693341273, + "narHash": "sha256-wrsPjsIx2767909MPGhSIOmkpGELM9eufqLQOPxmZQg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2ab91c8d65c00fd22a441c69bbf1bc9b420d5ea1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..fcabbfe --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,58 @@
+{
+ description = "Lgm's NixOS Flake";
+
+ inputs = {
+ # There are many ways to reference flake inputs.
+ # The most widely used is `github:owner/name/reference`,
+ # which represents the GitHub repository URL + branch/commit-id/tag.
+
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05";
+ # nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ # home-manager, used for managing user configuration
+ home-manager = {
+ url = "github:nix-community/home-manager/release-23.05";
+ # The `follows` keyword in inputs is used for inheritance.
+ # Here, `inputs.nixpkgs` of home-manager is kept consistent with
+ # the `inputs.nixpkgs` of the current flake,
+ # to avoid problems caused by different versions of nixpkgs.
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs@{
+ nixpkgs,
+ nixpkgs-stable,
+ home-manager,
+ ...
+ }: {
+ nixosConfigurations.lgm-nixos = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ specialArgs = {
+ pkgs-stable = import nixpkgs-stable {
+ system = system;
+ config.allowUnfree = true;
+ };
+ secrets = import ./secrets {};
+ };
+ modules = [
+ ./configuration.nix
+ ./mounts.nix
+
+ # make home-manager as a module of nixos
+ # so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch`
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+
+ home-manager.users.lgm = import ./home.nix;
+
+ home-manager.extraSpecialArgs = with specialArgs; {
+ inherit pkgs-stable;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/hardware-configurations/laptop.nix b/hardware-configurations/laptop.nix
new file mode 100644
index 0000000..3e11edc
--- /dev/null
+++ b/hardware-configurations/laptop.nix
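Review bot: `secrets = import ./secrets {};` in `specialArgs` evaluates `secrets/drive-ids.nix` as part of the flake source, and everything a flake imports is copied into the world-readable Nix store, so keeping the file out of git (the `secrets/*` rule in the .gitignore hunk) gives no confidentiality on the machine itself — fine for the drive UUIDs used here, which end up in the generated GRUB config and fstab anyway, but not for anything credential-like. A comment at the definition should say so, e.g. `# secrets/ is gitignored but still lands in /nix/store and in the built system; keep only non-sensitive identifiers there`. Note also that a flake evaluated from a git checkout only sees tracked files, so with `secrets/*` ignored the import is likely to fail unless the file is made visible to git (for instance with `git add --intent-to-add`); if that is the intended workflow it belongs in the same comment. Minor: `system = system;` can be written `inherit system;`.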
@@ -0,0 +1,64 @@
+# Originally made with `nixos-generate-config`, now part of manual config
+# Original disclaimer left here just for fun :)
+# =========================
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, secrets, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = secrets.drive-ids.volumes.root;
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ fileSystems."/nix" =
+ { device = secrets.drive-ids.volumes.root;
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/home" =
+ { device = secrets.drive-ids.volumes.root;
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = secrets.drive-ids.volumes.boot;
+ fsType = "vfat";
+ options = [
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=1min"
+ "x-systemd.device-timeout=1s"
+ "x-systemd.mount-timeout=5s"
+ ];
+ };
+
+ swapDevices =
+ [ { device = secrets.drive-ids.volumes.swap; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/home.nix b/home.nix
new file mode 100644
index 0000000..a73a779
--- /dev/null
+++ b/home.nix
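Review bot: The `fileSystems."/boot"` entry mounts the vfat EFI partition without a permission mask, so under the defaults the kernels, initrds and GRUB configuration written there are readable by every local user; adding `"umask=0077"` to its `options` list restricts the partition to root. Nothing in this hunk puts key material on /boot, so today this is hardening rather than a fix, but it becomes necessary the moment something like `boot.initrd.secrets` is used. The btrfs mount options are also split across two files — `subvol=` here and `compress=zstd` in configuration.nix for the same three mount points — so a reader has to consult both to know what a volume is mounted with; a one-line comment on `fileSystems."/"` pointing at the other half, or moving the options together, would avoid that.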
@@ -0,0 +1,208 @@
+{ config, pkgs, pkgs-stable, ... }:
+
+{
+ home.username = "lgm";
+ home.homeDirectory = "/home/lgm";
+
+ # https://nixos-and-flakes.thiscute.world/nixos-with-flakes/start-using-home-manager
+
+ # Packages that should be installed to the user profile.
+ home.packages = with pkgs; [
+ wineWowPackages.waylandFull
+ # web
+ firefox
+ # security
+ keepassxc
+ onlykey
+ onlykey-agent
+ libsForQt5.plasma-vault
+ gpgme.dev # For mainvelope
+
+ neofetch
+ libsForQt5.yakuake
+ libsForQt5.kgpg
+
+ # messaging
+ (discord.override {
+ withOpenASAR = true;
+ withVencord = true;
+ })
+ telegram-desktop
+ libsForQt5.tokodon
+ libsForQt5.neochat
+# pkgs-unstable.cinny-desktop
+# pkgs-unstable.thunderbird # see programs.thunderbird
+ # graphics
+ gimp
+ krita
+ inkscape-with-extensions
+ blockbench-electron
+ # games
+ prismlauncher
+ xonotic
+ lutris
+ # dev
+ jetbrains.idea-community
+ # vscodium # see programs.vscode
+ rnix-lsp
+ #nnn # terminal file manager
+
+ # archives
+# zip
+# xz
+# unzip
+# p7zip
+
+ # utils
+ appimage-run
+ kate
+ ncdu
+ btdu
+ compsize
+# ripgrep # recursively searches directories for a regex pattern
+ jq # A lightweight and flexible command-line JSON processor
+# yq-go # yaml processer https://github.com/mikefarah/yq
+# exa # A modern replacement for ‘ls’
+
+ # networking tools
+# mtr # A network diagnostic tool
+# iperf3
+ dnsutils # `dig` + `nslookup`
+ ldns # replacement of `dig`, it provide the command `drill`
+ aria2
+ socat # replacement of openbsd-netcat
+ nmap # A utility for network discovery and security auditing
+# ipcalc # it is a calculator for the IPv4/v6 addresses
+
+ # etc
+ vlc
+ qbittorrent
+ libsForQt5.qtstyleplugin-kvantum
+ # misc
+ cowsay
+# file
+# which
+ tree
+# gnused
+# gnutar
+# gawk
+# zstd
+ gnupg
+ # pinentry
+
+ # nix related
+ #
+ # it provides the command `nom` works just like `nix`
+ # with more details log output
+ nix-output-monitor
+
+ # productivity
+# hugo # static site generator
+ glow # markdown previewer in terminal
+#
+# btop # replacement of htop/nmon
+# iotop # io monitoring
+# iftop # network monitoring
+#
+# # system call monitoring
+# strace # system call monitoring
+# ltrace # library call monitoring
+ lsof # list open files
+
+ # system tools
+ file
+# sysstat
+ lm_sensors # for `sensors` command
+# ethtool
+ pciutils # lspci
+ usbutils # lsusb
+ # android-tools
+
+ monero-gui
+ ];
+
+ services.nextcloud-client = {
+ enable = true;
+ };
+
+ programs.git = {
+ enable = true;
+ delta.enable = true;
+ signing = {
+ signByDefault = true;
+ key = "D3067BE844D3FC49535A47B29396B8BA6FBB14DE";
+ };
+ userName = "Lgmrszd";
+ userEmail = "lgmrszd@disroot.org";
+ };
+
+ programs.thunderbird = {
+ enable = true;
+ package = pkgs.thunderbird;
+ profiles.lgmrszd.isDefault = true;
+ };
+
+ programs.pazi = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+
+ programs.fzf = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+
+
+ programs.vscode = {
+ enable = true;
+ package = pkgs.vscodium;
+ extensions = with pkgs.vscode-extensions; [
+ jnoortheen.nix-ide
+ ];
+ };
+
+
+ programs.starship = {
+ enable = true;
+ # custom settings
+ settings = {
+ add_newline = false;
+ aws.disabled = true;
+ gcloud.disabled = true;
+ # line_break.disabled = true;
+ };
+ };
+
+
+ programs.fish = {
+ enable = true;
+ plugins = [
+ {
+ name = "forgit";
+ src = pkgs.fishPlugins.forgit.src;
+ }
+ {
+ name = "fzf";
+ src = pkgs.fishPlugins.fzf.src;
+ }
+ ];
+ };
+
+ programs.bash = {
+ enable = true;
+ enableCompletion = true;
+ };
+
+ # This value determines the home Manager release that your
+ # configuration is compatible with. This helps avoid breakage
+ # when a new home Manager release introduces backwards
+ # incompatible changes.
+ #
+ # You can update home Manager without changing this value. See
+ # the home Manager release notes for a list of state version
+ # changes in each release.
+ home.stateVersion = "23.05";
+
+ # Let home Manager install and manage itself.
+ programs.home-manager.enable = true;
+}
diff --git a/mounts.nix b/mounts.nix
new file mode 100644
index 0000000..70be7d6
--- /dev/null
+++ b/mounts.nix
@@ -0,0 +1,34 @@
+{ secrets, ... }:
+with secrets.drive-ids; {
+ systemd.mounts = [
+ {
+ where = "/mounts/my_data";
+ what = mounts.my_data;
+ type = "ntfs3";
+ options = "defaults,exec,noauto,prealloc,uid=1000,gid=100";
+ }
+ {
+ where = "/mounts/windows";
+ what = mounts.windows;
+ type = "ntfs3";
+ options = "defaults,exec,noauto,prealloc,uid=1000,gid=100";
+ }
+ ];
+
+ systemd.automounts = [
+ {
+ where = "/mounts/my_data";
+ wantedBy = ["multi-user.target"];
+ automountConfig = {
+ TimeoutIdleSec = 901;
+ };
+ }
+ {
+ where = "/mounts/windows";
+ wantedBy = ["multi-user.target"];
+ automountConfig = {
+ TimeoutIdleSec = 901;
+ };
+ }
+ ];
+}
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..6134f20
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ drive-ids = import ./drive-ids.nix;
+}
\ No newline at end of file
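Review bot: `pkgs-stable` is accepted in the module's argument list (`{ config, pkgs, pkgs-stable, ... }:`) but nothing in home.nix uses it, while the commented-out `pkgs-unstable.cinny-desktop` and `pkgs-unstable.thunderbird` lines refer to a `pkgs-unstable` that is never passed in — flake.nix's `home-manager.extraSpecialArgs` only forwards `pkgs-stable` — so uncommenting them as written would fail evaluation. Either drop the unused argument or rewrite those two comments to `# pkgs-stable.cinny-desktop` / `# pkgs-stable.thunderbird` so they match what the module actually receives. Unrelated but worth keeping as is: `programs.git.signing.key` is a full fingerprint rather than a short key ID, which is the right choice.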
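Review bot: Both `systemd.mounts` entries mount NTFS volumes with `exec` while `uid=1000,gid=100` makes every file appear owned by the desktop user, so anything written to those volumes from the Windows side is directly executable from the Linux session; unless binaries on them are really run from there, `noexec` — or at least `nosuid,nodev` — is the safer default for a foreign filesystem. The two mount and two automount entries differ only in the volume name, so a change like that has to be repeated, and the option strings can drift apart; deriving all four from one list keeps each setting in a single place. `TimeoutIdleSec = 901` would also benefit from a short comment on why it is not a round number.

```nix
{ secrets, ... }:
with secrets.drive-ids;
let
  volumes = [ "my_data" "windows" ];
  ntfsMount = name: {
    where = "/mounts/${name}";
    what = mounts.${name};
    type = "ntfs3";
    options = "defaults,exec,noauto,prealloc,uid=1000,gid=100";
  };
  autoMount = name: {
    where = "/mounts/${name}";
    wantedBy = [ "multi-user.target" ];
    automountConfig.TimeoutIdleSec = 901;
  };
in {
  systemd.mounts = map ntfsMount volumes;
  systemd.automounts = map autoMount volumes;
}
```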