commit 2b3213c3f8449558238e1a6b8fbb233a94f3f73d
Author: Ameya Shenoy
Date: Mon Nov 11 01:47:02 2024 +0530
feat: init
Signed-off-by: Ameya Shenoy
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8806f88
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+
+# project specific
+.env.nix
+
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..be7ba4c
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,86 @@ +{ + description = "CodingCoffee's Flakes!"; + + inputs = { + nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; }; + + # The name "snowfall-lib" is required due to how Snowfall Lib processes your + # flake's inputs. + snowfall-lib = { + url = "github:snowfallorg/lib"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + home-manager = { + url = "github:nix-community/home-manager/master"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-hardware = { url = "github:NixOS/nixos-hardware/master"; }; + + darwin-nixpkgs = { url = "github:NixOS/nixpkgs/nixpkgs-unstable"; }; + + nix-darwin = { + url = "github:LnL7/nix-darwin"; + inputs.nixpkgs.follows = "darwin-nixpkgs"; + }; + + wezterm = { + url = "github:wez/wezterm?dir=nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-needtoreboot = { + url = "github:thefossguy/nixos-needsreboot"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = inputs: + let + lib = inputs.snowfall-lib.mkLib { + # You must provide our flake inputs to Snowfall Lib. + inherit inputs; + + # The `src` must be the root of the flake. See configuration + # in the next section for information on how you can move your + # Nix files to a separate directory. + src = ./.; + + # Configure Snowfall Lib, all of these settings are optional. + snowfall = { + # Tell Snowfall Lib to look in the `./nix/` directory for your + # Nix files. + root = ./nix; + + # Choose a namespace to use for your flake's packages, library, + # and overlays. + namespace = "snowflake"; + + # Add flake metadata that can be processed by tools like Snowfall Frost. + meta = { + # A slug to use in documentation when displaying things like file paths. + name = "cc-nix-snowflake"; + + # A title to show for your flake, typically the name. 
+ title = "CodingCoffee's Flakes!"; + }; + }; + }; + in lib.mkFlake { + channels-config = { allowUnfree = true; }; + systems = { + modules = { + nixos = with inputs; [ + home-manager.nixosModules.home-manager + disko.nixosModules.disko + ]; + }; + }; + }; +} diff --git a/nix/Makefile b/nix/Makefile new file mode 100644 index 0000000..81f2e7d --- /dev/null +++ b/nix/Makefile @@ -0,0 +1,7 @@ +.DEFAULT_GOAL := default + +default: + @sudo nixos-rebuild switch --flake path:./#$(hostname) + +watergate: + @nixos-rebuild --build-host art@192.168.122.15 --target-host art@192.168.122.15 --use-remote-sudo switch --flake path:./#watergate diff --git a/nix/homes/x86_64-linux/cc@thinkpad/default.nix b/nix/homes/x86_64-linux/cc@thinkpad/default.nix new file mode 100644 index 0000000..58dd0bb --- /dev/null +++ b/nix/homes/x86_64-linux/cc@thinkpad/default.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: { + snowflake.home = { + programs = { + chromium.enable = true; + firefox.enable = true; + wezterm.enable = true; + }; + autostart = { + enable = true; + pkgs = [ + pkgs.firefox + pkgs.spotify + pkgs.wezterm + # pkgs.kitty + ]; + }; + desktop = { + gnome.dconf.enable = true; + xdg.mimeapps.enable = true; + }; + }; + + home.stateVersion = "23.11"; +} diff --git a/nix/homes/x86_64-linux/cc@zephyrus/default.nix b/nix/homes/x86_64-linux/cc@zephyrus/default.nix new file mode 100644 index 0000000..135e514 --- /dev/null +++ b/nix/homes/x86_64-linux/cc@zephyrus/default.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: { + snowflake.home = { + programs = { + chromium.enable = true; + firefox.enable = true; + wezterm.enable = false; + }; + autostart = { + enable = true; + pkgs = [ pkgs.firefox pkgs.spotify pkgs.wezterm ]; + }; + desktop = { + gnome.dconf.enable = true; + xdg.mimeapps.enable = true; + }; + }; + + home.stateVersion = "23.11"; +} diff --git a/nix/modules/home/autostart/default.nix b/nix/modules/home/autostart/default.nix new file mode 100644 index 0000000..d596888 --- /dev/null 
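Review bot: Every input in `inputs` tracks a moving branch head (`nixos-unstable`, `home-manager/master`, `nixos-hardware/master`, and the unpinned `nix-darwin`, `wezterm`, `disko` and `nixos-needsreboot` refs), and no `flake.lock` appears in this commit's diff, so what a rebuild actually fetches depends on the day it runs rather than on this tree. Commit the generated `flake.lock` next to `flake.nix` so every `nixos-rebuild` resolves the same revisions and input bumps arrive as reviewable diffs rather than silently. The input is named `nixos-needtoreboot` while the repository it points at is `nixos-needsreboot`; harmless, but aligning the name, e.g. `nixos-needsreboot = { url = "github:thefossguy/nixos-needsreboot"; inputs.nixpkgs.follows = "nixpkgs"; };`, avoids confusion when the input is referenced later. Note also that `channels-config = { allowUnfree = true; }` turns on unfree packages globally for every host; that is likely intended here, but worth a one-line comment saying so.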
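Review bot: In the `default` recipe, `$(hostname)` is expanded by make as a make variable, not by the shell, so unless a `hostname` variable happens to be set in make's environment the command that runs is `sudo nixos-rebuild switch --flake path:./#` with an empty attribute name. Escape it so the shell performs the substitution, `@sudo nixos-rebuild switch --flake path:./#$$(hostname)`, or use `$(shell hostname)` at make level. The `watergate` recipe hard-codes `art@192.168.122.15` as both `--build-host` and `--target-host` and switches the remote system with `--use-remote-sudo`; a variable such as `WATERGATE_HOST ?= art@192.168.122.15` keeps the address out of the recipe, and since this pushes and activates a system closure over SSH, make sure that host's key is already pinned in `known_hosts` rather than accepted on first connect.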
+++ b/nix/modules/home/autostart/default.nix @@ -0,0 +1,32 @@ +{ config, lib, ... }: + +{ + options.snowflake.home.autostart = { + enable = lib.mkEnableOption "enable autostart module"; + pkgs = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = [ ]; + description = "packages to autostart"; + }; + }; + + config = lib.mkIf config.snowflake.home.autostart.enable { + home.file = builtins.listToAttrs (map (pkg: { + name = ".config/autostart/" + pkg.pname + ".desktop"; + value = if pkg ? desktopItem then { + # Application has a desktopItem entry. + # Assume that it was made with makeDesktopEntry, which exposes a + # text attribute with the contents of the .desktop file + text = pkg.desktopItem.text; + } else if pkg.pname == "wezterm" then { + # custom handling for wezterm since for its desktop file + source = (pkg + "/share/applications/" + "org.wezfurlong.wezterm" + + ".desktop"); + } else { + # Application does *not* have a desktopItem entry. Try to find a + # matching .desktop name in /share/apaplications + source = (pkg + "/share/applications/" + pkg.pname + ".desktop"); + }; + }) config.snowflake.home.autostart.pkgs); + }; +} diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix new file mode 100644 index 0000000..49dd01a --- /dev/null +++ b/nix/modules/home/default.nix @@ -0,0 +1,10 @@ +{ inputs, pkgs, ... }: { + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + + # Show activation change diff for new builds. + home.activation.report-changes = + inputs.home-manager.lib.hm.dag.entryAnywhere '' + ${pkgs.nvd}/bin/nvd diff $oldGenPath $newGenPath + ''; +} diff --git a/nix/modules/home/desktop/gnome/dconf/default.nix b/nix/modules/home/desktop/gnome/dconf/default.nix new file mode 100644 index 0000000..d5c148a --- /dev/null +++ b/nix/modules/home/desktop/gnome/dconf/default.nix 
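Review bot: `pkg.pname` is read for every listed package, both for the `.desktop` file name and for the fallback `source` path, but not every derivation carries a `pname` attribute, so a package defined with only `name` makes this module fail evaluation with an attribute-missing error; `lib.getName pkg` returns the name in both cases. The two affected lines would become `name = ".config/autostart/" + lib.getName pkg + ".desktop";` and `source = "${pkg}/share/applications/${lib.getName pkg}.desktop";`. The final fallback also assumes the package ships `share/applications/<name>.desktop`; a missing file only surfaces at activation time, so a short comment noting that `home.file` will fail for packages without a matching desktop entry would help the next person who adds a package to `autostart.pkgs`. The comment on that branch also misspells "applications" as "apaplications".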
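Review bot: The `report-changes` activation hook runs `nvd diff $oldGenPath $newGenPath` unconditionally; on a first activation, where no previous generation exists, `oldGenPath` is presumably empty (confirm against the Home Manager version in use), so `nvd` is invoked with a missing argument and its non-zero exit aborts the activation instead of just skipping the report. Guard the call and quote both paths: `if [[ -n "''${oldGenPath:-}" ]]; then ${pkgs.nvd}/bin/nvd diff "$oldGenPath" "$newGenPath"; fi`. A one-line comment that this hook is purely informational and must never fail the activation would also make the intent clear.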
@@ -0,0 +1,228 @@ +{ config, lib, inputs, ... }: { + options.snowflake.home.desktop.gnome.dconf.enable = + lib.mkEnableOption "manage gnome with dconf"; + + config = lib.mkIf config.snowflake.home.desktop.gnome.dconf.enable { + dconf.settings = { + "org/gnome/desktop/interface" = { + color-scheme = "prefer-dark"; + show-battery-percentage = true; + clock-show-weekday = true; + clock-show-seconds = true; + }; + + "org/gnome/desktop/peripherals/touchpad" = { tap-to-click = true; }; + + "org/gnome/desktop/input-sources" = { + xkb-options = [ "caps:swapescape" ]; + }; + + "org/gnome/desktop/peripherals/touchpad" = { speed = 1.0; }; + + "org/gnome/desktop/session" = { + idle-delay = inputs.home-manager.lib.hm.gvariant.mkUint32 60; + }; + + "org/gnome/settings-daemon/plugins/power" = { + sleep-inactive-battery-type = "nothing"; + sleep-inactive-ac-type = "nothing"; + power-button-action = "nothing"; + }; + + "org/gnome/desktop/wm/preferences" = { num-workspaces = 10; }; + + "org/gnome/desktop/notifications" = { show-in-lock-screen = false; }; + + "org/gnome/desktop/wm/keybindings" = { + close = [ "q" ]; + + # start window resize using mouse: defaults to "F8" + begin-resize = [ "r" ]; + + # sticky windows across all workspaces ("Always on Visible Workspace") + toggle-on-all-workspaces = [ "s" ]; + + switch-to-workspace-1 = [ "1" ]; + move-to-workspace-1 = [ "1" ]; + + switch-to-workspace-2 = [ "2" ]; + move-to-workspace-2 = [ "2" ]; + + switch-to-workspace-3 = [ "3" ]; + move-to-workspace-3 = [ "3" ]; + + switch-to-workspace-4 = [ "4" ]; + move-to-workspace-4 = [ "4" ]; + + switch-to-workspace-5 = [ "5" ]; + move-to-workspace-5 = [ "5" ]; + + switch-to-workspace-6 = [ "6" ]; + move-to-workspace-6 = [ "6" ]; + + switch-to-workspace-7 = [ "7" ]; + move-to-workspace-7 = [ "7" ]; + + switch-to-workspace-8 = [ "8" ]; + move-to-workspace-8 = [ "8" ]; + + switch-to-workspace-9 = [ "9" ]; + move-to-workspace-9 = [ "9" ]; + + switch-to-workspace-10 = [ "0" ]; + 
move-to-workspace-10 = [ "0" ]; + }; + + "org/gnome/shell/keybindings" = { + # NITE: this was bound to 'n' for opening the nth application + # pinned in the bottom bar. Removing it to remap it to shwitch to the nth + # workspace + switch-to-application-1 = [ ]; + switch-to-application-2 = [ ]; + switch-to-application-3 = [ ]; + switch-to-application-4 = [ ]; + switch-to-application-5 = [ ]; + switch-to-application-6 = [ ]; + switch-to-application-7 = [ ]; + switch-to-application-8 = [ ]; + switch-to-application-9 = [ ]; + switch-to-application-0 = [ ]; + + # removing keybinding for toggle-on-all-workspaces: defaults to "s" + toggle-quick-settings = [ ]; + + show-screenshot-ui = [ "s" ]; + }; + + "org/gnome/desktop/media-handling" = { + automount = false; + automount-open = false; + autorun-never = false; + }; + + "org/gnome/desktop/wm/preferences" = { focus-mode = "sloppy"; }; + + "org/gnome/shell" = { + enabled-extensions = [ + # tiling window manager + "forge@jmmaranan.com" + + # to lock a window to an application on first start + "auto-move-windows@gnome-shell-extensions.gcampax.github.com" + + # to move the clock to the right side on the top bar + "just-perfection-desktop@just-perfection" + + # to launch a new instanc of an application rather than switching to + # the exising instance when invoking from GNOME shell + "launch-new-instance@gnome-shell-extensions.gcampax.github.com" + + # GSConnect - KDE Connect reimplementation in GNOME + "gsconnect@andyholmes.github.io" + + # blurtooth battery + "bluetooth-battery@michalw.github.com" + + # netspeed + "netspeedsimplified@prateekmedia.extension" + + # bedtime mode + "gnomebedtime@ionutbortis.gmail.com" + + # caffeine + "caffeine@patapon.info" + ]; + }; + + "org/gnome/shell/extensions/just-perfection" = { + clock-menu-position = 1; + clock-menu-position-offset = 20; + }; + + "org/gnome/shell/extensions/forge" = { focus-border-toggle = false; }; + + "org/gnome/shell/extensions/forge/keybindings" = { + 
window-toggle-float = [ "f" ]; + + # this is bound to Super+l by default. Removing to bind this to lock screen + window-focus-right = [ "" ]; + + # this is bound to ``s`` by default. Removing to bind this to lock screen + con-stacked-layout-toggle = [ "" ]; + + # makes the window always float and enables "Always on Top" mode + window-toggle-always-float = [ "c" ]; + }; + + "org/gnome/shell/extensions/auto-move-windows" = { + application-list = [ + "kitty.desktop:2" + "org.wezfurlong.wezterm.desktop:2" + "firefox.desktop:4" + "org.telegram.desktop.desktop:7" + "spotify.desktop:9" + "mpv.desktop:10" + "audio-recorder.desktop:8" + ]; + }; + + "org/gnome/settings-daemon/plugins/color" = { + night-light-enabled = true; + night-light-temperature = 2000; + }; + + # NOTE: if keybinding not working search in `dconf dump /` + "org/gnome/settings-daemon/plugins/media-keys" = { + custom-keybindings = [ + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom2/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom3/" + ]; + }; + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = + { + name = "Bookmenu"; + binding = "b"; + command = "/home/cc/.scripts/popup.sh bookmenu.sh"; + }; + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = + { + name = "AURA Play Pause"; + binding = "Launch3"; + command = "playerctl play-pause"; + }; + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom2" = + { + name = "Toggle Speech to Text"; + binding = "m"; + command = "sh /home/cc/.scripts/speech-to-text.sh"; + }; + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom3" = + { + name = "Lock Screen"; + binding = "l"; + command = "xdg-screensaver lock"; + }; + + "org/virt-manager/virt-manager/connections" = { + 
autoconnect = [ "qemu:///system" ]; + uris = [ "qemu:///system" ]; + }; + + "org/gnome/desktop/background" = { + picture-uri = + "file:///run/current-system/sw/share/backgrounds/gnome/blobs-l.svg"; + picture-uri-dark = + "file:///run/current-system/sw/share/backgrounds/gnome/blobs-d.svg"; + primary-color = "#241f31"; + }; + + "org/gnome/desktop/screensaver" = { + picture-uri = + "file:///run/current-system/sw/share/backgrounds/gnome/blobs-l.svg"; + primary-color = "#241f31"; + }; + }; + }; +} diff --git a/nix/modules/home/desktop/xdg/mimeapps/default.nix b/nix/modules/home/desktop/xdg/mimeapps/default.nix new file mode 100644 index 0000000..76c953d --- /dev/null +++ b/nix/modules/home/desktop/xdg/mimeapps/default.nix @@ -0,0 +1,25 @@ +{ config, lib, ... }: { + options.snowflake.home.desktop.xdg.mimeapps.enable = + lib.mkEnableOption "manage default applications"; + + config = lib.mkIf config.snowflake.home.desktop.xdg.mimeapps.enable { + xdg.mimeApps = { + enable = true; + associations.added = { + "application/pdf" = [ "firefox.desktop" "org.gnome.Evince.desktop" ]; + "image/png" = [ "org.gnome.Loupe.desktop" ]; + "x-scheme-handler/sms" = + [ "org.gnome.Shell.Extensions.GSConnect.desktop;" ]; + "x-scheme-handler/tel" = + [ "org.gnome.Shell.Extensions.GSConnect.desktop;" ]; + }; + defaultApplications = { + "application/pdf" = [ "org.gnome.Evince.desktop" ]; + "image/png" = [ "org.gnome.Loupe.desktop" ]; + "x-scheme-handler/tg" = [ "org.telegram.desktop.desktop" ]; + "x-scheme-handler/http" = [ "firefox.desktop" ]; + "x-scheme-handler/https" = [ "firefox.desktop" ]; + }; + }; + }; +} diff --git a/nix/modules/home/programs/chromium/default.nix b/nix/modules/home/programs/chromium/default.nix new file mode 100644 index 0000000..596c650 --- /dev/null +++ b/nix/modules/home/programs/chromium/default.nix 
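Review bot: `dconf.settings` defines the key `"org/gnome/desktop/wm/preferences"` twice (once with `num-workspaces`, later with `focus-mode`) and `"org/gnome/desktop/peripherals/touchpad"` twice (`tap-to-click`, then `speed`); Nix rejects a repeated attribute name inside one attribute set with "attribute ... already defined", so this module fails to evaluate as soon as `gnome.dconf.enable` is set, which both home configurations in this commit do. Merge each pair into one set: `"org/gnome/desktop/wm/preferences" = { num-workspaces = 10; focus-mode = "sloppy"; };` and `"org/gnome/desktop/peripherals/touchpad" = { tap-to-click = true; speed = 1.0; };`. Separately, under `media-handling` the commit disables automount but sets `autorun-never = false`, which leaves autorun prompting for inserted media enabled; if the intent is to never act on removable media, `autorun-never = true;` is the matching value. The custom media-key commands also point at `/home/cc/.scripts/popup.sh` and `/home/cc/.scripts/speech-to-text.sh`, which this commit does not provide, so those bindings depend on unmanaged files outside the flake.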
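Review bot: The `x-scheme-handler/sms` and `x-scheme-handler/tel` entries in `associations.added` carry a trailing `;` inside the desktop-file ID (`"org.gnome.Shell.Extensions.GSConnect.desktop;"`); as far as I can tell Home Manager already joins list entries with `;` when it writes `mimeapps.list`, so the generated line ends up with a stray separator and an ID that may not match the GSConnect desktop file. Drop the semicolon in both entries: `"x-scheme-handler/sms" = [ "org.gnome.Shell.Extensions.GSConnect.desktop" ];` and likewise for `tel`. The `application/pdf` default is Evince while the `added` list puts `firefox.desktop` first; that is consistent with `defaultApplications` winning, but a short comment on why both are listed would save the next reader a lookup.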
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }: {
+ options.snowflake.home.programs.chromium.enable =
+ lib.mkEnableOption "enable custom chromium";
+
+ config = lib.mkIf config.snowflake.home.programs.chromium.enable {
+ # not to be heavily customized. to be only used for developing webapps and
+ # if any website is not available on firefox
+ programs.chromium = {
+ enable = true;
+ extensions = [
+ "fmkadmapgofadopljbjfkapdkoienihi" # React Developer Tools
+ ];
+ package = pkgs.ungoogled-chromium;
+ };
+
+ };
+}
diff --git a/nix/modules/home/programs/chromium/default.nix b/nix/modules/home/programs/chromium/default.nix
new file mode 100644
index 0000000..596c650
--- /dev/null
+++ b/nix/modules/home/programs/chromium/default.nix
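Review bot: The React Developer Tools extension is declared by bare Web Store ID only, which means it is fetched and auto-updated from Google's extension update URL with no version or hash pinned, unlike the version-pinned Firefox extensions elsewhere in this commit; Home Manager's `programs.chromium.extensions` also accepts the form `{ id = "fmkadmapgofadopljbjfkapdkoienihi"; crxPath = ./react-devtools.crx; version = "…"; }` if you want a reviewed artifact instead. With `package = pkgs.ungoogled-chromium`, Web Store downloads are, as far as I know, not available by default, so this entry may never actually install; confirm it shows up under `chrome://extensions` after a rebuild, and add a comment stating whichever outcome is intended. The comment above `programs.chromium` should also say that extension installs are otherwise unrestricted here, in contrast to the Firefox policy that blocks them.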
@@ -0,0 +1,729 @@ +{ config, lib, pkgs, ... }: { + options.snowflake.home.programs.firefox.enable = + lib.mkEnableOption "enable custom firefox"; + + config = lib.mkIf config.snowflake.home.programs.firefox.enable { + programs.firefox = { + enable = true; + # Policies apply at firefox global level + policies = { + "3rdparty" = + { # Set policies that WebExtensions can access via chrome.storage.managed. + Extensions = { + # "uBlock0@raymondhill.net" = { + # adminSettings = { + # selectedFilterLists = [ + # "ublock-privacy" + # "ublock-badware" + # "ublock-filters" + # "user-filters" + # ]; + # }; + # }; + }; + }; + # AllowedDomainsForApps = ""; # Define domains allowed to access Google Workspace. + AllowFileSelectionDialogs = true; # Allow file selection dialogs. + AppAutoUpdate = false; # Enable or disable automatic application update. + # AppUpdatePin = ""; # Prevent Firefox from being updated beyond the specified version. + # AppUpdateURL = ""; # Change the URL for application update. + # Authentication = ""; # Configure sites that support integrated authentication. + AutoLaunchProtocolsFromOrigins = + [ # Define a list of external protocols that can be used from listed origins without prompting the user. + { + protocol = "zoommtg"; + allowed_origins = [ "https://asu.zoom.us" ]; + } + ]; + BackgroundAppUpdate = + false; # Enable or disable the background updater (Windows only). + # BlockAboutAddons = true; # Block access to the Add-ons Manager (about:addons). + # BlockAboutConfig = true; # Block access to about:config. + # BlockAboutProfiles = true; # Block access to About Profiles (about:profiles). + # BlockAboutSupport = true; # Block access to Troubleshooting Information (about:support). + # Bookmarks = ""; # use ManagedBookmarks instead - Add bookmarks in either the bookmarks toolbar or menu. + # CaptivePortal = ""; # Enable or disable the detection of captive portals. 
+ # Certificates = { + # ImportEnterpriseRoots = ""; # Trust certificates that have been added to the operating system certificate store by a user or administrator. + # Install = ""; # Install certificates into the Firefox certificate store. + # }; + # Containers = { # Set policies related to containers. - doesn't work, managing via individual profile + # quasar = [ + # { + # name = "TheFourHorsemen"; + # color = "orange"; + # icon = "fingerprint"; + # } + # { + # name = "Grapevine-Ameya"; + # color = "purple"; + # icon = "briefcase"; + # } + # { + # name = "Grapevine"; + # color = "pink"; + # icon = "dollar"; + # } + # { + # name = "Trized"; + # color = "green"; + # icon = "tree"; + # } + # ]; + # }; + # Cookies = { # Configure cookie preferences. + # Allow = ["http://example.org/"]; + # AllowSession = ["http://example.edu/"]; + # Block = ["http://example.edu/"]; + # Default = true; + # AcceptThirdParty = "never"; + # RejectTracker = true; + # Locked = true; + # Behavior = "reject-tracker"; + # BehaviorPrivateBrowsing = "accept"; + # }; + # DefaultDownloadDirectory = ""; # Set the default download directory. + DisableAppUpdate = true; # Turn off application updates. + DisableBuiltinPDFViewer = + true; # Disable the built in PDF viewer. said to have vulnerabilities; using PDFjs instead + # DisabledCiphers = { # Disable ciphers. 
+ # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true; + # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = true; + # TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = true; + # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = true; + # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = true; + # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = true; + # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = true; + # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = true; + # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = true; + # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = true; + # TLS_DHE_RSA_WITH_AES_128_CBC_SHA = true; + # TLS_DHE_RSA_WITH_AES_256_CBC_SHA = true; + # TLS_RSA_WITH_AES_128_GCM_SHA256 = true; + # TLS_RSA_WITH_AES_256_GCM_SHA384 = true; + # TLS_RSA_WITH_AES_128_CBC_SHA = true; + # TLS_RSA_WITH_AES_256_CBC_SHA = true; + # TLS_RSA_WITH_3DES_EDE_CBC_SHA = true; + # }; + # DisableDefaultBrowserAgent = ""; # Prevent the default browser agent from taking any actions (Windows only). + DisableDeveloperTools = false; # Remove access to all developer tools. + # DisableFeedbackCommands = false; # Disable the menus for reporting sites. + DisableFirefoxAccounts = + true; # Disable Firefox Accounts integration (Sync). + DisableFirefoxScreenshots = + true; # Remove access to Firefox Screenshots. + DisableFirefoxStudies = true; # Disable Firefox studies (Shield). + # DisableForgetButton = ""; # Disable the “Forget” button. + # DisableFormHistory = false; # Turn off saving information on web forms and the search bar. + DisableMasterPasswordCreation = + true; # Remove the master password functionality. + # DisablePasswordReveal = false; # Do not allow passwords to be revealed in saved logins. + DisablePocket = true; # Remove Pocket in the Firefox UI. + DisablePrivateBrowsing = false; # Remove access to private browsing. + DisableProfileImport = + true; # Disables the “Import data from another browser” option in the bookmarks window. 
+ DisableProfileRefresh = + true; # Disable the Refresh Firefox button on about:support and support.mozilla.org + DisableSafeMode = false; # Disable safe mode within the browser. + # DisableSecurityBypass = { # Prevent the user from bypassing security in certain cases. + # InvalidCertificate = true; + # SafeBrowsing = true; + # }; + DisableSetDesktopBackground = + true; # Remove the “Set As Desktop Background…” menuitem when right clicking on an image. + DisableSystemAddonUpdate = + true; # Prevent system add-ons from being installed or updated. + DisableTelemetry = true; # DisableTelemetry + # DisableThirdPartyModuleBlocking = ""; # Do not allow blocking third-party modules (windows only) + DisplayBookmarksToolbar = + "never"; # Set the initial state of the bookmarks toolbar. + DisplayMenuBar = "default-off"; # Set the state of the menubar. + DNSOverHTTPS = + { # Configure DNS over HTTPS - test using -> https://one.one.one.one/help/ + Enabled = true; # determines whether DNS over HTTPS is enabled + ProviderURL = + "https://mozilla.cloudflare-dns.com/dns-query"; # is a URL to another provider + Locked = + true; # prevents the user from changing DNS over HTTPS preferences + ExcludedDomains = + [ "example.com" ]; # excludes domains from DNS over HTTPS + Fallback = + true; # determines whether or not Firefox will use your default DNS resolver if there is a problem with the secure DNS provider + }; + DontCheckDefaultBrowser = + true; # Don’t check if Firefox is the default browser at startup. + # DownloadDirectory = "/home/cc/Downloads/"; # Set and lock the download directory. + EnableTrackingProtection = { # Configure tracking protection. + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + EmailTracking = true; + # Exceptions = [ + # "https://example.com" + # ]; + }; + EncryptedMediaExtensions = + { # Enable or disable Encrypted Media Extensions (like widevine) and optionally lock it. 
+ Enabled = true; + Locked = true; + }; + # EnterprisePoliciesEnabled = ""; # Enable policy support on macOS. + # ExemptDomainFileTypePairsFromFileTypeDownloadWarnings = [ # Disable warnings based on file extension for specific file types on domains. + # { + # file_extension = "jnlp"; + # domains = ["example.com"]; + # } + # ]; + # Extensions = ""; # use ExtensionSettings instead - Control the installation, uninstallation and locking of extensions. + # you can find the extension names in about:support -> Add-ons + ExtensionSettings = { # Manage all aspects of extensions. + "*" = { + installation_mode = "blocked"; + blocked_install_message = + "You cannot install additional extensions without a declarative config! :)"; + }; + # "addons-search-detection@mozilla.com" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "bing@search.mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "ddg@search.mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "google@search.mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # Vimium + "{d7742d87-e61d-4b78-b8a1-b469842139fa}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4259790/vimium_ff-2.1.2.xpi"; # vimium-ff + }; + # "wikipedia@search.mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "default-theme@mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + + # 'Improve YouTube!' 
🎧 (for YouTube & Videos)' + "{3c6bf0cc-3ae2-42fb-9993-0d33104fdcaf}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4375372/youtube_addon-4.1122.xpi"; # youtube-addon + }; + # Tampermonkey + "firefox@tampermonkey.net" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4379021/tampermonkey-5.3.2.xpi"; # tampermonkey + }; + # AI-based Grammar Checker & Paraphraser – LanguageTool + "languagetool-webextension@languagetool.org" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4341696/languagetool-8.11.8.xpi"; # languagetool + }; + + # Auto Discard Tab + "{c2c003ee-bd69-42a2-b0e9-6f34222cb046}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4045009/auto_tab_discard-0.6.7.xpi"; # auto-tab-discard + }; + # Bitwarden - Free Password Manager + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4371752/bitwarden_password_manager-2024.10.1.xpi"; # bitwarden-password-manager + }; + # TODO: Bypass Paywalls Clean - not working, need to debug + "magnolia@12.34" = { + installation_mode = "force_installed"; + install_url = + "https://gitflic.ru/project/magnolia1234/bpc_uploads/blob/raw?file=bypass_paywalls_clean-3.8.9.0.xpi"; # bypass paywalls clean + }; + # CanvasBlocker + "CanvasBlocker@kkapsner.de" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4262820/canvasblocker-1.10.1.xpi"; # canvasblocker + }; + # ClearURLs + "{74145f27-f039-47ce-a470-a662b129930a}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4064884/clearurls-1.26.1.xpi"; # clearurls + }; + # Dark Reader + "addon@darkreader.org" 
= { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4378073/darkreader-4.9.96.xpi"; # darkreader + }; + # Decentraleyes + "jid1-BoFifL9Vbdl2zQ@jetpack" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4255788/decentraleyes-2.0.19.xpi"; # decentraleyes + }; + # Firefox Multi-Account Containers + "@testpilot-containers" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4355970/multi_account_containers-8.2.0.xpi"; # multi-account-containers + }; + # Open external links in a container + "{f069aec0-43c5-4bbf-b6b4-df95c4326b98}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/3566167/open_url_in_container-1.0.3.xpi"; # open-url-in-container + }; + # Privacy Badger + "jid1-MnnxcxisBPnSXQ@jetpack" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4321653/privacy_badger17-2024.7.17.xpi"; # privacy-badger17 + }; + # React Developer Tools + "@react-devtools" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4360002/react_devtools-6.0.0.xpi"; # react-devtools + }; + # Read Aloud: A Text to Speech Voice Reader + "{ddc62400-f22d-4dd3-8b4a-05837de53c2e}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4350883/read_aloud-1.73.0.xpi"; # read-aloud + }; + # Return YouTube Dislike + "{762f9885-5a13-4abd-9c77-433dcd38b8fd}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4371820/return_youtube_dislikes-3.0.0.18.xpi"; # return-youtube-dislikes + }; + # Search by Image + "{2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c}" = { + installation_mode = "force_installed"; + install_url = + 
"https://addons.mozilla.org/firefox/downloads/file/2821476/search-2.0.xpi"; # search_by_image + }; + # Sidebery + "{3c078156-979c-498b-8990-85f7987dd929}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4246774/sidebery-5.2.0.xpi"; # sidebery + }; + # SponsorBlock for YouTube - Skip Sponsorships + "sponsorBlocker@ajay.app" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4372080/sponsorblock-5.9.5.xpi"; # sponsorblock + }; + # GSConnect + "gsconnect@andyholmes.github.io" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/3626312/gsconnect-8.xpi"; # gsconnect + }; + # # DeArrow + # # removing this since it's not that useful and also slows down the loading speed of youtube + # "deArrow@ajay.app" = { + # installation_mode = "force_installed"; + # install_url = "https://addons.mozilla.org/firefox/downloads/file/4254118/dearrow-1.5.11.xpi"; + # }; + # Stylebot + "{52bda3fd-dc48-4b3d-a7b9-58af57879f1e}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/3979493/stylebot_web-3.1.3.xpi"; # stylebot-web + }; + # Tab Stash + "tab-stash@condordes.net" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4361352/tab_stash-3.1.1.xpi"; # tab-stash + }; + # Tabliss + "extension@tabliss.io" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/3940751/tabliss-2.6.0.xpi"; # tabliss + }; + # uBlacklist + "@ublacklist" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4327308/ublacklist-8.9.2.xpi"; # ublacklist + }; + # uBlock Origin + "uBlock0@raymondhill.net" = { + installation_mode = "force_installed"; + install_url = + 
"https://addons.mozilla.org/firefox/downloads/file/4359936/ublock_origin-1.60.0.xpi"; # ublock-origin + }; + # User-Agent Switcher and Manager + "{a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4098688/user_agent_string_switcher-0.5.0.xpi"; # user-agent-string-switcher + }; + # Video Speed Controller + "{7be2ba16-0f1e-4d93-9ebc-5164397477a9}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/3756025/videospeed-0.6.3.3.xpi"; # videospeed + }; + # Web Archives + "{d07ccf11-c0cd-4938-a265-2a4d6ad01189}" = { + installation_mode = "force_installed"; + install_url = + "https://addons.mozilla.org/firefox/downloads/file/4361316/view_page_archive-7.0.0.xpi"; # view-page-archive + }; + # "firefox-compact-dark@mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "firefox-alpenglow@mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + # "firefox-compact-light@mozilla.org" = { + # installation_mode = "force_installed"; + # install_url = ""; + # }; + + # "uBlock0@raymondhill.net": { + # "installation_mode": "force_installed", + # "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" + # }, + # "https-everywhere@eff.org": { + # "installation_mode": "allowed", + # "updates_disabled": false + # } + }; + ExtensionUpdate = false; # Control extension updates. + FirefoxHome = { # Customize the Firefox Home page. + Search = false; + TopSites = false; + SponsoredTopSites = false; + Highlights = false; + Pocket = false; + SponsoredPocket = false; + Snippets = false; + # Locked = true; + }; + FirefoxSuggest = { # Customize Firefox Suggest. 
+ WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + # Locked = true; + }; + GoToIntranetSiteForSingleWordEntryInAddressBar = + false; # Force direct intranet site navigation instead of searching when typing single word entries in the address bar. + Handlers = { # Configure default application handlers. + # mimeTypes = { + # "application/msword" = { + # action = "useSystemDefault"; + # ask = false; + # }; + # }; + schemes = { + mailto = { + action = "useHelperApp"; + ask = true; + handlers = [{ + name = "Gmail"; + uriTemplate = + "https://mail.google.com/mail/?extsrc=mailto&url=%s"; + }]; + }; + }; + # extensions = { + # pdf = { + # action = "useHelperApp"; + # ask = true; + # handlers = [ + # { + # name = "Adobe Acrobat"; + # path = "/usr/bin/acroread"; + # } + # ]; + # }; + # }; + }; + + # Control hardware acceleration. + # - this exposis points for fingerprinting, so disabling it helps + # - but when enabled it gives a massive performace improvement + # To check: See about:support. If your compositor is WebRender without any caveats (like software), your Firefox is hardware accelerated + HardwareAcceleration = true; + + Homepage = { # Configure the default homepage and how Firefox starts. + # URL = "http://example.com/"; + # Locked = true; + # Additional = [ + # "http://example.org/" + # "http://example.edu/" + # ]; + StartPage = "previous-session"; + }; + # InstallAddonsPermission = { # Configure the default extension install policy as well as origins for extension installs are allowed. + # Allow = []; + # Default = false; + # }; + # LegacyProfiles = ""; # Disable the feature enforcing a separate profile for each installation. + # LegacySameSiteCookieBehaviorEnabled = ""; # Enable default legacy SameSite cookie behavior setting. + # LegacySameSiteCookieBehaviorEnabledForDomainList = ""; # Revert to legacy SameSite behavior for cookies on specified sites. + # LocalFileLinks = ""; # Enable linking to local files by origin. 
+ ManagedBookmarks = + [ # Configures a list of bookmarks managed by an administrator that cannot be changed by the user. + { toplevel_name = "My managed bookmarks folder"; } + { + url = "codingcoffee.dev"; + name = "CodingCoffee"; + } + { + name = "LLM"; + children = [ + { + url = "https://claude.ai/chats"; + name = "Claude"; + } + { + url = "https://chat.openai.com/chats"; + name = "ChatGPT"; + } + ]; + } + ]; + ManualAppUpdateOnly = + true; # Allow manual updates only and do not notify the user about updates. + NetworkPrediction = + true; # Enable or disable network prediction (DNS prefetching). + # NewTabPage = true; # Enable or disable the New Tab page. + NoDefaultBookmarks = true; # Disable the creation of default bookmarks. + OfferToSaveLogins = + false; # Control whether or not Firefox offers to save passwords. Managed by KeepAss instead + # OfferToSaveLoginsDefault = false; # ignored because OfferToSaveLogins is present - Set the default value for whether or not Firefox offers to save passwords. + # OverrideFirstRunPage = ""; # Override the first run page. + # OverridePostUpdatePage = ""; # Override the upgrade page. + PasswordManagerEnabled = + false; # Remove (some) access to the password manager. + # PasswordManagerExceptions = []; # Prevent Firefox from saving passwords for specific sites. + PDFjs = { # Disable or configure PDF.js, the built-in PDF viewer. + Enabled = true; + EnablePermissions = false; + }; + Permissions = + { # Set permissions associated with camera, microphone, location, and notifications. 
+ Camera = { + Allow = [ "https://meet.google.com" ]; + Block = [ ]; + BlockNewRequests = false; + Locked = false; + }; + Microphone = { + Allow = [ "https://meet.google.com" ]; + Block = [ ]; + BlockNewRequests = false; + Locked = false; + }; + Location = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = false; + }; + Notification = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = false; + }; + Autoplay = { + Allow = [ ]; + Block = [ ]; + Default = "block-audio-video"; + Locked = false; + }; + }; + PictureInPicture = { # Enable or disable Picture-in-Picture. + Enabled = false; + Locked = true; + }; + PopupBlocking = + { # Configure the default pop-up window policy as well as origins for which pop-up windows are allowed. + Allow = [ "https://mail.google.com" ]; + Default = false; + Locked = true; + }; + # Preferences = ""; # Set and lock preferences. + # PrimaryPassword = ""; # Require or prevent using a primary (formerly master) password. + PrintingEnabled = true; # Enable or disable printing. + PromptForDownloadLocation = + true; # Ask where to save each file before downloading. + # Proxy = ""; # Configure proxy settings. + # RequestedLocales = "en-US"; # Set the the list of requested locales for the application in order of preference. + SearchBar = "unified"; # Set whether or not search bar is displayed. + SearchSuggestEnabled = false; # Enable search suggestions. + # SecurityDevices = ""; # Install PKCS #11 modules. + ShowHomeButton = false; # Show the home button on the toolbar. + # SSLVersionMax = ""; # Set and lock the maximum version of TLS. + # SSLVersionMin = ""; # Set and lock the minimum version of TLS. + StartDownloadsInTempDirectory = + true; # Force downloads to start off in a local, temporary location rather than the default download directory. + # SupportMenu = ""; # Add a menuitem to the help menu for specifying support information. + UserMessaging = { # Don’t show certain messages to the user. 
+ WhatsNew = false; + ExtensionRecommendations = true; + FeatureRecommendations = true; + UrlbarInterventions = true; + SkipOnboarding = true; + MoreFromMozilla = true; + Locked = true; + }; + UseSystemPrintDialog = + false; # Print using the system print dialog instead of print preview. + # WebsiteFilter = { # Block websites from being visited. + # Block = [ + # "" + # ]; + # Exceptions = [ + # "http://example.org/*" + # ]; + # }; + # WindowsSSO = ""; # Allow Windows single sign-on for Microsoft, work, and school accounts. + }; + profiles = { + quasar = { + id = 0; + name = "quasar"; + isDefault = true; + + # to remove the file containers.json and force replace it with a symlink + containersForce = true; + + containers = { + "TheFourHorsemen" = { + id = 1; + color = "orange"; + icon = "fingerprint"; + }; + "Grapevine-Ameya" = { + id = 2; + color = "purple"; + icon = "briefcase"; + }; + "Grapevine" = { + id = 3; + color = "pink"; + icon = "dollar"; + }; + "Trized" = { + id = 5; + color = "green"; + icon = "tree"; + }; + }; + + # NOTE: the way to figure this out is to + # 1. take a backup of the prefs.js file + # 2. make the change manually in firefox setting + # 3. see the diff of the backed up pref.js file with the new pref.js file + # These will apply at the individual profile level. Policies apply at firefox global level + settings = { + # Open previous windows and tabs + "browser.startup.page" = 3; + # Confirm before closing multiple tabs + "browser.tabs.warnOnClose" = true; + # When you open a link, image or media in a new tab, switch to it + # immediately within firefox, not when coming from outside of firefox + "browser.tabs.loadInBackground" = true; + # What should Firefox do with other files? 
+ "browser.download.always_ask_before_handling_new_types" = true; + # Play DRM-controlled content + "media.eme.enabled" = true; + # Show search suggestions ahead of browsing history in address bar results + "browser.urlbar.showSearchSuggestionsFirst" = false; + # Tell websites not to sell or share my data + "privacy.donottrackheader.enabled" = true; + # Send websites a “Do Not Track” request + "privacy.globalprivacycontrol.enabled" = true; + "privacy.globalprivacycontrol.was_ever_enabled" = true; + # Allow Firefox to install and run studies + "app.shield.optoutstudies.enabled" = false; + # Allow Firefox to send technical and interaction data to Mozilla + "datareporting.healthreport.uploadEnabled" = false; + # Pocket - Recommend Stories + "browser.newtabpage.activity-stream.feeds.section.topstories" = + false; + + "browser.disableResetPrompt" = true; + "browser.download.panel.shown" = true; + "browser.download.useDownloadDir" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.shell.checkDefaultBrowser" = false; + # "browser.shell.defaultBrowserCheckCount" = 1; + # "browser.startup.homepage" = "https://start.duckduckgo.com"; + "browser.uiCustomization.state" = '' + 
{"placements":{"widget-overflow-fixed-list":[],"unified-extensions-area":["_3c6bf0cc-3ae2-42fb-9993-0d33104fdcaf_-browser-action","sponsorblocker_ajay_app-browser-action","jid1-mnnxcxisbpnsxq_jetpack-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action","_74145f27-f039-47ce-a470-a662b129930a_-browser-action","_7be2ba16-0f1e-4d93-9ebc-5164397477a9_-browser-action","_c2c003ee-bd69-42a2-b0e9-6f34222cb046_-browser-action","_react-devtools-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","_ublacklist-browser-action","canvasblocker_kkapsner_de-browser-action","magnolia_12_34-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","firefox_tampermonkey_net-browser-action","languagetool-webextension_languagetool_org-browser-action"],"nav-bar":["back-button","forward-button","stop-reload-button","customizableui-special-spring1","urlbar-container","customizableui-special-spring2","downloads-button","fxa-toolbar-menu-button","_testpilot-containers-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_d7742d87-e61d-4b78-b8a1-b469842139fa_-browser-action","addon_darkreader_org-browser-action","_52bda3fd-dc48-4b3d-a7b9-58af57879f1e_-browser-action","_ddc62400-f22d-4dd3-8b4a-05837de53c2e_-browser-action","ublock0_raymondhill_net-browser-action","unified-extensions-button","_3c078156-979c-498b-8990-85f7987dd929_-browser-action","tab-stash_condordes_net-browser-action"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["firefox-view-button","tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["managed-bookmarks","import-button","personal-bookmarks"]},"seen":["save-to-pocket-button","developer-button","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_3c078156-979c-498b-8990-85f7987dd929_-browser-action","_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_74145f27-f039-47ce-a4
70-a662b129930a_-browser-action","_7be2ba16-0f1e-4d93-9ebc-5164397477a9_-browser-action","_c2c003ee-bd69-42a2-b0e9-6f34222cb046_-browser-action","_d7742d87-e61d-4b78-b8a1-b469842139fa_-browser-action","_react-devtools-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","addon_darkreader_org-browser-action","_ublacklist-browser-action","canvasblocker_kkapsner_de-browser-action","_testpilot-containers-browser-action","jid1-mnnxcxisbpnsxq_jetpack-browser-action","sponsorblocker_ajay_app-browser-action","magnolia_12_34-browser-action","tab-stash_condordes_net-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","ublock0_raymondhill_net-browser-action","firefox_tampermonkey_net-browser-action","languagetool-webextension_languagetool_org-browser-action","_3c6bf0cc-3ae2-42fb-9993-0d33104fdcaf_-browser-action","_52bda3fd-dc48-4b3d-a7b9-58af57879f1e_-browser-action","_ddc62400-f22d-4dd3-8b4a-05837de53c2e_-browser-action"],"dirtyAreaCache":["nav-bar","PersonalToolbar","unified-extensions-area","toolbar-menubar","TabsToolbar"],"currentVersion":20,"newElementCount":7}''; + "dom.security.https_only_mode" = true; + "identity.fxaccounts.enabled" = false; + "privacy.trackingprotection.enabled" = true; + "signon.rememberSignons" = false; + + # ensure hardware video decoding on ff to save battery + "media.hardware-video-decoding.enabled" = true; + }; + search = { + force = true; + default = "Google"; + order = [ "Google" ]; + engines = { + "Nix Packages" = { + urls = [{ + template = "https://search.nixos.org/packages"; + params = [ + { + name = "type"; + value = "packages"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + }]; + icon = + "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@np" ]; + }; + "NixOS Wiki" = { + urls = [{ + template = + "https://nixos.wiki/index.php?search={searchTerms}"; + }]; + iconUpdateURL = "https://nixos.wiki/favicon.png"; + updateInterval = 24 * 60 * 60 * 1000; 
# every day
+ definedAliases = [ "@nw" ];
+ };
+ "Bing".metaData.hidden = true;
+ "Google".metaData.alias =
+ "@g"; # builtin engines only support specifying one additional alias
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/modules/home/programs/qemu/default.nix b/nix/modules/home/programs/qemu/default.nix
new file mode 100644
index 0000000..30725f8
--- /dev/null
+++ b/nix/modules/home/programs/qemu/default.nix
@@ -0,0 +1,5 @@
+# Enabling this by default since its nothing more than a config file. If kvm
+# exists, it'll be utilized, otherwise not
+_: {
+ xdg.configFile."libvirt/qemu.conf".source = ./qemu.conf;
+}
diff --git a/nix/modules/home/programs/qemu/qemu.conf b/nix/modules/home/programs/qemu/qemu.conf
new file mode 100644
index 0000000..85fe5be
--- /dev/null
+++ b/nix/modules/home/programs/qemu/qemu.conf
@@ -0,0 +1,4 @@
+# Adapted from /var/lib/libvirt/qemu.conf
+# Note that AAVMF and OVMF are for Aarch64 and x86 respectively
+nvram = [ "/run/libvirt/nix-ovmf/AAVMF_CODE.fd:/run/libvirt/nix-ovmf/AAVMF_VARS.fd", "/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd" ]
+
diff --git a/nix/modules/home/programs/wezterm/default.nix b/nix/modules/home/programs/wezterm/default.nix
new file mode 100644
index 0000000..9d33dd9
--- /dev/null
+++ b/nix/modules/home/programs/wezterm/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, inputs, ... }: {
+ options.snowflake.home.programs.wezterm.enable =
+ lib.mkEnableOption "enable custom wezterm";
+
+ config = lib.mkIf config.snowflake.home.programs.wezterm.enable {
+ programs.wezterm = {
+ enable = true;
+ package = inputs.wezterm.packages.${pkgs.system}.default;
+
+ # can use this for managing the config inside nix, but I'd rather use stow
+ # to manage config, since that way the config can be easily used on non nix
+ # systems as well
+ extraConfig = builtins.readFile ./wezterm.lua;
+ };
+ };
+}
diff --git a/nix/modules/home/programs/wezterm/wezterm.lua b/nix/modules/home/programs/wezterm/wezterm.lua
new file mode 100644
index 0000000..5a4dfde
--- /dev/null
+++ b/nix/modules/home/programs/wezterm/wezterm.lua
@@ -0,0 +1,49 @@
+-- Pull in the wezterm API
+local wezterm = require 'wezterm'
+
+-- This table will hold the configuration.
+local config = {}
+
+-- In newer versions of wezterm, use the config_builder which will
+-- help provide clearer error messages
+if wezterm.config_builder then
+ config = wezterm.config_builder()
+end
+
+-- This is where you actually apply your config choices
+
+config.color_scheme = 'Monokai (terminal.sexy)'
+
+config.window_background_opacity = 0.5
+
+config.window_decorations = "RESIZE"
+
+config.use_fancy_tab_bar = false
+config.show_tabs_in_tab_bar = false
+config.show_new_tab_button_in_tab_bar = false
+
+config.font = wezterm.font 'Iosevka Nerd Font'
+config.font_size = 13.0
+
+local xcursor_size = nil
+local xcursor_theme = nil
+
+local success, stdout, stderr = wezterm.run_child_process({"gsettings", "get", "org.gnome.desktop.interface", "cursor-theme"})
+if success then
+ xcursor_theme = stdout:gsub("'(.+)'\n", "%1")
+end
+
+local success, stdout, stderr = wezterm.run_child_process({"gsettings", "get", "org.gnome.desktop.interface", "cursor-size"})
+if success then
+ xcursor_size = tonumber(stdout)
+end
+
+config.xcursor_theme = xcursor_theme
+config.xcursor_size = xcursor_size
+
+-- workaround for showing cursor on wezterm
+config.enable_wayland = false
+
+-- and finally, return the configuration to wezterm
+return config
+
diff --git a/nix/modules/nixos/core/default.nix b/nix/modules/nixos/core/default.nix
new file mode 100644
index 0000000..ae02de5
--- /dev/null
+++ b/nix/modules/nixos/core/default.nix
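Review bot: The second `local success, stdout, stderr = wezterm.run_child_process(...)` redeclares the three locals introduced a few lines above in the same scope, and `stderr` is never read in either probe; dropping the second `local` (`success, stdout, stderr = wezterm.run_child_process({...})`) or wrapping each probe in its own `do ... end` block removes the shadowing a linter will flag. Worth a comment that when the `gsub` pattern does not match (a different quoting from `gsettings`), `xcursor_theme` receives the raw output including its trailing newline; `xcursor_theme = stdout:match("'(.+)'")` yields `nil` instead in that case, which is what the later `config.xcursor_theme = xcursor_theme` assignment appears to expect.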
@@ -0,0 +1,142 @@
+{ config, lib, pkgs, system, inputs, ... }: {
+ options.snowflake = {
+ extraPackages = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [ ];
+ description = "Extra packages to be installed system-wide";
+ };
+ };
+
+ config = {
+ # roots ssh keys
+ users.users.root.openssh.authorizedKeys.keys = [
+ # change this to your ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+
+ # base packages required everywhere
+ environment = {
+ shells = with pkgs; [ bash zsh fish ];
+ systemPackages = with pkgs;
+ map lib.lowPrio [
+ # base packages
+ ## ssl
+ openssl
+
+ ## data transfer
+ rsync
+ curl
+ wget
+ aria2 # torrent
+
+ ## editor
+ neovim
+
+ ## version management
+ git
+
+ ## disk space utility management
+ ncdu
+
+ ## disk utility management
+ gptfdisk
+
+ ## monitoring utility
+ htop
+ btop
+
+ ## battery management
+ acpi
+
+ ## system info
+ neofetch
+ inxi
+
+ ## networking utility
+ inetutils # for telnet
+ mtr # for latency and network path monitoring
+ dig # for dns query
+ whois # for domain name ownership query
+ prettyping # for latency monitoring
+ ethtool # for network interface monitoring
+ wol # for wakeonlan
+
+ ## file interaction
+ fzf
+ ripgrep
+ jq
+ file
+ tree
+ eza
+
+ ## generic linux utils
+ coreutils
+ unixtools.xxd # for generating uuid
+ file # for checking filetype
+
+ ## pci utilities
+ pciutils
+ lshw
+
+ ## usb utilities
+ usbutils
+
+ ## nix specific
+ # nix-output-monitor # pretty build outputs # removing since taken care of by nh
+ ] ++ config.snowflake.extraPackages;
+ };
+
+ programs.bash.shellAliases = {
+ d = "docker";
+ v = "nvim";
+ dco = "docker compose";
+ };
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ };
+
+ nix = {
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ sandbox = true;
+ auto-optimise-store = true;
+ };
+ };
+
+ # higher openssh security
+ services.openssh = {
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
+
+ documentation = {
+ enable = true;
+ man = {
+ enable = true;
+ man-db.enable = false;
+ mandoc.enable = true;
+ generateCaches = true;
+ };
+ };
+
+ programs.nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 7d --keep 7";
+ };
+
+ system.activationScripts.diff = {
+ supportsDryActivation = true;
+ text = ''
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff /run/current-system "$systemConfig"
+ "${
+ inputs.nixos-needtoreboot.packages."${system}".default
+ }/bin/nixos-needsreboot"
+ '';
+ };
+ };
+}
diff --git a/nix/modules/nixos/core/latestKernel/default.nix b/nix/modules/nixos/core/latestKernel/default.nix
new file mode 100644
index 0000000..0a6d8a5
--- /dev/null
+++ b/nix/modules/nixos/core/latestKernel/default.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }: {
+ options.snowflake.core.latestKernel =
+ lib.mkEnableOption "enable latest kernel";
+
+ config = lib.mkIf config.snowflake.core.latestKernel {
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ };
+}
diff --git a/nix/modules/nixos/core/locale/default.nix b/nix/modules/nixos/core/locale/default.nix
new file mode 100644
index 0000000..653db0c
--- /dev/null
+++ b/nix/modules/nixos/core/locale/default.nix
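Review bot: The root `authorizedKeys.keys` entry is a hard-coded personal key with a `# change this to your ssh key` comment, in a module that otherwise exposes its knobs through `options.snowflake` (`extraPackages`); the same literal is repeated in hardware/default.nix's initrd `authorizedKeys`, so a single option consumed by both would stop the two copies drifting apart. While touching the `services.openssh.settings` block, pinning `settings.PermitRootLogin = "prohibit-password";` states the key-only intent explicitly instead of relying on the NixOS default. `file` is listed twice in `systemPackages` (under `## file interaction` and `## generic linux utils`); harmless, but one of them can go.
```nix
  options.snowflake = {
    # … unchanged: extraPackages …
    rootAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "SSH public keys allowed to log in as root (key-only login)";
    };
  };

  config = {
    users.users.root.openssh.authorizedKeys.keys =
      config.snowflake.rootAuthorizedKeys;
    # … unchanged: environment, programs, nix …
    services.openssh = {
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      # the NixOS default already prohibits password login for root; pin it
      settings.PermitRootLogin = "prohibit-password";
    };
    # … unchanged: documentation, nh, activation script …
  };
```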
@@ -0,0 +1,24 @@
+{ config, lib, ... }: {
+ options.snowflake = {
+ locale = lib.mkOption {
+ type = lib.types.str;
+ description = "locale";
+ };
+ };
+
+ config = {
+ # Select internationalisation properties.
+ i18n.defaultLocale = config.snowflake.locale;
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = config.snowflake.locale;
+ LC_IDENTIFICATION = config.snowflake.locale;
+ LC_MEASUREMENT = config.snowflake.locale;
+ LC_MONETARY = config.snowflake.locale;
+ LC_NAME = config.snowflake.locale;
+ LC_NUMERIC = config.snowflake.locale;
+ LC_PAPER = config.snowflake.locale;
+ LC_TELEPHONE = config.snowflake.locale;
+ LC_TIME = config.snowflake.locale;
+ };
+ };
+}
diff --git a/nix/modules/nixos/core/openssh/default.nix b/nix/modules/nixos/core/openssh/default.nix
new file mode 100644
index 0000000..3ff9e0c
--- /dev/null
+++ b/nix/modules/nixos/core/openssh/default.nix
@@ -0,0 +1,9 @@
+{ config, lib, ... }: {
+ options.snowflake.core.openssh = {
+ enable = lib.mkEnableOption "enable openssh";
+ };
+
+ config = lib.mkIf config.snowflake.core.openssh.enable {
+ services.openssh.enable = true;
+ };
+}
diff --git a/nix/modules/nixos/core/usbguard/default.nix b/nix/modules/nixos/core/usbguard/default.nix
new file mode 100644
index 0000000..74bc85b
--- /dev/null
+++ b/nix/modules/nixos/core/usbguard/default.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: {
+ options.snowflake.core.usbguard = {
+ ### WARNING ###
+ # NOTE: be very careful before turning on usbguard. It'll has the potential
+ # to disable your keyboard and render your system useless. To use this
+ # module follow the following steps.
+ #
+ # 1. Enable this module while keeping the serviceEnable option set to false.
+ # This will only install usbguard onto your system without enabling the
+ # usbguard systemd service.
+ # 2. Do not connect any USB devices to your laptop. Or only connect
+ # trusted, frequently used devices
+ # 3. use the command `usbguard generate-policy` to generate the usbguard
+ # "rules". This will generate a list of devices which are trusted and can
+ # be interfaced with the system without explicit approval. This include
+ # your inbuilt keyboard, webcam etc
+ # 4. set the output of this command as the value for the "rules" option,
+ # and set the "serviceEnable" option to true
+ #
+ # Ref:
+ # - https://github.com/USBGuard/usbguard/blob/main/doc/man/usbguard-rules.conf.5.adoc
+ ### WARNING ###
+
+ # FAQ
+ # - to connect a new USB device
+ # - run `sudo usbguard watch` in a tty
+ # - connect your device
+ # - find the device ID from the tty running `usbguard watch`
+ # - run `sudo usbguard allow-device {device_id}` to allow the device to
+ # interface with the system
+
+ enable =
+ lib.mkEnableOption "enable usbguard module and only install usbguard";
+
+ serviceEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "explicitly enable the usbguard service";
+ };
+
+ rules = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description =
+ "usbguard rules for default devices which are allowed to be connected";
+ };
+ };
+
+ config = lib.mkIf config.snowflake.core.usbguard.enable {
+ environment.systemPackages = with pkgs; [ usbguard ];
+
+ services.usbguard.enable = config.snowflake.core.usbguard.serviceEnable;
+ services.usbguard.rules = config.snowflake.core.usbguard.rules;
+ };
+}
diff --git a/nix/modules/nixos/hardware/default.nix b/nix/modules/nixos/hardware/default.nix
new file mode 100644
index 0000000..c8f1748
--- /dev/null
+++ b/nix/modules/nixos/hardware/default.nix
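Review bot: Nothing stops `serviceEnable = true` from being combined with the default empty `rules`, which is exactly the lock-out the WARNING comment describes: with no allow rules the service applies its implicit block policy and the built-in keyboard goes with it. An assertion in the `config` block turns that combination into an evaluation error instead of an unusable console. The NixOS `services.usbguard.rules` option accepts `null` as far as I recall, so passing `null` rather than `""` when unset would also make the intent clearer — confirm against the module before changing the option type. The comment's `It'll has the potential` should read `It has the potential`.
```nix
  config = lib.mkIf config.snowflake.core.usbguard.enable {
    assertions = [{
      assertion = !config.snowflake.core.usbguard.serviceEnable
        || config.snowflake.core.usbguard.rules != "";
      message =
        "snowflake.core.usbguard.serviceEnable needs a non-empty snowflake.core.usbguard.rules; an empty policy blocks every USB device, including the keyboard";
    }];
    # … unchanged: systemPackages and services.usbguard wiring …
  };
```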
@@ -0,0 +1,75 @@
+{ config, lib, ... }: {
+ options.snowflake.hardware = {
+ isEfi =
+ lib.mkEnableOption "pick systemd-boot if an EFI system or grub otherwise";
+ diskDevice = lib.mkOption {
+ type = lib.types.str;
+ description = "path to disk device eg. /dev/sda";
+ };
+ isInitrdLuksUnlockingEnabled =
+ lib.mkEnableOption "enable SSH in initrd to remotely unlock LUKS device";
+ xbootldrMountPoint = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description = "mount point for boot";
+ };
+ efiSysMountPoint = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description = "mount point for efi";
+ };
+ };
+
+ config = {
+ boot = {
+ loader = if config.snowflake.hardware.isEfi then {
+ systemd-boot = {
+ enable = true;
+ xbootldrMountPoint =
+ if config.snowflake.hardware.xbootldrMountPoint != "" then
+ config.snowflake.hardware.xbootldrMountPoint
+ else
+ null;
+ };
+ efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint =
+ if config.snowflake.hardware.efiSysMountPoint != "" then
+ config.snowflake.hardware.efiSysMountPoint
+ else
+ "/boot";
+ };
+ } else {
+ grub = {
+ enable = true;
+ device = config.snowflake.hardware.diskDevice;
+ useOSProber = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ };
+
+ # Enable remote LUKS unlocking. This allows remote SSH to unlock LUKS
+ # encrypted root. $ ssh root@ While in the shell, run
+ # `cryptsetup-askpass` to trigger the unlock prompt.
+ initrd = lib.mkIf config.snowflake.hardware.isInitrdLuksUnlockingEnabled {
+ network = {
+ flushBeforeStage2 = true;
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+ };
+ };
+ };
+ # Use DHCP to figure out the IP address.
+ kernelParams =
+ lib.mkIf config.snowflake.hardware.isInitrdLuksUnlockingEnabled
+ [ "ip=dhcp" ];
+ };
+ };
+}
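Review bot: `hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]` embeds the machine's regular SSH host private key in the initrd, which by construction lives outside the LUKS volume it is there to unlock (on the boot partition, or in the world-readable Nix store when the bootloader cannot carry initrd secrets), so the key the booted system identifies itself with is exposed to anyone who can read /boot or the store. Use a key generated only for the initrd, e.g. `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];` (example path; generate it with ssh-keygen and keep it root-only), and note in the comment that clients will see a different host key before and after unlock. The `ssh-ed25519 …` authorized key is the same literal hard-coded in core/default.nix; sourcing both from one option keeps them in sync. The comment `$ ssh root@ While in the shell` looks truncated (the host placeholder is missing), so the unlock instructions read oddly.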
diff --git a/nix/modules/nixos/hardware/laptop/default.nix b/nix/modules/nixos/hardware/laptop/default.nix
new file mode 100644
index 0000000..e0a6b7d
--- /dev/null
+++ b/nix/modules/nixos/hardware/laptop/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }: {
+ options.snowflake.hardware.laptop = {
+ enable = lib.mkEnableOption "enable laptop module";
+
+ lidSwitch = lib.mkOption {
+ type = lib.types.str;
+ default = "ignore";
+ description = "action to take on lidSwitch (lid close / open)";
+ };
+ };
+
+ config = lib.mkIf config.snowflake.hardware.laptop.enable {
+ # prevent sleeping on lid close
+ # NOTE: this only works after a reboot
+ services.logind.lidSwitch = config.snowflake.hardware.laptop.lidSwitch;
+ };
+}
diff --git a/nix/modules/nixos/hardware/nvidia/default.nix b/nix/modules/nixos/hardware/nvidia/default.nix
new file mode 100644
index 0000000..885e4bc
--- /dev/null
+++ b/nix/modules/nixos/hardware/nvidia/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }: {
+ options.snowflake.hardware.nvidia = {
+ enable = lib.mkEnableOption "enable nvidia";
+ };
+
+ config = lib.mkIf config.snowflake.hardware.nvidia.enable {
+ # Enable OpenGL
+ hardware.graphics.enable = true;
+
+ # Load nvidia driver for Xorg and Wayland
+ services.xserver.videoDrivers = [ "nvidia" ];
+
+ hardware.nvidia = {
+
+ # Modesetting is required.
+ modesetting.enable = true;
+
+ # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+ # Enable this if you have graphical corruption issues or application crashes after waking
+ # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+ # of just the bare essentials.
+ powerManagement.enable = false;
+
+ # Fine-grained power management. Turns off GPU when not in use.
+ # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+ powerManagement.finegrained = false;
+
+ # Use the NVidia open source kernel module (not to be confused with the
+ # independent third-party "nouveau" open source driver).
+ # Support is limited to the Turing and later architectures. Full list of
+ # supported GPUs is at:
+ # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+ # Only available from driver 515.43.04+
+ # Currently alpha-quality/buggy, so false is currently the recommended setting.
+ open = false;
+
+ # Enable the Nvidia settings menu,
+ # accessible via `nvidia-settings`.
+ nvidiaSettings = true;
+
+ # Optionally, you may need to select the appropriate driver version for your specific GPU.
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ };
+}
diff --git a/nix/modules/nixos/networking/netbird/default.nix b/nix/modules/nixos/networking/netbird/default.nix
new file mode 100644
index 0000000..96c5dd7
--- /dev/null
+++ b/nix/modules/nixos/networking/netbird/default.nix
@@ -0,0 +1,9 @@
+{ config, lib, ... }: {
+ options.snowflake.networking.netbirdClient = {
+ enable = lib.mkEnableOption "enable netbird client";
+ };
+
+ config = lib.mkIf config.snowflake.networking.netbirdClient.enable {
+ services.netbird.enable = true;
+ };
+}
diff --git a/nix/modules/nixos/networking/networkmanager/default.nix b/nix/modules/nixos/networking/networkmanager/default.nix
new file mode 100644
index 0000000..558e6e8
--- /dev/null
+++ b/nix/modules/nixos/networking/networkmanager/default.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }: {
+ options.snowflake.networking.networkmanager = {
+ enable = lib.mkEnableOption "enable networkmanager";
+ };
+
+ config = lib.mkIf config.snowflake.networking.networkmanager.enable {
+ networking.networkmanager.enable = true;
+ networking.networkmanager.insertNameservers = [
+ "1.1.1.1" # cloudflare
+ "8.8.8.8" # google
+ "8.8.4.4" # google
+ ];
+ };
+}
diff --git a/nix/modules/nixos/networking/wakeonlan/default.nix b/nix/modules/nixos/networking/wakeonlan/default.nix
new file mode 100644
index 0000000..209b6cb
--- /dev/null
+++ b/nix/modules/nixos/networking/wakeonlan/default.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }: {
+ options.snowflake.networking.wakeOnLan = {
+ enable = lib.mkEnableOption "enable wake on LAN";
+ interface = lib.mkOption {
+ type = lib.types.str;
+ description = "interface name for wakeon lan";
+ };
+ };
+
+ config = lib.mkIf config.snowflake.networking.wakeOnLan.enable {
+ # will start working on the 2nd reboot
+ networking.interfaces = {
+ "${config.snowflake.networking.wakeOnLan.interface}" = {
+ wakeOnLan.enable = true;
+ };
+ };
+ };
+}
diff --git a/nix/modules/nixos/services/asus/default.nix b/nix/modules/nixos/services/asus/default.nix
new file mode 100644
index 0000000..85c38ea
--- /dev/null
+++ b/nix/modules/nixos/services/asus/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }: {
+ options.snowflake.services.asus.enable =
+ lib.mkEnableOption "enable asus specific modules";
+
+ config = lib.mkIf config.snowflake.services.asus.enable {
+ # specific to Asus laptop
+ # already included in flake.nix from https://github.com/NixOS/nixos-hardware/blob/master/asus/zephyrus/ga402x/shared.nix still overwiting it
+ # source: https://asus-linux.org/guides/nixos/
+ services = {
+ supergfxd.enable = true;
+ asusd = {
+ enable = true;
+ enableUserService = true;
+ };
+ };
+ };
+}
diff --git a/nix/modules/nixos/services/cloud-init/default.nix b/nix/modules/nixos/services/cloud-init/default.nix
new file mode 100644
index 0000000..ac1e475
--- /dev/null
+++ b/nix/modules/nixos/services/cloud-init/default.nix
@@ -0,0 +1,10 @@
+{ config, lib, ... }: {
+ options.snowflake.services.cloud-init.enable =
+ lib.mkEnableOption "enable cloud-init module";
+
+ config = lib.mkIf config.snowflake.services.cloud-init.enable {
+ services.cloud-init.enable = true;
+ systemd.services.cloud-config.serviceConfig = { Restart = "on-failure"; };
+ services.cloud-init.network.enable = true;
+ };
+}
diff --git a/nix/modules/nixos/services/containerised/clickhouse/config.xml b/nix/modules/nixos/services/containerised/clickhouse/config.xml
new file mode 100644
index 0000000..c2e4374
--- /dev/null
+++ b/nix/modules/nixos/services/containerised/clickhouse/config.xml
@@ -0,0 +1,114 @@ + + + :: + 0.0.0.0 + 1 + + + + + 9181 + ${SERVER_ID} + /var/lib/clickhouse/coordination/log + /var/lib/clickhouse/coordination/snapshots + + + 10000 + 30000 + trace + + + + + 1 + clickhouse-blue-1 + 9234 + + + 2 + clickhouse-blue-2 + 9234 + + + 3 + clickhouse-green-1 + 9234 + + + + + + + + /clickhouse/task_queue/ddl + + + events + ${SHARD} + ${REPLICA} + + + + + + + + true + + clickhouse-blue-1 + 9000 + + + clickhouse-blue-2 + 9000 + + + + true + + clickhouse-green-1 + 9000 + + + clickhouse-green-2 + 9000 + + + + true + + clickhouse-orange-1 + 9000 + + + clickhouse-orange-2 + 9000 + + + + + + + + + + + clickhouse-blue-1 + 9181 + + + clickhouse-blue-2 + 9181 + + + clickhouse-green-1 + 9181 + + + + + diff --git a/nix/modules/nixos/services/containerised/clickhouse/default.nix b/nix/modules/nixos/services/containerised/clickhouse/default.nix new file mode 100644 index 0000000..7104c78 --- /dev/null +++ b/nix/modules/nixos/services/containerised/clickhouse/default.nix 
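Review bot: The `${SERVER_ID}`, `${SHARD}` and `${REPLICA}` values are written as shell-style references, but ClickHouse's XML configuration does not expand those; environment values are pulled in through the `from_env` attribute on the element (for example `<server_id from_env="SERVER_ID"/>`), so as written the keeper id and macros would be taken literally unless something templates the file before it reaches the container — worth a comment either way. The element names are stripped in this rendering, so I am inferring the structure from the values; the leading `::` / `0.0.0.0` entries look like listen addresses covering every interface, which is acceptable only because the sibling default.nix publishes the ports on 127.0.0.1, and a comment stating that dependency would keep the two files from being changed independently.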
@@ -0,0 +1,41 @@
+{ config, lib, ... }: {
+ options.snowflake.services.containerised.clickhouse = {
+ enable = lib.mkEnableOption "enable clickhouse";
+
+ servers = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ version = lib.mkOption {
+ type = lib.types.str;
+ description = "clickhouse version to use";
+ };
+ ports = {
+ native = lib.mkOption { type = lib.types.port; };
+ http = lib.mkOption { type = lib.types.port; };
+ keeper = lib.mkOption { type = lib.types.port; };
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf config.snowflake.services.containerised.clickhouse.enable {
+ virtualisation.oci-containers.containers = lib.mapAttrs
+ (clickhouseName: clickhouseCfg: {
+ autoStart = true;
+ image =
+ "docker.io/clickhouse/clickhouse-server:${clickhouseCfg.version}";
+ volumes = [
+ "/var/lib/clickhouse/${clickhouseName}/data:/var/lib/clickhouse"
+ "/var/lib/clickhouse/${clickhouseName}/config/:/etc/clickhouse-server/config.d/"
+ ];
+ ports = [
+ "127.0.0.1:${builtins.toString clickhouseCfg.ports.native}:9000"
+ "127.0.0.1:${builtins.toString clickhouseCfg.ports.http}:8123"
+ "127.0.0.1:${builtins.toString clickhouseCfg.ports.keeper}:9181"
+ ];
+ extraOptions =
+ [ "--ulimit=nofile=262144:262144" "--ulimit=nproc=65535" ];
+ }) config.snowflake.services.containerised.clickhouse.servers;
+ };
+}
diff --git a/nix/modules/nixos/services/containerised/default.nix b/nix/modules/nixos/services/containerised/default.nix
new file mode 100644
index 0000000..13de5b1
--- /dev/null
+++ b/nix/modules/nixos/services/containerised/default.nix
@@ -0,0 +1,2 @@
+{ ... }: { config = { virtualisation.oci-containers.backend = "docker"; }; }
+
diff --git a/nix/modules/nixos/services/containerised/envoy/default.nix b/nix/modules/nixos/services/containerised/envoy/default.nix
new file mode 100644
index 0000000..7b896a7
--- /dev/null
+++ b/nix/modules/nixos/services/containerised/envoy/default.nix
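Review bot: The `config.d` bind mount points at `/var/lib/clickhouse/<name>/config/` on the host, but nothing in this commit populates that directory and the container definition sets no `environment` for the `SERVER_ID`/`SHARD`/`REPLICA` values the sibling config.xml refers to, so the keeper and cluster settings only take effect if they are placed there out of band; a `"${./config.xml}:/etc/clickhouse-server/config.d/config.xml:ro"` volume entry plus a per-server `environment` attribute would make the module self-contained. The cluster definition in config.xml addresses peers by container name (`clickhouse-blue-1` and so on), which needs the containers to share a Docker network with name resolution; the default `oci-containers` setup does not create one, so that presumably lives elsewhere and deserves a comment here. Binding the host side of every port to 127.0.0.1 is the right default for a data store.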
@@ -0,0 +1,31 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.envoy = { + enable = lib.mkEnableOption "enable envoy"; + + version = lib.mkOption { + type = lib.types.str; + description = "envoy version to use"; + }; + ports = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "ports to expose"; + }; + configSource = lib.mkOption { + type = lib.types.path; + description = "envoy config"; + }; + }; + + config = lib.mkIf config.snowflake.services.containerised.envoy.enable { + environment.etc."envoy/envoy.yaml".source = + config.snowflake.services.containerised.envoy.configSource; + virtualisation.oci-containers.containers.envoy = { + autoStart = true; + image = + "docker.io/envoyproxy/envoy:${config.snowflake.services.containerised.envoy.version}"; + ports = config.snowflake.services.containerised.envoy.ports; + volumes = [ "/etc/envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro" ]; + }; + }; +} diff --git a/nix/modules/nixos/services/containerised/gokapi/default.nix b/nix/modules/nixos/services/containerised/gokapi/default.nix new file mode 100644 index 0000000..b628ebd --- /dev/null +++ b/nix/modules/nixos/services/containerised/gokapi/default.nix 
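Review bot: The `ports` option takes raw Docker mappings with no guidance, and a bare `"10000:10000"` entry is bound on 0.0.0.0 through Docker's own iptables chains, outside the NixOS firewall's INPUT rules; the other container modules in this commit prefix `127.0.0.1:` by hand. Document the expectation on the option: `description = "Docker port mappings (HOST_IP:HOST_PORT:CONTAINER_PORT); prefix with 127.0.0.1: unless the listener is meant to be public, since Docker-published ports bypass networking.firewall";`. Also worth a one-line comment on `configSource`: `environment.etc` places the file world-readable in /etc and the Nix store, so the Envoy config must not embed TLS private keys or upstream credentials.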
@@ -0,0 +1,36 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.gokapi = { + enable = lib.mkEnableOption "enable gokapi"; + + domain = lib.mkOption { + type = lib.types.str; + description = "domain name to host gokapi on"; + }; + version = lib.mkOption { + type = lib.types.str; + description = "gokapi version to use"; + }; + + }; + + config = lib.mkIf config.snowflake.services.containerised.gokapi.enable { + virtualisation.oci-containers.containers.gokapi = { + autoStart = true; + image = + "docker.io/f0rc3/gokapi:${config.snowflake.services.containerised.gokapi.version}"; + volumes = [ + "/var/lib/gokapi/data:/app/data" + "/var/lib/gokapi/config:/app/config" + ]; + ports = [ "127.0.0.1:53842:53842" ]; + }; + + services.nginx.virtualHosts."${config.snowflake.services.containerised.gokapi.domain}" = + { + serverName = config.snowflake.services.containerised.gokapi.domain; + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:53842/"; }; + }; + }; +} diff --git a/nix/modules/nixos/services/containerised/imgproxy/default.nix b/nix/modules/nixos/services/containerised/imgproxy/default.nix new file mode 100644 index 0000000..1e312e1 --- /dev/null +++ b/nix/modules/nixos/services/containerised/imgproxy/default.nix 
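Review bot: The vhost for a file-sharing service inherits the module-wide `clientMaxBodySize`, which this commit's nginx module defaults to `10m`, so uploads above that are rejected by nginx with 413 before gokapi sees them. Set a deliberate, documented cap on this location rather than relying on the global default, e.g. `locations."/".extraConfig = "client_max_body_size 2g;";` with a comment that gokapi enforces its own per-file limits. The `/var/lib/gokapi/config` volume holds gokapi's admin credentials and API keys; a comment noting that directory must stay root-only would help whoever provisions the host.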
@@ -0,0 +1,36 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.imgproxy = { + enable = lib.mkEnableOption "enable imgproxy"; + + domain = lib.mkOption { + type = lib.types.str; + description = "domain name to host imgproxy on"; + }; + version = lib.mkOption { + type = lib.types.str; + description = "imgproxy version to use"; + }; + + }; + + config = lib.mkIf config.snowflake.services.containerised.imgproxy.enable { + virtualisation.oci-containers.containers.imgproxy = { + autoStart = true; + image = + "docker.io/darthsim/imgproxy:${config.snowflake.services.containerised.imgproxy.version}"; + ports = [ "127.0.0.1:8080:8080" ]; + environment = { + IMGPROXY_MAX_ANIMATION_FRAMES = "10"; + IMGPROXY_USER_AGENT = "Mozilla/5.0"; + }; + }; + + services.nginx.virtualHosts."${config.snowflake.services.containerised.imgproxy.domain}" = + { + serverName = config.snowflake.services.containerised.imgproxy.domain; + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:8080/"; }; + }; + }; +} diff --git a/nix/modules/nixos/services/containerised/nvsample/default.nix b/nix/modules/nixos/services/containerised/nvsample/default.nix new file mode 100644 index 0000000..df61a9c --- /dev/null +++ b/nix/modules/nixos/services/containerised/nvsample/default.nix @@ -0,0 +1,15 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.nvsample = { + enable = lib.mkEnableOption "enable nvsample"; + }; + + config = lib.mkIf config.snowflake.services.containerised.nvsample.enable { + virtualisation.oci-containers.containers.nvsample = { + autoStart = true; + cmd = [ "-c" "while true; do nvidia-smi; sleep 1; done" ]; + entrypoint = "sh"; + image = "docker.io/ubuntu"; + extraOptions = [ "--device=nvidia.com/gpu=all" ]; + }; + }; +} diff --git a/nix/modules/nixos/services/containerised/qdrant/config.yaml b/nix/modules/nixos/services/containerised/qdrant/config.yaml new file mode 100644 index 0000000..77bab61 --- /dev/null 
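Review bot: imgproxy is published on a public vhost with no `IMGPROXY_KEY`/`IMGPROXY_SALT` and no `IMGPROXY_ALLOWED_SOURCES` in the `environment` block, so unless these are set somewhere not shown, anyone can build `/insecure/...` URLs that make this host fetch and process arbitrary remote URLs — an open SSRF and bandwidth-amplification endpoint, with `IMGPROXY_USER_AGENT = "Mozilla/5.0"` making the fetches look like a browser. Restrict origins with `IMGPROXY_ALLOWED_SOURCES = "https://your-origin.example/";` and require signed URLs by supplying key and salt through `environmentFiles = [ "/run/secrets/imgproxy.env" ];` rather than `environment`, so the secrets do not land in the Nix store. A comment on `enable` stating that the module is only safe with signing and source restriction configured would stop the next host from copying this as-is.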
+++ b/nix/modules/nixos/services/containerised/qdrant/config.yaml 
@@ -0,0 +1,317 @@ +log_level: INFO + +# Logging configuration +# Qdrant logs to stdout. You may configure to also write logs to a file on disk. +# Be aware that this file may grow indefinitely. +# logger: +# on_disk: +# enabled: true +# log_file: path/to/log/file.log +# log_level: INFO + +storage: + # Where to store all the data + storage_path: ./storage + + # Where to store snapshots + snapshots_path: ./snapshots + + snapshots_config: + # "local" or "s3" - where to store snapshots + snapshots_storage: local + # s3_config: + # bucket: "" + # region: "" + # access_key: "" + # secret_key: "" + + # Where to store temporary files + # If null, temporary snapshot are stored in: storage/snapshots_temp/ + temp_path: null + + # If true - point's payload will not be stored in memory. + # It will be read from the disk every time it is requested. + # This setting saves RAM by (slightly) increasing the response time. + # Note: those payload values that are involved in filtering and are indexed - remain in RAM. + on_disk_payload: true + + # Maximum number of concurrent updates to shard replicas + # If `null` - maximum concurrency is used. + update_concurrency: null + + # Write-ahead-log related configuration + wal: + # Size of a single WAL segment + wal_capacity_mb: 32 + + # Number of WAL segments to create ahead of actual data requirement + wal_segments_ahead: 0 + + # Normal node - receives all updates and answers all queries + node_type: "Normal" + + # Listener node - receives all updates, but does not answer search/read queries + # Useful for setting up a dedicated backup node + # node_type: "Listener" + + performance: + # Number of parallel threads used for search operations. If 0 - auto selection. + max_search_threads: 0 + + # Max number of threads (jobs) for running optimizations across all collections, each thread runs one job. + # If 0 - have no limit and choose dynamically to saturate CPU. 
+ # Note: each optimization job will also use `max_indexing_threads` threads by itself for index building. + max_optimization_threads: 0 + + # CPU budget, how many CPUs (threads) to allocate for an optimization job. + # If 0 - auto selection, keep 1 or more CPUs unallocated depending on CPU size + # If negative - subtract this number of CPUs from the available CPUs. + # If positive - use this exact number of CPUs. + optimizer_cpu_budget: 0 + + # Prevent DDoS of too many concurrent updates in distributed mode. + # One external update usually triggers multiple internal updates, which breaks internal + # timings. For example, the health check timing and consensus timing. + # If null - auto selection. + update_rate_limit: null + + # Limit for number of incoming automatic shard transfers per collection on this node, does not affect user-requested transfers. + # The same value should be used on all nodes in a cluster. + # Default is to allow 1 transfer. + # If null - allow unlimited transfers. + #incoming_shard_transfers_limit: 1 + + # Limit for number of outgoing automatic shard transfers per collection on this node, does not affect user-requested transfers. + # The same value should be used on all nodes in a cluster. + # Default is to allow 1 transfer. + # If null - allow unlimited transfers. + #outgoing_shard_transfers_limit: 1 + + # Enable async scorer which uses io_uring when rescoring. + # Only supported on Linux, must be enabled in your kernel. + # See: + #async_scorer: false + + optimizers: + # The minimal fraction of deleted vectors in a segment, required to perform segment optimization + deleted_threshold: 0.2 + + # The minimal number of vectors in a segment, required to perform segment optimization + vacuum_min_vector_number: 1000 + + # Target amount of segments optimizer will try to keep. 
+ # Real amount of segments may vary depending on multiple parameters: + # - Amount of stored points + # - Current write RPS + # + # It is recommended to select default number of segments as a factor of the number of search threads, + # so that each segment would be handled evenly by one of the threads. + # If `default_segment_number = 0`, will be automatically selected by the number of available CPUs + default_segment_number: 0 + + # Do not create segments larger this size (in KiloBytes). + # Large segments might require disproportionately long indexation times, + # therefore it makes sense to limit the size of segments. + # + # If indexation speed have more priority for your - make this parameter lower. + # If search speed is more important - make this parameter higher. + # Note: 1Kb = 1 vector of size 256 + # If not set, will be automatically selected considering the number of available CPUs. + max_segment_size_kb: null + + # Maximum size (in KiloBytes) of vectors to store in-memory per segment. + # Segments larger than this threshold will be stored as read-only memmaped file. + # To enable memmap storage, lower the threshold + # Note: 1Kb = 1 vector of size 256 + # To explicitly disable mmap optimization, set to `0`. + # If not set, will be disabled by default. + memmap_threshold_kb: null + + # Maximum size (in KiloBytes) of vectors allowed for plain index. + # Default value based on https://github.com/google-research/google-research/blob/master/scann/docs/algorithms.md + # Note: 1Kb = 1 vector of size 256 + # To explicitly disable vector indexing, set to `0`. + # If not set, the default value will be used. + indexing_threshold_kb: 20000 + + # Interval between forced flushes. + flush_interval_sec: 5 + + # Max number of threads (jobs) for running optimizations per shard. + # Note: each optimization job will also use `max_indexing_threads` threads by itself for index building. + # If null - have no limit and choose dynamically to saturate CPU. 
+ # If 0 - no optimization threads, optimizations will be disabled. + max_optimization_threads: null + + # This section has the same options as 'optimizers' above. All values specified here will overwrite the collections + # optimizers configs regardless of the config above and the options specified at collection creation. + #optimizers_overwrite: + # deleted_threshold: 0.2 + # vacuum_min_vector_number: 1000 + # default_segment_number: 0 + # max_segment_size_kb: null + # memmap_threshold_kb: null + # indexing_threshold_kb: 20000 + # flush_interval_sec: 5 + # max_optimization_threads: null + + # Default parameters of HNSW Index. Could be overridden for each collection or named vector individually + hnsw_index: + # Number of edges per node in the index graph. Larger the value - more accurate the search, more space required. + m: 16 + + # Number of neighbours to consider during the index building. Larger the value - more accurate the search, more time required to build index. + ef_construct: 100 + + # Minimal size (in KiloBytes) of vectors for additional payload-based indexing. + # If payload chunk is smaller than `full_scan_threshold_kb` additional indexing won't be used - + # in this case full-scan search should be preferred by query planner and additional indexing is not required. + # Note: 1Kb = 1 vector of size 256 + full_scan_threshold_kb: 10000 + + # Number of parallel threads used for background index building. + # If 0 - automatically select. + # Best to keep between 8 and 16 to prevent likelihood of building broken/inefficient HNSW graphs. + # On small CPUs, less threads are used. + max_indexing_threads: 0 + + # Store HNSW index on disk. If set to false, index will be stored in RAM. Default: false + on_disk: false + + # Custom M param for hnsw graph built for payload index. If not set, default M will be used. + payload_m: null + + # Default shard transfer method to use if none is defined. 
+ # If null - don't have a shard transfer preference, choose automatically. + # If stream_records, snapshot or wal_delta - prefer this specific method. + # More info: https://qdrant.tech/documentation/guides/distributed_deployment/#shard-transfer-method + shard_transfer_method: null + + # Default parameters for collections + collection: + # Number of replicas of each shard that network tries to maintain + replication_factor: 2 + + # How many replicas should apply the operation for us to consider it successful + write_consistency_factor: 1 + + # Default parameters for vectors. + vectors: + # Whether vectors should be stored in memory or on disk. + on_disk: null + + # shard_number_per_node: 1 + + # Default quantization configuration. + # More info: https://qdrant.tech/documentation/guides/quantization + quantization: null + + # Default strict mode parameters for newly created collections. + strict_mode: + # Whether strict mode is enabled for a collection or not. + enabled: false + + # Max allowed `limit` parameter for all APIs that don't have their own max limit. + max_query_limit: null + + # Max allowed `timeout` parameter. + max_timeout: null + + # Allow usage of unindexed fields in retrieval based (eg. search) filters. + unindexed_filtering_retrieve: null + + # Allow usage of unindexed fields in filtered updates (eg. delete by payload). + unindexed_filtering_update: null + + # Max HNSW value allowed in search parameters. + search_max_hnsw_ef: null + + # Whether exact search is allowed or not. + search_allow_exact: null + + # Max oversampling value allowed in search. + search_max_oversampling: null + +service: + # Maximum size of POST data in a single request in megabytes + max_request_size_mb: 32 + + # Number of parallel workers used for serving the api. If 0 - equal to the number of available cores. 
+ # If missing - Same as storage.max_search_threads + max_workers: 0 + + # Host to bind the service on + host: 0.0.0.0 + + # HTTP(S) port to bind the service on + http_port: 6333 + + # gRPC port to bind the service on. + # If `null` - gRPC is disabled. Default: null + # Comment to disable gRPC: + grpc_port: null + + # Enable CORS headers in REST API. + # If enabled, browsers would be allowed to query REST endpoints regardless of query origin. + # More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS + # Default: true + enable_cors: true + + # Enable HTTPS for the REST and gRPC API + enable_tls: false + + # Check user HTTPS client certificate against CA file specified in tls config + verify_https_client_certificate: false + + # Set an api-key. + # If set, all requests must include a header with the api-key. + # example header: `api-key: ` + # + # If you enable this you should also enable TLS. + # (Either above or via an external service like nginx.) + # Sending an api-key over an unencrypted channel is insecure. + # + # Uncomment to enable. + # api_key: your_secret_api_key_here + + # Set an api-key for read-only operations. + # If set, all requests must include a header with the api-key. + # example header: `api-key: ` + # + # If you enable this you should also enable TLS. + # (Either above or via an external service like nginx.) + # Sending an api-key over an unencrypted channel is insecure. + # + # Uncomment to enable. + # read_only_api_key: your_secret_read_only_api_key_here + + # Uncomment to enable JWT Role Based Access Control (RBAC). + # If enabled, you can generate JWT tokens with fine-grained rules for access control. + # Use generated token instead of API key. 
+ # + # jwt_rbac: true + +cluster: + # Use `enabled: true` to run Qdrant in distributed deployment mode + enabled: true + + # Configuration of the inter-cluster communication + p2p: + # Port for internal communication between peers + port: 6335 + + # Use TLS for communication between peers + enable_tls: false + + # Configuration related to distributed consensus algorithm + consensus: + # How frequently peers should ping each other. + # Setting this parameter to lower value will allow consensus + # to detect disconnected nodes earlier, but too frequent + # tick period may create significant network and CPU overhead. + # We encourage you NOT to change this parameter unless you know what you are doing. + tick_period_ms: 100 + +# Set to true to prevent service from sending usage statistics to the developers. +# Read more: https://qdrant.tech/documentation/guides/telemetry +telemetry_disabled: true diff --git a/nix/modules/nixos/services/containerised/qdrant/default.nix b/nix/modules/nixos/services/containerised/qdrant/default.nix new file mode 100644 index 0000000..767b39f --- /dev/null +++ b/nix/modules/nixos/services/containerised/qdrant/default.nix 
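Review bot: This config ships Qdrant with every access control off — `api_key` and `read_only_api_key` stay commented, `enable_tls: false`, `enable_cors: true`, `host: 0.0.0.0` and `cluster.p2p.enable_tls: false` — while the companion module publishes 6333 and 6335 on all host interfaces, so the REST API and web UI (create/delete collections, read every vector and payload) are open to anyone who can reach the host and Raft/shard traffic between peers is plaintext. At minimum uncomment `api_key` and take the value from the environment (`QDRANT__SERVICE__API_KEY` in an `environmentFiles` entry) instead of this world-readable file, and set `cluster.p2p.enable_tls: true` with a `tls:` cert/key section or keep 6335 on a private network. The file's own warning that an api-key over an unencrypted channel is insecure applies here, since `enable_tls` is false; terminate TLS in front of 6333 with the nginx or traefik module this commit adds.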
@@ -0,0 +1,44 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.qdrant = { + enable = lib.mkEnableOption "enable qdrant"; + + version = lib.mkOption { + type = lib.types.str; + description = "qdrant version to use"; + }; + + uri = lib.mkOption { + type = lib.types.str; + description = "domain name to host qdrant on"; + }; + bootstrap = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "bootstrap name for qdrant cluster"; + }; + }; + + config = lib.mkIf config.snowflake.services.containerised.qdrant.enable { + environment.etc."qdrant/config.yaml".source = ./config.yaml; + virtualisation.oci-containers.containers.qdrant = { + autoStart = true; + image = + "docker.io/qdrant/qdrant:${config.snowflake.services.containerised.qdrant.version}"; + ports = [ + "6333:6333" # REST API + Web UI + # "6333:6333" # GRPC API - unused + "6335:6335" # p2p API for cluster communication + ]; + volumes = [ + "/mnt/disk1/storage:/qdrant/storage" + "/etc/qdrant/config.yaml:/qdrant/config/config.yaml:ro" + ]; + cmd = [ + "./qdrant" + "--uri=http://${config.snowflake.services.containerised.qdrant.uri}:6335" + ] ++ lib.optional + (config.snowflake.services.containerised.qdrant.bootstrap != null) + "--bootstrap=http://${config.snowflake.services.containerised.qdrant.bootstrap}:6335"; + }; + }; +} diff --git a/nix/modules/nixos/services/containerised/traefik/default.nix b/nix/modules/nixos/services/containerised/traefik/default.nix new file mode 100644 index 0000000..76822ca --- /dev/null +++ b/nix/modules/nixos/services/containerised/traefik/default.nix 
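Review bot: `ports` publishes `6333:6333` and `6335:6335` without a host address, so Docker binds them on 0.0.0.0 and they are reachable from outside irrespective of `networking.firewall`; combined with the shipped config (no api key, no TLS) that exposes the whole database, and every other container module in this commit prefixes `127.0.0.1:`. Bind the REST port to loopback and front it with nginx/traefik, `"127.0.0.1:6333:6333"`, and restrict 6335 to the interface peers actually use, or document why it must be public. Two smaller points: the commented line `# "6333:6333" # GRPC API - unused` repeats the REST port (Qdrant's gRPC port is 6334 when enabled), and the `uri` description "domain name to host qdrant on" is misleading — it is the advertised peer URI passed as `--uri=http://…:6335`, not a vhost.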
@@ -0,0 +1,39 @@ +{ config, lib, ... }: { + options.snowflake.services.containerised.traefik = { + enable = lib.mkEnableOption "enable traefik"; + + version = lib.mkOption { + type = lib.types.str; + description = "traefik version to use"; + }; + ports = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "ports to expose"; + }; + configSource = lib.mkOption { + type = lib.types.path; + description = "traefik config"; + }; + environment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + description = "traefik config"; + }; + }; + + config = lib.mkIf config.snowflake.services.containerised.traefik.enable { + environment.etc."traefik/traefik.yml".source = + config.snowflake.services.containerised.traefik.configSource; + virtualisation.oci-containers.containers.traefik = { + autoStart = true; + image = + "docker.io/traefik:${config.snowflake.services.containerised.traefik.version}"; + ports = config.snowflake.services.containerised.traefik.ports; + volumes = [ + "/etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro" + "/etc/letsencrypt/:/etc/letsencrypt/" + ]; + environment = config.snowflake.services.containerised.traefik.environment; + }; + }; +} diff --git a/nix/modules/nixos/services/frp/default.nix b/nix/modules/nixos/services/frp/default.nix new file mode 100644 index 0000000..cb57a2c --- /dev/null +++ b/nix/modules/nixos/services/frp/default.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: { + options.snowflake.services.frp = { + enable = lib.mkEnableOption "enable frp"; + }; + + config = lib.mkIf config.snowflake.services.frp.enable { + services.frp = { + enable = true; + role = "server"; + settings = { bindPort = 7001; }; + }; + }; +} diff --git a/nix/modules/nixos/services/gotenberg/default.nix b/nix/modules/nixos/services/gotenberg/default.nix new file mode 100644 index 0000000..f8ddf4e --- /dev/null +++ b/nix/modules/nixos/services/gotenberg/default.nix 
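Review bot: The `environment` option (`attrsOf str`) is where DNS-provider API tokens for ACME naturally end up, and anything placed there is written into the container's systemd unit in the world-readable Nix store and shows in `docker inspect`. Add a pass-through for secret material instead — an `environmentFiles` option of `listOf path` wired to `virtualisation.oci-containers.containers.traefik.environmentFiles` — and state in the `environment` description that it is for non-secret settings only; its current description `"traefik config"` is copy-pasted from `configSource`. The read-write `/etc/letsencrypt/` mount is needed for the ACME store, but a comment that the directory (and `acme.json`, which holds private keys) must be root-owned 0600 is worth adding.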
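Review bot: `services.frp` is started as a server with only `bindPort = 7001` and no `auth.token`, and as far as I know frps with an empty token accepts any client, so anyone who can reach 7001 can register proxies and expose their own services through this host. Set a token that is not stored in the Nix store — frp's config supports `{{ .Envs.FRP_TOKEN }}` templating, which can be fed via `systemd.services.frp.serviceConfig.EnvironmentFile` — or at least add `auth.method = "token"` with the value taken from a file. Nothing here opens 7001 in the firewall; a comment saying where that happens (or that it is deliberately private) would help.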
@@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: { + options.snowflake.services.gotenberg = { + enable = lib.mkEnableOption "enable gotenberg"; + }; + + config = lib.mkIf config.snowflake.services.gotenberg.enable { + # gottenberg systemctl service is failing for some reason + # running the Exec function manually works, however the service fails + # need to debug deeper + services.gotenberg = { + enable = true; + port = 3000; + + chromium.package = pkgs.ungoogled-chromium; + chromium.disableJavascript = true; + + libreoffice.package = pkgs.libreoffice; + + logLevel = "debug"; + + # this doesn't work: https://github.com/NixOS/nixpkgs/issues/340447 + extraArgs = [ "--chromium-allow-list=file:///tmp/.*" ]; + }; + environment.systemPackages = with pkgs; [ ungoogled-chromium libreoffice ]; + }; +} diff --git a/nix/modules/nixos/services/nginx/default.nix b/nix/modules/nixos/services/nginx/default.nix new file mode 100644 index 0000000..e80178c --- /dev/null +++ b/nix/modules/nixos/services/nginx/default.nix 
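Review bot: `--chromium-allow-list=file:///tmp/.*` is commented as not taking effect, but if the module issue gets fixed it lets any document submitted for conversion embed `file:///tmp/...` resources and pull other services' temp files into the rendered output. Point it at a dedicated directory instead, e.g. `"--chromium-allow-list=file:///var/lib/gotenberg/inbox/.*"`, and say in the comment why the path is narrow. `logLevel = "debug"` should likewise carry a comment that it is temporary for the startup failure, as debug output will include request details for every converted document once the service runs.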
@@ -0,0 +1,43 @@ +{ config, lib, ... }: { + options.snowflake.services.nginx = { + enable = lib.mkEnableOption "enable nginx"; + acmeEmail = lib.mkOption { + type = lib.types.str; + description = "email address ACME for nginx"; + }; + clientMaxBodySize = lib.mkOption { + type = lib.types.str; + default = "10m"; + }; + }; + + config = lib.mkIf config.snowflake.services.nginx.enable { + security.acme.defaults.email = config.snowflake.services.nginx.acmeEmail; + security.acme.acceptTerms = true; + + security.dhparams = { + enable = true; + params.nginx = { }; + }; + services.nginx = { + enable = true; + clientMaxBodySize = config.snowflake.services.nginx.clientMaxBodySize; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + sslDhparam = config.security.dhparams.params.nginx.path; + + # Disable default_server access and return HTTP 444. + appendHttpConfig = '' + server { + listen 80 default_server; + listen 443 ssl default_server; + + ssl_reject_handshake on; + return 444; + } + ''; + }; + }; +} diff --git a/nix/modules/nixos/services/openvpn/default.nix b/nix/modules/nixos/services/openvpn/default.nix new file mode 100644 index 0000000..b277465 --- /dev/null +++ b/nix/modules/nixos/services/openvpn/default.nix 
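Review bot: The catch-all server only declares IPv4 listeners; the NixOS nginx module adds `[::]` listeners to every `virtualHosts` entry by default (`listenAddresses`), so on IPv6 there is no `default_server` and nginx will route SNI-less or unknown-Host requests to whichever vhost is defined first, serving that host's ACME certificate and defeating the 444 block. Add `listen [::]:80 default_server;` and `listen [::]:443 ssl default_server;` beside the existing lines. Nothing here opens 80/443 in `networking.firewall`, so presumably that is done per host; a comment stating so would save the next reader a search.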
@@ -0,0 +1,73 @@ +{ config, pkgs, lib, ... }: { + options.snowflake.services.openvpn.enable = + lib.mkEnableOption "enable openvpn"; + + config = let + # generate via `openvpn --genkey secret openvpn-laptop.key` + client-key = "/root/openvpn-laptop.key"; + domain = "nixvpn.codingcoffee.me"; + vpn-dev = "tun0"; + port = 443; + in lib.mkIf config.snowflake.services.openvpn.enable { + # sudo systemctl start nat + networking.nat = { + enable = true; + externalInterface = lib.mkDefault "enp1s0"; + internalInterfaces = [ vpn-dev ]; + }; + networking.firewall.trustedInterfaces = [ vpn-dev ]; + # networking.firewall.allowedUDPPorts = [ port ]; + networking.firewall.allowedTCPPorts = [ port ]; + environment.systemPackages = [ pkgs.openvpn ]; # for key generation + services.openvpn.servers.smartphone.config = '' + dev ${vpn-dev} + proto tcp-server + ifconfig 10.8.0.1 10.8.0.2 + secret ${client-key} + port ${toString port} + + cipher AES-256-CBC + auth-nocache + + comp-lzo + keepalive 10 60 + ping-timer-rem + persist-tun + persist-key + ''; + + environment.etc."openvpn/smartphone-client.ovpn" = { + text = '' + dev tun + proto tcp-client + remote "${domain}" + ifconfig 10.8.0.2 10.8.0.1 + port ${toString port} + redirect-gateway def1 + + cipher AES-256-CBC + auth-nocache + + comp-lzo + keepalive 10 60 + resolv-retry infinite + nobind + persist-key + persist-tun + secret [inline] + + ''; + mode = "600"; + }; + system.activationScripts.openvpn-addkey = '' + f="/etc/openvpn/smartphone-client.ovpn" + if ! grep -q '' $f; then + echo "appending secret key" + echo "" >> $f + cat ${client-key} >> $f + echo "" >> $f + fi + ''; + }; +} + diff --git a/nix/modules/nixos/services/paperless/default.nix b/nix/modules/nixos/services/paperless/default.nix new file mode 100644 index 0000000..3460176 --- /dev/null +++ b/nix/modules/nixos/services/paperless/default.nix 
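Review bot: Both the server block and the generated client profile enable `comp-lzo`; compression inside the tunnel is what makes VORACLE-style plaintext recovery possible and upstream has deprecated it, so drop `comp-lzo` from both ends (and add `allow-compression no` on the server). Static-key mode (`secret`) gives no forward secrecy and is itself deprecated from OpenVPN 2.5 on, so at minimum add a comment that compromise of `/root/openvpn-laptop.key` decrypts all previously captured traffic; a TLS setup with `tls-crypt` is the practitioner's choice. The naming is also confusing — the key file is `openvpn-laptop.key` while the server and profile are `smartphone`, and a static key serves exactly one peer — so rename the key to match.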
@@ -0,0 +1,55 @@ +{ config, lib, ... }: { + options.snowflake.services.paperless = { + enable = lib.mkEnableOption "enable paperless"; + + domain = lib.mkOption { + type = lib.types.str; + description = "domain name to host paperless on"; + }; + }; + + config = lib.mkIf config.snowflake.services.paperless.enable { + services.paperless = { + enable = true; + user = "paperless"; + port = 28981; + dataDir = "/var/lib/paperless"; + address = "localhost"; + passwordFile = "/root/paperless-password"; + + settings = { + PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ]; + PAPERLESS_OCR_USER_ARGS = { + optimize = 1; + pdfa_image_compression = "lossless"; + }; + PAPERLESS_OCR_LANGUAGE = "eng+fra+nld+ita+spa+cat"; + + PAPERLESS_URL = config.snowflake.services.paperless.domain; + PAPERLESS_ADMIN_USER = "admin"; + # cannot use PAPERLESS_ADMIN_PASSWORD: https://github.com/NixOS/nixpkgs/issues/249767 + # PAPERLESS_ADMIN_PASSWORD = "UWi303OcNd6Au7HlnFpf3D33aROuT1"; + + PAPERLESS_FILENAME_FORMAT = "{created_year}/{document_type}/{title}"; + + # config to enable tika + gotenberg, but is blocked on getting gotenberg + # to function + # PAPERLESS_TIKA_ENABLED = true; + # PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998"; + # PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3000"; + }; + }; + + services.nginx.virtualHosts."${config.snowflake.services.paperless.domain}" = + { + serverName = config.snowflake.services.paperless.domain; + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = + "http://127.0.0.1:${toString config.services.paperless.port}/"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/nix/modules/nixos/services/postgres/default.nix b/nix/modules/nixos/services/postgres/default.nix new file mode 100644 index 0000000..917ee60 --- /dev/null +++ b/nix/modules/nixos/services/postgres/default.nix 
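Review bot: The commented line `# PAPERLESS_ADMIN_PASSWORD = "UWi303OcNd6Au7HlnFpf3D33aROuT1";` commits a real-looking credential to the repository; commented or not it is now in git history, so rotate the admin password and remove the line, leaving only the issue link. `passwordFile = "/root/paperless-password"` is the right pattern; document its expected ownership and mode (`root:root 0600`) in a comment since nothing here creates it. `PAPERLESS_URL` is given the bare domain, whereas paperless-ngx documents it as a full URL with scheme (it feeds the trusted-origin settings), so `"https://${config.snowflake.services.paperless.domain}"` is probably what is wanted — verify, since a wrong value shows up as CSRF failures through the proxy.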
@@ -0,0 +1,12 @@ +{ config, lib, ... }: { + options.snowflake.services.postgresql = { + enable = lib.mkEnableOption "enable postgresql"; + }; + + config = lib.mkIf config.snowflake.services.postgresql.enable { + services.postgresql = { + enable = true; + settings = { port = 5432; }; + }; + }; +} diff --git a/nix/modules/nixos/services/redis/default.nix b/nix/modules/nixos/services/redis/default.nix new file mode 100644 index 0000000..e23e2d0 --- /dev/null +++ b/nix/modules/nixos/services/redis/default.nix @@ -0,0 +1,28 @@ +{ config, lib, ... }: { + options.snowflake.services.redis = { + enable = lib.mkEnableOption "Enable redis configuration"; + + servers = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = "whether to enable this particular redis server."; + }; + port = lib.mkOption { + type = lib.types.port; + description = "port number to host this redis on."; + }; + }; + }); + }; + }; + + config = lib.mkIf config.snowflake.services.redis.enable { + services.redis.servers = lib.mapAttrs (redisname: redisCfg: { + enable = redisCfg.enable; + port = redisCfg.port; + }) config.snowflake.services.redis.servers; + }; +} diff --git a/nix/modules/nixos/services/restic/default.nix b/nix/modules/nixos/services/restic/default.nix new file mode 100644 index 0000000..383c36c --- /dev/null +++ b/nix/modules/nixos/services/restic/default.nix 
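Review bot: The redis servers get only a `port`; nothing sets `bind` or `requirePassFile`, so this relies on the NixOS module's default loopback bind for an unauthenticated instance. Document that assumption on the `port` option, e.g. `description = "TCP port for this redis instance; it stays bound to 127.0.0.1 by the NixOS default and has no password, so do not override bind without adding requirePassFile";`, so a future `bind = "0.0.0.0"` override does not ship an open Redis.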
@@ -0,0 +1,38 @@ +{ config, lib, ... }: { + options.snowflake.services.restic = { + enable = lib.mkEnableOption "enable restic"; + + name = lib.mkOption { + type = lib.types.str; + description = "name to backup under, preferably use hostname"; + }; + }; + + config = lib.mkIf config.snowflake.services.restic.enable { + # TODO: potentially use a security wrapper on the restic binay, instead of + # running it as root + services.restic.backups = { + kryo = { + user = "root"; + repository = + "sftp:cc@kryo.v2.n1.codingcoffee.me:/home/cc/${config.snowflake.services.restic.name}-backup"; + initialize = + true; # initializes the repo, don't set if you want manual control + timerConfig = { + # backup daily + OnCalendar = "daily"; + # to take care of backup if system was turned off during designated + # backup time + Persistent = true; + }; + passwordFile = "/home/cc/.dotfiles/nix/conf/restic/password"; + extraBackupArgs = [ + # "--dry-run" + "--exclude-file=/home/cc/.dotfiles/autorestic/.autoresticignore" + ]; + pruneOpts = [ "--keep-last 10" ]; + paths = [ "/home/cc" ]; + }; + }; + }; +} diff --git a/nix/modules/nixos/services/syncthing/default.nix b/nix/modules/nixos/services/syncthing/default.nix new file mode 100644 index 0000000..e659d4e --- /dev/null +++ b/nix/modules/nixos/services/syncthing/default.nix 
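Review bot: The backup runs as root but reads `passwordFile` and `--exclude-file` from under `/home/cc/`, which the unprivileged user owns: the repository encryption password is readable to anyone who compromises `cc`, that user can alter what root backs up, and with `paths = [ "/home/cc" ]` the password file is itself inside the backup. Move the password to a root-only location (`passwordFile = "/root/restic/password";`, mode 0400) and point `--exclude-file` at a root-owned copy. Because root also runs `forget` with `--keep-last 10`, a compromised host can prune every snapshot on `kryo`; an append-only remote, or pruning from the backup server side, limits that. The SFTP host key for `kryo.v2.n1.codingcoffee.me` must be pinned in root's `known_hosts`, which this module does not do — a comment saying where that happens would help.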
@@ -0,0 +1,49 @@ +{ config, lib, ... }: { + options.snowflake.services.syncthing = { + enable = lib.mkEnableOption "enable garbage collection"; + password = lib.mkOption { type = lib.types.str; }; + user = lib.mkOption { type = lib.types.str; }; + dataDir = lib.mkOption { type = lib.types.str; }; + configDir = lib.mkOption { type = lib.types.str; }; + }; + + config = lib.mkIf config.snowflake.services.syncthing.enable { + services = { + syncthing = { + enable = true; + user = config.snowflake.services.syncthing.user; + dataDir = config.snowflake.services.syncthing.dataDir; + configDir = config.snowflake.services.syncthing.configDir; + overrideDevices = + false; # overrides any devices added or deleted through the WebUI + overrideFolders = + false; # overrides any folders added or deleted through the WebUI + settings = { + options = { + urAccepted = -1; # prevent reporting anonymous usage analytics + }; + gui = { + user = config.snowflake.services.syncthing.user; + password = config.snowflake.services.syncthing.password; + }; + # unable to get the devices and folders bit working concistently. + # hence choosing to not do it manually for now + # reproducibility is the core issue, syncthing after every load asks if it can add the new device + # and it doesn't even request a sync of the folder + # devices = { + # "Kryo" = { + # id = "7EDU5MA-M3FEL4F-QWA35PH-MMW2KAL-6GS5CSH-2P7EIW0-4ZQNL37-I5F7CAM"; + # }; + # }; + # folders = { + # "pkb-personal" = { # Name of folder in Syncthing, also the folder ID + # id = "kj6tu-lfx9f"; + # path = "/home/cc/.pkb/personal"; # Which folder to add to Syncthing + # devices = [ "Kryo" ]; # Which devices to share the folder with + # }; + # }; + }; + }; + }; + }; +} diff --git a/nix/modules/nixos/services/tika/default.nix b/nix/modules/nixos/services/tika/default.nix new file mode 100644 index 0000000..64c2cc1 --- /dev/null +++ b/nix/modules/nixos/services/tika/default.nix 
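Review bot: `password` is a plain `types.str` written straight into `settings.gui.password`, so the GUI credential ends up in the world-readable Nix store in every generation; Syncthing stores that field as a bcrypt hash and, as far as I recall, accepts one directly, so either document that a hash is expected — `description = "bcrypt hash of the GUI password (mkpasswd -m bcrypt); never a plaintext value";` — or switch to a file-based option. `lib.mkEnableOption "enable garbage collection"` is a copy-paste error for this module and should read `"enable syncthing"`. Leaving `overrideDevices`/`overrideFolders` false is reasonable given the comment, but it also means devices can be added through the GUI without a rebuild, which is worth stating there.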
@@ -0,0 +1,14 @@ +{ config, lib, ... }: { + options.snowflake.services.tika = { + enable = lib.mkEnableOption "enable tika"; + }; + + config = lib.mkIf config.snowflake.services.tika.enable { + services.tika = { + enable = true; + listenAddress = "127.0.0.1"; + port = 9998; + enableOcr = true; + }; + }; +} diff --git a/nix/modules/nixos/user/default.nix b/nix/modules/nixos/user/default.nix new file mode 100644 index 0000000..26a2816 --- /dev/null +++ b/nix/modules/nixos/user/default.nix 
@@ -0,0 +1,64 @@ +{ config, lib, ... }: { + options.snowflake.user = { + enable = lib.mkEnableOption "Enable user configuration"; + + users = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options = { + isNormalUser = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether the user is a normal user."; + }; + + shell = lib.mkOption { + type = lib.types.package; + description = "the shell package for the user."; + }; + + description = lib.mkOption { + type = lib.types.str; + description = "full name for the user."; + }; + + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "system groups to add this user to."; + }; + + initialHashedPassword = lib.mkOption { + type = lib.types.str; + description = + "hashed password for the user, can be generated using `mkpasswd -m bcrypt -R 10`"; + }; + + authorizedKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "SSH authorized keys for the user."; + }; + }; + }); + }; + }; + + config = lib.mkIf config.snowflake.user.enable { + # make users immutable + users.mutableUsers = false; + # Configure the user account. + # NOTE: hashedPasswordFile has an issue. If the auth method is changed from `hashedPassword` + # to `hashedPasswordFile`, /etc/shadow gets messed up and login does not work. To fix this + # we need to remove all the users' entries from /etc/shadow and run nixos-rebuild. Seems to be + # a one-time thing. + # ref: https://github.com/NixOS/nixpkgs/issues/99433 + users.users = lib.mapAttrs (username: userCfg: { + isNormalUser = userCfg.isNormalUser; + shell = userCfg.shell; + description = userCfg.description; + extraGroups = userCfg.extraGroups; + initialHashedPassword = userCfg.initialHashedPassword; + openssh.authorizedKeys.keys = userCfg.authorizedKeys; + }) config.snowflake.user.users; + }; +} 
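Review bot: `initialHashedPassword` is a `lib.types.str`, so every hash flows through `users.users` into the users/groups spec in the world-readable Nix store (and, for the hosts in this commit, into git), which gives any local user an offline cracking target. NixOS provides `users.users.<name>.hashedPasswordFile` for this case; the NOTE above `users.users` already documents the one-time `/etc/shadow` cleanup needed to switch, so the module could expose a `hashedPasswordFile` alternative next to the inline option rather than only the inline hash. At minimum the option description should say `"hashed password for the user; NOTE: stored verbatim in the Nix store, prefer hashedPasswordFile for hosts with untrusted local users"`.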
diff --git a/nix/modules/nixos/virtualisation/docker/default.nix b/nix/modules/nixos/virtualisation/docker/default.nix new file mode 100644 index 0000000..c658747 --- /dev/null +++ b/nix/modules/nixos/virtualisation/docker/default.nix @@ -0,0 +1,24 @@ +{ config, lib, ... }: { + options.snowflake.virtualisation.docker = { + enable = lib.mkEnableOption "enable docker daemon"; + extraOptions = lib.mkOption { + type = lib.types.str; + default = ""; + description = "extra options to pass to docker compose"; + }; + # Notes: You can use the following command to use GPU inside docker container + # docker run -it --rm --device nvidia.com/gpu=all ubuntu nvidia-smi + enableNvidia = lib.mkEnableOption "enable nvidia with docker"; + }; + + config = lib.mkIf config.snowflake.virtualisation.docker.enable { + hardware.nvidia-container-toolkit.enable = + config.snowflake.virtualisation.docker.enableNvidia; + virtualisation = { + docker = { + enable = true; + extraOptions = config.snowflake.virtualisation.docker.extraOptions; + }; + }; + }; +} diff --git a/nix/modules/nixos/virtualisation/kvm/default.nix b/nix/modules/nixos/virtualisation/kvm/default.nix new file mode 100644 index 0000000..d5c299e --- /dev/null +++ b/nix/modules/nixos/virtualisation/kvm/default.nix 
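Review bot: The `extraOptions` description says the value is passed to "docker compose", but `virtualisation.docker.extraOptions` is appended to the docker daemon command line, so the doc misdirects anyone setting it; `description = "extra command-line options passed to the docker daemon (dockerd)";`. It would also help to note on the `enable` option that membership in the `docker` group is equivalent to root on the host, since a system file in this commit adds a user to that group.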
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: { + options.snowflake.virtualisation.kvm.enable = + lib.mkEnableOption "enable kvm vms"; + options.snowflake.virtualisation.kvm.ovmf.enable = + lib.mkEnableOption "enable ovmf module for vms"; + + config = lib.mkIf config.snowflake.virtualisation.kvm.enable { + + # to enable nested virtualization + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + options kvm_intel emulate_invalid_guest_state=0 + options kvm ignore_msrs=1 + ''; + + virtualisation = { + libvirtd = { + enable = true; + qemu = { + package = pkgs.qemu_kvm; + runAsRoot = true; + swtpm.enable = true; + ovmf = lib.mkIf config.snowflake.virtualisation.kvm.ovmf.enable { + enable = true; + packages = [ + (pkgs.OVMF.override { + secureBoot = true; + tpmSupport = true; + }).fd + ]; + }; + }; + }; + }; + programs.virt-manager.enable = true; + }; +} diff --git a/nix/modules/nixos/workstation/default.nix b/nix/modules/nixos/workstation/default.nix new file mode 100644 index 0000000..63c599f --- /dev/null +++ b/nix/modules/nixos/workstation/default.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: { + options.snowflake.workstation = { + enable = lib.mkEnableOption "enable workstation mode"; + isDevMachine = lib.mkEnableOption "packages for coding development"; + isOfficeMachine = lib.mkEnableOption "packages for doc processing"; + isGamingMachine = lib.mkEnableOption "packages for gaming"; + }; + + config = lib.mkIf config.snowflake.workstation.enable { + programs.zsh.enable = true; + + # base packages required everywhere + environment = { + shells = with pkgs; [ bash zsh fish ]; + systemPackages = with pkgs; [ + # text editor + nano # fallback in case neovim fails + emacs # for orgmode + ]; + }; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = false; + pinentryPackage = pkgs.pinentry-curses; + }; + }; +} 
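Review bot: `runAsRoot = true;` makes libvirt launch every QEMU process as root instead of the dedicated qemu user, so a guest escape lands directly in a root process on the host. Unless a device-passthrough need is known, `runAsRoot = false;` is the least-privilege setting; if root is needed, a comment such as `# runAsRoot: required for <device> passthrough` would stop it being flipped off by mistake. The `boot.extraModprobeConfig` block also hard-codes `kvm_intel`, which has no effect on AMD hosts; a one-line comment stating the Intel-only assumption would save the next reader a search.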
diff --git a/nix/modules/nixos/workstation/desktop/default.nix b/nix/modules/nixos/workstation/desktop/default.nix
new file mode 100644
index 0000000..3cac1d8
--- /dev/null
+++ b/nix/modules/nixos/workstation/desktop/default.nix
@@ -0,0 +1,132 @@ +{ config, lib, pkgs, ... }: { + options.snowflake.workstation.desktop = { + enable = lib.mkEnableOption "enable gnome desktop"; + autoLoginUser = lib.mkOption { + type = lib.types.str; + description = "user to autostart gnome with"; + }; + }; + + config = lib.mkIf config.snowflake.workstation.desktop.enable { + # base packages required everywhere + environment = { + systemPackages = with pkgs; [ + # video player + mpv + # ani-skip # to skip anime intros # doesn't work, hence removing + + # file sharing + localsend + + # libraries + x265 # HEVC support for firefox / mpv + ]; + + gnome.excludePackages = (with pkgs; [ + gnome-photos + gnome-tour + gedit # text editor + cheese # webcam tool + gnome-terminal + epiphany # web browser + geary # email reader + totem # video player + gnome-calendar + gnome-music + gnome-characters + tali # poker game + iagno # go game + hitori # sudoku game + atomix # puzzle game + ]); + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + # Enable the GNOME Desktop Environment. 
+ services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome.enable = true; + # prevent sleeping on lid close + services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = + config.snowflake.workstation.desktop.autoLoginUser; + + # tap to click across app using libinput + services.libinput.enable = true; + services.libinput.touchpad.tapping = true; + # workaround for autologin - https://nixos.wiki/wiki/GNOME#automatic%20login + systemd.services."getty@tty1".enable = false; + systemd.services."autovt@tty1".enable = false; + + # Configure keymap in X11 + services.xserver = { + xkb.layout = "us"; + + # swap Escape key with CapsLock (requires reboot, since done at system + # level), but this will not apply at user level in gnome since that is + # taken care of by gnome + # will only work in gdm right now as of writing this + xkb.options = "caps:swapescape"; + + xkb.variant = ""; + }; + + fonts.packages = with pkgs; [ + noto-fonts + noto-fonts-cjk-sans + noto-fonts-emoji + + # fira-code + fira-code-symbols + + # jetbrains-mono # font for neovim + + (nerdfonts.override { fonts = [ "FiraCode" "Iosevka" "JetBrainsMono" ]; }) + ]; + + # Enable Bluetooth + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + + # mouse configurator + services.ratbagd.enable = true; + + # higher openssh security + services.openssh = { + settings.PermitRootLogin = "no"; + }; + + # Allow unfree packages + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. 
+ # sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + wireplumber.enable = true; + # If you want to use JACK applications, uncomment this + jack.enable = true; + }; + + programs.dconf.enable = true; + + # Enable OpenGL + hardware.graphics = { + enable = true; + enable32Bit = true; + }; + + services.fwupd.enable = true; + }; +} diff --git a/nix/modules/nixos/workstation/desktop/dev/default.nix b/nix/modules/nixos/workstation/desktop/dev/default.nix new file mode 100644 index 0000000..2dec49e --- /dev/null +++ b/nix/modules/nixos/workstation/desktop/dev/default.nix 
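Review bot: The comment `# prevent sleeping on lid close` sits directly above `services.displayManager.autoLogin.enable = true;` and describes something those lines do not do; replace it with `# log straight into gnome as autoLoginUser (no password prompt after boot)`. Because auto-login removes the session password gate, the LUKS passphrase entered at boot becomes the only barrier once the machine is up; that is a defensible trade-off for a single-user laptop, but the `autoLoginUser` option description should state it. The `# Allow unfree packages` comment is attached to `hardware.enableAllFirmware = true;`, which is a separate firmware setting, not the unfree toggle on the next line. `services.openssh.settings.PermitRootLogin` under `# higher openssh security` would presumably belong with the `core.openssh` module the system files reference rather than a GNOME desktop module, since headless hosts get no benefit from it here.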
@@ -0,0 +1,79 @@ +{ lib, config, pkgs, ... }: { + config = lib.mkIf config.snowflake.workstation.isDevMachine { + environment = { + systemPackages = with pkgs; [ + ## music + spotify + + ## flipper zero + qFlipper + + ## terminals + alacritty + kitty # fallback for wezterm + + ## messenger + telegram-desktop + + ## gnome + gnome-tweaks + dconf-editor + gnome-power-manager # for battery power stats + gnomeExtensions.forge + gnomeExtensions.just-perfection + gnomeExtensions.gsconnect + gnomeExtensions.launch-new-instance + gnomeExtensions.auto-move-windows + gnomeExtensions.bluetooth-battery + gnomeExtensions.net-speed-simplified + gnomeExtensions.gnome-bedtime # for grayscale screen + gnomeExtensions.caffeine # to prevent laptop from screen off temporarily + libnotify + + ## system libs + libGL # used while developing GUI apps for libgl1.so + xorg.xhost # to grant apps permission to use X display + # x11docker # to help run GUI apps from within docker. DO NOT USE. Sucks! + + ## audio + pavucontrol # fine grained control over what audio plays where + playerctl # cli version of pavucontrol of sorts, for use with scripts + sox + # easyeffects # uses deepfilternet, which is broken, hence removing this Ref: https://github.com/NixOS/nixpkgs/issues/335551 + # rnnoise-plugin # bad experience, and battery drain + + ## anime + ani-cli # waiting for this PR to land in unstable -> https://nixpk.gs/pr-tracker.html?pr=337503 + + ## design + # figma-linux # removing since its very laggy. firefox experience is much better + + ## kubernetes + seabird + + ## mouse + piper # gtk tool to configure logitech g502 mouse + + ## bluetooth + # bluez + # blueman + + ## api tooling + postman + + ## mongo dashboard + mongodb-compass + + ## redis tooling + # redisinsight + + ## automation + audio-recorder # downloaded for speech to text audio recording + xdotool # fake keyboard/mouse input, window management, and more + + ## color + eyedropper + ]; + }; + }; +} 
diff --git a/nix/modules/nixos/workstation/desktop/gaming/default.nix b/nix/modules/nixos/workstation/desktop/gaming/default.nix new file mode 100644 index 0000000..49d0bc9 --- /dev/null +++ b/nix/modules/nixos/workstation/desktop/gaming/default.nix @@ -0,0 +1,12 @@ +{ lib, config, pkgs, ... }: { + config = lib.mkIf config.snowflake.workstation.isGamingMachine { + environment = { + systemPackages = with pkgs; [ + # gaming + bottles # wrapper over wine to wun Windows software and games on Linux + heroic # games launcher for GOG, Amazon and Epic Games + mangohud # Vulkan and OpenGL overlay for monitoring FPS, temperatures, CPU/GPU load and more during gaming + ]; + }; + }; +} diff --git a/nix/modules/nixos/workstation/desktop/office/default.nix b/nix/modules/nixos/workstation/desktop/office/default.nix new file mode 100644 index 0000000..0974ce8 --- /dev/null +++ b/nix/modules/nixos/workstation/desktop/office/default.nix @@ -0,0 +1,17 @@ +{ lib, config, pkgs, ... }: { + config = lib.mkIf config.snowflake.workstation.isOfficeMachine { + environment = { + systemPackages = with pkgs; [ + # office suite + # TODO: use onlyoffice-desktopeditors, but its not working since for some reason its taking 24.04 version instead of nixos-unstable from nixpkgs. check why + onlyoffice-bin_latest + + # libreoffice + libreoffice + hunspell + hunspellDicts.uk_UA + hunspellDicts.th_TH + ]; + }; + }; +} diff --git a/nix/modules/nixos/workstation/dev/default.nix b/nix/modules/nixos/workstation/dev/default.nix new file mode 100644 index 0000000..6d23a1a --- /dev/null +++ b/nix/modules/nixos/workstation/dev/default.nix 
@@ -0,0 +1,153 @@ +{ lib, config, pkgs, ... }: { + config = lib.mkIf config.snowflake.workstation.isDevMachine { + environment = { + systemPackages = with pkgs; [ + ## system libs + gnumake # for Makefile executions + + ## terminal tools + dnsutils + git + zip + sshfs + glxinfo + lshw + stow + wl-clipboard + bc # basic calculator + htmlq # html parser like jq + litecli # for exploring sql databases in the cli + moreutils # for sponge to allow inplace editing using jq + xorg.xev + wev + unzip + arp-scan # for finding devices on network + + ## cli enhancers + ripgrep # grep in rust + eza # ls alternative + zoxide # cd alternative + difftastic # syntactic diff + + ## terminal multiplexer + tmux + tmuxinator # pre determined layout maker for tmux + + ## battery + powertop + + ## video player + yt-dlp # for mpv_quick + # # disabling streamlink because of build failure + # streamlink # cli for streaming from youtube or google drive + + ## torrent + # nodePackages.webtorrent-cli # commenting out, waiting on this issue: https://github.com/NixOS/nixpkgs/issues/321300 + # qbittorrent # torrent + + ## kubernetes + kubectl + k9s + kubernetes-helm + cmctl # cert manager cli tool for k8s + kubelogin # for azure kubernetes login + + atuin # shell history in sqlite + + pinentry-curses # choosing this since it is the default package - https://search.nixos.org/options?channel=unstable&show=programs.gnupg.agent.pinentryPackage&from=0&size=50&sort=relevance&type=packages&query=programs.gnupg.agent.pinentryPackage + + ## neovim deps + tree-sitter # for parser + gcc # for neovim + fzf # terminal reverse search + nvim-telescope + fd # nvim-telescope + black # code formatter for python in neovim + isort # code formatter for python in neovim + nixpkgs-review # fore reviewing PRs + pyright # lsp server for python in neovim + nodePackages.prettier # code formatter for js/ts in neovim + pgformatter # code formatter for sql in neovim + jq # code formatter for json in neovim + 
lua-language-server # lsp for lua in neovim + stylua # code formatter for lua in neovim + nodePackages.fixjson # code formatter for json in neovim + shellcheck + shellharden + shfmt + ruff # code formatter for python in neovim + nodePackages.bash-language-server + vscode-langservers-extracted # lsp for markdown in neovim + dockerfile-language-server-nodejs # for dockerfiles + nodePackages.typescript-language-server # lsp for typescript in neovim + emmet-ls # lsp for tsx files in neovim + terraform-ls # lsp for terraform files in neovim + pciutils # for lspci + # rubocop # code formatter for ruby + + ## nix tools + nixd + nix-index + nixpkgs-fmt + nixfmt-classic + nvd # Nix/NixOS package version diff tool + + ## docker + # dive # to analyze container images # never used + + ## backups + restic + + ## work + # azure-cli # breaking because of some nacl modulenotfound error + azure-storage-azcopy # to create and push vhd image to azure + + ## emacs + ispell # dictionary for doom emacs + graphviz # for org-roam in doom emacs + sqlite # for lookup in doom emacs + + ## android + android-tools + + ## speech to text + ffmpeg + # openai-whisper # won't work with GPU because of mismatching version + # openai-whisper-cpp + + ## try out other OSes + # distrobox # useless, not using + + ## vpn tools + wireguard-tools + openvpn + + ## kvm + # libguestfs + # p7zip + # dmg2img + # tesseract + # cdrkit + # libvirt-glib + + # red teaming + # mitmproxy # use in docker container + + ## marshal - ads + # oauth2l # interfacing with Google API + + ## devops + # terraformer # use in docker container + + ## bitwardel cli for secrets + bitwarden-cli + + ## cli + apacheHttpd # for htpasswd + aichat # for chatgpt in terminal + + ## removing as unable to use, will add back when can use it + # deepfilternet # for noise supressions + ]; + }; + }; +} 
diff --git a/nix/modules/nixos/workstation/networking/profiles/default.nix b/nix/modules/nixos/workstation/networking/profiles/default.nix new file mode 100644 index 0000000..e2b45e2 --- /dev/null +++ b/nix/modules/nixos/workstation/networking/profiles/default.nix @@ -0,0 +1,72 @@ +{ config, lib, ... }: +let + mkWifiProfile = { type, ssid, username, password, priority ? null }: { + connection = { + id = ssid; + permissions = ""; + type = "wifi"; + } // (if priority != null then { + autoconnect-priority = priority; + } else + { }); + wifi = { + mac-address-blacklist = ""; + mode = "infrastructure"; + inherit ssid; + }; + wifi-security = { } // (if type == "wpa-psk" then { + key-mgmt = type; + auth-alg = "open"; + psk = password; + } else if type == "wpa-eap" then { + key-mgmt = type; + } else + { }); + "802-1x" = { } // (if type == "wpa-eap" then { + eap = "peap"; + identity = username; + password = password; + phase2-auth = "mschapv2"; + } else + { }); + ipv4 = { + dns-search = ""; + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + dns-search = ""; + method = "auto"; + }; + }; + + # List of WiFi networks + wifiNetworks = [ + # Add more networks here as needed + { + type = "wpa-psk"; + ssid = "SAMPLE_WIFI_NAME"; + password = "SAMPLE_WIFI_PASSWORD"; + priority = 20; + } + ]; + +in { + options.snowflake.workstation.networking.profiles.enable = + lib.mkEnableOption "populate WiFi creds"; + + config = lib.mkIf config.snowflake.workstation.networking.profiles.enable { + networking.networkmanager.ensureProfiles.profiles = builtins.listToAttrs + (map (network: { + name = network.ssid; + value = mkWifiProfile { + type = network.type; + ssid = network.ssid; + username = network.username or null; + password = network.password; + priority = network.priority or null; + }; + }) wifiNetworks); + }; +} + diff --git a/nix/overlays/mpv/default.nix b/nix/overlays/mpv/default.nix new file mode 100644 index 0000000..3864ccc --- /dev/null 
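Review bot: `mkWifiProfile` writes the PSK and the 802.1X `password` verbatim into the NetworkManager profile, so any real value placed in `wifiNetworks` lands in git and in the world-readable Nix store of every host with `profiles.enable`. `networking.networkmanager.ensureProfiles.environmentFiles` exists for this: use placeholders such as `psk = "$WIFI_PSK";` here and supply the values from a root-only file at activation. For the `wpa-eap` branch the `802-1x` block sets no `ca-cert` or `domain-suffix-match`, so the supplicant has nothing to validate the authentication server against and cannot tell an impostor access point from the real one; add `ca-cert` and document it as required for EAP profiles. A comment above `wifiNetworks` stating that the `SAMPLE_WIFI_*` placeholders must not be replaced with real values in this file would prevent the slip.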
+++ b/nix/overlays/mpv/default.nix @@ -0,0 +1,11 @@ +_: _self: super: { + mpv = super.mpv.override { + scripts = [ + super.mpvScripts.mpris # to play pause mpv with system keys + super.mpvScripts.uosc # required for thumbfast + super.mpvScripts.thumbfast # to show thumbnails on hover + super.mpvScripts.sponsorblock-minimal # to skip sponsor section while playing youtube links + super.mpvScripts.webtorrent-mpv-hook # to stream torrents + ]; + }; +} diff --git a/nix/systems/x86_64-linux/apollo/default.nix b/nix/systems/x86_64-linux/apollo/default.nix new file mode 100644 index 0000000..3845d47 --- /dev/null +++ b/nix/systems/x86_64-linux/apollo/default.nix 
@@ -0,0 +1,104 @@ +{ +# An instance of `pkgs` with your overlays and packages applied is also available. +pkgs, inputs, ... }: { + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480 + ]; + + # basic setup + time.timeZone = "Asia/Kolkata"; + networking = { + hostName = "apollo"; + firewall = { + enable = true; + allowedTCPPorts = [ + 53317 # localsend + ]; + allowedUDPPorts = [ + 53317 # localsend + ]; + allowedTCPPortRanges = [ + # KDE Connect + { + from = 1714; + to = 1764; + } + ]; + }; + }; + + snowflake = { + locale = "en_US.UTF-8"; + # Bhur@108 + + extraPackages = with pkgs; [ firefox ungoogled-chromium ]; + core = { + openssh.enable = true; + latestKernel = true; + gc = true; + }; + + networking = { + networkmanager = { enable = true; }; + netbird = { enable = true; }; + }; + + hardware = { + isEfi = true; + xbootldrMountPoint = "/boot"; + efiSysMountPoint = "/efi"; + diskDevice = "/dev/nvme0n1"; + isInitrdLuksUnlockingEnabled = true; + }; + + workstation = { + enable = true; + desktop = { + enable = true; + autoLoginUser = "girish"; + }; + isOfficeMachine = true; + networking.profiles.enable = true; + }; + + user = { + enable = true; + users = { + girish = { + isNormalUser = true; + shell = pkgs.bash; + description = "Girish Shenoy"; + extraGroups = [ + "audio" + "networkmanager" # for modifying WiFi without sudo + "input" + ]; + initialHashedPassword = + "$2b$10$2WDIg5cJVcAUhUNLdDOC2.jgh81Xdgbj.mtrdVDs/3qWSk/LlSPYC"; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell" + ]; + }; + cc = { + isNormalUser = true; + shell = pkgs.bash; + description = "Ameya Shenoy"; + extraGroups = [ + "wheel" # for sudo access + "audio" + "networkmanager" # for modifying WiFi without sudo + "input" + ]; + initialHashedPassword = + 
"$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0"; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell" + ]; + }; + }; + }; + }; + + system.stateVersion = "24.05"; +} diff --git a/nix/systems/x86_64-linux/apollo/disko-config.nix b/nix/systems/x86_64-linux/apollo/disko-config.nix new file mode 100644 index 0000000..5b138a1 --- /dev/null +++ b/nix/systems/x86_64-linux/apollo/disko-config.nix 
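Review bot: `initialHashedPassword` and the SSH public keys for both users are committed inline, and the `cc` hash is the same `$y$` string used for `cc` in the hashirama system file, so one password is shared across hosts and its hash is available offline to anyone with the repository or either host's Nix store. Feeding hashes through `hashedPasswordFile` (or a secrets tool) and using per-host passwords would keep a compromise of one machine from extending to the other. The stray `# Bhur@108` comment under `locale` has no explanation and should be removed, or replaced with a comment that says what it is for. `girish` being the auto-login user while kept out of `wheel` is a sensible separation and worth a comment on `autoLoginUser`.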
@@ -0,0 +1,139 @@ +{ ... }: { + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + priority = 1; + }; + + efi = { + name = "EFI"; + size = "512M"; + type = "EF00"; + priority = 2; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/efi"; + mountOptions = [ "fmask=0137" "dmask=0027" ]; + }; + }; + xbootldr = { + name = "XBOOTLDR"; + size = "512M"; + type = "EA00"; + priority = 3; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + + # encryptedSwap = { + # size = "34G"; + # content = { + # type = "swap"; + # randomEncryption = true; + # priority = 100; # prefer to encrypt as long as we have space for it + # }; + # }; + + cryptswap = { + size = "34G"; + label = "luksswap"; + priority = 4; + content = { + type = "luks"; + name = "cryptswap"; + settings = { allowDiscards = true; }; + content = { + type = "swap"; + randomEncryption = true; + }; + }; + }; + + cryptroot = { + size = "100%"; + label = "luksroot"; + priority = 5; + content = { + type = "luks"; + name = "cryptroot"; + # passwordFile = "/tmp/secret.key"; # Interactive; you can use this directive to automate the process. 
Populate using: `echo "password" >/tmp/secret.key` on the remote machine + settings = { allowDiscards = true; }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; + subvolumes = { + "@" = { + mountpoint = "/"; + mountOptions = [ + "ssd" + "noatime" + "compress=zstd:1" + "space_cache=v2" + "subvol=@" + ]; + }; + "@home" = { + mountpoint = "/home"; + mountOptions = [ + "ssd" + "noatime" + "compress=zstd:1" + "space_cache=v2" + "subvol=@home" + ]; + }; + "@log" = { + mountpoint = "/var/log"; + mountOptions = [ + "ssd" + "noatime" + "compress=zstd:1" + "space_cache=v2" + "subvol=@log" + ]; + }; + "@docker" = { + mountpoint = "/var/lib/docker"; + mountOptions = [ + "ssd" + "noatime" + "compress=zstd:1" + "space_cache=v2" + "subvol=@docker" + ]; + }; + "@nix" = { + mountpoint = "/nix"; + mountOptions = [ + "ssd" + "noatime" + "compress=zstd:1" + "space_cache=v2" + "subvol=@nix" + ]; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/systems/x86_64-linux/apollo/flake.lock b/nix/systems/x86_64-linux/apollo/flake.lock new file mode 100644 index 0000000..d4ba1c2 --- /dev/null +++ b/nix/systems/x86_64-linux/apollo/flake.lock 
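Review bot: `/boot` (XBOOTLDR) is mounted with `mountOptions = [ "defaults" ]` while `/efi` directly above uses `[ "fmask=0137" "dmask=0027" ]`, so kernels and initrds stay world-readable even though the ESP is locked down; apply the same masks to the XBOOTLDR partition for consistency. `device = "/dev/nvme0n1"` is hard-coded here although apollo's `default.nix` sets `snowflake.hardware.diskDevice` to the same value and hashirama's disko config reads `config.snowflake.hardware.diskDevice`; reading the option here avoids the two drifting apart. The swap partition wraps `randomEncryption = true` inside a LUKS `cryptswap` container, which appears to encrypt swap twice: if a random key per boot is intended the outer LUKS layer looks redundant, and if persistent (hibernation-capable) swap is intended the inner random key defeats it, so a comment should say which was meant.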
@@ -0,0 +1,367 @@ +{ + "nodes": { + "darwin-nixpkgs": { + "locked": { + "lastModified": 1729850857, + "narHash": "sha256-WvLXzNNnnw+qpFOmgaM3JUlNEH+T4s22b5i2oyyCpXE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "41dea55321e5a999b17033296ac05fe8a8b5a257", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729712798, + "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=", + "owner": "nix-community", + "repo": "disko", + "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "freetype2": { + "flake": false, + "locked": { + "lastModified": 1687587065, + "narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=", + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + }, + "original": { + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + } + }, + "harfbuzz": { + "flake": false, + "locked": { + "lastModified": 1711722720, + "narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=", + "owner": "harfbuzz", + "repo": "harfbuzz", + "rev": "63973005bc07aba599b47fdd4cf788647b601ccd", + "type": "github" + }, + "original": { + "owner": "harfbuzz", + "ref": "8.4.0", + "repo": "harfbuzz", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729894599, + "narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "93435d27d250fa986bfec6b2ff263161ff8288cb", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "libpng": { + "flake": false, + "locked": { + "lastModified": 1549245649, + "narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=", + "owner": "glennrp", + "repo": "libpng", + "rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + }, + "original": { + "owner": "glennrp", + "repo": "libpng", + 
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "darwin-nixpkgs" + ] + }, + "locked": { + "lastModified": 1729826725, + "narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1729742320, + "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1729665710, + "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "darwin-nixpkgs": "darwin-nixpkgs", + "disko": "disko", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "snowfall-lib": "snowfall-lib", + "wezterm": "wezterm" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "wezterm", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726280639, + "narHash": "sha256-YfLRPlFZWrT2oRLNAoqf7G3+NnUTDdlIJk6tmBU7kXM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "e9f8641c92f26fd1e076e705edb12147c384171d", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + 
"nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "wezterm": { + "inputs": { + "flake-utils": "flake-utils_2", + "freetype2": "freetype2", + "harfbuzz": "harfbuzz", + "libpng": "libpng", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay", + "zlib": "zlib" + }, + "locked": { + "dir": "nix", + "lastModified": 1729006311, + "narHash": "sha256-1xtKJHu6CFnOhp4snof+WSTwcdPgwIaD6mBODP/cv3w=", + "owner": "wez", + "repo": "wezterm", + "rev": "9ddca7bde92090792dbcdc65c1e9897c362196d7", + "type": "github" + }, + "original": { + "dir": "nix", + "owner": "wez", + "repo": "wezterm", + "type": "github" + } + }, + "zlib": { + "flake": false, + "locked": { + "lastModified": 1484501380, + "narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=", + "owner": "madler", + "repo": "zlib", + "rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f", + "type": "github" + }, + "original": { + "owner": "madler", + "ref": "v1.2.11", + "repo": "zlib", + "type": "github" + } + } + }, + "root": "root", + 
"version": 7 +} diff --git a/nix/systems/x86_64-linux/apollo/hardware-configuration.nix b/nix/systems/x86_64-linux/apollo/hardware-configuration.nix new file mode 100644 index 0000000..79f9258 --- /dev/null +++ b/nix/systems/x86_64-linux/apollo/hardware-configuration.nix @@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, inputs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ./disko-config.nix + inputs.disko.nixosModules.disko + ]; + + boot.initrd.availableKernelModules = + [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nix/systems/x86_64-linux/hashirama/default.nix b/nix/systems/x86_64-linux/hashirama/default.nix new file mode 100644 index 0000000..b4ad7e0 --- /dev/null +++ b/nix/systems/x86_64-linux/hashirama/default.nix 
@@ -0,0 +1,80 @@
+{ modulesPath, pkgs, inputs, ... }: {
+ imports = [ # Include the results of the hardware scan.
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disko-config.nix
+ inputs.disko.nixosModules.disko
+ ];
+
+ # basic setup
+ time.timeZone = "Asia/Kolkata";
+ networking = {
+ hostName = "hashirama";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80 # paperless
+ 443 # paperless
+ ];
+ };
+
+ };
+
+ snowflake = {
+ locale = "en_US.UTF-8";
+ extraPackages = [ ];
+ core = {
+ openssh.enable = true;
+ latestKernel = true;
+ };
+
+ hardware = {
+ isEfi = false;
+ diskDevice = "/dev/sda";
+ isInitrdLuksUnlockingEnabled = true;
+ };
+
+ user = {
+ enable = true;
+ users = {
+ cc = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ description = "Ameya Shenoy";
+ extraGroups = [
+ "wheel" # Enable ‘sudo’ for the user.
+ "docker"
+ ];
+ initialHashedPassword =
+ "$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+ };
+ };
+ };
+
+ services = {
+ tika = { enable = true; };
+ redis = {
+ enable = true;
+ servers = {
+ saturobi = {
+ enable = true;
+ port = 6379;
+ };
+ };
+ };
+ paperless = {
+ enable = true;
+ domain = "paperless.codingcoffee.me";
+ };
+ nginx = {
+ enable = true;
+ acmeEmail = "letsencrypt@codingcoffee.me";
+ };
+ };
+ };
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/nix/systems/x86_64-linux/hashirama/disko-config.nix b/nix/systems/x86_64-linux/hashirama/disko-config.nix
new file mode 100644
index 0000000..ca7610d
--- /dev/null
+++ b/nix/systems/x86_64-linux/hashirama/disko-config.nix
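Review bot: The `initialHashedPassword` for `cc` is committed to the repository and the identical yescrypt string is reused in predator/default.nix and thinkpad/default.nix, so a single offline crack of this one hash yields the login password on all three hosts. Presumably this maps to NixOS `users.users.<name>.initialHashedPassword`, which only seeds the account when it is first created, so rotating the value in git later does nothing for already-installed machines. A per-host hash kept outside the flake (a secrets manager or a root-only file referenced by path) avoids both problems; at minimum the line deserves a comment such as `# initial-only: change with passwd after first boot` so the shared value is not mistaken for the live credential.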
@@ -0,0 +1,78 @@
+{ config, ... }: {
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = config.snowflake.hardware.diskDevice;
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ # passwordFile = "/tmp/secret.key"; # Interactive; you can use this directive to automate the process. Populate using: `echo "password" >/tmp/secret.key` on the remote machine
+ settings = { allowDiscards = true; };
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ];
+ subvolumes = {
+ "@" = {
+ mountpoint = "/";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@home"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@nix"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/systems/x86_64-linux/hashirama/flake.lock b/nix/systems/x86_64-linux/hashirama/flake.lock
new file mode 100644
index 0000000..6abe5b6
--- /dev/null
+++ b/nix/systems/x86_64-linux/hashirama/flake.lock
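Review bot: The ESP mounted at `/boot` uses `mountOptions = [ "defaults" ];`, which on vfat leaves the kernel and initrd images readable by every local user; predator/disko-config.nix in the same commit restricts its `/efi` with `"fmask=0137" "dmask=0027"` but also leaves `/boot` at defaults. With `isInitrdLuksUnlockingEnabled = true` the initrd is presumably the component that handles the LUKS passphrase prompt, so it is worth the same treatment here: `mountOptions = [ "fmask=0137" "dmask=0027" ];`. The commented `passwordFile`/`additionalKeyFiles` lines are useful as documentation, but a short qualifier that the `/tmp/secret.key` example is for install time only would stop someone leaving a key file on the running system.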
@@ -0,0 +1,388 @@ +{ + "nodes": { + "darwin-nixpkgs": { + "locked": { + "lastModified": 1729850857, + "narHash": "sha256-WvLXzNNnnw+qpFOmgaM3JUlNEH+T4s22b5i2oyyCpXE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "41dea55321e5a999b17033296ac05fe8a8b5a257", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729712798, + "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=", + "owner": "nix-community", + "repo": "disko", + "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "freetype2": { + "flake": false, + "locked": { + "lastModified": 1687587065, + "narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=", + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + }, + "original": { + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + } + }, + "harfbuzz": { + "flake": false, + "locked": { + "lastModified": 1711722720, + "narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=", + "owner": "harfbuzz", + "repo": "harfbuzz", + "rev": "63973005bc07aba599b47fdd4cf788647b601ccd", + "type": "github" + }, + "original": { + "owner": "harfbuzz", + "ref": "8.4.0", + "repo": "harfbuzz", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729894599, + "narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "93435d27d250fa986bfec6b2ff263161ff8288cb", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "libpng": { + "flake": false, + "locked": { + "lastModified": 1549245649, + "narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=", + "owner": "glennrp", + "repo": "libpng", + "rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + }, + "original": { + "owner": "glennrp", + "repo": "libpng", + 
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "darwin-nixpkgs" + ] + }, + "locked": { + "lastModified": 1729826725, + "narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1729742320, + "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixos-needtoreboot": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715010630, + "narHash": "sha256-zOMZDSAd3w1Dd5Jcs3nYae7aNomb3qfMJmCQl2ucZok=", + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "rev": "8a3f64cc3c246cc6311485ad96ee9db0989c1377", + "type": "github" + }, + "original": { + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1729665710, + "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "darwin-nixpkgs": "darwin-nixpkgs", + "disko": "disko", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-hardware": "nixos-hardware", + "nixos-needtoreboot": "nixos-needtoreboot", + "nixpkgs": "nixpkgs", + "snowfall-lib": "snowfall-lib", + "wezterm": "wezterm" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + 
"wezterm", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726280639, + "narHash": "sha256-YfLRPlFZWrT2oRLNAoqf7G3+NnUTDdlIJk6tmBU7kXM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "e9f8641c92f26fd1e076e705edb12147c384171d", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "wezterm": { + "inputs": { + "flake-utils": "flake-utils_2", + "freetype2": "freetype2", + "harfbuzz": "harfbuzz", + "libpng": "libpng", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay", + "zlib": "zlib" + }, + "locked": { + "dir": "nix", + "lastModified": 1729006311, + "narHash": "sha256-1xtKJHu6CFnOhp4snof+WSTwcdPgwIaD6mBODP/cv3w=", + "owner": "wez", + "repo": "wezterm", + "rev": "9ddca7bde92090792dbcdc65c1e9897c362196d7", + "type": "github" + }, + "original": { 
+ "dir": "nix", + "owner": "wez", + "repo": "wezterm", + "type": "github" + } + }, + "zlib": { + "flake": false, + "locked": { + "lastModified": 1484501380, + "narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=", + "owner": "madler", + "repo": "zlib", + "rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f", + "type": "github" + }, + "original": { + "owner": "madler", + "ref": "v1.2.11", + "repo": "zlib", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/systems/x86_64-linux/predator/default.nix b/nix/systems/x86_64-linux/predator/default.nix new file mode 100644 index 0000000..9ba737c --- /dev/null +++ b/nix/systems/x86_64-linux/predator/default.nix 
@@ -0,0 +1,75 @@
+{
+# An instance of `pkgs` with your overlays and packages applied is also available.
+pkgs, ... }: {
+ imports = [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # basic setup
+ time.timeZone = "Asia/Kolkata";
+ networking = {
+ hostName = "predator";
+ firewall = { enable = true; };
+ };
+
+ snowflake = {
+ locale = "en_US.UTF-8";
+ extraPackages = [ ];
+ core = {
+ openssh.enable = true;
+ usbguard = {
+ enable = true;
+ serviceEnable = true;
+ rules = ''
+ allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+ allow id 04ca:3016 serial "" name "" hash "sWyd7TOtgnEsF2goHz8YArmVFOJ2oPOaXymfNvIlfX4=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
+ allow id 04f2:b5f7 serial "" name "HD WebCam" hash "qQuh2zlQME9E1ToJeITgPbgnlVw4GNizEh9S36RoDEw=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-9" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "hardwired"
+ '';
+ };
+ latestKernel = true;
+ };
+
+ networking = {
+ wakeOnLan = {
+ enable = true;
+ interface = "enp3s0f1";
+ };
+ netbirdClient = { enable = true; };
+ };
+
+ hardware = {
+ isEfi = true;
+ xbootldrMountPoint = "/boot";
+ efiSysMountPoint = "/efi";
+ diskDevice = "/dev/sda";
+ isInitrdLuksUnlockingEnabled = true;
+ laptop = {
+ enable = true;
+ lidSwitch = "ignore";
+ };
+ };
+
+ user = {
+ enable = true;
+ users = {
+ cc = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ description = "Ameya Shenoy";
+ extraGroups = [
+ "wheel" # Enable ‘sudo’ for the user.
+ "docker"
+ ];
+ initialHashedPassword =
+ "$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/nix/systems/x86_64-linux/predator/disko-config.nix b/nix/systems/x86_64-linux/predator/disko-config.nix
new file mode 100644
index 0000000..6fac651
--- /dev/null
+++ b/nix/systems/x86_64-linux/predator/disko-config.nix
@@ -0,0 +1,167 @@
+{ config, ... }: {
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = config.snowflake.hardware.diskDevice;
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ priority = 1;
+ };
+
+ efi = {
+ name = "EFI";
+ size = "512M";
+ type = "EF00";
+ priority = 2;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/efi";
+ mountOptions = [ "fmask=0137" "dmask=0027" ];
+ };
+ };
+ xbootldr = {
+ name = "XBOOTLDR";
+ size = "512M";
+ type = "EA00";
+ priority = 3;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+
+ cryptswap = {
+ size = "34G";
+ label = "luksswap";
+ priority = 4;
+ content = {
+ type = "luks";
+ name = "cryptswap";
+ settings = { allowDiscards = true; };
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ };
+
+ cryptroot = {
+ size = "100%";
+ label = "luksroot";
+ priority = 5;
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ # passwordFile = "/tmp/secret.key"; # Interactive; you can use this directive to automate the process. Populate using: `echo "password" >/tmp/secret.key` on the remote machine
+ settings = { allowDiscards = true; };
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ];
+ subvolumes = {
+ "@" = {
+ mountpoint = "/";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@home"
+ ];
+ };
+ "@log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@log"
+ ];
+ };
+ "@docker" = {
+ mountpoint = "/var/lib/docker";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@docker"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@nix"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ storage = {
+ type = "disk";
+ device = "/dev/sdb";
+ content = {
+ type = "gpt";
+ partitions = {
+ cryptroot = {
+ size = "100%";
+ label = "luksdata";
+ priority = 5;
+ content = {
+ type = "luks";
+ name = "cryptdata";
+ # passwordFile = "/tmp/secret.key"; # Interactive; you can use this directive to automate the process. Populate using: `echo "password" >/tmp/secret.key` on the remote machine
+ settings = { allowDiscards = true; };
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "DISK1" "-f" ];
+ subvolumes = {
+ "@data" = {
+ mountpoint = "/mnt/disk1";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/systems/x86_64-linux/predator/flake.lock b/nix/systems/x86_64-linux/predator/flake.lock
new file mode 100644
index 0000000..9e1a6d0
--- /dev/null
+++ b/nix/systems/x86_64-linux/predator/flake.lock
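Review bot: The `@data` subvolume on the `storage` disk is mounted with `"subvol=@"`, but that disk only creates a subvolume named `@data`; every other entry in this file pairs the option with its own name (`"@nix"` → `"subvol=@nix"`), so this looks like a copy-paste slip that will either fail to mount `/mnt/disk1` or mount something other than intended, depending on which `subvol=` option wins. The line should read `"subvol=@data"`. Separately, `cryptswap` puts a `randomEncryption = true` swap inside a LUKS container, which encrypts the swap twice and rules out resume-from-hibernation; if that is deliberate, a one-line comment stating so would save the next reader the question. The `storage` disk also hard-codes `"/dev/sdb"` while `main` reads `config.snowflake.hardware.diskDevice`; a `/dev/disk/by-id/` path would keep disko from formatting the wrong disk if enumeration order changes.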
@@ -0,0 +1,388 @@ +{ + "nodes": { + "darwin-nixpkgs": { + "locked": { + "lastModified": 1730958623, + "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731060864, + "narHash": "sha256-aYE7oAYZ+gPU1mPNhM0JwLAQNgjf0/JK1BF1ln2KBgk=", + "owner": "nix-community", + "repo": "disko", + "rev": "5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "freetype2": { + "flake": false, + "locked": { + "lastModified": 1687587065, + "narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=", + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + }, + "original": { + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + } + }, + "harfbuzz": { + "flake": false, + "locked": { + "lastModified": 1711722720, + "narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=", + "owner": "harfbuzz", + "repo": "harfbuzz", + "rev": "63973005bc07aba599b47fdd4cf788647b601ccd", + "type": "github" + }, + "original": { + "owner": "harfbuzz", + "ref": "8.4.0", + "repo": "harfbuzz", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730837930, + "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "2f607e07f3ac7e53541120536708e824acccfaa8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "libpng": { + "flake": false, + "locked": { + "lastModified": 1549245649, + "narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=", + "owner": "glennrp", + "repo": "libpng", + "rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + }, + "original": { + "owner": "glennrp", + "repo": "libpng", + 
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "darwin-nixpkgs" + ] + }, + "locked": { + "lastModified": 1731153869, + "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "5c74ab862c8070cbf6400128a1b56abb213656da", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1730919458, + "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "e1cc1f6483393634aee94514186d21a4871e78d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixos-needtoreboot": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715010630, + "narHash": "sha256-zOMZDSAd3w1Dd5Jcs3nYae7aNomb3qfMJmCQl2ucZok=", + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "rev": "8a3f64cc3c246cc6311485ad96ee9db0989c1377", + "type": "github" + }, + "original": { + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1730785428, + "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "darwin-nixpkgs": "darwin-nixpkgs", + "disko": "disko", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-hardware": "nixos-hardware", + "nixos-needtoreboot": "nixos-needtoreboot", + "nixpkgs": "nixpkgs", + "snowfall-lib": "snowfall-lib", + "wezterm": "wezterm" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + 
"wezterm", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729477859, + "narHash": "sha256-r0VyeJxy4O4CgTB/PNtfQft9fPfN1VuGvnZiCxDArvg=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "ada8266712449c4c0e6ee6fcbc442b3c217c79e1", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730136121, + "narHash": "sha256-tfVayj13Zw+zzOKrmJhnvBod7Hdb9ixBR6/4GUlyMA0=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "dd348182c1a010993e68004eada86cf0341fe2c4", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "wezterm": { + "inputs": { + "flake-utils": "flake-utils_2", + "freetype2": "freetype2", + "harfbuzz": "harfbuzz", + "libpng": "libpng", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay", + "zlib": "zlib" + }, + "locked": { + "dir": "nix", + "lastModified": 1730734444, + "narHash": "sha256-lNgCAphrq3/bYGjgDxEl2rVcer6GnmfWXDhxc+kdYOk=", + "owner": "wez", + "repo": "wezterm", + "rev": "51c794ac500a2033b9dc570c71810518bfa667a9", + "type": "github" + }, + "original": { 
+ "dir": "nix", + "owner": "wez", + "repo": "wezterm", + "type": "github" + } + }, + "zlib": { + "flake": false, + "locked": { + "lastModified": 1484501380, + "narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=", + "owner": "madler", + "repo": "zlib", + "rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f", + "type": "github" + }, + "original": { + "owner": "madler", + "ref": "v1.2.11", + "repo": "zlib", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/systems/x86_64-linux/predator/hardware-configuration.nix b/nix/systems/x86_64-linux/predator/hardware-configuration.nix new file mode 100644 index 0000000..91b277c --- /dev/null +++ b/nix/systems/x86_64-linux/predator/hardware-configuration.nix 
@@ -0,0 +1,30 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, inputs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ inputs.disko.nixosModules.disko
+ ./disko-config.nix
+ ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "r8169" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nix/systems/x86_64-linux/thinkpad/default.nix b/nix/systems/x86_64-linux/thinkpad/default.nix
new file mode 100644
index 0000000..87fc7a8
--- /dev/null
+++ b/nix/systems/x86_64-linux/thinkpad/default.nix
@@ -0,0 +1,153 @@
+{
+# An instance of `pkgs` with your overlays and packages applied is also available.
+pkgs, inputs, ... }: {
+ imports = [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480
+ ];
+
+ # basic setup
+ time.timeZone = "Asia/Kolkata";
+ networking = {
+ hostName = "thinkpad";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 53317 # localsend
+ ];
+ allowedUDPPorts = [
+ 53317 # localsend
+ ];
+ allowedTCPPortRanges = [
+ # KDE Connect
+ {
+ from = 1714;
+ to = 1764;
+ }
+ ];
+ };
+ };
+
+ snowflake = {
+ locale = "en_US.UTF-8";
+
+ extraPackages = with pkgs; [
+ # try airdrop
+ opendrop
+ owl
+ wirelesstools
+ # # put in monitor mode
+ # sudo ifconfig wlp3s0 down
+ # sudo iwconfig wlp3s0 mode monitor
+ # sudo owl -i wlp3s0 -N
+ # # revert
+ # sudo ifconfig wlp3s0 down
+ # ip link set wlp3s0 up
+ ];
+ core = {
+ openssh.enable = true;
+ usbguard = {
+ enable = true;
+ serviceEnable = true;
+ rules = ''
+ allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0002 serial "0000:3c:00.0" name "xHCI Host Controller" hash "+k9gUUE6Cnbob2WB/I//KMZ1hZ1UgvI6RrqNkIDvdmQ=" parent-hash "zCxLdr73Tn0YoKg15XR1ttIXizl8vMD+KtVAQnBZO8I=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:3c:00.0" name "xHCI Host Controller" hash "f/j0P3jeotLSPQLacl0JEBDT/k4mgTo84SKV39leYSc=" parent-hash "zCxLdr73Tn0YoKg15XR1ttIXizl8vMD+KtVAQnBZO8I=" with-interface 09:00:00 with-connect-type ""
+ allow id 8087:0a2b serial "" name "" hash "TtRMrWxJil9GOY/JzidUEOz0yUiwwzbLm8D7DJvGxdg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
+ allow id 04f2:b604 serial "0001" name "Integrated Camera" hash "Sra5Do2lULxlGqcVOc0E68CJLWT1st8KiYXu4dbUQoQ=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "not used"
+ allow id 0bda:0316 serial "20120501030900000" name "USB3.0-CRW" hash "WG1MSC3YZsmCslTNGpjTTjT2lUvhNfU4gEVvD3gIuV4=" parent-hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" with-interface 08:06:50 with-connect-type "not used"
+ '';
+ };
+ latestKernel = true;
+ };
+
+ networking = {
+ networkmanager = { enable = true; };
+ netbirdClient = { enable = true; };
+ };
+
+ hardware = {
+ isEfi = true;
+ xbootldrMountPoint = "/boot";
+ efiSysMountPoint = "/efi";
+ diskDevice = "/dev/sda";
+ isInitrdLuksUnlockingEnabled = true;
+ laptop = {
+ enable = true;
+ lidSwitch = "lock";
+ };
+ };
+
+ services = {
+ syncthing = {
+ enable = true;
+ user = "cc";
+ password = "xxxxxxxxxx";
+ dataDir = "/home/cc/Documents";
+ configDir = "/home/cc/.config/syncthing";
+ };
+ restic = {
+ enable = true;
+ name = "thinkpad";
+ };
+ };
+
+ workstation = {
+ enable = true;
+ isDevMachine = true;
+ desktop = {
+ enable = true;
+ autoLoginUser = "cc";
+ };
+ networking.profiles.enable = true;
+ };
+
+ virtualisation = {
+ docker.enable = true;
+ kvm = {
+ enable = true;
+ ovmf.enable = false;
+ };
+ };
+
+ user = {
+ enable = true;
+ users = {
+ cc = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ description = "Ameya Shenoy";
+ extraGroups = [
+ "wheel" # for sudo access
+ "audio"
+ "networkmanager" # for modifying WiFi without sudo
+ "docker" # for docker cli without root
+ "input"
+ "kvm" # for kvm VMs
+ "libvirtd" # for kvm VMs
+ ];
+ initialHashedPassword =
+ "$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+ };
+ };
+ };
+ };
+
+ environment.etc = {
+ # wireguaard config
+ "wireguard/gvine.conf".source = ../../../conf/wireguard/gvine.conf;
+ "wireguard/kryo.conf".source = ../../../conf/wireguard/kryo.conf;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/nix/systems/x86_64-linux/thinkpad/flake.lock b/nix/systems/x86_64-linux/thinkpad/flake.lock
new file mode 100644
index 0000000..1d2813b
--- /dev/null
+++ b/nix/systems/x86_64-linux/thinkpad/flake.lock
@@ -0,0 +1,388 @@ +{ + "nodes": { + "darwin-nixpkgs": { + "locked": { + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730751873, + "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "856a2902156ba304efebd4c1096dbf7465569454", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "freetype2": { + "flake": false, + "locked": { + "lastModified": 1687587065, + "narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=", + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + }, + "original": { + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + } + }, + "harfbuzz": { + "flake": false, + "locked": { + "lastModified": 1711722720, + "narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=", + "owner": "harfbuzz", + "repo": "harfbuzz", + "rev": "63973005bc07aba599b47fdd4cf788647b601ccd", + "type": "github" + }, + "original": { + "owner": "harfbuzz", + "ref": "8.4.0", + "repo": "harfbuzz", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730633670, + "narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "libpng": { + "flake": false, + "locked": { + "lastModified": 1549245649, + "narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=", + "owner": "glennrp", + "repo": "libpng", + "rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + }, + "original": { + "owner": "glennrp", + "repo": "libpng", + 
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "darwin-nixpkgs" + ] + }, + "locked": { + "lastModified": 1730779758, + "narHash": "sha256-5WI9AnsBwhLzVRnQm3Qn9oAbROnuLDQTpaXeyZCK8qw=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "0e3f3f017c14467085f15d42343a3aaaacd89bcb", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1730828750, + "narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixos-needtoreboot": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715010630, + "narHash": "sha256-zOMZDSAd3w1Dd5Jcs3nYae7aNomb3qfMJmCQl2ucZok=", + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "rev": "8a3f64cc3c246cc6311485ad96ee9db0989c1377", + "type": "github" + }, + "original": { + "owner": "thefossguy", + "repo": "nixos-needsreboot", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "darwin-nixpkgs": "darwin-nixpkgs", + "disko": "disko", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-hardware": "nixos-hardware", + "nixos-needtoreboot": "nixos-needtoreboot", + "nixpkgs": "nixpkgs", + "snowfall-lib": "snowfall-lib", + "wezterm": "wezterm" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + 
"wezterm", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729477859, + "narHash": "sha256-r0VyeJxy4O4CgTB/PNtfQft9fPfN1VuGvnZiCxDArvg=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "ada8266712449c4c0e6ee6fcbc442b3c217c79e1", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730136121, + "narHash": "sha256-tfVayj13Zw+zzOKrmJhnvBod7Hdb9ixBR6/4GUlyMA0=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "dd348182c1a010993e68004eada86cf0341fe2c4", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "wezterm": { + "inputs": { + "flake-utils": "flake-utils_2", + "freetype2": "freetype2", + "harfbuzz": "harfbuzz", + "libpng": "libpng", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay", + "zlib": "zlib" + }, + "locked": { + "dir": "nix", + "lastModified": 1730734444, + "narHash": "sha256-lNgCAphrq3/bYGjgDxEl2rVcer6GnmfWXDhxc+kdYOk=", + "owner": "wez", + "repo": "wezterm", + "rev": "51c794ac500a2033b9dc570c71810518bfa667a9", + "type": "github" + }, + "original": { 
+ "dir": "nix", + "owner": "wez", + "repo": "wezterm", + "type": "github" + } + }, + "zlib": { + "flake": false, + "locked": { + "lastModified": 1484501380, + "narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=", + "owner": "madler", + "repo": "zlib", + "rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f", + "type": "github" + }, + "original": { + "owner": "madler", + "ref": "v1.2.11", + "repo": "zlib", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/systems/x86_64-linux/thinkpad/hardware-configuration.nix b/nix/systems/x86_64-linux/thinkpad/hardware-configuration.nix new file mode 100644 index 0000000..878a184 --- /dev/null +++ b/nix/systems/x86_64-linux/thinkpad/hardware-configuration.nix 
@@ -0,0 +1,70 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/305421e4-ad68-4fb4-ad9e-dc0239d0fc3a";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ boot.initrd.luks.devices."cryptroot".device =
+ "/dev/disk/by-uuid/8fd8ef17-6efb-4c59-a692-4a30e96aa06c";
+ boot.initrd.luks.devices."cryptswap".device =
+ "/dev/disk/by-uuid/321a7b30-e4d9-458c-b2c6-3c9d586b7f95";
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/305421e4-ad68-4fb4-ad9e-dc0239d0fc3a";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/efi" = {
+ device = "/dev/disk/by-uuid/29F3-6F90";
+ fsType = "vfat";
+ options = [ "fmask=0137" "dmask=0027" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/2A29-82FE";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/305421e4-ad68-4fb4-ad9e-dc0239d0fc3a";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" ];
+ };
+
+ fileSystems."/var/log" = {
+ device = "/dev/disk/by-uuid/305421e4-ad68-4fb4-ad9e-dc0239d0fc3a";
+ fsType = "btrfs";
+ options = [ "subvol=@log" ];
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/d4ebc4af-c76b-4a16-999f-0e26b70b90aa"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nix/systems/x86_64-linux/zephyrus/default.nix b/nix/systems/x86_64-linux/zephyrus/default.nix
new file mode 100644
index 0000000..63a502d
--- /dev/null
+++ b/nix/systems/x86_64-linux/zephyrus/default.nix
@@ -0,0 +1,149 @@
+{
+# An instance of `pkgs` with your overlays and packages applied is also available.
+pkgs, inputs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ inputs.nixos-hardware.nixosModules.asus-zephyrus-ga402x-nvidia
+ ];
+
+ specialisation = {
+ amd.configuration = {
+ imports =
+ [ inputs.nixos-hardware.nixosModules.asus-zephyrus-ga402x-amdgpu ];
+ disabledModules =
+ [ inputs.nixos-hardware.nixosModules.asus-zephyrus-ga402x-nvidia ];
+ environment.etc."specialisation".text = "amd";
+ };
+ };
+
+ # basic setup
+ time.timeZone = "Asia/Kolkata";
+ networking = {
+ hostName = "zephyrus";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 53317 # localsend
+ ];
+ allowedUDPPorts = [
+ 53317 # localsend
+ ];
+ allowedTCPPortRanges = [
+ # KDE Connect
+ {
+ from = 1714;
+ to = 1764;
+ }
+ ];
+ };
+ };
+
+ snowflake = {
+ locale = "en_US.UTF-8";
+
+ core = {
+ openssh.enable = true;
+ usbguard = {
+ enable = true;
+ serviceEnable = true;
+ rules = ''
+ allow id 1d6b:0002 serial "0000:65:00.3" name "xHCI Host Controller" hash "WzNerMjWOkFgAWCzXluD4lHtKgE+JDIqv97YjnIaxVg=" parent-hash "+g49kFA/DLPqqT4vRVfh/J3qcZm1eDYtwEhM+g/uLPE=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:65:00.3" name "xHCI Host Controller" hash "mIzU4fq70wRZa1T12gqLMSw7U2q9oA7P9dJxsssOayY=" parent-hash "+g49kFA/DLPqqT4vRVfh/J3qcZm1eDYtwEhM+g/uLPE=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0002 serial "0000:65:00.4" name "xHCI Host Controller" hash "NmYNS6NdTvXYWgsPKd+yQpw3t1mmAxiU8d4XQUBkH3I=" parent-hash "Znd9qz9Qs25cZtzXKrrJ7cTtJEGnWeuCGwYOaXme9ek=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:65:00.4" name "xHCI Host Controller" hash "y9Nk9H3fHo5epOhAW7s82MOJnnWZ/yFxSfccOQ/9Qzs=" parent-hash "Znd9qz9Qs25cZtzXKrrJ7cTtJEGnWeuCGwYOaXme9ek=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0002 serial "0000:67:00.4" name "xHCI Host Controller" hash "Cc+/NRzwn5FbQnzCQnJg0Sk0j05oRhcuKMUgVhlscSo=" parent-hash "e1e8cr4KK9QwD6zkfzdDwCklou0xWP10uuDzXNbqcl8=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:67:00.4" name "xHCI Host Controller" hash "q/cXrlPF1ME1cca1ODj3Zw2+KvUlO/AyHWhLBLcXEY0=" parent-hash "e1e8cr4KK9QwD6zkfzdDwCklou0xWP10uuDzXNbqcl8=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0002 serial "0000:67:00.3" name "xHCI Host Controller" hash "vrNNUIIcgkYEpDuGVktyyzvajURe8f8q0r+bX4UUOAU=" parent-hash "vBDAY9DPeKU7PmpNjjQF6BFGmMMUf5GcWT7mUBq3V/w=" with-interface 09:00:00 with-connect-type ""
+ allow id 1d6b:0003 serial "0000:67:00.3" name "xHCI Host Controller" hash "oH0wqHMpez4C8qzE5sAEzaOFyHBgpK0tboegCmyJUKQ=" parent-hash "vBDAY9DPeKU7PmpNjjQF6BFGmMMUf5GcWT7mUBq3V/w=" with-interface 09:00:00 with-connect-type ""
+ allow id 0b05:19b6 serial "" name "N-KEY Device" hash "uOF2q+JtR+N2zPqqjWBZF2mtj4k1P288Y14Bc3Ys5nw=" parent-hash "WzNerMjWOkFgAWCzXluD4lHtKgE+JDIqv97YjnIaxVg=" via-port "1-3" with-interface 03:01:01 with-connect-type "not used"
+ allow id 0b05:193b serial "" name "ITE Device(8295)" hash "ftvLuhqr/PFdJv9LZ1cPFK4Dsl7PKfHvYU5ppnsFwko=" parent-hash "WzNerMjWOkFgAWCzXluD4lHtKgE+JDIqv97YjnIaxVg=" via-port "1-4" with-interface 03:01:01 with-connect-type "not used"
+ allow id 0489:e0f6 serial "000000000" name "Wireless_Device" hash "2zGpttB3IyVW7/frL+KK/GcLAB1X5tL3KIC+iKRyWjs=" parent-hash "WzNerMjWOkFgAWCzXluD4lHtKgE+JDIqv97YjnIaxVg=" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"
+ allow id 3277:0018 serial "" name "USB2.0 FHD UVC WebCam" hash "JlgFONxs2KZ0CHsZ+/w7pTukZMabSq1ATObpw8H6LbI=" parent-hash "NmYNS6NdTvXYWgsPKd+yQpw3t1mmAxiU8d4XQUBkH3I=" via-port "3-1" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "hardwired"
+ '';
+ };
+ latestKernel = true;
+ };
+
+ networking = {
+ networkmanager = { enable = true; };
+ netbirdClient = { enable = true; };
+ };
+
+ hardware = {
+ isEfi = true;
+ xbootldrMountPoint = "/boot";
+ efiSysMountPoint = "/efi";
+ diskDevice = "/dev/nvme0n1";
+ isInitrdLuksUnlockingEnabled = true;
+ laptop = {
+ enable = true;
+ lidSwitch = "lock";
+ };
+ };
+
+ services = {
+ asus.enable = true;
+ syncthing = {
+ enable = true;
+ user = "cc";
+ password = "xxxxxxxxxx";
+ dataDir = "/home/cc/Documents";
+ configDir = "/home/cc/.config/syncthing";
+ };
+ };
+
+ workstation = {
+ enable = true;
+ isDevMachine = true;
+ desktop = {
+ enable = true;
+ autoLoginUser = "cc";
+ };
+ networking.profiles.enable = true;
+ };
+
+ virtualisation = {
+ docker.enable = true;
+ kvm.enable = true;
+ };
+
+ user = {
+ enable = true;
+ users = {
+ cc = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ description = "Ameya Shenoy";
+ extraGroups = [
+ "wheel" # for sudo access
+ "audio"
+ "networkmanager" # for modifying WiFi without sudo
+ "docker" # for docker cli without root
+ "input"
+ "kvm" # for kvm VMs
+ "libvirtd" # for kvm VMs
+ ];
+ initialHashedPassword =
+ "$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
+ ];
+ };
+ };
+ };
+ };
+
+ environment.etc = {
+ # wireguaard config
+ "wireguard/gvine.conf".source = ../../../conf/wireguard/gvine.conf;
+ "wireguard/kryo.conf".source = ../../../conf/wireguard/kryo.conf;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/nix/systems/x86_64-linux/zephyrus/disko-config.nix b/nix/systems/x86_64-linux/zephyrus/disko-config.nix
new file mode 100644
index 0000000..de044ac
--- /dev/null
+++ b/nix/systems/x86_64-linux/zephyrus/disko-config.nix
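Review bot: `"wireguard/gvine.conf".source = ../../../conf/wireguard/gvine.conf` (and the `kryo.conf` line beside it, near the end of the hunk) references the tunnel configuration through a path literal, so it is copied into the world-readable Nix store and shipped with the system closure; with a flake the whole repository is copied to the store at evaluation anyway, so if those files carry a `PrivateKey` (not visible in this commit) any local user can read it. Keep the private material outside the repo and the store, e.g. `"wireguard/gvine.conf".source = "/var/lib/wireguard/gvine.conf";` provisioned by hand or by a secrets tool, or point the WireGuard module at a key file instead of embedding the whole conf. The literal `password = "xxxxxxxxxx"` under `services.syncthing` has the same property, assuming the custom `snowflake` module evaluates it into a store path: a placeholder today invites a real value in a later commit. The thinkpad `default.nix` hunk earlier in this commit carries both of these lines as well.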
@@ -0,0 +1,130 @@
+{ ... }: {
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ priority = 1;
+ };
+
+ efi = {
+ name = "EFI";
+ size = "512M";
+ type = "EF00";
+ priority = 2;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/efi";
+ mountOptions = [ "fmask=0137" "dmask=0027" ];
+ };
+ };
+ xbootldr = {
+ name = "XBOOTLDR";
+ size = "512M";
+ type = "EA00";
+ priority = 3;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+
+ cryptswap = {
+ size = "34G";
+ label = "luksswap";
+ priority = 4;
+ content = {
+ type = "luks";
+ name = "cryptswap";
+ settings = { allowDiscards = true; };
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ };
+ };
+
+ cryptroot = {
+ size = "100%";
+ label = "luksroot";
+ priority = 5;
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ # passwordFile = "/tmp/secret.key"; # Interactive; you can use this directive to automate the process. Populate using: `echo "password" >/tmp/secret.key` on the remote machine
+ settings = { allowDiscards = true; };
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ];
+ subvolumes = {
+ "@" = {
+ mountpoint = "/";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@"
+ ];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@home"
+ ];
+ };
+ "@log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@log"
+ ];
+ };
+ "@docker" = {
+ mountpoint = "/var/lib/docker";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@docker"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "ssd"
+ "noatime"
+ "compress=zstd:1"
+ "space_cache=v2"
+ "subvol=@nix"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/systems/x86_64-linux/zephyrus/flake.lock b/nix/systems/x86_64-linux/zephyrus/flake.lock
new file mode 100644
index 0000000..d4ba1c2
--- /dev/null
+++ b/nix/systems/x86_64-linux/zephyrus/flake.lock
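Review bot: The `xbootldr` partition is mounted at `/boot` with `mountOptions = [ "defaults" ];`, while the sibling `efi` partition gets `[ "fmask=0137" "dmask=0027" ]`; on vfat, `defaults` leaves every kernel, initrd and loader entry on the XBOOTLDR partition readable by every local user. Unless something relies on unprivileged reads of `/boot`, give both partitions the same masks: `mountOptions = [ "fmask=0137" "dmask=0027" ];`. The thinkpad `hardware-configuration.nix` earlier in this commit mounts `/boot` with `fmask=0022 dmask=0022` and has the same exposure. Separately, `cryptswap` wraps a `swap` with `randomEncryption = true` inside a LUKS container, which encrypts the swap twice and, if the outer container keeps a passphrase, adds a second unlock at boot; a one-line comment on why both layers are wanted would help the next reader, and note that a per-boot random key rules out resuming from hibernation.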
@@ -0,0 +1,367 @@ +{ + "nodes": { + "darwin-nixpkgs": { + "locked": { + "lastModified": 1729850857, + "narHash": "sha256-WvLXzNNnnw+qpFOmgaM3JUlNEH+T4s22b5i2oyyCpXE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "41dea55321e5a999b17033296ac05fe8a8b5a257", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729712798, + "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=", + "owner": "nix-community", + "repo": "disko", + "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "freetype2": { + "flake": false, + "locked": { + "lastModified": 1687587065, + "narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=", + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + }, + "original": { + "owner": "wez", + "repo": "freetype2", + "rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d", + "type": "github" + } + }, + "harfbuzz": { + "flake": false, + "locked": { + "lastModified": 1711722720, + "narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=", + "owner": "harfbuzz", + "repo": "harfbuzz", + "rev": "63973005bc07aba599b47fdd4cf788647b601ccd", + "type": "github" + }, + "original": { + "owner": "harfbuzz", + "ref": "8.4.0", + "repo": "harfbuzz", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729894599, + "narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "93435d27d250fa986bfec6b2ff263161ff8288cb", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "libpng": { + "flake": false, + "locked": { + "lastModified": 1549245649, + "narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=", + "owner": "glennrp", + "repo": "libpng", + "rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + }, + "original": { + "owner": "glennrp", + "repo": "libpng", + 
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "darwin-nixpkgs" + ] + }, + "locked": { + "lastModified": 1729826725, + "narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1729742320, + "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1729665710, + "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "darwin-nixpkgs": "darwin-nixpkgs", + "disko": "disko", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "snowfall-lib": "snowfall-lib", + "wezterm": "wezterm" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "wezterm", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726280639, + "narHash": "sha256-YfLRPlFZWrT2oRLNAoqf7G3+NnUTDdlIJk6tmBU7kXM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "e9f8641c92f26fd1e076e705edb12147c384171d", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + 
"nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "wezterm": { + "inputs": { + "flake-utils": "flake-utils_2", + "freetype2": "freetype2", + "harfbuzz": "harfbuzz", + "libpng": "libpng", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay", + "zlib": "zlib" + }, + "locked": { + "dir": "nix", + "lastModified": 1729006311, + "narHash": "sha256-1xtKJHu6CFnOhp4snof+WSTwcdPgwIaD6mBODP/cv3w=", + "owner": "wez", + "repo": "wezterm", + "rev": "9ddca7bde92090792dbcdc65c1e9897c362196d7", + "type": "github" + }, + "original": { + "dir": "nix", + "owner": "wez", + "repo": "wezterm", + "type": "github" + } + }, + "zlib": { + "flake": false, + "locked": { + "lastModified": 1484501380, + "narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=", + "owner": "madler", + "repo": "zlib", + "rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f", + "type": "github" + }, + "original": { + "owner": "madler", + "ref": "v1.2.11", + "repo": "zlib", + "type": "github" + } + } + }, + "root": "root", + 
"version": 7
+}
diff --git a/nix/systems/x86_64-linux/zephyrus/hardware-configuration.nix b/nix/systems/x86_64-linux/zephyrus/hardware-configuration.nix
new file mode 100644
index 0000000..1b743d2
--- /dev/null
+++ b/nix/systems/x86_64-linux/zephyrus/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, inputs, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./disko-config.nix
+ inputs.disko.nixosModules.disko
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ "mt7921e"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
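Review bot: The file keeps the `# Do not modify this file! It was generated by ‘nixos-generate-config’` header, yet this hunk hand-adds `inputs` to the argument set and the `./disko-config.nix` and `inputs.disko.nixosModules.disko` imports; a rerun of the generator would silently drop them, and since this file declares no `fileSystems` itself the regenerated system would lose its disk layout. Either move those two imports into `default.nix`, which already imports `./hardware-configuration.nix`, or replace the header with a note such as `# Generated by nixos-generate-config, then hand-edited: the disko imports below are intentional and must survive regeneration.`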