added stuff

This commit is contained in:
Charlie Root 2024-04-09 23:11:33 +02:00
commit 9d0ebdfbd0
907 changed files with 70990 additions and 0 deletions

33
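--- a/nyx/hosts/README.md
+++ b/nyx/hosts/README.md
@@ -0,0 +1,33 @@
+# Design Considerations
+## Imports
+> Guidelines for importing files within the `hosts` directory
+- Only importing downwards. This means **no** `imports = [ ../../foo/bar/some-module.nix ];` - this is a
+classic pattern in NixOS configurations, but only gets more out of hand in time.
+- Only one level of imports. Which means `imports = [./foo.nix]` is fine, but `imports = [ ./foo/bar/baz.nix ]` **is not**.
+- Do not import defined modules outside `hosts/default.nix`. Meaning `hosts/enyo/default.nix`
+**cannot** have `../../../modules/..` in its configurations.
+## Module System
+> Guidelines for using the local module system for enabling or disabling services and programs
+- Hosts should properly define their type and equipment.
+This means adequately defined `device.type`, `device.cpu` and `device.gpu` at the very least
+- A host should contain at least **2** files/directories: `modules/` and `default.nix` importing the rest of the files
+- `modules/` should follow my local module system: `config.modules.{device,system,usrEnv,theme}` where applicable
+- `default.nix` may not contain anything other than an `imports = [ ... ]` importing rest of the files
+- Additional host-specific configurations may either go into `system.nix` (e.g. kernel configuration)
+or have their own file (i.e Wireguard or hardware mount configurations) with their own file (i.e `mounts.nix`)
+## Per-host hardware
+> Guidelines for using `hardware-configuration.nix`
+Previously I have required `hardware-configuration.nix` to be available (under the name `hardware.nix`) for each host. This is
+no longer a requirement as almost all host-specific hardware configuration have been moved to hardware mixins located in `modules/`.
+This further reinforces the requirement for the local module system, meaning hosts **must** specify things like CPU vendors
+or hardware specific kernel modules under `modules.device` or `modules.system`.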


@ -0,0 +1,5 @@
_: {
imports = [
./system.nix
];
}


@ -0,0 +1,85 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/virtualisation/qemu-vm.nix")
];
config = {
modules.device.type = "vm";
zramSwap.enable = lib.mkForce false;
services.thermald.enable = lib.mkForce false;
boot = {
initrd = {
supportedFilesystems = ["bcachefs"]; # make bcachefs work
availableKernelModules = ["bcache"];
};
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_testing;
};
environment = {
systemPackages = [
pkgs.bcachefs-tools
];
};
programs.zsh = {
enable = true;
enableCompletion = true;
promptInit = ''
eval "$(${lib.getExe pkgs.starship} init zsh)"
'';
};
users.users."user" = {
description = "Testing user with sudo access and no password";
isNormalUser = true;
password = "";
extraGroups = ["wheel" "networkmanager"];
shell = pkgs.zsh;
};
security.sudo.wheelNeedsPassword = false;
virtualisation = {
memorySize = 2048;
diskSize = 4096;
cores = 3;
useDefaultFilesystems = false;
rootDevice = "/dev/vda1";
fileSystems = {
"/" = {
device = "${config.virtualisation.rootDevice}:/dev/vda2";
fsType = lib.mkForce "bcachefs";
};
};
interfaces = {
vm0 = {
vlan = 1;
};
};
};
boot.initrd.postDeviceCommands = with pkgs; ''
if ! test -b /dev/vda1; then
${parted}/bin/parted --script /dev/vda -- mklabel gpt
${parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB 50%
${parted}/bin/parted --script /dev/vda -- mkpart primary 50% 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${bcachefs-tools}/bin/bcachefs format /dev/vda1 /dev/vda2 --replicas=2 --label=root
fi
'';
};
}
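Review bot: `users.users."user"` combines `password = ""` with `security.sudo.wheelNeedsPassword = false`, so a console on this guest is an unauthenticated root shell; that is a reasonable trade for a qemu-vm.nix scratch guest, but the file says nothing about that intent. Add a comment on the user block such as `# throwaway test account: blank password + NOPASSWD sudo, only meaningful inside the qemu VM` so the decision is visible where it is made. The same user/sudo block is repeated verbatim in the second VM file (the hunk ending at the `}` on the page's line 208), which should carry the same comment or, better, be folded into one shared module so the two copies cannot drift.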


@ -0,0 +1,5 @@
_: {
imports = [
./system.nix
];
}


@ -0,0 +1,87 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/virtualisation/qemu-vm.nix")
];
config = {
modules.device.type = "vm";
zramSwap.enable = lib.mkForce false;
boot = {
initrd = {
supportedFilesystems = ["bcachefs"]; # make bcachefs work
availableKernelModules = ["bcache"];
};
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
environment = {
shells = with pkgs; [bash zsh];
systemPackages = with pkgs; [
bcachefs-tools
starship # having starship here means pkgs.startship will be stored during build and not during promptInit
];
};
programs.zsh = {
enable = true;
enableCompletion = true;
promptInit = ''
eval "$(${lib.getExe pkgs.starship} init zsh)"
'';
};
users.users."user" = {
description = "Testing user with sudo access and no password";
isNormalUser = true;
password = "";
extraGroups = ["wheel" "networkmanager"];
shell = pkgs.zsh;
};
security.sudo.wheelNeedsPassword = false;
virtualisation = {
memorySize = 2048;
diskSize = 4096;
cores = 3;
useDefaultFilesystems = false;
rootDevice = "/dev/vda1";
fileSystems = {
"/" = {
device = "${config.virtualisation.rootDevice}:/dev/vda2";
fsType = lib.mkForce "bcachefs";
};
};
interfaces = {
vm0 = {
vlan = 1;
};
};
};
boot.initrd.postDeviceCommands = with pkgs; ''
if ! test -b /dev/vda1; then
${parted}/bin/parted --script /dev/vda -- mklabel gpt
${parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB 25%
${parted}/bin/parted --script /dev/vda -- mkpart primary 25% 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${bcachefs-tools}/bin/bcachefs format /dev/vda1 /dev/vda2 --replicas=2 --label=root
fi
'';
};
}


@ -0,0 +1,8 @@
{
imports = [
./fs
./modules
./system.nix
];
}


@ -0,0 +1,9 @@
{
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = ["noatime"];
};
swapDevices = [];
}


@ -0,0 +1,7 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
];
}


@ -0,0 +1,11 @@
{
config.modules.device = {
type = "server";
cpu.type = "pi";
gpu.type = "pi";
monitors = ["HDMI-A-1"];
hasBluetooth = false;
hasSound = false;
hasTPM = false;
};
}


@ -0,0 +1,39 @@
{
config.modules.system = {
mainUser = "notashelf";
fs = ["ext4" "vfat" "ntfs" "exfat"];
autoLogin = false;
boot = {
loader = "none";
enableKernelTweaks = true;
initrd.enableTweaks = true;
tmpOnTmpfs = false;
};
video.enable = false;
sound.enable = false;
bluetooth.enable = false;
printing.enable = false;
emulation.enable = false;
virtualization.enable = false;
networking = {
optimizeTcp = true;
nftables.enable = true;
tailscale = {
enable = true;
isClient = true;
isServer = false;
};
};
security = {
tor.enable = true;
fixWebcam = false;
lockModules = true;
auditd.enable = true;
};
};
}


@ -0,0 +1,7 @@
{
config.modules.usrEnv = {
isWayland = false;
desktop = "Hyprland";
useHomeManager = true;
};
}


@ -0,0 +1,49 @@
{
modulesPath,
config,
pkgs,
lib,
...
}: let
inherit (lib) mkForce;
in {
config = {
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
git
neovim
];
hardware = {
raspberry-pi."4" = {
# Enable GPU acceleration
fkms-3d.enable = true;
apply-overlays-dtmerge.enable = true;
};
deviceTree.enable = true;
opengl = {
# this only takes effect in 64 bit systems
driSupport32Bit = mkForce false;
};
};
boot = {
kernelModules = lib.mkForce ["bridge" "macvlan" "tap" "tun" "loop" "atkbd" "ctr"];
supportedFilesystems = lib.mkForce ["ext4" "vfat"];
loader.grub.enable = mkForce false;
};
nixpkgs = {
config.allowUnsupportedSystem = true;
hostPlatform.system = "armv7l-linux";
buildPlatform.system = "x86_64-linux";
};
console.enable = false;
system.stateVersion = "24.05";
};
}
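Review bot: `nixpkgs.hostPlatform.system = "armv7l-linux"` disagrees with the host's entry in `hosts/default.nix`, where atlas is built with `system = "aarch64-linux"` and the `hw.raspberry-pi-4` module, and the `allowUnsupportedSystem = true` on the line above may be masking whatever that mismatch produces. If the Pi 400 is meant to run 32-bit, the comment on `driSupport32Bit` ("only takes effect in 64 bit systems") is stale; otherwise the line should read `hostPlatform.system = "aarch64-linux";` and `allowUnsupportedSystem` can probably go. Either way a one-line comment naming the target (`# built as 32-bit armv7l on purpose, cross-compiled from x86_64`) would stop the next reader from "fixing" it.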

255
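--- a/nyx/hosts/default.nix
+++ b/nyx/hosts/default.nix
@@ -0,0 +1,255 @@
+{
+withSystem,
+inputs,
+...
+}: let
+# self.lib is an extended version of nixpkgs.lib
+# mkNixosIso and mkNixosSystem are my own builders for assembling a nixos system
+# provided by my local extended library
+inherit (inputs.self) lib;
+inherit (lib) concatLists mkNixosIso mkNixosSystem;
+## flake inputs ##
+hw = inputs.nixos-hardware.nixosModules; # hardware compat for pi4 and other quirky devices
+agenix = inputs.agenix.nixosModules.default; # secret encryption via age
+hm = inputs.home-manager.nixosModules.home-manager; # home-manager nixos module
+# serializing the modulePath to a variable
+# this is in case the modulePath changes depth (i.e modules becomes nixos/modules)
+modulePath = ../modules;
+coreModules = modulePath + /core; # the path where common modules reside
+extraModules = modulePath + /extra; # the path where extra modules reside
+options = modulePath + /options; # the module that provides the options for my system configuration
+# common modules
+# to be shared across all systems without exception
+common = coreModules + /common; # the self-proclaimed sane defaults for all my systems
+profiles = coreModules + /profiles; # force defaults based on selected profile
+# roles
+iso = coreModules + /roles/iso; # for providing a uniform ISO configuration for live systems - only the build setup
+headless = coreModules + /roles/headless; # for devices that are of the headless type - provides no GUI
+graphical = coreModules + /roles/graphical; # for devices that are of the graphical type - provides a GUI
+workstation = coreModules + /roles/workstation; # for devices that are of workstation type - any device that is for daily use
+server = coreModules + /roles/server; # for devices that are of the server type - provides online services
+laptop = coreModules + /roles/laptop; # for devices that are of the laptop type - provides power optimizations
+# extra modules - optional but likely critical to a successful build
+sharedModules = extraModules + /shared; # the path where shared modules reside
+# home-manager #
+homesDir = ../homes; # home-manager configurations for hosts that need home-manager
+homes = [hm homesDir]; # combine hm flake input and the home module to be imported together
+# a list of shared modules that ALL systems need
+shared = [
+common # the "sane" default shared across systems
+options # provide options for defined modules across the system
+sharedModules # consume my flake's own nixosModules
+agenix # age encryption for secrets
+profiles # profiles program overrides per-host
+];
+in {
+# My main desktop boasting a RX 6700XT and a Ryzen 5 3600x
+# fully free from nvidia
+# fuck nvidia - Linus "the linux" Torvalds
+enyo = mkNixosSystem {
+inherit withSystem;
+hostname = "enyo";
+system = "x86_64-linux";
+modules =
+[
+./enyo
+graphical
+workstation
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# HP Pavillion from 2016
+# superseded by epimetheus
+prometheus = mkNixosSystem {
+inherit withSystem;
+hostname = "prometheus";
+system = "x86_64-linux";
+modules =
+[
+./prometheus
+graphical
+workstation
+laptop
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# Identical twin host for Prometheus
+# provides full disk encryption
+# with passkey/USB authentication
+epimetheus = mkNixosSystem {
+inherit withSystem;
+hostname = "epimetheus";
+system = "x86_64-linux";
+modules =
+[
+./epimetheus
+graphical
+workstation
+laptop
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# HP Pavillion laptop from 2023
+# equipped a Ryzen 7 7730U
+# usually acts as my portable workstation
+# similar to epimetheus, has full disk
+# encryption with ephemeral root using impermanence
+hermes = mkNixosSystem {
+inherit withSystem;
+hostname = "hermes";
+system = "x86_64-linux";
+modules =
+[
+./hermes
+graphical
+workstation
+laptop
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# Hetzner VPS to replace my previous server machines
+# hosts some of my infrastructure
+helios = mkNixosSystem {
+inherit withSystem;
+hostname = "helios";
+system = "x86_64-linux";
+modules =
+[
+./helios
+server
+headless
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# Lenovo Ideapad from 2014
+# Hybrid device
+# acts as a portable server and a "workstation"
+icarus = mkNixosSystem {
+inherit withSystem;
+hostname = "icarus";
+system = "x86_64-linux";
+modules =
+[
+./icarus
+graphical
+workstation
+laptop
+server
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# Raspberry Pi 400
+# My Pi400 homelab
+# used mostly for testing networking/cloud services
+atlas = mkNixosSystem {
+inherit withSystem;
+hostname = "atlas";
+system = "aarch64-linux";
+modules =
+[
+./atlas
+server
+headless
+# get raspbery pi 4 modules from nixos-hardware
+hw.raspberry-pi-4
+]
+++ shared;
+specialArgs = {inherit lib;};
+};
+# Self-made live recovery environment that overrides or/and configures certain default programs
+# provides tools and fixes the keymaps for my keyboard
+gaea = mkNixosIso {
+hostname = "gaea";
+system = "x86_64-linux";
+modules = [
+./gaea
+iso
+headless
+];
+specialArgs = {inherit lib;};
+};
+# An air-gapped NixOS live media to deal with
+# sensitive tooling (e.g. Yubikey, GPG, etc.)
+# isolated from all networking
+erebus = mkNixosIso {
+inherit withSystem;
+hostname = "erebus";
+system = "x86_64-linux";
+modules = [
+./erebus
+iso
+];
+specialArgs = {inherit lib;};
+};
+# Pretty beefy VM running on my dedicated server
+# is mostly for testing, but can run services at will
+leto = mkNixosSystem {
+inherit withSystem;
+hostname = "leto";
+system = "x86_64-linux";
+modules =
+[
+./leto
+server
+headless
+]
+++ concatLists [shared homes];
+specialArgs = {inherit lib;};
+};
+# Twin virtual machine hosts
+# Artemis is x86_64-linux
+artemis = mkNixosSystem {
+inherit withSystem;
+hostname = "artemis";
+system = "x86_64-linux";
+modules =
+[
+./artemis
+server
+headless
+]
+++ shared;
+specialArgs = {inherit lib;};
+};
+# Apollon is also x86_64-linux
+# but is for testing server-specific services
+apollon = mkNixosSystem {
+inherit withSystem;
+hostname = "apollon";
+system = "aarch64-linux";
+modules =
+[
+./apollon
+server
+headless
+]
+++ shared;
+specialArgs = {inherit lib;};
+};
+}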
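Review bot: The comment above `apollon` says it "is also x86_64-linux", but the entry sets `system = "aarch64-linux"`; one of the two is wrong, and since the same comment calls artemis and apollon twins, the comment most likely lags a later change to `system`. Fix whichever is correct and keep the comment next to the value it describes. Separately, `gaea` is the only builder call without `inherit withSystem;`, while `erebus`, also built with `mkNixosIso`, passes it — confirm `mkNixosIso` tolerates the missing argument or add the line for consistency. The erebus comment promises an air-gapped, network-free image, but nothing in this file enforces that; if `./erebus` is where networking is disabled, a short pointer here would help.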

46
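--- a/nyx/hosts/enyo/btrfs.nix
+++ b/nyx/hosts/enyo/btrfs.nix
@@ -0,0 +1,46 @@
+{
+config,
+lib,
+pkgs,
+...
+}: let
+inherit (lib.modules) mkIf;
+inherit (lib.attrsets) filterAttrs;
+btrfsMounts = filterAttrs (_: mount: mount.fsType == "btrfs") config.fileSystems;
+hasHomeSubvolume = (filterAttrs (_: mount: mount.mountPoint == "/home") btrfsMounts) != {};
+in {
+config = mkIf (btrfsMounts != {}) {
+systemd = {
+# create the snapshots directory
+# it will linger for 30 days before it's dropped
+# this serves as an easy way to persist the snapshots
+# for a set amount of time
+tmpfiles.settings."10-snapshots"."/var/lib/snapshots".d = {
+user = "root";
+group = "root";
+age = "30d";
+};
+# run the snapshots on a weekly timer
+timers.snapshot-home = {
+enable = hasHomeSubvolume;
+description = "snapshot home subvolume";
+wantedBy = ["multi-user.target"];
+timerConfig = {
+OnCalendar = "weekly";
+Persistent = true;
+};
+};
+# create a snapshot of the /home subvolume
+# it will be stored in /var/lib/snapshots with a timestamp
+# %s - seconds since the Epoch (1970-01-01 00:00 UTC)
+services.snapshot-home = {
+enable = hasHomeSubvolume;
+path = [pkgs.btrfs-progs];
+script = "btrfs subvolume snapshot /home /var/lib/snapshots/$(date +%s)";
+};
+};
+};
+}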
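Review bot: The snapshot script creates a writable snapshot of `/home`; `btrfs subvolume snapshot -r /home /var/lib/snapshots/$(date +%s)` makes it read-only, so a backup cannot be altered after the fact and is usable with `btrfs send`. The tmpfiles entry sets no `mode`, so `/var/lib/snapshots` gets the default directory permissions and any local user can list which snapshots exist; `mode = "0700";` keeps enumeration to root. Also worth confirming before relying on the 30-day comment: tmpfiles age cleanup judges entries by their own timestamps, and files inside a snapshot keep the timestamps of the originals, so `age = "30d"` may start deleting individual old files inside a fresh snapshot rather than dropping whole snapshots after 30 days.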


@ -0,0 +1,12 @@
{
imports = [
./fs
./kernel
./modules
./btrfs.nix
./networking.nix
./system.nix
./wireguard.nix # TODO: abstract
];
}


@ -0,0 +1,44 @@
{
imports = [./external.nix];
config = {
fileSystems = {
"/boot" = {
device = "/dev/disk/by-uuid/E20E-9940";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-uuid/e1f1186b-2143-4bf7-8b99-8da1434520c6";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd" "noatime"];
};
"/nix" = {
device = "/dev/disk/by-uuid/e1f1186b-2143-4bf7-8b99-8da1434520c6";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-uuid/e1f1186b-2143-4bf7-8b99-8da1434520c6";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/persist" = {
device = "/dev/disk/by-uuid/e1f1186b-2143-4bf7-8b99-8da1434520c6";
fsType = "btrfs";
options = ["subvol=persist" "compress=zstd" "noatime"];
};
"/var/log" = {
device = "/dev/disk/by-uuid/e1f1186b-2143-4bf7-8b99-8da1434520c6";
fsType = "btrfs";
options = ["subvol=log" "compress=zstd" "noatime"];
};
};
# Swap Devices
swapDevices = [{device = "/dev/disk/by-uuid/62fc1f62-55ae-432d-8623-74ea6511410c";}];
};
}


@ -0,0 +1,42 @@
let
homeDir = "/home/notashelf";
in {
fileSystems = {
# External Devices
"/mnt/SLib1" = {
label = "SteamLib1";
device = "/dev/disk/by-uuid/4345570b-2bd6-4cb8-8ca1-eb05bcf12c05";
fsType = "btrfs";
options = ["nofail" "rw" "compress=zstd"];
};
"/mnt/SLib2" = {
label = "SteamLib2";
device = "/dev/disk/by-uuid/080006fe-b012-4363-b596-c183b012c1de";
fsType = "btrfs";
options = ["nofail" "rw" "compress=zstd"];
};
"/mnt/Storage" = {
label = "Storage";
device = "/dev/disk/by-uuid/eb25f034-e5de-4c6c-89e9-f3dea10159a5";
fsType = "btrfs";
options = ["nofail" "rw" "compress=zstd"];
};
"/mnt/Expansion" = {
label = "Expansion";
device = "/dev/disk/by-uuid/9381fba0-e9b5-4574-9007-a0911cae4a08";
fsType = "btrfs";
options = ["nofail" "rw" "compress=zstd"];
};
"${homeDir}/Media/Music" = {
label = "Music";
device = "/dev/disk/by-uuid/68a2203f-5ecd-4ddb-b66a-76eb8dcf328c";
fsType = "btrfs";
options = ["nofail" "rw" "compress=zstd"];
noCheck = true;
};
};
}


@ -0,0 +1,33 @@
{lib, ...}: let
inherit (lib.kernel) yes no;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
in {
boot.kernelPatches = [
{
# recompile with AMD platform specific optimizations
name = "amd-platform-patches";
patch = null; # no patch is needed, just apply the options
extraStructuredConfig = mapAttrs (_: mkForce) {
# enable compiler optimizations for AMD
MNATIVE_AMD = yes;
X86_USE_PPRO_CHECKSUM = yes;
X86_AMD_PSTATE = yes;
X86_EXTENDED_PLATFORM = no; # disable support for other x86 platforms
X86_MCE_INTEL = no; # disable support for intel mce
# multigen LRU
LRU_GEN = yes;
LRU_GEN_ENABLED = yes;
# collect CPU frequency statistics
CPU_FREQ_STAT = yes;
# Optimized for performance
# this is already set on the Xanmod kernel
# CC_OPTIMIZE_FOR_PERFORMANCE_O3 = yes;
};
}
];
}


@ -0,0 +1,31 @@
{lib, ...}: let
inherit (lib.kernel) yes no module;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
in {
boot.kernelPatches = [
{
# <https://www.phoronix.com/news/Google-BBRv3-Linux>
# <https://github.com/google/bbr/blob/v3/README.md>
name = "bbr-and-cake";
patch = null;
extraStructuredConfig = mapAttrs (_: mkForce) {
TCP_CONG_CUBIC = module;
NET_SCH_CAKE = module;
# xanmod defaults
TCP_CONG_BBR = yes;
DEFAULT_BBR = yes;
};
}
{
name = "zstd-module-compression";
patch = null;
extraStructuredConfig = mapAttrs (_: mkForce) {
KERNEL_ZSTD = yes;
MODULE_COMPRESS_ZSTD = yes;
MODULE_COMPRESS_XZ = no;
};
}
];
}


@ -0,0 +1,8 @@
{
imports = [
./amd.nix
./base.nix
./security.nix
./unused.nix
];
}


@ -0,0 +1,26 @@
{lib, ...}: let
inherit (lib.kernel) yes;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
in {
boot.kernelPatches = [
{
# enable lockdown LSM
name = "kernel-lockdown-lsm";
patch = null;
extraStructuredConfig = mapAttrs (_: mkForce) {
SECURITY_LOCKDOWN_LSM = yes;
LOCKDOWN_LSM_EARLY = yes;
LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = yes;
MODULE_SIG = yes;
MODULE_SIG_SHA512 = yes;
MODULE_SIG_FORCE = yes;
# used to avoid a systemd error:
# systemd[1]: bpf-lsm: Failed to load BPF object: Invalid argument
BPF_LSM = yes;
};
}
];
}
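Review bot: `MODULE_SIG_FORCE = yes` makes the kernel refuse every module not signed with the build-time key, which covers anything built outside the kernel derivation (out-of-tree drivers and similar); this host's config does not show one, but if one is ever added it will fail to load with nothing here explaining why. Add a comment next to the option, e.g. `# MODULE_SIG_FORCE: only modules signed at kernel build time load; out-of-tree modules must be signed or this dropped`. Since `package.nix` in the same tree sets `ignoreConfigErrors = true`, verify after the first boot that these options actually landed in `/proc/config.gz` — lockdown and signature enforcement are exactly the kind of options that silently drop out when a Kconfig dependency is unmet.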


@ -0,0 +1,239 @@
{lib, ...}: let
inherit (lib.kernel) no;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
in {
boot.kernelPatches = [
{
name = "disable-unused-features";
patch = null;
extraStructuredConfig = mapAttrs (_: mkForce) {
CRYPTO_842 = no;
DEBUG_MISC = no;
DEBUG_PREEMPT = no;
HIBERNATION = no;
KEXEC = no;
KEXEC_FILE = no;
"60XX_WDT" = no;
"6LOWPAN" = no;
"8139CP" = no;
"8139TOO" = no;
"8139TOO_8129" = no;
ALIENWARE_WMI = no;
ALIM1535_WDT = no;
ALIM7101_WDT = no;
ALTERA_MBOX = no;
ALTERA_MSGDMA = no;
ALTERA_TSE = no;
ALX = no;
CONFIG_GENERIC_ADC_BATTERY = no;
CONFIG_IP5XXX_POWER = no;
CONFIG_TEST_POWER = no;
CONFIG_CHARGER_ADP5061 = no;
CONFIG_BATTERY_CW2015 = no;
CONFIG_BATTERY_DS2760 = no;
CONFIG_BATTERY_DS2780 = no;
CONFIG_BATTERY_DS2781 = no;
CONFIG_BATTERY_DS2782 = no;
CONFIG_BATTERY_SAMSUNG_SDI = no;
CONFIG_BATTERY_SBS = no;
CONFIG_CHARGER_SBS = no;
CONFIG_MANAGER_SBS = no;
CONFIG_BATTERY_BQ27XXX = no;
CONFIG_BATTERY_BQ27XXX_I2C = no;
CONFIG_BATTERY_BQ27XXX_HDQ = no;
CONFIG_BATTERY_BQ27XXX_DT_UPDATES_NVM = no;
CONFIG_CHARGER_DA9150 = no;
CONFIG_BATTERY_AXP20X = no;
CONFIG_AXP20X_POWER = no;
CONFIG_AXP288_CHARGER = no;
CONFIG_AXP288_FUEL_GAUGE = no;
CONFIG_BATTERY_MAX17040 = no;
CONFIG_BATTERY_MAX17042 = no;
CONFIG_BATTERY_MAX1721X = no;
CONFIG_CHARGER_PCF50633 = no;
CONFIG_CHARGER_ISP1704 = no;
CONFIG_CHARGER_MAX8903 = no;
CONFIG_CHARGER_LP8727 = no;
CONFIG_CHARGER_GPIO = no;
CONFIG_CHARGER_MANAGER = no;
CONFIG_CHARGER_LT3651 = no;
CONFIG_CHARGER_LTC4162L = no;
CONFIG_CHARGER_MAX14577 = no;
CONFIG_CHARGER_MAX77693 = no;
CONFIG_CHARGER_MAX77976 = no;
CONFIG_CHARGER_MP2629 = no;
CONFIG_CHARGER_MT6360 = no;
CONFIG_CHARGER_MT6370 = no;
CONFIG_CHARGER_BQ2415X = no;
CONFIG_CHARGER_BQ24190 = no;
CONFIG_CHARGER_BQ24257 = no;
CONFIG_CHARGER_BQ24735 = no;
CONFIG_CHARGER_BQ2515X = no;
CONFIG_CHARGER_BQ25890 = no;
CONFIG_CHARGER_BQ25980 = no;
CONFIG_CHARGER_BQ256XX = no;
CONFIG_CHARGER_SMB347 = no;
CONFIG_BATTERY_GAUGE_LTC2941 = no;
CONFIG_BATTERY_GOLDFISH = no;
CONFIG_BATTERY_RT5033 = no;
CONFIG_CHARGER_RT5033 = no;
CONFIG_CHARGER_RT9455 = no;
CONFIG_CHARGER_RT9467 = no;
CONFIG_CHARGER_RT9471 = no;
CONFIG_CHARGER_CROS_USBPD = no;
CONFIG_CHARGER_CROS_PCHG = no;
CONFIG_CHARGER_BD99954 = no;
CONFIG_CHARGER_WILCO = no;
CONFIG_BATTERY_SURFACE = no;
CONFIG_CHARGER_SURFACE = no;
CONFIG_BATTERY_UG3105 = no;
CONFIG_FUEL_GAUGE_MM8013 = no;
CONFIG_GENERIC_IRQ_DEBUGFS = no;
# Remove samba support
CONFIG_CIFS = no;
CONFIG_CIFS_ROOT = no;
# Disable AMDGPU CIK support
CONFIG_DRM_AMDGPU_CIK = no;
# Disable radeon drivers
CONFIG_DRM_RADEON = no;
CONFIG_FB_RADEON = no;
CONFIG_FB_RADEON_I2C = no;
CONFIG_FB_RADEON_BACKLIGHT = no;
# Disable ngreedia drivers
CONFIG_NET_VENDOR_NVIDIA = no;
CONFIG_I2C_NVIDIA_GPU = no;
CONFIG_FB_NVIDIA = no;
CONFIG_FB_NVIDIA_I2C = no;
CONFIG_FB_NVIDIA_BACKLIGHT = no;
CONFIG_HID_NVIDIA_SHIELD = no;
CONFIG_TYPEC_NVIDIA_ALTMODE = no;
CONFIG_NVIDIA_WMI_EC_BACKLIGHT = no;
# Firewire
CONFIG_FIREWIRE = no;
CONFIG_FIREWIRE_OHCI = no;
CONFIG_FIREWIRE_SBP2 = no;
CONFIG_FIREWIRE_NET = no;
CONFIG_FIREWIRE_NOSY = no;
# MS surface HID
CONFIG_SURFACE_AGGREGATOR = no;
DELL_RBTN = no;
DELL_RBU = no;
DELL_SMBIOS = no;
DELL_WMI = no;
DELL_WMI_AIO = no;
DELL_WMI_DESCRIPTOR = no;
DELL_WMI_LED = no;
DELL_WMI_SYSMAN = no;
HID_A4TECH = no;
HID_ACRUX = no;
HID_ALPS = no;
HID_APPLEIR = no;
HID_ASUS = no;
HID_AUREAL = no;
HID_BETOP_FF = no;
HID_BIGBEN_FF = no;
HID_CMEDIA = no;
HID_COUGAR = no;
HID_CREATIVE_SB0540 = no;
HID_CYPRESS = no;
HID_DRAGONRISE = no;
HID_ELAN = no;
HID_ELECOM = no;
HID_ELO = no;
HID_EMS_FF = no;
HID_EZKEY = no;
HID_GEMBIRD = no;
HID_GFRM = no;
HID_GOOGLE_HAMMER = no;
HID_GREENASIA = no;
HID_GT683R = no;
HID_GYRATION = no;
HID_HOLTEK = no;
HID_HYPERV_MOUSE = no;
HID_ICADE = no;
HID_ITE = no;
HID_KEYTOUCH = no;
HID_KYE = no;
HID_LCPOWER = no;
HID_LED = no;
HID_MALTRON = no;
HID_MCP2221 = no;
HID_MONTEREY = no;
HID_MULTITOUCH = no;
HID_NTI = no;
HID_NTRIG = no;
HID_PANTHERLORD = no;
HID_PENMOUNT = no;
HID_PETALYNX = no;
HID_PICOLCD = no;
HID_PLAYSTATION = no;
HID_PRIMAX = no;
HID_REDRAGON = no;
HID_RETRODE = no;
HID_RMI = no;
HID_RMI4 = no;
HID_SAITEK = no;
HID_SAMSUNG = no;
HID_SEMITEK = no;
HID_SMARTJOYPLUS = no;
HID_SONY = no;
HID_SPEEDLINK = no;
HID_SUNPLUS = no;
HID_THINGM = no;
HID_THRUSTMASTER = no;
HID_TIVO = no;
HID_TOPSEED = no;
HID_TWINHAN = no;
HID_U2FZERO = no;
HID_UCLOGIC = no;
HID_UDRAW_PS3 = no;
HID_VIEWSONIC = no;
HID_VIVALDI = no;
HID_WALTOP = no;
HID_WIIMOTE = no;
HID_XINMO = no;
HID_ZEROPLUS = no;
HID_ZYDACRON = no;
# Disable unused SOC modules
SND_SOC_CHV3_I2S = no;
SND_SOC_ADI = no;
SND_SOC_APPLE_MCA = no;
SND_ATMEL_SOC = no;
SND_DESIGNWARE_I2S = no;
SND_SOC_FSL_ASRC = no;
SND_SOC_FSL_SAI = no;
SND_SOC_FSL_MQS = no;
SND_SOC_FSL_AUDMIX = no;
SND_SOC_FSL_SSI = no;
SND_SOC_FSL_SPDIF = no;
SND_SOC_FSL_ESAI = no;
SND_SOC_FSL_MICFIL = no;
SND_SOC_FSL_EASRC = no;
SND_SOC_FSL_XCVR = no;
SND_SOC_FSL_UTILS = no;
SND_SOC_FSL_RPMSG = no;
SND_I2S_HI6210_I2S = no;
SND_SOC_IMG = no;
SND_SOC_STI = no;
SND_SOC_XILINX_I2S = no;
SND_SOC_XILINX_AUDIO_FORMATTER = no;
SND_SOC_XILINX_SPDIF = no;
SND_XEN_FRONTEND = no;
};
}
];
}
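Review bot: The keys from `CONFIG_GENERIC_ADC_BATTERY` down to `CONFIG_SURFACE_AGGREGATOR` carry a `CONFIG_` prefix that the rest of the file omits; as far as I read NixOS's structured config handling, the `CONFIG_` prefix is prepended automatically, so these would be emitted as `CONFIG_CONFIG_…`, which no Kconfig knows, and with `ignoreConfigErrors = true` in `package.nix` the build would not complain — the drivers this block means to disable stay enabled. Drop the prefix, e.g. `CIFS = no;` for `CONFIG_CIFS = no;`. `package.nix` has the same pattern in its `CONFIG_LOCALVERSION`, `CONFIG_LOCALVERSION_AUTO` and `CONFIG_DEFAULT_HOSTNAME` lines.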


@ -0,0 +1,13 @@
{
config,
pkgs,
...
}: let
inherit (config.networking) hostname;
inherit (pkgs.callPackage ./package.nix {inherit hostname;}) xanmod_custom;
in {
imports = [./config];
config = {
modules.system.boot.kernel = pkgs.linuxPackagesFor xanmod_custom;
};
}
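Review bot: `inherit (config.networking) hostname;` reads a lowercase `hostname`, but the NixOS option is `networking.hostName`; unless a local module declares that alias, evaluation fails with a missing-attribute error before the kernel is built. Change it to `inherit (config.networking) hostName;` and pass `{hostname = hostName;}` to `callPackage`, or rename consistently. Note that `package.nix` defaults `hostname` to `""`, so a wrong name that somehow evaluates would not be noticed there either.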


@ -0,0 +1,48 @@
{
lib,
fetchFromGitHub,
linuxKernel,
hostname ? "",
...
}: let
inherit (lib.kernel) yes no freeform;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
version = "6.8.4";
suffix = "xanmod1";
modDirVersion = "${version}-${suffix}";
xanmod_custom = linuxKernel.kernels.linux_xanmod_latest.override {
inherit version suffix modDirVersion;
# https://github.com/xanmod/linux
src = fetchFromGitHub {
owner = "xanmod";
repo = "linux";
rev = "refs/tags/${version}-xanmod1";
hash = "sha256-NQeUz50aBRvbHqhoOGv5CFQKKlKeCUEkCA8uf9W0f0k=";
};
extraMakeFlags = ["KCFLAGS=-DAMD_PRIVATE_COLOR"];
ignoreConfigErrors = true;
# after booting to the new kernel
# use zcat /proc/config.gz | grep -i "<value>"
# to check if the kernel options are set correctly
extraStructuredConfig = mapAttrs (_: mkForce) {
EXPERT = yes;
DEBUG_KERNEL = no;
WERROR = no;
GCC_PLUGINS = yes;
BUG_ON_DATA_CORRUPTION = yes;
CONFIG_LOCALVERSION = freeform "-${suffix}";
CONFIG_LOCALVERSION_AUTO = yes;
CONFIG_DEFAULT_HOSTNAME = freeform "${hostname}";
};
};
in {
inherit xanmod_custom;
}
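Review bot: `ignoreConfigErrors = true` turns every unknown or rejected Kconfig option into a silent no-op, and this `extraStructuredConfig` is the same mechanism that carries the lockdown and module-signing hardening from `config/security.nix`, so a mistyped or unsatisfiable option yields a kernel that looks hardened but is not. Drop the flag, or document why it is needed (`# ignoreConfigErrors: xanmod's defconfig rejects a few options; recheck /proc/config.gz after each bump`) so the manual check described in the comment above is understood as mandatory rather than optional. Smaller: `rev = "refs/tags/${version}-xanmod1"` duplicates `suffix` by hand; `rev = "refs/tags/${modDirVersion}"` keeps the tag and the module directory in lockstep.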


@ -0,0 +1,9 @@
{
imports = [
./device.nix
./profiles.nix
./system.nix
./usrEnv.nix
./style.nix
];
}


@ -0,0 +1,11 @@
{
config.modules.device = {
type = "desktop";
cpu.type = "amd";
gpu.type = "amd";
monitors = ["DP-1" "HDMI-A-1"];
hasBluetooth = true;
hasSound = true;
hasTPM = true;
};
}


@ -0,0 +1,6 @@
{
config.modules.profiles = {
workstation.enable = true;
gaming.enable = true;
};
}


@ -0,0 +1,49 @@
{
config,
pkgs,
...
}: {
config.modules.style = {
forceGtk = true;
useKvantum = true;
gtk = {
usePortal = true;
theme = {
name = "Catppuccin-Mocha-Standard-Blue-Dark";
package = pkgs.catppuccin-gtk.override {
size = "standard";
accents = ["blue"];
variant = "mocha";
tweaks = ["normal"];
};
};
iconTheme = {
name = "Papirus-Dark";
package = pkgs.catppuccin-papirus-folders.override {
accent = "blue";
flavor = "mocha";
};
};
font = {
name = "Lexend";
size = 14;
};
};
qt = {
theme = {
name = "Catppuccin-Mocha-Dark";
package = pkgs.catppuccin-kde.override {
flavour = ["mocha"];
accents = ["blue"];
winDecStyles = ["modern"];
};
};
kdeglobals.source = "${config.modules.style.qt.theme.package}" + "/share/color-schemes/CatppuccinMochaBlue.colors";
};
};
}


@ -0,0 +1,74 @@
{pkgs, ...}: {
config.modules.system = {
mainUser = "notashelf";
fs = ["btrfs" "vfat" "ntfs" "exfat"];
autoLogin = true;
boot = {
loader = "systemd-boot";
secureBoot = false;
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = false;
plymouth = {
enable = true;
withThemes = false;
};
};
containers = {
enabledContainers = ["alpha"];
};
yubikeySupport.enable = true;
video.enable = true;
sound.enable = true;
bluetooth.enable = false;
printing.enable = false;
emulation.enable = true;
virtualization = {
enable = true;
qemu.enable = true;
docker.enable = true;
};
networking = {
optimizeTcp = true;
nftables.enable = true;
tailscale = {
enable = true;
isClient = true;
isServer = false;
};
};
security = {
tor.enable = true;
fixWebcam = false;
lockModules = true;
auditd.enable = true;
};
programs = {
cli.enable = true;
gui.enable = true;
spotify.enable = true;
git.signingKey = "0x02D1DD3FA08B6B29";
gaming = {
enable = true;
};
default = {
terminal = "foot";
};
libreoffice.enable = true;
};
};
}


@ -0,0 +1,18 @@
{
config.modules.usrEnv = {
desktop = "Hyprland";
desktops."i3".enable = true;
useHomeManager = true;
programs = {
media.mpv.enable = true;
launchers = {
anyrun.enable = true;
tofi.enable = true;
};
screenlock.swaylock.enable = true;
};
};
}


@ -0,0 +1,91 @@
{
# we don't want the kernel setting up interfaces magically for us
boot.extraModprobeConfig = "options bonding max_bonds=0";
networking = {
useDHCP = false;
useNetworkd = false;
};
systemd.network = {
enable = true;
wait-online = {
enable = false;
anyInterface = true;
extraArgs = ["--ipv4"];
};
networks = {
# leave the kernel dummy devies unmanagaed
"10-dummy" = {
matchConfig.Name = "dummy*";
networkConfig = {};
# linkConfig.ActivationPolicy = "always-down";
linkConfig.Unmanaged = "yes";
};
# let me configure tailscale manually
"20-tailscale-ignore" = {
matchConfig.Name = "tailscale*";
linkConfig = {
Unmanaged = "yes";
RequiredForOnline = false;
};
};
# wired interfaces e.g. ethernet
"30-network-defaults-wired" = {
# matchConfig.Name = "en* | eth* | usb*";
matchConfig.Type = "ether";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
IPForward = "yes";
IPMasquerade = "no";
};
dhcpV4Config = {
ClientIdentifier = "duid"; # "mac"
Use6RD = "yes";
RouteMetric = 512;
UseDNS = false;
DUIDType = "link-layer";
};
dhcpV6Config = {
RouteMetric = 512;
PrefixDelegationHint = "::64";
UseDNS = false;
DUIDType = "link-layer";
};
};
# wireless interfaces e.g. network cards
"30-network-defaults-wireless" = {
# matchConfig.Name = "wl*";
matchConfig.Type = "wlan";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
IPForward = "yes";
IPMasquerade = "no";
};
dhcpV4Config = {
ClientIdentifier = "mac";
RouteMetric = 1500;
UseDNS = true;
DUIDType = "link-layer";
Use6RD = "yes";
};
dhcpV6Config = {
RouteMetric = 1500;
UseDNS = true;
DUIDType = "link-layer";
PrefixDelegationHint = "::64";
};
};
};
};
}
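Review bot: Both the wired and the wireless profile set `IPForward = "yes"`, which turns this desktop into a router between its interfaces; if that is for the `alpha` container declared in `modules/system.nix`, say so in a comment (`# forwarding is needed for the nixos container bridge`), otherwise `IPForward = "no";` is the safer default for an end host. The wired profile also sets `UseDNS = false` for both DHCP families without any resolver configured in this file, so name resolution depends on something not visible here — a comment pointing to where DNS is set would help. `wait-online.enable = false` together with `anyInterface = true` is contradictory but harmless; dropping `anyInterface` would make the intent clearer.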


@ -0,0 +1,6 @@
{self, ...}: {
system = {
stateVersion = "23.05";
configurationRevision = self.rev or "dirty";
};
}


@ -0,0 +1,29 @@
{config, ...}: {
networking.firewall = {
allowedUDPPorts = [51820];
};
boot.kernelModules = ["wireguard"];
# Wireguard Client Peer Setup
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
# General Settings
privateKeyFile = config.age.secrets.wg-client.path;
allowedIPsAsRoutes = true;
listenPort = 51820;
ips = ["10.255.255.11/32" "2a01:4f9:c010:2cf9:f::11/128"];
peers = [
{
allowedIPs = ["10.255.255.0/24" "2a01:4f9:c010:2cf9:f::/80"];
endpoint = "128.140.91.216:51820";
publicKey = "v3ol3QsgLPudVEtbETByQ0ABAOrJE2WcFfQ/PQAD8FM=";
persistentKeepalive = 30;
}
];
};
};
};
}
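Review bot: This is a client peer (it dials `endpoint` and keeps the tunnel up with `persistentKeepalive`), yet it also pins `listenPort = 51820` and opens that UDP port in `networking.firewall.allowedUDPPorts`; an initiating peer needs no inbound port, so the rule exposes a listening socket on every interface for no gain. Remove the `allowedUDPPorts` line and the `listenPort` line and let WireGuard pick an ephemeral port; if the fixed port is intentional (e.g. for NAT traversal), a comment should say so. The `# TODO: abstract` on this file's import in `enyo/default.nix` suggests the peer details will be shared across hosts — keeping the server's public key and endpoint in one place will avoid drift between copies.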


@ -0,0 +1,9 @@
{
imports = [
./fs
./modules
./system.nix
./encryption.nix
];
}


@ -0,0 +1,19 @@
{
# mildly improves performance for the disk encryption
boot.initrd.availableKernelModules = [
"aesni_intel"
"cryptd"
"usb_storage"
];
boot.initrd.luks.devices."enc" = {
# improve performance on ssds
bypassWorkqueues = true;
keyFileSize = 4096;
# the device with the maching id will be searched for the key file
keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_B314B63E-0:0";
preLVM = true;
# if keyfile is not there, fall back to cryptsetup password
# fallbackToPassword = true; # IMPLIED BY config.boot.initrd.systemd.enable
};
}
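Review bot: The comment on `fallbackToPassword` claims the fallback is implied by `config.boot.initrd.systemd.enable`, but nothing in this file enables systemd stage 1, so whether a missing USB key leads to a passphrase prompt or a stalled boot depends on what `initrd.enableTweaks` in `modules/system.nix` does. Either enable it explicitly next to the LUKS block (`boot.initrd.systemd.enable = true;`) or set `fallbackToPassword = true;` and drop the comment, so the recovery path for the key device does not rest on an assumption. Also a typo in the comment: `maching` → `matching`.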


@ -0,0 +1,46 @@
{
boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/82144284-cf1d-4d65-9999-2e7cdc3c75d4";
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
fsType = "btrfs";
options = ["subvol=root"];
};
"/home" = {
device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
fsType = "btrfs";
options = ["subvol=home"];
};
"/nix" = {
device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
fsType = "btrfs";
options = ["subvol=nix"];
};
"/persist" = {
device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
"/var/log" = {
device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
fsType = "btrfs";
options = ["subvol=log"];
neededForBoot = true;
};
"/boot" = {
device = "/dev/disk/by-uuid/FDED-3BCF";
fsType = "vfat";
};
};
swapDevices = [
{device = "/dev/disk/by-uuid/0d1fc824-623b-4bb8-bf7b-63a3e657889d";}
];
}


@ -0,0 +1,7 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
];
}


@ -0,0 +1,11 @@
{
config.modules.device = {
type = "laptop";
cpu.type = "intel";
gpu.type = "hybrid-nv"; # nvidia drivers :b:roke
monitors = ["eDP-1"];
hasBluetooth = true;
hasSound = true;
hasTPM = true;
};
}


@ -0,0 +1,57 @@
{
config.modules.system = {
mainUser = "notashelf";
fs = ["btrfs" "ext4" "vfat"];
autoLogin = true;
boot = {
secureBoot = false;
loader = "systemd-boot";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = true;
};
encryption = {
enable = true;
device = "enc";
};
video.enable = true;
sound.enable = true;
bluetooth.enable = false;
printing.enable = false;
emulation.enable = true;
networking = {
optimizeTcp = true;
};
security = {
fixWebcam = false;
};
virtualization = {
enable = true;
docker.enable = false;
qemu.enable = true;
podman.enable = false;
};
programs = {
git.signingKey = "0x05A3BD53FEB32B81";
cli.enable = true;
gui.enable = true;
gaming = {
enable = false;
chess.enable = false;
};
default = {
terminal = "foot";
};
};
};
}
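Review bot: `autoLogin = true` on this host makes the LUKS unlock (a USB keyfile per this host's encryption.nix) the only authentication step before a full desktop session is available, and `secureBoot = false` next to it means the initrd that reads that keyfile is neither signed nor measured. Both are reasonable choices for a personal laptop, but they are easy to misread later as oversights; a one-line comment records the intent, e.g. `autoLogin = true; # disk is LUKS-encrypted (encryption.nix); session login intentionally skipped`.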


@ -0,0 +1,7 @@
{
config.modules.usrEnv = {
isWayland = true;
desktop = "Hyprland";
useHomeManager = true;
};
}


@ -0,0 +1,59 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf mkForce optionals;
dev = config.modules.device;
in {
config = {
fileSystems = {
"/".options = ["compress=zstd" "noatime"];
"/home".options = ["compress=zstd"];
"/nix".options = ["compress=zstd" "noatime"];
"/var/log".options = ["compress=zstd" "noatime"];
"/persist".options = ["compress=zstd" "noatime"];
};
hardware = {
nvidia = mkIf (builtins.elem dev.gpu ["nvidia" "hybrid-nv"]) {
nvidiaPersistenced = mkForce false;
open = mkForce false;
prime = {
offload.enable = mkForce true;
# Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
intelBusId = "PCI:0:2:0";
# Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
nvidiaBusId = "PCI:1:0:0";
};
};
};
boot = {
kernelParams =
[
"nohibernate"
# The passive default severely degrades performance.
"intel_pstate=active"
]
++ optionals ((dev.cpu == "intel") && (dev.gpu != "hybrid-nv")) [
"i915.enable_fbc=1"
"i915.enable_psr=2"
];
kernelModules = [
"sdhci" # fix microsd cards
];
};
services.btrfs.autoScrub = {fileSystems = ["/"];};
home-manager.users.notashelf.systemd.user.startServices = "legacy";
console.earlySetup = true;
};
}
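Review bot: `builtins.elem dev.gpu ["nvidia" "hybrid-nv"]` and `dev.cpu == "intel"` compare attribute sets against strings, because this host's device.nix in the same commit defines `gpu.type = "hybrid-nv"` and `cpu.type = "intel"`; assuming `modules.device.cpu`/`gpu` are submodule-style attrsets as those `.type` assignments suggest, both conditions are always false and neither the nvidia/prime block nor the i915 parameters are ever applied. The checks should read `nvidia = mkIf (builtins.elem dev.gpu.type ["nvidia" "hybrid-nv"]) {` and `++ optionals ((dev.cpu.type == "intel") && (dev.gpu.type != "hybrid-nv")) [`. The last hardware section on this page (the `inherit (lib) optionals mkIf mkForce;` module with the same `mkIf (builtins.elem dev.gpu ...)` pattern) has the identical defect and needs the same fix.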


@ -0,0 +1,11 @@
{
imports = [
./system # system configuration
./virtualization.nix # configure virtual machine
./yubikey.nix # configure yubikey toolkit
];
config = {
system.stateVersion = "23.11";
};
}


@ -0,0 +1,56 @@
# NixOS livesystem to generate yubikeys in an air-gapped manner
# $ nix build .#images.erebus
{
config,
lib,
pkgs,
...
}: {
# Secure defaults
nixpkgs.config = {allowBroken = false;}; # false breaks zfs kernel - but we don't care about zfs
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
boot = {
kernelParams = ["copytoram"];
tmp.cleanOnBoot = true;
kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
};
# make sure we are air-gapped
networking = {
wireless.enable = false;
dhcpcd.enable = false;
};
services.getty.helpLine = "The 'root' account has an empty password.";
isoImage.isoBaseName = lib.mkForce config.networking.hostName;
# words cannot express how much I hate zfs
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
environment = {
# needed for i3blocks
pathsToLink = ["/libexec"];
# fix an annoying warning
etc."mdadm.conf".text = ''
MAILADDR root
'';
};
fonts = {
fontDir = {
enable = true;
decompressFonts = true;
};
fontconfig.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-color-emoji
];
};
}
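Review bot: the `# make sure we are air-gapped` block only disables wpa_supplicant and dhcpcd; it does not turn off `networking.useDHCP` (default true), NetworkManager if the ISO profile this image builds on enables it, or the NIC drivers themselves, so a wired port plugged in at boot can still come up and the air gap depends on which services the base profile happens to enable. For a key-generation image the intent is better enforced explicitly: `networking.useDHCP = false;`, `networking.networkmanager.enable = lib.mkForce false;` and `systemd.network.enable = false;` alongside the two existing lines, or blacklisting the network drivers via `boot.blacklistedKernelModules` so no configuration change elsewhere can re-enable connectivity. `lib` is already an argument of this module, so no signature change is needed.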


@ -0,0 +1,46 @@
{pkgs, ...}: {
security.sudo.wheelNeedsPassword = false;
users.users.yubikey = {
isNormalUser = true;
extraGroups = ["wheel"];
shell = pkgs.zsh;
};
programs.dconf.enable = true;
services = {
gvfs.enable = true;
autorandr.enable = true;
xserver = {
enable = true;
layout = "tr";
displayManager = {
autoLogin.enable = true;
autoLogin.user = "yubikey";
defaultSession = "none+i3";
};
desktopManager = {
xterm.enable = false;
};
# i3 for window management
windowManager.i3 = {
enable = true;
package = pkgs.i3-gaps;
extraPackages = with pkgs; [
st # suckless terminal that sucks, pretty minimal though
rofi # alternative to dmenu, usually better
dmenu # application launcher most people use
i3status # gives you the default i3 status bar
i3lock # default i3 screen locker
i3blocks # if you are planning on using i3blocks over i3status
];
};
};
};
}
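Review bot: `i3lock` in the i3 `extraPackages` list protects nothing on this image: the `yubikey` user is auto-logged-in, sits in `wheel` with `wheelNeedsPassword = false`, and the getty helpLine in the preceding file states that root has an empty password, so a locked screen is trivially bypassed from another VT. That is an acceptable model for a single-user, physically controlled live image, but the comment `# default i3 screen locker` reads as if the lock were meaningful; either drop `i3lock` or annotate it, e.g. `i3lock # cosmetic only: autologin + passwordless wheel (see users.users.yubikey)`.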


@ -0,0 +1,9 @@
{
virtualisation.vmVariant = {
# let the built VM be more responsive
virtualisation = {
memorySize = 4096;
cores = 3;
};
};
}


@ -0,0 +1,127 @@
{
config,
lib,
pkgs,
...
}: let
drduhConfig = pkgs.fetchFromGitHub {
owner = "drduh";
repo = "config";
rev = "6bea1fdaa8732ec8625f4bac7022b25e14b15ffe";
hash = "sha256-Fto8FCVYeKviMz0VmCiXHrgMT1pVopJGGDHF0s3K4ts=";
};
gpg-conf = "${drduhConfig}/gpg.conf";
yubico-guide = pkgs.stdenv.mkDerivation {
name = "yubikey-guide.html";
src = pkgs.fetchFromGitHub {
owner = "drduh";
repo = "YubiKey-Guide";
rev = "fec6e92b8f05c899eccc7f2f2b273d609ed6094e";
hash = "sha256-N76e/yhXUoWUK6EQZHGyTs0DcbZqAlI5xtQMf0squR8=";
};
buildInputs = [pkgs.pandoc];
installPhase = "pandoc --highlight-style pygments -s --toc README.md -o $out";
};
guide = "${yubico-guide}/README.md";
contrib = "${yubico-guide}/contrib";
# Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build.
gpg-agent-conf = pkgs.runCommand "gpg-agent.conf" {} ''
sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
echo "pinentry-program ${pkgs.pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
'';
xserverCfg = config.services.xserver;
pinentryFlavour =
if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
then "qt"
else if xserverCfg.desktopManager.xfce.enable
then "gtk2"
else if xserverCfg.enable || config.programs.sway.enable
then "gnome3"
else "curses";
view-yubikey-guide = pkgs.writeShellScriptBin "view-yubikey-guide" ''
viewer="$(type -P xdg-open || true)"
if [ -z "$viewer" ]; then
viewer="${pkgs.glow}/bin/glow -p"
fi
exec $viewer "${guide}"
'';
shortcut = pkgs.makeDesktopItem {
name = "yubikey-guide";
icon = "${pkgs.yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program";
categories = ["Documentation"];
exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
};
yubikey-guide = pkgs.symlinkJoin {
name = "yubikey-guide";
paths = [view-yubikey-guide shortcut];
};
in {
environment.interactiveShellInit = ''
# unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
echo "Creating \$GNUPGHOME"
install --verbose -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
echo "\$GNUPGHOME is \"$GNUPGHOME\""
'';
# Yubikey Tooling
environment.systemPackages = with pkgs; [
yubikey-personalization
cryptsetup
pwgen
midori
paperkey
gnupg
ctmg
];
services = {
udev.packages = with pkgs; [yubikey-personalization];
pcscd.enable = true;
};
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
services.xserver.displayManager.sessionCommands = ''
${lib.getExe pkgs.zathura} ${guide} &
${lib.getExe pkgs.kitty} &
'';
# Copy the contents of contrib to the home directory, add a shortcut to
# the guide on the desktop, and link to the whole repo in the documents
# folder.
system.activationScripts.yubikeyGuide = let
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
documentsDir = homeDir + "Documents/";
in ''
mkdir -p ${desktopDir} ${documentsDir}
chown nixos ${homeDir} ${desktopDir} ${documentsDir}
cp -R ${contrib}/* ${homeDir}
ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
ln -sfT ${yubikey-guide} ${documentsDir}/YubiKey-Guide
'';
}
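Review bot: `yubico-guide`'s installPhase writes a single rendered HTML file to `$out` (`pandoc ... -o $out`), so `guide = "${yubico-guide}/README.md"` and `contrib = "${yubico-guide}/contrib"` name paths inside a regular file that do not exist; `cp -R ${contrib}/*` in the activation script then fails at switch time and `view-yubikey-guide` opens a nonexistent path. Since the `glow -p` fallback expects Markdown anyway, both should come from the fetched source checkout, which means binding the `fetchFromGitHub` call to its own name; the `sessionCommands` line should likewise use `view-yubikey-guide` rather than `zathura`, which cannot render Markdown or HTML. Separately, the activation script populates `/home/nixos/` and chowns to `nixos`, while the auto-login user defined in the sibling file is `yubikey`, so the desktop shortcut and guide links land in a different home than the session that is started — `homeDir` should follow the configured user. The pinned `rev`/`hash` pairs for both upstream repos are the right call for an air-gapped key-generation image; keep them pinned rather than tracking a branch.
```nix
  guideSrc = pkgs.fetchFromGitHub {
    owner = "drduh";
    repo = "YubiKey-Guide";
    rev = "fec6e92b8f05c899eccc7f2f2b273d609ed6094e";
    hash = "sha256-N76e/yhXUoWUK6EQZHGyTs0DcbZqAlI5xtQMf0squR8=";
  };
  yubico-guide = pkgs.stdenv.mkDerivation {
    name = "yubikey-guide.html";
    src = guideSrc;
    buildInputs = [pkgs.pandoc];
    installPhase = "pandoc --highlight-style pygments -s --toc README.md -o $out";
  };
  # README.md and contrib/ live in the source checkout; $out of yubico-guide is one HTML file
  guide = "${guideSrc}/README.md";
  contrib = "${guideSrc}/contrib";
  # … unchanged: gpg-agent-conf, pinentryFlavour, view-yubikey-guide, shortcut, yubikey-guide …
  services.xserver.displayManager.sessionCommands = ''
    ${view-yubikey-guide}/bin/view-yubikey-guide &
    ${lib.getExe pkgs.kitty} &
  '';
  # … unchanged: activationScripts body, with homeDir = "/home/yubikey/" and chown yubikey …
```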


@ -0,0 +1,30 @@
{
config,
lib,
...
}: let
inherit (lib) optionalString;
in {
imports = [
./system
];
services.getty.helpLine =
''
The "nixos" and "root" accounts have empty passwords.
An ssh daemon is running. You then must set a password
for either "root" or "nixos" with `passwd` or add an ssh key
to /home/nixos/.ssh/authorized_keys be able to login.
If you need a wireless connection, you may use networkmanager
by invoking `nmcli` or `nmtui`, the ncurses interface.
''
+ optionalString config.services.xserver.enable ''
Type `sudo systemctl start display-manager' to
start the graphical user interface.
'';
# since we don't inherit the core module, this needs to be set here manually
# otherwise we'll see the stateVersion error - which doesn't actually matter inside the ISO
# but still annoying and slows down nix flake check
system.stateVersion = "23.11";
}


@ -0,0 +1,5 @@
{
imports = [
./programs
];
}


@ -0,0 +1,7 @@
{
imports = [
./neovim
./git.nix
];
}


@ -0,0 +1,6 @@
{
programs.git = {
enable = true;
lfs.enable = true;
};
}


@ -0,0 +1,71 @@
"vi:filetype=vim
" add ~/.vim to the beginning of the runtimepath
set runtimepath^=~/.vim
" set the packpath to the runtimepath
let &packpath = &runtimepath
" for plugins to load correctly
filetype plugin indent on
" don't try to be vi compatible
set nocompatible
" use system clipboard
set clipboard+=unnamedplus
" syntax highlighting
syntax enable
" display line numbers
set number relativenumber
" enable mouse support in all modes
set mouse=a
" set indentation to spaces instead of tabs
set noexpandtab
" number of spaces to use for each step of (auto)indent
set shiftwidth=2
" number of spaces that a <Tab> in the file counts for
set tabstop=2
" C-style indenting
set cindent
" 'smart' indenting
set smartindent
" set the indent of new lines
set autoindent
" set the folding method based on syntax
set foldmethod=syntax
" spaces instead of tabs for indentation
set expandtab
" 'smart' tabs that respects 'shiftwidth' for indentation
set smarttab
" number of spaces a <Tab> in the file counts for
set tabstop=4
" number of spaces to use for each step of (auto)indent
set shiftwidth=0
" define backspace behavior in insert mode:
" - 'indent': allows backspace to delete auto-indentation at the start of a line
" - 'eol': enables backspace to delete the end-of-line character, acting as line deletion
" - 'start': allows backspace to delete past the start of insert or typeahead
set backspace=indent,eol,start
" spell Checking
set spelllang=en " spell check langs
set spellsuggest=best,9 " suggestions for spelling corrections
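Review bot: this file sets the same options twice with opposite values — `set noexpandtab` (commented as "spaces instead of tabs") and later `set expandtab`, `tabstop=2` then `tabstop=4`, `shiftwidth=2` then `shiftwidth=0` — so only the second group takes effect and the comments on the first group describe the wrong behaviour. `set nocompatible` also comes after `set runtimepath^=` and `filetype plugin indent on`; Neovim ignores it, but in Vim setting it resets many options, so if this RC is ever shared with plain Vim it belongs on the first line. Dropping the first `noexpandtab`/`shiftwidth=2`/`tabstop=2` trio and their comments leaves exactly the intended 4-space, `shiftwidth=0` configuration.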


@ -0,0 +1,9 @@
" map key <F2> to toggle between hiding/showing current line
nmap <F2> zA
" map key <F3> to toggle between reducing/enlarging fold level
nmap <F3> zR
" map key <F4> to fold everything except the cursor line
nmap <F4> zM
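Review bot: `<F3>` is mapped here to `zR` and again in plugins.vim to `:set spell!` (`nnoremap <silent> <F3>`); since customRC concatenates init, maps, then plugins, the spell toggle silently wins and this fold mapping is dead. Move one of them to a free key, and prefer `nnoremap` over `nmap` here so a plugin mapping cannot change what the fold keys do. The comments also describe the fold commands loosely: `zR` opens all folds and `zM` closes all folds, e.g. `" <F3>: open all folds (zR)` and `" <F4>: close all folds (zM)`.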


@ -0,0 +1,16 @@
" customize label for vim-sneak
let g:sneak#label = 1
" Toggle spell checking in normal mode
nnoremap <silent> <F3> :set spell!<CR>
" Toggle spell checking in insert mode
inoremap <silent> <F3> <C-O>:set spell!<CR>
lua << EOF
require('nvim-treesitter.configs').setup {
highlight = {
enable = true
}
}
EOF


@ -0,0 +1,73 @@
{pkgs, ...}: let
inherit (builtins) readFile;
in {
programs = {
neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
configure = {
customRC = ''
" -- init --
${readFile ./config/init.vim}
" -- mappings --
${readFile ./config/maps.vim}
" -- plugin configs --
${readFile ./config/plugins.vim}
'';
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
# general utils
direnv-vim # direnv for vim
dressing-nvim # better UI components
leap-nvim # navigation
lualine-nvim # statusline
tabular # align text according to regexp
undotree # undo history
vim-css-color # highlight CSS colors
vim-signature # marks on signcolumn
which-key-nvim # mapping manager and cheatsheet
vim-sneak
# completion
nvim-cmp
cmp-buffer
cmp-cmdline
cmp-nvim-lsp
cmp-path
cmp_luasnip
comment-nvim
todo-comments-nvim
luasnip
friendly-snippets
nvim-lspconfig
nvim-lint
fidget-nvim
aerial-nvim
telescope-nvim # list of files interface
telescope-file-browser-nvim
telescope-fzy-native-nvim
vim-fugitive # git in vim
gitsigns-nvim
targets-vim # text objects
vim-surround
vim-expand-region
nvim-treesitter.withAllGrammars # better highlighting
];
};
};
};
};
}


@ -0,0 +1,9 @@
{
imports = [
./fs
./modules
./system.nix
./nftables.nix
];
}


@ -0,0 +1,13 @@
{
imports = [./external.nix];
config = {
fileSystems."/" = {
device = "/dev/disk/by-uuid/783e926f-acd7-4684-a7b3-f5b1ecefa11b";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/d1d77f8e-7c77-40c9-a5e8-59d962f4d397";}
];
};
}


@ -0,0 +1,6 @@
{
fileSystems."/srv/storage" = {
device = "/dev/disk/by-uuid/19ea8fad-b930-4a48-99e1-04633b2142f8";
fsType = "ext4";
};
}


@ -0,0 +1,8 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
./services.nix
];
}


@ -0,0 +1,10 @@
{
config.modules.device = {
type = "server";
cpu.type = "amd";
gpu.type = null;
hasBluetooth = false;
hasSound = false;
hasTPM = false;
};
}


@ -0,0 +1,39 @@
{
config.modules.system.services = {
nextcloud.enable = true;
mailserver.enable = true;
vaultwarden.enable = true;
forgejo.enable = true;
searxng.enable = true;
reposilite.enable = true;
social = {
mastodon.enable = true;
matrix.enable = true;
};
bincache = {
harmonia.enable = true;
};
networking = {
headscale.enable = true;
wireguard.enable = true;
};
monitoring = {
grafana.enable = true;
prometheus.enable = true;
loki.enable = true;
uptime-kuma.enable = true;
};
database = {
mysql.enable = false;
mongodb.enable = false;
redis.enable = true;
postgresql.enable = true;
garage.enable = true;
};
};
}


@ -0,0 +1,44 @@
{pkgs, ...}: {
config.modules.system = {
mainUser = "notashelf";
fs = ["vfat" "exfat" "ext4"];
video.enable = false;
sound.enable = false;
bluetooth.enable = false;
printing.enable = false;
boot = {
secureBoot = false;
kernel = pkgs.linuxPackages_latest;
loader = "grub";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = false;
};
virtualization = {
enable = true;
qemu.enable = true;
docker.enable = true;
};
networking = {
optimizeTcp = false;
tarpit.enable = true;
nftables.enable = true;
tailscale = {
enable = true;
isServer = true;
isClient = false;
};
};
programs = {
git.signingKey = "";
cli.enable = true;
gui.enable = false;
};
};
}


@ -0,0 +1,5 @@
{
config.modules.usrEnv = {
useHomeManager = true;
};
}


@ -0,0 +1,47 @@
{lib, ...}: let
inherit (lib) entryBetween;
in {
networking.nftables.rules = {
inet.filter.input = {
# endlessh
endlessh = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
protocol = "tcp";
field = "dport";
value = [22];
policy = "accept";
};
# this allows nginx to respond to the domain challenges without passing each service through the firewall
https = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
protocol = "tcp";
field = "dport";
value = [443];
policy = "accept";
};
headscale = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
protocol = "udp";
field = "dport";
value = [8344];
policy = "accept";
};
# NOTE: snm has an option to enable firewall ports by default, but my nftables abstractions
# do not allow for us to use that option, so we'll just open the ports manually
# I could probably add an entry that propagates the tcpPorts option to the firewall
# but that doesn not seem like a very good option since we'll not be able to control policies
simple-nixos-mailserver = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
protocol = "tcp";
field = "dport";
value = [
25 # smtp
80 # used for acme-nginx domain challenges
143 # imap
993 # imapSsl
465 # smtpSsl
];
policy = "accept";
};
};
};
}
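Review bot: port 80 is only opened as part of the `simple-nixos-mailserver` entry (`80 # used for acme-nginx domain challenges`), so HTTP-01 renewals for every other service on this host silently break if `mailserver.enable` is ever turned off and that entry is dropped; the comment on the `https` entry says it exists for exactly this purpose, so 80 belongs there: `value = [80 443];`. The `endlessh` entry accepts TCP 22 — assuming that is where the tarpit (`tarpit.enable = true` in this host's system.nix) listens and the real sshd is reached another way, a comment such as `# 22 is the endlessh tarpit, not sshd (sshd on <port>)` would stop the next reader from treating it as the SSH rule. The `headscale` entry is UDP 8344, while headscale's control plane is HTTP over TCP; unless 8344 is its embedded DERP/STUN port, this rule may not expose what the service name suggests and deserves a comment naming which headscale listener it is for.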


@ -0,0 +1,25 @@
{
config,
lib,
...
}: {
config = {
networking.domain = "notashelf.dev";
services.smartd.enable = lib.mkForce false;
boot = {
growPartition = !config.boot.initrd.systemd.enable;
loader.grub = {
enable = true;
useOSProber = lib.mkForce false;
efiSupport = lib.mkForce false;
enableCryptodisk = false;
theme = null;
backgroundColor = null;
splashImage = null;
device = lib.mkForce "/dev/disk/by-label/nixos";
forceInstall = true;
};
};
};
}


@ -0,0 +1,10 @@
{
imports = [
./fs
./modules
./encryption.nix
./networking.nix
./system.nix
];
}


@ -0,0 +1,27 @@
{
config,
lib,
...
}: {
# mildly improves performance for the disk encryption
boot.initrd.availableKernelModules = [
"aesni_intel"
"cryptd"
"usb_storage"
];
services.lvm.enable = lib.mkForce true;
boot.initrd.luks.devices."enc" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
# the device with the maching id will be searched for the key file
# keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_B314B63E-0:0";
# keyFileSize = 4096;
# if keyfile is not there, fall back to cryptsetup password
fallbackToPassword = !config.boot.initrd.systemd.enable; # IMPLIED BY config.boot.initrd.systemd.enable
};
}


@ -0,0 +1,46 @@
{
boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/0eb8b547-3644-4d49-a4e9-c28c395b8568";
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c9527aaf-947d-4dc0-88ab-3af438e3f5b1";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd" "noatime"];
};
"/boot" = {
device = "/dev/disk/by-uuid/4F12-E737";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/c9527aaf-947d-4dc0-88ab-3af438e3f5b1";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/persist" = {
device = "/dev/disk/by-uuid/c9527aaf-947d-4dc0-88ab-3af438e3f5b1";
fsType = "btrfs";
neededForBoot = true;
options = ["subvol=persist" "compress=zstd" "noatime"];
};
"/var/log" = {
device = "/dev/disk/by-uuid/c9527aaf-947d-4dc0-88ab-3af438e3f5b1";
fsType = "btrfs";
neededForBoot = true;
options = ["subvol=log" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-uuid/c9527aaf-947d-4dc0-88ab-3af438e3f5b1";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
};
swapDevices = [
{device = "/dev/disk/by-uuid/b55b09f2-b567-4fbf-9150-b05b91710ca2";}
];
}


@ -0,0 +1,9 @@
{
imports = [
./device.nix
./profiles.nix
./system.nix
./usrEnv.nix
./style.nix
];
}


@ -0,0 +1,15 @@
{
modules.device = {
type = "laptop";
cpu = {
type = "amd";
amd.pstate.enable = true;
amd.zenpower.enable = true;
};
gpu.type = "amd";
monitors = ["eDP-1"];
hasBluetooth = true;
hasSound = true;
hasTPM = true;
};
}


@ -0,0 +1,6 @@
{
config.modules.profiles = {
workstation.enable = true;
gaming.enable = true;
};
}


@ -0,0 +1,48 @@
{
config,
pkgs,
...
}: {
config.modules.style = {
forceGtk = true;
gtk = {
usePortal = true;
theme = {
name = "Catppuccin-Mocha-Standard-Blue-Dark";
package = pkgs.catppuccin-gtk.override {
size = "standard";
accents = ["blue"];
variant = "mocha";
tweaks = ["normal"];
};
};
iconTheme = {
name = "Papirus-Dark";
package = pkgs.catppuccin-papirus-folders.override {
accent = "blue";
flavor = "mocha";
};
};
font = {
name = "Lexend";
size = 14;
};
};
qt = {
theme = {
name = "Catppuccin-Mocha-Dark";
package = pkgs.catppuccin-kde.override {
flavour = ["mocha"];
accents = ["blue"];
winDecStyles = ["modern"];
};
};
kdeglobals.source = "${config.modules.style.qt.theme.package}" + "/share/color-schemes/CatppuccinMochaBlue.colors";
};
};
}


@ -0,0 +1,71 @@
{pkgs, ...}: {
modules.system = {
mainUser = "notashelf";
fs = ["btrfs" "ext4" "vfat"];
impermanence.root.enable = true;
boot = {
secureBoot = false;
kernel = pkgs.linuxPackages_xanmod_latest;
plymouth.enable = true;
loader = "systemd-boot";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = true;
};
encryption = {
enable = true;
device = "enc";
};
yubikeySupport.enable = true;
autoLogin = true;
video.enable = true;
sound.enable = true;
bluetooth.enable = true;
printing.enable = true;
emulation.enable = true;
networking = {
optimizeTcp = true;
nftables.enable = true;
tailscale = {
enable = true;
isClient = true;
};
};
security = {
fixWebcam = false;
lockModules = true;
usbguard.enable = true;
};
virtualization = {
enable = true;
docker.enable = false;
qemu.enable = true;
podman.enable = false;
};
programs = {
cli.enable = true;
gui.enable = true;
spotify.enable = true;
git.signingKey = "0x02D1DD3FA08B6B29";
gaming = {
enable = true;
};
default = {
terminal = "foot";
};
};
};
}


@ -0,0 +1,17 @@
{
modules.usrEnv = {
desktop = "Hyprland";
useHomeManager = true;
programs = {
media.mpv.enable = true;
launchers = {
anyrun.enable = true;
tofi.enable = true;
};
screenlock.swaylock.enable = true;
};
};
}


@ -0,0 +1,93 @@
{
# we don't want the kernel setting up interfaces magically for us
boot.extraModprobeConfig = "options bonding max_bonds=0";
networking = {
useDHCP = false;
useNetworkd = false;
};
systemd.network = {
enable = true;
wait-online = {
enable = false;
anyInterface = true;
extraArgs = ["--ipv4"];
};
networks = {
# leave the kernel dummy devies unmanagaed
"10-dummy" = {
matchConfig.Name = "dummy*";
networkConfig = {};
# linkConfig.ActivationPolicy = "always-down";
linkConfig.Unmanaged = "yes";
};
# let me configure tailscale manually
"20-tailscale-ignore" = {
matchConfig.Name = "tailscale*";
linkConfig = {
Unmanaged = "yes";
RequiredForOnline = false;
};
};
"30-network-defaults-wired" = {
# matchConfig.Name = "en* | eth* | usb*";
matchConfig.Type = "ether";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
IPForward = "yes";
IPMasquerade = "no";
};
dhcpV4Config = {
ClientIdentifier = "duid"; # "mac"
Use6RD = "yes";
RouteMetric = 512;
UseDNS = false;
DUIDType = "link-layer";
};
dhcpV6Config = {
RouteMetric = 512;
PrefixDelegationHint = "::64";
UseDNS = false;
DUIDType = "link-layer";
};
};
"30-network-defaults-wireless" = {
# matchConfig.Name = "wl*";
matchConfig.Type = "wlan";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
IPForward = "yes";
IPMasquerade = "no";
};
dhcpV4Config = {
ClientIdentifier = "mac";
RouteMetric = 1500;
UseDNS = true;
DUIDType = "link-layer";
Use6RD = "yes";
};
dhcpV6Config = {
RouteMetric = 1500;
UseDNS = true;
DUIDType = "link-layer";
# routes = [
# { routeConfig = { Gateway = "_dhcp4"; Metric = 1500; }; }
# { routeConfig = { Gateway = "_ipv6ra"; Metric = 1500; }; }
# ];
PrefixDelegationHint = "::64";
};
};
};
};
}
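Review bot: `IPForward = "yes"` in both the wired and wireless defaults turns this laptop into a router for whatever interfaces it brings up (networkd applies it as a global forwarding sysctl, not per link), which is only needed if the host acts as a Tailscale exit node or subnet router; this host's system.nix enables tailscale as a client only, so unless forwarding is actually required it should be `IPForward = "no"` or omitted. `PrefixDelegationHint = "::64"` is an address, not a prefix; if a /64 hint was intended it should be `PrefixDelegationHint = "::/64";` in both `dhcpV6Config` blocks. `wait-online.enable = false` together with `anyInterface = true` is contradictory but harmless, since the second setting has no effect while the unit is disabled.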


@ -0,0 +1,13 @@
{self, ...}: {
config = {
boot.kernelParams = [
"i8042.nomux" # Don't check presence of an active multiplexing controller
"i8042.nopnp" # Don't use ACPIPn<P / PnPBIOS to discover KBD/AUX controllers
];
system = {
stateVersion = "23.05";
configurationRevision = self.rev or "dirty";
};
};
}


@ -0,0 +1,8 @@
{
imports = [
./fs
./modules
./system.nix
];
}


@ -0,0 +1,38 @@
{
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/5e652a20-9dc3-441a-9fc3-949d5263ee7a";
fsType = "btrfs";
options = ["subvol=root"];
};
"/home" = {
device = "/dev/disk/by-uuid/5e652a20-9dc3-441a-9fc3-949d5263ee7a";
fsType = "btrfs";
options = ["subvol=home"];
};
"/nix" = {
device = "/dev/disk/by-uuid/5e652a20-9dc3-441a-9fc3-949d5263ee7a";
fsType = "btrfs";
options = ["subvol=nix"];
};
"/persist" = {
device = "/dev/disk/by-uuid/5e652a20-9dc3-441a-9fc3-949d5263ee7a";
fsType = "btrfs";
options = ["subvol=persist"];
};
"/var/log" = {
device = "/dev/disk/by-uuid/5e652a20-9dc3-441a-9fc3-949d5263ee7a";
fsType = "btrfs";
options = ["subvol=log"];
};
"/boot" = {
device = "/dev/disk/by-uuid/6ABE-DA15";
fsType = "vfat";
};
};
}


@ -0,0 +1,7 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
];
}


@ -0,0 +1,11 @@
{
config.modules.device = {
type = "hybrid";
cpu.type = "intel";
gpu.type = "intel";
monitors = ["eDP-1"];
hasBluetooth = false;
hasSound = true;
hasTPM = true;
};
}


@ -0,0 +1,57 @@
{
config.modules.system = {
mainUser = "notashelf";
fs = ["btrfs" "ext4" "vfat"];
autoLogin = true;
boot = {
secureBoot = false;
loader = "systemd-boot";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = false;
};
video.enable = true;
sound.enable = true;
bluetooth.enable = false;
printing.enable = false;
emulation.enable = false;
networking = {
optimizeTcp = true;
tailscale = {
enable = true;
isClient = true;
};
};
security = {
fixWebcam = false;
};
virtualization = {
enable = false;
docker.enable = false;
qemu.enable = false;
podman.enable = false;
};
programs = {
cli.enable = true;
gui.enable = true;
git.signingKey = "0x148C61C40F80F8D6";
gaming = {
enable = false;
chess.enable = false;
};
default = {
terminal = "foot";
};
};
};
}


@ -0,0 +1,7 @@
{
config.modules.usrEnv = {
isWayland = true;
desktop = "Hyprland";
useHomeManager = true;
};
}


@ -0,0 +1,25 @@
{
config = {
fileSystems = {
"/".options = ["compress=zstd" "noatime"];
"/home".options = ["compress=zstd"];
"/persist".options = ["compress=zstd"];
"/var/log".options = ["compress=zstd"];
"/nix".options = ["compress=zstd" "noatime"];
};
hardware = {
enableRedistributableFirmware = true;
enableAllFirmware = true;
};
boot = {
kernelModules = ["iwlwifi"];
kernelParams = [
"i915.enable_fbc=1"
"i915.enable_psr=2"
"nohibernate"
];
};
};
}


@ -0,0 +1,8 @@
{
imports = [
./fs
./modules
./system.nix
];
}


@ -0,0 +1,11 @@
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/4e742f36-b005-4f3b-a25c-dd55ef1bda0a";
fsType = "btrfs";
options = ["compress=zstd" "noatime"];
};
swapDevices = [
{device = "/dev/disk/by-uuid/8d35941a-dcf0-4659-83f8-458c18d0bb4f";}
];
}


@ -0,0 +1,7 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
];
}


@ -0,0 +1,10 @@
{
config.modules.device = {
type = "server";
cpu.type = "intel";
gpu.type = null;
hasBluetooth = false;
hasSound = false;
hasTPM = false;
};
}


@ -0,0 +1,34 @@
{
config.modules.system = {
mainUser = "notashelf";
fs = ["vfat" "exfat" "ext4"];
video.enable = false;
sound.enable = false;
bluetooth.enable = false;
printing.enable = false;
boot = {
secureBoot = false;
loader = "grub";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = false;
};
virtualization = {
enable = true;
qemu.enable = true;
docker.enable = true;
};
networking = {
optimizeTcp = false;
tailscale = {
enable = false;
isServer = true;
isClient = false;
};
};
};
}


@ -0,0 +1,6 @@
{
config.modules.usrEnv = {
useHomeManager = true;
isWayland = false;
};
}

33
nyx/hosts/leto/system.nix Normal file

@ -0,0 +1,33 @@
{
modulesPath,
config,
lib,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
config = {
services.smartd.enable = lib.mkForce false;
boot = {
growPartition = !config.boot.initrd.systemd.enable;
initrd = {
availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk"];
kernelModules = [];
};
loader.grub = {
enable = true;
useOSProber = lib.mkForce false;
efiSupport = lib.mkForce false;
enableCryptodisk = false;
theme = null;
backgroundColor = null;
splashImage = null;
device = lib.mkForce "/dev/vda";
};
};
};
}


@ -0,0 +1,8 @@
{
imports = [
./fs
./modules
./system.nix
];
}


@ -0,0 +1,30 @@
{
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/b26ec8d8-8203-4252-8c32-0e0de3d90477";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
"/nix" = {
device = "/dev/disk/by-uuid/b26ec8d8-8203-4252-8c32-0e0de3d90477";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-uuid/b26ec8d8-8203-4252-8c32-0e0de3d90477";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/boot" = {
device = "/dev/disk/by-uuid/1EC3-9305";
fsType = "vfat";
};
};
swapDevices = [
{device = "/dev/disk/by-uuid/2691cd3d-8c61-415f-9260-395050884f02";}
];
}


@ -0,0 +1,7 @@
{
imports = [
./device.nix
./system.nix
./usrEnv.nix
];
}


@ -0,0 +1,11 @@
{
config.modules.device = {
type = "laptop";
cpu.type = "intel";
gpu.type = "intel"; # nvidia drivers :b:roke
monitors = ["eDP-1" "HDMI-A-1"];
hasBluetooth = true;
hasSound = true;
hasTPM = true;
};
}


@ -0,0 +1,51 @@
{
config.modules.system = {
mainUser = "notashelf";
fs = ["btrfs" "vfat" "ntfs"];
autoLogin = true;
boot = {
loader = "systemd-boot";
enableKernelTweaks = true;
initrd.enableTweaks = true;
loadRecommendedModules = true;
tmpOnTmpfs = true;
};
video.enable = true;
sound.enable = true;
bluetooth.enable = false;
printing.enable = false;
networking = {
optimizeTcp = true;
tailscale = {
enable = true;
isClient = true;
};
};
virtualization = {
enable = false;
docker.enable = false;
qemu.enable = true;
podman.enable = false;
};
programs = {
cli.enable = true;
gui.enable = true;
git.signingKey = "419DBDD3228990BE";
gaming = {
enable = true;
chess.enable = true;
};
default = {
terminal = "foot";
};
};
};
}


@ -0,0 +1,7 @@
{
config.modules.usrEnv = {
isWayland = true;
desktop = "Hyprland";
useHomeManager = true;
};
}


@ -0,0 +1,30 @@
{
config,
lib,
...
}: let
inherit (lib) optionals mkIf mkForce;
dev = config.modules.device;
in {
config = {
hardware = {
nvidia = mkIf (builtins.elem dev.gpu ["nvidia" "hybrid-nv"]) {
open = mkForce false;
prime = {
offload.enable = true;
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
};
};
};
boot = {
kernelParams = optionals ((dev.cpu == "intel") && (dev.gpu != "hybrid-nv")) [
"i915.enable_fbc=1"
"i915.enable_psr=2"
];
};
};
}