From 504b765606f02b610d74d259ddf2c85292e1f6c0 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Sat, 8 Feb 2025 03:19:30 -0800 Subject: add nix-topology; make configuration options less bad; restructure project a bit; add flake system looping --- nix/modules/configuration.nix | 297 +++++++++++++++++++++--------------------- nix/modules/default.nix | 1 + nix/modules/home/default.nix | 17 +-- nix/modules/home/hyprland.nix | 6 + nix/modules/home/user.nix | 11 +- nix/modules/nginx.nix | 4 +- nix/modules/nvme-simple.nix | 35 ----- nix/modules/ollama.nix | 2 +- nix/modules/sda-simple.nix | 35 ----- nix/modules/vars.nix | 7 - nix/modules/vda-simple.nix | 27 ---- 11 files changed, 168 insertions(+), 274 deletions(-) delete mode 100644 nix/modules/nvme-simple.nix delete mode 100644 nix/modules/sda-simple.nix delete mode 100644 nix/modules/vda-simple.nix (limited to 'nix/modules') diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 36a1702..1d175dc 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -24,10 +24,10 @@ environment = { etc = { - securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + securetty.text = '' + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; }; }; @@ -35,13 +35,13 @@ coredump.enable = false; network.config.networkConfig.IPv6PrivacyExtensions = "kernel"; tmpfiles.settings = { - "restricthome"."/home/*".Z.mode = "~0700"; + "restricthome"."/home/*".Z.mode = "~0700"; - "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; - }; + "restrictetcnixos"."/etc/nixos/*".Z = { + mode = "0000"; + user = "root"; + group = "root"; + }; }; }; 
@@ -50,138 +50,137 @@ extraModulePackages = [ ]; initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" - ]; - - kernelModules = [ ]; + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" + ]; + + kernelModules = [ ]; }; lanzaboote = { - enable = config.monorepo.profiles.secureBoot.enable; - pkiBundle = "/etc/secureboot"; + enable = config.monorepo.profiles.secureBoot.enable; + pkiBundle = "/etc/secureboot"; }; loader = { - systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.grub.enable); - efi.canTouchEfiVariables = lib.mkDefault (! config.monorepo.profiles.grub.enable); + systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.grub.enable); + efi.canTouchEfiVariables = lib.mkDefault (! config.monorepo.profiles.grub.enable); }; kernelModules = [ - "snd-seq" - "snd-rawmidi" - "xhci_hcd" - "kvm_intel" + "snd-seq" + "snd-rawmidi" + "xhci_hcd" + "kvm_intel" ]; kernelParams = [ - "debugfs=off" - "page_alloc.shuffle=1" - "slab_nomerge" - "page_poison=1" - - # madaidan - "pti=on" - "randomize_kstack_offset=on" - "vsyscall=none" - "module.sig_enforce=1" - "lockdown=confidentiality" - - # cpu - "spectre_v2=on" - "spec_store_bypass_disable=on" - "tsx=off" - "tsx_async_abort=full,nosmt" - "mds=full,nosmt" - "l1tf=full,force" - "nosmt=force" - "kvm.nx_huge_pages=force" - - # hardened - "extra_latent_entropy" - - # mineral - "init_on_alloc=1" - "random.trust_cpu=off" - "random.trust_bootloader=off" - "intel_iommu=on" - "amd_iommu=force_isolation" - "iommu=force" - "iommu.strict=1" - "init_on_free=1" - "quiet" - "loglevel=0" + "debugfs=off" + "page_alloc.shuffle=1" + "slab_nomerge" + "page_poison=1" + + # madaidan + "pti=on" + "randomize_kstack_offset=on" + "vsyscall=none" + "module.sig_enforce=1" + "lockdown=confidentiality" + + # cpu + "spectre_v2=on" + 
"spec_store_bypass_disable=on" + "tsx=off" + "tsx_async_abort=full,nosmt" + "mds=full,nosmt" + "l1tf=full,force" + "nosmt=force" + "kvm.nx_huge_pages=force" + + # hardened + "extra_latent_entropy" + + # mineral + "init_on_alloc=1" + "random.trust_cpu=off" + "random.trust_bootloader=off" + "intel_iommu=on" + "amd_iommu=force_isolation" + "iommu=force" + "iommu.strict=1" + "init_on_free=1" + "quiet" + "loglevel=0" ]; blacklistedKernelModules = [ - "netrom" - "rose" - - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" + "netrom" + "rose" + + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "ntfs" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; kernel.sysctl = { - "kernel.ftrace_enabled" = false; - "net.core.bpf_jit_enable" = false; - "kernel.kptr_restrict" = 2; - - # madaidan - "vm.swappiness" = 1; - "vm.unprivileged_userfaultfd" = 0; - "dev.tty.ldisc_autoload" = 0; - "kernel.kexec_load_disabled" = 1; - "kernel.sysrq" = 4; - "kernel.perf_event_paranoid" = 3; - - # net - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + "kernel.ftrace_enabled" = false; + "net.core.bpf_jit_enable" = false; + "kernel.kptr_restrict" = 2; + + # madaidan + "vm.swappiness" = 1; + "vm.unprivileged_userfaultfd" = 0; + "dev.tty.ldisc_autoload" = 0; + "kernel.kexec_load_disabled" = 1; + "kernel.sysrq" = 4; + "kernel.perf_event_paranoid" = 3; + + # net + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + + "net.ipv4.conf.all.accept_redirects" = false; + 
"net.ipv4.conf.all.secure_redirects" = false; + "net.ipv4.conf.default.accept_redirects" = false; + "net.ipv4.conf.default.secure_redirects" = false; + "net.ipv6.conf.all.accept_redirects" = false; + "net.ipv6.conf.default.accept_redirects" = false; }; }; networking = { useDHCP = lib.mkDefault true; - hostName = config.monorepo.vars.hostName; networkmanager = { - enable = true; + enable = true; }; firewall = { - allowedTCPPorts = [ 22 11434 ]; - allowedUDPPorts = [ ]; + allowedTCPPorts = [ 22 11434 ]; + allowedUDPPorts = [ ]; }; }; @@ -192,16 +191,16 @@ pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable; bluetooth = { - enable = true; - powerOnBoot = true; + enable = true; + powerOnBoot = true; }; }; services = { chrony = { - enable = true; - enableNTS = true; - servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; + enable = true; + enableNTS = true; + servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; }; jitterentropy-rngd.enable = true; @@ -214,12 +213,12 @@ # Misc. udev = { - extraRules = ''''; - packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd - ]; + extraRules = ''''; + packages = with pkgs; [ + platformio-core + platformio-core.udev + openocd + ]; }; printing.enable = true; @@ -236,20 +235,20 @@ nixpkgs = { hostPlatform = lib.mkDefault "x86_64-linux"; config = { - allowUnfree = true; - cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; + allowUnfree = true; + cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; }; }; security = { apparmor = { - enable = true; - killUnconfinedConfinables = true; + enable = true; + killUnconfinedConfinables = true; }; pam.loginLimits = [ - { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } - { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } + { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } + { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } ]; rtkit.enable = true; 
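Review bot: `allowedTCPPorts = [ 22 11434 ];` in the networking block opens the Ollama port on every host built from this module, while the ollama.nix hunk in this same patch (its `@@ -1,7 +1,7 @@`) now enables Ollama from the workstation profile and keeps `host = "0.0.0.0"`, so a workstation exposes an unauthenticated model API on whatever network it joins. The firewall entry should follow the service instead of being unconditional, e.g. `allowedTCPPorts = [ 22 ] ++ lib.optional config.services.ollama.enable config.services.ollama.port;`, and the `0.0.0.0` bind in ollama.nix deserves the same look. Separately, the removed `hostName = config.monorepo.vars.hostName;` line has no replacement anywhere in this patch; presumably the new flake loop sets `networking.hostName` per system, but if it does not, every host evaluates to the NixOS default name.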
@@ -259,9 +258,9 @@ forcePageTableIsolation = true; tpm2 = { - enable = true; - pkcs11.enable = true; - tctiEnvironment.enable = true; + enable = true; + pkcs11.enable = true; + tctiEnvironment.enable = true; }; auditd.enable = true; @@ -274,9 +273,9 @@ enable = true; wlr.enable = true; extraPortals = with pkgs; [ - xdg-desktop-portal-gtk - xdg-desktop-portal - xdg-desktop-portal-hyprland + xdg-desktop-portal-gtk + xdg-desktop-portal + xdg-desktop-portal-hyprland ]; config.common.default = "*"; }; @@ -289,23 +288,25 @@ curl ]; + users.groups.git = {}; users.users = { root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" ]; git = { - isSystemUser = true; - home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; + group = "git"; }; "${config.monorepo.vars.userName}" = { - initialPassword = "${config.monorepo.vars.userName}"; - isNormalUser = true; - description = config.monorepo.vars.fullName; - extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; - shell = pkgs.zsh; - packages = []; + initialPassword = "${config.monorepo.vars.userName}"; + isNormalUser = true; + description = config.monorepo.vars.fullName; + extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; + shell = pkgs.zsh; + packages = []; }; }; diff --git a/nix/modules/default.nix b/nix/modules/default.nix index 50e5a1b..00a188b 100644 --- a/nix/modules/default.nix +++ b/nix/modules/default.nix @@ -17,6 +17,7 @@ server.enable = lib.mkEnableOption "Enables server services"; ttyonly.enable = lib.mkEnableOption "TTY only, no xserver"; grub.enable = lib.mkEnableOption "Enables grub instead of systemd-boot"; + workstation.enable = lib.mkEnableOption "Enables workstation services"; }; }; }; 
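Review bot: `initialPassword = "${config.monorepo.vars.userName}";` in the `@@ -289,23 +288,25 @@` hunk gives the wheel-group user a first-boot password equal to its username, and the same block leaves port 22 open firewall-wide, so a host that is provisioned remotely and never has that password rotated stays trivially guessable. Prefer `hashedPasswordFile` (or `initialHashedPassword`) over a cleartext literal, and make sure sshd has `PasswordAuthentication` disabled so the initial password is usable only at the console. The added `users.groups.git = {};` and `group = "git";` look correct for a system user that previously had no primary group.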
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix index 45b0890..13966da 100644 --- a/nix/modules/home/default.nix +++ b/nix/modules/home/default.nix @@ -42,23 +42,8 @@ music.enable = lib.mkEnableOption "Enables mpd"; workstation.enable = lib.mkEnableOption "Enables workstation packages (music production and others)"; cuda.enable = lib.mkEnableOption "Enables CUDA user package builds"; + hyprland.enable = lib.mkEnableOption "Enables hyprland"; - hyprland = { - enable = lib.mkEnableOption "Enables hyprland"; - monitors = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ - "HDMI-A-1" - "eDP-1" - "DP-2" - "DP-3" - "LVDS-1" - "DP-4" - ]; - example = []; - description = "Hyprland monitors"; - }; - }; email = { email = lib.mkOption { type = lib.types.str; diff --git a/nix/modules/home/hyprland.nix b/nix/modules/home/hyprland.nix index 36e1621..1463f90 100644 --- a/nix/modules/home/hyprland.nix +++ b/nix/modules/home/hyprland.nix @@ -7,6 +7,12 @@ systemd.enable = true; settings = { "$mod" = "SUPER"; + bezier = [ + "overshot,0,1,0,0.95" + ]; + animation = [ + "workspaces, 1, 10, overshot" + ]; exec-once = [ "waybar" "swww-daemon --format xrgb" diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index 882041b..85b6a70 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix 
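Review bot: Replacing the `hyprland` attrset (with its `monitors` option) by a bare `hyprland.enable` in the `@@ -42,23 +42,8 @@` hunk is a breaking change for any module that still reads the removed `monitors` option; the hyprland.nix hunk in this same patch only adds `bezier`/`animation` entries and does not show where the monitor list went, so I cannot confirm every consumer was updated. If the list was simply inlined, a short comment on the new `hyprland.enable = lib.mkEnableOption "Enables hyprland";` line saying where monitors are now configured would save the next reader a search. The enclosing options attrset starts and ends outside the hunk.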
@@ -62,12 +62,17 @@ pfetch libnotify htop - (writeShellScriptBin "install_vps" + (writeShellScriptBin "remote-build" '' #!/bin/bash -nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./systems/spontaneity/hardware-configuration.nix --flake .#spontaneity --target-host "$1" - '' +nixos-rebuild --target-host "$1" switch --flake .#spontaneity +'' ) + (writeShellScriptBin "install-vps" + '' +#!/bin/bash +nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./systems/spontaneity/hardware-configuration.nix --flake .#spontaneity --target-host "$1" + '') ] else [ pfetch diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix index e8c4682..bcc213a 100644 --- a/nix/modules/nginx.nix +++ b/nix/modules/nginx.nix @@ -1,7 +1,7 @@ -{ config, services, ... }: +{ config, lib, services, ... }: { services.nginx = { - enable = true; + enable = lib.mkDefault config.monorepo.profiles.server.enable; # Use recommended settings recommendedGzipSettings = true; diff --git a/nix/modules/nvme-simple.nix b/nix/modules/nvme-simple.nix deleted file mode 100644 index 665c17e..0000000 --- a/nix/modules/nvme-simple.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - disko.devices = { - disk = { - my-disk = { - device = "/dev/nvme0n1"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - ESP = { - type = "EF00"; - size = "500M"; - priority = 1; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - priority = 2; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/modules/ollama.nix b/nix/modules/ollama.nix index f9f4dc9..96ee918 100644 --- a/nix/modules/ollama.nix +++ b/nix/modules/ollama.nix 
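Review bot: Both `remote-build` and `install-vps` pass `"$1"` straight to `--target-host` with no argument check, and `install-vps` invokes nixos-anywhere, an installer that rewrites the target's disks, so an empty or mistyped first argument either fails late or acts on the wrong machine. A guard at the top of each script, `[ -n "$1" ] || { echo "usage: $0 <target-host>" >&2; exit 1; }`, is cheap. The `#!/bin/bash` line inside each body is redundant because writeShellScriptBin already emits its own shebang, so as written it is only a comment on the second line. Renaming `install_vps` to `install-vps` also breaks any caller of the old name, which the commit message does not mention.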
@@ -1,7 +1,7 @@ { config, lib, ... }: { services.ollama = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; + enable = lib.mkDefault config.monorepo.profiles.workstation.enable; acceleration = "cuda"; host = "0.0.0.0"; }; diff --git a/nix/modules/sda-simple.nix b/nix/modules/sda-simple.nix deleted file mode 100644 index fdf6556..0000000 --- a/nix/modules/sda-simple.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - disko.devices = { - disk = { - my-disk = { - device = "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - ESP = { - type = "EF00"; - size = "500M"; - priority = 1; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - priority = 2; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/modules/vars.nix b/nix/modules/vars.nix index 5652a93..5d22584 100644 --- a/nix/modules/vars.nix +++ b/nix/modules/vars.nix @@ -1,13 +1,6 @@ { lib, ... }: { options.monorepo.vars = { - hostName = lib.mkOption { - type = lib.types.str; - default = "continuity"; - example = "hostname"; - description = "system hostname"; - }; - userName = lib.mkOption { type = lib.types.str; default = "preston"; diff --git a/nix/modules/vda-simple.nix b/nix/modules/vda-simple.nix deleted file mode 100644 index 32fa28d..0000000 --- a/nix/modules/vda-simple.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; - }; - root = { - size = "100%"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; -} -- cgit
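Review bot: `acceleration = "cuda";` in the ollama.nix hunk stays hard-coded while the rest of the tree gates CUDA on `config.monorepo.profiles.cuda.enable` (configuration.nix derives `cudaSupport` from it), so enabling the new workstation profile on a machine without the cuda profile still pulls the CUDA build of Ollama. Tying the two together, `acceleration = lib.mkDefault (if config.monorepo.profiles.cuda.enable then "cuda" else null);`, keeps the options consistent with the existing `enable = lib.mkDefault ...` line above it.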