From 6784442e11967f6ee427fd4076496614450e31fe Mon Sep 17 00:00:00 2001 From: Alexander Szczepanski Date: Thu, 31 Oct 2024 13:41:42 +0100 Subject: [PATCH] desktop-2024-10-31-13-41-42 --- configs/borg-exclude.nix | 5 +- configs/common.nix | 1 + configs/games.nix | 2 + configs/user.nix | 20 +++ configs/virtualisation.nix | 4 +- flake.lock | 157 +++++++++++++++------ flake.nix | 33 ++++- machine/desktop/configuration.nix | 99 +++++++++---- machine/desktop/hardware-configuration.nix | 59 +++++--- 9 files changed, 281 insertions(+), 99 deletions(-) diff --git a/configs/borg-exclude.nix b/configs/borg-exclude.nix index ed53e75..0d57990 100755 --- a/configs/borg-exclude.nix +++ b/configs/borg-exclude.nix @@ -1,8 +1,11 @@ { borg-exclude = [ ".cache" + ".config/Nextcloud/logs" + ".local/share/baloo" + + # ".local/share/libvirt/images" - ".local/share/libvirt/images" ".local/share/Steam" ".local/share/Trash" diff --git a/configs/common.nix b/configs/common.nix index e120fd1..7f9331c 100755 --- a/configs/common.nix +++ b/configs/common.nix @@ -49,6 +49,7 @@ iotop nmap nmon + bandwhich gnupg gocryptfs diff --git a/configs/games.nix b/configs/games.nix index b7e2744..8741d0b 100755 --- a/configs/games.nix +++ b/configs/games.nix @@ -1,5 +1,7 @@ { config, pkgs, lib, outputs, ... }: { + users.extraGroups.gamemode.members = [ "alex" ]; + programs = { gamescope = { enable = true; diff --git a/configs/user.nix b/configs/user.nix index 0086eea..2082b86 100755 --- a/configs/user.nix +++ b/configs/user.nix @@ -1,4 +1,18 @@ { config, pkgs, lib, inputs, ... }: +let + serviceConfig = { + MountAPIVFS = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectKernelModules = true; + PrivateDevices = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectSystem = "full"; + RestrictSUIDSGID = true; + }; +in { imports = [ inputs.home-manager.nixosModules.home-manager 
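Review bot: Commenting out `.local/share/libvirt/images` in `borg-exclude` means VM disk images are now included in the daily `home` job that ships to the remote storagebox; virtualisation.nix in this same commit still has `libvirtd` commented out, so either that directory is unused and the line is moot, or images created some other way are about to be copied off-site. If the latter is intended, say so next to the commented line, e.g. `# libvirt images are deliberately backed up: large, but they hold guest state`; if not, restore the exclude. The entry is a comment rather than a removal, which reads as "temporarily disabled" — a one-line reason would settle that.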
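Review bot: `users.extraGroups.gamemode.members = [ "alex" ];` in games.nix uses the legacy `users.extraGroups` alias; the canonical option is `users.groups`, so the line should read `users.groups.gamemode.members = [ "alex" ];` to match what the module documents. The alias still evaluates, so this is a style point, not a break. Group membership is what the gamemode module keys its behaviour on, so a why-comment would help the next reader, e.g. `# gamemode only acts on processes of users in this group`; and if `alex`'s `extraGroups` list in user.nix (cut off in that hunk) already names `gamemode`, this line is redundant and one of the two should go.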
@@ -15,6 +29,7 @@ users.alex = { isNormalUser = true; + uid = 1000; # hashedPassword = secrets.hashedPassword; hashedPasswordFile = config.sops.secrets.hashedPassword.path; extraGroups = [ @@ -36,6 +51,11 @@ }; }; + systemd.services = { + alex.serviceConfig = serviceConfig; + root.serviceConfig = serviceConfig; + }; + programs = { zsh.enable = true; nix-ld.enable = true; diff --git a/configs/virtualisation.nix b/configs/virtualisation.nix index c92ee3d..e4e324c 100755 --- a/configs/virtualisation.nix +++ b/configs/virtualisation.nix @@ -7,11 +7,13 @@ # "kvm" virtualisation = { - virtualbox.host ={ + virtualbox.host = { enable = true; enableExtensionPack = true; }; + vmware.host.enable = true; + # libvirtd = { # enable = true; # qemu = { diff --git a/flake.lock b/flake.lock index 4c1ea13..206c14a 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1729599319, - "narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=", + "lastModified": 1730321876, + "narHash": "sha256-hG8dCERfiM1yUDRWvEplr9kMgEe79xWaeF1On4H5gcs=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d", + "rev": "6d2d6b13f317bcc6ef0709974962b1d49dedb102", "type": "github" }, "original": { @@ -38,6 +38,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, "flake-schemas": { "locked": { "lastModified": 1721999734, @@ -56,7 +72,7 @@ "inputs": { "flake-compat": "flake-compat", "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { 
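Review bot: `systemd.services.alex` and `systemd.services.root` are given only a `serviceConfig`; nothing in this hunk (or the `let` block in the first hunk of user.nix) supplies an `ExecStart`, `script`, or `Type = "oneshot"`, so unless the units are completed elsewhere systemd will, I believe, refuse to load the generated `alex.service` and `root.service` as lacking an ExecStart, and the hardening options protect nothing. If the intent is to sandbox a particular daemon, attach `serviceConfig` to that unit instead; note that `ProtectHome = true` plus `PrivateUsers = true` and `PrivateDevices = true` would break any service that needs `/home/alex`, real uids, or device nodes. Either way the shared set deserves a comment stating its contract, e.g. `# sandbox profile: units using this must not touch /home, real uids, or device nodes`.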
@@ -82,11 +98,11 @@ ] }, "locked": { - "lastModified": 1729414726, - "narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=", + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", "owner": "nix-community", "repo": "home-manager", - "rev": "fe56302339bb28e3471632379d733547caec8103", + "rev": "e83414058edd339148dc142a8437edb9450574c8", "type": "github" }, "original": { @@ -98,15 +114,15 @@ "home-manager_2": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { - "lastModified": 1729551526, - "narHash": "sha256-7LAGY32Xl14OVQp3y6M43/0AtHYYvV6pdyBcp3eoz0s=", + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ec753a1fc4454df9285d8b3ec0809234defb975", + "rev": "e83414058edd339148dc142a8437edb9450574c8", "type": "github" }, "original": { @@ -125,11 +141,11 @@ ] }, "locked": { - "lastModified": 1729177642, - "narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=", + "lastModified": 1730248099, + "narHash": "sha256-Fl7BSdpLk0uTXF6ol/MR0q1EB4XQ8tn0ftig0pyYh5Y=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "bb69165ff372ddbd3228a03513922acd783040e8", + "rev": "c11bab124fc55a37cbd854ed28ea121ed609231f", "type": "github" }, "original": { @@ -141,16 +157,16 @@ "kwin-effects-forceblur": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ], "utils": "utils" }, "locked": { - "lastModified": 1727168404, - "narHash": "sha256-4fnKw1n9lwes6QGQY8QU1NVXaOFvR1UH+G1T114WURo=", + "lastModified": 1730108786, + "narHash": "sha256-HanZv/MCAcW2BMbe7Ns942ceMa2bTJUW48J654LiR/o=", "owner": "taj-ny", "repo": "kwin-effects-forceblur", - "rev": "4ca19d2e60cf69c3a876c7c378aeda25bbeb134c", + "rev": "523a7d714cc1c921ed9edb4a2bd6fd49817bc4bb", "type": "github" }, "original": { 
@@ -168,11 +184,11 @@ ] }, "locked": { - "lastModified": 1690328911, - "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=", + "lastModified": 1729697500, + "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=", "owner": "zhaofengli", "repo": "nix-github-actions", - "rev": "96df4a39c52f53cb7098b923224d8ce941b64747", + "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf", "type": "github" }, "original": { @@ -182,13 +198,36 @@ "type": "github" } }, + "nixos-cosmic": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1730338548, + "narHash": "sha256-wwAKXZr5GU36NrVy/gERRWuQjIKvZYrTD5mRahd87vI=", + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "rev": "bb2350119400c47be764c348e67f1b38e858435f", + "type": "github" + }, + "original": { + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1729624485, - "narHash": "sha256-iEffyT68tEU5kHQuyP05QRH+JhWNNLAwHfgZAzXFS7o=", + "lastModified": 1730365793, + "narHash": "sha256-XU41ts73mLV81CS+kGv7KTWjMeAQYReIRTRn9/WTjhs=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "22e8de2729f40d29a445c8baeaf22740b8b25daf", + "rev": "b486ff2d754c0c396f391f6b83cb048066de8332", "type": "github" }, "original": { @@ -200,11 +239,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729413321, - "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", + "lastModified": 1729880355, + "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", + "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", "type": "github" }, "original": { 
@@ -216,11 +255,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730137625, + "narHash": "sha256-9z8oOgFZiaguj+bbi3k4QhAD6JabWrnv7fscC/mt0KE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "64b80bfb316b57cdb8919a9110ef63393d74382a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1729973466, + "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", "type": "github" }, "original": { @@ -230,13 +285,13 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-unstable": { "locked": { - "lastModified": 1729413321, - "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { 
@@ -252,24 +307,46 @@ "fw-fanctrl": "fw-fanctrl", "home-manager": "home-manager_2", "kwin-effects-forceblur": "kwin-effects-forceblur", + "nixos-cosmic": "nixos-cosmic", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "nixos-cosmic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730255392, + "narHash": "sha256-9pydem8OVxa0TwjUai1PJe0yHAJw556CWCEwyoAq8Ik=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "7509d76ce2b3d22b40bd25368b45c0a9f7f36c89", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1729669122, - "narHash": "sha256-SpS3rSwYcskdOpx+jeCv1lcZDdkT/K5qT8dlenCBQ8c=", + "lastModified": 1729999681, + "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", "owner": "mic92", "repo": "sops-nix", - "rev": "a4c33bfecb93458d90f9eb26f1cf695b47285243", + "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 62b205b..09ad79d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,29 +2,35 @@ description = "Your new nix config"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; sops-nix = { url = "github:mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; }; kwin-effects-forceblur = { url = "github:taj-ny/kwin-effects-forceblur"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; }; # Home manager home-manager = { url = "github:nix-community/home-manager/master"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; }; fw-fanctrl = { url = "github:TamtamHero/fw-fanctrl/packaging/nix"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; + + nixos-cosmic = { + url = "github:lilyinstarlight/nixos-cosmic"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; }; }; @@ -34,13 +40,15 @@ , fw-fanctrl , home-manager , nixos-hardware - , nixpkgs - # , nixpkgs-unstable + , nixpkgs-stable + , nixpkgs-unstable , sops-nix + , nixos-cosmic , ... } @ inputs: let inherit (self) outputs; + nixpkgs = nixpkgs-unstable; # Supported systems for your flake packages, shell, etc. systems = [ @@ -54,6 +62,17 @@ # This is a function that generates an attribute by calling a function you # pass to it, with each system as an argument forAllSystems = nixpkgs.lib.genAttrs systems; + + cosmic-modules = [ + { + nix.settings = { + substituters = [ "https://cosmic.cachix.org/" ]; + trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ]; + }; + } + nixos-cosmic.nixosModules.default + ]; + in { overlays = import ./overlays { inherit inputs; }; 
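Review bot: `cosmic-modules` adds `cosmic.cachix.org` to `substituters` together with its `trusted-public-keys` entry, which is a machine-wide trust decision: any store path signed by that key is substituted into `/nix/store` without a local build, for every configuration that includes the module. That is fine for a desktop that wants COSMIC binaries, but it should be stated where the key is pinned, e.g. `# Trusts this key machine-wide: anything it signs is accepted as a substitute without a local build.` In NixOS `nix.settings.substituters` merges with the default `cache.nixos.org` entry, so this is additive rather than a replacement. One caveat, hedged since it depends on how nixos-cosmic builds its cache: with `inputs.nixpkgs.follows = "nixpkgs-unstable"` the COSMIC packages are built against this flake's nixpkgs rather than the one the cache was populated from, so cache hits may be partial and the rest builds locally. `cosmic-modules` is defined here but not used within the hunk; presumably it is spliced into a `nixosConfigurations` entry further down.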
diff --git a/machine/desktop/configuration.nix b/machine/desktop/configuration.nix index 38b4373..45c1c69 100755 --- a/machine/desktop/configuration.nix +++ b/machine/desktop/configuration.nix @@ -68,7 +68,7 @@ in borg-key = { sopsFile = ../../secrets-desktop.yaml; owner = config.users.users.alex.name; - group = config.users.users.alex.group; + group = config.users.users.alex.group; }; hashedPassword = { @@ -77,7 +77,17 @@ in }; }; - nix.settings.system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-znver2" ]; + nix.settings = { + system-features = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + "gccarch-znver2" + ]; + trusted-substituters = [ "https://ai.cachix.org" ]; + trusted-public-keys = [ "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" ]; + }; boot = { loader = { @@ -92,16 +102,24 @@ in }; tmp.useTmpfs = false; - + supportedFilesystems = [ "btrfs" ]; kernelPackages = pkgs.pkgs.linuxPackages_cachyos-rc; kernelModules = [ "nct6775" ]; extraModulePackages = with pkgs.pkgs.linuxPackages_cachyos-rc; [ ryzen-smu ]; # kernelParams = [ "clearcpuid=514" ]; # kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" ]; - kernelPatches = [{ - name = "fix problems with netfilter in 6.11.4"; - patch = ../../kernelpatches/fix-netfilter-6.11.4.patch; - }]; + # kernelPatches = [{ + # name = "fix problems with netfilter in 6.11.4"; + # patch = ../../kernelpatches/fix-netfilter-6.11.4.patch; + # }]; + + initrd.luks.devices = { + root = { + # Use https://nixos.wiki/wiki/Full_Disk_Encryption + device = "/dev/disk/by-uuid/cc43f1eb-49c3-41a6-9279-6766de3659e7"; + preLVM = true; + }; + }; }; systemd.services = { @@ -176,8 +194,6 @@ in # printing.enable = true; fwupd.enable = true; - # xserver.videoDrivers = [ "amdgpu" ]; - pipewire = { enable = true; alsa.enable = true; 
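Review bot: `trusted-substituters = [ "https://ai.cachix.org" ]` does not enable that cache — it only lets non-trusted users request it (e.g. via a flake's `nixConfig` or `--option substituters`); the line that actually admits its binaries is the `trusted-public-keys` entry beneath it, which the daemon honours regardless of who asked. Since the key is trusted system-wide, a comment should say why this cache is wanted and that it is opt-in per invocation, e.g. `# Not a default substituter: only used when a build explicitly asks for it, but its signing key is trusted globally.` If the cache is only needed for one project, consider keeping the key in that project's `nixConfig` and accepting it interactively instead of pinning it here.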
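Review bot: The new `initrd.luks.devices.root` entry omits `allowDiscards`, which the old `"nixos"` LUKS entry (removed from hardware-configuration.nix in this same commit) had set to `true`; the new btrfs mounts carry no `discard` option either, so TRIM never reaches the NVMe. That is the conservative default — passing discards through LUKS leaks the free-space layout — but it should be a deliberate, commented choice rather than something lost in a move, e.g. `# no allowDiscards: do not leak free-space layout through LUKS; run fstrim manually if needed` or re-add `allowDiscards = true;` if wear levelling matters more on this disk. `preLVM = true;` is the option's default and can be dropped unless it documents an LVM-on-LUKS layout, in which case a comment saying so is more useful than the redundant setting.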
@@ -227,32 +243,53 @@ in tailscale.enable = true; - borgbackup.jobs.home = rec { - compression = "auto,zstd"; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat ${config.sops.secrets.borg-key.path}"; + borgbackup.jobs = { + home = rec { + compression = "auto,zstd"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets.borg-key.path}"; + }; + extraCreateArgs = "--checkpoint-interval 600 --exclude-caches"; + environment.BORG_RSH = "ssh -i ~/.ssh/id_borg_ed25519"; + paths = "/home/alex"; + repo = "ssh://u278697-sub2@u278697.your-storagebox.de:23/./borg"; + startAt = "daily"; + user = "alex"; + prune.keep = { + daily = 7; + weekly = 4; + monthly = 6; + }; + extraPruneArgs = "--save-space --list --stats"; + exclude = map (x: paths + "/" + x) be.borg-exclude; }; - extraCreateArgs = "--checkpoint-interval 600 --exclude-caches"; - environment.BORG_RSH = "ssh -i ~/.ssh/id_borg_ed25519"; - paths = "/home/alex"; - repo = "ssh://u278697-sub2@u278697.your-storagebox.de:23/./borg"; - startAt = "daily"; - user = "alex"; - prune.keep = { - daily = 7; - weekly = 4; - monthly = 6; + + home-external = rec { + compression = "auto,zstd"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets.borg-key.path}"; + }; + extraCreateArgs = "--checkpoint-interval 600 --exclude-caches"; + paths = "/home/alex"; + repo = "/run/media/alex/b6c33623-fc23-47ed-b6f5-e99455d5534a/borg"; + startAt = []; + user = "alex"; + prune.keep = { + daily = 7; + weekly = 4; + monthly = 6; + }; + extraPruneArgs = "--save-space --list --stats"; + exclude = map (x: paths + "/" + x) [ + ".cache" + ".config/Nextcloud/logs" + ".local/share/baloo" + ]; }; - extraPruneArgs = "--save-space --list --stats"; - exclude = map (x: paths + "/" + x) be.borg-exclude; }; }; - swapDevices = [{ - device = "/swapfile"; - size = 32 * 1024; - }]; - system.stateVersion = "24.11"; } 
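Review bot: `home-external` writes to `/run/media/alex/b6c33623-…/borg`, a removable-disk mount point, but leaves the borgbackup module's `doInit` at its default of `true`; if the disk is not mounted when the job is triggered, `borg init` creates a fresh repository at that path on the root filesystem and the backup lands there instead of on the external disk. Add `doInit = false;` to `home-external` — the option's own description names exactly this case — so the job fails loudly on a missing mount. With `startAt = []` the job only runs when started by hand, which is precisely when the disk is most likely to be absent. The job also restates three entries of `be.borg-exclude` instead of reusing it; if dropping `.local/share/Steam` and `.local/share/Trash` from the external copy is intended, a comment saying so (e.g. `# external disk has room for Steam/Trash, only skip volatile dirs`) will keep the two lists from drifting. Both repositories are unlocked with the same `borg-key` secret, so the external disk and the storagebox share one passphrase — acceptable, but worth knowing when that disk travels.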
diff --git a/machine/desktop/hardware-configuration.nix b/machine/desktop/hardware-configuration.nix index b81a9c4..578dc62 100644 --- a/machine/desktop/hardware-configuration.nix +++ b/machine/desktop/hardware-configuration.nix 
@@ -9,32 +9,53 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "uas" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "/dev/disk/by-uuid/593a3e75-5479-4ee4-9797-d453c8841f8e"; - options = [ "discard" ]; - fsType = "ext4"; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" "noatime" ]; + }; + + "/home" = { + device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" "noatime" ]; + }; + + "/nix" = { + device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; + + "/persist" = { + device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; + fsType = "btrfs"; + options = [ "subvol=persist" "compress=zstd" "noatime" ]; + }; + + "/var/log" = { + device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" "noatime" ]; + neededForBoot = true; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/4339-5A4C"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; }; - boot.initrd.luks.devices."nixos" = { - device = "/dev/disk/by-uuid/56c16ba5-1a5f-4364-a663-6d924810f7e9"; - allowDiscards = true; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/28F0-919C"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = [ ]; + swapDevices = [{ device = "/dev/disk/by-uuid/831be7b8-5b1b-4bda-a27d-5a1c4efb2c4d"; }]; networking.useDHCP = lib.mkDefault 
true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; }
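Review bot: `swapDevices` now names `/dev/disk/by-uuid/831be7b8-…` by UUID alone; the hunk shows the root filesystem living inside a LUKS container (opened as `root` in configuration.nix) but nothing ties this swap device to that container, so if it is a plain partition rather than a logical volume under the mapping, swapped-out pages and any hibernation image — including key material — are written in clear on an otherwise encrypted disk. Confirm it sits inside the LUKS container (the new `dm-snapshot` initrd module hints at LVM-on-LUKS, which would be fine) and record that in a comment, e.g. `# swap LV inside the LUKS container; never a raw partition`; if hibernation is not needed, `randomEncryption.enable = true;` on the entry removes the question entirely. Separately, `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"` is dropped here; that is only safe if the flake's `nixosSystem` call sets `system` (not visible in this diff), so it is worth a quick check that evaluation still picks the platform.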