From e57e5c4f13b1f6e5cca28ad163d4f7871696cab9 Mon Sep 17 00:00:00 2001 From: Alexander Szczepanski Date: Tue, 3 Dec 2024 09:50:14 +0100 Subject: [PATCH] MacBook.local-2024-12-03-09-50-14 --- configs/common-linux.nix | 286 +++++++++++++++++++++ configs/common.nix | 271 +------------------ configs/develop.nix | 2 +- configs/home.nix | 0 machine/desktop/configuration.nix | 2 +- machine/framework/configuration.nix | 2 +- machine/macbook/configuration.nix | 13 +- machine/mini/configuration.nix | 2 +- machine/nixos-virtualbox/configuration.nix | 2 +- machine/nixos-vm/configuration.nix | 2 +- machine/vps-arm/configuration.nix | 2 +- 11 files changed, 308 insertions(+), 276 deletions(-) create mode 100644 configs/common-linux.nix create mode 100644 configs/home.nix diff --git a/configs/common-linux.nix b/configs/common-linux.nix new file mode 100644 index 0000000..c51254a --- /dev/null +++ b/configs/common-linux.nix 
@@ -0,0 +1,286 @@ +{ + config, + pkgs, + lib, + inputs, + ... +}: { + imports = [ + ../../configs/common.nix + ]; + + boot = { + loader = { + efi.canTouchEfiVariables = true; + grub = { + enable = true; + device = "nodev"; + efiSupport = true; + configurationLimit = 5; + enableCryptodisk = true; + useOSProber = true; + }; + }; + + tmp = { + useTmpfs = lib.mkDefault true; + cleanOnBoot = true; + }; + consoleLogLevel = 0; + kernel.sysctl = {"vm.max_map_count" = 262144;}; + supportedFilesystems = ["ntfs" "btrfs"]; + + initrd = { + postDeviceCommands = pkgs.lib.mkBefore '' + mkdir -p /mnt + + # We first mount the btrfs root to /mnt + # so we can manipulate btrfs subvolumes. + mount -o subvol=/ /dev/mapper/lvm-root /mnt + + # While we're tempted to just delete /root and create + # a new snapshot from /root-blank, /root is already + # populated at this point with a number of subvolumes, + # which makes `btrfs subvolume delete` fail. + # So, we remove them first. + # + # /root contains subvolumes: + # - /root/var/lib/portables + # - /root/var/lib/machines + # + # I suspect these are related to systemd-nspawn, but + # since I don't use it I'm not 100% sure. + # Anyhow, deleting these subvolumes hasn't resulted + # in any issues so far, except for fairly + # benign-looking errors from systemd-tmpfiles. + btrfs subvolume list -o /mnt/root | + cut -f9 -d' ' | + while read subvolume; do + echo "deleting /$subvolume subvolume..." + btrfs subvolume delete "/mnt/$subvolume" + done && + echo "deleting /root subvolume..." && + btrfs subvolume delete /mnt/root + + echo "restoring blank /root subvolume..." + btrfs subvolume snapshot /mnt/root-blank /mnt/root + + # Once we're done rolling back to a blank snapshot, + # we can unmount /mnt and continue on the boot process. 
+ umount /mnt + ''; + }; + }; + + sops = { + defaultSopsFile = lib.mkDefault ../secrets/secrets.yaml; + validateSopsFiles = true; + age = { + sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"]; + keyFile = "/persist/var/lib/sops-nix/key.txt"; + generateKey = true; + }; + + secrets = { + hashedPassword = { + neededForUsers = true; + sopsFile = ../secrets/secrets.yaml; + }; + }; + }; + + environment = { + # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs. + ldso32 = null; + + shells = with pkgs; [bashInteractive zsh]; + + systemPackages = with pkgs; [ + btrfs-progs # utils for btrfs + + nethogs + iotop + nmon + + lm_sensors + + hdparm + ]; + + persistence."/persist" = { + directories = [ + "/var/lib/nixos" + "/var/lib/tailscale" + "/var/lib/tuptime" + "/var/lib/vnstat" + ]; + files = [ + "/etc/machine-id" + "/etc/NIXOS" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + }; + + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { + LANGUAGE = "en_US.UTF-8"; + LC_ALL = "en_US.UTF-8"; + }; + supportedLocales = [ + "en_US.UTF-8/UTF-8" + "de_DE.UTF-8/UTF-8" + "de_DE/ISO-8859-1" + ]; + }; + + networking = { + nameservers = ["127.0.0.1"]; + # If using dhcpcd: + dhcpcd.extraConfig = "nohook resolv.conf"; + # If using NetworkManager: + networkmanager.dns = "none"; + + firewall = { + # Allow PMTU / DHCP + allowPing = true; + + # Keep dmesg/journalctl -k output readable by NOT logging + # each refused connection on the open internet. 
+ logRefusedConnections = false; + }; + + # useNetworkd = true; + }; + + nix = { + nixPath = ["nixpkgs=${inputs.nixpkgs-unstable}"]; + channel.enable = false; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + connect-timeout = 5; + log-lines = 25; + max-free = 3000 * 1024 * 1024; + min-free = 512 * 1024 * 1024; + builders-use-substitutes = true; + }; + + daemonCPUSchedPolicy = "batch"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; + }; + + programs = { + nh = { + enable = true; + clean = { + enable = true; + extraArgs = "--keep-since 14d"; + }; + flake = "/home/alex/nixos-config"; + }; + }; + + services = { + vnstat.enable = true; + tuptime.enable = true; + locate.enable = true; + tailscale.enable = true; + + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + X11Forwarding = false; + KbdInteractiveAuthentication = false; + UseDns = false; + # unbind gnupg sockets if they exists + StreamLocalBindUnlink = true; + + # Use key exchange algorithms recommended by `nixpkgs#ssh-audit` + KexAlgorithms = [ + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group16-sha512" + "diffie-hellman-group18-sha512" + "sntrup761x25519-sha512@openssh.com" + ]; + }; + openFirewall = true; + }; + + dnscrypt-proxy2 = { + enable = true; + settings = { + ipv6_servers = true; + require_dnssec = true; + + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + + # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md + # server_names = [ ... 
]; + }; + }; + + journald = {extraConfig = "SystemMaxUse=500M";}; + }; + + # The notion of "online" is a broken concept + # https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13 + systemd = { + services.NetworkManager-wait-online.enable = false; + network.wait-online.enable = false; + + # FIXME: Maybe upstream? + # Do not take down the network for too long when upgrading, + # This also prevents failures of services that are restarted instead of stopped. + # It will use `systemctl restart` rather than stopping it with `systemctl stop` + # followed by a delayed `systemctl start`. + services.systemd-networkd.stopIfChanged = false; + # Services that are only restarted might be not able to resolve when resolved is stopped before + # services.systemd-resolved.stopIfChanged = false; + + services.nix-gc.serviceConfig = { + CPUSchedulingPolicy = "batch"; + IOSchedulingClass = "idle"; + IOSchedulingPriority = 7; + }; + + services.nix-daemon.serviceConfig.OOMScoreAdjust = 250; + + # default is something like vt220... however we want to get alt least some colors... + # services."serial-getty@".environment.TERM = "xterm-256color"; + }; + + system.activationScripts.update-diff = { + supportsDryActivation = true; + text = '' + if [[ -e /run/current-system ]]; then + echo "--- diff to current-system" + ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig" + echo "---" + fi + ''; + }; + + # Turn off sudo lecture + security = { + sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + }; +} diff --git a/configs/common.nix b/configs/common.nix index dd49bf1..a2c1b8b 100644 --- a/configs/common.nix +++ b/configs/common.nix 
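Review bot: The `imports = [ ../../configs/common.nix ];` at the top of the new configs/common-linux.nix is resolved relative to configs/, so it points at `../configs/common.nix` one level above the repository instead of at the sibling file; the machine configurations use `../../configs/...` only because they live two levels down in machine/<host>/. It should read `imports = [ ./common.nix ];`, otherwise every host switched to common-linux.nix in this commit fails to evaluate (with a flake the path also lies outside the flake source). A second, smaller point: the file is now the shared Linux base, yet `boot.initrd.postDeviceCommands` still hard-codes `/dev/mapper/lvm-root` and the `root`/`root-blank` btrfs subvolume layout, and `sops.age.sshKeyPaths` assumes `/persist`; a one-line comment such as `# assumes LUKS/LVM root at /dev/mapper/lvm-root with btrfs root/root-blank subvolumes and /persist — hosts without this layout must override these` would make that precondition visible to anyone importing the file.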
@@ -11,95 +11,10 @@ }; }; - boot = { - loader = { - efi.canTouchEfiVariables = true; - grub = { - enable = true; - device = "nodev"; - efiSupport = true; - configurationLimit = 5; - enableCryptodisk = true; - useOSProber = true; - }; - }; - - tmp = { - useTmpfs = lib.mkDefault true; - cleanOnBoot = true; - }; - consoleLogLevel = 0; - kernel.sysctl = {"vm.max_map_count" = 262144;}; - supportedFilesystems = ["ntfs" "btrfs"]; - - initrd = { - postDeviceCommands = pkgs.lib.mkBefore '' - mkdir -p /mnt - - # We first mount the btrfs root to /mnt - # so we can manipulate btrfs subvolumes. - mount -o subvol=/ /dev/mapper/lvm-root /mnt - - # While we're tempted to just delete /root and create - # a new snapshot from /root-blank, /root is already - # populated at this point with a number of subvolumes, - # which makes `btrfs subvolume delete` fail. - # So, we remove them first. - # - # /root contains subvolumes: - # - /root/var/lib/portables - # - /root/var/lib/machines - # - # I suspect these are related to systemd-nspawn, but - # since I don't use it I'm not 100% sure. - # Anyhow, deleting these subvolumes hasn't resulted - # in any issues so far, except for fairly - # benign-looking errors from systemd-tmpfiles. - btrfs subvolume list -o /mnt/root | - cut -f9 -d' ' | - while read subvolume; do - echo "deleting /$subvolume subvolume..." - btrfs subvolume delete "/mnt/$subvolume" - done && - echo "deleting /root subvolume..." && - btrfs subvolume delete /mnt/root - - echo "restoring blank /root subvolume..." - btrfs subvolume snapshot /mnt/root-blank /mnt/root - - # Once we're done rolling back to a blank snapshot, - # we can unmount /mnt and continue on the boot process. 
- umount /mnt - ''; - }; - }; - - sops = { - defaultSopsFile = lib.mkDefault ../secrets/secrets.yaml; - validateSopsFiles = true; - age = { - sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"]; - keyFile = "/persist/var/lib/sops-nix/key.txt"; - generateKey = true; - }; - - secrets = { - hashedPassword = { - neededForUsers = true; - sopsFile = ../secrets/secrets.yaml; - }; - }; - }; - environment = { - # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs. - ldso32 = null; - - shells = with pkgs; [bashInteractive zsh]; - systemPackages = with pkgs; [ borgbackup - btrfs-progs # utils for btrfs + # btrfs-progs # utils for btrfs doggo # DNS Resolver du-dust ncdu @@ -117,16 +32,14 @@ btop htop glances - nethogs - iotop nmap - nmon bandwhich lsof - lm_sensors + + gping gnupg - hdparm + # hdparm inxi # hardware list kitty.terminfo @@ -142,7 +55,7 @@ pciutils progress unixtools.xxd - usbutils + # usbutils wget broot 
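Review bot: The tools moved to common-linux.nix are left behind in `environment.systemPackages` as commented-out entries (`# btrfs-progs` and `# hdparm` here, `# usbutils` in the `@@ -142,7 +55,7 @@` hunk), while `nethogs`, `iotop`, `nmon` and `lm_sensors` are deleted outright; the mixture reads as an unfinished edit and the commented lines will drift from the real list in the new file. Either delete the three comments or, if the intent is to document where they went, replace them with a single `# Linux-only tools (btrfs-progs, hdparm, usbutils, ...) are in common-linux.nix` line next to the list. The same applies to `# btrfs-progs` being the only one that still carries its original trailing comment.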
@@ -161,85 +74,9 @@ man-pages man-pages-posix ]; - - persistence."/persist" = { - directories = [ - "/var/lib/nixos" - "/var/lib/tailscale" - "/var/lib/tuptime" - "/var/lib/vnstat" - ]; - files = [ - "/etc/machine-id" - "/etc/NIXOS" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - }; - }; - - i18n = { - defaultLocale = "en_US.UTF-8"; - extraLocaleSettings = { - LANGUAGE = "en_US.UTF-8"; - LC_ALL = "en_US.UTF-8"; - }; - supportedLocales = [ - "en_US.UTF-8/UTF-8" - "de_DE.UTF-8/UTF-8" - "de_DE/ISO-8859-1" - ]; - }; - - networking = { - nameservers = ["127.0.0.1"]; - # If using dhcpcd: - dhcpcd.extraConfig = "nohook resolv.conf"; - # If using NetworkManager: - networkmanager.dns = "none"; - - firewall = { - # Allow PMTU / DHCP - allowPing = true; - - # Keep dmesg/journalctl -k output readable by NOT logging - # each refused connection on the open internet. - logRefusedConnections = false; - }; - - # useNetworkd = true; - }; - - nix = { - nixPath = ["nixpkgs=${inputs.nixpkgs-unstable}"]; - channel.enable = false; - settings = { - auto-optimise-store = true; - experimental-features = ["nix-command" "flakes"]; - connect-timeout = 5; - log-lines = 25; - max-free = 3000 * 1024 * 1024; - min-free = 512 * 1024 * 1024; - builders-use-substitutes = true; - }; - - daemonCPUSchedPolicy = "batch"; - daemonIOSchedClass = "idle"; - daemonIOSchedPriority = 7; }; programs = { - nh = { - enable = true; - clean = { - enable = true; - extraArgs = "--keep-since 14d"; - }; - flake = "/home/alex/nixos-config"; - }; - ssh.knownHosts = { "github.com" = { hostNames = ["github.com"]; 
@@ -272,102 +109,4 @@ }; }; }; - - services = { - vnstat.enable = true; - tuptime.enable = true; - locate.enable = true; - tailscale.enable = true; - - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - X11Forwarding = false; - KbdInteractiveAuthentication = false; - UseDns = false; - # unbind gnupg sockets if they exists - StreamLocalBindUnlink = true; - - # Use key exchange algorithms recommended by `nixpkgs#ssh-audit` - KexAlgorithms = [ - "curve25519-sha256" - "curve25519-sha256@libssh.org" - "diffie-hellman-group16-sha512" - "diffie-hellman-group18-sha512" - "sntrup761x25519-sha512@openssh.com" - ]; - }; - openFirewall = true; - }; - - dnscrypt-proxy2 = { - enable = true; - settings = { - ipv6_servers = true; - require_dnssec = true; - - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - - # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md - # server_names = [ ... ]; - }; - }; - - journald = {extraConfig = "SystemMaxUse=500M";}; - }; - - # The notion of "online" is a broken concept - # https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13 - systemd = { - services.NetworkManager-wait-online.enable = false; - network.wait-online.enable = false; - - # FIXME: Maybe upstream? - # Do not take down the network for too long when upgrading, - # This also prevents failures of services that are restarted instead of stopped. - # It will use `systemctl restart` rather than stopping it with `systemctl stop` - # followed by a delayed `systemctl start`. 
- services.systemd-networkd.stopIfChanged = false; - # Services that are only restarted might be not able to resolve when resolved is stopped before - # services.systemd-resolved.stopIfChanged = false; - - services.nix-gc.serviceConfig = { - CPUSchedulingPolicy = "batch"; - IOSchedulingClass = "idle"; - IOSchedulingPriority = 7; - }; - - services.nix-daemon.serviceConfig.OOMScoreAdjust = 250; - - # default is something like vt220... however we want to get alt least some colors... - # services."serial-getty@".environment.TERM = "xterm-256color"; - }; - - system.activationScripts.update-diff = { - supportsDryActivation = true; - text = '' - if [[ -e /run/current-system ]]; then - echo "--- diff to current-system" - ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig" - echo "---" - fi - ''; - }; - - # Turn off sudo lecture - security = { - sudo.extraConfig = '' - # rollback results in sudo lectures after each reboot - Defaults lecture = never - ''; - }; } diff --git a/configs/develop.nix b/configs/develop.nix index bd7f287..48a8437 100644 --- a/configs/develop.nix +++ b/configs/develop.nix @@ -7,7 +7,7 @@ insomnia meld - #rust + # rust cargo nodejs diff --git a/configs/home.nix b/configs/home.nix new file mode 100644 index 0000000..e69de29 diff --git a/machine/desktop/configuration.nix b/machine/desktop/configuration.nix index f5b3c16..be0c614 100644 --- a/machine/desktop/configuration.nix +++ b/machine/desktop/configuration.nix @@ -10,7 +10,7 @@ in { imports = [ ./hardware-configuration.nix ../../configs/browser.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/docker.nix ../../configs/games.nix ../../configs/develop.nix diff --git a/machine/framework/configuration.nix b/machine/framework/configuration.nix index 0a6f6f3..7b37f71 100644 --- a/machine/framework/configuration.nix +++ b/machine/framework/configuration.nix 
@@ -11,7 +11,7 @@ in { imports = [ ./hardware-configuration.nix ../../configs/browser.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/docker.nix ../../configs/games.nix ../../configs/virtualization.nix diff --git a/machine/macbook/configuration.nix b/machine/macbook/configuration.nix index 8baecd2..93e146c 100644 --- a/machine/macbook/configuration.nix +++ b/machine/macbook/configuration.nix @@ -8,21 +8,28 @@ }: { nixpkgs.hostPlatform = "aarch64-darwin"; + imports = [ + ../../configs/common.nix + ]; + system.defaults = { dock.autohide = true; dock.mru-spaces = false; # finder.AppleShowAllExtensions = true; # finder.FXPreferredViewStyle = "clmv"; - screencapture.location = "~/Pictures/screenshots"; + # screencapture.location = "~/Pictures/screenshots"; screensaver.askForPasswordDelay = 10; }; - services.nix-daemon.enable = true; + services = { + nix-daemon.enable = true; + }; + nix.settings.experimental-features = "nix-command flakes"; nix = { configureBuildUsers = true; - useDaemon = true; + useDaemon = true; }; homebrew.enable = true; diff --git a/machine/mini/configuration.nix b/machine/mini/configuration.nix index 7180e78..fec9a9e 100644 --- a/machine/mini/configuration.nix +++ b/machine/mini/configuration.nix @@ -8,7 +8,7 @@ imports = [ ./hardware-configuration.nix ../../configs/docker.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/user.nix ]; diff --git a/machine/nixos-virtualbox/configuration.nix b/machine/nixos-virtualbox/configuration.nix index bac55db..6b19016 100644 --- a/machine/nixos-virtualbox/configuration.nix +++ b/machine/nixos-virtualbox/configuration.nix @@ -7,7 +7,7 @@ }: { imports = [ ./hardware-configuration.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/docker.nix ../../configs/user.nix ]; diff --git a/machine/nixos-vm/configuration.nix b/machine/nixos-vm/configuration.nix index 5db9c11..6817615 100755 --- a/machine/nixos-vm/configuration.nix 
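Review bot: The added `imports = [ ../../configs/common.nix ];` makes the remaining contents of configs/common.nix part of a nix-darwin evaluation for the first time, and nothing in the commit shows that file being checked for darwin: its `environment.systemPackages` still lists tools such as `inxi`, `pciutils`, `progress` and `man-pages` that may not evaluate for aarch64-darwin, and `programs.ssh.knownHosts` has to exist as a nix-darwin option for the import to succeed — worth confirming by building the macbook configuration before merging. If some entries turn out to be Linux-only, moving them into common-linux.nix alongside the ones this commit already moved keeps the split clean. Also, `nix.settings.experimental-features = "nix-command flakes"` is now the only place this is set for the darwin host since the list form was removed from common.nix; a short `# common.nix no longer sets this; keep in sync with common-linux.nix` comment would help the next reader.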
+++ b/machine/nixos-vm/configuration.nix @@ -16,7 +16,7 @@ imports = [ ./hardware-configuration.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/docker.nix ../../configs/plasma.nix ../../configs/user.nix diff --git a/machine/vps-arm/configuration.nix b/machine/vps-arm/configuration.nix index 176ad50..9aa85f1 100644 --- a/machine/vps-arm/configuration.nix +++ b/machine/vps-arm/configuration.nix @@ -11,7 +11,7 @@ in { imports = [ ./hardware-configuration.nix - ../../configs/common.nix + ../../configs/common-linux.nix ../../configs/docker.nix ../../configs/user.nix