refactor: get rid of config folder

Kat Inskip 2022-07-08 17:53:16 -07:00
parent 2606e1d874
commit cb3ae5f434
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
254 changed files with 79 additions and 101 deletions

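--- /dev/null
+++ b/profiles/base/access.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, meta, ... }:
+{
+security.sudo.wheelNeedsPassword = lib.mkForce false;
+security.polkit.extraConfig = ''
+polkit.addRule(function(action, subject) {
+if (subject.isInGroup("wheel")) {
+return polkit.Result.YES;
+}
+});
+'';
+imports = with meta; [
+users.kat.base
+];
+users.motd = ''
+${config.networking.hostName}.${config.networking.domain}
+'';
+users.users.root = {
+shell = pkgs.zsh;
+hashedPassword =
+"$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
+openssh.authorizedKeys.keys = with pkgs.lib;
+[ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList
+(name: user:
+if elem "wheel" user.extraGroups then
+user.openssh.authorizedKeys.keys
+else
+[ ])
+config.users.users));
+};
+}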
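Review bot: `security.sudo.wheelNeedsPassword = lib.mkForce false` together with the polkit rule that returns `polkit.Result.YES` for every action by a wheel member removes the last interactive barrier between a wheel user's session and root on every host that imports this base profile, and `mkForce` means a shared or exposed host cannot re-enable the prompt without editing this file; `lib.mkDefault false` keeps the convenience while leaving an override point. The root `hashedPassword` is also committed in-tree: a `$6$` crypt hash with an 8-character salt can be attacked offline if the password is weak, and with `users.mutableUsers = false` set in `system.nix` of this same commit it is the persistent root password on all hosts — the `meta.trusted.secrets` import that `secrets.nix` wires up looks like the intended place for it, though I can't see from here what that module provides. Finally, the `concatLists (mapAttrsToList ...)` expression copies every wheel user's SSH keys into root's `authorizedKeys`, so any wheel key also grants direct root login regardless of `permitRootLogin`; if that is intentional, a comment such as `# wheel keys double as root keys: lustrate/deploy connects as root` would save the next reader a double-take.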

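--- /dev/null
+++ b/profiles/base/base16.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+base16 = {
+inherit (config.home-manager.users.kat.base16) schemes alias;
+console = {
+enable = true;
+scheme = config.home-manager.users.kat.base16.alias.default;
+};
+};
+}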


@ -0,0 +1,3 @@
{ config, ... }: {
documentation.nixos.enable = false;
}

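--- /dev/null
+++ b/profiles/base/home.nix
@@ -0,0 +1,22 @@
+{ meta, config, lib, inputs, tf, ... }:
+with lib;
+{
+options.home-manager.users = mkOption {
+type = types.attrsOf (types.submoduleWith {
+modules = singleton meta.modules.home;
+specialArgs = {
+inherit inputs tf meta;
+nixos = config;
+};
+});
+};
+config = {
+home-manager = {
+useUserPackages = true;
+useGlobalPkgs = true;
+};
+};
+}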

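--- /dev/null
+++ b/profiles/base/kitty.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = [ pkgs.buildPackages.buildPackages.kitty.terminfo ];
+}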

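--- /dev/null
+++ b/profiles/base/locale.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+fonts.fonts = [
+pkgs.tamzen
+];
+i18n.defaultLocale = "en_GB.UTF-8";
+time.timeZone = "Europe/London";
+console = {
+packages = [ pkgs.tamzen ];
+keyMap = "uk";
+};
+}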

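--- /dev/null
+++ b/profiles/base/network.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }: with lib;
+{
+networking.nftables.enable = true;
+network = {
+enable = true;
+dns = {
+enable = mkDefault true;
+email = "acme@kittywit.ch";
+zone = "kittywit.ch.";
+};
+};
+}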

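--- /dev/null
+++ b/profiles/base/nix.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, inputs, ... }:
+{
+boot.loader.grub.configurationLimit = 8;
+boot.loader.systemd-boot.configurationLimit = 8;
+nix = {
+nixPath = [
+"nixpkgs=${inputs.nixpkgs}"
+"nur=${inputs.nur}"
+"arc=${inputs.arcexprs}"
+"ci=${inputs.ci}"
+];
+registry = {
+nixpkgs.flake = inputs.nixpkgs;
+nur.flake = inputs.nur;
+arc.flake = inputs.arcexprs;
+ci.flake = inputs.ci;
+};
+settings = {
+experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
+substituters = [ "https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-community.cachix.org" ];
+trusted-public-keys =
+[ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
+auto-optimise-store = true;
+trusted-users = [ "root" "@wheel" ];
+};
+gc = {
+automatic = lib.mkDefault true;
+dates = lib.mkDefault "weekly";
+options = lib.mkDefault "--delete-older-than 7d";
+};
+};
+}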
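Review bot: `trusted-users = [ "root" "@wheel" ]` lets any wheel member add binary caches and import unsigned NARs through the daemon, which the Nix manual itself describes as effectively root; that is consistent with the passwordless sudo in `access.nix`, but it deserves a comment (`# wheel == root here anyway, see access.nix`) so it isn't copied onto a shared host unnoticed. `trusted-public-keys` also carries `ryantrinkle.com-1:…` with no matching `substituters` entry; a trusted key is honoured for whichever cache presents paths signed by it, so either add the cache it belongs to or drop the key. Minor style point: `experimental-features = lib.optional … "nix-command flakes"` only works because the `listOf str` setting is joined with spaces; `lib.optionals (…) [ "nix-command" "flakes" ]` says the same thing without relying on that.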


@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
neofetch
smartmontools
hddtemp
lm_sensors
gnupg
] ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
}

109
profiles/base/profiles.nix Normal file

@ -0,0 +1,109 @@
{ config, lib, meta, ... }:
with lib;
{
options = {
deploy.profile = {
gui = mkEnableOption "Graphical System";
sway = mkEnableOption "Sway WM";
i3 = mkEnableOption "i3 WM";
vfio = mkEnableOption "VFIO";
shared = mkEnableOption "Shared System";
trusted = mkEnableOption "Trusted Submodule";
light = mkEnableOption "Light mode";
cross = {
enable = mkEnableOption "cross/emulated compilation";
aarch64 = mkOption {
type = types.bool;
default = false;
};
armv6l = mkOption {
type = types.bool;
default = false;
};
armv7l = mkOption {
type = types.bool;
default = false;
};
};
hardware = {
acs-override = mkEnableOption "ACS IOMMU Override";
amdgpu = mkEnableOption "AMD GPU";
hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
intel = mkEnableOption "Intel CPU";
laptop = mkEnableOption "Laptop";
wifi = mkEnableOption "WiFi, home network";
ryzen = mkEnableOption "AMD Ryzen CPU";
ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
rm-310 = mkEnableOption "Intel DQ67OW";
raspi = mkEnableOption "Raspberry Pi 1 Model B+";
oracle = {
common = mkEnableOption "OCI";
ubuntu = mkEnableOption "Canonical Ubuntu Base Image";
oracle = mkEnableOption "Oracle Linux Base Image";
};
eeepc-1015pem = mkEnableOption "Asus Eee PC 1015PEM";
v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
x270 = mkEnableOption "Lenovo Thinkpad x270";
};
};
home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith {
modules = [
({ nixos, ... }: {
options.deploy.profile = {
gui = mkEnableOption "Graphical System";
sway = mkEnableOption "Sway WM";
i3 = mkEnableOption "i3 WM";
vfio = mkEnableOption "VFIO";
shared = mkEnableOption "Shared System";
trusted = mkEnableOption "Trusted Submodule" // {
default = meta.trusted ? secrets;
};
light = mkEnableOption "Light mode";
cross = {
enable = mkEnableOption "cross/emulated compilation";
aarch64 = mkOption {
type = types.bool;
default = false;
};
armv6l = mkOption {
type = types.bool;
default = false;
};
armv7l = mkOption {
type = types.bool;
default = false;
};
};
hardware = {
acs-override = mkEnableOption "ACS IOMMU Override";
amdgpu = mkEnableOption "AMD GPU";
hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
intel = mkEnableOption "Intel CPU";
laptop = mkEnableOption "Laptop";
wifi = mkEnableOption "WiFi, home network";
ryzen = mkEnableOption "AMD Ryzen CPU";
ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
rm-310 = mkEnableOption "Intel DQ67OW";
raspi = mkEnableOption "Raspberry Pi 1 Model B+";
oracle = {
common = mkEnableOption "OCI";
ubuntu = mkEnableOption "Canonical Ubuntu Base Image";
oracle = mkEnableOption "Oracle Linux Base Image";
};
eeepc-1015pem = mkEnableOption "Asus Eee PC 1015PEM";
v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
x270 = mkEnableOption "Lenovo Thinkpad x270";
};
};
config = {
deploy.profile = nixos.deploy.profile;
};
})
];
});
};
};
}
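Review bot: The `default = meta.trusted ? secrets` attached to the home-manager copy of `deploy.profile.trusted` appears unreachable: the submodule's `config` block sets `deploy.profile = nixos.deploy.profile`, and a value assigned in `config` outranks an option `default`, so every user inherits the NixOS-side value — and the NixOS-side `trusted = mkEnableOption "Trusted Submodule"` near the top carries no such default and falls back to `false`. If the intent is "trusted whenever secrets are available", the default belongs on the top-level option instead: `trusted = mkEnableOption "Trusted Submodule" // { default = meta.trusted ? secrets; };`. Separately, the two option trees are duplicated line for line; hoisting them into a `let profileOptions = { … }; in` and referencing it from both `options.deploy.profile` and the submodule would remove roughly 45 lines and keep the two from drifting apart.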

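--- /dev/null
+++ b/profiles/base/secrets.nix
@@ -0,0 +1,11 @@
+{ config, meta, inputs, lib, pkgs, ... }:
+{
+imports = lib.optional (meta.trusted ? secrets) meta.trusted.secrets;
+secrets = {
+root = "/var/lib/kat/secrets";
+persistentRoot = "/var/lib/kat/secrets";
+external = true;
+};
+}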

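--- /dev/null
+++ b/profiles/base/shell.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+programs.zsh = {
+enable = true;
+enableCompletion = true;
+};
+}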

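--- /dev/null
+++ b/profiles/base/ssh.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+network.firewall = {
+public = {
+tcp.ports = singleton 62954;
+udp.ranges = [{
+from = 60000;
+to = 61000;
+}];
+};
+private = {
+tcp.ports = singleton 62954;
+udp.ranges = [{
+from = 60000;
+to = 61000;
+}];
+};
+};
+/*
+security.pam.services.sshd.text = mkDefault (mkAfter ''
+session required pam_exec.so ${katnotify}/bin/notify
+'');
+*/
+services.openssh = {
+enable = true;
+ports = lib.mkDefault [ 62954 ];
+passwordAuthentication = false;
+kbdInteractiveAuthentication = false;
+permitRootLogin = lib.mkDefault "prohibit-password";
+kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
+extraConfig = ''
+PubkeyAcceptedAlgorithms +ssh-rsa
+StreamLocalBindUnlink yes
+LogLevel VERBOSE
+'';
+};
+programs.mosh.enable = true;
+}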
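Review bot: `PubkeyAcceptedAlgorithms +ssh-rsa` in `extraConfig` re-enables the SHA-1-based `ssh-rsa` signature scheme that OpenSSH 8.8 disabled by default for public-key authentication; RSA keys keep working without it via `rsa-sha2-256`/`rsa-sha2-512`, so the line should go, or if one legacy client genuinely needs it, be narrowed to a `Match User …` / `Match Address …` block with a comment naming that client. The key-exchange list is pinned to `curve25519-sha256@libssh.org` alone, which is the right algorithm but is only the pre-RFC name; adding the IANA name `curve25519-sha256` costs nothing and avoids surprises with clients that drop the `@libssh.org` alias. The commented-out `pam_exec` hook references `katnotify`, which is not among this file's arguments, so it would not evaluate if uncommented as-is; either delete the block or replace it with a one-line TODO saying where the package is meant to come from. The firewall half is fine for the sshd port, but with `ports = lib.mkDefault` a host that overrides the port will still open 62954 here unless it also overrides `network.firewall`; deriving the firewall entries from `config.services.openssh.ports` would keep the two in step.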

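--- /dev/null
+++ b/profiles/base/system.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }: with lib;
+{
+boot.kernelPackages = mkIf (elem "zfs" config.boot.supportedFilesystems) (mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages);
+hardware.enableRedistributableFirmware = lib.mkDefault true;
+boot.tmpOnTmpfs = true;
+boot.zfs.enableUnstable = mkIf (elem "zfs" config.boot.supportedFilesystems) true;
+boot.kernel.sysctl = {
+"fs.inotify.max_user_watches" = "524288";
+"net.core.rmem_max" = "16777216";
+"net.core.wmem_max" = "16777216";
+"net.ipv4.tcp_rmem" = "4096 87380 16777216";
+"net.ipv4.tcp_wmem" = "4096 65536 16777216";
+};
+services.journald.extraConfig = "SystemMaxUse=512M";
+users.mutableUsers = false;
+boot.tmpOnTmpfsSize = "80%";
+}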


@ -0,0 +1,10 @@
{ pkgs, config, lib, ... }: with lib; {
boot.binfmt = {
emulatedSystems = [ "aarch64-linux" ];
/*
registrations.aarch64-linux = {
interpreter = mkForce "${pkgs.qemu-vfio or pkgs.qemu}/bin/qemu-aarch64";
};
*/
};
}


@ -0,0 +1,6 @@
{ config, ... }: {
nix.settings = {
substituters = [ "https://thefloweringash-armv7.cachix.org/" ];
trusted-public-keys = [ "thefloweringash-armv7.cachix.org-1:v+5yzBD2odFKeXbmC+OPWVqx4WVoIVO6UXgnSAWFtso=" ];
};
}

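--- /dev/null
+++ b/profiles/cross/armv6.nix
@@ -0,0 +1,9 @@
+{ config, ... }: {
+nix.settings = {
+substituters = [ "https://arm.cachix.org/" ];
+trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
+};
+boot.binfmt = {
+emulatedSystems = [ "armv6l-linux" ];
+};
+}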

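--- /dev/null
+++ b/profiles/cross/armv7.nix
@@ -0,0 +1,9 @@
+{ config, ... }: {
+nix.settings = {
+substituters = [ "https://arm.cachix.org/" ];
+trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ];
+};
+boot.binfmt = {
+emulatedSystems = [ "armv7l-linux" ];
+};
+}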


@ -0,0 +1,35 @@
{ lib, tree, ... }: with lib; let
profiles = tree.prev;
appendedProfiles = with profiles; {
aarch64 = {
deploy.profile.cross = {
enable = true;
aarch64 = true;
};
imports = [
aarch64
];
};
armv7l = {
deploy.profile.cross = {
enable = true;
armv7l = true;
};
imports = [
arm-common
armv7
];
};
armv6l = {
deploy.profile.cross = {
enable = true;
armv6l = true;
};
imports = [
arm-common
armv6
];
};
};
in
profiles // appendedProfiles

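--- /dev/null
+++ b/profiles/darwin/home.nix
@@ -0,0 +1,17 @@
+{ meta, config, inputs, tf, lib, ... }: with lib; {
+options.home-manager.users = mkOption {
+type = types.attrsOf (types.submoduleWith {
+modules = singleton meta.modules.home;
+specialArgs = {
+inherit inputs tf meta;
+nixos = config;
+};
+});
+};
+config = {
+home-manager = {
+useGlobalPkgs = true;
+useUserPackages = true;
+};
+};
+}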


@ -0,0 +1,5 @@
{ config, ... }: {
homebrew = {
enable = true;
};
}

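--- /dev/null
+++ b/profiles/darwin/nix.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, inputs, ... }: {
+services.nix-daemon.enable = true;
+nix = {
+registry = {
+nixpkgs.flake = inputs.nixpkgs;
+nur.flake = inputs.nur;
+arc.flake = inputs.arcexprs;
+ci.flake = inputs.ci;
+};
+package = pkgs.nixUnstable;
+extraOptions = ''
+experimental-features = nix-command flakes
+keep-derivations = true
+keep-outputs = true
+'';
+};
+}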


@ -0,0 +1,5 @@
{ config, ... }: {
programs.zsh = {
enable = true;
};
}

39
profiles/gnome/gnome.nix Normal file

@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }: {
services = {
xserver = {
enable = true;
desktopManager.gnome = {
enable = true;
};
displayManager.gdm = {
enable = true;
};
};
mullvad-vpn.enable = true;
};
hardware.pulseaudio.enable = lib.mkForce false;
xdg.portal.enable = lib.mkForce false;
environment.systemPackages = (with pkgs.gnomeExtensions; [
gsconnect
vitals
switcher
espresso
impatience
noannoyance
arcmenu
tweaks-in-system-menu
activities-icons
random-wallpaper
mullvad-indicator
tray-icons-reloaded
noannoyance-2
dash-to-panel
]) ++ (with pkgs; [
mullvad-vpn
ytmdesktop
pkgs.gnome.gnome-shell-extensions
pkgs.gnome.gnome-tweaks
]);
}

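--- /dev/null
+++ b/profiles/gui/adb.nix
@@ -0,0 +1,4 @@
+{ config, ... }: {
+programs.adb.enable = true;
+users.users.kat.extraGroups = [ "adbusers" ];
+}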


@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ ntfs3g exfat ];
}

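--- /dev/null
+++ b/profiles/gui/fonts.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+{
+fonts = {
+enableDefaultFonts = true;
+fontDir.enable = true;
+fontconfig = {
+enable = true;
+allowBitmaps = true;
+defaultFonts = {
+emoji = [
+"Twitter Color Emoji"
+];
+};
+};
+};
+fonts.fonts = with pkgs; [
+cantarell-fonts
+emacs-all-the-icons-fonts
+font-awesome
+cozette
+twitter-color-emoji
+] ++ map (variant: iosevka-bin.override { inherit variant; } ) [ "" "ss10" "aile" ];
+}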

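--- /dev/null
+++ b/profiles/gui/gpg.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+{
+services.pcscd.enable = true;
+services.udev.packages = [ pkgs.yubikey-personalization ];
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+pinentryFlavor = "gtk2";
+};
+}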

46
profiles/gui/mingetty.nix Normal file

@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
let
c1 = "\\e[22;34m";
c2 = "\\e[1;35m";
nixos = [
" ${c1} ::::. ${c2}'::::: ::::' "
" ${c1} '::::: ${c2}':::::. ::::' "
" ${c1} ::::: ${c2}'::::.::::: "
" ${c1} .......:::::..... ${c2}:::::::: "
" ${c1} ::::::::::::::::::. ${c2}:::::: ${c1}::::. "
" ${c1} ::::::::::::::::::::: ${c2}:::::. ${c1}.::::' "
" ${c2} ..... ::::' ${c1}:::::' "
" ${c2} ::::: '::' ${c1}:::::' "
" ${c2} ........::::: ' ${c1}:::::::::::. "
" ${c2}::::::::::::: ${c1}::::::::::::: "
" ${c2} ::::::::::: ${c1}.. ${c1}::::: "
" ${c2} .::::: ${c1}.::: ${c1}::::: "
" ${c2} .::::: ${c1}::::: ${c1}''''' ${c2}..... "
" ${c2} ::::: ${c1}':::::. ${c2}......:::::::::::::' "
" ${c2} ::: ${c1}::::::. ${c2}':::::::::::::::::' "
" ${c1} .:::::::: ${c2}':::::::::: "
" ${c1} .::::''::::. ${c2}'::::. "
" ${c1} .::::' ::::. ${c2}'::::. "
" ${c1} .:::: :::: ${c2}'::::. "
];
in
{
console = {
font = "Tamzen7x14";
earlySetup = true;
getty = {
greetingPrefix =
''\e[H\e[2J'' + # topleft
''\e[9;10]''; # setterm blank/powersave = 10 minutes
greeting =
"\n" +
lib.concatStringsSep "\n" nixos +
"\n\n" +
''\e[1;32m>>> NixOS ${config.system.nixos.label} (Linux \r) - \l\e[0m'';
};
};
services.getty = {
helpLine = lib.mkForce "";
};
}

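--- /dev/null
+++ b/profiles/gui/nfs.nix
@@ -0,0 +1,29 @@
+{ config, lib, meta, ... }:
+{
+boot.supportedFilesystems = [ "nfs" ];
+/*
+fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
+device = "${meta.network.nodes.nixos.yukari.network.addresses.w.domain}:/mnt/zraw/media";
+fsType = "nfs";
+options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
+};
+fileSystems."/mnt/hex-corn" = {
+device = "storah.net.lilwit.ch:/data/cornbox";
+fsType = "nfs";
+options = [ "x-systemd.automount" "noauto" ];
+};
+fileSystems."/mnt/hex-tor" = {
+device = "storah.net.lilwit.ch:/data/torrents";
+fsType = "nfs";
+options = [ "x-systemd.automount" "noauto" ];
+};
+*/
+systemd.services.nfs-mountd = {
+wants = [ "network-online.target" "yggdrassil.service" ];
+};
+}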

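--- /dev/null
+++ b/profiles/gui/profile.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, meta, ... }: {
+imports = with meta; [
+services.dnscrypt-proxy
+];
+environment.systemPackages = with pkgs; [
+lyx
+texlive.combined.scheme-full
+];
+}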

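--- /dev/null
+++ b/profiles/gui/qt.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+qt5 = {
+enable = true;
+style = "adwaita-dark";
+platformTheme = "gnome";
+};
+}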

43
profiles/gui/sound.nix Normal file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
sound = {
enable = true;
extraConfig = ''
defaults.pcm.rate_converter "speexrate_best"
'';
};
environment.systemPackages = with pkgs; [ pulsemixer ];
security.rtkit.enable = true;
services.pipewire = {
enable = true;
config = {
pipewire = {
"context.properties" = {
"log.level" = 2;
"default.clock.min-quantum" =
32; # default; going lower may cause crackles and distorted audio
};
pipewire-pulse = {
"context.modules" = [{
name = "libpipewire-module-protocol-pulse";
args = {
"pulse.min.quantum" = 32; # controls minimum playback quant
"pulse.min.req" = 32; # controls minimum recording quant
"pulse.min.frag" = 32; # controls minimum fragment size
"server.address" =
[ "unix:native" ]; # the default address of the server
};
}];
};
};
};
pulse.enable = true;
alsa.support32Bit = true;
jack.enable = true;
alsa.enable = true;
};
}

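--- /dev/null
+++ b/profiles/gui/sway.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+programs.sway = {
+enable = any (user: user.wayland.windowManager.sway.enable) (attrValues config.home-manager.users);
+extraPackages = with pkgs; mkForce [ xwayland swaylock swayidle swaylock-fancy wmctrl ];
+};
+}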

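--- /dev/null
+++ b/profiles/gui/udev.nix
@@ -0,0 +1,7 @@
+{ config, ... }: {
+services.udev.extraRules = ''
+# SteelSeries Arctis (1) Wireless
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b3", GROUP="users", MODE="0666"
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b6", GROUP="users", MODE="0666"
+'';
+}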
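Review bot: `MODE="0666"` on the two Arctis `hidraw` rules makes the device nodes world-readable and world-writable, so every local account and any sandboxed process can send raw HID reports to the headset and read what it sends back; with that mode the `GROUP="users"` part is doing nothing. `MODE="0660"` with the group, or `TAG+="uaccess"` so logind grants an ACL to the active seat user only, gives the same unprivileged control without opening the node to everyone, e.g. `KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b3", TAG+="uaccess"`.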


@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
}


@ -0,0 +1,3 @@
{ config, lib, ... }: with lib; {
nixpkgs.system = "aarch64-darwin";
}


@ -0,0 +1,5 @@
{ config, lib, ... }: with lib; {
nixpkgs.localSystem = systems.examples.aarch64-multiplatform // {
system = "aarch64-linux";
};
}


@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
{
deploy.profile.hardware.amdgpu = true;
boot.initrd.availableKernelModules = [ "amdgpu" ];
hardware.opengl.extraPackages = with pkgs; [ libvdpau-va-gl vaapiVdpau ];
}


@ -0,0 +1,30 @@
{ config, lib, ... }: with lib; {
options = {
hardware.bamboo.display = mkOption {
type = types.str;
};
home-manager.users = let
userBambooExtend = { config, nixos, ... }: {
config = mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.input = {
"1386:215:Wacom_BambooPT_2FG_Small_Pen" = {
map_to_output = nixos.hardware.bamboo.display;
};
"1386:215:Wacom_BambooPT_2FG_Small_Finger" = {
natural_scroll = "enabled";
middle_emulation = "enabled";
tap = "enabled";
dwt = "enabled";
accel_profile = "flat";
pointer_accel = "0.05";
};
};
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userBambooExtend;
});
};
};
}


@ -0,0 +1,44 @@
{ lib, tree, ... }: with lib; let
profiles = tree.prev;
appendedProfiles = with profiles; {
ms-7b86 = {
imports = [
ms-7b86
ryzen
amdgpu
];
};
rm-310 = {
imports = [
rm-310
intel
];
};
v330-14arr = {
imports = [
v330-14arr
ryzen
amdgpu
laptop
networkmanager
];
};
x270 = {
imports = [
x270
intel
laptop
networkmanager
intel-gpu
];
};
eeepc-1015pem = {
imports = [
eeepc-1015pem
intel
laptop
];
};
};
in
profiles // appendedProfiles


@ -0,0 +1,19 @@
{ config, ... }:
{
deploy.profile.hardware.eeepc-1015pem = true;
boot = {
initrd = {
availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
kernelParams = [
"usbcore.autosuspend=-1"
"acpi_osi=Linux"
"acpi_enforce_resources=lax"
];
};
}


@ -0,0 +1,14 @@
{ config, lib, inputs, ... }:
/*
This hardware profile corresponds with the imperatively provisioned hetzner cloud box.
*/
with lib;
{
deploy.profile.hardware.hcloud-imperative = true;
imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
}


@ -0,0 +1,11 @@
{ config, pkgs, ... }: {
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
];
};
}


@ -0,0 +1,15 @@
{ config, ... }:
/*
This hardware profile corresponds to any machine which has an Intel processor.
*/
{
deploy.profile.hardware.intel = true;
hardware.cpu.intel.updateMicrocode = true;
boot = {
kernelModules = [ "kvm-intel" ];
};
}


@ -0,0 +1,11 @@
{ ... }: {
imports = [
({ config, ... }: {
deploy.profile.hardware.laptop = true;
imports = [
./light.nix
];
})
];
}


@ -0,0 +1,5 @@
{ config, lib, pkgs, ... }:
{
programs.light.enable = true;
}


@ -0,0 +1,14 @@
{ config, lib, ... }:
/*
This hardware profile corresponds to the MSI B450-A PRO MAX system.
*/
with lib;
{
deploy.profile.hardware.ms-7b86 = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.kernelModules = [ "nct6775" ];
}


@ -0,0 +1,59 @@
{ config, lib, pkgs, ... }: with lib; {
options = {
home-manager.users = let
applets = { config, nixos, ... }: {
xsession.preferStatusNotifierItems = true;
services = {
network-manager-applet.enable = true;
blueman-applet.enable = true;
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton applets;
});
};
};
config = {
systemd.services.NetworkManager-wait-online = {
serviceConfig.ExecStart = [ "" "${pkgs.networkmanager}/bin/nm-online -q" ];
};
hardware.bluetooth = {
enable = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
services.blueman.enable = true;
services.pipewire.media-session.config.bluez-monitor = {
properties = { };
rules = [
{
actions = {
update-props = {
"bluez5.a2dp-source-role" = "input";
"bluez5.auto-connect" = [ "hfp_hf" "hsp_hs" "a2dp_sink" "a2dp_source" "hsp_ag" "hfp_ag" ];
};
};
matches = [ { "device.name" = "~bluez_card.*"; } ];
}
{
actions = {
update-props = { "node.pause-on-idle" = false; };
};
matches = [ { "node.name" = "~bluez_input.*"; } { "node.name" = "~bluez_output.*"; } ];
}
];
};
networking = {
networkmanager = {
enable = true;
connectionConfig = {
"ipv6.ip6-privacy" = mkForce 0;
};
};
};
};
}
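Review bot: `connectionConfig."ipv6.ip6-privacy" = mkForce 0` turns off RFC 4941 temporary addresses for every NetworkManager connection, so the host presents the same IPv6 interface identifier on every network it joins; this file is unnamed on the page, but `profiles/hardware/default.nix` in this commit pulls a `networkmanager` profile into the `v330-14arr` and `x270` laptop sets, so if this is that profile the stable identifier travels with a laptop across public Wi-Fi. If a specific reason needs it (inbound reachability, or the `network.addresses` bookkeeping elsewhere in the tree), a comment stating that would help; otherwise `2` (prefer temporary addresses) is the safer default, and `mkForce` is not needed either way. The `NetworkManager-wait-online` override to `nm-online -q` is fine but also undocumented — a `# drop the -s (startup) wait so boot isn't blocked on a link` style note would explain the choice, assuming that is the motivation.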


@ -0,0 +1,287 @@
{ config, tf, meta, kw, pkgs, lib, inputs, ... }: with lib; let
oci-root = meta.deploy.targets.oci-root.tf;
cfg = config.kw.oci;
in
{
options.kw.oci = {
base = mkOption {
description = ''
Canonical Ubuntu provides an EXT4 root filesystem.
Oracle Linux provides an XFS root filesystem.
'';
type = with types; enum [
"Canonical Ubuntu"
"Oracle Linux"
];
default = "Canonical Ubuntu";
};
specs = {
shape = mkOption {
type = with types; nullOr str;
default = null;
};
cores = mkOption {
type = with types; nullOr int;
default = null;
};
ram = mkOption {
type = with types; nullOr int;
default = null;
};
space = mkOption {
type = with types; nullOr int;
default = null;
};
};
network = {
privateV4 = mkOption {
type = with types; nullOr int;
default = null;
};
publicV6 = mkOption {
type = with types; nullOr int;
default = null;
};
};
ad = mkOption {
description = ''
Availability Domain.
Important because, for example: EPYC instances can only be provisioned on AD2 in London.
'';
type = with types; nullOr int;
default = null;
};
};
imports = with import (inputs.tf-nix + "/modules"); [
nixos.oracle
];
config =
let
interface = attrByPath [ cfg.specs.shape ] (throw "Unsupported shape") {
"VM.Standard.A1.Flex" = "enp0s3";
"VM.Standard.E2.1.Micro" = "ens3";
};
in
{
networking.interfaces =
{
${interface} = {
useDHCP = true;
ipv6 = {
addresses = mkIf (config.network.addresses.public.nixos.ipv6.enable) [{
address = config.network.addresses.public.nixos.ipv6.address;
prefixLength = 64;
}];
routes = [{
address = "::";
prefixLength = 0;
}];
};
};
};
network = {
addresses = {
public =
let
addr_ipv6_nix =
let
prefix = head (splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
in
assert hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6;
in
{
enable = true;
nixos.ipv6.address = mkIf tf.state.enable addr_ipv6_nix;
nixos.ipv6.selfaddress = mkIf tf.state.enable addr_ipv6_nix;
tf.ipv6.address = tf.resources."${config.networking.hostName}_ipv6".refAttr "ip_address";
};
};
firewall.public.interfaces = singleton interface;
tf = {
enable = true;
ipv4_attr = "public_ip";
};
};
deploy.tf =
let
compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
inherit (tf.lib.tf) terraformExpr;
in
{
deploy.systems."${config.networking.hostName}" = {
lustrate = {
enable = true;
connection = tf.resources."${config.networking.hostName}".connection.set;
};
connection = {
port = head config.services.openssh.ports;
};
};
providers.oci = {
inputs = {
tenancy_ocid = oci-root.outputs.oci_tenancy.import;
user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
region = oci-root.outputs.oci_region.import;
private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
};
};
resources = mkMerge [{
cloudinit = {
provider = "cloudinit";
type = "config";
dataSource = true;
inputs = {
part = singleton {
content_type = "text/cloud-config";
content = "#cloud-config\n" + builtins.toJSON {
disable_root = false;
};
};
};
};
availability_domain = {
provider = "oci";
type = "identity_availability_domain";
dataSource = true;
inputs = {
inherit compartment_id;
ad_number = cfg.ad;
};
};
generic_image = {
provider = "oci";
type = "core_images";
dataSource = true;
inputs = {
inherit compartment_id;
inherit (tf.resources."${config.networking.hostName}".inputs) shape;
operating_system = cfg.base;
sort_by = "TIMECREATED";
sort_order = "DESC";
};
};
"${config.networking.hostName}_vnic" = {
provider = "oci";
type = "core_vnic_attachments";
dataSource = true;
inputs = {
inherit compartment_id;
instance_id = tf.resources."${config.networking.hostName}".refAttr "id";
};
};
"${config.networking.hostName}_ipv6" = {
provider = "oci";
type = "core_ipv6";
inputs = {
vnic_id = tf.resources."${config.networking.hostName}_vnic".refAttr "vnic_attachments[0].vnic_id";
display_name = config.networking.hostName;
ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
};
};
"${config.networking.hostName}" = {
provider = "oci";
type = "core_instance";
inputs = {
inherit compartment_id;
extended_metadata = { };
metadata = {
ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys;
user_data = tf.resources.cloudinit.refAttr "rendered";
};
shape = cfg.specs.shape;
shape_config = {
ocpus = cfg.specs.cores;
memory_in_gbs = cfg.specs.ram;
};
source_details = {
source_type = "image";
source_id = tf.resources.generic_image.refAttr "images[0].id";
boot_volume_size_in_gbs = cfg.specs.space; # min 50GB, up to 200GB free
};
create_vnic_details = [
{
assign_public_ip = true;
subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
nsg_ids = [
(tf.resources.firewall_group.refAttr "id")
];
}
];
availability_domain = tf.resources.availability_domain.refAttr "name";
};
lifecycle.ignoreChanges = [
"source_details[0].source_id"
"create_vnic_details[0].defined_tags"
"defined_tags"
"metadata"
];
connection = {
type = "ssh";
user = "root";
host = tf.lib.tf.terraformSelf "public_ip";
timeout = "5m";
};
};
firewall_group = {
provider = "oci";
type = "core_network_security_group";
inputs = {
display_name = "${config.networking.hostName} firewall group";
inherit compartment_id;
vcn_id = oci-root.resources.oci_vcn.importAttr "id";
};
};
}
(
let
protoValues = {
TCP = 6;
UDP = 17;
};
inherit (config.networking) firewall;
ipv4 = "0.0.0.0/0";
ipv6 = "::/0";
mapPort = source: protocol: port: {
provider = "oci";
type = "core_network_security_group_security_rule";
inputs = {
network_security_group_id = tf.resources.firewall_group.refAttr "id";
inherit protocol source;
direction = "INGRESS";
${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = {
destination_port_range =
if isAttrs port then {
min = port.from;
max = port.to;
} else {
min = port;
max = port;
};
};
};
};
sourceProtos = cartesianProductOfSets {
source = [ ipv4 ipv6 ];
protocol = [ protoValues.TCP protoValues.UDP ];
};
mapPortswheeee = port: map ({ source, protocol }: mapPort source protocol port) sourceProtos;
rules = mapPortswheeee { from = 1; to = 65535; };
/*mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ];
mapAllForInterface =
let
protos = [ "TCP" "UDP" ];
types = [ "Ports" "PortRanges" ];
in
interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types;
rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces);*/
# TODO: use `count` and index into a fancy json or something?
in
listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules)
)];
};
};
}
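Review bot: The network security group rules come from `rules = mapPortswheeee { from = 1; to = 65535; }`, so every instance built from this profile gets an OCI NSG that admits all TCP and UDP ports from `0.0.0.0/0` and `::/0` on ingress; the commented-out `mapAllForInterface` and the `# TODO` beneath it show the intended derivation from `config.networking.firewall`, but as committed the only packet filter on these hosts is the in-guest nftables configured in `network.nix`/`ssh.nix`. Until that TODO is done, a comment next to `rules` such as `# NSG is deliberately wide open; host nftables is the real firewall (see TODO below)` would make the trade-off visible to anyone reading the Terraform side. `lifecycle.ignoreChanges` also lists `"metadata"`, so a rotated key in `users.users.root.openssh.authorizedKeys.keys` will not reach `ssh_authorized_keys` on an existing instance after first create; that is probably intentional to keep cloud-init from recreating the box, but it deserves a note. The `cloudinit` part's `disable_root = false` is what makes the `user = "root"` connection block work, so it is load-bearing rather than a leftover.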


@ -0,0 +1,28 @@
{ lib, inputs, tree, ... }: with lib; let
profiles = tree.prev;
appendedProfiles = with profiles; {
ubuntu = { config, ... }: {
deploy.profile.hardware.oracle = {
ubuntu = true;
common = true;
};
kw.oci.base = "Canonical Ubuntu";
imports = with import (inputs.tf-nix + "/modules"); [
nixos.ubuntu-linux
common
];
};
oracle = { config, ... }: {
deploy.profile.hardware.oracle = {
oracle = true;
common = true;
};
kw.oci.base = "Oracle Linux";
imports = with import (inputs.tf-nix + "/modules"); [
nixos.oracle-linux
common
];
};
};
in
profiles // appendedProfiles


@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }: with lib; {
deploy.profile.hardware.raspi = true;
nixpkgs.crossOverlays = [
(import ../../../overlays/pi)
];
boot = {
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
consoleLogLevel = lib.mkDefault 7;
kernelModules = mkForce [ "loop" "atkbd" ];
initrd = {
includeDefaultModules = false;
availableKernelModules = mkForce [
"mmc_block"
"usbhid"
"ext4"
"hid_generic"
"hid_lenovo"
"hid_apple"
"hid_roccat"
"hid_logitech_hidpp"
"hid_logitech_dj"
"hid_microsoft"
];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio", MODE="0660"
SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", PROGRAM="${pkgs.runtimeShell} -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add", PROGRAM="${pkgs.runtimeShell} -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
T
'';
users.groups.gpio = { };
environment.noXlibs = true;
documentation.info.enable = false;
documentation.man.enable = false;
programs.command-not-found.enable = false;
security.polkit.enable = false;
security.audit.enable = false;
services.udisks2.enable = false;
boot.enableContainers = false;
home-manager.users.kat.manual = {
json.enable = false;
manpages.enable = false;
};
services.logrotate.enable = false;
nixpkgs.crossSystem = systems.examples.raspberryPi // {
system = "armv6l-linux";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
}
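Review bot: The `services.udev.extraRules` string contains a stray line holding only `T`, between the second `SUBSYSTEM=="gpio"` rule and the closing `''`; udev will report it as an invalid rule line when it parses the generated file, and at best silently drops that line, so it should be deleted. `security.audit.enable = false` and `security.polkit.enable = false` read as closure-size trimming for the Pi alongside `noXlibs` and the disabled docs, but a one-line comment (`# size trimming for the Pi: no audit, polkit, udisks or containers`) would stop them being mistaken for a hardening regression. The `PROGRAM=` rules hand `%p` to `runtimeShell -c` unquoted; sysfs paths carry no whitespace so it is safe today, but quoting `/sys%p/…` costs nothing.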


@ -0,0 +1,20 @@
{ config, lib, ... }: with lib; {
options = {
home-manager.users = let
userRazerExtend = { config, nixos, ... }: {
config = mkIf (config.wayland.windowManager.sway.enable && nixos.hardware.openrazer.enable) {
wayland.windowManager.sway.config.input = {
"5426:103:Razer_Razer_Naga_Trinity" = {
accel_profile = "adaptive";
pointer_accel = "-0.5";
};
};
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userRazerExtend;
});
};
};
}


@ -0,0 +1,14 @@
{ config, ... }:
/*
This hardware profile corresponds with the RM DESKTOP 310 system, which is actually just an Intel DQ67OW motherboard.
*/
{
deploy.profile.hardware.rm-310 = true;
boot.initrd.availableKernelModules = [ "ata_generic" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
}


@ -0,0 +1,56 @@
{ config, pkgs, lib, ... }: with lib; {
/*
This hardware profile corresponds to any machine which has an AMD Ryzen processor.
*/
options.home-manager.users = let
waybarExtend = { config, ... }: {
options = {
programs.waybar.settings = mkOption {
type = with types; listOf (submodule waybarExtend2);
};
};
};
waybarExtend2 = { config, ... }: {
config = {
modules."temperature#icon".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input";
modules.temperature.hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input";
};
};
polybarExtend = { config, ... }: {
services.polybar.settings."module/temp".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp1_input";
};
/*
polybarExtend2 = { config, ... }: {
config = {
modules."temperature#icon".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input";
modules.temperature.hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input";
};
};*/
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = [ waybarExtend polybarExtend ];
});
};
config = {
deploy.profile.hardware.ryzen = true;
boot = {
kernelModules = [
"msr"
"ryzen_smu"
"kvm-amd"
];
kernelParams = [ "amd_iommu=on" ];
};
hardware.cpu.amd.updateMicrocode = true;
environment.systemPackages = with pkgs; [
lm_sensors
ryzen-smu-monitor_cpu
ryzen-monitor
];
};
}
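Review bot: The hwmon paths in waybarExtend2 and polybarExtend (`/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/...`) hard-code the `hwmon2` index, which the kernel hands out in probe order and which can shift between boots or kernel updates, so the temperature modules may silently read a different sensor; the x270 profile's waybarExtend2 carries the same AMD-looking path, which looks like a copy-paste. Resolving the device through its `name` attribute under `/sys/class/hwmon/` would make the profile match its header comment that it applies to any Ryzen machine. The commented-out `polybarExtend2` block is a duplicate of waybarExtend2 and could be dropped rather than carried as dead code.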


@ -0,0 +1,33 @@
{ config, lib, ... }: with lib;
/*
This hardware profile corresponds to the Lenovo IdeaPad v330-14ARR.
*/
{
options.home-manager.users = let
userTouchpadExtend = { config, nixos, ... }: {
wayland.windowManager.sway.config.input."1739:33362:Synaptics_TM3336-002" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
click_method = "clickfinger";
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userTouchpadExtend;
});
};
config = {
deploy.profile.hardware.v330-14arr = true;
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
};
}


@ -0,0 +1,32 @@
{ config, tf, lib, ... }: with lib;
{
kw.secrets.variables = mapListToAttrs
(field:
nameValuePair "wireless-${field}" {
path = "secrets/wifi";
inherit field;
}) [ "ssid" "psk" ];
deploy.tf.resources = {
wireless-credentials = {
provider = "null";
type = "data_source";
dataSource = true;
inputs.inputs = {
ssid = tf.variables.wireless-ssid.ref;
psk = tf.variables.wireless-psk.ref;
};
};
};
deploy.profile.hardware.wifi = true;
networking.wireless = {
enable = true;
networks = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
${builtins.unsafeDiscardStringContext (tf.resources.wireless-credentials.getAttr "outputs.ssid")} = {
pskRaw = tf.resources.wireless-credentials.getAttr "outputs.psk";
};
};
};
}
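Review bot: The wireless PSK is passed straight into `networking.wireless.networks`, which NixOS renders into a wpa_supplicant configuration inside the world-readable Nix store, so the Terraform-managed secret ends up as plaintext readable by every local user and in any binary cache the closure is pushed to. Supplying the PSK through a root-only file set in `networking.wireless.environmentFile` and referencing it here as `pskRaw = "@PSK@";` keeps it out of the store; `builtins.unsafeDiscardStringContext` on the SSID only strips the derivation dependency and does not change where the value is written. The `builtins.getEnv "TF_IN_AUTOMATION"` test also makes evaluation depend on the caller's environment, which deserves a comment such as `# networks is only populated when Terraform state is available; evaluation is impure via TF_IN_AUTOMATION`.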


@ -0,0 +1,45 @@
{ config, lib, ... }: with lib;
/*
This hardware profile corresponds to the Lenovo Thinkpad x270.
*/
{
options.home-manager.users = let
userTouchpadExtend = { config, nixos, ... }: {
wayland.windowManager.sway.config.input."2:7:SynPS/2_Synaptics_TouchPad" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
click_method = "clickfinger";
};
};
waybarExtend = { config, ... }: {
options = {
programs.waybar.settings = mkOption {
type = with types; either (listOf (submodule waybarExtend2)) (attrsOf (submodule waybarExtend2));
};
};
};
waybarExtend2 = { config, ... }: {
config = {
modules.temperature.hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input";
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = [ userTouchpadExtend waybarExtend ];
});
};
config = {
deploy.profile.hardware.x270 = true;
boot = {
initrd.availableKernelModules =
[ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sr_mod" "rtsx_usb_sdmmc" ];
kernelModules = [ "kvm-intel" ];
};
};
}

19
profiles/light.nix Normal file

@ -0,0 +1,19 @@
{ config, lib, ... }: with lib; {
options.home-manager.users = let
lightModeExtend = { config, nixos, ... }: {
gtk.iconTheme.name = mkForce "Papirus-Light";
base16 = {
alias.default = "atelier.atelier-cave-light";
defaultSchemeName = "atelier.atelier-cave-light";
};
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton lightModeExtend;
});
};
config = {
deploy.profile.light = true;
};
}

78
profiles/network.nix Normal file

@ -0,0 +1,78 @@
{ config, lib, tf, pkgs, meta, ... }: with lib;
{
options.network = with lib; {
routeDefault = mkOption {
default = true;
type = types.bool;
};
};
config = {
network.yggdrasil.extern = let
in {
pubkeys = {
satorin =
"cbadeaa973b051cf66e23dcb014ab5be59e55a1c98ef541345520868e3bcf9f7";
shanghai =
"5aba9ba2ac7a54ffef19dea9e39881bd977f76032db81a2c82c4674ed475c95b";
grimoire =
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
okami =
"f8fd12c6ed924048e93a7bd7dd63c2464813c9edddfef7415c4574518ecd4757";
amaterasu =
"ab9a4a78df124a8413c3a6576332d7739a44c036e14b7b0b4ea4558373ddda97";
duck-powerduck =
"9475274dcd43f0f3f397d56168efd436b0db58e58f4c068f75ab93ba3f51e405";
duck-nagoya =
"0000001a24b38f4341e356e7efc98dd31e259669242e0a82ba86971317b94954";
};
};
kw.secrets.variables.tailscale-authkey = {
path = "secrets/tailscale";
field = "password";
};
deploy.tf.variables.tailscale-authkey.export = true;
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
# allow the Tailscale UDP port through the firewall
allowedTCPPorts = [ 5200 ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey ${tf.variables.tailscale-authkey.get}
'';
};
};
}
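Review bot: The Tailscale auth key is interpolated into the `tailscale-autoconnect` script via `${tf.variables.tailscale-authkey.get}`, so it is stored in plaintext in the world-readable Nix store and is also visible in the process command line while `tailscale up` runs. Supplying it at runtime instead — a root-only file exposed to the unit through `serviceConfig.LoadCredential` or `EnvironmentFile` and read by the script — keeps the key out of the store and out of any binary cache; if the key is reusable, that also limits who can enrol new nodes. Two smaller points in the same script: `$status` is unquoted in `[ $status = "Running" ]`, so an empty jq result makes the test fail with a syntax error rather than falling through, and the comment `# allow the Tailscale UDP port through the firewall` sits above `allowedTCPPorts = [ 5200 ]`, which is otherwise undocumented — a comment naming what 5200/TCP is for would help.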

6
profiles/shared.nix Normal file

@ -0,0 +1,6 @@
{ config, meta, ... }: {
imports = with meta; [
users.hexchen
users.arc
];
}

200
profiles/vfio/profile.nix Normal file

@ -0,0 +1,200 @@
{ config, pkgs, lib, ... }: with lib; let
win10-toggler = pkgs.writeShellScriptBin "win10-toggle" ''
REQUEST="$0"
if [[ "REQUEST" = "on" ]]; then
sudo win10-vm-pinning $(cat $XDG_RUNTIME_DIR/win10-vm.pid)
systemctl --user stop konawall-rotation.timer
else
sudo win10-vm-pinning
systemctl --user start konawall-rotation.timer
fi
'';
win10-start-pane = pkgs.writeShellScriptBin "win10-start-pane" ''
sudo disk-mapper-part /dev/disk/by-id/ata-ST2000DM008-2FR102_WK301C3H-part2
sudo chown kat:users /dev/mapper/ata-ST2000DM008-2FR102_WK301C3H-part2
echo 3 | sudo tee /proc/sys/vm/drop_caches > /dev/null || true; echo 1 | sudo tee /proc/sys/vm/compact_memory > /dev/null || true
win10-vm -pidfile $XDG_RUNTIME_DIR/win10-vm.pid
'';
win10-start = pkgs.writeShellScriptBin "win10-start" ''
tmux new-session -ds vm "${win10-start-pane}/bin/win10-start-pane" \; split-window -h 'sleep 10; screenstub x'
'';
in {
options.home-manager.users = let
userVFIOExtend = { config, ... }: {
config = mkMerge [
(mkIf config.wayland.windowManager.sway.enable {
wayland.windowManager.sway.config.input = mapListToAttrs (t:
nameValuePair "5824:1503:screenstub-${t}" ({ events = "disabled"; })
) [ "tablet" "mouse" "kbd" ];
})
{
programs.screenstub = {
enable = true;
settings = {
exit_events = [ "show_host" ];
hotkeys = [
{
events = [
{ toggle_grab = { x = { mouse = false; }; }; }
{
toggle_grab = {
evdev = {
devices = [
"/dev/input/by-id/usb-Razer_Razer_Naga_Trinity_00000000001A-event-mouse"
];
evdev_ignore = [ "button" ];
exclusive = false;
xcore_ignore = [ "absolute" ];
};
};
}
"unstick_host"
];
modifiers = [ "LeftMeta" ];
triggers = [ "Esc" ];
}
{
events = [ "toggle_show" ];
modifiers = [ "LeftMeta" ];
on_release = false;
triggers = [ "T" ];
}
];
key_remap = {
LeftMeta = "Reserved";
RightAlt = "LeftMeta";
};
qemu = {
absolute_driver = { virtio = { bus = "pci.21"; }; };
ga_socket = "/tmp/vfio-qga";
keyboard_driver = { virtio = { bus = "pci.23"; }; };
qmp_socket = "/tmp/vfio-qmp";
relative_driver = { virtio = { bus = "pci.22"; }; };
routing = "virtio-host";
};
screens = [{
ddc = {
guest = [ "ddc" ];
host = [ "ddc" ];
};
guest_source = { name = "HDMI-1"; };
host_source = { name = "HDMI-2"; };
monitor = {
manufacturer = "BNQ";
model = "BenQ GW2270";
};
}];
};
};
}
];
};
in mkOption {
type = types.attrsOf (types.submoduleWith {
modules = singleton userVFIOExtend;
});
};
config = {
deploy.profile.vfio = true;
environment.systemPackages = with pkgs; [
win10-toggler
vfio-vm
vfio-vm-pinning
vfio-disk-mapper
win10-start
ddcutil
];
systemd.mounts = let
hugepages = { where, options }: {
before = ["sysinit.target"];
unitConfig = {
DefaultDependencies = "no";
ConditionPathExists = "/sys/kernel/mm/hugepages";
ConditionCapability = "CAP_SYS_ADMIN";
ConditionVirtualization = "!private-users";
};
what = "hugetlbfs";
inherit where options;
type = "hugetlbfs";
mountConfig = {
Group = "vfio";
};
wantedBy = ["sysinit.target"];
};
in [
(hugepages { where = "/dev/hugepages"; options = "mode=0775"; })
(hugepages { where = "/dev/hugepages1G"; options = "pagesize=1GB,mode=0775"; })
];
/* fileSystems."/sys/fs/cgroup/cpuset" = {
device = "cpuset";
fsType = "cgroup";
noCheck = true;
}; */
systemd.services.preallocate-huggies = {
wantedBy = singleton "multi-user.target";
serviceConfig = {
Type = "oneshot";
};
script = ''
echo 12 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
'';
};
users.groups = { uinput = { }; vfio = { }; };
boot = lib.mkMerge [{
initrd.kernelModules = mkBefore [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
kernelParams = [
];
kernelModules = [ "i2c-dev" ]; # i2c-dev is required for DDC/CI for screenstub
kernelPatches = with pkgs.kernelPatches; [
(mkIf config.deploy.profile.hardware.acs-override acs-override)
];
}
(mkIf (config.deploy.profile.hardware.amdgpu) {
kernelParams = [
"video=efifb:off"
];
extraModulePackages = [
(pkgs.linuxPackagesFor config.boot.kernelPackages.kernel).vendor-reset
];
})
(mkIf (config.deploy.profile.hardware.acs-override) {
kernelParams = [
"pci=noats"
"pcie_acs_override=downstream,multifunction"
];
})];
environment.etc."qemu/bridge.conf".text = "allow br";
security.wrappers = {
qemu-bridge-helper = {
source = "${pkgs.qemu-vfio}/libexec/qemu-bridge-helper";
capabilities = "cap_net_admin+ep";
owner = "root";
group = "root";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", GROUP="vfio", MODE="0660"
SUBSYSTEM=="misc", KERNEL=="uinput", OPTIONS+="static_node=uinput", MODE="0660", GROUP="uinput"
SUBSYSTEM=="vfio", OWNER="root", GROUP="vfio"
'';
security.pam.loginLimits = [{
domain = "@vfio";
type = "-";
item = "memlock";
value = "unlimited";
}];
systemd.extraConfig = "DefaultLimitMEMLOCK=infinity";
};
}
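Review bot: `win10-toggler` can never take its `on` branch: `REQUEST="$0"` captures the script path rather than the first argument, and `[[ "REQUEST" = "on" ]]` compares the literal string `REQUEST`, so every invocation runs the `else` branch; the fix is `REQUEST="$1"` and `if [[ "$REQUEST" = "on" ]]; then`. Separately, `security.wrappers.qemu-bridge-helper` grants `cap_net_admin+ep` to a helper that is executable by every local user under the default wrapper permissions, and `qemu/bridge.conf` lets any caller attach a tap to `br`; restricting the wrapper to the group that runs the VM, e.g. `group = "vfio"; permissions = "u+rx,g+x";`, confines bridge attachment to those users. The `sudo chown kat:users /dev/mapper/...` line in `win10-start-pane` and the fixed `echo 12 > .../nr_hugepages` are host-specific values that would be clearer as module options than baked into a shared profile.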


@ -0,0 +1,26 @@
From 5cac0c3c4383010f0579028de8decd6ede4bd460 Mon Sep 17 00:00:00 2001
From: Stefan Springer <stefanspr94@gmail.com>
Date: Sun, 3 Oct 2021 23:26:40 +0200
Subject: [PATCH] clocksource: set WATCHDOG_MAX_SKEW to 60
in order to find a more relaxed middleground between the old default (100) and the new one(50)
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index b8a14d2fb..f8f848d13 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -107,7 +107,7 @@ static u64 suspend_start;
* This delay could be due to SMIs, NMIs, or to VCPU preemptions. Used as
* a lower bound for cs->uncertainty_margin values when registering clocks.
*/
-#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
+#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)
#ifdef CONFIG_CLOCKSOURCE_WATCHDOG
static void clocksource_watchdog_work(struct work_struct *work);
--
2.32.0
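Review bot: The patch's Subject says WATCHDOG_MAX_SKEW is set to 60 and the description calls it a middle ground between 100 and 50, but the hunk actually defines `(80 * NSEC_PER_USEC)`, so the stored patch no longer matches its own description. Either the Subject line or the value should be corrected so that whoever audits the kernel patches applied here can trust the header.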

7
profiles/x11/layout.xkb Normal file

@ -0,0 +1,7 @@
default partial alphanumeric_keys
xkb_symbols "basic" {
include "us(altgr-intl)"
name[Group1] = "English (US, international with pound sign)";
key <AD03> { [ e, E, EuroSign, cent ] };
key <AE03> { [ 3, numbersign, sterling] };
};

21
profiles/x11/profile.nix Normal file

@ -0,0 +1,21 @@
{ config, pkgs, ... }: {
services.xserver = {
enable = true;
autorun = false;
exportConfiguration = true;
displayManager = let
compiledLayout = pkgs.runCommand "keyboard-layout" {} ''
${pkgs.xorg.xkbcomp}/bin/xkbcomp ${./layout.xkb} $out
'';
in {
sessionCommands = "${pkgs.xorg.xkbcomp}/bin/xkbcomp ${compiledLayout} $DISPLAY";
startx.enable = true;
};
};
environment.systemPackages = with pkgs; [
xorg.xinit
xsel
scrot
];
}