2023-05-17 07:16:03 +07:00
|
|
|
{ lib
|
|
|
|
, pkgs
|
|
|
|
, config
|
|
|
|
, ... }:
|
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
let
|
2023-02-11 23:30:19 +07:00
|
|
|
efiPart = "/dev/disk/by-uuid/D77D-8CE0";
|
|
|
|
|
|
|
|
encPart = "/dev/disk/by-uuid/ce6ccdf0-7b6a-43ae-bfdf-10009a55041a";
|
2023-01-26 03:41:45 +07:00
|
|
|
cryptrootUuid = "f4edc0df-b50b-42f6-94ed-1c8f88d6cdbb";
|
|
|
|
cryptroot = "/dev/disk/by-uuid/${cryptrootUuid}";
|
2023-02-11 23:30:19 +07:00
|
|
|
|
|
|
|
dataPart = "/dev/disk/by-uuid/f1447692-fa7c-4bd6-9cb5-e44c13fddfe3";
|
|
|
|
datarootUuid = "fa754b1e-ac83-4851-bf16-88efcd40b657";
|
|
|
|
dataroot = "/dev/disk/by-uuid/${datarootUuid}";
|
2023-05-10 16:42:56 +07:00
|
|
|
/*
|
|
|
|
# for old kernel versions
|
|
|
|
zenKernels = pkgs.callPackage "${nixpkgs}/pkgs/os-specific/linux/kernel/zen-kernels.nix";
|
|
|
|
zenKernel = (version: sha256: (zenKernels {
|
|
|
|
kernelPatches = [
|
|
|
|
pkgs.linuxKernel.kernelPatches.bridge_stp_helper
|
|
|
|
pkgs.linuxKernel.kernelPatches.request_key_helper
|
|
|
|
];
|
|
|
|
argsOverride = {
|
|
|
|
src = pkgs.fetchFromGitHub {
|
|
|
|
owner = "zen-kernel";
|
|
|
|
repo = "zen-kernel";
|
|
|
|
rev = "v${version}-zen1";
|
|
|
|
inherit sha256;
|
|
|
|
};
|
|
|
|
inherit version;
|
|
|
|
modDirVersion = lib.versions.pad 3 "${version}-zen1";
|
|
|
|
};
|
|
|
|
}).zen);
|
|
|
|
zenKernelPackages = version: sha256: pkgs.linuxPackagesFor (zenKernel version sha256);
|
|
|
|
*/
|
2023-01-24 02:24:40 +07:00
|
|
|
in {
|
|
|
|
system.stateVersion = "22.11";
|
|
|
|
|
|
|
|
### SECTION 1: HARDWARE/BOOT PARAMETERS ###
|
2023-04-11 00:58:02 +07:00
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
boot = {
|
|
|
|
initrd = {
|
|
|
|
# insert crypto_keyfile into initrd so that grub can tell the kernel the
|
|
|
|
# encryption key once I unlock the /boot partition
|
|
|
|
secrets."/crypto_keyfile.bin" = "/boot/initrd/crypto_keyfile.bin";
|
|
|
|
luks.devices."cryptroot" = {
|
|
|
|
device = encPart;
|
|
|
|
# idk whether this is needed but it works
|
|
|
|
preLVM = true;
|
|
|
|
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
|
|
|
allowDiscards = true;
|
|
|
|
# improve SSD performance
|
|
|
|
bypassWorkqueues = true;
|
|
|
|
keyFile = "/crypto_keyfile.bin";
|
|
|
|
};
|
2023-02-11 23:30:19 +07:00
|
|
|
luks.devices."dataroot" = {
|
|
|
|
device = dataPart;
|
|
|
|
preLVM = true;
|
|
|
|
allowDiscards = true;
|
|
|
|
bypassWorkqueues = true;
|
|
|
|
keyFile = "/crypto_keyfile.bin";
|
|
|
|
};
|
2023-01-24 02:24:40 +07:00
|
|
|
};
|
|
|
|
resumeDevice = cryptroot;
|
|
|
|
kernelParams = [
|
|
|
|
"resume=/@swap/swapfile"
|
2023-01-24 15:42:51 +07:00
|
|
|
# resume_offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
2023-01-24 02:24:40 +07:00
|
|
|
"resume_offset=533760"
|
|
|
|
];
|
|
|
|
loader = {
|
|
|
|
grub = {
|
|
|
|
enable = true;
|
|
|
|
enableCryptodisk = true;
|
|
|
|
efiSupport = true;
|
2023-01-24 15:42:51 +07:00
|
|
|
# nodev = disable bios support
|
2023-01-24 02:24:40 +07:00
|
|
|
device = "nodev";
|
|
|
|
};
|
|
|
|
efi.canTouchEfiVariables = true;
|
|
|
|
efi.efiSysMountPoint = "/boot/efi";
|
|
|
|
};
|
2023-01-24 15:42:51 +07:00
|
|
|
kernel.sysctl = {
|
|
|
|
"vm.dirty_ratio" = 4;
|
|
|
|
"vm.dirty_background_ratio" = 2;
|
|
|
|
"vm.swappiness" = 40;
|
|
|
|
};
|
2023-05-30 10:02:36 +07:00
|
|
|
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
2023-05-10 16:42:56 +07:00
|
|
|
/*kernelPackages = zenKernelPackages "6.1.9" "0fsmcjsawxr32fxhpp6sgwfwwj8kqymy0rc6vh4qli42fqmwdjgv";*/
|
2023-01-24 02:24:40 +07:00
|
|
|
};
|
2023-04-11 00:58:02 +07:00
|
|
|
|
|
|
|
# for testing different zen kernel versions:
|
2023-05-10 16:42:56 +07:00
|
|
|
# specialisation = {
|
|
|
|
# zen619.configuration.boot.kernelPackages = zenKernelPackages "6.1.9" "0fsmcjsawxr32fxhpp6sgwfwwj8kqymy0rc6vh4qli42fqmwdjgv";
|
2023-02-13 21:56:34 +07:00
|
|
|
# };
|
2023-04-11 00:58:02 +07:00
|
|
|
|
2023-05-25 11:34:27 +07:00
|
|
|
nixpkgs.config.allowUnfreePredicate = pkg: (lib.getName pkg) == "steam-original";
|
2023-01-24 02:24:40 +07:00
|
|
|
hardware = {
|
|
|
|
steam-hardware.enable = true;
|
2023-02-03 13:07:57 +07:00
|
|
|
opengl.driSupport32Bit = true;
|
2023-04-11 00:58:02 +07:00
|
|
|
# needed for sway WLR_RENDERER=vulkan
|
2023-02-21 16:36:44 +07:00
|
|
|
opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
|
2023-02-03 13:07:57 +07:00
|
|
|
};
|
|
|
|
|
2023-05-13 20:32:35 +07:00
|
|
|
# services.openssh.enable = true;
|
2023-05-11 05:33:08 +07:00
|
|
|
|
2023-05-10 16:42:56 +07:00
|
|
|
services.tlp.enable = true;
|
2023-05-13 20:32:35 +07:00
|
|
|
# fix for my realtek usb ethernet adapter
|
|
|
|
services.tlp.settings.USB_DENYLIST = "0bda:8156";
|
2023-01-24 02:24:40 +07:00
|
|
|
|
2023-04-12 16:04:07 +07:00
|
|
|
# see modules/vfio.nix
|
2023-01-24 02:24:40 +07:00
|
|
|
vfio.enable = true;
|
2023-05-17 07:16:03 +07:00
|
|
|
vfio.libvirtdGroup = [ config.common.mainUsername ];
|
2023-04-12 16:04:07 +07:00
|
|
|
|
|
|
|
# because libvirtd's nat is broken for some reason...
|
|
|
|
networking.nat = {
|
|
|
|
enable = true;
|
|
|
|
internalInterfaces = [ "virbr0" ];
|
|
|
|
externalInterface = "enp7s0f4u1c2";
|
|
|
|
};
|
2023-01-24 02:24:40 +07:00
|
|
|
|
|
|
|
fileSystems = let
|
|
|
|
device = cryptroot;
|
|
|
|
fsType = "btrfs";
|
|
|
|
# max compression! my cpu is pretty good anyway
|
|
|
|
compress = "compress=zstd:15";
|
2023-01-24 15:42:51 +07:00
|
|
|
discard = "discard=async";
|
2023-02-03 13:07:57 +07:00
|
|
|
neededForBoot = true;
|
2023-01-24 02:24:40 +07:00
|
|
|
in {
|
2023-02-03 13:07:57 +07:00
|
|
|
# mount root on tmpfs
|
|
|
|
"/" = { device = "none"; fsType = "tmpfs"; inherit neededForBoot;
|
|
|
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
|
|
|
"/persist" =
|
|
|
|
{ inherit device fsType neededForBoot;
|
2023-01-24 15:42:51 +07:00
|
|
|
options = [ discard compress "subvol=@" ]; };
|
2023-02-03 13:07:57 +07:00
|
|
|
"/nix" = { inherit device fsType neededForBoot;
|
2023-01-24 15:42:51 +07:00
|
|
|
options = [ discard compress "subvol=@nix" "noatime" ]; };
|
2023-02-03 13:07:57 +07:00
|
|
|
"/swap" = { inherit device fsType neededForBoot;
|
2023-01-24 15:42:51 +07:00
|
|
|
options = [ discard "subvol=@swap" "noatime" ]; };
|
2023-01-24 02:24:40 +07:00
|
|
|
"/home" = { inherit device fsType;
|
2023-01-24 15:42:51 +07:00
|
|
|
options = [ discard compress "subvol=@home" ]; };
|
2023-04-11 00:58:02 +07:00
|
|
|
# why am I even bothering with creating this subvolume every time if I don't use snapshots anyway?
|
2023-01-24 02:24:40 +07:00
|
|
|
"/.snapshots" =
|
|
|
|
{ inherit device fsType;
|
2023-01-24 15:42:51 +07:00
|
|
|
options = [ discard compress "subvol=@snapshots" ]; };
|
2023-02-03 13:07:57 +07:00
|
|
|
"/boot" = { inherit device fsType neededForBoot;
|
|
|
|
options = [ discard compress "subvol=@boot" ]; };
|
2023-01-24 02:24:40 +07:00
|
|
|
"/boot/efi" =
|
2023-02-03 13:07:57 +07:00
|
|
|
{ device = efiPart; fsType = "vfat"; inherit neededForBoot; };
|
2023-02-11 23:30:19 +07:00
|
|
|
"/data" =
|
|
|
|
{ device = dataroot; fsType = "btrfs";
|
|
|
|
options = [ discard compress ]; };
|
2023-02-03 13:07:57 +07:00
|
|
|
};
|
|
|
|
|
2023-04-16 23:59:24 +07:00
|
|
|
impermanence = {
|
|
|
|
enable = true;
|
|
|
|
path = /persist;
|
2023-01-24 02:24:40 +07:00
|
|
|
};
|
|
|
|
|
|
|
|
swapDevices = [ { device = "/swap/swapfile"; } ];
|
|
|
|
|
2023-04-11 00:58:02 +07:00
|
|
|
# dedupe
|
|
|
|
services.beesd = {
|
|
|
|
# i have a lot of ram :tonystark:
|
|
|
|
filesystems.cryptroot = {
|
|
|
|
spec = "UUID=${cryptrootUuid}";
|
|
|
|
hashTableSizeMB = 128;
|
|
|
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
|
|
|
};
|
|
|
|
filesystems.dataroot = {
|
|
|
|
spec = "UUID=${datarootUuid}";
|
|
|
|
hashTableSizeMB = 256;
|
|
|
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
|
|
|
};
|
|
|
|
};
|
2023-02-19 19:09:38 +07:00
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
2023-04-11 00:58:02 +07:00
|
|
|
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
|
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
networking.useDHCP = true;
|
|
|
|
# networking.firewall.enable = false;
|
2023-04-11 00:58:02 +07:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
27015
|
|
|
|
25565
|
|
|
|
7777
|
|
|
|
]
|
|
|
|
# kde connect
|
|
|
|
++ (lib.range 1714 1764);
|
|
|
|
networking.firewall.allowedUDPPorts = lib.range 1714 1764;
|
2023-04-12 16:04:07 +07:00
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
networking.wireless.iwd.enable = true;
|
|
|
|
|
2023-04-11 00:58:02 +07:00
|
|
|
services.ratbagd.enable = true;
|
|
|
|
|
2023-01-24 02:24:40 +07:00
|
|
|
services.mullvad-vpn.enable = true;
|
|
|
|
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
|
|
|
|
2023-04-11 00:58:02 +07:00
|
|
|
# System76 scheduler (not actually a scheduler, just a renice daemon) for improved responsiveness
|
2023-05-30 10:02:36 +07:00
|
|
|
/*services.dbus.packages = [ pkgs.system76-scheduler ];
|
2023-05-26 06:22:33 +07:00
|
|
|
systemd.services."system76-scheduler" = {
|
|
|
|
description = "Automatically configure CPU scheduler for responsiveness on AC";
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "dbus";
|
|
|
|
BusName= "com.system76.Scheduler";
|
|
|
|
ExecStart = "${pkgs.system76-scheduler}/bin/system76-scheduler daemon";
|
|
|
|
ExecReload = "${pkgs.system76-scheduler}/bin/system76-scheduler daemon reload";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
environment.etc."system76-scheduler/assignments.ron".source =
|
|
|
|
"${pkgs.system76-scheduler}/etc/system76-scheduler/assignments.ron";
|
|
|
|
environment.etc."system76-scheduler/config.ron".source =
|
|
|
|
"${pkgs.system76-scheduler}/etc/system76-scheduler/config.ron";
|
|
|
|
environment.etc."system76-scheduler/exceptions.ron".source =
|
2023-05-30 10:02:36 +07:00
|
|
|
"${pkgs.system76-scheduler}/etc/system76-scheduler/exceptions.ron";*/
|
|
|
|
services.system76-scheduler.enable = true;
|
2023-06-12 20:12:15 +07:00
|
|
|
services.system76-scheduler.assignments = {
|
|
|
|
games.matchers = [ "osu!" ];
|
|
|
|
};
|
2023-04-11 00:58:02 +07:00
|
|
|
|
2023-05-13 20:32:35 +07:00
|
|
|
common.workstation = true;
|
|
|
|
common.gettyAutologin = true;
|
|
|
|
# programs.firejail.enable = true;
|
2023-05-10 16:42:56 +07:00
|
|
|
# doesn't work:
|
|
|
|
# programs.wireshark.enable = true;
|
2023-05-17 07:16:03 +07:00
|
|
|
# users.groups.wireshark.members = [ config.common.mainUsername"];
|
2023-01-24 02:24:40 +07:00
|
|
|
services.printing.enable = true;
|
2023-05-13 20:32:35 +07:00
|
|
|
# from nix-gaming
|
|
|
|
services.pipewire.lowLatency = {
|
2023-02-19 19:09:38 +07:00
|
|
|
enable = true;
|
2023-05-13 20:32:35 +07:00
|
|
|
# 96 is mostly fine but has some xruns
|
|
|
|
# 128 has xruns every now and then too, but is overall fine
|
|
|
|
quantum = 128;
|
|
|
|
rate = 48000;
|
2023-02-19 19:09:38 +07:00
|
|
|
};
|
2023-01-24 02:24:40 +07:00
|
|
|
|
2023-02-19 19:09:38 +07:00
|
|
|
programs.ccache.enable = true;
|
2023-06-11 18:02:38 +07:00
|
|
|
services.sshd.enable = true;
|
|
|
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
2023-01-24 02:24:40 +07:00
|
|
|
}
|
|
|
|
|