171 lines
5.2 KiB
Nix
171 lines
5.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cryptroot = "/dev/disk/by-uuid/f4edc0df-b50b-42f6-94ed-1c8f88d6cdbb";
|
|
encPart = "/dev/disk/by-uuid/ce6ccdf0-7b6a-43ae-bfdf-10009a55041a";
|
|
efiPart = "/dev/disk/by-uuid/D77D-8CE0";
|
|
in {
|
|
system.stateVersion = "22.11";
|
|
|
|
### SECTION 1: HARDWARE/BOOT PARAMETERS ###
|
|
boot = {
|
|
initrd = {
|
|
availableKernelModules = [ "nvme" "xhci_pci" ];
|
|
# insert crypto_keyfile into initrd so that grub can tell the kernel the
|
|
# encryption key once I unlock the /boot partition
|
|
secrets."/crypto_keyfile.bin" = "/boot/initrd/crypto_keyfile.bin";
|
|
luks.devices."cryptroot" = {
|
|
device = encPart;
|
|
# idk whether this is needed but it works
|
|
preLVM = true;
|
|
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
|
allowDiscards = true;
|
|
# improve SSD performance
|
|
bypassWorkqueues = true;
|
|
keyFile = "/crypto_keyfile.bin";
|
|
};
|
|
};
|
|
resumeDevice = cryptroot;
|
|
kernelParams = [
|
|
"resume=/@swap/swapfile"
|
|
"resume_offset=533760"
|
|
# offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
|
"fbcon=font:TER16x32"
|
|
];
|
|
cleanTmpDir = true;
|
|
loader = {
|
|
grub = {
|
|
enable = true;
|
|
enableCryptodisk = true;
|
|
efiSupport = true;
|
|
device = "nodev";
|
|
gfxmodeEfi = "1920x1080";
|
|
};
|
|
efi.canTouchEfiVariables = true;
|
|
efi.efiSysMountPoint = "/boot/efi";
|
|
};
|
|
kernelPackages = pkgs.linuxPackages_zen;
|
|
};
|
|
nixpkgs.config.allowUnfreePredicate = pkg: (lib.getName pkg) == "steam-original";
|
|
hardware = {
|
|
steam-hardware.enable = true;
|
|
video.hidpi.enable = true;
|
|
enableRedistributableFirmware = true;
|
|
};
|
|
|
|
# see common/vfio.nix
|
|
vfio.enable = true;
|
|
vfio.pciIDs = [ "1002:73df" "1002:ab28" ];
|
|
vfio.libvirtdGroup = [ "user" ];
|
|
vfio.lookingGlass.ivshmem = [{ owner = "user"; }];
|
|
|
|
fileSystems = let
|
|
device = cryptroot;
|
|
fsType = "btrfs";
|
|
# max compression! my cpu is pretty good anyway
|
|
compress = "compress=zstd:15";
|
|
in {
|
|
"/" = { inherit device fsType;
|
|
options = [ compress "subvol=@" ]; };
|
|
"/nix" = { inherit device fsType;
|
|
options = [ compress "subvol=@nix" "noatime" ]; };
|
|
"/swap" = { inherit device fsType;
|
|
options = [ compress "subvol=@swap" "noatime" ]; };
|
|
"/home" = { inherit device fsType;
|
|
options = [ compress "subvol=@home" ]; };
|
|
"/.snapshots" =
|
|
{ inherit device fsType;
|
|
options = [ compress "subvol=@snapshots" ]; };
|
|
"/boot/efi" =
|
|
{ device = efiPart;
|
|
fsType = "vfat"; };
|
|
};
|
|
|
|
swapDevices = [ { device = "/swap/swapfile"; } ];
|
|
|
|
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
|
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
|
|
i18n.supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
|
|
networking.useDHCP = true;
|
|
# networking.firewall.enable = false;
|
|
networking.firewall.allowedTCPPorts = [ 27015 25565 7777 ];
|
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
|
# networking.hostName = "nixmsi";
|
|
networking.wireless.iwd.enable = true;
|
|
#networking.networkmanager.enable = true;
|
|
|
|
services.mullvad-vpn.enable = true;
|
|
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
|
|
|
services.xserver = {
|
|
enable = true;
|
|
libinput.enable = true;
|
|
desktopManager.xterm.enable = false;
|
|
# I couldn't get lightdm to start sway, so let's just do this
|
|
displayManager.startx.enable = true;
|
|
windowManager.i3.enable = true;
|
|
};
|
|
programs.sway.enable = true;
|
|
programs.firejail.enable = true;
|
|
environment.systemPackages = with pkgs; [
|
|
vim
|
|
wget
|
|
git
|
|
];
|
|
services.dbus.enable = true;
|
|
security.polkit.enable = true;
|
|
services.printing.enable = true;
|
|
security.rtkit.enable = true;
|
|
services.pipewire = {
|
|
enable = true;
|
|
alsa.enable = true;
|
|
alsa.support32Bit = true;
|
|
pulse.enable = true;
|
|
jack.enable = true;
|
|
};
|
|
|
|
users.users.user = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "networkmanager" "wheel" ];
|
|
};
|
|
nix = {
|
|
settings.allowed-users = [ "user" ];
|
|
package = pkgs.nixFlakes;
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
};
|
|
|
|
### RANDOM PATCHES ###
|
|
|
|
# I can't enable early KMS with VFIO, so this will have to do
|
|
# (amdgpu resets the font upon being loaded)
|
|
systemd.services."systemd-vconsole-setup2" = {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "${pkgs.systemd}/lib/systemd/systemd-vconsole-setup";
|
|
};
|
|
wantedBy = ["graphical.target"];
|
|
wants = ["multi-user.target"];
|
|
after = ["multi-user.target"];
|
|
};
|
|
|
|
# autologin once after boot
|
|
|
|
# --skip-login means directly call login instead of first asking for username
|
|
# (normally login asks for username too, but getty prefers to do it by itself for whatever reason)
|
|
services.getty.extraArgs = ["--skip-login"];
|
|
services.getty.loginProgram = with pkgs; writeScript "login-once" ''
|
|
#! ${bash}/bin/bash
|
|
LOCKFILE=/tmp/login-once.lock
|
|
if [ -f $LOCKFILE ]
|
|
then
|
|
exec ${shadow}/bin/login $@
|
|
else
|
|
${coreutils}/bin/touch $LOCKFILE
|
|
exec ${shadow}/bin/login -f user
|
|
fi
|
|
'';
|
|
}
|
|
|