(make-backup-files nil "Don't make backups")
(display-fill-column-indicator-column 150 "Draw a line at 100 characters")
(line-spacing 2 "Default line spacing")
-
- ;; Editor comments
(c-doc-comment-style '((c-mode . doxygen)
(c++-mode . doxygen)))
+
:hook ((text-mode . auto-fill-mode)
(text-mode . visual-line-mode)
(prog-mode . auto-fill-mode)
sops-nix.nixosModules.sops
{ nixpkgs.overlays = [ nur.overlays.default ]; }
{ home-manager.extraSpecialArgs = attrs; }
-
./systems/continuity/default.nix
];
};
sops-nix.nixosModules.sops
{ nixpkgs.overlays = [ nur.overlays.default ]; }
{ home-manager.extraSpecialArgs = attrs; }
-
./systems/affinity/default.nix
];
};
};
config = {
- home-manager.users."${config.monorepo.vars.userName}" = {
- programs.home-manager.enable = config.monorepo.profiles.home.enable;
- };
-
environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [
linux-manual
man-pages
}
#+end_src
** Home
-Time for my home user configuration, which is managed by home-manager. First we start off with
-this module to enter us into the home-manager namespace:
-#+begin_src nix :tangle ../nix/modules/home/home.nix
-{ config, sops-nix, ... }:
-{
- home-manager = {
- sharedModules = [
- sops-nix.homeManagerModules.sops
- ];
- useGlobalPkgs = true;
- useUserPackages = true;
- users."${config.monorepo.vars.userName}" = import ./default.nix;
- };
-}
-#+end_src
-as you can see, we import default.nix which puts us in the home-manager namespace. Everything
-in the top level from now on will implicitly be located at
-~users."${config.monorepo.vars.userName}".xxxxx~, and we will look at default.nix next.
*** Default Home Profile
As you can see, I have my installed home packages installed based on the profiles enabled. Also,
I have many imports that we'll go through next.
}
#+end_src
* Systems
+** Home
+This module dynamically imports the correct corresponding home.nix at
+the path.
+#+begin_src nix :tangle ../nix/systems/home.nix
+ { config, sops-nix, ... }:
+ {
+ home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users."${config.monorepo.vars.userName}" = import (./. + "/${config.monorepo.vars.hostName}/home.nix");
+ };
+ }
+#+end_src
** Continuity
This is pretty understandable, if you understand all the above.
#+begin_src nix :tangle ../nix/systems/continuity/default.nix
{
imports = [
../../modules/default.nix
- ../../modules/home/home.nix
../../modules/sda-simple.nix
+ ../home.nix
+ ];
+ }
+#+end_src
+*** Home
+Each system has a corresponding home configuration in order to set
+monorepo home options.
+#+begin_src nix :tangle ../nix/systems/continuity/home.nix
+ { lib, config, pkgs, ... }:
+ {
+ imports = [
+ ../../modules/home/default.nix
];
}
#+end_src
{
imports = [
../../modules/default.nix
- ../../modules/home/home.nix
../../modules/nvme-simple.nix
+ ../home.nix
];
- config.monorepo = {
- profiles = {
- server.enable = true;
- cuda.enable = true;
+ config = {
+ monorepo = {
+ profiles = {
+ server.enable = true;
+ cuda.enable = true;
+ };
+ vars.hostName = "affinity";
};
- vars.hostName = "affinity";
};
- config.home-manager.users."${config.monorepo.vars.userName}".monorepo.profiles.cuda.enable = true;
+ }
+#+end_src
+*** Home
+#+begin_src nix :tangle ../nix/systems/affinity/home.nix
+ { lib, config, pkgs, ... }:
+ {
+ imports = [
+ ../../modules/home/default.nix
+ ];
+ config.monorepo = {
+ profiles.cuda.enable = true;
+ };
}
#+end_src
** Spontaneity
imports = [
../../modules/default.nix
../../modules/vda-simple.nix
+ ../home.nix
];
+
config.monorepo = {
profiles = {
server.enable = true;
ttyonly.enable = true;
- home.enable = false;
};
vars.hostName = "spontaneity";
};
}
#+end_src
+*** Home
+#+begin_src nix :tangle ../nix/systems/spontaneity/home.nix
+ { lib, config, pkgs, ... }:
+ {
+ imports = [
+ ../../modules/home/default.nix
+ ];
+ }
+#+end_src
** Installer
My installer installs my systems almost completely without interaction. You can also make them
install the exact version of the system that you want it to by pinning the commits to make it
sops-nix.nixosModules.sops
{ nixpkgs.overlays = [ nur.overlays.default ]; }
{ home-manager.extraSpecialArgs = attrs; }
-
./systems/continuity/default.nix
];
};
sops-nix.nixosModules.sops
{ nixpkgs.overlays = [ nur.overlays.default ]; }
{ home-manager.extraSpecialArgs = attrs; }
-
./systems/affinity/default.nix
];
};
environment = {
etc = {
- securetty.text = ''
+ securetty.text = ''
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
'';
coredump.enable = false;
network.config.networkConfig.IPv6PrivacyExtensions = "kernel";
tmpfiles.settings = {
- "restricthome"."/home/*".Z.mode = "~0700";
+ "restricthome"."/home/*".Z.mode = "~0700";
- "restrictetcnixos"."/etc/nixos/*".Z = {
- mode = "0000";
- user = "root";
- group = "root";
- };
+ "restrictetcnixos"."/etc/nixos/*".Z = {
+ mode = "0000";
+ user = "root";
+ group = "root";
+ };
};
};
extraModulePackages = [ ];
initrd = {
- availableKernelModules = [
- "xhci_pci"
- "ahci"
- "usb_storage"
- "sd_mod"
- "nvme"
- "sd_mod"
- "ehci_pci"
- "rtsx_pci_sdmmc"
- "usbhid"
- ];
-
- kernelModules = [ ];
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "nvme"
+ "sd_mod"
+ "ehci_pci"
+ "rtsx_pci_sdmmc"
+ "usbhid"
+ ];
+
+ kernelModules = [ ];
};
lanzaboote = {
- enable = config.monorepo.profiles.secureBoot.enable;
- pkiBundle = "/etc/secureboot";
+ enable = config.monorepo.profiles.secureBoot.enable;
+ pkiBundle = "/etc/secureboot";
};
loader = {
- systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable);
- efi.canTouchEfiVariables = true;
+ systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable);
+ efi.canTouchEfiVariables = true;
};
kernelModules = [
- "snd-seq"
- "snd-rawmidi"
- "xhci_hcd"
- "kvm_intel"
+ "snd-seq"
+ "snd-rawmidi"
+ "xhci_hcd"
+ "kvm_intel"
];
kernelParams = [
- "debugfs=off"
- "page_alloc.shuffle=1"
- "slab_nomerge"
- "page_poison=1"
-
- # madaidan
- "pti=on"
- "randomize_kstack_offset=on"
- "vsyscall=none"
- "module.sig_enforce=1"
- "lockdown=confidentiality"
-
- # cpu
- "spectre_v2=on"
- "spec_store_bypass_disable=on"
- "tsx=off"
- "tsx_async_abort=full,nosmt"
- "mds=full,nosmt"
- "l1tf=full,force"
- "nosmt=force"
- "kvm.nx_huge_pages=force"
-
- # hardened
- "extra_latent_entropy"
-
- # mineral
- "init_on_alloc=1"
- "random.trust_cpu=off"
- "random.trust_bootloader=off"
- "intel_iommu=on"
- "amd_iommu=force_isolation"
- "iommu=force"
- "iommu.strict=1"
- "init_on_free=1"
- "quiet"
- "loglevel=0"
+ "debugfs=off"
+ "page_alloc.shuffle=1"
+ "slab_nomerge"
+ "page_poison=1"
+
+ # madaidan
+ "pti=on"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
+ "module.sig_enforce=1"
+ "lockdown=confidentiality"
+
+ # cpu
+ "spectre_v2=on"
+ "spec_store_bypass_disable=on"
+ "tsx=off"
+ "tsx_async_abort=full,nosmt"
+ "mds=full,nosmt"
+ "l1tf=full,force"
+ "nosmt=force"
+ "kvm.nx_huge_pages=force"
+
+ # hardened
+ "extra_latent_entropy"
+
+ # mineral
+ "init_on_alloc=1"
+ "random.trust_cpu=off"
+ "random.trust_bootloader=off"
+ "intel_iommu=on"
+ "amd_iommu=force_isolation"
+ "iommu=force"
+ "iommu.strict=1"
+ "init_on_free=1"
+ "quiet"
+ "loglevel=0"
];
blacklistedKernelModules = [
- "netrom"
- "rose"
-
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
+ "netrom"
+ "rose"
+
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
];
kernel.sysctl = {
- "kernel.ftrace_enabled" = false;
- "net.core.bpf_jit_enable" = false;
- "kernel.kptr_restrict" = 2;
-
- # madaidan
- "vm.swappiness" = 1;
- "vm.unprivileged_userfaultfd" = 0;
- "dev.tty.ldisc_autoload" = 0;
- "kernel.kexec_load_disabled" = 1;
- "kernel.sysrq" = 4;
- "kernel.perf_event_paranoid" = 3;
-
- # net
- "net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
- "net.ipv4.conf.all.accept_redirects" = false;
- "net.ipv4.conf.all.secure_redirects" = false;
- "net.ipv4.conf.default.accept_redirects" = false;
- "net.ipv4.conf.default.secure_redirects" = false;
- "net.ipv6.conf.all.accept_redirects" = false;
- "net.ipv6.conf.default.accept_redirects" = false;
+ "kernel.ftrace_enabled" = false;
+ "net.core.bpf_jit_enable" = false;
+ "kernel.kptr_restrict" = 2;
+
+ # madaidan
+ "vm.swappiness" = 1;
+ "vm.unprivileged_userfaultfd" = 0;
+ "dev.tty.ldisc_autoload" = 0;
+ "kernel.kexec_load_disabled" = 1;
+ "kernel.sysrq" = 4;
+ "kernel.perf_event_paranoid" = 3;
+
+ # net
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ "net.ipv4.conf.all.accept_redirects" = false;
+ "net.ipv4.conf.all.secure_redirects" = false;
+ "net.ipv4.conf.default.accept_redirects" = false;
+ "net.ipv4.conf.default.secure_redirects" = false;
+ "net.ipv6.conf.all.accept_redirects" = false;
+ "net.ipv6.conf.default.accept_redirects" = false;
};
};
useDHCP = lib.mkDefault true;
hostName = config.monorepo.vars.hostName;
networkmanager = {
- enable = true;
- # wifi.macAddress = "";
+ enable = true;
};
firewall = {
- allowedTCPPorts = [ 22 11434 ];
- allowedUDPPorts = [ ];
+ allowedTCPPorts = [ 22 11434 ];
+ allowedUDPPorts = [ ];
};
};
hardware = {
enableAllFirmware = true;
cpu.intel.updateMicrocode = true;
- graphics.enable = true;
+ graphics.enable = ! config.monorepo.profiles.ttyonly.enable;
pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable;
bluetooth = {
- enable = true;
- powerOnBoot = true;
+ enable = true;
+ powerOnBoot = true;
};
};
services = {
chrony = {
- enable = true;
- enableNTS = true;
- servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
+ enable = true;
+ enableNTS = true;
+ servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
};
jitterentropy-rngd.enable = true;
# Misc.
udev = {
- extraRules = '''';
- packages = with pkgs; [
- platformio-core
- platformio-core.udev
- openocd
- ];
+ extraRules = '''';
+ packages = with pkgs; [
+ platformio-core
+ platformio-core.udev
+ openocd
+ ];
};
printing.enable = true;
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config = {
- allowUnfree = true;
- cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable;
+ allowUnfree = true;
+ cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable;
};
};
security = {
apparmor = {
- enable = true;
- killUnconfinedConfinables = true;
+ enable = true;
+ killUnconfinedConfinables = true;
};
pam.loginLimits = [
- { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
- { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
+ { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
+ { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
];
rtkit.enable = true;
forcePageTableIsolation = true;
tpm2 = {
- enable = true;
- pkcs11.enable = true;
- tctiEnvironment.enable = true;
+ enable = true;
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
};
auditd.enable = true;
enable = true;
wlr.enable = true;
extraPortals = with pkgs; [
- xdg-desktop-portal-gtk
- xdg-desktop-portal
- xdg-desktop-portal-hyprland
+ xdg-desktop-portal-gtk
+ xdg-desktop-portal
+ xdg-desktop-portal-hyprland
];
config.common.default = "*";
};
];
git = {
- isSystemUser = true;
- home = "/srv/git";
- shell = "${pkgs.git}/bin/git-shell";
+ isSystemUser = true;
+ home = "/srv/git";
+ shell = "${pkgs.git}/bin/git-shell";
};
"${config.monorepo.vars.userName}" = {
- initialPassword = "${config.monorepo.vars.userName}";
- isNormalUser = true;
- description = config.monorepo.vars.fullName;
- extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
- shell = pkgs.zsh;
- packages = [];
+ initialPassword = "${config.monorepo.vars.userName}";
+ isNormalUser = true;
+ description = config.monorepo.vars.fullName;
+ extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
+ shell = pkgs.zsh;
+ packages = [];
};
};
{ config, lib, pkgs, ... }:
{
- environment.systemPackages = with pkgs; [
+ environment.systemPackages = (if config.monorepo.profiles.cuda.enable then with pkgs; [
cudatoolkit
cudaPackages.cudnn
cudaPackages.libcublas
linuxPackages.nvidia_x11
- ];
+ ] else []);
}
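Review bot: The new `(if config.monorepo.profiles.cuda.enable then with pkgs; [ … ] else [])` wrapper around `environment.systemPackages` is the non-idiomatic form; the options module on this page already gates its own `environment.systemPackages` with `lib.mkIf`, and the same reads better here as `environment.systemPackages = lib.mkIf config.monorepo.profiles.cuda.enable (with pkgs; [` with a closing `]);`. The identical `if … else []` shape is introduced again for `graphics.extraPackages` in the nvidia module and for `videoDrivers` in the xserver module. Separately, the unchanged `linuxPackages.nvidia_x11` entry inside the list is taken from nixpkgs' default kernel package set rather than from `config.boot.kernelPackages` (which the nvidia module uses for `package`), so on a host whose kernelPackages is not the default it installs a driver built against a different kernel; `config.boot.kernelPackages.nvidia_x11` would keep the two consistent.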
options = {
monorepo = {
- profiles = {
- cuda.enable = lib.mkEnableOption "Enables CUDA support";
- documentation.enable = lib.mkEnableOption "Enables documentation on system.";
- secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl.";
- pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup";
- tor.enable = lib.mkEnableOption "Enables tor along with torsocks";
- home.enable = lib.mkEnableOption "Enables home user";
- server.enable = lib.mkEnableOption "Enables server services";
- };
+ profiles = {
+ cuda.enable = lib.mkEnableOption "Enables CUDA support";
+ documentation.enable = lib.mkEnableOption "Enables documentation on system.";
+ secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl.";
+ pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup";
+ tor.enable = lib.mkEnableOption "Enables tor along with torsocks";
+ home.enable = lib.mkEnableOption "Enables home user";
+ server.enable = lib.mkEnableOption "Enables server services";
+ ttyonly.enable = lib.mkEnableOption "TTY only, no xserver";
+ };
};
};
config = {
- home-manager.users."${config.monorepo.vars.userName}" = {
- programs.home-manager.enable = config.monorepo.profiles.home.enable;
- };
-
environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [
- linux-manual
- man-pages
- man-pages-posix
+ linux-manual
+ man-pages
+ man-pages-posix
]);
monorepo = {
- profiles = {
- documentation.enable = lib.mkDefault true;
- pipewire.enable = lib.mkDefault true;
- tor.enable = lib.mkDefault true;
- home.enable = lib.mkDefault true;
- };
+ profiles = {
+ documentation.enable = lib.mkDefault true;
+ pipewire.enable = lib.mkDefault true;
+ tor.enable = lib.mkDefault true;
+ home.enable = lib.mkDefault true;
+ };
};
};
}
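Review bot: `home.enable = lib.mkEnableOption "Enables home user"` and its `lib.mkDefault true` further down are kept, but the only visible consumer — the removed `home-manager.users.…programs.home-manager.enable = config.monorepo.profiles.home.enable` block at the top of `config` — is gone, and the spontaneity system stops setting `home.enable = false` in favour of `ttyonly.enable`. Unless another module reads `profiles.home.enable` (not visible here), the option is now declared but unused and will silently accept values that do nothing; either drop it or state its remaining purpose in the option description. The new `ttyonly.enable` description, `"TTY only, no xserver"`, should match what the xserver module actually gates. The enclosing module header `{ config, lib, pkgs, ... }:` lies outside the hunk, and the same deletion appears in the org source earlier on this page.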
packages = with pkgs; [
# wikipedia
kiwix kiwix-tools
+
# passwords
age sops
acpilight
pfetch
libnotify
+ htop
];
};
{ config, lib, pkgs, ... }:
{
hardware = {
- graphics.extraPackages = with pkgs; [
- vaapiVdpau
- libvdpau-va-gl
- nvidia-vaapi-driver
- ];
+ graphics.extraPackages = (if config.monorepo.profiles.cuda.enable
+ then with pkgs; [
+ vaapiVdpau
+ libvdpau-va-gl
+ nvidia-vaapi-driver
+ ] else []);
nvidia = {
- modesetting.enable = true;
- powerManagement = {
- enable = true;
- finegrained = false;
- };
- nvidiaSettings = true;
- open = false;
- package = config.boot.kernelPackages.nvidiaPackages.stable;
+ modesetting.enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
+ powerManagement = {
+ enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
+ finegrained = false;
+ };
+ nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
+ open = lib.mkDefault false;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
};
};
}
{ config, lib, ... }:
{
services.postfix = {
- enable = true;
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
config = {
};
};
settings = {
PasswordAuthentication = true;
AllowUsers = [ config.monorepo.vars.userName ];
- PermitRootLogin = "no";
+ PermitRootLogin = "prohibit-password";
KbdInteractiveAuthentication = false;
};
};
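Review bot: Changing `PermitRootLogin` from `"no"` to `"prohibit-password"` widens root's SSH policy while `AllowUsers = [ config.monorepo.vars.userName ];` two lines above still excludes root, so the new value has no effect today and the two settings disagree on intent. If root key login is wanted (for the installer or deployment), root must also appear in `AllowUsers` and that should be stated; if not, `"no"` was the tighter setting and should stay. `PasswordAuthentication = true;` in the same block means any account that is allowed through is reachable by password, so the `AllowUsers` list is the effective control here. Suggested comment on the changed line: `# root stays blocked by AllowUsers; prohibit-password only matters if root is added there`. The enclosing `services.openssh` attribute set starts outside the hunk.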
services.xserver = {
enable = lib.mkDefault true;
displayManager = {
- startx.enable = true;
+ startx.enable = true;
};
windowManager = {
- i3 = {
- enable = true;
- package = pkgs.i3-gaps;
- };
+ i3 = {
+ enable = ! config.monorepo.profiles.ttyonly.enable;
+ package = pkgs.i3-gaps;
+ };
};
desktopManager = {
- runXdgAutostartIfNone = true;
+ runXdgAutostartIfNone = true;
};
xkb = {
- layout = "us";
- variant = "";
- options = "caps:escape";
+ layout = "us";
+ variant = "";
+ options = "caps:escape";
};
videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []);
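Review bot: On a `ttyonly` host `services.xserver.enable = lib.mkDefault true;` (unchanged, second line of the block) still turns X on, while the hunk only gates `i3.enable`; the option's own description, `"TTY only, no xserver"`, promises more than this, and `hardware.graphics.enable` is switched off for the same profile elsewhere in the commit, so such a host would build an X server with no graphics stack behind it. Gating the server itself keeps the option honest: `enable = lib.mkDefault (! config.monorepo.profiles.ttyonly.enable);`. `startx.enable = true;` under `displayManager` would reasonably follow the same switch. The closing of `services.xserver` is outside the hunk.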
{
imports = [
../../modules/default.nix
- ../../modules/home/home.nix
../../modules/nvme-simple.nix
+ ../home.nix
];
- config.monorepo = {
- profiles = {
- server.enable = true;
- cuda.enable = true;
+ config = {
+ monorepo = {
+ profiles = {
+ server.enable = true;
+ cuda.enable = true;
+ };
+ vars.hostName = "affinity";
};
- vars.hostName = "affinity";
};
- config.home-manager.users."${config.monorepo.vars.userName}".monorepo.profiles.cuda.enable = true;
}
--- /dev/null
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../../modules/home/default.nix
+ ];
+ config.monorepo = {
+ profiles.cuda.enable = true;
+ };
+}
{
imports = [
../../modules/default.nix
- ../../modules/home/home.nix
../../modules/sda-simple.nix
+ ../home.nix
];
}
--- /dev/null
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../../modules/home/default.nix
+ ];
+}
--- /dev/null
+{ config, sops-nix, ... }:
+{
+ home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users."${config.monorepo.vars.userName}" = import (./. + "/${config.monorepo.vars.hostName}/home.nix");
+ };
+}
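Review bot: `users."${config.monorepo.vars.userName}" = import (./. + "/${config.monorepo.vars.hostName}/home.nix")` chooses the home-manager module from a configuration string, so a host whose `vars.hostName` has no matching `<hostName>/home.nix` fails evaluation with a bare missing-path error, and a mistyped hostName that happens to match another host's directory silently applies that host's home profile. A one-line comment above it would state the contract, e.g. `# every systems/<hostName>/ must provide home.nix; the name comes from monorepo.vars.hostName`, or an `assertions` entry checking `builtins.pathExists` on the computed path with a message naming the expected file. The `sops-nix` module argument presumably arrives through the flake's `specialArgs`, which is outside this hunk. The org source of this module earlier on the page (the `** Home` block under `* Systems`) is the same text and would carry the same comment.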
imports = [
../../modules/default.nix
../../modules/vda-simple.nix
+ ../home.nix
];
+
config.monorepo = {
profiles = {
server.enable = true;
- home.enable = false;
+ ttyonly.enable = true;
};
vars.hostName = "spontaneity";
};
--- /dev/null
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../../modules/home/default.nix
+ ];
+}
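Review bot: Dropping `home.enable = false;` from spontaneity's `config.monorepo.profiles` in the hunk above while adding a `spontaneity/home.nix` that imports `../../modules/home/default.nix` means the TTY-only server now receives the full home profile it previously opted out of; whether `modules/home/default.nix` honours `ttyonly.enable` is not visible here. If that module installs desktop-oriented packages unconditionally (the home packages list on this page includes `acpilight` and `libnotify`), a `ttyonly.enable` check inside it, or an empty `imports` for this host, would keep the server's closure lean. The new file also declares `lib`, `config` and `pkgs` as module arguments it never uses; `{ ... }:` would do, as would a short header comment such as `# per-host home-manager module; imported by systems/home.nix via monorepo.vars.hostName`.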