# Host configuration for "lindy": hardware, disks, persistence, backups and
# the graphics specialisations selectable at boot. Shared settings come from
# common.nix; the sway and wayfire desktops are enabled, the other desktop
# modules are kept in the list but commented out.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ./common.nix
    #./kde.nix
    #./95theme.nix
    #./gnome.nix
    #./fdn-vpn.nix
    ./sway.nix
    ./wayfire.nix
  ];

  networking = {
    hostName = "lindy";
    # hostId is what ZFS uses to tell which host last imported a pool.
    hostId = "b8149765";

    # Making dev work available outside. These ports are opened on every
    # interface unless an imported module narrows the firewall.
    firewall = {
      allowedTCPPorts = [
        # 8910 8920 # web dev
        4317 4318 # jaeger container
      ];
      allowedUDPPorts = [
        4010 # scream
      ];
    };

    # Work around ipv6 peering issue: pin git.deuxfleurs.fr to a fixed IPv4.
    # This bypasses DNS for that name and silently goes stale if the host moves.
    extraHosts = ''
      109.136.139.78 git.deuxfleurs.fr
    '';
  };

  boot = {
    # Driver config
    initrd = {
      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
      kernelModules = [ "dm-snapshot" ];
      # LUKS container on the SSD, unlocked from the initrd.
      # allowDiscards passes TRIM through to the disk; the trade-off is that
      # the disk can then see which blocks of the encrypted volume are in use.
      luks.devices.cryptssd = {
        device = "/dev/disk/by-uuid/a5aad0b3-fb8c-4711-80db-d8fdcc832f83";
        allowDiscards = true;
      };
    };
    # "wl" is the out-of-tree Broadcom driver provided by broadcom_sta below.
    kernelModules = [ "kvm-intel" "wl" ];
    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];

    # ZFS config: the kernel follows whatever the ZFS module supports.
    # NOTE(review): latestCompatibleLinuxPackages has been deprecated in
    # recent nixpkgs releases — confirm it still exists on the pinned channel.
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    supportedFilesystems = [ "zfs" ];
    zfs = {
      # Pool members are dm-crypt mappings (see environment.etc.crypttab).
      devNodes = "/dev/mapper";
      extraPools = [ "Zonz" ];
    };

    # Use Grub (EFI, installed under the "NixOS" bootloader id).
    # /boot and /boot/efi are plain ext4/vfat: nothing in this file protects
    # the kernel and initrd that unlock cryptssd against offline modification
    # (no Secure Boot or measured-boot setting is configured here).
    loader = {
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
        extraGrubInstallArgs = [ "--bootloader-id=NixOS" ];
      };
      efi = {
        efiSysMountPoint = "/boot/efi";
        canTouchEfiVariables = true;
      };
    };
  };

  # Root is a volatile tmpfs; state that must survive a reboot lives on the
  # "lindy" pool (under /nix/persist) and is bound back into place below.
  fileSystems = {
    "/" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=6G" "mode=755" ];
    };
    "/var" = {
      device = "lindy/nixos/var";
      fsType = "zfs";
    };
    "/home" = {
      device = "lindy/home";
      fsType = "zfs";
      # Mounted from the initrd because users.users.lx.hashedPasswordFile
      # (below) is read from this dataset during activation.
      neededForBoot = true;
    };
    "/nix" = {
      device = "lindy/nixos/nix";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/b9f80731-ac5a-476e-9454-32fef4ebc40f";
      fsType = "ext4";
      options = [ "discard" ];
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/02D0-F1C6";
      fsType = "vfat";
    };
    # /root contains the Borg cache for the backup script, and also the
    # crypttab key files for the Zonz disks (see environment.etc.crypttab).
    "/root" = {
      device = "/nix/persist/root";
      fsType = "none";
      options = [ "bind" ];
    };
    # NetworkManager connection profiles (these may embed Wi-Fi/VPN secrets)
    # are kept across reboots.
    "/etc/NetworkManager/system-connections" = {
      device = "/nix/persist/etc/NetworkManager/system-connections";
      fsType = "none";
      options = [ "bind" ];
    };
  };

  environment = {
    etc = {
      # Persistent machine identity: machine-id and the SSH host keys are
      # symlinked from /nix/persist so the tmpfs root does not regenerate them.
      # NOTE(review): owner/mode of the private keys under /nix/persist are not
      # set by this file — confirm they are root-only.
      "machine-id".source = "/nix/persist/etc/machine-id";
      "ssh/ssh_host_rsa_key".source = "/nix/persist/etc/ssh/ssh_host_rsa_key";
      "ssh/ssh_host_rsa_key.pub".source = "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
      "ssh/ssh_host_ed25519_key".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key";
      "ssh/ssh_host_ed25519_key.pub".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";

      # ---- zonz (encrypted zfs) ----
      # The two Zonz disks are dm-crypt volumes opened at boot with key files
      # stored in root's persisted home (the /root bind mount above).
      crypttab = {
        enable = true;
        text = ''
          Kogami UUID=61534c91-df18-4c71-9244-54e677f5d4fa /nix/persist/root/kogami_key
          Komaru UUID=caf8496f-006b-4762-bb20-506d4c7bdb51 /nix/persist/root/komaru_key
        '';
      };
    };

    systemPackages = [
      pkgs.zfs
      pkgs.docker-compose
      pkgs.pinentry.gnome3
    ];
  };

  # ---- immutable user config ----
  # Only declared users exist; interactive passwd/useradd changes do not survive.
  users = {
    mutableUsers = false;
    users.lx = {
      # Hash is read from the /home dataset, which is therefore neededForBoot.
      # NOTE(review): the file lives in lx's own home, so presumably anything
      # running as lx can rewrite lx's hash — confirm that is intended.
      hashedPasswordFile = "/home/lx/.password";
      uid = 1000;
      # "docker" gives access to the Docker daemon socket, which Docker itself
      # documents as root-equivalent; "vboxusers" is needed for VirtualBox.
      extraGroups = [ "docker" "vboxusers" ];
    };
  };
  # ----

  # Zram
  zramSwap.enable = true;

  services = {
    zfs.autoScrub = {
      enable = true;
      pools = [ "Zonz" ];
      interval = "quarterly";
    };

    # Local backup (borg to Zonz): every day at 20:00, as root.
    # NOTE(review): root executes a script stored on the data pool; verify
    # it is root-owned and not group/world-writable.
    cron = {
      enable = true;
      systemCronJobs = [ "0 20 * * * root /media/Zonz/lindy/do-backup.sh" ];
    };

    # Remote backup (restic to infracoll).
    # The repository is reached over plain HTTP. restic encrypts repository
    # contents client-side, so backup data is not exposed by the transport,
    # but the S3 API traffic (signed request headers, object names) travels in
    # clear. NOTE(review): confirm whether the endpoint offers TLS.
    # Note that the backup set includes /nix/persist, i.e. the LUKS key files,
    # SSH host keys and these restic credentials themselves; they are then
    # protected by the repository password alone.
    restic.backups."infracoll" = {
      repository = "s3:http://garage.isomorphis.me:3900/restic-lx";
      # Credentials stay in persisted files rather than in this (world-readable,
      # /nix/store-resident) configuration.
      environmentFile = "/nix/persist/etc/secrets/restic/infracoll/credentials";
      passwordFile = "/nix/persist/etc/secrets/restic/infracoll/password";
      paths = [
        "/nix/persist"
        "/home/lx"
        "/media/Zonz/Private"
        "/media/Zonz/Stuff"
      ];
      exclude = [
        "/home/lx/.cache"
        "/home/lx/.cargo"
        "/home/lx/.local/share/Steam"
        "/home/lx/Deuxfleurs/garage/tmp"
      ];
      # Daily at 21:30; Persistent runs a missed job after the machine was off.
      timerConfig = {
        OnCalendar = "21:30";
        Persistent = true;
      };
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 12"
        "--keep-yearly 75"
      ];
    };

    # Use resolver from network (systemd-resolved stays disabled).
    resolved.enable = false;
  };

  # Graphics: pick one of these specialisations from the boot menu.
  specialisation = {
    # Proprietary NVIDIA driver with the Intel iGPU's modesetting turned off.
    nvidia.configuration = {
      boot.kernelParams = [ "i915.modeset=0" ];
      hardware.nvidia.modesetting.enable = true;
      services.xserver.videoDrivers = [ "nvidia" ];
    };
    # Intel iGPU drives the host; the devices listed by vendor:device id are
    # bound to vfio-pci for passthrough, with a looking-glass frame buffer.
    intelVfio.configuration = {
      boot = {
        blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
        kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=10de:17c2,10de:0fb0,8086:0c01" ];
        initrd.availableKernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
      };
      services.xserver.videoDrivers = [ "modesetting" ];
      # Shared-memory file for looking-glass, limited to lx and the kvm group.
      systemd.tmpfiles.rules = [
        "f /dev/shm/looking-glass 0660 lx kvm -"
      ];
      environment.systemPackages = [ pkgs.looking-glass-client ];
    };
  };

  hardware = {
    opengl.enable = true;
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };

  # Docker, VirtualBox
  virtualisation = {
    docker.enable = true;
    virtualbox.host.enable = true;
  };

  # GnuPG agent at system level; running it at home level conflicts with arch.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = false;
    pinentryFlavor = "gnome3";
  };

  nix.gc.automatic = false;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}