diff --git a/homes/x86_64-linux/matt@desktop/default.nix b/homes/x86_64-linux/matt@desktop/default.nix
index 630ed8a..316bf8a 100755
--- a/homes/x86_64-linux/matt@desktop/default.nix
+++ b/homes/x86_64-linux/matt@desktop/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, namespace, ... }:
 let
 shellAliases = {
 update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix
index 583c2cd..4473c09 100644
--- a/modules/home/sops/default.nix
+++ b/modules/home/sops/default.nix
@@ -1,41 +1,25 @@
-{ config, lib, ... }:
+{ config, lib, namespace, ... }:
 let
 cfg = config.mjallen.sops;
+
+ user = config.${namespace}.user.name;
+ hostname = config.${namespace}.network.hostname;
 in
 {
 imports = [ ./options.nix ];
 config = lib.mkIf cfg.enable {
 sops = {
- age.keyFile = "/home/admin/.config/sops/age/keys.txt";
+ age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
 defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
 validateSopsFiles = false;
 secrets = {
- "ssh-keys-public/jallen-nas" = {
- path = "/home/admin/.ssh/id_ed25519.pub";
+ "ssh-keys-public/desktop-nixos" = {
+ path = "/home/${user}/.ssh/id_ed25519.pub";
 mode = "0644";
 };
- "ssh-keys-private/jallen-nas" = {
- path = "/home/admin/.ssh/id_ed25519";
- mode = "0600";
- };
- "ssh-keys-public/desktop-nixos" = {
- path = "/home/admin/.ssh/authorized_keys";
- mode = "0600";
- };
-
- "ssh-keys-public/desktop-nixos-root" = {
- path = "/home/admin/.ssh/authorized_keys2";
- mode = "0600";
- };
-
- "ssh-keys-public/desktop-windows" = {
- path = "/home/admin/.ssh/authorized_keys3";
- mode = "0600";
- };
-
- "ssh-keys-public/macbook-macos" = {
- path = "/home/admin/.ssh/authorized_keys4";
+ "ssh-keys-private/desktop-nixos" = {
+ path = "/home/${user}/.ssh/id_ed25519";
 mode = "0600";
 };
 };
diff --git a/modules/nixos/boot/default.nix b/modules/nixos/boot/default.nix
new file mode 100644
index 0000000..b5197c4
--- /dev/null
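Review bot: The new `user` and `hostname` bindings read `config.${namespace}.…`, but `cfg` on the line above is still `config.mjallen.sops`, so the module now mixes a hard-coded namespace with the parameterised one; `cfg = config.${namespace}.sops;` keeps the two consistent. `hostname` is not used anywhere in the hunk, and its attribute name (`network.hostname`) does not match what systems/x86_64-linux/desktop/default.nix sets later in this same commit (`network.hostName`), so whichever spelling the option does not declare will fail to evaluate as soon as it is actually read. This is a home-manager module, so `config` is the home-manager configuration; whether `${namespace}.user.name` is declared on that side (modules/nixos/user declares it for NixOS) cannot be confirmed from the hunk, and `config.home.homeDirectory` would avoid hard-coding `/home/${user}` in `age.keyFile` and the key paths either way. The enclosing `config = lib.mkIf cfg.enable { … }` block continues past the end of the hunk.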
+++ b/modules/nixos/boot/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ boot = {
+ kernelParams = [
+ "quiet"
+ ];
+ };
+
+ zramSwap.enable = true;
+}
\ No newline at end of file
diff --git a/modules/nixos/boot/plymouth/default.nix b/modules/nixos/boot/plymouth/default.nix
new file mode 100644
index 0000000..702105c
--- /dev/null
+++ b/modules/nixos/boot/plymouth/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ boot.plymouth = {
+ enable = true;
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/disko/aarch64-linux/default.nix b/modules/nixos/disko/aarch64-linux/default.nix
index 7147b44..5984491 100644
--- a/modules/nixos/disko/aarch64-linux/default.nix
+++ b/modules/nixos/disko/aarch64-linux/default.nix
@@ -87,6 +87,13 @@ in
 ];
 mountpoint = "/etc";
 };
+ "tmp" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/tmp";
+ };
 "log" = {
 mountOptions = [
 "compress=zstd"
diff --git a/modules/nixos/hardware/btrfs/default.nix b/modules/nixos/hardware/btrfs/default.nix
new file mode 100644
index 0000000..f5366bb
--- /dev/null
+++ b/modules/nixos/hardware/btrfs/default.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+{
+ services.btrfs = {
+ autoScrub.enable = lib.mkDefault true;
+ autoScrub.fileSystems = lib.mkDefault [
+ "/nix"
+ "/root"
+ "/etc"
+ "/tmp"
+ "/var/log"
+ "/home"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/network/default.nix b/modules/nixos/network/default.nix
index 3011cd5..2465f6e 100644
--- a/modules/nixos/network/default.nix
+++ b/modules/nixos/network/default.nix
@@ -43,6 +43,8 @@ in
 # Enable Network Manager
 networkmanager = {
 enable = true;
+ wifi.powersave = lib.mkDefault false;
+ settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
 ensureProfiles = {
 environmentFiles = [
 config.sops.secrets.wifi.path
diff --git a/modules/nixos/user/default.nix b/modules/nixos/user/default.nix
index 85ed43f..a0ce583 100644
--- a/modules/nixos/user/default.nix
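Review bot: `zramSwap.enable = true` and the `"quiet"` kernel parameter are set unconditionally and without `lib.mkDefault`, unlike modules/nixos/hardware/btrfs in the same commit, which wraps its defaults in `lib.mkDefault`; if Snowfall auto-imports everything under modules/nixos into every host (nothing in the diff imports this directory explicitly), every system gets zram swap and a silent boot with no per-host opt-out short of `lib.mkForce`. `zramSwap.enable = lib.mkDefault true;` keeps the behaviour while leaving it overridable, and the same applies to `boot.plymouth.enable = true` in modules/nixos/boot/plymouth/default.nix; both files would then need `lib` in their argument set. A one-line header comment stating that these are fleet-wide defaults would also tell the next reader why there is no `enable` option here, unlike the `cfg.enable`-gated modules elsewhere in the tree.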
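Review bot: The new `tmp` subvolume is mounted at `/tmp` with only `compress=zstd` and `noatime`; a world-writable /tmp is the usual place to add `"nosuid"` and `"nodev"` to `mountOptions` so that a file dropped there cannot act as a setuid binary or device node. Because this is a persistent subvolume rather than tmpfs, its contents also survive reboots unless `boot.tmp.cleanOnBoot = true` is set somewhere in the host configuration, which I cannot see from the diff. The surrounding `subvolumes` attribute set begins and ends outside the hunk.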
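Review bot: `autoScrub.fileSystems` lists six mount points, but a btrfs scrub runs over the whole filesystem, so if these are all subvolumes of one device — which the disko layout touched in this commit suggests — the timer scrubs the same device six times per run, and a single entry (or the option's default, which covers every btrfs mount) is enough. The list is also hard-coded in a generic hardware module, so a host with a different layout gets a scrub job for a path that is not a btrfs mount unless it overrides the whole list. A comment such as `# one entry per filesystem is enough: scrub is filesystem-wide` would stop the next reader from extending the list further.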
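Review bot: The plaintext `http://nmcheck.gnome.org/check_network_status.txt` connectivity URI reads like an accidental downgrade, but an HTTP endpoint is what makes captive-portal detection work (the portal's redirect is only visible without TLS) and the check fetches nothing but a static text file; a comment such as `# HTTP on purpose: captive portals can only intercept plaintext requests` would keep a future reader from "fixing" it to https. Both new lines use `lib`, which must be in the module's argument set; the header is outside the hunk so I cannot confirm it. The `networkmanager = { … }` set continues past the hunk.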
+++ b/modules/nixos/user/default.nix
@@ -36,6 +36,11 @@ in
 default = "matt";
 description = "The name to use for the user account.";
 };
+ passwordFile = lib.mkOption {
+ type = nullOr path;
+ default = null;
+ description = "Path to the password file for this user account";
+ };
 };
 config = {
@@ -44,6 +49,10 @@ in
 extraGroups = [
 "wheel"
+ "keys"
+ "networkmanager"
+ "ratbagd"
+ "scanner"
 "systemd-journal"
 "mpd"
 "audio"
@@ -54,13 +63,15 @@ in
 "tss"
 "power"
 "nix"
+ "i2c"
 ] ++ cfg.extraGroups;
 group = "users";
 home = "/home/${cfg.name}";
 isNormalUser = true;
- shell = lib.mkDefault pkgs.zsh;
+ shell = lib.mkForce pkgs.zsh;
 uid = 1000;
+ hashedPasswordFile = cfg.passwordFile;
 } // cfg.extraOptions;
 };
}
\ No newline at end of file
diff --git a/systems/x86_64-linux/desktop/boot.nix b/systems/x86_64-linux/desktop/boot.nix
index b61978a..793c606 100755
--- a/systems/x86_64-linux/desktop/boot.nix
+++ b/systems/x86_64-linux/desktop/boot.nix
@@ -1,7 +1,5 @@
-{ config, pkgs, namespace, ... }:
+{ config, pkgs, ... }:
 let
- configLimit = 5;
- # default = "@saved";
 kernel = pkgs.linuxPackages_cachyos;
 pkgsVersion = pkgs; #.unstable;
 in
@@ -36,14 +34,9 @@ in
 ];
 };
- plymouth = {
- enable = true;
- };
-
 kernelPackages = kernel;
 kernelParams = [
- "quiet"
 # needed cause ssd powersaving is broken af I guess
 "nvme_core.default_ps_max_latency_us=0"
 "pcie_aspm=off"
@@ -53,8 +46,6 @@ in
 bootspec.enable = true;
 };
- zramSwap.enable = true;
-
 environment.systemPackages = with pkgsVersion; [
 edk2-uefi-shell
 ];
diff --git a/systems/x86_64-linux/desktop/configuration.nix b/systems/x86_64-linux/desktop/configuration.nix
index 31b9778..9b912f4 100755
--- a/systems/x86_64-linux/desktop/configuration.nix
+++ b/systems/x86_64-linux/desktop/configuration.nix
@@ -5,7 +5,6 @@
 {
 lib,
 pkgs,
- inputs,
 ...
 }:
 let
diff --git a/systems/x86_64-linux/desktop/default.nix b/systems/x86_64-linux/desktop/default.nix
index 40c6053..6eff834 100644
--- a/systems/x86_64-linux/desktop/default.nix
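Review bot: `type = nullOr path;` accepts a Nix path literal as well as a string, and inside a flake a literal such as `./matt.pw` resolves into the world-readable /nix/store copy of the repository, which is precisely what a password file must never be; the consumer on the other end, `users.users.<name>.hashedPasswordFile`, is typed `nullOr str`, so a path literal would also fail its type check rather than being rejected here. `type = nullOr str;` together with a description like `"Runtime path to the hashed password file (e.g. a sops-nix secret path); never a path into the Nix store"` makes the contract explicit at the option that users actually set. `nullOr` and `path` are used unqualified, so `lib.types` must already be brought into scope by the `let` above the hunk.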
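Review bot: Adding `"keys"` to the module's default `extraGroups` grants the account group-level read access to every secret whose `group` is set to `keys`, on every host that uses this module, which is broader than the explicit per-secret `owner`/`group` grants used in systems/x86_64-linux/desktop/sops.nix. If only the desktop needs it, `cfg.extraGroups` on that host is the place for it; otherwise a comment naming the secret that requires the membership (`# "keys": needed for <secret> — see sops.nix`) would justify the grant for the next reviewer. The `extraGroups` list starts before the hunk and continues after it.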
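Review bot: `shell = lib.mkForce pkgs.zsh;` replaces the earlier `lib.mkDefault`, so no host can pick another shell through the module system and the only remaining escape hatch is the plain `// cfg.extraOptions` attribute merge on the line below; since the per-host `shell = pkgsVersion.zsh` this was presumably competing with is deleted from systems/x86_64-linux/desktop/users.nix in the same commit, the force is no longer needed and `shell = lib.mkDefault pkgs.zsh;` is the less surprising choice. `hashedPasswordFile = cfg.passwordFile;` is fine with the option's `null` default, but nothing tells a reader that leaving it unset yields a `wheel` member with no password source at all; a sentence in the option description, or an assertion where a host is expected to supply one, would make that explicit.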
+++ b/systems/x86_64-linux/desktop/default.nix
@@ -1,33 +1,35 @@
 {
 # Snowfall Lib provides a customized `lib` instance with access to your flake's library
 # as well as the libraries available from your flake's inputs.
- lib,
- # An instance of `pkgs` with your overlays and packages applied is also available.
- pkgs,
- # You also have access to your flake's inputs.
- inputs,
+ # lib,
+ # # An instance of `pkgs` with your overlays and packages applied is also available.
+ # pkgs,
+ # # You also have access to your flake's inputs.
+ # inputs,
 # Additional metadata is provided by Snowfall Lib.
 namespace, # The namespace used for your flake, defaulting to "internal" if not set.
- system, # The system architecture for this host (eg. `x86_64-linux`).
- target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
- format, # A normalized name for the system target (eg. `iso`).
- virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
- systems, # An attribute map of your defined hosts.
+ # system, # The system architecture for this host (eg. `x86_64-linux`).
+ # target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
+ # format, # A normalized name for the system target (eg. `iso`).
+ # virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
+ # systems, # An attribute map of your defined hosts.
 # All other arguments come from the system system.
 config,
 ...
- }:
- {
+}:
+let
+ passwordFile = config.sops.secrets."desktop/matt_password".path;
+in
+{
 imports = [
 ./boot.nix
 ./configuration.nix
 ./filesystems.nix
 ./hardware-configuration.nix
- ./networking.nix
+ # ./networking.nix
 ./nix.nix
 ./sops.nix
- ./users.nix
 ./specialisations/hyprland
@@ -36,5 +38,11 @@
 ${namespace} = {
 bootloader.lanzaboote.enable = true;
 desktop.gnome.enable = true;
+ network = {
+ hostName = "matt-nixos";
+ };
+ user = {
+ passwordFile = passwordFile;
+ };
 };
}
\ No newline at end of file
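Review bot: `./users.nix` is dropped from `imports`, yet systems/x86_64-linux/desktop/users.nix is still rewritten in this commit to set `${namespace}.user.passwordFile` — the same value this file now sets in its second hunk — so that file is dead after this change; either delete it or keep the import and remove the duplicate here, but not both halves. The argument-set cleanup comments out `lib`, `pkgs`, `inputs`, `system`, `target`, `format`, `virtual` and `systems` instead of removing them, and does the same with `# ./networking.nix`; commented-out code carries nothing that git history does not, and the Snowfall template explanations can stay as comments without the dead identifiers. Binding `passwordFile` from `config.sops.secrets."desktop/matt_password".path` at the top of the host file is fine, since `.path` is the runtime location of the secret rather than its contents.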
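Review bot: `user = { passwordFile = passwordFile; };` repeats the binding name; `user = { inherit passwordFile; };` or `user.passwordFile = passwordFile;` is the idiomatic form, and the same dotted style would let `network.hostName = "matt-nixos";` sit on one line next to `bootloader.lanzaboote.enable` and `desktop.gnome.enable` above it. The closing `};` and `}` here are the end of the file, so nothing is cut off.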
diff --git a/systems/x86_64-linux/desktop/sops.nix b/systems/x86_64-linux/desktop/sops.nix
index 7b63580..0877383 100755
--- a/systems/x86_64-linux/desktop/sops.nix
+++ b/systems/x86_64-linux/desktop/sops.nix
@@ -1,6 +1,8 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
 user = "matt";
+ desktopSopsFile = (lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml");
+ commonSopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml");
 in
 {
 # Permission modes are in octal representation (same as chmod),
@@ -18,7 +20,7 @@ in
 # Either the group id or group name representation of the secret group
 # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration
 sops = {
- defaultSopsFile = ../../../secrets/desktop-secrets.yaml;
+ defaultSopsFile = desktopSopsFile;
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 # ------------------------------
@@ -44,34 +46,34 @@ in
 mode = "0600";
 };
 "wifi" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 };
 # ------------------------------
 # SSH keys
 # ------------------------------
 "ssh-keys-public/desktop-nixos" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 mode = "0644";
 owner = config.users.users."${user}".name;
 group = config.users.users."${user}".group;
 restartUnits = [ "sshd.service" ];
 };
 "ssh-keys-private/desktop-nixos" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 mode = "0600";
 owner = config.users.users."${user}".name;
 group = config.users.users."${user}".group;
 restartUnits = [ "sshd.service" ];
 };
 "ssh-keys-public/desktop-nixos-root" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/root/.ssh/id_ed25519.pub";
 mode = "0600";
 restartUnits = [ "sshd.service" ];
 };
 "ssh-keys-private/desktop-nixos-root" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/root/.ssh/id_ed25519";
 mode = "0600";
 restartUnits = [ "sshd.service" ];
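Review bot: The parentheses around `lib.snowfall.fs.get-file "…"` on both new let bindings are redundant; `desktopSopsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";` reads the same. The switch from a relative path to `lib.snowfall.fs.get-file` ties this file to Snowfall's extended `lib`, which is fine for this flake but worth a short comment such as `# resolved relative to the flake root via Snowfall's lib` since the old `../../../` form needed nothing special. The `user = "matt"` binding that sits between the two new lines now duplicates the `${namespace}.user.name` option the rest of this commit moves to; reading it from there would keep the secret `owner`/`group` in step with the account module.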
@@ -81,37 +83,37 @@ in
 # Secureboot keys
 # ------------------------------
 "secureboot/GUID" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/GUID";
 mode = "0600";
 };
 "secureboot/keys/db-key" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/db/db.key";
 mode = "0600";
 };
 "secureboot/keys/db-pem" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/db/db.pem";
 mode = "0600";
 };
 "secureboot/keys/KEK-key" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/KEK/KEK.key";
 mode = "0600";
 };
 "secureboot/keys/KEK-pem" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/KEK/KEK.pem";
 mode = "0600";
 };
 "secureboot/keys/PK-key" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/PK/PK.key";
 mode = "0600";
 };
 "secureboot/keys/PK-pem" = {
- sopsFile = ../../../secrets/secrets.yaml;
+ sopsFile = commonSopsFile;
 path = "/etc/secureboot/keys/PK/PK.pem";
 mode = "0600";
 };
diff --git a/systems/x86_64-linux/desktop/specialisations/hyprland/home/default.nix b/systems/x86_64-linux/desktop/specialisations/hyprland/home/default.nix
index 56f1433..09c1ff3 100644
--- a/systems/x86_64-linux/desktop/specialisations/hyprland/home/default.nix
+++ b/systems/x86_64-linux/desktop/specialisations/hyprland/home/default.nix
@@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 let
- theme = import ../../../../../../modules/home/desktop/theme/nord.nix;
+ theme = import (lib.snowfall.fs.get-file "modules/home/desktop/theme/nord.nix");
 fontName = "JetBrainsMono NFM";
 fontPackage = pkgs.nerd-fonts.jetbrains-mono;
 in
diff --git a/systems/x86_64-linux/desktop/users.nix b/systems/x86_64-linux/desktop/users.nix
index cad7be0..68b3046 100644
--- a/systems/x86_64-linux/desktop/users.nix
+++ b/systems/x86_64-linux/desktop/users.nix
@@ -1,26 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, namespace, ... }:
 let
- user = "matt";
 passwordFile = config.sops.secrets."desktop/matt_password".path;
- pkgsVersion = pkgs; #.unstable;
 in
 {
- users.users."${user}" = {
- isNormalUser = lib.mkDefault true;
- extraGroups = [
- "wheel"
- "keys"
- "networkmanager"
- "ratbagd"
- "input"
- "scanner"
- "lp"
- "video"
- "i2c"
- ]; # Enable ‘sudo’ for the user.
- hashedPasswordFile = passwordFile;
- shell = pkgsVersion.zsh;
+ ${namespace}.user = {
+ passwordFile = passwordFile;
 };
-
- users.users.root.shell = pkgsVersion.zsh;
}
\ No newline at end of file
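Review bot: After this hunk the file only sets `${namespace}.user.passwordFile`, which systems/x86_64-linux/desktop/default.nix now sets itself while also dropping `./users.nix` from its `imports`, so nothing evaluates this module any more; deleting the file outright would be cleaner than keeping a duplicate that silently does nothing. Two settings leave with the old block and have no replacement visible anywhere in the diff: `users.users.root.shell = pkgsVersion.zsh` (the module in modules/nixos/user sets only the named user's shell) and the `input`, `lp` and `video` group memberships, which that module's `extraGroups` hunks do not add — if those were still wanted, root now falls back to the default shell and the account may lose device access, so a `cfg.extraGroups` entry on the host or a comment recording the deliberate drop is needed.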