diff --git a/modules/home/gpg/default.nix b/modules/home/gpg/default.nix
index 3dcaa5c..e8b2ac4 100644
--- a/modules/home/gpg/default.nix
+++ b/modules/home/gpg/default.nix
@@ -7,6 +7,7 @@
 {
 text = ''
 -----BEGIN PGP PUBLIC KEY BLOCK-----
+
 mQINBGipyhUBEADCal3wKbTCJHZ7qBTxe2zrJPGV9vu6V4+x/MBQq07jd33RrdgI
 5R/YSviZLyTjY84xk+XTpxWe6PNxcrNlPrJgqR48UNYiG7rH2VWg073KQZaAEeX4
 DRmfANtds9m9N9CadMv1XcHvVkEz+UlD3yYGNwrd1ZnWVBpUobIyZvFrVjpGBtOg
diff --git a/modules/nixos/disko/x86_64-linux/default.nix b/modules/nixos/disko/x86_64-linux/default.nix
index 0823b48..a0e92f7 100644
--- a/modules/nixos/disko/x86_64-linux/default.nix
+++ b/modules/nixos/disko/x86_64-linux/default.nix
@@ -75,6 +75,14 @@ in
 config = lib.mkIf (!isArm && cfg.enable) {
 disko.devices = lib.mkMerge [
 {
+ nodev."/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "mode=755"
+ "defaults"
+ "size=25%"
+ ];
+ };
 disk = {
 main = {
 device = rootDisk;
@@ -108,35 +116,37 @@ in
 "--compression=zstd"
 ];
 subvolumes = {
- "subvolumes/root" = {
- mountpoint = "/";
+ "root" = {
+ mountpoint = "/root";
 mountOptions = [
- "verbose"
+ "noatime"
 ];
 };
- "subvolumes/persistent" = {
- mountpoint = "/persistent";
+ "etc" = {
+ mountOptions = [
+ "noatime"
+ ];
+ mountpoint = "/etc";
 };
- "subvolumes/nix" = {
+ "nix" = {
 mountOptions = [
 "noatime"
 ];
 mountpoint = "/nix";
 };
+ "log" = {
+ mountOptions = [
+ "noatime"
+ ];
+ mountpoint = "/var/log";
+ };
+ "home" = {
+ mountpoint = "/home";
+ };
 };
 };
 };
 }
- (lib.mkIf (cfg.filesystem == "btrfs") {
- nodev."/" = {
- fsType = "tmpfs";
- mountOptions = [
- "mode=755"
- "defaults"
- "size=25%"
- ];
- };
- })
 ];
 };
 }
diff --git a/modules/nixos/impermanence/default.nix b/modules/nixos/impermanence/default.nix
index 6c5de07..bb8752f 100755
--- a/modules/nixos/impermanence/default.nix
+++ b/modules/nixos/impermanence/default.nix
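Review bot: The tmpfs `nodev."/"` block is now applied to every `!isArm && cfg.enable` host regardless of `cfg.filesystem`, whereas the `lib.mkIf (cfg.filesystem == "btrfs")` wrapper removed in the next hunk limited it to btrfs. With `nuc` switching to `filesystem = "bcachefs"` in this same commit, any bcachefs branch of this module (not in the diff) that still declares a mount for `/` would collide with this definition, and a layout that relied on a subvolume rootfs would silently get an ephemeral tmpfs root instead. A comment on the block would make the new contract explicit, e.g. `# "/" is always tmpfs on x86_64; per-filesystem disk layouts must not mount "/" themselves`. The enclosing `config = lib.mkIf ... {` attrset continues past the hunk.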
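Review bot: Mounting a persistent `etc` subvolume at `/etc` persists the whole directory across reboots, which bypasses the explicit allow-list the impermanence module keeps for `/etc` entries (`/etc/machine-id`, `/etc/nix`, `/etc/NetworkManager/system-connections`), so the ephemeral-root guarantee no longer covers `/etc`; if that is intended, say so with a comment such as `# /etc is persisted wholesale; impermanence entries under /etc become redundant`. The `root` subvolume now holds root's home at `/root` with no `mode=` restriction; unless the subvolume's top-level directory is chmod'ed elsewhere, it is presumably created with a default 0755, which makes root's home listing readable to every local user — worth verifying on a fresh install. As a point of style, `home` is the only subvolume without `noatime` while its four siblings set it; `mountOptions = [ "noatime" ];` would keep them consistent.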
@@ -12,126 +12,7 @@ in
 imports = [ ./options.nix ];
 
 config = mkIf cfg.enable {
- security.sudo.extraConfig = ''
- # rollback results in sudo lectures after each reboot
- Defaults lecture = never
- '';
-
- system.activationScripts = {
- "var-lib-private-permissions" = {
- deps = [ "createPersistentStorageDirs" ];
- text = ''
- mkdir -p /var/lib/private
- chmod 0700 /var/lib/private
- '';
- };
- };
-
- boot.initrd.systemd.services.rootfs-cleanup = {
- description = "Clean file system root";
- wantedBy = [
- "initrd.target"
- ];
- after = [
- "initrd-root-device.target"
- ];
- before = [
- "sysroot.mount"
- ];
- unitConfig.DefaultDependencies = "no";
- serviceConfig.Type = "oneshot";
- script =
- if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "btrfs") then
- ''
- # workaround for machines without working rtc battery
- # The time may not yet be correctly set, so wait until it is
- if [[ $(date '+%s') -lt 1730469314 ]]; then
- sleep 30 # this should hopefully be enough
- fi
- mkdir /btrfs_tmp
- mount ${config.fileSystems."/".device} -t btrfs /btrfs_tmp
- if [[ -e /btrfs_tmp/root ]]; then
- mkdir -p /btrfs_tmp/old_roots
- timestamp=$(date --date="@$(stat -c %X /btrfs_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
- mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
- fi
-
- delete_subvolume_recursively() {
- IFS=$'\n'
- for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
- delete_subvolume_recursively "/btrfs_tmp/$i"
- done
- btrfs subvolume delete "$1" || rm -rf "$1"
- }
-
- for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -atime +30); do
- delete_subvolume_recursively "$i"
- done
-
- btrfs subvolume create /btrfs_tmp/root
- umount /btrfs_tmp
- ''
- else if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "bcachefs") then
- ''
- # workaround for machines without working rtc battery
- # The time may not yet be correctly set, so wait until it is
- if [[ $(date '+%s') -lt 1730469314 ]]; then
- sleep 30 # this should hopefully be enough
- fi
- if [[ -e /root_tmp/root ]]; then
- mkdir -p /root_tmp/old_roots
- timestamp=$(date --date="@$(stat -c %X /root_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
- mv /root_tmp/root "/root_tmp/old_roots/$timestamp"
- fi
-
- for i in $(find /root_tmp/old_roots/ -maxdepth 1 -atime +30); do
- bcachefs subvolume delete $i
- done
-
- bcachefs subvolume create /root_tmp/root
- ''
- else
- # For tmpfs or other filesystems, do nothing
- "";
- };
-
- assertions = [
- {
- assertion = hasAttr "/" config.fileSystems;
- message = "To use impermanence, you need to define a root volume";
- }
-
- {
- assertion =
- if hasAttr "/" config.fileSystems then
- config.fileSystems."/".fsType == "btrfs"
- || config.fileSystems."/".fsType == "bcachefs"
- || config.fileSystems."/".fsType == "tmpfs"
- else
- false;
- message = "rootfs must be btrfs, bcachefs, or tmpfs; not " + config.fileSystems."/".fsType;
- }
-
- {
- assertion =
- if
- hasAttr "/" config.fileSystems
- && (config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs")
- then
- any (
- t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=subvolumes/root"
- ) config.fileSystems."/".options
- else
- true;
- message = "btrfs or bcachefs rootfs must mount subvolume root";
- }
- {
- assertion = !config.boot.isContainer;
- message = "impermanence is not supported in containers";
- }
- ];
-
- environment.persistence.${cfg.persistencePath} = {
+ environment.persistence."/nix/persist/system" = {
 hideMounts = true;
 directories = [
 "/var/lib/bluetooth"
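Review bot: `environment.persistence."/nix/persist/system" = {` hard-codes the path that the removed line took from `cfg.persistencePath`, so the option declared in the imported `./options.nix` (which this commit does not touch) presumably no longer has any effect; either keep `${cfg.persistencePath}` or remove the option so the two cannot disagree. The hunk also deletes all four `assertions`, including `!config.boot.isContainer` and the root-filesystem-type check, and the `chmod 0700 /var/lib/private` activation script, so a host that enables impermanence with an unsupported root now evaluates cleanly and only misbehaves at boot. If the assertions are obsolete because the disko module now always provides a tmpfs root, a comment at the top of `config = mkIf cfg.enable {` stating that dependency would help the next reader, e.g. `# rootfs is assumed to be tmpfs (see modules/nixos/disko); no fs-type assertions here`. The enclosing attrset and the `directories` list continue past the hunk.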
@@ -192,5 +73,186 @@ in
 "/etc/machine-id"
 ];
 };
+
+ security.sudo.extraConfig = ''
+ # rollback results in sudo lectures after each reboot
+ Defaults lecture = never
+ '';
+
+ # system.activationScripts = {
+ # "var-lib-private-permissions" = {
+ # deps = [ "createPersistentStorageDirs" ];
+ # text = ''
+ # mkdir -p /var/lib/private
+ # chmod 0700 /var/lib/private
+ # '';
+ # };
+ # };
+
+ # boot.initrd.systemd.services.rootfs-cleanup = {
+ # description = "Clean file system root";
+ # wantedBy = [
+ # "initrd.target"
+ # ];
+ # after = [
+ # "initrd-root-device.target"
+ # ];
+ # before = [
+ # "sysroot.mount"
+ # ];
+ # unitConfig.DefaultDependencies = "no";
+ # serviceConfig.Type = "oneshot";
+ # script =
+ # if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "btrfs") then
+ # ''
+ # # workaround for machines without working rtc battery
+ # # The time may not yet be correctly set, so wait until it is
+ # if [[ $(date '+%s') -lt 1730469314 ]]; then
+ # sleep 30 # this should hopefully be enough
+ # fi
+ # mkdir /btrfs_tmp
+ # mount ${config.fileSystems."/".device} -t btrfs /btrfs_tmp
+ # if [[ -e /btrfs_tmp/root ]]; then
+ # mkdir -p /btrfs_tmp/old_roots
+ # timestamp=$(date --date="@$(stat -c %X /btrfs_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
+ # mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ # fi
+
+ # delete_subvolume_recursively() {
+ # IFS=$'\n'
+ # for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ # delete_subvolume_recursively "/btrfs_tmp/$i"
+ # done
+ # btrfs subvolume delete "$1" || rm -rf "$1"
+ # }
+
+ # for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -atime +30); do
+ # delete_subvolume_recursively "$i"
+ # done
+
+ # btrfs subvolume create /btrfs_tmp/root
+ # umount /btrfs_tmp
+ # ''
+ # else if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "bcachefs") then
+ # ''
+ # # workaround for machines without working rtc battery
+ # # The time may not yet be correctly set, so wait until it is
+ # if [[ $(date '+%s') -lt 1730469314 ]]; then
+ # sleep 30 # this should hopefully be enough
+ # fi
+ # if [[ -e /root_tmp/root ]]; then
+ # mkdir -p /root_tmp/old_roots
+ # timestamp=$(date --date="@$(stat -c %X /root_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
+ # mv /root_tmp/root "/root_tmp/old_roots/$timestamp"
+ # fi
+
+ # for i in $(find /root_tmp/old_roots/ -maxdepth 1 -atime +30); do
+ # bcachefs subvolume delete $i
+ # done
+
+ # bcachefs subvolume create /root_tmp/root
+ # ''
+ # else
+ # # For tmpfs or other filesystems, do nothing
+ # "";
+ # };
+
+ # assertions = [
+ # {
+ # assertion = hasAttr "/" config.fileSystems;
+ # message = "To use impermanence, you need to define a root volume";
+ # }
+
+ # {
+ # assertion =
+ # if hasAttr "/" config.fileSystems then
+ # config.fileSystems."/".fsType == "btrfs"
+ # || config.fileSystems."/".fsType == "bcachefs"
+ # || config.fileSystems."/".fsType == "tmpfs"
+ # else
+ # false;
+ # message = "rootfs must be btrfs, bcachefs, or tmpfs; not " + config.fileSystems."/".fsType;
+ # }
+
+ # {
+ # assertion =
+ # if
+ # hasAttr "/" config.fileSystems
+ # && (config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs")
+ # then
+ # any (
+ # t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=root"
+ # ) config.fileSystems."/".options
+ # else
+ # true;
+ # message = "btrfs or bcachefs rootfs must mount subvolume root";
+ # }
+ # {
+ # assertion = !config.boot.isContainer;
+ # message = "impermanence is not supported in containers";
+ # }
+ # ];
+
+ # environment.persistence.${cfg.persistencePath} = {
+ # hideMounts = true;
+ # directories = [
+ # "/var/lib/bluetooth"
+ # "/var/lib/iwd"
+ # "/var/lib/nixos"
+ # "/var/lib/libvirt"
+ # "/var/lib/waydroid"
+ # "/var/lib/systemd/coredump"
+ # "/etc/NetworkManager/system-connections"
+ # "/var/lib/tailscale"
+ # "/var/lib/homeassistant"
+ # "/var/lib/mosquitto"
+ # "/var/lib/music-assistant"
+ # "/var/lib/postgresql"
+ # "/var/lib/zigbee2mqtt"
+ # {
+ # directory = "/var/lib/colord";
+ # user = "colord";
+ # group = "colord";
+ # mode = "u=rwx,g=rx,o=";
+ # }
+ # {
+ # directory = "/etc/nix";
+ # user = "root";
+ # group = "root";
+ # mode = "u=rwx,g=rx,o=rx";
+ # }
+ # {
+ # directory = "/var/lib/private/authentik/media";
+ # user = "authentik";
+ # group = "authentik";
+ # mode = "u=rwx,g=,o=";
+ # }
+ # {
+ # directory = "/var/lib/private";
+ # mode = "u=rwx,g=rx,o=";
+ # }
+ # {
+ # directory = "/media/nas";
+ # user = "nas-apps";
+ # group = "jallen-nas";
+ # mode = "u=rwx,g=rx,o=rx";
+ # }
+ # {
+ # directory = "/var/lib/crowdsec";
+ # user = "crowdsec";
+ # group = "crowdsec";
+ # mode = "u=rwx,g=rwx,o=rx";
+ # }
+ # {
+ # directory = "/plugins-storage";
+ # user = "traefik";
+ # group = "traefik";
+ # mode = "u=rwx,g=rwx,o=rx";
+ # }
+ # ];
+ # files = [
+ # "/etc/machine-id"
+ # ];
+ # };
 };
 }
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 34598f4..c68c610 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, namespace, ... }:
 {
 nix = {
 settings = {
@@ -29,6 +29,7 @@
 nixpkgs = {
 config = {
 allowUnfree = lib.mkForce true;
+ cudaSupport =lib.mkDefault config.${namespace}.hardware.nvidia.enable;
 allowUnsupportedSystem = true;
 permittedInsecurePackages = [
 # ...
diff --git a/modules/nixos/wyoming/default.nix b/modules/nixos/wyoming/default.nix
index cd5b4c7..7f67c51 100755
--- a/modules/nixos/wyoming/default.nix
+++ b/modules/nixos/wyoming/default.nix
@@ -16,7 +16,7 @@ in
 faster-whisper.servers.hass-whisper = {
 enable = true;
 useTransformers = false;
- device = "cuda";
+ device = lib.mkForce "cuda";
 language = "en";
 model = "distil-large-v3";
 uri = "tcp://0.0.0.0:10300";
diff --git a/qemu.nix b/qemu.nix
new file mode 100644
index 0000000..38bb837
--- /dev/null
+++ b/qemu.nix
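Review bot: Commenting out `system.activationScripts."var-lib-private-permissions"` drops the `chmod 0700 /var/lib/private` that the old module enforced; the persistence entry `{ directory = "/var/lib/private"; mode = "u=rwx,g=rx,o="; }` (visible here in the commented copy, and presumably still in the live list between the two hunks) creates it 0750, and as far as I recall systemd refuses to set up `DynamicUser=` state directories when `/var/lib/private` is more permissive than 0700, so services such as authentik may fail to start after a fresh boot — either restore the activation script or change that entry to `mode = "u=rwx,g=,o="`. The roughly 170 commented-out lines that follow, including what appears to be a copy of the `environment.persistence` directories list that is still live above this hunk, will drift from the active code; git history already preserves the old implementation, so the commented block should be deleted rather than kept. The enclosing `config = mkIf cfg.enable {` attrset starts before the hunk.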
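Review bot: `cudaSupport =lib.mkDefault config.${namespace}.hardware.nvidia.enable;` is missing the space after `=`; write `cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable;`. A one-line comment would also help, since enabling `nixpkgs.config.cudaSupport` globally changes the derivation of every package that honours the flag, and those hosts will presumably build such packages locally instead of fetching them from the public cache, e.g. `# follows the nvidia module; expect local builds for CUDA-enabled packages`. The `config` and `namespace` arguments this line needs are added in the first hunk of this file.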
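Review bot: `device = lib.mkForce "cuda";` gives no hint of which other definition it is overriding; `mkForce` (priority 50) silently wins over any host-level `device = "cpu";`, which would otherwise surface as a conflict error rather than being ignored. If a conflicting definition exists elsewhere in the tree, name it in a comment, e.g. `# mkForce: overrides the device set by <module> — confirm`, or use `lib.mkOverride` with a documented priority so a host can still force a different value. The enclosing `faster-whisper.servers.hass-whisper` attrset continues past the hunk.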
@@ -0,0 +1,25 @@
+with import {};
+
+writeShellApplication {
+ name = "test-image";
+ runtimeInputs = [ qemu ];
+ text = ''
+ if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+ tmpFile=$(mktemp /tmp/test-image.XXXXXX)
+ trap 'rm -f $tmpFile' EXIT
+ cp "$1" "$tmpFile"
+ qemu-system-x86_64 \
+ -enable-kvm \
+ -m 2G \
+ -cpu max \
+ -smp 2 \
+ -netdev user,id=net0,hostfwd=tcp::2222-:22 \
+ -device virtio-net-pci,netdev=net0 \
+ -drive if=pflash,format=raw,readonly=on,file=${OVMF.firmware} \
+ -drive if=pflash,format=raw,readonly=on,file=${OVMF.variables} \
+ -drive "if=virtio,format=raw,file=$tmpFile"
+ '';
+}
diff --git a/systems/x86_64-linux/nuc/default.nix b/systems/x86_64-linux/nuc/default.nix
index 0417dd7..b6b6f2f 100644
--- a/systems/x86_64-linux/nuc/default.nix
+++ b/systems/x86_64-linux/nuc/default.nix
@@ -18,7 +18,7 @@
 services.home-assistant.enable = true;
 hardware.disko = {
 enable = true;
- # filesystem = "bcachefs";
+ filesystem = "bcachefs";
 };
 impermanence.enable = true;
 network = {
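Review bot: `if [ -z "$1" ]; then` runs under the `set -u` that `writeShellApplication` enables, so invoking the script with no argument aborts with an unbound-variable error before the usage message is printed; use `if [ -z "${1:-}" ]; then`. `hostfwd=tcp::2222-:22` binds the forwarded guest SSH port on every host interface, so the test VM is reachable from the local network for as long as it runs; `hostfwd=tcp:127.0.0.1:2222-:22` keeps it on loopback. `trap 'rm -f $tmpFile' EXIT` leaves `$tmpFile` unquoted, which the shellcheck pass that `writeShellApplication` runs may reject as SC2086; `trap 'rm -f "$tmpFile"' EXIT` avoids that. The `with import {};` and `echo "Usage: $0 "` lines look as if they lost an angle-bracketed token (`<nixpkgs>`, an image placeholder) in rendering, so that part may be a display artefact rather than a defect.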