diff --git a/flake.nix b/flake.nix
index 9b9e848..47c8def 100644
--- a/flake.nix
+++ b/flake.nix
@@ -115,6 +115,20 @@
 ./hosts/infriltrator/configuration.nix
 ];
 };
+ "fighter" = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ specialArgs = {
+ pkgs-unstable = import nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ config.allowUnfreePredicate = _: true;
+ };
+ inherit inputs self;
+ };
+ modules = [
+ ./hosts/fighter/configuration.nix
+ ];
+ };
 "lost-home" = nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/fighter/configuration.nix b/hosts/fighter/configuration.nix
new file mode 100644
index 0000000..83b677a
--- /dev/null
+++ b/hosts/fighter/configuration.nix
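Review bot: `config.allowUnfreePredicate = _: true;` is redundant next to `config.allowUnfree = true;` on the line above, and together they give the `pkgs-unstable` set a blanket unfree policy even though the host's own configuration.nix restricts unfree packages to an explicit allowlist (`"via"`). I would keep one mechanism and mirror the host's policy — drop `allowUnfree = true` and pass the same predicate the host uses — or leave a comment `# unstable set deliberately allows all unfree; host pkgs stay allowlisted` so the asymmetry is documented. The entry is also a verbatim copy of the `lost-home` entry that follows (which runs past this hunk); a small `mkHost` helper in the flake would keep the two from drifting.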
@@ -0,0 +1,116 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ self,
+ ...
+}: {
+ imports = [
+ ./disko.nix
+ inputs.disko.nixosModules.disko
+ ./impermanence.nix
+
+ ./hardware-configuration.nix
+ ];
+
+ # Users
+ users.users."guz" = {
+ extraGroups = ["wheel" "guz"];
+ isNormalUser = true;
+ password = "1313";
+ # hashedPasswordFile = builtins.toString config.sops.secrets."guz/password".path;
+ shell = self.packages.${pkgs.stdenv.hostPlatform.system}.devkit.zsh;
+ };
+ users.groups."guz" = {};
+
+ # GnuPG keyring
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-gtk2;
+ settings.default-cache-ttl = 3600 * 24;
+ };
+
+ # Yet another nix cli helper
+ programs.nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 7d --keep 3";
+ flake = "/home/guz/Projects/dot013-nix";
+ };
+
+ # QMK keyboard
+ hardware.keyboard.qmk.enable = true;
+ services.udev.packages = with pkgs; [via vial];
+
+ # Pipewire
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ # Tailscale
+ services.tailscale.enable = true;
+
+ # Networking
+ networking.hostName = "lost-home";
+ networking.networkmanager.enable = true;
+
+ # Firewall
+ networking.firewall.enable = true;
+ networking.firewall.allowedUDPPorts = [53];
+ networking.firewall.allowedTCPPorts = [80 433];
+
+ # SSH
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = true;
+ PermitRootLogin = "forced-commands-only";
+ };
+
+ # Locale
+ time.timeZone = "America/Sao_Paulo";
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.extraLocaleSettings = let
+ locale = "pt_BR.UTF-8";
+ in {
+ LC_ADDRESS = locale;
+ LC_IDENTIFICATION = locale;
+ LC_MEASUREMENT = locale;
+ LC_MONETARY = locale;
+ LC_NAME = locale;
+ LC_NUMERIC = locale;
+ LC_PAPER = locale;
+ LC_TELEPHONE = locale;
+ LC_TIME = locale;
+ };
+
+ # Keyboard
+ services.xserver.xkb.layout = "br";
+ console.keyMap = "br-abnt2";
+
+ security.polkit.enable = true;
+
+ # Nix
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "via"
+ ];
+
+ # Bootloader
+ boot.loader.grub.enable = lib.mkForce true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.enableCryptodisk = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "25.11"; # Did you read the comment?
+}
diff --git a/hosts/fighter/disko.nix b/hosts/fighter/disko.nix
new file mode 100644
index 0000000..6a080a8
--- /dev/null
+++ b/hosts/fighter/disko.nix
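Review bot: `password = "1313";` commits a four-digit cleartext password for the `wheel` user to the repository (and, per the NixOS option warning for `users.users.<name>.password`, it also lands in the world-readable Nix store), while the same hunk enables sshd with `PasswordAuthentication = true;` and enables Tailscale, so the account is reachable over the tailnet and any LAN with a trivially guessable credential. The commented-out `hashedPasswordFile` line shows the intended approach, but as written it would not evaluate either, because `config` is not in this module's argument set. I would add `config` to the arguments, replace the literal with `hashedPasswordFile = config.sops.secrets."guz/password".path;`, and set `PasswordAuthentication = false;` so only keys are accepted. Two further copy-paste slips in the same hunk: `networking.hostName = "lost-home";` collides with the `lost-home` host registered in flake.nix (duplicate name on the tailnet/LAN), and `allowedTCPPorts = [80 433]` opens 433 — presumably 443 was meant — while nothing in this file listens on 53, 80 or 443, so the firewall openings should be dropped until a service needs them.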
@@ -0,0 +1,74 @@
+{
+ disko.devices = {
+ disk.main = {
+ device = "/dev/sdd"; # This will be overwritten by disko-install
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ loks = {
+ size = "100%";
+ label = "luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ extraOpenArgs = [
+ "--allow-discards"
+ "--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"
+ ];
+ settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
+ content = {
+ type = "btrfs";
+ extraArgs = ["-L" "nixos" "-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["subvol=root" "compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["subvol=home" "compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = ["subvol=log" "compress=zstd" "noatime"];
+ };
+ "/swap" = {
+ mountpoint = "/swap";
+ swap.swapfile.size = "6G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/home".neededForBoot = true;
+ fileSystems."/var/log".neededForBoot = true;
+}
diff --git a/hosts/fighter/hardware-configuration.nix b/hosts/fighter/hardware-configuration.nix
new file mode 100644
index 0000000..e0f1989
--- /dev/null
+++ b/hosts/fighter/hardware-configuration.nix
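Review bot: `settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];}` is the only thing that ties the LUKS volume to a FIDO2 token, and as far as I can tell from the NixOS option description, `boot.initrd.luks.devices.<name>.crypttabExtraOpts` is honoured only by the systemd-based stage 1 (`boot.initrd.systemd.enable = true`), which this host's configuration.nix does not set; meanwhile the host's impermanence module hooks `boot.initrd.postResumeCommands`, a scripted-initrd hook, so the two cannot both be active and one of them silently does nothing. Please settle on one initrd — systemd stage 1 with the rollback moved into a service, or scripted stage 1 with the token option dropped — and add a comment here stating which unlock path is actually in effect, e.g. `# FIDO2 unlock via crypttab: requires boot.initrd.systemd.enable in configuration.nix`. Separately, `--allow-discards` passes TRIM through dm-crypt and lets anyone holding the raw disk learn which sectors are unused; that is a common trade-off but deserves a one-line comment such as `# --allow-discards: leaks free-space layout to the disk, accepted for SSD health`. Minor: the partition attribute is spelled `loks` while its label is `luks`.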
@@ -0,0 +1,21 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/fighter/impermanence.nix b/hosts/fighter/impermanence.nix
new file mode 100644
index 0000000..afe5b7f
--- /dev/null
+++ b/hosts/fighter/impermanence.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ environment.persistence."/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ # config.services.minecraft-servers.dataDir
+ "/etc/nixos"
+ "/etc/NetworkManager/system-connections"
+ "/etc/secureboot"
+ "/var/db/sudo"
+ "/var/keys"
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/var/lib/tailscale"
+ {
+ directory = "/var/lib/colord";
+ user = "colord";
+ group = "colord";
+ mode = "u=rwx,g=rx,o=";
+ }
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ };
+
+ boot.initrd.postResumeCommands = let
+ # https://github.com/nix-community/impermanence?tab=readme-ov-file#btrfs-subvolumes
+ script = pkgs.writeShellScriptBin "rollback" ''
+ mkdir -p /btrfs_tmp
+
+ mount -o subvol=/ /dev/mapper/cryptroot /btrfs_tmp
+
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+ in "${builtins.readFile (lib.getExe script)}";
+}
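Review bot: `/etc/ssh` is missing from the persisted `directories`, so with `/` recreated from a fresh subvolume on every boot by the `rollback` script below, the host keys that `services.openssh.enable = true` in this host's configuration.nix generates are regenerated on each reboot and every client sees a host-key-changed warning — which trains users to accept key changes and defeats the one check SSH has against an interposed host. Add `"/etc/ssh"` (or the individual `/etc/ssh/ssh_host_*_key` files under `files`) to the list; `/var/lib/tailscale` is already persisted for exactly this kind of long-lived identity. `/var/lib/systemd/coredump` is also persisted, and core dumps routinely hold process memory including credentials, so either drop it or add a comment `# coredumps kept across reboots on purpose for debugging; contain process memory` so the choice is explicit. Style: routing the script through `pkgs.writeShellScriptBin` and `builtins.readFile (lib.getExe script)` embeds the wrapper's shebang line into `postResumeCommands` as a stray comment; a plain string literal (or `pkgs.writeShellScript` if a derivation is wanted) would be simpler and clearer.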