cleanup, reenable HT

This commit is contained in:
Grimmauld 2025-01-27 10:38:55 +01:00
parent e6205dd705
commit faf2aadd23
No known key found for this signature in database
11 changed files with 259 additions and 6183 deletions


@ -17,7 +17,6 @@ in
config = mkIf (enable && gaming) { config = mkIf (enable && gaming) {
programs.steam = { programs.steam = {
enable = true; enable = true;
gamescopeSession.enable = true;
gamescopeSession.env = { gamescopeSession.env = {
DRI_PRIME = "1"; DRI_PRIME = "1";
}; };


@ -29,44 +29,15 @@ in
services.udev.packages = with pkgs; [ yubikey-personalization ]; services.udev.packages = with pkgs; [ yubikey-personalization ];
boot.bcache.enable = false; boot.bcache.enable = false;
# hardware.i2c.enable = true;
services.libinput.enable = true; services.libinput.enable = true;
hardware.opentabletdriver.enable = true;
systemd.user.services.opentabletdriver.after = [ "local-fs.target" ]; # hardware.opentabletdriver.enable = true;
# systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];
services.udisks2.enable = true; services.udisks2.enable = true;
#services.udev.extraRules = ''
# SUBSYSTEM=="i2c-dev", ACTION=="add",\
# ATTR{name}=="NVIDIA i2c adapter*",\
# TAG+="ddcci",\
# TAG+="systemd",\
# ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
#'';
# systemd.services."ddcci@" = {
# scriptArgs = "%i";
# script = ''
# sleep 20
# echo Trying to attach ddcci to $1
# i=0
# id=$(echo $1 | cut -d "-" -f 2)
# if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then
# echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device
# fi
# '';
# serviceConfig.Type = "oneshot";
#};
# systemd.enableCgroupAccounting = true;
# systemd.enableUnifiedCgroupHierarchy = false;
boot = { boot = {
kernelParams = [ kernelParams = [
# "intel_iommu=on"
"nohibernate" "nohibernate"
# "pcie_aspm=off"
]; ];
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ initrd.availableKernelModules = [
@ -77,14 +48,7 @@ in
"usb_storage" "usb_storage"
"sd_mod" "sd_mod"
]; ];
# initrd.systemd.enable = true;
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
# extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ];
kernelModules = [
# "ddcci_backlight"
# "i2c-dev"
# "ec_sys"
];
}; };
}; };

5785
custom/ncspot/Cargo.lock generated



@ -1,96 +0,0 @@
{
stdenv,
lib,
fetchFromGitHub,
rustPlatform,
pkg-config,
ncurses,
openssl,
darwin,
withALSA ? stdenv.isLinux,
alsa-lib,
withClipboard ? true,
libxcb,
python3,
withCover ? false,
ueberzug,
withPulseAudio ? stdenv.isLinux,
libpulseaudio,
withPortAudio ? stdenv.isDarwin,
portaudio,
withMPRIS ? stdenv.isLinux,
withNotify ? true,
dbus,
withCrossterm ? true,
nix-update-script,
testers,
ncspot,
}:
let
inherit (darwin.apple_sdk.frameworks) Cocoa;
in
rustPlatform.buildRustPackage rec {
pname = "ncspot";
version = "1.1.1";
src = fetchFromGitHub {
owner = "hrkfdn";
repo = "ncspot";
rev = "4ac180816da1d5caab356e71c8c56570e26ba1e8";
hash = "sha256-2WGFvugH/U2GH6/a/uSG0sbuu14u2BItKlc9esvueQc=";
};
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"librespot-audio-0.5.0-dev" = "sha256-0LjNHLgZ91UrC3qefXzR4Pl+eh6+vyrkG2qaPDwWpAg=";
};
};
nativeBuildInputs = [ pkg-config ] ++ lib.optional withClipboard python3;
buildInputs =
[ ncurses ]
++ lib.optional stdenv.isLinux openssl
++ lib.optional withALSA alsa-lib
++ lib.optional withClipboard libxcb
++ lib.optional withCover ueberzug
++ lib.optional withPulseAudio libpulseaudio
++ lib.optional withPortAudio portaudio
++ lib.optional (withMPRIS || withNotify) dbus
++ lib.optional stdenv.isDarwin Cocoa;
env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isDarwin "-DNCURSES_UNCTRL_H_incl";
buildNoDefaultFeatures = true;
buildFeatures =
[ "cursive/pancurses-backend" ]
++ lib.optional withALSA "alsa_backend"
++ lib.optional withClipboard "share_clipboard"
++ lib.optional withCover "cover"
++ lib.optional withPulseAudio "pulseaudio_backend"
++ lib.optional withPortAudio "portaudio_backend"
++ lib.optional withMPRIS "mpris"
++ lib.optional withCrossterm "crossterm_backend"
++ lib.optional withNotify "notify";
postInstall = ''
install -D --mode=444 $src/misc/ncspot.desktop $out/share/applications/${pname}.desktop
install -D --mode=444 $src/images/logo.svg $out/share/icons/hicolor/scalable/apps/${pname}.png
'';
passthru = {
updateScript = nix-update-script { };
tests.version = testers.testVersion { package = ncspot; };
};
meta = with lib; {
description = "Cross-platform ncurses Spotify client written in Rust, inspired by ncmpc and the likes";
homepage = "https://github.com/hrkfdn/ncspot";
changelog = "https://github.com/hrkfdn/ncspot/releases/tag/v${version}";
license = licenses.bsd2;
maintainers = with maintainers; [ liff ];
mainProgram = "ncspot";
};
}


@ -23,6 +23,8 @@
virtualisation.vswitch.enable = false; virtualisation.vswitch.enable = false;
services.resolved.enable = false; services.resolved.enable = false;
security.unprivilegedUsernsClone = true; security.unprivilegedUsernsClone = true;
security.apparmor.enable = true;
security.allowSimultaneousMultithreading = true;
environment.defaultPackages = lib.mkForce [ ]; environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano ]; environment.systemPackages = with pkgs; [ nano ];
} }
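Review bot: `security.allowSimultaneousMultithreading = true;` undoes a hardening default without saying so: the option is what the NixOS hardened profile sets to false to put `nosmt` on the kernel command line, and the `lockKernelModules`/`memoryAllocator` overrides elsewhere in this commit suggest that profile is in use, so this line re-exposes cross-hyperthread side channels (L1TF/MDS-class leaks between sibling threads) in exchange for performance. The trade-off belongs next to the line, e.g. `# re-enable SMT despite the hardened profile; accepts cross-thread side-channel exposure for performance`. `security.apparmor.enable = true;` on its own only turns on the LSM and the service; unless `security.apparmor.policies` or `security.apparmor.packages` is populated somewhere not visible here, nothing is actually confined, so a comment pointing at where the profiles come from would help. The enclosing attribute set starts outside this hunk.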


@ -129,8 +129,8 @@ in
}; };
gtk.theme = { gtk.theme = {
package = pkgs.gnome-themes-extra; package = pkgs.adw-gtk3;
name = "Adwaita-dark"; name = "adw-gtk3-dark";
}; };
gtk.enable = true; gtk.enable = true;


@ -40,7 +40,6 @@
./factorio.nix ./factorio.nix
./ranger.nix ./ranger.nix
./vesktop.nix ./vesktop.nix
# ./ncspot.nix
# ./grpcio-tools.nix # ./grpcio-tools.nix
]; ];
} }


@ -7,30 +7,19 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
# ./modules/kvm.nix ./filesystems.nix
./tmpfiles.nix
./../../sway ./../../sway
]; ];
age.identityPaths = [ ../../secrets/yubikey-identity.txt ]; age.identityPaths = [ ../../secrets/yubikey-identity.txt ];
services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true;
# systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
# security.pam.yubico.control = "required";
services.printing.cups-pdf.enable = true; # implies printing enable services.printing.cups-pdf.enable = true; # implies printing enable
# services.printing.enable = true; # services.printing.enable = true;
security.apparmor.enable = true;
# networking.hostId = "2ea79333";
# boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;
grimmShared = { grimmShared = {
tooling = { tooling = {
enable = true; enable = true;
# pass = true;
}; };
gaming = true; gaming = true;
portals = true; portals = true;
@ -53,23 +42,10 @@
"shinigamieyes@shinigamieyes" = "shinigami-eyes"; "shinigamieyes@shinigamieyes" = "shinigami-eyes";
}; };
}; };
# cloudSync = {
# enable = true;
# username = "Grimmauld";
# server = "cloud.grimmauld.de";
# passwordFile = config.age.secrets.nextcloud_pass.path;
# };
spotify.enable = true; spotify.enable = true;
}; };
# age.secrets.nextcloud_pass = {
# file = ./../../secrets/nextcloud_pass.age;
# mode = "777";
# };
networking.hostName = "grimm-nixos-ssd"; networking.hostName = "grimm-nixos-ssd";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
# nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ]; # nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ];


@ -0,0 +1,200 @@
{
lib,
pkgs,
...
}:
let
nix_build = "/nix/build-sandbox";
persist = "/nix/persist";
tmp-exec = "/tmp-exec";
in
{
systemd.tmpfiles.rules = [
"D! ${nix_build} 0755 root root 7d"
];
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
boot.zfs = {
forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
package = pkgs.zfs_2_3;
};
boot.supportedFilesystems.zfs = true;
services.zfs.trim.enable = true;
# services.homed.enable = true;
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"mode=755"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${persist}" = {
device = "zpool/persistent";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
environment.etc =
lib.genAttrs
[
"machine-id"
"ssh/ssh_host_ed25519_key"
"ssh/ssh_host_ed25519_key.pub"
"ssh/ssh_host_rsa_key"
"ssh/ssh_host_rsa_key.pub"
]
(n: {
source = "${persist}/etc/${n}";
});
fileSystems."/nix/var" = {
device = "/nix/var";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/etc/NetworkManager/system-connections" = {
device = "${persist}/etc/NetworkManager/system-connections";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [
"exec"
"suid"
"nodev"
];
};
fileSystems."/var" = {
device = "zpool/var";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${nix_build}" = {
# can execute
device = "zpool/nix-build";
fsType = "zfs";
options = [
"exec"
"nosuid"
"nodev"
];
};
fileSystems."${tmp-exec}" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"exec"
"nosuid"
"nodev"
"mode=1777"
];
};
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
fileSystems."/etc/nixos" = {
device = "zpool/nix_conf";
fsType = "zfs";
options = [
"noacl"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"umask=077"
"noexec"
"nosuid"
"nodev"
];
# noCheck = true;
# neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
};
# fileSystems."/crypt-storage" =
# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
# fsType = "ext4";
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
security.pam = {
zfs = {
enable = true;
homes = "zpool/home";
};
};
boot.initrd.luks.yubikeySupport = true; # enable yubikey support
boot.initrd.luks.reusePassphrases = false;
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
preLVM = true;
allowDiscards = true;
yubikey = {
slot = 2;
twoFactor = true; # Set to false for 1FA
gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
keyLength = 64; # Set to $KEY_LENGTH/8
saltLength = 16; # Set to $SALT_LENGTH
storage = {
device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
fsType = "ext4";
path = "/default";
};
};
};
swapDevices = [
#{
# device = "zpool/swap";
# device = "/dev/zvol/zpool/swap";
#}
];
}
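Review bot: The `/boot` mount lists `fmask=0022`, `dmask=0022` and `umask=077` together; vfat applies mount options in order, so the later `umask=077` overrides the two masks before it and they are dead, and `umask=0077` alone (the restrictive choice, appropriate for the partition holding the systemd-boot random seed) states the intent. `fileSystems."${persist}"` carries no `neededForBoot = true;` even though `/etc/machine-id` and the SSH host keys are symlinked into it, so it appears to be an ordinary stage-2 mount and systemd may read a dangling `/etc/machine-id` at early init and generate a transient one — worth verifying with `hostnamectl`/`cat /etc/machine-id`, and marking the persist dataset `neededForBoot = true;` is the usual impermanence fix. `zpool/nix` is mounted `"suid"` although Nix strips setuid/setgid bits from store paths and NixOS serves privileged programs from `/run/wrappers`, so `"nosuid"` should be safe there and would match what `zpool/nix-build` already does. On the `/dev/shm` TODO: `boot.specialFileSystems.<name>.options` is a list the module system merges, so `noexec` is appended to the stock options rather than replacing them; `findmnt /dev/shm` after a rebuild confirms it, and the comment could then record that.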


@ -5,13 +5,6 @@
modulesPath, modulesPath,
... ...
}: }:
let
nix_build = "/nix/build-sandbox";
persist = "/nix/persist";
tmp-exec = "/tmp-exec";
in
{ {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
@ -51,194 +44,14 @@ in
security.lockKernelModules = false; # PAIN on an intended-portable setup security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false; # security.protectKernelImage = false;
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
boot.loader.systemd-boot.consoleMode = "auto"; boot.loader.systemd-boot.consoleMode = "auto";
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
mode = "755";
user = "root";
};
boot.zfs = {
forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
package = pkgs.zfs_2_3;
};
boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8"; networking.hostId = "40fa5ea8";
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_12; boot.kernelPackages = pkgs.linuxPackages_6_12;
boot.extraModulePackages = [ ];
services.homed.enable = true;
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"mode=755"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${persist}" = {
device = "zpool/persistent";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
environment.etc =
lib.genAttrs
[
"machine-id"
"ssh/ssh_host_ed25519_key"
"ssh/ssh_host_ed25519_key.pub"
"ssh/ssh_host_rsa_key"
"ssh/ssh_host_rsa_key.pub"
]
(n: {
source = "${persist}/etc/${n}";
});
environment.memoryAllocator.provider = "libc"; environment.memoryAllocator.provider = "libc";
fileSystems."/nix/var" = {
device = "/nix/var";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/etc/NetworkManager/system-connections" = {
device = "${persist}/etc/NetworkManager/system-connections";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [
"exec"
"suid"
"nodev"
];
};
fileSystems."/var" = {
device = "zpool/var";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${nix_build}" = {
# can execute
device = "zpool/nix-build";
fsType = "zfs";
options = [
"exec"
"nosuid"
"nodev"
];
};
fileSystems."${tmp-exec}" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"exec"
"nosuid"
"nodev"
"mode=1777"
];
};
# environment.sessionVariables."java.io.tmpdir" = tmp-exec;
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
systemd.tmpfiles.rules = [
"D! ${nix_build} 0755 root root 7d"
"D! /var/cache 0755 root root 7d"
"e! /var/.Trash-0 0755 root root 14d"
"D! /var/tmp 0755 root root 14d"
# "D! /root 0700 root root"
];
systemd.user.tmpfiles.users =
let
forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
in
lib.mergeAttrsList (
forEachUser (
name: user: {
"${name}".rules = [
# "d /home/${user}/Downloads - - - 14d"
"e ${user.home}/.vim/undodir - - - 7d"
"d ${user.home}/.cache - - - 7d"
"e ${user.home}/.java - - - 7d"
"e ${user.home}/.gradle - - - 7d"
"e ${user.home}/.cargo - - - 7d"
"e ${user.home}/.rustup - - - 7d"
"e ${user.home}/.templateengine - - - 7d"
"e ${user.home}/.sane - - - 7d"
"e ${user.home}/.dotnet - - - 7d"
"e ${user.home}/.nuget - - - 7d"
# "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
];
}
)
);
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
fileSystems."/etc/nixos" = {
device = "zpool/nix_conf";
fsType = "zfs";
options = [
"noacl"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"umask=077"
"noexec"
"nosuid"
"nodev"
];
# noCheck = true;
# neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
};
grimmShared = { grimmShared = {
screens = { screens = {
@ -258,53 +71,10 @@ in
laptop_hardware.enable = true; laptop_hardware.enable = true;
}; };
# fileSystems."/crypt-storage" =
# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
# fsType = "ext4";
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
security.pam = {
zfs = {
enable = true;
homes = "zpool/home";
};
};
boot.initrd.systemd.enable = false; # breaks with luks boot.initrd.systemd.enable = false; # breaks with luks
system.etc.overlay.enable = false; # requires systemd initrd1 system.etc.overlay.enable = false; # requires systemd initrd1
boot.initrd.luks.yubikeySupport = true; # enable yubikey support # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
boot.initrd.luks.reusePassphrases = false;
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
preLVM = true;
allowDiscards = true;
yubikey = {
slot = 2;
twoFactor = true; # Set to false for 1FA
gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
keyLength = 64; # Set to $KEY_LENGTH/8
saltLength = 16; # Set to $SALT_LENGTH
storage = {
device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
fsType = "ext4";
path = "/default";
};
};
};
swapDevices = [
#{
# device = "zpool/swap";
# device = "/dev/zvol/zpool/swap";
#}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
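Review bot: The new side of this file no longer contains `services.homed.enable = true;` and nothing replaces it (the new filesystems.nix carries it only as a commented line), so the commit turns systemd-homed off as a side effect of what the title calls cleanup. If that is intended because user homes are handled by `security.pam.zfs` instead, a comment at that `security.pam.zfs` block, e.g. `# homes are ZFS datasets unlocked by pam_zfs_key; systemd-homed deliberately not used`, would make the change deliberate rather than accidental. The enclosing attribute set starts before this hunk.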


@ -0,0 +1,47 @@
{
config,
lib,
...
}:
{
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
mode = "755";
user = "root";
};
systemd.tmpfiles.rules = [
"D! /var/cache 0755 root root 7d"
"e! /var/.Trash-0 0755 root root 14d"
"D! /var/tmp 0755 root root 14d"
# "D! /root 0700 root root"
];
systemd.user.tmpfiles.users =
let
forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
in
lib.mergeAttrsList (
forEachUser (
name: user: {
"${name}".rules = [
# "d /home/${user}/Downloads - - - 14d"
"e ${user.home}/.vim/undodir - - - 7d"
"d ${user.home}/.cache - - - 7d"
"e ${user.home}/.java - - - 7d"
"e ${user.home}/.gradle - - - 7d"
"e ${user.home}/.cargo - - - 7d"
"e ${user.home}/.rustup - - - 7d"
"e ${user.home}/.templateengine - - - 7d"
"e ${user.home}/.sane - - - 7d"
"e ${user.home}/.dotnet - - - 7d"
"e ${user.home}/.nuget - - - 7d"
# "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
];
}
)
);
}
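Review bot: `"D! /var/tmp 0755 root root 14d"` creates `/var/tmp` writable only by root, whereas the FHS and systemd's stock `tmp.conf` expect a sticky, world-writable `1777` directory; systemd-tmpfiles appears to warn about the duplicate path and keep whichever rule it reads first, so the resulting mode depends on file ordering under `/etc/tmpfiles.d`. Either change the rule to `"D! /var/tmp 1777 root root 14d"` or add a comment stating that unprivileged users are deliberately denied `/var/tmp`. The per-user `e` rules age out `.cargo`, `.rustup`, `.dotnet` and `.nuget` after 7 days, which seems to remove installed toolchain binaries (and files such as `~/.cargo/credentials.toml`) that merely have not been touched; a one-line comment that this is accepted would spare the next reader a surprise. The commented `${tmp-exec}` line at the top refers to a binding this file no longer defines and can be dropped.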