add radish configuration

2024-11-04 12:43:09 +02:00
parent 89d7e656f9
commit 3558aeecda
26 changed files with 657 additions and 5 deletions
--- a/radish/boot.nix
+++ b/radish/boot.nix
@@ -0,0 +1,31 @@
+{ lib, pkgs, ... }:
+{
+  boot = {
+    loader.systemd-boot.enable = lib.mkForce false;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+      configurationLimit = 10;
+      settings = {
+        editor = false;
+      };
+    };
+    loader.efi.canTouchEfiVariables = true;
+    bootspec.enable = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [
+      "amdgpu.sg_display=0"
+      "resume_offset=533760"
+    ];
+
+    resumeDevice = "/dev/disk/by-uuid/a331b669-f5c5-42f7-be58-434873c1b689";
+    tmp.useTmpfs = true;
+    kernel.sysctl = {
+      "vm.max_map_count" = 262144;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    efibootmgr
+  ];
+}
--- a/radish/configuration.nix
+++ b/radish/configuration.nix
@@ -0,0 +1,39 @@
+{ ... }:
+{
+  nix = {
+    settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+    };
+
+    gc = {
+      automatic = true;
+      dates = "daily";
+      options = "--delete-older-than 7d";
+    };
+  };
+
+  networking.extraHosts = ''
+    10.10.0.1 warden.apu.repomaa.com
+  '';
+
+  networking.nftables.enable = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
--- a/radish/containers.nix
+++ b/radish/containers.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  virtualisation.docker.storageDriver = "btrfs";
+  virtualisation.docker.rootless = {
+    enable = true;
+    setSocketVariable = true;
+  };
+}
--- a/radish/default.nix
+++ b/radish/default.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./host.nix
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+    ./containers.nix
+    ./desktop.nix
+    ./users.nix
+  ];
+}
--- a/radish/desktop.nix
+++ b/radish/desktop.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+  services.xserver = {
+    enable = true;
+    displayManager.gdm.enable = true;
+    desktopManager.gnome.enable = true;
+  };
+
+  services.printing.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  hardware.pulseaudio.enable = false;
+
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+    dedicatedServer.openFirewall = true;
+  };
+}
--- a/radish/flake.lock
+++ b/radish/flake.lock
@@ -0,0 +1,277 @@
+{
+  "nodes": {
+    "auto-cpufreq": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726162350,
+        "narHash": "sha256-SI2pDWGKqRJh48wGLovsVT4xPXTZZjM2zaOP3HpUPTE=",
+        "owner": "AdnanHodzic",
+        "repo": "auto-cpufreq",
+        "rev": "7b03630a5e094fc2ef58492d6be35bf64c387815",
+        "type": "github"
+      },
+      "original": {
+        "owner": "AdnanHodzic",
+        "repo": "auto-cpufreq",
+        "type": "github"
+      }
+    },
+    "crane": {
+      "locked": {
+        "lastModified": 1730060262,
+        "narHash": "sha256-RMgSVkZ9H03sxC+Vh4jxtLTCzSjPq18UWpiM0gq6shQ=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "498d9f122c413ee1154e8131ace5a35a80d8fa76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727826117,
+        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "ksoloti-pr": {
+      "locked": {
+        "lastModified": 1718526298,
+        "narHash": "sha256-Ew3ebuFbMVOkHsGNTwD7g4Bm/ODRtJCRUWYd1Ub4J7k=",
+        "owner": "repomaa",
+        "repo": "nixpkgs",
+        "rev": "2ee854727a514069c8369bce5d3dbd7ca1f32d99",
+        "type": "github"
+      },
+      "original": {
+        "owner": "repomaa",
+        "ref": "pkg/ksoloti",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1730107060,
+        "narHash": "sha256-EnVVq1oNcimZmQYl6UlLYs0jhC6aLah0bsFMy2syEak=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "0ad4ce46649b390da8bebcc229917f9863c98fe2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1730368399,
+        "narHash": "sha256-F8vJtG389i9fp3k2/UDYHMed3PLCJYfxCqwiVP7b9ig=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "da14839ac5f38ee6adbdb4e6db09b5eef6d6ccdc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1730025694,
+        "narHash": "sha256-Isj+5RY86+N+JrotqpaXqi6hUAABcF6pIOlIWy2leC8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "23664a7358c599dd4f975f16cea0865bf423e83d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-small": {
+      "locked": {
+        "lastModified": 1730403368,
+        "narHash": "sha256-b+whD5HBiD4niTz67HtOv8lMg3fnYdAxHgi52rsAGFA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "20499cc102964a175b595bd459f447d25abd6130",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730200266,
+        "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1729104314,
+        "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "auto-cpufreq": "auto-cpufreq",
+        "ksoloti-pr": "ksoloti-pr",
+        "lanzaboote": "lanzaboote",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-small": "nixpkgs-small"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729996302,
+        "narHash": "sha256-QEU1NQq1+7s1na69Chig9K0iDDTKN0O4Zreo9A9rccA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "a1b337569f334ff0a01b57627f17b201d746d24c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/radish/hardware-configuration.nix
+++ b/radish/hardware-configuration.nix
@@ -0,0 +1,64 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a331b669-f5c5-42f7-be58-434873c1b689";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/43895585-8899-4e94-a413-889127c214f8";
+    allowDiscards = true;
+  };
+
+  fileSystems."/var/log" =
+    { device = "/dev/disk/by-uuid/a331b669-f5c5-42f7-be58-434873c1b689";
+      fsType = "btrfs";
+      options = [ "subvol=@var_log" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/a331b669-f5c5-42f7-be58-434873c1b689";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/01E6-6258";
+      fsType = "vfat";
+    };
+
+  fileSystems."/swap" =
+    { device = "/dev/disk/by-uuid/a331b669-f5c5-42f7-be58-434873c1b689";
+      fsType = "btrfs";
+      options = [ "subvol=@swap" ];
+    };
+
+  swapDevices = [ {
+    device = "/swap/swapfile";
+    size = 64*1024;
+  } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/radish/hardware.nix
+++ b/radish/hardware.nix
@@ -0,0 +1,87 @@
+{ pkgs, ksoloti-pr, lib, config, ... }:
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  services.pcscd = {
+    enable = true;
+    plugins = [
+      pkgs.ccid
+    ];
+  };
+  services.udev.packages = [
+    pkgs.zsa-udev-rules
+    pkgs.yubikey-personalization
+    ksoloti-pr.ksoloti
+  ];
+  services.usbmuxd = {
+    enable = true;
+    package = pkgs.usbmuxd;
+  };
+  services.fwupd = {
+    enable = true;
+  };
+  services.fprintd.enable = true;
+  services.fstrim.enable = true;
+
+  security.pam.services.login.fprintAuth = false;
+  # similarly to how other distributions handle the fingerprinting login
+  security.pam.services.gdm-fingerprint = lib.mkIf (config.services.fprintd.enable) {
+    text = ''
+      auth       required                    pam_shells.so
+      auth       requisite                   pam_nologin.so
+      auth       requisite                   pam_faillock.so      preauth
+      auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+      auth       optional                    pam_permit.so
+      auth       required                    pam_env.so
+      auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+      auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+
+      account    include                     login
+
+      password   required                    pam_deny.so
+
+      session    include                     login
+      session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
+    '';
+  };
+
+  hardware.keyboard.zsa.enable = true;
+
+  services.logind = {
+    lidSwitch = "suspend";
+    powerKey = "suspend";
+    extraConfig = ''
+      IdleAction=suspend
+    '';
+  };
+
+  powerManagement = {
+    enable = true;
+    powerDownCommands = "${pkgs.networkmanager}/bin/nmcli radio wifi off";
+    powerUpCommands = "${pkgs.networkmanager}/bin/nmcli radio wifi on";
+  };
+
+  services.power-profiles-daemon.enable = false;
+
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_BOOST_ON_BAT = 0;
+      CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
+      START_CHARGE_THRESH_BATx = 85;
+      STOP_CHARGE_THRES_BATx = 90;
+      RUNTIME_PM_ON_BAT = "auto";
+    };
+  };
+
+  programs.auto-cpufreq.enable = true;
+
+  hardware.amdgpu.opencl.enable = true;
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [ rocmPackages.clr.icd ];
+  };
+  networking.networkmanager.wifi.backend = "iwd";
+  security.tpm2.enable = true;
+}
--- a/radish/host.nix
+++ b/radish/host.nix
@@ -0,0 +1,10 @@
+{ lib, ... }:
+{
+  networking.hostName = "radish";
+  time.timeZone = lib.mkForce null; # allow TZ to be set by desktop user
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+}
--- a/radish/packages.nix
+++ b/radish/packages.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+{
+  nixpkgs.config.allowUnfree = true;
+
+  environment = {
+    systemPackages = with pkgs; [
+      vim
+      wget
+      curl
+      htop
+      tmux
+      libimobiledevice
+      ripgrep
+      fd
+      (pkgs.buildGoModule {
+        name = "meilindex";
+        src = pkgs.fetchFromGitHub {
+          owner = "tryffel";
+          repo = "meilindex";
+          rev = "v0.2.0";
+          sha256 = "sha256-Lecni3cqkWOQjSjjJZLyWKz2eFR5MS8gNPVXRTwrciA=";
+        };
+        vendorHash = "sha256-eBIfyffQK5gYYPBuAvpZKnjRbpmY3GKS47QoMtbetS8=";
+      })
+    ];
+
+    pathsToLink = [ "/share/zsh" ];
+  };
+
+  services = {
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "client";
+    };
+
+    ollama = {
+      enable = true;
+      acceleration = "rocm";
+      environmentVariables = {
+        HSA_OVERRIDE_GFX_VERSION = "11.0.3";
+      };
+    };
+    meilisearch.enable = true;
+  };
+
+  programs = {
+    zsh.enable = true;
+    _1password-gui = {
+      enable = true;
+      polkitPolicyOwners = [ "moco" ];
+    };
+    _1password.enable = true;
+  };
+}
--- a/radish/users.nix
+++ b/radish/users.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.jokke = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = pkgs.zsh;
+  };
+
+  users.users.moco = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = pkgs.zsh;
+    subUidRanges = [{ startUid = 10000; count = 65536; }];
+    subGidRanges = [{ startGid = 10000; count = 65536; }];
+  };
+}