Initial commit

README.md

@@ -0,0 +1,8 @@
+# Kevin's Dotfiles
+
+This repo contains my personal dotfiles and configurations for my computers.
+
+## NixOS
+
+I use NixOS as my main OS, and for that I have written a few modules in [`nixos/modules`](./nixos/modules).
+Are those settings perfect? No, but they are my opinionated defaults. :stuck_out_tongue_winking_eye:

nixos/install.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Source: https://stackoverflow.com/questions/59895/how-do-i-get-the-directory-where-a-bash-script-is-located-from-within-the-script
+SOURCE=${BASH_SOURCE[0]}
+while [ -L "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+  DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+  SOURCE=$(readlink "$SOURCE")
+  [[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+
+echo "Installing NixOS modules..."
+
+if [ -d /etc/nixos/modules ]; then
+  echo "Directory /etc/nixos/modules exists - exiting."
+  exit 2
+fi
+
+sudo ln -s $DIR/modules /etc/nixos/modules
+
+echo "Done."

nixos/modules/audio.nix

@@ -0,0 +1,23 @@
+{ lib, pkgs, config, ... }:
+with lib;                      
+let
+  cfg = config.kevin.audio;
+in {
+  options.kevin.audio = {
+    enable = mkEnableOption "kevins audio";
+  };
+
+  config = mkIf cfg.enable (mkMerge [
+    ({
+      hardware.pulseaudio.enable = false;
+      security.rtkit.enable = true;
+      services.pipewire = {
+        enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;
+        pulse.enable = true;
+        jack.enable = true;
+      };
+    })
+  ]);
+}

nixos/modules/default.nix

@@ -0,0 +1,132 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let cfg = config.kevin;
+in {
+  imports = [
+    ./power.nix
+    ./networking.nix
+    ./audio.nix
+    ./desktop.nix
+    ./yubikey.nix
+  ];
+
+  options.kevin = {
+    defaults = mkOption {
+      type = types.enum [ "none" "laptop" "desktop" ];
+      default = "none";
+    };
+  };
+
+  config = mkIf (cfg.defaults != "none") (mkMerge [
+    ({
+      nixpkgs.config.allowUnfree = true;
+      i18n.defaultLocale = "en_US.UTF-8";
+      
+      console = {
+        font = "Lat2-Terminus16";
+        keyMap = "de";
+      };
+
+      services.xserver.layout = "de";
+      
+      environment.systemPackages = with pkgs; [
+        vim
+        wget
+        curl
+        tmux
+      ];
+    })
+    (mkIf (cfg.defaults == "laptop" || cfg.defaults == "desktop") {
+      kevin.networking.enable = true;
+      kevin.networking.avahi.enable = true;
+      kevin.networking.firewall.wireguard = true;
+      kevin.audio.enable = true;
+      kevin.desktop.enable = true;
+      kevin.desktop.type = "gnome";
+      kevin.yubikey.enable = true;
+
+      environment.systemPackages = with pkgs; [
+        firefox
+        league-of-moveable-type
+      ];
+
+      programs.gnupg.agent = {
+        enable = true;
+        # enableSSHSupport = true;
+      };
+
+      kevin.networking.firewall.syncthing = true;
+      services.syncthing = {
+        enable = true;
+        user = "kevin";
+        dataDir = "/home/kevin/Syncthing";
+        configDir = "/home/kevin/Syncthing/.config/syncthing";
+      };
+
+      services.fwupd.enable = true;
+      hardware.cpu.intel.updateMicrocode = true;
+
+      boot.supportedFilesystems = [ "ntfs" ];
+
+      services.printing.enable = true;
+
+      virtualisation.docker.enable = true;
+
+      users.users.kevin = {
+        isNormalUser = true;
+        description = "Kevin Kandlbinder";
+        extraGroups = [ "wheel" "docker" "dialout" ]; 
+      };
+    })
+    (mkIf (cfg.defaults == "laptop") {
+      kevin.power.mode = "laptop";
+      networking.hostName = "kevin-tp-l580";
+
+      services.xserver.libinput.enable = true;
+
+      hardware.opengl.extraPackages = with pkgs; [
+        vaapiIntel
+        libvdpau-va-gl
+        intel-media-driver
+      ];
+
+      boot.kernel.sysctl = {
+        "vm.swappiness" = 1;
+        "vm.vfs_cache_pressure" = 50;
+        "vm.dirty_background_ratio" = 20;
+        "vm.dirty_ratio" = 50;
+        # these are the zen-kernel tweaks to CFS defaults (mostly)
+        "kernel.sched_latency_ns" = 4000000;
+        # should be one-eighth of sched_latency (this ratio is not
+        # configurable, apparently -- so while zen changes that to
+        # one-tenth, we cannot):
+        "kernel.sched_min_granularity_ns" = 500000;
+        "kernel.sched_wakeup_granularity_ns" = 50000;
+        "kernel.sched_migration_cost_ns" = 250000;
+        "kernel.sched_cfs_bandwidth_slice_us" = 3000;
+        "kernel.sched_nr_migrate" = 128;
+      };
+
+      systemd = {
+        extraConfig = ''
+          DefaultCPUAccounting=yes
+          DefaultMemoryAccounting=yes
+          DefaultIOAccounting=yes
+        '';
+        user.extraConfig = ''
+          DefaultCPUAccounting=yes
+          DefaultMemoryAccounting=yes
+          DefaultIOAccounting=yes
+        ''; 
+        services."user@".serviceConfig.Delegate = true;
+      };
+  
+      systemd.services.nix-daemon.serviceConfig = {
+        CPUWeight = 20;
+        IOWeight = 20;
+      };
+
+      boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"];
+    })
+  ]);
+}

nixos/modules/desktop.nix

@@ -0,0 +1,22 @@
+{ lib, pkgs, config, ... }:
+with lib;                      
+let
+  cfg = config.kevin.desktop;
+in {
+  options.kevin.desktop = {
+    enable = mkEnableOption "kevins desktop";
+    type = mkOption {
+      type = types.enum [ "gnome" ];
+      default = "gnome";
+    };
+  };
+
+  config = mkIf cfg.enable (mkMerge [
+    (mkIf (cfg.type == "gnome") {
+      services.xserver.enable = true;
+      services.xserver.displayManager.gdm.enable = true;
+      services.xserver.desktopManager.gnome.enable = true;
+      services.flatpak.enable = true;
+    })
+  ]);
+}

nixos/modules/networking.nix

@@ -0,0 +1,51 @@
+{ lib, pkgs, config, ... }:
+with lib;                      
+let
+  cfg = config.kevin.networking;
+in {
+  options.kevin.networking = {
+    enable = mkEnableOption "kevins networking";
+    avahi.enable = mkEnableOption "avahi";
+    firewall.wireguard = mkEnableOption "wireguard exceptions";
+    firewall.syncthing = mkEnableOption "syncthing exceptions";
+  };
+
+  config = mkIf cfg.enable (mkMerge [
+    (mkIf cfg.avahi.enable {
+      services.avahi = {
+        enable = true;
+        nssmdns = true;
+        publish.enable = true;
+        publish.domain = true;
+        publish.addresses = true;
+        publish.workstation = true;
+        publish.userServices = true;
+      };
+ 
+      networking.firewall.allowedUDPPorts = [ 5353 ];
+    })
+    (mkIf cfg.firewall.wireguard {
+      networking.firewall = {
+        # if packets are still dropped, they will show up in dmesg
+        logReversePathDrops = true;
+
+        allowedUDPPorts = [ 51820 ];
+
+
+        # wireguard trips rpfilter up
+        extraCommands = ''
+          ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+          ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+        '';
+        extraStopCommands = ''
+          ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+          ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+        '';
+      };
+    })
+    (mkIf cfg.firewall.syncthing {
+      networking.firewall.allowedTCPPorts = [ 22000 ];
+      networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+    })
+  ]);
+}

nixos/modules/power.nix

@@ -0,0 +1,78 @@
+{ lib, pkgs, config, ... }:
+with lib;                      
+let
+  cfg = config.kevin.power;
+in {
+  options.kevin.power = {
+    mode = mkOption {
+      type = types.enum [ "desktop" "laptop" ];
+      default = "desktop";
+    };
+  };
+
+  config = mkMerge [
+    (mkIf (cfg.mode == "laptop") {
+      powerManagement.powertop.enable = true;
+      services.thermald.enable = true;
+      services.power-profiles-daemon.enable = false;
+
+      services.tlp = {
+        enable = true;
+        settings = {
+            START_CHARGE_THRESH_BAT0 = 85;
+            STOP_CHARGE_THRESH_BAT0 = 90;
+
+            CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
+            CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
+
+            CPU_SCALING_MIN_FREQ_ON_AC = 800000;
+            CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
+            CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
+            CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
+
+            # Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+            # A value of 0 disables, >=1 enables power saving (recommended: 1).
+            # Default: 0 (AC), 1 (BAT)
+            SOUND_POWER_SAVE_ON_AC = 0;
+            SOUND_POWER_SAVE_ON_BAT = 1;
+
+            # Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
+            # Default: on (AC), auto (BAT)
+            RUNTIME_PM_ON_AC = "on";
+            RUNTIME_PM_ON_BAT = "auto";
+
+            # Battery feature drivers: 0=disable, 1=enable
+            # Default: 1 (all)
+            NATACPI_ENABLE = 1;
+            TPACPI_ENABLE = 1;
+            TPSMAPI_ENABLE = 1;
+        };
+
+      };
+
+      boot.extraModprobeConfig = lib.mkMerge [
+        # idle audio card after one second
+        "options snd_hda_intel power_save=1"
+        # enable wifi power saving (keep uapsd off to maintain low latencies)
+        "options iwlwifi power_save=1 uapsd_disable=1"
+      ];
+      
+      boot.initrd.availableKernelModules = [
+        "thinkpad_acpi"
+      ];
+      
+      boot.kernelParams = ["intel_pstate=disable"];
+      boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
+
+      services.udev.extraRules = lib.mkMerge [
+        # autosuspend USB devices
+        ''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
+        # autosuspend PCI devices
+        ''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
+        # disable Ethernet Wake-on-LAN
+        ''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
+      ];
+      services.upower.enable = true;
+    })
+  ];
+}

nixos/modules/yubikey.nix

@@ -0,0 +1,21 @@
+{ lib, pkgs, config, ... }:
+with lib;                      
+let
+  cfg = config.kevin.yubikey;
+in {
+  options.kevin.yubikey = {
+    enable = mkEnableOption "yubikey setup";
+  };
+
+  config = mkIf cfg.enable (mkMerge [
+    ({
+      security.pam.yubico = {
+        enable = true;
+        debug = false;
+        mode = "challenge-response";
+      };
+
+      services.udev.packages = [ pkgs.yubikey-personalization ];
+    })
+  ]);
+}