diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..3050e38
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,152 @@ +{ + "nodes": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1675933616, + "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1677499486, + "narHash": "sha256-1QbZfuF+3ACjb22ZTZ1nlCTNCvY370g0D6cPEDZk0CI=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "635bbcdd6f8e11799f31d004f933fdb9cd3fff5d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1677407201, + "narHash": "sha256-3blwdI9o1BAprkvlByHvtEm5HAIRn/XPjtcfiunpY7s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7f5639fa3b68054ca0b062866dc62b22c3f11505", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1675183161, + "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1677367679, + "narHash": "sha256-pOMXi7F9tcHls06Qv+7XCPASTJeXu47Jhd0Pk9du8T4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ea736343e4d4a052e023d54b23334cf685de479c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + 
"lastModified": 1677352614, + "narHash": "sha256-VYo1cSiCHDXZrHO8pb0c9EGob7C75lCPx1jBMi9UAlU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "bf592ea571b11dfee17a74d022f0b481ca5f1319", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1677381477, + "narHash": "sha256-NLzWgll+Q0Af8gI1ha34OHt7Y1GtOMYhCWQWV9LXE9Y=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "83fe25c8019db8216f5c6ffc65b394707784b4f3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..aa713d1 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,30 @@
+{
+ description = "Kevin's NixOS configurations";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ sops-nix.url = github:Mic92/sops-nix;
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs@{ self, flake-parts, ... }:
+ (flake-parts.lib.evalFlakeModule
+ { inherit inputs; }
+ {
+ imports = [
+ ./nixos/flake-module.nix
+ ];
+ systems = [ "x86_64-linux" ];
+ perSystem = { config, self', inputs', pkgs, system, ... }: {
+ # Per-system attributes can be defined here. The self' and inputs'
+ # module parameters provide easy access to attributes of the same
+ # system.
+
+ # Equivalent to inputs'.nixpkgs.legacyPackages.hello;
+ # packages.default = pkgs.hello;
+ };
+ }).config.flake;
+}
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
new file mode 100644
index 0000000..a3cf1a8
--- /dev/null
+++ b/nixos/flake-module.nix
@@ -0,0 +1,34 @@
+{self, inputs, ...}:
+let
+ inherit (inputs.nixpkgs) lib;
+ inherit (inputs) nixpkgs;
+
+ defaultModules = [
+ {
+ _module.args.self = self;
+ _module.args.inputs = self.inputs;
+ }
+ ({ ... }: {
+ #srvos.flake = self;
+ #documentation.info.enable = false;
+ #services.envfs.enable = true;
+
+ imports = [
+ #inputs.sops-nix.nixosModules.sops
+ ./modules/users.nix
+ ./modules/common.nix
+ ];
+ })
+ ];
+in
+{
+ flake.nixosConfigurations = {
+ kevin-tp = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = defaultModules ++ [
+ inputs.home-manager.nixosModules.home-manager
+ ./kevin-tp/configuration.nix
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/nixos/install.sh b/nixos/install.sh
index e807fcb..b5a4f33 100755
--- a/nixos/install.sh
+++ b/nixos/install.sh
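Review bot: `sops-nix.url = github:Mic92/sops-nix;` uses the unquoted URL-literal syntax while the other two inputs are quoted strings, and it is the only input without `inputs.nixpkgs.follows = "nixpkgs"`; the lock file in this same commit shows the consequence as a second `nixpkgs_2` plus `nixpkgs-stable` pinned under sops-nix, i.e. extra nixpkgs trees to keep current when tracking advisories. Since nixos/flake-module.nix still has the `inputs.sops-nix.nixosModules.sops` import commented out, the input is locked but unused, so either drop it or wire it up as `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };`.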
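Review bot: In nixos/flake-module.nix `inherit (inputs.nixpkgs) lib;` is dead code, since the module only calls `nixpkgs.lib.nixosSystem` through the `nixpkgs` binding; likewise `_module.args.inputs = self.inputs;` reaches through `self` although the function already receives `inputs`, which should be the same attribute set, so `_module.args.inputs = inputs;` reads clearer. Also worth a comment on `defaultModules`: it pulls in ./modules/common.nix, which imports ./ssh.nix and sets `kevin.ssh.server.enable = true`, so every host built through this flake gets sshd enabled and port 22 opened by default, e.g. `# every host gets users.nix + common.nix (sshd on, port 22 open) — opt out per host if needed`.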
@@ -11,16 +11,13 @@ DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 echo "Installing NixOS modules..."
-if [ -d /etc/nixos/modules ]; then
- echo "Directory /etc/nixos/modules exists - skipping."
-else
- sudo ln -s $DIR/modules /etc/nixos/modules || echo "Could not link modules"
-fi
-if [ -d /etc/nixos/ssh ]; then
- echo "Directory /etc/nixos/ssh exists - skipping."
-else
- sudo ln -s $DIR/../ssh /etc/nixos/ssh || echo "Could not link ssh assets"
-fi
+sudo cp -r $DIR/../* /etc/nixos/ || echo "Could not copy modules"
+
+#if [ -d /etc/nixos/ssh ]; then
+# echo "Directory /etc/nixos/ssh exists - skipping."
+#else
+# sudo ln -s $DIR/../ssh /etc/nixos/ssh || echo "Could not link ssh assets"
+#fi
 echo "Done."
diff --git a/nixos/kevin-tp/configuration.nix b/nixos/kevin-tp/configuration.nix
new file mode 100644
index 0000000..3bc1296
--- /dev/null
+++ b/nixos/kevin-tp/configuration.nix
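Review bot: `sudo cp -r $DIR/../* /etc/nixos/` leaves `$DIR` unquoted and does nothing about the `/etc/nixos/modules` and `/etc/nixos/ssh` symlinks that the removed lines of this same script used to create; on a host that ran the old version, `/etc/nixos/ssh` still points back into the checkout, so `cp -r` follows it and the copy of the ssh assets lands in (or fails inside) the repository rather than replacing the link. The `|| echo` also keeps the script's exit status at 0 after a failed copy, so the failure is easy to miss. Suggested: `sudo rm -f /etc/nixos/modules /etc/nixos/ssh` before the copy, and `sudo cp -r "$DIR"/../* /etc/nixos/ || { echo "Could not copy modules" >&2; exit 1; }`. The commented-out ssh block is dead now and can go; the rest of the script is outside the hunk.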
@@ -0,0 +1,124 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+
+ ../modules/gnome.nix
+ ../modules/pipewire.nix
+ ../modules/avahi.nix
+ ../modules/firewall/kde-connect.nix
+ ../modules/firewall/syncthing.nix
+ ../modules/firewall/wireguard.nix
+ ../modules/power/thinkpad.nix
+ ../modules/yubikey.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.luks.devices = {
+ cryptroot = {
+ device = "/dev/disk/by-uuid/0412bb67-c6c7-42fd-a532-ced413d1203d";
+ preLVM = true;
+ };
+ };
+
+ boot.initrd.kernelModules = [
+ "aesni_intel"
+ "cryptd"
+ "essiv"
+ ];
+
+ networking.hostName = "kevin-tp";
+ networking.hostId = "2d62d680";
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ networking.networkmanager.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ firefox
+ league-of-moveable-type
+ hunspell
+ hunspellDicts.de_DE
+ ];
+
+ programs.gnupg.agent = {
+ enable = true;
+ # enableSSHSupport = true;
+ };
+
+ services.xserver.libinput.enable = true;
+
+ hardware.opengl.extraPackages = with pkgs; [
+ vaapiIntel
+ libvdpau-va-gl
+ intel-media-driver
+ ];
+
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 1;
+ "vm.vfs_cache_pressure" = 50;
+ "vm.dirty_background_ratio" = 20;
+ "vm.dirty_ratio" = 50;
+ # these are the zen-kernel tweaks to CFS defaults (mostly)
+ "kernel.sched_latency_ns" = 4000000;
+ # should be one-eighth of sched_latency (this ratio is not
+ # configurable, apparently -- so while zen changes that to
+ # one-tenth, we cannot):
+ "kernel.sched_min_granularity_ns" = 500000;
+ "kernel.sched_wakeup_granularity_ns" = 50000;
+ "kernel.sched_migration_cost_ns" = 250000;
+ "kernel.sched_cfs_bandwidth_slice_us" = 3000;
+ "kernel.sched_nr_migrate" = 128;
+ };
+
+ systemd = {
+ extraConfig = ''
+ DefaultCPUAccounting=yes
+ DefaultMemoryAccounting=yes
+ DefaultIOAccounting=yes
+ '';
+ user.extraConfig = ''
+ DefaultCPUAccounting=yes
+ DefaultMemoryAccounting=yes
+ DefaultIOAccounting=yes
+ '';
+ services."user@".serviceConfig.Delegate = true;
+ };
+
+ systemd.services.nix-daemon.serviceConfig = {
+ CPUWeight = 20;
+ IOWeight = 20;
+ };
+
+ boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"];
+
+ services.syncthing = {
+ enable = true;
+ user = "kevin";
+ dataDir = "/home/kevin/Syncthing";
+ configDir = "/home/kevin/Syncthing/.config/syncthing";
+ };
+
+ services.fwupd.enable = true;
+ hardware.cpu.intel.updateMicrocode = true;
+
+ boot.supportedFilesystems = [ "ntfs" ];
+
+ services.printing.enable = true;
+
+ virtualisation.docker.enable = true;
+
+
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+ #kevin.defaults = "laptop";
+
+ #system.copySystemConfiguration = true;
+
+ system.stateVersion = "23.05"; # No touchy. Locks defaults.
+
+}
diff --git a/nixos/kevin-tp/hardware-configuration.nix b/nixos/kevin-tp/hardware-configuration.nix
new file mode 100644
index 0000000..9cb5742
--- /dev/null
+++ b/nixos/kevin-tp/hardware-configuration.nix
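Review bot: The `kernel.sched_latency_ns`, `kernel.sched_min_granularity_ns`, `kernel.sched_wakeup_granularity_ns`, `kernel.sched_migration_cost_ns` and `kernel.sched_nr_migrate` entries in `boot.kernel.sysctl` are, as far as I recall, no longer exposed under /proc/sys on kernels from about 5.13 on (they moved to debugfs), and this host pins `boot.kernelPackages = pkgs.linuxPackages_latest`, so expect them to be reported as missing at activation rather than applied. Either drop them or mark them, e.g. `# sched_* knobs are debugfs-only on current kernels; best-effort, kept for older kernelPackages`, so the next reader does not assume the tuning is in effect. The `# these are the zen-kernel tweaks` comment would then read correctly.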
@@ -0,0 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e67b8d34-06ca-4a6e-a82c-9a8eafa38d0d"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = + { device = "/dev/disk/by-uuid/BD90-5288"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/603d952f-99a3-413d-b499-c15b8b91eebf"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.docker0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nixos/modules/default.nix b/nixos/legacy/modules/default.nix similarity index 100% rename from nixos/modules/default.nix rename to nixos/legacy/modules/default.nix 
diff --git a/nixos/modules/kevin/default.nix b/nixos/legacy/modules/kevin/default.nix
similarity index 95%
rename from nixos/modules/kevin/default.nix
rename to nixos/legacy/modules/kevin/default.nix
index 0e64a59..81a852f 100644
--- a/nixos/modules/kevin/default.nix
+++ b/nixos/legacy/modules/kevin/default.nix
@@ -46,7 +46,7 @@ in {
 kevin.audio.enable = true;
 kevin.desktop.enable = true;
 kevin.desktop.type = "gnome";
-kevin.yubikey.enable = true;
+#kevin.yubikey.enable = true;
 networking.networkmanager.enable = true;
@@ -98,7 +98,7 @@ in {
 hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
 })
 (mkIf (cfg.defaults == "laptop") {
-kevin.power.mode = "laptop";
+#kevin.power.mode = "laptop";
 networking.hostName = "kevin-tp-l580";
 services.xserver.libinput.enable = true;
@@ -110,9 +110,9 @@ in {
 ];
-specialisation.xmonad.configuration = {
-kevin.desktop.type = mkForce "xmonad";
-};
+#specialisation.xmonad.configuration = {
+# kevin.desktop.type = mkForce "xmonad";
+#};
 boot.kernel.sysctl = {
diff --git a/nixos/modules/kevin/desktop.nix b/nixos/legacy/modules/kevin/desktop.nix
similarity index 100%
rename from nixos/modules/kevin/desktop.nix
rename to nixos/legacy/modules/kevin/desktop.nix
diff --git a/nixos/modules/kevin/xmonad/polybar/config.ini b/nixos/legacy/modules/kevin/xmonad/polybar/config.ini
similarity index 100%
rename from nixos/modules/kevin/xmonad/polybar/config.ini
rename to nixos/legacy/modules/kevin/xmonad/polybar/config.ini
diff --git a/nixos/modules/avahi.nix b/nixos/modules/avahi.nix
new file mode 100644
index 0000000..1ea39e3
--- /dev/null
+++ b/nixos/modules/avahi.nix
@@ -0,0 +1,13 @@
+{
+ services.avahi = {
+ enable = true;
+ nssmdns = true;
+ publish.enable = true;
+ publish.domain = true;
+ publish.addresses = true;
+ publish.workstation = true;
+ publish.userServices = true;
+ };
+
+ networking.firewall.allowedUDPPorts = [ 5353 ];
+}
\ No newline at end of file
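Review bot: avahi.nix turns on `publish.addresses`, `publish.workstation` and `publish.userServices` and opens UDP 5353 unconditionally, which advertises this laptop's hostname, addresses and user services on every network it joins, including untrusted Wi-Fi. If mDNS is only wanted on known networks, `services.avahi.allowInterfaces` or leaving `publish.workstation`/`publish.userServices` off limits that exposure, and `services.avahi.openFirewall` can replace the manual `networking.firewall.allowedUDPPorts = [ 5353 ];` so the port follows the service. The earlier hunks on this line (nixos/legacy/modules/kevin/default.nix) only comment out options whose defining modules are deleted in this commit; a one-line comment there that the legacy tree is no longer imported would stop someone from re-enabling them.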
diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
new file mode 100644
index 0000000..1d1f830
--- /dev/null
+++ b/nixos/modules/common.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }: {
+ imports = [ ./ssh.nix ];
+
+ nixpkgs.config.allowUnfree = true;
+ i18n.defaultLocale = "en_US.UTF-8";
+ kevin.ssh.server.enable = true;
+
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "de";
+ };
+
+ services.xserver.layout = "de";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ curl
+ tmux
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}
\ No newline at end of file
diff --git a/nixos/modules/firewall/kde-connect.nix b/nixos/modules/firewall/kde-connect.nix
new file mode 100644
index 0000000..8dfb420
--- /dev/null
+++ b/nixos/modules/firewall/kde-connect.nix
@@ -0,0 +1,5 @@
+{
+ networking.firewall.allowedUDPPortRanges = [
+ { from = 1714; to = 1764; }
+ ];
+}
\ No newline at end of file
diff --git a/nixos/modules/firewall/syncthing.nix b/nixos/modules/firewall/syncthing.nix
new file mode 100644
index 0000000..d3d4ef1
--- /dev/null
+++ b/nixos/modules/firewall/syncthing.nix
@@ -0,0 +1,4 @@
+{
+ networking.firewall.allowedTCPPorts = [ 22000 ];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+}
\ No newline at end of file
diff --git a/nixos/modules/firewall/wireguard.nix b/nixos/modules/firewall/wireguard.nix
new file mode 100644
index 0000000..f6e9776
--- /dev/null
+++ b/nixos/modules/firewall/wireguard.nix
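Review bot: kde-connect.nix opens only the UDP range 1714-1764, but KDE Connect also uses the same TCP range for pairing and transfers, so with this module alone discovery works and the actual connection is blocked; either add `networking.firewall.allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];` or use `programs.kdeconnect.enable`, which opens both ranges and installs the package. Along the same line, syncthing.nix hand-opens 22000/21027 while configuration.nix already enables `services.syncthing`, which has `openDefaultPorts` for exactly that. Both firewall modules are imported unconditionally from configuration.nix, so the ports stay open whether or not the programs run; a comment such as `# ports are open regardless of whether syncthing/kdeconnect is running` keeps that visible.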
@@ -0,0 +1,22 @@
+{ lib, ... }:
+let
+ wireguardPort = 51820;
+in
+{
+ networking.firewall = {
+ # if packets are still dropped, they will show up in dmesg
+ logReversePathDrops = true;
+
+ allowedUDPPorts = [ wireguardPort ];
+
+ # wireguard trips rpfilter up
+ extraCommands = ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN
+ '';
+ extraStopCommands = ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN || true
+ '';
+ };
+}
\ No newline at end of file
diff --git a/nixos/modules/gnome.nix b/nixos/modules/gnome.nix
new file mode 100644
index 0000000..655d4eb
--- /dev/null
+++ b/nixos/modules/gnome.nix
@@ -0,0 +1,12 @@
+{pkgs, ...}:
+{
+ services.xserver.enable = true;
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+ services.flatpak.enable = true;
+
+ environment.systemPackages = [
+ pkgs.gnome.gnome-tweaks
+ pkgs.gnome.dconf-editor
+ ];
+}
\ No newline at end of file
diff --git a/nixos/modules/kevin/audio.nix b/nixos/modules/kevin/audio.nix
deleted file mode 100644
index 27cb30c..0000000
--- a/nixos/modules/kevin/audio.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-let
- cfg = config.kevin.audio;
-in {
- options.kevin.audio = {
- enable = mkEnableOption "kevins audio";
- };
-
- config = mkIf cfg.enable (mkMerge [
- ({
- hardware.pulseaudio.enable = false;
- security.rtkit.enable = true;
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- jack.enable = true;
- };
- })
- ]);
-}
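Review bot: The `extraCommands` rules match on `--sport`/`--dport` 51820 only, so they exempt every UDP packet on that port, arriving on any interface, from `nixos-fw-rpfilter`, not just WireGuard traffic; that is the usual workaround, but the `# wireguard trips rpfilter up` comment should state the scope, e.g. `# any UDP packet on the wireguard port bypasses rp_filter on every interface`. Nothing in this commit defines a WireGuard interface (configuration.nix only imports this firewall module), so UDP 51820 is opened with no listener behind it; if this host is a client only, the `allowedUDPPorts = [ wireguardPort ];` line is not needed. The `{ lib, ... }:` argument is unused in this module.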
diff --git a/nixos/modules/kevin/networking.nix b/nixos/modules/kevin/networking.nix
deleted file mode 100644
index a569563..0000000
--- a/nixos/modules/kevin/networking.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-let
- cfg = config.kevin.networking;
-in {
- options.kevin.networking = {
- enable = mkEnableOption "kevins networking";
- avahi.enable = mkEnableOption "avahi";
- ssh.enable = mkEnableOption "ssh";
- firewall.wireguard = mkEnableOption "wireguard exceptions";
- firewall.wireguardPort = mkOption {
- type = types.int;
- default = 51820;
- description = "Port used by your Wireguard";
- };
- firewall.syncthing = mkEnableOption "syncthing exceptions";
- firewall.kdeConnect = mkEnableOption "KDE Connect exceptions";
- };
-
- config = mkIf cfg.enable (mkMerge [
- (mkIf cfg.avahi.enable {
- services.avahi = {
- enable = true;
- nssmdns = true;
- publish.enable = true;
- publish.domain = true;
- publish.addresses = true;
- publish.workstation = true;
- publish.userServices = true;
- };
-
- networking.firewall.allowedUDPPorts = [ 5353 ];
- })
- (mkIf cfg.ssh.enable {
- services.openssh = {
- enable = true;
- # require public key authentication for better security
- passwordAuthentication = false;
- kbdInteractiveAuthentication = false;
- #permitRootLogin = "yes";
- };
-
- networking.firewall.allowedTCPPorts = [ 22 ];
- })
- (mkIf cfg.firewall.wireguard {
- networking.firewall = {
- # if packets are still dropped, they will show up in dmesg
- logReversePathDrops = true;
-
- allowedUDPPorts = [ cfg.firewall.wireguardPort ];
-
-
- # wireguard trips rpfilter up
- extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN
- '';
- extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN || true
- '';
- };
- })
- (mkIf cfg.firewall.syncthing {
- networking.firewall.allowedTCPPorts = [ 22000 ];
- networking.firewall.allowedUDPPorts = [ 22000 21027 ];
- })
- (mkIf cfg.firewall.kdeConnect {
- networking.firewall.allowedUDPPortRanges = [
- { from = 1714; to = 1764; }
- ];
- })
- ]);
-}
diff --git a/nixos/modules/kevin/power.nix b/nixos/modules/kevin/power.nix
deleted file mode 100644
index 43814bd..0000000
--- a/nixos/modules/kevin/power.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-let
- cfg = config.kevin.power;
-in {
- options.kevin.power = {
- mode = mkOption {
- type = types.enum [ "desktop" "laptop" ];
- default = "desktop";
- };
- };
-
- config = mkMerge [
- (mkIf (cfg.mode == "laptop") {
- powerManagement.powertop.enable = true;
- services.thermald.enable = true;
- services.power-profiles-daemon.enable = false;
-
- services.tlp = {
- enable = true;
- settings = {
- START_CHARGE_THRESH_BAT0 = 85;
- STOP_CHARGE_THRESH_BAT0 = 90;
-
- CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
- CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
-
- CPU_SCALING_MIN_FREQ_ON_AC = 800000;
- CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
- CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
- CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
-
- # Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
- # A value of 0 disables, >=1 enables power saving (recommended: 1).
- # Default: 0 (AC), 1 (BAT)
- SOUND_POWER_SAVE_ON_AC = 0;
- SOUND_POWER_SAVE_ON_BAT = 1;
-
- # Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
- # Default: on (AC), auto (BAT)
- RUNTIME_PM_ON_AC = "on";
- RUNTIME_PM_ON_BAT = "auto";
-
- # Battery feature drivers: 0=disable, 1=enable
- # Default: 1 (all)
- NATACPI_ENABLE = 1;
- TPACPI_ENABLE = 1;
- TPSMAPI_ENABLE = 1;
- };
-
- };
-
- boot.extraModprobeConfig = lib.mkMerge [
- # idle audio card after one second
- "options snd_hda_intel power_save=1"
- # enable wifi power saving (keep uapsd off to maintain low latencies)
- "options iwlwifi power_save=1 uapsd_disable=1"
- ];
-
- boot.initrd.availableKernelModules = [
- "thinkpad_acpi"
- ];
-
- boot.kernelParams = ["intel_pstate=disable"];
- boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
-
- services.udev.extraRules = lib.mkMerge [
- # autosuspend USB devices
- ''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
- # autosuspend PCI devices
- ''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
- # disable Ethernet Wake-on-LAN
- ''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
- ];
- services.upower.enable = true;
- })
- ];
-}
diff --git a/nixos/modules/kevin/yubikey.nix b/nixos/modules/kevin/yubikey.nix
deleted file mode 100644
index d54ab8a..0000000
--- a/nixos/modules/kevin/yubikey.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-let
- cfg = config.kevin.yubikey;
-in {
- options.kevin.yubikey = {
- enable = mkEnableOption "yubikey setup";
- };
-
- config = mkIf cfg.enable (mkMerge [
- ({
- security.pam.yubico = {
- enable = true;
- debug = false;
- mode = "challenge-response";
- };
-
- services.udev.packages = [ pkgs.yubikey-personalization ];
- })
- ]);
-}
diff --git a/nixos/modules/pipewire.nix b/nixos/modules/pipewire.nix
new file mode 100644
index 0000000..1a2be1c
--- /dev/null
+++ b/nixos/modules/pipewire.nix
@@ -0,0 +1,11 @@
+{
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+}
\ No newline at end of file
diff --git a/nixos/modules/power/thinkpad.nix b/nixos/modules/power/thinkpad.nix
new file mode 100644
index 0000000..9e1bff4
--- /dev/null
+++ b/nixos/modules/power/thinkpad.nix
@@ -0,0 +1,63 @@
+{ lib, pkgs, ... }: {
+ powerManagement.powertop.enable = true;
+ services.thermald.enable = true;
+ services.power-profiles-daemon.enable = false;
+
+ services.tlp = {
+ enable = true;
+ settings = {
+ START_CHARGE_THRESH_BAT0 = 85;
+ STOP_CHARGE_THRESH_BAT0 = 90;
+
+ CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
+ CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
+
+ CPU_SCALING_MIN_FREQ_ON_AC = 800000;
+ CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
+ CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
+ CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
+
+ # Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+ # A value of 0 disables, >=1 enables power saving (recommended: 1).
+ # Default: 0 (AC), 1 (BAT)
+ SOUND_POWER_SAVE_ON_AC = 0;
+ SOUND_POWER_SAVE_ON_BAT = 1;
+
+ # Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
+ # Default: on (AC), auto (BAT)
+ RUNTIME_PM_ON_AC = "on";
+ RUNTIME_PM_ON_BAT = "auto";
+
+ # Battery feature drivers: 0=disable, 1=enable
+ # Default: 1 (all)
+ NATACPI_ENABLE = 1;
+ TPACPI_ENABLE = 1;
+ TPSMAPI_ENABLE = 1;
+ };
+
+ };
+
+ boot.extraModprobeConfig = lib.mkMerge [
+ # idle audio card after one second
+ "options snd_hda_intel power_save=1"
+ # enable wifi power saving (keep uapsd off to maintain low latencies)
+ "options iwlwifi power_save=1 uapsd_disable=1"
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "thinkpad_acpi"
+ ];
+
+ boot.kernelParams = ["intel_pstate=disable"];
+ boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
+
+ services.udev.extraRules = lib.mkMerge [
+ # autosuspend USB devices
+ ''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
+ # autosuspend PCI devices
+ ''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
+ # disable Ethernet Wake-on-LAN
+ ''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
+ ];
+ services.upower.enable = true;
+}
\ No newline at end of file
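Review bot: The `CPU_SCALING_MIN_FREQ_ON_AC` … `CPU_SCALING_MAX_FREQ_ON_BAT` values (800000 to 2201000) in `services.tlp.settings` are limits for one specific CPU, yet the module is the generic `power/thinkpad.nix` imported from the machine config; on another ThinkPad TLP would clamp to numbers that do not match the hardware. Either move those four lines into nixos/kevin-tp/configuration.nix or add `# frequency limits below are specific to the kevin-tp CPU; adjust per machine` above them. The udev rules set autosuspend on every USB and PCI device and disable WoL on all `enp*` links; a comment that USB input devices can need an exception here would save the next debugging session.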
diff --git a/nixos/modules/kevin/ssh.nix b/nixos/modules/ssh.nix
similarity index 77%
rename from nixos/modules/kevin/ssh.nix
rename to nixos/modules/ssh.nix
index 54fb5c2..49fde16 100644
--- a/nixos/modules/kevin/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -4,10 +4,6 @@ let
 cfg = config.kevin.ssh;
 authorizedOpts = {name, config, ...}: {
 options = {
-/*name = mkOption {
-type = types.passwdEntry types.str;
-description = "Name of the user. Must be the name of a directory in /etc/nixos/ssh";
-};*/
 users = mkOption {
 type = with types; listOf types.str;
 default = [];
@@ -37,7 +33,17 @@ in {
 config = mkMerge [
 (mkIf cfg.server.enable {
-kevin.networking.ssh.enable = true;
+services.openssh = {
+enable = true;
+# require public key authentication for better security
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+};
+#permitRootLogin = "yes";
+};
+
+networking.firewall.allowedTCPPorts = [ 22 ];
 })
 {
 users.users = mkMerge (map (name: (
diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix
new file mode 100644
index 0000000..87bc56f
--- /dev/null
+++ b/nixos/modules/users.nix
@@ -0,0 +1,11 @@
+{
+ imports = [ ./ssh.nix ];
+
+ users.users.kevin = {
+ isNormalUser = true;
+ description = "Kevin Kandlbinder";
+ extraGroups = [ "wheel" "docker" "dialout" "networkmanager" "floppy" "audio" "lp" "cdrom" "tape" "video" "render" ];
+ };
+
+ kevin.ssh.authorized.kevin.users = ["kevin" "root"];
+}
\ No newline at end of file
diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix
new file mode 100644
index 0000000..30bcfdd
--- /dev/null
+++ b/nixos/modules/yubikey.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+ security.pam.yubico = {
+ enable = true;
+ debug = false;
+ mode = "challenge-response";
+ };
+
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+}
\ No newline at end of file
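Review bot: The leftover `#permitRootLogin = "yes";` inside the new `services.openssh` block is stale in two ways: with the `settings`-style module the key is `settings.PermitRootLogin`, and nixos/modules/users.nix in this same commit installs kevin's key for `root` (`kevin.ssh.authorized.kevin.users = ["kevin" "root"]`), so key-based root login is live under the module's default (`prohibit-password`) without anyone having decided it. Pin the intent next to the other two settings, `PermitRootLogin = "prohibit-password";` (or `"no"` if root should only be reached via `wheel`), and delete the dead comment. `networking.firewall.allowedTCPPorts = [ 22 ];` duplicates `services.openssh.openFirewall`, which is on by default, so one of the two can go. The enclosing `config = mkMerge [` list continues outside the hunk.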
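Review bot: `extraGroups` in users.nix adds kevin to `docker`, which is root-equivalent through the Docker socket (configuration.nix enables `virtualisation.docker`), on top of `wheel`; `floppy`, `tape` and `cdrom` read like a legacy desktop group list rather than anything this laptop needs. A one-line comment such as `# docker group is root-equivalent; wheel already grants admin` keeps the trade-off visible, and dropping the unused groups shrinks what a compromised session can reach. The module also imports ./ssh.nix, as common.nix does; harmless under the module system, but one import site is enough.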
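Review bot: yubikey.nix enables `security.pam.yubico` in challenge-response mode without setting `control`, whose NixOS default is `sufficient`; with that, possession of the key alone satisfies PAM and no password is asked, so this is single-factor (something you have), not key plus password. If two factors are intended, add `control = "required";` next to `mode`; if passwordless unlock with the key is the goal, say so in a comment so it is not mistaken for 2FA. `debug = false;` is already the default and can be dropped.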