kevin/dotfiles
1
0
Fork 0
mirror of https://github.com/Unkn0wnCat/dotfiles.git synced 2025-05-02 11:25:53 +02:00
Code Issues Projects Releases Wiki Activity

Switch to flake-based configuration

Browse source
This commit is contained in:
Kevin Kandlbinder 2023-02-27 13:34:57 +00:00
parent fad1c56a56
commit f17713236d
25 changed files with 578 additions and 216 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
flake.lock generated Normal file
View file

@ -0,0 +1,152 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1675933616,
"narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "47478a4a003e745402acf63be7f9a092d51b83d7",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1677499486,
"narHash": "sha256-1QbZfuF+3ACjb22ZTZ1nlCTNCvY370g0D6cPEDZk0CI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "635bbcdd6f8e11799f31d004f933fdb9cd3fff5d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1677407201,
"narHash": "sha256-3blwdI9o1BAprkvlByHvtEm5HAIRn/XPjtcfiunpY7s=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7f5639fa3b68054ca0b062866dc62b22c3f11505",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1675183161,
"narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1677367679,
"narHash": "sha256-pOMXi7F9tcHls06Qv+7XCPASTJeXu47Jhd0Pk9du8T4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ea736343e4d4a052e023d54b23334cf685de479c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1677352614,
"narHash": "sha256-VYo1cSiCHDXZrHO8pb0c9EGob7C75lCPx1jBMi9UAlU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bf592ea571b11dfee17a74d022f0b481ca5f1319",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1677381477,
"narHash": "sha256-NLzWgll+Q0Af8gI1ha34OHt7Y1GtOMYhCWQWV9LXE9Y=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "83fe25c8019db8216f5c6ffc65b394707784b4f3",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

30
flake.nix Normal file
View file

@ -0,0 +1,30 @@
{
description = "Kevin's NixOS configurations";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = github:Mic92/sops-nix;
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs@{ self, flake-parts, ... }:
(flake-parts.lib.evalFlakeModule
{ inherit inputs; }
{
imports = [
./nixos/flake-module.nix
];
systems = [ "x86_64-linux" ];
perSystem = { config, self', inputs', pkgs, system, ... }: {
# Per-system attributes can be defined here. The self' and inputs'
# module parameters provide easy access to attributes of the same
# system.
# Equivalent to inputs'.nixpkgs.legacyPackages.hello;
# packages.default = pkgs.hello;
};
}).config.flake;
}

34
nixos/flake-module.nix Normal file
View file

@ -0,0 +1,34 @@
{self, inputs, ...}:
let
inherit (inputs.nixpkgs) lib;
inherit (inputs) nixpkgs;
defaultModules = [
{
_module.args.self = self;
_module.args.inputs = self.inputs;
}
({ ... }: {
#srvos.flake = self;
#documentation.info.enable = false;
#services.envfs.enable = true;
imports = [
#inputs.sops-nix.nixosModules.sops
./modules/users.nix
./modules/common.nix
];
})
];
in
{
flake.nixosConfigurations = {
kevin-tp = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
inputs.home-manager.nixosModules.home-manager
./kevin-tp/configuration.nix
];
};
};
}

17
nixos/install.sh
View file

@ -11,16 +11,13 @@ DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
echo "Installing NixOS modules..." echo "Installing NixOS modules..."
if [ -d /etc/nixos/modules ]; then
echo "Directory /etc/nixos/modules exists - skipping."
else
sudo ln -s $DIR/modules /etc/nixos/modules || echo "Could not link modules"
fi
if [ -d /etc/nixos/ssh ]; then sudo cp -r $DIR/../* /etc/nixos/ || echo "Could not copy modules"
echo "Directory /etc/nixos/ssh exists - skipping."
else #if [ -d /etc/nixos/ssh ]; then
sudo ln -s $DIR/../ssh /etc/nixos/ssh || echo "Could not link ssh assets" # echo "Directory /etc/nixos/ssh exists - skipping."
fi #else
# sudo ln -s $DIR/../ssh /etc/nixos/ssh || echo "Could not link ssh assets"
#fi
echo "Done." echo "Done."

124
nixos/kevin-tp/configuration.nix Normal file
View file

@ -0,0 +1,124 @@
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
../modules/gnome.nix
../modules/pipewire.nix
../modules/avahi.nix
../modules/firewall/kde-connect.nix
../modules/firewall/syncthing.nix
../modules/firewall/wireguard.nix
../modules/power/thinkpad.nix
../modules/yubikey.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/0412bb67-c6c7-42fd-a532-ced413d1203d";
preLVM = true;
};
};
boot.initrd.kernelModules = [
"aesni_intel"
"cryptd"
"essiv"
];
networking.hostName = "kevin-tp";
networking.hostId = "2d62d680";
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.networkmanager.enable = true;
environment.systemPackages = with pkgs; [
firefox
league-of-moveable-type
hunspell
hunspellDicts.de_DE
];
programs.gnupg.agent = {
enable = true;
# enableSSHSupport = true;
};
services.xserver.libinput.enable = true;
hardware.opengl.extraPackages = with pkgs; [
vaapiIntel
libvdpau-va-gl
intel-media-driver
];
boot.kernel.sysctl = {
"vm.swappiness" = 1;
"vm.vfs_cache_pressure" = 50;
"vm.dirty_background_ratio" = 20;
"vm.dirty_ratio" = 50;
# these are the zen-kernel tweaks to CFS defaults (mostly)
"kernel.sched_latency_ns" = 4000000;
# should be one-eighth of sched_latency (this ratio is not
# configurable, apparently -- so while zen changes that to
# one-tenth, we cannot):
"kernel.sched_min_granularity_ns" = 500000;
"kernel.sched_wakeup_granularity_ns" = 50000;
"kernel.sched_migration_cost_ns" = 250000;
"kernel.sched_cfs_bandwidth_slice_us" = 3000;
"kernel.sched_nr_migrate" = 128;
};
systemd = {
extraConfig = ''
DefaultCPUAccounting=yes
DefaultMemoryAccounting=yes
DefaultIOAccounting=yes
'';
user.extraConfig = ''
DefaultCPUAccounting=yes
DefaultMemoryAccounting=yes
DefaultIOAccounting=yes
'';
services."user@".serviceConfig.Delegate = true;
};
systemd.services.nix-daemon.serviceConfig = {
CPUWeight = 20;
IOWeight = 20;
};
boot.kernelParams = ["cgroup_no_v1=all" "systemd.unified_cgroup_hierarchy=yes"];
services.syncthing = {
enable = true;
user = "kevin";
dataDir = "/home/kevin/Syncthing";
configDir = "/home/kevin/Syncthing/.config/syncthing";
};
services.fwupd.enable = true;
hardware.cpu.intel.updateMicrocode = true;
boot.supportedFilesystems = [ "ntfs" ];
services.printing.enable = true;
virtualisation.docker.enable = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
#kevin.defaults = "laptop";
#system.copySystemConfiguration = true;
system.stateVersion = "23.05"; # No touchy. Locks defaults.
}

42
nixos/kevin-tp/hardware-configuration.nix Normal file
View file

@ -0,0 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e67b8d34-06ca-4a6e-a82c-9a8eafa38d0d";
fsType = "ext4";
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/BD90-5288";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/603d952f-99a3-413d-b499-c15b8b91eebf"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

0
nixos/modules/default.nix → nixos/legacy/modules/default.nix
View file

10
nixos/modules/kevin/default.nix → nixos/legacy/modules/kevin/default.nix
View file

@ -46,7 +46,7 @@ in {
kevin.audio.enable = true; kevin.audio.enable = true;
kevin.desktop.enable = true; kevin.desktop.enable = true;
kevin.desktop.type = "gnome"; kevin.desktop.type = "gnome";
kevin.yubikey.enable = true; #kevin.yubikey.enable = true;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
@ -98,7 +98,7 @@ in {
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest; hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
}) })
(mkIf (cfg.defaults == "laptop") { (mkIf (cfg.defaults == "laptop") {
kevin.power.mode = "laptop"; #kevin.power.mode = "laptop";
networking.hostName = "kevin-tp-l580"; networking.hostName = "kevin-tp-l580";
services.xserver.libinput.enable = true; services.xserver.libinput.enable = true;
@ -110,9 +110,9 @@ in {
]; ];
specialisation.xmonad.configuration = { #specialisation.xmonad.configuration = {
kevin.desktop.type = mkForce "xmonad"; # kevin.desktop.type = mkForce "xmonad";
}; #};
boot.kernel.sysctl = { boot.kernel.sysctl = {

0
nixos/modules/kevin/desktop.nix → nixos/legacy/modules/kevin/desktop.nix
View file

0
nixos/modules/kevin/xmonad/polybar/config.ini → nixos/legacy/modules/kevin/xmonad/polybar/config.ini
View file

13
nixos/modules/avahi.nix Normal file
View file

@ -0,0 +1,13 @@
{
services.avahi = {
enable = true;
nssmdns = true;
publish.enable = true;
publish.domain = true;
publish.addresses = true;
publish.workstation = true;
publish.userServices = true;
};
networking.firewall.allowedUDPPorts = [ 5353 ];
}

23
nixos/modules/common.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs, ... }: {
imports = [ ./ssh.nix ];
nixpkgs.config.allowUnfree = true;
i18n.defaultLocale = "en_US.UTF-8";
kevin.ssh.server.enable = true;
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
services.xserver.layout = "de";
environment.systemPackages = with pkgs; [
vim
wget
curl
tmux
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
}

5
nixos/modules/firewall/kde-connect.nix Normal file
View file

@ -0,0 +1,5 @@
{
networking.firewall.allowedUDPPortRanges = [
{ from = 1714; to = 1764; }
];
}

4
nixos/modules/firewall/syncthing.nix Normal file
View file

@ -0,0 +1,4 @@
{
networking.firewall.allowedTCPPorts = [ 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
}

22
nixos/modules/firewall/wireguard.nix Normal file
View file

@ -0,0 +1,22 @@
{ lib, ... }:
let
wireguardPort = 51820;
in
{
networking.firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
allowedUDPPorts = [ wireguardPort ];
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString wireguardPort} -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString wireguardPort} -j RETURN || true
'';
};
}

12
nixos/modules/gnome.nix Normal file
View file

@ -0,0 +1,12 @@
{pkgs, ...}:
{
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.flatpak.enable = true;
environment.systemPackages = [
pkgs.gnome.gnome-tweaks
pkgs.gnome.dconf-editor
];
}

23
nixos/modules/kevin/audio.nix
View file

@ -1,23 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.kevin.audio;
in {
options.kevin.audio = {
enable = mkEnableOption "kevins audio";
};
config = mkIf cfg.enable (mkMerge [
({
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
})
]);
}

74
nixos/modules/kevin/networking.nix
View file

@ -1,74 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.kevin.networking;
in {
options.kevin.networking = {
enable = mkEnableOption "kevins networking";
avahi.enable = mkEnableOption "avahi";
ssh.enable = mkEnableOption "ssh";
firewall.wireguard = mkEnableOption "wireguard exceptions";
firewall.wireguardPort = mkOption {
type = types.int;
default = 51820;
description = "Port used by your Wireguard";
};
firewall.syncthing = mkEnableOption "syncthing exceptions";
firewall.kdeConnect = mkEnableOption "KDE Connect exceptions";
};
config = mkIf cfg.enable (mkMerge [
(mkIf cfg.avahi.enable {
services.avahi = {
enable = true;
nssmdns = true;
publish.enable = true;
publish.domain = true;
publish.addresses = true;
publish.workstation = true;
publish.userServices = true;
};
networking.firewall.allowedUDPPorts = [ 5353 ];
})
(mkIf cfg.ssh.enable {
services.openssh = {
enable = true;
# require public key authentication for better security
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
#permitRootLogin = "yes";
};
networking.firewall.allowedTCPPorts = [ 22 ];
})
(mkIf cfg.firewall.wireguard {
networking.firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
allowedUDPPorts = [ cfg.firewall.wireguardPort ];
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.firewall.wireguardPort} -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.firewall.wireguardPort} -j RETURN || true
'';
};
})
(mkIf cfg.firewall.syncthing {
networking.firewall.allowedTCPPorts = [ 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
})
(mkIf cfg.firewall.kdeConnect {
networking.firewall.allowedUDPPortRanges = [
{ from = 1714; to = 1764; }
];
})
]);
}

78
nixos/modules/kevin/power.nix
View file

@ -1,78 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.kevin.power;
in {
options.kevin.power = {
mode = mkOption {
type = types.enum [ "desktop" "laptop" ];
default = "desktop";
};
};
config = mkMerge [
(mkIf (cfg.mode == "laptop") {
powerManagement.powertop.enable = true;
services.thermald.enable = true;
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 85;
STOP_CHARGE_THRESH_BAT0 = 90;
CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_SCALING_MIN_FREQ_ON_AC = 800000;
CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
# A value of 0 disables, >=1 enables power saving (recommended: 1).
# Default: 0 (AC), 1 (BAT)
SOUND_POWER_SAVE_ON_AC = 0;
SOUND_POWER_SAVE_ON_BAT = 1;
# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
# Default: on (AC), auto (BAT)
RUNTIME_PM_ON_AC = "on";
RUNTIME_PM_ON_BAT = "auto";
# Battery feature drivers: 0=disable, 1=enable
# Default: 1 (all)
NATACPI_ENABLE = 1;
TPACPI_ENABLE = 1;
TPSMAPI_ENABLE = 1;
};
};
boot.extraModprobeConfig = lib.mkMerge [
# idle audio card after one second
"options snd_hda_intel power_save=1"
# enable wifi power saving (keep uapsd off to maintain low latencies)
"options iwlwifi power_save=1 uapsd_disable=1"
];
boot.initrd.availableKernelModules = [
"thinkpad_acpi"
];
boot.kernelParams = ["intel_pstate=disable"];
boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
services.udev.extraRules = lib.mkMerge [
# autosuspend USB devices
''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
# autosuspend PCI devices
''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
# disable Ethernet Wake-on-LAN
''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
];
services.upower.enable = true;
})
];
}

21
nixos/modules/kevin/yubikey.nix
View file

@ -1,21 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.kevin.yubikey;
in {
options.kevin.yubikey = {
enable = mkEnableOption "yubikey setup";
};
config = mkIf cfg.enable (mkMerge [
({
security.pam.yubico = {
enable = true;
debug = false;
mode = "challenge-response";
};
services.udev.packages = [ pkgs.yubikey-personalization ];
})
]);
}

11
nixos/modules/pipewire.nix Normal file
View file

@ -0,0 +1,11 @@
{
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
}

63
nixos/modules/power/thinkpad.nix Normal file
View file

@ -0,0 +1,63 @@
{ lib, pkgs, ... }: {
powerManagement.powertop.enable = true;
services.thermald.enable = true;
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 85;
STOP_CHARGE_THRESH_BAT0 = 90;
CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_SCALING_MIN_FREQ_ON_AC = 800000;
CPU_SCALING_MAX_FREQ_ON_AC = 2201000;
CPU_SCALING_MIN_FREQ_ON_BAT = 400000;
CPU_SCALING_MAX_FREQ_ON_BAT = 2100000;
# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
# A value of 0 disables, >=1 enables power saving (recommended: 1).
# Default: 0 (AC), 1 (BAT)
SOUND_POWER_SAVE_ON_AC = 0;
SOUND_POWER_SAVE_ON_BAT = 1;
# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
# Default: on (AC), auto (BAT)
RUNTIME_PM_ON_AC = "on";
RUNTIME_PM_ON_BAT = "auto";
# Battery feature drivers: 0=disable, 1=enable
# Default: 1 (all)
NATACPI_ENABLE = 1;
TPACPI_ENABLE = 1;
TPSMAPI_ENABLE = 1;
};
};
boot.extraModprobeConfig = lib.mkMerge [
# idle audio card after one second
"options snd_hda_intel power_save=1"
# enable wifi power saving (keep uapsd off to maintain low latencies)
"options iwlwifi power_save=1 uapsd_disable=1"
];
boot.initrd.availableKernelModules = [
"thinkpad_acpi"
];
boot.kernelParams = ["intel_pstate=disable"];
boot.kernelModules = ["acpi_call" "coretemp" "cpuid"];
services.udev.extraRules = lib.mkMerge [
# autosuspend USB devices
''ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto"''
# autosuspend PCI devices
''ACTION=="add", SUBSYSTEM=="pci", TEST=="power/control", ATTR{power/control}="auto"''
# disable Ethernet Wake-on-LAN
''ACTION=="add", SUBSYSTEM=="net", NAME=="enp*", RUN+="${pkgs.ethtool}/sbin/ethtool -s $name wol d"''
];
services.upower.enable = true;
}

16
nixos/modules/kevin/ssh.nix → nixos/modules/ssh.nix
View file

@ -4,10 +4,6 @@ let
cfg = config.kevin.ssh; cfg = config.kevin.ssh;
authorizedOpts = {name, config, ...}: { authorizedOpts = {name, config, ...}: {
options = { options = {
/*name = mkOption {
type = types.passwdEntry types.str;
description = "Name of the user. Must be the name of a directory in /etc/nixos/ssh";
};*/
users = mkOption { users = mkOption {
type = with types; listOf types.str; type = with types; listOf types.str;
default = []; default = [];
@ -37,7 +33,17 @@ in {
config = mkMerge [ config = mkMerge [
(mkIf cfg.server.enable { (mkIf cfg.server.enable {
kevin.networking.ssh.enable = true; services.openssh = {
enable = true;
# require public key authentication for better security
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
#permitRootLogin = "yes";
};
networking.firewall.allowedTCPPorts = [ 22 ];
}) })
{ {
users.users = mkMerge (map (name: ( users.users = mkMerge (map (name: (

11
nixos/modules/users.nix Normal file
View file

@ -0,0 +1,11 @@
{
imports = [ ./ssh.nix ];
users.users.kevin = {
isNormalUser = true;
description = "Kevin Kandlbinder";
extraGroups = [ "wheel" "docker" "dialout" "networkmanager" "floppy" "audio" "lp" "cdrom" "tape" "video" "render" ];
};
kevin.ssh.authorized.kevin.users = ["kevin" "root"];
}

9
nixos/modules/yubikey.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }: {
security.pam.yubico = {
enable = true;
debug = false;
mode = "challenge-response";
};
services.udev.packages = [ pkgs.yubikey-personalization ];
}