diff --git a/flake.lock b/flake.lock index 2067e040..6453851f 100644 --- a/flake.lock +++ b/flake.lock @@ -179,6 +179,21 @@ } }, "flake-compat_3": { + "locked": { + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1696426674, @@ -490,13 +505,30 @@ "type": "github" } }, + "my-asahi-firmware": { + "flake": false, + "locked": { + "lastModified": 1752336609, + "narHash": "sha256-PeJXDQgKwmu6PEjEA+68I7nIOTTpwUUyO1b5PpQg4gc=", + "ref": "refs/heads/main", + "rev": "981583c8e101967ef6a66388ade54cab751f3a02", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/ryan4yin/asahi-firmware.git" + }, + "original": { + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/ryan4yin/asahi-firmware.git" + } + }, "mysecrets": { "flake": false, "locked": { - "lastModified": 1749276041, - "narHash": "sha256-K7+0mEQidqSilW9Q2vgZpEoK+a+oVlVP21aTui8GDjw=", + "lastModified": 1752342599, + "narHash": "sha256-T447GS/UoNgqTsm286Fv3X5mpLFcx6SocoUn2OMOW08=", "ref": "refs/heads/main", - "rev": "6339faf0195d803c9ff4a2df6f6810be8101bf96", + "rev": "a914c8281a8ad1df332cfcaf9a1024ecb7ccd9d3", "shallow": true, "type": "git", "url": "ssh://git@github.com/ryan4yin/nix-secrets.git" 
@@ -563,6 +595,28 @@ "type": "github" } }, + "nixos-apple-silicon": { + "inputs": { + "flake-compat": "flake-compat_3", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1751622568, + "narHash": "sha256-EE3NBsej517VRa1x+ylAghrvngftxf1KgfHlE9OYyXE=", + "owner": "nix-community", + "repo": "nixos-apple-silicon", + "rev": "eba4b40c816e5aff8951ae231ac237e8aab8ec1d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-apple-silicon", + "rev": "eba4b40c816e5aff8951ae231ac237e8aab8ec1d", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -584,22 +638,6 @@ "type": "github" } }, - "nixos-hardware": { - "locked": { - "lastModified": 1752048960, - "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, "nixpak": { "inputs": { "flake-parts": "flake-parts_4", @@ -805,7 +843,7 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "gitignore": "gitignore_2", "nixpkgs": [ "nixpkgs" @@ -878,11 +916,12 @@ "haumea": "haumea", "home-manager": "home-manager_2", "lanzaboote": "lanzaboote", + "my-asahi-firmware": "my-asahi-firmware", "mysecrets": "mysecrets", "nix-darwin": "nix-darwin", "nix-gaming": "nix-gaming", + "nixos-apple-silicon": "nixos-apple-silicon", "nixos-generators": "nixos-generators", - "nixos-hardware": "nixos-hardware", "nixpak": "nixpak", "nixpkgs": "nixpkgs_2", "nixpkgs-darwin": "nixpkgs-darwin", diff --git a/flake.nix b/flake.nix index 672641d5..e4cb6c5f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -48,7 +48,6 @@ url = "github:lnl7/nix-darwin"; inputs.nixpkgs.follows = "nixpkgs-darwin"; }; - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; # home-manager, used for managing user configuration home-manager = { @@ -138,6 +137,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-apple-silicon = { + # 2025-07-04 + url = "github:nix-community/nixos-apple-silicon/eba4b40c816e5aff8951ae231ac237e8aab8ec1d"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ######################## Some non-flake repositories ######################################### polybar-themes = { @@ -154,6 +159,11 @@ flake = false; }; + my-asahi-firmware = { + url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1"; + flake = false; + }; + # my wallpapers wallpapers = { url = "github:ryan4yin/wallpapers"; diff --git a/hardening/bwraps/wechat.nix b/hardening/bwraps/wechat.nix index c407e583..7e8ed177 100644 --- a/hardening/bwraps/wechat.nix +++ b/hardening/bwraps/wechat.nix 
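Review bot: The `my-asahi-firmware` input pulls Apple's peripheral firmware into the Nix store over `git+ssh`, where it is world-readable like any other store path and will be uploaded with the rest of the closure if this host is ever pushed to a binary cache; a comment next to the input, e.g. `# Apple firmware extracted from macOS, private repo: do not push this closure to a public cache`, would prevent that happening by accident. The lock file pins the input by `rev` and `narHash`, so the missing `rev=` in the URL is not a reproducibility problem, but every machine that evaluates the flake (including any CI) now needs an SSH key with read access to that repository, which is worth stating alongside it.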
@@ -9,14 +9,30 @@ { appimageTools, fetchurl, + stdenvNoCC, }: let pname = "wechat"; # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix - version = "4.0.1.11"; - src = fetchurl { - url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage"; - hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo="; + sources = { + aarch64-linux = { + version = "4.0.1.11"; + src = fetchurl { + url = "https://web.archive.org/web/20250512112413if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage"; + hash = "sha256-Rg+FWNgOPC02ILUskQqQmlz1qNb9AMdvLcRWv7NQhGk="; + }; + }; + x86_64-linux = { + version = "4.0.1.11"; + src = fetchurl { + url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage"; + hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo="; + }; + }; }; + + inherit (stdenvNoCC.hostPlatform) system; + inherit (sources.${system} or (throw "Unsupported system: ${system}")) version src; + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/we/wechat/linux.nix appimageContents = appimageTools.extract { inherit pname version src; diff --git a/home/base/core/shells/default.nix b/home/base/core/shells/default.nix index 65adccf4..19138774 100644 --- a/home/base/core/shells/default.nix +++ b/home/base/core/shells/default.nix @@ -19,7 +19,7 @@ in { programs.nushell = { enable = true; - package = pkgs-unstable.nushell; + # package = pkgs-unstable.nushell; configFile.source = ./config.nu; inherit shellAliases; }; diff --git a/home/base/gui/dev-tools.nix b/home/base/gui/dev-tools.nix index b3975d0c..3ddc70a1 100644 --- a/home/base/gui/dev-tools.nix +++ b/home/base/gui/dev-tools.nix 
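Review bot: `version = "4.0.1.11"` is repeated inside both `sources` entries, so a future bump has to be made twice and can silently leave one architecture on the old release; hoisting it — `version = "4.0.1.11";` above `sources`, with each entry holding only `src` — removes that trap. The `hash` values are what actually pin the two binaries and the web.archive.org URLs are just a stable mirror, so a comment such as `# sha256 of the archived AppImage; guards against the mirror changing, not the original upload` would tell the next maintainer what the hash does and does not prove. The `appimageTools.extract` call continues past the end of the hunk.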
@@ -3,17 +3,20 @@ nur-ryan4yin, ... }: { - home.packages = with pkgs; [ - mitmproxy # http/https proxy tool - insomnia # REST client - wireshark # network analyzer + home.packages = with pkgs; + [ + mitmproxy # http/https proxy tool + wireshark # network analyzer - # IDEs - # jetbrains.idea-community + # IDEs + # jetbrains.idea-community - # AI cli tools - nur-ryan4yin.packages.${pkgs.system}.gemini-cli - k8sgpt - kubectl-ai # an ai helper opensourced by google - ]; + # AI cli tools + nur-ryan4yin.packages.${pkgs.system}.gemini-cli + k8sgpt + kubectl-ai # an ai helper opensourced by google + ] + ++ (lib.optionals pkgs.stdenv.isx86_64 [ + insomnia # REST client + ]); } diff --git a/home/base/gui/terminal/alacritty/default.nix b/home/base/gui/terminal/alacritty/default.nix index 73fe8719..903af212 100644 --- a/home/base/gui/terminal/alacritty/default.nix +++ b/home/base/gui/terminal/alacritty/default.nix @@ -26,7 +26,7 @@ { programs.alacritty = { enable = true; - package = pkgs-unstable.alacritty; + # package = pkgs-unstable.alacritty; # https://alacritty.org/config-alacritty.html settings = { window = { diff --git a/home/base/gui/terminal/foot.nix b/home/base/gui/terminal/foot.nix index b832f4d3..bb133b3c 100644 --- a/home/base/gui/terminal/foot.nix +++ b/home/base/gui/terminal/foot.nix @@ -17,7 +17,7 @@ main = { term = "foot"; # or "xterm-256color" for maximum compatibility font = "Maple Mono NF CN:size=14"; - dpi-aware = "yes"; + dpi-aware = "no"; # scale via window manager instead # Spawn a nushell in login mode via `bash` shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'"; diff --git a/home/base/tui/dev-tools.nix b/home/base/tui/dev-tools.nix index 2bc8793b..274b0107 100644 --- a/home/base/tui/dev-tools.nix +++ b/home/base/tui/dev-tools.nix @@ -18,8 +18,8 @@ colmena # nixos's remote deployment tool # db related - pkgs-unstable.mycli - pkgs-unstable.pgcli + mycli + pgcli mongosh sqlite 
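Review bot: `lib` is not in the argument set the hunk shows (`nur-ryan4yin, ...`), so unless it is declared on the two lines above the hunk, `lib.optionals` only resolves because the whole `[ ... ] ++ (...)` expression sits under `with pkgs;` and falls through to `pkgs.lib`; declaring `lib,` explicitly in the module arguments keeps this from breaking the first time that `with` is narrowed. Recent nixpkgs also deprecates the `stdenv.is*` shorthands and `pkgs.system` in favour of `pkgs.stdenv.hostPlatform.isx86_64` and `pkgs.stdenv.hostPlatform.system`, so the new condition and the `nur-ryan4yin.packages.${pkgs.system}` lookup can be expected to start emitting evaluation warnings.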
@@ -27,10 +27,10 @@ minicom # ai related - pkgs-unstable.python313Packages.huggingface-hub # huggingface-cli + python313Packages.huggingface-hub # huggingface-cli # misc - pkgs-unstable.devbox + devbox bfg-repo-cleaner # remove large files from git history k6 # load testing tool protobuf # protocol buffer compiler diff --git a/home/base/tui/encryption/default.nix b/home/base/tui/encryption/default.nix index 3ecaa864..01052571 100644 --- a/home/base/tui/encryption/default.nix +++ b/home/base/tui/encryption/default.nix @@ -5,7 +5,7 @@ }: { home.packages = with pkgs; [ age - pkgs-unstable.sops + sops rclone ]; } diff --git a/home/linux/gui/base/creative.nix b/home/linux/gui/base/creative.nix index c2aeb03c..d381269b 100644 --- a/home/linux/gui/base/creative.nix +++ b/home/linux/gui/base/creative.nix @@ -1,4 +1,5 @@ { + lib, pkgs, pkgs-unstable, # pkgs-stable, 
@@ -6,62 +7,69 @@ blender-bin, ... }: { - home.packages = with pkgs; [ - # creative - # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix - blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling - # gimp # image editing, I prefer using figma in browser instead of this one - inkscape # vector graphics - krita # digital painting - musescore # music notation - # reaper # audio production - # sonic-pi # music programming + home.packages = with pkgs; + [ + # creative + # gimp # image editing, I prefer using figma in browser instead of this one + inkscape # vector graphics + krita # digital painting + musescore # music notation + # reaper # audio production + # sonic-pi # music programming - # 2d game design - ldtk # A modern, versatile 2D level editor - # aseprite # Animated sprite editor & pixel art tool + # 2d game design + # aseprite # Animated sprite editor & pixel art tool - # this app consumes a lot of storage, so do not install it currently - # kicad # 3d printing, eletrical engineering + # this app consumes a lot of storage, so do not install it currently + # kicad # 3d printing, eletrical engineering + ] + ++ (lib.optionals pkgs.stdenv.isx86_64 [ + # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix + blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling - # fpga - pkgs-unstable.python313Packages.apycula # gowin fpga - pkgs-unstable.yosys # fpga synthesis - pkgs-unstable.nextpnr # fpga place and route - pkgs-unstable.openfpgaloader # fpga programming - # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ... - ]; + ldtk # A modern, versatile 2D level editor + + # fpga + python313Packages.apycula # gowin fpga + yosys # fpga synthesis + nextpnr # fpga place and route + openfpgaloader # fpga programming + # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ... 
+ ]); programs = { # live streaming obs-studio = { - enable = true; - plugins = with pkgs.obs-studio-plugins; [ - # screen capture - wlrobs - # obs-ndi - obs-vaapi - # obs-nvfbc - obs-teleport - # obs-hyperion - droidcam-obs - obs-vkcapture - obs-gstreamer - obs-3d-effect - input-overlay - obs-multi-rtmp - obs-source-clone - obs-shaderfilter - obs-source-record - obs-livesplit-one - looking-glass-obs - obs-vintage-filter - obs-command-source - obs-move-transition - obs-backgroundremoval - # advanced-scene-switcher - obs-pipewire-audio-capture - ]; + enable = pkgs.stdenv.isx86_64; + plugins = with pkgs.obs-studio-plugins; + [ + # screen capture + wlrobs + # obs-ndi + # obs-nvfbc + obs-teleport + # obs-hyperion + droidcam-obs + obs-vkcapture + obs-gstreamer + input-overlay + obs-multi-rtmp + obs-source-clone + obs-shaderfilter + obs-source-record + obs-livesplit-one + looking-glass-obs + obs-vintage-filter + obs-command-source + obs-move-transition + obs-backgroundremoval + # advanced-scene-switcher + obs-pipewire-audio-capture + ] + ++ (lib.optionals pkgs.stdenv.isx86_64 [ + obs-vaapi + obs-3d-effect + ]); }; }; } diff --git a/home/linux/gui/base/media.nix b/home/linux/gui/base/media.nix index c825877d..c3df5e56 100644 --- a/home/linux/gui/base/media.nix +++ b/home/linux/gui/base/media.nix @@ -6,22 +6,24 @@ }: # media - control and enjoy audio/video { - home.packages = with pkgs; [ - # audio control - pavucontrol - playerctl - pulsemixer - imv # simple image viewer + home.packages = with pkgs; + [ + # audio control + pavucontrol + playerctl + pulsemixer + imv # simple image viewer - # video/audio tools - libva-utils - vdpauinfo - vulkan-tools - glxinfo - nvitop - - (zoom-us.override {hyprlandXdgDesktopPortalSupport = true;}) - ]; + # video/audio tools + libva-utils + vdpauinfo + vulkan-tools + glxinfo + nvitop + ] + ++ (lib.optionals pkgs.stdenv.isx86_64 [ + (zoom-us.override {hyprlandXdgDesktopPortalSupport = true;}) + ]); programs.mpv = { enable = true; 
diff --git a/home/linux/gui/base/note-taking.nix b/home/linux/gui/base/note-taking.nix index 0330540a..ec38a623 100644 --- a/home/linux/gui/base/note-taking.nix +++ b/home/linux/gui/base/note-taking.nix @@ -1,7 +1,7 @@ -{pkgs-stable, ...}: { - home.packages = with pkgs-stable; [ +{pkgs, ...}: { + home.packages = with pkgs; (lib.optionals pkgs.stdenv.isx86_64 [ # https://joplinapp.org/help/ joplin # joplin-cli joplin-desktop - ]; + ]); } diff --git a/home/linux/gui/hyprland/values/wayland-apps.nix b/home/linux/gui/hyprland/values/wayland-apps.nix index c5032089..98375cb2 100644 --- a/home/linux/gui/hyprland/values/wayland-apps.nix +++ b/home/linux/gui/hyprland/values/wayland-apps.nix @@ -12,7 +12,7 @@ programs = { # source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix google-chrome = { - enable = true; + enable = pkgs.stdenv.isx86_64; package = pkgs-stable.google-chrome; # https://wiki.archlinux.org/title/Chromium#Native_Wayland_support diff --git a/hosts/12kingdoms-shoukei/README.md b/hosts/12kingdoms-shoukei/README.md index 05981f25..049758ad 100644 --- a/hosts/12kingdoms-shoukei/README.md +++ b/hosts/12kingdoms-shoukei/README.md @@ -1,16 +1,8 @@ # Host - Shoukei -This is NixOS's configuration for my Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD. +This is NixOS's configuration for my Macbook Pro 2022 M2, 16G RAM. Related: - [/nixos-installer/README.shoukei.md](/nixos-installer/README.shoukei.md) -- -- - -TODOs: - -- [ ] Resume from suspend(close the lid) doesn't work -- [ ] Show battery percentage in i3blocks/waybar -- [ ] Touchbar unusable some times - - It works on boot, but after a while it stops working +- https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md diff --git a/hosts/12kingdoms-shoukei/apple-set-os-loader.nix b/hosts/12kingdoms-shoukei/apple-set-os-loader.nix deleted file mode 100644 index ceaff3b3..00000000 
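Review bot: `lib` is not declared in the new argument set `{pkgs, ...}`, so `lib.optionals` only evaluates because `with pkgs;` makes `pkgs.lib` visible — an implicit dependency on `with` scoping rather than an explicit module input. Prefer `{lib, pkgs, ...}: { home.packages = lib.optionals pkgs.stdenv.hostPlatform.isx86_64 (with pkgs; [ joplin joplin-desktop ]); }`, which also avoids the deprecated `stdenv.isx86_64` shorthand.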
--- a/hosts/12kingdoms-shoukei/apple-set-os-loader.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: let - t2Cfg = config.hardware.myapple-t2; - efiPrefix = config.boot.loader.efi.efiSysMountPoint; - - apple-set-os-loader-installer = pkgs.stdenv.mkDerivation rec { - name = "apple-set-os-loader-installer-1.0"; - src = pkgs.fetchFromGitHub { - owner = "Redecorating"; - repo = "apple_set_os-loader"; - rev = "r33.9856dc4"; - sha256 = "hvwqfoF989PfDRrwU0BMi69nFjPeOmSaD6vR6jIRK2Y="; - }; - buildInputs = [pkgs.gnu-efi]; - buildPhase = '' - substituteInPlace Makefile --replace "/usr" '$(GNU_EFI)' - export GNU_EFI=${pkgs.gnu-efi} - make - ''; - installPhase = '' - install -D bootx64_silent.efi $out/bootx64.efi - ''; - }; -in { - options = { - hardware.myapple-t2.enableAppleSetOsLoader = lib.mkOption { - default = false; - type = lib.types.bool; - description = "Whether to enable the appleSetOsLoader activation script."; - }; - }; - - config = { - # Activation script to install apple-set-os-loader in order to unlock the iGPU - system.activationScripts.myappleSetOsLoader = lib.optionalString t2Cfg.enableAppleSetOsLoader '' - if [[ -e ${efiPrefix}/efi/boot/bootx64_original.efi ]]; then - true # It's already installed, no action required - elif [[ -e ${efiPrefix}/efi/boot/bootx64.efi ]]; then - # Copy the new bootloader to a temporary location - cp ${apple-set-os-loader-installer}/bootx64.efi ${efiPrefix}/efi/boot/bootx64_temp.efi - - # Rename the original bootloader - mv ${efiPrefix}/efi/boot/bootx64.efi ${efiPrefix}/efi/boot/bootx64_original.efi - - # Move the new bootloader to the final destination - mv ${efiPrefix}/efi/boot/bootx64_temp.efi ${efiPrefix}/efi/boot/bootx64.efi - else - echo "Error: ${efiPrefix}/efi/boot/bootx64.efi is missing" >&2 - fi - ''; - - # Enable the iGPU by default if present - environment.etc."modprobe.d/apple-gmux.conf".text = lib.optionalString t2Cfg.enableAppleSetOsLoader '' - options apple-gmux force_igd=y - ''; - }; -} 
diff --git a/hosts/12kingdoms-shoukei/brcm-firmware/default.nix b/hosts/12kingdoms-shoukei/brcm-firmware/default.nix deleted file mode 100644 index 8f09952b..00000000 --- a/hosts/12kingdoms-shoukei/brcm-firmware/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{pkgs, ...}: -pkgs.stdenvNoCC.mkDerivation { - name = "brcm-firmware"; - nativeBuildInputs = with pkgs; [gnutar xz]; - buildCommand = '' - dir="$out/lib/" - mkdir -p "$dir" - tar -axvf ${./firmware.tar.xz} -C "$dir" - ''; -} diff --git a/hosts/12kingdoms-shoukei/brcm-firmware/firmware.tar.xz b/hosts/12kingdoms-shoukei/brcm-firmware/firmware.tar.xz deleted file mode 100644 index f0b219d6..00000000 Binary files a/hosts/12kingdoms-shoukei/brcm-firmware/firmware.tar.xz and /dev/null differ diff --git a/hosts/12kingdoms-shoukei/brcm-firmware/flake.lock b/hosts/12kingdoms-shoukei/brcm-firmware/flake.lock deleted file mode 100644 index 6fff9dd3..00000000 --- a/hosts/12kingdoms-shoukei/brcm-firmware/flake.lock +++ /dev/null @@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1703068421, - "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/hosts/12kingdoms-shoukei/brcm-firmware/flake.nix b/hosts/12kingdoms-shoukei/brcm-firmware/flake.nix deleted file mode 100644 index 93fc4d86..00000000 --- a/hosts/12kingdoms-shoukei/brcm-firmware/flake.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - # a flake for testing - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; - outputs = {nixpkgs, ...}: let - system = "x86_64-linux"; - pkgs = import nixpkgs {inherit system;}; - in { - packages."${system}".default = pkgs.callPackage ./default.nix {}; - }; -} 
diff --git a/hosts/12kingdoms-shoukei/default.nix b/hosts/12kingdoms-shoukei/default.nix index 3e047a98..501d33a4 100644 --- a/hosts/12kingdoms-shoukei/default.nix +++ b/hosts/12kingdoms-shoukei/default.nix @@ -1,32 +1,20 @@ -{ - nixos-hardware, - myvars, - ... -}: +{myvars, ...}: ############################################################# # -# Shoukei - NixOS running on Macbook Pro 2020 I5 16G -# https://github.com/NixOS/nixos-hardware/tree/master/apple/t2 +# Shoukei - NixOS running on Macbook Pro 2022 M2 16G # ############################################################# let hostName = "shoukei"; # Define your hostname. in { imports = [ - nixos-hardware.nixosModules.apple-t2 - ./apple-set-os-loader.nix - {hardware.myapple-t2.enableAppleSetOsLoader = true;} - ./hardware-configuration.nix ../idols-ai/preservation.nix ]; - boot.kernelModules = ["kvm-amd"]; - boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu - networking = { inherit hostName; - inherit (myvars.networking) defaultGateway nameservers; + inherit (myvars.networking) nameservers; # configures the network interface(include wireless) via `nmcli` & `nmtui` networkmanager.enable = true; @@ -38,5 +26,5 @@ in { # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "25.05"; # Did you read the comment? + system.stateVersion = "25.11"; # Did you read the comment? } diff --git a/hosts/12kingdoms-shoukei/hardware-configuration.nix b/hosts/12kingdoms-shoukei/hardware-configuration.nix index 55ba80dc..5947a59d 100644 --- a/hosts/12kingdoms-shoukei/hardware-configuration.nix +++ b/hosts/12kingdoms-shoukei/hardware-configuration.nix 
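Review bot: `system.stateVersion` is bumped from `"25.05"` to `"25.11"` directly under the comment that says not to change it; that is only safe because the rest of the hunk shows this host being rebuilt from scratch on different hardware (the T2 Intel modules and `kvm-amd` settings are gone), so record that reason in place, e.g. `system.stateVersion = "25.11"; # fresh install on the M2 machine, not an upgrade of the Intel host`. Without the comment the next reader has to reconstruct from git history why this value moved.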
@@ -6,29 +6,36 @@ lib, pkgs, modulesPath, + nixos-apple-silicon, + my-asahi-firmware, ... -}: { +}: let + device = "/dev/disk/by-uuid/c2e8b249-240e-4eef-bf4e-81e7dbbf4887"; +in { imports = [ (modulesPath + "/installer/scan/not-detected.nix") + nixos-apple-silicon.nixosModules.default ]; - hardware.firmware = [ - (import ./brcm-firmware {inherit pkgs;}) - ]; + # Specify path to peripheral firmware files. + hardware.asahi.peripheralFirmwareDirectory = "${my-asahi-firmware}/macbook-pro-m2-a2338"; - boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; + networking.wireless.iwd = { + enable = true; + settings.General.EnableNetworkConfiguration = true; + }; - # Use the EFI boot loader. - boot.loader.efi.canTouchEfiVariables = true; + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = false; # depending on how you configured your disk mounts, change this to /boot or /boot/efi. boot.loader.efi.efiSysMountPoint = "/boot"; - boot.loader.systemd-boot.enable = true; - # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. - boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; + # For ` to < and ~ to > (for those with US keyboards) + # boot.extraModprobeConfig = '' + # options hid_apple iso_layout=0 + # ''; + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = lib.mkForce [ "ext4" 
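Review bot: `networking.wireless.iwd.settings.General.EnableNetworkConfiguration = true` lets iwd run its own DHCP client and write addresses and routes, while `networking.networkmanager.enable = true` in this host's default.nix does the same job, so both daemons will try to configure `wlan0`. If NetworkManager is meant to stay the front end, point it at iwd and leave address configuration to it: `networking.networkmanager.wifi.backend = "iwd";` and drop the `EnableNetworkConfiguration` line (keep `iwd.enable = true`); otherwise disable NetworkManager on this host. The `nixos-apple-silicon` module imported here may set iwd options of its own, which is worth checking before deciding which side owns the interface. `boot.supportedFilesystems` continues past the end of the hunk.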
@@ -45,7 +52,7 @@ boot.initrd = { # unlocked luks devices via a keyfile or prompt a passphrase. luks.devices."crypted-nixos" = { - device = "/dev/nvme0n1p4"; + device = "/dev/disk/by-uuid/1c37820e-2501-46e4-bec4-27c28691a5b4"; # the keyfile(or device partition) that should be used as the decryption key for the encrypted device. # if not specified, you will be prompted for a passphrase instead. #keyFile = "/root-part.key"; 
@@ -60,51 +67,77 @@ }; }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/01CE-1DFD"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + # equal to `mount -t tmpfs tmpfs /` fileSystems."/" = { device = "tmpfs"; fsType = "tmpfs"; # set mode to 755, otherwise systemd will set it to 777, which cause problems. # relatime: Update inode access times relative to modify or change time. - options = ["relatime" "mode=755"]; - }; - - fileSystems."/boot" = { - device = "/dev/nvme0n1p1"; - fsType = "vfat"; + options = [ + "relatime" + "mode=755" + ]; }; fileSystems."/nix" = { - device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + inherit device; fsType = "btrfs"; - options = ["subvol=@nix" "noatime" "compress-force=zstd:1"]; + options = [ + "subvol=@nix" + "noatime" + "compress-force=zstd:1" + ]; }; fileSystems."/tmp" = { - device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + inherit device; fsType = "btrfs"; - options = ["subvol=@tmp" "noatime" "compress-force=zstd:1"]; + options = [ + "subvol=@tmp" + "noatime" + "compress-force=zstd:1" + ]; }; fileSystems."/persistent" = { - device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + inherit device; fsType = "btrfs"; - options = ["subvol=@persistent" "noatime" "compress-force=zstd:1"]; + options = [ + "subvol=@persistent" + "noatime" + "compress-force=zstd:1" + ]; # preservation's data is required for booting. neededForBoot = true; }; fileSystems."/snapshots" = { - device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + inherit device; fsType = "btrfs"; - options = ["subvol=@snapshots" "noatime" "compress-force=zstd:1"]; + options = [ + "subvol=@snapshots" + "noatime" + "compress-force=zstd:1" + ]; }; # mount swap subvolume in readonly mode. 
fileSystems."/swap" = { - device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + inherit device; fsType = "btrfs"; - options = ["subvol=@swap" "ro"]; + options = [ + "subvol=@swap" + "ro" + ]; }; # remount swapfile in read-write mode @@ -114,7 +147,10 @@ device = "/swap/swapfile"; fsType = "none"; - options = ["bind" "rw"]; + options = [ + "bind" + "rw" + ]; }; swapDevices = [ @@ -126,9 +162,7 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp230s0f1u1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp229s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } diff --git a/hosts/12kingdoms-shoukei/home.nix b/hosts/12kingdoms-shoukei/home.nix index 78cb4ced..6c0d604f 100644 --- a/hosts/12kingdoms-shoukei/home.nix +++ b/hosts/12kingdoms-shoukei/home.nix 
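Review bot: The new `/boot` mount uses `fmask=0022`/`dmask=0022`, which leaves the ESP world-readable, so any local user can read the kernel, the initrd and systemd-boot's `loader/random-seed`; nixos-generate-config now emits `0077` for exactly this reason and `bootctl status` flags a world-accessible seed mount as a security hole. Change the two options to `"fmask=0077"` and `"dmask=0077"`; nothing unprivileged needs to read the ESP on a single-user laptop. Switching the btrfs mounts to `inherit device` with a by-uuid path is a clear improvement over the old `/dev/nvme0n1pN` names.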
@@ -1,17 +1,15 @@ -{config, ...}: let +{ config, ... }: +let hostName = "shoukei"; # Define your hostname. -in { +in +{ modules.desktop.hyprland = { nvidia = false; - settings = { - # Configure your Display resolution, offset, scale and Monitors here, use `hyprctl monitors` to get the info. - # highres: get the best possible resolution - # auto: position automatically - # 1.5: scale to 1.5 times - # bitdepth,10: enable 10 bit support - monitor = "eDP-1,highres,auto,1.5,bitdepth,10"; - }; + settings.source = [ + "${config.home.homeDirectory}/nix-config/hosts/12kingdoms-shoukei/hypr-hardware.conf" + ]; }; - programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}"; + programs.ssh.matchBlocks."github.com".identityFile = + "${config.home.homeDirectory}/.ssh/${hostName}"; } diff --git a/hosts/12kingdoms-shoukei/hypr-hardware.conf b/hosts/12kingdoms-shoukei/hypr-hardware.conf new file mode 100644 index 00000000..6b92a70e --- /dev/null +++ b/hosts/12kingdoms-shoukei/hypr-hardware.conf @@ -0,0 +1,9 @@ +# https://wiki.hyprland.org/Configuring/Monitors/ +# +# Configure your Display resolution, offset, scale and Monitors here, use `hyprctl monitors` to get the info. +# highres: get the best possible resolution +# auto: position automatically +# 1.25: scale to 1.25 times +# bitdepth,10: enable 10 bit support +monitor=eDP-1, highres@highrr, 0x0, 1.25, bitdepth,10 + diff --git a/hosts/darwin-harmonica/default.nix b/hosts/darwin-harmonica/default.nix deleted file mode 100644 index 550bcc2f..00000000 --- a/hosts/darwin-harmonica/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -_: -############################################################# -# -# Harmonica - MacBook Pro 2020 13-inch i5 16G, mainly for personal use -# -############################################################# -let - hostname = "harmonica"; -in { - networking.hostName = hostname; - networking.computerName = hostname; - system.defaults.smb.NetBIOSName = hostname; -} 
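Review bot: `settings.source` now points Hyprland at `~/nix-config/hosts/12kingdoms-shoukei/hypr-hardware.conf`, a file in the writable home directory rather than in the Nix store, so the running compositor config no longer matches what the generation was built from and anything able to write that path (a Hyprland config can run commands through `exec`/`bind`) changes it without a rebuild; it also hard-codes the checkout living at `~/nix-config`. If live editing is not the goal, reference the file from the repo so it is copied into the store: `settings.source = [ "${./hypr-hardware.conf}" ];`; if it is, `config.lib.file.mkOutOfStoreSymlink` makes the out-of-store dependency explicit instead of a string path.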
diff --git a/hosts/darwin-harmonica/home.nix b/hosts/darwin-harmonica/home.nix deleted file mode 100644 index 87a13d7f..00000000 --- a/hosts/darwin-harmonica/home.nix +++ /dev/null @@ -1,2 +0,0 @@ -_: { -} diff --git a/hosts/idols-ai/preservation.nix b/hosts/idols-ai/preservation.nix index 7248c2ec..aa2b8a0f 100644 --- a/hosts/idols-ai/preservation.nix +++ b/hosts/idols-ai/preservation.nix @@ -72,6 +72,7 @@ in { "/var/lib/tailscale" "/var/lib/bluetooth" "/var/lib/NetworkManager" + "/var/lib/iwd" ]; files = [ # auto-generated machine ID diff --git a/modules/base/nix.nix b/modules/base/nix.nix index cdd58f01..82f32f0f 100644 --- a/modules/base/nix.nix +++ b/modules/base/nix.nix @@ -39,8 +39,4 @@ ]; builders-use-substitutes = true; }; - - nix.extraOptions = '' - !include ${config.age.secrets.nix-access-tokens.path} - ''; } diff --git a/modules/darwin/nix-core.nix b/modules/darwin/nix-core.nix index 0b12ea73..419ccaed 100644 --- a/modules/darwin/nix-core.nix +++ b/modules/darwin/nix-core.nix @@ -1,4 +1,4 @@ -{ +{config, ...}: { ################################################################################### # # Core configuration for nix-darwin @@ -24,4 +24,8 @@ nix.gc.automatic = false; system.stateVersion = 5; + + nix.extraOptions = '' + !include ${config.age.secrets.nix-access-tokens.path} + ''; } diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix index 12f5dad0..5e7c28e3 100644 --- a/modules/nixos/base/nix.nix +++ b/modules/nixos/base/nix.nix @@ -1,6 +1,6 @@ { + config, lib, - nixpkgs, ... }: { # to install chrome, you need to enable unfree packages @@ -18,4 +18,8 @@ nix.settings.auto-optimise-store = true; nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. + + nix.extraOptions = '' + !include ${config.age.secrets.nix-access-tokens.path} + ''; } diff --git a/modules/nixos/desktop/game/gamemode.nix b/modules/nixos/desktop/game/gamemode.nix index 8b3a524a..54908269 100644 
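Review bot: Persisting `/var/lib/iwd` is needed for the new iwd setup to remember networks across the tmpfs root, but that directory holds the saved WiFi passphrases as plaintext `*.psk` files, and the plain-string entry gives no way to pin its mode; if the preservation module creates it with its default `0755`/root permissions, the listing becomes readable by every local user. Use the attribute-set form so the mode is explicit: `{ directory = "/var/lib/iwd"; mode = "0700"; }`, which is what iwd itself keeps for its state directory. The `directories` list starts before this hunk.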
--- a/modules/nixos/desktop/game/gamemode.nix
+++ b/modules/nixos/desktop/game/gamemode.nix
@@ -37,7 +37,7 @@ in {
 # 2. For others, launching the game through gamemoderun: `gamemoderun ./game`
 # 3. For steam: `gamemoderun steam-runtime`
 programs.gamemode = {
- enable = true;
+ enable = pkgs.stdenv.isx86_64;
 settings = {
 general = {
 softrealtime = "auto";
diff --git a/modules/nixos/desktop/game/steam.nix b/modules/nixos/desktop/game/steam.nix
index 45d8b4d2..62d99099 100644
--- a/modules/nixos/desktop/game/steam.nix
+++ b/modules/nixos/desktop/game/steam.nix
@@ -8,7 +8,7 @@
 # ~/.local/share/Steam/steamapps/common - The default Game install location
 # ~/.steam/root - A symlink to ~/.local/share/Steam
 # ~/.steam - Some Symlinks & user info
- enable = true;
+ enable = pkgs.stdenv.isx86_64;
 # https://github.com/ValveSoftware/gamescope
 # enables features such as resolution upscaling and stretched aspect ratios (such as 4:3)
 gamescopeSession.enable = true;
diff --git a/modules/nixos/desktop/misc.nix b/modules/nixos/desktop/misc.nix
index 9c0dbe8e..0d46ae0c 100644
--- a/modules/nixos/desktop/misc.nix
+++ b/modules/nixos/desktop/misc.nix
@@ -10,7 +10,7 @@
 # add user's shell into /etc/shells
 environment.shells = with pkgs; [
 bashInteractive
- pkgs-unstable.nushell
+ nushell
 ];
 # set user's default shell system-wide
 users.defaultUserShell = pkgs.bashInteractive;
diff --git a/modules/nixos/desktop/remote-desktop/default.nix b/modules/nixos/desktop/remote-desktop/default.nix
index 3ab750cd..044e87a6 100644
--- a/modules/nixos/desktop/remote-desktop/default.nix
+++ b/modules/nixos/desktop/remote-desktop/default.nix
@@ -8,6 +8,5 @@
 environment.systemPackages = with pkgs; [
 waypipe
 moonlight-qt # moonlight client, for streaming games/desktop from a PC
- rustdesk # p2p remote desktop
 ];
 }
diff --git a/nixos-installer/.gitignore b/nixos-installer/.gitignore
index ef03e874..4bdc6300 100644
--- a/nixos-installer/.gitignore
+++ b/nixos-installer/.gitignore
@@ -1,2 +1,2 @@ -# generate lock file every time +# ignore flake.lock here, generate a new one every time install a new host flake.lock diff --git a/nixos-installer/README.md b/nixos-installer/README.md index 62f35647..8a41a00a 100644 --- a/nixos-installer/README.md +++ b/nixos-installer/README.md @@ -179,8 +179,8 @@ Filename Type Size Used Priority Clone this repository: ```bash -# enter an shell with git/vim/ssh-agent/gnumake available -nix-shell -p git vim gnumake +# enter an shell with git/vim/ssh-agent available +nix-shell -p git vim just # clone this repository git clone https://github.com/ryan4yin/nix-config.git @@ -211,7 +211,7 @@ nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose # if you want to use a cache mirror, run this command instead # replace the mirror url with your own -nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --verbose --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store" # install-2 +nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store https://cache.nixos.org/" # install-2 # enter into the installed system, check password & users # `su ryan` => `sudo -i` => enter ryan's password => successfully login diff --git a/nixos-installer/README.shoukei.md b/nixos-installer/README.shoukei.md index 4d003e7b..ffc582eb 100755 --- a/nixos-installer/README.shoukei.md +++ b/nixos-installer/README.shoukei.md 
@@ -4,67 +4,118 @@ > machine :exclamation: Please write your own configuration from scratch, and use my configuration > and documentation for reference only.** -> https://wiki.t2linux.org/distributions/nixos/installation/ - -> https://github.com/NixOS/nixos-hardware/tree/master/apple/t2 - This flake prepares a Nix environment for setting my desktop -[/hosts/12kingdoms_shoukei](/hosts/12kingdoms_shoukei)(in main flake) up on a new machine. +[/hosts/12kingdoms-shoukei](/hosts/12kingdoms-shoukei)(in main flake) up on a new machine. ## Steps to Deploying -First, create a USB install medium from Apple T2's NixOS installer image: -https://github.com/t2linux/nixos-t2-iso.git +### 1. Prepare & boot into the nixos installer -### 2. Connecting to the Internet +Just follow this Guide: -1. configure wifi: -2. copy wifi firmware to the NixOS installer: +- https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md + +### 2. Connect to WiFi & SSH + +If you have another machine, configure the new host through a SSH connection will be much +comfortable than using the raw terminal of the nixos installer. So after booting into the nixos +installer, let's configure WiFi in the installer using `iwctl` first: + +> This is copied from +> ```bash -sudo mkdir -p /lib -sudo tar -axvf ../hosts/12kingdoms_shoukei/brcm-firmware/firmware.tar.gz -C /lib/ -sudo modprobe -r brcmfmac && sudo modprobe brcmfmac - -# check whether the wifi firmware is loaded -dmesg | tail - -# now start wpa_supplicant -sudo systemctl start wpa_supplicant +nixos# iwctl +NetworkConfigurationEnabled: enabled +StateDirectory: /var/lib/iwd +Version: 2.4 +[iwd]# station wlan0 scan +[iwd]# station wlan0 connect +Type the network passphrase for psk. +Passphrase: +[iwd]# station wlan0 show +[...] 
+[iwd] exit ``` -connect to wifi via `wpa_cli`: +And then set a password for the `root` user: ```bash -wpa_cli -i wlan0 -> scan -> scan_results -# add a new network, this command returns a network ID, which is 0 in this case. -> add_network -# associate the network with the network ID we just got -# NOTE: the quotes are required! -> set_network 0 ssid "" -# for a WPA2 network, set the passphrase -# NOTE: the quotes are required! -> set_network 0 psk "xxx" -# enable the network -> enable_network 0 -# save the configuration file -> save_config -# show the status -> status +# Switch to root +[nixos@nixos:~]$ sudo su + +# Change the password +[root@nixos:~]# passwd +New password: +Retype new password: +passwd: password updated successfully + +# Get the IP address +[root@nixos:~]# ip addr show wlan0 +2: wlan0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 9c:3e:53:6e:ef:8d brd ff:ff:ff:ff:ff:ff + inet 192.168.5.13/24 brd 192.168.5.255 scope global dynamic noprefixroute wlan0 + +# Change default router(if need) +ip route del default via 192.168.5.1 +ip route add default via 192.168.5.178 ``` -### 2. Encrypting with LUKS(everything except ESP) +The nixos installer has sshd service enabled by default, so we can now connect to it via ssh +directly. + +### 3. Encrypting with LUKS(everything except ESP) Disk layout before installation: -1. `/dev/nvme0n1p1`: EFI system partition, 300MB, contains macOS's bootloader. -2. `/dev/nvme0n1p2`: macOS's root partition. -3. `/dev/nvme0n1p3`: transfer area, 10GB, used to transfer files between macOS and NixOS. -4. `/dev/nvme0n1p4`: Empty partition, used to install NixOS. 
+```bash +[root@nixos:~]# sudo parted /dev/nvme0n1 print free +Model: APPLE SSD AP0256Z (nvme) +Disk /dev/nvme0n1: 251GB +Sector size (logical/physical): 4096B/4096B +Partition Table: gpt +Disk Flags: -Now let's recreate the 4th partition via `fdisk`, and then encrypting the root partition: +Number Start End Size File system Name Flags + 1 24.6kB 524MB 524MB iBootSystemContainer + 2 524MB 66.2GB 65.7GB + 3 66.2GB 68.7GB 2500MB + 4 68.7GB 69.2GB 500MB fat32 boot, esp + 69.2GB 246GB 176GB Free Space + 5 246GB 251GB 5369MB RecoveryOSContainer +``` + +1. `/dev/nvme0n1p1`: "iBootSystemContainer" - system-wide boot data +2. `/dev/nvme0n1p2`: macOS's root partition. +3. `/dev/nvme0n1p4`: The EFI partition for NixOS. +4. `/dev/nvme0n1p5`: "RecoveryOSContainer" - System RecoveryOS + +Now let's recreate the root partition via `sgdisk`: + +```bash +# Create the root partition to fill up the free space +# --new=partnum:start:end - 0 means calculate it automatically +[root@nixos:~]# sgdisk /dev/nvme0n1 --new=0:0:0 --change-name=0:"NixOS rootfs" + +The operation has completed successfully. + +[root@nixos:~]# sudo parted /dev/nvme0n1 print free +Model: APPLE SSD AP0256Z (nvme) +Disk /dev/nvme0n1: 251GB +Sector size (logical/physical): 4096B/4096B +Partition Table: gpt +Disk Flags: + +Number Start End Size File system Name Flags + 1 24.6kB 524MB 524MB iBootSystemContainer + 2 524MB 66.2GB 65.7GB + 3 66.2GB 68.7GB 2500MB + 4 68.7GB 69.2GB 500MB fat32 boot, esp + 6 69.2GB 246GB 176GB NixOS rootfs + 5 246GB 251GB 5369MB RecoveryOSContainer +``` + +And then encrypting the new partition via LUKS: ```bash lsblk 
@@ -73,13 +124,13 @@ cryptsetup --help # NOTE: `cat shoukei.md | grep luks > format.sh` to generate this script # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition. -cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p4 +cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p6 # show status -cryptsetup luksDump /dev/nvme0n1p4 +cryptsetup luksDump /dev/nvme0n1p6 # open(unlock) the device with the passphrase you just set -cryptsetup luksOpen /dev/nvme0n1p4 crypted-nixos +cryptsetup luksOpen /dev/nvme0n1p6 crypted-nixos # show disk status lsblk @@ -88,9 +139,13 @@ lsblk Formatting the root partition: ```bash +# If btrfs is not included in the liveos, run this before formatting +nix-shell -p btrfs-progs + # NOTE: `cat shoukei.md | egrep "create-btrfs" > create-btrfs.sh` to generate this script # format the root partition with btrfs and label it -mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs +# set sectorsize to match the CPU page size +mkfs.btrfs --sectorsize 16384 -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs # mount the root partition and create subvolumes mount /dev/mapper/crypted-nixos /mnt # create-btrfs btrfs subvolume create /mnt/@nix # create-btrfs 
@@ -114,12 +169,13 @@ mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap # mount-1 mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent # mount-1 mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots # mount-1 -mount /dev/nvme0n1p1 /mnt/boot # mount-1 + +mount /dev/nvme0n1p4 /mnt/boot # mount-1 # create a swapfile on btrfs file system # This command will disable CoW / compression on the swap subvolume and then create a swapfile. # because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled. -btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount-1 +btrfs filesystem mkswapfile --size 16g --uuid clear /mnt/swap/swapfile # mount-1 # check whether the swap subvolume has CoW disabled # the output of `lsattr` for the swap subvolume should be: 
@@ -128,27 +184,37 @@ btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount- lsattr /mnt/swap # mount the swapfile as swap area -swapon /mnt/swap/swapfile # mount-1 +swapon /mnt/swap/swapfile --fixpgsz # mount-1 ``` Now, the disk status should be: ```bash # show disk status -$ lsblk -nvme0n1 259:0 0 1.8T 0 disk -├─nvme0n1p1 259:2 0 600M 0 part /mnt/boot -└─nvme0n1p4 259:3 0 1.8T 0 part - └─crypted-nixos 254:0 0 1.8T 0 crypt /mnt/swap +[nix-shell:~]# lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS +loop0 7:0 0 302.1M 1 loop /nix/.ro-store +sda 8:0 1 0B 0 disk +sdb 8:16 1 58.2G 0 disk /iso +nvme0n1 259:0 0 233.8G 0 disk +├─nvme0n1p1 259:1 0 500M 0 part +├─nvme0n1p2 259:2 0 61.2G 0 part +├─nvme0n1p3 259:3 0 2.3G 0 part +├─nvme0n1p4 259:4 0 477M 0 part /mnt/boot +├─nvme0n1p5 259:5 0 5G 0 part +└─nvme0n1p6 259:14 0 164.3G 0 part + └─crypted-nixos 252:0 0 164.3G 0 crypt /mnt/snapshots /mnt/persistent - /mnt/snapshots - /mnt/nix + /mnt/swap /mnt/tmp + /mnt/nix +nvme0n2 259:6 0 3M 0 disk +nvme0n3 259:7 0 128M 0 disk # show swap status -$ swapon -s -Filename Type Size Used Priority -/swap/swapfile file 100663292 0 -2 +[nix-shell:~]# swapon -s +Filename Type Size Used Priority +/mnt/swap/swapfile file 16777200 0 -2 ``` ### 3. Generating the NixOS Configuration and Installing NixOS @@ -157,7 +223,7 @@ Clone this repository: ```bash # enter an shell with git/vim/ssh-agent/gnumake available -nix-shell -p git vim gnumake +nix-shell -p git neovim --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store" # clone this repository git clone https://github.com/ryan4yin/nix-config.git 
@@ -171,13 +237,13 @@ nixos-generate-config --root /mnt # we need to update our filesystem configs in old hardware-configuration.nix according to the generated one. cp /etc/nixos/hardware-configuration.nix ./nix-config/hosts/12kingdoms_shoukei/hardware-configuration-new.nix -vim . +vim ./nix-config ``` Then, Install NixOS: ```bash -cd ~/nix-config/hosts/12kingdoms_shoukei/nixos-installer/ +cd ~/nix-config/nixos-installer/ # run this command if you're retrying to run nixos-install rm -rf /mnt/etc @@ -188,7 +254,7 @@ nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --ve # if you want to use a cache mirror, run this command instead # replace the mirror url with your own -nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirror.ustc.edu.cn/nix-channels/store" # install-2 +nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store https://cache.nixos.org/" # install-2 # enter into the installed system, check password & users # `su ryan` => `sudo -i` => enter ryan's password => successfully login @@ -221,7 +287,7 @@ cp -r ../nix-config /mnt/etc/nixos # sync the disk, unmount the partitions, and close the encrypted device sync swapoff /mnt/swap/swapfile -umount -R /mnt +umount -R /mnt/{nix,tmp,swap,persistent,snapshots,boot} cryptsetup close /dev/mapper/crypted-nixos reboot ``` @@ -235,7 +301,7 @@ that the new machine can pull my private secrets repo: ```bash # 1. Generate a new SSH key with a strong passphrase -ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei +ssh-keygen -t ed25519 -a 256 -C "ryan@shoukei" -f ~/.ssh/shoukei # 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo. ssh-add ~/.ssh/shoukei ``` diff --git a/nixos-installer/configuration.nix b/nixos-installer/configuration.nix index 6ab67a8d..f435f11e 100644 
--- a/nixos-installer/configuration.nix +++ b/nixos-installer/configuration.nix @@ -16,7 +16,6 @@ networking = { # configures the network interface(include wireless) via `nmcli` & `nmtui` networkmanager.enable = true; - defaultGateway = "192.168.5.101"; }; - system.stateVersion = "25.05"; + system.stateVersion = "25.11"; } diff --git a/nixos-installer/flake.nix b/nixos-installer/flake.nix index 53d470fd..06fc9d94 100644 --- a/nixos-installer/flake.nix +++ b/nixos-installer/flake.nix @@ -4,25 +4,38 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; preservation.url = "github:nix-community/preservation"; - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nuenv.url = "github:DeterminateSystems/nuenv"; + + nixos-apple-silicon = { + url = "github:nix-community/nixos-apple-silicon/release-2025-05-30"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + my-asahi-firmware = { + url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1"; + flake = false; + }; }; outputs = inputs @ { nixpkgs, - nixos-hardware, - nuenv, + nixos-apple-silicon, + my-asahi-firmware, ... - }: { + }: let + inherit (inputs.nixpkgs) lib; + mylib = import ../lib {inherit lib;}; + myvars = import ../vars {inherit lib;}; + in { nixosConfigurations = { ai = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = inputs // { - myvars.username = "ryan"; - myvars.userfullname = "Ryan Yin"; + inherit mylib myvars; }; + modules = [ {networking.hostName = "ai";} @@ -31,7 +44,7 @@ ../modules/base ../modules/nixos/base/i18n.nix ../modules/nixos/base/user-group.nix - ../modules/nixos/base/networking.nix + ../modules/nixos/base/ssh.nix ../hosts/idols-ai/hardware-configuration.nix ../hosts/idols-ai/preservation.nix 
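Review bot: `system.stateVersion = "25.11";` is set while the installer flake's `nixpkgs.url` in the next hunk still pins `nixos-25.05`, so the state version now claims a release newer than the nixpkgs it evaluates against. `stateVersion` is meant to record the release a system was first installed with and is not supposed to be bumped ahead of it; either keep `system.stateVersion = "25.05";` here or move the nixpkgs input along with it. If the installed host takes its own stateVersion from the main flake this only affects the installer build, but the mismatch is still confusing. Dropping `defaultGateway` looks fine since `networkmanager.enable = true;` just above already manages routing.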
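Review bot: `my-asahi-firmware` is fetched with `url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1";` and no `rev`, and `nixos-apple-silicon` with a named ref (`release-2025-05-30`) rather than a commit, while the `nixos-installer/.gitignore` hunk earlier in this diff discards the installer's flake.lock on purpose; each fresh install therefore resolves both inputs to whatever the remote tip is at that moment, and the firmware blobs end up in the installed system with no pin to check against. Pinning by commit, e.g. `url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1&rev=<firmware-commit-sha>";` and `github:nix-community/nixos-apple-silicon/<commit-sha>`, keeps the unlocked installer reproducible and makes a changed firmware payload fail loudly instead of being picked up silently. The `inputs = {` set starts and ends inside the hunk; the `outputs` function continues past it.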
@@ -39,29 +52,22 @@ }; shoukei = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; + system = "aarch64-linux"; specialArgs = inputs // { - myvars.username = "ryan"; - myvars.userfullname = "Ryan Yin"; + inherit mylib myvars my-asahi-firmware; }; modules = [ - # Building on a USB installer is buggy, lack of disk space, memory, trublesome to setup substituteers, etc. - # so we disable apple-t2 module here to avoid build kernel during the initial installation, and enable it after the first boot. - # nixos-hardware.nixosModules.apple-t2 - ({pkgs, ...}: { - networking.hostName = "shoukei"; - boot.kernelPackages = pkgs.linuxPackages_latest; # Use latest kernel for the initial installation. - # hardware.apple-t2.enableAppleSetOsLoader = true; - }) + {networking.hostName = "shoukei";} + nixos-apple-silicon.nixosModules.default ./configuration.nix ../modules/base ../modules/nixos/base/i18n.nix ../modules/nixos/base/user-group.nix - ../modules/nixos/base/networking.nix + ../modules/nixos/base/ssh.nix ../hosts/12kingdoms-shoukei/hardware-configuration.nix ../hosts/idols-ai/preservation.nix diff --git a/outputs/aarch64-darwin/tests/home-manager/expected.nix b/outputs/aarch64-darwin/tests/home-manager/expected.nix index 50a9d707..0b160309 100644 --- a/outputs/aarch64-darwin/tests/home-manager/expected.nix +++ b/outputs/aarch64-darwin/tests/home-manager/expected.nix @@ -5,6 +5,7 @@ username = myvars.username; hosts = [ "fern" + "frieren" ]; in lib.genAttrs hosts (_: "/Users/${username}") diff --git a/outputs/aarch64-darwin/tests/home-manager/expr.nix b/outputs/aarch64-darwin/tests/home-manager/expr.nix index 0fa743ff..cf056984 100644 --- a/outputs/aarch64-darwin/tests/home-manager/expr.nix +++ b/outputs/aarch64-darwin/tests/home-manager/expr.nix @@ -6,6 +6,7 @@ username = myvars.username; hosts = [ "fern" + "frieren" ]; in lib.genAttrs diff --git a/outputs/aarch64-linux/default.nix b/outputs/aarch64-linux/default.nix new file mode 100644 index 00000000..92a0923a --- /dev/null 
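Review bot: `inherit mylib myvars my-asahi-firmware;` in the shoukei `specialArgs` re-exports an input that `inputs // { ... }` already carries, because `my-asahi-firmware` is destructured from the same `inputs @ { ... }` set in the previous hunk; `inherit mylib myvars;`, as in the `ai` configuration, is enough. The removed comment explained why the hardware module was left out during the initial installation, and `nixos-apple-silicon.nixosModules.default` is now applied at install time with no note on whether building it from the installer is expected to work or to come from a cache; a one-line comment above that module stating the expectation would save the next reader the same question. The `modules = [` list continues past the end of the hunk.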
+++ b/outputs/aarch64-linux/default.nix @@ -0,0 +1,37 @@ +{ + lib, + inputs, + ... +} @ args: let + inherit (inputs) haumea; + + # Contains all the flake outputs of this system architecture. + data = haumea.lib.load { + src = ./src; + inputs = args; + }; + # nix file names is redundant, so we remove it. + dataWithoutPaths = builtins.attrValues data; + + # Merge all the machine's data into a single attribute set. + outputs = { + nixosConfigurations = lib.attrsets.mergeAttrsList (map (it: it.nixosConfigurations or {}) dataWithoutPaths); + packages = lib.attrsets.mergeAttrsList (map (it: it.packages or {}) dataWithoutPaths); + # colmena contains some meta info, which need to be merged carefully. + colmenaMeta = { + nodeNixpkgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeNixpkgs or {}) dataWithoutPaths); + nodeSpecialArgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeSpecialArgs or {}) dataWithoutPaths); + }; + colmena = lib.attrsets.mergeAttrsList (map (it: it.colmena or {}) dataWithoutPaths); + }; +in + outputs + // { + inherit data; # for debugging purposes + + # NixOS's unit tests. + evalTests = haumea.lib.loadEvalTests { + src = ./tests; + inputs = args // {inherit outputs;}; + }; + } diff --git a/outputs/x86_64-linux/src/12kingdoms-shoukei.nix b/outputs/aarch64-linux/src/12kingdoms-shoukei.nix similarity index 87% rename from outputs/x86_64-linux/src/12kingdoms-shoukei.nix rename to outputs/aarch64-linux/src/12kingdoms-shoukei.nix index 1a277837..12f6102e 100644 --- a/outputs/x86_64-linux/src/12kingdoms-shoukei.nix +++ b/outputs/aarch64-linux/src/12kingdoms-shoukei.nix @@ -19,6 +19,10 @@ "modules/nixos/desktop.nix" # host specific "hosts/12kingdoms-${name}" + # nixos hardening + # "hardening/profiles/default.nix" + "hardening/nixpaks" + "hardening/bwraps" ]; home-modules = map mylib.relativeToRoot [ # common 
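Review bot: `# "hardening/profiles/default.nix"` is added already commented out, with no note on why the profile is disabled for this host while `"hardening/nixpaks"` and `"hardening/bwraps"` are enabled, so a reader cannot tell whether this is a temporary exclusion or a deliberate choice for the Apple Silicon host. A short reason on the same line, e.g. `# "hardening/profiles/default.nix" # disabled: <reason>`, or a TODO naming what blocks it, would make that explicit. The list these entries belong to starts above the hunk, so whether they pass through `mylib.relativeToRoot` like `home-modules` below cannot be confirmed here.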
@@ -35,6 +39,9 @@ modules.desktop.wayland.enable = true; modules.secrets.desktop.enable = true; modules.secrets.preservation.enable = true; + + # TODO: remove this option + nixpkgs.config.allowUnsupportedSstem = true; } ] ++ base-modules.nixos-modules; diff --git a/outputs/x86_64-darwin/tests/home-manager/expected.nix b/outputs/aarch64-linux/tests/home-manager/expected.nix similarity index 52% rename from outputs/x86_64-darwin/tests/home-manager/expected.nix rename to outputs/aarch64-linux/tests/home-manager/expected.nix index f569ef0d..5bd2dc02 100644 --- a/outputs/x86_64-darwin/tests/home-manager/expected.nix +++ b/outputs/aarch64-linux/tests/home-manager/expected.nix @@ -4,7 +4,7 @@ }: let username = myvars.username; hosts = [ - "harmonica" + "shoukei-hyprland" ]; in - lib.genAttrs hosts (_: "/Users/${username}") + lib.genAttrs hosts (_: "/home/${username}") diff --git a/outputs/aarch64-linux/tests/home-manager/expr.nix b/outputs/aarch64-linux/tests/home-manager/expr.nix new file mode 100644 index 00000000..8f8bf767 --- /dev/null +++ b/outputs/aarch64-linux/tests/home-manager/expr.nix @@ -0,0 +1,15 @@ +{ + myvars, + lib, + outputs, +}: let + username = myvars.username; + hosts = [ + "shoukei-hyprland" + ]; +in + lib.genAttrs + hosts + ( + name: outputs.nixosConfigurations.${name}.config.home-manager.users.${username}.home.homeDirectory + ) diff --git a/outputs/aarch64-linux/tests/hostname/expected.nix b/outputs/aarch64-linux/tests/hostname/expected.nix new file mode 100644 index 00000000..e86fb1bc --- /dev/null +++ b/outputs/aarch64-linux/tests/hostname/expected.nix 
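Review bot: `nixpkgs.config.allowUnsupportedSstem = true;` misspells `allowUnsupportedSystem`, and as far as I can tell nixpkgs' config module does not reject unknown attribute names, so this line is accepted silently and does nothing; any package that needed the override will still fail its platform check. The fix is `nixpkgs.config.allowUnsupportedSystem = true;`. Once spelled correctly it disables the platform check for every package in this host's nixpkgs, which is a broad guard to drop, so the accompanying `# TODO: remove this option` should name what forces it, e.g. `# TODO: remove once <package> lists aarch64-linux in meta.platforms`, so the override can be scoped to that package or retired. The module attribute set this line sits in begins above the hunk.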
@@ -0,0 +1,14 @@ +{ + lib, + outputs, +}: let + specialExpected = { + "shoukei-hyprland" = "shoukei"; + }; + specialHostNames = builtins.attrNames specialExpected; + + otherHosts = builtins.removeAttrs outputs.nixosConfigurations specialHostNames; + otherHostsNames = builtins.attrNames otherHosts; + # other hosts's hostName is the same as the nixosConfigurations name + otherExpected = lib.genAttrs otherHostsNames (name: name); +in (specialExpected // otherExpected) diff --git a/outputs/aarch64-linux/tests/hostname/expr.nix b/outputs/aarch64-linux/tests/hostname/expr.nix new file mode 100644 index 00000000..6f6c291a --- /dev/null +++ b/outputs/aarch64-linux/tests/hostname/expr.nix @@ -0,0 +1,9 @@ +{ + lib, + outputs, +}: +lib.genAttrs +(builtins.attrNames outputs.nixosConfigurations) +( + name: outputs.nixosConfigurations.${name}.config.networking.hostName +) diff --git a/outputs/aarch64-linux/tests/kernel/expected.nix b/outputs/aarch64-linux/tests/kernel/expected.nix new file mode 100644 index 00000000..2ebb9486 --- /dev/null +++ b/outputs/aarch64-linux/tests/kernel/expected.nix @@ -0,0 +1,8 @@ +{ + lib, + outputs, +}: let + hostsNames = builtins.attrNames outputs.nixosConfigurations; + expected = lib.genAttrs hostsNames (_: "aarch64-linux"); +in + expected diff --git a/outputs/aarch64-linux/tests/kernel/expr.nix b/outputs/aarch64-linux/tests/kernel/expr.nix new file mode 100644 index 00000000..478781b0 --- /dev/null +++ b/outputs/aarch64-linux/tests/kernel/expr.nix @@ -0,0 +1,9 @@ +{ + lib, + outputs, +}: +lib.genAttrs +(builtins.attrNames outputs.nixosConfigurations) +( + name: outputs.nixosConfigurations.${name}.config.boot.kernelPackages.kernel.system +) diff --git a/outputs/default.nix b/outputs/default.nix index b53272f8..f9c2984a 100644 --- a/outputs/default.nix +++ b/outputs/default.nix 
@@ -34,12 +34,11 @@ # modules for each supported system nixosSystems = { x86_64-linux = import ./x86_64-linux (args // {system = "x86_64-linux";}); - # aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";}); + aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";}); # riscv64-linux = import ./riscv64-linux (args // {system = "riscv64-linux";}); }; darwinSystems = { aarch64-darwin = import ./aarch64-darwin (args // {system = "aarch64-darwin";}); - x86_64-darwin = import ./x86_64-darwin (args // {system = "x86_64-darwin";}); }; allSystems = nixosSystems // darwinSystems; allSystemNames = builtins.attrNames allSystems; diff --git a/outputs/x86_64-darwin/default.nix b/outputs/x86_64-darwin/default.nix deleted file mode 100644 index be8ddae7..00000000 --- a/outputs/x86_64-darwin/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ - lib, - inputs, - ... -} @ args: let - inherit (inputs) haumea; - - # Contains all the flake outputs of this system architecture. - data = haumea.lib.load { - src = ./src; - inputs = args; - }; - # nix file names is redundant, so we remove it. - dataWithoutPaths = builtins.attrValues data; - - # Merge all the machine's data into a single attribute set. - outputs = { - darwinConfigurations = lib.attrsets.mergeAttrsList (map (it: it.darwinConfigurations or {}) dataWithoutPaths); - }; -in - outputs - // { - inherit data; # for debugging purposes - - # NixOS's unit tests. - evalTests = haumea.lib.loadEvalTests { - src = ./tests; - inputs = args // {inherit outputs;}; - }; - } diff --git a/outputs/x86_64-darwin/src/harnomica.nix b/outputs/x86_64-darwin/src/harnomica.nix deleted file mode 100644 index 551af524..00000000 --- a/outputs/x86_64-darwin/src/harnomica.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - # NOTE: the args not used in this file CAN NOT be removed! - # because haumea pass argument lazily, - # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc. - inputs, - lib, - mylib, - myvars, - system, - genSpecialArgs, - ... -} @ args: let - name = "harmonica"; - - modules = { - darwin-modules = - (map mylib.relativeToRoot [ - # common - "secrets/darwin.nix" - "modules/darwin" - # host specific - "hosts/darwin-${name}" - ]) - ++ []; - - home-modules = map mylib.relativeToRoot [ - "hosts/darwin-${name}/home.nix" - "home/darwin" - ]; - }; - - systemArgs = modules // args; -in { - # macOS's configuration - darwinConfigurations.${name} = mylib.macosSystem systemArgs; -} diff --git a/outputs/x86_64-darwin/tests/home-manager/expr.nix b/outputs/x86_64-darwin/tests/home-manager/expr.nix deleted file mode 100644 index bfc15e8d..00000000 --- a/outputs/x86_64-darwin/tests/home-manager/expr.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - myvars, - lib, - outputs, -}: let - username = myvars.username; - hosts = [ - "harmonica" - ]; -in - lib.genAttrs - hosts - ( - name: outputs.darwinConfigurations.${name}.config.home-manager.users.${username}.home.homeDirectory - ) diff --git a/outputs/x86_64-darwin/tests/hostname/expected.nix b/outputs/x86_64-darwin/tests/hostname/expected.nix deleted file mode 100644 index 83f0a9b9..00000000 --- a/outputs/x86_64-darwin/tests/hostname/expected.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - outputs, -}: let - hostsNames = builtins.attrNames outputs.darwinConfigurations; - expected = lib.genAttrs hostsNames (name: name); -in - expected diff --git a/outputs/x86_64-darwin/tests/hostname/expr.nix b/outputs/x86_64-darwin/tests/hostname/expr.nix deleted file mode 100644 index 78f05d28..00000000 --- a/outputs/x86_64-darwin/tests/hostname/expr.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - lib, - outputs, -}: -lib.genAttrs -(builtins.attrNames outputs.darwinConfigurations) -( - name: outputs.darwinConfigurations.${name}.config.networking.hostName -) diff --git a/outputs/x86_64-linux/tests/home-manager/expected.nix b/outputs/x86_64-linux/tests/home-manager/expected.nix index 171d32e4..0da59c4e 100644 --- a/outputs/x86_64-linux/tests/home-manager/expected.nix +++ b/outputs/x86_64-linux/tests/home-manager/expected.nix @@ -5,7 +5,6 @@ username = myvars.username; hosts = [ "ai-hyprland" - "shoukei-hyprland" "ruby" "k3s-prod-1-master-1" ]; diff --git a/outputs/x86_64-linux/tests/home-manager/expr.nix b/outputs/x86_64-linux/tests/home-manager/expr.nix index 8a5f526b..416544a9 100644 --- a/outputs/x86_64-linux/tests/home-manager/expr.nix +++ b/outputs/x86_64-linux/tests/home-manager/expr.nix @@ -6,7 +6,6 @@ username = myvars.username; hosts = [ "ai-hyprland" - "shoukei-hyprland" "ruby" "k3s-prod-1-master-1" ]; diff --git a/outputs/x86_64-linux/tests/hostname/expected.nix b/outputs/x86_64-linux/tests/hostname/expected.nix index b92547ae..28300f28 100644 --- a/outputs/x86_64-linux/tests/hostname/expected.nix +++ b/outputs/x86_64-linux/tests/hostname/expected.nix @@ -4,7 +4,6 @@ }: let specialExpected = { "ai-hyprland" = "ai"; - "shoukei-hyprland" = "shoukei"; }; specialHostNames = builtins.attrNames specialExpected; diff --git a/secrets/README.md b/secrets/README.md index bc28f589..5f1004e7 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -56,7 +56,6 @@ let # If you do not have this file, you can generate all the host keys by command: # sudo ssh-keygen -A idol_ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHZtzeaQyXwuRMLzoOAuTu8P9bu5yc5MBwo5LI3iWBV root@ai"; - fern = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMokXUYcUy7tysH4tRR6pevFjyOP4cXMjpBSgBZggm9X root@fern"; # A key for recovery purpose, generated by `ssh-keygen -t ed25519 -a 256 -C "ryan@agenix-recovery"` with a strong passphrase # and keeped it offline in a safe place. 
diff --git a/templates/bevy/flake.nix b/templates/bevy/flake.nix index ab9058b7..92f25ee0 100644 --- a/templates/bevy/flake.nix +++ b/templates/bevy/flake.nix @@ -18,7 +18,6 @@ systems = [ "x86_64-linux" "aarch64-linux" - "x86_64-darwin" "aarch64-darwin" ]; # Helper function to generate a set of attributes for each system diff --git a/vars/default.nix b/vars/default.nix index 1f4a593a..e02ade3e 100644 --- a/vars/default.nix +++ b/vars/default.nix @@ -13,13 +13,12 @@ # ```bash # # KDF: bcrypt with 256 rounds, takes 2s on Apple M2): # # Passphrase: digits + letters + symbols, 12+ chars - # ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx` + # ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx # ``` # 2. Never leave the device and never sent over the network. # 2. Or just use hardware security keys like Yubikey/CanoKey. mainSshAuthorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIznBmtZlMcVUL+uPFltLTNa8Y1J0aT1E36AXQV07su ryan@fern" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc1PNTXzzvd93E+e9LXvnEzqgUI5gMTEF/IitvzgmL+ ryan@frieren" ]; secondaryAuthorizedKeys = [
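Review bot: Removing the `ryan@fern` entry from `mainSshAuthorizedKeys` only stops future deployments from authorizing that key; hosts built before this change keep it in their `authorized_keys` until they are rebuilt, and anything outside this repo that trusts it is unaffected. If the fern keys are also agenix recipients, as the host-key removal in the `secrets/README.md` hunk and the `agenix-recovery` comment there suggest, the encrypted secrets should be re-keyed so the retired key can no longer decrypt them. A comment on the list recording the retirement, e.g. `# fern retired <date>; key removed and secrets re-keyed`, would keep that state visible. The `mainSshAuthorizedKeys` list opens and closes within the hunk; `secondaryAuthorizedKeys = [` at the end continues past it.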