feat: new host - shoukei

2026-04-25 10:18:37 +02:00 · 2023-12-24 00:36:20 +08:00
parent 73a746cebd
commit 03c1d14ed9
25 changed files with 869 additions and 197 deletions
--- a/hosts/12kingdoms/shoukei/brcm-firmware/default.nix
+++ b/hosts/12kingdoms/shoukei/brcm-firmware/default.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}:
+pkgs.stdenvNoCC.mkDerivation {
+  name = "brcm-firmware";
+  nativeBuildInputs = with pkgs; [gnutar xz];
+  buildCommand = ''
+    dir="$out/lib/"
+    mkdir -p "$dir"
+    tar -axvf ${./firmware.tar.xz} -C "$dir"
+  '';
+}
--- a/hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.xz
+++ b/hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.xz
--- a/hosts/12kingdoms/shoukei/brcm-firmware/flake.lock
+++ b/hosts/12kingdoms/shoukei/brcm-firmware/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1703068421,
+        "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/hosts/12kingdoms/shoukei/brcm-firmware/flake.nix
+++ b/hosts/12kingdoms/shoukei/brcm-firmware/flake.nix
@@ -0,0 +1,10 @@
+{
+  # a flake for testing
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+  outputs = {nixpkgs, ...}: let
+    system = "x86_64-linux";
+    pkgs = import nixpkgs {inherit system;};
+  in {
+    packages."${system}".default = pkgs.callPackage ./default.nix {};
+  };
+}
--- a/hosts/12kingdoms/shoukei/default.nix
+++ b/hosts/12kingdoms/shoukei/default.nix
@@ -0,0 +1,48 @@
+{
+  pkgs,
+  nixos-hardware,
+  ...
+} @ args:
+#############################################################
+#
+#  Shoukei - NixOS running on Macbook Pro 2020 I5 16G
+#   https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
+#
+#############################################################
+{
+  imports = [
+    nixos-hardware.nixosModules.apple-t2
+    {hardware.apple-t2.enableAppleSetOsLoader = true;}
+
+    ./hardware-configuration.nix
+    ./impermanence.nix
+  ];
+
+  networking = {
+    hostName = "shoukei"; # Define your hostname.
+    # configures the network interface(include wireless) via `nmcli` & `nmtui`
+    networkmanager.enable = true;
+
+    # Configure network proxy if necessary
+    # proxy.default = "http://user:password@proxy:port/";
+    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+    # Configure network proxy if necessary
+    # proxy.default = "http://user:password@proxy:port/";
+    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+    defaultGateway = "192.168.5.201";
+    nameservers = [
+      "119.29.29.29" # DNSPod
+      "223.5.5.5" # AliDNS
+    ];
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
--- a/hosts/12kingdoms/shoukei/hardware-configuration.nix
+++ b/hosts/12kingdoms/shoukei/hardware-configuration.nix
@@ -0,0 +1,130 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  hardware.firmware = [
+    (import ./brcm-firmware { inherit pkgs;})
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  # Use the EFI boot loader.
+  boot.loader.efi.canTouchEfiVariables = true;
+  # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.systemd-boot.enable = true;
+
+  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
+  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
+  # supported fil systems, so we can mount any removable disks with these filesystems
+  boot.supportedFilesystems = lib.mkForce [
+    "ext4"
+    "btrfs"
+    "xfs"
+    "ntfs"
+    "fat"
+    "vfat"
+    "cifs" # mount windows share
+  ];
+
+  # clear /tmp on boot to get a stateless /tmp directory.
+  boot.tmp.cleanOnBoot = true;
+  boot.initrd = {
+    # unlocked luks devices via a keyfile or prompt a passphrase.
+    luks.devices."crypted-nixos" = {
+      device = "/dev/nvme0n1p4";
+      # the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
+      # if not specified, you will be prompted for a passphrase instead.
+      #keyFile = "/root-part.key";
+
+      # whether to allow TRIM requests to the underlying device.
+      # it's less secure, but faster.
+      allowDiscards = true;
+    };
+  };
+
+  # equal to `mount -t tmpfs tmpfs /`
+  fileSystems."/" = {
+    device = "tmpfs";
+    fsType = "tmpfs";
+    # set mode to 755, otherwise systemd will set it to 777, which cause problems.
+    # relatime: Update inode access times relative to modify or change time.
+    options = ["relatime" "mode=755"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/nvme0n1p1";
+    fsType = "vfat";
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    fsType = "btrfs";
+    options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
+  };
+
+  fileSystems."/tmp" = {
+    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    fsType = "btrfs";
+    options = ["subvol=@tmp" "noatime" "compress-force=zstd:1"];
+  };
+
+  fileSystems."/persistent" = {
+    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    fsType = "btrfs";
+    options = ["subvol=@persistent" "noatime" "compress-force=zstd:1"];
+    # impermanence's data is required for booting.
+    neededForBoot = true;
+  };
+
+  fileSystems."/snapshots" = {
+    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    fsType = "btrfs";
+    options = ["subvol=@snapshots" "noatime" "compress-force=zstd:1"];
+  };
+
+  # mount swap subvolume in readonly mode.
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef";
+    fsType = "btrfs";
+    options = ["subvol=@swap" "ro"];
+  };
+
+  # remount swapfile in read-write mode
+  fileSystems."/swap/swapfile" = {
+    # the swapfile is located in /swap subvolume, so we need to mount /swap first.
+    depends = ["/swap"];
+
+    device = "/swap/swapfile";
+    fsType = "none";
+    options = ["bind" "rw"];
+  };
+
+  swapDevices = [
+    {device = "/swap/swapfile";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp230s0f1u1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp229s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/12kingdoms/shoukei/impermanence.nix
+++ b/hosts/12kingdoms/shoukei/impermanence.nix
@@ -0,0 +1,118 @@
+{
+  impermanence,
+  pkgs,
+  ...
+}: {
+  imports = [
+    impermanence.nixosModules.impermanence
+  ];
+
+  environment.systemPackages = [
+    # `sudo ncdu -x /`
+    pkgs.ncdu
+  ];
+
+  # There are two ways to clear the root filesystem on every boot:
+  ##  1. use tmpfs for /
+  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
+  ##     boot.initrd.postDeviceCommands = ''
+  ##       mkdir -p /run/mymount
+  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
+  ##       btrfs subvolume delete /run/mymount
+  ##       btrfs subvolume snapshot / /run/mymount
+  ##     '';
+  #
+  #  See also https://grahamc.com/blog/erase-your-darlings/
+
+  # NOTE: impermanence only mounts the directory/file list below to /persistent
+  # If the directory/file already exists in the root filesystem, you should
+  # move those files/directories to /persistent first!
+  environment.persistence."/persistent" = {
+    # sets the mount option x-gvfs-hide on all the bind mounts
+    # to hide them from the file manager
+    hideMounts = true;
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/etc/ssh"
+      "/etc/nix/inputs"
+      "/etc/secureboot" # lanzaboote - secure boot
+      # my secrets
+      "/etc/agenix/"
+
+      "/var/log"
+      "/var/lib"
+
+      # created by modules/nixos/misc/fhs-fonts.nix
+      # for flatpak apps
+      # "/usr/share/fonts"
+      # "/usr/share/icons"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+
+    # the following directories will be passed to /persistent/home/$USER
+    users.ryan = {
+      directories = [
+        "codes"
+        "nix-config"
+        "tmp"
+
+        "Downloads"
+        "Music"
+        "Pictures"
+        "Documents"
+        "Videos"
+
+        {
+          directory = ".gnupg";
+          mode = "0700";
+        }
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+        {
+          directory = ".aws";
+          mode = "0700";
+        }
+        {
+          directory = ".docker";
+          mode = "0700";
+        }
+        {
+          directory = ".kube";
+          mode = "0700";
+        }
+
+        # misc
+        ".config/pulse"
+        ".pki"
+
+        # remote desktop
+        ".config/remmina"
+        ".config/freerdp"
+
+        # browsers
+        ".mozilla"
+        ".config/google-chrome"
+
+        # neovim / remmina / flatpak / ...
+        ".local/share"
+        ".local/state"
+
+        # language package managers
+        ".npm"
+        "go"
+
+        # neovim plugins(wakatime & copilot)
+        ".wakatime"
+        ".config/github-copilot"
+      ];
+      files = [
+        ".wakatime.cfg"
+        ".config/nushell/history.txt"
+      ];
+    };
+  };
+}
--- a/hosts/12kingdoms/suzu/default.nix
+++ b/hosts/12kingdoms/suzu/default.nix
@@ -1,6 +1,4 @@
 {
-  config,
-  username,
  nixos-rk3588,
  ...
 }:
@@ -15,8 +13,6 @@
    nixos-rk3588.nixosModules.orangepi5
  ];

-  users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys;
-
  networking = {
    hostName = "suzu"; # Define your hostname.
    wireless.enable = false; # Enables wireless support via wpa_supplicant.