refactor: hosts

Ryan Yin
2024-01-21 15:16:39 +08:00
parent 489f82f24b
commit a76daab3ce
32 changed files with 34 additions and 34 deletions

hosts/idols_ai/README.md Normal file

@@ -0,0 +1,81 @@
# Host - AI
Related:
- [/nixos-installer/README.md](/nixos-installer/README.md)
## Info
disk status & mountpoints:
```bash
df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 1.6G 0 1.6G 0% /dev
tmpfs tmpfs 16G 8.0K 16G 1% /dev/shm
tmpfs tmpfs 7.8G 7.9M 7.8G 1% /run
tmpfs tmpfs 16G 1.1M 16G 1% /run/wrappers
tmpfs tmpfs 16G 87M 16G 1% /
/dev/mapper/crypted-nixos btrfs 1.9T 630G 1.3T 34% /persistent
/dev/mapper/crypted-nixos btrfs 1.9T 630G 1.3T 34% /nix
tmpfs tmpfs 4.0M 0 4.0M 0% /sys/fs/cgroup
efivarfs efivarfs 256K 108K 144K 43% /sys/firmware/efi/efivars
/dev/mapper/crypted-nixos btrfs 1.9T 630G 1.3T 34% /snapshots
/dev/mapper/crypted-nixos btrfs 1.9T 630G 1.3T 34% /swap
/dev/nvme0n1p1 vfat 597M 108M 490M 19% /boot
tmpfs tmpfs 3.2G 48K 3.2G 1% /run/user/1000
//192.168.5.194/Downloads cifs 3.7T 3.0T 699G 82% /home/ryan/SMB-Downloads
tmpfs tmpfs 100K 0 100K 0% /var/lib/lxd/shmounts
tmpfs tmpfs 100K 0 100K 0% /var/lib/lxd/devlxd
/dev/mapper/crypted-nixos btrfs 1.9T 630G 1.3T 34% /tmp
~
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 253:0 0 15.6G 0 disk [SWAP]
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:2 0 598M 0 part /boot
└─nvme0n1p2 259:3 0 1.8T 0 part
└─crypted-nixos 254:0 0 1.8T 0 crypt /tmp
/swap/swapfile
/swap
/snapshots
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/codes
/home/ryan/Videos
/home/ryan/Pictures
/home/ryan/Music
/home/ryan/Downloads
/home/ryan/Documents
/home/ryan/.wakatime
/home/ryan/.ssh
/home/ryan/.pki
/home/ryan/.npm
/home/ryan/.mozilla
/home/ryan/.local/state
/home/ryan/.local/share
/home/ryan/.kube
/home/ryan/.gnupg
/home/ryan/.docker
/home/ryan/.config/remmina
/home/ryan/.config/pulse
/home/ryan/.config/google-chrome
/home/ryan/.config/github-copilot
/home/ryan/.config/freerdp
/home/ryan/.aws
/etc/ssh
/etc/secureboot
/etc/nix/inputs
/etc/agenix
/etc/NetworkManager/system-connections
/etc/machine-id
/home/ryan/.config/nushell/history.txt
/home/ryan/.wakatime.cfg
/nix/store
/var/log
/var/lib
/nix
/persistent
```


@@ -0,0 +1,14 @@
{
config,
username,
...
}: {
# mount a smb/cifs share
fileSystems."/home/${username}/SMB-Downloads" = {
device = "//192.168.5.194/Downloads";
fsType = "cifs";
options = [
"vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"
];
};
}
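Review bot: `file_mode=0755` on the share gives every file on it the execute bit and `dir_mode=0755` lets every local uid read the mount, which is broader than a Downloads share needs; `"vers=3.0,uid=1000,gid=100,dir_mode=0750,file_mode=0640,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"` keeps it fully usable for uid 1000 while stopping other accounts from reading or executing whatever lands there. The `uid=1000`/`gid=100` pair is hard-coded even though the module takes `username`, so a comment saying the mount deliberately targets that numeric uid (or deriving it from `config.users.users.${username}.uid` where that is declared) would avoid a silently mis-owned mount later. SMB 3.0 as written negotiates signing but not transport encryption, so if this share ever crosses a segment you do not trust, add `seal` to the option string — that assumes the server supports SMB3 encryption, which is not visible here.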


@@ -0,0 +1,73 @@
#############################################################
#
# Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
#
#############################################################
{
imports = [
./cifs-mount.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
./impermanence.nix
./secureboot.nix
];
networking = {
hostName = "ai";
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
networkmanager.enable = true;
enableIPv6 = false; # disable ipv6
interfaces.enp5s0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "192.168.5.100";
prefixLength = 24;
}
];
};
defaultGateway = "192.168.5.201";
nameservers = [
"119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS
];
};
# conflict with feature: containerd-snapshotter
# virtualisation.docker.storageDriver = "btrfs";
# for Nvidia GPU
services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
hardware.nvidia = {
# Optionally, you may need to select the appropriate driver version for your specific GPU.
# package = config.boot.kernelPackages.nvidiaPackages.stable;
# required by most wayland compositors!
modesetting.enable = true;
powerManagement.enable = true;
};
virtualisation.docker.enableNvidia = true; # for nvidia-docker
hardware.opengl = {
enable = true;
# if hardware.opengl.driSupport is enabled, mesa is installed and provides Vulkan for supported hardware.
driSupport = true;
# needed by nvidia-docker
driSupport32Bit = true;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}
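Review bot: The proxy template `proxy.default = "http://user:password@proxy:port/"` invites inlining credentials, and anything assigned to `networking.proxy.default` is written into the world-readable `/nix/store` and the generated environment files, so the comment should steer the other way, e.g. `# proxy.default = "http://proxy:port/"; # never put credentials here: the value lands in the world-readable nix store`. The two `nameservers` entries are queried over plain UDP/TCP DNS, which is a reasonable LAN default, but if resolver privacy or integrity matters the NixOS-native route is `services.resolved` with DNS-over-TLS pointed at those same servers. `hardware.nvidia` leaves `package` commented out, so the driver version follows whatever `boot.kernelPackages` (xanmod, in hardware-configuration.nix) selects; a one-line comment recording that this pairing is intentional would save the next person a debugging session when a kernel bump breaks the module.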


@@ -0,0 +1,140 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
# Use the EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
boot.loader.efi.efiSysMountPoint = "/boot";
boot.loader.systemd-boot.enable = true;
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
boot.extraModulePackages = [];
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
# supported fil systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
"ntfs"
"fat"
"vfat"
"cifs" # mount windows share
];
boot.initrd = {
# unlocked luks devices via a keyfile or prompt a passphrase.
luks.devices."crypted-nixos" = {
# NOTE: DO NOT use device name here(like /dev/sda, /dev/nvme0n1p2, etc), use the UUID instead.
# https://github.com/ryan4yin/nix-config/issues/43
device = "/dev/disk/by-uuid/a21ca82a-9ee6-4e5c-9d3f-a93e84e4e0f4";
# the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
# if not specified, you will be prompted for a passphrase instead.
#keyFile = "/root-part.key";
# whether to allow TRIM requests to the underlying device.
# it's less secure, but faster.
allowDiscards = true;
};
};
# equal to `mount -t tmpfs tmpfs /`
fileSystems."/" = {
device = "tmpfs";
fsType = "tmpfs";
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
options = ["relatime" "mode=755"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
};
# for guix store, which use `/gnu/store` as its store directory.
fileSystems."/gnu" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@guix" "noatime" "compress-force=zstd:1"];
};
fileSystems."/persistent" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@persistent" "compress-force=zstd:1"];
# impermanence's data is required for booting.
neededForBoot = true;
};
fileSystems."/snapshots" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@snapshots" "compress-force=zstd:1"];
};
fileSystems."/tmp" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@tmp" "compress-force=zstd:1"];
};
# mount swap subvolume in readonly mode.
fileSystems."/swap" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@swap" "ro"];
};
# remount swapfile in read-write mode
fileSystems."/swap/swapfile" = {
# the swapfile is located in /swap subvolume, so we need to mount /swap first.
depends = ["/swap"];
device = "/swap/swapfile";
fsType = "none";
options = ["bind" "rw"];
};
fileSystems."/boot" = {
device = "/dev/nvme0n1p1";
fsType = "vfat";
};
swapDevices = [
{device = "/swap/swapfile";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
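Review bot: `fileSystems."/boot".device = "/dev/nvme0n1p1"` contradicts the NOTE in the luks block above (use UUIDs, never device names): if NVMe enumeration ever changes, the ESP is mounted from the wrong partition or the boot fails, and since lanzaboote in secureboot.nix writes the signed images there it should be `device = "/dev/disk/by-uuid/<ESP-UUID>"` like every other mount here (the UUID is not visible in this file; `lsblk -f` shows it). `/tmp` is a world-writable directory served from a persistent btrfs subvolume with only `subvol=@tmp` and compression; adding `"nosuid" "nodev"` to that options list — the same flags `boot.tmp.useTmpfs` applies to its tmpfs mount — keeps setuid binaries and device nodes dropped into /tmp from being usable. The `allowDiscards` comment is right as far as it goes; the concrete trade-off worth spelling out is that TRIM reveals which blocks of the LUKS volume are unused, so filesystem type and fill level become visible on the raw device, which is usually acceptable for a single-user workstation.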

hosts/idols_ai/home.nix Normal file

@@ -0,0 +1,31 @@
{
modules.desktop = {
hyprland = {
nvidia = true;
settings = {
# Configure your Display resolution, offset, scale and Monitors here, use `hyprctl monitors` to get the info.
# highres: get the best possible resolution
# auto: postition automatically
# 1.5: scale to 1.5 times
# bitdepth,10: enable 10 bit support
monitor = "DP-2,highres,auto,1.5,bitdepth,10";
};
};
i3.nvidia = true;
};
modules.editors.emacs = {
enable = true;
};
programs.ssh = {
enable = true;
extraConfig = ''
Host github.com
# github is controlled by gluttony~
IdentityFile ~/.ssh/gluttony
# Specifies that ssh should only use the identity file explicitly configured above
# required to prevent sending default identity files first.
IdentitiesOnly yes
'';
};
}
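Review bot: The `Host github.com` stanza only matches that exact hostname, so a connection to `gist.github.com` (or the port-443 fallback `ssh.github.com`) falls outside it and ssh offers every default identity instead of only `~/.ssh/gluttony` — exactly the key exposure `IdentitiesOnly yes` is there to prevent; if those hosts are used, `Host github.com gist.github.com ssh.github.com` closes the gap. A short addition to the existing comment that `IdentitiesOnly` also suppresses other agent-held keys, so a renamed or missing `gluttony` file fails the push outright rather than falling back, would make the failure mode clear to whoever next edits this.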


@@ -0,0 +1,122 @@
{
impermanence,
pkgs,
...
}: {
imports = [
impermanence.nixosModules.impermanence
];
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# There are two ways to clear the root filesystem on every boot:
## 1. use tmpfs for /
## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
## boot.initrd.postDeviceCommands = ''
## mkdir -p /run/mymount
## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
## btrfs subvolume delete /run/mymount
## btrfs subvolume snapshot / /run/mymount
## '';
#
# See also https://grahamc.com/blog/erase-your-darlings/
# NOTE: impermanence only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem, you should
# move those files/directories to /persistent first!
environment.persistence."/persistent" = {
# sets the mount option x-gvfs-hide on all the bind mounts
# to hide them from the file manager
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
# created by modules/nixos/misc/fhs-fonts.nix
# for flatpak apps
# "/usr/share/fonts"
# "/usr/share/icons"
];
files = [
"/etc/machine-id"
];
# the following directories will be passed to /persistent/home/$USER
users.ryan = {
directories = [
"codes"
"nix-config"
"tmp"
"Downloads"
"Music"
"Pictures"
"Documents"
"Videos"
{
directory = ".gnupg";
mode = "0700";
}
{
directory = ".ssh";
mode = "0700";
}
{
directory = ".aws";
mode = "0700";
}
{
directory = ".docker";
mode = "0700";
}
{
directory = ".kube";
mode = "0700";
}
# misc
".config/pulse"
".pki"
# remote desktop
".config/remmina"
".config/freerdp"
# doom-emacs
".config/emacs"
"org" # org files
# browsers
".mozilla"
".config/google-chrome"
# neovim / remmina / flatpak / ...
".local/share"
".local/state"
# language package managers
".npm"
"go"
# neovim plugins(wakatime & copilot)
".wakatime"
".config/github-copilot"
];
files = [
".wakatime.cfg"
".config/nushell/history.txt"
];
};
};
}
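Review bot: Several persisted entries hold live credentials but get impermanence's default directory mode, unlike `.ssh`/`.gnupg`/`.aws`/`.docker`/`.kube`, which this same list gives `0700`: `.config/github-copilot` (the Copilot OAuth token), `.config/remmina` and `.config/freerdp` (saved remote-desktop logins), `.mozilla` and `.config/google-chrome` (cookies and stored passwords), and the `.wakatime.cfg` API key in `files`. Giving the directories the same treatment, e.g. `{ directory = ".config/github-copilot"; mode = "0700"; }`, keeps the persistent copies under `/persistent/home/ryan` from being readable by other local uids; whether that matters in practice depends on the mode of `/persistent/home/ryan` itself, which is created outside this file, and for `.wakatime.cfg` the resulting file mode should be checked by hand since the `files` entries carry no mode here. `/var/lib` is persisted wholesale, which is convenient but also keeps every service's state forever; a comment stating that this is deliberate (and that `/var/log` is retained for the audit trail) would help the next reader.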


@@ -0,0 +1,34 @@
{
pkgs,
lib,
lanzaboote,
...
}: {
# How to enter setup mode - msi motherboard
## 1. enter BIOS via [Del] Key
## 2. <Advance mode> => <Settings> => <Security> => <Secure Boot>
## 3. enable <Secure Boot>
## 4. set <Secure Boot Mode> to <Custom>
## 5. enter <Key Management>
## 6. select <Delete All Secure Boot Variables>, and then select <No> for <Reboot Without Saving>
## 7. Press F10 to saving and reboot.
imports = [
lanzaboote.nixosModules.lanzaboote
];
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}
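Review bot: `pkiBundle = "/etc/secureboot"` holds the PK/KEK/db private keys that sign every boot image, and the BIOS walkthrough in the comment ends with the firmware trusting only those custom keys — but it never sets a firmware administrator password, so anyone with physical access can repeat steps 1–7, wipe the variables and boot unsigned media, which undoes the protection entirely. Suggested addition to the comment block: `## 8. set an Administrator password under <Security> so Setup Mode cannot be re-entered without it`. The key bundle lives on the LUKS-backed `/persistent` via impermanence.nix, which is a sensible location, but it still needs an offline backup since losing it means re-enrolling from scratch; and if `sbctl enroll-keys` was run without the Microsoft vendor certificates, option ROMs signed by the Microsoft UEFI CA (such as a discrete GPU's GOP) will be rejected, so the comment should record which way enrolment was done. Minor wording: `Press F10 to saving and reboot` → `Press F10 to save and reboot`.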