chore: Add base configuration.

2025-05-04 23:29:29 -04:00 · 2025-05-04 23:29:29 -04:00 · 612c7e2f16
commit 612c7e2f16
parent a92de43a60
18 changed files with 700 additions and 10 deletions
--- a/system/avahifixes.nix
+++ b/system/avahifixes.nix
@ -0,0 +1,17 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # local name resolution
+  services.avahi = {
+    enable = true;
+    openFirewall = true;
+    nssmdns4 = true;
+  };
+  system.nssModules = lib.optional true pkgs.nssmdns;
+  system.nssDatabases.hosts = lib.optionals true (pkgs.lib.mkMerge [
+    (lib.mkBefore ["mdns4_minimal [NOTFOUND=return]"]) # before resolution
+    (lib.mkAfter ["mdns4"]) # after dns
+  ]);
+}
--- a/system/disko.nix
+++ b/system/disko.nix
@ -0,0 +1,47 @@
+{device ? throw "Set this to your disk device, e.g. /dev/disk/by-id/...", ...}: {
+  disko.devices = {
+    disk = {
+      main = {
+        inherit device;
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              name = "ESP";
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            rootfs = {
+              size = "100%";
+              content = {
+                "/root" = {
+                  mountpoint = "/";
+                  # mountOptions = ["compress=zstd" "noatime"];
+                };
+                "/persist" = {
+                  mountpoint = "/persist";
+                  # mountOptions = ["compress=zstd" "subvol=persist" "noatime"];
+                  mountOptions = ["subvol=persist" "noatime"];
+                };
+                "/home" = {
+                  mountpoint = "/home";
+                  mountOptions = ["compress=zstd" "subvol=home" "noatime"];
+                };
+                "/nix" = {
+                  mountpoint = "/nix";
+                  mountOptions = ["compress=zstd" "subvol=nix" "noatime"];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/system/i18n.nix
+++ b/system/i18n.nix
@ -0,0 +1,4 @@
+{...}: {
+  time.timeZone = "America/Indiana/Indianapolis";
+  i18n.defaultLocale = "en_US.UTF-8";
+}
--- a/system/impermanence.nix
+++ b/system/impermanence.nix
@ -0,0 +1,45 @@
+{lib, ...}: {
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/nix".neededForBoot = true;
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    mkdir /btrfs_tmp
+    mount /dev/root_vg/root /btrfs_tmp
+    if [[ -e /btrfs_tmp/root ]]; then
+      mkdir -p /btrfs_tmp/old_roots
+      timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+      mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+      IFS=$'\n'
+      for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+        delete_subvolume_recursively "/btrfs_tmp/$i"
+      done
+      btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+      delete_subvolume_recursively "$i"
+    done
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+  '';
+  environment.persistence."/persist" = {
+    enable = true;
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/etc/nixos"
+      "/etc/NetworkManager"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      #"/var/lib/sops-nix/key.txt"
+    ];
+  };
+}
--- a/system/nix.nix
+++ b/system/nix.nix
@ -0,0 +1,52 @@
+{
+  lib,
+  config,
+  outputs,
+  inputs,
+  ...
+}: {
+  nixpkgs.config = {
+    allowUnfree = true;
+    allowUnfreePredicate = _: true;
+    cudaSupport = true;
+  };
+  nixpkgs.overlays = [
+    outputs.overlays.additions
+    outputs.overlays.modifications
+    outputs.overlays.unstable-packages
+  ];
+  nix = let
+    flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+  in {
+    settings = {
+      # Enable flakes and new 'nix' command
+      experimental-features = "nix-command flakes";
+      # Opinionated: disable global registry
+      flake-registry = "";
+      # Workaround for https://github.com/NixOS/nix/issues/9574
+      nix-path = config.nix.nixPath;
+      # allowUnfree = true;
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      keep-derivations = true;
+      keep-outputs = true;
+      trusted-users = ["root" "@wheel"];
+
+      substituters = [
+        "https://cache.nixos.org"
+        "https://nix-community.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+    # Opinionated: disable channels
+    channel.enable = false;
+
+    # Opinionated: make flake registry and nix path match flake inputs
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}
--- a/system/sops.nix
+++ b/system/sops.nix
@ -0,0 +1,12 @@
+{inputs, ...}: {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops.defaultSopsFile = "${../secrets/secrets.yaml}";
+  sops.validateSopsFiles = false;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";
+  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+  sops.age.generateKey = true;
+}
--- a/system/sshd.nix
+++ b/system/sshd.nix
@ -0,0 +1,12 @@
+{lib, ...}: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      UseDns = true;
+      X11Forwarding = false;
+    };
+  };
+}