🌱 Initial configuration for Framework 16

2 years ago · 7fefebc5d1
commit 7fefebc5d1
3 changed files with 316 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -0,0 +1,135 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
+      ./disko.nix
+    ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "nix-f16"; # Define your hostname.
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Zurich";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+
+  # Enable the GNOME Desktop Environment.
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  services.xserver.libinput = {
+    enable = true;
+    touchpad.tapping = true;
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.chrigi = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    initialPassword = "password";
+    packages = with pkgs; [
+      firefox
+      tree
+    ];
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    #vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    neofetch
+    wget
+    curl
+    btop
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "23.11"; # Did you read the comment?
+  
+  nix = {
+    package = pkgs.nixFlakes;
+    extraOptions = "experimental-features = nix-command flakes";
+  };t
+
+}
+
--- a/disko.nix
+++ b/disko.nix
@ -0,0 +1,115 @@
+{
+  # https://github.com/nix-community/disko/blob/master/docs/quickstart.md
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme1n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "2G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              # start = "2G";
+              size = "2004G";
+              content = {
+                type = "luks";
+                name = "crypted_root";
+                settings = {
+                  allowDiscards = true;
+                  bypassWorkqueues = true;
+                  keyFile = "/tmp/yk/yk_mini.key";
+                };
+                additionalKeyFiles = [ "/tmp/yk/yk_the_big_one.key" "/tmp/yk/yk_on_key.key" "/tmp/yk/yk_round.key" ];
+                # https://github.com/sgillespie/nixos-yubikey-luks
+                extraFormatArgs = [ "--cipher=aes-xts-plain64" "--key-size=512" "--hash=sha512" ];
+                initrdUnlock = false; # we have to add it manually because of the yubikeys
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      # https://unix.stackexchange.com/questions/752741/what-is-the-mount-option-space-cache-v2
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                    "/var" = {
+                      mountpoint = "/var";
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                    "/docker-btrfs" = {
+                      mountpoint = "/var/lib/docker/btrfs";
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+      backup = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "40M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+              };
+            };
+            luks = {
+              size = "1024G";
+              content = {
+                type = "luks";
+                name = "crypted_backup";
+                
+                settings = {
+                  allowDiscards = true;
+                  bypassWorkqueues = true;
+                  keyFile = "/tmp/yk/yk_mini.key";
+                };
+                additionalKeyFiles = [ "/tmp/yk/yk_the_big_one.key" "/tmp/yk/yk_on_key.key" "/tmp/yk/yk_round.key" ];
+                extraFormatArgs = [ "--cipher=aes-xts-plain64" "--key-size=512" "--hash=sha512" ];
+                initrdUnlock = false; # we have to add it manually because of the yubikeys
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/backup" = {
+                      mountpoint = "/backup";
+                      mountOptions = [ "compress=zstd" "noatime" "space_cache=v2" "commit=120"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -0,0 +1,66 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd = {
+    kernelModules = ["vfat" "nls_cp437" "nls_iso8859-1" "usbhid"];
+  
+    luks = {
+      yubikeySupport = true;
+      reusePassphrases = true;
+      devices."crypted_root" = {
+        device = "/dev/disk/by-partlabel/disk-main-luks";
+      
+        yubikey = {
+          slot = 2;
+          twoFactor = true;
+          gracePeriod = 30;
+          keyLength = 64;
+          saltLength = 16;
+        
+          storage = {
+            device = "/dev/disk/by-partlabel/disk-main-ESP";
+            fsType = "vfat";
+            path = "/crypt-storage/default";
+          };
+        };
+      };
+      devices."crypted_backup" = {
+        device = "/dev/disk/by-partlabel/disk-backup-luks";
+      
+        yubikey = {
+          slot = 2;
+          twoFactor = true;
+          gracePeriod = 30;
+          keyLength = 64;
+          saltLength = 16;
+        
+          storage = {
+            device = "/dev/disk/by-partlabel/disk-backup-ESP";
+            fsType = "vfat";
+            path = "/crypt-storage/default";
+          };
+        };
+      };
+    };
+  };
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp196s0f3u1u4.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}