summaryrefslogtreecommitdiff
path: root/hosts/sif/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r--hosts/sif/default.nix305
1 files changed, 171 insertions, 134 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b90e7162..5ed4e05e 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,4 +1,4 @@
1{ flake, pkgs, customUtils, lib, config, path, ... }: 1{ flake, flakeInputs, pkgs, customUtils, lib, config, path, ... }:
2let 2let
3 mwnSubnetsPublic = 3 mwnSubnetsPublic =
4 [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16" 4 [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
@@ -13,8 +13,10 @@ in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail 15 ./mail
16 initrd-all-crypto-modules default-locale openssh rebuild-machines 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines
17 networkmanager 17 networkmanager
18 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
19 flakeInputs.impermanence.nixosModules.impermanence
18 ]; 20 ];
19 21
20 config = { 22 config = {
@@ -31,12 +33,12 @@ in {
31 boot = { 33 boot = {
32 initrd = { 34 initrd = {
33 systemd = { 35 systemd = {
34 enable = true; 36 enable = false;
35 emergencyAccess = config.users.users.root.hashedPassword; 37 emergencyAccess = config.users.users.root.hashedPassword;
36 }; 38 };
37 luks.devices = { 39 luks.devices = {
38 nvm0 = { device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; bypassWorkqueues = true; }; 40 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
39 nvm1 = { device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; bypassWorkqueues = true; }; 41 nvm1 = { device = "/dev/disk/by-uuid/2884e98d-5afd-4965-91c9-88ffb5ec58bc"; bypassWorkqueues = true; };
40 }; 42 };
41 availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; 43 availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
42 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; 44 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ];
@@ -59,7 +61,6 @@ in {
59 plymouth.enable = true; 61 plymouth.enable = true;
60 62
61 kernelPackages = pkgs.linuxPackages_latest; 63 kernelPackages = pkgs.linuxPackages_latest;
62 kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
63 extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; 64 extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
64 kernelModules = ["v4l2loopback"]; 65 kernelModules = ["v4l2loopback"];
65 kernelPatches = [ 66 kernelPatches = [
@@ -187,12 +188,10 @@ in {
187 # FirewallMark = 1; 188 # FirewallMark = 1;
188 }; 189 };
189 wireguardPeers = [ 190 wireguardPeers = [
190 { wireguardPeerConfig = { 191 { AllowedIPs = [ "10.200.116.1/32" "10.163.88.40/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
191 AllowedIPs = [ "10.200.116.1/32" "10.163.88.40/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic; 192 PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
192 PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI="; 193 PersistentKeepalive = 25;
193 PersistentKeepalive = 25; 194 Endpoint = "wg.math.lmu.de:51820";
194 Endpoint = "wg.math.lmu.de:51820";
195 };
196 } 195 }
197 ]; 196 ];
198 }; 197 };
@@ -211,43 +210,34 @@ in {
211 Name = "wgrz"; 210 Name = "wgrz";
212 }; 211 };
213 address = ["10.200.116.128/24"]; 212 address = ["10.200.116.128/24"];
214 routes = map (Destination: { routeConfig = { 213 routes = map (Destination: {
215 inherit Destination; 214 inherit Destination;
216 Gateway = "10.200.116.1"; 215 Gateway = "10.200.116.1";
217 GatewayOnLink = true; 216 GatewayOnLink = true;
218 Table = "wgrz"; 217 Table = "wgrz";
219 };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic ++ ["10.163.88.40/32"]); 218 }) (mwnSubnetsPrivate ++ mwnSubnetsPublic ++ ["10.163.88.40/32"]);
220 routingPolicyRules = [ 219 routingPolicyRules = [
221 { routingPolicyRuleConfig = { 220 { Table = "main";
222 Table = "main"; 221 # FirewallMark = 1;
223 # FirewallMark = 1; 222 To = "129.187.111.225";
224 To = "129.187.111.225"; 223 Priority = 100;
225 Priority = 100;
226 };
227 } 224 }
228 { routingPolicyRuleConfig = { 225 { Table = "main";
229 Table = "main"; 226 To = "10.153.91.204";
230 To = "10.153.91.204"; 227 Priority = 100;
231 Priority = 100;
232 };
233 } 228 }
234 { routingPolicyRuleConfig = { 229 { Table = "wgrz";
235 Table = "wgrz"; 230 From = "10.200.116.128";
236 From = "10.200.116.128"; 231 Priority = 200;
237 Priority = 200;
238 };
239 } 232 }
240 { routingPolicyRuleConfig = { 233 { Table = "wgrz";
241 Table = "wgrz"; 234 To = "10.163.88.40";
242 To = "10.163.88.40"; 235 Priority = 200;
243 Priority = 200;
244 };
245 } 236 }
246 ] ++ map (To: { routingPolicyRuleConfig = { 237 ] ++ map (To: { Table = "wgrz";
247 Table = "wgrz"; 238 inherit To;
248 inherit To; 239 Priority = 200;
249 Priority = 200; 240 }) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
250 };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
251 linkConfig = { 241 linkConfig = {
252 RequiredForOnline = false; 242 RequiredForOnline = false;
253 }; 243 };
@@ -328,7 +318,7 @@ in {
328 }; 318 };
329 319
330 environment.systemPackages = with pkgs; [ 320 environment.systemPackages = with pkgs; [
331 nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui uhk-agent 321 nvtopPackages.full brightnessctl config.boot.kernelPackages.v4l2loopback s-tui uhk-agent
332 ]; 322 ];
333 323
334 services = { 324 services = {
@@ -375,9 +365,27 @@ in {
375 xserver = { 365 xserver = {
376 enable = true; 366 enable = true;
377 367
378 layout = "us"; 368 xkb = {
379 xkbVariant = "dvp"; 369 layout = "us";
380 xkbOptions = "compose:caps"; 370 variant = "dvp";
371 options = "compose:caps";
372 };
373
374 wacom.enable = true;
375
376 dpi = 282;
377
378 videoDrivers = [ "nvidia" ];
379
380 screenSection = ''
381 Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
382 '';
383
384 deviceSection = ''
385 Option "TearFree" "True"
386 '';
387
388 exportConfiguration = true;
381 389
382 displayManager.lightdm = { 390 displayManager.lightdm = {
383 enable = true; 391 enable = true;
@@ -403,26 +411,21 @@ in {
403 ''; 411 '';
404 }; 412 };
405 }; 413 };
406
407 wacom.enable = true;
408 libinput.enable = true;
409
410 dpi = 282;
411
412 videoDrivers = [ "nvidia" ];
413
414 screenSection = ''
415 Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
416 '';
417
418 deviceSection = ''
419 Option "TearFree" "True"
420 '';
421
422 exportConfiguration = true;
423 }; 414 };
415 libinput.enable = true;
424 }; 416 };
425 417
418 systemd.tmpfiles.rules = [
419 "d /var/lib/lightdm/.cache/lightdm-gtk-greeter 1770 lightdm lightdm -"
420 "L /var/lib/lightdm/.cache/lightdm-gtk-greeter/state - - - - ${pkgs.writeText "state" ''
421 [greeter]
422 last-user=gkleen
423 last-session=none+xmonad
424 ''}"
425
426 "L /etc/localtime - - - - /.bcachefs/etc/localtime"
427 ];
428
426 users = { 429 users = {
427 users.gkleen.extraGroups = [ "media" "plugdev" "input" "rtkit" ]; 430 users.gkleen.extraGroups = [ "media" "plugdev" "input" "rtkit" ];
428 groups.media = {}; 431 groups.media = {};
@@ -438,72 +441,75 @@ in {
438 pulse.enable = true; 441 pulse.enable = true;
439 jack.enable = true; 442 jack.enable = true;
440 wireplumber.enable = true; 443 wireplumber.enable = true;
441 }; 444 extraConfig = {
442 environment.etc."pipewire/pipewire.conf.d/custom.conf".source = (pkgs.formats.json {}).generate "custom.conf" { 445 pipewire."10-custom" = {
443 "context.properties" = { 446 "context.properties" = {
444 "log.level" = 2; 447 "log.level" = 2;
445 "core.daemon" = true; 448 "core.daemon" = true;
446 "core.name" = "pipewire-0"; 449 "core.name" = "pipewire-0";
447 }; 450 "module.x11.bell" = false;
448 "context.modules" = [
449 {
450 name = "libpipewire-module-rtkit";
451 args = {
452 "nice.level" = -15;
453 "rt.prio" = 88;
454 "rt.time.soft" = 200000;
455 "rt.time.hard" = 200000;
456 }; 451 };
457 flags = [ "ifexists" "nofail" ]; 452 "context.modules" = [
458 } 453 {
459 # { name = "libpipewire-module-protocol-native"; } 454 name = "libpipewire-module-rtkit";
460 { name = "libpipewire-module-profiler"; } 455 args = {
461 # { name = "libpipewire-module-metadata"; } 456 "nice.level" = -15;
462 { name = "libpipewire-module-spa-device-factory"; } 457 "rt.prio" = 88;
463 { name = "libpipewire-module-spa-node-factory"; } 458 "rt.time.soft" = 200000;
464 # { name = "libpipewire-module-client-node"; } 459 "rt.time.hard" = 200000;
465 # { name = "libpipewire-module-client-device"; } 460 };
466 { 461 flags = [ "ifexists" "nofail" ];
467 name = "libpipewire-module-portal"; 462 }
468 flags = [ "ifexists" "nofail" ]; 463 # { name = "libpipewire-module-protocol-native"; }
469 } 464 { name = "libpipewire-module-profiler"; }
470 { 465 # { name = "libpipewire-module-metadata"; }
471 name = "libpipewire-module-access"; 466 { name = "libpipewire-module-spa-device-factory"; }
472 args = {}; 467 { name = "libpipewire-module-spa-node-factory"; }
473 } 468 # { name = "libpipewire-module-client-node"; }
474 { name = "libpipewire-module-adapter"; } 469 # { name = "libpipewire-module-client-device"; }
475 { name = "libpipewire-module-link-factory"; } 470 {
476 { name = "libpipewire-module-session-manager"; } 471 name = "libpipewire-module-portal";
477 ]; 472 flags = [ "ifexists" "nofail" ];
478 }; 473 }
479 environment.etc."pipewire/pipewire-pulse.conf.d/custom.conf".source = (pkgs.formats.json {}).generate "custom.conf" { 474 {
480 "context.properties" = { 475 name = "libpipewire-module-access";
481 "log.level" = 2; 476 args = {};
482 }; 477 }
483 "context.modules" = [ 478 { name = "libpipewire-module-adapter"; }
484 { 479 { name = "libpipewire-module-link-factory"; }
485 name = "libpipewire-module-rtkit"; 480 { name = "libpipewire-module-session-manager"; }
486 args = { 481 ];
487 "nice.level" = -15; 482 };
488 "rt.prio" = 88; 483 pipewire-pulse."10-custom" = {
489 "rt.time.soft" = 200000; 484 "context.properties" = {
490 "rt.time.hard" = 200000; 485 "log.level" = 2;
491 }; 486 };
492 flags = [ "ifexists" "nofail" ]; 487 "context.modules" = [
493 } 488 {
494 # { name = "libpipewire-module-protocol-native"; } 489 name = "libpipewire-module-rtkit";
495 # { name = "libpipewire-module-client-node"; } 490 args = {
496 { name = "libpipewire-module-adapter"; } 491 "nice.level" = -15;
497 # { name = "libpipewire-module-metadata"; } 492 "rt.prio" = 88;
498 # { 493 "rt.time.soft" = 200000;
499 # name = "libpipewire-module-protocol-pulse"; 494 "rt.time.hard" = 200000;
500 # args = { 495 };
501 # "server.address" = [ "unix:native" ]; 496 flags = [ "ifexists" "nofail" ];
502 # }; 497 }
503 # } 498 # { name = "libpipewire-module-protocol-native"; }
504 ]; 499 # { name = "libpipewire-module-client-node"; }
505 "stream.properties" = { 500 { name = "libpipewire-module-adapter"; }
506 "resample.quality" = 1; 501 # { name = "libpipewire-module-metadata"; }
502 # {
503 # name = "libpipewire-module-protocol-pulse";
504 # args = {
505 # "server.address" = [ "unix:native" ];
506 # };
507 # }
508 ];
509 "stream.properties" = {
510 "resample.quality" = 1;
511 };
512 };
507 }; 513 };
508 }; 514 };
509 515
@@ -531,14 +537,14 @@ in {
531 prime = { 537 prime = {
532 nvidiaBusId = "PCI:1:0:0"; 538 nvidiaBusId = "PCI:1:0:0";
533 intelBusId = "PCI:0:2:0"; 539 intelBusId = "PCI:0:2:0";
534 sync.enable = true; 540 reverseSync.enable = true;
535 }; 541 };
536 }; 542 };
537 543
538 opengl = { 544 graphics = {
539 enable = true; 545 enable = true;
540 driSupport32Bit = true; 546 enable32Bit = true;
541 setLdLibraryPath = true; 547 # setLdLibraryPath = true;
542 }; 548 };
543 549
544 firmware = [ pkgs.firmwareLinuxNonfree ]; 550 firmware = [ pkgs.firmwareLinuxNonfree ];
@@ -547,10 +553,13 @@ in {
547 nitrokey.enable = true; 553 nitrokey.enable = true;
548 }; 554 };
549 555
550 sound.enable = true; 556 # sound.enable = true;
551 557
552 nix = { 558 nix = {
553 settings.auto-optimise-store = true; 559 settings = {
560 auto-optimise-store = true;
561 max-jobs = 4;
562 };
554 daemonCPUSchedPolicy = "idle"; 563 daemonCPUSchedPolicy = "idle";
555 daemonIOSchedClass = "idle"; 564 daemonIOSchedClass = "idle";
556 565
@@ -564,6 +573,11 @@ in {
564 speedFactor = 4; 573 speedFactor = 4;
565 }; 574 };
566 }; 575 };
576 systemd.services."nix-daemon" = {
577 serviceConfig = {
578 CPUQuota = "400%";
579 };
580 };
567 581
568 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 582 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
569 583
@@ -621,7 +635,7 @@ in {
621 zramSwap = { 635 zramSwap = {
622 enable = true; 636 enable = true;
623 algorithm = "zstd"; 637 algorithm = "zstd";
624 writebackDevice = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; 638 writebackDevice = "/dev/disk/by-label/swap";
625 }; 639 };
626 640
627 services.pcscd.enable = true; 641 services.pcscd.enable = true;
@@ -633,7 +647,10 @@ in {
633 group = "users"; 647 group = "users";
634 }; 648 };
635 649
636 i18n.inputMethod.enabled = "ibus"; 650 i18n.inputMethod = {
651 enable = true;
652 type = "ibus";
653 };
637 654
638 environment.sessionVariables."GTK_USE_PORTAL" = "1"; 655 environment.sessionVariables."GTK_USE_PORTAL" = "1";
639 xdg.portal = { 656 xdg.portal = {
@@ -653,6 +670,26 @@ in {
653 in [ gtk-portal ]; 670 in [ gtk-portal ];
654 }; 671 };
655 672
656 system.stateVersion = "20.03"; 673 environment.persistence."/.bcachefs" = {
674 hideMounts = true;
675 directories = [
676 "/nix"
677 "/root"
678 "/var/log"
679 "/var/lib/sops-nix"
680 "/var/lib/nixos"
681 "/var/lib/systemd"
682 "/home"
683 "/var/lib/chrony"
684 "/var/lib/fprint"
685 "/var/lib/bluetooth"
686 "/etc/NetworkManager/system-connections"
687 ];
688 files = [
689 "/etc/localtime"
690 ];
691 };
692
693 system.stateVersion = "24.11";
657 }; 694 };
658} 695}
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-19 05:51:48 +0000