diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e9eea8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*~
+
+ secrets.nix
+
+ .DS_Store
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..207f03e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# nixos config for my twinkpad t495
+
+ dont bully me i know my config sucks
+
+ also i use flakes
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..deae75d
--- /dev/null
+++ b/configuration.nix
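Review bot: Ignoring `secrets.nix` does not give the flake a way to read it: `nixos-rebuild switch --flake .` evaluates the git tree, so an untracked `secrets.nix` imported from configuration.nix fails with a path-does-not-exist error (and force-adding it would defeat the ignore). It also would not keep the values private, since anything a NixOS module evaluates into options such as `environment.sessionVariables` ends up in the world-readable `/nix/store`. The commented-out `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`ATTIC_TOKEN` in configuration.nix therefore need a runtime secret store or a mode-0600 file sourced by the user's shell, not a gitignored Nix file. A one-line comment after `secrets.nix` such as `# not visible to flakes; runtime secrets must never be evaluated into the store` would record that for the next person who resolves the TODO.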
@@ -0,0 +1,412 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+# To rebuild/apply changes, run `sudo nixos-rebuild switch --flake .`
+# To update, run `nix flake update`
+
+{ config, pkgs, ... }:
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "strawberry"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ # You can disable this if you're only using the Wayland session.
+ # services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.displayManager.sddm.enable = true;
+ services.displayManager.sddm.wayland.enable = true;
+ services.desktopManager.plasma6.enable = true;
+
+ services.tailscale.enable = true;
+ # disable MagicDNS
+ services.tailscale.extraUpFlags = [ "--accept-dns=false" ];
+
+ services.nextdns.enable = true;
+ services.nextdns.arguments = [
+ "-cache-size=20MB"
+ "-profile=6ae877"
+ ];
+ services.fwupd.enable = true;
+ services.fstrim.enable = true;
+
+ # Configure keymap in X11
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+ # bluetooth audio improvements; i have sony xm4s
+ services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
+ "monitor.bluez.properties" = {
+ "bluez5.enable-sbc-xq" = true;
+ "bluez5.enable-msbc" = true;
+ "bluez5.enable-hw-volume" = true;
+ "bluez5.roles" = [ "hsp_hs" "hsp_ag" "hfp_hf" "hfp_ag" ];
+ };
+ };
+
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.adm-clementine = {
+ isNormalUser = true;
+ description = "June Clementine Strawberry";
+ extraGroups = [ "networkmanager" "wheel" "audio" "adbusers" ];
+ packages = with pkgs; [
+ kdePackages.kate
+ # thunderbird
+ ];
+ shell = pkgs.zsh;
+ };
+
+ environment.sessionVariables = rec {
+ RUSTC_WRAPPER = "sccache";
+ SCCACHE_BUCKET = "sccache";
+ SCCACHE_REGION = "garage";
+ SCCACHE_ENDPOINT = "https://sccache.s3.garage.kennel.girlcock.ceo";
+ SCCACHE_ALLOW_CORE_DUMPS = "true";
+ SCCACHE_S3_USE_SSL = "true";
+ SCCACHE_CACHE_MULTIARCH = "true";
+ SCCACHE_LOG = "warn";
+ AWS_DEFAULT_REGION = "garage";
+ AWS_ENDPOINT_URL = "https://s3.garage.kennel.girlcock.ceo";
+ ATTIC_ENDPOINT = "https://attic.kennel.juneis.dog/conduwuit";
+
+ # TODO: how to add these in here safely for committing to git
+ #AWS_ACCESS_KEY_ID = "";
+ #AWS_SECRET_ACCESS_KEY= "";
+ #ATTIC_TOKEN = "";
+
+ GOPATH = "$HOME/go";
+ LIBCLANG_PATH = "${pkgs.llvmPackages_19.libclang.lib}/lib";
+
+ XDG_CACHE_HOME = "$HOME/.cache";
+ XDG_CONFIG_HOME = "$HOME/.config";
+ XDG_DATA_HOME = "$HOME/.local/share";
+ XDG_STATE_HOME = "$HOME/.local/state";
+ # not official
+ XDG_BIN_HOME = "$HOME/.local/bin";
+ PATH = [
+ "${GOPATH}/bin"
+ "${XDG_BIN_HOME}"
+ ];
+ };
+
+ # Install firefox.
+ programs.firefox.enable = true;
+
+ # fuck
+ programs.thefuck.enable = true;
+
+ programs.kdeconnect.enable = true;
+
+ programs.git.enable = true;
+ programs.git.lfs.enable = true;
+ programs.git.prompt.enable = true;
+ programs.git.config = [
+ {
+ init = { defaultBranch = "main"; };
+ url = {
+ "https://github.com/" = {
+ insteadOf = [ "gh:" "github:" ];
+ };
+ };
+ global = { gpgsign = true; };
+ user = {
+ name = "June Clementine Strawberry";
+ email = "strawberry@puppygock.gay";
+ signingkey = "~/.ssh/id_ed25519";
+ };
+ core = { compression = 9; };
+ alias = {
+ # i use this for conduwuit so i can push to all my mirrors easily
+ pushall = "!git remote | grep -E 'origin' | xargs -L1 -P 0 git push";
+ fetchall = "!git remote | grep -E 'origin' | xargs -L1 -P 0 git fetch";
+ };
+
+ # no meme gpg pls
+ gpg.format = "ssh";
+ }
+ ];
+
+ programs.adb.enable = true;
+
+ # appimage support
+ programs.appimage = {
+ enable = true;
+ binfmt = true;
+ };
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ fonts = {
+ enableDefaultPackages = true;
+ packages = with pkgs; [
+ twitter-color-emoji
+ noto-fonts
+ noto-fonts-cjk-sans
+ noto-fonts-cjk-serif
+ corefonts
+
+ # woozy
+ monocraft
+ ];
+ };
+
+ nix = {
+ # awa
+ package = pkgs.lix;
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ substituters = [
+ "https://attic.kennel.juneis.dog/conduwuit"
+ "https://nix-community.cachix.org"
+ "https://aseipp-nix-cache.freetls.fastly.net"
+ "https://conduwuit.cachix.org"
+ "https://cache.lix.systems/"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+ "conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE="
+ "conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
+ # List packages installed in system profile. 
To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ p7zip
+ moreutils
+ git
+ pv
+ htop
+ nvme-cli
+ smartmontools
+ vscode
+ go
+ neovim
+ wget
+ curl
+ zip
+ unzip
+ signal-desktop
+ spotify
+ kitty
+ kitty-img
+ bitwarden-desktop
+ bitwarden-cli
+ ktailctl
+ nodejs_22
+ corepack_22
+ thunderbird
+ vesktop
+ hyfetch
+ fastfetch
+ nextdns
+ microcode-amd
+ nix-output-monitor
+ nix-fast-build
+ real_time_config_quick_scan
+ sccache
+ qbittorrent-enhanced
+ cargo-mommy # awoozy
+ bison
+ flex
+ fontforge
+ makeWrapper
+ pkg-config
+ pkgconf
+ libpkgconf
+ liburing
+ gcc14
+ gcc14Stdenv
+ libgcc
+ libiconv
+ clang_19
+ binutils
+ llvmPackages_19.libcxxClang
+ llvmPackages_19.libllvm
+ llvmPackages_19.stdenv
+ llvmPackages_19.libcxx
+ llvmPackages_19.libcxxStdenv
+ llvmPackages_19.compiler-rt
+ llvmPackages_19.clangUseLLVM
+ autoconf
+ automake
+ libtool
+ gnumake
+ awscli2
+ ];
+
+ programs.zsh = {
+ enable = true;
+ enableCompletion = true;
+ autosuggestions.enable = true;
+ syntaxHighlighting.enable = true;
+ vteIntegration = true;
+ histSize = 10000;
+
+ shellAliases = {
+ lix = "nix";
+ grep = "grep --color=auto";
+ ssh = "kitten ssh";
+ neofetch = "hyfetch";
+ cargo = "cargo-mommy"; # awoozy
+ };
+
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" "thefuck" "command-not-found" ];
+ theme = "alanpeabody";
+ };
+ };
+
+ programs.direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ enableZshIntegration = true;
+ };
+
+ # enable nix-ld so random binaries are more likely to work
+ programs.nix-ld.enable = true;
+ programs.nix-ld.libraries = with pkgs; [
+ # put libraries needed by random binaries you download here
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+
+ # we only accept ed25519 connections, so only make ed25519 hostkey
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+
+ settings = {
+ #
+ #
+ #
+ # Service class: af21 Low-latency data , af11 High-throughput data
+ IPQoS = "af21 af11";
+
+ # we only accept modern, ed25519 key, and ChaCha20/AES-256-GCM connections
+ # also AES-GCM and ChaCha20 are already inherently authenticated
+ Macs = [ "-*" ];
+ KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" ];
+ PubkeyAcceptedKeyTypes = "ssh-ed25519,sk-ssh-ed25519@openssh.com";
+ Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
+
+ PasswordAuthentication = false;
+ PermitEmptyPasswords = false;
+ AllowUsers = [ "adm-clementine" ];
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ nix.settings.allowed-users = [ "@wheel" ];
+ security.sudo.execWheelOnly = true;
+
+ services.udev.packages = [ pkgs.android-udev-rules ];
+
+ # when can we get a realtime-privileges package in nixos so i aint gotta do allat
+ security.pam.loginLimits = [
+ { domain = "@users"; item = "rtprio" ; type = "-" ; value = "1" ; }
+ { domain = "@audio"; item = "memlock"; type = "-" ; value = "unlimited"; }
+ { domain = "@audio"; item = "rtprio" ; type = "-" ; value = "99" ; }
+ { domain = "@audio"; item = "nofile" ; type = "soft"; value = "99999999" ; }
+ { domain = "@audio"; item = "nofile" ; type = "hard"; value = "99999999" ; }
+ ];
+ services.udev.extraRules = ''
+ KERNEL=="rtc0", GROUP="audio"
+ KERNEL=="hpet", GROUP="audio"
+ '';
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..bcd769c
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1734424634,
+ "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..815a952
--- /dev/null
+++ b/flake.nix
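Review bot: `services.openssh.enable = true` in this hunk leaves NixOS's default `services.openssh.openFirewall = true` in place, so sshd is reachable on every network this laptop joins, even though Tailscale is enabled earlier in the same file. Pairing `services.openssh.openFirewall = false;` with `networking.firewall.trustedInterfaces = [ "tailscale0" ];` keeps the key-only login reachable over the tailnet only (confirm the interface name on this host). `PermitRootLogin = "prohibit-password"` is dead config because `AllowUsers` lists only `adm-clementine`; `PermitRootLogin = "no";` states the intent and survives a later edit to `AllowUsers`. `Macs = [ "-*" ]` appears to work only because both entries in `Ciphers` are AEAD, so a comment such as `# empty MAC list is safe only while every cipher above is AEAD` on that line would stop a future cipher addition from producing a cipher that can never negotiate. `PubkeyAcceptedKeyTypes` is the deprecated spelling of `PubkeyAcceptedAlgorithms`; OpenSSH still accepts it, but the current name avoids a future warning.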
@@ -0,0 +1,11 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ outputs = inputs@{ self, nixpkgs, ... }: {
+ nixosConfigurations.strawberry = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./configuration.nix ];
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..ac180d4
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,164 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "ehci_pci"
+ "xhci_pci"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ # just in case, but my lsmod said these were loaded anyways
+ "aesni_intel"
+ "cryptd"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/a24c5ca6-aa90-4985-b598-28dd07b5f12e";
+ fsType = "ext4";
+ options = [
+ # asynchronously flushes commit blocks to disk without waiting for descriptor block to be written.
+ # improves i/o perf
+ #
+ # must use data=writeback or data=journal
+ #
+ # this will prevent this drive being mounted on ancient kernels.
+ "journal_async_commit"
+ # highest safety guarantees, and theoretically higher throughput
+ "data=writeback"
+ # im on a laptop so 5 -> 15 second commit is fine
+ "commit=15"
+ # forcefully fsync()'s file replacements if not done by the bad application
+ "auto_da_alloc"
+ # 64-bit inode version support
+ "i_version"
+ # journal checksumming for e2fsck recovery support
+ # internally enabled if using journal_async_commit
+ "journal_checksum"
+ ];
+ };
+
+ fileSystems."/nix/store" =
+ { device = "/dev/disk/by-uuid/a24c5ca6-aa90-4985-b598-28dd07b5f12e";
+ fsType = "ext4";
+ options = [
+ # bind mount because this is under / already
+ "bind"
+ # /nix/store is I/O heavy and doesn't need access times
+ "noatime"
+ # nix default
+ "ro"
+ # asynchronously flushes commit blocks to disk without waiting for descriptor block to be written.
+ # improves i/o perf
+ #
+ # must use data=writeback or data=journal
+ #
+ # this will prevent this drive being mounted on ancient kernels.
+ "journal_async_commit"
+ # highest safety guarantees, and theoretically higher throughput
+ "data=writeback"
+ # im on a laptop so 5 -> 15 second commit is fine
+ "commit=15"
+ # forcefully fsync()'s file replacements if not done by the bad application
+ "auto_da_alloc"
+ # 64-bit inode version support
+ "i_version"
+ # journal checksumming for e2fsck recovery support
+ # internally enabled if using journal_async_commit
+ "journal_checksum"
+ ];
+ };
+
+ boot.initrd.luks.devices."luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19" = {
+ device = "/dev/disk/by-uuid/9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19";
+
+ # work queues dont make sense for fast hardware like SSDs, plus these
+ # are sync/blocking ops in linux which introduces kernel-thread deadlocks
+ # under extreme I/O load.
+ #
+ # check if this applies using luksDump after reboot. idk why this config option didnt work for me.
+ # sudo cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --allow-discards --persistent refresh luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19
+ bypassWorkqueues = true;
+
+ # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
+ # on the physical SSD controller such as formatted FS type, amount of space used, etc.
+ # which *can* be of concern regarding forensics
+ allowDiscards = true;
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/24C8-CDA5";
+ fsType = "vfat";
+ options = [
+ # /boot doesn't need any of this
+ "noexec"
+ "nosuid"
+ "nodev"
+
+ # /boot doesnt need access times
+ "noatime"
+
+ # /boot is just used by root
+ "umask=0077"
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+
+ swapDevices = [{
+ device = "/dev/disk/by-partuuid/fc7bf131-5531-4673-a033-43bc892234e5";
+ # on modern linux >=5.6; urandom and random both use CSPRNGs, but random will wait/block
+ # for CSPRNG init. urandom will try to init at the time of use.
+ # beyond that, they both behave the same and just better atp to use random. 
ancient
+ # advice to use urandom for everything.
+ #
+ #
+ randomEncryption.source = "/dev/random";
+
+ randomEncryption.enable = true;
+
+ # nvme id-ns -H /dev/nvme0n1 | grep 'LBA Format'
+ #
+ # if you support more than 512 sector size and are currently not using it,
+ # then reinstall nixos and go through:
+ # then change this to your new sector size
+ randomEncryption.sectorSize = 512;
+
+ # 512 instead of 256 default key size (for aes-xts-plain64) can't hurt
+ randomEncryption.keySize = 512;
+
+ # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
+ # on the physical SSD controller such as formatted FS type, amount of space used, etc.
+ # which *can* be of concern regarding forensics
+ randomEncryption.allowDiscards = true;
+ }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ # i want all my firmware and microcode pls
+ hardware.enableAllFirmware = true;
+
+ # i kinda question if this works because i don't see amd-ucode in /boot, but
+ # even nixos-hardware uses this so........
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
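Review bot: The comment above `"data=writeback"` (it appears twice, in the `/` options and again in the `/nix/store` bind options) has the guarantee backwards: writeback is the weakest of ext4's three journaling modes — only metadata is journaled and data writes are not ordered before the metadata commit, so after a crash a recently extended file can contain stale blocks from other, possibly deleted, files — while `data=journal` is the strongest. Suggest replacing it with `# data=writeback: metadata-only journaling, no data ordering; weakest integrity mode, chosen for throughput (journal_async_commit requires it or data=journal)`. Separately, the header on this file says it is owned by `nixos-generate-config` and will be overwritten, so the hand-tuned mount, LUKS and swap options would be lost on the next regeneration and belong in configuration.nix instead. Worth a caveat next to `fileSystems."/boot"` as well: the ESP is unencrypted and, with plain systemd-boot and nothing in this diff enabling Secure Boot, unauthenticated, so LUKS on `/` does not protect against a tampered kernel or initrd capturing the passphrase; `umask=0077` only limits local non-root readers.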