From 1006e41bfbe10cb1c8634e947b0c06926e53b5d6 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 30 Apr 2020 05:49:19 +0100
Subject: [PATCH] ops/nixos/porcorosso: create
Summary: Adds porcorosso to the depot, and also adds the supporting Nix architecture required to make this work. This also tests that encryption is working correctly.
Reviewers: tazjin
Reviewed By: tazjin
Subscribers: tazjin
Differential Revision: https://phab.lukegb.com/D8
---
 .hgignore | 1 +
 default.nix | 18 +++
 ops/default.nix | 4 +
 ops/nixos/default.nix | 25 ++++
 ops/nixos/porcorosso/README.md | 9 ++
 ops/nixos/porcorosso/default.nix | 223 +++++++++++++++++++++++++++++++
 third_party/default.nix | 6 +
 7 files changed, 286 insertions(+)
 create mode 100644 .hgignore
 create mode 100644 default.nix
 create mode 100644 ops/default.nix
 create mode 100644 ops/nixos/default.nix
 create mode 100644 ops/nixos/porcorosso/README.md
 create mode 100644 ops/nixos/porcorosso/default.nix
 create mode 100644 third_party/default.nix
diff --git a/.hgignore b/.hgignore
new file mode 100644
index 0000000000..2014ef0cc5
--- /dev/null
+++ b/.hgignore
@@ -0,0 +1 @@
+ops/secrets/
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000000..fed95addc8
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,18 @@
+{ ... }:
+
+let
+ fix = f: let x = f x; in x;
+ config = depot: {
+ inherit depot;
+ pkgs = depot.third_party.nixpkgs;
+ };
+in fix (self:
+ let ch = (self.config // { inherit (self) lib; });
+ in {
+ config = config self;
+
+ third_party = import ./third_party ch;
+ ops = import ./ops ch;
+
+ lib = self.third_party.nixpkgs.lib;
+ })
diff --git a/ops/default.nix b/ops/default.nix
new file mode 100644
index 0000000000..6311c00454
--- /dev/null
+++ b/ops/default.nix
@@ -0,0 +1,4 @@
+args: {
+ nixos = import ./nixos args;
+ secrets = import ./secrets args;
+}
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
new file mode 100644
index 0000000000..cb4a0fb1c7
--- /dev/null
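Review bot: `secrets = import ./secrets args;` in ops/default.nix imports a directory that this same commit adds to `.hgignore`, so a fresh checkout that evaluates `ops.nixos` (whose host config reads `secrets.passwordHashes`) fails with a bare missing-path error instead of saying what has to be provided out of band. A guard gives a clearer failure while keeping the attribute lazy for everything that does not touch it: `secrets = if builtins.pathExists ./secrets then import ./secrets args else throw "ops/secrets is absent (it is listed in .hgignore); provide it before evaluating ops.nixos";`. The rest of the depot (`third_party`, `lib`) still evaluates without the directory because nothing else forces the attribute, which is worth recording in a one-line comment next to it.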
+++ b/ops/nixos/default.nix
@@ -0,0 +1,25 @@
+{ depot, lib, pkgs, ... }@args:
+let
+ inherit (builtins) foldl' mapAttrs;
+ systemFor = configs:
+ (depot.third_party.nixos {
+ configuration = lib.fix
+ (config: foldl' lib.recursiveUpdate { } (map (c: c config) configs));
+ }).system;
+ systems = [ "porcorosso" ];
+ rebuilder = system:
+ pkgs.writeShellScriptBin "rebuilder" ''
+ set -ue
+ if [[ $EUID -ne 0 ]]; then
+ exec sudo "$0" "$@"
+ fi
+
+ system="$(nix-build -E '(import {}).ops.nixos.${system}' --no-out-link)"
+ nix-env -p /nix/var/nix/profiles/system --set "$system"
+ "$system/bin/switch-to-configuration" switch
+ '';
+ systemCfgs = lib.genAttrs systems
+ (name: import (./. + "/${name}") (args // { rebuilder = rebuilder name; }));
+ mapAttrValues = (f: set: mapAttrs (name: f) set);
+ systemDrvs = mapAttrValues (systemCfg: systemFor [ systemCfg ]) systemCfgs;
+in systemDrvs
diff --git a/ops/nixos/porcorosso/README.md b/ops/nixos/porcorosso/README.md
new file mode 100644
index 0000000000..326f722c40
--- /dev/null
+++ b/ops/nixos/porcorosso/README.md
@@ -0,0 +1,9 @@
+# porcorosso.roam.lukegb.net
+
+Dual-booted Windows/NixOS laptop.
+
+* Base: Dell Precision 7540
+* 32 GiB RAM (4x8GiB 3200MHz Fujitsu AO1P32MC8T1-BW3S DIMMs)
+* Intel i7-9850H
+* 1080p touchscreen
+* NVIDIA Quadro RTX 4000 Mobile GPU, configured in DP-owner mode in firmware
diff --git a/ops/nixos/porcorosso/default.nix b/ops/nixos/porcorosso/default.nix
new file mode 100644
index 0000000000..1729c73042
--- /dev/null
+++ b/ops/nixos/porcorosso/default.nix
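Review bot: `systemFor` combines the per-host config functions with `foldl' lib.recursiveUpdate`, not with the NixOS module system, so as soon as `configs` holds more than one element a list-valued option such as `environment.systemPackages` or `boot.kernelModules` in a later config silently replaces the earlier one instead of being concatenated. Only `[ systemCfg ]` is ever passed today, so the behaviour is latent, but a comment on `systemFor` should record the constraint: `# NOTE: recursiveUpdate overwrites lists and does not understand mkDefault/mkAfter; to combine several configs, pass them as NixOS modules instead.` Separately, `nix-build -E '(import {}).ops.nixos.${system}'` in the `rebuilder` script reads as though an angle-bracket search-path element was dropped when this page was rendered (the host config sets `nix.nixPath = [ "depot=..." ]`), so I have not treated that as a defect; it is worth a glance at the committed file, since the script re-executes itself under `sudo` and whatever that expression resolves to is evaluated and activated as root.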
@@ -0,0 +1,223 @@
+{ depot, lib, pkgs, rebuilder, ... }:
+config:
+let
+ inherit (depot.ops) secrets;
+ nvidia-offload-profile = ''
+ export __NV_PRIME_RENDER_OFFLOAD=1
+ export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
+ export __GLX_VENDOR_LIBRARY_NAME=nvidia
+ export __VK_LAYER_NV_optimus=NVIDIA_only
+ '';
+ nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload"
+ (nvidia-offload-profile + ''
+ exec -a "$0" "$@"
+ '');
+in lib.fix (self: {
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ ];
+ boot.kernelModules = [ "kvm-intel" "tcp_bbr" ];
+
+ fileSystems = let
+ zfs = device: {
+ device = device;
+ fsType = "zfs";
+ };
+ in {
+ "/" = zfs "zpool/local/root";
+ "/nix" = zfs "zpool/local/nix";
+ "/tmp" = zfs "zpool/local/tmp";
+
+ "/var" = zfs "zpool/safe/var";
+ "/home" = zfs "zpool/safe/home";
+ "/persist" = zfs "zpool/safe/persist";
+
+ "/boot" = {
+ device = "/dev/disk/by-label/NIXBOOT";
+ fsType = "vfat";
+ };
+ };
+
+ nix.maxJobs = lib.mkDefault 12;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.enableRedistributableFirmware = true;
+
+ nixpkgs.config = { allowUnfree = true; };
+
+ nix.nixPath = [ "depot=/home/lukegb/depot/" ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Nuke everything on boot.
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r zpool/local/root@blank
+ '';
+
+ # Enable ZFS.
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.zfs.devNodes = "/dev/disk/by-partuuid";
+ services.zfs.autoScrub.enable = true;
+ services.zfs.autoSnapshot = {
+ enable = true;
+ monthly = 1;
+ };
+
+ # Enable HyperV guesting
+ virtualisation.hypervGuest.enable = true;
+
+ networking.hostName = "porcorosso";
+ networking.hostId = "1ee729a4";
+
+ # Boot faster.
+ systemd.services.systemd-udev-settle.enable = false;
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ # Use NetworkManager instead.
+ networking.useDHCP = false;
+ networking.interfaces.eno1.useDHCP = false;
+ networking.networkmanager.enable = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.keyMap = "us";
+
+ # Set your time zone.
+ time.timeZone = "Europe/London";
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ vim
+ pciutils
+ nvidia-offload
+ (steam.override { extraProfile = nvidia-offload-profile; })
+ rebuilder
+ blackbox
+ mercurial
+ arcanist
+ age
+ ];
+
+ #hardware.nvidia.prime.offload.enable = true;
+ #hardware.nvidia.prime = {
+ # intelBusId = "PCI:0:2:0";
+ # nvidiaBusId = "PCI:1:0:0";
+ #};
+
+ hardware.u2f.enable = true;
+ services.udev.packages = [ pkgs.libu2f-host ];
+ services.pcscd.enable = true;
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ programs.mtr.enable = true;
+ # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ sound.enable = true;
+ hardware.pulseaudio.enable = true;
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ services.xserver.layout = "us";
+ services.xserver.libinput.enable = true;
+ services.xserver.windowManager.i3.enable = true;
+ services.xserver.videoDrivers = [ "nvidia" ];
+ services.xserver.displayManager.gdm = {
+ enable = true;
+ wayland = true;
+ };
+
+ programs.sway = {
+ enable = true;
+ extraPackages = with pkgs; [
+ swaylock # lockscreen
+ swayidle
+ xwayland # for legacy apps
+ waybar # status bar
+ mako # notification daemon
+ kanshi # autorandr
+ ];
+ };
+ programs.waybar.enable = true;
+
+ hardware.opengl.driSupport32Bit = true;
+ hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
+ hardware.pulseaudio.support32Bit = true;
+
+ # Define a user account.
+ users.mutableUsers = false;
+ users.users = {
+ root.hashedPassword = secrets.passwordHashes.root;
+ lukegb = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [ "wheel" "networkmanager" ];
+ hashedPassword = secrets.passwordHashes.root;
+ };
+ };
+
+ boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+ boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
+
+ # Things to persist.
+ services.openssh.hostKeys = [
+ {
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ environment.etc = {
+ "NetworkManager/system-connections" = {
+ source = "/persist/etc/NetworkManager/system-connections/";
+ };
+ "nixos" = { source = "/persist/etc/nixos/"; };
+ };
+ systemd.tmpfiles.rules = [
+ #"L /etc/nixos - - - - /persist/etc/nixos"
+ ];
+
+ # Enable Thunderbolt device management.
+ services.hardware.bolt.enable = true;
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "19.09"; # Did you read the comment?
+
+})
diff --git a/third_party/default.nix b/third_party/default.nix
new file mode 100644
index 0000000000..0ee5a3edea
--- /dev/null
+++ b/third_party/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+ nixpkgs = import ./nixpkgs { config.allowUnfree = true; };
+ nixos = import ./nixpkgs/nixos;
+}
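Review bot: In the `users.users` block of ops/nixos/porcorosso/default.nix, `hashedPassword = secrets.passwordHashes.root;` under `lukegb` gives the wheel-group user the same password hash as root, which looks like a copy of the `root.hashedPassword` line just above it; it should point at a per-user entry, `hashedPassword = secrets.passwordHashes.<user>;` (placeholder for whatever key the secrets set actually defines), so the two accounts do not share one credential. With `users.mutableUsers = false;` every `hashedPassword` string also becomes part of the system closure and so lands in the world-readable Nix store; since `/persist` already holds the SSH host keys, `passwordFile = "/persist/<path-to-hash-file>";` (placeholder path) for both accounts keeps the hashes out of the store. `services.openssh.enable = true;` is left at the defaults, which keep password authentication on for the daemon; given a wheel user with a password, `services.openssh.passwordAuthentication = false;` next to it is the usual hardening. The `lib.fix (self: { ... })` attribute set containing all of this opens on the hunk's first lines and closes on its last, and `self` is never referenced inside it, so the `lib.fix` wrapper could be dropped or given a comment explaining what it is reserved for.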