
@Shou
Last active November 27, 2019 22:05
Gets you a functional GNOME3 on Xorg. The only other unusual option is that PulseAudio broadcasting is possible (it may require additional configuration through paprefs).

Installation follows the instructions in the "NixOS install with encrypted /boot /root with single password unlock" Gist.

In the future, I may use this guide instead, because it uses LUKS on LVM instead of vice versa (LVM on LUKS). LUKS on LVM is more flexible, according to the Arch wiki linked in that post:

Tip: Unlike LVM on LUKS, this method allows normally spanning the logical volumes over multiple disks.

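# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, ... }:
let
  # Haskell IDE Engine sources, pinned to a commit. `let` bindings are lazy,
  # so nothing is downloaded while the only use of `all-hies` (in
  # environment.systemPackages) stays commented out. The fetch carries no
  # `sha256`, so whenever it is evaluated the tarball is trusted as served;
  # adding a hash makes it verified and reproducible.
  all-hies = import (fetchTarball "https://github.com/infinisil/all-hies/tarball/81e51c7b1acfabab8b2b75c31ad684e20df6f67f") {};

  # PulseAudio default.pa with timer-based scheduling disabled on the
  # udev-detected devices (tsched=0); this seems to fix popping audio.
  # Bound at file level because it is needed twice: as the user daemon's
  # `hardware.pulseaudio.configFile` and, via a symlink, as the config of
  # the GDM greeter's own PulseAudio daemon (see displayManager.job.preStart).
  pulseConfig = pkgs.runCommand "default.pa" {} ''
    sed 's/module-udev-detect$/module-udev-detect tsched=0/' \
      ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
  '';
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./hardware-personal.nix
  ];

  nixpkgs.config = {
    # Disappoint Stallman
    allowUnfree = true;
    firefox = {
      enableGoogleTalkPlugin = true;
      # enableAdobeFlash = true;
      enableGnomeExtensions = true;
    };
    chromium = {
      # enablePepperFlash = true;
    };
  };

  # Trusted users may hand the Nix daemon arbitrary substituters and build
  # settings, which amounts to root access; keep this list to accounts that
  # already hold root (root, benedict and every member of the `sudo` group
  # defined under users.groups below).
  nix.trustedUsers = [ "root" "benedict" "@sudo" ];
  nix.nrBuildUsers = 128;

  networking = {
    hostName = "peril";
    networkmanager.enable = true;
    # With the firewall off, every listening service in this file (nginx,
    # any PulseAudio network module) is reachable from whatever network the
    # host joins. See the "Open ports in the firewall" comment further down
    # for the allow-list alternative.
    firewall.enable = false;
    # nameservers = [ "127.0.0.1:53535" ];
  };

  services.dnscrypt-proxy = {
    enable = true;
    localPort = 53;
    resolverName = "cloudflare";
  };
  # NOTE(review): with the nameservers line above commented out, resolv.conf
  # is presumably still populated by NetworkManager from DHCP, so the proxy
  # may be running without being used — confirm DNS actually goes through it.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  i18n = {
    # NOTE(review): `i18n.consoleFont` became `console.font` in later
    # releases — check before the autoUpgrade channel below moves this host.
    consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
    # consoleKeyMap = "us";
    # defaultLocale = "en_US.UTF-8";
    inputMethod = {
      enabled = "ibus";
      ibus.engines = with pkgs.ibus-engines; [
        uniemoji
        mozc
      ];
    };
  };

  fonts.fonts = with pkgs; [
    noto-fonts noto-fonts-cjk noto-fonts-emoji emojione lmodern
    carlito ipafont kochi-substitute
  ];

  # Set your time zone.
  time.timeZone = "Europe/London";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    neovim tmux firefox spotify paprefs pavucontrol hexchat bat ripgrep fd
    mpv smplayer docker chrome-gnome-shell fish nix-index docker_compose git
    noto-fonts-emoji emojione xsel bazel gnumake imagemagick curl direnv
    stack xvfb_run jq pcre kdiff3 postgresql_10 poppler_utils xmlstarlet
    libssh2 libxml2 tree gcc binutils autoconf automake gparted alacritty
    haskellPackages.ghcid hlint gimp chromium wine ghc flatpak
    # Haskell IDE Engine – specific versions
    # Install stable HIE for GHC 8.6.4, 8.6.3 and 8.4.3
    # (all-hies.selection { selector = p: { inherit (p) ghc864 ghc863 ghc843; }; })
    google-chrome gnome3.dconf-editor
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  programs.fish.enable = true;

  # List services that you want to enable:
  services.gnome3.chrome-gnome-shell.enable = true;
  #services.xserver.displayManager.gdm.autoLogin.user = "benedict";

  # Enable the OpenSSH daemon.
  services.openssh.enable = false;

  services.flatpak.enable = true;

  # Static file server for ~/Public with directory listings. The default
  # virtual host binds every interface and the firewall is disabled, so the
  # listing is visible to any host that can reach this machine, not just
  # localhost; a `listen` entry on 127.0.0.1 would restrict it. The workers
  # also run as the interactive user instead of the dedicated nginx account,
  # so a compromised worker has that user's privileges over the whole home.
  services.nginx = {
    enable = true;
    user = "benedict";
    group = "users";
    virtualHosts."localhost" = {
      default = true;
      root = "/home/benedict/Public";
      locations."/".extraConfig = ''
        autoindex on;
      '';
    };
  };

  # Enable Docker daemon.
  virtualisation.docker.enable = true;
  virtualisation.virtualbox.host.enable = false;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.

  # Enable CUPS to print documents.
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.gutenprintBin
    ];
  };

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio = {
    enable = true;
    # Advertise this sound server over mDNS and discover others (the
    # "broadcasting" mentioned in the gist description).
    zeroconf = {
      publish.enable = true;
      discovery.enable = true;
    };
    # Any client that can reach the native-protocol TCP port may play and
    # record audio without authentication. NOTE(review): this appears to take
    # effect only once `hardware.pulseaudio.tcp.enable` loads the TCP module,
    # which this file does not set — confirm; when enabling it, prefer
    # `tcp.anonymousClients.allowedIpRanges` over allowing everyone.
    tcp.anonymousClients.allowAll = true;
    # Full Pulseaudio for Bluetooth support.
    package = pkgs.pulseaudioFull;
    # Good codecs; NOT IN 18.03; try 19.03
    extraModules = [ pkgs.pulseaudio-modules-bt ];
    # Patched default.pa, see `pulseConfig` at the top of the file.
    configFile = pulseConfig;
  };

  hardware.bluetooth.enable = true;
  # Enable A2DP sink.
  hardware.bluetooth.extraConfig = "
[General]
Enable=Source,Sink,Media,Socket
";

  services.xserver = {
    enable = true;
    layout = "us";
    libinput = {
      enable = true;
      tapping = true;
    };
    desktopManager = {
      gnome3.enable = true;
    };
    displayManager = {
      # Give the GDM greeter's PulseAudio daemon the same patched default.pa
      # as the user session (/run/gdm is the gdm account's home on NixOS).
      job.preStart = ''
        mkdir -p /run/gdm/.config/pulse
        ln -sf ${pulseConfig} /run/gdm/.config/pulse/default.pa
        chown -R gdm:gdm /run/gdm/.config
      '';
      gdm = {
        enable = true;
        wayland = false;
        # Logs `benedict` in without a password at boot; with full-disk
        # encryption the LUKS passphrase is then the only gate to the session.
        autoLogin = {
          enable = true;
          user = "benedict";
        };
      };
      lightdm = {
        enable = false;
        autoLogin = {
          enable = true;
          user = "benedict";
        };
      };
    };
    # NOTE(review): the proprietary driver is selected here while its kernel
    # module is blacklisted under "### Virtualisation" below and the card is
    # bound to vfio-pci; unless a second NVIDIA GPU is present, one of the
    # two settings is stale — confirm.
    videoDrivers = [ "nvidia" ];
  };

  # Define user accounts
  users = {
    users = {
      benedict = {
        isNormalUser = true;
        uid = 1000;
        # `docker` membership is root-equivalent (the daemon socket can start
        # privileged containers); `sudo` is the custom admin group below.
        extraGroups = [ "sudo" "docker" "networkmanager" "libvirtd" "kvm" "qemu" ];
        shell = pkgs.fish;
      };
      # NOTE(review): `isNormalUser = false` gives this account system-account
      # defaults (no home directory is created) while it still sits in `sudo`
      # and `docker` — confirm that is intended for a "work" login.
      work = {
        isNormalUser = false;
        uid = 1001;
        extraGroups = [ "sudo" "docker" ];
        shell = pkgs.fish;
      };
    };
    groups = {
      sudo.gid = 707;
    };
  };

  # Set up sudoers group. `configFile` appears to be a lines-typed option, so
  # this rule is merged with the module's generated sudoers (root and wheel
  # rules stay) rather than replacing it; `security.sudo.extraRules` would
  # express the same rule structurally.
  security.sudo.configFile = ''%sudo ALL=(ALL) ALL'';

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.03"; # Did you read the comment? no lol
  # NOTE(review): this tracks 20.03 from a 19.03-era configuration; several
  # options used here were renamed or removed around that release (e.g.
  # `i18n.consoleFont` → `console.font`, `services.dnscrypt-proxy` →
  # `services.dnscrypt-proxy2`). Read the 20.03 release notes before the
  # first automatic upgrade lands.
  system.autoUpgrade.channel = "https://nixos.org/channels/nixos-20.03/";

  # Satisfy Elasticsearch requirement
  boot.kernel.sysctl = {
    "vm.max_map_count" = 262144;
  };

  ### Virtualisation
  boot.kernelModules = [
    "kvm-amd" "kvm-intel"
    # Add VFIO kernel modules
    "vfio_virqfd" "vfio_pci" "vfio_iommu_type1" "vfio"
  ];
  # Enable IOMMU
  boot.kernelParams = [ "amd_iommu=on" ];
  # Blacklist GPU drivers so that vfio-pci, not nvidia/nouveau, claims the card.
  boot.blacklistedKernelModules = [ "nvidia" "nouveau" ];
  # Attach GPU to VFIO driver (PCI vendor:device ids; 10de is NVIDIA, the two
  # functions are presumably the GPU and its HDMI audio device).
  boot.extraModprobeConfig = "options vfio-pci ids=10de:1c03,10de:10f1";
  # Raise the default open-file and locked-memory limits for all units
  # (VFIO passthrough pins guest memory, which counts against RLIMIT_MEMLOCK).
  # This text lands in the [Manager] section of system.conf, where only the
  # `Default*` keys exist; the bare `LimitNOFILE=`/`LimitMEMLOCK=` keys are
  # per-unit settings that systemd rejects as unknown there, so they are not
  # repeated here.
  systemd.extraConfig = ''
    DefaultLimitNOFILE=65536
    DefaultLimitMEMLOCK=infinity
  '';
}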
# Manually modified hardware config. This may be ignored if you aren't
# following the outlined guide and instead just want the configuration.nix.
{ config, lib, pkgs, ... }:
{
  boot.loader = {
    # Use the systemd-boot EFI boot loader.
    systemd-boot.enable = true;
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
    };
    # GRUB 2 on the EFI system partition, built with cryptodisk support so
    # it can open the encrypted /boot itself.
    grub = {
      enable = true;
      device = "nodev";
      version = 2;
      efiSupport = true;
      enableCryptodisk = true;
      # Additional initrd image that carries the LUKS key file used below.
      # It holds the key in clear, so it must live only on the encrypted
      # /boot and stay readable by root alone; a quoted string path is never
      # imported into the world-readable Nix store, whereas whether a path
      # literal is copied depends on how the option is consumed — confirm.
      extraInitrd = /boot/initrd.keys.gz;
    };
  };

  # Encryption: open the root container before LVM activation, using the
  # key presumably shipped in the extra initrd rather than a second passphrase
  # prompt. `allowDiscards` passes TRIM through the encrypted layer, which
  # reveals the free-space layout to anyone holding the raw disk.
  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/disk/by-uuid/fe1a9bac-29f8-44a3-a0dc-3232d87737ab";
      preLVM = true;
      keyFile = "/keyfile0.bin";
      allowDiscards = true;
    }
  ];
}