@robertodr
Last active January 4, 2024 15:04
kellanved
{
  config,
  lib,
  pkgs,
  ...
}: let
  # Upstream modules pinned to a commit and fetched at evaluation time.
  #
  # NOTE(review): pinning the commit in the URL fixes *which* revision is asked
  # for, but without a `sha256` argument `builtins.fetchTarball` never verifies
  # what it actually received, and the result is cached by URL (`tarball-ttl`),
  # so every fresh evaluation depends on the network and on GitHub serving the
  # expected archive. Adding `sha256 = "<sha256-placeholder>";` to each call
  # (or moving these to flake inputs / `pkgs.fetchFromGitHub`) makes the
  # imports content-addressed and reproducible.
  fromGitHub = owner: repo: rev:
    builtins.fetchTarball {
      url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
    };

  disko = fromGitHub "nix-community" "disko" "aef9a509db64a081186af2dc185654d78dc8e344";
  nixosHardware = fromGitHub "NixOS" "nixos-hardware" "a15b6e525f5737a47b4ce28445c836996fb2ea8c";
  impermanence = fromGitHub "nix-community" "impermanence" "033643a45a4a920660ef91caa391fbffb14da466";
in {
  imports = [
    ./hardware-configuration.nix
    "${disko}/module.nix"
    ./disko-config.nix
    "${nixosHardware}/framework/13-inch/12th-gen-intel"
    "${impermanence}/nixos.nix"
  ];
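boot = {
  # Hibernation into the swapfile that lives on the "/swap" subvolume declared in
  # disko-config.nix (mounted at /.swapvol). Both values are machine-specific.
  kernelParams = ["resume_offset=533760"]; # <-- CHANGE with output of btrfs inspect-internal map-swapfile -r /.swapvol/swapfile
  resumeDevice = "/dev/disk/by-uuid/edc1b1c1-ae2e-462c-8390-fdf11cf81ea9"; # <-- CHANGE with output of findmnt -no UUID -T /.swapvol/swapfile
  loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  initrd.systemd = {
    # `boot.initrd.systemd.services` only has an effect when the systemd-based
    # stage 1 is enabled, and `systemd-cryptsetup@encrypted.service`, which the
    # rollback unit orders itself after, only exists in that initrd. Nothing else
    # in these files sets this, so without it the unit below is never built into
    # the initrd and "/" silently comes up un-reset on every boot.
    enable = true;
    # the rollback service is from: https://discourse.nixos.org/t/impermanence-vs-systemd-initrd-w-tpm-unlocking/25167/3
    services.root-rollback = {
      description = "Rollback BTRFS root subvolume to a pristine state";
      # NOTE(review): wantedBy is a Wants= relationship, so a failed rollback does
      # not stop the boot: sysroot.mount still proceeds and the system comes up on
      # the previous root contents. If a pristine "/" is a hard requirement,
      # consider `requiredBy = ["sysroot.mount"];` so a failure fails closed.
      wantedBy = [
        "initrd.target"
      ];
      after = [
        # LUKS/TPM process
        "systemd-cryptsetup@encrypted.service"
      ];
      before = [
        "sysroot.mount"
      ];
      unitConfig.DefaultDependencies = "no";
      serviceConfig.Type = "oneshot";
      # Deletes the "/root" subvolume and re-creates it from the read-only
      # "/root-blank" snapshot taken by disko's postCreateHook at install time.
      script = ''
        mkdir -p /mnt
        # We first mount the btrfs root to /mnt
        # so we can manipulate btrfs subvolumes.
        mount -o subvol=/ /dev/mapper/encrypted /mnt
        # While we're tempted to just delete /root and create
        # a new snapshot from /root-blank, /root is already
        # populated at this point with a number of subvolumes,
        # which makes `btrfs subvolume delete` fail.
        # So, we remove them first.
        #
        # /root contains subvolumes:
        # - /root/var/lib/portables
        # - /root/var/lib/machines
        #
        # I suspect these are related to systemd-nspawn, but
        # since I don't use it I'm not 100% sure.
        # Anyhow, deleting these subvolumes hasn't resulted
        # in any issues so far, except for fairly
        # benign-looking errors from systemd-tmpfiles.
        btrfs subvolume list -o /mnt/root |
        cut -f9 -d' ' |
        while read subvolume; do
        echo "deleting /$subvolume subvolume..."
        btrfs subvolume delete "/mnt/$subvolume"
        done &&
        echo "deleting /root subvolume..." &&
        btrfs subvolume delete /mnt/root
        echo "restoring blank /root subvolume..."
        btrfs subvolume snapshot /mnt/root-blank /mnt/root
        # Once we're done rolling back to a blank snapshot,
        # we can unmount /mnt and continue on the boot process.
        umount /mnt
      '';
    };
  };
};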
# Both filesystems have to be mounted in stage 1: /nix holds the system closure
# and /persist is the source of the bind mounts declared under
# environment.persistence below.
fileSystems = {
  "/nix".neededForBoot = true;
  "/persist".neededForBoot = true;
};
# Whatever is not listed here lives on the "/root" subvolume and is thrown away by
# the root-rollback service on the next boot.
environment.persistence."/persist" = let
  persistedDirectories = [
    "/var/log"
    "/var/lib/bluetooth" # device pairing state
    "/var/lib/nixos" # NixOS' own uid/gid allocation state; dropping it lets ids drift between boots
    # NOTE(review): core dumps can carry secrets from the crashed process
    # (browser, 1Password, ...); persisting them keeps that material around
    # across boots. Consider leaving this one ephemeral.
    "/var/lib/systemd/coredump"
    "/etc/NetworkManager/system-connections" # connection profiles, including Wi-Fi PSKs in clear text; only the LUKS layer protects them
    "/etc/nixos"
    {
      directory = "/var/lib/colord";
      user = "colord";
      group = "colord";
      mode = "u=rwx,g=rx,o=";
    }
  ];
  persistedFiles = [
    "/etc/machine-id"
    # NOTE(review): this entry is identical to the impermanence README example;
    # if nothing on this machine uses /var/keys/secret_file it can be removed.
    {
      file = "/var/keys/secret_file";
      parentDirectory = {mode = "u=rwx,g=,o=";};
    }
  ];
in {
  hideMounts = true; # keep the bind mounts out of `mount`/`df` listings
  directories = persistedDirectories;
  files = persistedFiles;
};
networking.hostName = "kellanved";
networking.networkmanager.enable = true; # profiles are persisted via /etc/NetworkManager/system-connections above
time = {timeZone = "Europe/Oslo";};
i18n = {defaultLocale = "en_US.UTF-8";};
# GNOME on Xorg: GDM is told not to offer the Wayland session.
services.xserver = {
  enable = true;
  displayManager.gdm = {
    enable = true;
    wayland = false;
  };
  desktopManager.gnome.enable = true;
  xkb.layout = "us";
  xkb.options = "eurosign:e,caps:escape";
  libinput.enable = true;
};
# PipeWire replaces PulseAudio (hardware.pulseaudio is disabled below) and
# exposes a PulseAudio-compatible server for clients.
services.pipewire = {
  enable = true;
  alsa = {
    enable = true;
    support32Bit = true;
  };
  pulse.enable = true;
};
sound.enable = true;
hardware = {pulseaudio.enable = false;}; # PipeWire provides the Pulse server instead
security = {rtkit.enable = true;}; # lets the audio daemon obtain realtime scheduling
users.groups.roberto.gid = 1000;
users.users.roberto = {
  isNormalUser = true;
  description = "Roberto Di Remigio Eikås";
  uid = 1000;
  group = "roberto";
  extraGroups = ["users" "networkmanager" "wheel"]; # wheel: sudo access
  shell = pkgs.fish;
  # NOTE(review): this hash is published in a public gist, and because it is
  # set inline it also lands in the Nix store (via the generated users/groups
  # JSON and again through system.copySystemConfiguration), which every local
  # user can read. That exposes it to offline guessing. Rotate the password
  # and point NixOS at a file kept outside the store instead, e.g.
  # `hashedPasswordFile = "/persist/<path-to-hash-file>";` (on the persisted
  # volume so it survives the root rollback).
  hashedPassword = "$y$j9T$9CT7imGp.njKexGkzwsTh/$7y/T3A6cPIvy7CFKEBOJzil4sJmof0IaFR9BlJr2b15";
  packages = [];
};
nixpkgs.config.allowUnfree = true; # needed for zoom-us and 1Password below
environment.systemPackages = [
  pkgs.alejandra
  pkgs.neovim
  pkgs.zoom-us
];
programs._1password.enable = true;
programs._1password-gui = {
  enable = true;
  # Only these users may use 1Password's polkit-based integrations
  # (system authentication prompts); keep the list to real interactive users.
  polkitPolicyOwners = ["roberto"];
};
programs.firefox.enable = true;
programs.fish.enable = true;
programs.git.enable = true;
system = {
  # NOTE(review): this copies configuration.nix into the Nix store and links it
  # as /run/current-system/configuration.nix. The store is world-readable and
  # keeps the copy for every generation until it is garbage-collected, so any
  # inline secret in this file (the hashedPassword above) is readable by every
  # local user for as long as those generations exist.
  copySystemConfiguration = true;
  # stateVersion records the first NixOS release installed on this machine. It
  # exists so that application data created on older releases (databases and the
  # like) keeps working, and it should almost never be changed after the initial
  # install, not even after upgrading to a newer release.
  #
  # It does NOT select the Nixpkgs version packages are built from, so changing
  # it does NOT upgrade the system; and a value older than the current release
  # does NOT mean the system is out of date, unsupported, or vulnerable.
  #
  # Only change it after manually inspecting every change it would make to this
  # configuration and migrating the affected data accordingly.
  #
  # See `man configuration.nix` or
  # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  stateVersion = "23.11"; # Did you read the comment?
};
}
{
  # Single NVMe disk: a small unencrypted ESP plus one LUKS volume holding a
  # btrfs filesystem split into subvolumes. The "/root" subvolume is the one
  # reset on every boot by the root-rollback initrd service in configuration.nix.
  disko.devices.disk.nvme0n1 = {
    type = "disk";
    device = "/dev/nvme0n1";
    content.type = "gpt";
    content.partitions = {
      ESP = {
        label = "EFI";
        size = "512M";
        type = "EF00";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
          # NOTE(review): /boot is the only unencrypted filesystem here, and a
          # vfat mount with "defaults" is world-readable, so kernels, initrds
          # and the loader entries are visible to every local user. Restricting
          # it (e.g. "umask=0077") costs nothing for systemd-boot, which reads
          # the ESP from firmware before Linux is up. Neither LUKS nor the
          # rollback protects the integrity of what is on this partition.
          mountOptions = [
            "defaults"
          ];
        };
      };
      luks = {
        size = "100%";
        content = {
          type = "luks";
          name = "encrypted";
          # path to file containing password for initial encryption
          # Read by disko only while formatting; its content becomes the LUKS
          # passphrase. /tmp on the installer is world-writable, so create the
          # file with mode 0600 and remove it once the install is done.
          passwordFile = "/tmp/secret.key";
          # TRIM passes through dm-crypt, which reveals to anyone holding the
          # raw device which blocks are unused (the filesystem's fill pattern).
          # The usual SSD-lifetime trade-off; keep it only if that is acceptable.
          settings.allowDiscards = true;
          content = {
            type = "btrfs";
            extraArgs = ["-f"]; # overwrite any existing filesystem signature
            # Takes the read-only "root-blank" snapshot that the root-rollback
            # service restores from; the rollback cannot work if this hook fails.
            postCreateHook = ''
              MNTPOINT=$(mktemp -d)
              mount /dev/mapper/encrypted "$MNTPOINT" -o subvol=/
              trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
              btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
            '';
            subvolumes = let
              compressed = ["compress=zstd" "noatime"];
            in {
              "/root" = {
                mountpoint = "/";
                mountOptions = compressed;
              };
              "/nix" = {
                mountpoint = "/nix";
                mountOptions = compressed;
              };
              # The swapfile (hibernation target, see boot.resumeDevice) gets
              # its own subvolume without compression options.
              "/swap" = {
                mountpoint = "/.swapvol";
                swap.swapfile.size = "66G";
              };
              "/home" = {
                mountpoint = "/home";
                mountOptions = compressed;
              };
              "/persist" = {
                mountpoint = "/persist";
                mountOptions = compressed;
              };
            };
          };
        };
      };
    };
  };
}
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}: {
  imports = [(modulesPath + "/installer/scan/not-detected.nix")];

  # Generated module list; disko-config.nix owns the fileSystems entries, which
  # is why none appear here.
  boot = {
    initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
      kernelModules = [];
    };
    kernelModules = ["kvm-intel"];
    extraModulePackages = [];
  };

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  # CPU microcode updates follow the redistributable-firmware switch; with
  # mkDefault another module (presumably the nixos-hardware framework profile —
  # verify) may override either side.
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}