From c93cdf6990fcc28bd366446d3d9d4e2ba5e87262 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 17 Nov 2020 18:45:32 +0100 Subject: [PATCH 1/1] init --- .envrc | 10 + .git-crypt/.gitattributes | 4 + ...E027182397AC0775714F2AD15AF7F467E8299B.gpg | Bin 0 -> 725 bytes .gitattributes | 1 + .gitignore | 2 + Makefile | 161 ++++++++++ flake.lock | 43 +++ flake.nix | 75 +++++ install | 2 + machines/oignon.nix | 274 ++++++++++++++++++ machines/oignon/hardware.nix | 143 +++++++++ nixpkgs/overlays.nix | 3 + secrets/julm/hashedPassword | Bin 0 -> 56 bytes shell.nix | 20 ++ 14 files changed, 738 insertions(+) create mode 100644 .envrc create mode 100644 .git-crypt/.gitattributes create mode 100644 .git-crypt/keys/default/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 Makefile create mode 100644 flake.lock create mode 100644 flake.nix create mode 100755 install create mode 100644 machines/oignon.nix create mode 100644 machines/oignon/hardware.nix create mode 100644 nixpkgs/overlays.nix create mode 100644 secrets/julm/hashedPassword create mode 100644 shell.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..61d5578 --- /dev/null +++ b/.envrc @@ -0,0 +1,10 @@ +use_flake() { + watch_file flake.nix + watch_file flake.lock + eval "$(nix print-dev-env --show-trace)" + #mkdir -p "$(direnv_layout_dir)" + #eval "$(nix print-dev-env --show-trace --profile "$(direnv_layout_dir)/flake-profile")" + #nix-store --indirect --add-root "$(direnv_layout_dir)/flake-profile.root" \ + # --realise "$(direnv_layout_dir)/flake-profile" +} +use flake diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes new file mode 100644 index 0000000..665b10e --- /dev/null +++ b/.git-crypt/.gitattributes @@ -0,0 +1,4 @@ +# Do not edit this file. To specify the files to encrypt, create your own +# .gitattributes file in the directory where your files are. +* !filter !diff +*.gpg binary 
diff --git a/.git-crypt/keys/default/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg b/.git-crypt/keys/default/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg new file mode 100644 index 0000000000000000000000000000000000000000..0b51f7323af67da16252f7bd4d8a4fcbe9e6b7e2 GIT binary patch literal 725 zcmV;`0xJE50t^FH%z$9=A^iRU5C2<&&@0qZFqU8y0~GuF#r;QioToSVwxH(xpH|5Y zB?wB27gl+ktC3N&VeRV*6YmUcGXv=XC;;~-I~=I&iVnHLTejgRQ8421AD7IAqf zT>PW$2g9nENXvGgi4IRu6?-uT9(jHmCF;b=GjnmTLsf#=a7!T(6uDg{WbfG$B9C}j zPe7oHFNVd)+zCY1-uA~WVKW!eJl9U`9bobrL14DZ9tqf0irdrQT0Bcg{W~f{+G-!^ zxkI1}G-wma210Fd>z(bGt`$XIr&m*UDd*zKWkM@o3F$$v5H|%+6&Q~g4L*ye0?d>{ z4U*)LtgeG75FBW0p3Sj|0EAdhjFJvn-|vM1u|JWAU+JX_;E8v?qj$^-if-Js4RzLm=htJR8e$IJRBH@s~A z@77oHFm)Kh=UoDy_I1E&Jiz1X3T%=T=GvuKW`A~D-s6#v7y z5U!h)++0;ALM$Iost$7=G%1EeM=1q#kH_@agiAQoLPTtovo#XWq7kMxc2^bimo(v3 HDIL;mVb)vB literal 0 HcmV?d00001 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..45b5ca3 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +secrets/** filter=git-crypt diff=git-crypt diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6c506dc --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +*.sgdisk +.direnv diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..73be24b --- /dev/null +++ b/Makefile 
@@ -0,0 +1,161 @@
+#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
+machine := oignon
+disk_ssd := /dev/disk/by-id/ata-Samsung_SSD_850_PRO_128GB_S1SMNSAFC36436X
+zpool := $(machine)
+cipher := aes-128-gcm
+autotrim := on
+reservation := 1G
+
+wipe:
+ sudo modprobe zfs
+ sudo zpool labelclear -f /dev/disk/by-partlabel/$(machine)_ssd_zpool || true
+ sudo $$(which sgdisk) --zap-all $(disk_ssd)
+
+part: wipe
+ # https://wiki.archlinux.org/index.php/BIOS_boot_partition
+ sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(machine)_ssd_bios" $(disk_ssd)
+ sudo $$(which sgdisk) -n0:1M:+32M -t0:EF00 -c0:"$(machine)_ssd_efi" $(disk_ssd)
+ sudo $$(which sgdisk) -n0:0:+256M -t0:8300 -c0:"$(machine)_ssd_boot" $(disk_ssd)
+ sudo $$(which sgdisk) -n0:0:+4G -t0:8200 -c0:"$(machine)_ssd_swap" $(disk_ssd)
+ sudo $$(which sgdisk) -n0:0:0 -t0:BF01 -c0:"$(machine)_ssd_zpool" $(disk_ssd)
+ # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
+ printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd) bs=1 seek=462
+ sudo $$(which sgdisk) --randomize-guids $(disk_ssd)
+ sudo $$(which sgdisk) --backup=$(machine)_ssd.sgdisk $(disk_ssd)
+
+format: umount format-efi format-boot format-zpool
+format-efi:
+ sudo blkid /dev/disk/by-partlabel/$(machine)_ssd_efi -t TYPE=vfat || \
+ sudo mkfs.vfat -F 16 -s 1 -n EFI /dev/disk/by-partlabel/$(machine)_ssd_efi
+format-boot:
+ sudo mkdir -p /mnt/$(machine)
+ sudo blkid -t TYPE=ext2 /dev/disk/by-partlabel/$(machine)_ssd_boot; test $$? != 2 || \
+ sudo mkfs.ext2 /dev/disk/by-partlabel/$(machine)_ssd_boot
+format-zpool:
+ sudo zpool list $(zpool) 2>/dev/null || \
+ sudo zpool create -o ashift=12 \
+ -O utf8only=yes \
+ $(if $(cipher),-O encryption=$(cipher) \
+ -O keyformat=passphrase \
+ -O keylocation=prompt) \
+ -R /mnt/$(machine) $(zpool) /dev/disk/by-partlabel/$(machine)_ssd_zpool
+ sudo zpool set \
+ autotrim=$(autotrim) \
+ $(zpool)
+ sudo zfs set \
+ acltype=off \
+ atime=off \
+ canmount=off \
+ compression=lz4 \
+ dnodesize=auto \
+ relatime=on \
+ xattr=off \
+ mountpoint=/ \
+ $(zpool)
+ # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
+ sudo zfs list $(zpool)/reserved 2>/dev/null || \
+ sudo zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved
+ sudo zfs set reservation=$(reservation) $(zpool)/reserved
+ # /
+ # mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
+ sudo zfs list $(zpool)/root 2>/dev/null || \
+ sudo zfs create \
+ -o canmount=on \
+ -o mountpoint=legacy \
+ $(zpool)/root
+ # /*
+ for p in \
+ home \
+ home/documents \
+ nix \
+ var \
+ ; do \
+ sudo zfs list $(zpool)/"$$p" 2>/dev/null || \
+ sudo zfs create \
+ -o canmount=on \
+ -o mountpoint=legacy \
+ $(zpool)/"$$p" ; \
+ done
+ #sudo zfs set sync=disabled $(zpool)/var/tmp
+ sudo zfs set copies=2 $(zpool)/home/documents
+
+mount: mount-zpool mount-boot mount-efi
+mount-zpool:
+ # scan needed zpools
+ sudo zpool list $(zpool) || \
+ sudo zpool import -f $(zpool)
+ # load encryption key
+ sudo zfs get -H encryption $(zpool) | \
+ grep -q '^$(zpool)\s*encryption\s*off' || \
+ sudo zfs get -H keystatus $(zpool) | \
+ grep -q '^$(zpool)\s*keystatus\s*available' || \
+ sudo zfs load-key $(zpool)
+ # /
+ sudo mkdir -p /mnt/$(machine)
+ sudo mountpoint /mnt/$(machine) || \
+ sudo mount -v -t zfs $(zpool)/root /mnt/$(machine)
+ # /*
+ for p in \
+ home \
+ nix \
+ var \
+ ; do \
+ sudo mkdir -p /mnt/$(machine)/"$$p"; \
+ sudo mountpoint /mnt/$(machine)/"$$p" || \
+ sudo mount -v -t zfs $(zpool)/"$$p" /mnt/$(machine)/"$$p" ; \
+ done
+ #sudo chmod 1777 /mnt/$(machine)/var/tmp
+mount-boot:
+ sudo mkdir -p /mnt/$(machine)/boot
+ sudo mountpoint /mnt/$(machine)/boot || \
+ sudo mount -v /dev/disk/by-partlabel/$(machine)_ssd_boot /mnt/$(machine)/boot
+ #sudo mount -v -t zfs bpool/boot /mnt/$(machine)/boot
+mount-efi: | mount-boot
+ sudo mkdir -p /mnt/$(machine)/boot/efi
+ sudo mountpoint /mnt/$(machine)/boot/efi || \
+ sudo mount -v /dev/disk/by-partlabel/$(machine)_ssd_efi /mnt/$(machine)/boot/efi
+
+bootstrap: mount
+ # Workaround https://dev.gnupg.org/T3908
+ chmod o+rw $$GPG_TTY $$XAUTHORITY
+
+ sudo --preserve-env \
+ $$(which nixos-install) \
+ --root /mnt/$(machine) \
+ --flake '.#$(machine)' \
+ --no-root-passwd \
+ --no-channel-copy \
+ --option allow-import-from-derivation true \
+ --show-trace
+
+ # End workaround https://dev.gnupg.org/T3908
+ chmod o-rw $$GPG_TTY $$XAUTHORITY
+
+umount:
+ for p in \
+ boot/efi \
+ boot \
+ home \
+ home/documents \
+ nix \
+ var \
+ "" \
+ ; do \
+ ! sudo mountpoint /mnt/$(machine)/"$$p" || \
+ sudo umount -v /mnt/$(machine)/"$$p" ; \
+ done
+ ! sudo zpool list $(zpool) 2>/dev/null || \
+ zfs get -H encryption $(zpool) | \
+ grep -q '^$(zpool)\s*encryption\s*off' || \
+ zfs get -H keystatus $(zpool) | \
+ grep -q '^$(zpool)\s*keystatus\s*unavailable' || \
+ sudo zfs unload-key $(zpool)
+ #! sudo zpool list bpool 2>/dev/null || \
+ #sudo zpool export bpool
+ ! sudo zpool list $(zpool) 2>/dev/null || \
+ sudo zpool export $(zpool)
+
+unlock:
+ pass machines/$(machine)/zfs/zpool | \
+ NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(LOSURDO_DEPLOYMENT)}" \
+ nixops ssh $(machine) -p 2222 'zfs load-key $(zpool) && pkill zfs'
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..72de178
--- /dev/null
+++ b/flake.lock
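Review bot: In the `bootstrap` target the revert line `chmod o-rw $$GPG_TTY $$XAUTHORITY` never runs when `nixos-install` fails, because make stops at the first failing recipe line, so a failed install leaves the X authority cookie and the GPG tty readable and writable by every local user. Run the install and the revert in one shell so the revert happens on either outcome: end the `sudo --preserve-env` command with `--show-trace; status=$$?; \` and follow it with `chmod o-rw $$GPG_TTY $$XAUTHORITY; exit $$status`. None of the targets in this Makefile names a file, so declare them `.PHONY: wipe part format format-efi format-boot format-zpool mount mount-zpool mount-boot mount-efi bootstrap umount unlock` — otherwise a file called e.g. `mount` or `wipe` in the checkout silently makes that target "up to date". Since `part` depends on `wipe`, `make part` zaps `$(disk_ssd)` without confirmation, and `disk_ssd` can be overridden from the command line; at minimum add `$(if $(strip $(disk_ssd)),,$(error disk_ssd is empty))` after the assignment so an empty override cannot hand sgdisk a bare device argument.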
@@ -0,0 +1,43 @@ +{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1597053966, + "narHash": "sha256-f9lbPS/GJ1His8fsDqM6gfa8kSqREU4eKiMCS5hrKg4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ec20f52e2ff61e9c36c2b894b62fc1b4bd04c71b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1603880574, + "narHash": "sha256-z4neduBjpnRzhoR04i3T3Hu3ze9bYr/2U7Iem1vM9Cg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b69f140a8028e4718bde4e5082f8df38e50b7971", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b69f140a8028e4718bde4e5082f8df38e50b7971", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5ffa8fa --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,75 @@ +{ +inputs.nixpkgs.url = "github:NixOS/nixpkgs/b69f140a8028e4718bde4e5082f8df38e50b7971"; +inputs.flake-utils.url = "github:numtide/flake-utils"; +outputs = inputs: let + remoteNixpkgsPatches = [ + /* + { meta.description = "nixos-install: add support for inputs"; + url = "https://github.com/NixOS/nixpkgs/pull/95194.diff"; + sha256 = "sha256-R6LAHDM8FNQxsql5fiV16aDapKtZ7H/Q04pz1wjnSqQ"; + } + */ + ]; + localNixpkgsPatches = [ + ]; + originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux"; + nixpkgsPath = originPkgs.applyPatches { + name = "nixpkgs-patched"; + src = inputs.nixpkgs.outPath; + patches = map originPkgs.fetchpatch remoteNixpkgsPatches ++ localNixpkgsPatches; + postPatch = '' + patch=$(printf '%s\n' ${builtins.concatStringsSep " " + (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} | + sort | sha256sum | cut -c -7) + echo "+patch-$patch" >.version-suffix + ''; + }; + lib = originPkgs.lib; + in { + nixosConfigurations.oignon = + let machineName = "oignon"; in + #import (nixpkgsPath + "/nixos/lib/eval-config.nix") { + inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + extraArgs = { + inherit machineName inputs; + machines = inputs.self.nixosConfigurations; + }; + modules = [ + ({ pkgs, ... }: { + nix.registry.nixpkgs.flake = inputs.nixpkgs; + nix.package = pkgs.nixFlakes; + nix.extraOptions = "experimental-features = nix-command flakes"; + #nixpkgs.overlays = import nixpkgs/overlays.nix; + /* + system.nixos.versionSuffix = ".${ + lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${ + inputs.self.shortRev or "dirty"}"; + system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev; + */ + # Let 'nixos-version --json' know about the Git revision of this flake. + system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev; + /* + system.configurationRevision = + if inputs.self ? 
rev + then inputs.self.rev + else throw "Refusing to build from a dirty Git tree!"; + */ + }) + (import (./machines + "/${machineName}.nix")) + inputs.nixpkgs.nixosModules.notDetected + ]; + }; + } // + inputs.flake-utils.lib.eachDefaultSystem (system: + #let pkgs = inputs.nixpkgs.legacyPackages.${system}; in + let + pkgs = import nixpkgsPath { + inherit system; + config = {}; # Make the config pure, ignoring user's config. + #overlays = import nixpkgs/overlays.nix; + }; in { + devShell = import ./shell.nix { inherit pkgs; }; + } + ); +} diff --git a/install b/install new file mode 100755 index 0000000..53c427f --- /dev/null +++ b/install @@ -0,0 +1,2 @@ +#!/bin/sh -eux +sudo nixos-rebuild switch --flake . diff --git a/machines/oignon.nix b/machines/oignon.nix new file mode 100644 index 0000000..3d58b39 --- /dev/null +++ b/machines/oignon.nix 
@@ -0,0 +1,274 @@ +{ config, pkgs, inputs, machineName, ... }: +let + inherit (config.users) users; +in +{ +imports = [ + oignon/hardware.nix +]; + +users.mutableUsers = false; +users.users.julm = { + isNormalUser = true; + uid = 1000; + # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd + # which is already world readable. + hashedPassword = builtins.readFile ../secrets/julm/hashedPassword; + extraGroups = [ + "wheel" + "networkmanager" + #"vboxusers" + ]; + # If created, zfs-mount.service would require: + # zfs set overlay=yes ${machineName}/home + createHome = false; +}; + +nix = { + extraOptions = '' + auto-optimise-store = true + ''; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + nixPath = [ + "nixpkgs=/etc/nixpkgs" + "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix" + ]; + trustedUsers = [ users.julm.name ]; +}; +environment.etc."nixpkgs".source = pkgs.path; +environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs"; + +nixpkgs.config = { + allowUnfree = false; +}; + +time.timeZone = "Europe/Paris"; +i18n.defaultLocale = "fr_FR.UTF-8"; +console.font = "Lat2-Terminus16"; +console.keyMap = "fr"; + +networking = { + hostName = machineName; + domain = "localdomain"; + networkmanager = { + enable = true; + #dhcp = "dhcpcd"; + logLevel = "INFO"; + wifi = { + #backend = "iwd"; + #backend = "wpa_supplicant"; + powersave = false; + }; + }; + firewall = { + enable = true; + }; +}; + +sound.enable = true; +hardware.pulseaudio.enable = true; + +environment.variables = { + EDITOR = "gvim"; + PAGER = "less -R"; + SYSTEMD_LESS = "FKMRX"; +}; +environment.systemPackages = with pkgs; [ + acpi + binutils + bmon + coreutils + cryptsetup + curl + direnv + dstat + e2fsprogs + file + glib # gio + gvfs + gnumake + gnupg + gparted + hicolor-icon-theme + home-manager + htop + less + libfaketime + lsof + man + miniupnpc + mosh + ncdu + ncurses + nmon + ntfs3g + pasystray + pavucontrol + pciutils + 
powertop + procps + python + sudo + tig + tmux + tree + utillinux + vim + wget + which + xdg_utils + xsel + zfs +]; + +programs = { + bash = { + interactiveShellInit = '' + bind '"\e[A":history-search-backward' + bind '"\e[B":history-search-forward' + + # Ignore duplicate commands, ignore commands starting with a space + export HISTCONTROL=erasedups:ignorespace + export HISTSIZE=42000 + # Append to the history instead of overwriting (good for multiple connections) + shopt -s histappend + fan () { + if [ $# -gt 0 ] + then sudo tee /proc/acpi/ibm/fan <<<"level $1" + else grep '^\(level\|speed\):' /proc/acpi/ibm/fan + fi + acpi -t + } + ''; + shellAliases = { + cl = "clear"; + l = "ls -alh"; + ll = "ls -al"; + ls = "ls --color=tty"; + mem = "ps -e -orss=,user=,args= | sort -b -k1,1n"; + + s="sudo systemctl"; + st="sudo systemctl status"; + s-u="systemctl --user"; + j="sudo journalctl -u"; + + nix-clean="sudo nix-collect-garbage -d"; + nix-catalog="sudo nix-channel --list"; + nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system"; + nix-rollback="sudo nixos-rebuild switch --rollback"; + nix-update="sudo nix-channel --update"; + nix-upgrade="sudo nixos-rebuild switch"; + nix-upstream="sudo nix-channel --list"; + nix-config="gvim ~/.config/nixos/*.nix"; + }; + }; + dconf.enable = true; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + mtr.enable = true; +}; + +services = { + avahi = { + enable = true; + nssmdns = true; + }; + dbus = { + packages = [ pkgs.gnome3.dconf ]; + }; + gvfs = { + enable = true; + }; + journald = { + extraConfig = '' + Compress=true + MaxRetentionSec=1month + Storage=persistent + SystemMaxUse=100M + ''; + }; + physlock = { + enable = true; + allowAnyUser = true; + # NOTE: xfconf-query -c xfce4-session -p /general/LockCommand -s "physlock" --create -t string + }; + printing = { + enable = true; + drivers = [ + pkgs.gutenprint + pkgs.hplip + ]; + }; + sanoid = { + enable = true; + extraArgs = [ 
"--verbose" ]; + datasets = { + "${machineName}/home" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 7; + monthly = 0; + yearly = 0; + recursive = true; + }; + "${machineName}/var" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 7; + monthly = 0; + yearly = 0; + recursive = true; + }; + }; + }; + xserver = { + enable = true; + layout = "fr"; + xkbOptions = "eurosign:e"; + libinput.enable = true; + desktopManager = { + session = [ + # Let the session be generated by home-manager + { name = "home-manager"; + start = '' + ${pkgs.runtimeShell} $HOME/.hm-xsession & + waitPID=$! + ''; + } + ]; + xfce = { + enable = false; + /* + thunarPlugins = [ + pkgs.xfce.thunar-archive-plugin + ]; + */ + }; + xterm.enable = false; + }; + displayManager = { + defaultSession = "home-manager"; + #defaultSession = "none+xmonad"; + autoLogin = { + enable = true; + user = users.julm.name; + }; + }; + }; +}; + +#virtualisation.virtualbox.host.enable = true; + +# This value determines the NixOS release with which your system is to be +# compatible, in order to avoid breaking some software such as database +# servers. You should change this only after NixOS release notes say you should. +system.stateVersion = "20.09"; # Did you read the comment? +} diff --git a/machines/oignon/hardware.nix b/machines/oignon/hardware.nix new file mode 100644 index 0000000..ee01753 --- /dev/null +++ b/machines/oignon/hardware.nix 
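Review bot: The comment above `hashedPassword = builtins.readFile ../secrets/julm/hashedPassword;` says the hash "will also be in /etc/passwd which is already world readable", but NixOS writes password hashes to /etc/shadow, which is root-only, so copying the hash into /nix/store (readable by every local user) is a genuine widening of exposure that git-crypt on `secrets/**` does not cover — it protects the repository, not the store. Either state that trade-off accurately, e.g. `# NOTE: readFile copies this hash into the world-readable /nix/store; /etc/shadow itself is not world-readable.`, or keep it out of the store with `users.users.julm.passwordFile` pointing at a file deployed outside the store, if that option is available in the pinned nixpkgs. `autoLogin.enable = true` together with `physlock.allowAnyUser = true` also means the ZFS passphrase at boot is the only local barrier to a session; a one-line comment saying this is intended would help the next reader.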
@@ -0,0 +1,143 @@ +{ config, lib, pkgs, machineName, ... }: +{ +hardware.cpu.intel.updateMicrocode = true; +powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +nix.maxJobs = lib.mkDefault 2; +services.thinkfan = { + enable = true; + levels = '' + (0, 0, 52) + (1, 50, 58) + (2, 56, 60) + (3, 58, 62) + (6, 60, 72) + (7, 70, 85) + (127, 80, 32767) + ''; +}; + +# https://bugzilla.kernel.org/show_bug.cgi?id=110941 +boot.kernelParams = [ "intel_pstate=no_hwp" ]; +boot.kernelModules = [ "kvm-intel" ]; +boot.cleanTmpDir = true; +boot.tmpOnTmpfs = true; +boot.extraModulePackages = [ + config.boot.kernelPackages.exfat-nofuse +]; +boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_128GB_S1SMNSAFC36436X"; + configurationLimit = 3; + #zfsSupport = true; + /* + efiSupport = true; + efi = { + canTouchEfiVariables = false; + efiSysMountPoint = "/boot/efi"; + }; + */ + #enableCryptodisk = true; +}; + +fileSystems."/boot" = + { device = "/dev/disk/by-partlabel/${machineName}_ssd_boot"; + fsType = "ext2"; + }; +fileSystems."/boot/efi" = + { device = "/dev/disk/by-partlabel/${machineName}_ssd_efi"; + fsType = "vfat"; + }; +swapDevices = [ + { device = "/dev/disk/by-partlabel/${machineName}_ssd_swap"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + source = "/dev/urandom"; + }; + } +]; +zramSwap = { + enable = true; + algorithm = lib.mkDefault "zstd"; + # There is little point creating a zram of greater + # than twice the size of memory + # since we expect a 2:1 compression ratio. + # Note that zram uses about 0.1% of the size of the disk + # when not in use so a huge zram is wasteful. + memoryPercent = lib.mkDefault 150; + # Linux supports multithreaded compression for 1 device since 3.15. + # See https://lkml.org/lkml/2014/2/28/404 for details. 
+ swapDevices = lib.mkDefault 1; +}; +boot.kernel.sysctl = { + # Increase cache pressure, which increases the tendency of the kernel to + # reclaim memory used for caching of directory and inode objects. You will use + # less memory over a longer period of time. The performance hit is negated by + # the downside of swapping sooner. + "vm.vfs_cache_pressure" = lib.mkDefault 500; + + # Increasing how aggressively the kernel will swap memory pages since we are + # using ZRAM first. + "vm.swappiness" = lib.mkDefault 100; + + # Background processes will start writing right away when it hits the 1% limit + "vm.dirty_background_ratio" = lib.mkDefault 1; + + # The system won’t force synchronous I/O until it gets to 50% dirty_ratio. + "vm.dirty_ratio" = lib.mkDefault 50; +}; + +# The 32-bit host id of the machine, formatted as 8 hexadecimal characters. +# You should try to make this id unique among your machines. +# Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2 +networking.hostId = "ce53d0c3"; + +# none is the recommended elevator with ZFS (which has its own I/O scheduler) +# and/or for SSD, whereas HDD could use mq-deadline. 
+services.udev.extraRules = '' + # set none scheduler for non-rotating disks + ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="none" +''; + +boot.supportedFilesystems = [ "zfs" ]; +boot.initrd.supportedFilesystems = [ "zfs" ]; +boot.initrd.availableKernelModules = [ + "ahci" + "drbg" + "ehci_pci" + "gf128mul" + "hmac" + "sd_mod" +]; + +boot.zfs.forceImportAll = false; +boot.zfs.forceImportRoot = false; +boot.zfs.enableUnstable = false; +boot.zfs.requestEncryptionCredentials = true; +services.zfs.autoScrub.enable = true; + +fileSystems."/" = + { device = "${machineName}/root"; + fsType = "zfs"; + }; +fileSystems."/nix" = + { device = "${machineName}/nix"; + fsType = "zfs"; + }; +/* Mounted by zfs-mount.service +fileSystems."/home" = + { device = "${machineName}/home"; + fsType = "zfs"; + }; +fileSystems."/home/julm/documents" = + { device = "${machineName}/home/documents"; + fsType = "zfs"; + }; +*/ +fileSystems."/var" = + { device = "${machineName}/var"; + fsType = "zfs"; + }; + +} diff --git a/nixpkgs/overlays.nix b/nixpkgs/overlays.nix new file mode 100644 index 0000000..c208680 --- /dev/null +++ b/nixpkgs/overlays.nix @@ -0,0 +1,3 @@ +map import +[ +] diff --git a/secrets/julm/hashedPassword b/secrets/julm/hashedPassword new file mode 100644 index 0000000000000000000000000000000000000000..3268dcac11acbc6492c671278140641171f8d45c GIT binary patch literal 56 zcmZQ@_Y83kiVO&0nCf&2 "nix: running shellHook" + + PATH=$NIX_SHELL_PATH:$PATH + export NIX_PATH="${pkgs.lib.concatStringsSep ":" [ + "nixpkgs=${toString pkgs.path}" + #"nixpkgs-overlays=$PWD/nixpkgs/overlays.nix" + ]}" + ''; +} -- 2.44.1
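Review bot: `boot.loader.grub.device` repeats the literal disk id `/dev/disk/by-id/ata-Samsung_SSD_850_PRO_128GB_S1SMNSAFC36436X` that the top-level Makefile also hard-codes as `disk_ssd`, and nothing records that the two must stay in sync; a comment such as `# Must match disk_ssd in the top-level Makefile.` on that line would prevent a silent mismatch after a disk swap. The `boot.initrd.availableKernelModules` list adds `drbg`, `gf128mul` and `hmac` with no why-comment; they look like the crypto modules needed to unlock the natively encrypted pool in the initrd (presumably — confirm), which is worth saying explicitly since dropping one would only fail at boot. Similarly `boot.zfs.requestEncryptionCredentials = true` is what makes the initrd prompt for the pool passphrase set up by `cipher := aes-128-gcm` in the Makefile; a short comment tying the two together would make the boot path reviewable from this file alone.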