diff --git a/Makefile b/Makefile index f2ff05f0..ff9d4d0f 100644 --- a/Makefile +++ b/Makefile @@ -13,9 +13,15 @@ i3: nixos-rebuild switch --flake .#ai_i3 --use-remote-sudo +s-i3: + nixos-rebuild switch --flake .#shoekei_i3 --use-remote-sudo + hypr: nixos-rebuild switch --flake .#ai_hyprland --use-remote-sudo +s-hypr: + nixos-rebuild switch --flake .#shoukei_hyprland --use-remote-sudo + i3-debug: nixos-rebuild switch --flake .#ai_i3 --use-remote-sudo --show-trace --verbose diff --git a/README.md b/README.md index ce17748e..894b5da5 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ See [./secrets](./secrets) for details. For NixOS: -> To deploy this flake from NixOS's official ISO image(purest installation method), please refer to [./hosts/idols/ai/nixos-installer/](./hosts/idols/ai/nixos-installer/) +> To deploy this flake from NixOS's official ISO image(purest installation method), please refer to [./nixos-installer/](./nixos-installer/) > Need to restart the machine when switching between `wayland` and `xorg`. diff --git a/flake.lock b/flake.lock index c8f4a385..34978d6b 100644 --- a/flake.lock +++ b/flake.lock @@ -533,6 +533,22 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1702453208, + "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixos-licheepi4a": { "inputs": { "nixpkgs": "nixpkgs", @@ -836,6 +852,7 @@ "mysecrets": "mysecrets", "nix-darwin": "nix-darwin", "nixos-generators": "nixos-generators", + "nixos-hardware": "nixos-hardware", "nixos-licheepi4a": "nixos-licheepi4a", "nixos-rk3588": "nixos-rk3588", "nixpkgs": "nixpkgs_3", diff --git a/flake.nix b/flake.nix index 63993d43..256afd83 100644 --- a/flake.nix +++ b/flake.nix 
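Review bot: The new `s-i3` target rebuilds `.#shoekei_i3`, but the sibling `s-hypr` target uses `.#shoukei_hyprland` and the host this commit adds lives at `hosts/12kingdoms/shoukei`, so the attribute name looks misspelled and `make s-i3` would fail with an unknown flake output. Suggested line: `nixos-rebuild switch --flake .#shoukei_i3 --use-remote-sudo`. The `nixosConfigurations` attribute set of flake.nix is not in this diff, so confirm the exact attribute name there before changing it.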
@@ -95,18 +95,13 @@ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # add git hooks to format nix code before commit - pre-commit-hooks = { - url = "github:cachix/pre-commit-hooks.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - # for macos nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-23.11-darwin"; nix-darwin = { url = "github:lnl7/nix-darwin"; inputs.nixpkgs.follows = "nixpkgs-darwin"; }; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; # home-manager, used for managing user configuration home-manager = { @@ -153,6 +148,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # add git hooks to format nix code before commit + pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ######################## Some non-flake repositories ######################################### # AstroNvim is an aesthetic and feature-rich neovim config. diff --git a/hosts/12kingdoms/shoukei/brcm-firmware/default.nix b/hosts/12kingdoms/shoukei/brcm-firmware/default.nix new file mode 100644 index 00000000..8f09952b --- /dev/null +++ b/hosts/12kingdoms/shoukei/brcm-firmware/default.nix @@ -0,0 +1,10 @@ +{pkgs, ...}: +pkgs.stdenvNoCC.mkDerivation { + name = "brcm-firmware"; + nativeBuildInputs = with pkgs; [gnutar xz]; + buildCommand = '' + dir="$out/lib/" + mkdir -p "$dir" + tar -axvf ${./firmware.tar.xz} -C "$dir" + ''; +} diff --git a/hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.xz b/hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.xz new file mode 100644 index 00000000..f0b219d6 Binary files /dev/null and b/hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.xz differ diff --git a/hosts/12kingdoms/shoukei/brcm-firmware/flake.lock b/hosts/12kingdoms/shoukei/brcm-firmware/flake.lock new file mode 100644 index 00000000..5e0824ec --- /dev/null +++ b/hosts/12kingdoms/shoukei/brcm-firmware/flake.lock 
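Review bot: The new `nixos-hardware.url` input is inserted directly under the `# for macos` comment group, between `nix-darwin` and `home-manager`, with no comment of its own, so a reader will file it under the macOS inputs even though it is consumed by the Linux host `shoukei` via `nixos-hardware.nixosModules.apple-t2`. Suggest a separating blank line and a comment such as `# hardware-specific NixOS modules (apple-t2 quirks for shoukei)` above the line. Tracking the `master` ref is acceptable as long as `flake.lock` keeps pinning it; the lock in this commit does, at rev 7763c6fd1f299cb9361ff2abf755ed9619ef01d6.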
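Review bot: The derivation repackages `firmware.tar.xz`, a binary blob committed alongside it, with no record of where the archive came from or how to regenerate or verify it, and the result is loaded into the kernel through `hardware.firmware` in `hosts/12kingdoms/shoukei/hardware-configuration.nix`. A header comment stating the origin (which machine or extraction procedure produced it) and the archive's sha256 would let the next maintainer check the blob before replacing it; a `version` or `meta` attribute on the derivation would help too. Note also that `README.shoukei.md` in this commit tells the user to extract `brcm-firmware/firmware.tar.gz`, while the file added here is `firmware.tar.xz`, so one of the two needs to change.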
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1703068421,
+ "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/12kingdoms/shoukei/brcm-firmware/flake.nix b/hosts/12kingdoms/shoukei/brcm-firmware/flake.nix
new file mode 100644
index 00000000..a2c58def
--- /dev/null
+++ b/hosts/12kingdoms/shoukei/brcm-firmware/flake.nix
@@ -0,0 +1,10 @@
+{
+ # a flake for testing
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ outputs = {nixpkgs, ...}: let
+ system = "x86_64-linux";
+ pkgs = import nixpkgs {inherit system;};
+ in {
+ packages."${system}".default = pkgs.callPackage ./default.nix {};
+ };
+}
diff --git a/hosts/12kingdoms/shoukei/default.nix b/hosts/12kingdoms/shoukei/default.nix
new file mode 100644
index 00000000..ec8ba49d
--- /dev/null
+++ b/hosts/12kingdoms/shoukei/default.nix
@@ -0,0 +1,48 @@
+{
+ pkgs,
+ nixos-hardware,
+ ...
+} @ args:
+#############################################################
+#
+# Shoukei - NixOS running on Macbook Pro 2020 I5 16G
+# https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
+#
+#############################################################
+{
+ imports = [
+ nixos-hardware.nixosModules.apple-t2
+ {hardware.apple-t2.enableAppleSetOsLoader = true;}
+
+ ./hardware-configuration.nix
+ ./impermanence.nix
+ ];
+
+ networking = {
+ hostName = "shoukei"; # Define your hostname.
+ # configures the network interface(include wireless) via `nmcli` & `nmtui`
+ networkmanager.enable = true;
+
+ # Configure network proxy if necessary
+ # proxy.default = "http://user:password@proxy:port/";
+ # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Configure network proxy if necessary
+ # proxy.default = "http://user:password@proxy:port/";
+ # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ defaultGateway = "192.168.5.201";
+ nameservers = [
+ "119.29.29.29" # DNSPod
+ "223.5.5.5" # AliDNS
+ ];
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/12kingdoms/shoukei/hardware-configuration.nix b/hosts/12kingdoms/shoukei/hardware-configuration.nix
new file mode 100644
index 00000000..52e91bd9
--- /dev/null
+++ b/hosts/12kingdoms/shoukei/hardware-configuration.nix
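Review bot: The `networking` block carries the same three-line `# Configure network proxy if necessary` comment stanza twice, back to back; drop one of them. The module also binds `@ args` and takes `pkgs` without using either in the body, so `{nixos-hardware, ...}:` would be sufficient. Separately, `defaultGateway` is set statically while `networkmanager.enable = true` here and `networking.useDHCP` is enabled in the accompanying hardware configuration; if the gateway is meant to come from DHCP the line is redundant, and if it is deliberately pinned a short comment saying why would save the next reader the same question.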
@@ -0,0 +1,130 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + hardware.firmware = [ + (import ./brcm-firmware { inherit pkgs;}) + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + # Use the EFI boot loader. + boot.loader.efi.canTouchEfiVariables = true; + # depending on how you configured your disk mounts, change this to /boot or /boot/efi. + boot.loader.efi.efiSysMountPoint = "/boot"; + boot.loader.systemd-boot.enable = true; + + # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. + boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; + # supported fil systems, so we can mount any removable disks with these filesystems + boot.supportedFilesystems = lib.mkForce [ + "ext4" + "btrfs" + "xfs" + "ntfs" + "fat" + "vfat" + "cifs" # mount windows share + ]; + + # clear /tmp on boot to get a stateless /tmp directory. + boot.tmp.cleanOnBoot = true; + boot.initrd = { + # unlocked luks devices via a keyfile or prompt a passphrase. + luks.devices."crypted-nixos" = { + device = "/dev/nvme0n1p4"; + # the keyfile(or device partition) that should be used as the decryption key for the encrypted device. + # if not specified, you will be prompted for a passphrase instead. + #keyFile = "/root-part.key"; + + # whether to allow TRIM requests to the underlying device. + # it's less secure, but faster. + allowDiscards = true; + }; + }; + + # equal to `mount -t tmpfs tmpfs /` + fileSystems."/" = { + device = "tmpfs"; + fsType = "tmpfs"; + # set mode to 755, otherwise systemd will set it to 777, which cause problems. 
+ # relatime: Update inode access times relative to modify or change time. + options = ["relatime" "mode=755"]; + }; + + fileSystems."/boot" = { + device = "/dev/nvme0n1p1"; + fsType = "vfat"; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + fsType = "btrfs"; + options = ["subvol=@nix" "noatime" "compress-force=zstd:1"]; + }; + + fileSystems."/tmp" = { + device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + fsType = "btrfs"; + options = ["subvol=@tmp" "noatime" "compress-force=zstd:1"]; + }; + + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + fsType = "btrfs"; + options = ["subvol=@persistent" "noatime" "compress-force=zstd:1"]; + # impermanence's data is required for booting. + neededForBoot = true; + }; + + fileSystems."/snapshots" = { + device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + fsType = "btrfs"; + options = ["subvol=@snapshots" "noatime" "compress-force=zstd:1"]; + }; + + # mount swap subvolume in readonly mode. + fileSystems."/swap" = { + device = "/dev/disk/by-uuid/2f4db246-e65d-4808-8ab4-5365f9dea1ef"; + fsType = "btrfs"; + options = ["subvol=@swap" "ro"]; + }; + + # remount swapfile in read-write mode + fileSystems."/swap/swapfile" = { + # the swapfile is located in /swap subvolume, so we need to mount /swap first. + depends = ["/swap"]; + + device = "/swap/swapfile"; + fsType = "none"; + options = ["bind" "rw"]; + }; + + swapDevices = [ + {device = "/swap/swapfile";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp230s0f1u1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp229s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/12kingdoms/shoukei/impermanence.nix b/hosts/12kingdoms/shoukei/impermanence.nix new file mode 100644 index 00000000..3e98a5e0 --- /dev/null +++ b/hosts/12kingdoms/shoukei/impermanence.nix 
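Review bot: The LUKS container and the ESP are addressed by kernel device name (`device = "/dev/nvme0n1p4"` in `boot.initrd.luks.devices."crypted-nixos"`, `device = "/dev/nvme0n1p1"` for `fileSystems."/boot"`) while every btrfs mount in the same file uses `/dev/disk/by-uuid/...`; NVMe enumeration order is not guaranteed stable across kernel versions or when a second NVMe device is present, and for the initrd LUKS entry a renamed device means an unbootable system rather than a failed mount. Prefer a persistent identifier for both, e.g. `device = "/dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER>";`, which also makes the file internally consistent. The header still reads `Do not modify this file! It was generated by ‘nixos-generate-config’` although the file is heavily hand-edited (LUKS, tmpfs root, impermanence mounts); replace it with a note saying which parts are generated so nobody re-runs the generator over it.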
@@ -0,0 +1,118 @@ +{ + impermanence, + pkgs, + ... +}: { + imports = [ + impermanence.nixosModules.impermanence + ]; + + environment.systemPackages = [ + # `sudo ncdu -x /` + pkgs.ncdu + ]; + + # There are two ways to clear the root filesystem on every boot: + ## 1. use tmpfs for / + ## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via: + ## boot.initrd.postDeviceCommands = '' + ## mkdir -p /run/mymount + ## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount + ## btrfs subvolume delete /run/mymount + ## btrfs subvolume snapshot / /run/mymount + ## ''; + # + # See also https://grahamc.com/blog/erase-your-darlings/ + + # NOTE: impermanence only mounts the directory/file list below to /persistent + # If the directory/file already exists in the root filesystem, you should + # move those files/directories to /persistent first! + environment.persistence."/persistent" = { + # sets the mount option x-gvfs-hide on all the bind mounts + # to hide them from the file manager + hideMounts = true; + directories = [ + "/etc/NetworkManager/system-connections" + "/etc/ssh" + "/etc/nix/inputs" + "/etc/secureboot" # lanzaboote - secure boot + # my secrets + "/etc/agenix/" + + "/var/log" + "/var/lib" + + # created by modules/nixos/misc/fhs-fonts.nix + # for flatpak apps + # "/usr/share/fonts" + # "/usr/share/icons" + ]; + files = [ + "/etc/machine-id" + ]; + + # the following directories will be passed to /persistent/home/$USER + users.ryan = { + directories = [ + "codes" + "nix-config" + "tmp" + + "Downloads" + "Music" + "Pictures" + "Documents" + "Videos" + + { + directory = ".gnupg"; + mode = "0700"; + } + { + directory = ".ssh"; + mode = "0700"; + } + { + directory = ".aws"; + mode = "0700"; + } + { + directory = ".docker"; + mode = "0700"; + } + { + directory = ".kube"; + mode = "0700"; + } + + # misc + ".config/pulse" + ".pki" + + # remote desktop + ".config/remmina" + ".config/freerdp" + + # browsers + ".mozilla" + 
".config/google-chrome" + + # neovim / remmina / flatpak / ... + ".local/share" + ".local/state" + + # language package managers + ".npm" + "go" + + # neovim plugins(wakatime & copilot) + ".wakatime" + ".config/github-copilot" + ]; + files = [ + ".wakatime.cfg" + ".config/nushell/history.txt" + ]; + }; + }; +} diff --git a/hosts/12kingdoms/suzu/default.nix b/hosts/12kingdoms/suzu/default.nix index 62719e56..ce41bcfd 100644 --- a/hosts/12kingdoms/suzu/default.nix +++ b/hosts/12kingdoms/suzu/default.nix @@ -1,6 +1,4 @@ { - config, - username, nixos-rk3588, ... }: @@ -15,8 +13,6 @@ nixos-rk3588.nixosModules.orangepi5 ]; - users.users.root.openssh.authorizedKeys.keys = config.users.users."${username}".openssh.authorizedKeys.keys; - networking = { hostName = "suzu"; # Define your hostname. wireless.enable = false; # Enables wireless support via wpa_supplicant. diff --git a/hosts/idols/ai/hardware-configuration.nix b/hosts/idols/ai/hardware-configuration.nix index 583c6172..cfebc643 100644 --- a/hosts/idols/ai/hardware-configuration.nix +++ b/hosts/idols/ai/hardware-configuration.nix @@ -61,6 +61,7 @@ device = "tmpfs"; fsType = "tmpfs"; # set mode to 755, otherwise systemd will set it to 777, which cause problems. + # relatime: Update inode access times relative to modify or change time. options = ["relatime" "mode=755"]; }; diff --git a/hosts/idols/ai/nixos-installer/.gitignore b/hosts/idols/ai/nixos-installer/.gitignore deleted file mode 100644 index 29f4f2fa..00000000 --- a/hosts/idols/ai/nixos-installer/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -result -result/ -.DS_Store diff --git a/hosts/idols/ai/nixos-installer/configuration.nix b/hosts/idols/ai/nixos-installer/configuration.nix deleted file mode 100644 index 3b9db392..00000000 --- a/hosts/idols/ai/nixos-installer/configuration.nix +++ /dev/null @@ -1,8 +0,0 @@ -_: { - networking = { - hostName = "ai"; - defaultGateway = "192.168.5.201"; - networkmanager.enable = true; - }; - system.stateVersion = "23.11"; -} 
diff --git a/hosts/idols/ai/nixos-installer/flake.lock b/hosts/idols/ai/nixos-installer/flake.lock deleted file mode 100644 index afab0785..00000000 --- a/hosts/idols/ai/nixos-installer/flake.lock +++ /dev/null @@ -1,43 +0,0 @@ -{ - "nodes": { - "impermanence": { - "locked": { - "lastModified": 1697303681, - "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1701389149, - "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "impermanence": "impermanence", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/hosts/idols/ai/nixos-installer/flake.nix b/hosts/idols/ai/nixos-installer/flake.nix deleted file mode 100644 index 5868b97a..00000000 --- a/hosts/idols/ai/nixos-installer/flake.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - description = "NixOS configuration of Ryan Yin"; - - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - impermanence.url = "github:nix-community/impermanence"; - }; - - outputs = inputs @ {nixpkgs, ...}: { - nixosConfigurations = { - ai = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = inputs; - modules = [ - ./configuration.nix - ./system.nix - - ../hardware-configuration.nix - ../impermanence.nix - ]; - }; - }; - }; -} diff --git a/hosts/idols/ai/nixos-installer/system.nix b/hosts/idols/ai/nixos-installer/system.nix deleted file mode 100644 index 8f39eee7..00000000 --- a/hosts/idols/ai/nixos-installer/system.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -{pkgs, ...}: { - # Set your time zone. - time.timeZone = "Asia/Shanghai"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "zh_CN.UTF-8"; - LC_IDENTIFICATION = "zh_CN.UTF-8"; - LC_MEASUREMENT = "zh_CN.UTF-8"; - LC_MONETARY = "zh_CN.UTF-8"; - LC_NAME = "zh_CN.UTF-8"; - LC_NUMERIC = "zh_CN.UTF-8"; - LC_PAPER = "zh_CN.UTF-8"; - LC_TELEPHONE = "zh_CN.UTF-8"; - LC_TIME = "zh_CN.UTF-8"; - }; - - # ssh-agent is used to pull my private secrets repo from github when depoloying my nixos config. - programs.ssh.startAgent = true; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - git - gnumake - wget - curl - nix-output-monitor - ]; - - users.groups = { - "ryan" = {}; - }; - - # Don't allow mutation of users outside the config. - users = { - mutableUsers = false; - # Define a user account. Don't forget to set a password with ‘passwd’. - users = { - ryan = { - # generated by `mkpasswd -m scrypt` - # we have to use initialHashedPassword here, if your'are using tmpfs for / - initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0"; - isNormalUser = true; - description = "ryan"; - extraGroups = ["ryan" "networkmanager" "wheel"]; - }; - root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2"; - }; - }; - - # make ryan a trusted user so he can set custom nix substituters url(cache mirror) to speed up nixos-rebuild. - nix.settings.trusted-users = ["ryan"]; -} diff --git a/hosts/idols/ai/nixos-installer/README.md b/nixos-installer/README.ai.md similarity index 76% rename from hosts/idols/ai/nixos-installer/README.md rename to nixos-installer/README.ai.md index 5a538f9c..2dffc19b 100644 
--- a/hosts/idols/ai/nixos-installer/README.md +++ b/nixos-installer/README.ai.md @@ -12,7 +12,7 @@ The configuration of the main flake, [/flake.nix](/flake.nix), is heavy, and it This simplified flake is tiny and can be deployed very quickly, it helps me to: 1. Adjust & verify my `hardware-configuration.nix` modification quickly before deploying the `main` flake. -2. Test some new filesystem related features on a NixOS virtual machine, such as impermanence, Secure Boot, TMP2, Encryption, etc. +2. Test some new filesystem related features on a NixOS virtual machine, such as impermanence, Secure Boot, TPM2, Encryption, etc. ## Steps to Deploying the `main` flake @@ -47,22 +47,24 @@ And the boot flow is: Partitioning the disk: ```bash +# NOTE: `cat README.ai.md | grep part-1 > part-1.sh` to generate this script + # Create a GPT partition table -parted /dev/nvme0n1 -- mklabel gpt +parted /dev/nvme0n1 -- mklabel gpt # part-1 # NixOS by default uses the ESP (EFI system partition) as its /boot partition # Create a 512MB EFI system partition -parted /dev/nvme0n1 -- mkpart ESP fat32 2MB 629MB +parted /dev/nvme0n1 -- mkpart ESP fat32 2MB 629MB # part-1 # set the boot flag on the ESP partition # Format: # set partition flag state -parted /dev/nvme0n1 -- set 1 esp on +parted /dev/nvme0n1 -- set 1 esp on # part-1 # Create the root partition using the rest of the disk # Format: # mkpart [part-type name fs-type] start end -parted /dev/nvme0n1 -- mkpart primary 630MB 100% +parted /dev/nvme0n1 -- mkpart primary 630MB 100% # part-1 # show disk status lsblk @@ -75,6 +77,7 @@ lsblk # show cryptsetup's compiled in defualts cryptsetup --help +# NOTE: `cat shoukei.md | grep luks > luks.sh` to generate this script # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition. cryptsetup luksFormat --type luks2 --pbkdf argon2id --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/nvme0n1p2 
@@ -91,22 +94,21 @@ lsblk Formatting the root partition: ```bash -mkfs.fat -F 32 -n ESP /dev/nvme0n1p1 +# NOTE: `cat shoukei.md | grep create-btrfs > btrfs.sh` to generate this script +mkfs.fat -F 32 -n ESP /dev/nvme0n1p1 # create-btrfs # format the root partition with btrfs and label it -mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos +mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs # mount the root partition and create subvolumes -mount /dev/mapper/crypted-nixos /mnt -btrfs subvolume create /mnt/@nix -btrfs subvolume create /mnt/@tmp -btrfs subvolume create /mnt/@swap -btrfs subvolume create /mnt/@persistent -btrfs subvolume create /mnt/@snapshots -umount /mnt - -# Use tmpfs for root - stateless -mount -t tmpfs tmpfs /mnt - +mount /dev/mapper/crypted-nixos /mnt # create-btrfs +btrfs subvolume create /mnt/@nix # create-btrfs +btrfs subvolume create /mnt/@tmp # create-btrfs +btrfs subvolume create /mnt/@swap # create-btrfs +btrfs subvolume create /mnt/@persistent # create-btrfs +btrfs subvolume create /mnt/@snapshots # create-btrfs +umount /mnt # create-btrfs + +# NOTE: `cat shoukei.md | grep mount-1 > mount-1.sh` to generate this script # Remount the root partition with the subvolumes you just created # # Enable zstd compression to: 
@@ -114,18 +116,18 @@ mount -t tmpfs tmpfs /mnt # 1. Extend the life of the SSD. # 2. improve the performance of disks with low IOPS / RW throughput, such as HDD and SATA SSD. # 2. Save the disk space. -mkdir /mnt/{nix,tmp,swap,persistent,snapshots,boot} -mount -o compress-force=zstd:1,noatime,subvol=@nix /dev/mapper/crypted-nixos /mnt/nix -mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp -mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap -mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent -mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots -mount /dev/nvme0n1p1 /mnt/boot +mkdir /mnt/{nix,tmp,swap,persistent,snapshots,boot} # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@nix /dev/mapper/crypted-nixos /mnt/nix # mount-1 +mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp # mount-1 +mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots # mount-1 +mount /dev/nvme0n1p1 /mnt/boot # mount-1 # create a swapfile on btrfs file system # This command will disable CoW / compression on the swap subvolume and then create a swapfile. # because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled. -btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile +btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount-1 # check whether the swap subvolume has CoW disabled # the output of `lsattr` for the swap subvolume should be: 
@@ -134,7 +136,7 @@ btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile lsattr /mnt/swap # mount the swapfile as swap area -swapon swapfile +swapon /mnt/swap/swapfile # mount-1 ``` Now, the disk status should be: @@ -183,22 +185,25 @@ vim . Then, Install NixOS: ```bash -cd ~/nix-config +cd ~/nix-config/hosts/idols/ai/nixos-installer # run this command if you're retrying to run nixos-install rm -rf /mnt/etc # install nixos # NOTE: the root password you set here will be discarded when reboot -nixos-install --root /mnt --flake .#ai --no-root-password +nixos-install --root /mnt --flake .#ai --no-root-password --show-trace # instlall-1 # if you want to use a cache mirror, run this command instead # replace the mirror url with your own -nixos-install --root /mnt --flake .#ai --no-root-password --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store" +nixos-install --root /mnt --flake .#ai --no-root-password --show-trace --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store" # install-2 # enter into the installed system, check password & users +# `su ryan` => `sudo -i` => enter ryan's password => successfully login +# if login failed, check the password you set in install-1, and try again nixos-enter +# NOTE: DO NOT skip this step!!! # copy the essential files into /persistent # otherwise the / will be cleared and data will lost ## NOTE: impermanence just create links from / to /persistent 
@@ -211,13 +216,21 @@ mv /etc/ssh /persistent/etc/ rm -f /mnt/etc/nixos rm ~/nix-config/hosts/idols/ai/hardware-configuration-new.nix +# NOTE: `cat shoukei.md | grep git-1 > git-1.sh` to generate this script # commit the changes after installing nixos successfully -git config --global user.email "ryan4yin@linux.com" -git config --global user.name "Ryan Yin" +git config --global user.email "ryan4yin@linux.com" # git-1 +git config --global user.name "Ryan Yin" # git-1 git commit -am "feat: update hardware-configuration" # copy our configuration to the installed file system cp -r ../nix-config /mnt/etc/nixos + +# sync the disk, unmount the partitions, and close the encrypted device +sync +swapoff /mnt/swap/swapfile +umount -R /mnt +cryptsetup close /dev/mapper/crypted-nixos +reboot ``` And then reboot. diff --git a/nixos-installer/README.shoukei.md b/nixos-installer/README.shoukei.md new file mode 100755 index 00000000..e66a9f1b --- /dev/null +++ b/nixos-installer/README.shoukei.md 
@@ -0,0 +1,240 @@ +# Nix Environment for Deploying my NixOS Configuration + +> https://wiki.t2linux.org/distributions/nixos/installation/ + +> https://github.com/NixOS/nixos-hardware/tree/master/apple/t2 + +## Steps to Deploying + +First, create a USB install medium from Apple T2's NixOS installer image: https://github.com/t2linux/nixos-t2-iso.git + +### 2. Connecting to the Internet + +1. configure wifi: +2. copy wifi firmware to the NixOS installer: + +```bash +sudo mkdir -p /lib +sudo tar -axvf ../hosts/12kingdoms/shoukei/brcm-firmware/firmware.tar.gz -C /lib/ +sudo modprobe -r brcmfmac && sudo modprobe brcmfmac + +# check whether the wifi firmware is loaded +dmesg | tail + +# now start wpa_supplicant +sudo systemctl start wpa_supplicant +``` + +connect to wifi via `wpa_cli`: + +```bash +wpa_cli -i wlan0 +> scan +> scan_results +# add a new network, this command returns a network ID, which is 0 in this case. +> add_network +# associate the network with the network ID we just got +# NOTE: the quotes are required! +> set_network 0 ssid "" +# for a WPA2 network, set the passphrase +# NOTE: the quotes are required! +> set_network 0 psk "xxx" +# enable the network +> enable_network 0 +# save the configuration file +> save_config +# show the status +> status +``` + +### 2. Encrypting with LUKS(everything except ESP) + +Disk layout before installation: + +1. `/dev/nvme0n1p1`: EFI system partition, 300MB, contains macOS's bootloader. +2. `/dev/nvme0n1p2`: macOS's root partition. +3. `/dev/nvme0n1p3`: transfer area, 10GB, used to transfer files between macOS and NixOS. +4. `/dev/nvme0n1p4`: Empty partition, used to install NixOS. 
+ +Now let's recreate the 4th partition via `fdisk`, and then encrypting the root partition: + +```bash +lsblk +# show cryptsetup's compiled in defualts +cryptsetup --help + +# NOTE: `cat shoukei.md | grep luks > format.sh` to generate this script +# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition. +cryptsetup luksFormat --type luks2 --pbkdf argon2id --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/nvme0n1p4 + +# show status +cryptsetup luksDump /dev/nvme0n1p4 + +# open(unlock) the device with the passphrase you just set +cryptsetup luksOpen /dev/nvme0n1p4 crypted-nixos + +# show disk status +lsblk +``` + +Formatting the root partition: + +```bash +# NOTE: `cat shoukei.md | egrep "create-btrfs" > create-btrfs.sh` to generate this script +# format the root partition with btrfs and label it +mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs +# mount the root partition and create subvolumes +mount /dev/mapper/crypted-nixos /mnt # create-btrfs +btrfs subvolume create /mnt/@nix # create-btrfs +btrfs subvolume create /mnt/@tmp # create-btrfs +btrfs subvolume create /mnt/@swap # create-btrfs +btrfs subvolume create /mnt/@persistent # create-btrfs +btrfs subvolume create /mnt/@snapshots # create-btrfs +umount /mnt # create-btrfs + +# NOTE: `cat shoukei.md | grep mount-1 > create-btrfs.sh` to generate this script +# Remount the root partition with the subvolumes you just created +# +# Enable zstd compression to: +# 1. Reduce the read/write operations, which helps to: +# 1. Extend the life of the SSD. +# 2. improve the performance of disks with low IOPS / RW throughput, such as HDD and SATA SSD. +# 2. Save the disk space. 
+mkdir /mnt/{nix,tmp,swap,persistent,snapshots,boot} # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@nix /dev/mapper/crypted-nixos /mnt/nix # mount-1 +mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp # mount-1 +mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent # mount-1 +mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots # mount-1 +mount /dev/nvme0n1p1 /mnt/boot # mount-1 + +# create a swapfile on btrfs file system +# This command will disable CoW / compression on the swap subvolume and then create a swapfile. +# because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled. +btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount-1 + +# check whether the swap subvolume has CoW disabled +# the output of `lsattr` for the swap subvolume should be: +# ---------------C------ /swap/swapfile +# if not, delete the swapfile, and rerun the commands above. +lsattr /mnt/swap + +# mount the swapfile as swap area +swapon /mnt/swap/swapfile # mount-1 +``` + +Now, the disk status should be: + +```bash +# show disk status +$ lsblk +nvme0n1 259:0 0 1.8T 0 disk +├─nvme0n1p1 259:2 0 600M 0 part /mnt/boot +└─nvme0n1p4 259:3 0 1.8T 0 part + └─crypted-nixos 254:0 0 1.8T 0 crypt /mnt/swap + /mnt/persistent + /mnt/snapshots + /mnt/nix + /mnt/tmp + +# show swap status +$ swapon -s +Filename Type Size Used Priority +/swap/swapfile file 100663292 0 -2 +``` + +### 3. 
Generating the NixOS Configuration and Installing NixOS + +Clone this repository: + +```bash +# enter an shell with git/vim/ssh-agent/gnumake available +nix-shell -p git vim gnumake + +# clone this repository +git clone https://github.com/ryan4yin/nix-config.git +``` + +Then, generate the NixOS configuration: + +```bash +# nixos configurations +nixos-generate-config --root /mnt + +# we need to update our filesystem configs in old hardware-configuration.nix according to the generated one. +cp /etc/nixos/hardware-configuration.nix ./nix-config/hosts/12kingdoms/shoukei/hardware-configuration-new.nix +vim . +``` + +Then, Install NixOS: + +```bash +cd ~/nix-config/hosts/12kingdoms/shoukei/nixos-installer/ + +# run this command if you're retrying to run nixos-install +rm -rf /mnt/etc + +# install nixos +# NOTE: the root password you set here will be discarded when reboot +nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace # install-1 + +# if you want to use a cache mirror, run this command instead +# replace the mirror url with your own +nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --option substituters "https://mirror.sjtu.edu.cn/nix-channels/store" # install-2 + +# enter into the installed system, check password & users +# `su ryan` => `sudo -i` => enter ryan's password => successfully login +# if login failed, check the password you set in install-1, and try again +nixos-enter + + + +# NOTE: DO NOT skip this step!!! +# copy the essential files into /persistent +# otherwise the / will be cleared and data will lost +## NOTE: impermanence just create links from / to /persistent +## We need to copy files into /persistent manually!!! 
+mv /etc/machine-id /persistent/etc/ +mv /etc/ssh /persistent/etc/ + +# delte the generated configuration after editing +rm -f /mnt/etc/nixos +rm ~/nix-config/hosts/idols/ai/hardware-configuration-new.nix + +# NOTE: `cat shoukei.md | grep git-1 > git-1.sh` to generate this script +# commit the changes after installing nixos successfully +git config --global user.email "ryan4yin@linux.com" # git-1 +git config --global user.name "Ryan Yin" # git-1 +git commit -am "feat: update hardware-configuration" + +# copy our configuration to the installed file system +cp -r ../nix-config /mnt/etc/nixos + +# sync the disk, unmount the partitions, and close the encrypted device +sync +swapoff /mnt/swap/swapfile +umount -R /mnt +cryptsetup close /dev/mapper/crypted-nixos +reboot +``` + +And then reboot. + +## Deploying the main flake's NixOS configuration + +After rebooting, we can deploy the main flake's NixOS configuration by running: + +```bash +# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories. +ssh-add ~/.ssh/xxx + +sudo mv /etc/nixos ~/nix-config +chown -R ryan:ryan ~/nix-config + +cd ~/nix-config + +# deploy the configuration +make s-hypr +``` + +Finally, to enable secure boot, follow the instructions in [lanzaboote - Quick Start](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) and [nix-config/ai/secure-boot.nix](https://github.com/ryan4yin/nix-config/blob/main/hosts/idols/ai/secureboot.nix) diff --git a/nixos-installer/configuration.nix b/nixos-installer/configuration.nix new file mode 100644 index 00000000..1ef583f3 --- /dev/null +++ b/nixos-installer/configuration.nix 
@@ -0,0 +1,21 @@
+{pkgs, ...}: {
+ # ssh-agent is used to pull my private secrets repo from github when depoloying my nixos config.
+ programs.ssh.startAgent = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ git
+ gnumake
+ wget
+ curl
+ nix-output-monitor
+ ];
+ networking = {
+ # configures the network interface(include wireless) via `nmcli` & `nmtui`
+ networkmanager.enable = true;
+ defaultGateway = "192.168.5.201";
+ };
+ system.stateVersion = "23.11";
+}
diff --git a/nixos-installer/flake.lock b/nixos-installer/flake.lock
new file mode 100644
index 00000000..bb27d90c
--- /dev/null
+++ b/nixos-installer/flake.lock
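Review bot: `defaultGateway = "192.168.5.201"` is a site-specific value in a configuration.nix that the installer flake imports for both the `ai` and `shoukei` hosts, and it is set right next to `networkmanager.enable = true` without a comment saying why a static gateway is needed while NetworkManager manages the interfaces. I cannot tell from here whether both machines live on that LAN; if they do, a comment such as `# static gateway for the home LAN during installation; NetworkManager does not set one here` would record the intent, otherwise the value belongs in a per-host module rather than the shared installer config. The comment above `programs.ssh.startAgent` also has a typo, `depoloying` → `deploying`.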
@@ -0,0 +1,58 @@
+{
+ "nodes": {
+ "impermanence": {
+ "locked": {
+ "lastModified": 1702984171,
+ "narHash": "sha256-reIUBrUXibohXmvXRsgpvtlCE0QQSvWSA+qQCKohgR0=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "123e94200f63952639492796b8878e588a4a2851",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1702453208,
+ "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixos-hardware",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1703068421,
+ "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "impermanence": "impermanence",
+ "nixos-hardware": "nixos-hardware",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nixos-installer/flake.nix b/nixos-installer/flake.nix
new file mode 100644
index 00000000..dc8176a8
--- /dev/null
+++ b/nixos-installer/flake.nix
@@ -0,0 +1,60 @@
+{
+ description = "NixOS configuration of Ryan Yin";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ impermanence.url = "github:nix-community/impermanence";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ };
+
+ outputs = inputs @ {
+ nixpkgs,
+ nixos-hardware,
+ ...
+ }: {
+ nixosConfigurations = {
+ ai = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = inputs // {username = "ryan";};
+ modules = [
+ {networking.hostName = "ai";}
+
+ ./configuration.nix
+
+ ../modules/base.nix
+ ../modules/nixos/base/i18n.nix
+ ../modules/nixos/base/user-group.nix
+ ../modules/nixos/base/networking.nix
+
+ ../hosts/idols/ai/hardware-configuration.nix
+ ../hosts/idols/ai/impermanence.nix
+ ];
+ };
+
+ shoukei = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = inputs // {username = "ryan";};
+ modules = [
+ # Building on a USB installer is buggy, lack of disk space, memory, trublesome to setup substituteers, etc.
+ # so we disable apple-t2 module here to avoid build kernel during the initial installation, and enable it after the first boot.
+ # nixos-hardware.nixosModules.apple-t2
+ ({pkgs, ...}: {
+ networking.hostName = "shoukei";
+ boot.kernelPackages = pkgs.linuxPackages_latest; # Use latest kernel for the initial installation.
+ # hardware.apple-t2.enableAppleSetOsLoader = true;
+ })
+
+ ./configuration.nix
+
+ ../modules/base.nix
+ ../modules/nixos/base/i18n.nix
+ ../modules/nixos/base/user-group.nix
+ ../modules/nixos/base/networking.nix
+
+ ../hosts/12kingdoms/shoukei/hardware-configuration.nix
+ ../hosts/12kingdoms/shoukei/impermanence.nix
+ ];
+ };
+ };
+ };
+}
diff --git a/systems/nixos.nix b/systems/nixos.nix
index ee34f67a..8b159971 100644
--- a/systems/nixos.nix
+++ b/systems/nixos.nix
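Review bot: `nixos-hardware` is destructured in the `outputs` argument list, but its only use, `nixos-hardware.nixosModules.apple-t2` in the `shoukei` module list, is commented out, so the binding is dead until that module is re-enabled. Since `inputs` is already passed through `specialArgs`, the explicit binding can be dropped, or the comment should say why it stays: `# nixos-hardware is unused until apple-t2 is enabled after the first boot`. The input follows the `master` branch; flake.lock pins it to a revision today, but every later `nix flake update` moves it to whatever master then contains, so that is the point at which the pulled change should be reviewed. The comments above the apple-t2 line have typos: `trublesome` → `troublesome`, `substituteers` → `substituters`.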
@@ -15,6 +15,10 @@ in { # ai with hyprland compositor ai_hyprland = nixosSystem (idol_ai_modules_hyprland // base_args); + # shoukei + shoukei_ie = nixosSystem (_12kingdoms_shoukei_modules_i3 // base_args); + shoukei_hyprland = nixosSystem (_12kingdoms_shoukei_modules_hyprland // base_args); + # three virtual machines without desktop environment. aquamarine = nixosSystem (idol_aquamarine_modules // base_args); ruby = nixosSystem (idol_ruby_modules // base_args); diff --git a/systems/vars.nix b/systems/vars.nix index 52ee8acc..a2bda253 100644 --- a/systems/vars.nix +++ b/systems/vars.nix 
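Review bot: `shoukei_ie` looks like a typo for `shoukei_i3`: it wraps `_12kingdoms_shoukei_modules_i3` and sits beside `shoukei_hyprland`, and nothing else in this change refers to `shoukei_ie`, so a deploy command that targets `.#shoukei_i3` will fail with an unknown attribute. The line should read `shoukei_i3 = nixosSystem (_12kingdoms_shoukei_modules_i3 // base_args);`, and whichever `make` target switches to the i3 variant should be checked against the attribute name actually defined here. The `# shoukei` comment could also follow the `# ai with hyprland compositor` style above it, e.g. `# shoukei with i3 window manager / hyprland compositor`.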
@@ -1,30 +1,58 @@
-rec {
- # 星野 アイ, Hoshino Ai
- __idol_ai_base_nixos_modules = [
- ../hosts/idols/ai
- ../secrets/nixos.nix
- ../modules/nixos/desktop.nix
- ];
- __idol_ai_base_home_modules = [
- ../home/linux/desktop.nix
- ];
+let
+ _dekstop_bass_modules = {
+ nixos-modules = [
+ ../secrets/nixos.nix
+ ../modules/nixos/desktop.nix
+ ];
+ home-module.imports = [
+ ../home/linux/desktop.nix
+ ];
+ };
 
- idol_ai_modules_i3 = {
+ desktop_i3_modules = {
 nixos-modules =
- [{modules.desktop.xorg.enable = true;}]
- ++ __idol_ai_base_nixos_modules;
+ [
+ {modules.desktop.xorg.enable = true;}
+ ]
+ ++ _dekstop_bass_modules.nixos-modules;
 home-module.imports =
- [{modules.desktop.i3.enable = true;}]
- ++ __idol_ai_base_home_modules;
+ [
+ ../home/linux/desktop.nix
+ {modules.desktop.i3.enable = true;}
+ ]
+ ++ _dekstop_bass_modules.home-module.imports;
+ };
+ desktop_hyprland_modules = {
+ nixos-modules =
+ [
+ {modules.desktop.wayland.enable = true;}
+ ]
+ ++ _dekstop_bass_modules.nixos-modules;
+ home-module.imports =
+ [
+ ../home/linux/desktop.nix
+ {modules.desktop.hyprland.enable = true;}
+ ]
+ ++ _dekstop_bass_modules.home-module.imports;
+ };
+in rec {
+ # 星野 アイ, Hoshino Ai
+ idol_ai_modules_i3 = {
+ nixos-modules =
+ [
+ ../hosts/idols/ai
+ ]
+ ++ desktop_i3_modules.nixos-modules;
+ home-module = desktop_i3_modules.home-module;
 };
 
 idol_ai_modules_hyprland = {
 nixos-modules =
- [{modules.desktop.wayland.enable = true;}]
- ++ __idol_ai_base_nixos_modules;
- home-module.imports =
- [{modules.desktop.hyprland.enable = true;}]
- ++ __idol_ai_base_home_modules;
+ [
+ ../hosts/idols/ai
+ ]
+ ++ desktop_hyprland_modules.nixos-modules;
+ home-module = desktop_hyprland_modules.home-module;
 };
 
 # 星野 愛久愛海, Hoshino Akuamarin
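Review bot: `desktop_i3_modules.home-module.imports` and `desktop_hyprland_modules.home-module.imports` each list `../home/linux/desktop.nix` explicitly and then append `_dekstop_bass_modules.home-module.imports`, which already contains that same path, so the home module is imported twice in both variants. As far as I know the module system merges a path that is imported twice, so this is redundant rather than broken, but dropping the two explicit `../home/linux/desktop.nix` lines keeps the base list as the single source of that import. The helper name is also misspelled twice over; `_desktop_base_modules` reads as intended, with the four references updated to match.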
@@ -99,6 +127,25 @@ rec { }; _12kingdoms_suzu_tags = ["aarch" "suzu"]; + # Shoukei (祥瓊, Shōkei) + _12kingdoms_shoukei_modules_i3 = { + nixos-modules = + [ + ../hosts/12kingdoms/shoukei + ] + ++ desktop_i3_modules.nixos-modules; + home-module = desktop_i3_modules.home-module; + }; + + _12kingdoms_shoukei_modules_hyprland = { + nixos-modules = + [ + ../hosts/12kingdoms/shoukei + ] + ++ desktop_hyprland_modules.nixos-modules; + home-module = desktop_hyprland_modules.home-module; + }; + # darwin systems darwin_harmonica_modules = { darwin-modules = [