Warning
Still learning and trying out nix
Flake configuration for my system.
Highlights are mainly:
- btrfs with lzo compression
- zram
- impermanence
- root on tmpfs, /home and /nix on btrfs subvolumes
- LUKS encryption
- hjem
Other minor changes are
- dbus-broker instead of regular dbus
- systemd in initrd stage 1
- iwd and resolved for networking
- nftables instead of iptables for firewall
These notes are for me, yes me. Note that the sector-size=4096 is not always
available. There is also a risk with TRIM regarding encrypted SSD drives.
- luks encryption with --sector-size=4096 --perf-no_read_workqueue --allow-discards see this
- create two partitions, /boot and /
- format boot with fat32
- format / with btrfs and lzo compression and noatime
- create subvolumes for /nix and /home
- no swap since zram is used
- continue as usual with nix flake installation
The root directory is then mounted on tmpfs while /nix and /home are on
persistent subvolumes (this means enough memory should be available).
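
The steps above as shell commands (an added example, not taken from this flake). The partition paths, the mapper name cryptroot, the /mnt target and the use of --persistent are assumptions; the script only prints the commands unless DRY_RUN=0 is set.

```sh
#!/bin/sh
# Added example. Prints the commands by default; DRY_RUN=0 executes them
# and DESTROYS all data on both partitions.
set -eu

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# prepare_disk BOOT_PART ROOT_PART [MAPPER_NAME]
# Assumes the two partitions already exist (paths are placeholders).
prepare_disk() {
    [ "$#" -ge 2 ] || { echo "usage: prepare_disk BOOT ROOT [NAME]" >&2; return 2; }
    boot=$1 root=$2 name=${3:-cryptroot} mnt=${MNT:-/mnt}
    [ "$boot" != "$root" ] || { echo "boot and root must differ" >&2; return 2; }
    dev=/dev/mapper/$name opts=compress=lzo,noatime

    # Sector size is fixed at format time (not always available, see above).
    run cryptsetup luksFormat --type luks2 --sector-size 4096 "$root"
    # Discard and workqueue flags are activation options; --persistent (an
    # assumption here) stores them in the LUKS2 header for later unlocks.
    # Discards reveal which blocks are unused: the TRIM risk noted above.
    run cryptsetup open --allow-discards --perf-no_read_workqueue \
        --persistent "$root" "$name"
    run mkfs.fat -F 32 "$boot"
    run mkfs.btrfs "$dev"

    # Create the persistent subvolumes on the top-level volume.
    run mount -o "$opts" "$dev" "$mnt"
    run btrfs subvolume create "$mnt/nix"
    run btrfs subvolume create "$mnt/home"
    run umount "$mnt"

    # Root on tmpfs; only /nix, /home and /boot survive a reboot.
    run mount -t tmpfs -o mode=755 none "$mnt"
    run mkdir -p "$mnt/boot" "$mnt/nix" "$mnt/home"
    run mount -o "subvol=nix,$opts" "$dev" "$mnt/nix"
    run mount -o "subvol=home,$opts" "$dev" "$mnt/home"
    run mount "$boot" "$mnt/boot"
}

# Run only when partitions are given on the command line.
if [ "$#" -ge 2 ]; then prepare_disk "$@"; fi
```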
Warning
Passwords are set using a password file stored under
/nix/persist/passwords/<username>, which has to be created and edited
manually! Run mkpasswd -m help to see a list of hashing methods.
Important
Symlinks are used for neovim config and scripts; set the environment
variable FLAKE to point to the root flake directory.
- Since btrfs has discard=async enabled by default since 6.2, should fstrim be disabled?
- Decide if autofragment (use autodefrag? maybe not) and scrub should be enabled.
- Set battery thresholds for thinkpads?
  - often discharge < 20%: start charging at 95%, stop charging at 100%
  - between 50% and 100%: start charging at 75%, stop charging at 80%
  - mostly on AC: start charging at 45%, stop charging at 50%
  - echo values to /sys/class/power_supply/BAT0/charge_control_{start,end}_threshold
  - these might reset on reboot so a systemd service might be a good idea
- Set stricter umask?
- Configure swappiness?
- kernel.unprivileged_userns_clone=1?
- kernel.kexec_load_disabled = 1?