iron: init

add installer for macbook-pro-2009

repurpose tungsten disko config for iron

installer-macbook-pro-2009: enable b43 driver

README: document how to wipe filesystem

iron: generate hardware-configuration

iron: discard unused modules

iron: include macbook specific modules

iron: remove custom fs configurations
Primrose 2025-10-23 10:46:05 +08:00
parent 1e63c7bb53
commit 99b1dda7ba
Signed by: primrose
GPG key ID: 4E887A4CA9714ADA
19 changed files with 761 additions and 1 deletions


@ -4,6 +4,7 @@ This repo is managed with Nix + GNU stow
- Generate image & boot - Generate image & boot
We do this because the default one doesn't have all the utilities we want (e.g. disko). We do this because the default one doesn't have all the utilities we want (e.g. disko).
- generate image `nom-build --attr nixosConfigurations.installer.config.system.build.isoImage` - generate image `nom-build --attr nixosConfigurations.installer.config.system.build.isoImage`
- wipe the disk's fs with `wipefs`
- `dd` the image to a flash drive (remember to `sync`) - `dd` the image to a flash drive (remember to `sync`)
- boot off that flash drive - boot off that flash drive
@ -29,7 +30,7 @@ This repo is managed with Nix + GNU stow
disko -m disko ./disko.nix # format the drive disko -m disko ./disko.nix # format the drive
# optional for unknown hard ware # optional for unknown hard ware
nixos-generate-config --no-filesystems --root /mnt --dir . # disko will take care of the file system configuration nixos-generate-config --no-filesystems --dir . # disko will take care of the file system configuration
# put the generated config in the right path and import it # put the generated config in the right path and import it
# We do -j 1 because otherwise the kernel or the fonts might use too much # We do -j 1 because otherwise the kernel or the fonts might use too much


@ -17,10 +17,25 @@
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ ./nix/configurations/hydrogen.nix ]; modules = [ ./nix/configurations/hydrogen.nix ];
}; };
iron = {
system = "x86_64-linux";
modules = [ ./nix/configurations/iron.nix ];
};
installer = { installer = {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./nix/configurations/installer.nix ]; modules = [ ./nix/configurations/installer.nix ];
}; };
# Specialized with patches for the GPU
installer-macbook-pro-2009 = {
system = "x86_64-linux";
modules = [
./nix/configurations/installer.nix
./nix/nixosModules/extra/macbook-pro-radeon.nix
./nix/nixosModules/extra/macbook-swap-cmd-opt.nix
./nix/nixosModules/extra/macbook-swap-fn-ctrl.nix
./nix/nixosModules/extra/macbook-broacom-b43.nix
];
};
# Not mine, rented on hetzner # Not mine, rented on hetzner
hetzner_benchmark = { hetzner_benchmark = {
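Review bot: The comment `# Specialized with patches for the GPU` above `installer-macbook-pro-2009` covers only one of the four extra modules. The list also adds the two key-swap modules and `macbook-broacom-b43.nix`, which, going by its name, brings in the b43 wireless driver. A comment such as `# MacBook Pro 2009 installer: Radeon GPU fix, key swaps and b43 wireless` would match the list. The file name spells the vendor `broacom`; renaming it to `macbook-broadcom-b43.nix` here and in `iron.nix` would make it easier to find. The surrounding attribute set starts and ends outside the hunk.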

163
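--- a/nix/configurations/iron.nix
+++ b/nix/configurations/iron.nix
@@ -0,0 +1,163 @@
+# Entry point to cherry pick modules
+let
+sources = import ../../npins;
+hostname = "iron";
+username = "leana";
+in
+{
+config,
+lib,
+pkgs,
+...
+}: let
+inherit (lib.modules) mkAliasOptionModule;
+in {
+imports = [
+#
+# Shorthands
+#
+(mkAliasOptionModule ["me"] ["users" "users" username])
+(mkAliasOptionModule ["hm"] ["home-manager" "users" username])
+#
+# hostname
+#
+{_module.args = {inherit hostname;};}
+#
+# nixpkgs
+#
+{
+# affect the generated nix.conf, doesn't need to be turned off during nixos-install
+nix = {
+distributedBuilds = true;
+settings.builders-use-substitutes = true;
+};
+nixpkgs = {
+overlays =
+map import
+[
+../overlays/agenix.nix
+../overlays/disko.nix
+../overlays/nur.nix
+../overlays/nix-tree.nix
+../overlays/nil.nix
+../overlays/dix.nix
+../packages/overlay.nix
+]
+# use lix everywhere and wrap it with nom
+++ [
+(import (sources.lix-module + "/overlay.nix") {inherit (sources) lix;})
+(import ../overlays/nix-monitored.nix)
+];
+# Set NIX_PATH and flake registry at the same time
+# https://github.com/NixOS/nixpkgs/pull/254405
+flake.source = sources.nixpkgs;
+};
+nix.package = pkgs.nix-monitored;
+system.nixos.version = lib.substring 0 8 sources.nixpkgs.revision;
+}
+#
+# NixOS modules
+#
+./iron/nixos/hardware-configuration.nix # generated
+./iron/nixos/fs.nix
+./iron/nixos/battery.nix
+./iron/nixos/connectivity.nix
+./iron/nixos/secure_dns.nix
+./iron/nixos/input.nix
+./iron/nixos/misc.nix
+./iron/nixos/display.nix
+./iron/nixos/locale.nix
+./iron/nixos/programs.nix
+../nixosModules/common/disable-command-not-found.nix
+../nixosModules/common/network.nix
+../nixosModules/common/sudo-conf.nix
+../nixosModules/common/system-nixconf.nix
+../nixosModules/extra/leana.nix
+#
+# Extern modules
+#
+(sources.disko + "/module.nix")
+../disko/iron/btrfs.nix
+(sources.agenix + "/modules/age.nix")
+../nixosModules/extra/macbook-pro-radeon.nix
+../nixosModules/extra/macbook-swap-cmd-opt.nix
+../nixosModules/extra/macbook-swap-fn-ctrl.nix
+../nixosModules/extra/macbook-broacom-b43.nix
+#
+# home-manager
+#
+(sources.home-manager + "/nixos")
+{
+home-manager = {
+useGlobalPkgs = true;
+useUserPackages = true;
+sharedModules = [{home.stateVersion = lib.mkDefault config.system.stateVersion;}];
+};
+hm.imports = [
+#
+# hostname
+#
+{_module.args = {inherit hostname;};}
+#
+# home modules
+#
+./iron/home/programs.nix
+../homeModules/common/btop
+../homeModules/common/fish
+../homeModules/common/starship
+../homeModules/common/tmux
+../homeModules/common/vim
+../homeModules/common/direnv.nix
+../homeModules/common/fzf.nix
+../homeModules/common/git.nix
+../homeModules/common/gpg.nix
+../homeModules/common/leana.nix
+../homeModules/common/locale.nix
+../homeModules/common/lazygit.nix
+../homeModules/common/packages.nix
+../homeModules/common/password-store.nix
+../homeModules/common/tealdeer.nix
+../homeModules/common/user-nixconf.nix
+../homeModules/extra/tmux-fish-integration.nix
+#
+# Extern modules
+#
+(sources.agenix + "/modules/age-home.nix")
+];
+}
+#
+# Secrets
+#
+{
+age.secrets = {
+wpa_password.file = "${../secrets/wpa_password.age}";
+};
+}
+];
+}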
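Review bot: The four `../nixosModules/extra/macbook-*.nix` imports sit under the `# Extern modules` heading although they are local paths, next to the genuinely external `sources.disko` and `sources.agenix` modules. The same four paths are repeated in the `installer-macbook-pro-2009` entry added earlier in this commit. Moving them under `# NixOS modules`, or into one shared module imported from both places, would keep the installer image and the installed system from drifting apart when a hardware module is added or dropped.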


@ -0,0 +1,75 @@
{
pkgs,
lib,
config,
...
}: {
home.sessionPath = [
"${config.home.homeDirectory}/.local/bin"
];
home.sessionVariables = let
fishCfg = config.programs.fish;
in {
"SHELL" = lib.mkIf fishCfg.enable (lib.getExe fishCfg.package);
};
home.packages = [
pkgs.nmap
pkgs.stow
pkgs.zip
pkgs.unzip
pkgs.gnutar
pkgs.p7zip
pkgs.bc
pkgs.dig
pkgs.hutils
pkgs.miniserve
pkgs.agenix
pkgs.nix-which
# pretty tui tools
pkgs.du-dust
pkgs.tokei
pkgs.hyperfine
pkgs.watchexec
pkgs.onefetch
pkgs.just
# nix tools
pkgs.alejandra
pkgs.nurl
pkgs.dix
pkgs.niv
pkgs.npins
pkgs.nix-tree
pkgs.nh
];
programs = {
neovim = {
enable = true;
defaultEditor = true;
};
lazygit.enable = true;
fish = {
enable = true;
shellAbbrs = {
"fdoc" = "find ~/Documents -name";
};
};
starship.enable = true;
tmux.enable = true;
direnv.enable = true;
ripgrep.enable = true;
password-store.enable = true;
tealdeer.enable = true;
btop.enable = true;
cmus.enable = true;
};
services = {
gpg-agent.enable = true;
};
}


@ -0,0 +1,11 @@
{
systemd.sleep.extraConfig = ''
HibernateDelaySec=1d
'';
services.logind = {
powerKey = "hibernate";
lidSwitch = "suspend-then-hibernate"; # won't happen there's no battery anyway
lidSwitchDocked = "ignore";
};
}
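Review bot: The inline comment on `lidSwitch`, `# won't happen there's no battery anyway`, looks carried over from a machine without a battery, while the commit title sets this host up as a MacBook. If iron does run on battery, `suspend-then-hibernate` with `HibernateDelaySec=1d` is live behaviour and the comment should say so, for example `# suspend on lid close, hibernate after HibernateDelaySec`. Hibernation writes memory contents to the swap device, so it is worth confirming that the disko layout for iron provides a swap area sized and protected for that.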


@ -0,0 +1,70 @@
{
config,
lib,
...
}: {
users.users.root.openssh.authorizedKeys.keys = let
# TODO: put iron keys in identities
ids = import ../../../identities.nix;
in
builtins.concatMap builtins.attrValues (builtins.attrValues ids);
networking = {
networkmanager.enable = lib.mkForce false;
firewall.allowedTCPPorts = [
8080
# For 'localsend'
# https://github.com/localsend/localsend?tab=readme-ov-file#setup
53317
];
# To enable roaming https://wiki.archlinux.org/title/Wpa_supplicant#Roaming
wireless = {
enable = true;
userControlled.enable = true;
secretsFile = config.age.secrets.wpa_password.path;
scanOnLowSignal = false;
networks = let
# wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
escapePwdKey = lib.replaceStrings ["="] ["_"];
fromList = ns: let
go = networkArgs @ {
ssid,
# Custom fields wrapping nixpkgs module options
hasPassword ? false,
scanOnLowSignal ? false,
randomizeMac ? false,
...
}: {
${ssid} = lib.mkMerge [
(builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
(lib.optionalAttrs hasPassword {
pskRaw = "ext:${escapePwdKey ssid}";
})
(lib.optionalAttrs scanOnLowSignal {
extraConfig = ''
bgscan="simple:30:-70:3600"
'';
})
(lib.optionalAttrs randomizeMac {
extraConfig = ''
mac_addr=1
'';
})
];
};
in
lib.mkMerge (map go ns);
in
# TODO: move this upward like identities
fromList (import ./connectivity/networks.nix);
};
};
services.mullvad-vpn.enable = true;
hardware.bluetooth.enable = true;
}
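Review bot: `users.users.root.openssh.authorizedKeys.keys` is built by flattening every value of every attribute set in `identities.nix`, so any key later added to that file for any host or purpose also becomes a root login key on this machine. Whether sshd is enabled is not visible in this section, but the list should name the identities meant to administer iron instead of taking the whole file, e.g. `builtins.attrValues ids.<owner>` (placeholder; the layout of `identities.nix` is not shown here). The existing TODO about adding iron's keys would be a good place to record that decision. The `8080` entry in `firewall.allowedTCPPorts` has no comment, unlike `53317`; a line such as `# <service listening on 8080>` would make the open port reviewable.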


@ -0,0 +1,97 @@
let
privatePriority = 10;
limitedPriority = -10;
in [
{
ssid = "~";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "Peis Wifi";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "girlypop-net";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "annapurna";
priority = privatePriority;
hasPassword = true;
scanOnLowSignal = true;
}
{
ssid = "5526-1"; # TODO: set bssid preference ?
priority = privatePriority;
hasPassword = true;
scanOnLowSignal = true;
}
{
ssid = "eduroam";
priority = privatePriority;
scanOnLowSignal = true;
authProtocols = ["WPA-EAP"];
auth = ''
pairwise=CCMP
group=CCMP TKIP
eap=PEAP
ca_cert="${./universite_de_rennes.pem}"
identity="ychiang@etudiant.univ-rennes.fr"
altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr"
phase2="auth=MSCHAPV2"
password=ext:EDUROAM
anonymous_identity="anonymous@univ-rennes.fr"
'';
}
{
ssid = "A-WAY";
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "CAT.jpgcafe";
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "LOUISA"; # 區公所
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "LouisaCoffee"; # 七張
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "MetroTaipei x Louisa"; # 大安
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{ssid = "_SNCF_WIFI_INOUI";}
{ssid = "_WIFI_LYRIA";}
{ssid = "EurostarTrainsWiFi";}
{ssid = "SBB-FREE";}
{ssid = "AOT Airport Free Wi-Fi by NT";}
{ssid = "NewTaipei";}
{ssid = "Fami-WiFi";}
{
ssid = "iPhone de Léana ";
priority = limitedPriority;
hasPassword = true;
}
]
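Review bot: The open networks at the end of the list (`_SNCF_WIFI_INOUI` through `Fami-WiFi`) have no `randomizeMac`, while the password-protected café entries do. The hardware MAC is therefore exposed on exactly the networks that anyone can operate or imitate by SSID. Adding the flag to each, e.g. `{ssid = "SBB-FREE"; randomizeMac = true;}`, closes that gap. These entries also carry no `priority`, which presumably leaves them at the wpa_supplicant default and so above the `limitedPriority = -10` of the personal hotspot; confirm that ordering is intended. Separately, the eduroam block accepts `group=CCMP TKIP`; `TKIP` can be dropped if the campus network no longer requires it.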


@ -0,0 +1,97 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,4 @@
{
me.extraGroups = ["video"];
programs.light.enable = true;
}


@ -0,0 +1,23 @@
{pkgs, ...}: {
services.btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/home"
"/nix"
];
};
systemd.tmpfiles.rules = [
# tmux-sessionizer directories
"d /home/leana/r 0700 leana leana - -"
"d /home/leana/pg 0700 leana leana 4w -"
"d /home/leana/wt 0700 leana leana - -"
];
environment.systemPackages = [
pkgs.lsof
pkgs.smartmontools
pkgs.compsize
];
}


@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "firewire_ohci" "usbhid" "uas" "sd_mod" "sr_mod" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0b1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,11 @@
{
services.xserver.xkb = {
layout = "us";
variant = "dvorak";
options = builtins.concatStringsSep "," [
"caps:swapescape"
"compose:ralt"
];
};
console.useXkbConfig = true;
}


@ -0,0 +1,52 @@
{lib, ...}: {
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
# `timedatectl list-timezones`
time.timeZone = "Asia/Taipei";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocales = [
"en_US.UTF-8/UTF-8"
"fr_FR.UTF-8/UTF-8"
"zh_TW.UTF-8/UTF-8"
];
extraLocaleSettings =
# A list of env variables you might want to set
#
# "LC_CTYPE"
# "LC_NUMERIC"
# "LC_TIME"
# "LC_COLLATE"
# "LC_MONETARY"
# "LC_MESSAGES"
# "LC_PAPER"
# "LC_NAME"
# "LC_ADDRESS"
# "LC_TELEPHONE"
# "LC_MEASUREMENT"
# "LC_IDENTIFICATION"
let
genLocale = locale: lib.flip lib.genAttrs (_: locale);
in
# - xscreensaver freaks out on the time display
# - evolution add event becomes hard to use
# https://gitlab.gnome.org/GNOME/evolution/-/issues/3120
genLocale "fr_FR.UTF-8" [
"LC_TIME"
]
// genLocale "zh_TW.UTF-8" [
"LC_MONETARY"
"LC_ADDRESS"
];
};
# Wireless Regulatory Domain, uses ISO / IEC 3166 country code
#
# links:
# https://community.frame.work/t/framework-nixos-linux-users-self-help/31426/77
# https://wireless.docs.kernel.org/en/latest/en/developers/regulatory.html#the-ieee80211-regdom-module-parameter
hardware.wirelessRegulatoryDatabase = true;
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="TW"
'';
}


@ -0,0 +1,11 @@
{
system.stateVersion = "25.05";
boot.loader = {
systemd-boot = {
enable = true;
editor = false;
};
efi.canTouchEfiVariables = true;
};
}


@ -0,0 +1,16 @@
{pkgs, ...}: {
environment.systemPackages = [
pkgs.man-pages
pkgs.man-pages-posix
];
#
# Programs
#
programs = {
vim.enable = true;
vim.defaultEditor = true;
git.enable = true;
};
}


@ -0,0 +1,80 @@
# https://nixos.wiki/wiki/Encrypted_DNS
{
lib,
pkgs,
...
}: {
networking = {
nameservers = ["127.0.0.1" "::1"];
dhcpcd.extraConfig = "nohook resolv.conf";
# networkmanager.dns = "none";
};
services.resolved.enable = false;
services.dnscrypt-proxy2 = {
enable = true;
# Settings reference:
# https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
settings = {
listen_addresses = ["127.0.0.1:53"];
ipv4_servers = true;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
lb_strategy = "p2";
lb_estimator = true;
# Blocklists are made of one pattern per line.
# https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
blocked_names.blocked_names_file = let
# Prevent building up reliance on chatbots
# Gotta preserve that thinking ability of my smoof bwain
ai_list = let
src = pkgs.fetchFromGitHub {
owner = "laylavish";
repo = "uBlockOrigin-HUGE-AI-Blocklist";
rev = "9bb188e2701138e03f73bacebd6b19b181ca0012";
hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA=";
};
in
lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [
(lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
(lib.splitString "\n")
(builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
(builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0
];
hategroup_list = let
src = pkgs.fetchFromGitHub {
owner = "chigh";
repo = "hategroup-dnsbl";
rev = "cc19c050997d5f54014bb20c764b131e003dfb17";
hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ=";
};
in
lib.pipe (builtins.readFile "${src}/blocklist.txt") [
(lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
(lib.splitString "\n")
(builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
];
combined_lists = ai_list ++ hategroup_list;
in
pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists);
# Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
# query_log.file = "/var/log/dnscrypt-proxy/query.log";
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
}
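Review bot: `networking.nameservers` lists `"::1"` as the second resolver, but `listen_addresses` binds dnscrypt-proxy to `"127.0.0.1:53"` only, so nothing answers on the IPv6 loopback and that entry is a dead fallback. Either listen on both, `listen_addresses = ["127.0.0.1:53" "[::1]:53"];`, or drop `"::1"` from `nameservers`. The `ai_list` pipeline takes `builtins.elemAt (lib.splitString " " x) 1` from every non-comment line, which aborts evaluation on any line without a space. That is safe at the pinned `rev`, but a comment such as `# expects "0.0.0.0 <host>" lines; re-check when bumping rev` would help whoever updates the pin.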


@ -0,0 +1,4 @@
{
nixpkgs.config.allowUnfree = true;
networking.enableB43Firmware = true;
}
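Review bot: `nixpkgs.config.allowUnfree = true` lifts the unfree check for every package in the system closure, although this module only needs the firmware pulled in by `networking.enableB43Firmware`. An allow-list keeps later unfree additions visible in review: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["<b43 firmware pname>"];` (placeholder name, to be taken from the evaluation error), with the module header changed to `{lib, ...}:`. If this is the `macbook-broacom-b43.nix` module, it is imported by both `iron` and `installer-macbook-pro-2009`, so the blanket setting currently applies to the installer image as well.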