global: rename from faucet

2024-01-07 22:01:31 +08:00 · 2024-01-07 22:01:31 +08:00 · b75a0a482a
commit b75a0a482a
parent f4d419eb0e
31 changed files with 40 additions and 40 deletions
--- a/global/android/default.nix
+++ b/global/android/default.nix
@ -0,0 +1,17 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.android;
+in {
+  options.global.android = {
+    enable = mkEnableOption "android tools";
+  };
+
+  config = mkIf cfg.enable {
+    programs.adb.enable = true;
+
+    # allow device access by admin users
+    users.adminGroups = [ "adbusers" ];
+  };
+}
--- a/global/asusd/default.nix
+++ b/global/asusd/default.nix
@ -0,0 +1,18 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.asusd;
+in {
+  options.global.asusd = {
+    enable = mkEnableOption "ASUS laptop userland support daemon";
+  };
+
+  config = mkIf cfg.enable {
+    services.asusd.enable = true;
+
+    environment.persistence."/nix/persist/fhs".directories = [
+      "/etc/asusd"
+    ];
+  };
+}
--- a/global/auth/default.nix
+++ b/global/auth/default.nix
@ -0,0 +1,49 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.auth;
+  pub = lib.pipe ./pub [
+    builtins.readDir
+    (lib.filterAttrs (n: ty: ty == "regular"))
+    (lib.mapAttrsToList (n: _: builtins.readFile ./pub/${n}))
+  ];
+in {
+  options.global.auth = {
+    enable = mkEnableOption "identity authentication in various software" // { default = true; };
+    openssh = {
+      enable = mkEnableOption "openssh server";
+      password = mkEnableOption "password authentication";
+      publicKeys = mkOption {
+        type = with types; listOf str;
+        default = pub;
+        description = "list of trusted openssh keys";
+      };
+      addr = mkOption {
+        type = with types; nullOr str;
+        default = "0.0.0.0";
+        description = "Host, IPv4 or IPv6 address to listen to.";
+      };
+      port = mkOption {
+        type = with types; nullOr int;
+        default = 22;
+        description = "Port to listen to.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = mkIf cfg.openssh.enable {
+      enable = true;
+      listenAddresses = [ { inherit (cfg.openssh) addr port; } ];
+      settings.KbdInteractiveAuthentication = cfg.openssh.password;
+      settings.PasswordAuthentication = cfg.openssh.password;
+    };
+
+    networking.firewall.allowedTCPPorts = [ ] ++
+    optional (cfg.openssh.enable && (cfg.openssh.port != null)) cfg.openssh.port;
+
+    environment.persistence."/nix/persist/fhs".directories = [ ] ++
+    optional cfg.openssh.enable "/etc/ssh";
+  };
+}
--- a/global/auth/pub/chireiden.pub
+++ b/global/auth/pub/chireiden.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwC8nsbZN9WOOPhCC8DJKCTqsi6J0RaAKcDC72GiWNX koishi@chireiden
--- a/global/auth/pub/diag.pub
+++ b/global/auth/pub/diag.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvi83M2V/DHUthDPzoiYgLhc8wlWNBFaBsYOWi115f4 diag
--- a/global/boot/default.nix
+++ b/global/boot/default.nix
@ -0,0 +1,29 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.boot;
+in {
+  options.global.boot = {
+    enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };
+    systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };
+    lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
+  };
+
+  config = let
+    sbPath = "/nix/persist/lanzaboote";
+  in mkIf cfg.enable {
+    boot = {
+      initrd.systemd.enable = true;
+      lanzaboote.enable = cfg.lanzaboote;
+      lanzaboote.pkiBundle = sbPath;
+      loader.systemd-boot.enable = cfg.systemd-boot;
+      loader.efi.canTouchEfiVariables = true;
+      tmp.cleanOnBoot = true;
+    };
+
+    # symlink for sbctl
+    environment.etc.secureboot.source = sbPath;
+    environment.systemPackages = [ pkgs.sbctl ];
+  };
+}
--- a/global/default.nix
+++ b/global/default.nix
@ -0,0 +1,7 @@
+{ lib, ... }: {
+  imports = lib.pipe ./. [
+    builtins.readDir
+    (lib.filterAttrs (n: ty: ty == "directory" && builtins.pathExists ./${n}/default.nix))
+    (lib.mapAttrsToList (n: _: ./${n}))
+  ];
+}
--- a/global/fs/btrfs.nix
+++ b/global/fs/btrfs.nix
@ -0,0 +1,22 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in {
+  options.global.fs.btrfs = {
+    options = mkOption {
+      type = with types; listOf str;
+      default = [ "noatime" "compress=zstd" ];
+      description = "btrfs mount options";
+    };
+  };
+
+  config = mkIf (cfg.type == "btrfs") {
+    fileSystems."/nix" =
+    { inherit (cfg.btrfs) options;
+      device = "/dev/disk/by-uuid/${cfg.store}";
+      fsType = "btrfs";
+    };
+  };
+}
--- a/global/fs/default.nix
+++ b/global/fs/default.nix
@ -0,0 +1,92 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in {
+  imports = [
+    ./ext4.nix
+    ./xfs.nix
+    #./bcachefs.nix
+    ./btrfs.nix
+  ];
+
+  options.global.fs = {
+    type = mkOption {
+      type = with types; enum [ "ext4" "xfs" "bcachefs" "btrfs" ];
+      default = "bcachefs";
+      description = "filesystem type to use for persistent state storage";
+    };
+    store = mkOption {
+      type = with types; str;
+      description = "UUID/dataset of nix store backing device";
+    };
+    esp = {
+      enable = mkEnableOption "EFI system partition" // { default = true; };
+      uuid = mkOption {
+        type = with types; str;
+        default = "CAFE-BABE";
+        description = "vfat serial number of EFI system partition";
+      };
+    };
+    extPersist = {
+      enable = mkEnableOption "external persist filesystem";
+      # this wraps the standard fileSystems module
+      # since some attrs have to be unconditionally set
+      device = mkOption {
+        default = null;
+        type = with types; nullOr str;
+        description = "Location of the device.";
+      };
+      fsType = mkOption {
+        default = "auto";
+        type = with types; str;
+        description = "Type of the file system.";
+      };
+      options = mkOption {
+        default = [ "defaults" ];
+        description = "Options used to mount the file system.";
+        type = with types; nonEmptyListOf str;
+      };
+    };
+    cryptsetup = {
+      enable = mkEnableOption "full disk encryption device early setup";
+      allowDiscards = mkEnableOption "allow discards via device-mapper" // { default = true; };
+      bypassWorkqueues = mkEnableOption "bypass dm-crypt's internal workqueues" // { default = true; };
+      uuids = mkOption {
+        type = with types; attrsOf str;
+        description = "device-mapper name to encrypted block device UUID mapping";
+      };
+    };
+  };
+
+  config = {
+    fileSystems."/" =
+    { device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "size=2G" "mode=755" ];
+    };
+    fileSystems."/boot" = mkIf cfg.esp.enable
+    { device = "/dev/disk/by-uuid/${cfg.esp.uuid}";
+      fsType = "vfat";
+    };
+    fileSystems."/nix/persist" = mkIf cfg.extPersist.enable
+    { inherit (cfg.extPersist) device fsType options;
+      neededForBoot = true;
+      depends = [ "/nix" ];
+    };
+    fileSystems."/tmp" =
+    { device = "/nix/tmp";
+      options = [ "bind" ];
+      depends = [ "/nix/tmp" ];
+    };
+
+    services.fstrim.enable = mkIf ((cfg.type == "ext4") || (cfg.type == "xfs")) true;
+
+    boot.initrd.luks.devices = mkIf cfg.cryptsetup.enable (
+    mapAttrs' (name: uuid: nameValuePair "luks-${name}" {
+      inherit (cfg.cryptsetup) allowDiscards bypassWorkqueues;
+      device = "/dev/disk/by-uuid/${uuid}";
+    }) cfg.cryptsetup.uuids);
+  };
+}
--- a/global/fs/ext4.nix
+++ b/global/fs/ext4.nix
@ -0,0 +1,10 @@
+{ lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in mkIf (cfg.type == "ext4") {
+  fileSystems."/nix" =
+  { device = "/dev/disk/by-uuid/${cfg.store}";
+    fsType = "ext4";
+  };
+}
--- a/global/fs/xfs.nix
+++ b/global/fs/xfs.nix
@ -0,0 +1,11 @@
+{ lib
+, config
+, ... }: with lib; let
+  cfg = config.global.fs;
+in mkIf (cfg.type == "xfs") {
+  # NOTE: -m reflink=1
+  fileSystems."/nix" =
+  { device = "/dev/disk/by-uuid/${cfg.store}";
+    fsType = "xfs";
+  };
+}
--- a/global/gui/default.nix
+++ b/global/gui/default.nix
@ -0,0 +1,68 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.gui;
+
+  intel = cfg.type == "intel" || (cfg.type == "prime" && config.hardware.nvidia.prime.intelBusId != "");
+  amdgpu = cfg.type == "amdgpu" || (cfg.type == "prime" && config.hardware.nvidia.prime.amdgpuBusId != "");
+  nvidia = cfg.type == "nvidia" || cfg.type == "prime";
+in {
+  imports = [
+    ./plymouth.nix
+    ./greetd.nix
+  ];
+
+  options.global.gui = {
+    enable = mkEnableOption "various setup required for GUI and support software";
+    session = mkEnableOption "software required for a graphical session" // { default = true; };
+    type = mkOption {
+      type = with types; enum [ "intel" "amdgpu" "nvidia" "prime" ];
+      description = "type of graphics acceleration used";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    hardware.opengl = {
+      enable = true;
+      driSupport = true;
+      driSupport32Bit = true;
+
+      # https://nixos.wiki/wiki/Accelerated_Video_Playback
+      extraPackages = with pkgs; optionals intel [
+        intel-media-driver # LIBVA_DRIVER_NAME=iHD
+        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiVdpau
+        libvdpau-va-gl
+      ] ++ optional nvidia nvidia-vaapi-driver;
+    };
+
+    services.xserver.videoDrivers =
+    optional nvidia "nvidia" ++
+    optional (cfg.type == "amdgpu") "amdgpu";
+    # inhibits default display manager
+    services.xserver.displayManager.startx.enable = mkDefault true;
+
+    hardware.nvidia = mkIf nvidia {
+      modesetting.enable = true;
+      nvidiaSettings = true;
+
+      prime = mkIf (cfg.type == "prime") {
+        offload = {
+          enable = true;
+          enableOffloadCmd = true;
+        };
+      };
+
+      powerManagement.enable = false;
+      powerManagement.finegrained = false;
+      open = false;
+    };
+
+    boot.initrd.kernelModules =
+    optional amdgpu "amdgpu" ++
+    optional intel "i915";
+
+    boot.kernelParams = optional intel "i915.fastboot=1";
+  };
+}
--- a/global/gui/greetd.nix
+++ b/global/gui/greetd.nix
@ -0,0 +1,23 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.gui;
+in mkIf (cfg.enable && cfg.session) {
+  programs.regreet = {
+    enable = true;
+    cageArgs = [ "-s" "-d" "-m" "last" ];
+    settings = {
+      background.path = ../../share/54345906_p0.jpg;
+      background.fit = "Fill";
+      GTK = {
+        application_prefer_dark_theme = true;
+        cursor_theme_name = "Bibata-Modern-Classic";
+        icon_theme_name = "WhiteSur-dark";
+        theme_name = "WhiteSur-Dark";
+      };
+    };
+  };
+
+  environment.persistence."/nix/persist/fhs".directories = [ "/var/cache/regreet" ];
+}
--- a/global/gui/plymouth.nix
+++ b/global/gui/plymouth.nix
@ -0,0 +1,22 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.gui;
+in mkIf cfg.enable {
+  boot = {
+    loader.timeout = lib.mkDefault 0;
+    consoleLogLevel = 0;
+    initrd.verbose = false;
+    initrd.systemd.enable = true;
+    plymouth.enable = true;
+    kernelParams = [
+      "quiet"
+      "splash"
+      "loglevel=3"
+      "rd.systemd.show_status=false"
+      "rd.udev.log_level=3"
+      "udev.log_priority=3"
+    ];
+  };
+}
--- a/global/id/default.nix
+++ b/global/id/default.nix
@ -0,0 +1,16 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.id;
+in {
+  options.global.id = mkOption {
+    type = with types; str;
+    description = "systemd machine id";
+  };
+
+  config = {
+    environment.etc.machine-id.text = cfg + "\n";
+    networking.hostId = substring 0 8 cfg;
+  };
+}
--- a/global/io/default.nix
+++ b/global/io/default.nix
@ -0,0 +1,42 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.io;
+in {
+  options.global.io = {
+    betaflight = mkEnableOption "betaflight udev rules" // { default = true; };
+    bluetooth = mkEnableOption "bluetooth daemons and state persistence" // { default = true; };
+    audio = mkEnableOption "pulseaudio server configuration" // { default = true; };
+    coredump = mkEnableOption "save coredumps handled by systemd";
+  };
+
+  config = {
+    services.udev.extraRules = "" + (if cfg.betaflight then ''
+      # DFU (Internal bootloader for STM32 and AT32 MCUs)
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="2e3c", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
+    '' else "");
+
+    networking.networkmanager.enable = mkDefault true;
+    hardware.bluetooth.enable = mkDefault cfg.bluetooth;
+
+    hardware.pulseaudio = mkIf cfg.audio {
+      enable = true;
+      support32Bit = true;
+    };
+    #nixpkgs.config.pulseaudio = mkIf cfg.audio;
+
+    security.pam.loginLimits = mkIf (!cfg.coredump) (singleton { domain = "*"; item = "core"; type = "hard"; value = "0"; });
+    systemd.coredump.extraConfig = mkIf (!cfg.coredump) "Storage=none";
+
+    environment.persistence."/nix/persist/fhs".directories = [
+      "/var/log"
+      "/var/lib/systemd/backlight"
+    ] ++
+    optional config.networking.networkmanager.enable "/etc/NetworkManager/system-connections" ++
+    optional cfg.bluetooth "/var/lib/bluetooth" ++
+    optional cfg.coredump "/var/lib/systemd/coredump";
+    environment.persistence."/nix/persist/fhs".hideMounts = true;
+  };
+}
--- a/global/kernel/default.nix
+++ b/global/kernel/default.nix
@ -0,0 +1,28 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.kernel;
+in {
+  options.global.kernel = {
+    enable = mkEnableOption "kernel version and configuration" // { default = true; };
+    lts = mkEnableOption "longterm kernel releases";
+    sysctl = {
+      enable = mkEnableOption "sysctl presets" // { default = true; };
+      harden = mkEnableOption "hardening sysctls" // { default = true; };
+      swappiness = mkOption {
+        type = with types; int;
+        default = 0;
+        description = "vm.swappiness value, should be zero for low memory SSD systems";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernel.sysctl = {
+      "kernel.dmesg_restrict" = mkIf cfg.sysctl.harden 1;
+      "vm.swappiness" = cfg.sysctl.swappiness;
+    };
+    boot.kernelPackages = with pkgs; mkDefault (if cfg.lts then linuxPackages else linuxPackages_latest);
+  };
+}
--- a/global/libvirt/default.nix
+++ b/global/libvirt/default.nix
@ -0,0 +1,33 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.libvirt;
+in {
+  options.global.libvirt = {
+    enable = mkEnableOption "libvirt virtualisation daemon" // { default = true; };
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.libvirtd = {
+      enable = true;
+      qemu.runAsRoot = false;
+      qemu.swtpm.enable = true;
+
+      # disable as much implicit state as possible
+      onBoot = "ignore";
+      onShutdown = "shutdown";
+      parallelShutdown = 5;
+    };
+
+    # USB redirection requires a setuid wrapper
+    virtualisation.spiceUSBRedirection.enable = true;
+
+    environment.persistence."/nix/persist/fhs".directories = [
+      "/var/lib/libvirt"
+    ];
+
+    # allow management by admin users
+    users.adminGroups = [ "libvirtd" ];
+  };
+}
--- a/global/util/default.nix
+++ b/global/util/default.nix
@ -0,0 +1,13 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.util;
+in {
+  options.global.util = { };
+
+  config = {
+    programs.zsh.enable = true;
+    environment.shells = singleton pkgs.zsh;
+  };
+}
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwC8nsbZN9WOOPhCC8DJKCTqsi6J0RaAKcDC72GiWNX koishi@chireiden`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvi83M2V/DHUthDPzoiYgLhc8wlWNBFaBsYOWi115f4 diag`