framework

2025-10-10 19:29:55 +02:00 · 2025-10-10 19:29:55 +02:00 · aca4caf02c
commit aca4caf02c
parent 42099d49b4
17 changed files with 279 additions and 33 deletions
--- a/common/boot.nix
+++ b/common/boot.nix
@ -1,18 +0,0 @@
-{ pkgs, ... }:
-{
-  boot = {
-    loader = {
-      efi.canTouchEfiVariables = true;
-      grub = {
-        enable = true;
-        efiSupport = true;
-        device = "nodev";
-      };
-    };
-
-    kernelPackages = pkgs.linuxPackages_6_12;
-    kernel.sysctl."kernel.sysrq" = 1;
-
-    initrd.systemd.network.wait-online.enable = false;
-  };
-}
--- a/common/default.nix
+++ b/common/default.nix
@ -4,7 +4,6 @@
    inputs.agenix.nixosModules.default
    ../mod
    ../desktop
-    ./boot.nix
    ./locale.nix
    ./nix.nix
    ./security.nix
--- a/desktop/default.nix
+++ b/desktop/default.nix
@ -33,15 +33,15 @@ in

  config = mkIf cfg.enable {
    hd.desktop = {
-      accounts.enable = true;
-      audio.enable = true;
-      fonts.enable = true;
-      gpg.enable = true;
-      network.enable = true;
-      security.enable = true;
-      services.enable = true;
-      software.enable = true;
-      wm.enable = true;
+      accounts.enable = lib.mkDefault true;
+      audio.enable = lib.mkDefault true;
+      fonts.enable = lib.mkDefault true;
+      gpg.enable = lib.mkDefault true;
+      network.enable = lib.mkDefault true;
+      security.enable = lib.mkDefault true;
+      services.enable = lib.mkDefault true;
+      software.enable = lib.mkDefault true;
+      wm.enable = lib.mkDefault true;
    };

    nixpkgs.config.allowUnfreePredicate =
--- a/flake.lock
+++ b/flake.lock
@ -49,6 +49,27 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -181,6 +202,7 @@
      "inputs": {
        "agenix": "agenix",
        "colmena": "colmena",
+        "disko": "disko",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager_2",
        "nixos-hardware": "nixos-hardware",
--- a/flake.nix
+++ b/flake.nix
@ -22,6 +22,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@ -29,6 +33,7 @@
      self,
      agenix,
      colmena,
+      disko,
      flake-utils,
      home-manager,
      nixos-hardware,
@ -78,6 +83,19 @@
            overlays
          ];
        };
+
+        "fw" = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = specialArgs // {
+            host = "fw";
+          };
+          modules = [
+            ./host/fw
+            ./home
+            ./common
+            overlays
+          ];
+        };
      };

      colmenaHive = colmena.lib.makeHive {
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
  networking.hostName = "c2";

@ -13,8 +13,24 @@
    common-pc-laptop-ssd
  ];

-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  boot.resumeDevice = "/dev/disk/by-label/nixswap";
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+      grub = {
+        enable = true;
+        efiSupport = true;
+        device = "nodev";
+      };
+    };
+
+    resumeDevice = "/dev/disk/by-label/nixswap";
+
+    kernelPackages = pkgs.linuxPackages_6_12;
+    kernel.sysctl."kernel.sysrq" = 1;
+
+    initrd.systemd.network.wait-online.enable = false;
+  };

  # Fix for touchpad physical click not working
  boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ];
--- a/host/fw/default.nix
+++ b/host/fw/default.nix
@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }:
+{
+  networking.hostName = "fw";
+
+  age.identityPaths = [
+    "/root/.ssh/id_ed25519"
+  ];
+
+  imports = [
+    ./hardware-configuration.nix
+    inputs.disko.nixosModules.disko
+    ./disko.nix
+  ];
+
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      grub = {
+        enable = true;
+        efiSupport = true;
+      };
+    };
+
+    kernelPackages = pkgs.linuxPackages_6_12;
+    kernel.sysctl."kernel.sysrq" = 1;
+
+    initrd.systemd.network.wait-online.enable = false;
+  };
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "ondemand";
+  };
+
+  hd.desktop.enable = true;
+
+  networking.firewall = {
+    enable = true;
+  };
+
+  # ====== DON'T CHANGE ======
+  system.stateVersion = "25.05";
+}
--- a/host/fw/disko.nix
+++ b/host/fw/disko.nix
@ -0,0 +1,97 @@
+let
+  rootfs = {
+    type = "btrfs";
+    extraArgs = [
+      "-f"
+      "-L"
+      "nixroot"
+    ];
+    subvolumes = {
+      "/root" = {
+        mountpoint = "/";
+        mountOptions = [
+          "compress=zstd"
+          "noatime"
+        ];
+      };
+      "/home" = {
+        mountpoint = "/home";
+        mountOptions = [
+          "compress=zstd"
+          "noatime"
+        ];
+      };
+      "/nix" = {
+        mountpoint = "/nix";
+        mountOptions = [
+          "compress=zstd"
+          "noatime"
+        ];
+      };
+    };
+  };
+in
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02";
+            };
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              label = "crypt";
+              content = {
+                type = "luks";
+                name = "cryptlvm";
+                settings = {
+                  allowDiscards = true;
+                };
+                content = {
+                  type = "lvm_pv";
+                  vg = "pool";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%";
+            content = rootfs;
+          };
+          swap = {
+            size = "48G";
+            content = {
+              extraArgs = [ "-L nixswap" ];
+              type = "swap";
+              resumeDevice = true;
+            };
+          };
+
+        };
+      };
+    };
+  };
+}
--- a/host/fw/hardware-configuration.nix
+++ b/host/fw/hardware-configuration.nix
@ -0,0 +1,28 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }:
+{
  networking.hostName = "roam";

  age.identityPaths = [
@ -14,6 +15,21 @@ _: {
    ./services.nix
  ];

+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      grub = {
+        enable = true;
+        efiSupport = true;
+        device = "nodev";
+      };
+    };
+
+    kernelPackages = pkgs.linuxPackages_6_12;
+
+    initrd.systemd.network.wait-online.enable = false;
+  };
+
  security = {
    acme = {
      acceptTerms = true;
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
  networking = {
    hostName = "solo";
@ -21,6 +21,22 @@
    ./nvidia-gpu.nix
  ];

+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      grub = {
+        enable = true;
+        efiSupport = true;
+        device = "nodev";
+      };
+    };
+
+    kernelPackages = pkgs.linuxPackages_6_12;
+    kernel.sysctl."kernel.sysrq" = 1;
+
+    initrd.systemd.network.wait-online.enable = false;
+  };
+
  powerManagement = {
    enable = true;
    cpuFreqGovernor = "performance";
--- a/secrets/hd-password.age
+++ b/secrets/hd-password.age
--- a/secrets/roam/firefox-sync-secret.age
+++ b/secrets/roam/firefox-sync-secret.age
--- a/secrets/roam/rclone-conf.age
+++ b/secrets/roam/rclone-conf.age
--- a/secrets/tlskey.age
+++ b/secrets/tlskey.age
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -8,10 +8,12 @@ mkKeys {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
+    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
  };
  root = {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
  };
 }
--- a/var/wg.nix
+++ b/var/wg.nix
@ -4,6 +4,7 @@ rec {
    "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
    "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
    "c2" = "yJ1vrI9+qzUHuQJxeRDLCDCMRCIhF+0UNPwz3agyxTk=";
+    "fw" = "xpiJJMPhZEIEvNDBYRbnOsBeDCdKN1cHdYM95b9+rUY=";
  };
  wireguard-network = {
    "roam" = {
@ -25,6 +26,12 @@ rec {
      allowedIPs = [ "10.10.11.3/32" ];
      persistentKeepalive = 19;
    };
+    "fw" = {
+      publicKey = publicKey."fw";
+      ips = [ "10.10.11.4/32" ];
+      allowedIPs = [ "10.10.11.4/32" ];
+      persistentKeepalive = 23;
+    };
  };
  keyFile = "/var/secrets/wg.key";