framework

2025-10-10 19:29:55 +02:00 · 2025-10-10 19:29:55 +02:00 · aca4caf02c
commit aca4caf02c
parent 42099d49b4
17 changed files with 279 additions and 33 deletions
--- a/common/boot.nix
+++ b/common/boot.nix
@ -1,18 +0,0 @@
 { pkgs, ... }:
 {
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
      };
    };
    kernelPackages = pkgs.linuxPackages_6_12;
    kernel.sysctl."kernel.sysrq" = 1;
    initrd.systemd.network.wait-online.enable = false;
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@ -4,7 +4,6 @@
    inputs.agenix.nixosModules.default
    ../mod
    ../desktop
    ./boot.nix
    ./locale.nix
    ./nix.nix
    ./security.nix
--- a/desktop/default.nix
+++ b/desktop/default.nix
@ -33,15 +33,15 @@ in
  config = mkIf cfg.enable {
    hd.desktop = {
-      accounts.enable = true;
+      accounts.enable = lib.mkDefault true;
-      audio.enable = true;
+      audio.enable = lib.mkDefault true;
-      fonts.enable = true;
+      fonts.enable = lib.mkDefault true;
-      gpg.enable = true;
+      gpg.enable = lib.mkDefault true;
-      network.enable = true;
+      network.enable = lib.mkDefault true;
-      security.enable = true;
+      security.enable = lib.mkDefault true;
-      services.enable = true;
+      services.enable = lib.mkDefault true;
-      software.enable = true;
+      software.enable = lib.mkDefault true;
-      wm.enable = true;
+      wm.enable = lib.mkDefault true;
    };
    nixpkgs.config.allowUnfreePredicate =
--- a/flake.lock
+++ b/flake.lock
@ -49,6 +49,27 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1746728054,
        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "ff442f5d1425feb86344c028298548024f21256d",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "latest",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -181,6 +202,7 @@
      "inputs": {
        "agenix": "agenix",
        "colmena": "colmena",
        "disko": "disko",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager_2",
        "nixos-hardware": "nixos-hardware",
--- a/flake.nix
+++ b/flake.nix
@ -22,6 +22,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    disko = {
      url = "github:nix-community/disko/latest";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
@ -29,6 +33,7 @@
      self,
      agenix,
      colmena,
      disko,
      flake-utils,
      home-manager,
      nixos-hardware,
@ -78,6 +83,19 @@
            overlays
          ];
        };
        "fw" = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          specialArgs = specialArgs // {
            host = "fw";
          };
          modules = [
            ./host/fw
            ./home
            ./common
            overlays
          ];
        };
      };
      colmenaHive = colmena.lib.makeHive {
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
  networking.hostName = "c2";
@ -13,8 +13,24 @@
    common-pc-laptop-ssd
  ];
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot = {
-  boot.resumeDevice = "/dev/disk/by-label/nixswap";
+    loader = {
      efi.canTouchEfiVariables = true;
      efi.efiSysMountPoint = "/boot/efi";
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
      };
    };
    resumeDevice = "/dev/disk/by-label/nixswap";
    kernelPackages = pkgs.linuxPackages_6_12;
    kernel.sysctl."kernel.sysrq" = 1;
    initrd.systemd.network.wait-online.enable = false;
  };
  # Fix for touchpad physical click not working
  boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ];
--- a/host/fw/default.nix
+++ b/host/fw/default.nix
@ -0,0 +1,43 @@
 { inputs, pkgs, ... }:
 {
  networking.hostName = "fw";
  age.identityPaths = [
    "/root/.ssh/id_ed25519"
  ];
  imports = [
    ./hardware-configuration.nix
    inputs.disko.nixosModules.disko
    ./disko.nix
  ];
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
      };
    };
    kernelPackages = pkgs.linuxPackages_6_12;
    kernel.sysctl."kernel.sysrq" = 1;
    initrd.systemd.network.wait-online.enable = false;
  };
  powerManagement = {
    enable = true;
    cpuFreqGovernor = "ondemand";
  };
  hd.desktop.enable = true;
  networking.firewall = {
    enable = true;
  };
  # ====== DON'T CHANGE ======
  system.stateVersion = "25.05";
 }
--- a/host/fw/disko.nix
+++ b/host/fw/disko.nix
@ -0,0 +1,97 @@
 let
  rootfs = {
    type = "btrfs";
    extraArgs = [
      "-f"
      "-L"
      "nixroot"
    ];
    subvolumes = {
      "/root" = {
        mountpoint = "/";
        mountOptions = [
          "compress=zstd"
          "noatime"
        ];
      };
      "/home" = {
        mountpoint = "/home";
        mountOptions = [
          "compress=zstd"
          "noatime"
        ];
      };
      "/nix" = {
        mountpoint = "/nix";
        mountOptions = [
          "compress=zstd"
          "noatime"
        ];
      };
    };
  };
 in
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02";
            };
            ESP = {
              size = "1G";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            luks = {
              size = "100%";
              label = "crypt";
              content = {
                type = "luks";
                name = "cryptlvm";
                settings = {
                  allowDiscards = true;
                };
                content = {
                  type = "lvm_pv";
                  vg = "pool";
                };
              };
            };
          };
        };
      };
    };
    lvm_vg = {
      pool = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%";
            content = rootfs;
          };
          swap = {
            size = "48G";
            content = {
              extraArgs = [ "-L nixswap" ];
              type = "swap";
              resumeDevice = true;
            };
          };
        };
      };
    };
  };
 }
--- a/host/fw/hardware-configuration.nix
+++ b/host/fw/hardware-configuration.nix
@ -0,0 +1,28 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }:
 {
  networking.hostName = "roam";
  age.identityPaths = [
@ -14,6 +15,21 @@ _: {
    ./services.nix
  ];
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
      };
    };
    kernelPackages = pkgs.linuxPackages_6_12;
    initrd.systemd.network.wait-online.enable = false;
  };
  security = {
    acme = {
      acceptTerms = true;
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
  networking = {
    hostName = "solo";
@ -21,6 +21,22 @@
    ./nvidia-gpu.nix
  ];
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
      };
    };
    kernelPackages = pkgs.linuxPackages_6_12;
    kernel.sysctl."kernel.sysrq" = 1;
    initrd.systemd.network.wait-online.enable = false;
  };
  powerManagement = {
    enable = true;
    cpuFreqGovernor = "performance";
--- a/secrets/hd-password.age
+++ b/secrets/hd-password.age
--- a/secrets/roam/firefox-sync-secret.age
+++ b/secrets/roam/firefox-sync-secret.age
--- a/secrets/roam/rclone-conf.age
+++ b/secrets/roam/rclone-conf.age
--- a/secrets/tlskey.age
+++ b/secrets/tlskey.age
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -8,10 +8,12 @@ mkKeys {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
  };
  root = {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
  };
 }
--- a/var/wg.nix
+++ b/var/wg.nix
@ -4,6 +4,7 @@ rec {
    "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
    "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
    "c2" = "yJ1vrI9+qzUHuQJxeRDLCDCMRCIhF+0UNPwz3agyxTk=";
    "fw" = "xpiJJMPhZEIEvNDBYRbnOsBeDCdKN1cHdYM95b9+rUY=";
  };
  wireguard-network = {
    "roam" = {
@ -25,6 +26,12 @@ rec {
      allowedIPs = [ "10.10.11.3/32" ];
      persistentKeepalive = 19;
    };
    "fw" = {
      publicKey = publicKey."fw";
      ips = [ "10.10.11.4/32" ];
      allowedIPs = [ "10.10.11.4/32" ];
      persistentKeepalive = 23;
    };
  };
  keyFile = "/var/secrets/wg.key";