authorVincent Ambo <tazjin@google.com>2020-06-11T11·21+0100
committerVincent Ambo <tazjin@google.com>2020-06-11T11·21+0100
commiteda161624213b17b7e1fc36e1aed1926bbfc9163 (patch)
treefc0cb19de12b3cba2ba8a84b52914d6ba030b37c
parent3407baa7561af2fc8cb68afa995eaed35f08b5dc (diff)
feat(ops/nixos): Initial NixOS configuration for frog r/890
This is mostly based on the nugget configuration, because frog
replaces nugget.
-rw-r--r--ops/nixos/README.md1
-rw-r--r--ops/nixos/default.nix5
-rw-r--r--ops/nixos/frog/default.nix234
3 files changed, 240 insertions, 0 deletions
diff --git a/ops/nixos/README.md b/ops/nixos/README.md
index 9e88193dad..fc90cb4b43 100644
--- a/ops/nixos/README.md
+++ b/ops/nixos/README.md
@@ -15,5 +15,6 @@ hostname.
 
 ## Configured hosts:
 
+* `frog` - weapon of mass computation at home
 * `nugget` - desktop computer at home
 * ~~`urdhva` - T470s~~ (currently with edef)
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
index 040bfeb6e2..6f0655f34e 100644
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@@ -25,6 +25,10 @@ let
       echo "Rebuilding NixOS for //ops/nixos/camden"
       system=$(nix-build -E '(import <depot> {}).ops.nixos.camdenSystem' --no-out-link)
       ;;
+    frog)
+      echo "Rebuilding NixOS for //ops/nixos/frog"
+      system=$(nix-build -E '(import <depot> {}).ops.nixos.frogSystem' --no-out-link)
+      ;;
     *)
       echo "$HOSTNAME is not a known NixOS host!" >&2
       exit 1
@@ -39,4 +43,5 @@ in {
 
   nuggetSystem = systemFor [ depot.ops.nixos.nugget ];
   camdenSystem = systemFor [ depot.ops.nixos.camden ];
+  frogSystem = systemFor [ depot.ops.nixos.frog ];
 }
diff --git a/ops/nixos/frog/default.nix b/ops/nixos/frog/default.nix
new file mode 100644
index 0000000000..03ed5ae6e8
--- /dev/null
+++ b/ops/nixos/frog/default.nix
@@ -0,0 +1,234 @@
+{ depot, lib, ... }:
+
+config: let
+  nixpkgs = import depot.third_party.stableNixpkgsSrc {
+    config.allowUnfree = true;
+  };
+
+  unstable = import depot.third_party.nixpkgsSrc {};
+  lieer = (depot.third_party.lieer {});
+
+  # add google-c-style here because other machines get it from, eh,
+  # elsewhere.
+  frogEmacs = (depot.tools.emacs.overrideEmacs(epkgs: epkgs ++ [
+    depot.third_party.emacsPackages.google-c-style
+  ]));
+in depot.lib.fix(self: {
+  # TODO(tazjin): v4l2loopback
+
+  boot = {
+    tmpOnTmpfs = true;
+    kernelModules = [ "kvm-amd" ];
+
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    initrd = {
+      luks.devices.frog-crypt.device = "/dev/disk-by-label/frog-crypt";
+      availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+
+    kernel.sysctl = {
+      "kernel.perf_event_paranoid" = 1;
+    };
+  };
+
+  hardware = {
+    pulseaudio.enable = true;
+    u2f.enable = true;
+  };
+
+  nix = {
+    maxJobs = 48;
+    nixPath = [
+      "depot=/depot"
+      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+    ];
+  };
+
+  nixpkgs.pkgs = nixpkgs;
+
+  networking = {
+    hostName = "frog";
+    useDHCP = false;
+    interfaces.enp67s0.useDHCP = true;
+
+    # Don't use ISP's DNS servers:
+    nameservers = [
+      "8.8.8.8"
+      "8.8.4.4"
+    ];
+
+    firewall.enable = false;
+  };
+
+  # Generate an immutable /etc/resolv.conf from the nameserver settings
+  # above (otherwise DHCP overwrites it):
+  environment.etc."resolv.conf" = with lib; {
+    source = depot.third_party.writeText "resolv.conf" ''
+      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
+      options edns0
+    '';
+  };
+
+  time.timeZone = "Europe/London";
+
+  fileSystems = {
+    "/".device = "/dev/disk/by-label/frog-root";
+    "/boot".device = "/dev/disk/by-label/BOOT";
+    "/home".device = "/dev/disk/by-label/frog-home";
+  };
+
+  # Configure user account
+  users.extraUsers.tazjin = {
+    extraGroups = [ "wheel" "audio" ];
+    isNormalUser = true;
+    uid = 1000;
+    shell = nixpkgs.fish;
+  };
+
+  security.sudo = {
+    enable = true;
+    extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL";
+  };
+
+  fonts = {
+    fonts = with nixpkgs; [
+      corefonts
+      dejavu_fonts
+      jetbrains-mono
+      noto-fonts-cjk
+      noto-fonts-emoji
+    ];
+
+    fontconfig = {
+      hinting.enable = true;
+      subpixel.lcdfilter = "light";
+
+      defaultFonts = {
+        monospace = [ "JetBrains Mono" ];
+      };
+    };
+  };
+
+  # Configure location (Vauxhall, London) for services that need it.
+  location = {
+    latitude = 51.4819109;
+    longitude = -0.1252998;
+  };
+
+  programs.fish.enable = true;
+  programs.ssh.startAgent = true;
+
+  services.redshift.enable = true;
+  services.openssh.enable = true;
+  services.fstrim.enable = true;
+
+  # Required for Yubikey usage as smartcard
+  services.pcscd.enable = true;
+  services.udev.packages = [
+    nixpkgs.yubikey-personalization
+  ];
+
+  services.xserver = {
+    enable = true;
+    layout = "us";
+    xkbOptions = "caps:super";
+    exportConfiguration = true;
+    videoDrivers = [ "amdgpu" "amdgpu-pro" ];
+
+    displayManager = {
+      # Give EXWM permission to control the session.
+      sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
+
+      lightdm.enable = true;
+      lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ?
+    };
+
+    windowManager.session = lib.singleton {
+      name = "exwm";
+      start = "${frogEmacs}/bin/tazjins-emacs";
+    };
+  };
+
+  # Do not restart the display manager automatically
+  systemd.services.display-manager.restartIfChanged = lib.mkForce false;
+
+  # clangd needs more than ~2GB in the runtime directory to start up
+  services.logind.extraConfig = ''
+    RuntimeDirectorySize=16G
+  '';
+
+  environment.systemPackages =
+    # programs from the depot
+    (with depot; [
+      fun.idual.script
+      lieer
+      frogEmacs
+      ops.kontemplate
+      third_party.ffmpeg
+      third_party.git
+    ]) ++
+
+    # programs from nixpkgs
+    (with nixpkgs; [
+      age
+      bat
+      chromium
+      clang-manpages
+      clang-tools
+      clang_10
+      curl
+      direnv
+      dnsutils
+      emacs26 # mostly for emacsclient
+      exa
+      fd
+      gnupg
+      go
+      google-chrome
+      google-cloud-sdk
+      htop
+      hyperfine
+      i3lock
+      imagemagick
+      jq
+      kubectl
+      linuxPackages.perf
+      miller
+      msmtp
+      nix-prefetch-github
+      notmuch
+      openssh
+      openssl
+      pass
+      pavucontrol
+      pinentry
+      pinentry-emacs
+      pwgen
+      ripgrep
+      rr
+      rustup
+      scrot
+      spotify
+      steam
+      tokei
+      tree
+      unzip
+      vlc
+      xclip
+      yubico-piv-tool
+      yubikey-personalization
+    ]) ++
+
+    # programs from unstable nixpkgs
+    (with unstable; [
+      zoxide
+    ]);
+
+  # ... and other nonsense.
+  system.stateVersion = "20.03";
+})
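Review bot: The LUKS device path in `initrd.luks.devices.frog-crypt.device` reads `/dev/disk-by-label/frog-crypt`, which does not match the `/dev/disk/by-label/...` form used for every entry in `fileSystems` further down in the same file; unless something in the initrd creates a `/dev/disk-by-label` directory, the encrypted volume will never be found and boot will stall waiting for it. The fix is the one line `luks.devices.frog-crypt.device = "/dev/disk/by-label/frog-crypt";`. Separately, `firewall.enable = false` is set in `networking` while `services.openssh.enable = true`, so sshd and anything else that binds a port is reachable on every interface without a filter; keeping the firewall enabled and opening only what is needed, e.g. `networking.firewall.allowedTCPPorts = [ 22 ];`, would be the safer default for a machine on a home network. If disabling it is intentional, a short comment next to `firewall.enable = false` stating why would help a later reader.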