# Host-specific NixOS module: root filesystem, kernel, bootloader, systemd initrd,
# impermanence (ephemeral root) and a few storage-related services.
# Takes the flake `inputs` set (this file reads inputs.pkgs and inputs.lib) and
# returns a module whose `config` attribute holds all settings.
inputs:
{
  config =
  {
    # filesystem mount
    # Root is the dm-crypt mapping "root" (presumably LUKS; the luks.devices
    # declaration that creates it is not in this file — confirm) formatted as
    # btrfs. The mounted subvolume is nix/rootfs/current, which the initrd
    # service `create-current-rootfs` below replaces with an empty subvolume on
    # every boot, so root state does not survive a reboot unless persisted.
    fileSystems."/" =
    {
      device = "/dev/mapper/root";
      fsType = "btrfs";
      options = [ "subvol=nix/rootfs/current" "compress-force=zstd" ];
    };

    # Manual recipe for swap, kept here as documentation; nothing below is
    # applied by this module. Two variants appear to be recorded: a btrfs
    # swapfile (first two commands) and an encrypted RAID-0 device (the rest).
    # The encrypted variant stripes two NVMe partitions, LUKS-formats the array,
    # enrols a FIDO2 token and then wipes key slot 0, so after that step only the
    # token can unlock swap; losing the token means losing swap (and any
    # hibernation image on it — confirm whether resume is configured).
    # sudo btrfs fi mkswapfile --size 64g --uuid clear swap
    # sudo btrfs inspect-internal map-swapfile -r swap
    # sudo mdadm --create /dev/md/swap --level 0 --raid-devices 2 /dev/nvme1n1p5 /dev/nvme0n1p5
    # sudo mkswap --uuid clear /dev/md/swap
    # sudo cryptsetup luksFormat /dev/md/swap
    # sudo systemd-cryptenroll --fido2-device=auto /dev/md/swap
    # sudo systemd-cryptenroll --wipe-slot=0 /dev/md/swap
    # sudo $(dirname $(realpath $(which systemctl)))/../lib/systemd/systemd-cryptsetup \
    #   attach swap /dev/md/swap - fido2-device=auto
    # sudo mkswap --uuid clear /dev/mapper/swap

    # kernel, modules, ucode
    # Latest Xanmod kernel from the flake's pkgs; Intel microcode updates enabled.
    boot.kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
    hardware.cpu.intel.updateMicrocode = true;
    # modules auto loaded in stage2
    # kvm-intel for KVM guests; br_netfilter makes bridged traffic visible to
    # netfilter (presumably for containers/VM bridges — confirm the consumer).
    boot.kernelModules = [ "kvm-intel" "br_netfilter" ];
    # modules install but not auto loaded
    # boot.extraModulePackages = [ yourmodulename ];
    # Module parameters: nested virtualisation on, and two iwlwifi power settings.
    boot.extraModprobeConfig =
    ''
    options kvm_intel nested=1
    options iwlmvm power_scheme=1
    options iwlwifi uapsd_disable=1
    '';
    # delayacct enables per-task delay accounting; acpi_osi=Linux changes what
    # the firmware is told about the OS (platform quirk — assumed intentional).
    boot.kernelParams = [ "delayacct" "acpi_osi=Linux" ];
    # Kernel patches, applied in list order:
    #  - hdmi: local patch file shipped with this configuration;
    #  - cjktty: fetched from GitHub. The sha256 pins the content, so if the
    #    `master` URL ever serves a different file the build fails rather than
    #    silently applying a changed patch. Also enables the CJK console fonts.
    #  - "custom config": no patch, only kernel-config overrides (mkForce wins
    #    over the values the kernel package itself sets): drop the generic CPU
    #    target in favour of MALDERLAKE (presumably the Alder Lake option of the
    #    Xanmod config — confirm), full preemption, and HZ = 1000.
    boot.kernelPatches =
    [
      { name = "hdmi"; patch = ./hdmi.patch; }
      {
        name = "cjktty";
        patch = inputs.pkgs.fetchurl
        {
          url = "https://raw.githubusercontent.com/zhmars/cjktty-patches/master/v6.x/cjktty-6.4.patch";
          sha256 = "sha256-QnsWruzhtiZnqzTUXkPk9Hb19Iddr4VTWXyV4r+iLvE=";
        };
        extraStructuredConfig = { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
      }
      {
        name = "custom config";
        patch = null;
        extraStructuredConfig =
        {
          GENERIC_CPU = inputs.lib.kernel.no;
          MALDERLAKE = inputs.lib.kernel.yes;
          PREEMPT_VOLUNTARY = inputs.lib.mkForce inputs.lib.kernel.no;
          PREEMPT = inputs.lib.mkForce inputs.lib.kernel.yes;
          HZ_500 = inputs.lib.mkForce inputs.lib.kernel.no;
          HZ_1000 = inputs.lib.mkForce inputs.lib.kernel.yes;
          HZ = inputs.lib.mkForce (inputs.lib.kernel.freeform "1000");
        };
      }
    ];

    # grub
    # EFI boot: GRUB is allowed to write EFI variables, the ESP is mounted at
    # /boot/efi, and os-prober is disabled — the Windows entries are written by
    # hand below, each chainloading bootmgfw.efi from an ESP selected by fixed
    # filesystem UUID (7317-1DB6 and 7321-FA9C). Menu timeout is 5 seconds.
    boot.loader =
    {
      timeout = 5;
      efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot/efi"; };
      grub =
      {
        enable = true;
        # for BIOS, set disk to install; for EFI, set nodev
        device = "nodev";
        efiSupport = true;
        useOSProber = false;
        extraEntries =
        ''
        menuentry "Windows" {
        insmod part_gpt
        insmod fat
        insmod search_fs_uuid
        insmod chain
        search --fs-uuid --set=root 7317-1DB6
        chainloader /EFI/Microsoft/Boot/bootmgfw.efi
        }
        menuentry "Windows for malware" {
        insmod part_gpt
        insmod fat
        insmod search_fs_uuid
        insmod chain
        search --fs-uuid --set=root 7321-FA9C
        chainloader /EFI/Microsoft/Boot/bootmgfw.efi
        }
        '';
      };
    };

    # initrd, luks
    # systemd-based initrd. The create-current-rootfs oneshot runs once the
    # encrypted devices are open (after cryptsetup.target) and before any local
    # filesystem is mounted (before local-fs-pre.target); DefaultDependencies is
    # off so it may run this early in the initrd.
    boot.initrd =
    {
      systemd =
      {
        enable = true;
        services.create-current-rootfs =
        {
          wantedBy = [ "local-fs-pre.target" ];
          after = [ "cryptsetup.target" ];
          before = [ "local-fs-pre.target" ];
          unitConfig.DefaultDependencies = false;
          serviceConfig.Type = "oneshot";
          # Rotates the root subvolume each boot:
          #  1. mount the top level of the root volume at /mnt (-m creates the
          #     mount point);
          #  2. if the previous root carries a .timestamp, rename it to
          #     nix/rootfs/<timestamp> so the old root is kept intact;
          #  3. create a fresh, empty `current` subvolume and stamp it with the
          #     current time; 4. unmount.
          # NOTE(review): if `current` exists without a .timestamp the rename is
          # skipped and `btrfs subvolume create` hits an existing path — confirm
          # this cannot happen, and whether the generated script runs with
          # `set -e` (in which case boot would stop here).
          # NOTE(review): the timestamp comes from `date` inside the initrd,
          # so it is only meaningful if the RTC is sane at that point — confirm.
          # NOTE(review): old roots accumulate under nix/rootfs/<timestamp>;
          # nothing here prunes them — confirm cleanup happens elsewhere.
          script =
          ''
          mount /dev/mapper/root /mnt -m
          if [ -f /mnt/nix/rootfs/current/.timestamp ]
          then
          mv /mnt/nix/rootfs/current /mnt/nix/rootfs/$(cat /mnt/nix/rootfs/current/.timestamp)
          fi
          btrfs subvolume create /mnt/nix/rootfs/current
          echo $(date '+%Y%m%d%H%M%S') > /mnt/nix/rootfs/current/.timestamp
          umount /mnt
          '';
        };
      };
      # modules in initrd
      # modprobe --show-depends
      # Modules made available (not auto-loaded) in the initrd: SATA/NVMe/USB
      # storage and HID, Intel and NVIDIA graphics, the bfq scheduler used by
      # the udev rules below, codepage modules for the FAT ESP, and virtio.
      availableKernelModules =
      [
        "ahci" "bfq" "i915" "intel_cstate" "nls_cp437" "nls_iso8859-1" "nvidia" "nvidia_drm" "nvidia_modeset"
        "nvidia_uvm" "nvme" "sr_mod" "usbhid" "usb_storage" "virtio_blk" "virtio_pci" "xhci_pci"
      ]
      # speed up luks decryption
      # AES-NI and the SIMD crypto helpers so the LUKS unlock is hardware-accelerated.
      ++ [ "aesni_intel" "cryptd" "crypto_simd" "libaes" ];
    };

    # impermanence
    # Everything not listed here lives on the per-boot root subvolume and is
    # lost on reboot. /nix/persistent is the persistent subvolume (also the one
    # snapper snapshots below). hideMounts keeps the bind mounts out of the
    # mount listing shown to users.
    #  - NetworkManager system-connections: connection profiles, which may
    #    include stored credentials such as Wi-Fi pre-shared keys;
    #  - /home, /root: user data;
    #  - /var: all state, caches and logs, so /var/log survives reboots and the
    #    nix-daemon TMPDIR configured below is persistent.
    # Persisted files keep the host's identity stable across reboots: the
    # machine-id and the SSH host key pairs (the private keys therefore reside
    # on the persistent volume; presumably impermanence preserves their modes —
    # confirm).
    environment.persistence."/nix/persistent" =
    {
      hideMounts = true;
      directories =
      [
        "/etc/NetworkManager/system-connections"
        "/home"
        "/root"
        "/var"
      ];
      files =
      [
        "/etc/machine-id"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
      ];
    };

    # services
    # nix-daemon: build temp files go to /var/cache/nix (CacheDirectory = "nix"
    # makes systemd create that directory), i.e. onto the persisted /var rather
    # than the ephemeral root — presumably to give large builds durable space.
    # systemd-tmpfiles: SYSTEMD_TMPFILES_FORCE_SUBVOL=0 stops tmpfiles from
    # turning `v`-type entries into btrfs subvolumes; presumably so directories
    # under the impermanence bind mounts stay plain directories — confirm.
    systemd.services =
    {
      nix-daemon = { environment = { TMPDIR = "/var/cache/nix"; }; serviceConfig = { CacheDirectory = "nix"; }; };
      systemd-tmpfiles-setup = { environment = { SYSTEMD_TMPFILES_FORCE_SUBVOL = "0"; }; };
    };
    services =
    {
      # Snapper timeline snapshots of the persistent subvolume: snapshots
      # younger than 1800 s are never cleaned; keep 10 hourly, 7 daily, 1 weekly,
      # no monthly or yearly snapshots. (TIMELINE_MIN_AGE is an integer while
      # the TIMELINE_LIMIT_* values are strings — both presumably accepted by the
      # snapper module; confirm.)
      snapper.configs.persistent =
      {
        SUBVOLUME = "/nix/persistent";
        TIMELINE_CREATE = true;
        TIMELINE_CLEANUP = true;
        TIMELINE_MIN_AGE = 1800;
        TIMELINE_LIMIT_HOURLY = "10";
        TIMELINE_LIMIT_DAILY = "7";
        TIMELINE_LIMIT_WEEKLY = "1";
        TIMELINE_LIMIT_MONTHLY = "0";
        TIMELINE_LIMIT_YEARLY = "0";
      };
      # Use the bfq I/O scheduler on non-rotational disks. The patterns only
      # match single-letter sd*/vd* names and single-digit nvme devices.
      udev.extraRules =
      ''
      ACTION=="add|change", KERNEL=="[sv]d[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
      ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
      '';
    };
  };
}