commit 03f9a9de88ba38c4736e1d57b897ee7e379d444d Author: Paul-Mathias Logue Date: Fri Dec 12 12:02:26 2025 +0100 Initial commit
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..f20c590
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,273 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ inputs, config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.xbootldrMountPoint = "/boot";
+ boot.loader.efi.efiSysMountPoint = "/efi";
+ boot.initrd.luks.devices.cryptroot = {
+ device = "/dev/disk/by-uuid/9aaac705-2737-4222-9887-51131acec90c";
+ };
+
+ networking.hostName = "hermes"; # Define your hostname.
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.wireless.iwd.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+ services.avahi.enable = true;
+ hardware.graphics.enable = true;
+ services.xserver.videoDrivers = [ "modesetting" "nvidia" ];
+ hardware.nvidia.open = true;
+ hardware.nvidia.nvidiaSettings = true;
+ hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable;
+
+ hardware.graphics.extraPackages = with pkgs; [
+ intel-media-driver # VA-API (iHD) userspace
+ vpl-gpu-rt # oneVPL (QSV) runtime
+ ];
+ programs.nix-ld.enable = true;
+
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "iHD"; # Prefer the modern iHD backend
+ # VDPAU_DRIVER = "va_gl"; # Only if using libvdpau-va-gl
+ };
+
+ hardware.nvidia.prime = {
+ # offload.enable = true;
+ intelBusId = "PCI:0:2:0";
+ nvidiaBusId = "PCI:2:0:0";
+ };
+
+ # May help if FFmpeg/VAAPI/QSV init fails (esp. on Arc with i915):
+ hardware.enableRedistributableFirmware = true;
+ boot.kernelParams = [ "i915.enable_guc=3" ];
+
+ programs.niri.enable = true;
+
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # services.pulseaudio.enable = true;
+ # OR
+ # services.pipewire = {
+ # enable = true;
+ # pulse.enable = true;
+ # };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.pml = {
+ isNormalUser = true;
+ extraGroups = [ "i2c" "wheel" ]; # Enable ‘sudo’ for the user.
+ };
+
+ # programs.firefox.enable = true;
+
+ # List packages installed in system profile.
+ # You can use https://search.nixos.org/ to find more packages (and options).
+ environment.systemPackages = with pkgs; [
+ vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ sbctl
+ alacritty
+ fuzzel
+ libva-utils
+ firefox
+ (openrgb.overrideAttrs (old: {
+ src = pkgs.fetchFromGitLab {
+ owner = "CalcProgrammer1";
+ repo="OpenRGB";
+ rev = "release_candidate_1.0rc2";
+ sha256 = "vdIA9i1ewcrfX5U7FkcRR+ISdH5uRi9fz9YU5IkPKJQ=";
+ };
+ patches = [
+ ./remove_systemd_service.patch
+ ];
+ postPatch = ''
+ patchShebangs scripts/build-udev-rules.sh
+ substituteInPlace scripts/build-udev-rules.sh \
+ --replace-fail /usr/bin/env "${pkgs.coreutils}/bin/env"
+ '';
+ version = "1.0rc2";
+ }))
+
+ i2c-tools
+ ];
+ fonts.fontconfig = {
+ enable = true;
+ antialias = true;
+ hinting = {
+ enable = true;
+ style = "slight";
+ };
+ subpixel = {
+ rgba = "rgb";
+ lcdfilter = "default";
+ };
+
+ defaultFonts = {
+ serif = [ "SF Pro" "DejaVu Serif" ];
+ sansSerif = [ "SF Pro" "DejaVu Sans" ];
+ monospace = [ "Iosevka" "DejaVu Sans Mono" ];
+ emoji = [ "Noto Color Emoji" ];
+ };
+ };
+
+ fonts.packages = with pkgs; [
+ noto-fonts-color-emoji
+ (iosevka.override {
+ set = "cavalier";
+
+ privateBuildPlan = {
+ family = "Iosevka Cavalier";
+ spacing = "normal";
+ serifs = "sans";
+ noCvSs = false;
+ exportGlyphNames = true;
+
+ variants.inherits = "ss08";
+
+ variants.weights.Regular = {
+ shape = 400;
+ menu = 400;
+ css = 400;
+ };
+
+ variants.weights.Bold = {
+ shape = 700;
+ menu = 700;
+ css = 700;
+ };
+
+ variants.weights.Italic = {
+ angle = 9.4;
+ shape = "italic";
+ menu = "italic";
+ css = "italic";
+ };
+
+ variants.weights.Upright = {
+ angle = 0;
+ shape = "upright";
+ menu = "upright";
+ css = "upright";
+ };
+ };
+ })
+ ];
+
+ programs._1password.enable = true;
+ programs._1password-gui = {
+ enable = true;
+ # Certain features, including CLI integration and system authentication support,
+ # require enabling PolKit integration on some desktop environments (e.g. Plasma).
+ polkitPolicyOwners = [ "pml" ];
+ };
+
+ #services.hardware.openrgb.enable = true;
+ services.udev.packages = [ pkgs.openrgb ];
+ boot.kernelModules = [ "i2c-dev" ];
+ hardware.i2c.enable = true;
+
+ environment.etc = {
+ "1password/custom_allowed_browsers" = {
+ text = ''
+ firefox
+ '';
+ mode = "0755";
+ };
+ };
+ hardware.bluetooth.enable = true;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true; # if not already enabled
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment the following
+ jack.enable = true;
+ };
+
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..e73360a
--- /dev/null
+++ b/flake.lock
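Review bot: `services.openssh.enable = true;` turns on sshd with no `services.openssh.settings`, so the module defaults apply — on current NixOS, as far as I know, that means password and keyboard-interactive logins are accepted and the port is opened in the firewall — for `pml`, a `wheel` member whose password the comment above the user block says to set with `passwd`. No `openssh.authorizedKeys` are declared for that user in this hunk. I would declare the keys under `users.users.pml.openssh.authorizedKeys.keys` and add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };` beside the enable line. Separately, `services.udev.packages = [ pkgs.openrgb ];` refers to the stock package rather than the `overrideAttrs` build in `environment.systemPackages`, so the udev rules and the installed binary can come from different OpenRGB versions; binding the override once in a `let` and using it in both places would keep them in step.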
@@ -0,0 +1,272 @@ +{ + "nodes": { + "apple-fonts": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "ny": "ny", + "sf-arabic": "sf-arabic", + "sf-armenian": "sf-armenian", + "sf-compact": "sf-compact", + "sf-georgian": "sf-georgian", + "sf-hebrew": "sf-hebrew", + "sf-mono": "sf-mono", + "sf-pro": "sf-pro" + }, + "locked": { + "lastModified": 1758228441, + "narHash": "sha256-3mA9oFuhJ1EHyhPd17g/EuJi4jDYPGhyxkEitdh3Kmc=", + "owner": "Lyndeno", + "repo": "apple-fonts.nix", + "rev": "aba9944f6606a69ebedf7bfb723316139eec3f72", + "type": "github" + }, + "original": { + "owner": "Lyndeno", + "repo": "apple-fonts.nix", + "type": "github" + } + }, + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1765382359, + "narHash": 
"sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1765311797, + "narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=", + "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b", + "revCount": 903162, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2511.903162%2Brev-09eb77e94fa25202af8f3e81ddc7353d9970ac1b/019b095a-7dde-7122-8fd5-afa2e9e17894/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/%2A" + } + }, + "ny": { + "flake": false, + "locked": { + "narHash": "sha256-3257NAH4qlan2YHVLpNRy7x8IJqR2pal3OzFo/ykqXs=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/NY.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/NY.dmg" + } + }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "apple-fonts": "apple-fonts", + "lanzaboote": "lanzaboote", + "nixpkgs": "nixpkgs" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": 
"769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "sf-arabic": { + "flake": false, + "locked": { + "narHash": "sha256-/0gjRimqvZyE60xYxxPdlU+7Q2LJnnvtbmwOP0YmS9U=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Arabic.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Arabic.dmg" + } + }, + "sf-armenian": { + "flake": false, + "locked": { + "narHash": "sha256-rRoDkbNMYkzOHZmQm96Zv80TZvRlAeoxkv4pMHP5nUg=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Armenian.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Armenian.dmg" + } + }, + "sf-compact": { + "flake": false, + "locked": { + "narHash": "sha256-WeqT80cdK/XzTLSaJs5DHodzxoeAzwL/xTgdq0YwQbM=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Compact.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Compact.dmg" + } + }, + "sf-georgian": { + "flake": false, + "locked": { + "narHash": "sha256-IevVNOC28IiR45YfI3PsZzXLMRxuB5u7UiE53Zn6tRU=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Georgian.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Georgian.dmg" + } + }, + "sf-hebrew": { + "flake": false, + "locked": { + "narHash": "sha256-Dw84kYwMpCtKKKqm8cZcQ9TZ7GayU5MO7W0LJw0Rcwk=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Hebrew.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Hebrew.dmg" + } + }, + "sf-mono": { + "flake": false, + "locked": { + "narHash": 
"sha256-ICdHRFdNL7PM/fXJUzS7LgZxZiqcyIuCMHLze4En4vg=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Mono.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Mono.dmg" + } + }, + "sf-pro": { + "flake": false, + "locked": { + "narHash": "sha256-vprahHpCUf9O8RualBrEuLEfuLfzI/2d8AQmwlCGPPk=", + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Pro.dmg" + }, + "original": { + "type": "file", + "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Pro.dmg" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0c54f1c --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,60 @@
+{
+ description = "A SecureBoot-enabled NixOS configurations";
+
+ inputs = {
+ nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*";
+
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v1.0.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ apple-fonts.url= "github:Lyndeno/apple-fonts.nix";
+ apple-fonts.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+
+ outputs = { self, nixpkgs, lanzaboote, apple-fonts, ...}: {
+ nixosConfigurations = {
+ hermes = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+
+ modules = [
+ # This is not a complete NixOS configuration and you need to reference
+ # your normal configuration here.
+
+ lanzaboote.nixosModules.lanzaboote
+
+ ./configuration.nix
+ ./hardware-configuration.nix
+
+ ({ pkgs, lib, ... }: {
+ nixpkgs.config.allowUnfree = true;
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ fonts.packages = [
+ apple-fonts.packages."x86_64-linux".sf-pro
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.bootspec.enable = true;
+ boot.initrd.systemd.enable = true;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ })
+ ];
+ };
+ };
+ };
+}
+
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..5652968
--- /dev/null
+++ b/hardware-configuration.nix
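Review bot: `nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*";` leaves the release series unconstrained, so a routine `nix flake update` can move this Secure Boot host onto a new NixOS release without any edit to flake.nix showing up in review. flake.lock in this commit resolves the wildcard to 0.2511.903162, so constraining the input to that series, for example `nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2511.*";`, would turn a release jump into an explicit change; confirm the exact version pattern against FlakeHub's documentation. The same reasoning applies less strongly to `apple-fonts.url`, which tracks the default branch of a third-party repository and is held in place only by the lock file.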
@@ -0,0 +1,95 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@root" ]; + }; + + boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/9aaac705-2737-4222-9887-51131acec90c"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/afbb025b-f483-4b79-9702-645cfca09e8b"; + fsType = "ext4"; + }; + + fileSystems."/efi" = + { device = "/dev/disk/by-uuid/5E49-BE19"; + fsType = "vfat"; + options = [ "fmask=0137" "dmask=0027" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@home" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@nix" ]; + }; + + fileSystems."/var/cache" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_cache" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_log" ]; + }; + + fileSystems."/var/spool" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_spool" ]; + }; + + fileSystems."/var/tmp" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_tmp" ]; + 
}; + + fileSystems."/var/lib/machines" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_lib_machines" ]; + }; + + fileSystems."/var/lib/portables" = + { device = "/dev/disk/by-uuid/9d76cce0-7e9a-4828-8de2-aab9e07badae"; + fsType = "btrfs"; + options = [ "subvol=@var_lib_portables" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp131s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp132s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/remove_systemd_service.patch b/remove_systemd_service.patch new file mode 100644 index 0000000..bc9fbdf --- /dev/null +++ b/remove_systemd_service.patch @@ -0,0 +1,17 @@ +diff --git a/OpenRGB.pro b/OpenRGB.pro +index df7082b6..0022e5fa 100644 +--- a/OpenRGB.pro ++++ b/OpenRGB.pro +@@ -588,9 +588,9 @@ contains(QMAKE_PLATFORM, linux) { + icon.files+=qt/org.openrgb.OpenRGB.png + metainfo.path=$$PREFIX/share/metainfo/ + metainfo.files+=qt/org.openrgb.OpenRGB.metainfo.xml +- systemd_service.path=/etc/systemd/system +- systemd_service.files+=qt/openrgb.service +- INSTALLS += target desktop icon metainfo udev_rules systemd_service ++ # systemd_service.path=/etc/systemd/system ++ # systemd_service.files+=qt/openrgb.service ++ INSTALLS += target desktop icon metainfo udev_rules # systemd_service + } + + #-----------------------------------------------------------------------------------------------#