etcnixos -> system

system/common.nix

@@ -0,0 +1,285 @@
+{
+  config,
+  pkgs,
+  lib,
+  username,
+  system,
+  hostname,
+  inputs,
+  niri-package,
+  ...
+}:
+{
+  imports = [
+    ./declarative-nm.nix
+    # ./vm.nix
+    ./steam.nix
+    ./networking.nix
+
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+    inputs.disko.nixosModules.disko
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  # use tuned instead of tlp or ppd
+  services.power-profiles-daemon.enable = false;
+  services.tlp.enable = false;
+  services.tuned.enable = true;
+
+  # allow overclocking (I actually underclock but lol)
+  hardware.amdgpu.overdrive.ppfeaturemask = "0xFFF7FFFF";
+
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.amd.updateMicrocode = true;
+
+  services.kmscon.enable = true;
+
+  # Add niri to display manager session packages
+  services.displayManager.sessionPackages = [ niri-package ];
+
+  # Gamescope configuration for Steam Deck-like experience
+  programs = {
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
+    steam = {
+      enable = true;
+      gamescopeSession.enable = true;
+    };
+  };
+
+  system.activationScripts = {
+    # FIX: https://github.com/NixOS/nix/issues/2982
+    "profile-channel-dummy".text = ''
+      #!/bin/sh
+      mkdir -p /nix/var/nix/profiles/per-user/root/channels
+    '';
+
+    # extract all my secureboot keys
+    # TODO! proper secrets management
+    "secureboot-keys".text = ''
+      #!/usr/bin/env sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${lib.getExe pkgs.gnutar} xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+    '';
+  };
+
+  swapDevices = [ ];
+
+  nix = {
+    # optimize the store
+    optimise.automatic = false;
+
+    # enable flakes!
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+
+  # allow unfree packages for jovian-nixos
+  nixpkgs.config.allowUnfree = true;
+
+  # kernel options
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    # kernelPackages = pkgs.linuxPackages;
+
+    lanzaboote = {
+      enable = true;
+      # TODO: proper secrets management so this is not stored in nix store
+      pkiBundle = "/var/lib/sbctl";
+    };
+
+    # Bootloader.
+    loader = {
+      efi.canTouchEfiVariables = true;
+
+      timeout = 1;
+      /*
+        Lanzaboote currently replaces the systemd-boot module.
+        This setting is usually set to true in configuration.nix
+        generated at installation time. So we force it to false
+        for now.
+      */
+      systemd-boot.enable = lib.mkForce false;
+      systemd-boot.configurationLimit = 10;
+    };
+
+    initrd = {
+      compressor = "zstd";
+      availableKernelModules = [
+        "xhci_pci"
+        "thunderbolt"
+        "nvme"
+        "usbhid"
+        "amdgpu"
+      ];
+    };
+
+    kernelModules = [
+      "kvm-amd"
+      "ip_tables"
+      "iptable_nat"
+      "msr"
+      "btusb"
+    ];
+  };
+
+  environment.etc = {
+    # override default nixos /etc/issue
+    "issue".text = "";
+  };
+
+  services = {
+    # fwupd for updating firmware
+    fwupd = {
+      enable = true;
+      extraRemotes = [ "lvfs-testing" ];
+    };
+
+    # auto detect network printers
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
+
+    # Enable CUPS to print documents.
+    printing = {
+      enable = true;
+      drivers = with pkgs; [ hplip ];
+    };
+
+    # I don't want fingerprint login
+    fprintd.enable = false;
+
+    # Making sure mullvad works on boot
+    mullvad-vpn.enable = true;
+
+    # power statistics
+    upower.enable = true;
+  };
+
+  # EST
+  time.timeZone = "America/New_York";
+
+  security = {
+    # lets use doas and not sudo!
+    doas.enable = true;
+    sudo.enable = false;
+    # Configure doas
+    doas.extraRules = [
+      {
+        users = [ username ];
+        keepEnv = true;
+        persist = true;
+      }
+    ];
+  };
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  # Enable Bluetooth
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+
+    # Enable experimental features for battery % of bluetooth devices
+    settings.General.Experimental = true;
+  };
+
+  # Apply gtk themes by enabling dconf
+  programs.dconf.enable = true;
+
+  # Enable sound with pipewire.
+  services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  # Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
+  users.users.${username} = {
+    isNormalUser = true;
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+      "video"
+      "camera"
+      "adbusers"
+    ];
+    # TODO! this is really bad :( I should really figure out how to do proper secrets management
+    hashedPasswordFile = "${./secrets/password-hash}";
+  };
+
+  services.gvfs.enable = true;
+  programs.gphoto2.enable = true;
+
+  programs.adb.enable = true;
+
+  # Enable thermal data
+  services.thermald.enable = true;
+
+  services.pcscd.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-curses;
+    enableSSHSupport = false;
+  };
+
+  # System packages
+  environment.systemPackages = with pkgs; [
+    mullvad-vpn
+
+    #secureboot ctl
+    sbctl
+
+    dmidecode
+
+    doas-sudo-shim
+
+    glib
+    usbutils
+    libmtp
+    man-pages
+    man-pages-posix
+
+    # needed for home-manager
+    git
+  ];
+
+  # wayland with electron/chromium applications
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
+  programs.fish.enable = true;
+  programs.bash = {
+    interactiveShellInit = ''
+      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+      then
+        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+        exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
+      fi
+    '';
+  };
+
+  # port 53317 for localsend
+  networking.firewall.allowedUDPPorts = [ 53317 ];
+  networking.firewall.allowedTCPPorts = [ 53317 ];
+
+  system.stateVersion = "25.05";
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  documentation.enable = true;
+  documentation.man.enable = true;
+  documentation.dev.enable = true;
+}

system/declarative-nm.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+# from: https://discourse.nixos.org/t/imperative-declarative-wifi-networks-with-wpa-supplicant/12394/6
+let
+  cfg = config.networking.networkmanager;
+
+  getFileName = lib.stringAsChars (x: if x == " " then "-" else x);
+
+  createWifi = ssid: opt: {
+    name = "NetworkManager/system-connections/${getFileName ssid}.nmconnection";
+    value = {
+      mode = "0400";
+      source = pkgs.writeText "${ssid}.nmconnection" ''
+        [connection]
+        id=${ssid}
+        type=wifi
+
+        [wifi]
+        ssid=${ssid}
+
+        [wifi-security]
+        ${lib.optionalString (opt.psk != null) ''
+          key-mgmt=wpa-psk
+          psk=${opt.psk}''}
+      '';
+    };
+  };
+
+  keyFiles = lib.mapAttrs' createWifi config.networking.wireless.networks;
+in
+{
+  config = lib.mkIf cfg.enable {
+    environment.etc = keyFiles;
+
+    systemd.services.NetworkManager-predefined-connections = {
+      restartTriggers = lib.mapAttrsToList (name: value: value.source) keyFiles;
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.coreutils}/bin/true";
+        ExecReload = "${pkgs.networkmanager}/bin/nmcli connection reload";
+      };
+      reloadIfChanged = true;
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}

system/hardware_laptop.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                passwordFile = "${./secrets/disk-password}";
+                content = {
+                  type = "filesystem";
+                  format = "f2fs";
+                  mountpoint = "/";
+                  extraArgs = [
+                    "-O"
+                    "extra_attr,inode_checksum,sb_checksum,compression"
+                  ];
+                  mountOptions = [
+                    "compress_algorithm=zstd:6,compress_chksum,atgc,gc_merge,lazytime,nodiscard"
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+}

system/impermanence-disk-config.nix

@@ -0,0 +1,52 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            persistent = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/persistent";
+              };
+            };
+            nix = {
+              size = "200G";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/nix";
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "size=2G"
+          "mode=755"
+        ];
+      };
+    };
+  };
+
+  fileSystems."/persistent".neededForBoot = true;
+  fileSystems."/nix".neededForBoot = true;
+}

system/impermanence.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  username,
+  ...
+}:
+{
+  environment.persistence."/persistent" = {
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/systemd/coredump"
+      "/var/lib/nixos"
+      "/var/lib/systemd/timers"
+    ];
+
+    files = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/machine-id"
+    ];
+
+    users.${username} = {
+      directories = [
+        "."
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /etc 755 root"
+  ];
+}

system/networking.nix

@@ -0,0 +1,26 @@
+{ hostname, ... }:
+{
+  # speed up boot times (by about three seconds)
+  systemd.services.NetworkManager-wait-online.enable = false;
+
+  networking = {
+    hostName = hostname;
+
+    networkmanager = {
+      enable = true;
+
+      insertNameservers = [
+        "1.1.1.1"
+        "9.9.9.9"
+      ];
+
+      wifi = {
+        scanRandMacAddress = true;
+        # fix suspend issue
+        powersave = false;
+      };
+    };
+
+    wireless.networks = import ./secrets/wifi-passwords.nix;
+  };
+}

system/no-rgb.nix

@@ -0,0 +1,43 @@
+{ pkgs, lib, ... }:
+{
+  systemd.services.no-rgb =
+    let
+      no-rgb = (
+        pkgs.writeShellApplication {
+          name = "no-rgb";
+          runtimeInputs = with pkgs; [
+            openrgb
+            coreutils
+            gnugrep
+          ];
+
+          text = ''
+            #!/bin/sh
+            set -e
+
+            NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
+
+            for i in $(seq 0 $((NUM_DEVICES - 1))); do
+              openrgb --noautoconnect --device "$i" --mode direct --color 000000
+            done
+          '';
+        }
+      );
+    in
+    {
+      description = "disable rgb";
+      serviceConfig = {
+        ExecStart = "${lib.getExe no-rgb}";
+        Type = "oneshot";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+  services.hardware.openrgb.enable = true;
+  services.udev.packages = [ pkgs.openrgb ];
+  hardware.i2c.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    openrgb-with-all-plugins
+  ];
+}

system/steam.nix

@@ -0,0 +1,28 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "steam"
+      "steam-original"
+      "steam-unwrapped"
+      "steam-run"
+    ];
+
+  programs.steam = {
+    enable = true;
+    extraCompatPackages = with pkgs; [ proton-ge-bin ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    steamtinkerlaunch
+    mangohud
+    goverlay
+    yad
+  ];
+}

system/system-mreow.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  username,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./common.nix
+    ./hardware_laptop.nix
+
+    inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series
+  ];
+
+  # completely and utterly broken
+  /*
+    hardware.framework.laptop13.audioEnhancement = {
+      enable = true;
+
+      # seems audio doesn't work without this
+      hideRawDevice = false;
+    };
+  */
+
+  # PST
+  # time.timeZone = lib.mkForce "America/Los_Angeles";
+
+  # weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
+  # if I move to another lock screen program, i will have to replace `swaylock`
+  security.pam.services.swaylock = { };
+
+  # disable framework kernel module
+  # https://github.com/NixOS/nixos-hardware/issues/1330
+  hardware.framework.enableKmod = false;
+
+  # Greetd display manager
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${lib.getExe pkgs.tuigreet} --sessions /etc/xdg/wayland-sessions/ --time";
+        user = username;
+      };
+      terminal.vt = lib.mkForce 2;
+    };
+  };
+
+  environment.etc."xdg/wayland-sessions/niri-session.desktop".text = ''
+    [Desktop Entry]
+    Name=Niri Session
+    Comment=Niri Wayland compositor
+    Exec=niri-session
+    Type=Application
+    DesktopNames=niri
+  '';
+}

system/system-yarn.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  pkgs,
+  lib,
+  username,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./impermanence-disk-config.nix
+    ./common.nix
+    ./impermanence.nix
+    ./no-rgb.nix
+    ./vr.nix
+
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
+    inputs.impermanence.nixosModules.impermanence
+    inputs.disko.nixosModules.disko
+    inputs.jovian-nixos.nixosModules.default
+  ];
+
+  fileSystems."/media/games" = {
+    device = "/dev/disk/by-uuid/1878136e-765d-4784-b204-3536ab4fdac8";
+    fsType = "f2fs";
+    options = [ "nofail" ];
+  };
+
+  networking.hostId = "abf570f9";
+
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+  ];
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+  ];
+
+  programs.steam = {
+    remotePlay.openFirewall = true;
+    localNetworkGameTransfers.openFirewall = true;
+  };
+
+  # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
+  environment.systemPackages = with pkgs; [
+    lact
+  ];
+  systemd.packages = with pkgs; [ lact ];
+  systemd.services.lactd.wantedBy = [ "multi-user.target" ];
+
+  systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
+
+  jovian = {
+    devices.steamdeck.enable = false;
+    steam = {
+      enable = true;
+      autoStart = true;
+      desktopSession = "niri";
+      user = username;
+    };
+  };
+
+  # Disable gamescope from common.nix to avoid conflict with jovian-nixos
+  programs.gamescope.enable = lib.mkForce false;
+}

system/vm.nix

@@ -0,0 +1,61 @@
+{
+  pkgs,
+  username,
+  lib,
+  ...
+}:
+{
+  programs.virt-manager.enable = true;
+
+  users.groups.libvirtd.members = [ username ];
+
+  virtualisation.libvirtd = {
+    enable = true;
+
+    package = pkgs.libvirt;
+
+    qemu = {
+      package = (
+        pkgs.qemu_kvm.overrideAttrs (old: {
+          patches = old.patches ++ [
+            # amd?
+            (pkgs.fetchpatch {
+              url = "https://github.com/Scrut1ny/Hypervisor-Phantom/raw/d09d66813570704e2b05440f290d6f9bdf2d26c7/Hypervisor-Phantom/patches/QEMU/amd-qemu-9.2.0.patch";
+              sha256 = "BbzgjRa3qaYH1yXXqU6M/S68SxXWpAc9ObTG5qXu6YA=";
+            })
+
+            # or intel!
+            /*
+              (pkgs.fetchpatch {
+                url = "https://github.com/Scrut1ny/Hypervisor-Phantom/raw/d09d66813570704e2b05440f290d6f9bdf2d26c7/Hypervisor-Phantom/patches/QEMU/intel-qemu-9.2.0.patch";
+                sha256 = "kXY6R/0Tsotf0mGUIevDLlLWHEznnF1dt0K2ayX7XAg=";
+              })
+            */
+          ];
+        })
+      );
+
+      ovmf.packages = lib.mkForce [
+        (pkgs.OVMF.overrideAttrs (old: {
+          secureBoot = true;
+          tpmSupport = true;
+          # TODO! add patches from: https://github.com/Scrut1ny/Hypervisor-Phantom/tree/main/Hypervisor-Phantom/patches/EDK2
+        })).fd
+      ];
+    };
+  };
+
+  virtualisation.spiceUSBRedirection.enable = true;
+
+  users.users."${username}".extraGroups = [ "libvirtd" ];
+
+  # boot.kernelPatches = [
+  #   {
+  #     name = "undetected-kvm";
+  #     patch = pkgs.fetchurl {
+  #       url = "https://raw.githubusercontent.com/Scrut1ny/Hypervisor-Phantom/d09d66813570704e2b05440f290d6f9bdf2d26c7/Hypervisor-Phantom/patches/Kernel/linux-6.13-svm.patch";
+  #       sha256 = "zz18xerutulLGzlHhnu26WCY8rVQXApyeoDtCjbejIk=";
+  #     };
+  #   }
+  # ];
+}

system/vr.nix

@@ -0,0 +1,49 @@
+{
+  pkgs,
+  inputs,
+  lib,
+  ...
+}:
+{
+
+  # for FO4 VR:
+  # doesn't work. it's like the wivrn stuff doesn't transfer past MO2
+  # `echo "PRESSURE_VESSEL_FILESYSTEMS_RW=$XDG_RUNTIME_DIR/wivrn/comp_ipc %command%" | sed -r "s/proton waitforexitandrun .*/proton waitforexitandrun \/media\/games\/fallout4vr_essentials_overhaul\/ModOrganizer.exe \"moshortcut:\/\/:Play Fallout Essentials\" /" | sh`
+
+  services.wivrn = {
+    enable = true;
+    openFirewall = true;
+
+    # Write information to /etc/xdg/openxr/1/active_runtime.json, VR applications
+    # will automatically read this and work with wivrn
+    defaultRuntime = true;
+
+    # Executing it through the systemd service executes WiVRn w/ CAP_SYS_NICE
+    # Resulting in no stutters!
+    autoStart = true;
+
+    # Config for WiVRn
+    config = {
+      enable = true;
+      json = {
+        # 1.0x display scaling
+        scale = 1.0;
+        # 100 Mb/s
+        bitrate = 100000000;
+        encoders = [
+          {
+            encoder = "vaapi";
+            codec = "h265";
+            # 1.0 x 1.0 scaling
+            width = 1.0;
+            height = 1.0;
+            offset_x = 0.0;
+            offset_y = 0.0;
+          }
+        ];
+
+        application = [ pkgs.wlx-overlay-s ];
+      };
+    };
+  };
+}