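{ config, pkgs, lib, ... }:

let
  # Site-specific settings (systemName, systemDesc, operator, bootDevice,
  # swapDevices). This `options` shadows nothing: the module function above
  # deliberately does not take the NixOS `options` argument.
  options = import ./options.nix;

  nixpkgs = lib.cleanSource pkgs.path;

  # A copy of the nixpkgs tree this system was built from, laid out like a
  # channel so that `nixos-rebuild` on the booted machine can find it.
  channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}"
    { preferLocalBuild = true; }
    ''
      mkdir -p $out
      cp -prd ${nixpkgs.outPath} $out/nixos
      chmod -R u+w $out/nixos
      if [ ! -e $out/nixos/nixpkgs ]; then
        ln -s . $out/nixos/nixpkgs
      fi
      echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
      echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix
      echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision
    '';
in
{
  # Bootloader is iPXE (see system.build.netbootIpxeScript below); no GRUB.
  boot.loader.grub.enable = false;

  # Kernel
  boot.kernelPackages = pkgs.linuxPackages_4_19;
  boot.kernelParams = [];
  hardware.enableRedistributableFirmware = true;

  # Autoload kernel modules by scanning hardware
  boot.hardwareScan = true;

  # Kernel modules available for loading for stage 1 boot
  boot.initrd.supportedFilesystems = [];
  boot.initrd.kernelModules = [ "loop" "intel_agp" "i915" ];
  boot.initrd.availableKernelModules = [
    "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "uas" "squashfs"
  ];

  # Kernel modules
  boot.kernelModules = [ "kvm-intel" "coretemp" ];
  boot.supportedFilesystems = [ "zfs" "nfs" ];

  boot.postBootCommands = ''
    # After booting, register the contents of the Nix store in the Nix database in the tmpfs.
    ${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration

    # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
    touch /etc/NIXOS
    ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system

    # Setup the default nix channel
    if ! [ -e /var/lib/nixos/did-channel-init ]; then
      echo "unpacking the NixOS/Nixpkgs sources..."
      mkdir -p /nix/var/nix/profiles/per-user/root
      ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
        -i ${channelSources} --quiet --option build-use-substitutes false
      mkdir -m 0700 -p /root/.nix-defexpr
      ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels
      mkdir -m 0755 -p /var/lib/nixos
      touch /var/lib/nixos/did-channel-init
    fi

    # Copy over the current configuration.
    # NOTE(review): `${"$"}{./.}` puts this whole directory (options.nix,
    # nameservers.nix, ...) into the world-readable Nix store and hence into
    # the squashfs image; keep secrets out of this directory.
    if ! [ -e /etc/nixos/configuration.nix ]; then
      cp -r -n ${./.}/. /etc/nixos
      # Files copied out of the store keep their read-only mode bits; make the
      # copy editable (same treatment channelSources gives its nixpkgs copy).
      chmod -R u+w /etc/nixos
    fi
  '';

  boot.runSize = "50%";    # /run
  boot.devShmSize = "50%"; # /dev/shm
  boot.devSize = "5%";     # /dev

  boot.zfs.devNodes = "/dev/disk/by-id";
  boot.zfs.forceImportAll = true;
  boot.zfs.forceImportRoot = true;

  # Root is a tmpfs; the store is a read-only squashfs (shipped inside the
  # initrd, see netbootRamdisk) overlaid with a tmpfs via unionfs-fuse.
  fileSystems = {
    "/" = {
      fsType = "tmpfs";
      options = [ "mode=0755" ];
    };
    "/nix/.ro-store" = {
      fsType = "squashfs";
      device = "../nix-store.squashfs";
      options = [ "loop" ];
      neededForBoot = true;
    };
    "/nix/.rw-store" = {
      fsType = "tmpfs";
      options = [ "mode=0755" ];
      neededForBoot = true;
    };
    "/nix/store" = {
      fsType = "unionfs-fuse";
      device = "unionfs";
      options = [
        "allow_other"
        "cow"
        "nonempty"
        "chroot=/mnt-root"
        "max_files=32768"
        "hide_meta_files"
        "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro"
      ];
    };
    "/srv" = {
      device = "rpool";
      fsType = "zfs";
    };
    "/tmp" = {
      device = "rpool/tmp";
      fsType = "zfs";
    };
  } // lib.optionalAttrs (options.bootDevice != null) {
    "/boot" = {
      device = options.bootDevice;
      fsType = "vfat";
    };
  };

  swapDevices = builtins.map (p: { device = p; }) options.swapDevices;

  # CPU
  hardware.cpu.intel.updateMicrocode = true;
  powerManagement.cpuFreqGovernor = "ondemand";

  # Video acceleration
  hardware.opengl.enable = true;
  hardware.opengl.driSupport = true;
  hardware.opengl.driSupport32Bit = true;
  hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau pkgs.libvdpau-va-gl ];

  # Audio
  sound.enable = false;
  sound.mediaKeys.enable = false;
  hardware.pulseaudio.enable = false;

  # Bluetooth
  hardware.bluetooth.enable = false;

  # Extra peripherals
  hardware.u2f.enable = true;
  hardware.sane.enable = false;

  # Networking
  networking = rec {
    hostName = options.systemName;
    # ZFS needs a stable 8-hex-digit hostId; derive it from the host name.
    hostId = builtins.substring 0 8 (builtins.hashString "sha256" hostName);
    defaultGateway = "43.245.163.41";
    nameservers = import ./nameservers.nix;
    firewall = {
      enable = true;
      allowPing = true;
      pingLimit = "--limit 3/second --limit-burst 5";
      allowedTCPPorts = [
        22    # ssh
        55555 # five 5s for custom TCP
      ];
      # SSH is TCP-only, so UDP 22 (previously listed here) is not opened.
      # NOTE(review): nothing in this file enables dnsmasq; if no other module
      # starts it, 53/67 can be closed.
      allowedUDPPorts = [
        53    # dnsmasq dns
        67    # dnsmasq dhcp
        55555 # five 5s for custom UDP
      ];
      rejectPackets = false;
      logRefusedConnections = true;
      logRefusedPackets = false;
      logRefusedUnicastsOnly = false;
    };
  };

  time.timeZone = "Australia/Sydney";
  i18n = {
    consoleKeyMap = "us";
    defaultLocale = "en_AU.UTF-8";
  };

  nix.maxJobs = 32;
  nix.buildCores = 0;
  nix.useSandbox = true;
  nix.readOnlyStore = true;
  nix.autoOptimiseStore = true;
  nix.extraOptions = ''
    fsync-metadata = true
  '';
  # NOTE(review): sandbox paths are visible to *every* sandboxed build on this
  # host, so any derivation built here can read whatever lives in /run/keys.
  # Confirm that is acceptable for the material placed there.
  nix.sandboxPaths = [ "/run/keys" ];
  nixpkgs.config.allowUnfree = true;

  environment.variables = {
    GC_INITIAL_HEAP_SIZE = "1M";
  };

  environment.systemPackages = with pkgs; [
    grub2_efi       # needed for building us?
    coreutils       # basic shell utilities
    gnused          # sed
    gnugrep         # grep
    gawk            # awk
    ncurses         # tput (terminal control)
    iw              # wireless configuration
    iproute         # ip, tc
    nettools        # hostname, ifconfig
    dmidecode       # dmidecode
    lshw            # lshw
    pciutils        # lspci, setpci
    usbutils        # lsusb
    utillinux       # linux system utilities
    cryptsetup      # luks
    mtools          # disk labelling
    smartmontools   # disk monitoring
    lm_sensors      # fan monitoring
    xorg.xbacklight # monitor brightness
    procps          # ps, top, pidof, vmstat, slabtop, skill, w
    psmisc          # fuser, killall, pstree, peekfd
    shadow          # passwd, su
    mkpasswd        # mkpasswd
    efibootmgr      # efi management
    openssh         # ssh
    gnupg           # encryption/decryption/signing
    hdparm          # disk info
    git             # needed for content addressed nixpkgs
  ];

  # Program configuration
  programs.zsh.enable = true;
  programs.zsh.enableCompletion = true;
  programs.bash.enableCompletion = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  programs.mtr.enable = true;

  documentation.enable = false;
  documentation.nixos.enable = false;

  # Virtualisation
  virtualisation.libvirtd.enable = true;
  virtualisation.docker = {
    enable = true;
    enableNvidia = true;
  };

  services = {
    mingetty = {
      greetingLine = ''[[[ \l @ \n (\s \r \m) ]]]'';
      # Console autologin for the operator; combined with the empty password
      # and passwordless sudo below, physical console access is root access.
      autologinUser = options.operator;
    };
    gpm.enable = true;
    avahi.enable = true;
    kmscon.enable = true;
    kmscon.hwRender = true;
    dbus.enable = true;
    haveged.enable = true;
    locate.enable = true;
    cron.enable = false;
    openssh = {
      enable = true;
      startWhenNeeded = true;
      # Key-only logins, no root over SSH: the empty passwords set under
      # `users` are therefore not reachable from the network via sshd.
      permitRootLogin = "no";
      passwordAuthentication = false;
      # NOTE(review): X11 forwarding is on although no X server runs here;
      # disable unless clients actually need it.
      forwardX11 = true;
      allowSFTP = true;
      # NOTE(review): lets SSH clients bind remote forwards on non-loopback
      # addresses, i.e. expose ports on this host's external interfaces.
      gatewayPorts = "clientspecified";
      ports = [ 22 ];
      extraConfig = ''
        PrintLastLog no
      '';
    };
    xserver = {
      enable = false;
      videoDrivers = [ "intel" "nvidia" ];
    };
  };

  users = {
    defaultUserShell = "/run/current-system/sw/bin/zsh";
    enforceIdUniqueness = true;
    users = {
      "${options.operator}" = {
        isNormalUser = true;
        # `docker` group membership is effectively root on the host.
        extraGroups = [ "wheel" "networkmanager" "video" "docker" ];
        # NOTE(review): an empty hash allows password-less local login (the
        # NixOS installer media do the same). Intended for an ephemeral
        # netboot image; revisit if this host is ever multi-user.
        initialHashedPassword = "";
      };
      root = {
        initialHashedPassword = "";
      };
    };
  };

  # Security
  security.sudo.wheelNeedsPassword = false;
  security.sudo.extraConfig = ''
    Defaults umask = 0022
    Defaults umask_override
  '';

  environment.etc."os-release".text = pkgs.lib.mkForce ''
    NAME="${options.systemDesc}"
    ID="${options.systemName}"
  '';

  system.nixos = {
    versionSuffix = lib.trivial.versionSuffix;
    revision = lib.removePrefix ".git." lib.trivial.versionSuffix;
  };

  # Netboot artefacts: the store as a squashfs, an initrd carrying it, and
  # the iPXE script that boots them. The script verifies detached signatures
  # on both kernel and initrd before booting (imgverify).
  system.build = {
    squashfsStore = pkgs.callPackage (pkgs.path + "/nixos/lib/make-squashfs.nix") {
      storeContents = [ config.system.build.toplevel ];
    };
    netbootRamdisk = pkgs.makeInitrd {
      inherit (config.boot.initrd) compressor;
      prepend = [ "${config.system.build.initialRamdisk}/initrd" ];
      contents = [
        {
          object = config.system.build.squashfsStore;
          symlink = "/nix-store.squashfs";
        }
      ];
    };
    netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
      #!ipxe
      kernel ${pkgs.stdenv.hostPlatform.platform.kernelTarget} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams}
      imgverify bzImage bzImage.sig
      initrd initrd
      imgverify initrd initrd.sig
      boot
    '';
  };
}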