From 3c49bbaf708762b0dcaa5499c9439d6f733916a4 Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Fri, 15 Nov 2024 16:23:15 -0500 Subject: [PATCH 1/6] Add packages, enable hardware monitoring and controls, add additional volume decryption --- hosts/default/configuration.nix | 52 +++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 4d206c9..7e6ed97 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -2,6 +2,12 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). +# New TODO: +# - investigate tmux-session-wizard, and tpm +# - see if zoxide can import .z file (from z.sh) +# - so far, have added aliases and bashrc directly, along with bin folder and ssh setup. +# - aaaaaah! so much + { config, pkgs, inputs, ... }: { @@ -23,10 +29,11 @@ # fsType = "btrfs"; # options = [ "subvol=5" ]; # }; - boot.initrd.luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/93922f23-d0ba-4405-adbb-9789d37e5985"; boot.initrd.luks.devices."nvme2n1p2_oldcrypt".device = "/dev/disk/by-uuid/44235dca-99e8-4ea8-9516-97d9f5a2d702"; - - + boot.kernelModules = [ "kvm-amd" "nct6775" ]; + + services.fwupd.enable = true; + services.hardware.openrgb.enable = true # Add flakes nix.settings.experimental-features = [ "nix-command" "flakes" ]; 
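Review bot: The only LUKS change in the second hunk is the removal of the `nvme0n1p2_crypt` entry, which does not match the subject's "add additional volume decryption"; if that partition still backs a filesystem that initrd has to unlock, the build will boot into a system that cannot open it, so confirm the line was meant to be deleted rather than moved. `services.hardware.openrgb.enable = true` is also missing its terminating `;`, so the file does not evaluate as committed (patch 3 of this series adds it). As I read the upstream module, enabling it runs OpenRGB as a root system service in SDK-server mode, which listens on a TCP port (6742 by default) with no authentication — fine while the NixOS firewall stays on, but the dependency is worth stating: `services.hardware.openrgb.enable = true; # root service; unauthenticated SDK server on TCP 6742, keep the firewall enabled`.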
@@ -133,17 +140,32 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - neovim - wget - curl - tmux - whois - git - wl-clipboard-rs - dogdns - bat - nix-search-cli - lsof + neovim # next gen vim w/lua + wget # url fetcher/spider + curl # url fetcher + tmux # terminal multiplexer + whois # net ip/dns lookup + git # version control + meld # file diff'r + wl-clipboard-rs # rust implementation of wayland clipboard cli + dogdns # a better dig cmd + bat # a better cat command + nix-search-cli # search the nix repo + lsof # show open file handles + eza # a better ls + lm_sensors # hardware monitoring (e.g. temps) + btop # cli sys monitor + direnv # autoload .envrc files + zoxide # directory navigator (z) + nextcloud-client # next cloud UI + file # show file types + tldr # cli command summary + stress # system workload generator + dmidecode # system settings provider (e.g. bios) + jq # json query + niv # dependency cli for nix-shell + openrgb-with-all-plugins # colors hardware control + just # command runner like make ]; nixpkgs.config.permittedInsecurePackages = [ @@ -189,7 +211,7 @@ }; programs.java.enable = true; - programs.steam.package = pkgs.steam.override { withJava = true; }; + #programs.steam.package = pkgs.steam.override { withJava = true; }; programs.steam.gamescopeSession.enable = true; From 4f66b47ae51c8f33f03ffe8d41e4db426c185c75 Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Wed, 20 Nov 2024 11:36:47 -0500 Subject: [PATCH 2/6] Add additional mount mappings (not active yet) --- hosts/default/configuration.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 7e6ed97..42c4c74 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix 
@@ -18,17 +18,24 @@ ./main-user.nix ]; - #fileSystems."/mnt" = + #fileSystems."/mnt/arch" = # { device = "/dev/disk/by-uuid/72db20ba-4dbd-4fb7-891c-b457e2cf9648"; # fsType = "btrfs"; # options = [ "subvol=5" ]; # }; - - #fileSystems."/mnt/home" = + #fileSystems."/mnt/arch/home" = # { device = "/dev/disk/by-uuid/4eda05c2-d434-495d-97a0-8a81e8a533ec"; # fsType = "btrfs"; # options = [ "subvol=5" ]; # }; + #fileSystems."/mnt/bulk" = + # { device = "/dev/disk/by-uuid/xxxx"; + # fsType = "ext4"; + # }; + #fileSystems."/mnt/slow" = + # { device = "/dev/disk/by-uuid/xxxx"; + # fsType = "etx4"; + # }; boot.initrd.luks.devices."nvme2n1p2_oldcrypt".device = "/dev/disk/by-uuid/44235dca-99e8-4ea8-9516-97d9f5a2d702"; boot.kernelModules = [ "kvm-amd" "nct6775" ]; From b95a578a9b130fbeca856e448b7a663bcb4c6d46 Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Wed, 20 Nov 2024 11:37:17 -0500 Subject: [PATCH 3/6] Enable rgb control --- hosts/default/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 42c4c74..5a40f7b 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -40,7 +40,7 @@ boot.kernelModules = [ "kvm-amd" "nct6775" ]; services.fwupd.enable = true; - services.hardware.openrgb.enable = true + services.hardware.openrgb.enable = true; # Add flakes nix.settings.experimental-features = [ "nix-command" "flakes" ]; From 26d0f14bf39cae43e2556d9c8a4e3515cbded4c5 Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Wed, 20 Nov 2024 11:40:14 -0500 Subject: [PATCH 4/6] XDEBUG needs this port...determine how to limit this, if possible --- hosts/default/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 5a40f7b..0b667fc 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix 
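Review bot: The `/mnt/slow` entry has `fsType = "etx4"`, which fails the moment the block is uncommented; it should read `fsType = "ext4";`. Both new entries still carry the placeholder `xxxx` UUIDs, so an accidental uncomment would break activation rather than mount anything. Since these are secondary data disks, consider adding `options = [ "nofail" ];` to each so a missing or failed drive does not drop boot into the emergency shell.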
@@ -141,6 +141,8 @@ virtualisation.docker.storageDriver = "btrfs"; # Only when using BTRFS! (wolcen approved!) # Required for DDEV to add hosts files, if your DNS will not resolve addresses to localhost. environment.etc.hosts.mode = "0644"; + # For xdebug...verify actual necessity (...I still doubt it) + networking.firewall.allowedTCPPorts = [ 9003 ]; # Allow unfree packages nixpkgs.config.allowUnfree = true; From f48580c7f21e89bc7eb48a4f29c261460814c5ca Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Wed, 20 Nov 2024 11:41:07 -0500 Subject: [PATCH 5/6] Move git package: use programs.* for additional settings --- hosts/default/configuration.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 0b667fc..e1acc00 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -154,7 +154,6 @@ curl # url fetcher tmux # terminal multiplexer whois # net ip/dns lookup - git # version control meld # file diff'r wl-clipboard-rs # rust implementation of wayland clipboard cli dogdns # a better dig cmd @@ -176,7 +175,10 @@ openrgb-with-all-plugins # colors hardware control just # command runner like make ]; - + programs.git = { + enable = true; + lfs.enable = true; + }; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; From ae9036f47f2240e74d76b1e7708d5a1bc6bffa12 Mon Sep 17 00:00:00 2001 From: Chris Thompson <chris@agaric.com> Date: Sat, 7 Dec 2024 22:17:13 -0500 Subject: [PATCH 6/6] Lazy bulk update after a number of things --- flake.lock | 12 +++--- hosts/default/configuration.nix | 73 ++++++++++++++++++++++++++++++--- hosts/default/main-user.nix | 36 ++++++++++++---- 3 files changed, 101 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index c9c4de9..d07c620 100644 --- a/flake.lock +++ b/flake.lock 
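Review bot: `networking.firewall.allowedTCPPorts = [ 9003 ];` opens the Xdebug listener on every interface, so any host on the LAN can reach the IDE's debug port, whereas the only client that needs it is the PHP process inside the DDEV container connecting back to the host over the docker bridge. NixOS supports per-interface rules, which is the mechanism the commit message is asking for: `networking.firewall.interfaces."docker0".allowedTCPPorts = [ 9003 ];` (assuming DDEV uses the default `docker0` bridge; a custom network would need its own interface name). Note also that `allowedTCPPorts` is a list option, so this definition merges with any other module that sets it rather than replacing it.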
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1730837930, - "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=", + "lastModified": 1733484277, + "narHash": "sha256-i5ay20XsvpW91N4URET/nOc0VQWOAd4c4vbqYtcH8Rc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f607e07f3ac7e53541120536708e824acccfaa8", + "rev": "d00c6f6d0ad16d598bf7e2956f52c1d9d5de3c3a", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730785428, - "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", + "lastModified": 1733392399, + "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", + "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661", "type": "github" }, "original": { diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index e1acc00..64191cf 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -46,6 +46,9 @@ # Feel like I should be sure this is safe w/flakes first: #system.autoUpgrade.enable = true; + # sets up things so envs can do shebang whatever + # instead of #!/usr/bin/env whatever + #services.envfs.enable = true; # Bootloader. boot.loader.systemd-boot.enable = true; @@ -96,6 +99,8 @@ #}; # Enable CUPS to print documents. + # ...no. Recent security issues, prefer disabled + # apps like e.g. LibreOffice can still generate pdf's (e.g. to stand in [generally] for Print to pdf) # services.printing.enable = true; # Enable sound with pipewire. @@ -117,6 +122,7 @@ # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. + # Note that extraGroups overrides the module defaults entirely (they don't merge...probably a lib.* thing for that?) # Pull defaults from main-user: main-user.enable = true; main-user.userName = "wolcen"; 
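Review bot: The new comment in the last hunk says `extraGroups` overrides the module defaults and does not merge, but `users.users.<name>.extraGroups` is a list-of-strings option and the NixOS module system concatenates list definitions, so the `[ "wheel" "networkmanager" "docker" ]` from main-user.nix and the list in configuration.nix should both apply unless one side uses `lib.mkForce`. If a group really went missing, the cause is probably elsewhere (new groups only take effect after a fresh login), so re-check with `id wolcen` after a rebuild. Group membership is the privilege boundary on this host, so the comment should say what actually happens, e.g. `# extraGroups is a list option: the definitions here and in main-user.nix are merged (concatenated)`.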
@@ -124,7 +130,7 @@ users.users.wolcen = { description = "Chris Thompson"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdxdKYrlwOolJpYxvWu6gW/60pzT6aKN6JHhnTSBFqN wolcen@typhoon" ]; - extraGroups = [ "networkmanager" "wheel" ]; + extraGroups = [ "networkmanager" "wheel" "docker" "dialout" ]; }; home-manager = { @@ -139,9 +145,16 @@ # Add docker! virtualisation.docker.enable = true; virtualisation.docker.storageDriver = "btrfs"; # Only when using BTRFS! (wolcen approved!) - # Required for DDEV to add hosts files, if your DNS will not resolve addresses to localhost. - environment.etc.hosts.mode = "0644"; - # For xdebug...verify actual necessity (...I still doubt it) + + # Required for DDEV to add hosts files, if your DNS will not resolve addresses to localhost. + # Some firewall DNS resolvers will NOT allow an externally resolved domain name to resolve to a reserved IP (e.g. localhost). + # This is a security protection method that can assist attackers with discovery of a LAN. + # With fpSense, you can tell unbound (or dnsmasq) to resolve *.ddev.site to 127.0.0.1 and remove this mode statement + # See https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html + # environment.etc.hosts.mode = "0644"; + + # For xdebug...verify actual necessity + # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know. networking.firewall.allowedTCPPorts = [ 9003 ]; # Allow unfree packages nixpkgs.config.allowUnfree = true; @@ -163,6 +176,7 @@ eza # a better ls lm_sensors # hardware monitoring (e.g. temps) btop # cli sys monitor + amdgpu_top # top-like monitor for AMD GPUs direnv # autoload .envrc files zoxide # directory navigator (z) nextcloud-client # next cloud UI 
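Review bot: Adding `"docker"` gives the account unrestricted access to the Docker socket, which is root-equivalent (a container can bind-mount `/` from the host); with `wheel` already present this also bypasses the sudo prompt entirely. If root without a prompt is not the intent, `virtualisation.docker.rootless.enable = true;` with `setSocketVariable = true;` avoids the group, though DDEV's support for rootless Docker should be confirmed first. At minimum the line deserves a why-comment: `extraGroups = [ "networkmanager" "wheel" "docker" "dialout" ]; # docker => root-equivalent via the socket`.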
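Review bot: The new comment in the second hunk inverts the security argument: a resolver that refuses to return reserved addresses for external names is DNS-rebinding protection, which blocks the LAN-discovery attack rather than assisting it, so the sentence should read roughly `# This is DNS rebinding protection: without it an attacker-controlled domain could be pointed at localhost/LAN addresses.` `fpSense` is also a typo for `pfSense`. Commenting out `environment.etc.hosts.mode` returns `/etc/hosts` to a read-only store symlink, which is the safer default; the note should state that DDEV will fail to write it until the resolver-side wildcard is in place.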
@@ -174,15 +188,48 @@ niv # dependency cli for nix-shell openrgb-with-all-plugins # colors hardware control just # command runner like make + #ansible # configuration management system/automation tool + kdePackages.kcachegrind # analyze xdebug output + libreoffice-qt # libreoffice - qt is best for KDE + hunspell # spell checking + hunspellDicts.en_US # spell check dictionary + #corectl # this doesn't exist???? + magic-wormhole # transfer files with ease + screen # terminal multiplexer...from GNU + gnumake # build automation tool + #git-open # open the url of the project in web + diffr # another diff hilighting tool + brave # privacy oriented browser + zig # the zig language ]; programs.git = { enable = true; lfs.enable = true; }; + # Orchestrator for FOSS VR stack + #programs.envision = { + # enable = true; + # openFirewall = true; # This is set true by default + #}; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; + #fonts = { + # fontconfig.enable = true; + # enableFontDir = true; + # enableGhostscriptFonts = true; + # fonts = with pkgs; [ + # corefonts + # dejavu_fonts + # inconsolata + # source-han-sans-japanese + # source-han-sans-korean + # source-han-sans-simplified-chinese + # source-han-sans-traditional-chinese + # ubuntu_font_family + # ]; + #}; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; @@ -195,6 +242,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; + services.openssh.ports = [ 2112 ]; # must be a list...for some reason. + # Enable mobile shell (for roaming, intermittent connectivity, etc) + programs.mosh.enable = true; # RX 6700 XT setup hardware.graphics.extraPackages = [ 
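Review bot: Moving sshd to port 2112 changes nothing about what authenticates, and the hunk does not set `services.openssh.settings.PasswordAuthentication = false;` / `services.openssh.settings.KbdInteractiveAuthentication = false;` even though an `openssh.authorizedKeys` entry for the user is already configured in the same patch; unless that is set elsewhere in the file, password logins remain accepted on the new port. Both `services.openssh.openFirewall` and, as I recall, `programs.mosh.openFirewall` default to true, so this hunk opens TCP 2112 plus the mosh UDP range 60000–61000 — worth a comment such as `programs.mosh.enable = true; # opens UDP 60000-61000 via openFirewall default`. The `# must be a list...for some reason` remark can become `# list: sshd may listen on several ports`.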
@@ -220,8 +270,18 @@ dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers }; - - programs.java.enable = true; + # VR + #Commmand: `renice -20 -p $(pgrep monado)` may help w/issues + services.monado = { + enable = true; + defaultRuntime = true; # Register as default OpenXR runtime + #environment.WMR_HANDTRACKING = "1"; # Enable for hand tracking + #environment.U_PACING_COMP_MIN_TIME_MS = "5"; # This is a tweak for something...I forgot + }; + # allow clock adjustments/priority change, etc (gamemoderun ./game) + # https://wiki.nixos.org/wiki/GameMode + programs.gamemode.enable = true; # for performance mode + #programs.java.enable = true; #programs.steam.package = pkgs.steam.override { withJava = true; }; programs.steam.gamescopeSession.enable = true; @@ -241,3 +301,4 @@ system.stateVersion = "24.05"; # Did you read the comment? } + diff --git a/hosts/default/main-user.nix b/hosts/default/main-user.nix index 0543bd0..a123ae3 100644 --- a/hosts/default/main-user.nix +++ b/hosts/default/main-user.nix 
@@ -19,17 +19,37 @@ in isNormalUser = true; initialPassword = "B@dC0d3MangFIX|T"; description = lib.mkDefault "Just a normal admin"; + # groups: wheel => sudo access, dialout => serial access extraGroups = [ "wheel" "networkmanager" "docker" ]; packages = with pkgs; [ - kdePackages.kate - thunderbird - keepassxc - macchina - z-lua + #kdePackages.kate # ... why did I add this? + thunderbird # email client + keepassxc # passwords! + macchina # like *fetch - display basics + z-lua # jump around directories (be careful with same-named ones!) logseq # REQUIRES TEMPORARY INSECURE ELECTRON - signal-desktop - ddev - vscodium + signal-desktop # messaging + ddev # local docker dev awesome + vscodium # vs code editor, but free + # go to 2.17 when no more servers w/python issues (elizabeth) + ansible_2_16 # deployment/automation + #python311Full # troubleshooting ansible things. + #python311Packages.ansible + # php added for ansible composer build temporarily + # switch to an ansible build environment instead. + php81 + php81Packages.composer + php81Packages.composer + php81Extensions.zip + php81Extensions.xml + php81Extensions.dom + php81Extensions.bz2 + php81Extensions.yaml + php81Extensions.zlib + php81Extensions.zstd + php81Extensions.intl + php81Extensions.curl + php81Extensions.posix ]; }; };
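Review bot: The new comment `# groups: wheel => sudo access, dialout => serial access` documents a `dialout` group that this `extraGroups` list does not contain (it only appears in configuration.nix), so either add it here or trim the comment to the groups actually listed. `php81Packages.composer` appears twice in the new package list; drop the duplicate. Outside the changed lines but in the same block, `initialPassword = "B@dC0d3MangFIX|T"` ends up in the world-readable Nix store and in git history; prefer `initialHashedPassword` or `hashedPasswordFile`, and rotate the value if this repository is shared.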