123

machines/AMD-Workstation/boot.nix

@@ -52,13 +52,19 @@ in {
 
   persist = {
     enable = true;
-    cache.clean.enable = false;
+    cache.clean.enable = true;
     # state.files = [
     #   "/etc/machine-id"
     #   "/etc/NIXOS"
     # ];
   };
 
+  fileSystems."/" = lib.mkForce {
+    device = "none";
+    options = [ "defaults" "size=4G" "mode=755" ];
+    fsType = "tmpfs";
+  };
+
   fileSystems."/home".neededForBoot = true;
   fileSystems."/persist".neededForBoot = true;
   boot.initrd.postDeviceCommands = lib.mkAfter ''

machines/AMD-Workstation/hardware-configuration.nix

@@ -13,10 +13,10 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  # fileSystems."/" =
-    { device = "rpool/nixos/root";
+  #   { device = "rpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+  #     fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
+  #   };
 
   fileSystems."/home" =
     { device = "rpool/user/home";

modules/autoinstall/install.nix

@@ -264,7 +264,9 @@ in ''
   zfs create -o canmount=on -o mountpoint=/media/bittorrent -o atime=off -o recordsize=16K -o compression=lz4 rpool/persistent/bittorrent
   chown 1000:100 /mnt/media/bittorrent
   chmod 775 /mnt/media/bittorrent
-  zfs create -o canmount=on -o mountpoint=/media/libvirt -o atime=off -o recordsize=16K -o compression=lz4 rpool/persistent/libvirt
+  zfs create -o canmount=on -o mountpoint=/var/lib/libvirt rpool/persistent/libvirt
+  zfs create -o canmount=on -o mountpoint=/media/libvirt rpool/persistent/libvirt-user
+  zfs create -o canmount=on -o mountpoint=/media/libvirt/images -o atime=off -o recordsize=16K -o compression=lz4 rpool/persistent/libvirt-user/images
   chown 1000:67 /mnt/media/libvirt
   chmod 775 /mnt/media/libvirt
 
@@ -285,6 +287,9 @@ in ''
   zfs snapshot rpool/persistent/nixos-containers@empty
   zfs snapshot rpool/persistent/bittorrent@empty
   zfs snapshot rpool/persistent/libvirt@empty
+  zfs snapshot rpool/persistent/libvirt-user@empty
+  zfs snapshot rpool/persistent/libvirt-user/images@empty
+
 
   if [ "${cfg.createBootPool}" = "true" ]; then
     pprint "Create ZFS boot pool on $bootPool"

modules/passthrough/default.nix

@@ -1,8 +1,3 @@
 {
-  # Add your NixOS modules here
+  imports = [ ./virtualisation.nix ./vfio.nix ];
-  #
-  # libvirt = ./libvirt.nix;
-  # vfio = ./vfio.nix;
-  # virtualisation.nix = ./virtualisation.nix;
-  imports = [ ./virtualisation.nix ./vfio.nix ./libvirt.nix ];
 }

modules/passthrough/libvirt.nix

@@ -1,37 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-let
-  cfg = config.virtualisation.libvirtd;
-
-  boolToZeroOne = x: if x then "1" else "0";
-
-  aclString = with lib.strings;
-    concatMapStringsSep ''
-      ,
-        '' escapeNixString cfg.deviceACL;
-in {
-  options.virtualisation.libvirtd = {
-    deviceACL = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-    };
-    clearEmulationCapabilities = mkOption {
-      type = types.bool;
-      default = true;
-    };
-  };
-
-  config.users.users."qemu-libvirtd" = {
-    extraGroups = optionals (!cfg.qemu.runAsRoot) [ "kvm" "input" ];
-    isSystemUser = true;
-  };
-
-  config.virtualisation.libvirtd.qemu.verbatimConfig = ''
-    clear_emulation_capabilities = ${
-      boolToZeroOne cfg.clearEmulationCapabilities
-    }
-    cgroup_device_acl = [
-      ${aclString}
-    ]
-  '';
-}

modules/passthrough/vfio.nix

@@ -2,48 +2,55 @@
 with lib;
 let
   cfg = config.virtualisation.vfio;
-  acscommit = "1ec4cb0753488353e111496a90bdfbe2a074827e";
+  cfg-libvirtd = config.virtualisation.libvirtd;
+  boolToZeroOne = x: if x then "1" else "0";
+  aclString = with lib.strings;
+    concatMapStringsSep ''
+      ,
+        '' escapeNixString cfg.deviceACL;
 in {
-  options.virtualisation.vfio = {
+  options.virtualisation = {
-    enable = mkEnableOption "VFIO Configuration";
+    vfio = {
-    IOMMUType = mkOption {
+      enable = mkEnableOption "VFIO Configuration";
-      type = types.enum [ "intel" "amd" ];
+      IOMMUType = mkOption {
-      example = "intel";
+        type = types.enum [ "intel" "amd" ];
-      description = "Type of the IOMMU used";
+        example = "intel";
+        description = "Type of the IOMMU used";
+      };
+      devices = mkOption {
+        type = types.listOf (types.strMatching "[0-9a-f]{4}:[0-9a-f]{4}");
+        default = [ ];
+        example = [ "10de:1b80" "10de:10f0" ];
+        description = "PCI IDs of devices to bind to vfio-pci";
+      };
+      disableEFIfb = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = "Disables the usage of the EFI framebuffer on boot.";
+      };
+      blacklistNvidia = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Add Nvidia GPU modules to blacklist";
+      };
+      ignoreMSRs = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description =
+          "Enables or disables kvm guest access to model-specific registers";
+      };
     };
-    devices = mkOption {
+    libvirtd = {
-      type = types.listOf (types.strMatching "[0-9a-f]{4}:[0-9a-f]{4}");
+      deviceACL = mkOption {
-      default = [ ];
+        type = types.listOf types.str;
-      example = [ "10de:1b80" "10de:10f0" ];
+        default = [ ];
-      description = "PCI IDs of devices to bind to vfio-pci";
+      };
-    };
+      clearEmulationCapabilities = mkOption {
-    disableEFIfb = mkOption {
+        type = types.bool;
-      type = types.bool;
+        default = true;
-      default = false;
+      };
-      example = true;
-      description = "Disables the usage of the EFI framebuffer on boot.";
-    };
-    blacklistNvidia = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Add Nvidia GPU modules to blacklist";
-    };
-    ignoreMSRs = mkOption {
-      type = types.bool;
-      default = false;
-      example = true;
-      description =
-        "Enables or disables kvm guest access to model-specific registers";
-    };
-    applyACSpatch = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        If set, the following things will happen:
-          - The ACS override patch is applied
-          - Applies the i915-vga-arbiter patch
-          - Adds pcie_acs_override=downstream to the command line
-      '';
     };
   };
 
@@ -55,8 +62,8 @@ in {
     boot.kernelParams = (if cfg.IOMMUType == "intel" then [
       "intel_iommu=on"
       "intel_iommu=igfx_off"
-    ] else
+    ] else [ "amd_iommu=on" ])
-      [ "amd_iommu=on" ]) ++ (optional (builtins.length cfg.devices > 0)
+      ++ (optional (builtins.length cfg.devices > 0)
         ("vfio-pci.ids=" + builtins.concatStringsSep "," cfg.devices))
       ++ (optionals cfg.applyACSpatch [
         "pcie_acs_override=downstream,multifunction"
@@ -68,35 +75,21 @@ in {
       ]);
 
     boot.kernelModules = [ "vfio_virqfd" "vfio_pci" "vfio_iommu_type1" "vfio" ];
-
     boot.initrd.kernelModules =
       [ "vfio_virqfd" "vfio_pci" "vfio_iommu_type1" "vfio" ];
     boot.blacklistedKernelModules =
       optionals cfg.blacklistNvidia [ "nvidia" "nouveau" ];
 
-    boot.kernelPatches = optionals cfg.applyACSpatch [
+    users.users."qemu-libvirtd" = {
-      {
+      extraGroups = optionals (!cfg-libvirtd.qemu.runAsRoot) [ "kvm" "input" ];
-        name = "add-acs-overrides";
+    };
-        patch = pkgs.fetchurl {
+    virtualisation.libvirtd.qemu.verbatimConfig = ''
-          name = "add-acs-overrides.patch";
+      clear_emulation_capabilities = ${
-          url =
+        boolToZeroOne cfg-libvirtd.clearEmulationCapabilities
-            "https://raw.githubusercontent.com/slowbro/linux-vfio/v5.5.4-arch1/add-acs-overrides.patch";
-          #url =
-          #  "https://aur.archlinux.org/cgit/aur.git/plain/add-acs-overrides.patch?h=linux-vfio&id=${acscommit}";
-          sha256 = "0nbmc5bwv7pl84l1mfhacvyp8vnzwhar0ahqgckvmzlhgf1n1bii";
-        };
       }
-      {
+      cgroup_device_acl = [
-        name = "i915-vga-arbiter";
+        ${aclString}
-        patch = pkgs.fetchurl {
+      ]
-          name = "i915-vga-arbiter.patch";
+    '';
-          url =
-            "https://raw.githubusercontent.com/slowbro/linux-vfio/v5.5.4-arch1/i915-vga-arbiter.patch";
-          #url =
-          #  "https://aur.archlinux.org/cgit/aur.git/plain/i915-vga-arbiter.patch?h=linux-vfio&id=${acscommit}";
-          sha256 = "1m5nn9pfkf685g31y31ip70jv61sblvxgskqn8a0ca60mmr38krk";
-        };
-      }
-    ];
   };
 }

profiles/applications/packages.nix

@@ -114,7 +114,6 @@ with config.deviceSpecific; {
     ".config/pcmanfm"
     # ".config/Pinta"
     ".config/qBittorrent"
-    ".config/rclone"
     # ".config/qimgv"
     ".config/SchildiChat"
     ".config/Sonixd"

profiles/applications/rclone.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, lib, ... }: {
+  home-manager.users.${config.mainuser}.home.packages = [
+    pkgs.rclone
+  ];
+
+  persist.state.homeDirectories = [
+    ".config/rclone"
+  ];
+}

profiles/applications/steam.nix

@@ -18,6 +18,10 @@
 
   persist.state.homeDirectories = [
     ".local/share/Steam"
+    ".steam"
+  ] ++ [
+    # Games configs
+    ".config/WarThunder"
   ];
 
   # Start Steam only after the network is up

profiles/security/user.nix

@@ -1,4 +1,5 @@
 { config, pkgs, lib, ... }: {
+  security.apparmor.enable = true;
   programs.firejail.enable = true;
 
   users.mutableUsers = false;

profiles/virtualisation.nix

@@ -49,10 +49,14 @@ with config.deviceSpecific; {
         qemu = {
           ovmf.enable = true;
           ovmf.packages = [
-            pkgs.OVMFFull.fd
+            (pkgs.OVMFFull.override {
+              secureBoot = true;
+              tpmSupport = true;
+            }).fd
             pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd
           ];
           runAsRoot = false;
+          swtpm.enable = true;
         };
         onBoot = "ignore";
         onShutdown = "shutdown";
@@ -61,6 +65,12 @@ with config.deviceSpecific; {
       spiceUSBRedirection.enable = true;
     };
 
+    users.users."qemu-libvirtd" = {
+      extraGroups =
+        lib.optionals (!config.virtualisation.libvirtd.qemu.runAsRoot)
+        [ "kvm" "input" ];
+    };
+
     security.unprivilegedUsernsClone = true;
 
     home-manager.users.${config.mainuser} = {
@@ -68,6 +78,12 @@ with config.deviceSpecific; {
         [storage]
         driver = "overlay2"
       '';
+      home.file.".config/libvirt/libvirt.conf".text = ''
+        uri_default = "qemu:///system"
+      '';
+      home.packages = lib.mkIf (!isServer) [
+        pkgs.virt-manager
+      ];
     };
 
     # users.users.${config.mainuser} = {

profiles/workspace/gtk.nix

@@ -57,4 +57,7 @@ in {
     # home.sessionVariables.GTK_THEME = "Generated";
     home.sessionVariables.GTK_THEME = "Rosepine-BL";
   };
+  persist.state.homeDirectories = [
+    ".config/dconf"
+  ];
 }

roles/desktop.nix

@@ -21,6 +21,7 @@
     mpv
     # ncmpcpp
     packages
+    rclone
     rofi
     spotify
     steam

todo.md

@@ -2,14 +2,15 @@
 
 * config qbittorrent
 * telegram theme
-* use theme engine from https://github.com/SenchoPens/senixos
+* use theme engine from https://github.com/SenchoPens/base16.nix (?)
-* update waybar
+* fix waybar config
-* Firejail all the things
+* Firejail all the things (maybe not...)
 * change writeShellScript and writeShellScriptBin to writeShellApplication
 * add asserts to autoinstall module
-* fix mime, fix xray (update on vps), fix aria2
+* fix mime, fix aria2
 * add updateScript to my packages
 * move overlay and packages to root folder
+* fix global hotkeys for obs (use hyprland pass dispatcher)
 
 ## Tips: