by their powers combined...comes foryog ?

2023-04-07 21:48:47 +01:00 · 2023-04-07 21:48:47 +01:00 · a1f70e48a3
parent e63e1d9bef
commit a1f70e48a3
9 changed files with 367 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -127,6 +127,7 @@

      nixosConfigurations = {
        foureighty = mkWorkstation nixpkgs-stable "x86_64-linux" "foureighty";
+        foryog = mkWorkstation nixpkgs-stable "x86_64-linux" "foryog";
        skinnyv = mkWorkstation nixpkgs-stable "x86_64-linux" "skinnyv";
        thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
        bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
--- a/nixos/boxes/foryog/boot.png
+++ b/nixos/boxes/foryog/boot.png
--- a/nixos/boxes/foryog/custom-kernel.nix
+++ b/nixos/boxes/foryog/custom-kernel.nix
@ -0,0 +1,100 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  nixpkgs.overlays = [
+    (self: super: {
+      buildLinux = x:
+        super.buildLinux ({
+            ignoreConfigErrors = true;
+            enableParallelBuilding = true;
+          }
+          // x);
+    })
+  ];
+  boot.kernelPatches = [
+    {
+      name = "foureighty";
+      patch = null;
+      extraConfig = ''
+        ACPI_CUSTOM_METHOD  n
+        ACPI_DPTF y
+        BUG y
+        CC_STACKPROTECTOR_STRONG y
+        CPU_IDLE_GOV_HALTPOLL y
+        CPU_IDLE_GOV_TEO y
+        DEBUG_CREDENTIALS     y
+        DEBUG_NOTIFIERS       y
+        DEBUG_PI_LIST         y
+        DEBUG_PLIST           y
+        DEBUG_RODATA        y
+        DEBUG_SET_MODULE_RONX y
+        DEBUG_SG              y
+        DEVMEM y
+        DPTF_PCH_FIVR m
+        DPTF_POWER m
+        ENERGY_MODEL y
+        FORTIFY_SOURCE y
+        GCC_PLUGINS  y
+        GCC_PLUGIN_LATENT_ENTROPY  y
+        GCC_PLUGIN_RANDSTRUCT y
+        GCC_PLUGIN_RANDSTRUCT_PERFORMANCE  y
+        GCC_PLUGIN_STACKLEAK  y
+        GCC_PLUGIN_STRUCTLEAK  y
+        GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  y
+        HARDENED_USERCOPY y
+        HARDENED_USERCOPY_FALLBACK y
+        HARDLOCKUP_DETECTOR y
+        HZ_300 y
+        INET_DIAG           n
+        INET_DIAG_DESTROY  option no
+        INET_MPTCP_DIAG    option no
+        INET_RAW_DIAG      option no
+        INET_TCP_DIAG      option no
+        INET_UDP_DIAG      option no
+        INIT_ON_ALLOC_DEFAULT_ON y
+        INIT_ON_FREE_DEFAULT_ON y
+        INTEL_TXT y
+        KEXEC n
+        KFENCE y
+        LEGACY_VSYSCALL_NONE y
+        LOCKUP_DETECTOR y
+        MCORE2 y
+        NR_CPUS 16
+        NUMA_BALANCING y
+        NUMA_BALANCING_DEFAULT_ENABLED y
+        PAGE_POISONING            y
+        PAGE_POISONING_NO_SANITY  y
+        PAGE_POISONING_ZERO       y
+        PANIC_TIMEOUT  -1
+        PM_AUTOSLEEP y
+        POWER_EFFICIENT_DEFAULT y
+        PREEMPT y
+        PREEMPTION y
+        PREEMPT_COUNT y
+        PREEMPT_DYNAMIC y
+        PREEMPT_RCU y
+        PROC_KCORE          n
+        RANDOMIZE_KSTACK_OFFSET_DEFAULT y
+        SCHED_CORE y
+        SCHED_STACK_END_CHECK  y
+        SECURITY_SAFESETID  y
+        SECURITY_SELINUX_DISABLE  n
+        SECURITY_WRITABLE_HOOKS  n
+        SHUFFLE_PAGE_ALLOCATOR  y
+        SLAB_FREELIST_HARDENED y
+        SLAB_FREELIST_RANDOM y
+        SLUB_DEBUG y
+        STRICT_DEVMEM y
+        STRICT_KERNEL_RWX  y
+        UNINLINE_SPIN_UNLOCK y
+        WATCH_QUEUE y
+        X86_INTEL_TSX_MODE_AUTO y
+        X86_SGX y
+        X86_SGX_KVM y
+      '';
+    }
+  ];
+}
--- a/nixos/boxes/foryog/default.nix
+++ b/nixos/boxes/foryog/default.nix
@ -0,0 +1,78 @@
+{ config, pkgs, inputs, lib, nixpkgs-nixos-unstable-and-unfree, ... }: {
+  networking.hostName = "foryog";
+
+  imports = [
+    ./hardware-configuration.nix
+    ../../backups.nix
+    ../../boot.nix
+    ../../gfx-intel-dri2.nix
+    ../../git
+    ../../gnome
+    ../../gui
+    ../../libvirt.nix
+    ../../mercurial
+    ../../vim
+    ../../sdr.nix
+  ];
+
+  fileSystems."/" = { options = [ "compress=zstd" ]; };
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  boot.plymouth = {
+    enable = true;
+    logo = ./boot.png;
+  };
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 75;
+  };
+
+  time.timeZone = "Europe/London";
+
+  virtualisation.kvmgt = {
+    enable = true;
+    device = "0000:00:02.0";
+  };
+  hardware.trackpoint.enable = true;
+
+  services.xserver = {
+    libinput = {
+      enable = true;
+      touchpad = {
+        tapping = true;
+        naturalScrolling = false;
+        middleEmulation = false;
+        disableWhileTyping = true;
+      };
+    };
+  };
+  services.fprintd = { enable = true; };
+  programs.ccache.enable = true;
+  hardware.opengl.extraPackages = with pkgs; [ libva ];
+  programs.steam.enable = true;
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "steam"
+      "steam-original"
+      "steam-runtime"
+      "steam-run"
+      "vscode-with-extensions"
+      "vscode"
+    ];
+
+  home-manager.users.cyryl = { ... }: {
+    imports =
+      [ ../../home-manager/programs/alacritty.nix ../../gui/vscode.nix ];
+    home.packages =
+      with inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux";
+      [ bisq-desktop ] ++
+
+      (with pkgs; [ lutris ])
+      ++ (with inputs.endless-sky.legacyPackages."x86_64-linux";
+        [ endless-sky ]);
+  };
+}
--- a/nixos/boxes/foryog/hardware-configuration.nix
+++ b/nixos/boxes/foryog/hardware-configuration.nix
@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  boot = {
+    kernelModules = ["kvm-intel"];
+
+    initrd = {
+      kernelModules = ["dm-snapshot"];
+      availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+    };
+
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
+
+  boot.initrd.secrets = {"/crypto_keyfile.bin" = null;};
+  boot.initrd.luks.devices."luks-43a80125-4089-45be-9561-fab93f984916".device = "/dev/disk/by-uuid/43a80125-4089-45be-9561-fab93f984916";
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/D6C0-1A9D";
+    fsType = "vfat";
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/98f3597c-183a-45fb-b2a4-b598c18d089a";
+    fsType = "btrfs";
+    options = ["subvol=@"];
+  };
+
+  swapDevices = [];
+
+  nix.settings = {
+    max-jobs = 7;
+    cores = 4;
+  };
+}
--- a/nixos/boxes/foryog/lte-modem.nix
+++ b/nixos/boxes/foryog/lte-modem.nix
@ -0,0 +1,9 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [libqmi];
+  boot.extraModulePackages = with pkgs; [libqmi];
+  boot.kernelModules = ["qmi_wwan" "qcserial"];
+}
--- a/nixos/boxes/foryog/modem.sh
+++ b/nixos/boxes/foryog/modem.sh
@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+
+###
+# This script automate the setup of QMI supported wwan devices.
+#
+# Tested on following environment:
+#   * Lenovo ThinkPad X220 (4286-CTO)
+#   * Gentoo/Linux, Linux Kernel 3.9.6
+#   * NTT Docomo UIM card (Xi LTE SIM)
+#   * Sierra Wireless, Inc. Gobi 3000 wireless wan module
+#     (FRU 60Y3257, vendor and device id is 1199:9013)
+#     memo:
+#       I recommend to check if your wwan module works fine
+#       for your mobile broadband provider with Windows
+#       especially if you imported the device from other country.
+#       You may have to initialize your device for your region.
+#   * Required kernel config (other modules may be also required):
+#     - qmi_wwan (CONFIG_USB_NET_QMI_WWAN)
+#     - qcserial (CONFIG_USB_SERIAL_QUALCOMM)
+#   * Required settings:
+#     - you may have to create /etc/qmi-network.conf.
+#       My qmi-network.conf has only a line "APN=mopera.net".
+#
+
+# your wwan device name created by qmi_wwan kernel module
+# check it with "ip a" or "ifconfig -a". it may be wwan0?
+WWAN_DEV=wwp0s29u1u4
+# your cdc_wdm modem location
+CDC_WDM=/dev/cdc-wdm0
+# this script uses following qmi commands
+QMICLI=/usr/bin/qmicli
+QMI_NETWORK=/usr/bin/qmi-network
+# the places of following commands vary depending on your distribution
+IFCONFIG=/bin/ifconfig
+DHCPCD=/sbin/dhcpcd
+SUDO=/usr/bin/sudo
+
+function helpmsg {
+  echo "usage: $0 {start|stop|restart|status}"
+  exit 1
+}
+
+function qmi_start {
+  $COMMAND_PREFIX $IFCONFIG $WWAN_DEV up
+  $COMMAND_PREFIX $QMICLI -d $CDC_WDM --dms-set-operating-mode=online
+  if [ $? -ne 0 ]; then
+    echo "your wwan device may be RFKilled?"
+    exit 1
+  fi
+  $COMMAND_PREFIX $QMI_NETWORK $CDC_WDM start
+  $COMMAND_PREFIX $DHCPCD $WWAN_DEV
+}
+
+function qmi_stop {
+  $COMMAND_PREFIX $QMI_NETWORK $CDC_WDM stop
+  $COMMAND_PREFIX kill `cat /var/run/dhcpcd-${WWAN_DEV}.pid`
+  $COMMAND_PREFIX $IFCONFIG $WWAN_DEV down
+}
+
+function qmi_strength {
+  dbm=`$COMMAND_PREFIX $QMICLI -d $CDC_WDM --nas-get-signal-strength | tr "'" " " | grep Network | head -1 | awk '{print $4}'`
+  echo -n "Signal strength is "
+  if [ $dbm -ge -73 ]; then
+    echo -n 'Excellent'
+  elif [ $dbm -ge -83 ]; then
+    echo -n 'Good'
+  elif [ $dbm -ge -93 ]; then
+    echo -n 'OK'
+  elif [ $dbm -ge -109 ]; then
+    echo -n 'Marginal'
+  else
+    echo Unknown
+  fi
+  echo " (${dbm} dBm)"
+}
+
+function qmi_status {
+  $COMMAND_PREFIX $QMI_NETWORK $CDC_WDM status
+  qmi_strength
+}
+
+# check argument number
+if [ $# -ne 1 ]
+then
+  helpmsg
+fi
+
+# check permission
+if [ `whoami` != 'root' ]
+then
+  echo "warning: root permission required. setting command prefix to 'sudo'."
+  COMMAND_PREFIX=$SUDO
+fi
+
+# run commands
+case $1 in
+  start) qmi_start ;;
+  stop) qmi_stop ;;
+  restart) qmi_stop; qmi_start ;;
+  status) qmi_status ;;
+  *) helpmsg ;;
+esac
+
+
+
--- a/nixos/boxes/foryog/nvidia.nix
+++ b/nixos/boxes/foryog/nvidia.nix
@ -0,0 +1,30 @@
+{pkgs, ...}: let
+  nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
+    export __NV_PRIME_RENDER_OFFLOAD=1
+    export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
+    export __GLX_VENDOR_LIBRARY_NAME=nvidia
+    export __VK_LAYER_NV_optimus=NVIDIA_only
+    exec -a "$0" "$@"
+  '';
+  whichgpu = pkgs.writeShellScriptBin "whichgpu" "glxinfo | grep vendor";
+  nvidiaon = pkgs.writeShellScriptBin "nvidiaon" ''
+    export __NV_PRIME_RENDER_OFFLOAD=1;
+    export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0;
+    export __GLX_VENDOR_LIBRARY_NAME=nvidia;
+    export __VK_LAYER_NV_optimus=NVIDIA_only;
+    glxinfo | grep vendor; echo OK!;
+  '';
+in {
+  environment.systemPackages = [nvidia-offload whichgpu nvidiaon];
+  hardware.opengl.enable = true;
+  hardware.opengl.driSupport32Bit = true;
+  hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [libva];
+  services.xserver.videoDrivers = ["nvidia"];
+  hardware.nvidia.prime = {
+    offload.enable = true;
+    # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
+    intelBusId = "PCI:0:2:0";
+    # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
+    nvidiaBusId = "PCI:1:0:0";
+  };
+}
--- a/nixos/tailscale/keys.sops.yaml
+++ b/nixos/tailscale/keys.sops.yaml
@ -1,4 +1,5 @@
 tailscale-key-foureighty: ENC[AES256_GCM,data:xb7EZ4TDLGXpstO2OTa+8gvK4206ik+DVQe2ZGqe+zxrhGsrkPu3MpjJYlL9vqakC4dzpRxwKN4=,iv:2Sq25zysjc2gS7SLi7QeFaIOtvKuBbNwADVyj7Hil50=,tag:65jC+Rk96s8xO+dKTo8uJg==,type:str]
+tailscale-key-foryog: ENC[AES256_GCM,data:4/hVMrEokFs7lAbQZy+HBNzQRSEOhOGeaXRks1+mY5ySZoIpuhiHURJ0H0hmx8rK5noZJtryNBg=,iv:TKLckLrloS713T6ASPTSkRrUonXcNX7sqe3WxWssdW0=,tag:PUrAQobqkxMyHd+8Y9CWug==,type:str]
 tailscale-key-bolty: ENC[AES256_GCM,data:c1OC6WgYr18I2mP9NQQ1+ibqN28VNcxNMLanLdv6wnbqBLFUSUqJ8tlHgCI81qS1kzlvuCvZui4=,iv:YuNLgEfvBezS1+P/sKN96h1/88e2xU/gyfkzjIy3vNI=,tag:kY2jqCMgiF++sVISDiU7KA==,type:str]
 tailscale-key-vpsfree1: ENC[AES256_GCM,data:RRfWVNXUumS9HuzqTjp/OYwwUy4Ljxd+ymaFWGSuCjWYy5uMyKDyF7FnyzLXD1jeegViM6sXJS2L,iv:b+zNGOP1lAQ7BRg6JetKCvo91hzZhqoYgwiQZzqMnKo=,tag:w+dVamXo3fM7AAyuzKtSjQ==,type:str]
 tailscale-key-vultr1: ENC[AES256_GCM,data:8QKYuSY0/6jtIpaizGpgfyulESqPczw/J/qCDDpYpO/LS+ppRX5avg==,iv:QsKL4NqOUTCWSIxlaXqXbfzhFcAbJTkYXjkc1eCJv8M=,tag:g0vcE23ghCYevEpQsFh50A==,type:str]
@ -111,8 +112,8 @@ sops:
            eDU3UnhLZWZnYkpwVWd1RWxSOWh3d2sKhtvrXSDt+IU6R9c/kJ9bM1lbmzPZmiXh
            UYMyAqjLY906HafUf6GkbDTmdVA0CI11jcxtLPxb95tP1IvsG/YFKg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-07T20:28:35Z"
-    mac: ENC[AES256_GCM,data:XOHyakwvoL4/YCIbM57pBa/mg8v7BRGF+iV1iCZ4jl+L4TgT5LfA32pQBr46Tuj2eiW9lJUTgk6+09WdEUQiH0CitBe2hciVWVEtc0cKXidw6wh/hrwchuzj9lDGUaROsRuczWon5Md0QolHEzvE9DDJHFguuJw8rK+q0qkRp8w=,iv:3BRBw3ZjqUlx7hH8SW5MrBCbI/8/OGLnFwppXo+nfX8=,tag:WlDhO/Z6UqoCRxHUyKvT8w==,type:str]
+    lastmodified: "2023-04-07T20:38:34Z"
+    mac: ENC[AES256_GCM,data:zz4hABI3uMdJonwvjSjhsPhLWjRfaaiHxH1C+d5wbR8gpQooCBxTRXOjP/Cxjbni3XKU8h575xlVPKPeJVsDd7MaQf4MG0njQmo4eEEBjOhqLF6t83aXqZhKCVBA/Pr/vFqcdnEqLGQF3K6XSHMWC+J8H95PM+kxZibVchcR9Q4=,iv:25PKL/5wB5EfonqE4unOuRoRTIkfHjsKiGnoW2QCxPI=,tag:R//j8Fmd5hr4jEp+bky8pA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3