From 69cca39dc54821c05e1326f5d486402a1cde0be1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 28 Oct 2018 11:21:37 +0100 Subject: [PATCH] nixos-config: add live-usb --- nixos-configuration/live-usb/boot.nix | 21 ++ .../live-usb/configuration.nix | 15 ++ nixos-configuration/live-usb/hw.nix | 59 +++++ nixos-configuration/live-usb/pkg.nix | 29 +++ nixos-configuration/live-usb/system.nix | 242 ++++++++++++++++++ nixos-configuration/live-usb/user.nix | 51 ++++ 6 files changed, 417 insertions(+) create mode 100644 nixos-configuration/live-usb/boot.nix create mode 100644 nixos-configuration/live-usb/configuration.nix create mode 100644 nixos-configuration/live-usb/hw.nix create mode 100644 nixos-configuration/live-usb/pkg.nix create mode 100644 nixos-configuration/live-usb/system.nix create mode 100644 nixos-configuration/live-usb/user.nix diff --git a/nixos-configuration/live-usb/boot.nix b/nixos-configuration/live-usb/boot.nix new file mode 100644 index 0000000..95780ab --- /dev/null +++ b/nixos-configuration/live-usb/boot.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + boot.kernelPackages = pkgs.linuxPackages_latest; + + # Bootloader, initrd and Kernel + boot.loader.grub.enable = true; + boot.loader.grub.enableCryptodisk = true; + boot.loader.grub.version = 2; + + # workaround to disable CPU wining + # current CPU has 9 idle cstates. + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; + + boot.tmpOnTmpfs = true; +} diff --git a/nixos-configuration/live-usb/configuration.nix b/nixos-configuration/live-usb/configuration.nix new file mode 100644 index 0000000..b49f937 --- /dev/null +++ b/nixos-configuration/live-usb/configuration.nix 
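Review bot: `boot.loader.grub.enable = true` here sits next to `boot.loader.systemd-boot.enable = true` in hw.nix from the same commit, so the tree asks for two boot loaders on the same EFI disk and it is not clear from the config which one ends up installed; pick one (drop the three grub lines here, or the systemd-boot line in hw.nix). The comment "workaround to disable CPU wining" has no setting under it, so either restore the option it describes or delete the comment. `boot.kernelModules` is also set in hw.nix; NixOS merges list options so both sets load, but a note such as `# merged with the kvm-intel list in hw.nix` would save the next reader a search.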
@@ -0,0 +1,15 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = [ + ./pkg.nix + ./hw.nix + ./system.nix + ./user.nix + ./boot.nix + ]; +} diff --git a/nixos-configuration/live-usb/hw.nix b/nixos-configuration/live-usb/hw.nix new file mode 100644 index 0000000..3eebc18 --- /dev/null +++ b/nixos-configuration/live-usb/hw.nix 
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + nix.maxJobs = lib.mkDefault 3; + nix.buildCores = 3; + + hardware.enableAllFirmware = true; + hardware.trackpoint.emulateWheel = true; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModprobeConfig = '' + options kvm-intel nested=1 + options kvm-intel enable_shadow_vmcs=1 + options kvm-intel enable_apicv=1 + options kvm-intel ept=1 + ''; + boot.extraModulePackages = [ ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + fileSystems."/boot" = { + device = "/dev/disk/by-id/usb-SCSI_DISK_9E216FC57FBD4AE1-0:0-part2"; + fsType = "vfat"; + }; + + fileSystems."/" = { + device = "/dev/mapper/live--usb-live--usb--root"; + fsType = "btrfs"; + options = [ "subvol=nixos" ]; + }; + + fileSystems."/home" = { + device = "/dev/mapper/live--usb-live--usb--root"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + swapDevices = [ + { device = "/dev/mapper/live--usb-live--usb--root"; } + ]; + + boot.loader.grub = { + device = "/dev/disk/by-id/usb-SCSI_DISK_9E216FC57FBD4AE1-0:0"; + efiSupport = true; + }; + + boot.initrd.luks.devices = [ { + name = "crypt-live-usb"; + device = "/dev/disk/by-id/usb-SCSI_DISK_9E216FC57FBD4AE1-0:0-part3"; + preLVM = true; + allowDiscards = true; + } + ]; +} diff --git a/nixos-configuration/live-usb/pkg.nix b/nixos-configuration/live-usb/pkg.nix new file mode 100644 index 0000000..50145ca --- /dev/null +++ b/nixos-configuration/live-usb/pkg.nix 
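Review bot: `swapDevices` names `/dev/mapper/live--usb-live--usb--root`, the same device that `fileSystems."/"` and `fileSystems."/home"` mount as btrfs; swapon on a device carrying a btrfs signature fails, and if it were ever made to succeed it would overwrite the root volume, so this looks like a copy-paste slip and should point at a dedicated swap LV or become `swapDevices = [ ];`. The header still claims the file was generated by nixos-generate-config and must not be modified, yet it carries hand-added settings (`nix.maxJobs`, the kvm-intel modprobe options, the grub block); drop the header or move those settings to another module before a regeneration silently discards them. `allowDiscards = true` on the LUKS device trades some confidentiality (free-space patterns become observable on the flash) for TRIM, which is a reasonable choice for a USB stick but deserves a one-line comment saying it is deliberate.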
@@ -0,0 +1,29 @@ +{ config, + pkgs, + ... }: + +let + +in +{ + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + + packageOverrides = pkgs: rec { + + }; + }; + + imports = + [ + ../common/pkg/default.nix + ]; + + environment.systemPackages = with pkgs; [ + firefox + gitFull + gpg2 + nvim + ]; +} diff --git a/nixos-configuration/live-usb/system.nix b/nixos-configuration/live-usb/system.nix new file mode 100644 index 0000000..691e3d1 --- /dev/null +++ b/nixos-configuration/live-usb/system.nix 
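Review bot: The empty `let in` block and `packageOverrides = pkgs: rec { };` are scaffolding that adds nothing; drop them or leave a comment saying what is meant to go there. `nvim` is not an attribute I recognise in nixpkgs (the package is `neovim`), so if it is supplied by `../common/pkg/default.nix` a comment such as `# nvim is defined in ../common/pkg` would make that dependency explicit.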
@@ -0,0 +1,242 @@ +{ config, lib, pkgs, ... }: + + +let + +in + +rec { + nix.binaryCachePublicKeys = [ + # "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" + ]; + nix.binaryCaches = [ + "https://cache.nixos.org" + # "https://hydra.nixos.org" + ]; + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + # "https://hydra.nixos.org" + ]; + + nix.daemonNiceLevel = 19; + nix.daemonIONiceLevel = 7; + + nix.useSandbox = true; + + # The NixOS release to be compatible with for stateful data such as databases. + # system.stateVersion = "unstable"; + networking.hostName = "steveej-liveusb"; # Define your hostname. + + networking.firewall.enable = true; + networking.firewall.checkReversePath = false; + + # Provide a NAT/DHCP Router + # + # networking.nat.enable = true; + # networking.nat.internalInterfaces = [ "enp0s20f0u4u1u3" ]; + # networking.nat.externalInterface = "wlp1s0"; + # networking.interfaces."enp0s20f0u4u1u3".ipv4.addresses = [ + # { address = "10.254.253.254"; prefixLength = 24; } + # ]; + # services.dnsmasq = { + # enable = true; + # servers = [ "8.8.8.8" "8.8.4.4" ]; + # extraConfig = '' + # domain=lan + # interface=enp0s20f0u4u1u3 + # bind-interfaces + # dhcp-range=10.254.253.100,10.254.253.199,1h + # ''; + # }; + + networking.networkmanager = { + enable = true; + dns = "dnsmasq"; + unmanaged = [ + "interface-name:veth*" + "interface-name:virbr*" + "interface-name:br*" + "interface-name:*vbox*" + "interface-name:*cni*" + ]; + }; + + programs.zsh = { + enable = false; + }; + + environment.sessionVariables = { + NIXPKGS_ALLOW_UNFREE = "1"; + + # Don't create .pyc files. + PYTHONDONTWRITEBYTECODE = "1"; + }; + + environment.etc."lvm/lvm.conf".text = '' + devices { + issue_discards = 1 + } + ''; + + environment.pathsToLink = [ "/share/zsh" ]; + + # Fonts, I18N, Date ... 
+ fonts = { + enableCoreFonts = true; + }; + + i18n = { + consoleFont = "lat9w-16"; + defaultLocale = "en_US.UTF-8"; + }; + time.timeZone = "Europe/Berlin"; + #time.timeZone = "America/Los_Angeles"; + + # Services + services.gpm.enable = true; + services.openssh.enable = true; + services.openssh.permitRootLogin = "yes"; + + services.gnome3 = { + gnome-disks.enable = false; + gnome-documents.enable = false; + gnome-online-miners.enable = false; + gnome-user-share.enable = false; + gnome-terminal-server.enable = false; + gpaste.enable = false; + sushi.enable = false; + tracker.enable = false; + + # FIXME: gnome should be moved to user session + seahorse.enable = true; + gvfs.enable = true; + at-spi2-core.enable = true; + evolution-data-server.enable = true; + gnome-online-accounts.enable = true; + gnome-keyring.enable = true; + }; + + services.teamviewer.enable = false; + + services.printing = { + enable = false; + }; + + services.pcscd.enable = true; + services.xserver = { + enable = true; + libinput.enable = true; + libinput.naturalScrolling = true; + + videoDrivers = [ "qxl" "modesetting" "ati" "cirrus" "intel" "vesa" "vmware" "modesetting" ]; + xkbVariant = "altgr-intl"; + xkbOptions = "nodeadkeys"; + + desktopManager = { + # FIXME: gnome should be moved to user session + gnome3.enable = true; + + xterm.enable = true; + plasma5.enable = false; + }; + + displayManager = { + gdm.enable = false; + + lightdm = { + enable = true; + autoLogin = { + enable = true; + user = "steveej"; + }; + background = "${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png"; + }; + + sessionCommands = '' + ''; + }; + }; + + # Package configuration + environment.systemPackages = with pkgs; [ + ]; + + # More Services + services.udev.packages = [ + pkgs.libu2f-host + pkgs.yubikey-personalization + ]; + services.udev.extraRules = '' + # OnePlusOne + ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", 
ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" + ATTR{idVendor}=="05c6", ATTR{idProduct}=="6765", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" + + # Plantronics BackBeat PRO + SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777" + SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777" + SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777" + '' + ; + + services.packagekit.enable = true; + + services.resolved.enable = false; + services.nix-serve.enable = false; + + services.samba.enable = true; + services.samba.extraConfig = '' + client max protocol = SMB3 + ''; + + # hardware related services + services.illum.enable = true; + + hardware = { + bluetooth.enable = true; + pulseaudio = { + enable = true; + package = pkgs.pulseaudioFull; + support32Bit = true; + }; + }; + + services.fprintd.enable = true; + security.pam.services = { + login.fprintAuth = true; + sudo.fprintAuth = true; + }; + + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ + blueman + ]; + + # Kubernetes + # services.kubernetes.roles = ["master" "node"]; + + # virtualization + virtualisation = { + libvirtd.enable = false; + virtualbox.enable = false; + docker.enable = true; + }; + + # Activation scripts for impure set up of paths in / + system.activationScripts.bin = '' + echo "setting up /bin..." + ln -sfT ${pkgs.bash}/bin/bash /bin/.bash + mv -Tf /bin/.bash /bin/bash + ''; + system.activationScripts.etcX11sessinos = '' + echo "setting up /etc/X11/sessions..." + mkdir -p /etc/X11 + ln -sfT ${config.services.xserver.displayManager.session.desktops} /etc/X11/.sessions + mv -Tf /etc/X11/.sessions /etc/X11/sessions + ''; + system.activationScripts.lib64 = '' + echo "setting up /lib64..." 
+ mkdir -p /lib64 + ln -sfT ${pkgs.stdenv.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 + mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 + ''; +} diff --git a/nixos-configuration/live-usb/user.nix b/nixos-configuration/live-usb/user.nix new file mode 100644 index 0000000..6d53acd --- /dev/null +++ b/nixos-configuration/live-usb/user.nix @@ -0,0 +1,51 @@ +{ config +, pkgs +, ... }: + +let + passwords = import ../common/passwords.crypt.nix; + mkUser = {uid, hashedPassword, ... } @ args: args // { + inherit uid hashedPassword; + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + ]; + }; + +in +{ + users.mutableUsers = false; + users.defaultUserShell = pkgs.zsh; + + users.extraUsers.root = { + hashedPassword = passwords.users.root; + openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"]; + }; + + users.extraUsers.steveej = mkUser { + uid = 1000; + hashedPassword = passwords.users.steveej; + }; + + users.extraUsers.steveej2 = mkUser { + uid = 1001; + hashedPassword = passwords.users.steveej2; + }; + + users.extraUsers.steveej3 = mkUser { + uid = 1002; + hashedPassword = passwords.users.steveej; + }; + + security.pam.enableU2F = true; + security.pam.services.steveej.u2fAuth = true; +}
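Review bot: `services.openssh.permitRootLogin = "yes"` allows password authentication for root over SSH, and user.nix in this commit gives root a hashed password as well as an authorized key, so the key is not the only way in; `services.openssh.permitRootLogin = "prohibit-password";` keeps the key-based access and closes the password path (`services.openssh.passwordAuthentication = false;` would do the same for the other accounts). The three Plantronics udev rules use `MODE="0777"`, which makes those USB device nodes world-writable for every local account; `MODE="0660"` plus `TAG+="uaccess"`, as the MTP rules above them already do, is enough for the logged-in user. `lightdm.autoLogin` with `user = "steveej"` means anyone who boots the stick and passes the LUKS prompt lands in that session without a further password, which is worth a comment if intended. Smaller points: `system.activationScripts.etcX11sessinos` misspells "sessions", and `videoDrivers` lists "modesetting" twice.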
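Review bot: `security.pam.services.steveej.u2fAuth = true` keys the PAM stanza by a user name, but `security.pam.services.<name>` is keyed by the PAM service (the program, e.g. `login`, `sudo`, `lightdm`), as the `login.fprintAuth`/`sudo.fprintAuth` lines in system.nix show, so this generates a PAM service file named "steveej" that nothing consults and U2F is never actually required; set `u2fAuth = true` on the services that should demand it instead. `users.extraUsers.steveej3` reuses `passwords.users.steveej` while steveej2 has its own entry; if that is intentional, a comment saying so will stop it being "fixed" later. `mkUser` puts every account into `docker` and `libvirtd`, which on a host with `docker.enable = true` (system.nix) are effectively root-equivalent, so the secondary accounts inherit full privilege; if steveej2/steveej3 are meant to be lower-privilege, take those groups out of the shared default.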