diff --git a/system/README.md b/system/README.md
index 9ad5572..1a15e8b 100644
--- a/system/README.md
+++ b/system/README.md
@@ -1,12 +1,82 @@ # Auxolotl System Template -A (nearly) complete and ready-to-run NixOS template. +A ready-to-run NixOS template with sane defaults. ## Getting Started 1. Install a fresh copy of NixOS and boot into your new system. -2. Run [command] to generate your system's `hardware-configuration.nix` file. -3. Copy `hardware-configuration.nix` into the `hosts/myHost` folder. -4. Edit the `hosts/myHost/configuration.nix` file to suit your needs. This file is fully documented with all of the different options available in this template. -5. Run `nixos-rebuild boot --flake .` and restart. +2. Download, copy, or clone this repository onto your new system. +3. Run `nixos-generate-config --show-hardware-config` to generate your system's `hardware-configuration.nix` file. Copy this file into the `host` folder, overwriting the existing file. +4. Edit `flake.nix` and set the value of `hostName` to the host name you want to use for this system. +4. Edit the `host/configuration.nix` file to suit your needs. This file contains all of the available options and is fully documented. +5. Run `nixos-rebuild boot --flake .#` and restart. 6. Enjoy your new NixOS system! + +## Additional options + +This section is for options that require additional information or setup. + +### Hardware-specific options + +NixOS-Hardware is a community library of NixOS modules to work around quirks with specific kinds of hardware, especially laptops and SBCs like Raspberry Pis. If you know your system's model, you can see if it's available in [NixOS-Hardware by checking the project's flake.nix](https://github.com/NixOS/nixos-hardware/blob/master/flake.nix). If so, add its module to your host's `flake.nix` like so: + +```nix +modules = [ + ... + nixos-hardware.nixosModules.framework-13th-gen-intel + ... 
+] +``` + +### Secure Boot support + +This configuration supports [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) systems, but with some additional setup required. Secure Boot is a UEFI standard meant to prevent the pre-boot process by requiring boot images to be signed by a trusted authority. The goal is to prevent tampering, e.g. by a malicious third-party replacing your kernel image with a compromised image. In NixOS, Secure Boot support is provided by the [Lanzaboote](https://github.com/nix-community/lanzaboote) project. + +To enable Secure Boot support: + +1. Install NixOS using the default `systemd-boot` bootloader, and with Secure Boot disabled via UEFI. To confirm this, run `bootctl status` and look for output similar to the following: + ```sh + $ bootctl status + System: + Firmware: UEFI 2.70 (Lenovo 0.4720) + Secure Boot: disabled (disabled) + TPM2 Support: yes + Boot into FW: supported + + Current Boot Loader: + Product: systemd-boot 251.7 + ... + ``` +2. Generate a set of Secure Boot keys by running the following command: `sudo sbctl create-keys`. This creates a set of keys in `/etc/secureboot`. +3. Enable Secure Boot in your system configuration by setting `aux.bootloader.secureboot.enable = true;`. +4. Rebuild your system using `nixos-rebuild switch --flake .`. +5. Confirm that Secure Boot has been set up properly by running `sudo sbctl verify`: + ```sh + Verifying file database and EFI images in /boot... + ✓ /boot/EFI/BOOT/BOOTX64.EFI is signed + ✓ /boot/EFI/Linux/nixos-generation-355.efi is signed + ✓ /boot/EFI/Linux/nixos-generation-356.efi is signed + ✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed + ✓ /boot/EFI/systemd/systemd-bootx64.efi is signed + ``` +6. Reboot into your system's UEFI firmware. An easy way to do this from a running system is to run `systemctl reboot --firmware-setup`. In UEFI, set Secure Boot to setup mode. 
This will vary by system and UEFI vendor. On a ThinkPad, you can find these settings by selecting the "Security" tab, then the "Secure Boot" entry. Set "Secure Boot" to enabled, then select "Reset to Setup Mode". Save your changes and exit. + - On systems where there is no setup mode, choose the option to erase the existing Platform key, and/or to allow third-party keys. +7. Once you've rebooted into NixOS, run this command to enroll your keys: `sudo sbctl enroll-keys --microsoft`. You should see the following output: + ```sh + Enrolling keys to EFI variables... + With vendor keys from microsoft...✓ + Enrolled keys to the EFI variables! + ``` +8. Reboot your system, then verify your keys were installed correctly using `bootctl status`: + ```sh + System: + Firmware: UEFI 2.70 (Lenovo 0.4720) + Firmware Arch: x64 + Secure Boot: enabled (user) + TPM2 Support: yes + Boot into FW: supported + ``` + +#### Disabling Secure Boot + +To disable Secure Boot, just set `aux.bootloader.secureboot.enable = false;` and rebuild the system. \ No newline at end of file diff --git a/system/flake.nix b/system/flake.nix index 2125b01..f22b339 100644 --- a/system/flake.nix +++ b/system/flake.nix @@ -5,19 +5,34 @@ # Import Auxolotl libs auxlib.url = "https://git.auxolotl.org/auxolotl/labs/archive/main.tar.gz?dir=lib"; + # Flatpak support + nix-flatpak.url = "github:gmodena/nix-flatpak/v0.4.1"; + # Import the desired Nixpkgs repo. Defaults to unstable. nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # SecureBoot support lanzaboote.url = "github:nix-community/lanzaboote/v0.4.0"; + + # NixOS hardware quirks + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + + # Add Home-manager support + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ self, - nixpkgs, - lanzaboote, auxlib, + home-manager, + lanzaboote, + nix-flatpak, + nixos-hardware, + nixpkgs, ... }: let 
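Review bot: The new `home-manager` and `nixos-hardware` inputs track branch heads (`github:nix-community/home-manager`, `github:NixOS/nixos-hardware/master`) while `lanzaboote` and the new `nix-flatpak` are pinned to release tags, and nothing in the hunk says why the two styles coexist. Tracking master is the documented pairing for `nixpkgs-unstable`, but the `stateVersion = "24.11"` introduced elsewhere in this commit suggests users may switch `nixpkgs.url` to a release branch, at which point home-manager master no longer matches; a comment on the input prevents that: `# Tracks master to pair with nixpkgs-unstable; use the matching release-YY.MM branch if nixpkgs is pinned to a release.` Whether `nix-flatpak` declares its own nixpkgs input I cannot tell from here; if it does, an `inputs.nixpkgs.follows = "nixpkgs";` like the one given to home-manager keeps the lock file to a single nixpkgs. The `inputs` attribute set and the `outputs` function both extend beyond this hunk.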
@@ -32,24 +47,38 @@ baseModules = [ ./modules/autoimport.nix + home-manager.nixosModules.home-manager lanzaboote.nixosModules.lanzaboote + nix-flatpak.nixosModules.nix-flatpak + # Set global home-manager settings + { + home-manager = { + /* + When running, Home Manager will use the global package cache. + It will also back up any files that it would otherwise overwrite. + The originals will have the extension ".home-manager_backup". + */ + useGlobalPkgs = true; + useUserPackages = true; + backupFileExtension = "home-manager_backup"; + }; + } ]; - - system = "x86_64-linux"; - hostName = builtins.abort "You need to fill in your hostName"; # Set this variable equal to your hostName + ###*** IMPORTANT: Please set your system's hostname here ***### + hostName = builtins.abort "Please set the hostName variable in flake.nix"; in { - nixosConfigurations."myHost" = nixpkgs.lib.nixosSystem { + nixosConfigurations."${hostName}" = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; - system = "x86_64-linux"; modules = baseModules ++ [ + { networking.hostName = hostName; } ./host/configuration.nix - { - networking.hostName = hostName; - nixpkgs.hostPlatform = system; - } + + # NixOS-Hardware + # Add your model from this list: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix + # nixos-hardware.nixosModules.framework-13th-gen-intel ]; }; diff --git a/system/host/configuration.nix b/system/host/configuration.nix index eb23f92..bedae99 100644 --- a/system/host/configuration.nix +++ b/system/host/configuration.nix 
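Review bot: Moving the `builtins.abort` into the attribute name `nixosConfigurations."${hostName}"` means it fires whenever the set's attribute names are evaluated, so `nix flake show`, `nix flake check` and any `nixos-rebuild --flake .#<name>` fail with that message until the variable is filled in; presumably that is the intended forcing function, but the message should say so and where. Note also that the README's `nixos-rebuild boot --flake .#` form selects the configuration by the machine's current hostname, so the value chosen here must equal that hostname on the first rebuild — the added `{ networking.hostName = hostName; }` only keeps them aligned afterwards. Suggest `hostName = builtins.abort "Set hostName in flake.nix; nixos-rebuild --flake .# expects it to equal this machine's current hostname";`. The enclosing `let` block starts before this hunk.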
@@ -5,38 +5,93 @@ ... }: +let + # Do not change this value! This tracks when NixOS was installed on your system. + stateVersion = "24.11"; +in { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ ./hardware-configuration.nix ]; - ###*** Please set these variables first. ***### - nixpkgs.hostPlatform = "x86_64-linux"; # This assumes this is a standard 64-bit Linux system. + system.stateVersion = stateVersion; + + ###*** Configure your system below this line. ***### + /* + What kind of system are you running NixOS on? + If you're not sure, leave this as the default. + + Options are: + x86_64-linux - (Default) 64-bit PCs. + aarch64-linux - 64-bit ARM PCs. + x86_64-darwin - Intel Macs. + aarch64-darwin - M-series Macs. + */ + nixpkgs.hostPlatform = "x86_64-linux"; # Set your time zone. + # To see all available timezones, run `timedatectl list-timezones`. time.timeZone = "Europe/Amsterdam"; - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.axol = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - packages = with pkgs; [ ]; # Enter any additional packages specific to this user here. + # Define your user account(s). Don't forget to set a password with ‘passwd’. + users.users = { + # Replace "axol" with your preferred username. + "axol" = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + + # Enter any additional packages specific to this user here. + packages = with pkgs; [ ]; + }; }; - ###*** This is where you toggle options. ***### - ###*** To enable an option, set its value to "true". ***### + # Configure home-manager for your user. + # For configuration options, see https://nix-community.github.io/home-manager/#using-home-manager + home-manager.users.axol = { + # The state version is required and should stay at the version you originally installed. + home.stateVersion = stateVersion; + }; + + # Configure the system. 
aux = { - editor = "nano"; # Change the default text editor. Options are "emacs", "nano", or "vim". + # Enable to allow unfree (e.g. closed source) packages. + # https://nixos.org/manual/nixpkgs/stable/#sec-allow-unfree + allowUnfree = false; + + # Enable Secure Boot support. + # IMPORTANT: Read the README before enabling this option! + bootloader.secureboot.enable = false; + + # Enable or disable Bluetooth support. + bluetooth.enable = true; + + # Change the default text editor. Options are "emacs", "nano", or "vim". + editor = "nano"; + + # Change how long old generations are kept for. + retentionPeriod = "30d"; + ui.desktops = { - gnome.enable = false; # Enable the Gnome desktop environment. - kde.enable = false; # Enable the KDE desktop environment. + # Enable the Budgie desktop environment. + # https://buddiesofbudgie.org/ + budgie.enable = false; + + # Enables the Hyperland desktop environment. + # https://hyprland.org/ + hyprland.enable = false; + + # Enable the Gnome desktop environment. + # https://www.gnome.org/ + gnome.enable = false; + + # Enable the KDE desktop environment. + # https://kde.org/ + kde.enable = false; + + # Enable the XFCE desktop environment. + # https://xfce.org/ + xfce.enable = false; }; }; # Enable printing via CUPS services.printing.enable = false; - - # Do not change this value! - system.stateVersion = "24.11"; } diff --git a/system/modules/system/bluetooth.nix b/system/modules/system/bluetooth.nix new file mode 100644 index 0000000..76473ce --- /dev/null +++ b/system/modules/system/bluetooth.nix 
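Review bot: The comment above `nixpkgs.hostPlatform` lists `x86_64-darwin` and `aarch64-darwin` as options, but this file is evaluated through `nixpkgs.lib.nixosSystem`, which as far as I can tell only produces Linux systems; a user who follows the comment on a Mac gets an evaluation failure rather than a working system, so the two Darwin lines should be removed or marked as not applicable here. The username is now duplicated between `users.users."axol"` and `home-manager.users.axol`, so a rename has to happen in two places or home-manager breaks in a non-obvious way; binding it once next to `stateVersion` avoids that: `username = "axol";` in the `let`, then `users.users.${username} = {` and `home-manager.users.${username} = {`. Smaller: the Hyprland comment reads "Hyperland". The enclosing module function starts before this hunk.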
@@ -0,0 +1,37 @@
+# Configures bluetooth.
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.aux.bluetooth;
+in
+{
+
+ options = {
+ aux.bluetooth = {
+ enable = lib.mkEnableOption (lib.mdDoc "Enables bluetooth");
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Set up Bluetooth
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ settings = {
+ General = {
+ Enable = "Source,Sink,Media,Socket";
+ Experimental = true;
+ KernelExperimental = true;
+ };
+ };
+ };
+
+ # Add Bluetooth LE audio support
+ environment.systemPackages = with pkgs; [ liblc3 ];
+ };
+}
diff --git a/system/modules/system/networking.nix b/system/modules/system/networking.nix
new file mode 100644
index 0000000..ccee94f
--- /dev/null
+++ b/system/modules/system/networking.nix
@@ -0,0 +1,11 @@
+# Configure basic networking options.
+_: {
+ networking = {
+ # Enable networking via NetworkManager
+ networkmanager.enable = true;
+
+ # Enable firewall
+ nftables.enable = true;
+ firewall.enable = true;
+ };
+}
diff --git a/system/modules/system/nix.nix b/system/modules/system/nix.nix
index 10c374b..0bb0eee 100644
--- a/system/modules/system/nix.nix
+++ b/system/modules/system/nix.nix
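Review bot: `Experimental = true` and `KernelExperimental = true` switch on BlueZ's experimental D-Bus interfaces and experimental kernel features for every host that enables `aux.bluetooth`, and `powerOnBoot = true` brings the radio up at boot; these defaults enlarge the attack surface of the Bluetooth stack, and the only hint of why they are set is the `liblc3` line further down. If LE audio is the reason, say so on the settings and consider leaving the two experimental flags off unless a dedicated option asks for them: `# Experimental flags are needed for LE Audio (LC3); they enable unfinished BlueZ/kernel code paths.` Separately, `lib.mkEnableOption "Enables bluetooth"` renders as "Whether to enable Enables bluetooth." because mkEnableOption supplies the prefix itself; the same pattern recurs in budgie.nix, hyprland.nix, xfce.nix and the `aux.allowUnfree` option in nix.nix, and should read `lib.mkEnableOption "Bluetooth"`. `lib.mdDoc` is, as far as I know, deprecated in current nixpkgs since option descriptions are Markdown by default.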
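Review bot: networking.nix is imported unconditionally (`_: { ... }`), so `nftables.enable = true` applies to every host, and if I recall correctly the option's own description warns that services which still program iptables directly (Docker among them) need extra handling under the nftables backend; a template user who later enables such a service hits that failure with no `aux` option to fall back on. Consider exposing it as an `aux` option defaulting to true, or at least documenting the constraint next to the line: `# nftables backend: services that still use iptables (e.g. Docker) need their own handling; see the networking.nftables.enable option docs.` Keeping `firewall.enable = true` as the default is the right call.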
@@ -6,19 +6,46 @@
 inputs,
 ...
 }:
+
+let
+ cfg = config.aux;
+in
 {
- nix = {
- # Enable Flakes
- settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
-
- # Enable periodic nix store optimization
- optimise.automatic = true;
-
- # Configure NixOS to use the same software channel as Flakes
- registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
- nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
+ options = {
+ aux.allowUnfree = lib.mkEnableOption (lib.mdDoc "Allow unfree packages to install.");
+ aux.retentionPeriod = lib.mkOption {
+ description = "How long to retain NixOS generations. Defaults to 30 days (30d).";
+ type = lib.types.str;
+ default = "30d";
+ };
 };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.allowUnfree { nixpkgs.config.allowUnfree = true; })
+ ({
+ nix = {
+ # Enable Flakes
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # Enable periodic nix store optimization
+ optimise.automatic = true;
+
+ # Enable weekly garbage collection. Delete generations that are older than two weeks.
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than ${cfg.retentionPeriod}";
+ };
+
+ # Configure NixOS to use the same software channel as Flakes
+ registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
+ nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
+ };
+
+ # Support for standard, dynamically-linked executables
+ programs.nix-ld.enable = true;
+ })
+ ];
 }
diff --git a/system/modules/system/system.nix b/system/modules/system/system.nix
new file mode 100644
index 0000000..bceb4f2
--- /dev/null
+++ b/system/modules/system/system.nix
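Review bot: The comment above `gc` says "Delete generations that are older than two weeks", but the option interpolates `${cfg.retentionPeriod}`, whose default is `30d`, so the comment is wrong on day one and drifts further as users change the option; `# Enable weekly garbage collection; delete generations older than aux.retentionPeriod.` matches the code. `retentionPeriod` is typed `lib.types.str` and spliced straight into `nix.gc.options`, a command-line string, so a value containing spaces silently turns into extra arguments for nix-collect-garbage; a narrower type such as `type = lib.types.strMatching "[0-9]+d";` (as far as I know `--delete-older-than` accepts a day count with a `d` suffix) rejects such values at evaluation time. `programs.nix-ld.enable = true` sits in the unconditional branch of the `mkMerge`, so it cannot be turned off through `aux`; if that is deliberate, a comment saying so would help.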
@@ -0,0 +1,35 @@ +# Base system settings and options +{ + pkgs, + config, + lib, + inputs, + ... +}: +{ + # Set up the environment + environment = { + # Install base packages + systemPackages = with pkgs; [ + bash + dconf # Needed to fix an issue with Home-manager. See https://github.com/nix-community/home-manager/issues/3113 + direnv + git + home-manager + p7zip + ]; + }; + services = { + # Enable fwupd (firmware updater) + fwupd.enable = true; + + # Enable trim on supported drives + fstrim.enable = true; + + # Enable disk monitoring + smartd = { + enable = true; + autodetect = true; + }; + }; +} diff --git a/system/modules/ui/desktops/budgie.nix b/system/modules/ui/desktops/budgie.nix new file mode 100644 index 0000000..a3c3c03 --- /dev/null +++ b/system/modules/ui/desktops/budgie.nix @@ -0,0 +1,32 @@ +# Enables the Budgie desktop environment. +{ + pkgs, + config, + lib, + ... +}: +let + cfg = config.aux.ui.desktops.budgie; +in +{ + options = { + aux.ui.desktops.budgie.enable = lib.mkEnableOption ( + lib.mdDoc "Enables the Budgie desktop environment." + ); + }; + + config = lib.mkIf cfg.enable { + aux.ui.desktops.enable = true; + + services.xserver = { + enable = true; + desktopManager.budgie.enable = true; + displayManager.lightdm.enable = lib.mkIf ( + !( + config.services.xserver.displayManager.gdm.enable + || config.services.xserver.displayManager.sddm.enable + ) + ) true; + }; + }; +} diff --git a/system/modules/ui/desktops/common.nix b/system/modules/ui/desktops/common.nix index 2080be3..a6912ae 100644 --- a/system/modules/ui/desktops/common.nix +++ b/system/modules/ui/desktops/common.nix @@ -27,6 +27,17 @@ in config = lib.mkIf cfg.enable { aux.ui.audio.enable = true; + boot = { + # Enable Plymouth for graphical bootsplash. + plymouth = { + enable = true; + theme = "bgrt"; + }; + + # Add kernel parameters + kernelParams = [ "quiet" ]; + }; + services = { # Configure the xserver xserver = { 
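Review bot: `home-manager` is added to `environment.systemPackages` while the same commit wires in the home-manager NixOS module with `useUserPackages = true`; running the standalone `home-manager` CLI for a user the module already manages tends to leave two competing generations of that user's profile, so either drop the package or add a comment explaining why both are wanted. `config`, `lib` and `inputs` are accepted by the module function but never used in this file; trimming the argument set to `{ pkgs, ... }:` makes the module's real dependencies obvious.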
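Review bot: The `displayManager.lightdm.enable = lib.mkIf (!(gdm || sddm)) true` expression is the one non-obvious line in this hunk — it yields to a display manager enabled by another desktop module — and it carries no comment; `# Use LightDM only when no other desktop module already provides GDM or SDDM.` would do. The counterpart in kde.nix tests `lightdm.enable` to gate SDDM's Wayland greeter, so the two modules read different options; that works because neither reads the option it sets, but a comment noting the cross-module dependency keeps a later edit from turning it into an infinite recursion. `pkgs` is bound but unused here, and likewise in hyprland.nix and xfce.nix.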
@@ -46,5 +57,24 @@ in
 enable = true;
 binfmt = true;
 };
+
+ # Install full GStreamer capabilities.
+ # References:
+ # https://wiki.nixos.org/wiki/GStreamer
+ # https://github.com/NixOS/nixpkgs/issues/195936
+ environment = {
+ sessionVariables.GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (
+ with pkgs.gst_all_1;
+ [
+ gstreamer
+ gst-plugins-base
+ gst-plugins-good
+ gst-plugins-bad
+ gst-plugins-ugly
+ gst-libav
+ gst-vaapi
+ ]
+ );
+ };
 };
 }
diff --git a/system/modules/ui/desktops/gnome.nix b/system/modules/ui/desktops/gnome.nix
index 48ff972..aeb2b31 100644
--- a/system/modules/ui/desktops/gnome.nix
+++ b/system/modules/ui/desktops/gnome.nix
@@ -42,23 +42,6 @@ in
 gnome.gnome-tweaks # Gnome tweak tool
 gnome.gnome-themes-extra # Additional themes
 ];
-
- # Install GStreamer plugins
- # References:
- # https://wiki.nixos.org/wiki/GStreamer
- # https://github.com/NixOS/nixpkgs/issues/195936
- sessionVariables.GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (
- with pkgs.gst_all_1;
- [
- gstreamer
- gst-plugins-base
- gst-plugins-good
- gst-plugins-bad
- gst-plugins-ugly
- gst-libav
- gst-vaapi
- ]
- );
 };
 
 # Gnome UI integration for KDE apps
diff --git a/system/modules/ui/desktops/hyprland.nix b/system/modules/ui/desktops/hyprland.nix
new file mode 100644
index 0000000..b24ad64
--- /dev/null
+++ b/system/modules/ui/desktops/hyprland.nix
@@ -0,0 +1,28 @@
+# Enables the Hyprland desktop environment.
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.aux.ui.desktops.hyprland;
+in
+{
+ options = {
+ aux.ui.desktops.hyprland.enable = lib.mkEnableOption (
+ lib.mdDoc "Enables the Hyprland desktop environment."
+ );
+ };
+
+ config = lib.mkIf cfg.enable {
+ aux.ui.desktops.enable = true;
+
+ programs.hyprland = {
+ enable = true;
+ xwayland.enable = true;
+ };
+ # Optional: hint Electron apps to use Wayland:
+ environment.sessionVariables.NIXOS_OZONE_WL = "1";
+ };
+}
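Review bot: `environment.sessionVariables.NIXOS_OZONE_WL = "1"` is set system-wide as soon as `aux.ui.desktops.hyprland.enable` is on, so it also reaches the X11 sessions of any other desktop enabled in the same configuration (Budgie, XFCE, KDE with `useX11`), where Electron apps told to use Wayland may fail to start; the comment calls it a hint, but it should state that it applies to every session, e.g. `# Applies to all sessions on this host, not only Hyprland; move to home-manager if another X11 desktop is enabled.` Unlike budgie.nix, this module enables no display manager, so with only Hyprland enabled the user lands on a console login and starts the compositor by hand unless `aux.ui.desktops.enable` arranges one outside this hunk; a line in the header comment saying which is expected would help.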
diff --git a/system/modules/ui/desktops/kde.nix b/system/modules/ui/desktops/kde.nix index 6d67acd..d1bb84c 100644 --- a/system/modules/ui/desktops/kde.nix +++ b/system/modules/ui/desktops/kde.nix @@ -26,7 +26,12 @@ in xserver.displayManager = lib.mkIf cfg.useX11 { defaultSession = "plasmaX11"; - sddm.wayland.enable = true; + sddm.wayland.enable = lib.mkIf ( + !( + config.services.xserver.displayManager.gdm.enable + || config.services.xserver.displayManager.lightdm.enable + ) + ) true; }; }; diff --git a/system/modules/ui/desktops/xfce.nix b/system/modules/ui/desktops/xfce.nix new file mode 100644 index 0000000..2d40d0a --- /dev/null +++ b/system/modules/ui/desktops/xfce.nix @@ -0,0 +1,30 @@ +# Enables the XFCE desktop environment. +{ + pkgs, + config, + lib, + ... +}: +let + cfg = config.aux.ui.desktops.xfce; +in +{ + options = { + aux.ui.desktops.xfce.enable = lib.mkEnableOption ( + lib.mdDoc "Enables the XFCE desktop environment." + ); + }; + + config = lib.mkIf cfg.enable { + aux.ui.desktops.enable = true; + + services.xserver = { + enable = true; + desktopManager = { + xterm.enable = false; + xfce.enable = true; + }; + displayManager.defaultSession = "xfce"; + }; + }; +}
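Review bot: The new condition only decides whether SDDM's Wayland greeter is used (`sddm.wayland.enable`); it does not keep SDDM itself from being enabled alongside GDM or LightDM, which is presumably done elsewhere in this file outside the hunk, so if the aim is "never run two display managers" the guard is on the wrong option. As written it also sits under `lib.mkIf cfg.useX11`, so it only takes effect for the X11 session. A comment would settle the intent either way: `# Use the Wayland greeter only when no other desktop module provides GDM or LightDM.` The enclosing attribute set starts before this hunk.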
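Review bot: `displayManager.defaultSession = "xfce"` is defined unconditionally under `lib.mkIf cfg.enable`, and kde.nix in this same commit defines `defaultSession = "plasmaX11"` under its `useX11` branch; enabling both desktops, which the option layout invites, then fails at evaluation with conflicting definitions. Using `displayManager.defaultSession = lib.mkDefault "xfce";` (and the same priority in kde.nix) lets the user override, or a single `aux.ui.desktops`-level option could own the value.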