janezicmatej/matej.nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: janezicmatej:main
Branches Tags
janezicmatej:main janezicmatej:bootloader-fix
..
compare: janezicmatej:dff72f07032ce524b4a89048ef8c95c58e8e28d6
Branches Tags
janezicmatej:main janezicmatej:bootloader-fix

6 Commits
main ... dff72f0703

Author SHA1 Message Date
Matej Janežič
dff72f0703 merge: harden ephvm 2026-04-24 14:13:24 +02:00
Matej Janežič
0c17996d16 feat: tighten ephvm perms, zstd compress qcow2 
lock /home/matej/.config to 0700 (was 0755). post-process qcow2
with parallel zstd on qcow2 v3 via qemu-img convert; smaller
image and faster decompress than the built-in qcow2-compressed.
 2026-04-23 21:32:04 +00:00
Matej Janežič
9ffc640c44 feat: prune vm-guest module 
drop services.qemuGuest.enable (unused — serial + ssh cover
everything), drop sshfs package (unused), drop boot.kernelModules
for 9p since initrd availableKernelModules autoloads on first
mount.
 2026-04-23 21:30:32 +00:00
Matej Janežič
fbcded1f9d feat: ephvm-run.sh virtio devices, require kvm 
explicit virtio-blk-pci (cache=writeback, discard=unmap,
detect-zeroes=unmap, aio=threads), virtio-net-pci, virtio-rng-pci
for guest entropy. hard-require /dev/kvm and always pass -cpu host;
drop the tcg fallback since this host always has kvm.
 2026-04-23 21:29:57 +00:00
Matej Janežič
082057226d feat: ephvm-run.sh resilience 
poll for real SSH banner instead of TCP accept (qemu's user-mode
nic accepts before guest sshd is listening), preserve qemu log
on abnormal exit for inspection, use a throwaway ed25519 key
since the guest accepts any key.
 2026-04-23 21:29:24 +00:00
Matej Janežič
620acf68a6 feat: harden ephvm-run.sh 
reject running as root, bind ssh hostfwd to 127.0.0.1 only,
reject commas in --mount and claude paths (prevents -virtfs csv
injection), pre-check --mount path exists, enable qemu seccomp
sandbox.
 2026-04-23 21:28:51 +00:00
16 changed files with 266 additions and 263 deletions
Expand all files Collapse all files

142
features/bootloader.nix
View File

@@ -3,23 +3,11 @@
{
config,
lib,
pkgs,
inputs,
...
}:
let
cfg = config.features.bootloader;
keyDir = "/etc/secrets/initrd";
mkIpString =
{
address,
gateway,
netmask,
interface,
...
}:
"${address}::${gateway}:${netmask}::${interface}:none";
in
{
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -35,92 +23,15 @@
default = "systemd-boot";
};
configurationLimit = lib.mkOption {
type = lib.types.int;
default = 10;
};
consoleFont = lib.mkOption {
type = lib.types.str;
default = "ter-v32n";
};
resumeDevice = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
initrdSsh = {
enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
networkModule = lib.mkOption {
type = lib.types.str;
};
ip = {
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
address = lib.mkOption {
type = lib.types.str;
};
gateway = lib.mkOption {
type = lib.types.str;
};
netmask = lib.mkOption {
type = lib.types.str;
default = "255.255.255.0";
};
interface = lib.mkOption {
type = lib.types.str;
};
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
plymouth.enable = lib.mkEnableOption "plymouth boot splash";
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
boot.loader.efi.canTouchEfiVariables = true;
# lanzaboote inherits editor + configurationLimit from systemd-boot.*
boot.loader.systemd-boot = {
editor = false;
inherit (cfg) configurationLimit;
};
boot.initrd.systemd.enable = true;
# wait forever at the luks prompt instead of timing out the device
# job; applies whether the prompt is local or forwarded via initrd ssh
boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
# block simpledrm so fbcon defers until the gpu driver binds; avoids
# the simpledrm -> real-driver fbcon transition that mangles console
# text and leaves the luks prompt typing offset from the visible
# surface. hosts must put the gpu driver in initrd (nixos-hardware
# does this for amd; manual hardware.amdgpu.initrd.enable on others)
boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
# verbose boot: kernel messages and systemd unit lines visible end
# to end. trade-off: the luks prompt will be interleaved with the
# last few "Starting/Started ..." lines (no upstream fix exists
# without plymouth). boot.initrd.verbose is a no-op under
# systemd-initrd, so not set here.
# readable luks prompt at panel-native dpi
console = {
earlySetup = true;
font = cfg.consoleFont;
packages = [ pkgs.terminus_font ];
};
# request the largest framebuffer uefi offers; plymouth inherits it
boot.loader.systemd-boot.consoleMode = "max";
}
(lib.mkIf (cfg.mode == "systemd-boot") {
@@ -135,39 +46,26 @@
};
})
(lib.mkIf (cfg.resumeDevice != null) {
boot.resumeDevice = cfg.resumeDevice;
})
(lib.mkIf cfg.plymouth.enable {
# plymouth needs systemd-initrd to render the luks prompt cleanly
boot.initrd.systemd.enable = true;
(lib.mkIf cfg.initrdSsh.enable {
boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
# host is responsible for early-KMS so plymouth lands on the gpu driver,
# not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
boot.plymouth.enable = true;
stylix.targets.plymouth.logoAnimated = false;
boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
"ip=${mkIpString cfg.initrdSsh.ip}"
boot.kernelParams = [
"quiet"
"splash"
"loglevel=3"
"rd.systemd.show_status=false"
"rd.udev.log_level=3"
"udev.log_priority=3"
"plymouth.force-scale=1"
];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
hostKeys = [
"${keyDir}/ssh_host_rsa_key"
"${keyDir}/ssh_host_ed25519_key"
];
inherit (cfg.initrdSsh) authorizedKeys;
};
};
# forward LUKS password prompt to the ssh session (systemd-initrd idiom)
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
"10-initrd" = {
matchConfig.Driver = cfg.initrdSsh.networkModule;
networkConfig.DHCP = "yes";
};
};
boot.consoleLogLevel = 0;
boot.initrd.verbose = false;
})
]
);

5
features/desktop.nix
View File

@@ -87,9 +87,6 @@
inherit (cfg.theme) polarity;
image = cfg.theme.wallpaper;
base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme.scheme}.yaml";
# TEMP:(@janezicmatej) stylix kmscon target sets nixpkgs-removed options
targets.kmscon.enable = false;
};
}
@@ -127,7 +124,7 @@
rocketchat-desktop
telegram-desktop
slack
jellyfin-desktop
jellyfin-media-player
cider-2
mpv
ffmpeg

90
features/initrd-ssh.nix Normal file
View File

@@ -0,0 +1,90 @@
{
nixos =
{ lib, config, ... }:
let
cfg = config.features.initrd-ssh;
keyDir = "/etc/secrets/initrd";
mkIpString =
{
address,
gateway,
netmask,
interface,
...
}:
"${address}::${gateway}:${netmask}::${interface}:none";
in
{
options.features.initrd-ssh = {
enable = lib.mkEnableOption "initrd ssh";
ip = {
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
address = lib.mkOption {
type = lib.types.str;
};
gateway = lib.mkOption {
type = lib.types.str;
};
netmask = lib.mkOption {
type = lib.types.str;
default = "255.255.255.0";
};
interface = lib.mkOption {
type = lib.types.str;
};
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
networkModule = lib.mkOption {
type = lib.types.str;
};
};
config = lib.mkIf cfg.enable {
boot.initrd.availableKernelModules = [ cfg.networkModule ];
boot.initrd.kernelModules = [ cfg.networkModule ];
boot.kernelParams = lib.mkIf cfg.ip.enable [
"ip=${mkIpString cfg.ip}"
];
boot.initrd.systemd.enable = true;
# remote unlock may take a while; don't let device units give up
boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
hostKeys = [
"${keyDir}/ssh_host_rsa_key"
"${keyDir}/ssh_host_ed25519_key"
];
inherit (cfg) authorizedKeys;
};
};
# systemd-networkd retries DHCP indefinitely, unlike udhcpc
boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
"10-initrd" = {
matchConfig.Driver = cfg.networkModule;
networkConfig.DHCP = "yes";
};
};
# forward LUKS password prompt to the SSH session
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
};
};
}

9
features/networkmanager.nix
View File

@@ -1,11 +1,6 @@
{
nixos =
{
config,
lib,
user,
...
}:
{ config, lib, ... }:
let
cfg = config.features.networkmanager;
in
@@ -18,8 +13,6 @@
"1.1.1.1"
"8.8.8.8"
];
users.users.${user}.extraGroups = [ "networkmanager" ];
};
};
}

7
features/power.nix
View File

@@ -8,6 +8,11 @@
options.features.power = {
enable = lib.mkEnableOption "laptop power management";
resumeDevice = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
lidSwitch = lib.mkOption {
type = lib.types.str;
default = "suspend-then-hibernate";
@@ -35,6 +40,8 @@
};
config = lib.mkIf cfg.enable {
boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
services.logind.settings.Login = {
HandleLidSwitch = cfg.lidSwitch;
HandlePowerKey = cfg.powerKey;

144
flake.lock generated
View File

@@ -54,11 +54,11 @@
"base16-helix": {
"flake": false,
"locked": {
"lastModified": 1776754714,
"narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
"lastModified": 1760703920,
"narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
"owner": "tinted-theming",
"repo": "base16-helix",
"rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
"rev": "d646af9b7d14bff08824538164af99d0c521b185",
"type": "github"
},
"original": {
@@ -106,11 +106,11 @@
]
},
"locked": {
"lastModified": 1781152676,
"narHash": "sha256-RxWs5ND31KzTG7wvMM+PMfUjyNpmIEr999lqNARaM5o=",
"lastModified": 1776613567,
"narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
"owner": "nix-community",
"repo": "disko",
"rev": "ff8702b4de27f72b4c78573dfb89ec74e36abdf1",
"rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
"type": "github"
},
"original": {
@@ -122,11 +122,11 @@
"firefox-gnome-theme": {
"flake": false,
"locked": {
"lastModified": 1779670703,
"narHash": "sha256-UdfMivNMwCCqQsYDg5pSz8X2IOaOrIZLIIy+Bg3CO2o=",
"lastModified": 1775176642,
"narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"rev": "942159e73e40bf785816f7f1f5feed9ef3d7c8f9",
"rev": "179704030c5286c729b5b0522037d1d51341022c",
"type": "github"
},
"original": {
@@ -156,11 +156,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1778716662,
"narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
"lastModified": 1775087534,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
"type": "github"
},
"original": {
@@ -177,11 +177,11 @@
]
},
"locked": {
"lastModified": 1778716662,
"narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
"lastModified": 1775087534,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
"type": "github"
},
"original": {
@@ -198,11 +198,11 @@
]
},
"locked": {
"lastModified": 1778716662,
"narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
"lastModified": 1775087534,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
"type": "github"
},
"original": {
@@ -273,11 +273,11 @@
]
},
"locked": {
"lastModified": 1781189114,
"narHash": "sha256-5inaamLgUMWy+MOBE9ChF9QAF1o/74LFuHkI0W/9rqc=",
"lastModified": 1776777932,
"narHash": "sha256-0R3Yow/NzSeVGUke5tL7CCkqmss4Vmi6BbV6idHzq/8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "486595d2cf49cfcd649b58a284fa11ac0e34da22",
"rev": "5d5640599a0050b994330328b9fd45709c909720",
"type": "github"
},
"original": {
@@ -317,11 +317,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1781247552,
"narHash": "sha256-WBnopP5Ln0BsEb1Ix2ylLuBvfV6YB5Zr4z6Hqo31Ccs=",
"lastModified": 1776729909,
"narHash": "sha256-wGu/N42PJqrj8ju9GoXdppg4rwaKzZqdAjsgxJbCvfY=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "2a8dddeeea5e6b98159a90c73deb65351b1748f9",
"rev": "ff21a18bde28b4c8ca0bc1f9a5b7186a1b89a3d1",
"type": "github"
},
"original": {
@@ -333,11 +333,11 @@
"neovim-src": {
"flake": false,
"locked": {
"lastModified": 1781212614,
"narHash": "sha256-ZJXg/EUJvbrMx8Qprs/Sg9EYsbXJc49NxVmHdzJn1s0=",
"lastModified": 1776727374,
"narHash": "sha256-iP5SviNXW5W+ay4ZmwjDFsfQjfM+fYlUxRlLPHjpwWI=",
"owner": "neovim",
"repo": "neovim",
"rev": "3ed78daf83aa88003f52234e6b493c9718b2d987",
"rev": "901b3f0c394a53961781ebeee682e64ad690a242",
"type": "github"
},
"original": {
@@ -347,15 +347,12 @@
}
},
"nixos-hardware": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1781168557,
"narHash": "sha256-LOnLQ2tpYF9gqIDDr3+j3DbpJJr/QCH6zPRT2GzEUOE=",
"lastModified": 1775490113,
"narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "6358ff76821101c178e3ab4919a62799bfe3652e",
"rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
"type": "github"
},
"original": {
@@ -367,11 +364,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1781173989,
"narHash": "sha256-fnzKKPvS+oieI/pTzotA5tkoM47EB1NpaBcgk4R97hE=",
"lastModified": 1776329215,
"narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8c91a71d13451abc40eb9dae8910f972f979852f",
"rev": "b86751bc4085f48661017fa226dee99fab6c651b",
"type": "github"
},
"original": {
@@ -383,11 +380,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1777168982,
"narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
"lastModified": 1774748309,
"narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
"rev": "333c4e0545a6da976206c74db8773a1645b5870a",
"type": "github"
},
"original": {
@@ -398,11 +395,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1781257547,
"narHash": "sha256-hJdOzVAu4sFVlVDmTO5nD1+71jqnp2bJDmd4fw1BrVg=",
"lastModified": 1776807375,
"narHash": "sha256-LDnHG0T54OEHyRydmGUlAND8ham0KrRNWjgoS+6GUd4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ac8a9daf3acf68ae5e259081204afa447b55f871",
"rev": "553ecb1686a2edb75dee44c9f72e1674e6adc26a",
"type": "github"
},
"original": {
@@ -414,11 +411,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1780952837,
"narHash": "sha256-Fwd1+spDtQ0hDyBwme6ufG3n4mY0UrjjFdYHv+G/Hds=",
"lastModified": 1776560675,
"narHash": "sha256-p68udKWWh7+V4ZPpcMDq0gTHWNZJnr4JPI+kHPPE40o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e820eb4a444b46a19b2e03e8dfd2359439ff30fe",
"rev": "e07580dae39738e46609eaab8b154de2488133ce",
"type": "github"
},
"original": {
@@ -430,24 +427,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1767892417,
"narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
"rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1781074563,
"narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
"lastModified": 1776548001,
"narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
"rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
"type": "github"
},
"original": {
@@ -469,11 +453,11 @@
]
},
"locked": {
"lastModified": 1780281641,
"narHash": "sha256-M/+hUKoKbHXpV0xGVfELbN1Ds1aoe3pL5p5/t46YhVo=",
"lastModified": 1775228139,
"narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
"owner": "nix-community",
"repo": "NUR",
"rev": "30f9ae2f04174de63ba8bcf3580ca90843b28a01",
"rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
"type": "github"
},
"original": {
@@ -530,7 +514,7 @@
"lanzaboote": "lanzaboote",
"neovim-nightly-overlay": "neovim-nightly-overlay",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-stable": "nixpkgs-stable",
"nvim": "nvim",
@@ -566,11 +550,11 @@
]
},
"locked": {
"lastModified": 1780547341,
"narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
"lastModified": 1776771786,
"narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
"rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
"type": "github"
},
"original": {
@@ -599,11 +583,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1781018772,
"narHash": "sha256-C+cGIUaC6dqfwTbI+BwCd572PbESGA3WYxR1sLTqxkY=",
"lastModified": 1776170745,
"narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
"owner": "danth",
"repo": "stylix",
"rev": "a378e4c09031fb15a4d65da88aa628f71fc52f6b",
"rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
"type": "github"
},
"original": {
@@ -646,11 +630,11 @@
"tinted-schemes": {
"flake": false,
"locked": {
"lastModified": 1777806186,
"narHash": "sha256-PDF0/wObw4nIsSBeXVYLsloXOiphXCgIdsrNcVXguKs=",
"lastModified": 1772661346,
"narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
"owner": "tinted-theming",
"repo": "schemes",
"rev": "0c94645546f4f3ddac77a1a5fce54eb95bf50795",
"rev": "13b5b0c299982bb361039601e2d72587d6846294",
"type": "github"
},
"original": {
@@ -662,11 +646,11 @@
"tinted-tmux": {
"flake": false,
"locked": {
"lastModified": 1778379944,
"narHash": "sha256-wPDFzMGSlARlw0Sfsn48Q2+jPSfk6N0Ng6BC/d+7Q24=",
"lastModified": 1772934010,
"narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
"owner": "tinted-theming",
"repo": "tinted-tmux",
"rev": "fe0203a198690e71a5ff11e08812a4673de3678d",
"rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
"type": "github"
},
"original": {
@@ -678,11 +662,11 @@
"tinted-zed": {
"flake": false,
"locked": {
"lastModified": 1778378178,
"narHash": "sha256-OXPXRIQgGwV77HjYRryOHguh4ALX96jkg+tseLkGgHA=",
"lastModified": 1772909925,
"narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
"owner": "tinted-theming",
"repo": "base16-zed",
"rev": "9cd816033ff969415b190722cddf134e78a5665f",
"rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
"type": "github"
},
"original": {

6
flake/dev-components.nix
View File

@@ -14,9 +14,11 @@ let
mkNode = nodejs: {
packages = [
nodejs
(pkgs.pnpm.override { withNode = false; })
(pkgs.yarn.override { withNode = false; })
pkgs.corepack
];
env = {
COREPACK_ENABLE_STRICT = "0";
};
};
mkUv = python: {

2
flake/hosts.nix
View File

@@ -55,6 +55,7 @@ in
"git"
"gnupg"
"harmonia"
"initrd-ssh"
"localisation"
"neovim"
"networkmanager"
@@ -123,7 +124,6 @@ in
"localisation"
"networkmanager"
"nix-settings"
"onepassword"
"sway"
"udev"
"zsh"

6
flake/overlays.nix
View File

@@ -1,7 +1,5 @@
{ inputs, ... }:
_:
{
flake.overlays.default = final: _prev: {
inherit (inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}) mcp-nixos;
};
flake.overlays.default = _: _: { };
}

5
hosts/fw16/configuration.nix
View File

@@ -10,13 +10,16 @@
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
];
features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
features.bootloader.plymouth.enable = true;
features.desktop.bluetooth.enable = true;
features.gnupg.yubikey.enable = true;
features.udev = {
ledger.enable = true;
keyboard-zsa.enable = true;
};
features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;

5
hosts/fw16/hardware-configuration.nix
View File

@@ -37,7 +37,10 @@
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/42D9-FAFD";
fsType = "vfat";
options = [ "umask=0077" ];
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [

13
hosts/tower/configuration.nix
View File

@@ -8,11 +8,7 @@
features.nix-settings.towerCache.enable = false;
features.bootloader = {
mode = "lanzaboote";
initrdSsh = {
enable = true;
networkModule = "r8169";
authorizedKeys = userKeys.sshAuthorizedKeys;
};
plymouth.enable = true;
};
features.desktop.bluetooth.enable = true;
features.gnupg.yubikey.enable = true;
@@ -20,14 +16,17 @@
ledger.enable = true;
keyboard-zsa.enable = true;
};
features.initrd-ssh = {
networkModule = "r8169";
authorizedKeys = userKeys.sshAuthorizedKeys;
};
# nix store signing
sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
boot.kernelParams = [ "btusb.reset=1" ];
# pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
# from the start, no driver-swap mode-set
# early kms so plymouth lands on amdgpu, not simpledrm
hardware.amdgpu.initrd.enable = true;
services.udisks2.enable = true;

33
justfile
View File

@@ -2,20 +2,31 @@
default:
@just --list
# rebuild the system
rebuild op="switch" host=`hostname`:
nixos-rebuild {{op}} --flake .#{{host}} --sudo
# rebuild and switch
switch config="":
nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
# fetch flake inputs
sync:
nix flake prefetch-inputs
# update flake inputs
update:
nix flake update
# update flake inputs, rebuild and switch
bump: update switch
# update a package to latest version
update-package pkg:
bash packages/{{pkg}}/update.sh
# update all packages with update scripts
update-package:
update-package-all:
@for script in packages/*/update.sh; do bash "$script"; done
# build all packages and hosts
check:
build:
nix flake check
# build installation iso
@@ -26,6 +37,10 @@ iso:
ephvm *ARGS:
bash scripts/ephvm-run.sh {{ARGS}}
# ssh into running ephemeral VM
ephvm-ssh port="2222":
ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
# provision a host with nixos-anywhere
provision host ip:
#!/usr/bin/env bash
@@ -44,9 +59,9 @@ provision host ip:
ssh root@{{ip}} reboot
# deploy config to a remote host
deploy op="switch" host=`hostname` remote=host:
nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
deploy host remote=host:
nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
# garbage collect old generations
clean host=`hostname`:
sudo nix-collect-garbage $(nix eval --raw .#nixosConfigurations.{{host}}.config.nix.gc.options)
clean:
sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)

19
lib/mkHost.nix
View File

@@ -87,25 +87,6 @@ nixpkgs.lib.nixosSystem {
{ nixpkgs.config.allowUnfree = true; }
{ networking.hostName = name; }
# TEMP:(@janezicmatej) temporary mitigation for dirty frag
# blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
# remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
{
boot.blacklistedKernelModules = [
"esp4"
"esp6"
"rxrpc"
];
}
# cap unit stop timeout so a single misbehaving app (electron, etc) can't
# block poweroff for the full 90s default. user-scope cap is required for
# session-N.scope to honor it. see discourse/49711
{
systemd.settings.Manager.DefaultTimeoutStopSec = "10s";
systemd.user.settings.Manager.DefaultTimeoutStopSec = "10s";
}
featureEnableModule
hostConfig
]

33
nix.nix Normal file
View File

@@ -0,0 +1,33 @@
{
nix = {
settings = {
experimental-features = [
"nix-command"
"flakes"
];
download-buffer-size = 2 * 1024 * 1024 * 1024;
warn-dirty = false;
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org?priority=45"
"http://tower:5000?priority=50"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
];
};
gc = {
automatic = true;
dates = "monthly";
options = "--delete-older-than 30d";
};
optimise = {
automatic = true;
dates = [ "monthly" ];
};
};
}

10
packages/claude-code/package.nix
View File

@@ -2,7 +2,7 @@
let
inherit (pkgs) stdenv lib;
version = "2.1.175";
version = "2.1.116";
# upstream ships platform-native binaries as separate npm packages under
# @anthropic-ai/claude-code-<platform>; the wrapper package is just a
@@ -10,19 +10,19 @@ let
sources = {
"x86_64-linux" = {
slug = "linux-x64";
hash = "sha256-UtPkBFG+XoNunpJ6OECQNrlIooNVATOZpT2jPQd3iMk=";
hash = "sha256-QEjJ4CRk35TubDNW02Dzcu+EMRLLndJUXJeP3BFT3b8=";
};
"aarch64-linux" = {
slug = "linux-arm64";
hash = "sha256-xUdp09sTdMqWNdFXQbQDHdSvhrt4vPcO9loUFfEWSlo=";
hash = "sha256-/Hqp8GQx8Hub8K4w0Fnx/AksksY61vRC44XxrJVwF5w=";
};
"x86_64-darwin" = {
slug = "darwin-x64";
hash = "sha256-DbvJSEsXMPxXXjXbCf0NLabrhaV/Q83YLPPZI1ubPkM=";
hash = "sha256-O3J/ew2fWbUQePs6tHEhK0Q9E3Mx/BDSL7b7NL3FRc8=";
};
"aarch64-darwin" = {
slug = "darwin-arm64";
hash = "sha256-FUig303ozhhubYtq6FjIM3tGIwlESttQVS1khC4pLwA=";
hash = "sha256-O41sf7b05SJfXVjszMeTp838mja+PgZ+aEKykLsHeNo=";
};
};