Add 'legacy/dotfiles/' from commit 'e9a44f677d2852fd5856cecc49ecb984efeba66c'

git-subtree-dir: legacy/dotfiles
git-subtree-mainline: 382887df65
git-subtree-split: e9a44f677d
2026-04-18 00:45:25 -04:00
58 changed files with 5354 additions and 0 deletions


@@ -0,0 +1,498 @@
{
config,
options,
pkgs,
lib,
username,
system,
hostname,
inputs,
niri-package,
...
}:
{
imports = [
./vm.nix
./steam.nix
./networking.nix
inputs.disko.nixosModules.disko
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
inputs.nixos-hardware.nixosModules.common-pc-ssd
];
# allow overclocking (I actually underclock but lol)
hardware.amdgpu.overdrive.ppfeaturemask = "0xFFFFFFFF";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
services.kmscon.enable = true;
# Add niri to display manager session packages
services.displayManager.sessionPackages = [ niri-package ];
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
gamescopeSession.enable = true;
};
};
system.activationScripts = {
# FIX: https://github.com/NixOS/nix/issues/2982
"profile-channel-dummy".text = ''
#!/bin/sh
mkdir -p /nix/var/nix/profiles/per-user/root/channels
'';
# extract all my secureboot keys
# TODO! proper secrets management
"secureboot-keys".text = ''
#!/usr/bin/env sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${lib.getExe pkgs.gnutar} xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
'';
};
swapDevices = [ ];
nix = {
# optimize the store
optimise.automatic = true;
# auto garbage collect old generations
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
settings = {
# enable flakes!
experimental-features = [
"nix-command"
"flakes"
];
# Use muffin server as a binary cache
substituters = [ "https://nix-cache.sigkill.computer" ];
trusted-public-keys = [
"nix-cache.sigkill.computer-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk="
];
netrc-file = "${./secrets/nix-cache-netrc}";
};
};
# cachyos kernel overlay
nixpkgs.overlays = [ inputs.nix-cachyos-kernel.overlays.default ];
# kernel options
boot = {
# cachyos kernel: bore scheduler, full lto, x86_64-v3 (common to zen 3 + zen 5)
kernelPackages =
let
helpers = pkgs.callPackage "${inputs.nix-cachyos-kernel}/helpers.nix" { };
kernel = pkgs.cachyosKernels.linux-cachyos-bore-lto.override {
lto = "full";
processorOpt = "x86_64-v3";
};
in
helpers.kernelModuleLLVMOverride (pkgs.linuxKernel.packagesFor kernel);
# disable legacy subsystems neither host will ever use
kernelPatches = [
{
name = "disable-legacy-subsystems";
patch = null;
structuredExtraConfig = with lib.kernel; {
# ancient bus/card standards
PCMCIA = lib.mkForce no;
PCCARD = lib.mkForce no;
PARPORT = lib.mkForce no;
GAMEPORT = lib.mkForce module;
FIREWIRE = lib.mkForce no;
AGP = lib.mkForce no;
# legacy networking
ATM = lib.mkForce no;
FDDI = lib.mkForce no;
ISDN = lib.mkForce no;
CAN = lib.mkForce no;
NFC = lib.mkForce no;
INFINIBAND = lib.mkForce no;
# amateur radio (HAMRADIO is the umbrella but these are separate symbols)
HAMRADIO = lib.mkForce no;
AX25 = lib.mkForce no;
NETROM = lib.mkForce no;
ROSE = lib.mkForce no;
# dead protocols
PHONET = lib.mkForce no;
IEEE802154 = lib.mkForce no;
"6LOWPAN" = lib.mkForce no;
NET_9P = lib.mkForce no;
BATMAN_ADV = lib.mkForce no;
# tv tuners / digital video broadcasting
MEDIA_ANALOG_TV_SUPPORT = lib.mkForce no;
MEDIA_DIGITAL_TV_SUPPORT = lib.mkForce no;
DVB_CORE = lib.mkForce no;
# hypervisor guest support (bare metal only)
HYPERV = lib.mkForce no;
XEN = lib.mkForce no;
VMWARE_VMCI = lib.mkForce no;
VMWARE_BALLOON = lib.mkForce no;
VMWARE_PVSCSI = lib.mkForce no;
VMWARE_VMCI_VSOCKETS = lib.mkForce no;
VMXNET3 = lib.mkForce no;
DRM_VMWGFX = lib.mkForce no;
VBOXGUEST = lib.mkForce no;
VBOXSF_FS = lib.mkForce no;
# staging drivers (experimental/unmaintained)
STAGING = lib.mkForce no;
# SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
ACCESSIBILITY = lib.mkForce no;
MTD = lib.mkForce no;
MEDIA_RC_SUPPORT = lib.mkForce no;
# legacy storage (AHCI for modern SATA is independent)
ATA_SFF = lib.mkForce no;
SCSI_LOWLEVEL = lib.mkForce no;
FUSION = lib.mkForce no;
# misc legacy
MOST = lib.mkForce no;
PPDEV = lib.mkForce no;
PHANTOM = lib.mkForce no;
X86_ANDROID_TABLETS = lib.mkForce no;
# CHROME_PLATFORMS stays — Framework laptops use CrOS EC
SURFACE_PLATFORMS = lib.mkForce no;
MCTP = lib.mkForce no;
GPIB = lib.mkForce no;
SIOX = lib.mkForce no;
SLIMBUS = lib.mkForce no;
WWAN = lib.mkForce no;
# nvidia gpu
DRM_NOUVEAU = lib.mkForce no;
# other gpus not present
DRM_RADEON = lib.mkForce no;
DRM_GMA500 = lib.mkForce no;
DRM_AST = lib.mkForce no;
DRM_MGAG200 = lib.mkForce no;
DRM_HISI_HIBMC = lib.mkForce no;
DRM_APPLETBDRM = lib.mkForce no;
# intel gpu
DRM_I915 = lib.mkForce no;
DRM_XE = lib.mkForce no;
# intel cpu / platform
INTEL_IOMMU = lib.mkForce no;
INTEL_IDLE = lib.mkForce no;
INTEL_HFI_THERMAL = lib.mkForce no;
INTEL_TCC_COOLING = lib.mkForce no;
INTEL_SOC_DTS_THERMAL = lib.mkForce no;
INTEL_PCH_THERMAL = lib.mkForce no;
INTEL_POWERCLAMP = lib.mkForce no;
X86_PKG_TEMP_THERMAL = lib.mkForce no;
X86_INTEL_LPSS = lib.mkForce no;
INTEL_MEI = lib.mkForce no;
INTEL_TH = lib.mkForce no;
INTEL_VSEC = lib.mkForce no;
INTEL_IDXD = lib.mkForce no;
INTEL_IOATDMA = lib.mkForce no;
EDAC_E752X = lib.mkForce no;
EDAC_I82975X = lib.mkForce no;
EDAC_I3000 = lib.mkForce no;
EDAC_I3200 = lib.mkForce no;
EDAC_IE31200 = lib.mkForce no;
EDAC_X38 = lib.mkForce no;
EDAC_I5400 = lib.mkForce no;
EDAC_I7CORE = lib.mkForce no;
EDAC_I5100 = lib.mkForce no;
EDAC_I7300 = lib.mkForce no;
EDAC_SBRIDGE = lib.mkForce no;
EDAC_SKX = lib.mkForce no;
EDAC_I10NM = lib.mkForce no;
EDAC_IMH = lib.mkForce no;
EDAC_PND2 = lib.mkForce no;
EDAC_IGEN6 = lib.mkForce no;
# intel audio
SND_SOC_SOF_INTEL_TOPLEVEL = lib.mkForce no;
SND_SOC_INTEL_SST_TOPLEVEL = lib.mkForce no;
# mellanox networking
MLX4_CORE = lib.mkForce no;
MLX5_CORE = lib.mkForce no;
MLXSW_CORE = lib.mkForce no;
MLX_PLATFORM = lib.mkForce no;
# fpga
FPGA = lib.mkForce no;
# old x86 cpufreq / platform (both systems are modern Zen)
AMD_NUMA = lib.mkForce no;
X86_POWERNOW_K8 = lib.mkForce no;
X86_P4_CLOCKMOD = lib.mkForce no;
X86_SPEEDSTEP_LIB = lib.mkForce no;
# cxl (datacenter memory expansion)
CXL_BUS = lib.mkForce no;
# embedded SoC peripherals (not present on desktop/laptop)
INPUT_TOUCHSCREEN = lib.mkForce no;
INPUT_TABLET = lib.mkForce no;
INPUT_JOYSTICK = lib.mkForce no;
MEDIA_PLATFORM_DRIVERS = lib.mkForce no;
MEDIA_TEST_SUPPORT = lib.mkForce no;
# deprecated userland compat
SGETMASK_SYSCALL = lib.mkForce no;
UID16 = lib.mkForce no;
X86_X32_ABI = lib.mkForce no;
};
}
];
# aes_generic is built-in as of linux 7.0, no longer a loadable module
initrd.luks.cryptoModules = lib.mkForce (
lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
);
# some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
initrd.allowMissingModules = true;
lanzaboote = {
enable = true;
# TODO: proper secrets management so this is not stored in nix store
pkiBundle = "/var/lib/sbctl";
};
# Bootloader.
loader = {
efi.canTouchEfiVariables = true;
timeout = 1;
/*
Lanzaboote currently replaces the systemd-boot module.
This setting is usually set to true in configuration.nix
generated at installation time. So we force it to false
for now.
*/
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 10;
};
initrd = {
systemd.enable = true;
compressor = "zstd";
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"amdgpu"
];
};
kernelModules = [
"kvm-amd"
"ip_tables"
"iptable_nat"
"msr"
"btusb"
];
kernelParams = [
# 1gb huge pages
"hugepagesz=1G"
"hugepages=3"
];
};
environment.etc = {
# override default nixos /etc/issue
"issue".text = "";
};
services = {
# fwupd for updating firmware
fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
# auto detect network printers
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
# Enable CUPS to print documents.
printing = {
enable = true;
drivers = with pkgs; [ hplip ];
};
# I don't want fingerprint login
fprintd.enable = false;
# Making sure mullvad works on boot
mullvad-vpn.enable = true;
# power statistics
upower.enable = true;
# power profiles for noctalia shell
power-profiles-daemon.enable = true;
# geolocation (uses beacondb.net by default)
geoclue2 = {
enable = true;
appConfig.zen-twilight = {
isAllowed = true;
isSystem = false;
};
};
};
# EST
time.timeZone = "America/New_York";
security = {
# lets use doas and not sudo!
doas.enable = true;
sudo.enable = false;
# Configure doas
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable Bluetooth
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
# Enable experimental features for battery % of bluetooth devices
settings.General.Experimental = true;
};
# Apply gtk themes by enabling dconf
programs.dconf.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
users.users.${username} = {
isNormalUser = true;
extraGroups = [
"networkmanager"
"wheel"
"video"
"camera"
"adbusers"
];
# TODO! this is really bad :( I should really figure out how to do proper secrets management
hashedPasswordFile = "${./secrets/password-hash}";
};
services.gvfs.enable = true;
programs.gphoto2.enable = true;
# Enable thermal data
services.thermald.enable = true;
services.pcscd.enable = true;
programs.gnupg.agent = {
enable = true;
pinentryPackage = pkgs.pinentry-curses;
enableSSHSupport = false;
};
# System packages
environment.systemPackages = with pkgs; [
# mullvad-vpn is provided by services.mullvad-vpn.enable
#secureboot ctl
sbctl
dmidecode
doas-sudo-shim
glib
usbutils
libmtp
man-pages
man-pages-posix
# needed for home-manager
git
tmux
android-tools
];
# wayland with electron/chromium applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
fi
'';
};
# port 53317 for localsend
networking.firewall.allowedUDPPorts = [ 53317 ];
networking.firewall.allowedTCPPorts = [ 53317 ];
system.stateVersion = "25.05";
nixpkgs.hostPlatform = "x86_64-linux";
documentation.enable = true;
documentation.man.enable = true;
documentation.dev.enable = true;
}
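Review bot: `netrc-file = "${./secrets/nix-cache-netrc}"` interpolates a repository path into a string, which copies the cache credentials into /nix/store where every local user can read them; the same pattern is used for the secure-boot key tarball in the `secureboot-keys` activation script, for `hashedPasswordFile`, and for the LUKS `passwordFile` in the disko layout later in this commit. The `TODO!` markers above the activation script and the password hash acknowledge two of these, but the netrc file and the disko password carry no such note, and the `chmod -R 500` on the extracted bundle only protects the copy under `pkiBundle`, not the tarball that remains in the store. Until the secrets are read from a root-only path at runtime rather than at evaluation time, add the same `# TODO! proper secrets management` comment above `netrc-file` and above the disko `passwordFile` so the exposure is documented consistently.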


@@ -0,0 +1,53 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = "${./secrets/disk-password}";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/";
extraArgs = [
"-O"
"extra_attr,inode_checksum,sb_checksum,compression"
];
mountOptions = [
"compress_algorithm=zstd:6,compress_chksum,atgc,gc_merge,lazytime,nodiscard"
];
};
};
};
};
};
};
};
};
}


@@ -0,0 +1,52 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
persistent = {
size = "100%";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/persistent";
};
};
nix = {
size = "200G";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/nix";
};
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"defaults"
"size=2G"
"mode=755"
];
};
};
};
fileSystems."/persistent".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
}
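Review bot: The ESP in this layout mounts /boot without `mountOptions = [ "umask=0077" ];`, unlike the other disko file in this commit, so the boot partition and everything lanzaboote writes there is readable by every local user; add the same `mountOptions` line to the ESP `content` block. This layout also has no LUKS layer, while the impermanence module later persists the SSH host keys and `/etc/machine-id` on the `/persistent` filesystem declared here; if unencrypted storage is intentional for this host, a one-line comment above `disko.devices` saying so would save the next reader from assuming it was an oversight.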


@@ -0,0 +1,38 @@
{
config,
lib,
username,
...
}:
{
environment.persistence."/persistent" = {
hideMounts = true;
directories = [
"/var/log"
"/var/lib/systemd/coredump"
"/var/lib/nixos"
"/var/lib/systemd/timers"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/machine-id"
];
};
# Bind mount entire home directory from persistent storage
# (impermanence doesn't support "." so we do this directly)
fileSystems."/home/${username}" = {
device = "/persistent/home/${username}";
fsType = "none";
options = [ "bind" ];
neededForBoot = true;
};
systemd.tmpfiles.rules = [
"d /etc 755 root"
];
}
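Review bot: The `systemd.tmpfiles.rules` entry `"d /etc 755 root"` has no comment explaining why /etc needs an explicit tmpfiles rule on a tmpfs root, and it is the kind of line that gets deleted as "obviously unnecessary" later; suggest `# ensure /etc exists before activation populates it on the tmpfs root — TODO confirm this is still required`. The `/var/lib/systemd/coredump` entry persists core dumps across reboots on a machine whose root is otherwise wiped; dumps can contain process memory including credentials, so a comment stating that keeping them is intended (or dropping the entry so that directory stays on the tmpfs) would make the choice explicit. The bind-mount block for the home directory is fine as written.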


@@ -0,0 +1,26 @@
{ hostname, ... }:
{
# speed up boot times (by about three seconds)
systemd.services.NetworkManager-wait-online.enable = false;
networking = {
hostName = hostname;
networkmanager = {
enable = true;
appendNameservers = [
"1.1.1.1"
"9.9.9.9"
];
wifi = {
scanRandMacAddress = true;
# fix suspend issue
# powersave = false;
};
ensureProfiles.profiles = import ./secrets/wifi-passwords.nix;
};
};
}
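Review bot: `ensureProfiles.profiles = import ./secrets/wifi-passwords.nix` evaluates the Wi-Fi passphrases into the NixOS configuration, and profiles declared through `ensureProfiles` are rendered into the Nix store, so the PSKs end up world-readable on the host even though the source file lives under `secrets/`. The supported pattern is to keep placeholders such as `$WIFI_PSK` in the profile and point `networking.networkmanager.ensureProfiles.environmentFiles` at a root-only file that is expanded when the service runs rather than at build time. If the import is kept for now, a `# TODO! PSKs land in the nix store` comment above the line would match the markers used elsewhere in this commit.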


@@ -0,0 +1,43 @@
{ pkgs, lib, ... }:
{
systemd.services.no-rgb =
let
no-rgb = (
pkgs.writeShellApplication {
name = "no-rgb";
runtimeInputs = with pkgs; [
openrgb
coreutils
gnugrep
];
text = ''
#!/bin/sh
set -e
NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
for i in $(seq 0 $((NUM_DEVICES - 1))); do
openrgb --noautoconnect --device "$i" --mode direct --color 000000
done
'';
}
);
in
{
description = "disable rgb";
serviceConfig = {
ExecStart = "${lib.getExe no-rgb}";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
};
services.hardware.openrgb.enable = true;
services.udev.packages = [ pkgs.openrgb ];
hardware.i2c.enable = true;
environment.systemPackages = with pkgs; [
openrgb-with-all-plugins
];
}
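Review bot: With no RGB devices enumerated, `grep -cE` prints `0` but exits 1, and `writeShellApplication` runs its `text` under `set -o errexit -o nounset -o pipefail`, so the `NUM_DEVICES=` assignment aborts the script and `no-rgb.service` fails at boot instead of doing nothing; change it to `NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ' || true)`. The `#!/bin/sh` and `set -e` lines inside `text` are redundant for the same reason — writeShellApplication supplies a bash shebang and its own strict-mode options — and the stray shebang reads as a comment suggesting the script runs under sh, so both can be dropped.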

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,28 @@
{
pkgs,
config,
lib,
...
}:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"steam"
"steam-original"
"steam-unwrapped"
"steam-run"
];
programs.steam = {
enable = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
};
environment.systemPackages = with pkgs; [
steamtinkerlaunch
mangohud
goverlay
yad
];
}
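Review bot: `nixpkgs.config.allowUnfreePredicate` is defined here and again in the yarn host file in this commit with a longer list (adding `steamdeck-hw-theme` and `steam-jupiter-unwrapped`); as far as I recall `nixpkgs.config` is merged with `lib.recursiveUpdate`, which cannot combine two functions and silently keeps one of them, so which unfree packages are allowed would depend on module evaluation order. Keep a single definition — either drop this one and let the yarn superset stand, or move the package list into `common.nix` and have both predicates read it — and add a comment noting that the option does not merge across modules.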


@@ -0,0 +1,60 @@
{
config,
pkgs,
lib,
username,
inputs,
...
}:
{
imports = [
./common.nix
./disk_mreow.nix
inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series
];
hardware.framework.laptop13.audioEnhancement.rawDeviceName =
lib.mkDefault "alsa_output.pci-0000_c1_00.6.analog-stereo";
# PST
# time.timeZone = lib.mkForce "America/Los_Angeles";
# weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
# if I move to another lock screen program, i will have to replace `swaylock`
security.pam.services.swaylock = { };
# Kernel-level power tuning. These are boot-time / module-load-time settings
# that power-profiles-daemon (in common.nix) does not manage. ppd handles
# governor and EPP at runtime; these cover everything else.
boot.kernelParams = [
# Disable NMI watchdog. Eliminates periodic perf-counter interrupts
# across all cores (~1 W). Kernel softlockup watchdog remains active.
"nmi_watchdog=0"
# Route kernel work items to already-busy CPUs rather than waking idle
# ones. Reduces C-state exit frequency -- significant on battery where
# cores idle often.
"workqueue.power_efficient=1"
];
boot.kernel.sysctl."kernel.nmi_watchdog" = 0;
# Power-gate the HDA codec between audio activity. 1-second inactivity
# timeout; controller powers down fully. Wakes transparently on next
# audio event -- no audible artifacts on Framework 13 AMD.
boot.extraModprobeConfig = ''
options snd_hda_intel power_save=1 power_save_controller=Y
'';
# Greetd display manager
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${lib.getExe pkgs.tuigreet} --time";
user = username;
};
};
};
}


@@ -0,0 +1,276 @@
{
config,
pkgs,
lib,
username,
inputs,
...
}:
{
imports = [
./disk_yarn.nix
./common.nix
./impermanence.nix
./no-rgb.nix
./vr.nix
inputs.impermanence.nixosModules.impermanence
inputs.jovian-nixos.nixosModules.default
];
fileSystems."/media/games" = {
device = "/dev/disk/by-uuid/1878136e-765d-4784-b204-3536ab4fdac8";
fsType = "f2fs";
options = [ "nofail" ];
};
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
networking.hostId = "abf570f9";
# Static IP for consistent SSH access
networking.networkmanager.ensureProfiles.profiles.enp7s0-static = {
connection = {
id = "enp7s0-static";
type = "ethernet";
interface-name = "enp7s0";
autoconnect = true;
};
ipv4 = {
method = "manual";
address1 = "192.168.1.223/24,192.168.1.1";
dns = "1.1.1.1;9.9.9.9;";
};
ipv6.method = "disabled";
};
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "yes";
};
};
users.users.${username}.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
];
programs.steam = {
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
# LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
environment.systemPackages = with pkgs; [
lact
jovian-stubs
];
systemd.packages = with pkgs; [ lact ];
systemd.services.lactd.wantedBy = [ "multi-user.target" ];
systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
# root-level service that applies a pending update. Triggered by
# steamos-update (via systemctl start) when the user accepts an update.
# Runs as root so it can write the system profile and boot entry.
systemd.services.pull-update-apply = {
description = "Apply pending NixOS update pulled from binary cache";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
set -uo pipefail
export PATH=${
pkgs.lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
]
}
STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
if [ -z "$STORE_PATH" ]; then
echo "server unreachable"
exit 1
fi
echo "applying $STORE_PATH"
nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
echo "update applied; reboot required"
'';
};
};
# Allow primary user to start pull-update-apply.service without a password
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "pull-update-apply.service" &&
subject.user == "${username}") {
return polkit.Result.YES;
}
});
'';
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"steamdeck-hw-theme"
"steam-jupiter-unwrapped"
"steam"
"steam-original"
"steam-unwrapped"
"steam-run"
];
# Override jovian-stubs to disable steamos-update kernel check
# This prevents Steam from requesting reboots for "system updates"
# Steam client updates will still work normally
nixpkgs.overlays = [
(
final: prev:
let
deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
steamos-update-script = final.writeShellScript "steamos-update" ''
export PATH=${
final.lib.makeBinPath [
final.curl
final.coreutils
final.systemd
]
}
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
>&2 echo "[steamos-update] server unreachable"
exit 7
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
>&2 echo "[steamos-update] no update available"
exit 0
fi
# check-only mode: just report that an update exists
if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
>&2 echo "[steamos-update] update available"
exit 0
fi
# apply: trigger the root-running systemd service to install the update
>&2 echo "[steamos-update] applying update..."
if systemctl start --wait pull-update-apply.service; then
>&2 echo "[steamos-update] update installed, reboot to apply"
exit 0
else
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
exit 1
fi
'';
in
{
jovian-stubs = prev.stdenv.mkDerivation {
name = "jovian-stubs";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin
ln -s ${steamos-update-script} $out/bin/steamos-update
ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
# jupiter-initial-firmware-update: no-op (not a real steam deck)
cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
#!/bin/sh
exit 0
STUB
# jupiter-biosupdate: no-op (not a real steam deck)
cat > $out/bin/jupiter-biosupdate << 'STUB'
#!/bin/sh
exit 0
STUB
# steamos-reboot: reboot the system
cat > $out/bin/steamos-reboot << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
systemctl reboot
STUB
# steamos-select-branch: no-op stub
cat > $out/bin/steamos-select-branch << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# steamos-factory-reset-config: no-op stub
cat > $out/bin/steamos-factory-reset-config << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# steamos-firmware-update: no-op stub
cat > $out/bin/steamos-firmware-update << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# pkexec: pass through to real pkexec
cat > $out/bin/pkexec << 'STUB'
#!/bin/sh
exec /run/wrappers/bin/pkexec "$@"
STUB
# sudo: strip flags and run the command directly (no escalation).
# privileged ops are delegated to root systemd services via systemctl.
cat > $out/bin/sudo << 'STUB'
#!/bin/sh
while [ $# -gt 0 ]; do
case "$1" in
-*) shift ;;
*) break ;;
esac
done
exec "$@"
STUB
find $out/bin -type f -exec chmod 755 {} +
'';
};
}
)
];
jovian = {
devices.steamdeck.enable = false;
steam = {
enable = true;
autoStart = true;
desktopSession = "niri";
user = username;
};
};
# Jovian-NixOS requires sddm
# https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
services.displayManager.sddm.wayland.enable = true;
# Disable gamescope from common.nix to avoid conflict with jovian-nixos
programs.gamescope.enable = lib.mkForce false;
}
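Review bot: In `pull-update-apply`, `$STORE_PATH` comes straight from an HTTP response and is then passed to `nix-env --set` and executed as root via `"$STORE_PATH/bin/switch-to-configuration" boot` with no check that it is a store path, let alone a NixOS system closure; `nix-store -r` rejects paths outside /nix/store, but a shape check before use keeps a mis-served response from reaching the later commands: `case "$STORE_PATH" in /nix/store/*-nixos-system-*) ;; *) echo "unexpected deploy path: $STORE_PATH"; exit 1 ;; esac` (the `steamos-update` script in the overlay reads the same endpoint and can use the same check). Integrity of what gets booted then rests on the `trusted-public-keys` entry in common.nix, so a comment above the `curl` line stating that the deploy endpoint only selects among closures already signed by the cache would document the trust boundary. Separately, `PermitRootLogin = "yes"` is broader than the deploy key needs — password authentication is already off and root only needs the two listed keys — so `PermitRootLogin = "prohibit-password"` keeps the CI path working while ruling out any PAM or keyboard-interactive route to root.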


@@ -0,0 +1,39 @@
{
pkgs,
username,
lib,
...
}:
{
# android virtualization
virtualisation.waydroid = {
enable = true;
# https://github.com/NixOS/nixpkgs/pull/466473
package = pkgs.waydroid-nftables;
};
programs.virt-manager.enable = true;
users.groups.libvirtd.members = [ username ];
virtualisation.libvirtd = {
enable = true;
package = pkgs.libvirt;
};
virtualisation.spiceUSBRedirection.enable = true;
users.users."${username}".extraGroups = [ "libvirtd" ];
# boot.kernelPatches = [
# {
# name = "undetected-kvm";
# patch = pkgs.fetchurl {
# url = "https://raw.githubusercontent.com/Scrut1ny/Hypervisor-Phantom/d09d66813570704e2b05440f290d6f9bdf2d26c7/Hypervisor-Phantom/patches/Kernel/linux-6.13-svm.patch";
# sha256 = "zz18xerutulLGzlHhnu26WCY8rVQXApyeoDtCjbejIk=";
# };
# }
# ];
}
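Review bot: Membership in `libvirtd` is declared twice — `users.groups.libvirtd.members = [ username ]` and `users.users."${username}".extraGroups = [ "libvirtd" ]` — and the `extraGroups` list form already merges with the group list in common.nix, so one of the two lines is redundant; keeping `extraGroups` matches the style of common.nix and the `users.groups` line can go. A short comment noting that `libvirtd` group membership is commonly treated as root-equivalent would make it clear this is deliberate for a user who already has doas access.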


@@ -0,0 +1,45 @@
{
pkgs,
inputs,
lib,
...
}:
{
# for FO4 VR:
# doesn't work. it's like the wivrn stuff doesn't transfer past MO2
# `echo "PRESSURE_VESSEL_FILESYSTEMS_RW=$XDG_RUNTIME_DIR/wivrn/comp_ipc %command%" | sed -r "s/proton waitforexitandrun .*/proton waitforexitandrun \/media\/games\/fallout4vr_essentials_overhaul\/ModOrganizer.exe \"moshortcut:\/\/:Play Fallout Essentials\" /" | sh`
services.wivrn = {
enable = true;
openFirewall = true;
# Executing it through the systemd service executes WiVRn w/ CAP_SYS_NICE
# Resulting in no stutters!
autoStart = true;
# Config for WiVRn
config = {
enable = true;
json = {
# 1.0x display scaling
scale = 1.0;
# 100 Mb/s
bitrate = 100000000;
encoders = [
{
encoder = "vaapi";
codec = "h265";
# 1.0 x 1.0 scaling
width = 1.0;
height = 1.0;
offset_x = 0.0;
offset_y = 0.0;
}
];
application = [ pkgs.wayvr ];
};
};
};
}
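Review bot: `services.wivrn.openFirewall = true` opens the WiVRn ports on every interface, including the one carrying the static LAN address and SSH on the yarn host; if the headset only ever joins the home network, scoping the rules with `networking.firewall.interfaces.<name>` for that interface keeps the streaming endpoint off other links (the exact port list lives in the wivrn module, not in this file). Either way, a one-line comment stating which network the headset is expected on would document the intent behind opening the firewall globally.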