authorBaitinq <manuelpalenzuelamerino@gmail.com>2022-09-20 02:18:09 +0200
committerBaitinq <manuelpalenzuelamerino@gmail.com>2022-09-20 02:23:35 +0200
commitdaaf66420582db82f8cad09510324656d429d229 (patch)
treed335d4265669c7ad3dee658389bacda787830b42 /hardware
parentMisc: Remove code duplication by merging sets (diff)
Fully separate hosts from hardwares
Now hosts/ and hardware/ live under different directories and their
joined system configurations are permutated and exposed through the
host-hardware outputs
Diffstat (limited to 'hardware')
-rw-r--r--hardware/chromebook/default.nix4
-rw-r--r--hardware/chromebook/disks.nix152
-rw-r--r--hardware/chromebook/hardware.nix54
-rw-r--r--hardware/laptop/default.nix4
-rw-r--r--hardware/laptop/disks.nix52
-rw-r--r--hardware/laptop/hardware.nix58
-rw-r--r--hardware/virtualbox/default.nix4
-rw-r--r--hardware/virtualbox/disks.nix57
-rw-r--r--hardware/virtualbox/hardware.nix33
9 files changed, 418 insertions, 0 deletions
diff --git a/hardware/chromebook/default.nix b/hardware/chromebook/default.nix
new file mode 100644
index 0000000..b0125ee
--- /dev/null
+++ b/hardware/chromebook/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ./hardware.nix ];
+}
diff --git a/hardware/chromebook/disks.nix b/hardware/chromebook/disks.nix
new file mode 100644
index 0000000..ad0e014
--- /dev/null
+++ b/hardware/chromebook/disks.nix
@@ -0,0 +1,152 @@
+{ inputs, lib, config, pkgs, ... }:
+let
+  MMC = "/dev/disk/by-id/mmc-AGND3R_0x48d44fdc";
+  SD = "/dev/disk/by-id/usb-Generic_STORAGE_DEVICE_000000000208-0:0";
+
+  partitionsCreateScript = ''
+    parted -s "${MMC}" mklabel gpt
+    parted -s "${MMC}" mkpart "efi" fat32 1024KiB 64M
+    parted -s "${MMC}" set 1 esp on
+    parted -s -a optimal "${MMC}" mkpart  "boot" 64M 264M
+    parted -s -a optimal "${MMC}" mkpart "nix" 264M 100%
+
+    parted -s "${SD}" mklabel gpt
+    parted -s -a optimal "${SD}" mkpart "home_and_persist" 1024KiB 100%
+
+    udevadm trigger --subsystem-match=block; udevadm settle
+  '';
+  partitionsFormatScript = ''
+    mkfs.vfat "${MMC}"-part1
+    cryptsetup -q luksFormat "${MMC}"-part2  --type luks1
+    cryptsetup open --type luks "${MMC}"-part2 encrypted_boot
+    mkfs.ext4 /dev/mapper/encrypted_boot
+    cryptsetup close encrypted_boot
+    cryptsetup -q luksFormat "${MMC}"-part3  --type luks2
+    cryptsetup open --type luks "${MMC}"-part3 encrypted_nix
+    mkfs.btrfs -f /dev/mapper/encrypted_nix
+    cryptsetup close encrypted_nix
+
+    cryptsetup -q luksFormat "${SD}"-part1  --type luks2
+    cryptsetup open --type luks "${SD}"-part1 encrypted_home_and_persist
+    pvcreate /dev/mapper/encrypted_home_and_persist
+    vgcreate encrypted_home_and_persist_pool /dev/mapper/encrypted_home_and_persist
+    lvcreate -L 4G -n persist encrypted_home_and_persist_pool
+    mkfs.btrfs -f /dev/mapper/encrypted_home_and_persist_pool-persist
+    lvcreate -l 100%FREE -n home encrypted_home_and_persist_pool
+    mkfs.btrfs -f /dev/mapper/encrypted_home_and_persist_pool-home
+    vgchange -a n encrypted_home_and_persist_pool
+    cryptsetup close encrypted_home_and_persist
+  '';
+  partitionsMountScript = ''
+    mount -t tmpfs none /mnt
+    mkdir -p /mnt/{boot,nix,persist,home}
+    
+    cryptsetup open --type luks /dev/disk/by-partlabel/boot encrypted_boot
+    mount /dev/mapper/encrypted_boot /mnt/boot
+    mkdir -p /mnt/boot/efi
+    mount /dev/disk/by-partlabel/efi /mnt/boot/efi
+    cryptsetup open --type luks /dev/disk/by-partlabel/nix encrypted_nix
+    mount -o compress-force=zstd,noatime /dev/mapper/encrypted_nix /mnt/nix
+    cryptsetup open --type luks /dev/disk/by-partlabel/home_and_persist encrypted_home_and_persist
+    vgchange -ay encrypted_home_and_persist_pool
+    mount -o compress-force=zstd /dev/mapper/encrypted_home_and_persist_pool-home /mnt/home
+    mount -o compress-force=zstd,noatime /dev/mapper/encrypted_home_and_persist_pool-persist /mnt/persist
+  '';
+in
+{
+  config = {
+
+    environment.persistence."/persist" = {
+      directories = [
+        "/var/log"
+        "/var/lib"
+      ];
+      files = [
+        "/etc/machine-id"
+        "/etc/nix/id_rsa"
+      ];
+    };
+
+    fileSystems."/" = {
+      device = "none";
+      fsType = "tmpfs";
+    };
+
+    boot.initrd.luks.devices."encrypted_boot" = {
+      device = "/dev/disk/by-partlabel/boot";
+      preLVM = true;
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/mapper/encrypted_boot";
+      fsType = "ext4";
+    };
+
+    fileSystems."/boot/efi" = {
+      device = "/dev/disk/by-partlabel/efi";
+      fsType = "vfat";
+    };
+
+    boot.initrd.luks.devices."encrypted_nix".device = "/dev/disk/by-partlabel/nix";
+
+    fileSystems."/nix" = {
+      device = "/dev/mapper/encrypted_nix";
+      fsType = "btrfs";
+      neededForBoot = true;
+      options = [ "compress-force=zstd" "noatime" ];
+    };
+
+    boot.initrd.luks.devices."encrypted_home_and_persist".device = "/dev/disk/by-partlabel/home_and_persist";
+
+    fileSystems."/persist" = {
+      device = "/dev/mapper/encrypted_home_and_persist_pool-persist";
+      fsType = "btrfs";
+      neededForBoot = true;
+      options = [ "compress-force=zstd" "noatime" ];
+    };
+
+    fileSystems."/home" = {
+      device = "/dev/mapper/encrypted_home_and_persist_pool-home";
+      fsType = "btrfs";
+      options = [ "compress-force=zstd" ];
+    };
+
+    services.btrfs.autoScrub.enable = true;
+
+    swapDevices = [ ];
+
+    zramSwap.enable = true;
+
+
+    environment.systemPackages = [
+      config.disks-create
+      config.disks-format
+      config.disks-mount
+    ];
+  };
+
+  options.disks-create = with lib; mkOption rec {
+    type = types.package;
+    default = with pkgs; symlinkJoin {
+      name = "disks-create";
+      paths = [ (writeScriptBin default.name partitionsCreateScript) parted ];
+    };
+  };
+
+  options.disks-format = with lib; mkOption rec {
+    type = types.package;
+    default = with pkgs; symlinkJoin {
+      name = "disks-format";
+      paths = [ (writeScriptBin default.name partitionsFormatScript) cryptsetup lvm2 dosfstools e2fsprogs btrfs-progs ];
+    };
+  };
+
+  options.disks-mount = with lib; mkOption rec {
+    type = types.package;
+    default = with pkgs; symlinkJoin {
+      name = "disks-mount";
+      paths = [ (writeScriptBin default.name partitionsMountScript) cryptsetup lvm2 ];
+    };
+  };
+
+}
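Review bot: The three disk scripts are packaged with `writeScriptBin` and their text starts directly with a command, so the generated files have no interpreter line and no `set -e`. In `partitionsFormatScript` that means a failed `cryptsetup luksFormat` or `cryptsetup open` does not stop the script, and the next `mkfs.ext4` or `mkfs.btrfs -f` runs against whatever `/dev/mapper/encrypted_*` mapping already exists, for example one left open by an earlier run. I would build them with `writeShellScriptBin default.name partitionsFormatScript` (and the same for the create and mount scripts) and make `set -euo pipefail` the first line of each script. `partitionsMountScript` also uses the brace expansion `/mnt/{boot,nix,persist,home}`, which only works when the script is run by bash.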
diff --git a/hardware/chromebook/hardware.nix b/hardware/chromebook/hardware.nix
new file mode 100644
index 0000000..85b7227
--- /dev/null
+++ b/hardware/chromebook/hardware.nix
@@ -0,0 +1,54 @@
+{ config, lib, inputs, pkgs, modulesPath, ... }:
+let
+  powerMode = "schedutil";
+in
+{
+  imports = [
+    ./disks.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "aesni_intel" "cryptd" ];
+      kernelModules = [ "i915" ];
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelModules = [ "kvm_intel" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "net.ifnames=0" "biosdevname=0" "iomem=relaxed" "mitigations=off" ];
+  };
+
+  powerManagement.cpuFreqGovernor = powerMode;
+
+  services = {
+    xserver = {
+      videoDrivers = [ "intel" ];
+
+      # Enable touchpad support (enabled default in most desktopManager).
+      synaptics = {
+        enable = true;
+        palmDetect = true;
+        twoFingerScroll = true;
+        minSpeed = "1.0";
+        maxSpeed = "1.12";
+        accelFactor = "0.01";
+      };
+    };
+    fstrim.enable = true;
+    tlp.enable = true;
+  };
+
+  hardware = {
+    opengl = {
+      enable = true;
+      driSupport = true;
+      extraPackages = with pkgs; [
+        intel-media-driver # LIBVA_DRIVER_NAME=iHD
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+  };
+
+}
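Review bot: `kernelParams` carries `mitigations=off` and `iomem=relaxed` with no comment, on a machine that otherwise encrypts every volume and loads `kvm_intel`. `mitigations=off` turns off the kernel's CPU speculative-execution mitigations and `iomem=relaxed` loosens the restrictions on userspace access to I/O memory through /dev/mem, so both trade isolation for speed or tooling convenience. If they are deliberate, record why next to them, e.g. `# mitigations=off: performance over side-channel isolation; iomem=relaxed: needed by <tool>`; otherwise reduce the list to `[ "net.ifnames=0" "biosdevname=0" ]`. The same applies to `hardware/laptop/hardware.nix` (both parameters) and `hardware/virtualbox/hardware.nix` (`mitigations=off`).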
diff --git a/hardware/laptop/default.nix b/hardware/laptop/default.nix
new file mode 100644
index 0000000..b0125ee
--- /dev/null
+++ b/hardware/laptop/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ./hardware.nix ];
+}
diff --git a/hardware/laptop/disks.nix b/hardware/laptop/disks.nix
new file mode 100644
index 0000000..07618df
--- /dev/null
+++ b/hardware/laptop/disks.nix
@@ -0,0 +1,52 @@
+{ config, lib, inputs, pkgs, modulesPath, isIso, ... }:
+{
+
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/log"
+      "/var/lib"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/nix/id_rsa"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/0A8B-3968";
+    fsType = "vfat";
+  };
+
+  boot.initrd.luks.devices."encrypted_root".device = "/dev/disk/by-uuid/6db0e43d-f73f-4cf0-81f6-9391f9d03ca0";
+
+  fileSystems."/persist" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = [ "subvol=persist" "compress-force=zstd" "noatime" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    options = [ "subvol=nix" "compress-force=zstd" "noatime" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    options = [ "subvol=home" "compress-force=zstd" ];
+  };
+
+  swapDevices = [ ];
+
+  services.btrfs.autoScrub.enable = true;
+
+  zramSwap.enable = true;
+
+}
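Review bot: `fileSystems."/boot"` mounts a plain vfat partition by UUID and there is no `boot.initrd.luks.devices` entry for it, so the kernel and the initrd that asks for the `encrypted_root` passphrase are stored unencrypted on this host. `hardware/chromebook/disks.nix` does it differently: `/boot` sits on `encrypted_boot` and only `/boot/efi` is left in the clear. If the difference is intentional, a comment above the block such as `# /boot is the unencrypted ESP on this host; kernel and initrd are not protected at rest` would record it. The `isIso` and `modulesPath` arguments are not used in this file and could be dropped from the argument set.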
diff --git a/hardware/laptop/hardware.nix b/hardware/laptop/hardware.nix
new file mode 100644
index 0000000..cbec828
--- /dev/null
+++ b/hardware/laptop/hardware.nix
@@ -0,0 +1,58 @@
+{ config, lib, inputs, pkgs, modulesPath, ... }:
+let
+  powerMode = "performance";
+in
+{
+  imports = [
+    ./disks.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "sdhci_pci" ];
+      kernelModules = [ ];
+    };
+    kernelPackages = pkgs.linuxPackages_zen;
+    kernelModules = [ "kvm_intel" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "net.ifnames=0" "biosdevname=0" "iomem=relaxed" "mitigations=off" ];
+  };
+
+  powerManagement.cpuFreqGovernor = powerMode;
+
+  services = {
+    xserver = {
+      videoDrivers = [ "nvidia" ];
+
+      # Enable touchpad support (enabled default in most desktopManager).
+      synaptics = {
+        enable = true;
+        palmDetect = true;
+        twoFingerScroll = true;
+        minSpeed = "1.0";
+        maxSpeed = "1.12";
+        accelFactor = "0.01";
+      };
+    };
+  };
+
+  hardware = {
+    opengl = {
+      enable = true;
+      driSupport = true;
+    };
+
+    nvidia = {
+      prime = {
+        sync.enable = true;
+
+        # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
+        nvidiaBusId = "PCI:1:0:0";
+
+        # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
+        intelBusId = "PCI:0:2:0";
+      };
+    };
+  };
+
+}
diff --git a/hardware/virtualbox/default.nix b/hardware/virtualbox/default.nix
new file mode 100644
index 0000000..b0125ee
--- /dev/null
+++ b/hardware/virtualbox/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ./hardware.nix ];
+}
diff --git a/hardware/virtualbox/disks.nix b/hardware/virtualbox/disks.nix
new file mode 100644
index 0000000..6ba15ec
--- /dev/null
+++ b/hardware/virtualbox/disks.nix
@@ -0,0 +1,57 @@
+{ config, lib, inputs, pkgs, modulesPath, ... }:
+{
+
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/log"
+      "/var/lib"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/nix/id_rsa"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+  };
+
+  boot.initrd.luks.devices."encrypted_boot".device = "/dev/disk/by-partlabel/boot";
+
+  fileSystems."/boot" = {
+    device = "/dev/mapper/encrypted_boot";
+    fsType = "vfat";
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-partlabel/efi";
+    fsType = "vfat";
+  };
+
+  boot.initrd.luks.devices."encrypted_root".device = "/dev/disk/by-partlabel/root";
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    options = [ "subvol=nix" "compress-force=zstd" "noatime" ];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = [ "subvol=persist" "compress-force=zstd" "noatime" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/encrypted_root";
+    fsType = "btrfs";
+    options = [ "subvol=home" "compress-force=zstd" ];
+  };
+
+  swapDevices = [ ];
+
+  zramSwap.enable = true;
+
+}
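Review bot: `fileSystems."/boot"` declares `fsType = "vfat"` on `/dev/mapper/encrypted_boot`, while `hardware/chromebook/disks.nix` mounts the same mapping name as `ext4` and its format script creates it with `mkfs.ext4`. No format script for the VirtualBox layout is visible in this part of the commit, so I cannot tell which is right; if the volume is created the same way, this should be `fsType = "ext4";`, otherwise the mount would fail at boot. The `environment.persistence."/persist"` block is also repeated verbatim in all three `disks.nix` files and could live in one shared module.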
diff --git a/hardware/virtualbox/hardware.nix b/hardware/virtualbox/hardware.nix
new file mode 100644
index 0000000..470f733
--- /dev/null
+++ b/hardware/virtualbox/hardware.nix
@@ -0,0 +1,33 @@
+{ config, lib, inputs, pkgs, modulesPath, ... }:
+{
+  imports = [
+    ./disks.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules =
+        [ "ata_piix" "ohci_pci" "sd_mod" "sr_mod" ];
+      kernelModules = [ ];
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    kernelParams = [ "net.ifnames=0" "biosdevname=0" "mitigations=off" ];
+  };
+
+  services.xserver = {
+    # Enable touchpad support (enabled default in most desktopManager).
+    libinput.enable = true;
+  };
+
+  hardware = {
+    opengl = {
+      enable = true;
+      driSupport = true;
+    };
+  };
+
+  virtualisation.virtualbox.guest.enable = true;
+
+}