Diffstat (limited to 'hardware')
-rw-r--r-- | hardware/thinkpad/default.nix | 4 | ||||
-rw-r--r-- | hardware/thinkpad/disks.nix | 176 | ||||
-rw-r--r-- | hardware/thinkpad/hardware.nix | 55 |
3 files changed, 235 insertions, 0 deletions
diff --git a/hardware/thinkpad/default.nix b/hardware/thinkpad/default.nix
new file mode 100644
index 0000000..b0125ee
--- /dev/null
+++ b/hardware/thinkpad/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ imports = [ ./hardware.nix ];
+}
diff --git a/hardware/thinkpad/disks.nix b/hardware/thinkpad/disks.nix
new file mode 100644
index 0000000..543c24c
--- /dev/null
+++ b/hardware/thinkpad/disks.nix
@@ -0,0 +1,176 @@
+{ config, lib, inputs, pkgs, modulesPath, isIso, ... }:
+let
+ HDD = "/dev/disk/by-id/ata-CT250MX500SSD1_1918E2006A3A";
+
+ partitionsCreateScript = ''
+ parted -s "${HDD}" mklabel gpt
+ parted -s "${HDD}" mkpart "efi" fat32 1024KiB 64M
+ parted -s "${HDD}" set 1 esp on
+ parted -s -a optimal "${HDD}" mkpart "boot" 64M 264M
+ parted -s -a optimal "${HDD}" mkpart "root" 264M 100%
+
+ udevadm trigger --subsystem-match=block; udevadm settle
+ '';
+ partitionsFormatScript = ''
+ mkfs.vfat "${HDD}"-part1
+ cryptsetup -q luksFormat "${HDD}"-part2 --type luks1
+ cryptsetup open --type luks "${HDD}"-part2 encrypted_boot
+ mkfs.ext4 /dev/mapper/encrypted_boot
+ cryptsetup close encrypted_boot
+ cryptsetup -q luksFormat "${HDD}"-part3 --type luks2
+ cryptsetup open --type luks "${HDD}"-part3 encrypted_root
+ pvcreate /dev/mapper/encrypted_root
+ vgcreate encrypted_root_pool /dev/mapper/encrypted_root
+ lvcreate -L 4G -n persist encrypted_root_pool
+ mkfs.btrfs -f /dev/mapper/encrypted_root_pool-persist
+ lvcreate -L 128G -n nix encrypted_root_pool
+ mkfs.btrfs -f /dev/mapper/encrypted_root_pool-nix
+ lvcreate -l 100%FREE -n home encrypted_root_pool
+ mkfs.btrfs -f /dev/mapper/encrypted_root_pool-home
+ vgchange -a n encrypted_root_pool
+ cryptsetup close encrypted_root
+ '';
+ partitionsMountScript = ''
+ mount -t tmpfs none /mnt
+ mkdir -p /mnt/{boot,nix,persist,home}
+
+ cryptsetup open --type luks /dev/disk/by-partlabel/boot encrypted_boot
+ mount /dev/mapper/encrypted_boot /mnt/boot
+ mkdir -p /mnt/boot/efi
+ mount /dev/disk/by-partlabel/efi /mnt/boot/efi
+ cryptsetup open --type luks /dev/disk/by-partlabel/root encrypted_root
+ vgchange -ay encrypted_root_pool
+ mount -o compress-force=zstd /dev/mapper/encrypted_root_pool-home /mnt/home
+ mount -o compress-force=zstd,noatime /dev/mapper/encrypted_root_pool-persist /mnt/persist
+ mount -o compress-force=zstd,noatime /dev/mapper/encrypted_root_pool-nix /mnt/nix
+ '';
+
+ # Utility to save a snapshot of the root tree
+ save-root = pkgs.writers.writeDashBin "save-root" ''
+ ${pkgs.findutils}/bin/find \
+ / -xdev \( -path /tmp -o -path /var/tmp -o -path /var/log/journal \) \
+ -prune -false -o -print0 | sort -z | tr '\0' '\n' > "$1"
+ '';
+
+ # Utility to compare the root tree
+ diff-root = pkgs.writers.writeDashBin "diff-root" ''
+ export PATH=${with pkgs; lib.makeBinPath [ diffutils less ]}:$PATH
+ current="$(mktemp current-root.XXX --tmpdir)"
+ trap 'rm "$current"' EXIT INT HUP
+ ${save-root}/bin/save-root "$current"
+ diff -u /run/initial-root "$current" --color=always | ''${PAGER:-less -R}
+ '';
+in
+{
+ config = {
+
+ environment.persistence."/persist" = {
+ directories = [
+ "/var/log"
+ "/var/lib"
+ "/root"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "defaults" "mode=755" ];
+ };
+
+ boot.initrd.luks.devices."encrypted_boot" = {
+ device = "/dev/disk/by-partlabel/boot";
+ preLVM = true;
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/mapper/encrypted_boot";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-partlabel/efi";
+ fsType = "vfat";
+ };
+
+ boot.initrd.luks.devices."encrypted_root".device = "/dev/disk/by-partlabel/root";
+
+ fileSystems."/nix" = {
+ device = "/dev/mapper/encrypted_root_pool-nix";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "compress-force=zstd" "noatime" ];
+ };
+
+ fileSystems."/persist" = {
+ device = "/dev/mapper/encrypted_root_pool-persist";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [ "compress-force=zstd" "noatime" ];
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/mapper/encrypted_root_pool-home";
+ fsType = "btrfs";
+ options = [ "compress-force=zstd" ];
+ };
+
+ swapDevices = [ ];
+
+ services.btrfs.autoScrub.enable = true;
+
+ zramSwap.enable = true;
+
+
+ environment.systemPackages = [
+ config.disks-create
+ config.disks-format
+ config.disks-mount
+
+ diff-root
+ ];
+
+ systemd.services.save-root-snapshot = {
+ description = "save a snapshot of the initial root tree";
+ wantedBy = [ "sysinit.target" ];
+ requires = [ "-.mount" ];
+ after = [ "-.mount" ];
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+ serviceConfig.ExecStart = ''${save-root}/bin/save-root /run/initial-root'';
+ };
+ };
+
+ options.disks-create = with lib; mkOption rec {
+ type = types.package;
+ default = with pkgs; symlinkJoin {
+ name = "disks-create";
+ paths = [ (writeScriptBin default.name partitionsCreateScript) parted ];
+ };
+ };
+
+ options.disks-format = with lib; mkOption rec {
+ type = types.package;
+ default = with pkgs; symlinkJoin {
+ name = "disks-format";
+ paths = [ (writeScriptBin default.name partitionsFormatScript) cryptsetup lvm2 dosfstools e2fsprogs btrfs-progs ];
+ };
+ };
+
+ options.disks-mount = with lib; mkOption rec {
+ type = types.package;
+ default = with pkgs; symlinkJoin {
+ name = "disks-mount";
+ paths = [ (writeScriptBin default.name partitionsMountScript) cryptsetup lvm2 ];
+ };
+ };
+
+}
diff --git a/hardware/thinkpad/hardware.nix b/hardware/thinkpad/hardware.nix
new file mode 100644
index 0000000..5fe7a19
--- /dev/null
+++ b/hardware/thinkpad/hardware.nix
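Review bot: `isIso` is destructured in the module arguments on the first line of the hunk but never used, while `environment.systemPackages` installs `config.disks-create` and `config.disks-format` unconditionally — so the installed system carries on its PATH two wrappers that repartition the hard-coded `HDD` and run `cryptsetup -q luksFormat` on it, where `-q` skips the usual overwrite confirmation. If the argument was meant to gate those tools to the installer image, something like `environment.systemPackages = lib.optionals isIso [ config.disks-create config.disks-format config.disks-mount ] ++ [ diff-root ];` would do it; otherwise the unused argument should be dropped. Either way, a comment above `partitionsFormatScript` stating that it destroys all data on `HDD` without prompting would help the next reader.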
@@ -0,0 +1,55 @@
+{ config, lib, inputs, pkgs, modulesPath, ... }:
+let
+ powerMode = "schedutil";
+in
+{
+ imports = [
+ ./disks.nix
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "aesni_intel" "cryptd" ];
+ kernelModules = [ "i915" ];
+ };
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelModules = [ "kvm_intel" ];
+ extraModulePackages = [ ];
+ kernelParams = [ "net.ifnames=0" "biosdevname=0" "iomem=relaxed" "mitigations=off" ];
+ };
+
+ powerManagement.cpuFreqGovernor = powerMode;
+
+ services = {
+ xserver = {
+ videoDrivers = [ "intel" ];
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ synaptics = {
+ enable = true;
+ palmDetect = true;
+ twoFingerScroll = true;
+ minSpeed = "1.0";
+ maxSpeed = "1.12";
+ accelFactor = "0.01";
+ };
+ };
+ fstrim.enable = true;
+ tlp.enable = true;
+ };
+
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ opengl = {
+ enable = true;
+ driSupport = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+ };
+
+}
|
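Review bot: `kernelParams` in the `boot` block sets `mitigations=off` and `iomem=relaxed` with no comment explaining why. `mitigations=off` turns off the kernel's CPU side-channel mitigations (Spectre/Meltdown/MDS class) on a laptop that, per the `vaapiIntel` comment further down, runs Firefox/Chromium — untrusted JavaScript is precisely the workload those mitigations exist for — and it discards much of the benefit of `cpu.intel.updateMicrocode = true` in the same hunk. `iomem=relaxed` lets root reach arbitrary physical memory through `/dev/mem`, which is usually only wanted transiently for firmware-flashing tools. Suggest dropping both, or at least annotating them, e.g. `# mitigations=off / iomem=relaxed: <reason> — weakens side-channel and /dev/mem hardening; reconsider for daily use`.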