init

2025-04-20 11:16:39 +08:00
commit 61a1651cf0
90 changed files with 3861 additions and 0 deletions
--- a/modules/nixos/adb.nix
+++ b/modules/nixos/adb.nix
@@ -0,0 +1,5 @@
+{ username, ... }:
+{
+  programs.adb.enable = true;
+  users.users.${username}.extraGroups = [ "adbusers" ];
+}
--- a/modules/nixos/core.nix
+++ b/modules/nixos/core.nix
@@ -0,0 +1,70 @@
+{ lib, ... }:
+{
+  programs = {
+    git.enable = true;
+    dconf.enable = true;
+    vim = {
+      defaultEditor = true;
+    };
+  };
+
+
+  # This setups a SSH server. Very important if you're setting up a headless system.
+  # Feel free to remove if you don't need it.
+  services.openssh = {
+    enable = true;
+    # Forbid root login through SSH.
+    # Use keys only. Remove if you want to SSH using password (not recommended)
+    settings = {
+      # permitRootLogin = "no";
+      # passwordAuthentication = false;
+    };
+  };
+
+
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = lib.mkDefault false;
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "zh_CN.UTF-8";
+    LC_IDENTIFICATION = "zh_CN.UTF-8";
+    LC_MEASUREMENT = "zh_CN.UTF-8";
+    LC_MONETARY = "zh_CN.UTF-8";
+    LC_NAME = "zh_CN.UTF-8";
+    LC_NUMERIC = "zh_CN.UTF-8";
+    LC_PAPER = "zh_CN.UTF-8";
+    LC_TELEPHONE = "zh_CN.UTF-8";
+    LC_TIME = "zh_CN.UTF-8";
+  };
+
+  time.timeZone = "Asia/Shanghai";
+
+  nix = {
+    settings = {
+      # Enable flakes and new 'nix' command
+      experimental-features = "nix-command flakes";
+      # Deduplicate and optimize nix store
+      auto-optimise-store = true;
+      substituters = [
+        "https://mirrors.ustc.edu.cn/nix-channels/store"
+        "https://nixos-cn.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        "nixos-cn.cachix.org-1:L0jEaL6w7kwQOPlLoCR3ADx+E3Q8SEFEcB9Jaibl0Xg="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+    gc = {
+      automatic = true;
+      dates = "daily";
+      options = "--delete-older-than 31d";
+    };
+  };
+}
--- a/modules/nixos/fonts/default.nix
+++ b/modules/nixos/fonts/default.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./fhs-fonts.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    twemoji-color-font
+  ];
+
+  # all fonts are linked to /nix/var/nix/profiles/system/sw/share/X11/fonts
+  fonts = {
+    # use fonts specified by user rather than default ones
+    enableDefaultFonts = false;
+    fontDir.enable = true;
+
+    fonts = with pkgs; [
+      # icon fonts
+      material-design-icons
+      font-awesome
+
+      # Noto 系列字体是 Google 主导的，名字的含义是「没有豆腐」q（no tofu），因为缺字时显示的方框或者方框被叫作 tofu
+      # Noto 系列字族名只支持英文，命名规则是 Noto + Sans 或 Serif + 文字名称。
+      # 其中汉字部分叫 Noto Sans/Serif CJK SC/TC/HK/JP/KR，最后一个词是地区变种。
+      noto-fonts # 大部分文字的常见样式，不包含汉字
+      noto-fonts-cjk # 汉字部分
+      noto-fonts-emoji # 彩色的表情符号字体
+      noto-fonts-extra # 提供额外的字重和宽度变种
+
+      # 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」，是由 Adobe + Google 共同开发的
+      source-sans # 无衬线字体，不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro，以及带字重的变体，加上 Source Sans 3 VF
+      source-serif # 衬线字体，不含汉字。字族名叫 Source Code Pro，以及带字重的变体
+      source-han-sans # 思源黑体
+      source-han-serif # 思源宋体
+
+      # nerdfonts
+      (nerdfonts.override {
+        fonts = [
+          # "FiraCode"
+          "JetBrainsMono"
+          # "Iosevka"
+        ];
+      })
+
+    ];
+  };
+}
--- a/modules/nixos/fonts/fhs-fonts.nix
+++ b/modules/nixos/fonts/fhs-fonts.nix
@@ -0,0 +1,33 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  ###################################################################################
+  #
+  #  Copy from https://github.com/NixOS/nixpkgs/issues/119433#issuecomment-1326957279
+  #  Mainly for flatpak
+  #    1. bindfs resolves all symlink,
+  #    2. allowing all fonts to be accessed at `/usr/share/fonts`
+  #    3. without letting /nix into the sandbox.
+  #
+  ###################################################################################
+
+  system.fsPackages = [pkgs.bindfs];
+  fileSystems = let
+    mkRoSymBind = path: {
+      device = path;
+      fsType = "fuse.bindfs";
+      options = ["ro" "resolve-symlinks" "x-gvfs-hide"];
+    };
+    aggregatedFonts = pkgs.buildEnv {
+      name = "system-fonts";
+      paths = config.fonts.fonts;
+      pathsToLink = ["/share/fonts"];
+    };
+  in {
+    # Create an FHS mount to support flatpak host icons/fonts
+    "/usr/share/icons" = mkRoSymBind (config.system.path + "/share/icons");
+    "/usr/share/fonts" = mkRoSymBind (aggregatedFonts + "/share/fonts");
+  };
+}
--- a/modules/nixos/gnome.nix
+++ b/modules/nixos/gnome.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+{
+  services.xserver = {
+    enable = true;
+    displayManager.gdm.enable = true;
+    desktopManager.gnome.enable = true;
+  };
+
+  environment = {
+    systemPackages = (with pkgs;[
+      gnome.gnome-tweaks
+    ]) ++ (with pkgs.gnomeExtensions;[
+      dash-to-dock
+      captivate # cap button indicator
+      appindicator # tray icon
+    ]);
+
+    gnome.excludePackages = (with pkgs; [
+      gnome-photos
+      gnome-tour
+      gnome-text-editor
+    ]) ++ (with pkgs.gnome; [
+      atomix # puzzle game
+      cheese # webcam tool
+      epiphany # web browser
+      # geary # email reader
+      evince # document viewer
+      gedit # text editor
+      gnome-contacts
+      gnome-maps
+      gnome-weather
+      gnome-music
+      gnome-characters
+      # gnome-terminal
+      hitori # sudoku game
+      iagno # go game
+      simple-scan
+      totem # video player
+      tali # poker game
+      yelp # help viewer
+    ]);
+  };
+}
+
+
+
+
--- a/modules/nixos/hyprland.nix
+++ b/modules/nixos/hyprland.nix
@@ -0,0 +1,7 @@
+{inputs, pkgs, ...}:{
+  # programs.hyprland = {
+  #   enable = true;
+  #   package = inputs.hyprland.packages.${pkgs.system}.hyprland;
+  # };
+  security.pam.services.swaylock = { };
+}
--- a/modules/nixos/nvidia.nix
+++ b/modules/nixos/nvidia.nix
@@ -0,0 +1,31 @@
+{config, ...}:
+{
+# Make sure opengl is enabled
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+
+  # Tell Xorg to use the nvidia driver (also valid for Wayland)
+  services.xserver.videoDrivers = ["nvidia"];
+
+  hardware.nvidia = {
+
+    # Modesetting is needed for most Wayland compositors
+    modesetting.enable = true;
+
+    # Use the open source version of the kernel module
+    # Only available on driver 515.43.04+
+    open = false;
+
+    # Enable the nvidia settings menu
+    nvidiaSettings = true;
+
+    powerManagement.enable = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+
+}
--- a/modules/nixos/samba.nix
+++ b/modules/nixos/samba.nix
@@ -0,0 +1,50 @@
+{ username, pkgs, ... }:
+{
+
+  services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
+  networking.firewall.allowedTCPPorts = [
+    5357 # wsdd
+  ];
+  networking.firewall.allowedUDPPorts = [
+    3702 # wsdd
+  ];
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    extraConfig = ''
+      workgroup = WORKGROUP
+      server string = smbnix
+      netbios name = smbnix
+      security = user 
+      #use sendfile = yes
+      #max protocol = smb2
+      # note: localhost is the ipv6 localhost ::1
+      hosts allow = 10.7.43. 127.0.0.1 localhost
+      hosts deny = 0.0.0.0/0
+      guest account = nobody
+      map to guest = bad user
+    '';
+    shares = {
+      tmp = {
+        path = "/home/alex/tmp";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "alex";
+        "force group" = "users";
+      };
+      inst = {
+        path = "/home/alex/inst";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "alex";
+        "force group" = "users";
+      };
+    };
+  };
+}
--- a/modules/nixos/user-group.nix
+++ b/modules/nixos/user-group.nix
@@ -0,0 +1,62 @@
+{ pkgs, username, ... }:
+
+{
+  nix.settings.trusted-users = [ username ];
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users = {
+    groups = {
+      docker = { };
+    };
+    users."${username}" = {
+      # the hashed password with salt is generated by run `mkpasswd`.
+      hashedPassword = "$y$j9T$inkrp6FuM46uoPFVrOlbz1$igJed6pECf4AENVaLT4mk.Q4z02MmxjWnGo.OVvCyC.";
+      home = "/home/${username}";
+      isNormalUser = true;
+      description = username;
+      extraGroups = [
+        "users"
+        "wheel"
+        "networkmanager"
+        "audio"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQOn+imHUzz7KvNYE1mBTjwhMZ0HMyVNwkc6p/6Qak0ejzdyx6mNk9AlKOZB1UQvniWBT8z//u/8DqMT9OL8X0VZmQQTTIpSnvuYRxkH6thkoX9c0umo9GrMGWZN3WIsD71dfiJLMagqPxX7HWgkONBFxJHmBUfP4CXLgLdZs7dUMBm5tILx09zWU7Ttv120NuFdPYENAg8hNka3hjBbXbnDQdp2Y8TPY2Dbcg3MnVZ6Q7LMfKUkVYIoDHEiN6ZAJQaYIU+f2PeNxCb5WqRo2AiZwuzJtQO0VARRIf8hAs5wnX3gU68sWBvLr7payeaYsAyD+C7I4EpyNA8TrwKotrmripv+y5hjHiG7fL97vZEzSfIJH2KEAg7ojGDBbcwAcBKGn4PjwaCdUM7MGm6hj7cMHJf/32rXyc4u7LUZxTjXS5/dKWhF+sCycbBASRlSW93jlnxoUY/zPK4IRnzaF0WL7kUxfBglfFf8UMSgAZNncESNr36hsWFKcFqKUto48= alex@zion.xzdcbj.com.cn"
+      ];
+    };
+  };
+
+  # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure`
+  security.sudo = {
+    # wheelNeedsPassword = false;
+    extraRules = [
+      {
+        users = [ username ];
+        commands =
+          [
+            {
+              command = "/run/current-system/sw/bin/nix-store";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "/run/current-system/sw/bin/nixos-rebuild";
+              options = [ "NOPASSWD" "SETENV" ];
+            }
+            {
+              command = "${pkgs.systemd}/bin/systemctl suspend";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "${pkgs.systemd}/bin/reboot";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "${pkgs.systemd}/bin/poweroff";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+      }
+    ];
+  };
+}
+  
--- a/modules/nixos/virtualize/android.nix
+++ b/modules/nixos/virtualize/android.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, lib, ... }:
+{
+  virtualisation.waydroid.enable = true; # need dns port
+  environment.systemPackages = [
+    pkgs.waydroid-script
+  ];
+}
--- a/modules/nixos/virtualize/appimage.nix
+++ b/modules/nixos/virtualize/appimage.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, lib, ... }: 
+{
+  config = {
+    environment.systemPackages = with pkgs; [
+      appimage-run
+    ];
+
+  };
+}
--- a/modules/nixos/virtualize/docker.nix
+++ b/modules/nixos/virtualize/docker.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, username, ... }:
+{
+  # Enable Docker
+  virtualisation.docker.enable = true;
+
+  # Enable Podman
+  # virtualisation.podman.enable = true;
+  #virtualisation.podman.dockerCompat = true; # Create a `docker` alias for podman, to use it as a drop-in replacement
+
+  users.users.${username}.extraGroups = lib.mkIf config.virtualisation.docker.enable [ "docker" ];
+}
--- a/modules/nixos/virtualize/libvirtd/default.nix
+++ b/modules/nixos/virtualize/libvirtd/default.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, username, ... }:
+{
+
+  imports = [
+    ./hooks.nix
+  ];
+  
+  config = {
+
+    # Ref: https://nixos.wiki/wiki/NixOps/Virtualization
+
+    boot = {
+      kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+      kernelParams = [ "intel_iommu=on" "iommu=pt" ];
+      # extraModprobeConfig = "options vfio-pci ids=8086:1901,10de:1b81,10de:10f0";
+    };
+    virtualisation.libvirtd = {
+      enable = true;
+      qemu = {
+        package = pkgs.qemu_kvm;
+        ovmf.enable = true;
+        ovmf.packages = [ pkgs.OVMFFull.fd ];
+        swtpm.enable = true;
+        runAsRoot = false;
+      };
+    };
+
+    # tpm
+    security.tpm2 = {
+      pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+      enable = true;
+      tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+    };
+
+    # Ref: https://nixos.wiki/wiki/Virt-manager
+
+    environment.systemPackages = with pkgs; [
+      virt-manager
+      virglrenderer
+      #virt-manager-qt
+    ];
+
+    users.users.${username}.extraGroups = lib.mkIf config.virtualisation.libvirtd.enable [ "libvirtd" "tss" ];
+  };
+}
--- a/modules/nixos/virtualize/libvirtd/hooks.nix
+++ b/modules/nixos/virtualize/libvirtd/hooks.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+  # Load Hooks for Libvirt
+  systemd.services.libvirtd.preStart = let
+    qemuHook = pkgs.writeScript "qemu-hook" ''
+      #!${pkgs.stdenv.shell}
+
+      GUEST_NAME="$1"
+      HOOK_NAME="$2"
+      STATE_NAME="$3"
+      MISC="$\{@:4}"
+
+      BASEDIR="$(dirname $0)"
+
+      HOOKPATH="$BASEDIR/qemu.d/$GUEST_NAME/$HOOK_NAME/$STATE_NAME"
+      set -e # If a script exits with an error, we should as well.
+
+      if [ -f "$HOOKPATH" ]; then
+      eval \""$HOOKPATH"\" "$@"
+      elif [ -d "$HOOKPATH" ]; then
+      while read file; do
+        eval \""$file"\" "$@"
+      done <<< "$(find -L "$HOOKPATH" -maxdepth 1 -type f -executable -print;)"
+      fi
+    '';
+  in ''
+    mkdir -p /var/lib/libvirt/hooks
+    chmod 755 /var/lib/libvirt/hooks
+
+    # Copy hook files
+    ln -sf ${qemuHook} /var/lib/libvirt/hooks/qemu
+    cp -rfT ${./qemu.d} /var/lib/libvirt/hooks/qemu.d
+
+    # Make executable
+    chmod -R +x /var/lib/libvirt/hooks/qemu.d/
+  '';
+}
--- a/modules/nixos/virtualize/libvirtd/qemu.d/win11/prepare/begin/start.sh
+++ b/modules/nixos/virtualize/libvirtd/qemu.d/win11/prepare/begin/start.sh
@@ -0,0 +1,44 @@
+#!/run/current-system/sw/bin/bash
+set -x
+
+# Xpad affects the work of the xbox controller and its wireless adapter
+# The xpad will shake hands with the handle/wireless adapter when it is plugged in. At this time, 
+# if you pass the usb device directly to the virtual machine, the xbox handle will not re-handshake with the root of windows,
+# which will eventually cause it to fail to work.
+# I can't find a way to make the usb device passthrough into the virtual machine from before/when it is plugged in,
+# so I suggest you disable this driver if you need to use the gamepad in virtual machine
+modprobe -r xpad
+
+# dGPU PCI slots
+pci_slot="01:00"
+
+# Determine whether the graphics card has been used by VFIO kernel modules
+if [ -z "$(lspci -k -s $pci_slot | grep vfio_pci)" ]; then
+    # Determine whether nvidia kernel modules has been loaded
+    lsmod_result=$(lsmod | grep nvidia)
+    if [ -n "$lsmod_result" ]; then
+        # Stop display manager
+        systemctl stop display-manager
+
+        sleep 2
+
+        # Unload NVIDIA kernel modules
+        modprobe -r nvidia_drm nvidia_modeset nvidia_uvm nvidia
+
+        # Unload AMD kernel module
+        # modprobe -r amdgpu
+    fi
+
+    # Detach GPU devices from host
+    # Use your GPU and HDMI Audio PCI host device
+    virsh nodedev-detach pci_0000_01_00_0
+    virsh nodedev-detach pci_0000_01_00_1
+
+    # Load vfio module
+    modprobe vfio_pci
+
+    if [ -n "$lsmod_result" ]; then
+        # Restart Display Manager
+        systemctl start display-manager
+    fi
+fi
--- a/modules/nixos/virtualize/libvirtd/qemu.d/win11/release/end/stop.sh
+++ b/modules/nixos/virtualize/libvirtd/qemu.d/win11/release/end/stop.sh
@@ -0,0 +1,13 @@
+#!/run/current-system/sw/bin/bash
+set -x
+
+# Load Xpad
+modprobe nvidia_drm nvidia_modeset nvidia_uvm nvidia xpad
+
+# Attach GPU devices to host
+# Use your GPU and HDMI Audio PCI host device
+virsh nodedev-reattach pci_0000_01_00_0
+virsh nodedev-reattach pci_0000_01_00_1
+
+# Unload vfio module
+modprobe -r vfio_pci
--- a/modules/nixos/virtualize/nixos-generators.nix
+++ b/modules/nixos/virtualize/nixos-generators.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, lib, ... }: 
+{
+  environment.systemPackages = with pkgs; [
+    nixos-generators
+  ];
+}
--- a/modules/nixos/virtualize/virtualbox.nix
+++ b/modules/nixos/virtualize/virtualbox.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }: 
+{
+  config = {
+    # Enable virtualbox
+    # Ref: https://nixos.wiki/wiki/Virtualbox
+    #virtualisation.virtualbox.host.enable = true;
+    #virtualisation.virtualbox.host.enableExtensionPack = true; //NOTE: this is unfree
+    #users.extraGroups.vboxusers.members = [ config.owner ];
+
+    environment.systemPackages = with pkgs; [
+      #linuxPackages_latest.virtualboxGuestAdditions
+    ];
+
+  };
+}
--- a/modules/nixos/virtualize/wine.nix
+++ b/modules/nixos/virtualize/wine.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }: 
+{
+  config = {
+    environment.systemPackages = with pkgs; [
+      ## [wine] see: https://nixos.wiki/wiki/Wine
+      #wineWowPackages.staging
+      #wineWowPackages.fonts
+      #winetricks
+    ];
+
+  };
+}
--- a/modules/nixos/zfs.nix
+++ b/modules/nixos/zfs.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+  boot = {
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+}