diff --git a/flake.nix b/flake.nix
index 0b8a8e0..c5f5435 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,5 @@
 {
- description = "Your new nix config";
+ description = "NixOS configuration for OrbStack virtual machine";
 inputs = {
 # Nixpkgs
@@ -24,10 +24,6 @@
 # Supported systems for your flake packages, shell, etc.
 systems = [
 "aarch64-linux"
- "i686-linux"
- "x86_64-linux"
- "aarch64-darwin"
- "x86_64-darwin"
 ];
 # This is a function that generates an attribute by calling a function you
 # pass to it, with each system as an argument
@@ -50,10 +46,10 @@
 homeManagerModules = import ./modules/home-manager;
 # NixOS configuration entrypoint
- # Available through 'nixos-rebuild --flake .#your-hostname'
+ # Available through 'nixos-rebuild --flake .#nixos'
 nixosConfigurations = {
- # FIXME replace with your hostname
- your-hostname = nixpkgs.lib.nixosSystem {
+ nixos = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
 specialArgs = {inherit inputs outputs;};
 modules = [
 # > Our main nixos configuration file <
@@ -66,8 +62,8 @@
 # Available through 'home-manager --flake .#your-username@your-hostname'
 homeConfigurations = {
 # FIXME replace with your username@hostname
- "your-username@your-hostname" = home-manager.lib.homeManagerConfiguration {
- pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+ "wongdingfeng@nixos" = home-manager.lib.homeManagerConfiguration {
+ pkgs = nixpkgs.legacyPackages.aarch64-linux; # Home-manager requires 'pkgs' instance
 extraSpecialArgs = {inherit inputs outputs;};
 modules = [
 # > Our main home-manager configuration file <
diff --git a/home-manager/home.nix b/home-manager/home.nix
index 7aa567f..934d417 100644
--- a/home-manager/home.nix
+++ b/home-manager/home.nix
@@ -47,8 +47,8 @@
 # TODO: Set your username
 home = {
- username = "your-username";
- homeDirectory = "/home/your-username";
+ username = "wongdingfeng";
+ homeDirectory = "/home/wongdingfeng";
 };
 # Add stuff for your user as you see fit:
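Review bot: The `# FIXME replace with your username@hostname` context line directly above the renamed `"wongdingfeng@nixos"` entry is now stale, as is the `# Available through 'home-manager --flake .#your-username@your-hostname'` line a few lines earlier in the same hunk, which still names the placeholder that this hunk replaces. Either drop the FIXME or update both comments to the real name, e.g. `# Available through 'home-manager --flake .#wongdingfeng@nixos'`. The earlier nixosConfigurations hunk did the equivalent update for `.#nixos`, so this one is the odd one out.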
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 8605069..5e75405 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,5 +2,8 @@
 # These should be stuff you would like to share with others, not your personal configurations.
 {
 # List your module files here
- # my-module = import ./my-module.nix;
+ important-defaults = import ./important-defaults.nix;
+ incus = import ./incus.nix;
+ orbstack = import ./orbstack.nix;
+ power-user-defaults = import ./power-user-defaults.nix;
 }
diff --git a/modules/nixos/important-defaults.nix b/modules/nixos/important-defaults.nix
new file mode 100644
index 0000000..a1deb36
--- /dev/null
+++ b/modules/nixos/important-defaults.nix
@@ -0,0 +1,108 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ networking = {
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useHostResolvConf = false;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."50-eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = true;
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+
+ # Extra certificates from OrbStack.
+ security.pki.certificates = [
+ ''
+ -----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIEI80RYDANBgkqhkiG9w0BAQsFADA7MTkwNwYDVQQDEzBP
+S0JMIFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
+HhcNMjIxMDMxMDIzNjE1WhcNMzIxMTAxMDIzNjE1WjA7MTkwNwYDVQQDEzBPS0JM
+IFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzbHkHuA3SC3RWUJPo5mM+Wcgd
+tWhFuSbCWCiAmlVy7E6zUIv033I3eg9ZXZacoIJ7DlEVaXp1+DIuR0ZILq2IAp5q
+7wSanzE8Eq7Ka1NPwnhCpMu+YyzUwjGRw/hDYltsVqGpLHBchBwQ0itj7wJs+n9V
+/xEh2a6S/FPsJAStS60VZgQu+Bpd778e/ZlUCFGFl6Xk5zFIdzMQql6X48GWYLc5
+IhiKrFEss7UHpLZa/6PLj1F85phMen8sdrCXJUwSGZYjCOQjsQanFYuxpvQYO6zg
+NkbyL7JuMyAAg6ztD6CGKANFDBQsgDKqYUsRG0P5nmf9cnF4fumJ86QWfjvdAgMB
+AAGjgbcwgbQwHQYDVR0OBBYEFJshBkbb/ADo5cSCV3Mukp+Fb4VuMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIBpjAPBgNVHRMBAf8EBTADAQH/MDwG
+A1UdHwQ1MDMwMaAvoC2GK2h0dHBzOi8vMTAuMjU0LjMuNjM6ODQ0My8vQ0EvSkFN
+RkNSTFNlcnZsZXQwHwYDVR0jBBgwFoAUmyEGRtv8AOjlxIJXcy6Sn4VvhW4wDQYJ
+KoZIhvcNAQELBQADggEBAEgl30cuewET02r9lR+wRzRA2X4lW/oXQGFWROZhq9WX
+ACvuIco98OjrYLXuPhZGJoIgJCTaAfhHKNEFxeOzz7DXq3JTHX4Oige3GUVvtPtd
+Q7XDYY+T/Iz5MDGr9TjhPThlSHI94V/PyvkKOMuLw9gZuqWE2Je7xzKfI5wBqQ9d
+2aUamNfYTohnqqeQez8YdR+3/JMKOZwvI+8EtsvqlF7p//xl3dAAZZdzFNzo3PVg
+oqe2g+SRAI9id/uBks6V6dMn4d5kAJ5FOwqSFCSpEYmdd+KJpsOGfAcg2uFIlUpW
+KbKImVzBwC70WasJRFVKnXunraN3CpDVbO6pHtEaeIg=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjUCFHmjiAvwwHwuX9SFHpgT2mNKkH5hMA0GCSqGSIb3DQEBCwUAMGMx
+CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJCSjELMAkGA1UEBwwCQkoxDDAKBgNVBAoM
+A09LWDEsMCoGA1UEAwwjY29waWxvdC1wcm94eS5naXRodWJ1c2VyY29udGVudC5j
+b20wHhcNMjMwOTIyMDY1NjU3WhcNMzMwOTE5MDY1NjU3WjBjMQswCQYDVQQGEwJD
+TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQwwCgYDVQQKDANPS1gxLDAqBgNV
+BAMMI2NvcGlsb3QtcHJveHkuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2Mnc3xtrFed59qlCu6w92A9l3TpqRdp
+okIL0yIQIPOvbz5jr33PzedJADWrEiYZjKb0RQ55+slJSmjVoiTMHM2jkErnzNgj
+W9zUqri2hYAFC1qGt9gpVwbajESWKujOKiAPBO7f4/a60tfqtP72pMVEgbFzFCsS
+4dlbDWka26NnOg8VBv7Wy1qh13bqbIKtNl1xSdZwFaLP2VOuJ6xdVIlk9XX2Tm5T
+AxuSPWV4zali0OtlTvagW+t3avP1US9JZdgtPqwDSmraOL+S76vXUK7x+Sa/AGeW
+z7UgNtWc16XiZ7eM8CiJAFhhnEA3Y86P1nWU8DGs8Le/kZ7sxRxikQIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBAQBhmKeeqni2I0CPNqUeyJ7rc3ITXz5dM2FruNEpbLrr
+zHIjK/Za0NxriOyDyki+r+6CuvJNl+sYF7Vk54xGxI5oMJucFkNeUVpMA8HTQsfa
+IStxxdK8jS3DKEscxCmTyJ9oKuByxtJW/3qEyxlT2Vs/9M8T3/m4SWRjKmwJaVO0
+DqJS8+6maSfe00ImdfTe3KmY3x7LEIu8jedZFOAZRBZM8y6CSQv8IyzlpxzfgobE
+1P7ScY6yvCLX6YjRt6jtqDUE/a6pAXqISfwN9iAIhKYx3E5fZoM/iFcupux/TYuY
+46sRQL2aoTPcgmvw6Q1R7coBCzsOqHYy4tsuLvBZI0gN
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICDTCCAbKgAwIBAgIQXdgipWagnrE5GbbsxqP+iTAKBggqhkjOPQQDAjBmMR0w
+GwYDVQQKExRPcmJTdGFjayBEZXZlbG9wbWVudDEeMBwGA1UECwwVQ29udGFpbmVy
+cyAmIFNlcnZpY2VzMSUwIwYDVQQDExxPcmJTdGFjayBEZXZlbG9wbWVudCBSb290
+IENBMB4XDTI0MDEyMjA2Mzc1MVoXDTM0MDEyMjA2Mzc1MVowZjEdMBsGA1UEChMU
+T3JiU3RhY2sgRGV2ZWxvcG1lbnQxHjAcBgNVBAsMFUNvbnRhaW5lcnMgJiBTZXJ2
+aWNlczElMCMGA1UEAxMcT3JiU3RhY2sgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABCT9cwjy/POnei7TOctcgR0kbhv8oYEfxPJ5
+P4RK0iVUFc4EP4RPlJKuzrRmuhtrK/48dJNGEs5jAq9VNVQ1OrWjQjBAMA4GA1Ud
+DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTPqAXlBXQI8aNF
+gYNaF5C4oMRQhTAKBggqhkjOPQQDAgNJADBGAiEA0UYxacbX2sjQvZYj3Mz3vf0k
+HOzhJmEkHfzAzeamADwCIQDwz/zK5ZKW9XY4jdTv41opt76e9sNw7sYAfwMsd721
+gw==
+-----END CERTIFICATE-----
+
+ ''
+ ];
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
\ No newline at end of file
diff --git a/modules/nixos/incus.nix b/modules/nixos/incus.nix
new file mode 100644
index 0000000..b29a713
--- /dev/null
+++ b/modules/nixos/incus.nix
@@ -0,0 +1,12 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+
+# WARNING: THIS CONFIGURATION IS AUTOGENERATED AND WILL BE OVERWRITTEN AUTOMATICALLY
+
+{
+ networking.hostName = "nixos";
+}
\ No newline at end of file
diff --git a/modules/nixos/orbstack.nix b/modules/nixos/orbstack.nix
new file mode 100644
index 0000000..9c98ef4
--- /dev/null
+++ b/modules/nixos/orbstack.nix
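Review bot: `security.pki.certificates` installs three certificates into the system-wide trust store, but the only documentation is `# Extra certificates from OrbStack.`, and only the third one (its subject appears to decode to "OrbStack Development Root CA") looks like OrbStack's; the first two appear to decode to a third-party "JSS Built-in Certificate Authority" and a self-issued certificate for copilot-proxy.githubusercontent.com, which look like a workstation's MDM/proxy roots rather than anything OrbStack ships. A root trusted here can vouch for any host this VM connects to, so each entry deserves its own comment naming where it came from, why it needs system-wide trust, and its fingerprint as computed at import time, e.g. `# <ISSUER-PLACEHOLDER> root, SHA-256 <FINGERPRINT-PLACEHOLDER>; required for the host proxy's TLS interception`. modules/nixos/default.nix describes this directory as "stuff you would like to share with others, not your personal configurations"; these site-specific trust roots, like the per-machine `system.stateVersion = "25.05";` beneath them, belong in nixos/configuration.nix rather than in an exported module.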
@@ -0,0 +1,67 @@
+# Generated by OrbStack.
+# This WILL be overwritten in the future. Make a copy and update the include
+# in configuration.nix if you want to keep your changes.
+
+{ lib, config, ... }:
+
+{
+ # Add OrbStack CLI tools to PATH
+ environment.shellInit = ''
+ . /opt/orbstack-guest/etc/profile-early
+
+ # add your customizations here
+
+ . /opt/orbstack-guest/etc/profile-late
+ '';
+
+ # Enable documentation
+ documentation.man.enable = true;
+ documentation.doc.enable = true;
+ documentation.info.enable = true;
+
+ # Disable systemd-resolved
+ services.resolved.enable = false;
+ environment.etc."resolv.conf".source = "/opt/orbstack-guest/etc/resolv.conf";
+
+ # Faster DHCP - OrbStack uses SLAAC exclusively
+ networking.dhcpcd.extraConfig = ''
+ noarp
+ noipv6
+ '';
+
+ # Disable sshd
+ services.openssh.enable = false;
+
+ # systemd
+ systemd.services."systemd-oomd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-userdbd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-udevd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-timesyncd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-timedated".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-portabled".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-nspawn@".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-machined".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-localed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-logind".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journald@".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journald".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journal-remote".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journal-upload".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-importd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-hostnamed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-homed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-networkd".serviceConfig.WatchdogSec = lib.mkIf config.systemd.network.enable 0;
+
+ # ssh config
+ programs.ssh.extraConfig = ''
+ Include /opt/orbstack-guest/etc/ssh_config
+ '';
+
+ # indicate builder support for emulated architectures
+ nix.settings.extra-platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+
+ users.groups.orbstack.gid = 67278;
+}
\ No newline at end of file
diff --git a/modules/nixos/power-user-defaults.nix b/modules/nixos/power-user-defaults.nix
new file mode 100644
index 0000000..3510eef
--- /dev/null
+++ b/modules/nixos/power-user-defaults.nix
@@ -0,0 +1,77 @@
+# Power user optimizations and better defaults for NixOS
+{ config, pkgs, lib, ... }:
+
+{
+ # Enable flakes and new nix command by default
+ nix = {
+ settings = {
+ # Enable flakes and new nix command
+ experimental-features = [ "nix-command" "flakes" ];
+
+ # Optimize builds
+ auto-optimise-store = true;
+ max-jobs = "auto";
+ cores = 0; # Use all available cores
+
+ # Better substituters for faster downloads
+ substituters = [
+ "https://cache.nixos.org/"
+ "https://nix-community.cachix.org"
+ "https://cache.garnix.io"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbCWZKkK1YDH9c6MCSM="
+ ];
+
+ # Optimize networking
+ http-connections = 128;
+ max-substitution-jobs = 128;
+
+ # Better compression
+ compress-build-log = true;
+
+ # Security
+ require-sigs = true;
+
+ # Keep build dependencies for debugging
+ keep-derivations = true;
+ keep-outputs = true;
+
+ # Better sandbox
+ sandbox = true;
+
+ # Trusted users for nix daemon
+ trusted-users = [ "root" "@wheel" ];
+ };
+
+ # Automatic garbage collection
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ # Optimize store automatically
+ optimise = {
+ automatic = true;
+ dates = [ "03:45" ];
+ };
+
+ # Nix registry for flakes
+ registry = {
+ nixpkgs.flake = lib.mkDefault {
+ type = "github";
+ owner = "NixOS";
+ repo = "nixpkgs";
+ ref = "nixos-unstable";
+ };
+ };
+
+ # Nix path for backwards compatibility
+ nixPath = [
+ "nixpkgs=flake:nixpkgs"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 3b4ca08..115f25a 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
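Review bot: `trusted-users = [ "root" "@wheel" ];` in a module that modules/nixos/default.nix presents as shareable quietly grants every wheel member root-equivalent control of the Nix daemon — a trusted user may override any daemon setting, including the `substituters` and `require-sigs = true;` this same block tightens, and import unsigned store paths — so the `# Trusted users for nix daemon` comment should state that, e.g. `# Trusted users can override any daemon setting and import unsigned paths (root-equivalent); keep this list minimal.`. On the host in this commit wheel already gets passwordless sudo in nixos/configuration.nix, so the practical exposure there is unchanged, but a consumer of the exported module would not expect it. Separately, `nix.registry.nixpkgs.flake` takes a flake value such as `inputs.nixpkgs` (the NixOS module derives `to` from its `outPath`), not a `{ type; owner; repo; ref; }` reference; that shape belongs under `nixpkgs.to = { ... };`, and I suspect the `lib.mkDefault` is only surviving evaluation here because configuration.nix's own registry mapping overrides it.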
@@ -6,22 +6,22 @@
 lib,
 config,
 pkgs,
+ modulesPath,
 ...
 }: {
- # You can import other NixOS modules here
+ # Import modules including LXC container support
 imports = [
- # If you want to use modules your own flake exports (from modules/nixos):
- # outputs.nixosModules.example
-
- # Or modules from other flakes (such as nixos-hardware):
- # inputs.hardware.nixosModules.common-cpu-amd
- # inputs.hardware.nixosModules.common-ssd
-
- # You can also split up your configuration and import pieces of it here:
- # ./users.nix
-
+ # Include the default lxd configuration.
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ # Import your generated (nixos-generate-config) hardware configuration
 ./hardware-configuration.nix
+
+ # Import our custom modules
+ outputs.nixosModules.important-defaults
+ outputs.nixosModules.incus
+ outputs.nixosModules.orbstack
+ outputs.nixosModules.power-user-defaults
 ];
 nixpkgs = {
@@ -68,41 +68,27 @@
 nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
 };
- # FIXME: Add the rest of your current configuration
+ # User configuration
+ users.users.wongdingfeng = {
+ uid = 502;
+ extraGroups = [ "wheel" "orbstack" ];
- # TODO: Set your hostname
- networking.hostName = "your-hostname";
-
- # TODO: Configure your system-wide user settings (groups, etc), add more users as needed.
- users.users = {
- # FIXME: Replace with your username
- your-username = {
- # TODO: You can set an initial password for your user.
- # If you do, you can skip setting a root password by passing '--no-root-passwd' to nixos-install.
- # Be sure to change it (using passwd) after rebooting!
- initialPassword = "correcthorsebatterystaple";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
- ];
- # TODO: Be sure to add any other groups you need (such as networkmanager, audio, docker, etc)
- extraGroups = ["wheel"];
- };
+ # simulate isNormalUser, but with an arbitrary UID
+ isSystemUser = true;
+ group = "users";
+ createHome = true;
+ home = "/home/wongdingfeng";
+ homeMode = "700";
+ useDefaultShell = true;
 };
- # This setups a SSH server. Very important if you're setting up a headless system.
- # Feel free to remove if you don't need it.
- services.openssh = {
- enable = true;
- settings = {
- # Opinionated: forbid root login through SSH.
- PermitRootLogin = "no";
- # Opinionated: use keys only.
- # Remove if you want to SSH using passwords
- PasswordAuthentication = false;
- };
- };
+ security.sudo.wheelNeedsPassword = false;
- # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
- system.stateVersion = "23.05";
+ # This being `true` leads to a few nasty bugs, change at your own risk!
+ users.mutableUsers = false;
+
+ time.timeZone = "Asia/Singapore";
+
+ # System packages are now handled in power-user-defaults.nix
+ # environment.systemPackages is defined there with a comprehensive list
 }
diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix
index 1c4b000..26d5527 100644
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@@ -8,5 +8,5 @@
 };
 # Set your system kind (needed for flakes)
- nixpkgs.hostPlatform = "x86_64-linux";
+ nixpkgs.hostPlatform = "aarch64-linux";
 }
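Review bot: The closing comment `# System packages are now handled in power-user-defaults.nix` / `# environment.systemPackages is defined there with a comprehensive list` is wrong as of this commit: modules/nixos/power-user-defaults.nix, added in this same diff, sets only `nix.*` options and never defines `environment.systemPackages`, so either drop the comment or actually move the package list there. On the credential side, `users.mutableUsers = false;` combined with no `hashedPassword`/`initialPassword` on `users.users.wongdingfeng` leaves the account with no password at all, and `security.sudo.wheelNeedsPassword = false;` (with sshd removed here and disabled again in orbstack.nix) means whoever reaches a shell as this user is root with no further credential. That is a defensible choice for a single-user dev VM reached only through OrbStack's host integration, but it should be written down where the sudo line is, e.g. `# Single-user dev VM reached only via OrbStack; no password and passwordless sudo by design.`. Whether the uid 502 / `isSystemUser = true;` arrangement is what OrbStack expects I cannot tell from here — worth a one-line comment citing where that requirement comes from.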