init2

2025-07-18 12:33:31 +08:00
parent cab865dff3
commit f21234790e
9 changed files with 307 additions and 58 deletions
@@ -2,5 +2,8 @@
 # These should be stuff you would like to share with others, not your personal configurations.
 {
  # List your module files here
-  # my-module = import ./my-module.nix;
+  important-defaults = import ./important-defaults.nix;
+  incus = import ./incus.nix;
+  orbstack = import ./orbstack.nix;
+  power-user-defaults = import ./power-user-defaults.nix;
 }
@@ -0,0 +1,108 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking = {
+    dhcpcd.enable = false;
+    useDHCP = false;
+    useHostResolvConf = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."50-eth0" = {
+      matchConfig.Name = "eth0";
+      networkConfig = {
+        DHCP = "ipv4";
+        IPv6AcceptRA = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  # Extra certificates from OrbStack.
+  security.pki.certificates = [
+    ''
+      -----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIEI80RYDANBgkqhkiG9w0BAQsFADA7MTkwNwYDVQQDEzBP
+S0JMIFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
+HhcNMjIxMDMxMDIzNjE1WhcNMzIxMTAxMDIzNjE1WjA7MTkwNwYDVQQDEzBPS0JM
+IFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzbHkHuA3SC3RWUJPo5mM+Wcgd
+tWhFuSbCWCiAmlVy7E6zUIv033I3eg9ZXZacoIJ7DlEVaXp1+DIuR0ZILq2IAp5q
+7wSanzE8Eq7Ka1NPwnhCpMu+YyzUwjGRw/hDYltsVqGpLHBchBwQ0itj7wJs+n9V
+/xEh2a6S/FPsJAStS60VZgQu+Bpd778e/ZlUCFGFl6Xk5zFIdzMQql6X48GWYLc5
+IhiKrFEss7UHpLZa/6PLj1F85phMen8sdrCXJUwSGZYjCOQjsQanFYuxpvQYO6zg
+NkbyL7JuMyAAg6ztD6CGKANFDBQsgDKqYUsRG0P5nmf9cnF4fumJ86QWfjvdAgMB
+AAGjgbcwgbQwHQYDVR0OBBYEFJshBkbb/ADo5cSCV3Mukp+Fb4VuMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIBpjAPBgNVHRMBAf8EBTADAQH/MDwG
+A1UdHwQ1MDMwMaAvoC2GK2h0dHBzOi8vMTAuMjU0LjMuNjM6ODQ0My8vQ0EvSkFN
+RkNSTFNlcnZsZXQwHwYDVR0jBBgwFoAUmyEGRtv8AOjlxIJXcy6Sn4VvhW4wDQYJ
+KoZIhvcNAQELBQADggEBAEgl30cuewET02r9lR+wRzRA2X4lW/oXQGFWROZhq9WX
+ACvuIco98OjrYLXuPhZGJoIgJCTaAfhHKNEFxeOzz7DXq3JTHX4Oige3GUVvtPtd
+Q7XDYY+T/Iz5MDGr9TjhPThlSHI94V/PyvkKOMuLw9gZuqWE2Je7xzKfI5wBqQ9d
+2aUamNfYTohnqqeQez8YdR+3/JMKOZwvI+8EtsvqlF7p//xl3dAAZZdzFNzo3PVg
+oqe2g+SRAI9id/uBks6V6dMn4d5kAJ5FOwqSFCSpEYmdd+KJpsOGfAcg2uFIlUpW
+KbKImVzBwC70WasJRFVKnXunraN3CpDVbO6pHtEaeIg=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjUCFHmjiAvwwHwuX9SFHpgT2mNKkH5hMA0GCSqGSIb3DQEBCwUAMGMx
+CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJCSjELMAkGA1UEBwwCQkoxDDAKBgNVBAoM
+A09LWDEsMCoGA1UEAwwjY29waWxvdC1wcm94eS5naXRodWJ1c2VyY29udGVudC5j
+b20wHhcNMjMwOTIyMDY1NjU3WhcNMzMwOTE5MDY1NjU3WjBjMQswCQYDVQQGEwJD
+TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQwwCgYDVQQKDANPS1gxLDAqBgNV
+BAMMI2NvcGlsb3QtcHJveHkuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2Mnc3xtrFed59qlCu6w92A9l3TpqRdp
+okIL0yIQIPOvbz5jr33PzedJADWrEiYZjKb0RQ55+slJSmjVoiTMHM2jkErnzNgj
+W9zUqri2hYAFC1qGt9gpVwbajESWKujOKiAPBO7f4/a60tfqtP72pMVEgbFzFCsS
+4dlbDWka26NnOg8VBv7Wy1qh13bqbIKtNl1xSdZwFaLP2VOuJ6xdVIlk9XX2Tm5T
+AxuSPWV4zali0OtlTvagW+t3avP1US9JZdgtPqwDSmraOL+S76vXUK7x+Sa/AGeW
+z7UgNtWc16XiZ7eM8CiJAFhhnEA3Y86P1nWU8DGs8Le/kZ7sxRxikQIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBAQBhmKeeqni2I0CPNqUeyJ7rc3ITXz5dM2FruNEpbLrr
+zHIjK/Za0NxriOyDyki+r+6CuvJNl+sYF7Vk54xGxI5oMJucFkNeUVpMA8HTQsfa
+IStxxdK8jS3DKEscxCmTyJ9oKuByxtJW/3qEyxlT2Vs/9M8T3/m4SWRjKmwJaVO0
+DqJS8+6maSfe00ImdfTe3KmY3x7LEIu8jedZFOAZRBZM8y6CSQv8IyzlpxzfgobE
+1P7ScY6yvCLX6YjRt6jtqDUE/a6pAXqISfwN9iAIhKYx3E5fZoM/iFcupux/TYuY
+46sRQL2aoTPcgmvw6Q1R7coBCzsOqHYy4tsuLvBZI0gN
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICDTCCAbKgAwIBAgIQXdgipWagnrE5GbbsxqP+iTAKBggqhkjOPQQDAjBmMR0w
+GwYDVQQKExRPcmJTdGFjayBEZXZlbG9wbWVudDEeMBwGA1UECwwVQ29udGFpbmVy
+cyAmIFNlcnZpY2VzMSUwIwYDVQQDExxPcmJTdGFjayBEZXZlbG9wbWVudCBSb290
+IENBMB4XDTI0MDEyMjA2Mzc1MVoXDTM0MDEyMjA2Mzc1MVowZjEdMBsGA1UEChMU
+T3JiU3RhY2sgRGV2ZWxvcG1lbnQxHjAcBgNVBAsMFUNvbnRhaW5lcnMgJiBTZXJ2
+aWNlczElMCMGA1UEAxMcT3JiU3RhY2sgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABCT9cwjy/POnei7TOctcgR0kbhv8oYEfxPJ5
+P4RK0iVUFc4EP4RPlJKuzrRmuhtrK/48dJNGEs5jAq9VNVQ1OrWjQjBAMA4GA1Ud
+DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTPqAXlBXQI8aNF
+gYNaF5C4oMRQhTAKBggqhkjOPQQDAgNJADBGAiEA0UYxacbX2sjQvZYj3Mz3vf0k
+HOzhJmEkHfzAzeamADwCIQDwz/zK5ZKW9XY4jdTv41opt76e9sNw7sYAfwMsd721
+gw==
+-----END CERTIFICATE-----
+
+    ''
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.05"; # Did you read the comment?
+} 
@@ -0,0 +1,12 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+# WARNING: THIS CONFIGURATION IS AUTOGENERATED AND WILL BE OVERWRITTEN AUTOMATICALLY
+
+{
+  networking.hostName = "nixos";
+} 
@@ -0,0 +1,67 @@
+# Generated by OrbStack.
+# This WILL be overwritten in the future. Make a copy and update the include
+# in configuration.nix if you want to keep your changes.
+
+{ lib, config, ... }:
+
+{
+  # Add OrbStack CLI tools to PATH
+  environment.shellInit = ''
+    . /opt/orbstack-guest/etc/profile-early
+
+    # add your customizations here
+
+    . /opt/orbstack-guest/etc/profile-late
+  '';
+
+  # Enable documentation
+  documentation.man.enable = true;
+  documentation.doc.enable = true;
+  documentation.info.enable = true;
+
+  # Disable systemd-resolved
+  services.resolved.enable = false;
+  environment.etc."resolv.conf".source = "/opt/orbstack-guest/etc/resolv.conf";
+
+  # Faster DHCP - OrbStack uses SLAAC exclusively
+  networking.dhcpcd.extraConfig = ''
+    noarp
+    noipv6
+  '';
+
+  # Disable sshd
+  services.openssh.enable = false;
+
+  # systemd
+  systemd.services."systemd-oomd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-userdbd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-udevd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-timesyncd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-timedated".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-portabled".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-nspawn@".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-machined".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-localed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-logind".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journald@".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journald".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journal-remote".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journal-upload".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-importd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-hostnamed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-homed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-networkd".serviceConfig.WatchdogSec = lib.mkIf config.systemd.network.enable 0;
+
+  # ssh config
+  programs.ssh.extraConfig = ''
+    Include /opt/orbstack-guest/etc/ssh_config
+  '';
+
+  # indicate builder support for emulated architectures
+  nix.settings.extra-platforms = [
+    "x86_64-linux"
+    "i686-linux"
+  ];
+
+  users.groups.orbstack.gid = 67278;
+} 
@@ -0,0 +1,77 @@
+# Power user optimizations and better defaults for NixOS
+{ config, pkgs, lib, ... }:
+
+{
+  # Enable flakes and new nix command by default
+  nix = {
+    settings = {
+      # Enable flakes and new nix command
+      experimental-features = [ "nix-command" "flakes" ];
+      
+      # Optimize builds
+      auto-optimise-store = true;
+      max-jobs = "auto";
+      cores = 0; # Use all available cores
+      
+      # Better substituters for faster downloads
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        "https://cache.garnix.io"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbCWZKkK1YDH9c6MCSM="
+      ];
+      
+      # Optimize networking
+      http-connections = 128;
+      max-substitution-jobs = 128;
+      
+      # Better compression
+      compress-build-log = true;
+      
+      # Security
+      require-sigs = true;
+      
+      # Keep build dependencies for debugging
+      keep-derivations = true;
+      keep-outputs = true;
+      
+      # Better sandbox
+      sandbox = true;
+      
+      # Trusted users for nix daemon
+      trusted-users = [ "root" "@wheel" ];
+    };
+    
+    # Automatic garbage collection
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+    
+    # Optimize store automatically
+    optimise = {
+      automatic = true;
+      dates = [ "03:45" ];
+    };
+    
+    # Nix registry for flakes
+    registry = {
+      nixpkgs.flake = lib.mkDefault {
+        type = "github";
+        owner = "NixOS";
+        repo = "nixpkgs";
+        ref = "nixos-unstable";
+      };
+    };
+    
+    # Nix path for backwards compatibility
+    nixPath = [
+      "nixpkgs=flake:nixpkgs"
+    ];
+  };
+}