diff --git a/flake.lock b/flake.lock
index 9fabdc6..a3ed534 100644
--- a/flake.lock
+++ b/flake.lock
@@ -174,15 +174,16 @@
 "locked": {
 "lastModified": 1780203844,
 "narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
- "owner": "NixOS",
+ "owner": "nixos",
 "repo": "nixpkgs",
 "rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
 "type": "github"
 },
 "original": {
- "id": "nixpkgs",
+ "owner": "nixos",
 "ref": "nixos-26.05",
- "type": "indirect"
+ "repo": "nixpkgs",
+ "type": "github"
 }
 },
 "nixpkgs-unstable": {
diff --git a/flake.nix b/flake.nix
index fefc2b6..4823d75 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@
 inputs = {
 # Pinned stable channel; the single source of truth for every host.
- nixpkgs.url = "nixpkgs/nixos-26.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05";
 # Bleeding-edge channel, used only to pull individual packages via overlay.
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 # Home-manager release matched to the stable nixpkgs; `follows` keeps a single nixpkgs eval.
@@ -74,6 +74,7 @@
 # Shared scaffolding for every NixOS host: common user, settings, home-manager.
 baseModules = [
 ./lyrathorpe/user.nix
+ ./system/modules/common-nixos.nix
 commonModule
 home-manager.nixosModules.home-manager
 {
@@ -163,6 +164,7 @@
 fullName = "Lyra Thorpe";
 modules = [
 ./system/machine/MBP-Asahi/configuration.nix
+ ./system/modules/laptop.nix
 nixos-apple-silicon.nixosModules.default
 ./lyrathorpe/swaywm.nix
 ];
@@ -178,6 +180,7 @@
 fullName = "Lyra Thorpe";
 modules = [
 ./system/machine/X1/configuration.nix
+ ./system/modules/laptop.nix
 ./lyrathorpe/swaywm.nix
 ];
 homeModules = [
diff --git a/lyrathorpe/user.nix b/lyrathorpe/user.nix
index b8a677e..a0dbdc3 100644
--- a/lyrathorpe/user.nix
+++ b/lyrathorpe/user.nix
@@ -1,7 +1,6 @@
 {
 config,
 pkgs,
- inputs,
 lib,
 username,
 fullName,
diff --git a/system/machine/MBP-Asahi/configuration.nix b/system/machine/MBP-Asahi/configuration.nix
index 069696a..07bbb62 100644
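Review bot: The comment above the changed `nixpkgs.url` still reads only `# Pinned stable channel; the single source of truth for every host.` and does not record why the reference moved from the bare `nixpkgs/nixos-26.05` form to an explicit `github:` URL. The lock hunk shows the old entry was `"type": "indirect"`, i.e. resolved through the flake registry of whichever machine evaluates the flake, so a locally overridden registry could have pointed the "single source of truth" somewhere else; the explicit URL removes that indirection and the lock now records `owner`/`repo` directly. A line such as `# Explicit github: URL (not the registry id) so resolution does not depend on the evaluating host's flake registry.` would keep the next cleanup from "simplifying" it back.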
--- a/system/machine/MBP-Asahi/configuration.nix +++ b/system/machine/MBP-Asahi/configuration.nix 
@@ -1,94 +1,26 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: +# MacBook Pro (Apple Silicon, Asahi NixOS). Shared laptop options live in +# ../../modules/laptop.nix; only host-specific settings are here. +{ pkgs, ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; + # Asahi manages the EFI vars from macOS; do not touch them from NixOS. boot.loader.efi.canTouchEfiVariables = false; - networking.hostName = "Emma-Asahi"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.hostName = "Emma-Asahi"; - networking.wireless.iwd = { - enable = true; - settings.General.EnableNetworkConfiguration = true; - }; - - # Set your time zone. - time.timeZone = "Europe/London"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console = { - # font = "Lat2-Terminus16"; - keyMap = "dvorak"; - # useXkbConfig = true; # use xkb.options in tty. - }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - features.swayDesktop.enable = true; - - # Allow swaylock to authenticate (no fingerprint reader on this machine). + # No fingerprint reader on this machine; empty service still lets swaylock + # authenticate via password. 
security.pam.services.swaylock = { };
- # Specify path to peripheral firmware files.
+ # Apple peripheral firmware (Wi-Fi/Bluetooth). The directory is gitignored and
+ # populated out-of-band -- see README.
 hardware.asahi.peripheralFirmwareDirectory = ../../modules/firmware;
- # Configure keymap in X11
- # services.xserver.xkb.layout = "us";
- # services.xserver.xkb.options = "eurosign:e,caps:escape";
- # Enable CUPS to print documents.
- # services.printing.enable = true;
- # Enable sound.
- # services.pulseaudio.enable = true;
- # OR
- # services.pipewire = {
- # enable = true;
- # pulse.enable = true;
- # };
- # Enable touchpad support (enabled default in most desktopManager).
- # services.libinput.enable = true;
- # Define a user account. Don't forget to set a password with ‘passwd’.
- # users.users.alice = {
- # isNormalUser = true;
- # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- # packages = with pkgs; [
- # tree
- # ];
- # };
- # programs.firefox.enable = true;
- # List packages installed in system profile. To search, run:
- # $ nix search wget
 environment.systemPackages = with pkgs; [
- # wget
- git
 asahi-bless asahi-nvram asahi-btsync
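Review bot: The new comment on `hardware.asahi.peripheralFirmwareDirectory` says the directory is gitignored and populated out-of-band, but a Nix path literal like `../../modules/firmware` is resolved against the flake's source copy, and as far as I recall a flake evaluated from a git checkout only includes tracked files in that copy, so an untracked directory would be missing at evaluation time. The README reference should state how that is reconciled (force-added to git, symlinked, or resolved outside the flake) so the next person does not debug a "path does not exist" error; also worth noting that whatever is placed there ends up in the world-readable Nix store, which is fine for firmware blobs but rules out keeping anything sensitive alongside them. Suggested wording: `# Gitignored and populated out-of-band (see README for how it is made visible to the flake); contents are copied into the Nix store.` The hunk's enclosing attrset continues past this hunk.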
@@ -98,47 +30,6 @@
 iptables
 ];
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
- # List services that you want to enable:
- # Enable the OpenSSH daemon.
- # services.openssh.enable = true;
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- #system.copySystemConfiguration = true;
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
- # to actually do that.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "25.05"; # Did you read the comment?
-
+ # See `man configuration.nix` / the stateVersion docs before changing.
+ system.stateVersion = "25.05";
 }
diff --git a/system/machine/X1/configuration.nix b/system/machine/X1/configuration.nix
index ef1c8ea..bb31107 100644
--- a/system/machine/X1/configuration.nix
+++ b/system/machine/X1/configuration.nix
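Review bot: This hunk drops `networking.firewall.enable = false;` from the Asahi host without any replacement line in this file, so the host's firewall posture is now implied solely by `laptop.nix` being listed in its module set in flake.nix. That is the right direction, but nothing in this file records it, and if someone later trims the module list the host silently falls back to whatever the NixOS default is rather than an explicit decision; a one-liner next to the package list would make the posture reviewable in place: `# Firewall: enabled (default-deny inbound) by ../../modules/laptop.nix; this host opens no ports.` The `iptables` package left in `environment.systemPackages` is only a CLI and does not affect the firewall service either way, which is also worth saying so it is not mistaken for firewall configuration.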
@@ -1,134 +1,33 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: +# ThinkPad X1 (NixOS). Shared laptop options live in ../../modules/laptop.nix; +# only host-specific settings are here. +{ ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "X1-NixOS"; # Define your hostname. + networking.hostName = "X1-NixOS"; networking.domain = "client.cbg.emmaisvery.gay"; - features.swayDesktop.enable = true; - # Pick only one of the below networking options. - networking.wireless.iwd = { - enable = true; - settings.General.EnableNetworkConfiguration = true; - }; - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - # Set your time zone. - time.timeZone = "Europe/London"; + console.font = "Lat2-Terminus16"; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "dvorak"; - # useXkbConfig = true; # use xkb.options in tty. - }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. 
- # hardware.pulseaudio.enable = true; - # OR services.pipewire = { enable = true; pulse.enable = true; }; - # Enable touchpad support (enabled default in most desktopManager). - # services.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.alice = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # packages = with pkgs; [ - # tree - # ]; - # }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - fastfetch - # wget - ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. + # This host accepts SSH, so open 22 (the firewall itself is enabled in + # laptop.nix with a default-deny policy). services.openssh.enable = true; + networking.firewall.allowedTCPPorts = [ 22 ]; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - #system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. 
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
- # to actually do that.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.11"; # Did you read the comment?
-
- # TODO: Move to fprint security module to import anywhere
+ # Fingerprint reader: allow swaylock to authenticate via fprintd.
 services.fprintd.enable = true;
- security.pam.services.swaylock = {
- fprintAuth = true;
- };
+ security.pam.services.swaylock.fprintAuth = true;
+ # See `man configuration.nix` / the stateVersion docs before changing.
+ system.stateVersion = "24.11";
 }
diff --git a/system/modules/common-nixos.nix b/system/modules/common-nixos.nix
new file mode 100644
index 0000000..5c4a78d
--- /dev/null
+++ b/system/modules/common-nixos.nix
@@ -0,0 +1,15 @@
+# Options shared by every NixOS host (laptops and the WSL box). Imported via
+# baseModules in flake.nix. Host- and platform-specific settings stay in the
+# per-machine configs; laptop-only settings live in ./laptop.nix.
+{ pkgs, ... }:
+{
+ time.timeZone = "Europe/London";
+ i18n.defaultLocale = "en_GB.UTF-8";
+
+ # Minimal system-level CLI available before the home-manager profile loads
+ # (e.g. early boot / rescue). User-level tooling lives in home-manager.
+ environment.systemPackages = with pkgs; [
+ git
+ fastfetch
+ ];
+}
diff --git a/system/modules/laptop.nix b/system/modules/laptop.nix
new file mode 100644
index 0000000..38910c0
--- /dev/null
+++ b/system/modules/laptop.nix
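Review bot: `services.openssh.enable = true;` with `networking.firewall.allowedTCPPorts = [ 22 ];` turns on a network-reachable login service on a roaming laptop (Wi-Fi via iwd, per laptop.nix) but the hunk sets no authentication policy, and the NixOS default leaves password authentication on; unless it is hardened in a module not shown here, add key-only auth next to the enable line: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. If I recall correctly `services.openssh.openFirewall` defaults to true, so the explicit `allowedTCPPorts = [ 22 ]` duplicates what the module already does; either drop it or say in the comment that it is intentionally explicit so the open port is visible in this file. The comment should also name the reachable surface: `# sshd listens on all interfaces; key-only auth, port 22 opened explicitly for visibility.`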
@@ -0,0 +1,21 @@
+# Shared configuration for the physical NixOS laptops (X1, MBP-Asahi). Imported
+# from the host table in flake.nix. Platform-specific bits (bootloader EFI var
+# touching, firmware, audio, hostname, sshd) stay in the per-machine configs.
+{ ... }:
+{
+ boot.loader.systemd-boot.enable = true;
+
+ features.swayDesktop.enable = true;
+
+ console.keyMap = "dvorak";
+
+ # Wi-Fi via iwd with its built-in DHCP/network configuration.
+ networking.wireless.iwd = {
+ enable = true;
+ settings.General.EnableNetworkConfiguration = true;
+ };
+
+ # Default-deny inbound. Hosts that run a listening service open their own
+ # ports next to where the service is enabled (e.g. sshd -> 22 on X1).
+ networking.firewall.enable = true;
+}
diff --git a/system/modules/work/default.nix b/system/modules/work/default.nix
index cbefba8..936468e 100644
--- a/system/modules/work/default.nix
+++ b/system/modules/work/default.nix
@@ -1,10 +1,4 @@
-{
- config,
- pkgs,
- inputs,
- lib,
- ...
-}:
+{ pkgs, ... }:
 {
 programs.git = {
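Review bot: `boot.loader.systemd-boot.enable = true;` is now the shared bootloader setting for both laptops but leaves systemd-boot's boot-entry editor at its NixOS default (enabled), which lets anyone with the machine in hand append kernel parameters such as `init=/bin/sh` and get a root shell before any login; on physical laptops that is the threat model that matters, so pair it with `boot.loader.systemd-boot.editor = false;` and a comment `# Disable the boot-entry editor: physical access must not yield a root shell via kernel args.` (Secure Boot / disk encryption, if present, is not visible in this diff and would be the stronger complement.) The `networking.firewall.enable = true;` line restates the NixOS default; say so in its comment so a reader knows removing the line would not turn the firewall off, and consider moving the "hosts open their own ports" rule into that comment as a `lib.mkDefault`-free explicit policy rather than relying on convention.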