init

2025-12-11 17:17:21 +01:00
commit 3add673455
43 changed files with 2799 additions and 0 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -0,0 +1,316 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.resumeDevice = "/dev/mapper/luksroot";
+  # Pin Linux kernel to 6.12
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
+
+  boot.extraModprobeConfig = ''
+    options mt7921_common disable_clc=1
+    options atkbd reset=1 softrepeat=1
+    options i8042 nomux=1 reset=1 nopnp=1 kbdreset=1 direct=1 dumbkbd=1
+  '';
+
+  # Kernel parameters for power saving
+    boot.kernelParams = [
+      # CRITICAL FIX: Disable ACPI for i8042 (ASUS BIOS bug workaround)
+      "i8042.noacpi"                         # Disable buggy ASUS ACPI keyboard controller
+      "i8042.reset=1"                        # Force reset i8042
+      "i8042.nomux=1"                        # No multiplexing
+      "i8042.nopnp=1"                        # Ignore PnP detection
+      "atkbd.softrepeat=1"                   # Software key repeat
+      "amd_pstate=active"                    # Use AMD P-State driver for better power management
+      "amd_pstate.shared_mem=1"
+      "pcie_aspm.policy=powersupersave"      # Aggressive PCIe power management
+      "amdgpu.gpu_recovery=1"                # Enable automatic GPU recovery
+      #"amdgpu.runpm=0"                      # Disable runtime PM (major hang cause)
+      ###"amdgpu.dcdebugmask=0x400" 
+      #"amdgpu.dcdebugmask=0x10"             # Disable PSR (panel self-refresh)
+    #"amdgpu.ppfeaturemask=0xf7fff"        # Disable GFXOFF
+  ]; 
+
+  # Disable TPM
+  systemd.tpm2.enable = false;
+  boot.initrd.systemd.tpm2.enable = false;
+
+  #swapDevices = [{ file = "/swap/swapfile"; }];
+
+  # Override btrfs mount options from hardware-configuration.nix
+  fileSystems."/" = {
+    options = [ "subvol=@" "compress=zstd" "space_cache=v2" "noatime"
+  "autodefrag" "ssd" "discard=async" ];
+  };
+
+  fileSystems."/home" = {
+    options = [ "subvol=@home" "compress=zstd" "space_cache=v2" "noatime"
+   "autodefrag" "ssd" "discard=async" ];
+  };
+
+  fileSystems."/var/log" = {
+    options = [ "subvol=@log" "compress=zstd" "space_cache=v2" "noatime"
+  "autodefrag" "ssd" "discard=async" ];
+  };
+
+  fileSystems."/swap" = {
+    options = [ "subvol=@swap" "noatime" "ssd" "discard=async" ];
+  };
+
+  # Enable NetworkManager and set network host name
+  networking.networkmanager.enable = true;
+  networking.hostName = "lusia-laptop";
+
+  # NetworkManager power saving for WiFi
+  networking.networkmanager.wifi.powersave = true;
+
+  # Enable Tailscale
+  services.tailscale.enable = true;
+
+  # Trust the Tailscale interface
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
+  # Disable reverse path filtering for Tailscale                                                                                                 ╎│
+  boot.kernel.sysctl."net.ipv4.conf.tailscale0.rp_filter" = 0; 
+
+  # Enable resolved
+  services.resolved.enable = true;
+
+  # OpenVPN services
+  # VSTech VPN (with DNS for bgs.local domain)
+  services.openvpn.servers.vstech = {
+    config = ''
+      client
+      remote 51.83.143.81
+      proto udp
+      port 649
+      dev tun
+      topology subnet
+      ca /home/lusia/VSTech-vpn/ca.crt
+      cert /home/lusia/VSTech-vpn/Klient251.crt
+      key /home/lusia/VSTech-vpn/Klient251.key
+      tls-crypt /home/lusia/VSTech-vpn/ta.key
+
+      auth sha512
+      data-ciphers aes-256-cbc
+      data-ciphers-fallback aes-256-cbc
+      key-direction 1
+      keepalive 10 120
+    '';
+    updateResolvConf = false;
+
+    # Manually set DNS after connection
+    up = ''
+      ${pkgs.systemd}/bin/resolvectl dns $dev 10.10.10.1
+      ${pkgs.systemd}/bin/resolvectl domain $dev bgs.local
+    '';
+
+    down = ''
+      ${pkgs.systemd}/bin/resolvectl revert $dev
+    '';
+  }; 
+
+  # CAT VPN
+  services.openvpn.servers.cat = {
+    config = ''
+      client
+      remote 79.133.193.211
+      proto tcp
+      port 1194
+      dev tun
+      topology subnet
+      ca /home/lusia/vpn/ca.crt
+      cert /home/lusia/vpn/client18.crt
+      key /home/lusia/vpn/client18.key
+
+      auth sha256
+      data-ciphers AES-256-CBC
+      key-direction 1
+    '';
+    updateResolvConf = true;
+  };
+
+  # Enable upower service
+  services.upower.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Warsaw";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    keyMap = "pl";
+  };
+
+  # Enable niri
+  # programs.niri.enable = true;
+
+  # Enable fish
+  programs.fish.enable = true;
+
+  # Enable greetd with tuigreet
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
+        user = "greeter";
+      };
+    };
+  };
+
+  # Essential for niri
+  security.polkit.enable = true;
+  services.gnome.gnome-keyring.enable = true;
+
+  # XDG Portal for file pickers or screen sharing
+  xdg.portal = {
+    enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk
+                     pkgs.xdg-desktop-portal-gnome ];
+    config = {
+      common = {
+        default = [ "gtk" ];
+        "org.freedesktop.impl.portal.ScreenCast" = [ "gnome" ];
+        "org.freedesktop.impl.portal.Screenshot" = [ "gnome" ];
+      };
+    };
+  };
+
+  # Enable dconf
+  programs.dconf.enable = true;
+
+  users.users.lusia = {
+    isNormalUser = true;
+    description = "Lukrecja";
+    extraGroups = [ "wheel" "networkmanager" "docker" ];
+    initialPassword = "pass";
+    shell = pkgs.fish;
+  };
+
+  hardware.enableAllFirmware = true;
+  services.openssh.enable = true;
+  security.sudo.enable = true;
+
+  # Enable xwayland
+  programs.xwayland.enable = true;
+
+  # Set a session variable for icon theme
+  environment.sessionVariables = rec {
+    QT_QPA_PLATFORMTHEME = "qt5ct";
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    curl
+    wget
+    vim
+    fish
+    kitty
+    #asusctl
+    powertop  # For monitoring power consumption
+    openvpn
+    nodejs
+    gnumake
+    gcc
+    cmake
+    xwayland-satellite
+    busybox
+    libdecor
+    file
+    cifs-utils
+    samba
+    gvfs
+  ];
+
+  # Fonts
+  fonts.packages = with pkgs; [
+    noto-fonts
+    noto-fonts-cjk-sans
+    noto-fonts-color-emoji
+    pkgs.nerd-fonts.fira-code
+  ];
+
+  # For SMB shares
+  services.gvfs.enable = true;
+
+  # Printers
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [
+      cups-filters
+      cups-browsed
+    ];
+  };
+
+  # Enable Flatpaks
+  services.flatpak.enable = true;
+
+  # Enable Docker
+  virtualisation.docker.enable = true;
+  virtualisation.docker.storageDriver = "btrfs";
+
+  nixpkgs.config.allowUnfree = true;
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Enable Bluetooth (but it will be blocked by default to save power)
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = false;  # Don't power on bluetooth at boot
+ 
+  # Enable OpenTabletDriver
+  hardware.opentabletdriver.enable = true;
+  hardware.uinput.enable = true;
+  boot.kernelModules = [ "uinput" ];
+
+  # Enable PPD for power options
+  services.power-profiles-daemon.enable = true;
+
+  # Enable AMD GPU graphics acceleration
+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;  # For 32-bit applications/games
+  };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
--- a/nixos/flake.lock
+++ b/nixos/flake.lock
@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1765461410,
+        "narHash": "sha256-AVZ1y5tfTGqf5zJx6uY52KHN2pP9gGF9RMQ3meBVKIg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "7b34e428f31ce52baabda53e52bf14002e1c0625",
+        "type": "github"
+      },
+      "original": {
+        "id": "home-manager",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1764950072,
+        "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f61125a668a320878494449750330ca58b78c557",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765311797,
+        "narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -0,0 +1,18 @@
+{
+  description = "NixOS configuration";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+  };
+
+  outputs = inputs@{ nixpkgs, home-manager, ... }: {
+    nixosConfigurations = {
+      lusia-laptop = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./configuration.nix
+        ];
+      };
+    };
+  };  
+}
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f240d6d8-b1e2-418d-96ed-9b9c11ab4ea9";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+  boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/a5725fbc-c25f-4e29-aa8d-3808b85ee586";
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/f240d6d8-b1e2-418d-96ed-9b9c11ab4ea9";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/var/log" =
+    { device = "/dev/disk/by-uuid/f240d6d8-b1e2-418d-96ed-9b9c11ab4ea9";
+      fsType = "btrfs";
+      options = [ "subvol=@log" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/532C-C315";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/swap" =
+    { device = "/dev/disk/by-uuid/f240d6d8-b1e2-418d-96ed-9b9c11ab4ea9";
+      fsType = "btrfs";
+      options = [ "subvol=@swap" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nixos/home.nix
+++ b/nixos/home.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  home.username = "lusia";
+  home.homeDirectory = "/home/lusia";
+  home.stateVersion = "24.11";
+
+  programs.kitty = {
+    enable = true;
+  };
+
+  programs.home-manager.enable = true;
+}