├── .github
└── workflows
│ ├── buildiso.yaml
│ └── check.yaml
├── .gitignore
├── LICENSE
├── README.md
├── configuration.nix
├── flake.lock
├── flake.nix
├── hardware-configuration.nix
├── install.sh
├── niximg.nix
├── secrets
├── clash.yaml
└── keyfile.bin
├── src
├── devices
│ └── x1c7
│ │ └── default.nix
├── jupyter.nix
├── minecraft-server.nix
├── modules
│ ├── ash-profile
│ │ └── default.nix
│ └── x-os
│ │ ├── boot.nix
│ │ ├── default.nix
│ │ ├── desktop.nix
│ │ ├── general.nix
│ │ ├── i18n.nix
│ │ ├── networking.nix
│ │ ├── packages.nix
│ │ ├── security.nix
│ │ └── service.nix
├── networking.nix
└── users.nix
└── sync.sh
/.github/workflows/buildiso.yaml:
--------------------------------------------------------------------------------
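name: "Build customized NixOS LiveCD ISO"

on:
  push:
  schedule:
    # Weekly rebuild (Monday 01:30 UTC) so the image picks up new upstream
    # inputs even when nothing is pushed.
    - cron: '30 1 * * 1'

# Least-privilege token.  The job creates and deletes releases and uploads
# assets, which needs `contents: write`; nothing else is required.  Without
# an explicit block the GITHUB_TOKEN gets the repository default, which may
# be write-all.
permissions:
  contents: write

jobs:
  buildiso:
    # Build only for commits whose message starts with `buildiso:` or for the
    # weekly schedule; ordinary pushes are skipped.
    if: (startsWith(github.event.head_commit.message, 'buildiso:') || (github.event_name == 'schedule'))
    runs-on: ubuntu-latest
    steps:
      - name: Get current date
        id: date
        # Hour-granular stamp used as the release tag.  Two runs started in the
        # same hour would collide on the tag and the second `Create Release`
        # would fail.  `::set-output` is deprecated; write to $GITHUB_OUTPUT.
        run: echo "date=$(date +'%Y%m%d%H')" >> "$GITHUB_OUTPUT"

      - name: Checkout
        # TODO(security): pin every third-party action in this workflow to a
        # full commit SHA instead of a mutable tag or branch; a moved ref
        # silently changes the code that runs with this job's token and secrets.
        uses: actions/checkout@v2
        with:
          # Nix Flakes doesn't work on shallow clones
          fetch-depth: 0

      - name: Install nixFlake
        uses: cachix/install-nix-action@v12
        with:
          # NOTE(review): this downloads a pre-release installer from a
          # third-party GitHub release and executes it; nothing here verifies
          # its hash.  It is part of the trust base of every ISO built below.
          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210126_f15f0b8/install

      - name: Configure Nix to enable flake
        run: echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.conf

      - name: Update flake.lock, show drv, and calculate the hashes
        id: update
        # The lock file is regenerated on the runner, so the image is built
        # from whatever the flake inputs resolve to *at build time*, not from
        # the committed flake.lock.  The regenerated lock and the derivation
        # are printed and hashed so a published build can be tied back to its
        # exact inputs.
        run: |
          set -euo pipefail
          nix flake update --recreate-lock-file
          nix show-derivation ".#niximg" > niximg.drv
          cat ./flake.lock
          cat ./niximg.drv
          echo "flake=$(sha512sum ./flake.lock | cut -d ' ' -f 1)" >> "$GITHUB_OUTPUT"
          echo "niximg-drv=$(sha512sum ./niximg.drv | cut -d ' ' -f 1)" >> "$GITHUB_OUTPUT"

      - name: Send starting message to the telegram channel
        # NOTE(security): `@master` is a floating branch of a third-party
        # repository, and this step receives the Telegram bot token.  Pin it
        # to a reviewed commit SHA.
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            The `${{ github.workflow }}` workflow at `${{ steps.date.outputs.date }}` has started.
            - triggered by `${{ github.event_name }}`
            - `flake.lock` SHA-512: `${{ steps.update.outputs.flake }}`
            - derivation SHA-512: `${{ steps.update.outputs.niximg-drv }}`
            #niximg #started

      - name: Cache flake.lock
        id: cache-flake
        # The cache entry is only an "already built this exact derivation"
        # marker keyed on the .drv hash; on a hit the build and release steps
        # are skipped.
        uses: actions/cache@v2
        with:
          path: ./niximg.drv
          key: ${{ runner.os }}-nix-${{ steps.update.outputs.niximg-drv }}

      - name: Build LiveCD ISO image
        id: iso
        if: steps.cache-flake.outputs.cache-hit != 'true'
        run: |
          set -euo pipefail
          nix build ".#niximg"
          # Exactly one image is expected under result/iso/.  With a glob,
          # `cp` fails loudly if several files are present instead of silently
          # taking the first one `ls` happens to print.
          cp result/iso/*.iso ./niximg.iso
          echo "niximg-iso=$(sha512sum ./niximg.iso | cut -d ' ' -f 1)" >> "$GITHUB_OUTPUT"

      - name: Create Release
        id: create_release
        if: steps.cache-flake.outputs.cache-hit != 'true'
        # NOTE: actions/create-release and actions/upload-release-asset are
        # archived upstream; they still work but receive no fixes.  The SHA-512
        # published here is computed on the same runner that built the image,
        # so it guards against corrupted downloads, not against a compromised
        # build.
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.date.outputs.date }}
          release_name: ${{ steps.date.outputs.date }}
          body: |
            This is an automated LiveCD build built on ${{ steps.date.outputs.date }}.
            The SHA-512 checksum of the image is ${{ steps.iso.outputs.niximg-iso }}.
            The `flake.lock` this image was built from is attached; its SHA-512 is ${{ steps.update.outputs.flake }}.
            See [homepage](https://github.com/LEXUGE/nixos) for more information.
          draft: false
          prerelease: false

      - name: Upload Release Asset
        id: upload-release-asset
        if: steps.cache-flake.outputs.cache-hit != 'true'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./niximg.iso
          asset_name: niximg-${{ steps.date.outputs.date }}.iso
          asset_content_type: application/x-iso9660-image

      - name: Upload the flake.lock used for this build
        if: steps.cache-flake.outputs.cache-hit != 'true'
        # The committed flake.lock is not what was built (see the update
        # step), so publish the regenerated one next to the image; this is
        # what makes the release reproducible and auditable.
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./flake.lock
          asset_name: flake-${{ steps.date.outputs.date }}.lock
          asset_content_type: application/json

      - name: Clean-up releases
        # Runs on every job run (cache hit or not) and keeps the three newest
        # releases.
        uses: dev-drprasad/delete-older-releases@v0.1.0
        with:
          keep_latest: 3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Push release to the Telegram channel
        if: steps.cache-flake.outputs.cache-hit != 'true'
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            The `${{ github.workflow }}` workflow at `${{ steps.date.outputs.date }}` has created a new [release](${{ steps.create_release.outputs.html_url }}).
            - triggered by `${{ github.event_name }}`
            The SHA-512 checksum of the image is `${{ steps.iso.outputs.niximg-iso }}`.
            See [homepage](https://github.com/LEXUGE/nixos) for more information.
            #niximg #released

      - name: Push cached message to the Telegram channel
        if: steps.cache-flake.outputs.cache-hit == 'true'
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            The `${{ github.workflow }}` workflow at `${{ steps.date.outputs.date }}` hits a cache. No further build proceeds.
            - triggered by `${{ github.event_name }}`
            - `flake.lock` SHA-512: `${{ steps.update.outputs.flake }}`
            - derivation SHA-512: `${{ steps.update.outputs.niximg-drv }}`
            #niximg #cached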
--------------------------------------------------------------------------------
/.github/workflows/check.yaml:
--------------------------------------------------------------------------------
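name: "Nix Flake Check"

on:
  pull_request:
  push:

# Read-only token: this job only evaluates the flake and never writes back to
# the repository.  Keep it read-only, because on `pull_request` the Nix code
# being checked comes from the contributor.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # TODO(security): pin actions to full commit SHAs; tags are mutable.
      - uses: actions/checkout@v2
        with:
          # Nix Flakes doesn't work on shallow clones
          fetch-depth: 0
      - uses: cachix/install-nix-action@v12
        with:
          # NOTE(review): pre-release installer fetched from a third-party
          # release and executed without hash verification.
          install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210126_f15f0b8/install
      # Configure Nix to enable flakes
      - run: echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.conf
      # Run the general flake checks.  No secrets are used in this job, which
      # is what makes running untrusted PR code here acceptable.
      - run: nix flake check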
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# -*- mode: gitignore; -*-

# Nix build output symlink (`nix build` writes ./result).
result

# NOTE(review): the repository tree also carries secrets/clash.yaml and
# secrets/keyfile.bin, and nothing in this file excludes them.  Confirm they
# are encrypted at rest (git-crypt, agenix, sops, ...) before treating this
# repository as safe to publish.  No `secrets/` rule is added here on purpose:
# it would hide a directory that appears to be tracked intentionally.

# --- Emacs: backups, autosaves, lock files ------------------------------
*~
\#*\#
.\#*
auto-save-list
/.emacs.desktop
/.emacs.desktop.lock
*.elc
tramp

# --- Emacs: Org-mode --------------------------------------------------------
.org-id-locations
*_archive

# --- Emacs: flymake / flycheck ----------------------------------------------
*_flymake.*
flycheck_*.el

# --- Emacs: eshell ----------------------------------------------------------
/eshell/history
/eshell/lastdir

# --- Emacs: package managers (elpa, cask) -----------------------------------
/elpa/
.cask/
dist/

# --- Emacs: reftex / AUCTeX -------------------------------------------------
*.rel
/auto/

# --- Emacs: server auth directory -------------------------------------------
/server/

# --- Emacs: projectile, per-directory config, network security data ---------
.projectile
.dir-locals.el
/network-security.data
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | [one line to give the program's name and a brief idea of what it does.]
635 | Copyright (C) [year] [name of author]
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see https://www.gnu.org/licenses/.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | [program] Copyright (C) [year] [name of author]
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | https://www.gnu.org/licenses/.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | https://www.gnu.org/licenses/why-not-lgpl.html.
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NixOS
2 |   
3 |
4 | **This repo is deprecated. See my new config at [flake](https://github.com/LEXUGE/flake/)**
5 |
6 | A fully automated replicable nixos configuration flake that provides re-usable modules, and pre-configured system configuration.
7 |
8 | [CI Channel](https://t.me/harry_nixosci_channel)
9 |
10 | # Features
11 | - A customized LiveCD ISO that lets you try the environment out and speeds up your installation!
12 | - Full-disk encryption including `/boot`. Supports hibernation.
13 | - An almost automated one-liner installation script.
14 | - Transparent proxy and de-polluted DNS server using Clash and the [netkit.nix flake](https://github.com/icebox-nix/netkit.nix) (supports Shadowsocks, VMess and Trojan). Rules are written to maximize performance.
15 | - CapsLock as Ctrl! No Emacs pinky anymore! (Of course I am
16 | an Emacs user).
17 | - zsh with oh-my-zsh built in, plus a git plugin that makes your life
18 | easier.
19 | - GTK with a built-in dark variant.
20 |
21 | # How do I install pre-configured system configuration?
22 | [Download](https://github.com/LEXUGE/nixos/releases) and boot into the *customized* LiveCD, then run:
23 |
24 | ```
25 | sudo install-script
26 | ```
27 |
28 | Follow the instructions and you are done. The installation script above automatically installs the configuration specific to the ThinkPad X1 Carbon 7th Gen, but it should work fine on other modern laptops.
29 |
30 | ## Notes
31 | If you are on a NVMe SSD, use `sudo install-script -n` instead.
32 |
33 | If you are **outside** Mainland China, edit `configuration.nix` to use the official binary cache only instead of TUNA's. You may also need to adapt the `binaryCaches` setting in `system/options.nix` to your own network.
34 |
35 | See [wiki page](https://github.com/LEXUGE/nixos/wiki) for details.
36 |
37 | # Security details
38 | I do my best to ensure that the system is both convenient to use and secure, but there are some trade-offs to be aware of:
39 | - `services.fstrim.enable` is set to `true`, which means that an attacker with access to the raw disk may be able to infer how much of the fully encrypted disk is in use (TRIM reveals which blocks are unallocated).
40 | - A keyfile is enrolled in the `/` partition's LUKS encryption so that the LUKS passphrase does not have to be entered twice.
41 |
42 | # How do I re-use parts of it?
43 | I kept "stealing" in mind while writing the whole configuration. Use `nix flake show 'github:LEXUGE/nixos'` to see what is available. For example:
44 | ```
45 | github:LEXUGE/nixos/dd59c772a9bd0503da3c775427bbfed64d6dfc61
46 | │ ├───ash-profile: NixOS module
47 | │ └───x-os: NixOS module
48 | ```
49 | - `ash-profile` is my user space configuration (stuff like zsh, git, emacs config, etc).
50 | - `x-os` is my universal core system config.
51 | You can also check out the related flake repos ([netkit.nix](https://github.com/icebox-nix/netkit.nix), [std](https://github.com/icebox-nix/std)), which I use a lot here as well.
52 |
53 | # CI
54 | I use GitHub Actions to build the LiveCD three times a week (with all flake inputs up-to-date). This means that by using the latest ISO image, you are likely to copy a large chunk of the store directly from the CD (which is good because you don't need to download it!). After every successful build, my Telegram bot posts the newly-built release to the [CI telegram channel](https://t.me/harry_nixosci_channel). To save storage that others could otherwise use, only the last three images are kept.
55 |
56 | # See also
57 | - [netkit.nix flake](https://github.com/icebox-nix/netkit.nix): Versatile tools for advanced networking scenarios in NixOS, including Clash, wifi-to-wifi hotspot, on-demand minecraft server and frpc modules.
58 | - [std](https://github.com/icebox-nix/std): Standard library used by my flakes.
59 | - [iceberg](https://github.com/icebox-nix/iceberg): My personal package collection. Currently, it includes Wolfram Engine package and modules.
60 |
61 | # Acknowledgments
62 | Thanks to following repositories:
63 | - [Jollheef - localhost](https://github.com/jollheef/localhost). It inspired
64 | the general structure of my config and how to use home-manager.
65 | - [Ninlives - nixos-config](https://github.com/Ninlives/nixos-config). It
66 | inspired me to implement the transparent proxy functionality.
67 | - [nrdxp - nixflk](https://github.com/nrdxp/nixflk/). It helped me implement the customized ISO build.
68 | - [abcdw - rde](https://github.com/abcdw/rde/). Installation techniques.
69 |
--------------------------------------------------------------------------------
/configuration.nix:
--------------------------------------------------------------------------------
1 | { config, pkgs, lib, ... }: # host-specific module for the x1c7 system; it is listed in flake.nix next to the x-os, std, netkit and home-manager modules it configures
2 |
3 | {
4 | imports = [
5 | ./hardware-configuration.nix
6 | ./src/minecraft-server.nix
7 | ./src/users.nix
8 | ./src/networking.nix
9 | ./src/jupyter.nix
10 | ];
11 |
12 | home-manager.useUserPackages = true;
13 |
14 | std.interface = { # values consumed by the std module (std.nixosModule in flake.nix)
15 | system = {
16 | dirs = {
17 | secrets = { # quoted strings rather than path literals, so the files are referenced in place instead of being copied into the world-readable Nix store
18 | clash = "/etc/nixos/secrets/clash.yaml";
19 | keyfile = "/etc/nixos/secrets/keyfile.bin"; # LUKS keyfile for the `/` volume (README "Security details"); must stay out of version control — verify .gitignore covers secrets/
20 | };
21 | };
22 | bluetooth = {
23 | # Force enable/disable bluetooth
24 | # enable = true;
25 | # Choose default bluetooth service
26 | service = null; # null presumably leaves the choice to the module's default — confirm against std
27 | };
28 | };
29 | devices = {
30 | # resume_offset value. Obtained by filefrag -v /var/swapFile | awk '{ if($1=="0:"){print $4} }'
31 | # If you want to hibernate, you MUST set it properly.
32 | # swapResumeOffset = 13742080;
33 | };
34 | };
35 |
36 | system.stateVersion = "20.09";
37 |
38 | x-os = { # options of this repo's own x-os module (src/modules/x-os)
39 | enable = true;
40 | enableSwap = false; # no swap configured, consistent with swapResumeOffset being left unset above
41 | enableVirtualisation = false;
42 | enableXow = true;
43 | # Use SJTU Mirror together with original cache because SJTU has better performance inside Mainland China.
44 | # Use Cachix to reduce repeated builds.
45 | # Set the list to `[ ]` to use official cache only.
46 | binaryCaches = [ # NOTE(review): Nix only substitutes paths signed by a trusted key; keys for dcompass/netkit/dram are in x-os.publicKeys (flake.nix), none is visible for lexuge.cachix.org — confirm it is provided elsewhere
47 | "https://mirror.sjtu.edu.cn/nix-channels/store"
48 | "https://cache.nixos.org/"
49 | "https://dcompass.cachix.org/"
50 | "https://lexuge.cachix.org/"
51 | "https://dram.cachix.org"
52 | ];
53 | # Choose ibus engines to apply
54 | ibus-engines = with pkgs.ibus-engines; [ libpinyin typing-booster ];
55 | # iwdConfig = { General = { UseDefaultInterface = true; }; };
56 | };
57 | }
58 |
--------------------------------------------------------------------------------
/flake.lock:
--------------------------------------------------------------------------------
1 | {
2 | "nodes": {
3 | "ash-emacs": {
4 | "inputs": {
5 | "emacs-overlay": "emacs-overlay",
6 | "flake-utils": "flake-utils",
7 | "nixos": "nixos"
8 | },
9 | "locked": {
10 | "lastModified": 1619069923,
11 | "narHash": "sha256-39/18yJQQCKjgvH+YsE9a2R/lmJ0+ppS9IXFy7jzybI=",
12 | "owner": "LEXUGE",
13 | "repo": "emacs.d",
14 | "rev": "bf93c31c4e0a0dfe46a033e848bfadd3f1b492ec",
15 | "type": "github"
16 | },
17 | "original": {
18 | "owner": "LEXUGE",
19 | "repo": "emacs.d",
20 | "type": "github"
21 | }
22 | },
23 | "dcompass": {
24 | "inputs": {
25 | "naersk": "naersk",
26 | "nixpkgs": "nixpkgs_2",
27 | "rust-overlay": "rust-overlay",
28 | "utils": "utils"
29 | },
30 | "locked": {
31 | "lastModified": 1619587846,
32 | "narHash": "sha256-Bdyt9jW0zG7tzdmIkvp5gDlbZWj0JISXP7W7u4fFyzg=",
33 | "owner": "LEXUGE",
34 | "repo": "dcompass",
35 | "rev": "b20acf0cb03cab0b1e9677f7b6b3d90fecacc230",
36 | "type": "github"
37 | },
38 | "original": {
39 | "owner": "LEXUGE",
40 | "repo": "dcompass",
41 | "type": "github"
42 | }
43 | },
44 | "emacs-overlay": {
45 | "locked": {
46 | "lastModified": 1619061393,
47 | "narHash": "sha256-ChWmgta7i24xYPuAlvmzVR8nvPhT0Y2FrKM3/H3n1pU=",
48 | "owner": "nix-community",
49 | "repo": "emacs-overlay",
50 | "rev": "f0e75e8530efdfd9ac5cf2d5324ec6191aea8893",
51 | "type": "github"
52 | },
53 | "original": {
54 | "owner": "nix-community",
55 | "repo": "emacs-overlay",
56 | "type": "github"
57 | }
58 | },
59 | "flake-utils": {
60 | "locked": {
61 | "lastModified": 1618868421,
62 | "narHash": "sha256-vyoJhLV6cJ8/tWz+l9HZLIkb9Rd9esE7p+0RL6zDR6Y=",
63 | "owner": "numtide",
64 | "repo": "flake-utils",
65 | "rev": "eed214942bcfb3a8cc09eb3b28ca7d7221e44a94",
66 | "type": "github"
67 | },
68 | "original": {
69 | "owner": "numtide",
70 | "repo": "flake-utils",
71 | "type": "github"
72 | }
73 | },
74 | "flake-utils_2": {
75 | "locked": {
76 | "lastModified": 1614513358,
77 | "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
78 | "owner": "numtide",
79 | "repo": "flake-utils",
80 | "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
81 | "type": "github"
82 | },
83 | "original": {
84 | "owner": "numtide",
85 | "repo": "flake-utils",
86 | "type": "github"
87 | }
88 | },
89 | "flake-utils_3": {
90 | "locked": {
91 | "lastModified": 1618217525,
92 | "narHash": "sha256-WGrhVczjXTiswQaoxQ+0PTfbLNeOQM6M36zvLn78AYg=",
93 | "owner": "numtide",
94 | "repo": "flake-utils",
95 | "rev": "c6169a2772643c4a93a0b5ac1c61e296cba68544",
96 | "type": "github"
97 | },
98 | "original": {
99 | "owner": "numtide",
100 | "repo": "flake-utils",
101 | "type": "github"
102 | }
103 | },
104 | "flake-utils_4": {
105 | "locked": {
106 | "lastModified": 1610051610,
107 | "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
108 | "owner": "numtide",
109 | "repo": "flake-utils",
110 | "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
111 | "type": "github"
112 | },
113 | "original": {
114 | "owner": "numtide",
115 | "repo": "flake-utils",
116 | "type": "github"
117 | }
118 | },
119 | "flake-utils_5": {
120 | "locked": {
121 | "lastModified": 1620759905,
122 | "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=",
123 | "owner": "numtide",
124 | "repo": "flake-utils",
125 | "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8",
126 | "type": "github"
127 | },
128 | "original": {
129 | "owner": "numtide",
130 | "repo": "flake-utils",
131 | "type": "github"
132 | }
133 | },
134 | "home": {
135 | "inputs": {
136 | "nixpkgs": [
137 | "nixos"
138 | ]
139 | },
140 | "locked": {
141 | "lastModified": 1620692082,
142 | "narHash": "sha256-s/eBXs4OI47yPWNTKoAg4f/H7wMLyO+VEMmobXkzfI8=",
143 | "owner": "nix-community",
144 | "repo": "home-manager",
145 | "rev": "23769994e8f7b212d9a257799173b120ed87736b",
146 | "type": "github"
147 | },
148 | "original": {
149 | "owner": "nix-community",
150 | "repo": "home-manager",
151 | "type": "github"
152 | }
153 | },
154 | "iceberg": {
155 | "inputs": {
156 | "flake-utils": "flake-utils_3",
157 | "nixos": "nixos_2"
158 | },
159 | "locked": {
160 | "lastModified": 1618666875,
161 | "narHash": "sha256-7+Aa6yeRgQYUWdU8wm9VEEWBTNGaepMY6lfFbRlFLvw=",
162 | "owner": "icebox-nix",
163 | "repo": "iceberg",
164 | "rev": "d0eb27e076fae522a0ab3a72e66bb50f6b1ebd5f",
165 | "type": "github"
166 | },
167 | "original": {
168 | "owner": "icebox-nix",
169 | "repo": "iceberg",
170 | "type": "github"
171 | }
172 | },
173 | "naersk": {
174 | "inputs": {
175 | "nixpkgs": "nixpkgs"
176 | },
177 | "locked": {
178 | "lastModified": 1618068541,
179 | "narHash": "sha256-enxg0QB53Zis0VJWfJsrX7zCjurpi7lW78EKXbJdzpQ=",
180 | "owner": "nmattia",
181 | "repo": "naersk",
182 | "rev": "b3b099d669fc8b18d361c249091c9fe95d57ebbb",
183 | "type": "github"
184 | },
185 | "original": {
186 | "owner": "nmattia",
187 | "repo": "naersk",
188 | "type": "github"
189 | }
190 | },
191 | "netkit": {
192 | "inputs": {
193 | "flake-utils": "flake-utils_4",
194 | "nixpkgs": "nixpkgs_4"
195 | },
196 | "locked": {
197 | "lastModified": 1619744036,
198 | "narHash": "sha256-49QzY0BelXr8WObsj/dBMKMRUgw4HudMx0ItUpMbAk4=",
199 | "owner": "icebox-nix",
200 | "repo": "netkit.nix",
201 | "rev": "ccc79d2377c4bfec206cdfa1f927db350aed7f69",
202 | "type": "github"
203 | },
204 | "original": {
205 | "owner": "icebox-nix",
206 | "repo": "netkit.nix",
207 | "type": "github"
208 | }
209 | },
210 | "nixos": {
211 | "locked": {
212 | "lastModified": 1618801528,
213 | "narHash": "sha256-1ru9LzP33ElEAZcDzYLgJQG3/uHhAg0LFJEfVZSOPZg=",
214 | "owner": "NixOS",
215 | "repo": "nixpkgs",
216 | "rev": "0a5f5bab0e08e968ef25cff393312aa51a3512cf",
217 | "type": "github"
218 | },
219 | "original": {
220 | "owner": "NixOS",
221 | "ref": "nixos-unstable",
222 | "repo": "nixpkgs",
223 | "type": "github"
224 | }
225 | },
226 | "nixos-cn": {
227 | "inputs": {
228 | "flake-utils": "flake-utils_5",
229 | "nixpkgs": "nixpkgs_5"
230 | },
231 | "locked": {
232 | "lastModified": 1620781992,
233 | "narHash": "sha256-wN7CT1/YE86str7AWNbFo8VQHVrgr4BOJE7QWerbWCw=",
234 | "owner": "nixos-cn",
235 | "repo": "flakes",
236 | "rev": "a6af2bec7ac77f35945157076e30bd7d858de7a0",
237 | "type": "github"
238 | },
239 | "original": {
240 | "owner": "nixos-cn",
241 | "repo": "flakes",
242 | "type": "github"
243 | }
244 | },
245 | "nixos_2": {
246 | "locked": {
247 | "lastModified": 1618447066,
248 | "narHash": "sha256-2f9ydxgdW2igSIe1vmV8buTEpAVQPVhV+OxvlFRTA+Y=",
249 | "owner": "NixOS",
250 | "repo": "nixpkgs",
251 | "rev": "dcdf30a78a523296b5f9d44fb67afac485b64737",
252 | "type": "github"
253 | },
254 | "original": {
255 | "owner": "NixOS",
256 | "ref": "nixos-unstable",
257 | "repo": "nixpkgs",
258 | "type": "github"
259 | }
260 | },
261 | "nixos_3": {
262 | "locked": {
263 | "lastModified": 1620387763,
264 | "narHash": "sha256-cR6e92q0fMMol0K5a+e472F2ojjEoaEighs51pKF99I=",
265 | "owner": "NixOS",
266 | "repo": "nixpkgs",
267 | "rev": "ae1c8ede09b53007ba9b3c32f926c9c03547ae8b",
268 | "type": "github"
269 | },
270 | "original": {
271 | "owner": "NixOS",
272 | "ref": "nixos-unstable",
273 | "repo": "nixpkgs",
274 | "type": "github"
275 | }
276 | },
277 | "nixpkgs": {
278 | "locked": {
279 | "lastModified": 1618619705,
280 | "narHash": "sha256-+yBGazqJxjT+BR00oCNamOgiEFPHBOPkqak7MUYcpBA=",
281 | "owner": "NixOS",
282 | "repo": "nixpkgs",
283 | "rev": "e5cc06a1e806070693add4f231060a62b962fc44",
284 | "type": "github"
285 | },
286 | "original": {
287 | "id": "nixpkgs",
288 | "type": "indirect"
289 | }
290 | },
291 | "nixpkgs_2": {
292 | "locked": {
293 | "lastModified": 1618447066,
294 | "narHash": "sha256-2f9ydxgdW2igSIe1vmV8buTEpAVQPVhV+OxvlFRTA+Y=",
295 | "owner": "nixos",
296 | "repo": "nixpkgs",
297 | "rev": "dcdf30a78a523296b5f9d44fb67afac485b64737",
298 | "type": "github"
299 | },
300 | "original": {
301 | "owner": "nixos",
302 | "ref": "nixos-unstable",
303 | "repo": "nixpkgs",
304 | "type": "github"
305 | }
306 | },
307 | "nixpkgs_3": {
308 | "locked": {
309 | "lastModified": 1617325113,
310 | "narHash": "sha256-GksR0nvGxfZ79T91UUtWjjccxazv6Yh/MvEJ82v1Xmw=",
311 | "owner": "nixos",
312 | "repo": "nixpkgs",
313 | "rev": "54c1e44240d8a527a8f4892608c4bce5440c3ecb",
314 | "type": "github"
315 | },
316 | "original": {
317 | "owner": "NixOS",
318 | "repo": "nixpkgs",
319 | "type": "github"
320 | }
321 | },
322 | "nixpkgs_4": {
323 | "locked": {
324 | "lastModified": 1613761605,
325 | "narHash": "sha256-lUF6UPR96ZzQC0faNXBHLoLhNAdxZqYqDwz0PaIZ/7Y=",
326 | "owner": "NixOS",
327 | "repo": "nixpkgs",
328 | "rev": "9816b99e71c3504b0b4c1f8b2e004148460029d4",
329 | "type": "github"
330 | },
331 | "original": {
332 | "owner": "NixOS",
333 | "ref": "nixos-unstable",
334 | "repo": "nixpkgs",
335 | "type": "github"
336 | }
337 | },
338 | "nixpkgs_5": {
339 | "locked": {
340 | "lastModified": 1620387763,
341 | "narHash": "sha256-cR6e92q0fMMol0K5a+e472F2ojjEoaEighs51pKF99I=",
342 | "owner": "NixOS",
343 | "repo": "nixpkgs",
344 | "rev": "ae1c8ede09b53007ba9b3c32f926c9c03547ae8b",
345 | "type": "github"
346 | },
347 | "original": {
348 | "owner": "NixOS",
349 | "ref": "nixos-unstable",
350 | "repo": "nixpkgs",
351 | "type": "github"
352 | }
353 | },
354 | "root": {
355 | "inputs": {
356 | "ash-emacs": "ash-emacs",
357 | "dcompass": "dcompass",
358 | "home": "home",
359 | "iceberg": "iceberg",
360 | "netkit": "netkit",
361 | "nixos": "nixos_3",
362 | "nixos-cn": "nixos-cn",
363 | "std": "std"
364 | }
365 | },
366 | "rust-overlay": {
367 | "inputs": {
368 | "flake-utils": "flake-utils_2",
369 | "nixpkgs": "nixpkgs_3"
370 | },
371 | "locked": {
372 | "lastModified": 1618595381,
373 | "narHash": "sha256-pA/JtiP8HefPOnaAoje0nwVzjM9weJ64xgVIkElADEM=",
374 | "owner": "oxalica",
375 | "repo": "rust-overlay",
376 | "rev": "dbf78f49fe3d882e00ccb5ddad1102c66266b7c3",
377 | "type": "github"
378 | },
379 | "original": {
380 | "owner": "oxalica",
381 | "repo": "rust-overlay",
382 | "type": "github"
383 | }
384 | },
385 | "std": {
386 | "locked": {
387 | "lastModified": 1602140592,
388 | "narHash": "sha256-XRFv8L7axOuFf2pCsX/YNQ4Y7VwMuhZ8kjbHyNOs0wI=",
389 | "owner": "icebox-nix",
390 | "repo": "std",
391 | "rev": "86d9e8966205afdb940abf46f1f9cff6d03a3f5c",
392 | "type": "github"
393 | },
394 | "original": {
395 | "owner": "icebox-nix",
396 | "repo": "std",
397 | "type": "github"
398 | }
399 | },
400 | "utils": {
401 | "locked": {
402 | "lastModified": 1618217525,
403 | "narHash": "sha256-WGrhVczjXTiswQaoxQ+0PTfbLNeOQM6M36zvLn78AYg=",
404 | "owner": "numtide",
405 | "repo": "flake-utils",
406 | "rev": "c6169a2772643c4a93a0b5ac1c61e296cba68544",
407 | "type": "github"
408 | },
409 | "original": {
410 | "owner": "numtide",
411 | "repo": "flake-utils",
412 | "type": "github"
413 | }
414 | }
415 | },
416 | "root": "root",
417 | "version": 7
418 | }
419 |
--------------------------------------------------------------------------------
/flake.nix:
--------------------------------------------------------------------------------
1 | {
2 | description = "Harry Ying's NixOS configuration";
3 |
4 | inputs = { # every input tracks a branch or default ref; exact revisions are pinned in flake.lock, which CI regenerates on each scheduled build (.github/workflows/buildiso.yaml)
5 | nixos.url = "github:NixOS/nixpkgs/nixos-unstable";
6 | home = {
7 | url = "github:nix-community/home-manager";
8 | inputs.nixpkgs.follows = "nixos"; # reuse the root nixpkgs so only one nixpkgs is evaluated
9 | };
10 | # We may have multiple flakes using std, but we only may use one version of std. So we declare it here and let others which depend on it follow.
11 | std.url = "github:icebox-nix/std";
12 | #url = "/home/ash/Documents/git/netkit.nix";
13 | netkit.url = "github:icebox-nix/netkit.nix";
14 | dcompass.url = "github:LEXUGE/dcompass";
15 | nixos-cn.url = "github:nixos-cn/flakes";
16 | #ash-emacs.url = "/home/ash/Documents/git/emacs.d";
17 | ash-emacs.url = "github:LEXUGE/emacs.d";
18 | iceberg.url = "github:icebox-nix/iceberg";
19 | # nix-dram.url = "github:dramforever/nix-dram";
20 | };
21 |
22 | outputs = { self, nixos, home, std, netkit, ash-emacs, iceberg, nixos-cn
23 | , dcompass, ... }@inputs: {
24 | x1c7-toplevel = # convenience aliases; `.#niximg` is what CI builds (buildiso.yaml)
25 | self.nixosConfigurations.x1c7.config.system.build.toplevel;
26 | niximg = self.nixosConfigurations.niximg.config.system.build.isoImage;
27 |
28 | nixosModules = { # reusable modules exported for other flakes (see README "How do I re-use parts of it?")
29 | ash-profile = (import ./src/modules/ash-profile);
30 | x-os = (import ./src/modules/x-os);
31 | };
32 |
33 | nixosConfigurations = {
34 | x1c7 = nixos.lib.nixosSystem { # the laptop system; host settings live in ./configuration.nix
35 | system = "x86_64-linux";
36 | modules = [
37 | {
38 | x-os.publicKeys = [ # signing keys trusted for the caches in configuration.nix's binaryCaches; a key here means that cache's builds are accepted as if built locally — presumably wired to the Nix trusted keys by the x-os module, confirm
39 | dcompass.publicKey
40 | netkit.publicKey
41 | "dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY=" # pasted in rather than taken from an input; update here if the cache key changes
42 | ];
43 | nixpkgs.overlays = [
44 | ash-emacs.overlay
45 | iceberg.overlay
46 | nixos-cn.overlay
47 | dcompass.overlay
48 | # nix-dram.overlay
49 | ];
50 | }
51 | ./configuration.nix
52 | ./src/devices/x1c7
53 | std.nixosModule
54 | self.nixosModules.x-os
55 | self.nixosModules.ash-profile
56 | home.nixosModules.home-manager
57 | netkit.nixosModule
58 | iceberg.nixosModules.wolfram-jupyter
59 | # FIXME: Currently, nixos-generate-config by default writes out modulePath which is unsupported by flake.
60 | # FIXME: This means on installation, we need to MANUALLY edit the generated hardware-configuration.nix
61 | # COMMENT: Seems like it is causing no problem.
62 | nixos.nixosModules.notDetected
63 | ];
64 | };
65 | niximg = nixos.lib.nixosSystem { # installer ISO built by CI; shares x-os/ash-profile with x1c7 but trusts only the dcompass and netkit cache keys
66 | system = "x86_64-linux";
67 | modules = [
68 | "${nixos}/nixos/modules/installer/cd-dvd/installation-cd-base.nix" # installer base taken from the pinned nixpkgs input
69 | {
70 | nixpkgs.overlays =
71 | [ ash-emacs.overlay dcompass.overlay ]; # nix-dram.overlay
72 | x-os.publicKeys = [ dcompass.publicKey netkit.publicKey ];
73 | }
74 | ./niximg.nix
75 | std.nixosModule
76 | self.nixosModules.x-os
77 | self.nixosModules.ash-profile
78 | home.nixosModules.home-manager
79 | netkit.nixosModule
80 | ];
81 | };
82 | };
83 | };
84 | }
85 |
--------------------------------------------------------------------------------
/hardware-configuration.nix:
--------------------------------------------------------------------------------
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
#
# install.sh deletes the checked-in copy and regenerates it with
# `nixos-generate-config --root` during installation, so the UUIDs below
# belong to one specific machine.
{ config, lib, pkgs, modulesPath, ... }:

{
  # flake.nix carries a FIXME about this modulesPath import under flakes;
  # it is reported there to cause no problem.
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  boot.initrd.availableKernelModules =
    [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  # ext4 created by install.sh on /dev/mapper/cryptroot, i.e. inside the LUKS container below.
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/aaeb0f05-6a35-4c13-aaf6-2c1b203c17a3";
    fsType = "ext4";
  };

  # The mapping name "cryptroot" must match the name install.sh uses in
  # `cryptsetup open ... cryptroot` and the one src/modules/x-os/boot.nix
  # attaches the keyfile to (boot.initrd.luks.devices."cryptroot").
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/9ad30f82-6af0-4f8c-91fb-9b95467ecb11";

  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/DBAF-374B";
    fsType = "vfat";
  };

  swapDevices = [ ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
}
34 |
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
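# Abort on the first failing command. pipefail extends this to pipelines, so
# an empty device scan in select_device (grep matching nothing) stops the
# script instead of offering an empty menu.
set -e -o pipefail

# Prompt used by the `select` menu in select_device.
prompt1="Enter your option: "
# Mount point of the EFI system partition, relative to the target root.
ESP="/boot/efi"
# Where the target system is assembled before nixos-install runs.
MOUNTPOINT="/mnt"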
8 |
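# contains_element NEEDLE [HAYSTACK...]
# Succeeds (exit 0) when NEEDLE equals one of the remaining arguments and
# fails (exit 1) otherwise. The original `break`-based loop left the exit
# status to the last `[[ ]]`, which reported success for an empty haystack.
contains_element() {
  local needle="$1" e
  for e in "${@:2}"; do
    [[ "$e" == "$needle" ]] && return 0
  done
  return 1
}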
13 |
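#SELECT DEVICE
# Lists the attached block devices and lets the user pick the one to
# partition. Sets the globals `device`, `ROOT_PARTITION` and
# `ESP_PARTITION` that the later stages read. An invalid menu choice exits.
#
# Partition names get a "p" separator when "-n" is passed as $1 (the
# original switch) or when the chosen device name ends in a digit
# (nvme0n1, mmcblk0 — the kernel's naming rule), so forgetting "-n" on an
# NVMe disk no longer produces names like /dev/nvme0n12.
select_device() {
  local devices_list sep=""
  mapfile -t devices_list < <(lsblk -d | awk '{print "/dev/" $1}' | grep 'sd\|hd\|vd\|nvme\|mmcblk')
  PS3="$prompt1"
  echo -e "Attached Devices:\n"
  lsblk -lnp -I 2,3,8,9,22,34,56,57,58,65,66,67,68,69,70,71,72,91,128,129,130,131,132,133,134,135,259 | awk '{print $1,$4,$6,$7}' | column -t
  echo -e "\n"
  echo -e "Select device to partition:\n"
  select device in "${devices_list[@]}"; do
    if contains_element "${device}" "${devices_list[@]}"; then
      break
    else
      exit 1
    fi
  done
  if [[ "${1:-}" == "-n" || "${device}" == *[0-9] ]]; then
    sep="p"
  fi
  ROOT_PARTITION="${device}${sep}2"
  ESP_PARTITION="${device}${sep}1"
  echo "Root partition: ${ROOT_PARTITION}"
  echo "ESP partition: ${ESP_PARTITION}"
}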
39 |
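#CREATE_PARTITION
# Destroys whatever is on `device` and lays out a GPT with:
#   1: 1MiB..512MiB   FAT32 EFI system partition (esp flag), mounted at ${ESP}
#   2: 512MiB..100%   root, LUKS-formatted by format_partition
# Asks for an explicit confirmation first because wipefs/parted are
# irreversible; anything but the exact device path aborts. parted output is
# silenced, but a failing parted still aborts the script through `set -e`.
create_partition() {
  local confirm
  echo "ALL DATA on ${device} will be destroyed."
  read -r -p "Type the device path (${device}) to confirm: " confirm
  if [[ "${confirm}" != "${device}" ]]; then
    echo "Aborted: confirmation did not match ${device}" >&2
    exit 1
  fi
  wipefs -a "${device}"
  # Set GPT scheme
  parted "${device}" mklabel gpt &>/dev/null
  # Create the ESP (mounted later at ${MOUNTPOINT}${ESP})
  parted "${device}" mkpart primary fat32 1MiB 512MiB &>/dev/null
  parted "${device}" set 1 esp on &>/dev/null
  # Create /
  parted "${device}" mkpart primary 512MiB 100% &>/dev/null
}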
51 |
#FORMAT_PARTITION
# Formats the ESP as FAT32 and turns the root partition into a LUKS1
# container, opened as "cryptroot" and filled with ext4. cryptsetup asks for
# the passphrase interactively; the keyfile is enrolled later by create_keyfile.
format_partition() {
  local root_mapper="/dev/mapper/cryptroot"
  mkfs.fat -F32 "${ESP_PARTITION}" >/dev/null
  echo "LUKS Setup for '/' partition"
  # Long-form spellings of the -s/-h/-i switches. LUKS1 is used because GRUB
  # unlocks this container itself (enableCryptodisk in x-os/boot.nix) and its
  # cryptodisk support is known to handle LUKS1.
  cryptsetup luksFormat --type luks1 --key-size 512 --hash sha512 --iter-time 3000 "${ROOT_PARTITION}"
  echo "Open '/' partition"
  cryptsetup open "${ROOT_PARTITION}" cryptroot
  mkfs.ext4 "${root_mapper}" >/dev/null
}
61 |
#MOUNT_PARTITION
# Mounts the opened root container at ${MOUNTPOINT} and the ESP beneath it
# at ${MOUNTPOINT}${ESP}, creating that directory if needed.
mount_partition() {
  local esp_dir="${MOUNTPOINT}${ESP}"
  mount /dev/mapper/cryptroot "${MOUNTPOINT}"
  mkdir -p "${esp_dir}"
  mount "${ESP_PARTITION}" "${esp_dir}"
}
68 |
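#CREATE_KEYFILE
# Generates a 2048-byte random keyfile (4 x 512-byte blocks) that the initrd
# uses to unlock the root container without a second passphrase prompt (see
# boot.initrd.luks.devices."cryptroot".keyFile in x-os/boot.nix) and enrols
# it as an additional LUKS key slot; luksAddKey asks for the existing
# passphrase. The file is created with mode 600 *before* any key material is
# written, instead of being chmod'ed afterwards, so it is never readable by
# other users even briefly.
create_keyfile() {
  local keyfile="${MOUNTPOINT}/etc/nixos/secrets/keyfile.bin"
  install -m 600 /dev/null "${keyfile}"
  dd bs=512 count=4 if=/dev/random of="${keyfile}" iflag=fullblock
  echo "Add key to root partition"
  cryptsetup luksAddKey "${ROOT_PARTITION}" "${keyfile}"
}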
76 |
# NIXOS_INSTALL
# Clones this repository into the target's /etc/nixos, lets the user edit the
# configuration, builds the x1c7 system into the target store and runs
# nixos-install. Order matters: the keyfile must exist before the flake is
# archived/built (x-os/boot.nix copies it into the initrd), and
# hardware-configuration.nix must be regenerated before the build.
nixos_install() {
  git clone https://github.com/LEXUGE/nixos ${MOUNTPOINT}/etc/nixos/

  # Drop the placeholder keyfile and the committed hardware config; both are
  # regenerated for this machine below.
  rm ${MOUNTPOINT}/etc/nixos/secrets/keyfile.bin
  rm ${MOUNTPOINT}/etc/nixos/hardware-configuration.nix

  create_keyfile
  reset

  # Create new options.nix and open it to let user customize.
  echo "Generate and open build options for configuration..."
  read -n 1 -s -r -p "[CONFIG] Adapt whatever on your needs. Press any key to continue"
  nano ${MOUNTPOINT}/etc/nixos/configuration.nix
  reset
  read -n 1 -s -r -p "[USERS] In the next step, you MUST change the user passwords, else you are gonna to be locked out. Press any key to continue"
  nano ${MOUNTPOINT}/etc/nixos/src/users.nix
  reset
  read -n 1 -s -r -p "[CLASH] In the next step, you'd better set up the appropriate proxy if you are not in a free Internet. Press any key to continue"
  nano ${MOUNTPOINT}/etc/nixos/secrets/clash.yaml
  reset
  nixos-generate-config --root ${MOUNTPOINT}

  # FIXME: Don't know why we need no-check-sigs
  # NOTE(review): --no-check-sigs admits unsigned store paths into the target
  # store; presumably needed because the path built on the live system is
  # unsigned — confirm rather than keeping it as a habit.
  nix copy --to ${MOUNTPOINT} "nixpkgs#nixFlakes" --no-check-sigs

  # We need to have both source in /nix/store and /mnt/nixos/store due to current buggy implementation of upstream tools.
  # NOTE(review): `nix flake archive` copies the git-tracked tree, and
  # secrets/keyfile.bin is a tracked file (a placeholder is committed), so
  # the LUKS keyfile generated above presumably ends up as a world-readable
  # path under /nix/store on both the live and the target system. Verify;
  # keeping the keyfile outside the flake tree and pointing
  # boot.initrd.secrets at that path would avoid it.
  nix flake archive "${MOUNTPOINT}/etc/nixos"

  # Impure flag is needed because nix thinks `/mnt/nix/store` as a non-store path
  nix build "${MOUNTPOINT}/etc/nixos#x1c7-toplevel" --option store ${MOUNTPOINT} --impure

  # Install NixOS. We don't need root password.
  # Use `-f` to follow the coding style in `nixos-install`.
  # The `nixos-install`'s implementation has already specified `--store /mnt` for us.
  # Relies on the current directory being where `nix build` wrote ./result.
  nixos-install --system "$(readlink -f ./result)" --no-root-passwd

  reboot
}
116 |
# INSTALLATION
# Run the stages in order; any failing stage aborts the script via `set -e`.
# "$@" is forwarded so select_device still sees the optional "-n" switch.
main() {
  select_device "$@"
  create_partition
  format_partition
  mount_partition
  nixos_install
}

main "$@"
123 |
--------------------------------------------------------------------------------
/niximg.nix:
--------------------------------------------------------------------------------
# Module for the customised LiveCD (nixosConfigurations.niximg in flake.nix):
# the GNOME edition of the installer ISO plus this repository's x-os and
# ash-profile modules, a clash proxy, and install.sh bundled as `install-script`.
{ config, lib, pkgs, ... }:
with lib; {

  home-manager.useUserPackages = true;

  isoImage.edition = "gnome";

  # Whitelist wheel users to do anything
  # This is useful for things like pkexec
  #
  # WARNING: this is dangerous for systems
  # outside the installation-cd and shouldn't
  # be used anywhere else.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  '';

  # Wi-Fi is handled by NetworkManager (x-os/networking.nix); this presumably
  # overrides the wpa_supplicant default of the installer CD base — confirm.
  networking.wireless.enable = mkForce false;

  services.xserver.displayManager = {
    gdm = {
      # autoSuspend makes the machine automatically suspend after inactivity.
      # It's possible someone could/try to ssh'd into the machine and obviously
      # have issues because it's inactive.
      # See:
      # * https://github.com/NixOS/nixpkgs/pull/63790
      # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22
      autoSuspend = false;
    };
    # Log straight into the live session as the stock installer user.
    autoLogin = {
      enable = true;
      user = "nixos";
    };
  };

  x-os = {
    enable = true;
    # isoMode switches off boot, swap and extra-service configuration (x-os/general.nix).
    isoMode = true;
    hostname = "niximg";
    # Use SJTU Mirror together with original cache because SJTU has better performance inside Mainland China.
    # Use Cachix to reduce repeated builds.
    # Set the list to `[ ]` to use official cache only.
    # NOTE(review): flake.nix only passes dcompass.publicKey and
    # netkit.publicKey for this image (plus the default cache.nixos.org key,
    # which the SJTU mirror re-serves). Paths signed solely by the
    # lexuge.cachix.org or dram.cachix.org keys would be refused unless one
    # of those inputs exports that key — confirm.
    binaryCaches = [
      "https://mirror.sjtu.edu.cn/nix-channels/store"
      "https://cache.nixos.org/"
      "https://dcompass.cachix.org/"
      "https://lexuge.cachix.org/"
      "https://dram.cachix.org"
    ];
    # Choose ibus engines to apply
    ibus-engines = with pkgs.ibus-engines; [ libpinyin ];
    # Add installation script into LiveCD.
    # The script is embedded verbatim at build time, so changes to install.sh
    # need a rebuilt ISO.
    extraPackages = [
      (pkgs.writeShellScriptBin "install-script"
        (builtins.readFile ./install.sh))
    ];
  };

  # `${./secrets/clash.yaml}` copies the file into the Nix store, which is
  # world-readable, so the proxy credentials in it are visible to every user
  # of the live system.
  std.interface = {
    system = { dirs = { secrets.clash = "${./secrets/clash.yaml}"; }; };
  };

  # Networking
  netkit = {
    clash = {
      enable = true;
      redirPort = 7892; # This must be the same with the one in your clash.yaml
      # Presumably a systemd After= on the local dcompass resolver configured
      # in x-os/networking.nix — confirm against the netkit module.
      afterUnits = [ "dcompass.service" ];
    };
  };

  # User related section.
  users.users.nixos.shell = pkgs.zsh;
  ash-profile.nixos = {
    extraPackages = with pkgs; [
      htop
      firefox-wayland
      tdesktop
      gparted
      etcher
      # torbrowser
      pavucontrol
    ];
    emacsPackages = with pkgs; [
      (hunspellWithDicts [ hunspellDicts.en-us hunspellDicts.en-us-large ])
      emacs-all-the-icons-fonts
      ash-emacs-x86_64-linux
    ];
  };
}
95 |
--------------------------------------------------------------------------------
/secrets/clash.yaml:
--------------------------------------------------------------------------------
# Clash configuration shipped into the live ISO (niximg.nix copies it into
# the Nix store) and opened for editing by install.sh during installation.
# Despite the secrets/ location this file is part of the repository that
# install.sh clones from github.com, so the proxy endpoints and the vmess
# uuid below are effectively public and should be replaced before use.

# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# redir port for Linux and macOS
# Must equal netkit.clash.redirPort (7892) in niximg.nix.
redir-port: 7892

# false keeps the ports above bound to loopback only; leave it that way on a laptop.
allow-lan: false

# Rule / Global / Direct (default is Rule)
mode: Rule

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# RESTful API for clash
# Loopback only, but no `secret` is configured, so any local process can
# reconfigure the proxy through it; set one if other users share the machine.
external-controller: 127.0.0.1:9090

# experimental feature
experimental:
  ignore-resolve-fail: true # ignore dns resolve fail, default value is true
  # interface-name: en0 # outbound interface name

proxies:
  # shadowsocks
  # The supported ciphers(encrypt methods):
  # aes-128-gcm aes-192-gcm aes-256-gcm
  # aes-128-cfb aes-192-cfb aes-256-cfb
  # aes-128-ctr aes-192-ctr aes-256-ctr
  # rc4-md5 chacha20-ietf xchacha20
  # chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  # (The cipher list applies to shadowsocks entries only; none of the
  # entries below is shadowsocks.)

  # jms3, jms4 and jms5 are identical (same server, port and uuid);
  # presumably placeholders for three distinct endpoints.
  - name: "jms3"
    type: vmess
    server: cxxs3.jamjams.net
    port: 100
    uuid: a496805f-a8a0-416a-8ab7-759edbf4860f
    alterId: 0
    cipher: auto

  - name: "jms4"
    type: vmess
    server: cxxs3.jamjams.net
    port: 100
    uuid: a496805f-a8a0-416a-8ab7-759edbf4860f
    alterId: 0
    cipher: auto

  - name: "jms5"
    type: vmess
    server: cxxs3.jamjams.net
    port: 100
    uuid: a496805f-a8a0-416a-8ab7-759edbf4860f
    alterId: 0
    cipher: auto

  # Placeholder trojan entry (example.com / "password"); fill in before enabling.
  - name: "frankfurt"
    type: trojan
    server: example.com
    port: 443
    password: password
    # udp: true
    sni: example.com
    # alpn:
    #   - h2
    #   - http/1.1
    # Keep this commented: enabling it disables certificate verification
    # for the trojan TLS connection.
    # skip-cert-verify: true

proxy-groups:
  # Manual selector; "auto" is the fallback group below.
  - name: "select"
    type: select
    proxies:
      - auto
      - DIRECT
      - jms3
      - jms4
      - jms5
      - frankfurt

  # Uses the first healthy proxy in list order, probed with the URL below.
  - name: "auto"
    type: fallback
    proxies:
      - DIRECT
      - jms4
      - frankfurt
      - jms5
      - jms3
    url: 'http://clients6.google.com/generate_204'
    # Health-check interval in seconds; 5 s is aggressive for a laptop.
    interval: 5

# Rules are matched top to bottom; the first hit decides.
rules:
  # Ad block functionality
  - DOMAIN-SUFFIX,ad.com,REJECT
  - DOMAIN-KEYWORD,admarvel,REJECT
  - DOMAIN-KEYWORD,admaster,REJECT
  - DOMAIN-KEYWORD,adsage,REJECT
  - DOMAIN-KEYWORD,adsmogo,REJECT
  - DOMAIN-KEYWORD,adsrvmedia,REJECT
  - DOMAIN-KEYWORD,adwords,REJECT
  - DOMAIN-KEYWORD,adservice,REJECT
  - DOMAIN-KEYWORD,domob,REJECT
  - DOMAIN-KEYWORD,duomeng,REJECT
  - DOMAIN-KEYWORD,dwtrack,REJECT
  - DOMAIN-KEYWORD,guanggao,REJECT
  - DOMAIN-KEYWORD,lianmeng,REJECT
  - DOMAIN-SUFFIX,mmstat.com,REJECT
  - DOMAIN-KEYWORD,omgmta,REJECT
  - DOMAIN-KEYWORD,openx,REJECT
  - DOMAIN-KEYWORD,partnerad,REJECT
  - DOMAIN-KEYWORD,pingfore,REJECT
  - DOMAIN-KEYWORD,supersonicads,REJECT
  - DOMAIN-KEYWORD,uedas,REJECT
  - DOMAIN-KEYWORD,umeng,REJECT
  - DOMAIN-KEYWORD,usage,REJECT
  - DOMAIN-KEYWORD,wlmonitor,REJECT
  - DOMAIN-KEYWORD,zjtoolbar,REJECT
  # Don't route domestic inquiries
  # Private/loopback/CGNAT ranges, a few public resolvers, then anything
  # GeoIP-located in CN, all bypass the proxy.
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,17.0.0.0/8,DIRECT
  - IP-CIDR,100.64.0.0/10,DIRECT
  - IP-CIDR,1.1.1.3/32,DIRECT
  - IP-CIDR,1.1.1.1/32,DIRECT
  - IP-CIDR,8.8.8.8/32,DIRECT
  - IP-CIDR,1.0.0.1/32,DIRECT
  - IP-CIDR,96.113.151.145/32,DIRECT
  - IP-CIDR,185.228.168.9/32,DIRECT
  - GEOIP,CN,DIRECT
  # Proxy rest of the inquiries
  - MATCH,select
136 |
--------------------------------------------------------------------------------
/secrets/keyfile.bin:
--------------------------------------------------------------------------------
1 | # A blank placeholder for keyfile.bin
2 |
--------------------------------------------------------------------------------
/src/devices/x1c7/default.nix:
--------------------------------------------------------------------------------
# Device specific configuration for ThinkPad X1 Carbon 7th Gen (20R1)
{ config, pkgs, lib, ... }:
with lib; {
  config = {
    # Set device hostname
    x-os.hostname = "x1c7";

    # Activate acpi_call module for TLP ThinkPad features
    boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];

    # Pulls in all firmware blobs, including non-free ones (presumably for
    # the Wi-Fi/WWAN parts of this model — confirm).
    hardware.enableAllFirmware = true;

    # WWAN modem driven by xmm7360-pci, brought up automatically on the carrier APN.
    netkit.xmm7360 = {
      enable = true;
      autoStart = true;
      config = {
        apn = "3gnet";
        # nodefaultroute = false: the modem link may install a default route.
        # noresolv = true: its DNS servers are ignored, consistent with the
        # local resolver set up in x-os/networking.nix (presumed semantics — confirm).
        nodefaultroute = false;
        noresolv = true;
      };
      package = pkgs.netkit.xmm7360-pci_latest;
    };

    # Set hardware related attributes
    std.interface = {
      devices = {
        power = [ "AC" ];
        battery = [ "BAT0" ];
        # Presumably MiB; x-os/general.nix sizes the swap file at twice this value.
        ramSize = 16384;
        network-interface = [ "wlp0s20f3" ];
      };
      system = {
        # Set DPi to 200% scale
        scale = 2;
        # Enable Bluetooth by default
        bluetooth.enable = mkDefault true;
      };
    };

    # Update Intel CPU Microcode
    hardware.cpu.intel.updateMicrocode = true;

    # Intel UHD 620 Hardware Acceleration
    hardware.opengl = {
      enable = true;
      extraPackages = with pkgs; [
        vaapiIntel
        vaapiVdpau
        libvdpau-va-gl
        intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
      ];
    };

    # Enable TLP Power Management
    # NOTE(review): `enable` is commented out, so the charge thresholds
    # below are currently inert.
    services.tlp = {
      # enable = true;
      settings = {
        START_CHARGE_THRESH_BAT0 = 85;
        STOP_CHARGE_THRESH_BAT0 = 90;
      };
    };

    # Enable fprintd
    services.fprintd.enable = true;

    # To debug fprintd
    # NOTE(review): these leave verbose debug logging switched on for GDM,
    # the GNOME session and fprintd (G_MESSAGES_DEBUG=all); drop them once
    # the fingerprint issue is diagnosed to keep the journal quiet.
    services.xserver.displayManager.gdm.debug = true;
    services.xserver.desktopManager.gnome3.debug = true;
    systemd.services.fprintd.environment.G_MESSAGES_DEBUG = "all";
  };
}
72 |
--------------------------------------------------------------------------------
/src/jupyter.nix:
--------------------------------------------------------------------------------
# Jupyter and Wolfram-Jupyter services; both are currently disabled because
# their `enable` lines are commented out.
#
# NOTE(review): this file embeds credentials. The argon2id hash is only as
# safe to publish as the password behind it is strong, and `mathpass` is a
# Wolfram activation record. install.sh clones this repository from
# github.com, so anything committed here is public; keep such values outside
# the tree and reference them by path.
{
  services.jupyter = {
    # enable = true;
    # ashbreaker-jupyter
    # The surrounding single quotes are part of the value; presumably the
    # option is spliced verbatim into the Python config — confirm.
    password =
      "'argon2:$argon2id$v=19$m=10240,t=10,p=8$uJSGQO/EvkoTl3wmX2689Q$wx12odaM/+VXo8uWaa54pw'";
  };
  iceberg.wolfram-jupyter = {
    # enable = true;
    mathpass =
      "x1c7 6500-68922-92421 4314-3240-7WWGH9 2514-034-511:2,0,8,8:80001:20201119";
  };
}
14 |
--------------------------------------------------------------------------------
/src/minecraft-server.nix:
--------------------------------------------------------------------------------
# On-demand Minecraft server managed by netkit, with an offline-mode whitelist.
{ pkgs, ... }: {
  netkit.minecraft-server = {
    enable = true;
    eula = true;
    # Opens the server port in the NixOS firewall.
    openFirewall = true;

    # Presumably starts the server on the first connection and stops it after
    # idleIfTime without players — confirm units and behaviour in the netkit module.
    onDemand = {
      enable = true;
      idleIfTime = 60;
      serverPort = 33333;
    };

    # Operators; level 4 is the highest permission level.
    ops = [
      {
        # Offline UUID Generated for AshBreaker1: 94f4d16b-0e0b-39e3-9a92-a26bf4f7a0dc
        uuid = "94f4d16b-0e0b-39e3-9a92-a26bf4f7a0dc";
        name = "AshBreaker1";
        level = 4;
      }
      {
        # Official UUID issued by Mojang: 65bec9be-2cb8-46c8-bab5-2a5219759a4a
        uuid = "65bec9be-2cb8-46c8-bab5-2a5219759a4a";
        name = "AshBreaker1";
        level = 4;
      }
      {
        uuid = "5f18149d-a806-3491-b5fc-75fadee9154f"; # Simon Shu - Offline
        name = "SIMON1314520";
        level = 4;
      }
    ];

    # Player name -> UUID. "Offline" UUIDs are derived from the name, which is
    # what online-mode = false below expects.
    whitelist = {
      TonyChen1926 =
        "afc9fb43-68de-36a9-b7c3-d317a4098bb1"; # Tony Chen - Offline
      SIMON1314520 =
        "5f18149d-a806-3491-b5fc-75fadee9154f"; # Simon Shu - Offline
      # btbtbt = "36866b49-0e29-3b96-b80c-c8eda7cfe3ff"; # Newt Chen - Offline
      AshBreaker1 = "94f4d16b-0e0b-39e3-9a92-a26bf4f7a0dc"; # Offline
      Ju_Mao_Qiu =
        "e50f94f7-9fe0-3b89-85fe-240964188a37"; # Cindy Fang - Offline
      york_Ying = "421a1e44-6280-3e85-97c9-e2029145b1c6"; # York Ying - Offline
      Mac-GM = "e261565d-0856-3d15-b3ae-401014fc10fd"; # Billy Xu - Offline
      # AshBreaker1 = "65bec9be-2cb8-46c8-bab5-2a5219759a4a"; # Online
      mick233 = "d32170e2-5cd8-35b5-9fac-2c71854318ef";
      sam_shen = "c83f7303-19fa-350c-a94f-d5dca5a03c52"; # Sam Shen - Offline
    };

    serverProperties = {
      # NOTE(review): online-mode = false skips Mojang account
      # authentication, so the whitelist is effectively a name-only check:
      # whoever presents a whitelisted name is admitted, on a port that
      # openFirewall exposes. Fine for a circle of trusted players; keep the
      # whitelist tight.
      online-mode = false;
      max-players = 30;
      level-name = "newera3";
      white-list = true;
      level-type = "amplified";
      #enable-rcon = true;
      difficulty = "hard";
      #"rcon.password" = "nixos";
      network-compression-threshold =
        64; # Compress any packets larger than 64 bytes
      # max-world-size = 2000;
      # Colour codes are written as escaped \u00A7 (section sign) sequences.
      motd =
        "\\u00A76NewEra \\u00A77Vanilla \\u00A7cSurvival\\u00A7r\\n\\u00A7bt.me/NewEraMinecraft";
    };
  };
}
66 |
--------------------------------------------------------------------------------
/src/modules/ash-profile/default.nix:
--------------------------------------------------------------------------------
# Per-user profile module: every attribute of `ash-profile.<user>` becomes a
# home-manager configuration for that user carrying the shared GTK, git,
# gpg, zsh, GNOME dconf and Emacs setup below.
{ pkgs, lib, config, ... }:

with lib;

let
  # Inherited for symmetry with the other modules; not used in this file.
  inherit (config.std.interface) system;
  gnomeEnable = config.services.xserver.desktopManager.gnome3.enable;
  # Force the dark GTK3 theme for every configured user.
  gtkSettings = pkgs.writeText "gtk-settings.ini" ''
    [Settings]
    gtk-application-prefer-dark-theme = true
  '';
  cfg = config.ash-profile;
  # Apply f to each (username, profile) pair, producing an attrset keyed by username.
  mkUserConfigs = f: (attrsets.mapAttrs (n: c: (f n c)) cfg);
in {
  options.ash-profile = mkOption {
    type = with types;
      attrsOf (submodule {
        options = {
          extraPackages = mkOption {
            type = with types; nullOr (listOf package);
            default = null;
            # (The description still names "user ash"; the option is per user.)
            description =
              "Extra packages to install for user ash.";
          };
          emacsPackages = mkOption {
            type = with types; listOf package;
            default = [ pkgs.emacs ];
            description = "Packages being installed for Emacs.";
          };
        };
      });
    default = { };
  };

  config.home-manager.users = mkUserConfigs (n: c:
    { lib, ... }:
    let inherit (lib.hm.gvariant) mkTuple;
    in {
      # Use 20.09 as stateVersion in order to use flake functionality
      home.stateVersion = "20.09";

      # Home-manager settings.
      # User-layer packages
      home.packages = with pkgs;
        c.emacsPackages ++ optionals (c.extraPackages != null) c.extraPackages;

      # FIXME: manpage is blocking niximg building
      manual.manpages.enable = false;

      # Allow fonts to be discovered
      fonts.fontconfig.enable = true;

      # Package settings
      programs = {
        # GnuPG
        gpg = {
          enable = true;
          settings = { throw-keyids = false; };
        };

        # Git
        git = {
          enable = true;
          userName = "Harry Ying";
          userEmail = "lexugeyky@outlook.com";
          # Sign every commit with the key below.
          signing = {
            signByDefault = true;
            key = "0xAE53B4C2E58EDD45";
          };
          extraConfig = {
            # NOTE(review): the "store" helper keeps HTTPS credentials in
            # plaintext in ~/.git-credentials; "cache" or a keyring-backed
            # helper avoids leaving tokens on disk.
            credential = { helper = "store"; };
            pull.ff = "only"; # Use fast-forward only for git pull.
          };
        };

        # Only when GNOME is enabled system-wide.
        gnome-terminal = mkIf (gnomeEnable) {
          enable = true;
          profile.aba3fa9f-5aab-4ce9-9775-e2c46737d9b8 = {
            default = true;
            visibleName = "Ash";
            font = "Fira Code weight=450 10";
          };
        };

        # zsh
        zsh = {
          enable = true;
          # This would make C-p, C-n act exactly the same as what up/down arrows do.
          initExtra = ''
            bindkey "^P" up-line-or-search
            bindkey "^N" down-line-or-search
          '';
          envExtra = "";
          defaultKeymap = "emacs";
          oh-my-zsh = {
            enable = true;
            theme = "agnoster";
            plugins = [ "git" ];
          };
        };
      };

      # Setting GNOME Dconf settings
      dconf.settings = mkIf (gnomeEnable) {
        # Input sources
        "org/gnome/desktop/input-sources".sources = map mkTuple [
          [ "xkb" "us" ]
          [ "ibus" "libpinyin" ]
          [ "ibus" "typing-booster" ]
        ];
        # Touchpad settings
        "org/gnome/desktop/peripherals/touchpad" = {
          disable-while-typing = false;
          tap-to-click = true;
          two-finger-scrolling-enabled = true;
        };
        # Don't suspend on power
        "org/gnome/settings-daemon/plugins/power".sleep-inactive-ac-type =
          "nothing";
        # Always show logout
        "org/gnome/shell".always-show-log-out = true;
        # Keybindings
        # NOTE(review): the bindings read as bare keys ("Return", "q", ...)
        # here; if the source carried modifier prefixes such as <Super> they
        # may have been lost in rendering — verify against the real file.
        "org/gnome/settings-daemon/plugins/media-keys".custom-keybindings = [
          "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
        ];
        "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" =
          {
            binding = "Return";
            command = "gnome-terminal";
            name = "Open Terminal";
          };
        "org/gnome/desktop/wm/keybindings" = {
          close = [ "q" ];
          show-desktop = [ "d" ];
          toggle-fullscreen = [ "f" ];
        };
        # Favorite apps
        "org/gnome/shell" = {
          favorite-apps = [
            "firefox.desktop"
            "telegramdesktop.desktop"
            "org.gnome.Nautilus.desktop"
            "org.gnome.Terminal.desktop"
            "emacs.desktop"
          ];
        };
      };

      # Handwritten configs
      # Emacs init files are linked from the ash-emacs overlay package.
      home.file = {
        ".config/gtk-3.0/settings.ini".source = gtkSettings;
        ".emacs.d/init.el".source = "${pkgs.ash-emacs-source}/init.el";
        ".emacs.d/elisp/".source = "${pkgs.ash-emacs-source}/elisp";
      };
    });
}
157 |
--------------------------------------------------------------------------------
/src/modules/x-os/boot.nix:
--------------------------------------------------------------------------------
# Boot configuration for the encrypted install: plymouth, a LUKS root
# unlocked by an initrd keyfile, GRUB (EFI) with cryptodisk so /boot can sit
# inside the container, and optional hibernation resume.
{ config, pkgs, lib, ... }:

let
  inherit (config.std.interface) devices system;
  cfg = config.x-os;
in with lib; {
  options.x-os.enableBoot = mkOption {
    type = types.bool;
    default = true;
    description = "Include boot-related configuration.";
  };
  # Skipped entirely on the live ISO (x-os/general.nix sets enableBoot = false in isoMode).
  config = mkIf (cfg.enable && cfg.enableBoot) (mkMerge [
    ({
      # Enable plymouth for better experience of booting
      boot.plymouth.enable = true;

      # Use Keyfile to unlock the root partition to avoid keying in twice.
      # Allow fstrim to work on it.
      boot.initrd = {
        # boot.initrd.secrets copies the file into the initrd at install
        # time precisely so the key need not enter the world-readable Nix
        # store. NOTE(review): confirm system.dirs.secrets.keyfile is a plain
        # string path (the file install.sh writes under /etc/nixos/secrets)
        # and not a `${./...}` interpolation, which would copy the LUKS key
        # into /nix/store.
        secrets = { "/keyfile.bin" = system.dirs.secrets.keyfile; };
        luks.devices."cryptroot" = {
          keyFile = "/keyfile.bin";
          # Lets fstrim reach the SSD; the known trade-off is that used/free
          # block patterns become observable on the raw device.
          allowDiscards = true;
          # Ask for the passphrase interactively if the keyfile does not unlock.
          fallbackToPassword = true;
        };
      };

      # Use GRUB with encrypted /boot under EFI env.
      boot.loader = {
        efi = {
          efiSysMountPoint = "/boot/efi";
          canTouchEfiVariables = true;
        };
        grub = {
          enable = true;
          version = 2;
          # "nodev" with efiSupport: install to the ESP only, no MBR write.
          device = "nodev";
          efiSupport = true;
          # GRUB unlocks the container itself to read /boot; install.sh
          # therefore formats the root as LUKS1, which this support is known
          # to handle.
          enableCryptodisk = true;
        };
      };
    })

    # Resume kernel parameter
    # If there is no swapResumeOffset defined, then we simply skip it.
    # The swap file itself is created in x-os/general.nix.
    (mkIf (devices.swapResumeOffset != null) {
      boot.resumeDevice = "/dev/mapper/cryptroot";
      boot.kernelParams =
        [ "resume_offset=${toString devices.swapResumeOffset}" ];
    })
  ]);
}
53 |
--------------------------------------------------------------------------------
/src/modules/x-os/default.nix:
--------------------------------------------------------------------------------
# Aggregator for the x-os module: every sub-module gates its config on
# `x-os.enable`, which is declared in ./general.nix.
{ ... }: {
  imports = [
    ./boot.nix
    ./general.nix
    ./desktop.nix
    ./i18n.nix
    ./networking.nix
    ./packages.nix
    ./service.nix
    ./security.nix
  ];
}
13 |
--------------------------------------------------------------------------------
/src/modules/x-os/desktop.nix:
--------------------------------------------------------------------------------
# GNOME on X11 with GDM for every x-os system, minus a few stock GNOME apps.
{ config, pkgs, lib, ... }:

let cfg = config.x-os;
in lib.mkIf cfg.enable {
  services.xserver = {
    # Start X11
    enable = true;

    # Capslock as Control
    xkbOptions = "ctrl:nocaps";

    # Configure touchpad
    libinput = {
      enable = true;
      touchpad.naturalScrolling = true;
    };
  };
  # NOTE(review): `services.xserver` is defined twice in this attrset. The
  # Nix parser merges two literal attrset definitions of the same path, but
  # it reads as an accidental duplicate — consider folding these two keys
  # into the block above.
  services.xserver = {
    displayManager.gdm.enable = true;
    desktopManager.gnome3.enable = true;
  };

  # Some of the GNOME Packages are unwanted
  programs.geary.enable = false;
  environment.gnome3.excludePackages = with pkgs.gnome3; [
    epiphany
    gnome-software
    gnome-characters
  ];
  # Fix "a stop job is running" issue, see also https://gitlab.gnome.org/GNOME/gnome-session/-/merge_requests/55/diffs. This should be removed once `gnome-session is upgraded.
  # systemd.user.services.gnome-session-restart-dbus.serviceConfig.Slice= "-.slice";
}
33 |
--------------------------------------------------------------------------------
/src/modules/x-os/general.nix:
--------------------------------------------------------------------------------
# Core x-os options and system-wide basics: latest kernel, NTFS support,
# flakes-enabled nix, store optimisation and an optional swap file.
{ config, pkgs, lib, ... }:

with lib;

let cfg = config.x-os;
in {
  options.x-os = {
    # Master switch; every x-os sub-module gates its config on it.
    # (No description string yet — worth adding for `nixos-option`.)
    enable = mkOption {
      type = types.bool;
      default = false;
    };
    enableSwap = mkOption {
      type = types.bool;
      default = true;
      description = "Enable Swap related configurations.";
    };
    isoMode = mkOption {
      type = types.bool;
      default = false;
      description =
        "Disable anything extraneous in order to build ISO image upon `installation-cd-base.nix`";
    };
  };
  config = mkIf cfg.enable (mkMerge [
    ({
      boot.kernelPackages = pkgs.linuxPackages_latest;

      # Support NTFS
      boot.supportedFilesystems = [ "ntfs" ];

      # Auto upgrade
      # system.autoUpgrade.enable = true;

      # Use nix-unstable
      nix.package = pkgs.nixUnstable;
      nix.extraOptions = ''
        experimental-features = nix-command flakes
      '';

      # setup default registry for nix-dram
      # nix.registry.default = {
      #   to = {type= "github"; owner= "NixOS"; repo= "nixpkgs"; ref = "nixos-unstable";};
      #   from = {type = "indirect"; id = "default";};
      # };

      # Auto gc and optimise
      # Store optimisation runs automatically; automatic gc is off, so the
      # gc.options line below is inert until gc.automatic is turned on.
      nix.optimise.automatic = true;
      nix.gc.automatic = false;
      nix.gc.options = "--delete-older-than 7d";
    })
    (mkIf (cfg.isoMode) {
      # The live ISO has no LUKS root, swap file or extra services to manage.
      x-os = {
        enableBoot = false;
        enableExtraServices = false;
        enableSwap = false;
      };
    })
    (mkIf (cfg.enableSwap) {
      # Add swap file
      # Sized at twice std.interface.devices.ramSize (swapDevices.size is in
      # megabytes), large enough for hibernation; x-os/boot.nix adds the
      # resume_offset pointing into this file when swapResumeOffset is set.
      swapDevices = [{
        device = "/var/swapFile";
        size = (config.std.interface.devices.ramSize * 2);
      }];
    })
  ]);
}
67 |
--------------------------------------------------------------------------------
/src/modules/x-os/i18n.nix:
--------------------------------------------------------------------------------
# Locale, time zone, console and input-method (ibus) settings for x-os systems.
{ config, pkgs, lib, ... }:

with lib;

let cfg = config.x-os;
in {
  options.x-os.ibus-engines = mkOption {
    type = types.listOf types.package;
    default = [ ];
    example = literalExample "with pkgs.ibus-engines; [ mozc hangul ]";
    description = "List of ibus engines to apply";
  };

  config = mkIf cfg.enable {
    # Set your time zone.
    time.timeZone = "Asia/Shanghai";

    # Select internationalisation properties.
    console = {
      font = "Lat2-Terminus16";
      # Derive the console keymap from the X keyboard settings, so the
      # ctrl:nocaps option from x-os/desktop.nix applies on the VT as well.
      useXkbConfig = true;
    };
    i18n = {
      defaultLocale = "en_US.UTF-8";
      inputMethod = {
        enabled = "ibus";
        # Engines are chosen per system via x-os.ibus-engines (e.g. libpinyin in niximg.nix).
        ibus.engines = cfg.ibus-engines;
      };
    };
  };
}
32 |
--------------------------------------------------------------------------------
/src/modules/x-os/networking.nix:
--------------------------------------------------------------------------------
# Network stack for x-os systems: NetworkManager with a fixed Wi-Fi MAC,
# binary-cache settings, and a local dcompass DNS resolver that splits
# queries between domestic plain-UDP upstreams and DNS-over-HTTPS upstreams.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.x-os;
  # Sample zone served locally for "a.cn" (see the `local` upstream below).
  zonefile = pkgs.writeText "a.cn.zone" ''
    ; replace the trust-dns.org with your own name
    @ IN SOA trust-dns.org. root.trust-dns.org. (
    2021031306 ; Serial
    28800 ; Refresh
    7200 ; Retry
    604800 ; Expire
    86400) ; Minimum TTL

    NS bbb

    MX 1 alias

    ANAME www

    www A 175.24.191.112

    *.wildcard CNAME www

    no-service 86400 IN MX 0 .
  '';
in {
  options.x-os = {
    hostname = mkOption {
      type = types.str;
      description = "The hostname of the system";
    };
    binaryCaches = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Binary caches to use.";
    };
    publicKeys = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Public keys of binary caches.";
    };
    # Rendered to INI as /etc/iwd/main.conf; setting it also switches
    # NetworkManager's Wi-Fi backend to iwd (see the last mkIf below).
    iwdConfig = mkOption {
      type = with types; nullOr (attrsOf (attrsOf (oneOf [ bool int str ])));
      default = null;
      description = "Configuratoin of iNet Wireless Daemon.";
    };
  };
  config = mkIf cfg.enable (mkMerge [
    ({
      networking.hostName = cfg.hostname; # Define hostname

      networking.networkmanager = {
        # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
        enable = true;
        # Don't use DNS advertised by connected network. Use local configuration
        dns = "none";
        # Use the MAC Address same as my iPad
        # NOTE(review): a fixed cloned MAC is a stable identifier on every
        # network joined; scanRandMacAddress only randomises the address used
        # while scanning, not while connected.
        wifi = {
          macAddress = "3c:7d:0a:be:5c:98";
          scanRandMacAddress = true;
        };
      };

      # Customized binary caches list (with fallback to official binary cache)
      # mkForce replaces the default substituter list, so cache.nixos.org is
      # only used when x-os.binaryCaches lists it explicitly; the public keys
      # are appended to the default key list (no mkForce).
      nix.binaryCaches = lib.mkForce cfg.binaryCaches;
      nix.binaryCachePublicKeys = cfg.publicKeys;

      # Use local DNS server all the time
      networking.resolvconf.useLocalResolver = true;

      # Setup our local DNS
      netkit.dcompass = {
        enable = true;
        # MaxMind-enabled build of dcompass.
        package = pkgs.dcompass.dcompass-maxmind;
        settings = {
          # ratelimit = 150;
          cache_size = 4096;
          upstreams = {
            # Plain-UDP resolvers inside China, used for domestic names.
            domestic = { hybrid = [ "114DNS" "ali" ]; };

            # DNS-over-HTTPS resolvers, used for everything else.
            secure = { hybrid = [ "cloudflare" "quad9" "ahadns" ]; };

            "114DNS" = { udp = { addr = "114.114.114.114:53"; }; };

            ali = { udp = { addr = "223.5.5.5:53"; }; };

            # The DoH upstreams are addressed by IP with no_sni set, i.e. the
            # TLS handshake carries no server name; `name` presumably is what
            # the certificate is validated against — confirm in dcompass docs.
            ahadns = {
              https = {
                timeout = 4;
                no_sni = true;
                name = "doh.la.ahadns.net";
                addr = "45.67.219.208:443";
              };
            };

            cloudflare = {
              https = {
                timeout = 4;
                no_sni = true;
                name = "cloudflare-dns.com";
                addr = "1.1.1.1:443";
              };
            };

            # Answers for a.cn come from the bundled zone file.
            local = {
              zone = {
                origin = "a.cn";
                path = "${zonefile}";
              };
            };

            quad9 = {
              https = {
                timeout = 4;
                no_sni = true;
                name = "dns.quad9.net";
                addr = "9.9.9.9:443";
              };
            };

          };
          # Query pipeline: start -> local -> dispatch; "end" finishes processing.
          table = {
            # Every AAAA query is blackholed, i.e. IPv6 is switched off at the resolver.
            start = {
              "if".qtype = [ "AAAA" ];
              "then" = [ "blackhole" "end" ];
              "else" = [ "local" ];
            };
            # Names under a.cn are served from the local zone.
            local = {
              "if".domain = [{ qname = "a.cn"; }];
              "then" = [ { query = "local"; } "end" ];
              "else" = [ "dispatch" ];
            };
            # Domains on the China lists (plus arubanetworks.com) go to the
            # domestic resolvers; everything else to the DoH set, cached persistently.
            dispatch = {
              "if".domain = [
                { file = "${pkgs.netkit.chinalist}/google.china.raw.txt"; }
                { file = "${pkgs.netkit.chinalist}/apple.china.raw.txt"; }
                { qname = "arubanetworks.com"; }
                {
                  file =
                    "${pkgs.netkit.chinalist}/accelerated-domains.china.raw.txt";
                }
              ];
              "then" = [ { query = "domestic"; } "end" ];
              "else" = [
                {
                  query = {
                    tag = "secure";
                    cache_policy = "persistent";
                  };
                }
                "end"
              ];
            };
          };
          # NOTE(review): 0.0.0.0:53 listens on every interface, while
          # resolvconf.useLocalResolver only needs loopback. Unless the NixOS
          # firewall (or the netkit module) keeps 53/udp closed, the resolver
          # is reachable from any LAN this laptop joins; "127.0.0.1:53" would
          # be the tighter choice.
          address = "0.0.0.0:53";
          verbosity = "info";
        };
      };
    })

    (mkIf (cfg.iwdConfig != null) {
      environment.etc."iwd/main.conf".text = generators.toINI { } cfg.iwdConfig;
      networking.networkmanager.wifi.backend = "iwd";
    })
  ]);
}
169 |
--------------------------------------------------------------------------------
/src/modules/x-os/packages.nix:
--------------------------------------------------------------------------------
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.x-os;

  # Tools present on every x-os host, independent of extraPackages.
  basePackages = with pkgs; [
    wget
    nixfmt
    git
    gnupg
    neofetch
    bind
    busybox
    shfmt
    shellcheck
    smartmontools
    efibootmgr
    rsync
    ncdu
  ];
in {
  # Optional additional system-wide packages; null means "none".
  options.x-os.extraPackages = mkOption {
    type = with types; nullOr (listOf package);
    default = null;
    description = "Extra packages to install for the whole system.";
  };

  config = mkIf cfg.enable {
    # Permit unfree packages for the whole system.
    nixpkgs.config.allowUnfree = true;

    # Packages installed in the system profile: the base set plus whatever
    # extraPackages adds. To search for a package, run: $ nix search wget
    environment.systemPackages = basePackages
      ++ (if cfg.extraPackages == null then [ ] else cfg.extraPackages);

    # System fonts.
    fonts.fonts = with pkgs; [
      noto-fonts
      noto-fonts-cjk
      noto-fonts-emoji
      fira-code
      fira-code-symbols
    ];

    # Make zsh available system-wide.
    programs.zsh.enable = true;
  };
}
46 |
--------------------------------------------------------------------------------
/src/modules/x-os/security.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }: {
  # Fingerprint authentication is deliberately disabled for login and for
  # every screen locker listed here: repeated failed reads are awkward, and a
  # finger can be pressed onto the reader under coercion in a way a password
  # cannot be extracted. The rules are harmless when fprintd is not enabled.
  security.pam.services = lib.genAttrs [
    # GDM's gdm-password PAM config includes the login file, so this covers both.
    "login"
    "i3lock"
    "i3lock-color"
    "xlock"
    "vlock"
  ] (_: { fprintAuth = false; });
}
13 |
--------------------------------------------------------------------------------
/src/modules/x-os/service.nix:
--------------------------------------------------------------------------------
{ config, pkgs, lib, ... }:

with lib;

let cfg = config.x-os;
in {
  options.x-os = {
    enableVirtualisation = mkOption {
      type = types.bool;
      default = false;
      description =
        "Enable virtualisation toolkit (libvirt, vbox). Contents are subjected to change. Be sure to add users to groups.";
    };
    enableExtraServices = mkOption {
      type = types.bool;
      default = true;
      description =
        "Enable extra services. Disable this would inactivate all other service-related options like enableVirtualisation.";
    };
    enableXow = mkOption {
      type = types.bool;
      default = false;
      description = "Enable XOW service for Xbox One controller";
    };
  };

  config = mkIf cfg.enable (mkMerge [
    # Always-on desktop basics.
    {
      # GVFS implements "trash" and similar virtual filesystem features.
      services.gvfs.enable = true;

      # On external power a closed lid locks the session instead of suspending.
      services.logind.lidSwitchExternalPower = "lock";

      # gpg-agent is required for GnuPG to work.
      programs.gnupg.agent.enable = true;

      sound.enable = true;

      # PulseAudio: only the full build has Bluetooth support (the default
      # lightweight build does not); 32-bit support is for Steam.
      hardware.pulseaudio = {
        enable = true;
        support32Bit = true;
        package = pkgs.pulseaudioFull;
      };
    }

    # Xbox One controller support (xow + xpadneo) with Bluetooth tuned for it.
    (mkIf cfg.enableXow {
      services.hardware.xow.enable = true;
      hardware.steam-hardware.enable = true;
      hardware.bluetooth.settings.General = {
        ControllerMode = "dual";
        Privacy = "device";
      };
      hardware.xpadneo.enable = true;
    })

    # Everything below is gated on enableExtraServices.
    (mkIf cfg.enableExtraServices (mkMerge [
      {
        # Wireshark. NOTE(review): the NixOS module grants the "wireshark"
        # group packet-capture rights through a privileged dumpcap wrapper, so
        # membership in that group should stay minimal.
        programs.wireshark = {
          enable = true;
          package = pkgs.wireshark-qt;
        };

        # Periodic TRIM. NOTE(review): the security concern the original
        # author hinted at is that on encrypted volumes TRIM reveals which
        # blocks are unused to anyone holding the raw device.
        services.fstrim.enable = true;

        # usbmuxd for iOS devices.
        services.usbmuxd.enable = true;

        # CUPS printing.
        services.printing.enable = true;

        # Libvirtd is NOT enabled: its dnsmasq would block clash's binding on
        # 0.0.0.0:53.
        # virtualisation.libvirtd.enable = true;
        # FIXME: Should we let users add them to group or other way around.

        # 32-bit OpenGL for Steam.
        hardware.opengl.driSupport32Bit = true;

        # Firmware updates via fwupd.
        services.fwupd.enable = true;

        # The OpenSSH daemon stays off.
        # services.openssh.enable = true;
      }

      (mkIf config.std.interface.system.bluetooth.enable {
        hardware.bluetooth = {
          enable = true;
          disabledPlugins = [ "sap" ];
        };
        # blueman only when the interface layer selects it as the Bluetooth service.
        services.blueman.enable =
          mkIf (config.std.interface.system.bluetooth.service == "blueman") true;
      })

      (mkIf cfg.enableVirtualisation {
        # VirtualBox host support.
        virtualisation.virtualbox.host.enable = true;
      })
    ]))
  ]);
}
110 |
--------------------------------------------------------------------------------
/src/networking.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }: {
  # Shorter conntrack timeouts keep the tracking table from filling under load.
  # https://security.stackexchange.com/questions/43205/nf-conntrack-table-full-dropping-packet
  boot.kernel.sysctl = {
    "net.netfilter.nf_conntrack_generic_timeout" = 60;
    "net.netfilter.nf_conntrack_tcp_timeout_established" = 54000;
  };

  # Local SOCKS inbound forwarded through a VMess outbound.
  services.v2ray.enable = true;
  services.v2ray.config = {
    log = { loglevel = "info"; };

    inbounds = [{
      port = 1080;
      protocol = "socks";
      # NOTE(review): no `listen` address is set and `auth` is "noauth";
      # confirm the effective bind address and that the host firewall keeps
      # this unauthenticated proxy unreachable from the LAN.
      settings.auth = "noauth";
      sniffing = {
        enabled = true;
        destOverride = [ "http" "tls" ];
      };
    }];

    outbounds = [{
      protocol = "vmess";
      settings.vnext = [{
        address = "175.24.191.112";
        port = 53;
        users = [{
          # NOTE(review): this VMess user id is a credential committed in
          # plain text; treat it as exposed, rotate it, and load it from a
          # location outside the repository (sync.sh already skips secrets/).
          id = "1e20eca6-8bd8-512d-596f-6067be9f3a17";
          alterId = 64;
        }];
      }];
      streamSettings = {
        network = "mkcp";
        kcpSettings = {
          uplinkCapacity = 100;
          downlinkCapacity = 100;
          congestion = true;
          header.type = "wechat-video";
        };
      };
    }];
  };

  netkit = {
    clash = {
      enable = true;
      # Must match the redir port configured in clash.yaml.
      redirPort = 7892;
      afterUnits = [ "dcompass.service" ];
    };

    snapdrop = {
      enable = true;
      package = pkgs.nixos-cn.snapdrop;
    };

    wifi-relay = {
      enable = true;
      interface = "wlp0s20f3";
      ssid = "AP-Freedom";
      # NOTE(review): an eight-digit numeric passphrase is weak for WPA and
      # is committed here in plain text; use a long random passphrase kept
      # outside the repository.
      passphrase = "88888888";
      # dns = "114.114.114.114, 8.8.8.8, 223.5.5.5";
    };

    frpc = {
      enable = true;
      frpcConfig = {
        common = {
          server_addr = "175.24.191.112";
          server_port = 7000;
          tls_enable = true;
          authentication_method = "token";
          # NOTE(review): frp authentication token committed in plain text;
          # treat as exposed, rotate, and load it from outside the repository.
          token = "2007f015-fbae-438d-a348-73310678cd11";
        };

        # Publish the local Minecraft server through the frp server.
        minecraft-server = {
          type = "tcp";
          local_ip = "127.0.0.1";
          local_port = 33333;
          remote_port = 33333;
          use_compression = true;
        };
      };
    };
  };
}
89 |
--------------------------------------------------------------------------------
/src/users.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }: {
  # Declarative accounts only: the user database is regenerated from this file.
  users.mutableUsers = false;

  # NOTE(review): both password hashes below are committed in plain text. A
  # crypt hash in a public repository is exposed to offline cracking; prefer
  # `passwordFile` pointing outside the repository (sync.sh already skips
  # secrets/) and rotate these passwords.
  users.users = {
    root.hashedPassword =
      "$6$TqNkihvO4K$x.qSUVbLQ9.IfAc9tOQawDzVdHJtQIcKrJpBCBR.wMuQ8qfbbbm9bN7JNMgneYnNPzAi2k9qXk0klhTlRgGnk0";

    ash = {
      hashedPassword =
        "$6$FAs.ZfxAkhAK0ted$/aHwa39iJ6wsZDCxoJVjedhfPZ0XlmgKcxkgxGDE.hw3JlCjPHmauXmQAZUlF8TTUGgxiOJZcbYSPsW.QBH5F.";
      shell = pkgs.zsh;
      isNormalUser = true;
      # wheel          - sudo
      # networkmanager - manage network connections
      # wireshark      - packet capture (see programs.wireshark in service.nix)
      extraGroups = [ "wheel" "networkmanager" "wireshark" ];
    };
  };

  # Emacs add-ons for the ash profile.
  ash-profile.ash.emacsPackages = with pkgs; [
    (hunspellWithDicts [ hunspellDicts.en-us hunspellDicts.en-us-large ])
    emacs-all-the-icons-fonts
    ash-emacs-x86_64-linux
  ];

  # Per-user packages for the ash profile (order preserved from the original).
  ash-profile.ash.extraPackages = with pkgs; [
    #(python3.withPackages (ps: [ ps.tkinter ]))
    htop
    qbittorrent
    zoom-us
    thunderbird-bin-78
    #tor-browser-bundle-bin
    spotify
    remmina
    firefox-wayland
    aria2
    # chromium
    tdesktop
    minecraft
    biber
    zotero

    # TeX Live subset.
    (texlive.combine {
      inherit (texlive)
        scheme-basic chktex
        # org-mode
        wrapfig ulem capt-of metafont
        # MLA Formatted Paper
        setspace mla-paper thumbpdf times
        # BiBLaTeX
        biblatex-mla biblatex csquotes;
    })

    # Steam scaling seems to be broken, so GDK_SCALE is set by a wrapper.
    (runCommand "steam-hidpi" { nativeBuildInputs = [ makeWrapper ]; } ''
      mkdir -p $out/bin
      makeWrapper ${steam}/bin/steam $out/bin/steam --set GDK_SCALE ${
        toString config.std.interface.system.scale
      }
      cp -r ${steam}/share $out/share/
    '')

    gparted
    etcher
    gnome-podcasts
    gnome3.gnome-sound-recorder
    frp
    vlc
    dogdns
    pavucontrol
    # torbrowser
    ifuse
    libimobiledevice
    onlyoffice-bin
    fawkes
    wolfram-engine
    dnsperf
    # nix-search
  ];
}
81 |
--------------------------------------------------------------------------------
/sync.sh:
--------------------------------------------------------------------------------
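#!/usr/bin/env bash
# Sync the live NixOS configuration from /etc/nixos into this repository,
# format and check it, then commit and push interactively.
#
# Only *.nix, *.patch, *.json and *.lock files are copied and the secrets/
# directory is skipped; nothing filters credentials embedded in .nix files,
# so review `git status` before confirming the commit.

set -euo pipefail

# Remove the previous copy so files deleted upstream disappear here too.
# The original chained these with a stray line continuation, which turned
# "rm -f" into arguments of the first rm; they are separate commands now.
rm -rf ./modules/ ./src/
rm -f ./*.nix ./*.lock

echo -n "Copying..."
rsync -avP \
	--exclude "secrets/" \
	--include "*/" \
	--include "*.nix" \
	--include "*.patch" \
	--include "*.json" \
	--include "*.lock" \
	--exclude "*" \
	/etc/nixos/ .

# Format and lint everything that was copied, then make sure the flake evaluates.
find . -type f -name '*.nix' -exec nixfmt {} +
shellcheck ./*.sh || true
shfmt -w ./*.sh
nix flake update
nix flake check
echo "Done."

echo -n "Adding to git..."
git add --all
echo "Done."

# Pause so the staged changes can be inspected before committing.
git status
read -n 1 -s -r -p "Press any key to continue"

echo "Commiting..."
echo "Enter commit message: "
read -r commitMessage
git commit -m "$commitMessage"
echo "Done."

echo -n "Pushing..."
git push
echo "Done."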
44 |
--------------------------------------------------------------------------------