{ config, pkgs, lib, ... }: {
  # System configuration for the host "neodymium": networking with a WireGuard
  # full tunnel, Secure Boot via lanzaboote, desktop services, a single local
  # user and an age-encrypted borg backup job.  Option families are written as
  # nested attribute sets; NixOS merges them exactly like the dotted-path form.
  # NOTE(review) comments mark points to confirm, not established facts.
  imports = [ ./hardware-configuration.nix ];

  ## Networking
  networking = {
    hostName = "neodymium";
    networkmanager.enable = true;

    # Firewall on, both port lists empty: nothing beyond the NixOS defaults is
    # reachable from outside.
    firewall = {
      enable = true;
      allowedTCPPorts = [ ];
      allowedUDPPorts = [ ];
    };

    # WireGuard VPN.  The private key is read from a file under /root at
    # runtime instead of being written into this configuration.
    wg-quick.interfaces.wg0 = {
      privateKeyFile = "/root/wireguard-keys/private";
      address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
      dns = [ "10.0.0.1" ];
      peers = [
        {
          publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
          # 0.0.0.0/0 and ::0/0: every IPv4 and IPv6 route goes via the peer.
          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
          endpoint = "fainsin.bzh:5553";
          persistentKeepalive = 30;
        }
      ];
    };
  };

  # Keep the wg0 unit under restart supervision: the module's own Type= is
  # overridden to "simple" and a failed unit is retried every 10s.
  systemd.services.wg-quick-wg0 = {
    serviceConfig = {
      Type = lib.mkForce "simple";
      Restart = "on-failure";
      RestartSec = "10s";
    };
    unitConfig = {
      # A start-rate limit of zero means Restart= above is never suppressed.
      StartLimitIntervalSec = 0;
    };
  };

  ## Boot and Secure Boot
  boot = {
    # Left over from the earlier switch to bootspec; no longer required but
    # harmless.
    bootspec.enable = true;

    # Lanzaboote currently replaces the systemd-boot module.  The
    # configuration.nix generated at installation time normally enables
    # systemd-boot, so it is forced off here for now.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.efi.canTouchEfiVariables = true;

    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # enable NTFS disk mounting
    supportedFilesystems = [ "ntfs" ];

    # clean /tmp at each boot
    tmp.cleanOnBoot = true;

    # use latest kernel
    kernelPackages = pkgs.linuxPackages_latest;
  };

  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
    pkgs.sbctl
  ];

  ## Hardware
  hardware = {
    enableRedistributableFirmware = true;
    bluetooth.enable = true;
    opengl = {
      enable = true;
      driSupport = true;
    };
  };

  ## Nix daemon
  nix = {
    settings = {
      # restrict nix command to sudoers: only members of wheel may use the daemon
      allowed-users = [ "@wheel" ];
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };

  ## Services
  services = {
    blueman.enable = true;
    tlp.enable = true;
    # gnome virtual file system
    gvfs.enable = true;
    dbus.enable = true;
    gnome.gnome-keyring.enable = true;
    udev.packages = [ pkgs.android-udev-rules ];

    logind = {
      lidSwitch = "ignore";
      extraConfig = ''
        HandlePowerKey=suspend
      '';
    };

    pipewire = {
      enable = true;
      alsa.enable = true;
      pulse.enable = true;
    };

    # Borg backup of the home directory.  startAt is empty, so the job has no
    # timer and presumably only runs when started by hand.
    borgbackup.jobs.home = {
      paths = "/home/laurent/";
      repo = "/mnt/home_backup";
      exclude = [
        # Largest cache dirs
        ".cache"
        ".compose-cache"
        "*/cache"
        "*/cache2" # firefox
        "*/Cache"
        "*/Code Cache"
        ".config/Slack/logs"
        ".config/Code/CachedData"
        ".container-diff"
        ".npm/_cacache"
        # Work related dirs
        "*/node_modules"
        "*/bower_components"
        "*/build"
        "*/_build"
        "*/.tox"
        "*/venv"
        "*/.venv"
      ];
      encryption = {
        mode = "repokey";
        # The passphrase is read from the decrypted age secret at run time.
        passCommand = "cat ${config.age.secrets.borgbackup.path}";
      };
      compression = "auto,zstd";
      startAt = [ ];
    };
  };

  ## Secrets (agenix)
  age = {
    # NOTE(review): secrets are decrypted with laurent's personal SSH key
    # rather than a host key under /etc/ssh, so that user (and anything
    # running as them) can decrypt every secret declared here — confirm this
    # is intended.
    identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
    secrets.borgbackup = {
      file = "/home/laurent/infrastructure/secrets/borgbackup.age";
      owner = "laurent";
      group = "users";
    };
  };

  ## Users
  users = {
    # Accounts are fully declared here.
    mutableUsers = false;
    users.laurent = {
      isNormalUser = true;
      # NOTE(review): with mutableUsers = false this literal is presumably the
      # account's standing password, and it is stored in plain text in this
      # file.  A hashedPassword, or a passwordFile pointing at an age secret,
      # would keep it out of the configuration — confirm before relying on it.
      initialPassword = "laurent";
      # NOTE(review): "docker" membership gives control of the Docker socket,
      # which is effectively root-equivalent on this host — confirm intended.
      extraGroups = [ "wheel" "video" "docker" "adbusers" ];
      shell = pkgs.zsh;
    };
  };

  home-manager.users.laurent = ./home;

  ## Programs
  programs = {
    light.enable = true;
    zsh.enable = true;
    # regreet = { enable = true; };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
      pinentryFlavor = "gnome3";
    };
  };

  ## Security
  security = {
    polkit.enable = true;
    # allow swaylock to use pam
    pam.services.swaylock = { };
  };

  xdg.portal = {
    enable = true;
    wlr.enable = true;
    extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
  };

  ## Docker (not started at boot; pruned automatically)
  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
    enableOnBoot = false;
    autoPrune.enable = true;
  };

  ## Internationalisation
  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "en_DK.UTF-8";
  console.keyMap = "fr";

  ## Fonts
  fonts.fonts = [
    pkgs.noto-fonts
    pkgs.noto-fonts-cjk
    pkgs.noto-fonts-extra
    pkgs.noto-fonts-emoji
    pkgs.fira-code
    pkgs.fira-code-symbols
    (pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; })
  ];

  # enable unfree
  nixpkgs.config.allowUnfree = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}