infrastructure/hosts/neodymium/configuration.nix


{ config, pkgs, lib, ... }: {
# host-specific hardware (disks, filesystems, kernel modules) lives in its
# own file so this host description stays portable between machines
imports = [
  ./hardware-configuration.nix
];
# networking: NetworkManager manages the links; the firewall is on and no
# inbound port is opened. wg0 (below) initiates to a fixed endpoint and keeps
# the mapping alive with keepalives, so it needs no listening port here.
networking.hostName = "neodymium";
networking.networkmanager.enable = true;
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ ];
  allowedUDPPorts = [ ];
};
# bluetooth: kernel/bluez stack plus the blueman applet for pairing devices
hardware.bluetooth = { enable = true; };
services.blueman = { enable = true; };
# wireguard vpn: full-tunnel client (all v4/v6 traffic and DNS go through the
# peer). The private key is read at runtime from a file under /root so it is
# never copied into the world-readable Nix store (the file itself is assumed
# to be root-only — verify its mode).
networking.wg-quick.interfaces.wg0 = {
  privateKeyFile = "/root/wireguard-keys/private";
  address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
  dns = [ "10.0.0.1" ];
  peers = [
    {
      publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
      # route everything through the tunnel
      allowedIPs = [ "0.0.0.0/0" "::0/0" ];
      endpoint = "fainsin.bzh:5553";
      # keep the NAT mapping open so the peer can still reach this side
      persistentKeepalive = 30;
    }
  ];
};
# The wg-quick unit is oneshot by default and systemd rejects Restart= on
# oneshot units, so the type is forced to "simple" (the module's
# RemainAfterExit presumably keeps the unit active after `wg-quick up`
# returns — confirm against the wg-quick module) and failures are retried,
# e.g. when the endpoint hostname cannot be resolved yet at boot.
systemd.services.wg-quick-wg0 = {
  serviceConfig = {
    Type = lib.mkForce "simple";
    Restart = "on-failure";
    RestartSec = "10s";
  };
  # no start-rate limit, otherwise repeated early failures would stop the
  # restarts and leave the host without its tunnel
  unitConfig.StartLimitIntervalSec = 0;
};
# Secure Boot via lanzaboote.
# bootspec was needed for the earlier switch to lanzaboote; it is no longer
# required but leaving it on is harmless.
boot.bootspec.enable = true;
# sbctl: inspect enrolled keys and check signing status when troubleshooting
environment.systemPackages = with pkgs; [ sbctl ];
# lanzaboote replaces the systemd-boot module, and the installer-generated
# configuration.nix normally enables systemd-boot, so it is forced off here.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote.enable = true;
# directory holding the Secure Boot keys/certificates used to sign the
# kernel and bootloader (sbctl's default location). The private keys in it
# are the root of trust for the boot chain, so it must stay root-only.
boot.lanzaboote.pkiBundle = "/etc/secureboot";
# let the bootloader installer write EFI variables (boot entries) on rebuild
boot.loader.efi = { canTouchEfiVariables = true; };
# NTFS support for mounting external / Windows disks
boot.supportedFilesystems = [ "ntfs" ];
# wipe /tmp at every boot so nothing lingers across reboots
boot.tmp = { cleanOnBoot = true; };
# newest kernel from nixpkgs (hardware support preferred over LTS stability)
boot.kernelPackages = pkgs.linuxPackages_latest;
# only members of wheel may talk to the nix daemon (builds, evaluation, gc);
# any other local user is refused by the nix commands
nix.settings.allowed-users = [ "@wheel" ];
# hardware: redistributable (non-free) firmware blobs and OpenGL with DRI
# for hardware acceleration
hardware.enableRedistributableFirmware = true;
hardware.opengl = {
  enable = true;
  driSupport = true;
};
# logind: closing the lid does nothing (left to the compositor); the power
# key suspends instead of powering off
services.logind = {
  lidSwitch = "ignore";
  extraConfig = ''
    HandlePowerKey=suspend
  '';
};
# laptop power management
services.tlp.enable = true;
# programs.regreet = { enable = true; };
# internationalisation: Paris time, en_DK locale (English with ISO date and
# metric conventions), French console keymap
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "en_DK.UTF-8";
console.keyMap = "fr";
# fonts: Noto for broad script/emoji coverage, Fira Code (plus nerd-font
# glyphs) for terminals and editors
fonts.fonts = [
  pkgs.noto-fonts
  pkgs.noto-fonts-cjk
  pkgs.noto-fonts-extra
  pkgs.noto-fonts-emoji
  pkgs.fira-code
  pkgs.fira-code-symbols
  (pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; })
];
# udev rules giving non-root access to Android devices (the adbusers group
# the user below is in)
services.udev.packages = [ pkgs.android-udev-rules ];
# audio: pipewire with its ALSA and PulseAudio compatibility layers
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.pulse.enable = true;
# secret storage for desktop applications
services.gnome.gnome-keyring.enable = true;
services.dbus.enable = true;
# desktop portals for a wlroots compositor: screen sharing through the wlr
# portal, file choosers and the rest through the gtk portal
xdg.portal = {
  enable = true;
  wlr.enable = true;
  extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
};
# backlight control for unprivileged users (installs light with a setuid
# wrapper)
programs.light.enable = true;
# users are declared here only: passwd/useradd changes do not survive a
# rebuild, and every account's password comes from this file
users.mutableUsers = false;
users.users.laurent = {
isNormalUser = true;
# NOTE(review): with mutableUsers = false the NixOS option docs make
# initialPassword equivalent to `password`, so this literal is the account's
# permanent password and sits world-readable in the Nix store. Replace it
# with hashedPassword (hash from `mkpasswd -m sha-512`) or hashedPasswordFile
# pointing at an agenix secret, as is already done for borgbackup below.
initialPassword = "laurent";
# wheel: sudo (NixOS default) and nix daemon access (allowed-users above);
# docker: root-equivalent on the host through the daemon socket;
# video: backlight/DRM devices; adbusers: android-udev-rules above
extraGroups = [ "wheel" "video" "docker" "adbusers" ];
shell = pkgs.zsh;
};
programs.zsh.enable = true;
# per-user (home-manager) configuration lives in ./home
home-manager = { users.laurent = ./home; };
# docker: not started at boot (may still be socket-activated on demand),
# btrfs storage driver (assumes /var/lib/docker is on btrfs — see
# hardware-configuration.nix), periodic pruning of unused images/containers
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "btrfs";
virtualisation.docker.enableOnBoot = false;
virtualisation.docker.autoPrune.enable = true;
# gvfs: trash, mtp/smb mounts and friends for file managers
services.gvfs.enable = true;
# gpg-agent also acts as the SSH agent; pinentry uses the gnome3 dialog
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  pinentryFlavor = "gnome3";
};
# polkit: privilege prompts for desktop actions (mounts, power, ...)
security.polkit.enable = true;
# register a PAM service for swaylock so the lock screen can verify the
# user's password; the empty set takes the module defaults
security.pam.services.swaylock = { };
nixpkgs.config.allowUnfree = true;
# new-style CLI and flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# store maintenance: hard-link identical files and, once a week, delete
# generations older than 30 days (rollback is limited to younger ones)
nix.settings.auto-optimise-store = true;
nix.gc = {
  automatic = true;
  dates = "weekly";
  options = "--delete-older-than 30d";
};
# agenix secrets. The .age file is given as an absolute string path, so it is
# presumably read from the checkout at activation instead of being copied
# into the Nix store. Decryption runs as root with laurent's SSH key (not the
# host key), so that key is what protects every secret on this host.
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
age.secrets.borgbackup = {
  file = "/home/laurent/infrastructure/secrets/borgbackup.age";
  # readable by the user as well as root so borg can also be run by hand
  owner = "laurent";
  group = "users";
};
# borg backup of the home directory to a local repository.
# startAt = [ ] installs no timer: the job only runs when invoked by hand.
# "repokey" keeps the (passphrase-protected) repo key inside the repository,
# so losing /mnt/home_backup loses the key as well — export it separately.
services.borgbackup.jobs.home = {
  paths = "/home/laurent/";
  repo = "/mnt/home_backup";
  exclude = [
    # Largest cache dirs
    ".cache"
    ".compose-cache"
    "*/cache"
    "*/cache2" # firefox
    "*/Cache"
    "*/Code Cache"
    ".config/Slack/logs"
    ".config/Code/CachedData"
    ".container-diff"
    ".npm/_cacache"
    # Work related dirs
    "*/node_modules"
    "*/bower_components"
    "*/build"
    "*/_build"
    "*/.tox"
    "*/venv"
    "*/.venv"
  ];
  encryption.mode = "repokey";
  # passphrase is read from the decrypted agenix secret at run time, so it
  # never appears in the store
  encryption.passCommand = "cat ${config.age.secrets.borgbackup.path}";
  compression = "auto,zstd";
  startAt = [ ];
};
# NixOS release whose defaults for stateful data (file locations, database
# versions, ...) this system was installed with. Leave it at the value from
# the first install; read the option documentation (man configuration.nix or
# https://nixos.org/nixos/options.html) before changing it.
system.stateVersion = "22.11";
}