18 changed files with 272 additions and 212 deletions

in {
devShells.default = pkgs.mkShell {
packages = [
pkgs.colmena # remote deployment
pkgs.nixfmt # formatting
pkgs.git # version control
pkgs.update-nix-fetchgit # auto update fetchs
agenix.packages.${system}.ragenix # secrets
pkgs.sbctl # secure boot
})) // {

{ config, pkgs, lib, ... }: {
imports = [ ./hardware-configuration.nix ];
# networking
networking.hostName = "neodymium";
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ ];
networking.firewall.allowedUDPPorts = [ ];
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# wireguard vpn
networking.wg-quick.interfaces = {
wg0 = {
privateKeyFile = "/root/wireguard-keys/private";
address = [ "" "fd02:002:002::3/64" ];
dns = [ "" ];
peers = [{
publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
allowedIPs = [ "" "::0/0" ];
endpoint = "fainsin.bzh:5553";
persistentKeepalive = 30;
systemd.services.wg-quick-wg0 = {
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "10s";
unitConfig = {
StartLimitIntervalSec = 0; # ensure Restart= is always honoured
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
# enable NTFS disk mounting
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "ntfs" ];
# clean /tmp at each boot
boot.tmp.cleanOnBoot = true;
# use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
# restrict nix command to sudoers
nix.settings.allowed-users = [ "@wheel" ];
{ pkgs, ... }: {
imports = [ ./hardware-configuration.nix ./system ];
# shorter timeout for systemd services
systemd.extraConfig = ''
# hardware
hardware = {
enableRedistributableFirmware = true;
opengl = {
enable = true;
driSupport = true;
# logind configuration
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
services.tlp.enable = true;
# greeter
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
# internationalisation
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "en_DK.UTF-8";
console.keyMap = "fr";
# fonts
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" ]; })
# udev
services.udev.packages = [ pkgs.android-udev-rules ];
# audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
services.gnome.gnome-keyring.enable = true;
services.dbus.enable = true;
xdg.portal = {
enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
programs.light.enable = true;
users = {
# disable user creation/deletion
mutableUsers = false;
users.mutableUsers = false;
users.users.laurent = {
isNormalUser = true;
initialPassword = "laurent";
extraGroups = [ "wheel" "video" "docker" "adbusers" ];
shell = pkgs.zsh;
# damn, who's this handsome guy?
users.laurent = {
isNormalUser = true;
initialPassword = "laurent";
extraGroups = [ "wheel" "video" "docker" "adbusers" ];
shell = pkgs.zsh;
programs.zsh.enable = true;
home-manager = { users.laurent = ./home; };
# enable docker
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableOnBoot = false;
autoPrune.enable = true;
# enable gnome virtual file system
services.gvfs.enable = true;
# enable gpg agent
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
# enable polkit
security.polkit.enable = true;
# allow swaylock to use pam
security.pam.services.swaylock = { };
# enable unfree
nixpkgs.config.allowUnfree = true;
# experimental features
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# optimizations
nix.settings.auto-optimise-store = true;
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
age.secrets.borgbackup = {
file = "/home/laurent/infrastructure/secrets/borgbackup.age";
owner = "laurent";
group = "users";
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
services.borgbackup.jobs.home = {
paths = "/home/laurent/";
repo = "/mnt/home_backup";
exclude = [
# Largest cache dirs
"*/cache2" # firefox
"*/Code Cache"
# Work related dirs
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
compression = "auto,zstd";
startAt = [ ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
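Review bot: `initialPassword = "laurent"` together with `users.mutableUsers = false` (both visible here in the old and the new attribute layout) makes that the permanent password: with mutable users disabled, `initialPassword` behaves like `password`, so it cannot be changed with `passwd` and the plaintext ends up in the world-readable Nix store of every generation. Since this repo already manages secrets with agenix (`age.secrets.borgbackup` further down), the password hash belongs in an age secret referenced as `passwordFile = config.age.secrets.<name>.path;` (newer NixOS releases name the option `hashedPasswordFile`), which needs `config` in the module arguments of this file. The `docker` entry in `extraGroups` is also effectively root-equivalent on the host; if that is intended, a one-line comment next to it would save the next reader the question.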

defaultTimeout = 5000;
extraConfig = builtins.readFile "${catppuccin-mako}/src/mocha";
wayland.windowManager.sway = {
enable = true;
{ ... }: {
age.secrets.borgbackup = {
file = "/home/laurent/infrastructure/secrets/borgbackup.age";
owner = "laurent";
group = "users";
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
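Review bot: `age.identityPaths` points at a user's personal key under `/home/laurent/.ssh/`, so the root-run decryption at activation depends on that user's home being present and readable, and one key now both authenticates the user and unlocks host secrets; the host key `/etc/ssh/ssh_host_ed25519_key` (agenix's default identity) keeps those roles separate. `file` is likewise an absolute path into a home directory rather than a path relative to this module (e.g. `../secrets/borgbackup.age`), so evaluating the configuration from any other checkout location will not find the secret; a relative path is copied into the store, encrypted, at evaluation time. The same two settings appear in the configuration.nix section above, so the fix applies to both. If the personal key is deliberate, a comment stating why should go above `identityPaths`.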

{ ... }: {
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
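Review bot: `services.pipewire` is enabled without `security.rtkit.enable = true;`, which PipeWire relies on to obtain realtime scheduling through rtkit; without it the daemon runs at normal priority. It is one added line after `pulse.enable = true;`. If it was left out on purpose, a comment saying so would keep it from being re-added later. The same block exists unchanged in the configuration.nix section above.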

{ pkgs, ... }: {
# support for mounting windaube partitions
boot.supportedFilesystems = [ "ntfs" ];
boot.loader.efi.canTouchEfiVariables = true;
# clean /tmp at each boot
boot.tmp.cleanOnBoot = true;
# use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
imports = [ ./lanzaboot.nix ];

{ lib, ... }: {
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
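Review bot: `pkiBundle = "/etc/secureboot"` presumes the signing keys already exist there (the flake devShell adds `sbctl` for creating them), and nothing in this module records that: if the directory is missing, the bootloader install step will fail when it tries to sign the kernel and initrd. The comment block above `boot.lanzaboote` should state that creating the keys with sbctl and enrolling them in firmware is a manual prerequisite, and that the directory must stay root-only since it holds the private signing keys. This file also sets `boot.lanzaboote` but does not itself import the lanzaboote NixOS module, so it relies on an import elsewhere that is not visible here; naming where would help.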

{ config, ... }: {
services.borgbackup.jobs.home = {
paths = "/home/laurent/";
repo = "/mnt/home_backup";
exclude = [
# Largest cache dirs
"*/cache2" # firefox
"*/Code Cache"
# Work related dirs
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
compression = "auto,zstd";
startAt = [ ];
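Review bot: `startAt = [ ]` creates no systemd timer, so this job never runs unless `borgbackup-job-home.service` is started by hand; if that is the intent, the comment should say so, otherwise a calendar spec such as `startAt = "daily";` is needed. `mode = "repokey"` stores the repository key inside `/mnt/home_backup` itself, so the passphrase produced by `passCommand` is the only thing protecting the data if that drive is lost; `keyfile` mode keeps the key off the backup medium at the cost of backing it up separately, and either choice deserves a comment on `encryption`. The identical job definition appears in the configuration.nix section above.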

{ ... }: {
imports = [

{ ... }: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableOnBoot = false;
autoPrune.enable = true;

{ pkgs, ... }: {
fonts.fonts = with pkgs; [
# https://notofonts.github.io/
noto-fonts # standard characters
noto-fonts-lgc-plus # latin, greek, and cyrillic
noto-fonts-cjk # chinese, japanese, and korean
noto-fonts-emoji # emojis 🐢
# https://github.com/tonsky/FiraCode
fira-code # standard characters
fira-code-symbols # unicode ligature glyphs
# https://github.com/ryanoasis/nerd-fonts
(nerdfonts.override { fonts = [ "FiraCode" ]; })

{ pkgs, ... }: {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";

{ ... }: {
# hardware
hardware = {
enableRedistributableFirmware = true;
opengl = {
enable = true;
driSupport = true;
# logind configuration
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
# tlp, power management
services.tlp.enable = true;
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# backlight intensity
programs.light.enable = true;

{ ... }: {
# FRANCE 🇫🇷 🥖 🥐
time.timeZone = "Europe/Paris";
# azerty keyboard
console.keyMap = "fr";
# english ISO metric system
i18n.defaultLocale = "en_DK.UTF-8";

{ ... }: {
# set hostname
networking.hostName = "neodymium";
# use networkManager, see nmcli
networking.networkmanager.enable = true;
# firewall
networking.firewall = {
enable = true;
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
imports = [ ./wireguard.nix ];

{ lib, ... }: {
networking.wg-quick.interfaces = {
wg0 = {
# client
privateKeyFile = "/root/wireguard-keys/private";
address = [ "" "fd02:002:002::3/64" ];
dns = [ "" ];
# server
peers = [{
publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
allowedIPs = [ "" "::0/0" ];
endpoint = "fainsin.bzh:5553";
persistentKeepalive = 30;
# modify the systemd service to restart on failure every 10 seconds
systemd.services.wg-quick-wg0 = {
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "10s";
unitConfig = {
# ensures Restart= is always honoured
StartLimitIntervalSec = 0;
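Review bot: `address`, `dns` and `allowedIPs` each contain an empty string `""` next to the IPv6 entries; if these are not redaction artifacts of the rendered page, wg-quick will be handed an empty `Address`/`DNS`/`AllowedIPs` value and the unit will fail to come up, which with `Restart = "on-failure"`, `RestartSec = "10s"` and `StartLimitIntervalSec = 0` then retries every 10 s indefinitely. If the IPv4 entries were intentionally dropped, the empty strings should go too. `privateKeyFile = "/root/wireguard-keys/private"` is also the one secret in this tree managed outside agenix, unlike the borg passphrase; an `age.secrets.wireguard` entry with `privateKeyFile = config.age.secrets.wireguard.path;` (adding `config` to this module's arguments) would put it under the same provisioning path. The same interface definition is repeated in the configuration.nix section above.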

{ ... }: {
# restrict nix command to sudoers
nix.settings.allowed-users = [ "@wheel" ];
# experimental features
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# optimizations
nix.settings.auto-optimise-store = true;
# garbage collection
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
# enable unfree
nixpkgs.config.allowUnfree = true;

{ ... }: {
# enable polkit
security.polkit.enable = true;
# enable gpg agent
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
# secrets keyring
services.gnome.gnome-keyring.enable = true;
# allow swaylock to use pam
security.pam.services.swaylock = { };