nixos_flake_config/nixy/configuration.nix


# Host-specific NixOS module for the machine "nixy".  Besides the standard
# module arguments it takes flake inputs: nix-xilinx and nvim are applied as
# overlays (see nixpkgs.overlays), zremap provides the binary run by the zremap
# systemd service, and system selects the per-system outputs of those inputs.
{
  config,
  pkgs,
  nix-xilinx,
  system,
  nvim,
  zremap,
  ...
}: {
imports = [];
# Release the on-disk state was initialised with; stays fixed across upgrades.
system = {
  stateVersion = "23.05";
  autoUpgrade.enable = false;
};
# Secrets are decrypted by sops-nix with this host's SSH key.  Each entry below
# yields one decrypted file whose location is read back elsewhere in this file
# via config.sops.secrets.<name>.path (wireguard and borgbackup); "peerix/private"
# is not referenced here, presumably another module in the flake consumes it.
sops = {
  age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
  secrets = {
    "peerix/private" = {
      sopsFile = ./secrets/peerix.yaml;
      mode = "0400";
      owner = config.users.users.nobody.name;
      group = config.users.users.nobody.group;
    };
    # Private and preshared WireGuard keys keep the module's default owner/mode.
    "wg_privkey".sopsFile = ./secrets/wg_privkey.yaml;
    "wg_preshared/nixy".sopsFile = ../common/secrets/wg_preshared.yaml;
    # Backup credentials are owned by akill because the borg job runs as akill.
    "borgbase_enc_key" = {
      sopsFile = ./secrets/borgbase_enc_key.yaml;
      owner = config.users.users.akill.name;
    };
    "borgbase_ssh_key" = {
      sopsFile = ./secrets/borgbase_ssh_key.yaml;
      owner = config.users.users.akill.name;
    };
  };
};
nix = {
  package = pkgs.nixUnstable;
  # Keep the store small: deduplicate identical files and drop generations
  # older than a week.
  optimise = {automatic = true;};
  gc = {
    automatic = true;
    options = "--delete-older-than 7d";
  };
  settings = {
    sandbox = true;
    experimental-features = ["nix-command" "flakes"];
  };
};
boot = {
  kernelPackages = pkgs.linuxPackages_latest;
  extraModulePackages = with config.boot.kernelPackages; [usbip v4l2loopback];
  kernelParams = ["psmouse.synaptics_intertouch=0" "mem_sleep_default=deep"];
  # fq queueing with BBR congestion control, system wide.
  kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
  initrd = {
    compressor = "zstd";
    kernelModules = ["amdgpu"];
  };
  binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows"];
  loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot = {
      enable = true;
      # editor = false stops the boot menu from accepting an edited kernel
      # command line at the console.
      editor = false;
      memtest86.enable = true;
    };
  };
  readOnlyNixStore = true;
  supportedFilesystems = ["btrfs" "nfs"];
  tmp.useTmpfs = true;
};
security = {
  rtkit.enable = true;
  allowSimultaneousMultithreading = true;
  # Both sudo and doas are installed.  The doas rule lets akill keep the
  # calling environment (keepEnv) and skip re-authentication for a while
  # after a successful one (persist).
  sudo.enable = true;
  doas = {
    enable = true;
    extraRules = [
      {
        users = ["akill"];
        keepEnv = true;
        persist = true;
      }
    ];
  };
};
powerManagement.enable = true;
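networking = {
  firewall = {
    enable = true;
    # NOTE(review): nothing in this file listens on 80/443; confirm they are
    # still needed before keeping them open.
    allowedTCPPorts = [80 443];
    # WireGuard is UDP, so the wg0 listen port (51820, see
    # wireguard.interfaces.wg0.listenPort) belongs here, not in the TCP list.
    allowedUDPPorts = [51820];
  };
  hostName = "nixy";
  # Resolve only through the local listener (presumably services.dnscrypt-proxy2
  # below); dhcpcd and NetworkManager are told not to touch resolv.conf.
  nameservers = ["127.0.0.1" "::1"];
  dhcpcd.extraConfig = "nohook resolv.conf";
  extraHosts = ''
    192.168.88.171 jellyfin.mediabox.lan
    192.168.88.171 jellyseerr.mediabox.lan
    192.168.88.171 mediabox.lan
    192.168.88.171 qbittorrent.mediabox.lan
    192.168.88.1 router.lan
    192.168.88.231 workstation.lan
    192.168.88.121 ender.lan
  '';
  networkmanager = {
    enable = true;
    dns = "none";
    wifi.backend = "iwd";
  };
  wireless.iwd = {
    enable = true;
    settings.General = {
      # Per-network MAC randomisation.
      AddressRandomization = "network";
      #EnableNetworkConfiguration = true;
    };
  };
  # Single-peer tunnel to magpie.  The private and preshared keys come from
  # sops; the peer's public key is read from the repo at evaluation time.
  wireguard.interfaces.wg0 = {
    ips = ["10.100.0.6/24"];
    listenPort = 51820;
    privateKeyFile = config.sops.secrets."wg_privkey".path;
    peers = [
      {
        publicKey = builtins.readFile ../magpie/wg_pubkey;
        presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
        allowedIPs = ["10.100.0.0/24"];
        endpoint = "5.75.229.224:51820";
        persistentKeepalive = 25;
      }
    ];
  };
};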
time.timeZone = "Europe/Sarajevo";
nixpkgs = {
  config.allowUnfree = true;
  # Flake inputs layered over nixpkgs: the Xilinx tooling and the nvim build.
  overlays = [nix-xilinx.overlay nvim.overlays.${system}.overlay];
};
environment = {
  homeBinInPath = true;
  # Runs during global shell initialisation; clears SSH_ASKPASS for every login.
  extraInit = ''
    unset -v SSH_ASKPASS
  '';
  variables.PATH = "$HOME/.cargo/bin";
};
programs = {
  zsh.enable = true;
  sway.enable = true;
  gnupg.agent = {
    enable = true;
    # gpg-agent doubles as the SSH agent.
    enableSSHSupport = true;
  };
  firejail.enable = true;
  adb.enable = true;
  # Capture rights go through the "wireshark" group; akill is a member
  # (see users.users.akill.extraGroups).
  wireshark.enable = true;
};
# List services that you want to enable:
systemd = {
  services.zremap = {
    description = "Intercepts keyboard udev events";
    wants = ["systemd-udevd.service"];
    wantedBy = ["multi-user.target"];
    # No User= is set, so this runs as root; Nice=-20 is the highest
    # scheduling priority so remapping never lags behind input.
    serviceConfig = {Nice = -20;};
    # The sleep presumably gives udev time to create the by-path node before
    # zremap opens it — TODO confirm.
    script = ''
      sleep 1
      ${zremap.defaultPackage.${system}}/bin/zremap \
      /dev/input/by-path/platform-i8042-serio-0-event-kbd
    '';
  };
  extraConfig = ''
    DefaultTimeoutStartSec=30s
    DefaultTimeoutStopSec=30s
  '';
};
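services = {
  acpid.enable = true;
  btrfs.autoScrub.enable = true;
  dbus.enable = true;
  fstrim.enable = true;
  fwupd.enable = true;
  ntp.enable = true;
  # NOTE(review): sshd runs with module defaults here; once key-based login is
  # confirmed to work, settings.PasswordAuthentication = false is the usual
  # hardening to add.
  openssh.enable = true;
  printing.enable = true;
  rpcbind.enable = true;
  pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };
  xserver = {
    enable = true;
    dpi = 144;
    libinput.enable = true;
    desktopManager.xterm.enable = false;
    displayManager = {
      lightdm.enable = false;
      startx.enable = true;
      # NOTE(review): names an i3 session although windowManager.i3.enable is
      # false below; with startx this value is presumably unused, so it looks
      # stale — confirm.
      defaultSession = "none+i3";
    };
    windowManager.i3.enable = false;
  };
  udev = {
    packages = [pkgs.rtl-sdr pkgs.openhantek6022 pkgs.openocd];
    # Programmer and dev-board nodes are handed to the dialout group with mode
    # 0660 (akill is a member, see users.users.akill) instead of a
    # world-writable 666 node, so other local accounts cannot drive the
    # hardware.
    extraRules = ''
      #Xilinx FTDI
      ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="0660", GROUP="dialout"

      #Xilinx Digilent
      ATTR{idVendor}=="1443", MODE:="0660", GROUP="dialout"
      ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="0660", GROUP="dialout"

      #Arduino UNO r4
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0660", GROUP="dialout"
    '';
  };
  tlp.enable = true;
  batteryNotifier = {
    enable = true;
    notifyCapacity = 20;
    suspendCapacity = 10;
  };
  # actkbd runs as root: the volume keys are executed in akill's login
  # environment via runuser, the brightness keys call light directly.
  actkbd = {
    enable = true;
    bindings = [
      {
        keys = [113];
        events = ["key"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master toggle'";
      }
      {
        keys = [114];
        events = ["key" "rep"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%- unmute'";
      }
      {
        keys = [115];
        events = ["key" "rep"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%+ unmute'";
      }
      {
        keys = [224];
        events = ["key"];
        command = "${pkgs.light}/bin/light -U 5";
      }
      {
        keys = [225];
        events = ["key"];
        command = "${pkgs.light}/bin/light -A 5";
      }
    ];
  };
  # Local encrypted resolver, presumably the listener networking.nameservers
  # (127.0.0.1/::1) points at.  require_dnssec limits resolver choice to
  # DNSSEC-capable ones; the resolver list is fetched from the two URLs and
  # verified against the minisign key before use.
  dnscrypt-proxy2 = {
    enable = true;
    settings = {
      ipv6_servers = true;
      require_dnssec = true;
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
    };
  };
  # Daily encrypted backup of akill's private directories to BorgBase, run as
  # akill.  The repo passphrase and the ssh identity come from the akill-owned
  # sops secrets; BORG_RSH pins that identity.
  borgbackup.jobs."borgbase" = let
    user = config.users.users.akill;
    home = user.home;
  in {
    user = user.name;
    paths = [
      (home + "/pic/priv")
      (home + "/pproj")
      (home + "/videos/priv")
    ];
    # Build artefacts are skipped.
    exclude = [
      "**/.ccls_cache"
      "**/*.d"
      "**/*.map"
      "**/*.o"
      "**/zig-cache"
      "**/zig-out"
    ];
    repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
    encryption = {
      mode = "repokey-blake2";
      passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
    };
    environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
    compression = "auto,zstd";
    startAt = "daily";
  };
  # Binary-cache serving is switched off; the key path stays for when it is
  # re-enabled.
  nix-serve = {
    enable = false;
    secretKeyFile = "/var/cache-priv-key.pem";
  };
  journald.extraConfig = ''
    SystemMaxUse=50M
  '';
  # Kill leftover session processes at logout.
  logind.extraConfig = ''
    KillUserProcesses=yes
  '';
};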
fonts = {
  fontconfig = {
    cache32Bit = true;
    allowBitmaps = true;
    useEmbeddedBitmaps = true;
    defaultFonts.monospace = ["JetBrainsMono"];
  };
  # System-wide font set (alphabetical).
  packages = with pkgs; [
    dejavu_fonts
    dina-font
    fira-code
    fira-code-symbols
    font-awesome
    font-awesome_4
    inconsolata
    iosevka
    jetbrains-mono
    liberation_ttf
    noto-fonts
    noto-fonts-cjk
    noto-fonts-emoji
    proggyfonts
    siji
    terminus_font
    terminus_font_ttf
    ubuntu_font_family
  ];
};
virtualisation = {
  # Rootless-capable podman with a docker CLI shim; unused images are pruned
  # automatically.
  podman = {
    enable = true;
    dockerCompat = true;
    autoPrune.enable = true;
  };
  # Container storage on btrfs under the standard locations.
  containers.storage.settings.storage = {
    driver = "btrfs";
    graphroot = "/var/lib/containers/storage";
    runroot = "/run/containers/storage";
  };
};
sound.enable = true;
hardware = {
  bluetooth = {
    enable = true;
    settings.General.Enable = "Source,Sink,Media,Socket";
  };
  opengl = {
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
    extraPackages = [];
  };
};
# zram is configured but switched off; set enable = true to use it.
zramSwap = {
  enable = false;
  algorithm = "zstd";
};
users.users = {
  akill = {
    isNormalUser = true;
    shell = pkgs.zsh;
    # wheel backs sudo/doas; wireshark, adbusers and dialout back the capture,
    # adb and device access set up elsewhere in this file.
    extraGroups = ["wireshark" "kvm" "tty" "audio" "sound" "adbusers" "dialout" "wheel"];
  };
};
}