asmir/nixos_flake_config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fuji: add nixos configuration

Browse Source
This commit is contained in:
Asmir A
2026-01-03 21:13:09 +01:00
parent 80b587e7fd
commit 48b82135ea
12 changed files with 878 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

701
fuji/configuration.nix Normal file
View File

@@ -0,0 +1,701 @@
{ config
, nvim
, pkgs
, system
, zremap
, lib
, ...
}:
let
USER = "akill";
in
{
imports = [ ];
system = {
stateVersion = "23.05";
autoUpgrade.enable = false;
etc.overlay.enable = true;
nixos-init.enable = true;
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
"peerix/private" = {
sopsFile = ./secrets/peerix.yaml;
mode = "0400";
owner = config.users.users.nobody.name;
group = config.users.users.nobody.group;
};
"wg_privkey" = {
sopsFile = ./secrets/wg_privkey.yaml;
};
"wg_preshared/nixy" = {
sopsFile = ../common/secrets/wg_preshared.yaml;
};
"wg_privkey_proton" = {
sopsFile = ./secrets/wg_privkey_proton.yaml;
};
"wg_endpoint_proton" = {
sopsFile = ./secrets/wg_privkey_proton.yaml;
};
"borgbase_enc_key" = {
sopsFile = ./secrets/borgbase_enc_key.yaml;
owner = config.users.users.${USER}.name;
};
"borgbase_ssh_key" = {
sopsFile = ./secrets/borgbase_ssh_key.yaml;
owner = config.users.users.${USER}.name;
};
};
};
nix = {
optimise.automatic = true;
gc.automatic = true;
gc.options = "--delete-older-than 7d";
package = pkgs.nixVersions.latest;
settings = {
sandbox = true;
experimental-features = [
"nix-command"
"flakes"
];
};
};
boot = {
extraModulePackages = with config.boot.kernelPackages; [
usbip
v4l2loopback
];
extraModprobeConfig = ''
options snd_sof ipc_type=1 tplg_path=intel/sof-ipc4-tplg tplg_filename=sof-hda-generic-cavs25-2ch.tplg
'';
blacklistedKernelModules = [ ];
initrd.compressor = "zstd";
initrd.kernelModules = [ ];
initrd.systemd.enable = true;
binfmt.emulatedSystems = [
"wasm32-wasi"
"x86_64-windows"
];
kernelParams = [
"xe.force_probe=a7a0"
"i915.force_probe=!a7a0"
];
kernelPackages = pkgs.linuxPackages_latest;
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
"kernel.unprivileged_userns_clone" = "1"; /* Needed with harderned kernel */
};
loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = {
editor = false;
enable = true;
memtest86.enable = true;
};
nixStoreMountOpts = [ "ro" ];
supportedFilesystems = [
"xfs"
];
tmp.useTmpfs = true;
};
security = {
rtkit.enable = true;
allowSimultaneousMultithreading = true;
sudo.enable = true;
doas.enable = true;
doas.extraRules = [
{
users = [ USER ];
keepEnv = true;
persist = true;
}
];
};
powerManagement = {
enable = true;
};
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
80
443
51820
8020
];
};
hostName = "fuji";
nameservers = [
"127.0.0.1"
"::1"
];
dhcpcd.extraConfig = "nohook resolv.conf";
extraHosts = ''
192.168.88.171 jellyfin.mediabox.lan
192.168.88.171 jellyseerr.mediabox.lan
192.168.88.171 mediabox.lan
192.168.88.171 qbittorrent.mediabox.lan
192.168.88.1 router.lan
192.168.88.231 workstation.lan
192.168.88.121 ender.lan
'';
networkmanager = {
enable = true;
dns = "none";
wifi.backend = "iwd";
};
wireless.iwd = {
enable = true;
settings = {
General = {
AddressRandomization = "network";
#EnableNetworkConfiguration = true;
};
};
};
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.6/24" ];
privateKeyFile = config.sops.secrets."wg_privkey".path;
peers = [
{
publicKey = builtins.readFile ../magpie/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
allowedIPs = [ "10.100.0.0/24" ];
endpoint = "5.75.229.224:51820";
persistentKeepalive = 25;
}
];
};
};
};
time.timeZone = "Europe/Sarajevo";
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [
nvim.overlays.${system}.overlay
];
environment = {
systemPackages = with pkgs; [ alsa-ucm-conf maliit-keyboard ];
variables.ALSA_CONFIG_UCM2 = "${pkgs.alsa-ucm-conf}/share/alsa/ucm2";
sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
KWIN_COMPOSE = "O2ES";
};
etc = {
"firejail/qutebrowser.local".text = ''
whitelist ''${RUNUSER}/qutebrowser
'';
"xdg/autostart/powerdevil.desktop".text = ''
[Desktop Entry]
Hidden=true
'';
};
extraInit = ''
unset -v SSH_ASKPASS
'';
homeBinInPath = true;
variables = {
PATH = "$HOME/.cargo/bin";
};
};
programs = {
steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = false;
localNetworkGameTransfers.openFirewall = true;
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
appimage = {
enable = true;
binfmt = true;
};
nix-ld = {
enable = false;
libraries = with pkgs; [
stdenv.cc.cc.lib
zlib
];
};
zsh.enable = true;
firejail.enable = true;
adb.enable = true;
wireshark.enable = true;
sway.enable = true;
};
documentation.dev.enable = true;
systemd = {
#sysusers.enable = true;
services = {
# Fix issue where systemd-vconsole-setup failes to find keymap
systemd-vconsole-setup = {
unitConfig = {
After = "local-fs.target";
};
};
"zremap@" = {
enable = true;
restartIfChanged = true;
serviceConfig.Nice = -20;
unitConfig = {
Description = "zremap on %I";
ConditionPathExists = "%I";
};
serviceConfig = {
Type = "simple";
ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
};
};
"netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
};
"wg_proton" = {
description = "wg network interface";
bindsTo = [ "netns@wg.service" ];
requires = [ "network-online.target" ];
wants = [ "dnscrypt-proxy_proton.service" ];
after = [ "netns@wg.service" ];
before = [ "dnscrypt-proxy_proton.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writers.writeBash "wg-up" ''
set -e
ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
${pkgs.iproute2}/bin/ip link add proton_wg type wireguard
${pkgs.iproute2}/bin/ip link set proton_wg netns wg
${pkgs.iproute2}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
${pkgs.iproute2}/bin/ip netns exec wg \
${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${
config.sops.secrets."wg_privkey_proton".path
}"
${pkgs.iproute2}/bin/ip netns exec wg \
${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
endpoint "$ENDPOINT_IP:51820" \
persistent-keepalive "25" \
allowed-ips "0.0.0.0/0"
${pkgs.iproute2}/bin/ip -n wg link set lo up
${pkgs.iproute2}/bin/ip -n wg link set proton_wg up
${pkgs.iproute2}/bin/ip -n wg route add default dev proton_wg
'';
ExecStop = pkgs.writers.writeBash "wg-down" ''
${pkgs.iproute2}/bin/ip -n wg route del default dev proton_wg
${pkgs.iproute2}/bin/ip -n wg link del proton_wg
'';
};
};
"dnscrypt-proxy_proton" = {
description = "DNSCrypt-proxy client proton";
wants = [
"network-online.target"
"nss-lookup.target"
];
before = [ "nss-lookup.target" ];
after = [ "wg_proton.service" ];
partOf = [ "wg_proton.service" ];
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CacheDirectory = "dnscrypt-proxy";
DynamicUser = true;
ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy.configFile}";
LockPersonality = true;
LogsDirectory = "dnscrypt-proxy";
MemoryDenyWriteExecute = true;
NetworkNamespacePath = "/var/run/netns/wg";
NonBlocking = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "always";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RuntimeDirectory = "dnscrypt-proxy";
StateDirectory = "dnscrypt-proxy";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@chown"
"~@aio"
"~@keyring"
"~@memlock"
"~@setuid"
"~@timer"
];
};
};
};
coredump.enable = false;
settings.Manager = {
DefaultTimeoutStartSec = "30s";
DefaultTimeoutStopSec = "30s";
};
};
services = {
acpid.enable = true;
dbus.enable = true;
dbus.implementation = "broker";
envfs.enable = true;
fstrim.enable = true;
fwupd.enable = true;
ntp.enable = true;
openssh.enable = true;
printing.enable = true;
userborn.enable = true;
power-profiles-daemon.enable = false;
greetd = {
enable = true;
settings = {
default_session = {
command = ''
${pkgs.tuigreet}/bin/tuigreet \
--time \
--remember \
--remember-session \
--greeting 'Welcome to NixOS' \
--cmd sway
'';
user = "greeter";
};
};
};
logind = {
powerKey = "suspend";
};
desktopManager.plasma6.enable = false;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
libinput.enable = true;
xserver = {
enable = true;
dpi = 144;
desktopManager.xterm.enable = false;
displayManager = {
lightdm.enable = false;
startx.enable = true;
};
windowManager.i3.enable = false;
};
udev = {
packages = [
pkgs.openhantek6022
pkgs.openocd
];
extraRules = ''
#Xilinx FTDI
ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"
#Xilinx Digilent
ATTR{idVendor}=="1443", MODE:="666"
ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"
#Arduino UNO r4
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"
#zremap on new keyboard
ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
'';
};
tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 70;
STOP_CHARGE_THRESH_BAT0 = 94;
#CPU_SCALING_GOVERNOR_ON_AC = "performance";
#CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
# For your Fujitsu U9313X - Intel 13th gen
#CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
#CPU_ENERGY_PERF_POLICY_ON_BAT = "balance_power";
# Optional: CPU boost control
CPU_BOOST_ON_AC = 1;
CPU_BOOST_ON_BAT = 0;
};
};
batteryNotifier = {
enable = true;
notifyCapacity = 12;
suspendCapacity = 5;
};
actkbd = {
enable = true;
bindings = [
{
keys = [ 115 ];
events = [ "key" ];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
}
{
keys = [ 114 ];
events = [
"key"
"rep"
];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
}
{
keys = [ 113 ];
events = [
"key"
"rep"
];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
}
{
keys = [ 224 ];
events = [ "key" ];
command = "${pkgs.light}/bin/light -U 5";
}
{
keys = [ 225 ];
events = [ "key" ];
command = "${pkgs.light}/bin/light -A 5";
}
];
};
dnscrypt-proxy = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
http3 = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
borgbackup.jobs."borgbase" =
let
user = config.users.users.${USER};
home = user.home;
in
{
user = user.name;
paths = [
(home + "/pic/priv")
(home + "/pproj")
(home + "/videos/priv")
];
exclude = [
"**/.ccls_cache"
"**/*.d"
"**/*.map"
"**/*.o"
"**/zig-cache"
"**/zig-out"
];
repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
encryption = {
mode = "repokey-blake2";
passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
};
environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
compression = "auto,zstd";
startAt = "daily";
};
nix-serve = {
enable = false;
secretKeyFile = "/var/cache-priv-key.pem";
};
journald.extraConfig = ''
SystemMaxUse=50M
'';
logind.settings.Login = {
KillUserProcesses = true;
};
};
fonts = {
fontconfig = {
cache32Bit = true;
allowBitmaps = true;
useEmbeddedBitmaps = true;
defaultFonts = {
monospace = [ "JetBrainsMono" ];
};
};
packages = with pkgs; [
dejavu_fonts
dina-font
fira-code
fira-code-symbols
font-awesome_6
inconsolata
iosevka
jetbrains-mono
liberation_ttf
libertine
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
proggyfonts
siji
terminus_font
terminus_font_ttf
ubuntu-classic
vista-fonts
];
};
virtualisation = {
waydroid.enable = false;
libvirtd = {
enable = true;
allowedBridges = [
"virbr0"
"br0"
];
};
spiceUSBRedirection.enable = true;
containers.storage.settings = {
storage = {
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
};
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
};
hardware = {
bluetooth = {
enable = true;
settings = {
General = {
Experimental = true;
Enable = "Source,Sink,Media,Socket";
};
};
};
graphics = {
enable = true;
extraPackages = with pkgs; [ intel-media-driver ];
};
rtl-sdr.enable = true;
firmware = [ pkgs.sof-firmware ];
sensor.iio.enable = true;
};
zramSwap = {
enable = true;
algorithm = "zstd";
};
users.users.${USER} = {
isNormalUser = true;
initialHashedPassword = "$y$j9T$FZnEcCEMIC0Fjj4dZi5t8.$D8ygvO19dR5nyTZxWwDgjEimHutD.sKnD1DLAyhU8.B";
shell = pkgs.zsh;
extraGroups = [
"adbusers"
"audio"
"dialout"
"input"
"kvm"
"plugdev"
"sound"
"tty"
"wheel"
"wireshark"
];
};
}