# NixOS host configuration for "nixy" (stateVersion 23.05).
#
# Notable pieces: sops-managed secrets (age key derived from the host SSH
# key), a hand-rolled WireGuard tunnel inside a dedicated network namespace
# with its own dnscrypt-proxy instance, and a per-device `zremap@` service
# instantiated by udev.
{ config, lib, nix-xilinx, nvim, pkgs, system, zremap, ... }:
let
  # Absolute tool paths used by the hand-written units below, so the
  # scripts do not depend on whatever PATH a unit happens to have.
  ip = "${pkgs.iproute}/bin/ip";
  wg = "${pkgs.wireguard-tools}/bin/wg";
  cat = "${pkgs.coreutils-full}/bin/cat";

  # Runtime path of a sops-managed secret, by its attribute name.
  secretPath = name: config.sops.secrets.${name}.path;

  # actkbd runs as root; audio keys are handed to the desktop user instead.
  asAkill = cmd: "/run/current-system/sw/bin/runuser -l akill -c '${cmd}'";

  akill = config.users.users.akill;
  nobody = config.users.users.nobody;
in
{
  imports = [ ];

  system = {
    stateVersion = "23.05";
    autoUpgrade.enable = false;
  };

  nix = {
    package = pkgs.nixVersions.latest;
    settings = {
      sandbox = true;
      experimental-features = [ "nix-command" "flakes" ];
    };
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };

  nixpkgs = {
    config.allowUnfree = true;
    overlays = [ nix-xilinx.overlay nvim.overlays.${system}.overlay ];
  };

  time.timeZone = "Europe/Sarajevo";

  # Secrets are decrypted at activation with an age key derived from the host
  # ed25519 SSH key; each entry becomes a file under config.sops.secrets.<name>.path.
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      # Consumed by peerix, which is not configured in this file.
      "peerix/private" = {
        sopsFile = ./secrets/peerix.yaml;
        mode = "0400";
        owner = nobody.name;
        group = nobody.group;
      };
      "wg_privkey".sopsFile = ./secrets/wg_privkey.yaml;
      "wg_preshared/nixy".sopsFile = ../common/secrets/wg_preshared.yaml;
      # Both proton values are read from the same sops file; the file must
      # carry a key for each of these two names.
      "wg_privkey_proton".sopsFile = ./secrets/wg_privkey_proton.yaml;
      "wg_endpoint_proton".sopsFile = ./secrets/wg_privkey_proton.yaml;
      # Owned by the backup user so the borg job can read them unprivileged.
      "borgbase_enc_key" = {
        sopsFile = ./secrets/borgbase_enc_key.yaml;
        owner = akill.name;
      };
      "borgbase_ssh_key" = {
        sopsFile = ./secrets/borgbase_ssh_key.yaml;
        owner = akill.name;
      };
    };
  };

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    extraModulePackages = [
      config.boot.kernelPackages.usbip
      config.boot.kernelPackages.v4l2loopback
    ];
    kernelParams = [ "psmouse.synaptics_intertouch=0" "mem_sleep_default=deep" ];
    kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
    initrd = {
      compressor = "zstd";
      kernelModules = [ "amdgpu" ];
    };
    binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" ];
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot = {
        enable = true;
        # No editing of kernel parameters from the boot menu.
        editor = false;
        memtest86.enable = true;
      };
    };
    readOnlyNixStore = true;
    supportedFilesystems = [ "btrfs" ];
    tmp.useTmpfs = true;
  };

  security = {
    rtkit.enable = true;
    allowSimultaneousMultithreading = true;
    # Two privilege-escalation paths are enabled side by side (sudo and doas).
    sudo.enable = true;
    doas = {
      enable = true;
      extraRules = [
        {
          users = [ "akill" ];
          # keepEnv forwards the caller's environment to the elevated command;
          # persist caches a successful authentication for a while.
          keepEnv = true;
          persist = true;
        }
      ];
    };
  };

  powerManagement.enable = true;

  networking = {
    hostName = "nixy";
    firewall = {
      enable = true;
      # NOTE(review): WireGuard listens on UDP; 51820 as a TCP allowance does
      # nothing for wg0 (which only dials out to its peer anyway) — confirm intent.
      allowedTCPPorts = [ 80 443 51820 ];
    };
    # Name resolution is pinned to the local resolver; neither dhcpcd nor
    # NetworkManager is allowed to write DHCP-supplied servers to resolv.conf.
    nameservers = [ "127.0.0.1" "::1" ];
    dhcpcd.extraConfig = "nohook resolv.conf";
    networkmanager = {
      enable = true;
      dns = "none";
      wifi.backend = "iwd";
    };
    wireless.iwd = {
      enable = true;
      settings.General = {
        # Per-network MAC randomisation.
        AddressRandomization = "network";
        #EnableNetworkConfiguration = true;
      };
    };
    extraHosts = ''
      192.168.88.171 jellyfin.mediabox.lan
      192.168.88.171 jellyseerr.mediabox.lan
      192.168.88.171 mediabox.lan
      192.168.88.171 qbittorrent.mediabox.lan
      192.168.88.1 router.lan
      192.168.88.231 workstation.lan
      192.168.88.121 ender.lan
    '';
    # Site-to-site tunnel to "magpie"; keys come from sops, the peer's public
    # key is read from the sibling host directory at evaluation time.
    wireguard.interfaces.wg0 = {
      ips = [ "10.100.0.6/24" ];
      privateKeyFile = secretPath "wg_privkey";
      peers = [
        {
          publicKey = builtins.readFile ../magpie/wg_pubkey;
          presharedKeyFile = secretPath "wg_preshared/nixy";
          allowedIPs = [ "10.100.0.0/24" ];
          endpoint = "5.75.229.224:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };

  environment = {
    extraInit = ''
      unset -v SSH_ASKPASS
    '';
    homeBinInPath = true;
    variables.PATH = "$HOME/.cargo/bin";
  };

  programs = {
    zsh.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    firejail.enable = true;
    adb.enable = true;
    wireshark.enable = true;
    sway.enable = true;
  };

  documentation.dev.enable = true;

  systemd = {
    extraConfig = ''
      DefaultTimeoutStartSec=30s
      DefaultTimeoutStopSec=30s
    '';

    services = {
      # Template unit; the udev rule in services.udev.extraRules instantiates
      # it with %I = the input device node.
      "zremap@" = {
        enable = true;
        restartIfChanged = true;
        unitConfig = {
          Description = "zremap on %I";
          ConditionPathExists = "%I";
        };
        serviceConfig = {
          Type = "simple";
          Nice = -20;
          ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
        };
      };

      # Creates (and on stop removes) the network namespace named by %I.
      "netns@" = {
        description = "%I network namespace";
        before = [ "network.target" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStart = "${ip} netns add %I";
          ExecStop = "${ip} netns del %I";
        };
      };

      # Builds the proton WireGuard link in the "wg" namespace and makes it
      # that namespace's default route; the host namespace is untouched.
      "wg_proton" = {
        description = "wg network interface";
        bindsTo = [ "netns@wg.service" ];
        requires = [ "network-online.target" ];
        after = [ "netns@wg.service" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          # NOTE(review): with `set -e`, a failure after `ip link add` but
          # before the move into the namespace leaves proton_wg in the host
          # namespace, where wg-down will not find it — presumably accepted.
          ExecStart = pkgs.writers.writeBash "wg-up" ''
            set -e
            ENDPOINT_IP=$(${cat} "${secretPath "wg_endpoint_proton"}")
            ${ip} link add proton_wg type wireguard
            ${ip} link set proton_wg netns wg
            ${ip} -n wg address add 10.2.0.2/32 dev proton_wg
            ${ip} netns exec wg \
              ${wg} set "proton_wg" private-key "${secretPath "wg_privkey_proton"}"
            ${ip} netns exec wg \
              ${wg} set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
                endpoint "$ENDPOINT_IP:51820" \
                persistent-keepalive "25" \
                allowed-ips "0.0.0.0/0"
            ${ip} -n wg link set lo up
            ${ip} -n wg link set proton_wg up
            ${ip} -n wg route add default dev proton_wg
          '';
          ExecStop = pkgs.writers.writeBash "wg-down" ''
            ${ip} -n wg route del default dev proton_wg
            ${ip} -n wg link del proton_wg
          '';
        };
      };

      # Second dnscrypt-proxy instance, same config file as the host one but
      # confined to the "wg" namespace so its upstream queries leave via
      # proton_wg rather than the host interfaces.
      "dnscrypt-proxy2_proton" = {
        description = "DNSCrypt-proxy client proton";
        wants = [ "network-online.target" "nss-lookup.target" ];
        before = [ "nss-lookup.target" ];
        after = [ "wg_proton.service" ];
        bindsTo = [ "netns@wg.service" ];
        serviceConfig = {
          ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
          NetworkNamespacePath = "/var/run/netns/wg";
          Restart = "always";
          NonBlocking = true;
          # Transient unprivileged user; the only capability kept is the one
          # needed to bind a privileged port.
          DynamicUser = true;
          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
          NoNewPrivileges = true;
          CacheDirectory = "dnscrypt-proxy";
          LogsDirectory = "dnscrypt-proxy";
          RuntimeDirectory = "dnscrypt-proxy";
          StateDirectory = "dnscrypt-proxy";
          # Filesystem / kernel surface reduction.
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          PrivateDevices = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "@chown"
            "~@aio"
            "~@keyring"
            "~@memlock"
            "~@setuid"
            "~@timer"
          ];
        };
      };
    };
  };

  services = {
    acpid.enable = true;
    btrfs.autoScrub.enable = true;
    dbus.enable = true;
    fstrim.enable = true;
    fwupd.enable = true;
    ntp.enable = true;
    openssh.enable = true;
    printing.enable = true;
    libinput.enable = true;
    tlp.enable = true;

    pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse.enable = true;
    };

    xserver = {
      enable = true;
      dpi = 144;
      desktopManager.xterm.enable = false;
      displayManager = {
        lightdm.enable = false;
        startx.enable = true;
      };
      windowManager.i3.enable = false;
    };

    udev = {
      packages = [ pkgs.openhantek6022 pkgs.openocd ];
      # MODE 666 makes the matching device nodes world read/write, i.e. any
      # local user can talk to these programmers/boards.
      extraRules = ''
        #Xilinx FTDI
        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"
        #Xilinx Digilent
        ATTR{idVendor}=="1443", MODE:="666"
        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"
        #Arduino UNO r4
        SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"
        #zremap on new keyboard
        ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
      '';
    };

    batteryNotifier = {
      enable = true;
      notifyCapacity = 20;
      suspendCapacity = 10;
    };

    # Media keys: volume via amixer as the user, brightness via light.
    actkbd = {
      enable = true;
      bindings = [
        { keys = [ 113 ]; events = [ "key" ]; command = asAkill "amixer -q set Master toggle"; }
        { keys = [ 114 ]; events = [ "key" "rep" ]; command = asAkill "amixer -q set Master 5%- unmute"; }
        { keys = [ 115 ]; events = [ "key" "rep" ]; command = asAkill "amixer -q set Master 5%+ unmute"; }
        { keys = [ 224 ]; events = [ "key" ]; command = "${pkgs.light}/bin/light -U 5"; }
        { keys = [ 225 ]; events = [ "key" ]; command = "${pkgs.light}/bin/light -A 5"; }
      ];
    };

    # Host resolver; the resolver list is fetched over HTTPS and verified
    # against the pinned minisign key.
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        ipv6_servers = true;
        require_dnssec = true;
        require_nolog = true;
        require_nofilter = true;
        http3 = true;
        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
      };
    };

    # Daily encrypted backup of a few private directories; runs as the user,
    # with the repo passphrase and SSH key supplied from sops.
    borgbackup.jobs."borgbase" = {
      user = akill.name;
      paths = map (sub: akill.home + sub) [ "/pic/priv" "/pproj" "/videos/priv" ];
      exclude = [ "**/.ccls_cache" "**/*.d" "**/*.map" "**/*.o" "**/zig-cache" "**/zig-out" ];
      repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
      encryption = {
        mode = "repokey-blake2";
        passCommand = "${cat} ${secretPath "borgbase_enc_key"}";
      };
      environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${secretPath "borgbase_ssh_key"}";
      compression = "auto,zstd";
      startAt = "daily";
    };

    nix-serve = {
      enable = false;
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    journald.extraConfig = ''
      SystemMaxUse=50M
    '';
    logind.extraConfig = ''
      KillUserProcesses=yes
    '';
  };

  fonts = {
    fontconfig = {
      cache32Bit = true;
      allowBitmaps = true;
      useEmbeddedBitmaps = true;
      defaultFonts.monospace = [ "JetBrainsMono" ];
    };
    packages = [
      pkgs.dejavu_fonts
      pkgs.dina-font
      pkgs.fira-code
      pkgs.fira-code-symbols
      pkgs.font-awesome
      pkgs.font-awesome_4
      pkgs.inconsolata
      pkgs.iosevka
      pkgs.jetbrains-mono
      pkgs.liberation_ttf
      pkgs.noto-fonts
      pkgs.noto-fonts-cjk
      pkgs.noto-fonts-emoji
      pkgs.proggyfonts
      pkgs.siji
      pkgs.terminus_font
      pkgs.terminus_font_ttf
      pkgs.ubuntu_font_family
    ];
  };

  virtualisation = {
    containers.storage.settings.storage = {
      driver = lib.mkForce "btrfs";
      graphroot = "/var/lib/containers/storage";
      runroot = "/run/containers/storage";
    };
    podman = {
      enable = true;
      autoPrune.enable = true;
      dockerCompat = true;
    };
  };

  sound.enable = true;

  hardware = {
    bluetooth = {
      enable = true;
      settings.General.Enable = "Source,Sink,Media,Socket";
    };
    opengl = {
      enable = true;
      driSupport = true;
      driSupport32Bit = true;
      extraPackages = [ ];
    };
    rtl-sdr.enable = true;
  };

  zramSwap = {
    enable = false;
    algorithm = "zstd";
  };

  users.users.akill = {
    isNormalUser = true;
    shell = pkgs.zsh;
    # wheel is the sudo group under NixOS defaults; wireshark, kvm, tty,
    # adbusers and dialout each grant direct access to a class of devices.
    extraGroups = [ "wireshark" "kvm" "tty" "audio" "sound" "adbusers" "dialout" "wheel" ];
  };
}