{
  config,
  lib,
  nix-xilinx,
  nvim,
  pkgs,
  system,
  zremap,
  ...
}: {
# NixOS host module for "nixy" (a laptop, judging by the tlp/battery settings
# further down). nix-xilinx, nvim and zremap are flake inputs; `system` picks
# their per-platform outputs.
imports = [];

# Release this host was first installed with. Do not bump casually: it gates
# stateful defaults, not the package set.
system.stateVersion = "23.05";
# Upgrades are applied by hand, not from a timer.
system.autoUpgrade.enable = false;

sops = {
  # The host SSH key is the age identity that decrypts everything below, so
  # possession of /etc/ssh/ssh_host_ed25519_key equals possession of every
  # secret on this machine. Entries without owner/mode use the sops-nix
  # defaults (not visible in this file).
  age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

  secrets = {
    # peerix runs as nobody; give that account, and nothing else, read access.
    "peerix/private" = {
      sopsFile = ./secrets/peerix.yaml;
      mode = "0400";
      owner = config.users.users.nobody.name;
      group = config.users.users.nobody.group;
    };

    # Keys for the wg0 link to the magpie host: per-host private key, PSK
    # shared from ../common.
    "wg_privkey".sopsFile = ./secrets/wg_privkey.yaml;
    "wg_preshared/nixy".sopsFile = ../common/secrets/wg_preshared.yaml;

    # Proton tunnel (consumed by systemd.services.wg_proton).
    # NOTE(review): both entries point at wg_privkey_proton.yaml — confirm the
    # endpoint really lives in that file and this is not a copy of the line
    # above.
    "wg_privkey_proton".sopsFile = ./secrets/wg_privkey_proton.yaml;
    "wg_endpoint_proton".sopsFile = ./secrets/wg_privkey_proton.yaml;

    # borgbase credentials are read by the backup job, which runs as akill,
    # hence the non-root owner.
    "borgbase_enc_key" = {
      sopsFile = ./secrets/borgbase_enc_key.yaml;
      owner = config.users.users.akill.name;
    };
    "borgbase_ssh_key" = {
      sopsFile = ./secrets/borgbase_ssh_key.yaml;
      owner = config.users.users.akill.name;
    };
  };
};

nix = {
  package = pkgs.nixVersions.latest;
  # Keep the store small: deduplicate and drop generations older than a week.
  # Note that gc also bounds how far back a boot-menu rollback can reach.
  optimise.automatic = true;
  gc = {
    automatic = true;
    options = "--delete-older-than 7d";
  };
  settings = {
    # Builds stay sandboxed; an unsandboxed build can read and write the host.
    sandbox = true;
    experimental-features = ["nix-command" "flakes"];
  };
};

boot = {
  kernelPackages = pkgs.linuxPackages_latest;
  # Out-of-tree modules: USB/IP and the v4l2 loopback device.
  extraModulePackages = with config.boot.kernelPackages; [usbip v4l2loopback];
  initrd = {
    compressor = "zstd";
    kernelModules = ["amdgpu"];
  };
  # binfmt_misc handlers for wasm32-wasi and x86_64-windows executables.
  binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows"];
  kernelParams = ["psmouse.synaptics_intertouch=0" "mem_sleep_default=deep"];
  kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
  loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot = {
      enable = true;
      # editor = false: nobody at the console can edit a boot entry's kernel
      # command line before it starts.
      editor = false;
      memtest86.enable = true;
    };
  };
  # /nix/store is mounted read-only, so even root cannot alter store paths in
  # place.
  readOnlyNixStore = true;
  supportedFilesystems = ["f2fs" "xfs"];
  tmp.useTmpfs = true;
};

security = {
  rtkit.enable = true;
  # SMT stays on for performance; it widens cross-thread side channels, so
  # revisit on a shared or high-assurance box.
  allowSimultaneousMultithreading = true;
  # Two escalation paths coexist for the same account: sudo (wheel membership,
  # see users.users.akill) and doas.
  sudo.enable = true;
  doas = {
    enable = true;
    extraRules = [
      {
        users = ["akill"];
        # keepEnv hands the caller's environment to the root process and
        # persist skips re-authentication for a while; both trade safety for
        # convenience. NOTE(review): $HOME/bin and ~/.cargo/bin are on PATH
        # (environment.* below) — confirm doas still resets PATH for root.
        keepEnv = true;
        persist = true;
      }
    ];
  };
};

# Generic power management hooks; tlp (under services) does the tuning.
powerManagement.enable = true;

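networking = {
  hostName = "nixy";

  firewall = {
    enable = true;
    # 80/443: nothing in this file serves them (another module might).
    # 51820: WireGuard is UDP-only, so a TCP entry does nothing for it — and
    # wg0 below sets no listenPort, so no inbound port is needed at all.
    # 8020: SERVICE_URL port of the (disabled) seafile instance.
    # NOTE(review): trim to what is actually served, or move 51820 to
    # allowedUDPPorts if this host should accept inbound tunnels.
    allowedTCPPorts = [80 443 51820 8020];
  };

  # All resolution goes to the local dnscrypt-proxy; stop dhcpcd and
  # NetworkManager from rewriting resolv.conf behind it.
  nameservers = ["127.0.0.1" "::1"];
  dhcpcd.extraConfig = "nohook resolv.conf";

  # Static names for LAN hosts; these never reach the encrypted resolver.
  extraHosts = ''
    192.168.88.171 jellyfin.mediabox.lan
    192.168.88.171 jellyseerr.mediabox.lan
    192.168.88.171 mediabox.lan
    192.168.88.171 qbittorrent.mediabox.lan
    192.168.88.1 router.lan
    192.168.88.231 workstation.lan
    192.168.88.121 ender.lan
  '';

  networkmanager = {
    enable = true;
    dns = "none";
    wifi.backend = "iwd";
  };

  wireless.iwd = {
    enable = true;
    settings.General = {
      # Per-network MAC randomisation instead of the hardware address.
      AddressRandomization = "network";
      #EnableNetworkConfiguration = true;
    };
  };

  wireguard.interfaces.wg0 = {
    ips = ["10.100.0.6/24"];
    privateKeyFile = config.sops.secrets."wg_privkey".path;
    peers = [
      {
        # lib.fileContents strips the trailing newline that builtins.readFile
        # keeps, so the key is not handed to wg with a "\n" glued on.
        publicKey = lib.fileContents ../magpie/wg_pubkey;
        presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
        allowedIPs = ["10.100.0.0/24"];
        endpoint = "5.75.229.224:51820";
        persistentKeepalive = 25;
      }
    ];
  };
};
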
time.timeZone = "Europe/Sarajevo";

nixpkgs = {
  config.allowUnfree = true;
  # Overlays from the flake inputs: Xilinx tooling and the nvim overlay for
  # this platform.
  overlays = [nix-xilinx.overlay nvim.overlays.${system}.overlay];
};

environment = {
  # Presumably keeps ssh from using a graphical askpass helper in terminals.
  extraInit = ''
    unset -v SSH_ASKPASS
  '';
  # Both put user-writable directories on PATH. NOTE(review): check the
  # resulting ordering — a user-writable entry ahead of the system paths is
  # a classic command-hijack point, especially with doas keepEnv enabled
  # above.
  homeBinInPath = true;
  variables.PATH = "$HOME/.cargo/bin";
};

programs = {
  gnupg.agent = {
    enable = true;
    # gpg-agent doubles as the SSH agent.
    enableSSHSupport = true;
  };
  zsh.enable = true;
  firejail.enable = true;
  # adb and wireshark grant device/capture access through the adbusers and
  # wireshark groups; akill is in both (users.users.akill).
  adb.enable = true;
  wireshark.enable = true;
  sway.enable = true;
};

# Developer manpages (library/syscall sections) alongside the packages.
documentation.dev.enable = true;

# List services that you want to enable:
systemd = {
  services = {
    # Instantiated per keyboard by the udev rule in services.udev.extraRules;
    # %I is the event device node.
    "zremap@" = {
      enable = true;
      restartIfChanged = true;
      unitConfig = {
        Description = "zremap on %I";
        ConditionPathExists = "%I";
      };
      serviceConfig = {
        Type = "simple";
        # Highest scheduling priority so remapping never lags behind input.
        Nice = -20;
        ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
      };
    };

    # Creates the named network namespace %I; other units bind to it.
    "netns@" = {
      description = "%I network namespace";
      before = ["network.target"];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
        ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
      };
    };

    # Proton tunnel confined to the "wg" namespace: the interface is moved
    # there and the default route is added inside it, so only processes
    # started in that namespace (dnscrypt-proxy2_proton) use the tunnel; the
    # host's own routing is untouched.
    # NOTE(review): the endpoint address is a sops secret but is then passed
    # on the wg command line, where it is briefly visible through /proc; a
    # root-only `wg setconf` file would avoid that. If wg-up fails midway,
    # ExecStop does not run for a failed oneshot, so a half-built proton_wg
    # link can be left behind.
    "wg_proton" = {
      description = "wg network interface";
      bindsTo = ["netns@wg.service"];
      requires = ["network-online.target"];
      wants = ["dnscrypt-proxy2_proton.service"];
      after = ["netns@wg.service"];
      before = ["dnscrypt-proxy2_proton.service"];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = pkgs.writers.writeBash "wg-up" ''
          set -e
          ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
          ${pkgs.iproute}/bin/ip link add proton_wg type wireguard
          ${pkgs.iproute}/bin/ip link set proton_wg netns wg
          ${pkgs.iproute}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
          ${pkgs.iproute}/bin/ip netns exec wg \
          ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${config.sops.secrets."wg_privkey_proton".path}"
          ${pkgs.iproute}/bin/ip netns exec wg \
          ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
          endpoint "$ENDPOINT_IP:51820" \
          persistent-keepalive "25" \
          allowed-ips "0.0.0.0/0"
          ${pkgs.iproute}/bin/ip -n wg link set lo up
          ${pkgs.iproute}/bin/ip -n wg link set proton_wg up
          ${pkgs.iproute}/bin/ip -n wg route add default dev proton_wg
        '';
        ExecStop = pkgs.writers.writeBash "wg-down" ''
          ${pkgs.iproute}/bin/ip -n wg route del default dev proton_wg
          ${pkgs.iproute}/bin/ip -n wg link del proton_wg
        '';
      };
    };

    # Second dnscrypt-proxy instance placed in the "wg" namespace so its
    # upstream queries leave through the Proton tunnel. Reuses the config file
    # generated for services.dnscrypt-proxy2 and runs under a tight sandbox
    # (DynamicUser, ProtectSystem=strict, syscall filter, AF_INET/6 only).
    # NOTE(review): if the stock dnscrypt-proxy2 unit (not visible here) uses
    # the same Cache/Logs/Runtime/State directory names, two DynamicUser
    # services would contend for ownership of those directories — confirm.
    "dnscrypt-proxy2_proton" = {
      description = "DNSCrypt-proxy client proton";
      wants = [
        "network-online.target"
        "nss-lookup.target"
      ];
      before = ["nss-lookup.target"];
      after = ["wg_proton.service"];
      partOf = ["wg_proton.service"];
      serviceConfig = {
        # Only capability kept: binding port 53.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CacheDirectory = "dnscrypt-proxy";
        DynamicUser = true;
        ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
        LockPersonality = true;
        LogsDirectory = "dnscrypt-proxy";
        MemoryDenyWriteExecute = true;
        NetworkNamespacePath = "/var/run/netns/wg";
        NonBlocking = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        Restart = "always";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RuntimeDirectory = "dnscrypt-proxy";
        StateDirectory = "dnscrypt-proxy";
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@chown"
          "~@aio"
          "~@keyring"
          "~@memlock"
          "~@setuid"
          "~@timer"
        ];
      };
    };
  };

  # Bound start/stop of every unit so a stuck service cannot hang boot or
  # shutdown indefinitely.
  extraConfig = ''
    DefaultTimeoutStartSec=30s
    DefaultTimeoutStopSec=30s
  '';
};

services = {
  acpid.enable = true;
  btrfs.autoScrub.enable = false;
  dbus.enable = true;
  fstrim.enable = true;
  fwupd.enable = true;
  ntp.enable = true;
  # NOTE(review): sshd runs with module defaults; nothing in this file turns
  # off password authentication or restricts root login, so the remote
  # exposure is whatever those defaults are for this release.
  openssh.enable = true;
  printing.enable = true;

  pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
  };

  libinput.enable = true;
  xserver = {
    enable = true;
    dpi = 144;
    desktopManager.xterm.enable = false;
    # No display manager: X sessions start from a console login via startx.
    displayManager = {
      lightdm.enable = false;
      startx.enable = true;
    };
    windowManager.i3.enable = false;
  };

  udev = {
    packages = [pkgs.openhantek6022 pkgs.openocd];
    # Device access for lab hardware. NOTE(review): MODE 666 makes the
    # Xilinx/Digilent/Arduino nodes world-writable; MODE 0660 plus a GROUP
    # (dialout, which akill is already in) would keep other local accounts
    # from driving the programmers. The last rule starts
    # zremap@<device>.service for every keyboard that appears.
    extraRules = ''
      #Xilinx FTDI
      ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"

      #Xilinx Digilent
      ATTR{idVendor}=="1443", MODE:="666"
      ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"

      #Arduino UNO r4
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"

      #zremap on new keyboard
      ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
    '';
  };

  tlp.enable = true;

  batteryNotifier = {
    enable = true;
    notifyCapacity = 20;
    suspendCapacity = 10;
  };

  # Volume and brightness keys handled outside the X session. The volume
  # commands drop to akill via runuser so amixer sees that user's audio setup;
  # brightness goes straight through light.
  actkbd = {
    enable = true;
    bindings = [
      {
        keys = [113];
        events = ["key"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master toggle'";
      }
      {
        keys = [114];
        events = ["key" "rep"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%- unmute'";
      }
      {
        keys = [115];
        events = ["key" "rep"];
        command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%+ unmute'";
      }
      {
        keys = [224];
        events = ["key"];
        command = "${pkgs.light}/bin/light -U 5";
      }
      {
        keys = [225];
        events = ["key"];
        command = "${pkgs.light}/bin/light -A 5";
      }
    ];
  };

  # Local encrypted resolver (networking.nameservers points at it; the listen
  # address is the module default, not set here). The require_* switches
  # refuse upstreams that log, filter, or lack DNSSEC; the resolver list is
  # verified against the project's minisign key before use.
  dnscrypt-proxy2 = {
    enable = true;
    settings = {
      ipv6_servers = true;
      require_dnssec = true;
      require_nolog = true;
      require_nofilter = true;
      http3 = true;

      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
    };
  };

  # Daily off-site backup of private data, run as akill with the sops-managed
  # passphrase and SSH identity.
  borgbackup.jobs."borgbase" = let
    user = config.users.users.akill;
    home = user.home;
  in {
    user = user.name;
    paths = [
      (home + "/pic/priv")
      (home + "/pproj")
      (home + "/videos/priv")
    ];
    exclude = [
      "**/.ccls_cache"
      "**/*.d"
      "**/*.map"
      "**/*.o"
      "**/zig-cache"
      "**/zig-out"
    ];
    repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
    encryption = {
      # repokey keeps the key inside the repository, so the passphrase alone
      # unlocks it; keep the sops entry backed up independently.
      mode = "repokey-blake2";
      passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
    };
    # NOTE(review): BORG_RSH pins the client identity but not the server host
    # key; verification relies on whatever known_hosts akill has.
    environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
    compression = "auto,zstd";
    startAt = "daily";
  };

  nix-serve = {
    enable = false;
    # NOTE(review): the cache signing key is a plain file under /var rather
    # than a sops secret; harmless while disabled, revisit before enabling.
    secretKeyFile = "/var/cache-priv-key.pem";
  };

  # Cap the persistent journal.
  journald.extraConfig = ''
    SystemMaxUse=50M
  '';

  # Nothing survives logout (no lingering user processes).
  logind.extraConfig = ''
    KillUserProcesses=yes
  '';

  seafile = {
    enable = false;
    # NOTE(review): literal admin password and a 0.0.0.0 fileserver bind.
    # Should this ever be enabled, source the password from sops and bind to
    # loopback unless LAN access is intended (8020 is already open in the
    # firewall; 8082 is not).
    initialAdminPassword = "admin";
    adminEmail = "asmir.abdulahovic@gmail.com";
    ccnetSettings.General.SERVICE_URL = "http://127.0.0.1:8020";
    seafileSettings.fileserver = {
      host = "0.0.0.0";
      port = 8082;
    };
  };
};

fonts = {
  fontconfig = {
    cache32Bit = true;
    # Bitmap fonts (terminus, dina, siji, proggy below) are otherwise
    # rejected by fontconfig's default rules.
    allowBitmaps = true;
    useEmbeddedBitmaps = true;
    defaultFonts.monospace = ["JetBrainsMono"];
  };

  packages = with pkgs; [
    dejavu_fonts
    dina-font
    fira-code
    fira-code-symbols
    font-awesome
    font-awesome_4
    inconsolata
    iosevka
    jetbrains-mono
    liberation_ttf
    noto-fonts
    noto-fonts-cjk
    noto-fonts-emoji
    proggyfonts
    siji
    terminus_font
    terminus_font_ttf
    ubuntu_font_family
  ];
};

virtualisation = {
  # Rootful container storage locations (containers.conf / storage.conf).
  containers.storage.settings.storage = {
    #driver = lib.mkForce "btrfs";
    graphroot = "/var/lib/containers/storage";
    runroot = "/run/containers/storage";
  };
  podman = {
    enable = true;
    autoPrune.enable = true;
    # Provides a docker-compatible CLI alias for tooling that expects Docker.
    dockerCompat = true;
  };
};

# Legacy ALSA-level sound switch; pipewire (services above) is the actual
# audio server.
sound.enable = true;

hardware = {
  bluetooth = {
    enable = true;
    # Audio source/sink plus media and socket interfaces in bluetoothd.
    settings.General.Enable = "Source,Sink,Media,Socket";
  };

  opengl = {
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
    extraPackages = [];
  };

  # Makes RTL-SDR dongles usable; the access rules come from that module.
  rtl-sdr.enable = true;
};

# Compressed-RAM swap, currently off; algorithm kept so it can be flipped on
# without further changes.
zramSwap = {
  enable = false;
  algorithm = "zstd";
};

# The single interactive account. wheel gives sudo; wireshark/adbusers gate
# packet capture and adb; tty, kvm and dialout grant raw access to terminal
# devices, /dev/kvm and serial ports. Each of these is effectively a local
# privilege grant — review if the account is ever shared.
users.users.akill = {
  isNormalUser = true;
  shell = pkgs.zsh;
  extraGroups = ["wireshark" "kvm" "tty" "audio" "sound" "adbusers" "dialout" "wheel"];
};

}