asmir/nixos_flake_config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos_flake_config/mediabox/configuration.nix

475 lines
10 KiB
Nix
Raw Blame History

{ config
, nvim
, pkgs
, system
, zremap
, ...
}:
let
USER = "akill";
in
{
imports = [ ];
system.stateVersion = "23.05";
system.autoUpgrade.enable = false;
system.switch = {
enable = true;
enableNg = true;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."peerix/private" = {
sopsFile = ./secrets/peerix.yaml;
mode = "0400";
owner = config.users.users.nobody.name;
group = config.users.users.nobody.group;
};
sops.secrets."wg_privkey" = {
sopsFile = ./secrets/wg_privkey.yaml;
};
sops.secrets."wg_preshared/mediabox" = {
sopsFile = ../common/secrets/wg_preshared.yaml;
};
nix = {
optimise.automatic = true;
gc.automatic = true;
gc.options = "--delete-older-than 7d";
package = pkgs.nixVersions.latest;
settings = {
experimental-features = [
"nix-command"
"flakes"
];
trusted-users = [ "akill" "root" ];
};
};
boot = {
initrd = {
compressor = "zstd";
availableKernelModules = [ "e1000e" ];
network = {
enable = true;
udhcpc.enable = true;
ssh = {
enable = true;
hostKeys = [ /etc/ssh_dummy_ed25519_key ];
authorizedKeys = [ (builtins.readFile ../nixy/ssh_pubkey) ];
};
};
};
kernelModules = [ "acpi_call" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelParams = [ "msr.allow_writes=on" ];
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
loader.systemd-boot = {
editor = false;
enable = true;
memtest86.enable = true;
};
readOnlyNixStore = true;
supportedFilesystems = [ "btrfs" ];
tmp.useTmpfs = true;
};
security = {
rtkit.enable = true;
allowSimultaneousMultithreading = true;
sudo.enable = true;
doas.enable = true;
doas.extraRules = [
{
users = [ USER ];
keepEnv = true;
persist = true;
}
];
};
powerManagement = {
enable = true;
};
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
80
443
51820
8020
];
};
hostName = "mediabox";
interfaces.enp0s25.useDHCP = true;
interfaces.wlp3s0.useDHCP = false;
useDHCP = false;
wireless.enable = false;
wireless.interfaces = [ "wlp3s0" ];
nameservers = [
"127.0.0.1"
"::1"
];
dhcpcd.extraConfig = "nohook resolv.conf";
extraHosts = ''
192.168.1.173 nixy.lan
192.168.88.171 jellyfin.mediabox.lan
192.168.88.171 jellyseerr.mediabox.lan
192.168.88.171 mediabox.lan
192.168.88.171 qbittorrent.mediabox.lan
192.168.88.1 router.lan
192.168.88.231 workstation.lan
192.168.88.121 ender.lan
'';
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.5/24" ];
privateKeyFile = config.sops.secrets."wg_privkey".path;
peers = [
{
publicKey = builtins.readFile ../magpie/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared/mediabox".path;
allowedIPs = [ "10.100.0.0/24" ];
endpoint = "5.75.229.224:51820";
persistentKeepalive = 25;
}
];
};
};
};
time.timeZone = "Europe/Sarajevo";
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [ nvim.overlays.${system}.overlay ];
environment = {
homeBinInPath = true;
variables = {
PATH = "$HOME/.cargo/bin";
};
};
programs = {
steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = false;
localNetworkGameTransfers.openFirewall = true;
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
appimage = {
enable = true;
binfmt = true;
};
nix-ld = {
enable = false;
libraries = with pkgs; [
stdenv.cc.cc.lib
zlib
];
};
zsh.enable = true;
firejail.enable = true;
};
# List services that you want to enable:
systemd = {
services = {
"zremap@" = {
enable = true;
restartIfChanged = true;
serviceConfig.Nice = -20;
unitConfig = {
Description = "zremap on %I";
ConditionPathExists = "%I";
};
serviceConfig = {
Type = "simple";
ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
};
};
"wakeonlan" = {
description = "Reenable wake on lan every boot";
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.ethtool}/sbin/ethtool -s enp0s25 wol m";
};
wantedBy = [
"default.target"
"suspend.target"
"shutdown.target"
];
};
};
coredump.enable = false;
extraConfig = ''
DefaultTimeoutStartSec=30s
DefaultTimeoutStopSec=30s
'';
};
services = {
acpid.enable = true;
btrfs.autoScrub.enable = true;
dbus.enable = true;
dbus.implementation = "broker";
envfs.enable = true;
fstrim.enable = true;
fwupd.enable = true;
ntp.enable = true;
openssh.enable = true;
openssh.settings.PermitRootLogin = "yes";
thinkfan.enable = false;
xrdp = {
enable = true;
defaultWindowManager = "icewm";
openFirewall = true;
};
logind = {
lidSwitch = "ignore";
};
jellyfin = {
enable = false;
user = "akill";
openFirewall = true;
};
jellyseerr = {
enable = false;
openFirewall = true;
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
avahi = {
enable = false;
nssmdns4 = false;
openFirewall = true;
};
libinput.enable = true;
xserver = {
enable = true;
dpi = 144;
desktopManager.xterm.enable = false;
desktopManager.plasma5.bigscreen.enable = true;
#desktopManager.plasma6.enable = true;
displayManager = {
lightdm.enable = false;
startx.enable = true;
sddm.enable = true;
sddm.wayland.enable = true;
};
windowManager.i3.enable = false;
};
udev = {
packages = [ ];
extraRules = ''
#zremap on new keyboard
ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
'';
};
tlp = {
enable = false;
};
batteryNotifier = {
enable = false;
notifyCapacity = 20;
suspendCapacity = 10;
};
actkbd = {
enable = true;
bindings = [
{
keys = [ 115 ];
events = [ "key" ];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
}
{
keys = [ 114 ];
events = [
"key"
"rep"
];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
}
{
keys = [ 113 ];
events = [
"key"
"rep"
];
command = "XDG_RUNTIME_DIR=/run/user/$(id -u ${USER}) ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
}
{
keys = [ 224 ];
events = [ "key" ];
command = "${pkgs.light}/bin/light -U 5";
}
{
keys = [ 225 ];
events = [ "key" ];
command = "${pkgs.light}/bin/light -A 5";
}
];
};
dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
http3 = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
journald.extraConfig = ''
SystemMaxUse=50M
'';
logind.extraConfig = ''
KillUserProcesses=yes
'';
};
fonts = {
fontconfig = {
cache32Bit = true;
allowBitmaps = true;
useEmbeddedBitmaps = true;
defaultFonts = {
monospace = [ "JetBrainsMono" ];
};
};
packages = with pkgs; [
dejavu_fonts
dina-font
fira-code
fira-code-symbols
font-awesome_6
inconsolata
iosevka
jetbrains-mono
liberation_ttf
libertine
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
noto-fonts-emoji
proggyfonts
siji
terminus_font
terminus_font_ttf
ubuntu_font_family
vistafonts
];
};
virtualisation = {
podman = {
enable = false;
autoPrune.enable = true;
dockerCompat = true;
};
};
hardware = {
bluetooth = {
enable = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
graphics = {
enable = true;
extraPackages = [ ];
};
};
zramSwap = {
enable = false;
algorithm = "zstd";
};
users.users.${USER} = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [
"wheel"
"tty"
"audio"
"sound"
];
openssh.authorizedKeys.keys = [
(builtins.readFile ../nixy/ssh_pubkey)
];
};
users.users.ado = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [
"wheel"
"tty"
"audio"
"sound"
];
};
users.users.mediauser = {
isNormalUser = true;
shell = pkgs.bash;
extraGroups = [ ];
};
}
Reference in New Issue View Git Blame Copy Permalink