{
config,
lib,
pkgs,
username,
...
}:
let
hostName = "nixurtur";
tailnet = "tail530c7.ts.net";
in
{
imports = [
  # Include the results of the hardware scan.
  ./hardware-configuration.nix
  # Disk layout (and whatever encryption this host has) is declared here,
  # not in this file -- read it before judging the boot-menu choices below.
  ./disko-config.nix
  # ./modules/podman.nix
  # Shared modules. Several services are *enabled* in these and only tuned
  # in this file (tailscale is, per the comment on services.tailscale below;
  # dnscrypt-proxy2, sanoid and presumably sshd policy too), so their
  # defaults are not visible here.
  ../../modules/base.nix
  ../../modules/dnscrypt.nix
  ../../modules/firejail.nix
  # ../../modules/waydroid.nix
  ../../modules/sanoid.nix
  ../../modules/zram.nix
  # Host-local promtail module; the inline template in `sops.templates`
  # below is an older, commented-out copy of its config.
  ./modules/promtail/promtail.nix
];
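sops = {
  # Every secret below is decrypted with the host's SSH ed25519 key: anyone
  # able to read /etc/ssh/ssh_host_ed25519_key can read all of them. No GnuPG
  # identities are used and no age key is generated on the host.
  defaultSopsFile = ./secrets.yaml;
  gnupg.sshKeyPaths = [ ];
  age = {
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    generateKey = false;
  };

  # Account password hashes; neededForUsers makes them available early
  # enough for users.users.*.hashedPasswordFile.
  secrets.rootPassphrase = {
    neededForUsers = true;
  };
  secrets.usrPassphrase = {
    neededForUsers = true;
  };

  # dnscrypt-proxy inputs. All three restart dnscrypt-proxy2.service on
  # change and are owned by the dnscrypt-proxy account so the daemon can
  # read them (sops-nix otherwise installs secrets as root:root 0400).
  # used as "cloaking_rules"
  secrets.extraHosts = {
    owner = "dnscrypt-proxy";
    group = "dnscrypt-proxy";
    restartUnits = [ "dnscrypt-proxy2.service" ];
  };
  # This is the one actually referenced by
  # services.dnscrypt-proxy2.settings.forwarding_rules below. Fix: it had no
  # owner/group, unlike its two siblings, so it was installed root:root and
  # unreadable by the daemon if that runs as dnscrypt-proxy (which the
  # sibling settings imply). It now matches them.
  secrets.dnscrypt-proxy-forwardingRules = {
    sopsFile = lib.mkForce ./secrets.yaml;
    owner = "dnscrypt-proxy";
    group = "dnscrypt-proxy";
    restartUnits = [ "dnscrypt-proxy2.service" ];
  };
  secrets.dnscrypt-proxy-cloaked = {
    owner = "dnscrypt-proxy";
    group = "dnscrypt-proxy";
    restartUnits = [ "dnscrypt-proxy2.service" ];
  };

  # NOTE(review): the root-owned `sopsFile` secret is re-rendered verbatim as
  # a template owned by the unprivileged desktop account, i.e. that account
  # gets a readable copy of whatever `sopsFile` holds. If it is a sops/age
  # private key, that account can decrypt the repository's secrets; confirm
  # this exposure is intended.
  secrets.sopsFile.owner = "root";
  templates.sopsFile = {
    owner = config.users.users."${username}".name;
    content = ''
      ${config.sops.placeholder.sopsFile}
    '';
  };

  # Cross-host secret from the shared net.yaml; only promtail consumes it.
  secrets.domainName = {
    sopsFile = ../../secrets/net.yaml;
    restartUnits = [ "promtail.service" ];
  };
  # secrets."attic/netrc" = {};
  # secrets."wireless.env" = {};
  templates = {
    # Superseded by ./modules/promtail/promtail.nix; kept for reference.
    #promtail.content = ''
    # server:
    # http_listen_port: 28183
    # grpc_listen_port: 0
    # positions:
    # filename: /tmp/positions.yaml
    # clients:
    # - url: https://logs.${config.sops.placeholder.domainName}/loki/api/v1/push
    # tenant_id: fakeorg
    # backoff_config:
    # min_period: 1000ms
    # max_period: 10s
    # max_retries: 10000
    # scrape_configs:
    # - job_name: journal
    # journal:
    # max_age: 168h
    # labels:
    # job: systemd-journal
    # relabel_configs:
    # - source_labels: ["__journal__systemd_unit"]
    # target_label: "unit"
    # - source_labels: ['__journal__hostname']
    # target_label: nodename
    # - source_labels: ['__journal_syslog_identifier']
    # target_label: syslog_identifier
    # # drop these because of excessive logging
    # - action: drop
    # regex: '.*tailscale.*'
    # source_labels: ['__journal__systemd_unit', 'unit']
    # - action: drop
    # regex: '.*zfs-zed.*'
    # source_labels: ['__journal__systemd_unit', 'unit', 'syslog_identifier']
    # - action: drop
    # regex: '.*zed.*'
    # source_labels: ['__journal__systemd_unit', 'unit', 'syslog_identifier']
    #'';
  };
};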
# nixpkgs.currentSystem = "x86_64-linux";
nix.settings = {
  # SECURITY: Nix trusted users are effectively root-equivalent -- they may
  # hand the daemon arbitrary substituters, builders and sandbox settings and
  # import unsigned store paths. This grants that to root, the whole wheel
  # group and the primary account (already a wheel member, see users.*).
  trusted-users = [
    "@wheel"
    "root"
    "${username}"
  ];
  # Signing key of the "infra" binary cache. Paths signed with it are
  # accepted without rebuild, so this key is part of the trust boundary.
  extra-trusted-public-keys = [ "infra:Ge7J2D669WFh1t1JFUye4Jd65MBbM1ej22KwGhi/tlc=" ];
  # netrc-file = config.sops.secrets."attic/netrc".path;
  # Sole remote x86_64 builder, reached as root over SSH via the `caelum`
  # alias in programs.ssh.extraConfig. Whatever it produces is trusted as-is.
  builders = lib.mkForce "ssh://caelum x86_64-linux";
};
boot = {
  consoleLogLevel = 3;
  kernelParams = [
    # "thinkpad_acpi.fan_control=1"
    # "spl.spl_hostid=deadb33f"
    "psmouse.synaptics_intertouch=1"
    "consoleblank=600"
    ## forbid hibernation due to zfs-on-root --> no need to manually specify
    ## this as NixOS does adds by default when booting from zfs.
    # "nohibernate" #
    "systemd.log_level=notice"
    "rd.udev.log_level=3"
    "udev.log_priority=3"
    # SECURITY: relaxes the i915 default so unprivileged processes may open
    # GPU performance-counter streams. The kernel gates this behind a
    # privileged default for information-exposure reasons; keep it only while
    # a profiler actually needs it.
    "i915.perf_stream_paranoid=0"
    # "boot.shell_on_fail"
  ];
  # kernelPackages = pkgs.linuxPackages_6_12;
  kernelPackages = pkgs.linuxPackages_6_17;
  # kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  # Use the systemd-boot EFI boot loader.
  loader = {
    timeout = 7;
    efi.canTouchEfiVariables = true;
    systemd-boot = {
      enable = true;
      configurationLimit = 75;
      # Both add extra boot-menu entries. netboot.xyz can load arbitrary
      # images from the network, so anyone at the console during the 7 s
      # menu can boot something other than this system; how much that
      # matters depends on the disk encryption in disko-config.nix.
      netbootxyz.enable = true;
      memtest86.enable = true;
    };
  };
  plymouth.enable = false;
  tmp.useTmpfs = true;

  supportedFilesystems = [ "zfs" ];
  # Import the root pool even if its last importer was a different host id.
  zfs.forceImportRoot = true;
  initrd.kernelModules = [ "zfs" ];
  # initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "thinkpad_acpi" ];
  kernelModules = [ "kvm-intel" ];

  # Foreign binaries of these systems run under user-mode emulation.
  binfmt.emulatedSystems = [
    "wasm32-wasi"
    "aarch64-linux"
  ];
};
#sound = {
# enable = true;
# mediaKeys = {enable = true;};
#};
# hardware.pulseaudio.enable = false;
# Fonts for the sway desktop: Noto for text/emoji, Nerd-patched monospace
# faces for terminals and bars.
fonts.packages = with pkgs; [
  # font-awesome
  # google-fonts
  noto-fonts
  # XXX: deprecated in 24.11
  # noto-fonts-cjk
  noto-fonts-cjk-sans
  # noto-fonts-emoji
  noto-fonts-color-emoji
  fira-code
  cascadia-code
  material-design-icons
  nerd-fonts.fira-code
  nerd-fonts.iosevka
  nerd-fonts.jetbrains-mono
  nerd-fonts.caskaydia-cove
  # XXX 2505
  #(nerdfonts.override {
  # fonts = ["FiraCode" "JetBrainsMono" "CascadiaCode" "Iosevka"];
  #})
];
fonts.enableDefaultPackages = true;
fonts.fontDir.enable = true;
fonts.fontconfig = {
  enable = true;
  defaultFonts = {
    monospace = [
      "FiraCode Nerd Font"
      "Iosevka"
      "CascadiaCode"
    ];
    sansSerif = [ "Noto Sans" ];
    serif = [ "Noto Serif" ];
    emoji = [ "Noto Color Emoji" ];
  };
};
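environment = {
  # Hardened allocators were tried (graphene-hardened, scudo) and backed
  # out; "libc" means no allocator-level mitigations beyond glibc's own.
  # memoryAllocator.provider = "graphene-hardened"; # default is libc, alt scudo.
  # memoryAllocator.provider = "scudo"; # default is libc, alt scudo.
  memoryAllocator.provider = "libc";
  # noXlibs = true; # graphical stuff breaks...
  etc = {
    # Session list offered by greetd/tuigreet (services.greetd below).
    "greetd/environments".text = ''
      sway
    '';
    "walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg".source =
      ../../walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg;
    "walls/PIA06254.jpg".source = ../../walls/PIA06254.jpg;
    "walls/PIA20522enceladus.jpg".source = ../../walls/PIA20522enceladus.jpg;
  };
  variables = {
    EDITOR = "vim";
    VISUAL = "vim";
    MOZ_ENABLE_WAYLAND = "1";
    NIXOS_OZONE_WL = "1";
    # Keep unfree packages opt-in for ad-hoc nix-shell / nix run.
    NIXPKGS_ALLOW_UNFREE = "0";
    TERMINAL = "kitty";
    WLR_NO_HARDWARE_CURSORS = "1";
    XCURSOR_SIZE = "20";
    XDG_CURRENT_DESKTOP = "sway";
    XDG_SESSION_TYPE = "wayland";
    _JAVA_AWT_WM_NONREPARENTING = "1";
  };
  # Fix: cyberchef, skim and sshpass were each listed twice. Duplicates are
  # harmless to buildEnv but hide real changes in diffs; they are dropped.
  systemPackages =
    with pkgs;
    #let jupyterWithStuff = jupyter.override {
    # definitions = {
    # python3 = let
    # env = pypy39.withPackages(ps: with ps; [
    # pip
    # notebook
    # ipython
    # numpy
    # matplotlib
    # # matplotlib-venn
    # pandas
    # seaborn
    # scipy
    # ]);
    # #python3.withPackages(ps: with ps; [
    # # pip
    # # notebook
    # # ipython
    # # numpy
    # # matplotlib
    # # # matplotlib-venn
    # # # pypy3.pkgs.matplotlib_venn
    # # pandas
    # # seaborn
    # # scipy
    # # ]);
    # in {
    # displayName = "Python 3";
    # argv = [
    # "${env.interpreter}"
    # "-m"
    # "ipykernel_launcher"
    # "-f"
    # "{connection_file}"
    # ];
    # language = "python";
    # logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png";
    # logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png";
    # # extraLibs = with pypy3.
    # packagesExtra = [
    #"https://files.pythonhosted.org/packages/ca/e8/53441d7feb29ab10de3bd46c05358c41f0ba2f57395e88ffbb62d6b69df3/matplotlib-venn-0.11.6.tar.gz"
    #];
    # };
    # };
    #};
    let
      # Unused unless `pp` is re-added to the list below.
      pp = python3.withPackages (
        ps: with ps; [
          xlsxgrep
        ]
      );
      # Offensive / forensic tooling, installed system-wide on a daily-driver
      # laptop. Several of these (responder, thc-hydra, sqlmap, ssh-mitm,
      # iodine, proxychains) are dual-use: run them only against systems you
      # are authorised to test, and expect network defenders to flag their
      # traffic. They are plain store paths (no setuid), so having them
      # installed grants no extra privilege by itself.
      secPkgs = [
        wireshark
        wireshark-cli
        chainsaw
        topgrade
        vulnix # scans the store against CVE data -- keep it in the loop
        hexdino
        hexd
        pixd
        hexyl
        hex
        pwntools
        subfinder
        plecost # wordpress fingerprinter
        rsbkb
        thc-hydra
        ghidra
        # ghidra-extensions.machinelearning
        # ghidra-extensions.gnudisassemble
        gdb
        strace
        ltrace
        bpftrace
        sigma-cli
        zircolite # sigma-based detection tool for evtx, auditd and sysmon
        unicorn # qemu-based instruction emulator
        cyberchef
        spike
        aflplusplus
        iodine
        # rarcrack
        unar
        crunch
        binocle
        sqlmap
        unhide
        elf-info
        trufflehog
        autopsy
        enum4linux
        smbmap
        smbscan
        smbcrawler
        ntlm-challenger
        responder # fake SQLserver, etc...
        proxychains
      ];
    in
    secPkgs
    ++ [
      home-manager
      openssl
      thinkfan
      libinput
      dmidecode
      fwupd
      incron
      bridge-utils
      wol
      vim
      git
      fio
      yaegi
      wireguard-tools
      wget
      curl
      w3m
      kitty
      starship
      zellij
      fastfetch
      fzf
      fzy # a better fuzzy finder
      skim # a command-line fuzzy finder written in Rust
      ddh # a fast duplicate file finder
      docfd # a multiline fuzzy document finder
      zf # a fuzzy finder that prioritizes matches on filenames
      fuzzel
      ripgrep-all # provides rga with support for pdfs, zip files and such.
      nodePackages.json-diff
      httpx
      pandoc
      zoxide
      # takes passwords on argv/env, visible in `ps` and shell history -- prefer keys.
      sshpass
      brave
      # firefox-wayland
      firefox
      # XXX: deprecated in 24.11
      # go_1_21
      # go_1_23
      go_1_25
      rustc
      cargo
      sccache
      # jupyterWithStuff
      python3.pkgs.pip
      python3.pkgs.numpy
      python3.pkgs.pandas
      # pp
      keepassxc
      # bitwarden
      bitwarden-desktop
      bitwarden-cli
      rbw
      rofi-rbw-wayland
      pinentry-curses # a dep of rbw. can also use pinentry (gtk2?).
      bsd-finger
      # poppler_utils
      poppler-utils
      logger # syslog client
      zbar
      qrencode
      # flatpak
      # thunderbird
      # evolution
      aerc
      libreoffice
      # kdeconnect
      quickemu
      virt-manager
      remmina
      # trilium-desktop
      # gnome's archive manager.
      file-roller
      ioztat
      pciutils
      sysfsutils
      lshw
      sanoid
      hdparm
      turbovnc
      powershell
      perl
      exiftool
      exiflooter
      msgviewer # convert .msg to .eml
      libpst # read outlook profile files
      lychee
      notcurses
      gnat15 # contains `strings` and other useful commands.
      localsend
      rquickshare
      #openldap
      #python3.pkgs.python-ldap
      #gsasl
      # python-ldap build deps
      openldap.dev
      cyrus_sasl.dev
      ssh-audit
      sshchecker
      ssh-key-confirmer
      ssh-mitm
      sshesame
      pssh
      ssh-to-age
      rusty-diceware
      pwgen
      pwgen-secure
      signalbackup-tools
      picard
      termsonic
      feishin
      minicom
      sshfs
      nvme-cli
      qbittorrent
      gnome-online-accounts-gtk
      switcheroo # image converter
      darktable
      sdcv # console version of StarDict
    ];
};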
networking = {
  # Stable host id (ZFS ties pool ownership to it; see boot.zfs.forceImportRoot).
  # hostId = pkgs.lib.mkForce "00000000";
  hostId = "d34dbe3f";
  hostName = "nixurtur";
  nftables.enable = true;
  networkmanager.enable = true;
  # DNS: neither NetworkManager nor dhcpcd may write resolv.conf; every lookup
  # goes to the local dnscrypt-proxy on loopback (dnscrypt.nix, sops secrets).
  networkmanager.dns = "none";
  dhcpcd.extraConfig = "nohook resolv.conf";
  nameservers = [
    "127.0.0.1"
    "::1"
  ];
  resolvconf.dnsSingleRequest = true;
  resolvconf.extraOptions = [
    "ndots:1"
    # trust_ad makes libc believe the AD bit. Acceptable only because the
    # resolver is on loopback, so nothing on the path can set it for us.
    "trust_ad"
    "attempts:10"
    "timeout:1"
    "rotate"
  ];
  # interfaces.enp0s25.wakeOnLan.enable = true;
  # Hosts-file blocklist (adware/malware by default, plus these categories).
  stevenblack.enable = true;
  stevenblack.block = [
    "fakenews"
    "gambling"
  ];
  firewall = {
    allowPing = true;
    ## spice
    # allowedTCPPortRanges = [
    # { from = 5900; to = 5999; }
    # ];
    # SECURITY: this switches the reverse-path (anti-spoofing) check off
    # entirely, and with it logReversePathDrops below has nothing to log.
    # If the "root issue" is asymmetric routing over tailscale/wireguard, the
    # narrower fix is checkReversePath = "loose" -- presumably what the
    # tailscale module itself requests once routing features are on; confirm.
    checkReversePath = lib.mkForce false; # FIXME: fix the root issue instead.
    logReversePathDrops = true;
    logRefusedConnections = true;
    # Traffic arriving on these interfaces bypasses the firewall completely:
    # every libvirt guest on virbr0 and every tailnet peer on tailscale0 can
    # reach any service listening on this host, and with
    # services.tailscale.useRoutingFeatures = "both" (below) can also be
    # forwarded onward by it.
    trustedInterfaces = [
      "virbr0"
      # "bro"
      "tailscale0"
    ];
  };
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  #wireless.networks = {
  # "@homewlan_ssid@" = {
  # psk = "@homewlan_psk@";
  # };
  #};
};
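users.users = {
  root = {
    shell = pkgs.zsh;
    # Root login over SSH is accepted for these keys. The three *nixbldr*
    # keys belong to other hosts' build accounts, so a compromise of caelum,
    # surtur or loki is a root shell here; a dedicated unprivileged builder
    # user, or a `command="..."` restriction on the key, would narrow that.
    # sshd policy itself (PermitRootLogin etc.) is not set in this file --
    # presumably in the imported base module.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5u4sBsu4ZpVRHJ9J2CfQ4JoojsdfsS0WzaFgiMCOe5 loki's nixbldr key"
    ];
    # Fix: the yescrypt hash was previously inlined here, which puts it into
    # git history and into the world-readable Nix store -- an offline
    # cracking target. It now comes from the sops secret declared above
    # (neededForUsers = true), the same way the user account already does.
    # Treat the previously committed hash as exposed and rotate the
    # passphrase when updating secrets.yaml.
    hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
    subUidRanges = [
      {
        count = 65535;
        startUid = 65536 * 28; # 1835008, docker
      }
    ];
  };
  "${username}" = {
    isNormalUser = true;
    createHome = true;
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrlXIj3oWbWrFUZnhccd/uqM2D/yRiKOEwfD6xbngJ7 syncoid pull backups"
    ];
    hashedPasswordFile = config.sops.secrets.usrPassphrase.path;
    # Privilege notes: wheel = sudo (and nix trusted-users); docker is
    # root-equivalent whenever the daemon is enabled (it is off below);
    # libvirtd can attach host disks/devices to VMs; wireshark gets packet
    # capture via programs.wireshark; dialout/adbusers give raw serial and
    # Android device access.
    extraGroups = [
      "systemd-journal"
      "wheel"
      "networkmanager"
      "audio"
      "camera"
      "kvm"
      "lp"
      "scanner"
      "video"
      "console"
      "dialout"
      "docker"
      "libvirtd"
      "render"
      "adbusers"
      "wireshark"
      # "dbus"
    ];
    autoSubUidGidRange = true;
    #subUidRanges = [
    # {
    # count = 65535;
    # startUid = 65536 * 29;
    # }
    #];
    #subGidRanges = [
    # {
    # count = 65535;
    # startGid = 65536 * 29;
    # }
    #];
  };
  # group = "${username}";
};
# users.users."${username}".group = "${username}";
users.groups."${username}" = { };
# Redundant with the "wheel" entry in extraGroups above; harmless.
users.groups.wheel.members = [ "${username}" ];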
# Flake registry: `nixpkgs` resolves to GitHub nixos/nixpkgs with no ref or
# rev, so ad-hoc `nix run nixpkgs#...` fetches whatever is current rather
# than the system's pinned input.
nix.registry.nixpkgs.to = {
  type = "github";
  owner = "nixos";
  repo = "nixpkgs";
};
# services.xserver.enable = true;
# services.xserver.displayManager.gdm.enable = true;
# # services.xserver.displayManager.defaultSession = "plasmawayland";
# services.xserver.displayManager.defaultSession = "sway";
# services.xserver.desktopManager = {
# xterm.enable = false;
# # xfce.enable = true;
# # gnome.enable = true;
# plasma5.enable = true;
# };
# environment.plasma5.excludePackages = with pkgs.libsForQt5; [
# elisa
# gwenview
# okular
# oxygen
# khelpcenter
# konsole
# # plasma-browser-integration
# print-manager
# ];
# Qt theming to match the GTK/adwaita desktop.
qt.enable = true;
qt.platformTheme = "gnome";
qt.style = "adwaita-dark";
programs = {
  # adb: the adbusers group (see users) gets Android device access.
  adb.enable = true;
  cfs-zen-tweaks.enable = true;
  dconf.enable = true;
  # GnuPG agent for signing/encryption only; SSH keys are served by the
  # OpenSSH agent (ssh.startAgent) instead.
  gnupg.agent = {
    enable = true;
    # pinentryFlavor = "curses"; # or "gnome3"
    pinentryPackage = pkgs.pinentry-curses;
    enableSSHSupport = false;
  };
  ssh.startAgent = true;
  # System-wide ssh_config entry for the remote builder (nix.settings.builders).
  # It logs in as root over the tailnet with a key from ${username}'s home;
  # host-key verification relies on the usual known_hosts handling, nothing
  # stricter is spelled out here.
  ssh.extraConfig = ''
    Host caelum
    Hostname caelum.${tailnet}
    User root
    IdentityFile /home/${username}/.ssh/surtur
  '';
  kdeconnect.enable = true;
  #sway = {
  # enable = false;
  # wrapperFeatures.gtk = true;
  # package = pkgs.swayfx;
  # # systemd.enable = true;
  # # checkConfig = false;
  # # config = null; # clean slate
  #};
  # captive-browser.enable = true;
  chromium = {
    enable = true;
    extensions = [
      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
    ];
    # Managed policies. Sign-in, sync and the built-in password manager are
    # off; DoH is mandatory ("secure" = no cleartext fallback).
    # NOTE(review): "NameServer" is not a Chromium policy name I recognise --
    # the DoH resolver is normally supplied via DnsOverHttpsTemplates, and an
    # unknown key is simply ignored. Check chrome://policy for which of these
    # keys are actually honoured.
    # Trade-offs made here: MetricsReportingEnabled = true sends telemetry,
    # SafeBrowsingProtectionLevel = 0 disables Safe Browsing entirely.
    extraOpts = {
      "BrowserSignin" = 0;
      "SyncDisabled" = true;
      "PasswordManagerEnabled" = false;
      "BuiltInDnsClientEnabled" = false;
      "DnsOverHttpsMode" = "secure";
      "MetricsReportingEnabled" = true;
      "SafeBrowsingProtectionLevel" = 0;
      "ShowFullUrlsInAddressBar" = 1;
      "NameServer" = "https://dns.dotya.ml/dns-query";
      # disable punycode.
      "DisableIdnEncoding" = true;
      "SpellcheckEnabled" = true;
      "SpellcheckLanguage" = [
        "en-GB"
        "en-US"
        "en"
      ];
      "CloudPrintSubmitEnabled" = false;
    };
  };
  corectrl.enable = true;
  # macOS compatibility;
  # darling.enable = true;
  # direnv executes .envrc files from checked-out repositories once allowed;
  # review before `direnv allow` on untrusted clones.
  direnv.enable = true;
  # not needed since 25.11
  # file-roller.enable = true;
  firefox = {
    enable = true;
    # package = pkgs.firefox-wayland;
    package = pkgs.firefox;
    # https://mozilla.github.io/policy-templates/
    #extraPolicies = {
    # DisableFirefoxStudies = true;
    # DisablePocket = true;
    #};
    nativeMessagingHosts.packages = with pkgs; [
      tridactyl-native
    ];
  };
  gnome-disks.enable = true;
  seahorse.enable = true;
  nano.enable = false;
  vim.defaultEditor = true;
  # nm-applet.enable = true;
  # Installs a privileged capture helper usable by the wireshark group.
  wireshark.enable = true;
  wshowkeys.enable = true;
};
security = {
  # doas stays disabled; the rule is reference material only and would grant
  # ${username} persistent, environment-preserving root if re-enabled.
  doas = {
    enable = false;
    extraRules = [
      {
        users = [ "${username}" ];
        keepEnv = true; # Optional, retains environment variables while running commands
        persist = true; # Optional, only require password verification a single time
      }
    ];
  };
  sudo = {
    enable = true;
    # Password-less power management for wheel. sudoers matches the argument
    # list literally, so `systemctl suspend` cannot be turned into another
    # systemctl verb, and the absolute store paths keep PATH out of it.
    extraRules = [
      {
        commands = [
          {
            command = "${pkgs.systemd}/bin/systemctl suspend";
            options = [ "NOPASSWD" ];
          }
          {
            command = "${pkgs.systemd}/bin/reboot";
            options = [ "NOPASSWD" ];
          }
          {
            command = "${pkgs.systemd}/bin/poweroff";
            options = [ "NOPASSWD" ];
          }
        ];
        groups = [ "wheel" ];
      }
    ];
  };
  pam.services = {
    # Registers a PAM service so swaylock can verify the user's password.
    swaylock = { };
    # NOTE(review): fprintAuth is forced on for login/xscreensaver although
    # services.fprintd is commented out below (NixOS normally derives this
    # flag from services.fprintd.enable). Without the daemon pam_fprintd can
    # only fail and fall through to the next module -- either enable fprintd
    # or drop these two lines.
    login.fprintAuth = true;
    login.enableGnomeKeyring = true;
    xscreensaver.fprintAuth = true;
  };
  polkit.enable = true;
  # rtkit: realtime scheduling requests, used by pipewire.
  rtkit.enable = true;
};
# ext4 zvol, technically important but not enough to fall to emergency shell.
# One comma-joined string is equivalent to three list entries here: NixOS
# joins the options list with commas when writing fstab.
fileSystems."/home/${username}/.local/share/atuin".options = [
  "x-systemd.device-timeout=20s,x-systemd.mount-timeout=30s,nofail"
];
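systemd.services = {
  zfs-zed.serviceConfig = {
    LogLevelMax = "notice";
    # Fix: systemd's StandardOutput= does not take a bare path -- "/dev/null"
    # is rejected ("Failed to parse output specifier") and ignored, so stdout
    # kept going to the journal. "null" is the documented spelling and
    # matches StandardError below. Be aware this hides zed's pool-event
    # output from the journal; if you want those kept, rely on LogLevelMax
    # alone and drop these two lines.
    StandardOutput = lib.mkForce "null";
    StandardError = lib.mkForce "null";
  };
  tailscaled.serviceConfig = {
    LogLevelMax = "notice";
    # StandardOutput = "null";
    # stdout goes to /var/log/tailscaled/stdout.log (%L = /var/log), owned
    # via LogsDirectory. Nothing here rotates that file.
    LogsDirectory = "tailscaled";
    StandardOutput = "append:%L/stdout.log";
  };
  # Fix: the upstream unit already carries an ExecStart=, and for a oneshot
  # service an additional ExecStart= line is *appended*, not substituted, so
  # nm-online still ran before /bin/true. The empty first entry emits a bare
  # "ExecStart=" that resets the list first. (Equivalent intent:
  # systemd.services.NetworkManager-wait-online.enable = false;)
  NetworkManager-wait-online.serviceConfig.ExecStart = [
    ""
    "${pkgs.coreutils}/bin/true"
  ];
  #promtail = {
  # description = "Promtail service for Loki";
  # wantedBy = ["multi-user.target"];
  # serviceConfig = {
  # ExecStart = ''
  # ${pkgs.grafana-loki}/bin/promtail --config.file ${config.sops.templates.promtail.path}
  # '';
  # };
  #};
};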
services = {
  # fprintd.enable = true;
  # fprintd.tod.enable = true;
  # fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090;
  #vsftpd = {
  # enable = false;
  # anonymousUser = true;
  # anonymousMkdirEnable = true;
  #};
  atd.enable = true;
  gnome.gcr-ssh-agent.enable = lib.mkForce false;
  logind = {
    # XXX: deprecated in 25.11
    #lidSwitch = "ignore";
    #lidSwitchDocked = "ignore";
    #extraConfig = "HandlePowerKey=suspend";
    settings.Login = {
      # don't shutdown when power button is short-pressed; lid events are
      # ignored too (the lock/suspend policy lives in the sway session).
      HandleLidSwitch = "ignore";
      HandleLidSwitchDocked = "ignore";
      HandlePowerKey = "ignore";
    };
  };
  # Enables Wake-on-LAN (magic packet) on every wired en* interface as it
  # appears, so anyone on the local segment can wake the machine.
  udev.extraRules = ''
    # wol
    ACTION=="add", SUBSYSTEM=="net", NAME=="en*", RUN+="${pkgs.ethtool}/bin/ethtool -s $name wol g"
  '';
  # Smart-card daemon (yubikey/PIV etc.).
  pcscd.enable = true;
  pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    wireplumber.enable = true;
  };
  gnome = {
    # XXX: deprecated in 24.11
    # gnome.tracker.enable = false;
    tinysparql.enable = false;
    gnome-keyring.enable = true;
    # optional to use google/nextcloud calendar
    gnome-online-accounts.enable = true;
    # optional to use google/nextcloud calendar
    evolution-data-server.enable = true;
    gnome-settings-daemon.enable = true;
  };
  gvfs.enable = true;
  printing.enable = true;
  geoclue2.enable = true; # geolocation.
  blueman.enable = true;
  dbus.enable = true;
  # dnscrypt-proxy2 is enabled in the imported dnscrypt.nix; this only points
  # it at the sops-managed forwarding rules. The daemon has to be able to
  # read that path, so check the secret's owner/group matches the account it
  # runs as.
  # dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.extraHosts.path;
  # dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.dnscrypt-proxy-cloaked.path;
  dnscrypt-proxy2.settings.forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;
  # Flatpak apps ship their own runtimes, outside what vulnix sees in the store.
  flatpak.enable = true;
  fstrim.enable = true;
  fwupd.enable = true;
  greetd = {
    enable = true;
    settings = {
      # 25.11 renamed
      # ${pkgs.greetd.tuigreet}/bin/tuigreet \
      default_session.command = ''
        ${pkgs.tuigreet}/bin/tuigreet \
        --time \
        --asterisks \
        --user-menu \
        --cmd sway
      '';
    };
  };
  power-profiles-daemon.enable = true;
  #tlp.enable =
  # lib.mkDefault ((lib.versionOlder (lib.versions.majorMinor lib.version) "23.11")
  # || !config.services.power-profiles-daemon.enable);
  #auto-cpufreq.enable = true;
  #auto-cpufreq.settings = {
  # battery = {
  # governor = "powersave";
  # turbo = "never";
  # };
  # charger = {
  # governor = "schedutil";
  # turbo = "auto";
  # };
  #};
  # Disabled as a whole. If re-enabled, node_exporter on :9100 would be
  # reachable from the trusted interfaces (virbr0, tailscale0) unless bound
  # explicitly -- the listenAddress line below is the right place.
  prometheus = {
    enable = false;
    exporters = {
      node = {
        enable = true;
        enabledCollectors = [
          "logind"
          "systemd"
          "sysctl"
          "network_route"
          "zfs"
        ];
        disabledCollectors = [
          "arp"
          "tapestats"
        ];
        port = 9100;
      };
      smartctl = {
        enable = true;
        # listenAddress = "nixurtur.${tailnet}";
        devices = [ "/dev/sda" ];
      };
    };
  };
  # Local ZFS snapshots every 5 minutes -- the recovery path for mistakes and
  # ransomware-style damage, as long as root is not also compromised.
  sanoid = {
    enable = true;
    interval = "*:0/5";
    datasets = {
      "zroot/userdata" = {
        useTemplate = [ "frequent" ];
        recursive = "zfs";
      };
      "zroot/system/nixos" = {
        useTemplate = [ "production" ];
        recursive = "zfs";
      };
      "zroot/local/nix" = {
        useTemplate = [ "production" ];
      };
      #"zroot/local/home/mko/xper" = {
      # useTemplate = ["production"];
      #};
    };
  };
  # Runs as the desktop user. openDefaultPorts opens the sync/discovery
  # ports (22000 tcp+udp, 21027 udp) on all non-trusted interfaces too; the
  # web UI stays on loopback.
  syncthing = {
    enable = true;
    openDefaultPorts = true;
    dataDir = "/home/${username}/sync";
    configDir = "/home/${username}/.config/syncthing";
    user = "${username}";
    group = "${username}";
    guiAddress = "127.0.0.1:8384";
  };
  # TS is enabled in the imported module, this is additional config.
  # "both" turns on IP forwarding so this laptop can act as subnet router /
  # exit node and also accept routes from peers. Together with tailscale0
  # being a trusted interface that is a lot of routing capability for a
  # mobile machine; "client" is the narrower choice if it never advertises.
  tailscale = {
    useRoutingFeatures = "both";
    # accept-routes = true;
  };
  zfs = {
    autoScrub = {
      enable = true;
      interval = "weekly";
    };
    trim.enable = true;
  };
  # systemd-lock-handler.enable = true;
};
# virtualisation.virtualbox.host.enable = true;
# virtualisation.virtualbox.host.enableHardening = true;
# users.extraGroups.vboxusers.members = [ "mko" ];
virtualisation = {
  # libvirt for VMs; members of the libvirtd group (see users) get full
  # control, including attaching host disks and devices to guests.
  libvirtd.enable = true;
  # useSecureBoot = true;
  # useBootLoader = true; # allows for testing of bootloader.
  # Docker is off. The storage driver is kept so re-enabling it uses ZFS;
  # note the docker group membership above becomes root-equivalent the
  # moment this is switched on.
  docker = {
    enable = false;
    storageDriver = "zfs";
  };
};
#virtualisation.docker.daemon.settings = {userns-remap = "dockremap:dockremap";};
## rootless.
#virtualisation.docker.rootless = {
# enable = true;
# setSocketVariable = true;
#};
#users.users.dockremap = {
# isNormalUser = false;
# isSystemUser = true;
# createHome = false;
# shell = pkgs.zsh;
# extraGroups = [
# "docker"
# ];
# subUidRanges = [
# {
# count = 65535;
# startUid = 65536 * 30;
# }
# ];
# subGidRanges = [
# {
# count = 65535;
# startGid = 65536 * 30;
# }
# ];
#};
#users.users.dockremap.group = "dockremap";
#users.groups.dockremap = {};
# Early-loaded Intel microcode (the CPU-side half of the Spectre/MDS-class
# mitigations) plus redistributable firmware for wifi/bt/gpu, and MCE logging.
hardware.cpu.intel.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
hardware.mcelog.enable = true;
hardware.bluetooth = {
  enable = true;
  # HSP & HFP daemon (apparently needs to be false now because of wire plumber)
  hsphfpd.enable = false;
  settings.General.Enable = "Source,Sink,Media,Socket";
};
hardware.graphics = {
  # Mesa
  enable = true;
  # XXX: deprecated in 24.11
  # driSupport = true;
  extraPackages = with pkgs; [
    libva-vdpau-driver # renamed in 25.11 from vaapiVdpau
    libvdpau-va-gl
  ];
};
# PulseAudio proper is replaced by pipewire-pulse (services.pipewire.pulse).
services.pulseaudio.enable = false;
# Desktop portals for the sway (wlroots) session: wlr serves screen
# capture/sharing requests, gtk the file choosers and the rest. Per
# xdg-desktop-portal's portals.conf semantics the earlier entry wins when
# both implement an interface.
xdg.portal.enable = true;
xdg.portal.wlr.enable = true;
xdg.portal.config.common.default = [
  # "gtk"
  "wlr"
  "gtk"
];
#xdg.portal.extraPortals = with pkgs; [
# xdg-desktop-portal-wlr
# xdg-desktop-portal-gtk
#];
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# Does not work with flakes - yet™.
# Deliberately off: with flakes the configuration lives in the repository,
# and a copy in the (world-readable) store would also expose anything that
# happens to be inlined here.
system.copySystemConfiguration = false;
# system.stateVersion = lib.mkForce "23.11";
}