infra/nix/hosts/z/configuration.nix
2026-01-05 23:09:19 +01:00


# NixOS system configuration for the host "z", written as a module function
# over the `config`, `lib` and `pkgs` arguments.
{
config,
lib,
pkgs,
...
}: let
# Tailscale tailnet DNS suffix; used below to build the exporters' listen addresses.
tailnet = "tail530c7.ts.net";
# Primary interactive account; reused for trusted-users, group membership and Syncthing.
usr = "wan";
# Host name; inherited into networking.hostName and the exporters' listen addresses.
hostName = "z";
in {
# Modules merged into this host's configuration. The contents of the shared
# modules under ../../modules are not visible from this file.
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# NOTE(review): the `let ... in with username;` wrapper looks like a no-op: the
# body is a plain path literal, so nothing is ever looked up in `username` and
# the element should evaluate to ./disko-config.nix. Confirm and simplify, so a
# reader does not assume the user name is being passed into the disk layout.
(let username = "${usr}"; in with username; ./disko-config.nix)
./modules/promtail/promtail.nix
../../modules/base.nix
../../modules/dnscrypt.nix
../../modules/firejail.nix
# ../../modules/waydroid.nix
../../modules/sanoid.nix
../../modules/zram.nix
];
# sops-nix secret management: which file to decrypt, with which key, and who
# may read each decrypted secret.
sops = {
defaultSopsFile = ./secrets.yaml;
# No SSH keys are imported as GnuPG keys; decryption relies on age only.
gnupg.sshKeyPaths = [];
age = {
# The age identity is derived from the host's ed25519 SSH host key, so that
# private key is also what protects every secret declared below.
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
generateKey = false;
};
secrets = {
# neededForUsers asks sops-nix to decrypt these early enough to be used while
# user accounts are being set up (e.g. as a hashedPasswordFile).
rootPassphrase = {neededForUsers = true;};
wanPassphrase = {neededForUsers = true;};
dnscrypt-proxy-forwardingRules = {
sopsFile = lib.mkForce ./secrets.yaml;
restartUnits = ["dnscrypt-proxy2.service"];
};
dnscrypt-proxy-cloaked = {
#owner = "dnscrypt-proxy";
#group = "dnscrypt-proxy";
# Owner and group follow whatever user the dnscrypt-proxy2 unit is configured to run as.
owner = config.systemd.services.dnscrypt-proxy2.serviceConfig.User;
group = config.systemd.services.dnscrypt-proxy2.serviceConfig.User;
restartUnits = ["dnscrypt-proxy2.service"];
};
# NOTE(review): this declares a secret literally named `sopsFile`; it is easy
# to misread as the per-secret `sopsFile` option used above. Consider renaming.
sopsFile.owner = "root";
};
# NOTE(review): this template renders the root-owned `sopsFile` secret into a
# file owned by the `wan` user, which makes the secret readable by that account.
# Confirm that this widening of access is intended.
templates.sopsFile = {
owner = config.users.users.wan.name;
content = ''
${config.sops.placeholder.sopsFile}
'';
};
secrets.domainName = {
sopsFile = ../../secrets/net.yaml;
restartUnits = ["promtail.service"];
};
# Credentials file handed to Nix as `netrc-file` in nix.settings.
secrets."attic/netrc" = {};
# secrets."wireless.env" = {};
};
# nixpkgs.currentSystem = "x86_64-linux";
# Nix daemon settings.
# NOTE(review): trusted-users may override substituters and other daemon
# settings, which is effectively root-equivalent on this machine. "@wheel"
# already covers `usr` (added to wheel in users.groups), so listing it again
# adds nothing; keep this list as short as possible.
nix.settings.trusted-users = ["@wheel" "root" usr];
# Credentials for authenticated binary caches come from the sops-managed
# "attic/netrc" secret instead of a file in the repository.
nix.settings.netrc-file = config.sops.secrets."attic/netrc".path;
# Boot configuration: kernel, boot loader, ZFS root and the networked initrd
# with an SSH server (used to reach the machine before the root pool is up).
boot = {
enableContainers = true;
consoleLogLevel = 3;
kernelParams = [
# "spl.spl_hostid=deadb33f"
# Brings the network up via DHCP in early boot; needed by the initrd SSH server below.
"ip=dhcp"
"i915.enable_guc=2" # for 9th GPU generation and upwards, likely skylake.
"psmouse.synaptics_intertouch=1"
"consoleblank=600"
## forbid hibernation due to zfs-on-root --> no need to manually specify
## this, as NixOS adds it by default when booting from zfs.
# "nohibernate" #
"systemd.log_level=notice"
"rd.udev.log_level=3"
"udev.log_priority=3"
# "boot.shell_on_fail"
];
# kernelPackages = pkgs.linuxPackages_6_12;
kernelPackages = pkgs.linuxPackages_6_17;
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernel.sysctl = {
# NOTE(review): 0 lets unprivileged processes open i915 performance streams
# (GPU profiling without extra privileges). Confirm that profiling is still
# needed; otherwise leave the kernel default in place.
"dev.i915.perf_stream_paranoid" = 0;
};
loader = {
timeout = 7;
# Use the systemd-boot EFI boot loader.
# NOTE(review): `editor` is not set in this block; unless an imported module
# sets it, the NixOS default leaves the boot-entry editor enabled, so anyone
# at the console can change the kernel command line. Consider `editor = false;`.
systemd-boot = {
enable = true;
configurationLimit = 75;
# Adds a netboot.xyz boot entry, i.e. a menu item that loads further code
# over the network. Worth keeping only if it is actually used.
netbootxyz.enable = true;
memtest86.enable = true;
};
efi.canTouchEfiVariables = true;
};
plymouth.enable = false;
tmp.useTmpfs = true;
tmp.cleanOnBoot = true;
supportedFilesystems = ["zfs"];
# NOTE(review): forces the root pool to import even if it looks in use by
# another system. networking.hostId is set in this file, so this can probably
# be turned off - confirm on a test boot first.
zfs.forceImportRoot = true;
kernelModules = ["zfs" "i915" "kvm-intel" "r8169" "br_netfilter"];
initrd = {
kernelModules = ["zfs" "i915" "r8169"];
# initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "thinkpad_acpi" ];
availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "r8169" "igb" "e1000e" "i915" ];
network = {
# This will use udhcp to get an ip address.
# Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
# so your initrd can load it!
# Static ip addresses might be configured using the ip argument in kernel command line:
# https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
enable = true;
# SSH server that runs inside the initrd, before the real system starts.
# Anyone holding one of the authorized keys gets a shell in that early
# environment, so this list is part of the machine's trust boundary.
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# hostKeys paths must be unquoted strings, otherwise you'll run into issues with boot.initrd.secrets
# the keys are copied to initrd from the path specified; multiple keys can be set
# you can generate any number of host keys using
# `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key`
# hostKeys = [/root/.initrd-ssh_host_ed25519_key];
# Dedicated initrd host key, separate from /etc/ssh/ssh_host_ed25519_key.
# NOTE(review): the initrd is stored unencrypted on the boot partition, so
# treat this key as lower-trust and never reuse the main host key here.
hostKeys = [ /etc/secrets/initrd/ssh_host_ed25519_key ];
# NOTE(review): hostKeys is non-empty above, so this escape hatch looks
# unnecessary; dropping it would make a missing key a visible error - confirm.
ignoreEmptyHostKeys = true;
# NOTE(review): the second key also appears in the root and wan
# authorized_keys lists in this file; a key dedicated to early-boot access
# would limit what a single compromised client key can reach.
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODmLwtQj6ylgdTPo1/H5jW7jsLzwaCTGdIsTQAdc896"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
];
};
};
};
# extraModprobeConfig = "options kvm_amd nested=1";
# Registers binfmt handlers so binaries for these foreign targets run through emulation.
binfmt = {
emulatedSystems = [
"wasm32-wasi"
"aarch64-linux"
];
};
};
# System-wide memory allocator. The hardened alternatives below are left
# commented out; the plain libc allocator is what is active.
# environment.memoryAllocator.provider = "graphene-hardened"; # default is libc, alt scudo.
# environment.memoryAllocator.provider = "scudo"; # default is libc, alt scudo.
environment.memoryAllocator.provider = "libc";
# environment.noXlibs = true; # graphical stuff breaks...
# Wallpapers installed under /etc/walls from files kept next to this configuration.
environment.etc = {
"walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg".source = ./walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg;
"walls/PIA06254.jpg".source = ./walls/PIA06254.jpg;
"walls/PIA20522enceladus.jpg".source = ./walls/PIA20522enceladus.jpg;
};
#sound = {
# enable = true;
# mediaKeys = {enable = true;};
#};
# System fonts: packaged families, the shared font directory and the
# fontconfig defaults for each generic family.
fonts.enableDefaultPackages = true;
fonts.fontDir.enable = true;
fonts.packages = with pkgs; [
  # font-awesome
  # google-fonts
  noto-fonts
  # XXX: deprecated in 24.11
  # noto-fonts-cjk
  noto-fonts-cjk-sans
  # noto-fonts-emoji
  noto-fonts-color-emoji
  fira-code
  cascadia-code
  material-design-icons
  nerd-fonts.fira-code
  nerd-fonts.iosevka
  nerd-fonts.jetbrains-mono
  nerd-fonts.caskaydia-cove
  # XXX 2505
  #(nerdfonts.override {
  #  fonts = ["FiraCode" "JetBrainsMono" "CascadiaCode" "Iosevka"];
  #})
];
fonts.fontconfig = {
  enable = true;
  # Preferred families, first match wins.
  defaultFonts = {
    monospace = ["FiraCode Nerd Font" "Iosevka" "CascadiaCode"];
    sansSerif = ["Noto Sans"];
    serif = ["Noto Serif"];
    emoji = ["Noto Color Emoji"];
  };
};
# Session-wide environment variables and the packages installed for every user.
environment = {
variables = {
EDITOR = "vim";
VISUAL = "vim";
MOZ_ENABLE_WAYLAND = "1";
NIXOS_OZONE_WL = "1";
# Keeps unfree packages switched off for commands that read this variable.
NIXPKGS_ALLOW_UNFREE = "0";
TERMINAL = "kitty";
WLR_NO_HARDWARE_CURSORS = "1";
# XCURSOR_SIZE = "24";
XCURSOR_SIZE = "20";
# XDG_CURRENT_DESKTOP = "sway";
XDG_SESSION_TYPE = "wayland";
GDK_BACKEND = "wayland";
_JAVA_AWT_WM_NONREPARENTING = "1";
};
# Everything listed here lands in every user's PATH, so the list is also the
# host's installed-software inventory; prune entries that are no longer used.
systemPackages = with pkgs;
[
home-manager
openssl
libinput
dmidecode
fwupd
incron
bridge-utils
moreutils # moar better
wol
vim
helix
ranger
# zed-editor
git
fio
viddy # watch reimplementation
intel-gpu-tools
# XXX: renamed in 24.11
# onevpl-intel-gpu
vpl-gpu-rt
passage # pass w/ support for age encryption
pass-wayland
# passExtensions.pass-tomb
btrfs-progs
ntfs3g
cryptsetup
squashfsTools
sasquatch
libguestfs
gphoto2fs
# gnome's archive manager.
file-roller
httm # zfs time machine-like tool
htmlq # like jq, but for html
# httplz # a basic http server for hosting a folder
htmldoc # convert html to postscript and pdf
# http-prompt # An interactive command-line HTTP client featuring autocomplete and syntax highlighting
wireguard-tools
wget
curl
inetutils # telnet
httpx
traceroute
dublin-traceroute
mtr # a network diagnostic tool
kitty
starship
zellij
zoxide
ripgrep-all # provides rga with support for pdfs, zip files and such.
fzf
fzy # a better fuzzy finder
skim # a command-line fuzzy finder written in Rust
ddh # a fast duplicate file finder
docfd # a multiline fuzzy document finder
zf # a fuzzy finder that prioritizes matches on filenames
# NOTE(review): `skim` is already listed a few lines above; one entry is enough.
skim # a rust fuzzy finder
fuzzel
nodePackages.json-diff
pandoc
fastfetch
freshfetch
ghfetch
brave
firefox # renamed from firefox-wayland in 25.11
w3m
lynx
# go_1_23
go_1_25
rustc
cargo
sccache
python3.pkgs.pip
python3.pkgs.numpy
python3.pkgs.pandas
keepassxc
# bitwarden # XXX: issues on 2505
bitwarden-cli
rbw
rofi-rbw-wayland
pinentry-curses # a dep of rbw. can also use pinentry (gtk2?).
bsd-finger
# poppler_utils
poppler-utils
zbar
qrencode
flatpak
# drawio
libreoffice
# XXX: renamed in 24.11
# kdeconnect
# plasma5Packages.kdeconnect-kde
quickemu
virt-manager
remmina
# NOTE(review): sshpass supplies SSH passwords non-interactively, which tends
# to leave them in scripts, shell history or the environment; prefer key-based
# authentication wherever the remote side allows it.
sshpass
ssh-audit
sshchecker
ssh-key-confirmer
ssh-mitm
sshesame
pssh
ssh-to-age
localsend
lychee
notcurses
msgviewer # convert .msg to .eml
libpst # read outlook profile files
cmatrix
# qbittorrent
immich-go
sdcv # console version of StarDict
tmux
tmate
circumflex # hackernews in the terminal
obfs4 # tor client-bridge transport mechanism
sysstat
ioztat # storage load analysis for openzfs
turbovnc
pciutils
libva-utils
];
};
# Keyboard layout used on the virtual console.
console.keyMap = "uk";
# Host networking: identity, local-only DNS resolution, ad/tracker blocking
# via the StevenBlack hosts list, and the nftables-based firewall.
networking = {
# hostId = pkgs.lib.mkForce "00000000";
hostId = "de47b33f";
inherit hostName;
# hostName = "z";
nftables.enable = true;
networkmanager.enable = true;
# NetworkManager and dhcpcd are both told not to manage resolv.conf, so the
# loopback resolvers listed under `nameservers` stay the only ones in use.
networkmanager.dns = "none";
dhcpcd.extraConfig = "nohook resolv.conf";
nameservers = [
"127.0.0.1"
"::1"
];
resolvconf.dnsSingleRequest = true;
resolvconf.extraOptions = [
"single-request-reopen"
"attempts:5"
"timeout:5"
# "rotate"
"ndots:1"
# Sets RES_NOCHECKNAME in _res.options, which disables the modern BIND
# checking of incoming hostnames and mail names for invalid characters such
# as underscore (_), non-ASCII, or control characters.
"no-check-names"
# Makes the stub resolver trust the AD (DNSSEC-validated) bit in replies.
# That is only sound while every configured nameserver is the local
# validating resolver, as is the case with the loopback addresses above.
"trust-ad"
];
# interfaces.enp0s25.wakeOnLan.enable = true;
stevenblack.enable = true;
stevenblack.block = ["fakenews" "gambling"];
firewall = {
allowPing = true;
# NOTE(review): with reverse-path filtering forced off, packets with a
# spoofed source address are no longer dropped on ingress. If strict mode
# breaks Tailscale or libvirt routing, "loose" is a narrower workaround
# than disabling the check entirely.
checkReversePath = lib.mkForce false; # FIXME: fix the root issue instead.
logReversePathDrops = true;
logRefusedConnections = true;
# NOTE(review): traffic arriving on a trusted interface bypasses the
# firewall completely, so every libvirt guest on virbr0 and every tailnet
# peer (subject to tailnet ACLs) can reach every listening service on this
# host. Prefer per-interface allowed ports if only a few services are needed.
trustedInterfaces = [
"virbr0"
# "bro"
"tailscale0"
];
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
#wireless.networks = {
# "@homewlan_ssid@" = {
# psk = "@homewlan_psk@";
# };
#};
};
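# Login accounts for this host. Both accounts take their password hash from a
# sops-managed file, so no hash is stored in the repository or the Nix store.
users.users = {
  root = {
    shell = pkgs.zsh;
    # NOTE(review): the keys labelled "nixbldr" grant interactive root login.
    # If they exist only for remote builds, a dedicated unprivileged build
    # user would follow least privilege more closely.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5u4sBsu4ZpVRHJ9J2CfQ4JoojsdfsS0WzaFgiMCOe5 loki's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
    ];
    # The hash is read from the `rootPassphrase` sops secret (declared with
    # neededForUsers) instead of being written here as a literal. An inline
    # hashedPassword ends up in the repository and in the world-readable Nix
    # store, where it can be attacked offline; the previously inlined hash
    # should be treated as exposed and the root password rotated.
    # The secret must hold a password *hash* (e.g. produced by mkpasswd),
    # not the clear-text passphrase.
    hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
    autoSubUidGidRange = true;
  };
  wan = {
    isNormalUser = true;
    createHome = true;
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrlXIj3oWbWrFUZnhccd/uqM2D/yRiKOEwfD6xbngJ7 syncoid pull backups"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
    ];
    hashedPasswordFile = config.sops.secrets.wanPassphrase.path;
    # Several of these groups carry real privilege: wheel (sudo), libvirtd and
    # kvm (virtual machines), wireshark (packet capture), adbusers (USB
    # debugging) and systemd-journal (all system logs). Drop any that this
    # account no longer needs.
    extraGroups = [
      "systemd-journal"
      "wheel"
      "networkmanager"
      "kvm"
      "lp"
      "scanner"
      "libvirtd"
      "render"
      "adbusers"
      "wireshark"
    ];
    autoSubUidGidRange = true;
    group = usr;
  };
};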
# Groups: the primary group of the `wan` account, and wheel membership for
# the main user (wheel is the group granted sudo in the security block).
users.groups.wan = {};
users.groups.wheel.members = [usr];
# Flake registry: resolve the `nixpkgs` alias to the nixos/nixpkgs repository on GitHub.
nix.registry.nixpkgs.to = {
  type = "github";
  owner = "nixos";
  repo = "nixpkgs";
};
# # services.xserver.displayManager.defaultSession = "plasmawayland";
# services.xserver.displayManager.defaultSession = "sway";
# services.xserver.desktopManager = {
# xterm.enable = false;
# # xfce.enable = true;
# # gnome.enable = true;
# plasma5.enable = true;
# };
# Qt theming so Qt applications follow the GNOME look with a dark Adwaita style.
qt.enable = true;
qt.platformTheme = "gnome"; # gnome/kde
qt.style = "adwaita-dark";
# Per-program NixOS modules: browsers and their managed policies, the GnuPG
# agent, and assorted desktop and developer tools.
programs = {
adb.enable = true;
# https://nixos.wiki/wiki/Appimage
# Registers a binfmt handler so AppImage files can be executed directly.
appimage.binfmt = true;
# responsiveness over 9000.
cfs-zen-tweaks.enable = true;
dconf.enable = true;
gnupg.agent = {
enable = true;
# pinentryFlavor = "curses"; # or "gnome3"
pinentryPackage = pkgs.pinentry-curses;
enableSSHSupport = false;
};
# ssh.startAgent = true;
kdeconnect.enable = true;
gphoto2.enable = true;
# enabled in home-manager
# captive-browser.enable = true;
# Managed policies applied to Chromium-based browsers.
chromium = {
enable = true;
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
];
extraOpts = {
"BrowserSignin" = 0;
"SyncDisabled" = true;
"PasswordManagerEnabled" = false;
"BuiltInDnsClientEnabled" = false;
"DnsOverHttpsMode" = "secure";
# NOTE(review): "NameServer" does not look like a Chromium policy name; the
# DoH resolver is normally set through "DnsOverHttpsTemplates". Unknown
# policy keys are ignored, so verify in chrome://policy that DoH really
# uses the intended resolver.
"NameServer" = "https://dns.dotya.ml/dns-query";
"MetricsReportingEnabled" = false; # was true?
# NOTE(review): level 0 turns Safe Browsing off, removing the browser's
# built-in phishing and malware-download warnings. Level 1 (standard)
# keeps them; confirm that disabling them is a deliberate privacy trade-off.
"SafeBrowsingProtectionLevel" = 0;
"ShowFullUrlsInAddressBar" = 1;
# disable punycode.
# NOTE(review): could not confirm "DisableIdnEncoding" as a recognised
# policy name - check chrome://policy. If the aim is to defend against
# look-alike (homograph) domains, displaying punycode is the safer direction.
"DisableIdnEncoding" = true;
"SpellcheckEnabled" = true;
"SpellcheckLanguage" = [
"en-GB"
"en-US"
"en"
];
"CloudPrintSubmitEnabled" = false;
# ref: https://chromeenterprise.google/policies/#ExtensionManifestV2Availability
"ExtensionManifestV2Availability" = 2; # 2 = Manifestv2 is enabled.
};
};
corectrl.enable = true;
# macOS compatibility;
# darling.enable = true;
direnv.enable = true;
# deprecated in 25.11
# file-roller.enable = true;
firefox = {
enable = true;
# package = pkgs.firefox-wayland;
package = pkgs.firefox;
# https://mozilla.github.io/policy-templates/
#extraPolicies = {
# DisableFirefoxStudies = true;
# DisablePocket = true;
#};
preferences = {
# "widget.use-xdg-desktop-portal.file-picker" = 1;
"extensions.pocket.enabled" = false;
# "privacy.fingerprintingProtection" = true;
# "privacy.trackingprotection.enabled" = true;
"privacy.trackingprotection.socialtracking.enabled" = true;
"gfx.webrender.all" = true;
"gfx.webrender.compositor" = true;
# Keep the HTTP cache in memory only, so nothing is written to disk.
"browser.cache.disk.enable" = false;
"browser.cache.memory.enable" = true;
"browser.cache.memory.max_entry_size" = 51200;
"devtools.cache.disabled" = true;
"network.dns.echconfig.enabled" = true;
# ideally should be 2.
# NOTE(review): mode 5 means DNS-over-HTTPS is switched off by choice, so
# the custom_uri below has no effect and Firefox resolves through the
# system resolver (the local resolver configured under networking).
"network.trr.mode" = 5;
"network.trr.custom_uri" = "https://dns.dotya.ml/dns-query";
"network.trr.excluded-domains" = "example.com";
"network.http.http3.enable_kyber" = true; # PQ.
"security.tls.enable_kyber" = true; # PQ.
};
nativeMessagingHosts.packages = with pkgs; [
tridactyl-native
];
};
gnome-disks.enable = true;
seahorse.enable = true;
nano.enable = false;
vim.defaultEditor = true;
nm-applet.enable = true;
# Members of the `wireshark` group may capture traffic without being root.
wireshark.enable = true;
# NOTE(review): wshowkeys reads raw input events and displays keystrokes on
# screen; keep it enabled only while it is needed for demos or recordings.
wshowkeys.enable = true;
};
# Privilege escalation and authentication: sudo, PAM, polkit and rtkit.
security = {
sudo = {
enable = true;
# Only members of wheel may execute the sudo binary at all, which limits
# who can reach bugs in sudo itself (CVE-2021-3156-style exploits).
execWheelOnly = true;
# for wheel and root, kitty likes this.
keepTerminfo = true;
#extraConfig = ''
# Defaults lecture=always
# Defaults lecture_file=${./misc/groot.txt}
#'';
# Password-less sudo for wheel, limited to these three power commands. Each
# entry is an absolute store path, so it cannot be redirected through PATH.
extraRules = [
{
commands = [
{
command = "${pkgs.systemd}/bin/systemctl suspend";
options = ["NOPASSWD"];
}
{
command = "${pkgs.systemd}/bin/reboot";
options = ["NOPASSWD"];
}
{
command = "${pkgs.systemd}/bin/poweroff";
options = ["NOPASSWD"];
}
];
groups = ["wheel"];
}
];
};
pam.services = {
# swaylock = {};
# login.fprintAuth = true;
# Unlocks the GNOME keyring with the login password at sign-in.
login.enableGnomeKeyring = true;
# xscreensaver.fprintAuth = true;
};
polkit.enable = true;
rtkit.enable = true;
};
# Overrides for units that are defined elsewhere.
systemd.services = {
# NOTE(review): both output streams of the ZFS event daemon are discarded;
# confirm that pool fault and scrub events are still reported through another
# channel before relying on this.
zfs-zed.serviceConfig = {
LogLevelMax = "notice";
# StandardOutput = lib.mkForce "/dev/null";
StandardOutput = lib.mkForce "null";
StandardError = lib.mkForce "null";
};
# tailscaled's stdout is appended to stdout.log inside its LogsDirectory.
# NOTE(review): no rotation is configured here, so the file grows without bound
# unless something else rotates it.
tailscaled.serviceConfig = {
LogLevelMax = "notice";
# StandardOutput = "null";
LogsDirectory = "tailscaled";
StandardOutput = "append:%L/stdout.log";
};
# The wait-online check is replaced by `true`, so it returns immediately;
# units ordered after network-online.target may therefore start before the
# network is actually usable.
NetworkManager-wait-online.serviceConfig.ExecStart = "${pkgs.coreutils}/bin/true";
};
# System services: desktop session, audio, printing, monitoring exporters,
# ZFS snapshots, file sync and VPN routing.
services = {
atd.enable = true;
fstrim.enable = true;
# deprecated in 25.11
#logind = {
# lidSwitch = "ignore";
# lidSwitchDocked = "ignore";
# extraConfig = "HandlePowerKey=suspend";
#};
# 25.11
logind.settings.Login = {
# don't shut down or suspend on lid close or a short press of the power button.
HandleLidSwitch = "ignore";
HandlePowerKey = "ignore";
};
# nixos-cli.enable = true;
# Enables magic-packet Wake-on-LAN on every en* interface as it appears.
# Magic packets are unauthenticated, so any host on the same L2 segment can
# power the machine on.
udev.extraRules = ''
# wol
ACTION=="add", SUBSYSTEM=="net", NAME=="en*", RUN+="${pkgs.ethtool}/bin/ethtool -s $name wol g"
'';
pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
wireplumber.enable = true;
};
gnome.gnome-keyring.enable = true;
# gnome.tracker.enable = false;
gnome.tinysparql.enable = false;
gvfs.enable = true;
printing.enable = true;
# printing.enable = false;
geoclue2.enable = true; # geolocation.
blueman.enable = true;
dbus.enable = true;
# dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.dnscrypt-proxy-cloaked.path;
# Forwarding rules are read from the decrypted sops secret rather than the Nix store.
dnscrypt-proxy2.settings.forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;
flatpak.enable = true;
#greetd = {
# enable = true;
# settings = {
# default_session.command = ''
# ${pkgs.greetd.tuigreet}/bin/tuigreet \
# --time \
# --asterisks \
# --user-menu \
# --cmd sway
# '';
# };
#};
power-profiles-daemon.enable = true;
prometheus = {
# Only the Prometheus server is disabled here; the exporters below are
# separate services and stay enabled.
enable = false;
exporters = {
# NOTE(review): exporters serve metrics without authentication by default.
# They listen on the host's tailnet name, and tailscale0 is a trusted
# firewall interface, so any tailnet peer allowed by the tailnet ACLs can
# read them. Binding to a DNS name also presumably needs that name to
# resolve when the service starts - confirm.
node = {
enable = true;
enabledCollectors = [
"logind"
"systemd"
"sysctl"
"network_route"
"zfs"
];
disabledCollectors = [
"arp"
"tapestats"
];
listenAddress = "${hostName}.${tailnet}";
port = 9100;
};
smartctl = {
enable = true;
listenAddress = "${hostName}.${tailnet}";
devices = ["/dev/nvme0n1"];
};
};
};
pulseaudio = {
enable = false;
# extraModules = [ pkgs.pulseaudio-modules-bt ];
};
# Periodic ZFS snapshots; the templates named here are presumably defined in
# the imported sanoid module - verify.
sanoid = {
enable = true;
interval = "*:0/5";
datasets = {
"zroot/userdata" = {
useTemplate = ["frequent"];
# recursive = "zfs";
recursive = true;
};
"zroot/system/nixos" = {
useTemplate = ["production"];
# recursive = "zfs";
recursive = true;
};
"zroot/local/nix" = {
useTemplate = ["production"];
};
};
};
# Syncthing runs as the main user. openDefaultPorts opens its sync and
# discovery ports in the firewall; the web GUI stays on loopback only.
syncthing = {
enable = true;
openDefaultPorts = true;
dataDir = "/home/${usr}/sync";
configDir = "/home/${usr}/.config/syncthing";
user = usr;
group = usr;
guiAddress = "127.0.0.1:8384";
};
SystemdJournal2Gelf = {
enable = false;
# NOTE(review): the tailnet suffix is spelled out here instead of using the
# `tailnet` binding from the top of the file.
graylogServer = "loki.tail530c7.ts.net:12201";
};
# TS is enabled in the imported module, this is additional config.
# NOTE(review): "both" sets the host up to act as a subnet router/exit node as
# well as to use routes from others; if this machine never forwards traffic
# for other nodes, "client" is the narrower setting.
tailscale = {
useRoutingFeatures = "both";
# accept-routes = true;
};
libinput.enable = true;
displayManager.defaultSession = "gnome";
xserver = {
enable = true;
displayManager.gdm = {
enable = true;
banner = ''
The mystery of life isn't a problem to solve, but a reality to experience
'';
autoSuspend = false;
};
desktopManager = {
gnome.enable = true;
# plasma6.enable = true;
kodi = {
enable = true;
package = pkgs.kodi-wayland.withPackages (p: with p; [
jellyfin
jellycon
pvr-iptvsimple
vfs-sftp
youtube
inputstream-adaptive
inputstream-ffmpegdirect
]);
};
};
};
zfs = {
trim.enable = true;
autoScrub = {
enable = true;
interval = "monthly";
};
};
};
# Virtualisation back ends: libvirt for virtual machines, Podman for containers.
virtualisation = {
  libvirtd.enable = true;
  # useSecureBoot = true;
  # useBootLoader = true; # allows for testing of bootloader.
  podman.enable = true;
  # podman.storageDriver = "zfs";
};
# Hardware enablement: CPU microcode, firmware, Bluetooth and Intel graphics.
hardware = {
# Ship Intel microcode updates, which carry CPU errata and security fixes.
cpu.intel.updateMicrocode = true;
enableRedistributableFirmware = true;
mcelog.enable = true;
bluetooth = {
enable = true;
# HSP & HFP daemon (apparently needs to be false now because of wire plumber)
hsphfpd.enable = false;
settings = {General = {Enable = "Source,Sink,Media,Socket";};};
};
intel-gpu-tools.enable = true;
# XXX: deprecated in 24.11
# opengl = {
graphics = {
# Mesa
enable = true;
# Vulkan
# XXX: deprecated in 24.11
# driSupport = true;
# extraPackages = with pkgs; [
# vaapiVdpau
# libvdpau-va-gl
# ];
# extraPackages = [
# pkgs.amdvlk
# ];
extraPackages = with pkgs; [
vpl-gpu-rt # for newer GPUs on NixOS >24.05 or unstable
# onevpl-intel-gpu # for newer GPUs on NixOS <= 24.05
intel-media-driver
# intel-media-sdk # for older GPUs
];
};
};
# Desktop portals (the brokers desktop applications use for file pickers and
# screen capture): the wlroots and GNOME backends.
xdg.portal.enable = true;
xdg.portal.wlr.enable = true;
xdg.portal.extraPortals = [
  pkgs.xdg-desktop-portal-wlr
  # pkgs.xdg-desktop-portal-gtk
  pkgs.xdg-desktop-portal-gnome
];
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# Does not work with flakes - yet™. Kept disabled here.
system.copySystemConfiguration = false;
# system.stateVersion = lib.mkForce "23.11";
}