surtur
10243fe4eb
meaning reencrypt shared secrets to the new key... also, make use of nixos-hardware's module for t14
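{
  config,
  lib,
  pkgs,
  ...
}: {
  # Host configuration for "t14": ZFS-on-root laptop running a sway/Wayland
  # desktop. Shared policy (sshd, tailscale, dnscrypt-proxy, ...) lives in the
  # imported modules under ../../modules and is only adjusted here.
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disko-config.nix

    # ./modules/podman.nix

    ../../modules/base.nix
    ../../modules/dnscrypt.nix
  ];

  sops = {
    defaultSopsFile = ./secrets.yaml;
    age = {
      # Secrets are decrypted with the host's own SSH key and no separate age
      # key is generated, so the host key doubles as the secret-decryption key
      # (the commit message says the shared secrets were re-encrypted to it).
      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
      generateKey = false;
    };

    # Both passphrase secrets are meant for users.users.*.hashedPasswordFile.
    # sops-nix only makes a secret available before the users/groups
    # activation step when neededForUsers is set (the file is then placed
    # under /run/secrets-for-users and .path follows); without it the file is
    # missing when the account is created on first boot. Secrets flagged this
    # way must stay owned by root.
    secrets.rootPassphrase = {
      owner = "root";
      neededForUsers = true;
    };
    secrets.mkoPassphrase = {
      owner = "root";
      neededForUsers = true;
    };
    # used as "cloaking_rules"
    # NOTE(review): assumes a static "dnscrypt-proxy" user is declared in
    # ../../modules/dnscrypt.nix; sops-nix cannot chown a secret to a user
    # that does not exist at activation time — verify against that module.
    secrets.extraHosts.owner = "dnscrypt-proxy";
  };

  # nixpkgs.currentSystem = "x86_64-linux";
  # trusted-users is root-equivalent towards the nix daemon (extra
  # substituters, unsigned store paths, ...). "@wheel" already covers mko; the
  # explicit entry is redundant but harmless.
  nix.settings.trusted-users = ["@wheel" "root" "mko"];

  # forbid hibernation due to zfs-on-root.
  boot.kernelParams = ["amd_pstate=active" "nohibernate"];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.configurationLimit = 42;
  boot.loader.systemd-boot.netbootxyz.enable = false;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.supportedFilesystems = ["zfs"];
  # Force-import the root pool even if it was last imported under a different
  # hostid (see networking.hostId below).
  boot.zfs.forceImportRoot = true;

  boot.initrd.kernelModules = ["zfs" "e1000e"];

  boot.binfmt = {
    emulatedSystems = [
      "wasm32-wasi"
      "aarch64-linux"
    ];
  };

  environment.etc = {
    # Session list offered by greetd/tuigreet.
    "greetd/environments".text = ''
      sway
    '';
    "walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg".source = ./walls/2020-August-11-Churning-Clouds-on-Jupiter.jpg;
  };

  sound = {
    enable = true;
    mediaKeys = {enable = true;};
  };
  # PipeWire (below) provides the PulseAudio interface.
  hardware.pulseaudio.enable = false;

  fonts = {
    packages = with pkgs; [
      # font-awesome
      # google-fonts
      noto-fonts
      noto-fonts-cjk
      noto-fonts-emoji
      fira-code
      cascadia-code
      (nerdfonts.override {
        fonts = ["FiraCode" "JetBrainsMono" "CascadiaCode"];
      })
    ];

    enableDefaultPackages = true;
    fontDir.enable = true;

    fontconfig = {
      enable = true;
      defaultFonts = {
        monospace = ["FiraCode Nerd Font"];
        sansSerif = ["Noto Sans"];
        serif = ["Noto Serif"];
        emoji = ["Noto Color Emoji"];
      };
    };
  };

  environment = {
    variables = {
      EDITOR = "vim";
      VISUAL = "vim";
      MOZ_ENABLE_WAYLAND = "1";
      NIXOS_OZONE_WL = "1";
      NIXPKGS_ALLOW_UNFREE = "0";
      TERMINAL = "kitty";
      WLR_NO_HARDWARE_CURSORS = "1";
      XCURSOR_SIZE = "16";
      XDG_CURRENT_DESKTOP = "sway";
      XDG_SESSION_TYPE = "wayland";
      _JAVA_AWT_WM_NONREPARENTING = "1";
    };

    systemPackages = with pkgs; [
      home-manager
      openssl
      libinput
      dmidecode
      pamixer
      git
      wol
      vim
      wget
      curl
      kitty
      brave
      go_1_21
      cargo
      chainsaw
      topgrade
    ];
  };

  networking = {
    # hostId = pkgs.lib.mkForce "00000000";
    # ZFS records the importing hostid in the pool; this must stay stable for
    # the root pool to import cleanly (forceImportRoot papers over a mismatch).
    hostId = "deadb33f";
    hostName = "t14";

    nftables.enable = true;

    networkmanager.enable = true;
    # interfaces.enp0s25.wakeOnLan.enable = true;

    # The NixOS firewall is enabled by default; nothing in this file opens a
    # port, so prometheus/node-exporter below are reachable only via
    # loopback and whatever interfaces the imported modules trust.
    firewall = {
      allowPing = true;
    };

    # Configure network proxy if necessary
    # networking.proxy.default = "http://user:password@proxy:port/";
    # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  };

  users.users = {
    root = {
      shell = pkgs.zsh;
      # The owner's keys plus the nix-builder keys of two other hosts are
      # authorized for root directly. Whether sshd permits root logins at all
      # is decided in ../../modules/base.nix (not visible here). Least
      # privilege would be a dedicated unprivileged builder account listed in
      # nix.settings.trusted-users rather than root.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      ];
      # NOTE(review): a password hash committed to the repository is an
      # offline-cracking target and remains in git history even after it is
      # removed from the tree. With neededForUsers set on rootPassphrase the
      # sops-managed path is usable here; rotate the root password, then
      # switch to:
      # hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
      hashedPassword = "$y$j9T$yNhN6CYvKBWz/HnLv2gp//$0fFgtV4xzBijxWxUg1oTH74GoekdMK6UZUQWby5fZi4";
      # NOTE(review): this is the same range mko gets below, so user
      # namespaces created by root and by mko map onto the same host UIDs and
      # are not isolated from each other. Give the two users disjoint ranges
      # (and declare matching subGidRanges, which are missing for both) —
      # left unchanged here because re-mapping changes ownership of any
      # existing rootless-container storage.
      subUidRanges = [
        {
          count = 65535;
          startUid = 65536 * 28; # 1835008, docker
        }
      ];
    };

    mko = {
      isNormalUser = true;
      createHome = true;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      ];
      # Password hash comes from sops; the secret is flagged neededForUsers
      # above so the file exists when this account is created.
      hashedPasswordFile = config.sops.secrets.mkoPassphrase.path;
      # wheel grants sudo (see security.sudo) and nix trusted-user status.
      extraGroups = [
        "wheel"
        "networkmanager"
        "audio"
        "camera"
        "kvm"
        "lp"
        "scanner"
        "video"
        "console"
      ];
      # See the note on root's subUidRanges: identical range, no subGidRanges.
      subUidRanges = [
        {
          count = 65535;
          startUid = 65536 * 28; # 1835008, docker
        }
      ];
    };
  };
  users.users.mko.group = "mko";
  users.groups.mko = {};

  # Redundant with extraGroups above but makes wheel membership explicit.
  users.groups.wheel.members = ["mko"];

  programs.gnupg.agent = {
    enable = true;
    # gpg-agent acts as the SSH agent (keys can live on a smartcard).
    enableSSHSupport = true;
  };

  security = {
    doas = {
      enable = false;
      # Kept for reference while disabled. keepEnv hands the caller's full
      # environment (PATH, LD_*, ...) to the privileged command — drop it or
      # restrict it before re-enabling.
      extraRules = [
        {
          users = ["mko"];
          keepEnv = true; # Optional, retains environment variables while running commands
          persist = true; # Optional, only require password verification a single time
        }
      ];
    };
    sudo = {
      enable = true;
      # Password-less sudo is limited to three power-management commands,
      # pinned to their exact store paths so only those binaries match.
      extraRules = [
        {
          commands = [
            {
              command = "${pkgs.systemd}/bin/systemctl suspend";
              options = ["NOPASSWD"];
            }
            {
              command = "${pkgs.systemd}/bin/reboot";
              options = ["NOPASSWD"];
            }
            {
              command = "${pkgs.systemd}/bin/poweroff";
              options = ["NOPASSWD"];
            }
          ];
          groups = ["wheel"];
        }
      ];
    };
    # Registers a PAM service so swaylock can verify the user's password.
    pam.services.swaylock = {};
    polkit.enable = true;
  };

  services = {
    atd.enable = true;

    udev.extraRules = ''
      # wol
      # Enables magic-packet wake on every wired interface as it appears. WoL
      # carries no authentication (no SecureOn password is set), so anyone on
      # the same L2 segment can wake the machine.
      ACTION=="add", SUBSYSTEM=="net", NAME=="en*", RUN+="${pkgs.ethtool}/bin/ethtool -s $name wol g"
    '';

    pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse.enable = true;
    };

    blueman.enable = true;

    dbus.enable = true;

    # Points dnscrypt-proxy at the sops-decrypted hosts override file.
    dnscrypt-proxy2.settings.cloaking_rules = config.sops.secrets.extraHosts.path;

    greetd = {
      enable = true;
      settings = {
        default_session.command = ''
          ${pkgs.greetd.tuigreet}/bin/tuigreet \
            --time \
            --asterisks \
            --user-menu \
            --cmd sway
        '';
      };
    };

    power-profiles-daemon.enable = true;
    #tlp.enable =
    #  lib.mkDefault ((lib.versionOlder (lib.versions.majorMinor lib.version) "23.11")
    #    || !config.services.power-profiles-daemon.enable);
    #auto-cpufreq.enable = true;
    #auto-cpufreq.settings = {
    #  battery = {
    #    governor = "powersave";
    #    turbo = "never";
    #  };
    #  charger = {
    #    governor = "schedutil";
    #    turbo = "auto";
    #  };
    #};

    prometheus = {
      # WIP.
      enable = true;
      # openFirewall stays off: both prometheus (9090) and node-exporter (9100)
      # bind all interfaces by default, and the firewall is what keeps them
      # off the LAN. Whether tailscale0 is a trusted interface is decided in
      # the imported modules (not visible here).
      # openFirewall = true;
      port = 9090;
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [
            "logind"
            "systemd"
          ];
          port = 9100;
        };
      };

      scrapeConfigs = [
        {
          job_name = "node";
          static_configs = [
            {
              # Scrapes this host by its mDNS name rather than loopback.
              targets = [
                "${config.networking.hostName}.local:${toString config.services.prometheus.exporters.node.port}"
              ];
            }
          ];
        }
      ];
    };

    # TS is enabled in the imported module, this is additional config.
    tailscale = {
      # "both" = this host may advertise subnet routes / act as an exit node
      # AND accept routes from the tailnet; it turns on IP forwarding.
      useRoutingFeatures = "both";
      # accept-routes = true;
    };

    zfs = {
      autoScrub = {
        enable = true;
        interval = "weekly";
      };
      trim.enable = true;
    };
  };

  hardware = {
    bluetooth = {
      enable = true;
      # HSP & HFP daemon (apparently needs to be false now because of wire plumber)
      hsphfpd.enable = false;
      settings = {General = {Enable = "Source,Sink,Media,Socket";};};
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [
        vaapiVdpau
        libvdpau-va-gl
      ];
    };
  };

  xdg = {
    portal = {
      enable = true;
      wlr.enable = true;
      extraPortals = with pkgs; [
        xdg-desktop-portal-wlr
        xdg-desktop-portal-gtk
      ];
    };
  };

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # Does not work with flakes - yet™.
  system.copySystemConfiguration = false;
}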