christoph/flake-nixinator
1
Fork 0
Code Activity
Files
2b84b026c111d31cb1f663a4e2ef309e08e3e05b
flake-nixinator/system/default.nix

453 lines
11 KiB
Nix
Raw Blame History

{
inputs,
hostname,
lib,
mylib,
config,
pkgs,
system,
username,
headless,
...
}:
with mylib.networking; {
imports = [
# Import my system modules
./modules
# Import the host-specific system config
./${hostname}
./cachix.nix
];
modules = {
bootloader = {
enable = true;
loader =
if headless
then "grub"
else "systemd-boot";
systemd-boot.bootDevice = "/boot";
grub.bootDevice = "/dev/sda";
};
desktopportal = {
enable = !headless;
termfilechooser.enable = true;
hyprland.enable = config.programs.hyprland.enable;
};
docker = {
enable = true;
# Use podman on the desktops, the servers are
# already configured using docker though...
# TODO: Use podman on the servers
podman = !headless;
docker.rootless = true;
};
fonts = {
enable = !headless;
defaultSerifFont = "Noto Serif CJK SC";
defaultSansSerifFont = "Noto Sans CJK SC";
defaultMonoFont = "MonoLisa Alt Script";
};
mime = {
enable = !headless;
defaultTextEditor = "neovide.desktop";
defaultFileBrowser = "yazi.desktop";
defaultWebBrowser = "firefox.desktop";
defaultPdfViewer = "org.pwmt.zathura.desktop";
defaultImageViewer = "imv-dir.desktop";
defaultAudioPlayer = "vlc.desktop";
defaultVideoPlayer = "vlc.desktop";
};
network = {
inherit hostname;
enable = true;
networks = {
# Default wildcard ethernet network for all hosts
"50-ether" = mkSystemdNetwork "enp*" false;
};
allowedTCPPorts = [
22 # SSH
80 # HTTP
443 # HTTPS
];
allowedUDPPorts = [
9918 # Wireguard
];
};
polkit.enable = true;
sops-nix.bootSecrets.${username} = [
"user-password"
];
sops-nix.secrets.${username} = [
"ssh-private-key"
"nix-github-token"
"docker-password"
];
};
# Write the nix user config file here so we have secrets access
sops.templates."nix.conf" = {
owner = config.users.users.${username}.name;
group = config.users.users.${username}.group;
content = ''
access-tokens = github.com=${config.sops.placeholder.nix-github-token}
'';
};
# Enable flakes
nix = {
package = pkgs.nixVersions.stable;
extraOptions = ''
experimental-features = nix-command flakes pipe-operators
'';
settings.trusted-users = ["root" "${username}"];
# Auto garbage-collect and optimize store
gc.automatic = false; # Done by nh.clean.enable;
gc.options = "--delete-older-than 5d";
settings.auto-optimise-store = true;
optimise.automatic = true;
# This will add your inputs as registries, making operations with them (such
# as nix shell nixpkgs#name) consistent with your flake inputs.
# (Registry contains flakes)
registry = lib.mapAttrs' (n: v: lib.nameValuePair n {flake = v;}) inputs;
# Set NIX_PATH to find nixpgks
nixPath = [
"nixpkgs=${inputs.nixpkgs.outPath}"
"home-manager=${inputs.home-manager.outPath}"
];
};
# Bootloader/Kernel stuff
boot = {
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = ["mitigations=off"]; # I don't care
# Make /tmp volatile
# NOTE: Setting this to true can lead to large derivations running out of tmp space
tmp.useTmpfs = false;
};
security = {
protectKernelImage = true;
rtkit.enable = true;
pam.services = {
# Allow Hyprlock to unlock the system
hyprlock = {};
};
sudo.enable = true;
sudo.extraRules = [
{
users = ["${username}"];
commands = [
# We allow running flatpak without password
# so flatpaks can be installed from the hm config
{
command = "/run/current-system/sw/bin/flatpak";
options = ["SETENV" "NOPASSWD"];
}
];
}
];
};
documentation = {
# NOTE: Disable this while configuring stuff, it's slow
enable = true;
man.enable = config.documentation.enable;
man.generateCaches = true; # Slow but needed for neovim man picker
info.enable = config.documentation.enable;
dev.enable = config.documentation.enable;
doc.enable = config.documentation.enable;
nixos = {
enable = config.documentation.enable;
includeAllModules = true;
};
};
# Set your time zone.
time = {
timeZone = "Europe/Berlin";
hardwareClockInLocalTime = false;
};
# Select internationalisation properties.
i18n = let
en = "en_US.UTF-8";
de = "de_DE.UTF-8";
in {
defaultLocale = en;
extraLocaleSettings = {
LC_ADDRESS = de;
LC_IDENTIFICATION = de;
LC_MEASUREMENT = de;
LC_MONETARY = de;
LC_NAME = de;
LC_NUMERIC = de;
LC_PAPER = de;
LC_TELEPHONE = de;
LC_TIME = de;
};
# https://github.com/NixOS/nixpkgs/issues/179486
supportedLocales = ["en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8"];
};
console = {
earlySetup = true;
useXkbConfig = true;
packages = [pkgs.terminus_font];
font = "ter-220b";
# Normal Bright
# -------- -------
# 0 Black 8 Black
# 1 Red 9 Red
# 2 Yellow 10 Yellow
# 3 Green 11 Green
# 4 Blue 12 Blue
# 5 Magenta 13 Magenta
# 6 Cyan 14 Cyan
# 7 White 15 White
colors = let
color = config.home-manager.users.${username}.modules.color;
in [
# 0 - 7
"000000" # Dark black
color.hex.red
color.hex.green
color.hex.yellow # Swapped with green for kitty consistency
color.hex.blue
color.hex.pink
color.hex.teal
color.hex.text # Dark white
# 8 - 15
color.hex.surface2 # Light black
color.hex.red
color.hex.green
color.hex.yellow # Swapped with green for kitty consistency
color.hex.blue
color.hex.pink
color.hex.teal
"ffffff" # Light white
];
};
# Define a user account. Password is set from sops-nix secrets automatically.
users.mutableUsers = false; # Users are always overridden by stuff defined here
users.users.${username} = {
isNormalUser = true;
hashedPasswordFile = config.sops.secrets.user-password.path;
description = "Christoph";
group = "users";
uid = 1000;
extraGroups = [
"networkmanager"
"wheel"
"audio"
"video"
"pipewire"
"realtime"
"gamemode"
"docker"
"podman"
"adbusers"
"scanner"
"lp"
"libvirtd"
];
shell = pkgs.fish;
# We do this with HomeManager
# packages = with pkgs; [];
};
users.groups."users".gid = 100;
# We want these packages to be available even when no user profile is active
# Empty since we basically only need git + editor which is enabled below
environment.systemPackages = with pkgs; [
iw
wget
mprocs # run multiple processes in single terminal window, screen alternative
parted # partition manager
exfat
exfatprogs
procs # Better ps
procps # pgrep, pkill
busybox
killall
slirp4netns # user network namespaces
wireguard-tools
man-pages
man-pages-posix
# iPhone tethering + mounting
libimobiledevice
ifuse
usbmuxd
];
# It is preferred to use the module (if it exists) over environment.systemPackages,
# as some extra configs are applied.
# I would prefer to use HomeManager for some of these but the modules don't exist (yet).
programs = {
adb.enable = true;
dconf.enable = !headless;
firejail.enable = true; # Use to run app in network namespace (e.g. through vpn)
fuse.userAllowOther = true; # Allow users to mount e.g. samba shares (cifs)
git.enable = true;
kdeconnect.enable = !headless; # Use this instead of HM for firewall setup
neovim.enable = true;
nix-ld.enable = true; # Load dynamically linked executables
fish = {
enable = true;
generateCompletions = config.documentation.enable;
};
gnupg.agent = {
enable = false;
enableBrowserSocket = true;
enableExtraSocket = true;
enableSSHSupport = true;
};
hyprland = {
enable = !headless;
xwayland.enable = true;
withUWSM = true;
};
nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep 3";
flake = "/home/${username}/NixFlake";
};
ssh.startAgent = true; # Use gnupg
starship.enable = true;
xwayland.enable = !headless;
};
# List services that you want to enable:
services = {
# Enable sound with pipewire.
pipewire = {
enable = !headless;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = false;
wireplumber.enable = true;
};
pulseaudio.enable = false; # Get off my lawn
# Enable the X11 windowing system.
xserver = {
enable = !headless;
# Startx replaces the displaymanager so default (lightdm) isn't used, start to shell
displayManager.startx.enable = true;
wacom.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = !headless;
# Enable CUPS to print documents.
printing = {
enable = false;
drivers = with pkgs; [
gutenprint
gutenprintBin
foomatic-db-ppds-withNonfreeDb
dell-b1160w # TODO: Broken
];
};
avahi = {
enable = false; # Network printers
nssmdns4 = true;
};
# Enable the OpenSSH daemon.
openssh.enable = true;
# Trims the journal if too large
journald.extraConfig = ''
SystemMaxUse=50M
'';
acpid.enable = true;
dbus.enable = true;
flatpak.enable = !headless; # Not quite the nix style but useful for bottles/proprietary stuff/steam/gaming
fstrim.enable = true; # SSD
fwupd.enable = true; # Device firmware (I don't think I have any supported devices)
# locate.enable = true; # Periodically update index
ntp.enable = true; # Clock sync
gvfs.enable = true; # Network shares, spotify cover art caching, ...
udev = {
packages = with pkgs; [
usb-blaster-udev-rules # For Intel Quartus
];
};
gnome.gnome-keyring.enable = true; # Apps (e.g. nextcloud) require this
gnome.gcr-ssh-agent.enable = false; # TODO: Use this instead of ssh.startAgent?
};
systemd = {
# TODO: Technically this should be a user service if it runs as ${username}?
timers."refresh-nps-cache" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "weekly"; # or however often you'd like
Persistent = true;
Unit = "refresh-nps-cache.service";
};
};
services."refresh-nps-cache" = {
# Make sure `nix` and `nix-env` are findable by systemd.services.
path = ["/run/current-system/sw/"];
serviceConfig = {
Type = "oneshot";
User = "${username}";
};
script = ''
set -eu
echo "Start refreshing nps cache..."
${inputs.nps.packages.${system}.default}/bin/nps -dddd -e -r
echo "... finished nps cache with exit code $?."
'';
};
};
}
View Git Blame Copy Permalink