{ config, lib, pkgs, ... }:

# Shared base configuration for every host: boot, disk encryption, console,
# local authentication, sudo rules, SSH, disk monitoring and firmware updates.
# Host-specific details come from the `host` options declared below and from
# the component modules imported here.
let
  host = config.host;

  # Helpers shared with the other modules (only `frame` is used here).
  resourceLib = import ./resources/lib.nix { inherit lib; };

  # Owner identity (name, e-mail, phone, OpenPGP key) shown on the pre-boot
  # screen and used for the LUKS smart-card unlock.
  owner = import ./resources/identity.nix;

  # Colour palette; `ansiFormat` gives terminal formatting functions and
  # `hex` gives "#rrggbb" strings.
  theme = import ./resources/palette.nix { inherit lib; };

  # sudo matches on the absolute path, so every rule uses the system profile.
  binDir = "/run/current-system/sw/bin";

  # One sudo rule entry that skips the password prompt for exactly `cmd`
  # (arguments included; sudo requires an exact match on the whole line).
  passwordless = cmd: {
    command = "${binDir}/${cmd}";
    options = [ "NOPASSWD" ];
  };
in
{
  imports = [
    ./components/applications.system.nix
    ./components/backup.system.nix
    ./components/desktop.system.nix
    ./components/keyboard.system.nix
    ./components/locale.system.nix
    ./components/logs.system.nix
    ./components/mail.system.nix
    ./components/networking.system.nix
    ./components/nix.system.nix
    ./components/openpgp.system.nix
    ./components/printer.system.nix
    ./components/scanner.system.nix
    ./components/users.system.nix
    ./components/virtualization.system.nix
    ./components/wireguard.system.nix
  ];

  # Per-host paths; both are declared without defaults, so each host has to
  # set them (their meaning is defined by the modules that read them).
  options.host = {
    local = lib.mkOption { type = lib.types.path; };
    resources = lib.mkOption { type = lib.types.path; };
  };

  config = {
    # --- Boot ---------------------------------------------------------------

    # Not a stock NixOS option; presumably declared in components/nix.system.nix
    # to whitelist the unfree memtest86 package for the boot menu entry.
    allowedUnfree = [ "memtest86-efi" ];

    boot = {
      loader = {
        systemd-boot = {
          enable = true;
          memtest86.enable = true;
        };
        efi.canTouchEfiVariables = true;
      };
      plymouth.enable = true;
      tmp.cleanOnBoot = true;

      initrd = {
        # Stage-1 shell run before devices are set up: prints an owner
        # contact banner so a found machine can be returned. `escapeShellArg`
        # keeps the whole ANSI-formatted text as a single argument to `info`.
        preDeviceCommands =
          let
            fmt = theme.ansiFormat;
            banner = resourceLib.frame fmt.magenta ''
              ${fmt.magenta "If found, please contact:"}

              ${fmt.cyan "Name:"} ${owner.name.long}
              ${fmt.cyan "Email:"} ${owner.email}
              ${fmt.cyan "Phone:"} ${owner.phone}
            '';
          in
          ''
            info $'\n'${lib.escapeShellArg banner}$'\n'
          '';

        # Root volume unlock: the LUKS passphrase is stored GPG-encrypted to
        # the owner's key and decrypted with the OpenPGP smart card at boot.
        luks = {
          gpgSupport = true;
          devices.pv = {
            device = "/dev/disk/by-partlabel/pv-enc";
            allowDiscards = true;
            # Without the card, fall back to an interactive passphrase prompt.
            fallbackToPassword = true;
            gpgCard = {
              # Host-local file; never committed to the shared resources.
              encryptedPass = ./local/resources/luks-passphrase.gpg;
              publicKey = owner.openpgp.asc;
            };
          };
        };
      };
    };

    # --- Swap ---------------------------------------------------------------
    zramSwap.enable = true;

    # --- Filesystems --------------------------------------------------------
    fileSystems = {
      "/".options = [ "compress=zstd:2" "discard=async" "noatime" ];
      # Root-only /boot: the kernel and initrd live there, and the initrd
      # presumably embeds the encrypted LUKS passphrase file referenced above.
      "/boot".options = [ "umask=0077" ];
    };

    # --- Console ------------------------------------------------------------
    console = {
      packages = [ pkgs.terminus_font ];
      font = "ter-v32n";
      # 16-entry VT palette: normal colours first, then the bright variants.
      # The kernel wants bare "rrggbb", so the leading "#" is stripped.
      colors =
        let p = theme.hex; in
        map (lib.removePrefix "#") [
          "#000000" p.red p.green p.yellow p.blue p.orange p.purple p.light-gray
          p.gray    p.red p.green p.yellow p.blue p.orange p.purple p.white
        ];
    };

    # --- Power --------------------------------------------------------------
    systemd.ctrlAltDelUnit = "poweroff.target";

    # --- Authentication / authorization ------------------------------------
    security = {
      # Local login with a U2F token. `control = "sufficient"` means a
      # registered token satisfies this PAM stage on its own (no password);
      # `cue` prints a prompt asking for the touch.
      # NOTE(review): the token is therefore a single factor for local
      # login — confirm that is the intended trade-off for these hosts.
      pam.u2f = {
        enable = true;
        appId = "pam://${host.name}";
        authFile = "/etc/u2f-mappings";
        control = "sufficient";
        cue = true;
      };

      # Routine maintenance commands wheel members may run without a
      # password. Each rule is matched on the exact command line.
      # NOTE(review): passwordless `nixos-rebuild switch`/`boot` activates
      # whatever configuration the invoking user can point it at, so for
      # practical purposes this is passwordless root for wheel — confirm the
      # configuration source is root-owned and that this is intended.
      sudo.extraRules = [
        {
          groups = [ "wheel" ];
          commands = map passwordless [
            "btrfs balance start --enqueue -dusage=50 -musage=50 /"
            "nix-channel --update"
            "nixos-rebuild boot"
            "nixos-rebuild switch"
            "poweroff"
          ];
        }
      ];
    };

    # --- Services -----------------------------------------------------------
    services = {
      btrfs.autoScrub.enable = true;
      irqbalance.enable = true;

      # Key-based SSH only.
      # NOTE(review): only PasswordAuthentication is disabled here; the
      # keyboard-interactive (PAM) method keeps the module default, so check
      # it cannot still accept passwords (see
      # services.openssh.settings.KbdInteractiveAuthentication).
      openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      # SMART monitoring with mail notifications (mail setup is in
      # components/mail.system.nix).
      smartd = {
        enable = true;
        notifications.mail.enable = true;
      };

      # Firmware updates via fwupd; redistributable blobs are needed for it
      # and for most hardware to work at all.
      fwupd.enable = true;

      # Profiling
      sysprof.enable = true;
    };
    hardware.enableRedistributableFirmware = true;
  };
}