Related:
- https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6235
- https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1177
- https://bugzilla.redhat.com/show_bug.cgi?id=1650221
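{ config, lib, pkgs, ... }:

# Host-level NixOS module shared by every machine: declares the `host` options a
# per-machine configuration fills in, then sets the common baseline (boot,
# encrypted root, WireGuard mesh, authentication, desktop, the single user).

let

  # Module

  host = config.host;

  # Resources

  palette = import ./resources/palette.nix;

in

{

  imports = [
    ./components/backup.nix
    ./components/keyboard.nix
    ./components/locale.nix
    ./components/mail.nix
    ./components/printer.nix
    ./components/scanner.nix
  ];

  # Pending NixOS/nixpkgs#55674: allow-list of unfree package names, consumed by
  # nixpkgs.config.allowUnfreePredicate below.
  options.allowedUnfree = lib.mkOption { type = lib.types.listOf lib.types.str; };

  options.host = {
    # Hostname; also used as the pam_u2f appId below.
    name = lib.mkOption { type = lib.types.str; };
    # Directory holding machine-private material (U2F key handle, ...).
    local = lib.mkOption { type = lib.types.path; };
    resources = lib.mkOption { type = lib.types.path; };
    wireguard = {
      # This host's address inside the wg0 /24.
      ip = lib.mkOption { type = lib.types.str; };
      # NOTE(review): declared but not consumed in this file (the wg0 netdev
      # below sets no ListenPort); presumably a component turns it into the
      # listen port / firewall rule — confirm, since peers that name this host
      # as their Endpoint need a fixed port.
      port = lib.mkOption { type = lib.types.int; };
      # Static mesh: one entry per peer hostname, also used for /etc/hosts.
      peers = lib.mkOption {
        type = lib.types.attrsOf (lib.types.submodule { options = {
          ip = lib.mkOption { type = lib.types.str; };
          # Peer's WireGuard public key.
          key = lib.mkOption { type = lib.types.str; };
          endpoint = lib.mkOption { type = lib.types.str; };
        }; });
      };
    };
  };

  config = {
    nixpkgs.overlays = [ (import ./packages.nix) ];

    # Nix
    nix.settings.auto-optimise-store = true;
    nix.gc = { automatic = true; options = "--delete-older-than 7d"; };
    nix.extraOptions = ''
      # Recommended by nix-direnv
      keep-outputs = true
      keep-derivations = true
    '';
    # Only the packages explicitly listed in `allowedUnfree` may be unfree.
    nixpkgs.config.allowUnfreePredicate = p: builtins.elem (lib.getName p) config.allowedUnfree; # Pending NixOS/nixpkgs#55674
    nix.daemonCPUSchedPolicy = "batch";
    # Print what a rebuild changed (package-level diff of the two closures).
    system.activationScripts.diff = ''
      PATH="${lib.makeBinPath [ pkgs.nix ]}" \
        ${pkgs.nvd}/bin/nvd diff '/run/current-system' "$systemConfig"
    '';

    # Boot
    allowedUnfree = [ "memtest86-efi" ];
    boot.loader.systemd-boot.enable = true;
    boot.loader.systemd-boot.memtest86.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    boot.plymouth.enable = true;

    # Swap
    zramSwap.enable = true;

    # Filesystems
    # Root lives in a LUKS container (partlabel pv-enc) unlocked by an OpenPGP
    # smartcard; the passphrase is stored encrypted to that card and embedded
    # in the initrd together with the public key.  A typed passphrase remains
    # the fallback (fallbackToPassword).
    boot.initrd.luks = {
      gpgSupport = true;
      devices.pv = {
        device = "/dev/disk/by-partlabel/pv-enc";
        # Pass TRIM through to the SSD.  Deliberate trade-off: discards reveal
        # which sectors of the container are unused.
        allowDiscards = true;
        fallbackToPassword = true;
        gpgCard.encryptedPass = ./local/resources/luks-passphrase.gpg;
        gpgCard.publicKey = ./resources/andrew.asc;
      };
    };
    fileSystems."/".options = [ "compress=zstd:2" "discard=async" "noatime" ];
    services.btrfs.autoScrub.enable = true;
    boot.cleanTmpDir = true;

    # Time
    time.timeZone = "America/Los_Angeles";

    # Networking
    networking.hostName = host.name;
    networking.domain = "home.arpa";
    networking.search = [ "home.arpa" ];
    # Resolve every WireGuard peer by its short hostname.
    networking.extraHosts = lib.concatStringsSep "\n"
      (lib.mapAttrsToList (hostname: peer: "${peer.ip} ${hostname}") host.wireguard.peers);
    systemd.network = {
      enable = true;
      netdevs."90-wg0" = {
        netdevConfig = { Name = "wg0"; Kind = "wireguard"; };
        # Private key is kept outside the Nix store.  systemd-networkd reads it
        # unprivileged, so the file must be readable by the systemd-network
        # user (see systemd.netdev(5)) and by nobody else.
        wireguardConfig.PrivateKeyFile = "/var/lib/wireguard/wg0.key";
        # One peer per mesh member; each peer may only source its own /32.
        wireguardPeers = lib.mapAttrsToList (_: peer: {
          wireguardPeerConfig = {
            AllowedIPs = [ "${peer.ip}/32" ];
            Endpoint = peer.endpoint;
            PublicKey = peer.key;
          };
        }) host.wireguard.peers;
      };
      networks."90-wg0" = { name = "wg0"; address = [ "${host.wireguard.ip}/24" ]; };
    };
    # Workaround for https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6235
    networking.networkmanager.unmanaged = [ "wg0" ];

    # Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
    # Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
    system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";

    # Console
    console.packages = with pkgs; [ terminus_font ];
    console.font = "ter-v32n";
    # 16 VT colours from the shared palette, `#` stripped as the kernel expects.
    console.colors = map (lib.removePrefix "#") (with palette; [
      "#000000" red green yellow blue orange purple white
      gray red green yellow blue orange purple white
    ]);

    # Power
    systemd.ctrlAltDelUnit = "poweroff.target";
    services.irqbalance.enable = true;

    # Authentication
    # pam_u2f with control = "sufficient": touching a registered token alone
    # satisfies PAM (login, sudo, screen unlock) — possession is the only
    # factor — and a failed or absent token falls through to the password.
    # The key-handle file is not secret, so keeping it in the configuration
    # (and hence the Nix store) is fine.
    security.pam.u2f = {
      enable = true;
      appId = "pam://${host.name}";
      authFile = host.local + "/resources/andrew.u2f";
      control = "sufficient";
      cue = true;
    };

    # Authorization
    # Password-less sudo for routine maintenance.  Commands match exactly
    # (no extra arguments can be appended).
    # NOTE(review): `nixos-rebuild switch`/`boot` build and activate whatever
    # configuration the invoking wheel user can point them at (a user-writable
    # /etc/nixos checkout, or NIX_PATH if sudo preserves it), so those two
    # rules are root-equivalent without a password.  Acceptable only while
    # `ak` is the sole interactive account on this host — revisit before
    # adding users.
    security.sudo.extraRules = [
      {
        groups = [ "wheel" ];
        commands = [
          { command = "/run/current-system/sw/bin/btrfs balance start --enqueue -dusage=50 -musage=50 /"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nix-channel --update"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nixos-rebuild boot"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nixos-rebuild switch"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
        ];
      }
    ];

    # SSH
    # Key-only logins.  `passwordAuthentication = false` on its own is not
    # enough on NixOS: sshd authenticates through PAM, and keyboard-interactive
    # authentication (enabled by default) would still let PAM prompt for the
    # account password, so it is switched off as well.
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      kbdInteractiveAuthentication = false;
    };

    # Service monitoring
    # `alert@<unit>.service` mails root the status of the failed unit (meant to
    # be wired up via OnFailure= on the monitored units).  The instance name is
    # handed to a script as one argument and only ever expanded double-quoted,
    # rather than spliced into a `bash -c` string, so a unit name containing
    # shell metacharacters cannot change the command that runs.
    # NOTE(review): `%I` undoes unit-name escaping (an escaped `-` becomes `/`),
    # so callers must pass an escaped instance name — confirm against the
    # components that reference this unit.
    systemd.services."alert@" =
      let
        alertScript = pkgs.writeShellScript "alert-failed-unit" ''
          exec ${pkgs.system-sendmail}/bin/sendmail -i root <<EOF
          Subject: $1 failed

          $(${pkgs.systemd}/bin/systemctl --full status "$1")
          EOF
        '';
      in {
        description = "Alert of failed %I";
        serviceConfig.SyslogIdentifier = "%p";
        serviceConfig.Type = "oneshot";
        serviceConfig.ExecStart = "${alertScript} %I";
      };

    # SMART monitoring
    services.smartd = {
      enable = true;
      notifications.mail.enable = true;
    };

    # Firmware updates
    hardware.enableRedistributableFirmware = true;
    services.fwupd.enable = true;

    # Audio
    hardware.pulseaudio.enable = false;
    security.rtkit.enable = true;
    systemd.services.rtkit-daemon.serviceConfig.LogLevelMax = "notice";
    services.pipewire = {
      enable = true;
      alsa = { enable = true; support32Bit = true; };
      pulse.enable = true;
    };

    # Virtualization
    # Docker is installed but not started at boot; podman is the daily driver.
    virtualisation = {
      containers.registries.search = [ "docker.io" ];
      docker = { enable = true; enableOnBoot = false; autoPrune.enable = true; };
      podman.enable = true;
      libvirtd.enable = true;
    };

    # OpenPGP
    services.pcscd.enable = true;
    programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

    # Graphical environment
    services.xserver.enable = true;
    services.xserver.displayManager.gdm.enable = true;
    services.xserver.desktopManager.gnome.enable = true;

    # Applications
    environment.localBinInPath = true;
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
    environment.gnome.excludePackages = with pkgs; [
      gnome.epiphany
      gnome.geary
      gnome.gnome-calculator
      gnome.gnome-maps
      gnome.gnome-music
      gnome.gnome-weather
      gnome-photos
    ];
    programs.zsh.enable = true;

    # Users
    # Declarative only: accounts not listed here are removed on activation.
    users.mutableUsers = false;
    users.groups.ak.gid = 1000;
    users.users.ak = {
      isNormalUser = true;
      uid = 1000;
      group = "ak";
      # `wheel` plus the NOPASSWD sudo rules above, and `docker`, whose socket
      # is root-equivalent: this account is effectively root on the host.
      extraGroups = [
        "wheel"
        "networkmanager"
        "lp"
        "scanner"
        "podman"
        "docker"
        "libvirtd"
        "ydotool"
      ];
      description = "Andrew";
      # lib.fileContents drops the trailing newline builtins.readFile keeps,
      # which would otherwise end up inside the shadow hash field.
      # NOTE(review): the hash is copied into the world-readable Nix store along
      # with the evaluated configuration; `passwordFile` pointing at a
      # root-only file outside the store avoids that.
      hashedPassword = lib.fileContents ./local/resources/ak.passwd;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [ (builtins.readFile ./resources/andrew.pub) ];
    };
  };
}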