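# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, lib, pkgs, ... }:

let
  # NOTE(review): this fetches whatever is on `master` at evaluation time,
  # unpinned and without a sha256, and the result is imported below as a
  # NixOS module (i.e. code that runs as root at activation).  Pin it to a
  # commit archive (`.../archive/<rev>.tar.gz`) and pass `sha256 = "..."`
  # so the tree is content-addressed, or make it a flake input.
  impermanence = builtins.fetchTarball
    "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in
{
  nixpkgs.config.allowUnfree = true;
  # NOTE(review): `allowBroken` switches off nixpkgs' `meta.broken` gate for
  # every package, including ones marked broken for security reasons.  If a
  # single package needs it, allow that package alone (per-package override)
  # instead of disabling the gate globally.
  nixpkgs.config.allowBroken = true;

  # Trust the local mkcert root CA system-wide.
  #
  # `security.pki.certificates` expects PEM *contents*; the file name that
  # used to be listed there is not a certificate.  `certificateFiles` is the
  # option that takes files.  The path literal is copied into the Nix store
  # at evaluation time (impure evaluation, which this file already relies on
  # via fetchTarball above), so the file must exist when rebuilding.
  #
  # CAUTION: this turns a file writable by an unprivileged user account into
  # a root of trust for every TLS client on the machine, and mkcert keeps the
  # matching private key (rootCA-key.pem) in the same directory.  Anyone who
  # can write that directory can mint certificates this host will accept.
  # Copying the public cert into this repository and referencing it as
  # `./rootCA.pem` removes the dependency on the home directory.
  security.pki.certificateFiles = [ /home/dominik/.local/share/mkcert/rootCA.pem ];

  imports = [
    "${impermanence}/nixos.nix"
    ./utils/bento.nix
    ./utils/modules/sops.nix
    ./utils/modules/nur.nix
    # ./utils/modules/attic-cache
    ./modules/appimage.nix
    ./modules/desktop
    ./modules/development
    ./modules/printer.nix
    # ./modules/cyberghost.nix
    ./utils/modules/autoupgrade.nix
    ./modules/puppeteer.nix
    ./modules/mcp-global.nix
    ./modules/ollama.nix
    ./modules/qdrant.nix
    ./modules/battery-brightness.nix
    ./modules/suspend-fixes.nix
    ./cachix.nix
    ./users
    # ./modules/steam.nix
    ./modules/fingerprint.nix
    ./modules/set-nix-channel.nix
    ./hardware-configuration.nix
  ];

  # services.snap.enable = true;

  nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ];

  services.gvfs.enable = true;

  # Only font packages belong here: fontconfig indexes `$out/share/fonts` of
  # each entry and nothing else, so the CLI tools that used to be listed in
  # this set were never put on PATH.  They now live in
  # environment.systemPackages below.
  fonts.packages = with pkgs; [ open-sans ];

  programs.zsh = {
    enable = true;
    ohMyZsh = {
      enable = true; # Enable Oh My Zsh
      theme = "steeef"; # Set theme
      plugins = [ "git" ]; # Add plugins
    };
  };
  users.defaultUserShell = pkgs.zsh;

  # Firmware updates (LVFS).
  services.fwupd.enable = true;

  # Disable irqbalance to save battery (not critical for laptop workloads)
  services.irqbalance.enable = false;

  swapDevices = [
    {
      device = "/swap/swapfile";
      # Size is in megabytes (96GB for full hibernation with 92GB RAM).
      # NOTE(review): no resume device / resume_offset is configured in this
      # file; presumably ./modules/suspend-fixes.nix or
      # hardware-configuration.nix does it -- verify, otherwise hibernation
      # will write the image but never resume from it.
      size = 96 * 1024;
    }
  ];

  # Memory tuning for 92GB RAM
  boot.kernel.sysctl = {
    "vm.swappiness" = 10;
    "vm.dirty_ratio" = 10;
    "vm.dirty_background_ratio" = 5;
    "vm.vfs_cache_pressure" = 50;
    # Battery optimization - increase dirty writeback time to batch writes
    "vm.dirty_writeback_centisecs" = 3000; # 30 seconds (default: 500 = 5s)
    "vm.dirty_expire_centisecs" = 3000; # 30 seconds (default: 3000)
    # Enable laptop mode for aggressive disk power management
    "vm.laptop_mode" = 5;
  };

  # nixos cross building qemu
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.supportedFilesystems = [ "ntfs" ];

  # Btrfs maintenance
  services.btrfs.autoScrub = {
    enable = true;
    interval = "monthly";
    fileSystems = [ "/nix" ];
  };

  boot.plymouth = {
    enable = true;
    theme = "spin";
    themePackages = with pkgs; [
      # By default we would install all themes
      (adi1090x-plymouth-themes.override { selected_themes = [ "spin" ]; })
    ];
  };

  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = false; # Save battery - enable manually when needed
  hardware.bluetooth.settings = {
    General = {
      ControllerMode = "bredr";
    };
  };

  # Impermanence: only the paths listed here survive a reboot; everything
  # else on the root filesystem is ephemeral.
  environment.persistence."/nix/persist" = {
    hideMounts = true;
    directories = [ "/home" ];
  };
  environment.persistence."/nix/persist/system" = {
    hideMounts = true;
    directories = [
      "/etc/nixos"
      "/root/.ssh"
      "/var/bento"
      "/var/log"
      "/var/lib/bluetooth"
      "/var/lib/docker"
      "/var/lib/flatpak"
      "/var/lib/fprint"
      "/var/lib/nixos"
      "/var/lib/mysql"
      "/etc/NetworkManager/system-connections"
    ];
    files = [
      "/etc/machine-id"
      # The SSH host keys must persist: besides stable host identity, the
      # ed25519 key is the age identity sops decrypts ./secrets.yaml with
      # (see sops.age.sshKeyPaths), so losing it orphans every secret.
      { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
      { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
      { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
      { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
    ];
  };

  # NOTE(review): with NixOS defaults this leaves password authentication on
  # and opens port 22 in the firewall on every interface, including untrusted
  # Wi-Fi.  Once key-based login is confirmed to work, consider
  # `settings.PasswordAuthentication = false;` and
  # `settings.KbdInteractiveAuthentication = false;`.
  services.openssh.enable = true;

  # sops-nix: the host ed25519 key doubles as the age decryption identity.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.epicenter_vpn_ca = {};
  sops.secrets.epicenter_vpn_cert = {};
  sops.secrets.epicenter_vpn_key = {};
  sops.secrets.wg_private_key = {};
  sops.secrets.wg_preshared_key = {};
  sops.secrets.wg-cloonar-key = {};

  # NOTE(review): membership of the `docker` group (see users.users.dominik)
  # is root-equivalent through the daemon socket; rootless Docker or podman
  # would avoid that.
  virtualisation.docker.enable = true;

  services.flatpak.enable = true;
  systemd.services.flatpak-repo = {
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.flatpak ];
    script = ''
      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    '';
  };

  networking.hostName = "nb-01"; # Define your hostname.
  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
  # Static mapping for the WireGuard endpoint so the tunnel can come up
  # without working DNS.  It overrides DNS for this name, so keep it in sync
  # with the real address.
  networking.extraHosts = ''
    77.119.230.30 vpn.cloonar.com
  '';

  # Set your time zone.
  time.timeZone = "Europe/Vienna";
  console.keyMap = "de";

  users.users.dominik = {
    isNormalUser = true;
    # NOTE(review): the yescrypt hash is not a plaintext secret, but it is
    # offline-crackable once this file is shared.  sops is already wired up;
    # `hashedPasswordFile = config.sops.secrets.<name>.path;` keeps it out
    # of the repository.
    hashedPassword = "$y$j9T$btz9xel62NjCyLdQRm5ck1$iCm6R7u4wiMeSVfrB6Y.3UwoQJ/rfkXiYSrXI2RTYm/";
    extraGroups = [
      "wheel" # Enable ‘sudo’ for the user.
      "disk" # NOTE(review): raw read/write on block devices -- effectively root.
      "video"
      "audio"
      "mysql"
      "docker" # root-equivalent via the Docker socket
      "vboxusers"
      "networkmanager"
      "onepassword"
      "onepassword-cli"
      "dialout"
    ];
  };
  users.groups.dominik = {};

  environment.systemPackages = with pkgs; [
    alsa-utils
    sshpass # NOTE(review): takes passwords via argv/env; prefer key-based SSH.
    pinentry-curses
    # ykfde
    # Tools formerly (ineffectively) listed under fonts.packages:
    git
    git-lfs
    nix-prefetch
    jq
    mkcert
    oh-my-zsh
    zsh-autosuggestions
    zsh-completions
    zsh-syntax-highlighting
    zsh-history-substring-search
    creality-print
  ];

  environment.variables = {
    TERMINAL_COMMAND = "alacritty";
    MOZ_ENABLE_WAYLAND = "1";
  };

  services.blueman.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };

  hardware.sane.enable = true;

  security.polkit.enable = true;
  # Graphical polkit agent so privileged actions can prompt in the session.
  systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
      };
    };
  };

  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.42.98.201/32" ];
      # publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
      privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
      peers = [
        {
          publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
          # Only these prefixes are routed through the tunnel (split tunnel).
          allowedIPs = [
            "10.42.96.0/20" # wohnservice-wien
            "10.254.240.0/24"
            "10.254.235.0/24" # epicenter.works
            "10.14.0.0/16"
            "10.25.0.0/16"
            "188.34.191.144/32" # web-arm
            "91.107.201.241/32" # mail (explicit /32; wg defaults a bare address to /32)
          ];
          endpoint = "vpn.cloonar.com:51820";
          # ToDo: route to endpoint not automatically configured
          # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
          # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
          persistentKeepalive = 25;
        }
      ];
      # `-x` makes the VPN resolver exclusive while wg0 is up, so *all* DNS
      # (not only the split-tunnelled prefixes) goes to 10.42.97.1.
      postSetup = ''
        printf "nameserver 10.42.97.1\nsearch cloonar.com" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 -x
      '';
      # Drop the resolver entry again when the tunnel goes down; without this
      # the exclusive VPN nameserver lingers and DNS breaks once wg0 is gone.
      # `-f` ignores a missing interface entry so teardown never fails here.
      postShutdown = ''
        ${pkgs.openresolv}/bin/resolvconf -f -d wg0
      '';
    };
  };

  # pgp
  services.pcscd.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = [ "nix-command" "flakes" ];
      max-jobs = 12;
      cores = 2;
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
    # Free up to 1GiB whenever there is less than 100MiB left.
    extraOptions = ''
      min-free = ${toString (100 * 1024 * 1024)}
      max-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  services.xserver.desktopManager.gnome.extraGSettingsOverrides = ''
    [org.gnome.desktop.interface]
    cursor-size=24
  '';

  system.stateVersion = "24.05"; # Did you read the comment?
}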