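# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "nb-01": impermanent root on /nix/persist, sops-managed secrets,
# WireGuard client, sway desktop (imported from ./modules/sway).

{ config, lib, pkgs, ... }:

let
  # Unstable channel import (unfree allowed). Not referenced anywhere in this
  # file; Nix is lazy, so the tarball is only fetched if it is ever used.
  # Both fetches below are unpinned (no sha256), so every evaluation can pull
  # different upstream content — pin with `sha256 = "<hash>"` for
  # reproducible, supply-chain-verifiable builds.
  unstable = import
    (fetchTarball "https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz")
    { config = { allowUnfree = true; }; };

  # impermanence module, tracked from its master branch (unpinned, see above).
  impermanence = builtins.fetchTarball
    "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in
{
  nixpkgs.config.allowUnfree = true;
  # Global allowBroken silences nixpkgs' "broken" marker for every package on
  # this host; prefer per-package `meta.broken` overrides once the offending
  # package is known.
  nixpkgs.config.allowBroken = true;

  # System-wide trust for the local mkcert development root CA.
  # `security.pki.certificates` expects PEM *contents*, so a path string there
  # would have been written verbatim into the CA bundle instead of the cert;
  # `certificateFiles` takes the file itself (read at evaluation time, so the
  # file must exist on the machine doing the rebuild). Anyone holding this CA's
  # private key can issue certificates this host trusts — keep it local.
  security.pki.certificateFiles = [
    /home/dominik/.local/share/mkcert/rootCA.pem
  ];

  imports = [
    "${impermanence}/nixos.nix"
    ./utils/bento.nix
    ./utils/modules/sops.nix
    ./utils/modules/nur.nix
    ./modules/appimage.nix
    ./modules/sway/sway.nix
    ./modules/printer.nix
    ./modules/nvim/default.nix
    ./utils/modules/autoupgrade.nix
    ./cachix.nix
    ./users
    # ./modules/steam.nix
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ];

  services.gvfs.enable = true;

  # Only real font packages belong here; fontconfig indexes their share/fonts
  # directories and nothing else. The tools that were listed alongside
  # open-sans were moved to environment.systemPackages below.
  fonts.packages = with pkgs; [
    open-sans
  ];

  programs.zsh = {
    enable = true;
    ohMyZsh = {
      enable = true; # Enable Oh My Zsh
      theme = "steeef"; # Set theme
      plugins = [ "git" ]; # Add plugins
    };
  };

  users.defaultUserShell = pkgs.zsh;

  services.fwupd.enable = true;

  swapDevices = [
    {
      device = "/nix/persist/swapfile";
      size = 32 * 1024; # Size is in megabytes
    }
  ];

  # nixos cross building qemu
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.supportedFilesystems = [ "ntfs" ];

  boot.plymouth = {
    enable = true;
    theme = "spin";
    themePackages = with pkgs; [
      # By default we would install all themes
      (adi1090x-plymouth-themes.override { selected_themes = [ "spin" ]; })
    ];
  };

  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  hardware.bluetooth.settings = {
    General = {
      ControllerMode = "bredr";
    };
  };

  services.tlp = {
    enable = true;
    settings = {
      CPU_SCALING_GOVERNOR_ON_AC = "performance";
      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
      CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
      CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
      START_CHARGE_THRESH_BAT0 = 60;
      STOP_CHARGE_THRESH_BAT0 = 80;
    };
  };

  # Impermanence: everything not listed here is lost on reboot.
  environment.persistence."/nix/persist" = {
    hideMounts = true;
    directories = [ "/home" ];
  };

  environment.persistence."/nix/persist/system" = {
    hideMounts = true;
    directories = [
      "/etc/nixos"
      "/root/.ssh"
      "/var/bento"
      "/var/log"
      "/var/lib/bluetooth"
      "/var/lib/docker"
      "/var/lib/flatpak"
      "/var/lib/nixos"
      "/etc/NetworkManager/system-connections"
    ];
    # SSH host keys must survive reboots: sops decrypts secrets with the
    # ed25519 host key (see sops.age.sshKeyPaths), and a regenerated key would
    # also trip every client's known_hosts.
    files = [
      "/etc/machine-id"
      {
        file = "/etc/ssh/ssh_host_ed25519_key";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
      {
        file = "/etc/ssh/ssh_host_ed25519_key.pub";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
      {
        file = "/etc/ssh/ssh_host_rsa_key";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
      {
        file = "/etc/ssh/ssh_host_rsa_key.pub";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
    ];
  };

  # sshd with module defaults; password authentication is not disabled here.
  services.openssh.enable = true;

  # Secrets are decrypted with the host's ed25519 key (converted to an age
  # identity by sops-nix). wg_private_key / wg_preshared_key are declared but
  # not referenced in this file — presumably consumed by an imported module.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.epicenter_vpn_ca = {};
  sops.secrets.epicenter_vpn_cert = {};
  sops.secrets.epicenter_vpn_key = {};
  sops.secrets.wg_private_key = {};
  sops.secrets.wg_preshared_key = {};
  sops.secrets.wg-cloonar-key = {};

  virtualisation.docker.enable = true;

  services.flatpak.enable = true;
  # One-shot-style unit that registers flathub. It contacts flathub.org, so
  # it is ordered after network-online.target instead of racing the network
  # at boot (the unit would otherwise fail on the first boot and stay failed).
  systemd.services.flatpak-repo = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    path = [ pkgs.flatpak ];
    script = ''
      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    '';
  };

  networking.hostName = "nb-01"; # Define your hostname.
  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
  # Static name resolution: pins the VPN endpoint (and one internal host)
  # independently of whichever resolver is active.
  networking.extraHosts = ''
    77.119.230.30 vpn.cloonar.com
    10.25.0.25 archive.zeichnemit.at
  '';

  # Set your time zone.
  time.timeZone = "Europe/Vienna";

  console.keyMap = "de";

  users.users.dominik = {
    isNormalUser = true;
    # A hash set via hashedPassword ends up in the world-readable Nix store;
    # `hashedPasswordFile` pointing at a sops-managed secret keeps it out.
    hashedPassword = "$y$j9T$btz9xel62NjCyLdQRm5ck1$iCm6R7u4wiMeSVfrB6Y.3UwoQJ/rfkXiYSrXI2RTYm/";
    # "wheel" enables ‘sudo’ for the user; "docker" is root-equivalent via
    # the daemon socket.
    extraGroups = [
      "wheel"
      "disk"
      "video"
      "audio"
      "mysql"
      "docker"
      "vboxusers"
      "networkmanager"
      "onepassword"
      "onepassword-cli"
      "dialout"
    ];
  };

  environment.systemPackages = with pkgs; [
    bento
    docker-compose
    drone-cli
    git-filter-repo
    nix-prefetch-git
    openaudible
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    wireguard-tools
    wineWowPackages.stable
    wineWowPackages.fonts
    winetricks
    # ykfde

    # Moved here from fonts.packages, where non-font packages have no effect.
    git
    git-lfs
    nix-prefetch
    jq
    oh-my-zsh
    zsh-autosuggestions
    zsh-completions
    zsh-syntax-highlighting
    zsh-history-substring-search
    creality-print
  ];

  environment.variables = {
    TERMINAL_COMMAND = "alacritty";
  };

  services.blueman.enable = true;

  system.stateVersion = "24.05"; # Did you read the comment?

  security.polkit.enable = true;
  systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
      };
    };
  };

  networking.wireguard.interfaces = {
    wg0 = {
      # Determines the IP address and subnet of the client's end of the tunnel interface.
      ips = [ "10.42.98.201/32" ];

      # Path to the private key file.
      #
      # Note: The private key can also be included inline via the privateKey option,
      # but this makes the private key world-readable; thus, using privateKeyFile is
      # recommended.
      # publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
      privateKeyFile = config.sops.secrets.wg-cloonar-key.path;

      peers = [
        {
          publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
          allowedIPs = [
            "10.42.96.0/20"
            # wohnservice-wien
            "10.254.240.0/24"
            "10.254.235.0/24"
            # epicenter.works
            "10.14.0.0/16"
            "10.25.0.0/16"
          ];
          endpoint = "vpn.cloonar.com:51820";
          # ToDo: route to endpoint not automatically configured
          # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
          # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
          persistentKeepalive = 25;
        }
      ];

      # Push the tunnel's resolver and search domain via openresolv while the
      # interface is up ...
      postSetup = ''
        printf "nameserver 10.42.97.1\nsearch cloonar.com" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 -x
      '';
      # ... and withdraw it again on shutdown, otherwise resolv.conf keeps
      # pointing at 10.42.97.1 after the tunnel is gone.
      postShutdown = ''
        ${pkgs.openresolv}/bin/resolvconf -d wg0
      '';
    };
  };

  # networking.networkmanager.insertNameservers = [ "9.9.9.9" "149.112.112.11" "2620:fe::fe" "2620:fe::9" ];
  # services.avahi.enable = false;
  # networking.resolvconf.enable = lib.mkForce false;
  # services.resolved = {
  #   enable = true;
  #   dnssec = "true";
  #   domains = [ "~." ];
  #   fallbackDns = [ "9.9.9.9" "149.112.112.11" "2620:fe::fe" "2620:fe::9" ];
  #   dnsovertls = "true";
  # };

  # networking.wg-quick.interfaces = {
  #   wg0 = {
  #     address = [ "10.42.98.201/32" ];
  #     privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
  #
  #     postUp = ''
  #       ${pkgs.systemd}/bin/resolvectl dns wg0 10.42.97.1
  #       ${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com
  #       ${pkgs.systemd}/bin/resolvectl dnsovertls wg0 true
  #     '';
  #
  #     peers = [
  #       {
  #         publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
  #         allowedIPs = [
  #           "10.42.96.0/20"
  #           # wohnservice-wien
  #           "10.254.240.0/24"
  #           # epicenter.works
  #           "10.14.0.0/16"
  #           "10.25.0.0/16"
  #         ];
  #         endpoint = "vpn.cloonar.com:51822";
  #         persistentKeepalive = 25;
  #       }
  #     ];
  #   };
  # };

  nix = {
    settings.auto-optimise-store = true;
    settings.experimental-features = [ "nix-command" "flakes" ];
    # autoOptimiseStore = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    # Free up to 1GiB whenever there is less than 100MiB left.
    extraOptions = ''
      min-free = ${toString (100 * 1024 * 1024)}
      max-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  services.xserver.desktopManager.gnome.extraGSettingsOverrides = ''
    [org.gnome.desktop.interface]
    cursor-size=24
  '';
}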