config/base.nix


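{ config, pkgs, lib, inputs, ... }:
# Base NixOS module shared by all hosts: imports, nixpkgs policy, recovery tools,
# nix daemon settings, sudo policy, VM-only overrides and fonts.
{
  # `ifExists` yields the path when it is present and an empty module otherwise,
  # so a fresh checkout without generated host files still evaluates.
  imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
    ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR`
    ./secrets
    ./profiles/locale-no.nix
    ./profiles/upgrade-diff.nix
    ./profiles/lix.nix
    # results of 'nixos-generate-config'
    # nice to have if i just dump this flake into /etc/nixos on a clean install
    (ifExists ./configuration.nix )
    (ifExists ./hardware-configuration.nix )
    # TODO: move somewhere smart
    # Marker option: false by default, forced to true inside `virtualisation.vmVariant`
    # so other modules can tell a `nixos-rebuild build-vm` evaluation apart from a real host.
    {
      options.virtualisation.isVmVariant = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
      config.virtualisation.vmVariant = {
        virtualisation.isVmVariant = true;
      };
    }
  ];

  nixpkgs.overlays = [
    (import ./overlays/wl-clipboard-timeout.nix)
  ];

  # Opts these packages out of nixpkgs' knownVulnerabilities refusal.
  # Every entry is a deliberate risk acceptance: re-check the list on each nixpkgs
  # bump and drop entries once the package is no longer flagged.
  nixpkgs.config.permittedInsecurePackages = [
    pkgs.pulsar.name
    pkgs.zotero.name
    pkgs.gitea.name
  ];

  # disk and hardware recovery / inspection tools, wanted on every host
  environment.systemPackages = with pkgs; [
    ddrescue
    gptfdisk
    ms-sys
    nvme-cli
    parted
    pciutils
    smartmontools
    testdisk
    usbutils
  # Nix system strings are hyphenated ("aarch64-linux"); the old "aarch64_linux"
  # spelling never matched, so the compositors were only ever added on x86_64.
  ] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64-linux" ]) [
    cage
    weston
  ];

  # TODO: selectively whitelist
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.allowUnfreePredicate = pkg: true; # accepts everything for now, same effect as allowUnfree
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  # apply microcode to fix functional and security issues
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;
  # enable kernel same-page merging for improved vm test performance
  # (trade-off: page dedup across guests has documented side-channel concerns)
  hardware.ksm.enable = true;

  boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyze can see what happened
  # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
  # raise to 15 if auto upgrading
  boot.loader.grub.configurationLimit = lib.mkDefault 5;
  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5;
  boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5;

  networking.firewall.enable = true; # default
  #networking.nftables.enable = true; # firewall backend, instead of iptables, breaks docker which uses iptables
  #networking.firewall.allowPing = false;
  #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
  # too spammy, rotates dmesg too quickly. This also drops the only record of refused inbound
  # connections, so there is no kernel-log trail for blocked traffic on these hosts.
  networking.firewall.logRefusedConnections = false;
  #system.switch.enable = false;
  #system.switch.enableNg = true; # rewritten in rust

  # Nix access tokens are kept as sops secrets and pulled into nix.conf via `!include`,
  # so the tokens never end up in the world-readable store.
  sops.secrets.nix-access-tokens = {}; # sops-nix defaults, i.e. root-only
  sops.secrets.nix-access-tokens-all.mode = "0440";
  sops.secrets.nix-access-tokens-all.group = config.users.groups."keys".name; # readable by the keys group
  nix.extraOptions = ''
    !include ${config.sops.secrets.nix-access-tokens.path}
    !include ${config.sops.secrets.nix-access-tokens-all.path}
  '';

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
    /* "pipe-operator" # not supported on lix 2.91 */
  ];
  #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
  # allowed-users: who may talk to the daemon at all. default is [ "*" ]
  nix.settings.allowed-users = [ "root" "@wheel" ];
  # trusted-users may override daemon settings (substituters, sandbox, ...), which is
  # root-equivalent; kept aligned with who may sudo (see execWheelOnly below)
  nix.settings.trusted-users = [ "root" "@wheel" ];
  nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  nix.settings.max-silent-time = 3600;
  #nix.settings.keep-failed = true; # fills up $TMPDIR
  nix.settings.log-lines = 35;
  #nix.optimize.automatic = true; # periodic optimization
  nix.gc.automatic = true;
  nix.gc.dates = "weekly";
  nix.gc.options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
  nix.settings.min-free = 3 * 1024 * 1024 * 1024; # free bytes below which gc starts
  nix.settings.max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free

  security.sudo.execWheelOnly = true; # only members of wheel may execute the sudo binary

  # thermald only on x86_64 and only when not running as a container
  services.thermald.enable = lib.all (x: x) [
    (config.nixpkgs.system == "x86_64-linux")
    (!config.boot.isContainer or false)
  ];

  # Overrides that apply only to `nixos-rebuild build-vm`; nothing in here reaches a real host.
  # (Previously three separate `virtualisation.vmVariant` sets; Nix merged them, this is the same result.)
  virtualisation.vmVariant = {
    # no acme in VM mode: point at a local endpoint so VM builds never contact the real CA
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    # set VM root password in VM mode
    users.users.root.initialPassword = "root";
    # fix VM networking, disable static IPs
    networking.interfaces = lib.mkForce {};
    networking.defaultGateway = lib.mkForce null;
    networking.nameservers = lib.mkForce [];
    networking.networkmanager.enable = lib.mkForce false;
    networking.useDHCP = lib.mkForce true;
  };

  # System fonts
  # Nice to have when X-forwarding on headless machines
  fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
  fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
  fonts.packages = with pkgs; [
    noto-fonts # includes Cousine
    noto-fonts-cjk-sans
    noto-fonts-cjk-serif
    noto-fonts-emoji
    noto-fonts-extra
  ];
}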