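# Base NixOS module shared by all hosts: common imports, nixpkgs policy,
# firmware/microcode, bootloader limits, firewall and sudo settings,
# build-vm (`nixos-rebuild build-vm`) overrides, system fonts and the
# fail2ban allowlist.
{ config, pkgs, lib, inputs, ... }:
# TODO: split this file into a `base` folder?
{
  imports = [
    ./../../secrets
    ./cachix.nix # update with `nix run nixpkgs#cachix -- use --mode nixos -d . FOOBAR`
    ./nix.nix
    ./lix.nix
    ./locale-no.nix
    ./upgrade-diff.nix
    ./vm-variant.nix
    ./ccache
    ./../mounts/common-nfs.nix
    /* ./profiles/mounts/common-zfs.nix */
  ];

  nixpkgs.overlays = [
    (import ./../../overlays/wl-clipboard-timeout.nix)
  ];

  # Packages whose current version nixpkgs flags as insecure but that are
  # still wanted.  Each entry widens the accepted attack surface, so it
  # should carry a reason and be re-checked on every channel bump.
  nixpkgs.config.permittedInsecurePackages = [
    pkgs.pulsar.name # TODO: remove once electron is bumped
    pkgs.zotero.name
    pkgs.gitea.name
    pkgs.forgejo.name
    pkgs.olm.name # TODO: remove
  ];

  # https://consoledonottrack.com/
  environment.variables.DO_NOT_TRACK = "1";

  # Disk and hardware diagnostics; skipped in the build-vm variant.
  # cage/weston are only added on the listed platforms.
  environment.systemPackages = lib.mkIf (!config.virtualisation.isVmVariant) (
    [
      pkgs.ddrescue
      pkgs.gptfdisk
      pkgs.ms-sys
      pkgs.nvme-cli
      pkgs.parted
      pkgs.pciutils
      pkgs.smartmontools
      pkgs.testdisk
      pkgs.usbutils
    ]
    # FIX: `pkgs.stdenv.hostPlatform` is an attrset, so comparing it against
    # system strings was always false (and "aarch64_linux" was misspelt);
    # compare the `.system` string as the thermald check below already does.
    ++ lib.optionals (lib.elem pkgs.stdenv.hostPlatform.system [ "x86_64-linux" "aarch64-linux" ]) [
      pkgs.cage
      pkgs.weston
    ]
  );

  # TODO: selectively whitelist
  nixpkgs.config.allowUnfree = true;
  # nixpkgs.config.allowAliases = false;
  # nixpkgs.config.warnAliases = true;
  # Redundant while allowUnfree is true; kept so the TODO above can turn
  # this into a real allowlist without touching other modules.
  nixpkgs.config.allowUnfreePredicate = pkg: true;
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  # apply microcode to fix functional and security issues
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;

  # enable kernel same-page merging for improved vm test performance
  hardware.ksm.enable = true;

  # enable Alt+SysRq+ shortcuts
  # https://wiki.nixos.org/wiki/Linux_kernel#Enable_SysRq
  # boot.kernel.sysctl."kernel.sysrq" = 1;

  # systemd manages the initrd boot; systemd-analyze can then see what happened
  boot.initrd.systemd.enable = true;

  # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
  # raised to 15 if auto upgrading by auto-upgrade.nix
  boot.loader.grub.configurationLimit = lib.mkDefault 5;
  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5;
  boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5;

  networking.firewall.enable = true; # default
  #networking.nftables.enable = true; # firewall backend, instead of iptables, breaks docker which uses iptables
  #networking.firewall.allowPing = false;
  #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
  # Refused connections are not logged: too spammy, rotates dmesg too quickly.
  # Note this also removes the kernel-log trace of port scans; rely on
  # fail2ban/service logs for that instead.
  networking.firewall.logRefusedConnections = false;

  # Only members of `wheel` may run the sudo binary at all.
  security.sudo.execWheelOnly = true;

  # `or` binds tighter than `!`, so this reads !(config.boot.isContainer or false).
  services.thermald.enable = lib.all (x: x) [
    (pkgs.stdenv.hostPlatform.system == "x86_64-linux")
    (!config.boot.isContainer or false)
  ];

  # no acme in build-vm mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
  };

  # set VM root password in build-vm mode (vmVariant only; never reaches real hosts)
  virtualisation.vmVariant = {
    users.users.root.initialPassword = "root";
  };

  # fix VM networking, disable static IPs
  virtualisation.vmVariant = {
    networking.interfaces = lib.mkForce {};
    networking.defaultGateway = lib.mkForce null;
    networking.nameservers = lib.mkForce [];
    networking.networkmanager.enable = lib.mkForce false;
    networking.useDHCP = lib.mkForce true;
  };

  # System fonts
  # Nice to have when X-forwarding on headless machines
  fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
  fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
  fonts.packages = with pkgs; [
    noto-fonts # includes Cousine
    noto-fonts-cjk-sans
    noto-fonts-cjk-serif
    noto-fonts-emoji
    noto-fonts-extra
  ];

  # Only the allowlist is set here; `services.fail2ban.enable` is expected to
  # be set per host.  Addresses in these ranges are never banned, so keep the
  # list to networks that are actually trusted.
  services.fail2ban = {
    ignoreIP = [
      # Whitelist some subnets
      "192.168.0.0/24" # local
      "10.0.0.0/8" # local
      "100.64.0.0/10" # tailscale
    ];
  };
}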