{ config, pkgs, lib, inputs, ... }: { imports = let ifExists = p: if builtins.pathExists p then p else {}; in [ ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR` ./secrets ./profiles/locale-no.nix ./profiles/upgrade-diff.nix ./profiles/lix.nix # results of 'nixos-generate-config' # nice to have if i just dump this flake into /etc/nixos on a clean install (ifExists ./configuration.nix ) (ifExists ./hardware-configuration.nix ) # TODO: move somewhere smart { options.virtualisation.isVmVariant = lib.mkOption { type = lib.types.bool; default = false; }; config.virtualisation.vmVariant = { virtualisation.isVmVariant = true; }; } ]; nixpkgs.overlays = [ (import ./overlays/wl-clipboard-timeout.nix) ]; nixpkgs.config.permittedInsecurePackages = [ pkgs.pulsar.name pkgs.zotero.name pkgs.gitea.name ]; environment.systemPackages = with pkgs; [ ddrescue gptfdisk ms-sys nvme-cli parted pciutils smartmontools testdisk usbutils ] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64_linux"]) [ cage weston ]; # TODO: selectively whitelist nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfreePredicate = pkg: true; nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg # apply microcode to fix functional and security issues hardware.enableRedistributableFirmware = true; hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64; hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64; # enable kernel same-page merging for improved vm test performance hardware.ksm.enable = true; boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyse can see what happened # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049 # raise to 15 if auto upgrading boot.loader.grub.configurationLimit = lib.mkDefault 5; boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5; boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5; networking.firewall.enable = true; # default #networking.nftables.enable = true; # wirewall backend, instead of iptables, breaks docker which uses iptables #networking.firewall.allowPing = false; #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam networking.firewall.logRefusedConnections = false; # too spammy, rotates dmesg too quickly #system.switch.enable = false; #system.switch.enableNg = true; # rewritten in rust sops.secrets.nix-access-tokens = {}; sops.secrets.nix-access-tokens-all.mode = "0440"; sops.secrets.nix-access-tokens-all.group = config.users.groups."keys".name; nix.extraOptions = '' !include ${config.sops.secrets.nix-access-tokens.path} !include ${config.sops.secrets.nix-access-tokens-all.path} ''; nix.settings.experimental-features = [ "nix-command" "flakes" /* "pipe-operator" # not supported on lix 2.91 */ ]; #nix.settings.allowed-users = [ "@builders" ]; # TODO: this nix.settings.allowed-users = [ "root" "@wheel" ]; # default is [ "*" ] nix.settings.trusted-users = [ "root" "@wheel" ]; nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise nix.settings.max-silent-time = 3600; #nix.settings.keep-failed = true; # fills up $TMPDIR nix.settings.log-lines = 35; #nix.optimize.automatic = true; # periodic optimization nix.gc.automatic = true; nix.gc.dates = "weekly"; nix.gc.options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d"; nix.settings.min-free = 3 * 1024 * 1024 * 1024; # starts cg nix.settings.max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free security.sudo.execWheelOnly = true; services.thermald.enable = lib.all (x: x) [ (config.nixpkgs.system == "x86_64-linux") (!config.boot.isContainer or false) ]; # no acme in VM mode: virtualisation.vmVariant = { security.acme.defaults.server = "https://127.0.0.1"; security.acme.preliminarySelfsigned = true; }; # set VM root password in VM mode virtualisation.vmVariant = { users.users.root.initialPassword = "root"; }; # fix VM networking, disable static IPs virtualisation.vmVariant = { networking.interfaces = lib.mkForce {}; networking.defaultGateway = lib.mkForce null; networking.nameservers = lib.mkForce []; networking.networkmanager.enable = lib.mkForce false; networking.useDHCP = lib.mkForce true; }; # System fonts # Nice to have when X-forwading on headless machines fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji fonts.packages = with pkgs; [ noto-fonts # includes Cousine noto-fonts-cjk-sans noto-fonts-cjk-serif noto-fonts-emoji noto-fonts-extra ]; }