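{ config, pkgs, lib, inputs, ... }:

# Shared base module for every host: nixpkgs policy (unfree / insecure
# allow-lists), baseline recovery tooling, firmware and boot settings,
# firewall defaults, build-vm overrides, fonts and fail2ban.
# TODO: split this file into a `base` folder?

let
  # Platforms that additionally get the small Wayland compositors (cage, weston).
  # Compared against `hostPlatform.system`, which is a string such as "x86_64-linux".
  waylandPlatforms = [ "x86_64-linux" "aarch64-linux" ];
in
{
  imports = [
    ./../../secrets # required; evaluation fails if the directory is missing
    ./binary-caches.nix
    ./nix.nix
    # ./lix.nix
    ./locale-no.nix
    ./upgrade-diff.nix
    ./vm-variant.nix
    ./ccache
    ./../mounts/common-nfs.nix
    # ./profiles/mounts/common-zfs.nix
  ];

  nixpkgs.overlays = [
    (import ./../../overlays/wl-clipboard-timeout.nix)
  ];

  # TODO: selectively whitelist
  nixpkgs.config.allowUnfree = true;
  # nixpkgs.config.allowAliases = false;
  # nixpkgs.config.warnAliases = true;
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  # TODO:
  # nixpkgs.config.allowUnfreePredicate = drv: lib.elem (lib.getName drv) [
  #   pkgs.davinci-resolve.pname
  #   pkgs.intel-ocl.pname
  # ];

  # Each entry bypasses the nixpkgs `knownVulnerabilities` check for that exact
  # package name/version, so the list silently stops matching once the package
  # is bumped; revisit on every upgrade.
  nixpkgs.config.permittedInsecurePackages = [
    pkgs.pulsar.name # TODO: remove once electron is bumped
    pkgs.zotero.name
    pkgs.gitea.name
    pkgs.forgejo.name
    pkgs.olm.name # TODO: remove
  ];

  # https://consoledonottrack.com/
  environment.variables.DO_NOT_TRACK = "1";

  # Disk/hardware diagnostics and recovery tools; skipped in the build-vm variant.
  environment.systemPackages = lib.mkIf (!config.virtualisation.isVmVariant) ([
    pkgs.dmidecode
    pkgs.ddrescue
    pkgs.gptfdisk
    pkgs.ms-sys
    pkgs.nvme-cli
    pkgs.parted
    pkgs.pciutils
    pkgs.smartmontools
    pkgs.testdisk
    pkgs.usbutils
  ] ++ lib.optionals (lib.elem pkgs.stdenv.hostPlatform.system waylandPlatforms) [
    pkgs.cage
    pkgs.weston
  ]);

  # apply microcode to fix functional and security issues
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.hostPlatform.isx86_64;
  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.hostPlatform.isx86_64;

  # enable kernel same-page merging for improved vm test performance
  hardware.ksm.enable = true;

  # enable Alt+SysRq+<key> shortcuts
  # https://wiki.nixos.org/wiki/Linux_kernel#Enable_SysRq
  # boot.kernel.sysctl."kernel.sysrq" = 1;

  boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyze can see what happened
  # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
  # raised to 15 if auto upgrading by auto-upgrade.nix
  boot.loader.grub.configurationLimit = lib.mkDefault 5;
  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5;
  boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5;

  networking.firewall.enable = lib.mkDefault true; # default is true
  #networking.nftables.enable = true; # firewall backend, instead of iptables, breaks docker which uses iptables
  #networking.firewall.allowPing = false;
  #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
  # Also drops the kernel-log trail of refused connections, so dmesg/journal
  # cannot be used to reconstruct scans against this host.
  networking.firewall.logRefusedConnections = false; # too spammy, rotates dmesg too quickly

  # nixos-rebuild switch --specialisation no-firewall
  specialisation.no-firewall.configuration = {
    networking.firewall.enable = false;
    services.fail2ban.enable = false; # requires firewall
  };

  security.sudo.execWheelOnly = true;

  # thermald is x86_64-only and pointless inside a container.
  services.thermald.enable =
    pkgs.stdenv.hostPlatform.system == "x86_64-linux"
    && !(config.boot.isContainer or false);

  # Overrides that apply only to the `nixos-rebuild build-vm` image
  # (merged into one attrset; the three settings groups are independent).
  virtualisation.vmVariant = {
    # no acme in build-vm mode:
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;

    # set VM root password in build-vm mode; this only lands in the VM image,
    # not in the configuration deployed to the host itself
    users.users.root.initialPassword = "root";

    # fix VM networking, disable static IPs
    networking.interfaces = lib.mkForce {};
    networking.defaultGateway = lib.mkForce null;
    networking.nameservers = lib.mkForce [];
    networking.networkmanager.enable = lib.mkForce false;
    networking.useDHCP = lib.mkForce true;
  };

  # System fonts
  # Nice to have when X-forwarding on headless machines
  fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
  fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
  fonts.packages = with pkgs; [
    noto-fonts # includes Cousine
    noto-fonts-cjk-sans
    noto-fonts-cjk-serif
    #noto-fonts-emoji # removed
    noto-fonts-color-emoji
    #noto-fonts-extra
  ];

  services.fail2ban = {
    # Addresses in these ranges are never banned, even after repeated failures,
    # so keep the list to networks this host actually trusts.
    ignoreIP = [
      # Whitelist some subnets
      "192.168.0.0/24" # local
      "10.0.0.0/8" # local
      "100.64.0.0/10" # tailscale
    ];
  };
}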