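{ config, pkgs, lib, inputs, ... }:

# Host-independent base module: optional generated-config imports, nixpkgs
# policy (overlay, insecure/unfree allowances), a small set of disk and
# hardware tools, nix daemon settings, fonts, firewall and bootloader limits.
{
  imports = let
    # Import `p` only when the file exists; `{}` is a valid empty module.
    ifExists = p: if builtins.pathExists p then p else {};
  in [
    ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR`
    ./profiles/locale-no.nix
    ./profiles/upgrade-diff.nix
    # results of 'nixos-generate-config'
    # nice to have if i just dump this flake into /etc/nixos on a clean install
    (ifExists ./configuration.nix)
    (ifExists ./hardware-configuration.nix)
  ];

  nixpkgs.overlays = [ (import ./overlay.nix) ];

  # Each entry evaluates to the *current* "name-version" string of the package,
  # so the allowance silently follows every nixpkgs bump instead of being
  # re-reviewed per version. A literal "pkg-x.y.z" would force that review.
  nixpkgs.config.permittedInsecurePackages = [
    pkgs.pulsar.name
    pkgs.zotero.name
    pkgs.gitea.name
  ];

  # Disk recovery / partitioning / hardware inspection tools.
  environment.systemPackages = with pkgs; [
    ddrescue
    gptfdisk
    ms-sys
    nvme-cli
    parted
    pciutils
    smartmontools
    testdisk
    usbutils
  ] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64-linux" ]) [
    # Nix system strings are hyphenated; the old "aarch64_linux" spelling never
    # matched, so arm64 hosts silently lost these packages.
    cage
    weston
  ];

  # TODO: selectively whitelist
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.allowUnfreePredicate = (pkg: true);
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  hardware.enableRedistributableFirmware = true;

  # Access tokens for private flake inputs live in a sops secret that nix.conf
  # pulls in via `!include`; the daemon runs as root, so 0440 + the keys group
  # keeps the token file unreadable to ordinary users.
  sops.secrets.nix-access-tokens.mode = "0440";
  sops.secrets.nix-access-tokens.group = config.users.groups.keys.name;
  nix.extraOptions = ''
    !include ${config.sops.secrets.nix-access-tokens.path}
  '';

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.allowed-users = [ "*" ]; # default
  #nix.settings.allowed-users = [ "@nixbld" "@builders" ]; # TODO: this
  # Trusted users may override substituters, sandbox and other daemon options;
  # the Nix manual treats membership as equivalent to root access, so keep this
  # list to administrators only.
  nix.settings.trusted-users = [ "root" "@wheel" ];
  nix.settings.keep-derivations = true; # great with nix-diff
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  nix.settings.max-silent-time = 3600;
  #nix.settings.keep-failed = true;
  #nix.settings.log-lines = 35;
  #nix.optimize.automatic = true; # periodic optimization
  nix.gc.automatic = true;
  nix.gc.dates = "weekly";
  # Only prune old generations aggressively when upgrades are automatic too.
  nix.gc.options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
  # Bytes: start collecting below 3 GiB free, stop once 20 GiB is free.
  nix.settings.min-free = 3 * 1024 * 1024 * 1024;
  nix.settings.max-free = 20 * 1024 * 1024 * 1024;

  services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true;

  # System fonts
  # Nice to have when X-forwading on headless machines
  fonts.fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
  fonts.enableDefaultPackages = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
  fonts.packages = with pkgs; [
    noto-fonts # includes Cousine
    noto-fonts-cjk
    noto-fonts-emoji
    noto-fonts-extra
  ];

  networking.firewall.enable = true; # default

  # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
  # raise to 15 if auto upgrading
  boot.loader.grub.configurationLimit = lib.mkDefault 5;
  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5;
  boot.loader.raspberryPi.uboot.configurationLimit = lib.mkDefault 5;
  boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5;
}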