config/configuration.nix


{ config, pkgs, lib, ... }:
{
#nixpkgs.overlays = overlays;
# Package policy: unfree packages are permitted. Both the boolean and the
# predicate are set, as in the original; either one on its own permits them.
nixpkgs.config = {
  allowUnfreePredicate = pkg: true;
  allowUnfree = true;
};
# Unattended daily `nixos-rebuild switch`; does not reboot by default.
system.autoUpgrade.enable = true;
nix = {
  # TODO: express as structured settings instead of a raw string
  extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # Hardlink identical store files (expensive); `nix-store --optimise`
  # does the same on demand.
  settings.auto-optimise-store = true;
  #optimize.automatic = true; # periodic optimisation
  gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
};
# TODO: belongs in pbsds' home configuration
programs.ssh.extraConfig = ''
  Host *.ntnu.no *.pvv.org
  User pederbs
'';
imports = [
  ./hardware-configuration.nix # output of the hardware scan
  ./cachix.nix
  # web-facing services, one module per application
  ./profiles/web
  ./profiles/web/index
  ./profiles/web/cinny
  ./profiles/web/element
  ./profiles/web/flexget
  ./profiles/web/gitea
  ./profiles/web/hydra
  ./profiles/web/invidious
  ./profiles/web/jellyfin
  ./profiles/web/libreddit
  ./profiles/web/mattermost
  ./profiles/web/navidrome
  ./profiles/web/netdata
  ./profiles/web/nitter
  ./profiles/web/ntopng
  ./profiles/web/owncast
  ./profiles/web/paperless
  ./profiles/web/polaris
  ./profiles/web/resilio
  ./profiles/web/roundcube
  ./profiles/web/thelounge
  ./profiles/web/vaultwarden
  ./profiles/web/webdav-zotero
  # currently disabled web services
  #./profiles/web/convos
  #./profiles/web/cryptpad
  #./profiles/web/galene
  #./profiles/web/graphana
  #./profiles/web/hedgedoc
  #./profiles/web/home-assistant
  #./profiles/web/jitsi-meet
  #./profiles/web/kukkee
  #./profiles/web/matrix-synapse
  #./profiles/web/shlink
  #./profiles/web/sourcegraph
  # static sites and small self-made services
  ./profiles/web/pdoc
  ./profiles/web/linktree-pbsds
  ./profiles/web/refleksjon-no
  ./profiles/web/roroslyd-no
  ./profiles/web/trivial-gradios
  ./profiles/web/censordodge
  ./profiles/web/openspeedtest
  # non-web profiles
  ./profiles/code-remote
  ./profiles/remote-builders
  ./profiles/nfs/reidun.nix # NFS mounts
  ./profiles/autossh-reverse-tunnels
  #./profiles/xrdp
  ./users
  #./users/pbsds # todo: <- make this possible
  # Module overrides: take these two modules from nixos-unstable and disable
  # the stable copies in `disabledModules` below. Pattern described in
  # https://github.com/NixOS/nixpkgs/issues/55366
  # TODO: move next to the services they belong to
  <nixos-unstable/nixos/modules/services/misc/jellyfin.nix>
  <nixos-unstable/nixos/modules/services/web-apps/invidious.nix>
];
disabledModules = [
  "services/misc/jellyfin.nix"
  "services/web-apps/invidious.nix"
];
# The unstable modules above are paired with the unstable package builds.
services.jellyfin.package = pkgs.unstable.jellyfin;
services.invidious.package = pkgs.unstable.invidious;
# TODO: remove, or move next to whatever the overlays touch
nixpkgs.overlays = [ (import ./overlays) ];
# Expose nixos-unstable as `pkgs.unstable`, evaluated with this system's
# nixpkgs config so the same unfree/override policy applies to it.
nixpkgs.config.packageOverrides = pkgs: {
  unstable = import <nixos-unstable> { inherit (config.nixpkgs) config; };
  # TODO: nur
};
# Headless OpenGL stack with VA-API/VDPAU and Intel OpenCL packages.
hardware.opengl = {
  enable = true;
  #extraPackages = [ pkgs.mesa.drivers ];
  extraPackages = with pkgs; [
    mesa.drivers
    vaapiIntel
    libvdpau-va-gl
    vaapiVdpau
    intel-ocl
  ];
};
boot = {
  # Run and build foreign-architecture binaries via binfmt_misc emulation.
  binfmt.emulatedSystems = [
    "wasm32-wasi"
    "wasm64-wasi"
    "x86_64-windows"
    "aarch64-linux"
    "riscv64-linux"
    #"x86_64-darwin"
    #"aarch64-darwin"
  ];
  # Bootloader: GRUB on the first disk, os-prober for other installed systems.
  loader.grub = {
    enable = true;
    device = "/dev/sda";
    useOSProber = true;
  };
};
services.thermald.enable = true;
# Containers: podman, with `docker` aliased to it.
#services.docker.enable = true;
virtualisation = {
  podman = {
    enable = true;
    # TODO: are these default since 22.11?
    dockerCompat = true;
  };
  oci-containers.backend = "podman";
};
# Networking: static IPv4 on eno1, managed by NetworkManager; the LAN router
# serves as default gateway and primary resolver.
networking = {
  hostName = "noximilien";
  domain = "pbsds.net";
  networkmanager.enable = true;
  #wireless.enable = true; # wireless support via wpa_supplicant
  #iwd.enable = true
  #useDHCP = true;
  interfaces.eno1.ipv4.addresses = [
    { address = "192.168.1.9"; prefixLength = 24; }
  ];
  defaultGateway = {
    address = "192.168.1.254";
    interface = "eno1";
  };
  nameservers = [
    "192.168.1.254"
    "8.8.8.8"
  ];
  # Firewall stays on (also the default). No ports are opened in this file;
  # presumably the imported profiles open what their services need.
  firewall.enable = true;
  #firewall.allowedTCPPorts = [ ... ];
  #firewall.allowedUDPPorts = [ ... ];
};
# Ban sources that repeatedly fail authentication.
services.fail2ban.enable = true;
# Time zone and locale: English messages, Norwegian regional formats,
# Norwegian keyboard layout for X and the console.
time.timeZone = "Europe/Oslo";
i18n = {
  defaultLocale = "en_US.utf8";
  # Every LC_* category except messages/collation follows nb_NO.
  extraLocaleSettings = lib.genAttrs [
    "LC_ADDRESS"
    "LC_IDENTIFICATION"
    "LC_MEASUREMENT"
    "LC_MONETARY"
    "LC_NAME"
    "LC_NUMERIC"
    "LC_PAPER"
    "LC_TELEPHONE"
    "LC_TIME"
  ] (_: "nb_NO.utf8");
};
services.xserver = {
  layout = "no";
  xkbVariant = "";
};
console.keyMap = "no";
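# System-wide packages (look things up with `nix search FOOBAR`).
# TODO: prune this; let home-manager carry the majority.
# `atool` appeared twice in the original list; the duplicate is dropped.
environment.systemPackages = with pkgs; [
  # inspection and basic tooling
  lsof
  lshw
  htop
  file
  tmux
  #parallel # already provided by moreutils
  pwgen
  git
  nmap
  rsync
  bind.dnsutils
  graphviz
  dialog
  cowsay
  # GNU userland and friends
  gnused
  gnumake
  coreutils-full
  moreutils
  binutils
  diffutils
  findutils
  usbutils
  bash-completion
  curl
  wget
  strace
  killall
  # archivers
  zip
  unrar
  unzip
  atool
  p7zip
  bzip2
  gzip
  # editors, spelling, text conversion
  micro
  aspell
  aspellDicts.en
  aspellDicts.nb
  vimv
  dos2unix
  #rmate # TODO: add to nixpkgs
  pandoc
  cargo
  cargo-edit
  sqlite
  #sshuttle
  visidata
  # display/desktop odds and ends
  weston
  cage
  vimix-gtk-themes
  flat-remix-icon-theme
  xclip
  feh
  sshfs
  glances
  zenith
  # modern CLI replacements and JSON/YAML/HTML tooling
  fzf
  tealdeer # tldr
  entr
  axel aria
  bat
  xe # xargs alternative
  sd # sed alternative
  fd # find alternative
  silver-searcher # `ag`
  ripgrep
  jq
  yq
  htmlq
  sysz
  du-dust # du alternative
  ncdu # Disk usage analyzer with an ncurses interface
  # git forges
  gh
  hub
  # nix tooling
  cachix
  nix-output-monitor
  nix-prefetch
  nix-top
  #nix-index
  nix-tree
  nixfmt
  alejandra
];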
# Interactive bash: fzf key bindings and completion when fzf is installed.
# TODO: make this root only?
programs.bash = {
  shellInit = ''
    if command -v fzf-share >/dev/null; then
    source "$(fzf-share)/key-bindings.bash"
    source "$(fzf-share)/completion.bash"
    fi
  '';
  # TODO: make this root only?
  shellAliases."ed" = "micro"; # TODO: ${EDITOR:-micro}
};
environment.variables."EDITOR" = "micro";
# TODO: remove? Move?
programs.dconf.enable = true;
# System fonts; useful for clients X-forwarded from this headless machine.
fonts.fonts = with pkgs; [
  noto-fonts # includes Cousine
  noto-fonts-cjk
  noto-fonts-emoji
  noto-fonts-extra
  dejavu_fonts
];
# Programs needing SUID wrappers; can be configured further or are started
# in user sessions.
#programs.mtr.enable = true;
#programs.gnupg.agent = {
#  enable = true;
#  enableSSHSupport = true;
#};
# OpenSSH. Server-side X11 forwarding is on so GUI tools can be run over
# ssh; it adds to sshd's exposed surface, so keep it only while it is used.
# NOTE(review): authentication settings are left at the module defaults
# here (presumably including password logins); `./users` is out of view, so
# whether every account has a key is not verifiable from this file.
services.openssh = {
  enable = true;
  forwardX11 = true;
};
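# Dynamic-DNS updater for domene.shop.
#
# Credentials live in a TOML file with a `[secrets]` table holding
# DOMENESHOP_TOKEN and DOMENESHOP_SECRET. Two changes from the naive shape:
#  * the file is handed to the unit through systemd's LoadCredential=, so it
#    can stay root-only on disk instead of having to be readable by the
#    (dynamic) service user;
#  * token and secret are fed to curl as a config on stdin instead of in the
#    URL, so they never appear in the process argv (/proc/<pid>/cmdline).
# curl is also told to --fail, so an HTTP error (e.g. a 401) fails the unit
# rather than exiting 0.
systemd.services.domeneshop-updater = let
  secretFile = "/var/lib/secrets/domeneshop.toml";
  updater = pkgs.writeShellApplication {
    name = "domeneshop-dyndns-updater.sh";
    # writeShellApplication runs the script under `set -euo pipefail`.
    runtimeInputs = with pkgs; [ curl yq ];
    text = ''
      creds="''${CREDENTIALS_DIRECTORY:?LoadCredential= not set}/domeneshop.toml"
      test -s "$creds" || {
        >&2 echo "ERROR: ${secretFile} not found or empty!"
        exit 1
      }
      DOMENESHOP_TOKEN="$(tomlq .secrets.DOMENESHOP_TOKEN "$creds" --raw-output)"
      DOMENESHOP_SECRET="$(tomlq .secrets.DOMENESHOP_SECRET "$creds" --raw-output)"
      # NOTE(review): the curl config line assumes neither value contains a
      # double quote or backslash — confirm against the token format.
      printf 'user = "%s:%s"\n' "$DOMENESHOP_TOKEN" "$DOMENESHOP_SECRET" \
        | curl --config - --fail --silent --show-error \
            "https://api.domeneshop.no/v0/dyndns/update?hostname=olavtr.pbsds.net"
    '';
  };
in {
  description = "domene.shop domain updater";
  #after = [ "something?.service" ];
  #wants = [ "something?.service" ];
  serviceConfig = {
    # The script runs to completion; oneshot gives the timer correct
    # success/failure semantics.
    Type = "oneshot";
    User = "domeneshop";
    Group = "domeneshop";
    DynamicUser = true;
    # systemd (as root) reads the file and exposes a copy to the service at
    # $CREDENTIALS_DIRECTORY/domeneshop.toml.
    LoadCredential = "domeneshop.toml:${secretFile}";
    ExecStart = "${updater}/bin/domeneshop-dyndns-updater.sh";
    PrivateTmp = true;
  };
};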
# Timer for the dyndns updater: first run 5 minutes after boot, then again
# `interval` after each run finishes.
systemd.timers.domeneshop-updater =
  let
    interval = "5h";
  in {
    description = "Update domene.shop every ${interval}";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      Unit = "domeneshop-updater.service";
      OnBootSec = "5m";
      OnUnitInactiveSec = interval;
    };
  };
# The NixOS release whose defaults for stateful data (file locations,
# database schema versions, ...) this system was installed with. Leave it at
# the release of the first install; before changing it, read the option's
# documentation (`man configuration.nix` or
# https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
#system.stateVersion = "22.05"; # Did you read the comment?
}