bikeshedding
This commit is contained in:
parent
07170ee242
commit
052257c5a7
|
@ -51,16 +51,8 @@
|
||||||
./modules/vfio.nix
|
./modules/vfio.nix
|
||||||
./modules/ccache.nix
|
./modules/ccache.nix
|
||||||
./modules/impermanence.nix
|
./modules/impermanence.nix
|
||||||
|
./modules/common.nix
|
||||||
impermanence.nixosModule
|
impermanence.nixosModule
|
||||||
{
|
|
||||||
# make this flake's nixpkgs available to the whole system
|
|
||||||
nix = {
|
|
||||||
generateNixPathFromInputs = true;
|
|
||||||
generateRegistryFromInputs = true;
|
|
||||||
linkInputs = true;
|
|
||||||
};
|
|
||||||
nixpkgs.overlays = [ (self: super: import ./pkgs { pkgs = super; inherit lib; }) ];
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
hosts = {
|
hosts = {
|
||||||
nixmsi = mkHost {
|
nixmsi = mkHost {
|
||||||
|
|
|
@ -65,7 +65,6 @@ in {
|
||||||
# resume_offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
# resume_offset = $(btrfs inspect-internal map-swapfile -r path/to/swapfile)
|
||||||
"resume_offset=533760"
|
"resume_offset=533760"
|
||||||
"fbcon=font:TER16x32"
|
"fbcon=font:TER16x32"
|
||||||
"consoleblank=60"
|
|
||||||
# disable PSR to *hopefully* avoid random hangs
|
# disable PSR to *hopefully* avoid random hangs
|
||||||
# this one didnt help
|
# this one didnt help
|
||||||
"amdgpu.dcdebugmask=0x10"
|
"amdgpu.dcdebugmask=0x10"
|
||||||
|
@ -102,25 +101,16 @@ in {
|
||||||
nixpkgs.config.allowUnfreePredicate = pkg: (lib.getName pkg) == "steam-original";
|
nixpkgs.config.allowUnfreePredicate = pkg: (lib.getName pkg) == "steam-original";
|
||||||
hardware = {
|
hardware = {
|
||||||
steam-hardware.enable = true;
|
steam-hardware.enable = true;
|
||||||
enableRedistributableFirmware = true;
|
|
||||||
opengl.driSupport32Bit = true;
|
opengl.driSupport32Bit = true;
|
||||||
# needed for sway WLR_RENDERER=vulkan
|
# needed for sway WLR_RENDERER=vulkan
|
||||||
opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
|
opengl.extraPackages = with pkgs; [ vulkan-validation-layers ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh = {
|
# services.openssh.enable = true;
|
||||||
enable = true;
|
|
||||||
settings.PasswordAuthentication = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.tlp.enable = true;
|
services.tlp.enable = true;
|
||||||
services.tlp.settings = {
|
# fix for my realtek usb ethernet adapter
|
||||||
USB_EXCLUDE_PHONE = 1;
|
services.tlp.settings.USB_DENYLIST = "0bda:8156";
|
||||||
START_CHARGE_THRESH_BAT0 = 75;
|
|
||||||
STOP_CHARGE_THRESH_BAT0 = 80;
|
|
||||||
# fix for my realtek usb ethernet adapter
|
|
||||||
USB_DENYLIST = "0bda:8156";
|
|
||||||
};
|
|
||||||
|
|
||||||
# see modules/vfio.nix
|
# see modules/vfio.nix
|
||||||
vfio.enable = true;
|
vfio.enable = true;
|
||||||
|
@ -190,15 +180,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
### SECTION 2: SYSTEM CONFIG/ENVIRONMENT ###
|
||||||
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
|
|
||||||
i18n.supportedLocales = lib.mkDefault [
|
|
||||||
"C.UTF-8/UTF-8"
|
|
||||||
"en_US.UTF-8/UTF-8"
|
|
||||||
"en_DK.UTF-8/UTF-8"
|
|
||||||
];
|
|
||||||
# ISO-8601
|
|
||||||
i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
|
|
||||||
|
|
||||||
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
|
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
|
||||||
|
|
||||||
networking.useDHCP = true;
|
networking.useDHCP = true;
|
||||||
|
@ -213,7 +194,6 @@ in {
|
||||||
networking.firewall.allowedUDPPorts = lib.range 1714 1764;
|
networking.firewall.allowedUDPPorts = lib.range 1714 1764;
|
||||||
|
|
||||||
networking.wireless.iwd.enable = true;
|
networking.wireless.iwd.enable = true;
|
||||||
#networking.networkmanager.enable = true;
|
|
||||||
|
|
||||||
services.ratbagd.enable = true;
|
services.ratbagd.enable = true;
|
||||||
|
|
||||||
|
@ -239,111 +219,22 @@ in {
|
||||||
environment.etc."system76-scheduler/exceptions.ron".source =
|
environment.etc."system76-scheduler/exceptions.ron".source =
|
||||||
"${pkgs.system76-scheduler}/etc/system76-scheduler/exceptions.ron";
|
"${pkgs.system76-scheduler}/etc/system76-scheduler/exceptions.ron";
|
||||||
|
|
||||||
# i wanted to be able to use both x and wayland... but honestly wayland is enough for me
|
common.workstation = true;
|
||||||
services.xserver.libinput.enable = true;
|
common.gettyAutologin = true;
|
||||||
/*
|
# programs.firejail.enable = true;
|
||||||
services.xserver = {
|
|
||||||
enable = true;
|
|
||||||
libinput.enable = true;
|
|
||||||
desktopManager.xterm.enable = false;
|
|
||||||
# I couldn't get lightdm to start sway, so let's just do this
|
|
||||||
displayManager.startx.enable = true;
|
|
||||||
windowManager.i3.enable = true;
|
|
||||||
};
|
|
||||||
*/
|
|
||||||
|
|
||||||
programs.sway.enable = true;
|
|
||||||
programs.firejail.enable = true;
|
|
||||||
# doesn't work:
|
# doesn't work:
|
||||||
# programs.wireshark.enable = true;
|
# programs.wireshark.enable = true;
|
||||||
# users.groups.wireshark.members = [ "user "];
|
# users.groups.wireshark.members = [ "user "];
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
git
|
|
||||||
man-pages man-pages-posix
|
|
||||||
];
|
|
||||||
services.dbus.enable = true;
|
|
||||||
# I don't remember whether I really need this...
|
|
||||||
security.polkit.enable = true;
|
|
||||||
services.printing.enable = true;
|
services.printing.enable = true;
|
||||||
|
# from nix-gaming
|
||||||
# pipewire:
|
services.pipewire.lowLatency = {
|
||||||
security.rtkit.enable = true;
|
|
||||||
services.pipewire = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
alsa.enable = true;
|
# 96 is mostly fine but has some xruns
|
||||||
alsa.support32Bit = true;
|
# 128 has xruns every now and then too, but is overall fine
|
||||||
pulse.enable = true;
|
quantum = 128;
|
||||||
jack.enable = true;
|
rate = 48000;
|
||||||
# from nix-gaming
|
|
||||||
lowLatency = {
|
|
||||||
enable = true;
|
|
||||||
# 96 is mostly fine but has some xruns
|
|
||||||
# 128 has xruns every now and then too, but is overall fine
|
|
||||||
quantum = 128;
|
|
||||||
rate = 48000;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# environment.pathsToLink = [ "/share/zsh" "/share/fish" ];
|
|
||||||
programs.fish = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
/*programs.zsh = {
|
|
||||||
enable = true;
|
|
||||||
enableBashCompletion = true;
|
|
||||||
};*/
|
|
||||||
|
|
||||||
programs.fuse.userAllowOther = true;
|
|
||||||
|
|
||||||
programs.ccache.enable = true;
|
programs.ccache.enable = true;
|
||||||
|
|
||||||
xdg.portal = {
|
|
||||||
enable = true;
|
|
||||||
extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
|
|
||||||
};
|
|
||||||
|
|
||||||
users.mutableUsers = false;
|
|
||||||
users.users.user = {
|
|
||||||
uid = 1000;
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "networkmanager" "wheel" ];
|
|
||||||
# initialHashedPassword = ...set in private.nix;
|
|
||||||
};
|
|
||||||
# users.users.root.initialHashedPassword = ...set in private.nix;
|
|
||||||
nix = {
|
|
||||||
settings = {
|
|
||||||
allowed-users = [ "user" ];
|
|
||||||
auto-optimise-store = true;
|
|
||||||
};
|
|
||||||
gc = {
|
|
||||||
automatic = true;
|
|
||||||
dates = "weekly";
|
|
||||||
options = "--delete-older-than 30d";
|
|
||||||
};
|
|
||||||
package = pkgs.nixFlakes;
|
|
||||||
extraOptions = ''
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
systemd.services.nix-daemon.serviceConfig.LimitSTACKSoft = "infinity";
|
|
||||||
|
|
||||||
documentation.dev.enable = true;
|
|
||||||
|
|
||||||
# autologin once after boot
|
|
||||||
# --skip-login means directly call login instead of first asking for username
|
|
||||||
# (normally login asks for username too, but getty prefers to do it by itself for whatever reason)
|
|
||||||
services.getty.extraArgs = [ "--skip-login" ];
|
|
||||||
services.getty.loginProgram = let
|
|
||||||
lockfile = "/tmp/login-once.lock";
|
|
||||||
in with pkgs; writeShellScript "login-once" ''
|
|
||||||
if [ -f '${lockfile}' ]; then
|
|
||||||
exec ${shadow}/bin/login $@
|
|
||||||
else
|
|
||||||
${coreutils}/bin/touch '${lockfile}'
|
|
||||||
exec ${shadow}/bin/login -f user
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -43,9 +43,6 @@ in {
|
||||||
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
|
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
|
||||||
};
|
};
|
||||||
kernelModules = [ "kvm-intel" ];
|
kernelModules = [ "kvm-intel" ];
|
||||||
kernelParams = [
|
|
||||||
"consoleblank=60"
|
|
||||||
];
|
|
||||||
loader = {
|
loader = {
|
||||||
grub = {
|
grub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -59,7 +56,6 @@ in {
|
||||||
efi.efiSysMountPoint = "/boot/efi";
|
efi.efiSysMountPoint = "/boot/efi";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
hardware.enableRedistributableFirmware = true;
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
"/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
|
||||||
options = [ "defaults" "size=2G" "mode=755" ]; };
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
||||||
|
@ -95,14 +91,6 @@ in {
|
||||||
extraOptions = [ "--loadavg-target" "8.0" ];
|
extraOptions = [ "--loadavg-target" "8.0" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
|
|
||||||
i18n.supportedLocales = lib.mkDefault [
|
|
||||||
"C.UTF-8/UTF-8"
|
|
||||||
"en_US.UTF-8/UTF-8"
|
|
||||||
"en_DK.UTF-8/UTF-8"
|
|
||||||
];
|
|
||||||
# ISO-8601
|
|
||||||
i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
|
|
||||||
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v24n.psf.gz";
|
console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v24n.psf.gz";
|
||||||
networking.useDHCP = true;
|
networking.useDHCP = true;
|
||||||
networking.resolvconf.extraConfig = ''
|
networking.resolvconf.extraConfig = ''
|
||||||
|
@ -178,55 +166,30 @@ in {
|
||||||
startWhenNeeded = false;
|
startWhenNeeded = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.fish.enable = true;
|
users.users.user.extraGroups = [ config.services.unbound.group ];
|
||||||
users.defaultUserShell = pkgs.fish;
|
|
||||||
users.users.user = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" config.services.unbound.group ];
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
comma
|
|
||||||
git
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
# rxvt-unicode-unwrapped.terminfo
|
|
||||||
kitty.terminfo
|
|
||||||
tmux
|
|
||||||
];
|
|
||||||
|
|
||||||
services.postgresql.enable = true;
|
services.postgresql.enable = true;
|
||||||
services.postgresql.package = pkgs.postgresql_13;
|
services.postgresql.package = pkgs.postgresql_13;
|
||||||
|
|
||||||
nix = {
|
|
||||||
settings = {
|
|
||||||
allowed-users = [ "user" ];
|
|
||||||
auto-optimise-store = true;
|
|
||||||
};
|
|
||||||
gc = {
|
|
||||||
automatic = true;
|
|
||||||
dates = "weekly";
|
|
||||||
options = "--delete-older-than 30d";
|
|
||||||
};
|
|
||||||
package = pkgs.nixFlakes;
|
|
||||||
extraOptions = ''
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
systemd.services.nix-daemon.serviceConfig.LimitSTACKSoft = "infinity";
|
|
||||||
|
|
||||||
# SSH
|
# SSH
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# settings.PermitRootLogin = "no";
|
# settings.PermitRootLogin = false;
|
||||||
settings.PasswordAuthentication = false;
|
/*listenAddresses = [{
|
||||||
listenAddresses = [{
|
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
} {
|
} {
|
||||||
addr = "::";
|
addr = "::";
|
||||||
}];
|
}];*/
|
||||||
|
};
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
ignoreIP = lib.optionals (cfg.lanCidrV4 != "0.0.0.0/0") [ cfg.lanCidrV4 ]
|
||||||
|
++ (lib.optionals (cfg.lanCidrV6 != "::/0") [ cfg.lanCidrV6 ]);
|
||||||
|
jails.dovecot = ''
|
||||||
|
enabled = true
|
||||||
|
filter = dovecot
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
services.fail2ban.enable = true;
|
|
||||||
|
|
||||||
# SEARXNG
|
# SEARXNG
|
||||||
services.searx.enable = true;
|
services.searx.enable = true;
|
||||||
|
@ -242,14 +205,13 @@ in {
|
||||||
services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in {
|
services.searx.uwsgiConfig = let inherit (config.services.searx) settings; in {
|
||||||
socket = "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
|
socket = "${lib.quotePotentialIpV6 settings.server.bind_address}:${toString settings.server.port}";
|
||||||
};
|
};
|
||||||
users.groups.searx.members = [ "nginx" ];
|
services.searx.environmentFile = /var/lib/searx/searx.env;
|
||||||
services.searx.environmentFile = "/etc/nixos/private/searx.env";
|
|
||||||
services.searx.settings = {
|
services.searx.settings = {
|
||||||
use_default_settings = true;
|
use_default_settings = true;
|
||||||
search = {
|
search = {
|
||||||
safe_search = 0; # Filter results. 0: None, 1: Moderate, 2: Strict
|
safe_search = 0;
|
||||||
autocomplete = "duckduckgo"; # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off by default
|
autocomplete = "duckduckgo"; # dbpedia, duckduckgo, google, startpage, swisscows, qwant, wikipedia - leave blank to turn off
|
||||||
default_lang = ""; # Default search language - leave blank to detect from browser information or use codes from 'languages.py'
|
default_lang = ""; # leave blank to detect from browser info or use codes from languages.py
|
||||||
};
|
};
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
|
@ -273,10 +235,6 @@ in {
|
||||||
pool_maxsize = 10; # Number of allowable keep-alive connections, or null
|
pool_maxsize = 10; # Number of allowable keep-alive connections, or null
|
||||||
enable_http2 = true; # See https://www.python-httpx.org/http2/
|
enable_http2 = true; # See https://www.python-httpx.org/http2/
|
||||||
};
|
};
|
||||||
/* = {
|
|
||||||
name = "soundcloud";
|
|
||||||
disabled = true;
|
|
||||||
};*/
|
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in {
|
services.nginx.virtualHosts."search.${cfg.domainName}" = let inherit (config.services.searx) settings; in {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
@ -292,9 +250,7 @@ in {
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
services.nginx.streamConfig =
|
services.nginx.streamConfig =
|
||||||
let
|
let
|
||||||
cert = config.security.acme.certs."${cfg.domainName}".directory + "/fullchain.pem";
|
inherit (config.security.acme.certs."${cfg.domainName}") directory;
|
||||||
certKey = config.security.acme.certs."${cfg.domainName}".directory + "/key.pem";
|
|
||||||
trustedCert = config.security.acme.certs."${cfg.domainName}".directory + "/chain.pem";
|
|
||||||
in ''
|
in ''
|
||||||
upstream dns {
|
upstream dns {
|
||||||
zone dns 64k;
|
zone dns 64k;
|
||||||
|
@ -302,9 +258,9 @@ in {
|
||||||
}
|
}
|
||||||
server {
|
server {
|
||||||
listen 853 ssl;
|
listen 853 ssl;
|
||||||
ssl_certificate ${cert};
|
ssl_certificate ${directory}/fullchain.pem;
|
||||||
ssl_certificate_key ${certKey};
|
ssl_certificate_key ${directory}/key.pem;
|
||||||
ssl_trusted_certificate ${trustedCert};
|
ssl_trusted_certificate ${directory}/chain.pem;
|
||||||
proxy_pass dns;
|
proxy_pass dns;
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
@ -333,7 +289,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."www.${cfg.domainName}" = {
|
services.nginx.virtualHosts."www.${cfg.domainName}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
globalRedirect = cfg.domainName;
|
globalRedirect = cfg.domainName;
|
||||||
|
@ -372,7 +328,8 @@ in {
|
||||||
sendOnly = true;
|
sendOnly = true;
|
||||||
};
|
};
|
||||||
services.dovecot2.extraConfig =
|
services.dovecot2.extraConfig =
|
||||||
let passwd = builtins.toFile "dovecot2-local-passwd" ''
|
let
|
||||||
|
passwd = builtins.toFile "dovecot2-local-passwd" ''
|
||||||
noreply@${cfg.domainName}:{plain}${cfg.unhashedNoreplyPassword}::::::allow_nets=local,127.0.0.0/8,::1
|
noreply@${cfg.domainName}:{plain}${cfg.unhashedNoreplyPassword}::::::allow_nets=local,127.0.0.0/8,::1
|
||||||
'';
|
'';
|
||||||
in ''
|
in ''
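Review bot: The `passwd` binding on the new side still writes `{plain}${cfg.unhashedNoreplyPassword}` through `builtins.toFile`, which puts the plaintext noreply credential into the world-readable Nix store where every local user (and any store copy or binary cache) can read it; this commit only reflows the `let`, so the exposure is unchanged. Dovecot's passwd-file accepts hashed schemes, so store a `{SHA512-CRYPT}` digest instead, or point `passdb` at a root-owned runtime file such as `/var/lib/dovecot/local-passwd` rather than a store path, and retire the `unhashedNoreplyPassword` option. The `allow_nets=local,127.0.0.0/8,::1` suffix limits where the account can authenticate from but not who can read the secret. Separately, `services.searx.environmentFile = /var/lib/searx/searx.env;` is now an unquoted path literal; if any consumer interpolates it into a string rather than calling `toString`, Nix copies the secret file into the store, so keeping it a string is the safer form. The `extraConfig` body continues outside this hunk.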
|
||||||
|
|
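--- /dev/null
+++ b/system/modules/common.nix
@@ -0,0 +1,138 @@
+{ lib
+, pkgs
+, config
+, ... }:
+
+{
+options.common = with lib; mkOption {
+type = types.submodule {
+options = {
+workstation = mkOption {
+type = types.bool;
+default = false;
+description = "whether this device is a workstation (meaning a device for personal use rather than a server)";
+};
+mainUsername = mkOption {
+type = types.str;
+default = "user";
+description = "main user's username";
+};
+gettyAutologin = mkOption {
+type = types.bool;
+default = false;
+description = "make getty autologin to the main user";
+};
+};
+};
+default = { };
+};
+config = let
+cfg = config.common;
+in {
+nix = {
+settings = {
+allowed-users = [ cfg.mainUsername ];
+auto-optimise-store = true;
+};
+gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 30d";
+};
+package = pkgs.nixFlakes;
+extraOptions = ''
+experimental-features = nix-command flakes
+'';
+# from flake-utils-plus: make this flake's nixpkgs available to the whole system
+generateNixPathFromInputs = true;
+generateRegistryFromInputs = true;
+linkInputs = true;
+};
+systemd.services.nix-daemon.serviceConfig.LimitSTACKSoft = "infinity";
+boot.kernelParams = [
+"consoleblank=60"
+];
+
+nixpkgs.overlays = [ (self: super: import ../pkgs { pkgs = super; inherit lib; }) ];
+hardware.enableRedistributableFirmware = true;
+services.openssh.settings.PasswordAuthentication = false;
+services.tlp.settings.USB_EXCLUDE_PHONE = 1;
+services.tlp.settings.START_CHARGE_THRESH_BAT0 = 75;
+services.tlp.settings.STOP_CHARGE_THRESH_BAT0 = 80;
+i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+i18n.supportedLocales = lib.mkDefault [
+"C.UTF-8/UTF-8"
+"en_US.UTF-8/UTF-8"
+"en_DK.UTF-8/UTF-8"
+];
+# ISO-8601
+i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
+environment.systemPackages = with pkgs; ([
+wget
+git
+] ++ (if cfg.workstation then [
+comma
+neovim
+man-pages man-pages-posix
+] else [
+kitty.terminfo
+# rxvt-unicode-unwrapped.terminfo
+vim
+tmux
+]));
+documentation.dev.enable = lib.mkIf cfg.workstation true;
+programs.fish.enable = true;
+/*programs.zsh = {
+enable = true;
+enableBashCompletion = true;
+};*/
+users.defaultUserShell = lib.mkIf (!cfg.workstation) pkgs.fish;
+users.users.${cfg.mainUsername} = {
+uid = 1000;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+};
+services.xserver.libinput.enable = lib.mkIf cfg.workstation true;
+/*
+services.xserver = {
+enable = true;
+libinput.enable = true;
+desktopManager.xterm.enable = false;
+# I couldn't get lightdm to start sway, so let's just do this
+displayManager.startx.enable = true;
+windowManager.i3.enable = true;
+};
+*/
+programs.sway.enable = lib.mkIf cfg.workstation true;
+services.dbus.enable = lib.mkIf cfg.workstation true;
+security.polkit.enable = lib.mkIf cfg.workstation true;
+# pipewire:
+security.rtkit.enable = lib.mkIf cfg.workstation true;
+services.pipewire = lib.mkIf cfg.workstation {
+enable = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+jack.enable = true;
+};
+programs.fuse.userAllowOther = true;
+xdg.portal = lib.mkIf cfg.workstation {
+enable = true;
+extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
+};
+# autologin once after boot
+# --skip-login means directly call login instead of first asking for username
+# (normally login asks for username too, but getty prefers to do it by itself for whatever reason)
+services.getty.extraArgs = lib.mkIf cfg.gettyAutologin [ "--skip-login" ];
+services.getty.loginProgram = lib.mkIf cfg.gettyAutologin (let
+lockfile = "/tmp/login-once.lock";
+in with pkgs; writeShellScript "login-once" ''
+if [ -f '${lockfile}' ]; then
+exec ${shadow}/bin/login $@
+else
+${coreutils}/bin/touch '${lockfile}'
+exec ${shadow}/bin/login -f user
+fi
+'');
+};
+}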
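Review bot: The one-shot autologin script still logs in the hard-coded account `user` (`exec ${shadow}/bin/login -f user`) even though this module introduces `common.mainUsername`, so a host that sets a different username autologs into the wrong or a nonexistent account; the line should read `exec ${shadow}/bin/login -f ${cfg.mainUsername}`. The marker also lives in world-writable `/tmp`, where root's `touch` can be redirected by a dangling symlink planted there and, if `/tmp` is not cleared at boot, the marker persists and autologin never fires again; `lockfile = "/run/login-once.lock";` avoids both since `/run` is a root-owned tmpfs recreated each boot. While there, quote the passthrough as `exec ${shadow}/bin/login "$@"`. Separately, `programs.fuse.userAllowOther = true;` is now unconditional and so applies to servers as well; gating it on `cfg.workstation` keeps the wider FUSE exposure to the hosts that need it.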
|
|
@ -36,6 +36,7 @@ in {
|
||||||
default = { };
|
default = { };
|
||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.mutableUsers = false;
|
||||||
# why is this not part of base NixOS?
|
# why is this not part of base NixOS?
|
||||||
systemd.tmpfiles.rules = [ "d /var/lib/systemd/pstore 0755 root root 14d" ];
|
systemd.tmpfiles.rules = [ "d /var/lib/systemd/pstore 0755 root root 14d" ];
|
||||||
# as weird as it sounds, I won't use tmpfs for /tmp in case I'll have to put files over 2GB there
|
# as weird as it sounds, I won't use tmpfs for /tmp in case I'll have to put files over 2GB there
|
||||||
|
@ -100,6 +101,8 @@ in {
|
||||||
{ directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
|
{ directory = /var/lib/postgresql; user = "postgres"; group = "postgres"; mode = "0755"; }
|
||||||
]) ++ (lib.optionals config.services.unbound.enable [
|
]) ++ (lib.optionals config.services.unbound.enable [
|
||||||
{ directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
|
{ directory = /var/lib/unbound; user = "unbound"; group = "unbound"; mode = "0755"; }
|
||||||
|
]) ++ (lib.optionals config.services.searx.enable [
|
||||||
|
{ directory = /var/lib/searx; user = "searx"; group = "searx"; mode = "0700"; }
|
||||||
]) ++ (lib.optionals config.services.roundcube.enable [
|
]) ++ (lib.optionals config.services.roundcube.enable [
|
||||||
{ directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
|
{ directory = /var/lib/roundcube; user = "roundcube"; group = "roundcube"; mode = "0700"; }
|
||||||
]) ++ (lib.optionals config.services.rspamd.enable [
|
]) ++ (lib.optionals config.services.rspamd.enable [
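Review bot: `users.mutableUsers = false;` added at the top of this section sits inside the impermanence module's `config = lib.mkIf cfg.enable`, so a host that does not enable impermanence silently keeps mutable users; a global account-policy knob like this belongs in `common.nix` next to the user definition rather than being coupled to persistence. Declarative users also revert any `passwd` change on rebuild, so every host must now declare `hashedPassword`/`initialHashedPassword` (or `openssh.authorizedKeys`) for the main user — the user definitions visible in this commit show neither, and with `wheel` requiring a password for sudo that can lock out admin access unless a private module supplies one. Worth a short comment next to the line: `# declarative accounts: each host must set a hashedPassword or SSH key for the main user`.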
|
||||||
|
|