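# NixOS system configuration for host "JimNixPC" (Nvidia GPU passthrough
# workstation with doas, greetd/sway, libvirtd and SSH).
{
  config,
  pkgs,
  options,
  lib,
  ...
}: let
  # Set common boot parameters; shared by the default boot entry and the
  # "gputwo" specialisation below, which differ only in the vfio-pci ids
  commonKernelParams = [
    # Nvidia settings
    "nvidia_drm.fbdev=1"

    # VM/GPU passthrough
    "amd_iommu=on"
    "iommu=pt"
    "nested=1"

    # Virtualization nonsense
    "transparent_hugepage=never"

    # Isolate devices into IOMMU groups
    # NOTE: pcie_acs_override makes the kernel assume ACS isolation the hardware
    # may not actually provide, so devices that really share a group can still
    # talk to each other; it is a workaround for boards without proper ACS
    "pcie_acs_override=downstream,multifunction"
    "pci=routeirq"
  ];
in {
  # Import other nix files and firmware
  imports = let
    # NOTE: fetchTarball without a sha256 is an unpinned, mutable input that is
    # re-downloaded whenever the tarball cache expires; passing
    # `{ url = ...; sha256 = "<hash>"; }` pins it and makes evaluation reproducible
    homeManager =
      fetchTarball
      "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
  in [
    ./hardware-configuration.nix
    ./jimbo.nix
    "${homeManager}/nixos"
  ];

  # Allow unfree packages and accept packages from the Nix User Repos
  nixpkgs = {
    config = {
      allowUnfree = true;
      packageOverrides = pkgs: {
        # Both inputs below track moving branches (nixos-unstable, NUR master)
        # with no sha256, so each evaluation may pull a different revision; NUR
        # in particular is user-contributed, unreviewed code
        unstable =
          import (
            fetchTarball
            "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz"
          ) {
            inherit pkgs;
            config.allowUnfree = true;
          };
        nur = import (
          fetchTarball
          "https://github.com/nix-community/NUR/archive/master.tar.gz"
        ) {inherit pkgs;};
      };
    };

    # Package overlays/patches
    overlays = [
      # MPV scripts
      (self: super: {
        mpv = super.mpv.override {
          scripts = with self.mpvScripts; [mpris sponsorblock thumbnail];
        };
      })
    ];
  };

  # Allow flakes and enable garbage collection
  nix = {
    settings.experimental-features = ["nix-command" "flakes"];
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
  };

  # Set all boot options
  boot = {
    # Set a kernel version and load/blacklist drivers
    kernelPackages = pkgs.unstable.linuxPackages_zen;
    blacklistedKernelModules = ["pcspkr"];
    # Bind the first GPU (and its audio function) to vfio-pci for passthrough
    kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:1f82,10de:10fa"];
    initrd.kernelModules = ["vfio" "vfio_pci" "vfio_iommu_type1"];
    kernel.sysctl."vm.max_map_count" = 2147483642;

    # Manage supported filesystems
    supportedFilesystems = {
      ntfs = true;
      zfs = lib.mkForce false;
    };

    # Modprobe settings
    extraModprobeConfig = ''
      options hid_apple fnmode=2
    '';

    # Use the Systemd-Boot bootloader
    loader.systemd-boot = {
      enable = true;
      # Adds a menu entry that network-boots images from netboot.xyz, i.e.
      # anyone with console access at boot time can start a foreign OS
      netbootxyz.enable = true;
    };
  };

  # Additional entry to boot from the second GPU
  specialisation = {
    gputwo.configuration = {
      boot.kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:2504,10de:228e"];
    };
  };

  # Allow binary firmware
  hardware.enableRedistributableFirmware = true;

  # Enable video drivers
  services.xserver.videoDrivers = ["nvidia"];
  hardware.nvidia = {
    modesetting.enable = true;
    nvidiaSettings = false;
    package = config.boot.kernelPackages.nvidiaPackages.beta;
    open = true;
  };

  # Enable a permissioning system
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        # Give wheel root access, allow persistent session
        # NOTE: keepEnv passes the caller's environment through to the root
        # shell and persist caches the authentication for a while; both trade
        # isolation for convenience
        {
          groups = ["wheel"];
          keepEnv = true;
          persist = true;
        }
      ];
    };
  };

  # Enable the ZSH shell
  programs.zsh.enable = true;

  # Disable Nano
  programs.nano.enable = false;

  # Timezone
  time.timeZone = "America/New_York";

  # Define user accounts
  users.users.jimbo = {
    description = "Jimbo Awesome";
    isNormalUser = true;
    # NOTE: an inline hashedPassword ends up in the world-readable Nix store
    # (and in version control); hashedPasswordFile pointing at a root-only file
    # keeps the hash out of both
    hashedPassword = "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKC8Uqxb09V3msBgDv6lD/nETMYr/X0OgtpDo8ldcMK jimbo@JimDebianServer"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
    ];
    # NOTE: "disk" grants raw block-device access and "kvm"/"libvirtd" allow
    # running VMs with passed-through hardware, so this account is effectively
    # root-equivalent even without doas
    extraGroups = [
      "wheel"
      "audio"
      "video"
      "input"
      "disk"
      "dialout"
      "networkmanager"
      "rtkit"
      "kvm"
      "libvirtd"
      "qemu-libvirtd"
    ];
    uid = 1000;
    shell = pkgs.zsh;
  };

  # Install programs system-wide
  environment.systemPackages = with pkgs; [
    # Essential system tools
    cifs-utils
    parted
    git

    # Printer control
    system-config-printer

    # Virtual machines
    virt-manager
    virtiofsd
    dnsmasq
    spice-vdagent
    looking-glass-client
  ];

  # Disable the HTML documentation link
  documentation = {
    nixos.enable = false;
    info.enable = false;
  };

  # Enable graphics
  hardware.opengl = {
    enable = true;
    driSupport32Bit = true;
    extraPackages = with pkgs; [
      vulkan-loader
      vulkan-validation-layers
      vulkan-extension-layer
    ];
  };

  # Enable Steam hardware and gamemode
  hardware.steam-hardware.enable = true;
  programs.gamemode.enable = true;

  # Networking settings
  networking = {
    # Set hostname
    hostName = "JimNixPC";

    # Choose networking method
    dhcpcd.enable = true;
    wireless.enable = false;
    #networkmanager.enable = true;
    #enableB43Firmware = true;

    # Enable firewall
    firewall = {
      allowPing = false;
      # Trusts every port from the server's address; this is a plain source-IP
      # match, so it is only as strong as the LAN's guarantee that 10.0.0.2
      # is really the server
      extraInputRules = ''
        ip saddr 10.0.0.2 accept comment "Accept Server Connections"
      '';
    };

    # Enable nftables over iptables
    nftables.enable = true;

    # Set hostnames
    hosts = {
      "10.0.0.2" = ["server"];
      "10.0.0.3" = ["pc"];
    };
  };

  # Enable Bluetooth
  hardware.bluetooth = {
    enable = true;
    settings = {
      General.Experimental = "true";
      Policy.AutoEnable = "true";
    };
  };

  # Enable lingering for Bluetooth and allow Looking-Glass permissions
  systemd.tmpfiles.rules = [
    "f /var/lib/systemd/linger/jimbo"
    "f /dev/shm/looking-glass 0660 jimbo libvirtd -"
  ];

  # Make udev rules to make PDP controller and Oculus Rift CV1 work
  # (rule names now match the device each one actually targets)
  services.udev = let
    # hidraw access for the PDP controller (vendor 0e6f); uaccess grants it to
    # the logged-in seat user instead of to everyone
    pdpRules = pkgs.writeTextFile {
      name = "10-pdp.rules";
      text = ''
        KERNEL=="hidraw*", ATTRS{idVendor}=="0e6f", ATTRS{idProduct}=="0184", MODE="0660", TAG+="uaccess"
      '';
      destination = "/etc/udev/rules.d/10-pdp.rules";
    };
    # USB access for the Oculus Rift (vendor 2833); 0660 + uaccess mirrors the
    # rule above instead of making the device world-writable (0666)
    oculusRules = pkgs.writeTextFile {
      name = "10-oculus.rules";
      text = ''
        SUBSYSTEM=="usb", ATTR{idVendor}=="2833", MODE="0660", TAG+="uaccess"
      '';
      destination = "/etc/udev/rules.d/10-oculus.rules";
    };
  in {
    packages = [pdpRules oculusRules];
  };

  # Enable audio
  security.rtkit.enable = true;
  hardware.pulseaudio.enable = false;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    #jack.enable = true;
    wireplumber.configPackages = [
      (pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/11-bluetooth-policy.conf" ''
        wireplumber.settings = { bluetooth.autoswitch-to-headset-profile = false }
      '')
    ];
  };

  # Fonts
  fonts = {
    packages = with pkgs; [
      liberation_ttf
      twitter-color-emoji
      ubuntu_font_family
      noto-fonts
      sarasa-gothic
      orbitron
      (nerdfonts.override {fonts = ["UbuntuMono"];})
    ];
    fontconfig.defaultFonts.emoji = ["Twitter Color Emoji"];
  };

  # Enable Dconf and some portals
  services.dbus.enable = true;
  programs.dconf.enable = true;
  programs.light.enable = true;
  security.pam.services.swaylock = {};
  xdg.portal = {
    enable = true;
    config.common.default = "*";
    wlr = {
      enable = true;
      settings = {
        screencast = {
          max_fps = 60;
          chooser_type = "simple";
          chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or -B 00000066 -b 00000099";
        };
      };
    };
    extraPortals = with pkgs; [xdg-desktop-portal-gtk];
  };

  # Configure greetd for remote login
  services.greetd = let
    startSway = pkgs.writeScript "startsway" ''
      # Use NVIDIA variables if drivers are in use
      if lspci -k | grep "Kernel driver in use: nvidia" &> /dev/null; then
        # NVIDIA/AMD variables
        export LIBVA_DRIVER_NAME=nvidia
        export GBM_BACKEND=nvidia-drm
        export __GLX_VENDOR_LIBRARY_NAME=nvidia
        export WLR_NO_HARDWARE_CURSORS=1
      else
        :
      fi

      # Sway/Wayland
      export XDG_CURRENT_DESKTOP=sway
      export QT_QPA_PLATFORM="wayland;xcb"

      # Start Sway
      sway --unsupported-gpu
    '';
  in {
    enable = true;
    restart = true;
    settings = {
      terminal = {
        vt = 2;
        switch = true;
      };
      # No greeter is configured: the session starts directly as jimbo, so
      # anyone at the console gets the desktop without authenticating and the
      # swaylock PAM service above is the only lock on it
      default_session = {
        command = "${startSway}";
        user = "jimbo";
      };
    };
  };

  # Enable printing
  services = {
    printing = {
      enable = true;
      drivers = with pkgs; [hplip];
      webInterface = false;
    };
    avahi = {
      enable = true;
      nssmdns4 = true;
      # Opens the mDNS port to the LAN
      openFirewall = true;
    };
  };

  # Enable virtualization
  virtualisation = {
    libvirtd = {
      enable = true;
      onBoot = "ignore";
      onShutdown = "shutdown";
      qemu = {
        ovmf = {
          enable = true;
          packages = [pkgs.OVMFFull.fd];
        };
        swtpm.enable = true;
      };
    };
    spiceUSBRedirection.enable = true;
  };

  # Enable SSH
  services.openssh = {
    enable = true;
    settings = {
      LogLevel = "VERBOSE";
      PermitRootLogin = "no";
      PrintLastLog = "no";
      PasswordAuthentication = false;
      # Also close the PAM keyboard-interactive path, which can still prompt
      # for a password when only PasswordAuthentication is off
      KbdInteractiveAuthentication = false;
    };
  };

  # Block SSH connections after numerous attempts
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "5m";
  };

  # Enable AppImages
  programs.appimage = {
    enable = true;
    binfmt = true;
  };

  # Enable Sunshine as a service
  services.sunshine = {
    enable = true;
    # Not opened in the firewall here, so only hosts matched by the firewall
    # rules above (the server address) can reach it
    settings.port = 57989;
    autoStart = false;
  };

  # Enable MPD
  services.mpd = {
    enable = true;
    user = "jimbo";
    group = "users";
    musicDirectory = "/home/jimbo/JimboNFS/Music";
    playlistDirectory = "/home/jimbo/JimboNFS/Music/Playlists";
    extraConfig = ''
      audio_output {
        type "pipewire"
        name "Local Pipewire"
      }
    '';
  };
  systemd.services.mpd.environment = {
    XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.jimbo.uid}";
  };

  # Enable AppArmor
  security.apparmor.enable = true;

  # Enable a keying agent
  services.gnome.gnome-keyring.enable = true;

  # Enable Polkit for authentication
  security.polkit.enable = true;

  # Battery saver for laptops
  services.tlp.enable = true;

  # Enable extra functionality in file managers
  services.gvfs.enable = true;

  # Attempt to automount USB drives
  services.udisks2.enable = true;

  # Enable school VPN
  services.globalprotect.enable = true;

  # Define the initial install version and allow auto-upgrades
  system.stateVersion = "23.11";
  # NOTE: combined with the unpinned tarball inputs above, this applies
  # whatever those branches contain at upgrade time without review
  system.autoUpgrade.enable = true;
}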