
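{ config, pkgs, options, lib, ... }:
let
  # Home Manager is fetched from a moving branch with no `sha256`, so every
  # evaluation may pull different content and nothing verifies it. Pinning it
  # as `fetchTarball { url = ...; sha256 = "<sha256 placeholder>"; }` makes
  # the build reproducible and detects a tampered archive.
  homeManager = fetchTarball
    "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";

  # Kernel parameters shared by the default boot entry and the `gputwo`
  # specialisation; each entry appends only its own `vfio-pci.ids` list.
  commonKernelParams = [
    # Nvidia GSP firmware (read by nouveau)
    "nouveau.config=NvGspRm=1"
    # VM/GPU passthrough
    "amd_iommu=on"
    "iommu=pt"
    "nested=1"
    # Virtualization nonsense
    "transparent_hugepage=never"
    # Isolate devices into IOMMU groups. NOTE(review): the ACS override patch
    # tells the kernel to assume isolation the hardware may not enforce, so a
    # passed-through device could in principle reach other devices' memory;
    # keep it only for as long as passthrough actually needs it.
    "pcie_acs_override=downstream,multifunction"
    "pci=routeirq"
  ];
in
{
# Other modules: the hardware scan, the user-specific file, and Home Manager
imports = [
  ./hardware-configuration.nix
  ./jimbo.nix
  "${homeManager}/nixos"
];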
# Permit unfree packages and expose an `unstable` package set next to stable
nixpkgs = {
  config.allowUnfree = true;
  # NOTE(review): the unstable tarball is fetched without a `sha256`, so
  # `pkgs.unstable` is whatever the branch holds at evaluation time; it feeds
  # the kernel (and through it the nvidia driver) selected below. Adding a
  # hash pins and verifies it.
  config.packageOverrides = pkgs: {
    unstable =
      let
        unstableSrc = builtins.fetchTarball
          "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz";
      in
      import unstableSrc {
        inherit pkgs;
        config.allowUnfree = true;
      };
  };
  # Overlays: MPV bundled with a few scripts
  overlays = [
    (final: prev: {
      mpv = prev.mpv.override {
        scripts = [
          final.mpvScripts.mpris
          final.mpvScripts.sponsorblock
          final.mpvScripts.thumbnail
        ];
      };
    })
  ];
};
# New CLI + flakes, and weekly collection of generations older than 14 days
nix = {
  settings.experimental-features = [ "nix-command" "flakes" ];
  gc.automatic = true;
  gc.dates = "weekly";
  gc.options = "--delete-older-than 14d";
};
# Boot configuration
boot = {
  # Zen kernel from the unstable set; keep the PC speaker driver out
  kernelPackages = pkgs.unstable.linuxPackages_zen;
  blacklistedKernelModules = [ "pcspkr" ];
  # Default entry binds one GPU (10de:13c2 / 10de:0fbb) to vfio-pci
  kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:13c2,10de:0fbb" ];
  initrd.kernelModules = [ "vfio" "vfio_pci" "vfio_iommu_type1" ];
  kernel.sysctl."vm.max_map_count" = 2147483642;
  # Filesystems: NTFS on, ZFS forced off
  supportedFilesystems.ntfs = true;
  supportedFilesystems.zfs = lib.mkForce false;
  # Apple keyboard function-key behaviour
  extraModprobeConfig = ''
    options hid_apple fnmode=2
  '';
  # systemd-boot with a netboot.xyz entry. NOTE(review): that entry lets
  # anyone at the console boot an image fetched over the network.
  loader.systemd-boot.enable = true;
  loader.systemd-boot.netbootxyz.enable = true;
};
# Second boot entry that hands the other GPU (10de:2504 / 10de:228e) to
# vfio-pci instead
specialisation.gputwo.configuration.boot.kernelParams =
  commonKernelParams ++ [ "vfio-pci.ids=10de:2504,10de:228e" ];
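# Allow non-free firmware blobs
hardware.enableRedistributableFirmware = true;
# Proprietary Nvidia driver: `videoDrivers = [ "nvidia" ]` selects the
# nvidia kernel module, not nouveau; the `nouveau.config=` kernel parameter
# above is only consulted if nouveau ends up loading.
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
  modesetting.enable = true;
  nvidiaSettings = false;
  # Beta driver built against the (unstable, unpinned) zen kernel selected above
  package = config.boot.kernelPackages.nvidiaPackages.beta;
};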
# Privilege escalation: doas instead of sudo
security.sudo.enable = false;
security.doas = {
  enable = true;
  extraRules = [
    # wheel may become root; `persist` skips re-prompting for a while and
    # `keepEnv` passes the caller's whole environment through to the root
    # process, so a tampered user environment also reaches root.
    {
      groups = [ "wheel" ];
      keepEnv = true;
      persist = true;
    }
  ];
};
# Shells and editors
programs.zsh.enable = true;
programs.nano.enable = false;
# Local time zone
time.timeZone = "America/New_York";
# The main user account
users.users.jimbo = {
  uid = 1000;
  isNormalUser = true;
  description = "Jimbo Awesome";
  shell = pkgs.zsh;
  # crypt(3) SHA-512 hash. NOTE(review): a hash committed to a repository can
  # be attacked offline; `hashedPasswordFile` pointing at a path outside the
  # repository keeps it out of the config.
  hashedPassword =
    "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
  # Keys accepted for SSH (password logins are disabled in the sshd settings)
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKC8Uqxb09V3msBgDv6lD/nETMYr/X0OgtpDo8ldcMK jimbo@JimDebianServer"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON"
  ];
  # Group membership: admin (wheel), device access, networking, virtualisation
  extraGroups = [
    "wheel"
    "audio" "video" "input" "disk" "dialout"
    "networkmanager" "rtkit"
    "kvm" "libvirtd" "qemu-libvirtd"
  ];
};
# Packages installed into the system profile
environment.systemPackages = [
  # Essential system tools
  pkgs.cifs-utils pkgs.parted pkgs.git
  # Printer control
  pkgs.system-config-printer
  # Virtual machines
  pkgs.virt-manager pkgs.virtiofsd pkgs.dnsmasq
  pkgs.spice-vdagent pkgs.looking-glass-client
];
# Skip the NixOS manual entry and info pages
documentation.nixos.enable = false;
documentation.info.enable = false;
# OpenGL/Vulkan, including 32-bit support for games
hardware.opengl = {
  enable = true;
  driSupport = true;
  driSupport32Bit = true;
  extraPackages = [
    pkgs.vulkan-loader
    pkgs.vulkan-validation-layers
    pkgs.vulkan-extension-layer
  ];
};
# Steam hardware support (udev rules) and gamemode
hardware.steam-hardware.enable = true;
programs.gamemode.enable = true;
# Networking
networking = {
  hostName = "JimNixPC";
  # Wired via dhcpcd; wpa_supplicant off (NetworkManager left commented out)
  dhcpcd.enable = true;
  wireless.enable = false;
  #networkmanager.enable = true;
  #enableB43Firmware = true;
  # Firewall: the ports listed here are open, plus whatever services opt in
  # with their own `openFirewall`; ICMP echo requests are dropped
  firewall = {
    allowPing = false;
    # Sunshine TCP
    allowedTCPPorts = [ 47984 47989 48010 ];
    allowedUDPPorts = [
      # Sunshine UDP
      47998 47999 48000
      # Games
      27005 27015 7777
    ];
  };
  # Static host names for the LAN and the VM network
  hosts = {
    "192.168.2.10" = [ "pc" ];
    "192.168.2.11" = [ "server" ];
    "172.16.0.2" = [ "vm" ];
  };
  # Resolvers
  nameservers = [ "9.9.9.9" "1.1.1.1" ];
};
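# Bluetooth with experimental features and automatic power-on
hardware.bluetooth = {
  enable = true;
  settings.General.Experimental = "true";
  settings.Policy.AutoEnable = "true";
};
# Keep jimbo's user services alive after logout (linger) and pre-create the
# Looking Glass shared-memory file, accessible to jimbo and the libvirtd group
systemd.tmpfiles.rules = [
  "f /var/lib/systemd/linger/jimbo"
  "f /dev/shm/looking-glass 0660 jimbo libvirtd -"
];
# udev rules for the PDP controller (USB vendor 0e6f) and the Oculus Rift CV1
# (USB vendor 2833). File names follow their contents: the hidraw rule carries
# the PDP vendor id and the usb rule the Oculus one.
services.udev = let
  pdpRules = pkgs.writeTextFile {
    name = "10-pdp.rules";
    text = ''
      KERNEL=="hidraw*", ATTRS{idVendor}=="0e6f", ATTRS{idProduct}=="0184", MODE="0660", TAG+="uaccess"
    '';
    destination = "/etc/udev/rules.d/10-pdp.rules";
  };
  oculusRules = pkgs.writeTextFile {
    name = "10-oculus.rules";
    # Same access model as the PDP rule: owner/group access plus an ACL for
    # the active seat user, instead of a world-writable (0666) device node
    text = ''
      SUBSYSTEM=="usb", ATTR{idVendor}=="2833", MODE="0660", TAG+="uaccess"
    '';
    destination = "/etc/udev/rules.d/10-oculus.rules";
  };
in {
  packages = [ pdpRules oculusRules ];
};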
# Audio: PipeWire with ALSA and PulseAudio compatibility, rtkit for realtime
security.rtkit.enable = true;
hardware.pulseaudio.enable = false;
services.pipewire = {
  enable = true;
  alsa = {
    enable = true;
    support32Bit = true;
  };
  pulse.enable = true;
  #jack.enable = true;
};
# Fonts
fonts.packages = [
  pkgs.liberation_ttf
  pkgs.twitter-color-emoji
  pkgs.ubuntu_font_family
  pkgs.noto-fonts
  pkgs.sarasa-gothic
  pkgs.orbitron
  (pkgs.nerdfonts.override { fonts = [ "UbuntuMono" ]; })
];
fonts.fontconfig.defaultFonts.emoji = [ "Twitter Color Emoji" ];
# D-Bus, dconf, backlight control, a PAM entry for swaylock, desktop portals
services.dbus.enable = true;
programs.dconf.enable = true;
programs.light.enable = true;
# The empty attrset registers a PAM service so swaylock can authenticate
security.pam.services.swaylock = {};
xdg.portal = {
  enable = true;
  config.common.default = "*";
  extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  wlr.enable = true;
  # Screencast: cap at 60 fps and pick the region with slurp
  wlr.settings.screencast = {
    max_fps = 60;
    chooser_type = "simple";
    chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or -B 00000066 -b 00000099";
  };
};
# greetd without a greeter: the default session runs jimbo's sway start
# script directly, so unless start.sh prompts, the console logs in as jimbo
# with no authentication
services.greetd = {
  enable = true;
  restart = true;
  settings.terminal = {
    vt = 2;
    switch = true;
  };
  settings.default_session = {
    command = "/home/jimbo/.config/sway/start.sh";
    user = "jimbo";
  };
};
# Qt follows GTK2 theming
qt = {
  enable = true;
  style = "gtk2";
  platformTheme = "gtk2";
};
# Printing with HP drivers and no CUPS web UI
services.printing = {
  enable = true;
  drivers = [ pkgs.hplip ];
  webInterface = false;
};
# mDNS discovery; `openFirewall` admits mDNS (UDP 5353) beyond the explicit
# firewall port lists
services.avahi = {
  enable = true;
  nssmdns4 = true;
  openFirewall = true;
};
# libvirt/QEMU with UEFI firmware, a software TPM and SPICE USB redirection
virtualisation.libvirtd = {
  enable = true;
  onBoot = "ignore";
  onShutdown = "shutdown";
  qemu.ovmf.enable = true;
  qemu.ovmf.packages = [ pkgs.OVMFFull.fd ];
  qemu.swtpm.enable = true;
};
virtualisation.spiceUSBRedirection.enable = true;
# SSH on a non-default port: keys only, no root login, verbose logging
services.openssh = {
  enable = true;
  ports = [ 2211 ];
  settings.PasswordAuthentication = false;
  settings.PermitRootLogin = "no";
  settings.LogLevel = "VERBOSE";
  settings.PrintLastLog = "no";
};
# Ban sources after repeated failed logins
services.fail2ban.enable = true;
services.fail2ban.maxretry = 10;
# AppImage support, registered with binfmt so images run directly
programs.appimage.enable = true;
programs.appimage.binfmt = true;
# MPD playing jimbo's NFS music share through PipeWire
services.mpd = {
  enable = true;
  user = "jimbo";
  group = "users";
  musicDirectory = "/home/jimbo/JimboNFS/Music";
  playlistDirectory = "/home/jimbo/JimboNFS/Music/Playlists";
  extraConfig = ''
    audio_output {
    type "pipewire"
    name "Local Pipewire"
    }
  '';
};
# Give the mpd service jimbo's runtime dir, presumably so the pipewire output
# can find the user session's socket
systemd.services.mpd.environment.XDG_RUNTIME_DIR =
  "/run/user/${toString config.users.users.jimbo.uid}";
# Mandatory access control, secret storage and polkit
security.apparmor.enable = true;
services.gnome.gnome-keyring.enable = true;
security.polkit.enable = true;
# Power management and desktop conveniences
services.tlp.enable = true;
services.gvfs.enable = true;
services.udisks2.enable = true;
# School VPN client
services.globalprotect.enable = true;
# State version from the initial install; auto-upgrade follows the unpinned
# channel, so its inputs are not verified against a known hash
system.stateVersion = "23.11";
system.autoUpgrade.enable = true;
}