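{ config, pkgs, options, lib, ... }:

let
  # Import home manager, set common boot parameters.
  #
  # NOTE(review): both tarballs in this file (home-manager here, nixpkgs
  # unstable further down) are fetched by URL only, with no `sha256` pin.
  # Their contents can therefore change between evaluations, and nothing
  # verifies what was downloaded. Pin them with a `sha256` attribute
  # (obtainable from `nix-prefetch-url --unpack <url>`) or move to a flake
  # with a lock file.
  homeManager = fetchTarball
    "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";

  commonKernelParams = [
    # Nvidia GSP firmware
    "nouveau.config=NvGspRm=1"

    # VM/GPU passthrough
    "amd_iommu=on"
    "iommu=pt"
    "nested=1"

    # Virtualization nonsense
    "transparent_hugepage=never"

    # Isolate devices into IOMMU groups.
    # The ACS override makes the kernel ignore the PCIe ACS capability and
    # split groups that the hardware does not actually isolate, so a device
    # passed through to a VM may still reach peers of its original group over
    # DMA. Keep it only if the grouping without it is unusable.
    "pcie_acs_override=downstream,multifunction"
    "pci=routeirq"
  ];
in
{
  # Import other nix files and firmware
  imports = [
    ./hardware-configuration.nix
    ./jimbo.nix
    "${homeManager}/nixos"
  ];

  # Allow unfree packages and accept packages from the Nix User Repos
  nixpkgs = {
    config = {
      allowUnfree = true;
      packageOverrides = pkgs: {
        # Unpinned (see the note on homeManager above): this tracks the
        # moving nixos-unstable tarball and is re-fetched as the tarball TTL
        # expires, so the kernel and mesa builds below are not reproducible.
        unstable = import (builtins.fetchTarball
          "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz") {
            inherit pkgs;
            config.allowUnfree = true;
          };
      };
    };

    # Package overlays/patches
    overlays = [
      # MPV scripts
      (self: super: {
        mpv = super.mpv.override {
          scripts = with self.mpvScripts;
            [ mpris sponsorblock thumbnail ];
        };
      })
    ];
  };

  # Allow flakes and enable garbage collection
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
  };

  # Set all boot options
  boot = {
    # Set a kernel version and load/blacklist drivers
    kernelPackages = pkgs.unstable.linuxPackages_zen;
    blacklistedKernelModules = [ "pcspkr" ];
    # Bind the primary passthrough GPU (and its audio function) to vfio-pci at boot
    kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:1f82,10de:10fa" ];
    initrd.kernelModules = [ "vfio" "vfio_pci" "vfio_iommu_type1" ];
    kernel.sysctl."vm.max_map_count" = 2147483642;

    # Manage supported filesystems
    supportedFilesystems = {
      ntfs = true;
      zfs = lib.mkForce false;
    };

    # Modprobe settings
    extraModprobeConfig = ''
      options hid_apple fnmode=2
    '';

    # Use the Systemd-Boot bootloader
    loader.systemd-boot = {
      enable = true;
      # Adds a network-boot menu entry; it fetches its boot menu from the
      # internet at boot time, so only keep it if that is actually used.
      netbootxyz.enable = true;
    };
  };

  # Add a kernel entry to boot from the secondary GPU
  specialisation = {
    gputwo.configuration = {
      boot.kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:2504,10de:228e" ];
    };
  };

  # Allow binary firmware
  hardware.enableRedistributableFirmware = true;

  # Enable the Nouveau drivers
  services.xserver.videoDrivers = [ "nouveau" ];
  #hardware.nvidia = {
  #  modesetting.enable = true;
  #  nvidiaSettings = false;
  #  package = config.boot.kernelPackages.nvidiaPackages.beta;
  #};

  # Enable a permissioning system
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        # Give wheel root access, allow persistent session.
        # keepEnv hands the caller's environment to the root process and
        # persist skips the password prompt for a short time after a
        # successful one; both widen what a compromised wheel session can do,
        # so they are a deliberate convenience trade-off, not a default.
        { groups = [ "wheel" ]; keepEnv = true; persist = true; }
      ];
    };
  };

  # Enable the ZSH shell
  programs.zsh.enable = true;

  # Disable Nano
  programs.nano.enable = false;

  # Timezone
  time.timeZone = "America/New_York";

  # Define user accounts
  users.users.jimbo = {
    description = "Jimbo Awesome";
    isNormalUser = true;
    # NOTE(review): the password hash lives in the configuration itself, so
    # anyone who can read this file (including a public repository) can run
    # offline guessing against it. `hashedPasswordFile` pointing at a
    # root-only file outside the repo keeps the hash out of the Nix store.
    hashedPassword =
      "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKC8Uqxb09V3msBgDv6lD/nETMYr/X0OgtpDo8ldcMK jimbo@JimDebianServer"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
    ];
    # "disk", "kvm" and "libvirtd" each give this user direct access to block
    # devices / the hypervisor, which is root-equivalent in practice.
    extraGroups = [
      "wheel" "audio" "video" "input" "disk"
      "dialout" "networkmanager" "rtkit"
      "kvm" "libvirtd" "qemu-libvirtd"
    ];
    uid = 1000;
    shell = pkgs.zsh;
  };

  # Installed programs to the system profile.
  environment.systemPackages = with pkgs; [
    # Essential system tools
    cifs-utils parted git

    # Printer control
    system-config-printer

    # Virtual machines
    virt-manager virtiofsd dnsmasq
    spice-vdagent looking-glass-client
  ];

  # Disable the HTML documentation link
  documentation = {
    nixos.enable = false;
    info.enable = false;
  };

  # Enable OpenGL
  hardware.opengl = {
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
    package = pkgs.unstable.mesa.drivers;
    package32 = pkgs.unstable.pkgsi686Linux.mesa.drivers;
    extraPackages = with pkgs; [
      vulkan-loader
      vulkan-validation-layers
      vulkan-extension-layer
    ];
  };

  # Enable Steam hardware and gamemode
  hardware.steam-hardware.enable = true;
  programs.gamemode.enable = true;

  # Networking settings
  networking = {
    # Set hostname
    hostName = "JimNixPC";

    # Choose networking method
    dhcpcd.enable = true;
    wireless.enable = false;
    #networkmanager.enable = true;
    #enableB43Firmware = true;

    # Enable nftables over iptables
    nftables.enable = true;

    # Enable firewall passthrough.
    # The SSH port (2211, see services.openssh below) is opened by the
    # openssh module itself, so it does not appear here.
    firewall = {
      allowedTCPPorts = [
        # Sunshine TCP
        47984 47989 48010
      ];
      allowedUDPPorts = [
        # Sunshine UDP
        47998 47999 48000

        # Games
        27005 27015 7777
      ];
      allowPing = false;
    };

    # Set hostnames
    hosts = {
      "192.168.2.10" = [ "pc" ];
      "192.168.2.11" = [ "server" ];
      "172.16.0.2" = [ "vm" ];
    };

    # Set nameserver
    nameservers = [
      "9.9.9.9"
      "1.1.1.1"
    ];
  };

  # Enable Bluetooth
  hardware.bluetooth = {
    enable = true;
    settings = {
      General.Experimental = "true";
      Policy.AutoEnable = "true";
    };
  };

  # Enable lingering for Bluetooth and allow Looking-Glass permissions
  systemd.tmpfiles.rules = [
    "f /var/lib/systemd/linger/jimbo"
    "f /dev/shm/looking-glass 0660 jimbo libvirtd -"
  ];

  # Make udev rules to make PDP controller and Oculus Rift CV1 work.
  # The two rule files were previously named the other way round: USB vendor
  # 0x2833 is Oculus VR and 0x0e6f is PDP (Performance Designed Products),
  # so the names now match the device each rule actually targets.
  services.udev = let
    pdpRules = pkgs.writeTextFile {
      name = "10-pdp.rules";
      # uaccess grants the active seat user access via an ACL instead of
      # opening the device to everyone.
      text = ''
        KERNEL=="hidraw*", ATTRS{idVendor}=="0e6f", ATTRS{idProduct}=="0184", MODE="0660", TAG+="uaccess"
      '';
      destination = "/etc/udev/rules.d/10-pdp.rules";
    };
    oculusRules = pkgs.writeTextFile {
      name = "10-oculus.rules";
      # MODE="0666" makes every Oculus USB device world-readable and
      # world-writable. `MODE="0660", TAG+="uaccess"` as in the PDP rule would
      # restrict it to the logged-in user; left as-is in case the CV1 userspace
      # stack depends on it — TODO confirm.
      text = ''
        SUBSYSTEM=="usb", ATTR{idVendor}=="2833", MODE="0666"
      '';
      destination = "/etc/udev/rules.d/10-oculus.rules";
    };
  in {
    packages = [ pdpRules oculusRules ];
  };

  # Enable audio
  security.rtkit.enable = true;
  hardware.pulseaudio.enable = false;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    #jack.enable = true;
  };

  # Fonts
  fonts = {
    packages = with pkgs; [
      liberation_ttf twitter-color-emoji ubuntu_font_family noto-fonts sarasa-gothic
      orbitron (nerdfonts.override { fonts = [ "UbuntuMono" ]; })
    ];
    fontconfig.defaultFonts.emoji = [ "Twitter Color Emoji" ];
  };

  # Enable Dconf and some portals
  services.dbus.enable = true;
  programs.dconf.enable = true;
  programs.light.enable = true;
  security.pam.services.swaylock = {};
  xdg.portal = {
    enable = true;
    config.common.default = "*";
    wlr = {
      enable = true;
      settings = {
        screencast = {
          max_fps = 60;
          chooser_type = "simple";
          chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or -B 00000066 -b 00000099";
        };
      };
    };
    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  };

  # Configure greetd to start the Sway session directly.
  # No greeter is configured: default_session runs start.sh as jimbo as soon
  # as greetd starts, so there is no password prompt at the console. Anyone
  # with physical access to VT 2 gets the session; only the screen locker
  # protects it afterwards.
  services.greetd = {
    enable = true;
    restart = true;
    settings = {
      terminal = {
        vt = 2;
        switch = true;
      };
      default_session = {
        command = "/home/jimbo/.config/sway/start.sh";
        user = "jimbo";
      };
    };
  };

  # QT theming
  qt = {
    enable = true;
    style = "gtk2";
    platformTheme = "gtk2";
  };

  # Enable printing
  services = {
    printing = {
      enable = true;
      drivers = with pkgs; [ hplip ];
      webInterface = false;
    };
    avahi = {
      enable = true;
      nssmdns4 = true;
      openFirewall = true;
    };
  };

  # Enable virtualization
  virtualisation = {
    libvirtd = {
      enable = true;
      onBoot = "ignore";
      onShutdown = "shutdown";
      qemu = {
        ovmf = {
          enable = true;
          packages = [ pkgs.OVMFFull.fd ];
        };
        swtpm.enable = true;
      };
    };
    spiceUSBRedirection.enable = true;
  };

  # Enable SSH
  services.openssh = {
    enable = true;
    settings = {
      LogLevel = "VERBOSE";
      PermitRootLogin = "no";
      PrintLastLog = "no";
      PasswordAuthentication = false;
      # PasswordAuthentication=no on its own still leaves PAM
      # keyboard-interactive enabled, through which a password can be
      # accepted; disabling it as well makes login key-only as intended.
      KbdInteractiveAuthentication = false;
    };
    ports = [ 2211 ];
  };

  # Block SSH connections after numerous attempts
  services.fail2ban = {
    enable = true;
    maxretry = 10;
  };

  # Enable AppImages
  programs.appimage = {
    enable = true;
    binfmt = true;
  };

  # Enable MPD
  services.mpd = {
    enable = true;
    user = "jimbo";
    group = "users";
    musicDirectory = "/home/jimbo/JimboNFS/Music";
    playlistDirectory = "/home/jimbo/JimboNFS/Music/Playlists";
    extraConfig = ''
      audio_output {
        type "pipewire"
        name "Local Pipewire"
      }
    '';
  };
  # mpd runs as jimbo, so point it at jimbo's runtime dir to reach PipeWire
  systemd.services.mpd.environment = {
    XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.jimbo.uid}";
  };

  # Enable AppArmor
  security.apparmor.enable = true;

  # Enable a keying agent
  services.gnome.gnome-keyring.enable = true;

  # Enable Polkit for authentication
  security.polkit.enable = true;

  # Battery saver for laptops
  services.tlp.enable = true;

  # Enable extra functionality in file managers
  services.gvfs.enable = true;

  # Attempt to automount USB drives
  services.udisks2.enable = true;

  # Enable school VPN
  services.globalprotect.enable = true;

  # Define the initial install version and allow auto-upgrades.
  # autoUpgrade rebuilds from the channel on a timer; with the unpinned
  # tarballs above, each upgrade can pull in different inputs.
  system.stateVersion = "23.11";
  system.autoUpgrade.enable = true;
}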
|