nixos-config/modules/host.nix

# Builds the NixOS configuration for one host.
#
# Three curried argument sets: `{ lib, pkgs }`, the NixOS `config` (read for
# system.singleUser and networking.hostName), and the host description below.
# `extraOptions` receives the assembled base configuration and whatever it
# returns is merged on top of it with `lib.recursiveUpdate`.
{ lib, pkgs }:
config:
{ userName                        # ./users/<userName>.nix must exist
, hostName
, wireless ? false                # adds ./hardware/wifi.nix, bluetooth and the iwd backend
, wifiInterface ? ""
, primaryInterface ? ""           # interface put behind the nftables allow-list
, overlays ? []                   # attribute names looked up in ../overlays
, hardwareImports ? [ "generic" ] # ./hardware/<name>.nix
, programImports ? []             # ./programs/<name>
, extraImports ? []               # paths relative to this directory
, isVM ? false                    # VMs get no /etc/hosts entries and no gopass
, fileSystems
, swapDevices ? []
, extraPackages ? pkgs: []        # function of pkgs returning a package list
, extraOptions ? old: {}          # function of the base config returning overrides
}:
let
  availableOverlays = import ../overlays { inherit pkgs lib; };
  network = import ./network.nix;

  # Pinned to a commit, so the home-manager sources are reproducible.
  homeManagerSrc = builtins.fetchGit {
    url = "https://github.com/nix-community/home-manager.git";
    rev = "35a24648d155843a4d162de98c17b1afd5db51e4";
    ref = "release-21.05";
  };

  # NOTE(review): flake-compat is fetched from a moving `master` tarball with
  # no hash, so evaluation depends on whatever GitHub serves at that moment;
  # pinning it to a commit tarball plus `sha256` would make this reproducible
  # and tamper-evident.  The nftables module itself is pinned by `rev`.
  nftablesModule = (import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
    src = builtins.fetchGit {
      url = "https://dev.ostylk.de/NixDistro/Config.git";
      rev = "703d3d727a86c5c45d59608b35e0dea62a3f8486";
    };
  }).defaultNix.nixosModules.nftables;

  # Interface whose inbound traffic is restricted to known devices: the
  # explicit primaryInterface, or wifiInterface when primaryInterface is empty.
  # If both are empty the generated `iif` rule below has no interface name.
  filteredInterface =
    if primaryInterface == "" && wifiInterface != "" then wifiInterface else primaryInterface;

  # Comma-separated IPv4 addresses of my own machines (from ./network.nix).
  trustedAddresses = lib.concatStringsSep "," [
    network.miku network.nishimiya network.ayame network.tamaki network.mashu
  ];

  # Unfree packages allowed by name (see the NOTE at nixpkgs.config below).
  unfreeAllowList = [
    "firmwareLinuxNonfree" "microcodeAmd" "microcodeIntel"
    "steam" "steam-original" "steam-runtime"
    "discord"
  ];

  hostConfig = {
    # Install home-manager
    imports = [
      "${homeManagerSrc}/nixos"
      ./users                       # For system.singleUser
      (./users + "/${userName}.nix")
      nftablesModule
    ]
    ++ map (item: ./programs + "/${item}") programImports
    ++ map (item: ./hardware + "/${item}.nix") hardwareImports
    ++ lib.optional wireless ./hardware/wifi.nix
    ++ map (item: ./. + "/${item}") extraImports;

    home-manager.useGlobalPkgs = true;

    nixpkgs = {
      overlays = map (name: availableOverlays.${name}) overlays;
      # NOTE(review): nixpkgs only consults allowUnfreePredicate when
      # allowUnfree is false, so with this line every unfree package is
      # permitted and the allow-list below is effectively dead.  Either drop
      # allowUnfree or add the missing names to the list.
      config.allowUnfree = true;
      # We don't tolerate non-free software, except for Steam and Linux firmware
      config.allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) unfreeAllowList;
    };

    time.timeZone = "Europe/Berlin";

    # Inbound filtering.  Only the primary interface is sent through the
    # allow-list, and that list matches IPv4 source addresses only; the input
    # chain sets no explicit policy here, so anything reaching the end of it
    # (IPv6 on the primary interface, any traffic on other interfaces) is
    # accepted unless the ostylk.nftables module adds a policy of its own.
    ostylk.nftables = {
      enable = true;
      tables.firewall = {
        family = "inet";
        chains = {
          non-libvirt.extraConfig = ''
            # Accept traffic from my devices
            ip saddr != { ${trustedAddresses} } drop
          '';
          input.extraConfig = ''
            type filter hook input priority 0
            ct state { established, related } accept
            iif lo accept
            iif ${filteredInterface} goto non-libvirt
          '';
        };
      };
    };

    networking = {
      useDHCP = false;              # Done by the network manager
      networkmanager.enable = false;
      #interfaces.*.useDHCP = false;
      inherit hostName;
      wireless.enable = if wireless then true else lib.mkForce false;
      # Static name resolution for my own machines; VMs are left out.
      hosts = lib.mkIf (!isVM) {
        "${network.miku}" = [ "miku.local" ];
        "${network.nishimiya}" = [ "nishimiya.local" ];
        "${network.ayame}" = [ "ayame.local" ];
        "${network.tamaki}" = [ "tamaki.local" ];
        "${network.mashu}" = [ "mashu.local" ];
      };
    };

    i18n.defaultLocale = "en_GB.UTF-8";
    console = {
      font = "Lat2-Terminus16";
      keyMap = "de";
    };

    users = {
      mutableUsers = false;         # users come only from this configuration
      # "*" is not a valid hash, so root cannot log in with a password;
      # whether key-based SSH to root is possible depends on sshd's defaults.
      extraUsers.root.hashedPassword = "*";
    };

    environment = {
      systemPackages = [
        pkgs.htop
        pkgs.vim
        pkgs.git                    # Otherwise we cannot install home-manager
        pkgs.git-crypt
        pkgs.gnupg
        pkgs.python3
        pkgs.rtkit                  # RT scheduling
      ]
      ++ extraPackages pkgs
      ++ lib.optionals (!isVM) [ pkgs.gopass ];
      sessionVariables = {
        # Prevent us from having to always type it out
        NIXOS_CONFIG = "/home/${config.system.singleUser}/Development/Personal/nixos-config/hosts/${config.networking.hostName}.nix";
      };
    };

    fonts.fonts = [
      # CJK fonts
      pkgs.source-han-sans pkgs.source-han-serif
    ];

    services = {
      connman = {
        enable = true;
        extraFlags = [ "--nodnsproxy" ];
        wifi = lib.mkIf wireless { backend = "iwd"; };
      };
      # TODO: Is this correct? Maybe run once
      timesyncd.enable = false;
      # Everyone needs sound
      pipewire = {
        enable = true;
        pulse.enable = true;
        jack.enable = true;
        alsa = {
          enable = true;
          support32Bit = true;
        };
      };
      # On desktop: Monitor keyboards, mice, ...
      # On portable devices: Monitor their battery
      upower.enable = true;
      # What generated entropy?
      haveged.enable = true;
      printing.enable = lib.mkDefault false;
      avahi.enable = false;
      # For debugging.
      # TODO: Lock to known IPs and keys
      # NOTE(review): sshd is reachable on every path the nftables input chain
      # accepts (see above); until the TODO is done the only hardening in this
      # file is root's "*" password hash.
      sshd.enable = true;
      # Prevent unexpected OOM situations with heavy swapping
      earlyoom = {
        enable = true;
        enableNotifications = true;
      };
    };

    # Don't wait for a network connection
    systemd.services.NetworkManager-wait-online.enable = false;

    # Lets `sudo nixos-rebuild` see the path exported above.
    security.sudo.extraConfig = ''
      Defaults env_keep += "NIXOS_CONFIG"
    '';

    hardware = {
      enableRedistributableFirmware = true;
      # This is a Pipewire household!
      pulseaudio.enable = false;
      opengl = {
        enable = true;
        driSupport = true;
        driSupport32Bit = true;
        extraPackages = [ pkgs.vaapiVdpau pkgs.libvdpau-va-gl ];
      };
      # Only a subset of my devices have bluetooth
      bluetooth = lib.mkIf wireless { enable = true; };
    } // lib.optionalAttrs wireless { inherit wifiInterface; };

    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    inherit fileSystems swapDevices;
    system.stateVersion = "21.05";
  };
in
lib.recursiveUpdate hostConfig (extraOptions hostConfig)