# Shared base module for all of my hosts: firewall, networking, users,
# packages, services and hardware defaults. Host-specific input arrives via
# the custom `ptw.system.*` options and the address book in ./network.nix.
{ config, pkgs, lib, ... }:
let
  # Name -> address map of my devices (miku, nishimiya, tamaki, mashu, ayame).
  network = import ./network.nix;
  isVM = config.ptw.system.isVM;
  wireless = config.ptw.system.wireless;
  # Defaults to "" when the option is unset. The input rule below would then
  # read `iif  goto non-libvirt`, which nft rejects, so a missing value fails
  # closed at load time rather than silently skipping the allow-list.
  primaryInterface = lib.attrByPath [ "ptw" "system" "primaryInterface" ] "" config;
in {
  time.timeZone = "Europe/Berlin";

  ostylk.nftables = {
    enable = true;
    tables.firewall = {
      family = "inet";
      chains = {
        # Allow-list chain reached from `input` for traffic on the primary
        # interface. Despite the nft comment inside the string, the rule is a
        # *drop* of every IPv4 source that is not one of my devices; packets
        # from listed devices fall through to the base chain's policy.
        # NOTE(review): `ip saddr` matches IPv4 only. In an `inet` table, IPv6
        # packets arriving on the primary interface do not match this rule and
        # end up at the `input` chain's default (accept) policy — confirm that
        # this is intended before relying on the allow-list for IPv6.
        non-libvirt.extraConfig = let
          deviceIPString = lib.concatStringsSep "," (with network; [
            miku
            nishimiya
            tamaki
            mashu
            # ayame
          ]);
        in ''
          # Accept traffic from my devices
          ip saddr != { ${deviceIPString} } drop
        '';
        # Base chain. No explicit `policy`, so nft's default (accept) applies to
        # anything not dropped above — including traffic on interfaces other
        # than the primary one (e.g. libvirt bridges, hence the chain name).
        input.extraConfig = ''
          type filter hook input priority 0
          ct state { established, related } accept
          iif lo accept
          iif ${primaryInterface} goto non-libvirt
        '';
      };
    };
  };

  networking = {
    useDHCP = false; # Done by the network manager
    networkmanager.enable = true;
    #interfaces.*.useDHCP = false;
    hostName = config.ptw.system.hostName;
    # Static `.local` names for my devices; not needed inside VMs.
    hosts = lib.mkIf (!isVM) {
      "${network.miku}" = [ "miku.local" ];
      "${network.nishimiya}" = [ "nishimiya.local" ];
      #"${network.ayame}" = [ "ayame.local" ];
      "${network.tamaki}" = [ "tamaki.local" ];
      "${network.mashu}" = [ "mashu.local" ];
    };
  };

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  users = {
    # Users are fully declarative; no passwd/shadow edits survive a rebuild.
    mutableUsers = false;
    extraUsers = {
      root = {
        # Disable root password login: "*" is not a valid hash, so no password
        # ever matches. sudo and SSH key access are unaffected by this.
        hashedPassword = "*";
      };
    };
  };

  documentation.nixos.enable = false;

  environment = {
    systemPackages = with pkgs; [
      htop
      vim
      git # Otherwise we cannot install home-manager
      git-crypt
      gnupg
      python3
      # RT scheduling
      rtkit
    ] ++ lib.optionals (!isVM) (with pkgs; [
      gopass
    ]);
    sessionVariables = {
      # Prevent us from having to always type it out.
      # Trust note: this path lives in the single user's home and is kept
      # across sudo (see security.sudo.extraConfig below), so whatever that
      # user can write there is what a root `nixos-rebuild` evaluates. That is
      # the single-user design of these hosts; keep it in mind if more users
      # are ever added.
      NIXOS_CONFIG = "/home/${config.ptw.system.singleUser}/Development/Personal/nixos-config/hosts/${config.networking.hostName}.nix";
    };
  };

  fonts.fonts = with pkgs; [
    # CJK fonts
    source-han-sans
    source-han-serif
    # Coding fonts
    source-code-pro
    # Icon fonts
    nerdfonts
  ];

  # We don't tolerate non-free software, except for Steam and Linux firmware
  # (the list below also admits CPU microcode and Discord).
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "firmwareLinuxNonfree"
    "microcodeAmd"
    "microcodeIntel"
    "steam"
    "steam-original"
    "steam-runtime"
    "discord"
  ];

  services = {
    # TODO: Is this correct? Maybe run once
    # NOTE(review): nothing else on this page keeps the clock in sync; a
    # drifting clock eventually breaks certificate validity checks — confirm
    # another module covers time sync.
    timesyncd.enable = false;
    # Everyone needs sound
    pipewire = {
      enable = true;
      pulse.enable = true;
      jack.enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
    };
    # On desktop: Monitor keyboards, mice, ...
    # On portable devices: Monitor their battery
    upower.enable = true;
    # Extra entropy source (haveged).
    haveged.enable = true;
    printing.enable = lib.mkDefault false;
    avahi.enable = false;
    # For debugging.
    # TODO: Lock to known IPs and keys
    # NOTE(review): the nftables allow-list above only limits IPv4 sources on
    # the primary interface; sshd stays reachable on other interfaces and over
    # IPv6. Root cannot log in with a password (hashedPassword = "*"), but
    # password authentication for other users is not disabled on this page.
    sshd.enable = true;
    # Prevent unexpected OOM situations with heavy swapping
    earlyoom = {
      enable = true;
      enableNotifications = true;
    };
  };

  # Don't wait for a network connection
  systemd.services.NetworkManager-wait-online.enable = false;

  # Keep NIXOS_CONFIG (set in environment.sessionVariables) across sudo.
  security.sudo.extraConfig = ''
    Defaults env_keep += "NIXOS_CONFIG"
  '';

  hardware = {
    enableRedistributableFirmware = true;
    # This is a Pipewire household!
    pulseaudio.enable = false;
    opengl = {
      enable = true;
      driSupport32Bit = true;
      driSupport = true;
      extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
    };
    # Only a subset of my devices have bluetooth
    bluetooth = lib.mkIf wireless { enable = true; };
  };

  nix.package = pkgs.nixUnstable;
  nix.extraOptions = ''
    experimental-features = nix-command flakes ca-references
  '';

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  system.stateVersion = "21.05";
}