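# Shared NixOS base module for every host: time/locale, nftables firewall,
# NetworkManager, the single-user policy, packages, fonts, services, nix
# settings and the bootloader.  Host-specific knobs come in through the
# `config.ptw.system.*` options (defined elsewhere) and ./network.nix, which
# provides the IPv4 addresses of the author's own devices.
{ config, pkgs, lib, inputs, ... }:
let
  # Device name -> IPv4 address map (only IPv4 entries are used below).
  network = import ./network.nix;
  isVM = config.ptw.system.isVM;
  wireless = config.ptw.system.wireless;
  # Name of the uplink interface; "" when the host does not declare one.
  primaryInterface = lib.attrByPath [ "ptw" "system" "primaryInterface" ] "" config;
in {
  time.timeZone = "Europe/Berlin";

  ostylk.nftables = {
    enable = true;
    tables.firewall = {
      family = "inet";
      chains = {
        # Regular chain reached via `goto` from `input` for traffic arriving on
        # the uplink.  It allowlists the author's own devices by source
        # address; whatever is not dropped here ends with the base chain's
        # default policy (accept, since `input` declares no `policy`).
        non-libvirt.extraConfig = let
          deviceIPString = lib.concatStringsSep "," (with network; [
            miku
            nishimiya
            tamaki
            mashu
            taihou
            # ayame
          ]);
        in ''
          # Neighbour/router discovery has to pass or IPv6 on the link stops working
          icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, nd-redirect } accept
          # network.nix only carries IPv4 addresses, so no IPv6 peer can be
          # allowlisted yet.  `ip saddr` below never matches an IPv6 packet, which
          # would otherwise fall through to the default accept and bypass the
          # allowlist entirely (including for sshd).  Replace this with an
          # `ip6 saddr != { ... } drop` rule once the devices have IPv6 entries.
          meta nfproto ipv6 drop
          # Accept traffic only from my devices
          ip saddr != { ${deviceIPString} } drop
        '';
        # Base chain: replies to our own connections and loopback are accepted
        # unconditionally; the uplink is handed to the allowlist above.  Other
        # interfaces (e.g. libvirt bridges) are left to the default policy.
        input.extraConfig = ''
          type filter hook input priority 0
          ct state { established, related } accept
          iif lo accept
          iif ${primaryInterface} goto non-libvirt
        '';
      };
    };
  };

  networking = {
    useDHCP = false; # Done by the network manager
    networkmanager.enable = true;
    #interfaces.*.useDHCP = false;
    hostName = config.ptw.system.hostName;
    # Static name resolution for the author's devices; skipped inside VMs.
    hosts = lib.mkIf (!isVM) {
      "${network.miku}" = [ "miku.local" ];
      "${network.nishimiya}" = [ "nishimiya.local" ];
      #"${network.ayame}" = [ "ayame.local" ];
      "${network.tamaki}" = [ "tamaki.local" ];
      "${network.mashu}" = [ "mashu.local" ];
      "${network.taihou}" = [ "taihou.local" ];
    };
  };

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  users = {
    # All accounts are declared in the configuration; no ad-hoc useradd/passwd.
    mutableUsers = false;
    extraUsers = {
      root = {
        # Disable root password login ("*" never matches any password)
        hashedPassword = "*";
      };
    };
  };

  documentation.nixos.enable = false;

  environment = {
    systemPackages = with pkgs; [
      htop
      vim
      git # Otherwise we cannot install home-manager
      git-crypt
      gnupg
      python3
      # General utilities
      bandwhich
      bottom
      latencytop
      # RT scheduling
      rtkit
    ] ++ lib.optionals (!isVM) (with pkgs; [
      gopass
    ]);
    sessionVariables = {
      # Prevent us from having to always type it out
      NIXOS_CONFIG = "/home/${config.ptw.system.singleUser}/Development/Personal/nixos-config/hosts/${config.networking.hostName}.nix";
    };
  };

  fonts.fonts = with pkgs; [
    # CJK fonts
    source-han-sans
    source-han-serif
    # Coding fonts
    source-code-pro
    # Icon fonts
    nerdfonts
  ];

  # Unfree software is opt-in per package: Linux firmware and CPU microcode,
  # Steam, Discord and Minecraft.  Everything else unfree is rejected.
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "firmwareLinuxNonfree"
    "microcodeAmd"
    "microcodeIntel"
    "steam"
    "steam-original"
    "steam-runtime"
    "discord"
    "minecraft"
  ];

  services = {
    # TODO: Is this correct? Maybe run once
    timesyncd.enable = false;

    # Everyone needs sound
    pipewire = {
      enable = true;
      pulse.enable = true;
      jack.enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      /*
      Kept for reference, currently disabled.  Note before re-enabling: the
      `links` refer to "mix_L"/"mix_R" while the mixer nodes are named
      "mixL"/"mixR", so the graph as written would not connect.
      config.pipewire = {
        "context.modules" = [
          { name = "libpipewire-module-rtkit"; args = {}; flags = [ "ifexists" "nofail" ]; }
          { name = "libpipewire-module-protocol-native"; }
          { name = "libpipewire-module-client-node"; }
          { name = "libpipewire-module-adapter"; }
          { name = "libpipewire-module-metadata"; }
          {
            name = "libpipewire-module-filter-chain";
            args = {
              "node.name" = "effect_output.virtual-surround-7.1-hesuvi";
              "node.description" = "Virtual Surround Sink";
              "media.name" = "Virtual Surround Sink";
              "filter.graph" = {
                nodes = [
                  { type = "builtin"; label = "copy"; name = "copyFL"; }
                  { type = "builtin"; label = "copy"; name = "copyFR"; }
                  { type = "builtin"; label = "copy"; name = "copyFC"; }
                  { type = "builtin"; label = "copy"; name = "copyRL"; }
                  { type = "builtin"; label = "copy"; name = "copyRR"; }
                  { type = "builtin"; label = "copy"; name = "copySL"; }
                  { type = "builtin"; label = "copy"; name = "copySR"; }
                  { type = "builtin"; label = "copy"; name = "copyLFE"; }
                  { type = "builtin"; label = "convolver"; name = "convFL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 0; }; }
                  { type = "builtin"; label = "convolver"; name = "convFL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 1; }; }
                  { type = "builtin"; label = "convolver"; name = "convSL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 2; }; }
                  { type = "builtin"; label = "convolver"; name = "convSL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 3; }; }
                  { type = "builtin"; label = "convolver"; name = "convRL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 4; }; }
                  { type = "builtin"; label = "convolver"; name = "convRL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 5; }; }
                  { type = "builtin"; label = "convolver"; name = "convFC_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 6; }; }
                  { type = "builtin"; label = "convolver"; name = "convFR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 7; }; }
                  { type = "builtin"; label = "convolver"; name = "convFR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 8; }; }
                  { type = "builtin"; label = "convolver"; name = "convSR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 9; }; }
                  { type = "builtin"; label = "convolver"; name = "convSR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 10; }; }
                  { type = "builtin"; label = "convolver"; name = "convRR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 11; }; }
                  { type = "builtin"; label = "convolver"; name = "convRR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 12; }; }
                  { type = "builtin"; label = "convolver"; name = "convFC_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 13; }; }
                  { type = "builtin"; label = "convolver"; name = "convLFE_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 6; }; }
                  { type = "builtin"; label = "convolver"; name = "convLFE_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 13; }; }
                  { type = "builtin"; label = "mixer"; name = "mixL"; }
                  { type = "builtin"; label = "mixer"; name = "mixR"; }
                ];
                links = let
                  linkInput = channel: [
                    { output = "copy${channel}:Out"; input = "conv${channel}_L:In"; }
                    { output = "copy${channel}:Out"; input = "conv${channel}_R:In"; }
                  ];
                  linkOutput = channel: n: [
                    { output = "conv${channel}_L:Out"; input = "mix_L:In ${builtins.toString n}"; }
                    { output = "conv${channel}_R:Out"; input = "mix_R:In ${builtins.toString n}"; }
                  ];
                in (builtins.concatMap (channel: linkInput channel) [ "FL" "SL" "RL" "FC" "FR" "SR" "RR" "LFE" ]) ++ [
                  (linkOutput "FL" 1)
                  (linkOutput "SL" 2)
                  (linkOutput "RL" 3)
                  (linkOutput "FC" 4)
                  (linkOutput "FR" 5)
                  (linkOutput "SR" 6)
                  (linkOutput "RR" 7)
                  (linkOutput "LFE" 8)
                ];
                inputs = builtins.map (channel: "copy${channel}:In") [ "FL" "SL" "RL" "FC" "FR" "SR" "RR" "LFE" ];
                outputs = [ "mixL:Out" "mixR:Out" ];
              };
              "capture.props" = {
                "media.class" = "Audio/Sink";
                "audio.channels" = 8;
                "audio.position" = [ "FL" "FR" "FC" "LFE" "RL" "RR" "SL" "SR" ];
              };
              "playback.props" = {
                "node.passive" = true;
                "audio.channels" = 2;
                "audio.positions" = [ "FL" "FR" ];
              };
            };
          }
        ];
      };
      */
    };

    # On desktop: Monitor keyboards, mice, ...
    # On portable devices: Monitor their battery
    upower.enable = true;

    # What generated entropy?
    #haveged.enable = true;

    printing.enable = lib.mkDefault false;
    avahi.enable = false;

    # For debugging.  On the uplink the nftables allowlist above already limits
    # who can reach the daemon; root is additionally refused here since the
    # account has no usable password anyway.
    # TODO: Lock to known keys
    openssh = {
      enable = true;
      permitRootLogin = "no";
    };

    # Prevent unexpected OOM situations with heavy swapping
    earlyoom = {
      enable = true;
      enableNotifications = true;
    };
  };

  # Don't wait for a network connection
  systemd.services.NetworkManager-wait-online.enable = false;

  # Lets `sudo nixos-rebuild` find the host file named in NIXOS_CONFIG above
  security.sudo.extraConfig = ''
    Defaults env_keep += "NIXOS_CONFIG"
  '';

  hardware = {
    enableRedistributableFirmware = true;
    # This is a Pipewire household!
    pulseaudio.enable = false;
    opengl = {
      enable = true;
      driSupport32Bit = true;
      driSupport = true;
      extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
    };
    # Only a subset of my devices have bluetooth
    bluetooth = lib.mkIf wireless {
      enable = true;
    };
  };

  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    # Pin the `nixpkgs` flake reference to the input this system was built from
    registry = {
      nixpkgs.flake = inputs.nixpkgs;
    };
    settings = {
      # Each substituter must be paired with its signing key below, otherwise
      # nix refuses its paths.
      substituters = [
        "https://cache.nixos.org/" # Official binary substitute
        "https://nix-community.cachix.org/" # For emacsGccPgtk
      ];
      trusted-public-keys = [
        "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" # Official binary substitute
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" # nix-community
      ];
    };
  };

  boot = {
    cleanTmpDir = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  system.stateVersion = "21.05";
}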