# Shared NixOS base module for every host in this configuration.  Host-specific
# knobs are read from the custom `config.ptw.system.*` options (defined outside
# this file); the firewall is declared through the custom `ostylk.nftables`
# module rather than the upstream `networking.nftables` option.
{ config, pkgs, lib, inputs, ... }:

let
  # Attribute set of device name -> address, maintained in ./network.nix.
  # The firewall allow-list and the static /etc/hosts entries below both
  # derive from it, so the two stay in sync by construction.
  network = import ./network.nix;

  isVM = config.ptw.system.isVM;
  wireless = config.ptw.system.wireless;

  # Read leniently: hosts that do not declare the option get "" instead of an
  # evaluation error.  See the note on the input chain below for the
  # consequence of that empty default.
  primaryInterface = lib.attrByPath [ "ptw" "system" "primaryInterface" ] "" config;
in {
  time.timeZone = "Europe/Berlin";

  # Host firewall.  The `extraConfig` strings below read as raw nft chain
  # bodies; how the `ostylk.nftables` module wraps them is not visible from
  # this file, so nft syntax errors presumably surface only at activation.
  ostylk.nftables = {
    enable = true;

    tables.firewall = {
      family = "inet";

      chains = {
        # Allow-list chain reached via `goto` from the input chain: traffic that
        # does not originate from one of the listed device addresses is dropped.
        # NOTE(review): the rule matches `ip saddr` only.  With `family = "inet"`
        # IPv6 packets pass this rule unmatched and, since no chain policy is
        # declared, end in the implicit accept — confirm that is intended.
        # (The `# Accept traffic from my devices` comment inside the nft text
        # describes the effect on device traffic; the rule itself is a drop.)
        non-libvirt.extraConfig = let
          deviceIPString = lib.concatStringsSep "," (with network; [
            miku nishimiya tamaki mashu taihou # ayame
          ]);
        in ''
          # Accept traffic from my devices
          ip saddr != { ${deviceIPString} } drop
        '';

        # Base chain.  No `policy drop` is declared, so anything not handled by
        # a rule here is accepted; only packets arriving on `primaryInterface`
        # are sent through the device allow-list, and because that is a `goto`
        # they do not return here.  Device traffic is therefore accepted on all
        # ports, and traffic on any other interface is accepted unconditionally.
        # NOTE(review): `primaryInterface` is "" when the option is absent,
        # which renders as `iif  goto non-libvirt` — invalid nft syntax.
        # TODO confirm every host using this module sets
        # ptw.system.primaryInterface, or guard the rule.
        input.extraConfig = ''
          type filter hook input priority 0

          ct state { established, related } accept
          iif lo accept
          iif ${primaryInterface} goto non-libvirt
        '';
      };
    };
  };

  networking = {
    useDHCP = false; # Done by the network manager
    networkmanager.enable = true;

    #interfaces.*.useDHCP = false;

    hostName = config.ptw.system.hostName;
    # Static name resolution for the other devices.  Pinning the `.local`
    # names here presumably stands in for mDNS, since avahi is disabled
    # further down.  Skipped on VMs.
    hosts = lib.mkIf (!isVM) {
      "${network.miku}" = [ "miku.local" ];
      "${network.nishimiya}" = [ "nishimiya.local" ];
      #"${network.ayame}" = [ "ayame.local" ];
      "${network.tamaki}" = [ "tamaki.local" ];
      "${network.mashu}" = [ "mashu.local" ];
      "${network.taihou}" = [ "taihou.local" ];
    };
  };

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  users = {
    # Every account must be declared in the configuration; imperative
    # useradd/passwd changes are discarded on rebuild.
    mutableUsers = false;

    extraUsers = {
      root = {
        # Disable root login
        # "*" is not a valid hash, so no password can authenticate as root.
        # SSH root login is governed separately by the openssh module's
        # permitRootLogin default, which this file does not set.
        hashedPassword = "*";
      };
    };
  };

  documentation.nixos.enable = false;

  environment = {
    systemPackages = with pkgs; [
      htop
      vim
      git # Otherwise we cannot install home-manager
      git-crypt
      gnupg
      python3

      # General utilities
      bandwhich bottom latencytop

      # RT scheduling
      rtkit
    ] ++ lib.optionals (!isVM) (with pkgs; [ gopass ]);

    sessionVariables = {
      # Prevent us from having to always type it out
      # Points into the single user's home; together with the sudo `env_keep`
      # entry below this means `sudo nixos-rebuild` evaluates a user-writable
      # file as root.  Acceptable here only because that user already holds
      # sudo — presumably the case, not visible from this file.
      NIXOS_CONFIG = "/home/${config.ptw.system.singleUser}/Development/Personal/nixos-config/hosts/${config.networking.hostName}.nix";
    };
  };

  fonts.fonts = with pkgs; [
    # CJK fonts
    source-han-sans source-han-serif
    # Coding fonts
    source-code-pro
    # Icon fonts
    nerdfonts
  ];

  # We don't tolerate non-free software, except for Steam and Linux firmware
  # Matching is by package name (lib.getName), so any package whose name
  # appears in this list is allowed regardless of version or origin.
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "firmwareLinuxNonfree" "microcodeAmd" "microcodeIntel"
    "steam" "steam-original" "steam-runtime"
    "discord" "minecraft"
  ];

  services = {
    # TODO: Is this correct? Maybe run once
    # No other time-sync service is enabled in this file, so the clock is
    # not kept in sync by this module.
    timesyncd.enable = false;

    # Everyone needs sound
    pipewire = {
      enable = true;
      pulse.enable = true;
      jack.enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      # NOTE(review): the disabled virtual-surround block below links to
      # `mix_L:In`/`mix_R:In` while the mixer nodes are named `mixL`/`mixR`
      # (and `outputs` uses `mixL:Out`), and `playback.props` uses
      # "audio.positions" where `capture.props` uses "audio.position" —
      # check both before re-enabling it.
      /*
      config.pipewire = {
        "context.modules" = [
          {
            name = "libpipewire-module-rtkit";
            args = {};
            flags = [ "ifexists" "nofail" ];
          }
          { name = "libpipewire-module-protocol-native"; }
          { name = "libpipewire-module-client-node"; }
          { name = "libpipewire-module-adapter"; }
          { name = "libpipewire-module-metadata"; }

          {
            name = "libpipewire-module-filter-chain";
            args = {
              "node.name" = "effect_output.virtual-surround-7.1-hesuvi";
              "node.description" = "Virtual Surround Sink";
              "media.name" = "Virtual Surround Sink";
              "filter.graph" = {
                nodes = [
                  { type = "builtin"; label = "copy"; name = "copyFL"; }
                  { type = "builtin"; label = "copy"; name = "copyFR"; }
                  { type = "builtin"; label = "copy"; name = "copyFC"; }
                  { type = "builtin"; label = "copy"; name = "copyRL"; }
                  { type = "builtin"; label = "copy"; name = "copyRR"; }
                  { type = "builtin"; label = "copy"; name = "copySL"; }
                  { type = "builtin"; label = "copy"; name = "copySR"; }
                  { type = "builtin"; label = "copy"; name = "copyLFE"; }

                  { type = "builtin"; label = "convolver"; name = "convFL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 0; }; }
                  { type = "builtin"; label = "convolver"; name = "convFL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 1; }; }
                  { type = "builtin"; label = "convolver"; name = "convSL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 2; }; }
                  { type = "builtin"; label = "convolver"; name = "convSL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 3; }; }
                  { type = "builtin"; label = "convolver"; name = "convRL_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 4; }; }
                  { type = "builtin"; label = "convolver"; name = "convRL_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 5; }; }
                  { type = "builtin"; label = "convolver"; name = "convFC_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 6; }; }
                  { type = "builtin"; label = "convolver"; name = "convFR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 7; }; }
                  { type = "builtin"; label = "convolver"; name = "convFR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 8; }; }
                  { type = "builtin"; label = "convolver"; name = "convSR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 9; }; }
                  { type = "builtin"; label = "convolver"; name = "convSR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 10; }; }
                  { type = "builtin"; label = "convolver"; name = "convRR_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 11; }; }
                  { type = "builtin"; label = "convolver"; name = "convRR_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 12; }; }
                  { type = "builtin"; label = "convolver"; name = "convFC_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 13; }; }

                  { type = "builtin"; label = "convolver"; name = "convLFE_L"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 6; }; }
                  { type = "builtin"; label = "convolver"; name = "convLFE_R"; config = { filename = "hrir_hesuvi/hrir.wav"; channel = 13; }; }

                  { type = "builtin"; label = "mixer"; name = "mixL"; }
                  { type = "builtin"; label = "mixer"; name = "mixR"; }
                ];
                links = let
                  linkInput = channel: [
                    { output = "copy${channel}:Out"; input = "conv${channel}_L:In"; }
                    { output = "copy${channel}:Out"; input = "conv${channel}_R:In"; }
                  ];
                  linkOutput = channel: n: [
                    { output = "conv${channel}_L:Out"; input = "mix_L:In ${builtins.toString n}"; }
                    { output = "conv${channel}_R:Out"; input = "mix_R:In ${builtins.toString n}"; }
                  ];
                in (builtins.concatMap (channel: linkInput channel) [ "FL" "SL" "RL" "FC" "FR" "SR" "RR" "LFE" ])
                ++ [
                  (linkOutput "FL" 1)
                  (linkOutput "SL" 2)
                  (linkOutput "RL" 3)
                  (linkOutput "FC" 4)
                  (linkOutput "FR" 5)
                  (linkOutput "SR" 6)
                  (linkOutput "RR" 7)
                  (linkOutput "LFE" 8)
                ];
                inputs = builtins.map (channel: "copy${channel}:In") [ "FL" "SL" "RL" "FC" "FR" "SR" "RR" "LFE" ];
                outputs = [ "mixL:Out" "mixR:Out" ];
              };

              "capture.props" = {
                "media.class" = "Audio/Sink";
                "audio.channels" = 8;
                "audio.position" = [ "FL" "FR" "FC" "LFE" "RL" "RR" "SL" "SR" ];
              };
              "playback.props" = {
                "node.passive" = true;
                "audio.channels" = 2;
                "audio.positions" = [ "FL" "FR" ];
              };
            };
          }
        ];
      };
      */
    };

    # On desktop: Monitor keyboards, mice, ...
    # On portable devices: Monitor their battery
    upower.enable = true;

    # What generated entropy?
    #haveged.enable = true;

    printing.enable = lib.mkDefault false;
    avahi.enable = false;

    # For debugging.
    # TODO: Lock to known IPs and keys
    # Enabled on every host.  Nothing in this file restricts sshd to key-only
    # authentication or to known source addresses; the input chain above
    # accepts device traffic on all ports, so reachability is bounded only by
    # the device allow-list (IPv4 on `primaryInterface`) and the openssh
    # module defaults.
    sshd.enable = true;

    # Prevent unexpected OOM situations with heavy swapping
    earlyoom = {
      enable = true;
      enableNotifications = true;
    };
  };

  # Don't wait for a network connection
  systemd.services.NetworkManager-wait-online.enable = false;

  # Lets NIXOS_CONFIG (set in sessionVariables above) survive into sudo'd
  # commands, so `sudo nixos-rebuild` picks up the per-host file without
  # being told its path.
  security.sudo.extraConfig = ''
    Defaults env_keep += "NIXOS_CONFIG"
  '';

  hardware = {
    enableRedistributableFirmware = true;
    # This is a Pipewire household!
    pulseaudio.enable = false;

    opengl = {
      enable = true;
      driSupport32Bit = true;
      driSupport = true;
      extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
    };

    # Only a subset of my devices have bluetooth
    bluetooth = lib.mkIf wireless {
      enable = true;
    };
  };

  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    # Pin the system registry's `nixpkgs` entry to the same input this flake
    # was built from, so ad-hoc `nix run nixpkgs#...` matches the system.
    registry = {
      nixpkgs.flake = inputs.nixpkgs;
    };
    settings = {
      substituters = [
        "https://cache.nixos.org/" # Official binary substitute
        "https://nix-community.cachix.org/" # For emacsGccPgtk
      ];
      # Store paths fetched from the substituters above are only accepted when
      # signed by one of these keys; keep the two lists in step.
      trusted-public-keys = [
        "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" # Official binary substitute
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" # nix-community
      ];
    };
  };

  boot = {
    cleanTmpDir = true;
    loader = {
      systemd-boot.enable = true;
      # Lets the installer write boot entries into NVRAM.
      efi.canTouchEfiVariables = true;
    };
  };

  system.stateVersion = "21.05";
}