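{ config, pkgs, ... }:

let
  # PAM stack shared by the `login` and `system-auth` services; the two
  # were previously spelled out twice with identical contents.
  # NOTE(review): allowNullPassword = true lets an account whose password
  # field is empty authenticate. mutableUsers = false and both declared
  # users carry a hash, so no such account should exist here, but the
  # flag is worth keeping deliberate rather than copied along.
  pamLoginStack = {
    allowNullPassword = true;
    setEnvironment = true;
    setLoginUid = true;
    startSession = true;
    unixAuth = true;
    updateWtmp = true;
    # Unlock keyring on login.
    enableGnomeKeyring = true;
  };
in
{
  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    optimise.automatic = true;
  };

  # boot.binfmt.emulatedSystems = [ "aarch64-linux" "qemu-aarch64" ];

  networking = {
    networkmanager = {
      enable = true;
      wifi = {
        # NOTE(review): with scan-time MAC randomisation off, the adapter's
        # real hardware address is used while probing for networks — confirm
        # that is intended (e.g. for a network that filters by MAC).
        scanRandMacAddress = false;
      };
    };
    useDHCP = false;
    interfaces = { };
    firewall = {
      # 51820 is used by wireguard
      allowedUDPPorts = [ 51820 ];
      # 1714 - 1764 is used by kdeconnect
      allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
      allowedUDPPortRanges = [{ from = 1714; to = 1764; }];
      # if packets are still dropped, they will show up in dmesg
      logReversePathDrops = true;
      # # wireguard trips rpfilter up
      # extraCommands = ''
      #   ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
      #   ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
      # '';
      # extraStopCommands = ''
      #   ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
      #   ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
      # '';
    };
  };

  # Set your time zone.
  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  services.dbus.enable = true;

  # X without a display manager (startx); libinput for all input devices,
  # plus a button remap and acceleration tuning for the CST trackball.
  services.xserver = {
    enable = true;
    layout = "us";
    xkbVariant = "altgr-intl";
    xkbOptions = "caps:escape";
    displayManager.startx.enable = true;
    libinput.enable = true;
    extraConfig = ''
      Section "InputClass"
        Identifier "trackball"
        MatchProduct "Clearly Superior Technologies. CST Laser Trackball"
        Driver "libinput"
        Option "ButtonMapping" "3 2 1 4 5"
        Option "AccelerationProfile" "0"
        Option "AccelerationScheme" "predictable"
        Option "AccelerationNumerator" "3"
        Option "AccelSpeed" "-0.9"
      EndSection
    '';
  };

  services.tor.enable = true;
  services.avahi.enable = true;

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Sound is handled by PipeWire with its ALSA/Pulse/JACK compatibility
  # layers; the legacy sound/pulseaudio options stay off.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    jack.enable = true;
  };

  # Privilege escalation: doas for the wheel group, with sudo enabled as a
  # second path.
  # NOTE(review): noPass for the whole wheel group means every wheel member
  # — and any process running as one — becomes root without a prompt, and
  # keepEnv passes that caller's environment through to the root process.
  # If either is not required, dropping it is the cheapest hardening here.
  security.doas = {
    enable = true;
    extraRules = [{
      groups = [ "wheel" ];
      keepEnv = true;
      noPass = true;
    }];
  };
  security.sudo.enable = true;

  security.pam.services = {
    swaylock.text = ''
      auth include login
    '';
    waylock.text = ''
      auth include system-auth
    '';
    login = pamLoginStack;
    system-auth = pamLoginStack;
  };
  security.polkit.enable = true;

  environment.systemPackages = with pkgs; [
    dmidecode
    flashrom
    git
  ];

  users = {
    # Accounts are fully declarative; nothing is changed imperatively.
    mutableUsers = false;
    groups = {
      plugdev = { };
    };
    # NOTE(review): these $6$ (sha512crypt) hashes are copied into the Nix
    # store and into /etc/nixos, which is persisted below — both readable by
    # every local user. users.users.<name>.passwordFile pointing at a
    # root-only file outside the store keeps the hashes out of both.
    # NOTE(review): initialHashedPassword is applied when the account is
    # created; with "/" on tmpfs that presumably happens on every boot —
    # confirm, otherwise hashedPassword is the field that is re-applied.
    users = {
      root.initialHashedPassword = "$6$3TVh31LfZQFaZi8T$9.cNxrApCaAetC8wRJXxA5U9n4Hbta3CoggvG0HntTQ6sCRQWIV01EhIjdzJoZZ1kqF2ItWkF8Sqprl5raUKY0";
      rilla = {
        uid = 1000;
        isNormalUser = true;
        shell = pkgs.zsh;
        extraGroups = [ "wheel" "docker" "libvirtd" "dialout" "plugdev" "adbusers" "video" ];
        initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
      };
    };
  };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  programs.mosh.enable = true;
  programs.zsh.enable = true;
  programs.slock.enable = true;
  programs.fuse.userAllowOther = true;
  programs.dconf.enable = true;

  # List services that you want to enable:
  services.pcscd.enable = true;

  # SSH: key-only authentication, root login refused, a single ed25519 host
  # key presented together with its host-CA certificate, and user
  # certificates issued by the site user CA accepted.
  # NOTE(review): TrustedUserCAKeys accepts any certificate signed by
  # user_ca.pub; which accounts a certificate may log into is decided by the
  # principals embedded in it (or an AuthorizedPrincipalsFile) — confirm the
  # CA issues principal-scoped certificates.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    permitRootLogin = "no";
    hostKeys = [{
      path = "/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];
    knownHosts = {
      "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,snitch,trantor,capibara,axolotl,echidna" = {
        certAuthority = true;
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
      };
    };
    extraConfig = ''
      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
      TrustedUserCAKeys /etc/ssh/user_ca.pub
    '';
  };

  virtualisation = {
    docker.enable = true;
    podman = {
      enable = true;
      defaultNetwork.dnsname.enable = true;
    };
    libvirtd.enable = true;
    spiceUSBRedirection.enable = true;
  };
  services.spice-vdagentd.enable = true;

  # udev: Android rules package plus local rules for Teensy, STM32 DFU and
  # backlight access (previously split over two services.udev definitions).
  # NOTE(review): the Teensy rules grant MODE 0666 (read/write for every
  # local user) while the DFU rule below gets the same effect for the
  # intended user via GROUP="plugdev" and MODE 664; rilla is already in
  # plugdev, so the Teensy lines could use the same group-scoped form.
  # NOTE(review): the two RUN+= lines for intel_backlight carry no match
  # keys; a rule line without matches applies to every uevent — confirm
  # whether they were meant to hang off the acpi_video0 rule above them.
  services.udev = {
    packages = [ pkgs.android-udev-rules ];
    extraRules = ''
      # UDEV rules for Teensy USB devices
      ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
      ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
      KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
      ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"
      # acpi brightness rulres
      ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="acpi_video0", GROUP="video", MODE="0664"
      RUN+="${pkgs.coreutils-full}/bin/chgrp video /sys/class/backlight/intel_backlight/brightness"
      RUN+="${pkgs.coreutils-full}/bin/chmod g+w /sys/class/backlight/intel_backlight/brightness"
    '';
  };

  hardware.opengl.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;

  # Root is a 2G tmpfs, so everything not listed under
  # environment.persistence is gone after a reboot.
  fileSystems = {
    "/" = {
      device = "tmpfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=2G" "mode=755" ];
    };
  };
  swapDevices = [{ device = "/swap/swapfile"; }];

  # State kept across reboots (environment.persistence is not a stock NixOS
  # option; presumably the impermanence module provides it — verify the
  # import). Host key, host certificate and user CA live here so the sshd
  # identity above survives a reboot.
  # NOTE(review): /var/lib/systemd/coredump is persisted; core dumps can
  # contain process memory (keys, tokens) — keep it root-only or drop it.
  environment.persistence = {
    "/mnt/persist" = {
      directories = [
        "/etc/NetworkManager/system-connections"
        "/etc/nixos"
        "/etc/wireguard"
        "/var/lib/bluetooth"
        "/var/lib/docker"
        "/var/lib/libvirt"
        "/var/lib/systemd/coredump"
      ];
      files = [
        "/etc/machine-id"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_ed25519_key-cert.pub"
        "/etc/ssh/user_ca.pub"
      ];
    };
    "/mnt/logs" = {
      directories = [ "/var/log" ];
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}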