{ config, pkgs, ... }:

# Host-level NixOS module for a single workstation: networking and firewall,
# system services, PAM stacks, the primary user, virtualisation, udev rules
# and the impermanence (environment.persistence) layout. Everything below is
# declarative; the security-relevant choices are annotated where they are
# not obvious from the option name.
{
  # boot.binfmt.emulatedSystems = [ "aarch64-linux" "qemu-aarch64" ];

  networking = {
    networkmanager = {
      enable = true;
      wifi = {
        # NOTE(review): turning scan-time MAC randomisation off exposes the
        # real hardware address to every access point seen while scanning;
        # keep only if some network needs the stable address.
        scanRandMacAddress = false;
      };
    };
    # Interfaces are managed by NetworkManager, not by the static DHCP option.
    useDHCP = false;
    interfaces = { };
    firewall = {
      # 51820 is used by wireguard
      allowedUDPPorts = [ 51820 ];
      # 1714 - 1764 is used by kdeconnect
      allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
      allowedUDPPortRanges = [{ from = 1714; to = 1764; }];
      # if packets are still dropped, they will show up in dmesg
      logReversePathDrops = true;
      # NOTE(review): rpcbind and the NFS server are enabled further down but
      # no NFS/rpcbind ports are opened here, so exports are reachable only
      # where this firewall does not apply (e.g. trusted interfaces) — confirm
      # that is the intent.
      # # wireguard trips rpfilter up
      # extraCommands = ''
      #   ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
      #   ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
      # '';
      # extraStopCommands = ''
      #   ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
      #   ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
      # '';
    };
  };

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  services.dbus.enable = true;
  # System-wide Tor daemon (client/relay role is not configured in this file).
  services.tor.enable = true;
  services.udev = { packages = [ pkgs.android-udev-rules ]; };
  # mDNS advertisement of this host on the local link.
  services.avahi.enable = true;
  # NOTE(review): both are needed for NFS exports; see the firewall comment
  # above regarding reachability. Exports themselves are not defined here.
  services.rpcbind.enable = true;
  services.nfs.server.enable = true;

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    jack.enable = true;
  };

  # PAM stacks. The two screen lockers delegate to the `login` and
  # `system-auth` stacks respectively, so whatever those stacks permit also
  # applies to unlocking the screen.
  security.pam.services = {
    swaylock.text = ''
      auth include login
    '';
    waylock.text = ''
      auth include system-auth
    '';
    login = {
      # NOTE(review): allowNullPassword lets an account whose password field
      # is empty authenticate without a prompt; because swaylock includes this
      # stack, that also covers screen unlock. Confirm no such account exists.
      allowNullPassword = true;
      setEnvironment = true;
      setLoginUid = true;
      startSession = true;
      unixAuth = true;
      updateWtmp = true;
      # Unlock keyring on login.
      enableGnomeKeyring = true;
    };
    system-auth = {
      # NOTE(review): same null-password allowance as `login`; waylock
      # includes this stack.
      allowNullPassword = true;
      setEnvironment = true;
      setLoginUid = true;
      startSession = true;
      unixAuth = true;
      updateWtmp = true;
      # Unlock keyring on login.
      enableGnomeKeyring = true;
    };
  };

  security.polkit.enable = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # environment.systemPackages = with pkgs; [
  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #   wget
  #   firefox
  # ];
  # flashrom and dmidecode need raw hardware access; they are only useful
  # to root here, membership in the groups below does not grant it.
  environment.systemPackages = with pkgs; [
    dmidecode
    flashrom
    mbuffer
  ];

  # Enable touchpad support (enabled default in most desktopManager).

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # NOTE(review): `wheel`, `docker`, `libvirtd` and `vboxusers` each give the
  # account a root-equivalent path on this host; that is a deliberate
  # single-user-workstation trade-off, not something to copy to a shared
  # machine. No password hash is declared here and /etc/shadow is not in the
  # persistence lists below — verify how the password survives reboots.
  users = {
    groups = {
      # Used by the DFU udev rule below.
      plugdev = { };
    };
    users = {
      rilla = {
        shell = pkgs.zsh;
        extraGroups = [
          "wheel"
          "docker"
          "libvirtd"
          "dialout"
          "plugdev"
          "adbusers"
          "video"
          "vboxusers"
        ];
        # Subordinate id ranges for rootless containers (podman below).
        subUidRanges = [{ startUid = 100000; count = 65536; }];
        subGidRanges = [{ startGid = 100000; count = 65536; }];
      };
    };
  };

  programs.mosh.enable = true;
  programs.zsh.enable = true;
  programs.slock.enable = true;
  # Lets non-root FUSE mounts be visible to other users (allow_other).
  programs.fuse.userAllowOther = true;
  programs.nix-ld.enable = true;
  # Smart-card daemon (e.g. for hardware tokens).
  services.pcscd.enable = true;

  virtualisation = {
    docker.enable = true;
    podman = {
      enable = true;
      defaultNetwork.settings.dns_enabled = true;
    };
    libvirtd = {
      enable = true;
      # Bridges that unprivileged libvirt users may attach guests to.
      allowedBridges = [ "virbr0" "virbr1" "virbr2" ];
    };
    spiceUSBRedirection.enable = true;
    virtualbox.host.enable = true;
  };
  services.spice-vdagentd.enable = true;

  programs.dconf.enable = true;

  # Extra udev rules, rendered into a rules file at build time.
  # NOTE(review): the Teensy rules use MODE:="0666" (device node writable by
  # every local user) while the STM32 DFU rule uses GROUP="plugdev" with
  # MODE="664"; the plugdev group already exists above, so the Teensy rules
  # could use the same group-based model if a tighter policy is wanted.
  # NOTE(review): the two `RUN+=` lines at the end carry no match keys of
  # their own; as written udev would apply them to every event rather than
  # only to the acpi_video0 add — confirm whether they were meant to be
  # part of the preceding backlight rule.
  services.udev.extraRules = ''
    # UDEV rules for Teensy USB devices
    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"
    # acpi brightness rulres
    ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="acpi_video0", GROUP="video", MODE="0664"
    RUN+="${pkgs.coreutils-full}/bin/chgrp video /sys/class/backlight/intel_backlight/brightness"
    RUN+="${pkgs.coreutils-full}/bin/chmod g+w /sys/class/backlight/intel_backlight/brightness"
  '';

  hardware.opengl.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;

  # Impermanence layout: everything not listed here lives on the ephemeral
  # root and is lost at reboot.
  # NOTE(review): several entries hold long-lived secrets (SSH host key,
  # /etc/wireguard, .gnupg, .password-store, .electrum, .bitmonero,
  # keyrings, /etc/luks-keys, the btrbk key, systemd coredumps). Whether the
  # backing volumes are themselves encrypted and how their permissions are
  # set is not visible in this file — check that alongside this list.
  environment.persistence = {
    "/mnt/persist" = {
      directories = [
        "/etc/NetworkManager/system-connections"
        "/etc/nixos"
        "/etc/wireguard"
        "/var/lib/bluetooth"
        "/var/lib/docker"
        "/var/lib/libvirt"
        # Coredumps can contain process memory, including secrets.
        "/var/lib/systemd/coredump"
        "/home/rilla/.Slic3r"
        "/home/rilla/.abook"
        "/home/rilla/.bitmonero"
        "/home/rilla/.config/Element"
        "/home/rilla/.config/Nextcloud"
        "/home/rilla/.config/Signal"
        "/home/rilla/.config/Slack"
        "/home/rilla/.config/SuperCollider"
        "/home/rilla/.config/VirtualBox"
        "/home/rilla/.config/ardour6"
        "/home/rilla/.config/chromium"
        "/home/rilla/.config/kdeconnect"
        "/home/rilla/.config/kicad"
        "/home/rilla/.config/nvim/plugin"
        "/home/rilla/.config/syncthing"
        "/home/rilla/.config/tea"
        "/home/rilla/.config/whatsapp-for-linux"
        "/home/rilla/.electrum"
        "/home/rilla/.gnupg"
        "/home/rilla/.hydrogen"
        "/home/rilla/.john"
        "/home/rilla/.kube"
        "/home/rilla/.librewolf"
        "/home/rilla/.local/share/Bisq"
        "/home/rilla/.local/share/Nextcloud"
        "/home/rilla/.local/share/Steam"
        "/home/rilla/.local/share/SuperCollider"
        "/home/rilla/.local/share/TelegramDesktop"
        "/home/rilla/.local/share/containers"
        "/home/rilla/.local/share/dino"
        "/home/rilla/.local/share/direnv"
        "/home/rilla/.local/share/gopass/stores"
        "/home/rilla/.local/share/keyrings"
        "/home/rilla/.local/share/mpd"
        "/home/rilla/.local/share/nvim"
        "/home/rilla/.local/share/tor-browser"
        "/home/rilla/.local/share/webkitgtk"
        "/home/rilla/.local/state/wireplumber"
        "/home/rilla/.local/state/zsh"
        "/home/rilla/.mozilla"
        "/home/rilla/.newsboat"
        "/home/rilla/.password-store"
        "/home/rilla/.platformio"
        "/home/rilla/.vagrant.d"
        "/home/rilla/.vdirsyncer"
        "/home/rilla/.virtualenvs"
        "/home/rilla/.wine"
        "/home/rilla/Nextcloud"
        "/home/rilla/VirtualBox VMs"
        "/home/rilla/configs"
        # "/home/rilla/.cache"
      ];
      files = [
        "/etc/machine-id"
        # Host identity: the private key persists here; the CA-signed cert
        # and user CA public key are persisted alongside it.
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_ed25519_key-cert.pub"
        "/etc/ssh/user_ca.pub"
        "/home/rilla/.lmmsrc.xml"
        "/home/rilla/.mailsynclastrun"
        "/home/rilla/.ssh/known_hosts"
      ];
    };
    "/mnt/data" = {
      directories = [
        # LUKS key material on the data volume; see the note above.
        "/etc/luks-keys"
        "/home/rilla/Audio"
        "/home/rilla/Calendars"
        "/home/rilla/Contacts"
        "/home/rilla/Documents"
        "/home/rilla/Downloads"
        "/home/rilla/Images"
        "/home/rilla/Maildir"
        "/home/rilla/Monero"
        "/home/rilla/code"
        "/home/rilla/misc"
        "/home/rilla/workspace"
      ];
      files = [
        # Backup (btrbk) SSH identity and its certificate.
        "/etc/btrbk/id_ed25519"
        "/etc/btrbk/id_ed25519.pub"
        "/etc/btrbk/id_ed25519-cert.pub"
      ];
    };
    "/mnt/logs" = {
      directories = [ "/var/log" ];
    };
    "/mnt/vfs_share" = {
      directories = [ "/home/rilla/vfs_share" ];
    };
  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
}