# NixOS system configuration for a workstation with an ephemeral tmpfs root,
# explicit persistence under /persist, NetworkManager + WireGuard-friendly
# firewall, X11 via startx, PipeWire audio, doas instead of sudo and fully
# declarative (immutable) user accounts.
{ config, pkgs, ... }:

let
  # Both btrfs pools sit on device-mapper targets (presumably LUKS containers
  # opened at boot — the unlock configuration is not part of this file).
  systemDevice = "/dev/mapper/system";
  userDevice = "/dev/mapper/user";

  # A zstd-compressed btrfs subvolume mount on `device`.
  btrfsSubvol = device: subvol: {
    inherit device;
    fsType = "btrfs";
    options = [ "subvol=${subvol}" "compress=zstd" ];
  };
in
{
  ## Nix daemon --------------------------------------------------------------

  nix.package = pkgs.nixUnstable;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  nix.optimise.automatic = true;

  # boot.binfmt.emulatedSystems = [ "aarch64-linux" "qemu-aarch64" ];

  ## Networking --------------------------------------------------------------

  networking.networkmanager.enable = true;
  # NOTE(review): scanning with the hardware MAC makes this machine trackable
  # across the networks it sees; the default (randomised scan MAC) is the
  # privacy-preserving choice and only costs compatibility with rare APs.
  networking.networkmanager.wifi.scanRandMacAddress = false;
  # NetworkManager owns every interface; nothing is configured statically.
  networking.useDHCP = false;
  networking.interfaces = { };

  networking.firewall = {
    # WireGuard listens on UDP 51820.
    allowedUDPPorts = [ 51820 ];
    # KDE Connect uses TCP and UDP 1714-1764.
    allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
    allowedUDPPortRanges = [{ from = 1714; to = 1764; }];
    # Packets rejected by the reverse-path filter are logged (visible in dmesg),
    # which is how the WireGuard problem below was diagnosed.
    logReversePathDrops = true;
    # WireGuard traffic trips the reverse-path filter, so UDP 51820 is made to
    # RETURN early from nixos-fw-rpfilter in both directions.
    # NOTE(review): the exemption is keyed on the port only, not on the peer
    # endpoints, so the rp check no longer applies to *any* UDP/51820 packet.
    extraCommands = ''
      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
    '';
    # `|| true`: the rules may already be gone when the firewall is torn down.
    extraStopCommands = ''
      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
    '';
  };

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  ## Locale and console ------------------------------------------------------

  time.timeZone = "Europe/Madrid";
  i18n.defaultLocale = "en_US.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "us";

  ## Desktop: X11 started manually with startx, no display manager -----------

  services.dbus.enable = true;
  services.xserver = {
    enable = true;
    layout = "us";
    xkbVariant = "altgr-intl";
    xkbOptions = "caps:escape";
    displayManager.startx.enable = true;
    libinput.enable = true;
    # Button remap and acceleration tuning for a CST trackball.
    extraConfig = ''
      Section "InputClass"
        Identifier "trackball"
        MatchProduct "Clearly Superior Technologies. CST Laser Trackball"
        Driver "libinput"
        Option "ButtonMapping" "3 2 1 4 5"
        Option "AccelerationProfile" "0"
        Option "AccelerationScheme" "predictable"
        Option "AccelerationNumerator" "3"
        Option "AccelSpeed" "-0.9"
      EndSection
    '';
  };
  programs.dconf.enable = true;
  hardware.opengl.enable = true;

  ## Audio: PipeWire with ALSA, PulseAudio and JACK front ends --------------

  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  ## Privilege escalation: doas only, sudo removed --------------------------

  security.sudo.enable = false;
  security.doas = {
    enable = true;
    # NOTE(review): members of `wheel` become root with no password prompt and
    # keep their environment. Any code running as a wheel user (an unlocked
    # session, a compromised user process) is therefore root; `noPass = false`
    # would restore the password check as a second factor.
    extraRules = [{
      groups = [ "wheel" ];
      keepEnv = true;
      noPass = true;
    }];
  };

  security.pam.services = {
    # swaylock authenticates through the same PAM stack as console login.
    swaylock.text = ''
      auth include login
    '';
    login = {
      # NOTE(review): lets accounts with an empty password field log in. Every
      # account below has a hash set, so this is inert today, but it widens the
      # surface should a passwordless account ever be created.
      allowNullPassword = true;
      setEnvironment = true;
      setLoginUid = true;
      startSession = true;
      unixAuth = true;
      updateWtmp = true;
      # Unlock the GNOME keyring with the login password.
      enableGnomeKeyring = true;
    };
  };

  ## Users: passwd/shadow are regenerated from this file on every activation --

  users.mutableUsers = false;
  users.groups.plugdev = { };
  # NOTE(review): this file is copied into /nix/store, which is world-readable,
  # so these password hashes are visible to every local user and to anyone
  # with a copy of the store. `passwordFile` pointing at a root-only file under
  # /persist keeps the hashes out of the store.
  users.users.root.initialHashedPassword = "$6$3TVh31LfZQFaZi8T$9.cNxrApCaAetC8wRJXxA5U9n4Hbta3CoggvG0HntTQ6sCRQWIV01EhIjdzJoZZ1kqF2ItWkF8Sqprl5raUKY0";
  users.users.rilla = {
    uid = 1000;
    isNormalUser = true;
    shell = pkgs.zsh;
    # `wheel` is root via doas above; `docker` is root-equivalent on its own
    # (the daemon runs as root and can bind-mount the host filesystem).
    extraGroups = [ "wheel" "docker" "libvirtd" "dialout" "plugdev" "adbusers" "dockervolumes" ];
    # Key lives on an OpenPGP smart card (see the `cardno:` comment and pcscd).
    openssh.authorizedKeys.keys = [ "ssh-rsa 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 cardno:000611073199" ];
    initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
  };

  ## Programs ----------------------------------------------------------------

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  programs.mosh.enable = true;
  programs.zsh.enable = true;
  # Lets non-root FUSE mounts (sshfs and the like) be traversed by other users.
  programs.fuse.userAllowOther = true;

  environment.systemPackages = [ pkgs.dmidecode pkgs.flashrom pkgs.git ];

  ## Services ----------------------------------------------------------------

  services.tor.enable = true;
  services.avahi.enable = true;
  # Smart-card daemon, needed for the card-backed SSH key above.
  services.pcscd.enable = true;
  services.openssh = {
    enable = true;
    # Key-only logins; root keeps a local password but cannot log in over SSH.
    passwordAuthentication = false;
    permitRootLogin = "no";
  };
  services.udev = {
    packages = [ pkgs.android-udev-rules ];
    # Teensy (16c0:04xx) and STM32 DFU (0483:df11) device access.
    # NOTE(review): `MODE:="0666"` makes the Teensy USB and ttyACM nodes
    # world-writable, so any local account can reprogram an attached board.
    # The DFU rule below is scoped to group plugdev instead; the Teensy rules
    # could use the same `MODE="664", GROUP="plugdev"` pattern.
    extraRules = ''
      # UDEV rules for Teensy USB devices
      ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
      ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
      KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
      ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="664", GROUP="plugdev"
    '';
  };

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  hardware.bluetooth.enable = true;
  services.blueman.enable = true;

  virtualisation.docker.enable = true;
  virtualisation.libvirtd.enable = true;

  ## Storage: ephemeral root, persistent state on the dm devices -------------

  fileSystems = {
    # Root is a fresh tmpfs on every boot; anything not listed in
    # environment.persistence below does not survive a reboot.
    "/" = {
      device = "tmpfs";
      fsType = "tmpfs";
      options = [ "defaults" "size=2G" "mode=755" ];
    };
    # Both persist volumes must be mounted in the initrd so the bind mounts
    # below can be set up before stage 2.
    "/persist/system" = btrfsSubvol systemDevice "persist" // { neededForBoot = true; };
    "/persist/user" = btrfsSubvol userDevice "persist" // { neededForBoot = true; };
    "/nix" = btrfsSubvol systemDevice "nix";
    "/boot" = btrfsSubvol systemDevice "boot";
    # No compression on the swap subvolume: a swapfile must not be CoW/compressed.
    "/swap" = {
      device = systemDevice;
      fsType = "btrfs";
      options = [ "subvol=swap" ];
    };
  };
  swapDevices = [{ device = "/swap/swapfile"; }];

  # State bind-mounted from persistent storage onto the tmpfs root.
  environment.persistence = {
    "/persist/system" = {
      # NOTE(review): persisted coredumps can contain secrets from crashed
      # processes; consider whether they need to outlive a reboot.
      directories = [ "/var/log" "/var/lib/bluetooth" "/var/lib/systemd/coredump" "/var/lib/docker" ];
      files = [
        "/etc/machine-id"
        #"/etc/nix/id_rsa"
        # SSH host keys have to survive reboots, otherwise every client sees a
        # changed host identity after each boot.
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];
    };
    "/persist/user" = {
      # Wi-Fi/VPN credentials, this configuration, VM images and (presumably)
      # WireGuard key material — the most sensitive state on the machine, kept
      # on the "user" mapper device rather than "system".
      directories = [ "/etc/NetworkManager/system-connections" "/etc/nixos" "/var/lib/libvirt" "/etc/wireguard" ];
    };
  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Release whose defaults for stateful data (file locations, database
  # versions) this system was first installed with. Leave it at the value of
  # the original install; read the option's documentation before changing it.
  system.stateVersion = "21.05";
}