# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running 'nixos-help').
{
config,
pkgs,
lib,
...
}: {
# --- Nix daemon settings
nix = {
  settings = {
    # trusted-users may override any nix.conf setting through the daemon
    # (substituters, sandbox, ...), which is effectively root-equivalent.
    # felix is already in "wheel" (see users.users.felix), so this widens nothing.
    trusted-users = ["root" "felix"];
    # Same effect as `experimental-features = nix-command flakes` in nix.conf.
    experimental-features = ["nix-command" "flakes"];
  };
};
# Required for the proprietary packages in environment.systemPackages
# (e.g. discord, slack, spotify).
nixpkgs.config.allowUnfree = true;
imports = [
# Hardware quirks for the ThinkPad P52 from the nixos-hardware repository.
# Resolved through NIX_PATH (<...> lookup), i.e. from whatever channel or
# checkout the host currently has -- not pinned to a revision or hash.
<nixos-hardware/lenovo/thinkpad/p52>
# Include the results of the hardware scan.
/etc/nixos/hardware-configuration.nix
];
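hardware.bluetooth.enable = true;
#hardware.keyboard.zsa.enable = true; # For ZSA Live Training
# udev rule for the ZSA Moonlander bootloader (STM32 DFU, USB 3297:1969) so the
# keyboard can be flashed without root. Access is granted to the logged-in seat
# via the "uaccess" tag and to members of "plugdev" (felix is one; see
# users.users.felix). MODE is 0660, not the previous 0666: a world-writable
# device node would let any local account or sandboxed process drive the
# bootloader, which the two grants above already make unnecessary.
services.udev.packages = [
  (pkgs.writeTextFile {
    name = "moonlander_udev";
    text = ''
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", ATTRS{idProduct}=="1969", MODE="0660", TAG+="uaccess", SYMLINK+="stm32_dfu", GROUP="plugdev"
    '';
    destination = "/etc/udev/rules.d/50-zsa.rules";
  })
];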
# --- ZFS and boot
boot.supportedFilesystems = ["zfs"];
boot.zfs = {
  forceImportRoot = false;
  # Import the "tank" pool at boot as well; it holds /nix (see fileSystems).
  extraPools = ["tank"];
};
# Stay on the default LTS kernel series: the out-of-tree ZFS module lags the
# newest kernels, and a newer series can fail to build.
boot.kernelPackages = pkgs.linuxPackages;
# Periodic scrub and TRIM for the pools.
services.zfs = {
  autoScrub.enable = true;
  trim.enable = true;
};
fileSystems = {
  # /nix on ZFS; it must be mounted from the initrd for the system to come up.
  "/nix" = {
    device = "tank/nix";
    fsType = "zfs";
    neededForBoot = true;
  };
  # EFI system partition. vfat has no ownership, so fmask/dmask 0077 is the
  # only thing keeping kernels, initrds and loader entries readable by root alone.
  "/boot" = {
    device = lib.mkForce "/dev/disk/by-uuid/AC04-D43D";
    fsType = "vfat";
    options = ["fmask=0077" "dmask=0077"];
  };
};
boot.loader = {
  systemd-boot = {
    enable = true;
    # Keep at most 8 generations in the boot menu.
    configurationLimit = 8;
  };
  efi.canTouchEfiVariables = true;
};
# NOTE(review): the NixOS systemd-boot module does not sign kernels or initrds,
# so whatever is written to the ESP boots unauthenticated; if that matters for
# this laptop, lanzaboote is the usual route to Secure Boot on NixOS.
# --- Swap: zswap (compressed in-kernel cache in front of disk swap) plus a
# swap file on the ext4 root. Replaces the earlier zram-only setup: zswap takes
# part in reclaim and writes cold compressed pages out to disk, avoiding zram's
# hard-limit brownouts and LRU inversion.
swapDevices = [
  {
    device = "/swapfile";
    # Size is in megabytes: 16 * 1024.
    size = 16 * 1024;
  }
];
boot.kernelParams = [
  "zswap.enabled=1"
  "zswap.compressor=zstd"
  # zsmalloc is the preferred backing allocator (vs z3fold/zbud).
  "zswap.zpool=zsmalloc"
  "zswap.max_pool_percent=20"
];
boot.kernel.sysctl = {
  # The compressed zswap tier is cheap, so bias reclaim toward anonymous pages.
  "vm.swappiness" = 100;
  # Start background reclaim earlier.
  "vm.watermark_scale_factor" = 200;
  # NVMe plus compression: no swap readahead clustering.
  "vm.page-cluster" = 0;
};
# --- OOM setup
# systemd-oomd kills whole cgroups under sustained memory pressure or swap
# exhaustion before the kernel OOM killer has to act.
systemd.oomd.enable = true;
systemd.oomd.settings.OOM = {
# Trigger on >60% memory pressure sustained for 30s, or swap more than 90% used.
DefaultMemoryPressureLimit = "60%";
DefaultMemoryPressureDurationSec = "30s";
DefaultSwapUsedLimit = "90%";
};
# Ensure user sessions are protected, kill leaf services first
# NOTE(review): ManagedOOMMemoryPressure= / ManagedOOMSwap= are per-unit
# [Slice]/[Service] settings (systemd.resource-control(5)). systemd.user.extraConfig
# is written to the [Manager] section of user.conf, where they do not appear to
# be documented options and would be logged as unknown and ignored -- check the
# user manager's journal. NixOS already applies ManagedOOMMemoryPressure=kill to
# user slices via systemd.oomd.enableUserSlices (default true, if present in
# this release); per-unit overrides belong in systemd.user.slices or a unit's
# serviceConfig.
systemd.user.extraConfig = ''
ManagedOOMMemoryPressure=kill
ManagedOOMSwap=kill
'';
# ---
# --- Dropbox (proprietary client) as a per-user service, started with the
# graphical session and restarted on failure.
systemd.user.services.dropbox = {
  wantedBy = ["graphical-session.target"];
  # Do not start until the filesystem holding the Dropbox folder is mounted.
  unitConfig = {
    RequiresMountsFor = ["/data/Dropbox"];
  };
  # Point the Qt5 client at the system profile's plugin and QML directories.
  environment = {
    QT_PLUGIN_PATH = "/run/current-system/sw/${pkgs.qt5.qtbase.qtPluginPrefix}";
    QML2_IMPORT_PATH = "/run/current-system/sw/${pkgs.qt5.qtbase.qtQmlPrefix}";
  };
  serviceConfig = {
    ExecStart = "${lib.getBin pkgs.dropbox}/bin/dropbox";
    ExecReload = "${lib.getBin pkgs.coreutils}/bin/kill -HUP $MAINPID";
    # On stop, kill every process in the cgroup rather than only the main one.
    KillMode = "control-group";
    Restart = "on-failure";
    RestartSec = "3";
    # Light sandboxing for an unauditable binary: a private /tmp and a
    # read-only view of /usr, /boot and /etc (ProtectSystem=full). In a user
    # service these depend on unprivileged user namespaces being available.
    PrivateTmp = true;
    ProtectSystem = "full";
    # Lower CPU priority.
    Nice = 10;
  };
};
# Fix for Apple keyboard: the hid_apple fnmode parameter takes
# 0 = disabled, 1 = fkeyslast, 2 = fkeysfirst; 0 is wanted here.
# https://discourse.nixos.org/t/setting-sys-module-hid-apple-parameters-fnmode-to-0-at-boot/15570/4
boot.extraModprobeConfig = ''
options hid_apple fnmode=0
'';
# --- Networking
networking = {
  # Required by ZFS: an 8-hex-digit host identifier checked on pool import.
  hostId = "baddcafe";
  hostName = "felix-nixos";
  # The global useDHCP flag is deprecated; addressing is handled per interface
  # (presumably by NetworkManager, which the GNOME desktop module enables).
  useDHCP = false;
  # Quad9 resolvers (https://quad9.net/). This is plain DNS on port 53 unless
  # DNS-over-TLS is configured elsewhere (e.g. via services.resolved).
  nameservers = ["9.9.9.9" "149.112.112.112"];
  # networkmanager.unmanaged = [ "*" "except:type:wwan" "except:type:gsm"];
  # Network proxy, if ever needed:
  # proxy.default = "http://user:password@proxy:port/";
  # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
};
time.timeZone = "Europe/Stockholm";
# --- Locale: English interface, Swedish regional formats.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = lib.genAttrs [
  "LC_ADDRESS"
  "LC_IDENTIFICATION"
  "LC_MEASUREMENT"
  "LC_MONETARY"
  "LC_NAME"
  "LC_NUMERIC"
  "LC_PAPER"
  "LC_TELEPHONE"
  "LC_TIME"
] (_: "sv_SE.UTF-8");
# console = {
#   font = "Lat2-Terminus16";
#   keyMap = "us";
# };
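# --- Desktop: X11 + GNOME on GDM
services.xserver.enable = true;
services.displayManager.gdm.enable = true;
services.desktopManager.gnome.enable = true;
# Use seahorse's GUI prompt for SSH passphrases (overrides the GNOME default).
programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
# Swap Caps Lock and Ctrl. Only the current option name is set: the file used
# to also set the deprecated alias services.xserver.xkbOptions, which the rename
# module folds into this same option, so the value was defined twice (and a
# deprecation warning emitted on every build).
# GNOME keeps its own copy of the xkb options in dconf; to pick this up, run
# the following and reboot
# (https://discourse.nixos.org/t/setting-caps-lock-as-ctrl-not-working/11952/3):
#   gsettings reset org.gnome.desktop.input-sources xkb-options
#   gsettings reset org.gnome.desktop.input-sources sources
services.xserver.xkb.options = "ctrl:swapcaps";
# Apply the same keymap to the virtual console.
console.useXkbConfig = true;
# services.xserver.xkb.layout = "us";
# services.printing.enable = true;
# sound.enable = true;
# Touchpad support (enabled by default with most desktop managers).
services.libinput.enable = true;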
# Swap Super and Alt on the built-in laptop keyboard only.
# keyd is a system-wide (root-run) evdev remapper; each entry below is matched
# to a device by vendor:product id, so other keyboards are left untouched.
services.keyd = {
  enable = true;
  keyboards = {
    # Built-in keyboard (id 0001:0001).
    laptop = {
      ids = ["0001:0001"];
      settings.main = {
        leftalt = "layer(meta)";
        leftmeta = "layer(alt)";
      };
    };
    # Mouse 25a7:fa10: the back/forward buttons send Meta+, and Meta+. .
    mouse = {
      ids = ["25a7:fa10"];
      settings.main = {
        mouseback = "M-,";
        mouseforward = "M-.";
      };
    };
  };
};
# services.udev.extraRules = ''
# '';
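# --- Users and groups
# plugdev: unprivileged access to the ZSA bootloader (udev rule above).
# podman-dev: the group allowed to reach the bwrap-podman API socket.
users.groups.plugdev = {};
users.groups.podman-dev = {};
# Primary interactive account. Don't forget to set a password with `passwd`.
# (The login shell used to be set through the deprecated users.extraUsers alias;
# it is folded in here.)
users.users.felix = {
  isNormalUser = true;
  home = "/home/felix";
  # SECURITY INVARIANT: /home/felix stays mode 700. Containers driven through
  # the bwrap-podman socket run as the bwrap-podman user, and this permission
  # bit alone keeps them from volume-mounting felix's files (SSH keys,
  # credentials, ...). 700 is the NixOS default; it is spelled out so that
  # a later change to the invariant shows up in this file.
  homeMode = "700";
  description = "Felix Holmgren";
  shell = pkgs.fish;
  extraGroups = ["wheel" "networkmanager" "plugdev" "podman-dev"];
};
# Dedicated, unprivileged account for sandboxed container operations. Podman
# runs as this user (see systemd.user.services.bwrap-podman), so containers
# cannot access felix's home directory; unix file permissions do the
# enforcement -- no sandbox code needed.
users.users.bwrap-podman = {
  isSystemUser = true;
  group = "podman-dev";
  home = "/var/lib/bwrap-podman";
  createHome = true;
  # Keep this user's systemd instance running without a login so the podman
  # socket unit is always available.
  linger = true;
  # Subordinate id range for rootless podman: 200000-265535, disjoint from
  # felix's 100000-165535 range declared further down, so the two users'
  # containers never share ids.
  subUidRanges = [
    {
      startUid = 200000;
      count = 65536;
    }
  ];
  subGidRanges = [
    {
      startGid = 200000;
      count = 65536;
    }
  ];
};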
# List packages installed in system profile. To search, run:
# $ nix search wget
# Mostly desktop applications. The proprietary ones (e.g. discord, slack,
# spotify) need nixpkgs.config.allowUnfree above. bubblewrap, socat and squid
# are the building blocks of the container/network sandbox that the
# bwrap-podman user below serves.
environment.systemPackages = with pkgs; [
alacritty
bubblewrap # Low-level unprivileged sandboxing (for sandboxing)
gnomeExtensions.appindicator
gnomeExtensions.cronomix
gnomeExtensions.paperwm
discord
exercism
file
firefox
ghostty
gnome-tweaks
gnumake
goldendict-ng
ungoogled-chromium
joplin-desktop
libreoffice
openfortivpn # FortiGate SSL-VPN client; see the DVC VPN certificate below
# planify
# ripcord
#remmina
slack
socat # bidirectional data transfer (for sandboxing)
spotify
squid # HTTP proxy for domain filtering (for sandboxing)
sublime-merge
# tuba
# tutanota-desktop
unixtools.ping
#vlc
wget
# niri environment
# niri
# fuzzel
# waybar
];
# fish is felix's login shell.
programs.fish.enable = true;
# Podman as the container engine (also used rootless by felix directly).
virtualisation.podman = {
enable = true;
dockerCompat = true; # creates 'docker' -> 'podman' symlink
# Exposes the *rootful* podman API under the Docker socket path; per the NixOS
# option, only members of the "podman" group may connect and they gain root
# access. felix is not in that group (see users.users.felix.extraGroups).
dockerSocket.enable = true;
};
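# --- Podman API socket for sandboxed container operations.
# A rootless podman instance runs as bwrap-podman (user service, kept alive
# by linger), so containers started through it cannot read felix's files
# (/home/felix is 700). Running as a user service also gives podman its own
# systemd instance for healthcheck timers -- no D-Bus bridging needed.
#
# Access control is the unix permission chain on the socket path: only
# bwrap-podman and members of podman-dev (felix; see users.users.felix) can
# traverse /run/bwrap-podman and connect. The earlier 0775 directory / 0666
# socket let every local uid connect, which is equivalent to handing them the
# bwrap-podman account (run any image, mount anything that account can read).
# NOTE(review): clients inside a bwrap sandbox must keep podman-dev among
# their supplementary groups for the group bit to apply -- confirm with the
# sandbox launcher.
systemd.tmpfiles.rules = [
  "d /run/bwrap-podman 0750 bwrap-podman podman-dev -"
];
systemd.user.sockets.bwrap-podman = {
  wantedBy = ["sockets.target"];
  # Only instantiate inside bwrap-podman's user manager.
  unitConfig.ConditionUser = "bwrap-podman";
  socketConfig = {
    ListenStream = "/run/bwrap-podman/podman.sock";
    # Ownership defaults to the uid/gid the user manager runs as, i.e.
    # bwrap-podman:podman-dev (its primary group), so 0660 grants exactly the
    # owner and the podman-dev group.
    SocketMode = "0660";
  };
};
systemd.user.services.bwrap-podman = {
  requires = ["bwrap-podman.socket"];
  unitConfig.ConditionUser = "bwrap-podman";
  serviceConfig = {
    Type = "simple";
    # --time=0: never exit on idle; the socket unit owns the lifecycle.
    ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
    Environment = [
      # /run/wrappers/bin supplies the setuid newuidmap/newgidmap that rootless
      # podman needs to set up its user namespaces.
      "PATH=/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
      # Per-user engine settings (environment.etc."bwrap-podman/containers.conf").
      "CONTAINERS_CONF=/etc/bwrap-podman/containers.conf"
    ];
  };
};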
# containers.conf for bwrap-podman, selected through CONTAINERS_CONF in that
# user's podman service: use the cgroupfs cgroup manager for its containers.
environment.etc."bwrap-podman/containers.conf".text = ''
[engine]
cgroup_manager = "cgroupfs"
'';
# System-wide /etc/containers/containers.conf: provide docker-compose from the
# store as the `podman compose` backend and silence the provider warning.
# NOTE(review): the bwrap-podman service points CONTAINERS_CONF at its own
# file above; confirm whether these settings still layer under it or apply
# only to podman run as other users (e.g. felix).
virtualisation.containers.containersConf.settings = {
engine = {
compose_providers = ["${pkgs.docker-compose}/bin/docker-compose"];
compose_warning_logs = false;
};
};
# Rootless podman needs subuid/subgid ranges for user namespaces.
# felix: 100000-165535, disjoint from bwrap-podman's 200000-265535 above.
users.users.felix.subUidRanges = [{ startUid = 100000; count = 65536; }];
users.users.felix.subGidRanges = [{ startGid = 100000; count = 65536; }];
# No extra client-side ssh configuration at present.
programs.ssh.extraConfig = ''
'';
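# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
#   enable = true;
#   enableSSHSupport = true;
# };
# --- Remote access and firewall
# OpenSSH daemon with NixOS defaults: PermitRootLogin=prohibit-password, but
# password authentication stays enabled. Once felix has an authorized key,
# consider services.openssh.settings.PasswordAuthentication = false.
services.openssh.enable = true;
# Firewall on. It was previously disabled outright, which on a laptop that
# also runs sshd (and hosts podman / squid experiments) exposes every
# listening service to whatever network it joins. services.openssh.openFirewall
# defaults to true, so port 22 remains reachable; loopback is never filtered.
# Add further inbound ports here deliberately:
#   networking.firewall.allowedTCPPorts = [ ... ];
#   networking.firewall.allowedUDPPorts = [ ... ];
networking.firewall.enable = true;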
# DVC VPN certificate
# Decoding the DER below: a self-signed root CA (basicConstraints CA:TRUE,
# keyUsage includes keyCertSign), subject "DVC Certificate Authoritiy - G1"
# (the typo is in the certificate itself), valid 2024-06-11 to 2074-06-11.
# security.pki.certificates puts it in the system trust store, so every program
# that uses that store (openfortivpn, curl, ...; Firefox ships its own store)
# will accept any certificate this CA issues for any hostname -- not only the
# VPN gateway. If it is needed for the FortiGate alone, openfortivpn's
# `trusted-cert <sha256>` or `ca-file` setting pins that one server without
# widening system-wide trust.
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgIQFyPb1YwQILpL7T81QR5wNzANBgkqhkiG9w0BAQsFADBZ
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZkdmMtY28x
KDAmBgNVBAMTH0RWQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdGl5IC0gRzEwIBcNMjQw
NjExMDgzOTQ1WhgPMjA3NDA2MTEwODQ5NDVaMFkxFTATBgoJkiaJk/IsZAEZFgVs
b2NhbDEWMBQGCgmSJomT8ixkARkWBmR2Yy1jbzEoMCYGA1UEAxMfRFZDIENlcnRp
ZmljYXRlIEF1dGhvcml0aXkgLSBHMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMXbnUvLQ/NLi+XIMWNK+qaMHf+oKmOnB3F9GbUfQaYiflXUsz42nzf2
csMNzRhi4PpgqGPhsw5trx8YxvC/dlnlhHBv5Lv43l+nmL2FY5HcLImDIjtKO7wZ
NzF/5pidUb0kvIX0onVwP5tGzJaUhfW7yH4ye2yFcMtFMPPPmEPGdLoZljpK3QQA
yunANkd+hi2/HWPYGacx2aQhKsZOvPyDXntXB/xTh4K5Bxv1sBBWeMLiXY6A6xYO
xwajF4rjcNWkXNLlyGufK98/oMCevrDvxdZLKDznif1FjopNpexGli2pAFDBpl+y
eUOTPDbd1oOIq2j+FXOyFGys2Z/Jq8UCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD3wY7I8ItbfULsSUkjIF/bP1WRbMBAG
CSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBdU6Q23FcolHGZy3lD
mE1GhxUpZgc0uQBZMjafsTfFlTYafGdaDGKt4+W33wERcZ/sMA46F4LiJRSs6KAi
CZX5g2Ere7TByROrT0w1KT31NR+JdQf6AGwIz+xwlqKSuBRZa41h+uzTzxD7OEgX
wyQ4YJfBMnQEG8IhiozWWOOUZ5S1iAB9nZY59x3Qw5Uzl/P7NQVLYaCwtwibZ7Ix
q6vnuK1wypvMP2gNhSDuzc3d6HXmV+aHFs5wAyGzK2/CXJzSv9Hs88tfxHMCoHTo
nYhz0ptUQyB/DoAShVwdrfgjPbCP7py/DE34P0HYKJwyQvsO6FXO0WYM+x96JuvW
MACf
-----END CERTIFICATE-----
''
];
# The NixOS release whose defaults for stateful data (file locations, database
# versions, ...) this system was first installed with. Leave it at the release
# of the first install: changing it does not upgrade anything and can break
# stateful services. See `man configuration.nix` or
# https://nixos.org/nixos/options.html before touching it.
system.stateVersion = "21.11"; # Did you read the comment?
}