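{ config, lib, pkgs, ... }:

let
  # Taken from https://nixos.wiki/wiki/Overlays
  # Exposes the system's `nixpkgs.overlays` to tools that only consult
  # NIX_PATH (see the `nixpkgs-overlays=` entry in `nix.nixPath` below).
  # The file evaluates the NixOS configuration found via `<nixpkgs/nixos>`
  # and re-applies its overlays; without that search-path argument the
  # `import` has nothing to load.
  overlaysCompat = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = ''
      self: super: with super.lib; let
        # Load the system config and get the `nixpkgs.overlays` option
        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
      in
        # Apply all overlays to the input of the current "main" overlay
        foldl' (flip extends) (_: super) overlays self
    '';
  };
in
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure will
        be smaller, but some features will not be available.
      '';
      default = true;
    };
    gui.enable = lib.mkEnableOption "gui";
    games.enable = lib.mkEnableOption "games";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./binfmt.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./libvirt.nix
    ./locales.nix
    ./mailserver.nix
    ./media-proxy.nix
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pulseaudio.nix
    ./restic
    ./secrets.nix
    ./ssh.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
  ];

  config = lib.mkMerge [
    {
      # Essential system tools
      environment.systemPackages = with pkgs; [
        git
        git-crypt # used to store secrets in configuration
        git-lfs # not so essential, but required to clone config
        htop
        tmux
        vim
      ];

      # Clean temporary files on boot
      boot.cleanTmpDir = true;

      # Set zsh as default shell
      programs.zsh.enable = true;
      users.defaultUserShell = pkgs.zsh;
      environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";

      # command-not-found does not work without channels
      programs.command-not-found.enable = false;

      # Hard drive monitoring
      services.smartd.enable = lib.mkDefault true;

      # Network monitoring
      services.vnstat.enable = true;

      # Authentication/Encryption agents
      programs.gnupg.agent.enable = true;
      programs.ssh.startAgent = true;

      # When this is set to true (default), routing everything through a
      # wireguard tunnel does not work.
      # NOTE(review): `false` switches reverse-path filtering off completely,
      # so incoming packets with a spoofed source are no longer dropped. The
      # option also accepts "loose", which keeps a relaxed check that is
      # usually enough for full-tunnel setups; worth trying before disabling.
      networking.firewall.checkReversePath = false;

      # Open ports for quick tests
      # NOTE(review): these ranges are not scoped to an interface, so whatever
      # listens on them is reachable from every network the host is on, not
      # just the tunnel or LAN (per-interface rules would go under
      # `networking.firewall.interfaces`).
      networking.firewall = {
        allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
        allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
      };

      nix = {
        nixPath = [
          "/var/src" # pinned nixpkgs and configuration
          "nixpkgs=/var/src/nixpkgs" # for nix run
          "nixpkgs-overlays=${overlaysCompat}"
        ];

        # Make sudoers trusted nix users
        # Trusted users can hand the daemon arbitrary substituters and store
        # paths, which amounts to root access; members of wheel already have
        # sudo, so this widens nothing.
        trustedUsers = [ "@wheel" ];

        # On-the-fly optimisation of nix store
        autoOptimiseStore = true;

        # Keep output of derivations with gc root
        extraOptions = lib.optionalString config.sbruder.full ''
          keep-outputs = true
          keep-derivations = true
        '';

        # Make nix build in background less noticeable
        daemonIONiceLevel = 5; # 0-7
      };
      systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = "batch";

      nixpkgs.overlays = [
        (import ../pkgs)
        (final: prev: {
          # `pkgs.unstable` evaluates the pinned unstable nixpkgs from
          # ../nix/sources.nix with this system's nixpkgs config and overlays
          unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
            config = config.nixpkgs.config;
            overlays = config.nixpkgs.overlays;
          };
        })
      ];

      # Globally set Let’s Encrypt requirements
      security.acme = {
        acceptTerms = true;
        email = "security@sbruder.de";
      };
    }

    (lib.mkIf (!config.sbruder.full) {
      # Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
      # Only generate the default locale plus any explicitly configured
      # extra locales, all as UTF-8, to keep the closure small.
      i18n.supportedLocales = map (locale: locale + "/UTF-8")
        ((lib.singleton config.i18n.defaultLocale)
          ++ (lib.attrValues config.i18n.extraLocaleSettings));

      documentation.enable = lib.mkDefault false;
    })
  ];
}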