# SPDX-FileCopyrightText: 2020-2024 Simon Bruder # # SPDX-License-Identifier: AGPL-3.0-or-later { config, lib, options, pkgs, ... }: { # Options that affect multiple modules options.sbruder = { full = lib.mkOption { type = lib.types.bool; description = '' Whether to build the full system. If disabled, the system closure will be smaller, but some features will not be available. ''; default = true; }; trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; }; gui.enable = lib.mkEnableOption "gui"; machine = { isVm = lib.mkOption { type = lib.types.bool; description = "Whether this machine is a virtual machine."; default = false; }; }; }; # All modules are imported but non-essential modules are activated by # configuration options imports = [ ../pkgs/modules.nix ./ausweisapp.nix ./authoritative-dns.nix ./cups.nix ./fancontrol.nix ./flatpak.nix ./fonts.nix ./games.nix ./grub.nix ./gui.nix ./infovhost.nix ./initrd-ssh.nix ./local-mail.nix ./locales.nix ./logitech.nix ./mailserver ./media-mount.nix ./media-proxy.nix ./network-manager.nix ./nginx-interactive-index ./nginx.nix ./nitrokey.nix ./nix.nix ./office.nix ./pipewire.nix ./podman.nix ./prometheus/node_exporter.nix ./prometheus/smartctl_exporter.nix ./pubkeys.nix ./qbittorrent ./restic ./secrets.nix ./ssh.nix ./static-webserver.nix ./syncthing.nix ./tmux.nix ./tools.nix ./udev.nix ./unfree.nix ./wireguard ./wkd ]; config = lib.mkMerge [ { # Essential system tools environment.systemPackages = with pkgs; [ git git-crypt # used to store secrets in configuration git-lfs # not so essential, but required to clone config htop tmux ]; programs.nano.enable = false; programs.vim = { enable = true; defaultEditor = true; }; # Clean temporary files on boot boot.tmp.cleanOnBoot = true; # Set zsh as default shell with reasonable default config for all users programs.zsh = { enable = true; loginShellInit = '' # do not glob # (conflicts with nix flakes) disable -p '#' ''; histSize = 100000; }; users.defaultUserShell = pkgs.zsh; environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc"; # command-not-found does not work without channels programs.command-not-found.enable = false; # Network monitoring services.vnstat.enable = true; environment.etc."vnstat.conf".text = '' UseUTC=1 ''; # Support for exotic file systems boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs"; programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable); # When this is set to true (default), routing everything through a # wireguard tunnel does not work. networking.firewall.checkReversePath = false; # Open ports for quick tests networking.firewall = { allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; }; allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; }; }; # Use nftables by default, # but allow it to be easily disabled on by-machine basis. networking.nftables.enable = lib.mkDefault true; # Globally set Let’s Encrypt requirements security.acme = { acceptTerms = true; defaults = { email = "security@sbruder.de"; }; }; system.activationScripts.diff = '' [ -L /run/current-system ] && ${config.nix.package}/bin/nix \ --experimental-features 'nix-command' \ store \ diff-closures /run/current-system "$systemConfig" ''; # Allow users to set allow_other for fuse mounts programs.fuse.userAllowOther = true; i18n.supportedLocales = (options.i18n.supportedLocales.default) ++ (lib.optionals config.sbruder.full [ "de_DE.UTF-8/UTF-8" ]); services.resolved = { # Set systemd-resolved’s fallback to Quad9 (instead of cloudflare/google) fallbackDns = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ]; # Allow resolving single lable hostnames (e.g., hostnames on the local network) llmnr = "false"; # resolved does not automatically append the search domain (for whatever reason) extraConfig = '' ResolveUnicastSingleLabel=yes Cache=no-negative ''; }; } (lib.mkIf (!config.sbruder.machine.isVm) { # Hard drive monitoring services.smartd.enable = lib.mkDefault true; # Firmware updates (only work on EFI systems, so enable only when using systemd-boot) services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable); }) (lib.mkIf (!config.sbruder.full) { documentation.enable = lib.mkDefault false; }) (lib.mkIf (config.services.resolved.enable) { # With NixOS’s default database order for hosts, # resolving the FQDN with hostname -f always returns “localhost” # when resolved is enabled. # This changes the priority of the files database, # which fixes this. # This workaround was taken from # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381 system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ]; }) ]; }