Simon Bruder
34c801c7e9
On virtual machines it does not make much sense to have it activated (also the service fails to start).
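{ config, lib, pkgs, ... }:

let
  # Taken from https://nixos.wiki/wiki/Overlays
  #
  # A small overlay file that is exposed through the `nixpkgs-overlays`
  # NIX_PATH entry below, so that nix tools evaluating nixpkgs via NIX_PATH
  # apply the same `nixpkgs.overlays` as the system configuration.
  overlaysCompat = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = ''
      self: super:
      with super.lib;
      let
        # Load the system config and get the `nixpkgs.overlays` option
        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
      in
      # Apply all overlays to the input of the current "main" overlay
      foldl' (flip extends) (_: super) overlays self
    '';
  };
in
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure will
        be smaller, but some features will not be available.
      '';
      default = true;
    };

    gui.enable = lib.mkEnableOption "gui";
    games.enable = lib.mkEnableOption "games";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./libvirt.nix
    ./locales.nix
    ./media-proxy.nix
    ./network-manager.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pulseaudio.nix
    ./restic.nix
    ./secrets.nix
    ./ssh.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
  ];

  config = {
    # Essential system tools
    environment.systemPackages = with pkgs; [
      git
      git-crypt # used to store secrets in configuration
      git-lfs # not so essential, but required to clone config
      htop
      tmux
      vim
    ];

    # Clean temporary files on boot
    boot.cleanTmpDir = true;

    # Set zsh as default shell
    programs.zsh.enable = true;
    users.defaultUserShell = pkgs.zsh;

    # command-not-found does not work without channels
    programs.command-not-found.enable = false;

    # Sane swapping: prefer dropping page cache over swapping out process
    # memory (kernel default is 60). The key must be spelled "vm.swappiness"
    # (two p's); a misspelled sysctl key is unknown to the kernel and the
    # setting silently has no effect.
    boot.kernel.sysctl."vm.swappiness" = 10;

    # Store logs persistently (journald keeps them in /run, i.e. only until
    # reboot, unless Storage is set to persistent)
    services.journald.extraConfig = "Storage = persistent";

    # Hard drive monitoring. mkDefault so that hosts without real disks
    # (virtual machines) can turn it off without lib.mkForce.
    services.smartd.enable = lib.mkDefault true;
    # Network monitoring
    services.vnstat.enable = true;

    # Authentication/Encryption agents
    programs.gnupg.agent.enable = true;
    programs.ssh.startAgent = true;

    # When this is set to true (default), routing everything through a
    # wireguard tunnel does not work. "loose" keeps reverse-path filtering
    # in loose mode (packets are only dropped if their source is unreachable
    # via *any* interface) instead of disabling it altogether.
    networking.firewall.checkReversePath = "loose";

    nix = {
      nixPath = [
        "/var/src" # pinned nixpkgs and configuration
        "nixpkgs=/var/src/nixpkgs" # for nix run
        "nixpkgs-overlays=${overlaysCompat}"
      ];
      # Make sudoers trusted nix users. Trusted users may override daemon
      # settings such as substituters/binary caches and the sandbox, which is
      # effectively root-equivalent; acceptable here only because members of
      # wheel already have sudo.
      trustedUsers = [ "@wheel" ];

      # On-the-fly optimisation of nix store
      autoOptimiseStore = true;
      # Keep output of derivations with gc root (and the derivations
      # themselves) so build-time dependencies survive garbage collection
      extraOptions = ''
        keep-outputs = true
        keep-derivations = true
      '';

      # Make nix build in background less noticeable
      daemonIONiceLevel = 5; # 0-7
    };
    systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = "batch";

    nixpkgs.config = {
      # Add unstable channel as `pkgs.unstable`, evaluated with the same
      # nixpkgs config and overlays as the pinned package set
      packageOverrides = pkgs: {
        unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
          config = config.nixpkgs.config;
          overlays = config.nixpkgs.overlays;
        };
      };
    };

    nixpkgs.overlays = [
      (import ../pkgs)
    ];

    # Globally set Let’s Encrypt requirements
    security.acme = {
      acceptTerms = true;
      email = "security@sbruder.de";
    };
  };
}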