flake/hosts/dust/default.nix

293 lines
6.9 KiB
Nix
Raw Normal View History

2024-07-23 16:14:27 +00:00
{
lib,
2024-08-27 21:44:22 +00:00
config,
2024-07-23 16:14:27 +00:00
pkgs,
2024-08-27 21:44:22 +00:00
inputs,
2024-07-23 16:14:27 +00:00
...
}:
{
2024-09-07 06:49:47 +00:00
imports =
[
2024-09-22 08:31:23 +00:00
../../nixos/profiles/restic
2024-09-07 06:49:47 +00:00
../../nixos/profiles/sing-box
2024-07-23 16:14:27 +00:00
2024-09-07 06:49:47 +00:00
./anti-feature.nix
./disko.nix
./hardware-configuration.nix
./lanzaboote.nix
./preservation.nix
]
++ (with inputs; [
disko.nixosModules.disko
home-manager.nixosModules.home-manager
lanzaboote.nixosModules.lanzaboote
preservation.nixosModules.preservation
]);
2024-07-23 16:14:27 +00:00
2024-09-30 16:26:30 +00:00
sops.secrets = lib.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) (
lib.listToAttrs (
lib.map (x: lib.nameValuePair "wireless/${x}" { path = "/var/lib/iwd/${x}.psk"; }) [
"Galaxy S24 EC54"
"ImmortalWrt"
"XYC-SEEWO"
"wangxiaobo"
]
)
// {
"hashed-passwd" = {
neededForUsers = true;
};
"nix-access-tokens" = {
owner = "guanranwang";
mode = "0440";
};
}
);
2024-09-30 16:15:02 +00:00
networking = {
useNetworkd = true;
useDHCP = false;
};
systemd.network.networks = {
"10-wlan0" = {
name = "wlan0";
DHCP = "yes";
dhcpV4Config.RouteMetric = 2048;
dhcpV6Config.RouteMetric = 2048;
};
"11-eth" = {
matchConfig = {
Kind = "!*";
Type = "ether";
};
DHCP = "yes";
};
};
2024-10-20 06:45:52 +00:00
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_testing;
2024-09-30 16:15:02 +00:00
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
2024-07-23 16:14:27 +00:00
networking.hostName = "dust";
time.timeZone = "Asia/Shanghai";
2024-08-12 07:25:36 +00:00
system.stateVersion = "24.05";
2024-07-23 16:14:27 +00:00
2024-08-30 18:35:42 +00:00
# TODO: move to 'core' profile
services.userborn.enable = true;
2024-10-20 06:45:52 +00:00
system.etc.overlay.enable = true;
system.etc.overlay.mutable = false;
# HACK: for impermanence
environment.etc =
lib.genAttrs
[
"ssh/ssh_host_rsa_key"
"ssh/ssh_host_rsa_key.pub"
"ssh/ssh_host_ed25519_key"
"ssh/ssh_host_ed25519_key.pub"
"secureboot/placeholder"
]
(_n: {
source = pkgs.emptyFile;
mode = "0644";
});
2024-08-30 18:35:42 +00:00
2024-09-30 16:15:02 +00:00
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
extraGroups = [ "wheel" ];
2024-08-27 21:44:22 +00:00
};
home-manager = {
users.guanranwang = import ../../home;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs;
};
};
2024-07-23 16:14:27 +00:00
2024-08-19 14:45:14 +00:00
boot.tmp.useTmpfs = true;
2024-09-20 17:38:01 +00:00
environment.systemPackages = with pkgs; [ yubikey-manager ];
2024-07-23 16:14:27 +00:00
2024-09-20 17:38:01 +00:00
networking.firewall = {
allowedTCPPorts = [ 53317 ];
allowedUDPPorts = [ 53317 ];
};
2024-07-23 16:14:27 +00:00
2024-09-20 17:38:01 +00:00
programs = {
adb.enable = true;
dconf.enable = true;
fish.enable = true;
gamemode.enable = true;
localsend.enable = true;
seahorse.enable = true;
steam.enable = true;
ssh = {
startAgent = true;
enableAskPassword = true;
};
2024-07-23 16:14:27 +00:00
};
2024-09-20 17:38:01 +00:00
services = {
power-profiles-daemon.enable = true;
gvfs.enable = true;
gnome = {
gnome-keyring.enable = true;
sushi.enable = true;
};
tailscale = {
enable = true;
openFirewall = true;
};
# yubikey
pcscd.enable = true;
udev.packages = [ pkgs.yubikey-personalization ];
};
2024-07-23 16:14:27 +00:00
fonts = {
enableDefaultPackages = false;
packages = with pkgs; [
2024-09-20 17:38:01 +00:00
(nerdfonts.override { fonts = [ "NerdFontsSymbolsOnly" ]; })
2024-11-22 09:16:04 +00:00
(ibm-plex.override { families = [ "mono" ]; })
2024-07-23 16:14:27 +00:00
(inter.overrideAttrs {
installPhase = ''
runHook preInstall
install -Dm644 -t $out/share/fonts/truetype/ InterVariable*.ttf
runHook postInstall
'';
})
(source-serif.overrideAttrs {
installPhase = ''
runHook preInstall
install -Dm444 VAR/*.otf -t $out/share/fonts/variable
runHook postInstall
'';
})
source-han-sans-vf-otf
source-han-serif-vf-otf
2024-08-15 15:32:56 +00:00
noto-fonts
2024-07-23 16:14:27 +00:00
noto-fonts-color-emoji
];
2024-08-15 15:32:56 +00:00
fontconfig = {
defaultFonts = {
2024-09-20 17:38:01 +00:00
emoji = [ "Noto Color Emoji" ];
2024-08-15 15:32:56 +00:00
# Append emoji font for Qt apps, they might use the monochrome emoji
monospace = [
2024-11-15 13:20:47 +00:00
"IBM Plex Mono"
2024-08-15 15:32:56 +00:00
"Source Han Sans SC VF"
"Symbols Nerd Font"
"Noto Color Emoji"
];
sansSerif = [
"Inter Variable"
"Source Han Sans SC VF"
"Noto Color Emoji"
];
serif = [
"Source Serif 4 Variable"
"Source Han Serif SC VF"
"Noto Color Emoji"
];
};
2024-09-30 15:45:26 +00:00
# GitHub prefers Noto Sans...
2024-10-11 04:01:45 +00:00
# DejaVu Sans from nixpkgs#fontconfig.out
2024-08-15 15:32:56 +00:00
localConf = ''
<selectfont>
<rejectfont>
<pattern>
<patelt name="family">
<string>Noto Sans</string>
</patelt>
</pattern>
2024-10-11 04:01:45 +00:00
</rejectfont>
<rejectfont>
<pattern>
<patelt name="family">
<string>DejaVu Sans</string>
</patelt>
</pattern>
2024-08-15 15:32:56 +00:00
</rejectfont>
</selectfont>
'';
2024-07-23 16:14:27 +00:00
};
};
console = {
earlySetup = true;
keyMap = "dvorak";
};
services.greetd = {
enable = true;
2024-08-01 22:17:30 +00:00
settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd ${pkgs.writeShellScript "sway" ''
2024-08-15 15:33:15 +00:00
dbus-update-activation-environment --all --systemd
2024-08-01 22:17:30 +00:00
exec systemd-cat --identifier=sway sway
''}";
2024-07-23 16:14:27 +00:00
};
security.polkit.enable = true;
systemd.user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
2024-07-23 16:14:27 +00:00
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
security.pam.services.swaylock = { };
2024-07-23 16:14:27 +00:00
xdg.portal = {
enable = true;
wlr.enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
2024-07-23 16:14:27 +00:00
# https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
config."sway" = {
default = "gtk";
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
"org.freedesktop.impl.portal.Screenshot" = "wlr";
"org.freedesktop.impl.portal.Inhibit" = "none";
};
};
2024-08-27 21:02:01 +00:00
services.sing-box.settings = {
outbounds = [
{
type = "selector";
tag = "select";
outbounds = [
"tyo0"
2024-09-21 20:19:03 +00:00
"sin0"
2024-08-27 21:02:01 +00:00
"direct"
];
default = "tyo0";
}
];
route = {
final = "select";
};
experimental = {
2024-09-30 13:33:48 +00:00
clash_api = rec {
2024-08-27 21:02:01 +00:00
external_controller = "127.0.0.1:9090";
external_ui = pkgs.metacubexd;
secret = "hunter2";
2024-10-19 04:54:41 +00:00
# https://www.v2ex.com/t/1076579
2024-09-30 13:33:48 +00:00
access_control_allow_origin = [ "http://${external_controller}" ];
2024-08-27 21:02:01 +00:00
};
};
};
2024-09-22 08:31:23 +00:00
services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
2024-07-23 16:14:27 +00:00
}