298 lines
7.1 KiB
Nix
298 lines
7.1 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
inputs,
|
|
...
|
|
}:
|
|
{
|
|
imports =
|
|
[
|
|
../../nixos/profiles/restic
|
|
../../nixos/profiles/sing-box
|
|
|
|
./anti-feature.nix
|
|
./disko.nix
|
|
./hardware-configuration.nix
|
|
./lanzaboote.nix
|
|
./preservation.nix
|
|
]
|
|
++ (with inputs; [
|
|
disko.nixosModules.disko
|
|
home-manager.nixosModules.home-manager
|
|
lanzaboote.nixosModules.lanzaboote
|
|
preservation.nixosModules.preservation
|
|
]);
|
|
|
|
sops.secrets = lib.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) (
|
|
lib.listToAttrs (
|
|
lib.map (x: lib.nameValuePair "wireless/${x}" { path = "/var/lib/iwd/${x}.psk"; }) [
|
|
"Galaxy S24 EC54"
|
|
"ImmortalWrt"
|
|
"XYC-SEEWO"
|
|
"wangxiaobo"
|
|
]
|
|
)
|
|
// {
|
|
"hashed-passwd" = {
|
|
neededForUsers = true;
|
|
};
|
|
"nix-access-tokens" = {
|
|
owner = "guanranwang";
|
|
mode = "0440";
|
|
};
|
|
}
|
|
);
|
|
|
|
networking = {
|
|
useNetworkd = true;
|
|
useDHCP = false;
|
|
};
|
|
|
|
systemd.network.networks = {
|
|
"10-wlan0" = {
|
|
name = "wlan0";
|
|
DHCP = "yes";
|
|
dhcpV4Config.RouteMetric = 2048;
|
|
dhcpV6Config.RouteMetric = 2048;
|
|
};
|
|
"11-eth" = {
|
|
matchConfig = {
|
|
Kind = "!*";
|
|
Type = "ether";
|
|
};
|
|
DHCP = "yes";
|
|
};
|
|
};
|
|
|
|
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_testing;
|
|
|
|
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
|
|
|
|
networking.hostName = "dust";
|
|
time.timeZone = "Asia/Shanghai";
|
|
system.stateVersion = "24.05";
|
|
|
|
# TODO: move to 'core' profile
|
|
services.userborn.enable = true;
|
|
system.etc.overlay.enable = true;
|
|
system.etc.overlay.mutable = false;
|
|
# HACK: for impermanence
|
|
environment.etc =
|
|
lib.genAttrs
|
|
[
|
|
"ssh/ssh_host_rsa_key"
|
|
"ssh/ssh_host_rsa_key.pub"
|
|
"ssh/ssh_host_ed25519_key"
|
|
"ssh/ssh_host_ed25519_key.pub"
|
|
"secureboot/placeholder"
|
|
]
|
|
(_n: {
|
|
source = pkgs.emptyFile;
|
|
mode = "0644";
|
|
});
|
|
|
|
users.users."guanranwang" = {
|
|
isNormalUser = true;
|
|
description = "Guanran Wang";
|
|
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
|
|
shell = pkgs.fish;
|
|
extraGroups = [ "wheel" ];
|
|
};
|
|
|
|
home-manager = {
|
|
users.guanranwang = import ../../home;
|
|
useGlobalPkgs = true;
|
|
useUserPackages = true;
|
|
extraSpecialArgs = {
|
|
inherit inputs;
|
|
};
|
|
};
|
|
|
|
boot.tmp.useTmpfs = true;
|
|
|
|
environment.systemPackages = with pkgs; [ yubikey-manager ];
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 53317 ];
|
|
allowedUDPPorts = [ 53317 ];
|
|
};
|
|
|
|
programs = {
|
|
adb.enable = true;
|
|
dconf.enable = true;
|
|
fish.enable = true;
|
|
gamemode.enable = true;
|
|
localsend.enable = true;
|
|
seahorse.enable = true;
|
|
steam.enable = true;
|
|
ssh = {
|
|
startAgent = true;
|
|
enableAskPassword = true;
|
|
};
|
|
};
|
|
|
|
services = {
|
|
power-profiles-daemon.enable = true;
|
|
gvfs.enable = true;
|
|
gnome = {
|
|
gnome-keyring.enable = true;
|
|
sushi.enable = true;
|
|
};
|
|
tailscale = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
};
|
|
|
|
# yubikey
|
|
pcscd.enable = true;
|
|
udev.packages = [ pkgs.yubikey-personalization ];
|
|
};
|
|
|
|
fonts = {
|
|
enableDefaultPackages = false;
|
|
packages = with pkgs; [
|
|
(nerdfonts.override { fonts = [ "NerdFontsSymbolsOnly" ]; })
|
|
(inter.overrideAttrs {
|
|
installPhase = ''
|
|
runHook preInstall
|
|
install -Dm644 -t $out/share/fonts/truetype/ InterVariable*.ttf
|
|
runHook postInstall
|
|
'';
|
|
})
|
|
(ibm-plex.overrideAttrs {
|
|
installPhase = ''
|
|
runHook preInstall
|
|
install -Dm644 IBM-Plex-Mono/IBMPlexMono-*.otf -t $out/share/fonts/opentype
|
|
runHook postInstall
|
|
'';
|
|
})
|
|
(source-serif.overrideAttrs {
|
|
installPhase = ''
|
|
runHook preInstall
|
|
install -Dm444 VAR/*.otf -t $out/share/fonts/variable
|
|
runHook postInstall
|
|
'';
|
|
})
|
|
source-han-sans-vf-otf
|
|
source-han-serif-vf-otf
|
|
noto-fonts
|
|
noto-fonts-color-emoji
|
|
];
|
|
fontconfig = {
|
|
defaultFonts = {
|
|
emoji = [ "Noto Color Emoji" ];
|
|
# Append emoji font for Qt apps, they might use the monochrome emoji
|
|
monospace = [
|
|
"IBM Plex Mono"
|
|
"Source Han Sans SC VF"
|
|
"Symbols Nerd Font"
|
|
"Noto Color Emoji"
|
|
];
|
|
sansSerif = [
|
|
"Inter Variable"
|
|
"Source Han Sans SC VF"
|
|
"Noto Color Emoji"
|
|
];
|
|
serif = [
|
|
"Source Serif 4 Variable"
|
|
"Source Han Serif SC VF"
|
|
"Noto Color Emoji"
|
|
];
|
|
};
|
|
# GitHub prefers Noto Sans...
|
|
# DejaVu Sans from nixpkgs#fontconfig.out
|
|
localConf = ''
|
|
<selectfont>
|
|
<rejectfont>
|
|
<pattern>
|
|
<patelt name="family">
|
|
<string>Noto Sans</string>
|
|
</patelt>
|
|
</pattern>
|
|
</rejectfont>
|
|
<rejectfont>
|
|
<pattern>
|
|
<patelt name="family">
|
|
<string>DejaVu Sans</string>
|
|
</patelt>
|
|
</pattern>
|
|
</rejectfont>
|
|
</selectfont>
|
|
'';
|
|
};
|
|
};
|
|
|
|
console = {
|
|
earlySetup = true;
|
|
keyMap = "dvorak";
|
|
};
|
|
|
|
services.greetd = {
|
|
enable = true;
|
|
settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd ${pkgs.writeShellScript "sway" ''
|
|
dbus-update-activation-environment --all --systemd
|
|
exec systemd-cat --identifier=sway sway
|
|
''}";
|
|
};
|
|
|
|
security.polkit.enable = true;
|
|
systemd.user.services.polkit-gnome-authentication-agent-1 = {
|
|
description = "polkit-gnome-authentication-agent-1";
|
|
wantedBy = [ "graphical-session.target" ];
|
|
wants = [ "graphical-session.target" ];
|
|
after = [ "graphical-session.target" ];
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
|
|
Restart = "on-failure";
|
|
RestartSec = 1;
|
|
TimeoutStopSec = 10;
|
|
};
|
|
};
|
|
|
|
security.pam.services.swaylock = { };
|
|
xdg.portal = {
|
|
enable = true;
|
|
wlr.enable = true;
|
|
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
|
|
# https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
|
|
config."sway" = {
|
|
default = "gtk";
|
|
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
|
|
"org.freedesktop.impl.portal.Screenshot" = "wlr";
|
|
"org.freedesktop.impl.portal.Inhibit" = "none";
|
|
};
|
|
};
|
|
|
|
services.sing-box.settings = {
|
|
outbounds = [
|
|
{
|
|
type = "selector";
|
|
tag = "select";
|
|
outbounds = [
|
|
"tyo0"
|
|
"sin0"
|
|
"direct"
|
|
];
|
|
default = "tyo0";
|
|
}
|
|
];
|
|
|
|
route = {
|
|
final = "select";
|
|
};
|
|
|
|
experimental = {
|
|
clash_api = rec {
|
|
external_controller = "127.0.0.1:9090";
|
|
external_ui = pkgs.metacubexd;
|
|
secret = "hunter2";
|
|
# https://www.v2ex.com/t/1076579
|
|
access_control_allow_origin = [ "http://${external_controller}" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
|
|
}
|