blob: ab40afc2e925358fe5c09bfa7c681a25f2217c96 (
plain) (
tree)
|
|
{ depot, lib, pkgs, ... }:
config:
let
quasselClient = pkgs.quassel.override {
client = true;
enableDaemon = false;
monolithic = false;
};
# Use a screen lock command that resets the keyboard layout
# before locking, to avoid locking me out when the layout is
# in Russian.
screenLock = pkgs.writeShellScriptBin "tazjin-screen-lock" ''
${pkgs.xorg.setxkbmap}/bin/setxkbmap us
${pkgs.xorg.setxkbmap}/bin/setxkbmap -option caps:super
exec ${pkgs.xsecurelock}/bin/xsecurelock
'';
in
lib.fix (self: {
imports = [
"${depot.third_party.impermanence}/nixos.nix"
"${pkgs.home-manager.src}/nixos"
];
tvl.cache.enable = true;
# Work around strongswan 5.9.4 being incompatible with servers not
# patched against some CVE. I need this for work ..
nixpkgs.overlays = [
depot.third_party.overlays.strongswan-workaround
];
boot = rec {
initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
initrd.kernelModules = [ ];
# Restore /home to the blank snapshot, erasing all ephemeral data.
initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r zpool/ephemeral/home@tazjin-clean
'';
# Install thinkpad modules for TLP
extraModulePackages = [ kernelPackages.acpi_call ];
kernelModules = [ "kvm-amd" "i2c_dev" ];
kernelPackages = pkgs.linuxPackages_latest;
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
zfs.enableUnstable = true;
};
fileSystems = {
"/" = {
device = "tmpfs";
fsType = "tmpfs";
options = [ "defaults" "size=8G" "mode=755" ];
};
"/home" = {
device = "zpool/ephemeral/home";
fsType = "zfs";
};
"/nix" = {
device = "zpool/local/nix";
fsType = "zfs";
};
"/depot" = {
device = "zpool/safe/depot";
fsType = "zfs";
};
"/persist" = {
device = "zpool/safe/persist";
fsType = "zfs";
neededForBoot = true;
};
# SD card
"/mnt" = {
device = "/dev/disk/by-uuid/c602d703-f1b9-4a44-9e45-94dfe24bdaa8";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/BF4F-388B";
fsType = "vfat";
};
};
hardware = {
cpu.amd.updateMicrocode = true;
enableRedistributableFirmware = true;
bluetooth.enable = true;
opengl = {
enable = true;
extraPackages = with pkgs; [
vaapiVdpau
libvdpau-va-gl
];
};
};
networking = {
hostName = "tverskoy";
hostId = "3c91827f";
domain = "tvl.su";
useDHCP = false;
networkmanager.enable = true;
firewall.enable = false;
nameservers = [
"8.8.8.8"
"8.8.4.4"
];
};
fonts = {
fonts = with pkgs; [
corefonts
dejavu_fonts
jetbrains-mono
noto-fonts-cjk
noto-fonts-emoji
];
fontconfig = {
hinting.enable = true;
subpixel.lcdfilter = "light";
defaultFonts = {
monospace = [ "JetBrains Mono" ];
};
};
};
environment.persistence."/persist" = {
directories = [
"/etc/NetworkManager/system-connections"
"/etc/mullvad-vpn"
"/var/cache/mullvad-vpn"
"/var/lib/bluetooth"
"/var/lib/systemd/coredump"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
# from https://github.com/NixOS/nixpkgs/issues/64965
environment.etc."ipsec.secrets".text = ''
include ipsec.d/ipsec.nm-l2tp.secrets
'';
security.rtkit.enable = true;
services = {
pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
redshift.enable = true;
blueman.enable = true;
mullvad-vpn.enable = true;
fwupd.enable = true;
printing.enable = true;
# expose i2c device as /dev/i2c-amdgpu-dm and make it user-accessible
# this is required for sending control commands to the Dasung screen.
udev.extraRules = ''
SUBSYSTEM=="i2c-dev", ACTION=="add", DEVPATH=="/devices/pci0000:00/0000:00:08.1/0000:06:00.0/i2c-5/i2c-dev/i2c-5", SYMLINK+="i2c-amdgpu-dm", TAG+="uaccess"
'';
# Enable power-saving features.
tlp.enable = true;
xserver = {
enable = true;
layout = "us";
xkbOptions = "caps:super";
videoDrivers = [ "amdgpu" ];
libinput.enable = true;
displayManager = {
# Give EXWM permission to control the session.
sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
lightdm.enable = true;
# lightdm.greeters.gtk.clock-format = "%H:%M"; # TODO(tazjin): TZ?
};
windowManager.session = lib.singleton {
name = "exwm";
start = "${depot.users.tazjin.emacs}/bin/tazjins-emacs";
};
};
# Automatically collect garbage from the Nix store.
depot.automatic-gc = {
enable = true;
interval = "1 hour";
diskThreshold = 16; # GiB
maxFreed = 10; # GiB
preserveGenerations = "14d";
};
};
# Set variables to enable EXWM-XIM
environment.sessionVariables = {
XMODIFIERS = "@im=exwm-xim";
GTK_IM_MODULE = "xim";
QT_IM_MODULE = "xim";
CLUTTER_IM_MODULE = "xim";
};
# Automatically detect location to use for redshift
location.provider = "geoclue2";
# Do not restart the display manager automatically
systemd.services.display-manager.restartIfChanged = lib.mkForce false;
# If something needs more than 10s to stop it should probably be
# killed.
systemd.extraConfig = ''
DefaultTimeoutStopSec=10s
'';
time.timeZone = "Africa/Cairo";
nix = {
trustedUsers = [ "tazjin" ];
};
users.users.tazjin = {
isNormalUser = true;
createHome = true;
extraGroups = [ "wheel" "networkmanager" "video" "adbusers" ];
uid = 1000;
shell = pkgs.fish;
initialHashedPassword = "$6$d3FywUNCuZnJ4l.$ZW2ul59MLYon1v1xhC3lTJZfZ91lWW6Tpi13MpME0cJcYZNrsx7ABdgQRn.K05awruG2Y9ARAzURnmiJ31WTS1";
};
programs = {
adb.enable = true;
fish.enable = true;
light.enable = true;
mosh.enable = true;
ssh.startAgent = true;
# Required by impermanence
fuse.userAllowOther = true;
};
environment.systemPackages =
# programs from the depot
(with depot; [
screenLock
tools.nsfv-setup
users.tazjin.emacs
third_party.agenix.cli
]) ++
# programs from nixpkgs
(with pkgs; [
amber
audacity
bat
curl
ddcutil
direnv
dmd
dnsutils
emacsGcc # emacsclient
exa
fd
file
firefox
fractal
gdb
gh
git
gnupg
google-chrome
gtk3 # for gtk-launch
htop
hyperfine
iftop
imagemagick
jq
lieer
man-pages
mosh
msmtp
mullvad-vpn
networkmanagerapplet
nix-prefetch-github
nmap
notmuch
openssh
openssl
paperlike-go
pass
pavucontrol
pinentry
pinentry-emacs
pulseaudio # for pactl
pwgen
quasselClient
rink
ripgrep
rustup
screen
scrot
tig
tokei
tree
unzip
vlc
whois
xsecurelock
zoxide
]);
systemd.user.services.lieer-tazjin = {
description = "Synchronise mail@tazj.in via lieer";
script = "${pkgs.lieer}/bin/gmi sync";
serviceConfig = {
WorkingDirectory = "%h/mail/account.tazjin";
Type = "oneshot";
};
};
systemd.user.timers.lieer-tazjin = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnActiveSec = "1";
OnUnitActiveSec = "180";
};
};
home-manager.useGlobalPkgs = true;
home-manager.users.tazjin = { config, lib, ... }: {
imports = [ "${depot.third_party.impermanence}/home-manager.nix" ];
home.persistence."/persist/tazjin/home" = {
allowOther = true;
directories = [
".cargo"
".config/audacity"
".config/google-chrome"
".config/quassel-irc.org"
".config/spotify"
".config/syncthing"
".elfeed"
".gnupg"
".local/share/Steam"
".local/share/audacity"
".local/share/direnv"
".local/share/fish"
".local/share/keyrings"
".local/share/zoxide"
".mozilla/firefox"
".password-store"
".rustup"
".ssh"
".steam"
".telega"
"go"
"mail"
];
files = [
".notmuch-config"
];
};
home.activation.screenshots = lib.hm.dag.entryAnywhere ''
$DRY_RUN_CMD mkdir -p $HOME/screenshots
'';
programs.git = {
enable = true;
userName = "Vincent Ambo";
userEmail = "mail@tazj.in";
extraConfig = {
pull.rebase = true;
init.defaultBranch = "canon";
};
};
programs.fish = {
enable = true;
interactiveShellInit = ''
${pkgs.zoxide}/bin/zoxide init fish | source
'';
};
services.screen-locker = {
enable = true;
enableDetectSleep = true;
inactiveInterval = 10; # minutes
lockCmd = "${screenLock}/bin/tazjin-screen-lock";
};
services.picom = {
enable = true;
vSync = true;
backend = "glx";
};
# Enable the dunst notification daemon, but force the
# configuration file separately instead of going via the strange
# Nix->dunstrc encoding route.
services.dunst.enable = true;
xdg.configFile."dunst/dunstrc" = {
source = depot.users.tazjin.dotfiles.dunstrc;
onChange = ''
${pkgs.procps}/bin/pkill -u "$USER" ''${VERBOSE+-e} dunst || true
'';
};
systemd.user.startServices = true;
};
services.tailscale.enable = true;
services.zerotierone.enable = true;
services.zerotierone.joinNetworks = [
"35c192ce9bd4c8c7"
];
system.stateVersion = "20.09";
})
|