# NixOS host configuration for "lindy".
#
# Layout (from the mounts declared below): the root filesystem is a tmpfs and
# is thrown away on every boot; /nix, /var and /home are ZFS datasets inside
# the LUKS container "cryptssd"; anything that has to survive a reboot and is
# not on one of those datasets is kept under /nix/persist and bind-mounted or
# symlinked into place.  A second encrypted pool ("Zonz") is unlocked from
# crypttab with key files stored in /root.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ./common.nix
    #./kde.nix
    #./95theme.nix
    #./gnome.nix
    #./fdn-vpn.nix
    ./sway.nix
    ./wayfire.nix
  ];

  networking = {
    hostName = "lindy";
    # Required by ZFS; pools are tied to this id.
    hostId = "b8149765";

    # "Use resolver from network" (systemd-resolved is disabled under
    # `services` below).

    # Dev services reachable from outside this host.  NOTE(review): these
    # ports are opened on every interface, not just the LAN/VPN one; if they
    # are only needed locally, prefer
    # `networking.firewall.interfaces.<if>.allowedTCPPorts`.
    firewall = {
      allowedTCPPorts = [
        # 8910 8920 # web dev
        4317 4318 # jaeger container
      ];
      allowedUDPPorts = [
        4010 # scream
      ];
    };

    # Work around an IPv6 peering issue by pinning the address.  This bypasses
    # DNS for that name, so it must be updated by hand if the host moves; TLS
    # certificate validation still applies to connections made to it.
    extraHosts = ''
      109.136.139.78 git.deuxfleurs.fr
    '';
  };

  boot = {
    # ---- driver config ----
    initrd = {
      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
      kernelModules = [ "dm-snapshot" ];

      # System SSD.  The key is asked for interactively in the initrd.
      # `allowDiscards` passes TRIM through to the underlying device; this
      # helps SSD longevity but lets an observer of the raw disk tell which
      # blocks are unused (a documented LUKS trade-off).
      luks.devices = {
        cryptssd = {
          device = "/dev/disk/by-uuid/a5aad0b3-fb8c-4711-80db-d8fdcc832f83";
          allowDiscards = true;
        };
      };
    };
    kernelModules = [ "kvm-intel" "wl" ];
    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];

    # ---- ZFS config ----
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    supportedFilesystems = [ "zfs" ];
    zfs = {
      # Pools live on dm-crypt mappings, so scan /dev/mapper rather than /dev/disk.
      devNodes = "/dev/mapper";
      extraPools = [ "Zonz" ];
    };

    # ---- GRUB on UEFI ----
    loader = {
      grub = {
        enable = true;
        efiSupport = true;
        device = "nodev";
        extraGrubInstallArgs = [ "--bootloader-id=NixOS" ];
      };
      efi = {
        efiSysMountPoint = "/boot/efi";
        canTouchEfiVariables = true;
      };
    };
  };

  # Periodic integrity check of the data pool.
  services.zfs.autoScrub = {
    enable = true;
    pools = [ "Zonz" ];
    interval = "quarterly";
  };

  fileSystems = {
    # Ephemeral root: everything not persisted explicitly is gone after reboot.
    "/" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=6G" "mode=755" ];
    };
    "/var" = {
      device = "lindy/nixos/var";
      fsType = "zfs";
    };
    "/home" = {
      device = "lindy/home";
      fsType = "zfs";
      # Mounted early because the user password hash is read from here (see
      # `users.users.lx.hashedPasswordFile`).
      neededForBoot = true;
    };
    "/nix" = {
      device = "lindy/nixos/nix";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/b9f80731-ac5a-476e-9454-32fef4ebc40f";
      fsType = "ext4";
      options = [ "discard" ];
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/02D0-F1C6";
      fsType = "vfat";
    };
    # /root holds the Borg cache for the backup script and the crypttab key
    # files referenced below; it is persisted via a bind mount.
    "/root" = {
      device = "/nix/persist/root";
      fsType = "none";
      options = [ "bind" ];
    };
    # Persist saved network connections (these may contain Wi-Fi/VPN secrets).
    "/etc/NetworkManager/system-connections" = {
      device = "/nix/persist/etc/NetworkManager/system-connections";
      fsType = "none";
      options = [ "bind" ];
    };
  };

  environment = {
    etc = {
      # Stable machine identity and SSH host keys across reboots of the
      # tmpfs root.  The private keys are symlinks into /nix/persist; keep
      # that directory root-only.
      "machine-id".source = "/nix/persist/etc/machine-id";
      "ssh/ssh_host_rsa_key".source = "/nix/persist/etc/ssh/ssh_host_rsa_key";
      "ssh/ssh_host_rsa_key.pub".source = "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
      "ssh/ssh_host_ed25519_key".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key";
      "ssh/ssh_host_ed25519_key.pub".source = "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";

      # ---- zonz (encrypted zfs) ----
      # Unlocks the two members of the Zonz pool after the system SSD is up.
      # The key files live inside the already-encrypted root dataset; they
      # should be owned by root with mode 0400, since anyone who can read
      # them can open the pool.
      crypttab = {
        enable = true;
        text = ''
          Kogami UUID=61534c91-df18-4c71-9244-54e677f5d4fa /nix/persist/root/kogami_key
          Komaru UUID=caf8496f-006b-4762-bb20-506d4c7bdb51 /nix/persist/root/komaru_key
        '';
      };
    };

    systemPackages = [
      pkgs.zfs
      pkgs.docker-compose
      pkgs.pinentry.gnome3
    ];
  };

  # ---- immutable user config ----
  users = {
    # Accounts are fully declarative; passwd/useradd changes do not persist.
    mutableUsers = false;
    users.lx = {
      uid = 1000;
      # NOTE(review): the hash lives in the user's own home directory, so any
      # process running as lx can read it (offline cracking) and, if lx owns
      # the file, rewrite it.  A root-owned 0600 file under /nix/persist/etc
      # would be the stricter placement.
      hashedPasswordFile = "/home/lx/.password";
      # NOTE(review): membership in "docker" is equivalent to root on this
      # host (the daemon runs as root and will bind-mount anything on request).
      extraGroups = [ "docker" "vboxusers" ];
    };
  };

  # Compressed swap in RAM.
  zramSwap.enable = true;

  # Local backup (borg to Zonz).  The script runs as root from the data pool:
  # it must be owned by root and not writable by lx, otherwise editing it
  # grants root at 20:00.
  services.cron = {
    enable = true;
    systemCronJobs = [ "0 20 * * * root /media/Zonz/lindy/do-backup.sh" ];
  };

  # Remote backup (restic to infracoll).
  services.restic.backups."infracoll" = {
    # NOTE(review): plain-HTTP S3 endpoint.  Repository contents are encrypted
    # by restic before upload, but the S3 access key id and request metadata
    # travel in clear and requests can be altered in flight; switch to https
    # if the Garage endpoint offers it.
    repository = "s3:http://garage.isomorphis.me:3900/restic-lx";
    environmentFile = "/nix/persist/etc/secrets/restic/infracoll/credentials";
    passwordFile = "/nix/persist/etc/secrets/restic/infracoll/password";
    # /nix/persist includes the host SSH keys and these restic secrets
    # themselves, so the repository password protects them as well.
    paths = [
      "/nix/persist"
      "/home/lx"
      "/media/Zonz/Private"
      "/media/Zonz/Stuff"
    ];
    exclude = [
      "/home/lx/.cache"
      "/home/lx/.cargo"
      "/home/lx/.local/share/Steam"
      "/home/lx/Deuxfleurs/garage/tmp"
    ];
    timerConfig = {
      OnCalendar = "21:30";
      Persistent = true;
    };
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
  };

  # ---- graphics variants selectable from the boot menu ----
  specialisation = {
    # Proprietary NVIDIA driver on the host.
    nvidia.configuration = {
      boot.kernelParams = [ "i915.modeset=0" ];
      hardware.nvidia.modesetting.enable = true;
      services.xserver.videoDrivers = [ "nvidia" ];
    };
    # Host on the Intel iGPU, discrete GPU reserved for VFIO passthrough.
    intelVfio.configuration = {
      boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
      boot.kernelParams = [
        "intel_iommu=on"
        "iommu=pt"
        "vfio-pci.ids=10de:17c2,10de:0fb0,8086:0c01"
      ];
      boot.initrd.availableKernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
      services.xserver.videoDrivers = [ "modesetting" ];
      # Shared-memory framebuffer for Looking Glass, readable/writable by lx
      # and the kvm group only.
      systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 lx kvm -" ];
      environment.systemPackages = [ pkgs.looking-glass-client ];
    };
  };

  hardware = {
    opengl.enable = true;
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };

  # Docker, VirtualBox
  virtualisation = {
    docker.enable = true;
    virtualbox.host.enable = true;
  };

  # Use the resolver handed out by the network instead of systemd-resolved.
  services.resolved.enable = false;

  # GnuPG agent at system level; a per-user agent conflicted with Arch programs.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = false;
    pinentryFlavor = "gnome3";
  };

  nix.gc.automatic = false;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}