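# Settings that most of my hosts can agree on, but
# some of these settings are overridden on a per-host basis.
{ pkgs, lib, config, inputs, ... }:
let
  cfg = config.settings;
  inherit (lib) mkDefault;

  # Non-standard SSH port. It is the only sshd port that is ever opened
  # outside the VPN (see settings.ssh.openOutsideVPN).
  highSSHPort = 38611;
  vpnInterface = config.services.tailscale.interfaceName;
  # The remote-build account is only useful on hosts that run sshd.
  enableHydraMinion = config.services.openssh.enable;
in
{
  imports = [
    ./hdparm.nix
    ./malte.nix
    ./marie.nix
    ./deck.nix
    ./radicale.nix
    ./restic.nix
    ./wakeup.nix
    ./state.nix
  ];

  options.settings = with lib; {
    nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";
    minimalGnome.enable = mkEnableOption "basic gnome stuff";
    ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";
    batteryStuff.enable = mkEnableOption "battery-related things";
    hiDPI.enable = mkEnableOption "High-DPI display";
  };

  config = {
    # Allow joypixels' license and unfree licenses in general
    nixpkgs.config = {
      # TODO: Fix once allowUnfree works for home-manager again
      allowUnfreePredicate = _: true;
      joypixels.acceptLicense = true;
    };

    # Locally packaged software that is not (or not in this form) in nixpkgs
    nixpkgs.overlays = [
      (_: super: {
        "2i-emulator" = super.callPackage ../pkgs/2i-emulator.nix { };
        boilr = super.callPackage ../pkgs/boilr.nix { };
        # Add fonts
        hackNerdLigatures = super.callPackage ../pkgs/hack.nix { };
        darkman = super.callPackage ../pkgs/darkman.nix { };
      })
    ];

    # Pull in the redistributable (binary) firmware blobs
    hardware.enableRedistributableFirmware = true;

    # Certificate authority used for my servers.
    # NOTE: this is added to the system-wide trust store, so every TLS client
    # on the host will trust *anything* signed by this CA, not just my
    # servers. Its private key must be kept as carefully as a root key.
    security.pki.certificates = [ (builtins.readFile ../secrets/ca.crt) ];

    # Label each generation with its tags, the NixOS version and the flake
    # revision, so a generation can be traced back to a commit from the boot
    # menu. dirtyShortRev only exists on newer Nix, hence the hasAttr guard.
    system.nixos.label =
      let
        rev =
          if builtins.hasAttr "dirtyShortRev" inputs.self
          then inputs.self.dirtyShortRev
          else inputs.self.shortRev;
      in
      (builtins.concatStringsSep "-" (builtins.sort (x: y: x < y) config.system.nixos.tags))
      + config.system.nixos.version
      + "-SHA:${rev}";

    # Use some binary caches
    nix.settings = {
      # Signing keys whose store paths the daemon will accept. The cache.home
      # key is trusted here but cache.home is not in `substituters`, so it is
      # presumably only used when passed explicitly (e.g. via --option).
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "cache.home:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      ];
      substituters = [
        "https://cache.nixos.org"
        "https://nixpkgs-wayland.cachix.org"
        "https://hyprland.cachix.org"
      ];
      # NOTE: per the Nix manual, trusted users may override daemon settings
      # (extra substituters, sandbox, ...), which is effectively root on the
      # store. Keep this list to accounts that already have root anyway.
      trusted-users = [
        # Hand the wheel group extra nix daemon rights
        "@wheel"
        # The hydra-minion is trusted as well, since it is the remote builder
      ] ++ lib.optional enableHydraMinion config.users.users.hydra-minion.name;
    };
    nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];

    # Account the hydra overseer (and I) use to push remote builds here.
    # Login is key-only: the keys below are the only credentials it has.
    users.users.hydra-minion = lib.mkIf enableHydraMinion {
      description = "Hydra Minion for remote building";
      isSystemUser = true;
      home = "/home/hydra-minion";
      createHome = true;
      useDefaultShell = true;
      group = config.users.groups.hydra-minion.name;
      openssh.authorizedKeys.keyFiles = [
        ../users/malte/yubikey.pub
        ../secrets/hydra-overseer.pub
      ];
    };
    users.groups.hydra-minion = lib.mkIf enableHydraMinion { };

    # Make sure that I can login over the tailscale infrastructure while
    # increasing security. sshd listens on both ports; which of them is
    # reachable is decided by the firewall rules below, never by openFirewall.
    services.openssh = {
      enable = pkgs.lib.mkDefault true;
      ports = [ 22 highSSHPort ];
      openFirewall = false;
      # With settings.ssh.openOutsideVPN the high port is reachable from the
      # internet. The accounts configured in this file (root, hydra-minion)
      # authenticate with keys only, so do not leave sshd at its NixOS default
      # of also accepting passwords. mkDefault keeps this overridable on a
      # host that genuinely needs password logins.
      settings = {
        PasswordAuthentication = mkDefault false;
        KbdInteractiveAuthentication = mkDefault false;
      };
    };
    networking.firewall.interfaces.${vpnInterface} = {
      # Allow default port over VPN
      allowedTCPPorts = [ 22 highSSHPort ];
    };
    # Add extra high port if requested for those outside the VPN
    networking.firewall.allowedTCPPorts = lib.optional cfg.ssh.openOutsideVPN highSSHPort;
    # Tailscale exit nodes seem to have a problem with strict checking.
    # NOTE: "loose" relaxes the reverse-path (anti-spoofing) filter for all
    # interfaces, not just the VPN one.
    networking.firewall.checkReversePath = "loose";

    # Yubikey-backed root login over SSH (NixOS default PermitRootLogin only
    # allows key-based root logins, passwords are never accepted for root)
    users.users.root.openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];

    # Enable mosh for some SSH superpower
    programs.mosh.enable = pkgs.lib.mkDefault true;

    # Basic packages
    environment.systemPackages = with pkgs; [
      # I might need git for rebuilding this flake on the remote machine
      git
      # Sops is for security
      sops
      # top is lacking pizzazz
      btop
      # An initial `tailscale up` is necessary to get the network going
      tailscale
      # I will need to have access to helix
      helix
      # I much rather use some tools other than the default
      fd
      # For highlighting log files
      tailspin
      # For spacing log files
      spacer
      # DiskUsage improvements
      du-dust
      # R.I.P. grep
      ripgrep
    ];

    # Language and timezone defaults
    time.timeZone = "Europe/Berlin";
    i18n.supportedLocales = [
      "en_US.UTF-8/UTF-8"
      "de_DE.UTF-8/UTF-8"
    ];

    # Use the latest kernel; this is altered on some hosts with zfs
    # requirements. Priority 2000 is weaker than mkDefault (1000), so any
    # per-host definition wins without needing mkForce.
    boot.kernelPackages = pkgs.lib.mkOverride 2000 pkgs.linuxPackages_latest;
    boot.loader.timeout = pkgs.lib.mkDefault 1;
    # This setting is fine, on hosts with x/wayland, I'll want to increase this
    boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;

    # Network configuration with tailscale
    networking.useDHCP = false;
    # Enable tailscale!
    services.tailscale = {
      enable = true;
      interfaceName = "looking-glas";
    };
    networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];

    # Regularly clear the store
    nix.gc = {
      automatic = true;
      dates = lib.mkDefault "weekly";
    };
    # Enable store optimiser
    nix.optimise = {
      automatic = true;
      dates = [ "04:00" ];
    };

    # GNOME
    # Don't forget to import DISPLAY into dbus variables
    programs.dconf.enable = mkDefault cfg.minimalGnome.enable;
    programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;
    services.dbus.packages = lib.optional cfg.minimalGnome.enable pkgs.gcr;
  };
}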