nixos/hosts/helix-texta.nix

# NixOS host configuration for "helix-texta" (see networking.hostName):
# a Sway/Wayland desktop with YubiKey + fingerprint login, PipeWire audio,
# podman with a docker-compatible socket, and sops-nix managed secrets.
#
# NOTE(review): the forge flagged "ambiguous Unicode characters" in this
# file; none are visible in the rendered text. Check the raw bytes before
# trusting any path or string literal here — verify.
{ config, pkgs, lib, ... }:
let
  # Hand-written PAM stack for the `login` service. It is wired in below via
  # security.pam.services.login.text, which (as far as I can tell) replaces
  # the module-generated stack entirely.
  #
  # Every `auth sufficient` line is a stand-alone factor: a YubiKey
  # challenge-response, a fingerprint, or the Unix password each end the auth
  # stack with success on their own, so this is "any one of three", not
  # multi-factor. `pam_deny.so` only fires when all three fail.
  #
  # NOTE(review): `nullok` makes pam_unix accept an account whose password
  # field is empty. With `mutableUsers = false` below only the accounts
  # declared in this file get a hash; confirm that every other account (root
  # included) ends up locked rather than empty before relying on that.
  # `try_first_pass` reuses a password already typed for an earlier module.
  # The `password` line (also `nullok`) governs password changes, not login.
  pamLogin = ''
    # Account management.
    account required pam_unix.so
    # Authentication management.
    auth sufficient ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=challenge-response
    auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
    auth sufficient pam_unix.so nullok likeauth try_first_pass
    auth required pam_deny.so
    # Password management.
    password sufficient pam_unix.so nullok sha512
    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
    session required pam_loginuid.so
    session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent
    session optional ${pkgs.systemd}/lib/security/pam_systemd.so
  '';
in {
  boot = {
    # Use the systemd-boot EFI boot loader.
    loader = {
      systemd-boot.enable = true;
      # Lets the installer/rebuild write EFI boot entries (needs a writable
      # efivarfs at activation time).
      efi.canTouchEfiVariables = true;
    };
  };
  networking = {
    hostName = "helix-texta";
    # nm ftw
    networkmanager = {
      enable = true;
      # VPNC plugin for NetworkManager (Cisco-style IPsec VPNs).
      packages = with pkgs; [ networkmanager-vpnc ];
    };
  };
  # sshfs as a mountable filesystem type (fstab / mount -t sshfs).
  system.fsPackages = [ pkgs.sshfs ];
  # Pipewire for my wayland
  # Legacy ALSA/PulseAudio stack off; PipeWire provides the ALSA, Pulse and
  # JACK interfaces below. rtkit grants PipeWire realtime scheduling.
  sound.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
    config.pipewire-pulse."stream.properties" = {
      "channelmix.upmix" = true;
      "channelmix.lfe-cutoff" = 150;
    };
    config.pipewire = { "default.clock.allowed-rates" = [ 48000 44100 ]; };
    # Per-device tweak for the Focusrite Scarlett Solo (matched by its exact
    # ALSA node name, which embeds the unit's serial number).
    media-session.config.alsa-monitor = {
      rules = [{
        matches = [{
          "node.name" =
            "alsa_output.usb-Focusrite_Scarlett_Solo_USB_Y7ENM550A6399B-00.pro-output-0";
        }];
        actions = {
          update-props = {
            #"audio.rate" = 96000;
            "api.alsa.headroom" = 1024;
          };
        };
      }];
    };
  };
  # Desktop portals for sandboxed apps under Sway: wlr for screen sharing,
  # gtk for file choosers and the like.
  # NOTE(review): `gtkUsePortal` has been deprecated/removed in newer NixOS
  # releases — confirm it is still accepted on the release this host tracks.
  xdg.portal = {
    enable = true;
    extraPortals = [ pkgs.xdg-desktop-portal-wlr pkgs.xdg-desktop-portal-gtk ];
    gtkUsePortal = true;
  };
  # Stable /dev symlinks for two USB devices, matched on vendor/product id.
  # Neither rule changes permissions or ownership; they only add a symlink
  # and a systemd tag.
  services.udev.customRules = [
    # Rename the Scarlett Solo using udev
    {
      name = "85-scarlett-solo";
      rules = ''
        SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="8211", ENV{ID_VENDOR_ID}=="1235", TAG+="systemd", SYMLINK+="scarlett_solo"
      '';
    }
    # 1050:0407 is a YubiKey (vendor id 1050 = Yubico); exposes /dev/yubikey.
    {
      name = "85-yubikey";
      rules = ''
        SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", TAG+="systemd", SYMLINK+="yubikey"
      '';
    }
  ];
  security.pam = {
    # Module-managed YubiKey auth for the generated PAM services.
    # `control = "required"` makes the key mandatory in those stacks — but
    # `login` below uses the hand-written `pamLogin` text, where the key is
    # only `sufficient`; the two stacks are intentionally different.
    # Challenge-response mode needs a per-user secret file (the one
    # `ykpamcfg` creates) — presumably provisioned out of band; verify.
    yubico = {
      enable = true;
      #id = "ccccccvblrrf";
      control = "required";
      mode = "challenge-response";
      debug = false;
    };
    services.login = {
      name = "login";
      # Fix when https://github.com/NixOS/nixpkgs/pull/105319 lands..
      text = pamLogin;
    };
    #services.swaylock = {
    # name = "swaylock";
    # fprintAuth = true;
    # unixAuth = true;
    #};
  };
  # fprintd daemon backing the pam_fprintd line in `pamLogin`.
  services.fprintd.enable = true;
  users = {
    # I like my users unmutable
    # Declarative users only: accounts/passwords not in this file are not
    # created or kept, and `passwd` changes do not survive a rebuild.
    mutableUsers = false;
    # Myself
    users.malte = {
      description = "Malte Tammena";
      # `$6$` = sha512-crypt. This hash is committed to version control, so
      # anyone with read access to the repo can attack it offline; password
      # strength is the only protection it has.
      # NOTE(review): consider `passwordFile` pointing at a sops secret
      # instead (this host already uses sops-nix below; the secret would
      # need `neededForUsers = true` so it exists before users are created).
      hashedPassword =
        "$6$zqEC2iJJ98Ne$lRERO30msyjJm7oJCqRD/xj3NIm4De37gD.VUzfg7aceosE/6S6eNAaruIakgUtSC970MHRPoNlCEy1RoFuyh.";
      isNormalUser = true;
      # Several of these groups are effectively administrative:
      #   wheel    - sudo/admin group
      #   podman   - required to use the docker-compat socket enabled below,
      #              which hands out container control equivalent to root
      #   libvirtd - VM management; kvm - /dev/kvm access
      #   keys     - presumably the group that may read deployed secrets
      #              (/run/keys); verify what else depends on it
      extraGroups = [
        "wheel"
        "networkmanager"
        "video"
        "lp"
        "kvm"
        "libvirtd"
        "podman"
        "scanner"
        config.users.groups.keys.name
      ];
      # Yes, use the best, please
      shell = pkgs.fish;
    };
  };
  # User-level config comes from home-manager, out of tree for this file.
  home-manager.users.malte.imports = [ ../users/malte/home.nix ];
  programs.fish.enable = true;
  # Use some fonts
  fonts = {
    enableDefaultFonts = true;
    fonts = with pkgs; [ firaCodeNerd noto-fonts noto-fonts-cjk joypixels ];
    fontconfig = {
      enable = true;
      defaultFonts.monospace = [ "FiraCode Nerd Font" ];
    };
  };
  # Configure GPG with SSH support and enable the yubikey
  # gpg-agent doubles as the SSH agent, so SSH keys can live on the YubiKey's
  # OpenPGP applet rather than on disk (key setup itself is not in this file).
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryFlavor = "qt";
  };
  virtualisation = {
    podman = {
      enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Exposes the podman API on the Docker socket path; access is gated by
      # the `podman` group (malte is a member above). Treat that socket like
      # root — anything that can reach it can start privileged containers.
      dockerSocket.enable = true;
      # Container-to-container DNS by name on the default network.
      defaultNetwork.dnsname.enable = true;
    };
  };
  programs.dconf.enable = true;
  programs.steam.enable = true;
  # Steam's FHS env gets openssl added; `nativeOnly` left off (commented).
  nixpkgs.config.packageOverrides = pkgs: {
    steam = pkgs.steam.override {
      extraPkgs = pkgs: [ pkgs.openssl ];
      #nativeOnly = true;
    };
  };
  programs.sway.enable = true;
  services.dbus.packages = [ pkgs.gnome3.dconf ];
  # udev rules shipped by these packages grant the console user access to
  # YubiKeys (yubikey-personalization) and Keyboardio devices (chrysalis).
  services.udev.packages = with pkgs; [ yubikey-personalization chrysalis ];
  environment.systemPackages = with pkgs; [
    thunderbolt
    qt5.qtwayland
    chrysalis
  ];
  services.printing.enable = true;
  # Firmware updates via fwupd (LVFS).
  services.fwupd.enable = true;
  # Automounting of removable media.
  services.devmon.enable = true;
  # sops-nix: secrets are decrypted at activation with an age identity derived
  # from the host's ed25519 SSH key, so whoever can read that key (root) can
  # decrypt every secret for this host.
  sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  # TODO: Improve this
  # Restic backup credential for malte, taken from the user-level secrets
  # file rather than the host default; owner-only read (0400).
  sops.secrets."restic-backup-malte" = {
    sopsFile = ../secrets/users/malte/secrets.yaml;
    owner = "malte";
    mode = "0400";
    key = "restic-backup";
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. Its perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
}