nixos config

flake.lock

@@ -0,0 +1,65 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738667255,
+        "narHash": "sha256-sMMQb9NydZqQ/MvvtPp+Ny0W9P0Jk0moU7SrTBlO5Vo=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "7abcf59a365430b36f84eaa452a466b11e469e33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1738638143,
+        "narHash": "sha256-ZYMe4c4OCtIUBn5hx15PEGr0+B1cNEpl2dsaLxwY2W0=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "9bdd53f5908453e4d03f395eb1615c3e9a351f70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1738546358,
+        "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,91 @@
+{
+  description = "aar0ns flake configuration";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+  };
+   
+   #   c3d2-user-module = {
+   #    url = "git+https://gitea.c3d2.de/C3D2/nix-user-module.git";
+   #  };
+   #  sops-nix = {
+   #    url = "github:Mic92/sops-nix";
+   #    inputs.nixpkgs.follows = "nixpkgs";
+   #  };
+   # };
+
+  outputs = { self, nixpkgs, home-manager, nixos-hardware }:
+  let
+
+    system = "x86_64-linux"; 
+    pkgs = import nixpkgs { 
+      inherit system; 
+    };
+    
+    base-modules = [
+      ./modules/defaults/nix.nix
+       
+    home-manager.nixosModules.home-manager
+      ./modules/defaults/home-manager.nix
+    ];
+ 
+  in
+  {
+    legacypackages.x86_64-linux = {
+      inherit pkgs;
+    };
+    
+    nixosConfigurations = {
+      nussbaum = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+
+       modules = base-modules ++ [
+         nixos-hardware.nixosModules.lenovo-thinkpad-t490
+	 home-manager.nixosModules.home-manager 
+	 ./modules/defaults/home-manager.nix
+         ./modules/systems/t490.nix
+         ./modules/defaults/base.nix
+         ./modules/defaults/desktop.nix
+         ./modules/defaults/fonts.nix
+	 ./modules/defaults/home-manager.nix
+         ./modules/defaults/networking.nix
+         ./modules/defaults/users.nix
+         ./modules/defaults/virtualization/docker.nix
+         ./modules/defaults/virtualization/kvm.nix
+	 ./modules/defaults/security.nix
+	 ];
+      };
+    };
+  };
+}
+      # lib.mergeAttrs commonAttrs {
+      #  modules = [
+      #    ./modules/configuration.nix
+      #     c3d2-user-module.nixosModule
+      #     sops-nix.nixosModules.sops
+      #  ];
+      # });
+
+      #mobile = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
+      #  modules = [
+      #    ./hosts/mobile/configuration.nix
+      #    c3d2-user-module.nixosModule
+      #    sops-nix.nixosModules.sops
+      #  ];
+      #});
+
+      #tower = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
+      #  modules = [
+      #    ./hosts/tower/configuration.nix
+      #    sops-nix.nixosModules.sops
+      #  ];
+      #});
+#    };
+#  };
+#}
+

modules/defaults/base.nix

@@ -0,0 +1,33 @@
+## Some defaults I want for all my systems
+
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    nix-index
+    vim tmux
+    wget curl
+    htop atop iotop iftop
+    file bc
+    babashka rlwrap
+  ];
+
+  boot.loader.grub.configurationLimit = 5;
+  boot.loader.systemd-boot.configurationLimit = 5;
+  #boot.loader.grub.copyKernels = false;
+
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "de_DE.UTF-8";
+  #i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = 
+  {
+    LC_MESSAGES = "en_US.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+    LANGUAGE = "de";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_NUMERIC = "de_DE.UTF-8";
+    LANG = "en_US.UTF-8";
+  };
+
+  environment.variables = { EDITOR = "vim"; };
+}

modules/defaults/btrfs.nix

@@ -0,0 +1,53 @@
+{
+  imports =
+    [
+
+    ];
+
+  services.beesd.filesystems = {
+    luks-13b43fe2-5ff0-4e99-8d2a-2b92ff2e0df6 = {
+      spec = "UUID=6886fe4e-ebfc-458c-82e7-a0c4876529c8";
+      hashTableSizeMB = 4096;
+      #workDir ".beeshome";
+      verbosity = "err";
+      #extraOptions = [ "" ];
+    };
+  };
+
+
+  fileSystems."/" =
+  { 
+    fsType = "btrfs";
+    options = [ "compress=zstd" ];
+  };
+
+  fileSystems."/nix" = {
+    fsType = "btrfs";
+    options = [ "compress=zstd:10" ];
+  };
+
+  fileSystems."/var" = {
+    fsType = "btrfs";
+    options = [ "compress=zstd:3" ];
+  };
+
+  fileSystems."/var/lib" = {
+    fsType = "btrfs";
+    options = [ "compress=zstd:3" ];
+  };
+
+  fileSystems."/var/log" = {
+    fsType = "btrfs";
+    options = [ "compress=zstd:10" ];
+  };
+
+  fileSystems."/tmp" = { 
+    fsType = "btrfs";
+    options = [ "compress=zstd:1" ];
+  };
+
+  fileSystems."/home" = { 
+    fsType = "btrfs";
+    options = [ "compress=zstd:5" ];
+  };
+}

modules/defaults/desktop.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+  console.useXkbConfig = true;
+  
+  # Configure keymap in X11
+  services.xserver.xkb.layout = "de";
+
+  # Configure console keymap
+  # console.keyMap = "de";
+
+  # libinput.enable = true;
+    
+  # Desktop Environment KDE
+  services.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
+  
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+  # Enable Wayland
+  programs.xwayland.enable = true;
+
+  programs.dconf.enable = true;
+   
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Enable CUPS to print documents.
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [ gutenprint splix ];
+  };
+
+  hardware.sane = {
+    enable = true;
+  #  extraBackends = with pkgs; [ hplipWithPlugin ];
+  };
+
+  # c3d2.addKnownHosts = true; # audio for c3d2
+  # c3d2.audioStreaming = true;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    jack.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+
+}

modules/defaults/fonts.nix

@@ -0,0 +1,7 @@
+{ config, pkgs, nixpkgs, ... }:
+{
+  fonts.packages = with pkgs; [
+    nerd-fonts.overpass  ## required for starship
+    dejavu_fonts
+  ];
+}

modules/defaults/home-manager.nix

@@ -0,0 +1,12 @@
+## Don't forget to use the module `home-manager.nixosModules.home-manager`
+
+{ pkgs, ... }:
+{
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+
+  nixpkgs.config.permittedInsecurePackages = [
+     "openssl-1.1.1w"
+  ];
+}
+

modules/defaults/home-manager/admin.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    bind.dnsutils fping speedtest-cli
+    traceroute nmap
+    tcpdump mitmproxy
+  ];
+}

modules/defaults/home-manager/base.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    networkmanagerapplet
+
+    unzip
+    bat #silver-searcher
+    jq
+
+    libfaketime
+
+    dmenu  ## required by clipmenu
+  ];
+
+  programs.bash.enable = true;
+  programs.starship = {
+    enable = true;
+    enableBashIntegration = true;
+  };
+
+  services.clipmenu.enable = true;
+
+}

modules/defaults/home-manager/dev/base.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    gnumake
+    docker-compose
+
+    openssl
+  ];
+}

modules/defaults/home-manager/dev/git.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  programs.git = {
+    enable = true;
+    userEmail = "kontakt@aarontrom.de";
+    userName = "Aar0n";
+    ignores = [ "*.swp" ];
+    extraConfig = {
+      pull.rebase = true;
+      init.defaultBranch = "main";
+    };
+  };
+
+  home.packages = with pkgs; [
+    gitAndTools.gitflow
+    circleci-cli
+  ];
+}

modules/defaults/home-manager/multimedia.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    pavucontrol mpv yt-dlp vlc mixxx
+  ];
+
+  # services.blueman-applet.enable = true;
+}

modules/defaults/home-manager/nextcloud.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  services.nextcloud-client.enable = true;
+}

modules/defaults/home-manager/office.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    pass
+    libreoffice ding
+    simple-scan xsane gimp imagemagick ffmpeg
+    thunderbird signal-desktop
+    texlive.combined.scheme-full pdftk
+  ];
+
+  programs.chromium = {
+    enable = true;
+    extensions = [
+      "naepdomgkenhinolocfifgehidddafch"  # browserpass
+      "pkehgijcmpdhfbdbbnkijodmdjhbjlgp"  # privacy badger
+      "gcbommkclmclpchllfjekcdonpmejbdp"  # https everywhere
+      "cjpalhdlnbpafiamejdnhcphjbkeiagm"  # ublock origin
+      "mafpmfcccpbjnhfhjnllmmalhifmlcie"  # snowflake
+      "bkdgflcldnnnapblkhphbgpggdiikppg"  # duckduckgo essentials
+    ];
+  };
+  
+  programs.firefox.enable = true;
+
+  programs.browserpass.enable = true;
+}

modules/defaults/networking.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+  networking.usePredictableInterfaceNames = false;
+
+  networking.networkmanager.enable = true;
+
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = true;
+  
+  # services.openvpn.servers = {
+  #   officeVPN  = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };
+  # };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  services.avahi = {
+    enable = true;
+    # nssmdns4 = true;
+  };
+
+  environment.systemPackages = with pkgs; [ macchanger ];
+}

modules/defaults/nix.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, nixpkgs, ... }:
+
+{
+  boot.tmp.cleanOnBoot = true;
+  
+  nix.package = pkgs.nixVersions.git;
+  
+  # nix.extraOptions = "experimental-features = nix-command flakes ca-derivations";
+  nix.extraOptions = "experimental-features = nix-command flakes";
+  
+  #nix.daemonIONiceLevel = 7;
+  #nix.daemonNiceLevel = 19;
+
+  nix = { 
+    settings = {
+       experimental-features = [ "nix-command" "flakes" ]; 
+       auto-optimise-store = true;
+    };
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+  };
+}

modules/defaults/security.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
+  environment.systemPackages = with pkgs; [
+    libyubikey
+    yubico-pam
+    yubikey-manager
+    yubikey-personalization
+    yubico-piv-tool
+    pcsctools
+    opensc
+    usbutils
+    ssh-to-age
+    age-plugin-yubikey
+  ];
+
+  # mutableUsers = false; TODO: blocked by https://github.com/Mic92/sops-nix/pull/680
+
+  programs.adb.enable = true;
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+  
+  services.pcscd = {
+    enable = false; # dependency of yubikey agent
+    plugins = [ pkgs.libykneomgr ];
+  };
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    enableExtraSocket = true;
+  };
+}
+

modules/defaults/users.nix

@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+{
+
+  programs.adb.enable = true;
+  services.udev.packages = [
+    pkgs.android-udev-rules
+  ];
+  
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.aaron = {
+    isNormalUser = true;
+     extraGroups = [ "wheel" "adbusers"]; # Enable ‘sudo’ for the user.
+    
+
+     packages = with pkgs; [
+        firefox
+        tree
+        thunderbird
+        element-desktop
+        gajim
+	keepassxc
+	git
+	nextcloud-client
+	# nextcloud27
+        libreoffice
+        signal-desktop
+        gnome-keyring
+        oh-my-git
+        tor
+        tor-browser-bundle-bin
+        inkscape
+        freetube
+        masterpdfeditor4
+        webtorrent_desktop
+        borgbackup
+	kcalc
+	fzf
+	imagemagick
+	gcc
+	calyx-vpn
+	riseup-vpn
+	ungoogled-chromium
+	kopia
+	smplayer
+	libsForQt5.kate
+	usbutils
+	openvpn 
+	appflowy
+	libsForQt5.krfb
+	libsForQt5.xdg-desktop-portal-kde
+	vscodium
+	python311Packages.wled
+	python311Packages.pip
+	yubioath-flutter
+	ripgrep
+     ];
+   };
+
+  programs.bash.shellAliases = {
+  yay = "sudo nixos-rebuild switch";
+  };
+
+  home-manager.users.aaron = { pkgs, config, ... }: {
+      home.stateVersion = "21.11";
+      imports = [
+        ./home-manager/base.nix
+  
+        ./home-manager/office.nix
+        ./home-manager/multimedia.nix
+        ./home-manager/nextcloud.nix
+  
+        ./home-manager/admin.nix
+        ./home-manager/dev/base.nix
+        # ./home-manager/dev/nvim-coc.nix
+        ./home-manager/dev/git.nix
+        # ./home-manager/dev/embedded.nix
+        # ./home-manager/dev/web.nix
+        # ./home-manager/dev/mobile.nix
+        # ./home-manager/dev/clojure.nix
+        # ./home-manager/dev/rust.nix
+      ];
+    };
+
+  programs.extra-container.enable = true;
+
+  # services.pcscd.enable = true;
+}

modules/defaults/virtualization/docker.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  virtualisation.docker.enable = true;
+
+  users.groups.docker = {};
+
+  virtualisation.docker.autoPrune.enable = true;
+}

modules/defaults/virtualization/kvm.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}:
+
+{
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  environment.systemPackages = with pkgs; [ virt-manager ];
+
+  users.users."aaron".extraGroups = [ "libvirtd" ];
+}

modules/swap.nix

@@ -0,0 +1,4 @@
+{ config, pkgs, nixpkgs, ... }:
+
+{swapDevices.*.randomEncryption.enable = false; #used to be enabled - I set it to false
+}

modules/systems/t490.nix

@@ -0,0 +1,63 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{  
+  system.stateVersion = "23.11";
+  networking.hostName = "nussbaum";
+
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    # ../defaults/fonts.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+
+  boot.initrd.luks.devices."nussbaum".device = "/dev/disk/by-uuid/683a959d-f887-4fe9-9a5c-8c65e39c0647";
+  boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/f3dde71d-e12d-487e-81e8-7905d679aebb"; #used to be enabled
+  
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2279-E1C9";
+      fsType = "vfat";
+    };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/6a60a9f9-47d6-4617-a1cd-99cdc5a0f550";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/1df5f3df-8d38-41df-aac4-999747e5feab"; }
+    ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  # services.thinkfan.enable = true;
+    boot.extraModprobeConfig = ''
+      options thinkpad_acpi fan_control=1
+  '';
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  
+  networking.useDHCP = lib.mkDefault true;
+
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wwan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  nixpkgs.config.allowUnfree = true;  ## required by android-studio
+}