c5806a44a7
At the moment there is no other way for requests from nugget to camden to resolve correctly, as the Hyperoptic router is eating this traffic on the LAN.
259 lines
5.6 KiB
Nix
259 lines
5.6 KiB
Nix
# This file configures nugget, my home desktop machine.
|
|
|
|
{ pkgs, lib, ... }:
|
|
|
|
config: let
|
|
nixpkgs = import pkgs.third_party.nixpkgsSrc {
|
|
config.allowUnfree = true;
|
|
};
|
|
|
|
lieer = (pkgs.third_party.lieer {});
|
|
in pkgs.lib.fix(self: {
|
|
imports = [
|
|
../modules/tailscale.nix
|
|
];
|
|
|
|
hardware = {
|
|
pulseaudio.enable = true;
|
|
cpu.intel.updateMicrocode = true;
|
|
u2f.enable = true;
|
|
};
|
|
|
|
boot = {
|
|
cleanTmpDir = true;
|
|
kernelModules = [ "kvm-intel" ];
|
|
|
|
loader = {
|
|
timeout = 3;
|
|
systemd-boot.enable = true;
|
|
efi.canTouchEfiVariables = false;
|
|
};
|
|
|
|
initrd = {
|
|
luks.devices.nugget-crypt.device = "/dev/disk/by-label/nugget-crypt";
|
|
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
|
|
kernelModules = [ "dm-snapshot" ];
|
|
};
|
|
};
|
|
|
|
nix = {
|
|
nixPath = [
|
|
"depot=/home/tazjin/depot"
|
|
"nixpkgs=${pkgs.third_party.nixpkgsSrc}"
|
|
];
|
|
};
|
|
|
|
nixpkgs.pkgs = nixpkgs;
|
|
|
|
networking = {
|
|
hostName = "nugget";
|
|
useDHCP = false;
|
|
interfaces.eno1.useDHCP = true;
|
|
interfaces.wlp7s0.useDHCP = true;
|
|
|
|
# Don't use ISP's DNS servers:
|
|
nameservers = [
|
|
"8.8.8.8"
|
|
"8.8.4.4"
|
|
];
|
|
|
|
# Open Chromecast-related ports & servedir
|
|
firewall.enable = false;
|
|
firewall.allowedTCPPorts = [ 4242 5556 5558 ];
|
|
|
|
# Connect to the WiFi to let the Chromecast work.
|
|
wireless.enable = true;
|
|
wireless.networks = {
|
|
"How do I computer?" = {
|
|
psk = "washyourface";
|
|
};
|
|
};
|
|
|
|
# The current home router can't forward ports on the local
|
|
# network, but I'd like to test if camden is serving the correct
|
|
# certificates.
|
|
extraHosts = ''
|
|
192.168.1.205 camden camden.tazj.in git.camden.tazj.in
|
|
'';
|
|
};
|
|
|
|
# Generate an immutable /etc/resolv.conf from the nameserver settings
|
|
# above (otherwise DHCP overwrites it):
|
|
environment.etc."resolv.conf" = with lib; with pkgs; {
|
|
source = writeText "resolv.conf" ''
|
|
${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
|
|
options edns0
|
|
'';
|
|
};
|
|
|
|
time.timeZone = "Europe/London";
|
|
|
|
environment.systemPackages =
|
|
# programs from the depot
|
|
(with pkgs; [
|
|
lieer
|
|
ops.kontemplate
|
|
third_party.git
|
|
third_party.guile
|
|
third_party.tailscale
|
|
tools.emacs
|
|
]) ++
|
|
|
|
# programs from nixpkgs
|
|
(with nixpkgs; [
|
|
age
|
|
bat
|
|
cachix
|
|
chromium
|
|
curl
|
|
direnv
|
|
dnsutils
|
|
exa
|
|
fd
|
|
gnupg
|
|
go
|
|
google-chrome
|
|
google-cloud-sdk
|
|
htop
|
|
i3lock
|
|
imagemagick
|
|
jq
|
|
keybase-gui
|
|
kubectl
|
|
miller
|
|
msmtp
|
|
nix-prefetch-github
|
|
notmuch
|
|
openssh
|
|
openssl
|
|
pass
|
|
pavucontrol
|
|
pinentry
|
|
pinentry-emacs
|
|
pwgen
|
|
ripgrep
|
|
rustup
|
|
sbcl
|
|
scrot
|
|
spotify
|
|
tokei
|
|
tree
|
|
unzip
|
|
vlc
|
|
xclip
|
|
yubico-piv-tool
|
|
yubikey-personalization
|
|
]);
|
|
|
|
fileSystems = {
|
|
"/".device = "/dev/disk/by-label/nugget-root";
|
|
"/boot".device = "/dev/disk/by-label/EFI";
|
|
"/home".device = "/dev/disk/by-label/nugget-home";
|
|
};
|
|
|
|
# Configure user account
|
|
users.extraUsers.tazjin = {
|
|
extraGroups = [ "wheel" "audio" ];
|
|
isNormalUser = true;
|
|
uid = 1000;
|
|
shell = nixpkgs.fish;
|
|
};
|
|
|
|
security.sudo = {
|
|
enable = true;
|
|
extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL";
|
|
};
|
|
|
|
fonts = {
|
|
fonts = with nixpkgs; [
|
|
corefonts
|
|
dejavu_fonts
|
|
input-fonts
|
|
jetbrains-mono
|
|
noto-fonts-cjk
|
|
noto-fonts-emoji
|
|
];
|
|
|
|
fontconfig = {
|
|
hinting.enable = true;
|
|
subpixel.lcdfilter = "light";
|
|
|
|
defaultFonts = {
|
|
monospace = [ "JetBrains Mono" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
# Configure location (Vauxhall, London) for services that need it.
|
|
location = {
|
|
latitude = 51.4819109;
|
|
longitude = -0.1252998;
|
|
};
|
|
|
|
programs.fish.enable = true;
|
|
|
|
services.redshift.enable = true;
|
|
services.openssh.enable = true;
|
|
services.keybase.enable = true;
|
|
|
|
# Required for Yubikey usage as smartcard
|
|
services.pcscd.enable = true;
|
|
services.udev.packages = [
|
|
nixpkgs.yubikey-personalization
|
|
];
|
|
|
|
services.xserver = {
|
|
enable = true;
|
|
layout = "us";
|
|
xkbOptions = "caps:super";
|
|
exportConfiguration = true;
|
|
videoDrivers = [ "nvidia" ];
|
|
|
|
displayManager = {
|
|
# Give EXWM permission to control the session.
|
|
sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
|
|
|
|
lightdm.enable = true;
|
|
lightdm.greeters.gtk.clock-format = "%H·%M";
|
|
};
|
|
|
|
windowManager.session = pkgs.lib.singleton {
|
|
name = "exwm";
|
|
start = "${pkgs.tools.emacs}/bin/tazjins-emacs";
|
|
};
|
|
};
|
|
|
|
# Do not restart the display manager automatically
|
|
systemd.services.display-manager.restartIfChanged = lib.mkForce false;
|
|
|
|
# Configure email setup
|
|
systemd.user.services.lieer-tazjin = {
|
|
description = "Synchronise mail@tazj.in via lieer";
|
|
script = "${lieer}/bin/gmi sync";
|
|
|
|
serviceConfig = {
|
|
WorkingDirectory = "%h/mail/account.tazjin";
|
|
Type = "oneshot";
|
|
};
|
|
};
|
|
|
|
systemd.user.timers.lieer-tazjin = {
|
|
wantedBy = [ "timers.target" ];
|
|
|
|
timerConfig = {
|
|
OnActiveSec = "1";
|
|
OnUnitActiveSec = "180";
|
|
};
|
|
};
|
|
|
|
# Use Tailscale \o/
|
|
services.tailscale = {
|
|
enable = true;
|
|
relayConf = "/etc/tailscale/relay.conf";
|
|
aclFile = null; # allow all traffic for testing
|
|
package = pkgs.third_party.tailscale;
|
|
};
|
|
|
|
# ... and other nonsense.
|
|
system.stateVersion = "19.09";
|
|
})
|