titaniumtown/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

etcnixos -> system

Browse Source
This commit is contained in:
Simon Gardling
2025-11-21 12:19:28 -05:00
parent 946d72b66b
commit 8a06e4560d
18 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
system/common.nix Normal file
View File

@@ -0,0 +1,285 @@
{
config,
pkgs,
lib,
username,
system,
hostname,
inputs,
niri-package,
...
}:
{
imports = [
./declarative-nm.nix
# ./vm.nix
./steam.nix
./networking.nix
inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.disko.nixosModules.disko
inputs.lanzaboote.nixosModules.lanzaboote
];
# use tuned instead of tlp or ppd
services.power-profiles-daemon.enable = false;
services.tlp.enable = false;
services.tuned.enable = true;
# allow overclocking (I actually underclock but lol)
hardware.amdgpu.overdrive.ppfeaturemask = "0xFFF7FFFF";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
services.kmscon.enable = true;
# Add niri to display manager session packages
services.displayManager.sessionPackages = [ niri-package ];
# Gamescope configuration for Steam Deck-like experience
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
gamescopeSession.enable = true;
};
};
system.activationScripts = {
# FIX: https://github.com/NixOS/nix/issues/2982
"profile-channel-dummy".text = ''
#!/bin/sh
mkdir -p /nix/var/nix/profiles/per-user/root/channels
'';
# extract all my secureboot keys
# TODO! proper secrets management
"secureboot-keys".text = ''
#!/usr/bin/env sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${lib.getExe pkgs.gnutar} xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
'';
};
swapDevices = [ ];
nix = {
# optimize the store
optimise.automatic = false;
# enable flakes!
settings.experimental-features = [
"nix-command"
"flakes"
];
};
# allow unfree packages for jovian-nixos
nixpkgs.config.allowUnfree = true;
# kernel options
boot = {
kernelPackages = pkgs.linuxPackages_latest;
# kernelPackages = pkgs.linuxPackages;
lanzaboote = {
enable = true;
# TODO: proper secrets management so this is not stored in nix store
pkiBundle = "/var/lib/sbctl";
};
# Bootloader.
loader = {
efi.canTouchEfiVariables = true;
timeout = 1;
/*
Lanzaboote currently replaces the systemd-boot module.
This setting is usually set to true in configuration.nix
generated at installation time. So we force it to false
for now.
*/
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 10;
};
initrd = {
compressor = "zstd";
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"amdgpu"
];
};
kernelModules = [
"kvm-amd"
"ip_tables"
"iptable_nat"
"msr"
"btusb"
];
};
environment.etc = {
# override default nixos /etc/issue
"issue".text = "";
};
services = {
# fwupd for updating firmware
fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
# auto detect network printers
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
# Enable CUPS to print documents.
printing = {
enable = true;
drivers = with pkgs; [ hplip ];
};
# I don't want fingerprint login
fprintd.enable = false;
# Making sure mullvad works on boot
mullvad-vpn.enable = true;
# power statistics
upower.enable = true;
};
# EST
time.timeZone = "America/New_York";
security = {
# lets use doas and not sudo!
doas.enable = true;
sudo.enable = false;
# Configure doas
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable Bluetooth
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
# Enable experimental features for battery % of bluetooth devices
settings.General.Experimental = true;
};
# Apply gtk themes by enabling dconf
programs.dconf.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
users.users.${username} = {
isNormalUser = true;
extraGroups = [
"networkmanager"
"wheel"
"video"
"camera"
"adbusers"
];
# TODO! this is really bad :( I should really figure out how to do proper secrets management
hashedPasswordFile = "${./secrets/password-hash}";
};
services.gvfs.enable = true;
programs.gphoto2.enable = true;
programs.adb.enable = true;
# Enable thermal data
services.thermald.enable = true;
services.pcscd.enable = true;
programs.gnupg.agent = {
enable = true;
pinentryPackage = pkgs.pinentry-curses;
enableSSHSupport = false;
};
# System packages
environment.systemPackages = with pkgs; [
mullvad-vpn
#secureboot ctl
sbctl
dmidecode
doas-sudo-shim
glib
usbutils
libmtp
man-pages
man-pages-posix
# needed for home-manager
git
];
# wayland with electron/chromium applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
fi
'';
};
# port 53317 for localsend
networking.firewall.allowedUDPPorts = [ 53317 ];
networking.firewall.allowedTCPPorts = [ 53317 ];
system.stateVersion = "25.05";
nixpkgs.hostPlatform = "x86_64-linux";
documentation.enable = true;
documentation.man.enable = true;
documentation.dev.enable = true;
}