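# NixOS host module for a headless home server: boot/Secure Boot, networking,
# SSH, users, shells and the service modules pulled in via `imports`.
{ config, lib, pkgs, hostname, username, eth_interface, service_configs, options, ... }:
{
  imports = [
    ./hardware.nix
    ./zfs.nix
    ./services/postgresql.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix
    ./services/wg.nix
    ./services/qbittorrent.nix
    ./services/bitmagnet.nix
    # ./services/matrix.nix
    # ./services/owntracks.nix
    ./services/soulseek.nix
    # ./services/llama-cpp.nix
    ./services/ups.nix
  ];

  # Always-on server: disable every sleep target.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  # srvos enables vim, i don't want to use vim, disable it here:
  # (`enable` only exists on some nixpkgs versions, hence the optionalAttrs guard)
  programs.vim = {
    defaultEditor = false;
  } // lib.optionalAttrs (options.programs.vim ? enable) { enable = false; };

  powerManagement = {
    powertop.enable = true;
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  security.pam.loginLimits = [
    { domain = "*"; type = "soft"; item = "nofile"; value = "4096"; }
  ];

  nix = {
    # optimize the store
    optimise.automatic = true;
    # enable flakes!
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
    };
  };

  boot = {
    # 6.12 LTS until 2026
    kernelPackages = pkgs.linuxPackages_6_12_hardened;
    loader = {
      # lanzaboote (below) installs the signed images; it needs writable EFI variables.
      efi.canTouchEfiVariables = true;
      # 1s timeout
      timeout = 1;
    };
    initrd = { compressor = "zstd"; };
    # mkForce: something else in the module set (presumably srvos / hardware.nix)
    # turns systemd-boot on; lanzaboote replaces it here.
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      # needed to be in `/etc/secureboot` for sbctl to work
      pkiBundle = "/etc/secureboot";
    };
  };

  system.activationScripts = {
    # extract all my secureboot keys
    # NOTE(review): `${./secrets/secureboot.tar}` copies the tarball (which holds the
    # Secure Boot private keys) into /nix/store, which is world-readable; the
    # chown/chmod below only protect the extracted copy under pkiBundle. Keeping
    # the archive out of the store (delivered out-of-band or via a secrets
    # manager) would close that gap.
    "secureboot-keys".text = ''
      #!/bin/sh
      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
    '';
  };

  # Empty pre-login banner.
  environment.etc = {
    "issue".text = "";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      AllowUsers = [ username "root" ];
      PasswordAuthentication = false;
      # With PAM in play, keyboard-interactive can still end up prompting for a
      # password even when PasswordAuthentication is off; disable it so the
      # authorized keys below are the only way in.
      KbdInteractiveAuthentication = false;
      # for deploying configs: root logs in by key only (root's authorized keys
      # are set further down), so "prohibit-password" keeps that working while
      # refusing every other authentication method for root.
      PermitRootLogin = "prohibit-password";
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  #fwupd for updating firmware
  services.fwupd = {
    enable = true;
    # lvfs-testing serves pre-release firmware; drop it to stay on vendor-stable releases.
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    lm_sensors
    bottom
    htop
    doas-sudo-shim
    neofetch
    borgbackup
    smartmontools
    ripgrep
    intel-gpu-tools
    iotop
    iftop
    tmux
    wget
    powertop
    lsof
    reflac
    list-usb-drives
    pfetch-rs
    sbctl
    # add `skdump`
    libatasmart
  ];

  # One-shot unit at boot: switch every OpenRGB-visible device to solid black.
  systemd.services.no-rgb =
    let
      no-rgb = pkgs.writeShellApplication {
        name = "no-rgb";
        runtimeInputs = with pkgs; [ openrgb coreutils gnugrep ];
        # writeShellApplication runs the body under `set -o errexit -o pipefail`.
        # `grep -c` exits 1 when it counts zero matches, which would fail the
        # whole unit on a machine with no RGB devices; the `|| true` keeps
        # NUM_DEVICES=0 so the loop simply runs zero times (`seq 0 -1` is empty),
        # while an openrgb failure still propagates through pipefail.
        text = ''
          #!/bin/sh
          set -e
          NUM_DEVICES=$(openrgb --noautoconnect --list-devices | { grep -cE '^[0-9]+: ' || true; })
          for i in $(seq 0 $((NUM_DEVICES - 1))); do
            openrgb --noautoconnect --device "$i" --mode direct --color 000000
          done
        '';
      };
    in
    {
      description = "disable rgb";
      serviceConfig = {
        ExecStart = "${lib.getExe no-rgb}";
        Type = "oneshot";
      };
      wantedBy = [ "multi-user.target" ];
    };

  services.hardware.openrgb = {
    enable = true;
    package = pkgs.openrgb-with-all-plugins;
    motherboard = "amd";
  };
  services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
  hardware.i2c.enable = true;

  networking = {
    nameservers = [ "1.1.1.1" "9.9.9.9" ];
    hostName = hostname;
    hostId = "0f712d56";
    firewall.enable = true;
    useDHCP = false;
    enableIPv6 = false;
    interfaces.${eth_interface} = {
      ipv4.addresses = [ { address = "10.1.1.102"; prefixLength = 24; } ];
      # NOTE: with enableIPv6 = false above this address is not expected to take
      # effect; kept for when defaultGateway6 below is sorted out.
      ipv6.addresses = [ { address = "fe80::9e6b:ff:fe4d:abb"; prefixLength = 64; } ];
    };
    defaultGateway = {
      address = "10.1.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  users.groups.${service_configs.torrent_group} = { };
  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "wheel" "video" "render" service_configs.torrent_group ];
    # Hashed (not plaintext) password; as a flake input the file still ends up
    # in the store, so treat the hash as public.
    hashedPasswordFile = builtins.toString ./secrets/hashedPass;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
    ];
  };
  # used for deploying configs to server
  users.users.root.openssh.authorizedKeys.keys = config.users.users.${username}.openssh.authorizedKeys.keys;

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  programs.bash = {
    # Hand interactive bash sessions over to fish, unless bash was spawned by
    # fish already or is running a `-c` string (BASH_EXECUTION_STRING set).
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    #lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    # keepEnv hands the caller's environment to the root process and persist
    # caches the credential for a while; both widen what a compromised user
    # session can do, so keep them in mind when reviewing this host.
    doas.extraRules = [
      { users = [ username ]; keepEnv = true; persist = true; }
    ];
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    # NOTE(review): readFile bakes the password into the generated murmur config
    # in /nix/store, which is world-readable. The murmur module's environmentFile
    # option, where available on this nixpkgs, lets the value live in a root-only
    # file on the host instead.
    password = builtins.readFile ./secrets/murmur_password;
  };

  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {
  #       port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  # systemd.tmpfiles.rules = [
  #   "d /tank/music 775 ${username} users"
  # ];

  system.stateVersion = "24.11";
}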