pim/nixos-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add x201 configuration

Browse source 
Create module for lanzaboote
This commit is contained in:
Pim Kunis 2024-05-26 17:12:52 +02:00
parent e069bd25a2
commit 955f9e3a07
4 changed files with 134 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

184
nixos/default.nix
View file

@ -1,184 +0,0 @@
{ pkgs, config, lib, ... }: {
time.timeZone = "Europe/Amsterdam";
i18n.defaultLocale = "en_US.UTF-8";
services = {
gnome.gnome-keyring.enable = lib.mkForce false;
xserver = {
enable = true;
displayManager.gdm = { enable = true; };
desktopManager.gnome.enable = true;
excludePackages = with pkgs; [ xterm ];
};
printing = {
enable = true;
drivers = [ pkgs.hplip pkgs.gutenprint ];
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
};
users = {
users.pim = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "input" "wireshark" "dialout" ];
};
};
environment = {
systemPackages = with pkgs; [
wget
curl
git
btop
ripgrep
vim
dogdns
tree
dig
];
gnome.excludePackages = with pkgs; with pkgs.gnome; [
totem
gnome-tour
epiphany
geary
gnome-console
gnome-music
gnome-calendar
];
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
};
programs.ssh.startAgent = true;
security = {
rtkit.enable = true;
sudo.extraConfig = ''
Defaults timestamp_timeout=30
'';
};
nix = {
package = pkgs.nixFlakes;
settings.trusted-users = [ "root" "pim" ];
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
persistent = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
age = {
identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
secrets = {
wg-quick-home-privkey.file = ../secrets/wg-quick-home-privkey.age;
wg-quick-home-preshared-key.file =
../secrets/wg-quick-home-preshared-key.age;
};
};
networking = {
useDHCP = lib.mkDefault true;
wg-quick.interfaces = {
home = {
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
dns = [ "192.168.30.131" ];
autostart = false;
mtu = 1412;
peers = [{
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
endpoint = "wg.kun.is:51820";
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
}];
};
home-no-pihole = {
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
dns = [ "192.168.10.1" ];
autostart = false;
mtu = 1412;
peers = [{
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
endpoint = "wg.kun.is:51820";
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
}];
};
};
};
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config = {
permittedInsecurePackages = [ "electron-25.9.0" ];
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "vmware-horizon-client" "libfprint-2-tod1-goodix" "vmware-workstation" ];
};
};
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [ "xhci_pci" "sd_mod" ];
kernelModules = [ ];
};
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.mkForce false;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
};
hardware = {
cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
pulseaudio.enable = false;
};
}