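# NixOS host module for a single x86_64 GNOME workstation: desktop, audio,
# printing, the `pim` user, Nix daemon policy, agenix secrets, two WireGuard
# home tunnels, Docker, Secure Boot (Lanzaboote) and a few kernel knobs.
{ pkgs, config, lib, ... }:

let
  # The two WireGuard profiles are identical apart from the DNS resolver they
  # push, so they are built from one template instead of repeating the whole
  # peer block twice. Both are full tunnels (allowedIPs 0.0.0.0/0 and ::/0)
  # and are brought up manually (autostart = false).
  homeTunnel = dns: {
    privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
    address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
    inherit dns;
    autostart = false;
    mtu = 1412;
    peers = [{
      presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
      endpoint = "wg.kun.is:51820";
      publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
      allowedIPs = [ "0.0.0.0/0" "::/0" ];
    }];
  };
in
{
  time.timeZone = "Europe/Amsterdam";
  i18n.defaultLocale = "en_US.UTF-8";

  services = {
    # Forced off so that no other module (e.g. the GNOME desktop module) can
    # re-enable the keyring daemon.
    gnome.gnome-keyring.enable = lib.mkForce false;

    xserver = {
      enable = true;
      displayManager.gdm = { enable = true; };
      desktopManager.gnome.enable = true;
      excludePackages = with pkgs; [ xterm ];
    };

    printing = {
      enable = true;
      drivers = [ pkgs.hplip pkgs.gutenprint ];
    };

    # PipeWire provides the ALSA (incl. 32-bit) and PulseAudio compatibility
    # layers; hardware.pulseaudio is disabled below so both are not running.
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
  };

  users = {
    users.pim = {
      isNormalUser = true;
      # NOTE(review): "wheel" grants sudo, and "docker" grants control of the
      # rootful daemon socket enabled under virtualisation.docker below, which
      # is effectively root as well. If only the rootless daemon is needed,
      # the "docker" group can be dropped from this list.
      extraGroups = [ "wheel" "docker" "input" "wireshark" "dialout" ];
    };
  };

  environment = {
    systemPackages = with pkgs; [ wget curl git btop ripgrep vim dogdns tree dig ];
    # GNOME applications not wanted on this machine.
    gnome.excludePackages = with pkgs; with pkgs.gnome; [
      totem
      gnome-tour
      epiphany
      geary
      gnome-console
      gnome-music
      gnome-calendar
    ];
  };

  system = {
    stateVersion = "23.05";
    # Print a closure diff between the running system and the one being
    # activated, so package upgrades are visible on every switch.
    activationScripts.diff = ''
      if [[ -e /run/current-system ]]; then
        ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
      fi
    '';
  };

  programs.ssh.startAgent = true;

  security = {
    # Realtime scheduling for PipeWire.
    rtkit.enable = true;
    # Cache sudo credentials for 30 minutes, longer than sudo's upstream
    # default; a shorter window limits how long a hijacked shell keeps root.
    sudo.extraConfig = ''
      Defaults timestamp_timeout=30
    '';
  };

  nix = {
    package = pkgs.nixFlakes;
    # trusted-users may override daemon settings such as substituters and
    # their signing keys, which is root-equivalent; keep it to admin accounts.
    settings.trusted-users = [ "root" "pim" ];
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    gc = {
      automatic = true;
      persistent = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  # agenix: secrets are decrypted at activation using this age identity, so
  # the key file must stay readable only by its owner. The encrypted files
  # live next to this module in ../secrets.
  age = {
    identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
    secrets = {
      wg-quick-home-privkey.file = ../secrets/wg-quick-home-privkey.age;
      wg-quick-home-preshared-key.file = ../secrets/wg-quick-home-preshared-key.age;
    };
  };

  networking = {
    useDHCP = lib.mkDefault true;
    wg-quick.interfaces = {
      # Resolver reached through the tunnel (presumably the Pi-hole, judging
      # by the sibling profile's name).
      home = homeTunnel [ "192.168.30.131" ];
      # Same tunnel, but resolving via a different host instead.
      home-no-pihole = homeTunnel [ "192.168.10.1" ];
    };
  };

  # Both the system-wide daemon (enable) and a per-user rootless daemon are
  # configured; setSocketVariable points DOCKER_HOST at the rootless socket.
  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };

  nixpkgs = {
    hostPlatform = lib.mkDefault "x86_64-linux";
    config = {
      # NOTE(review): this opts back into a package that nixpkgs marks as
      # insecure (known vulnerabilities or end-of-life). Drop the entry as
      # soon as whatever depends on electron-25.9.0 moves to a supported
      # Electron release.
      permittedInsecurePackages = [ "electron-25.9.0" ];
      # Allow only these unfree packages by name instead of a blanket allowUnfree.
      allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
        "vmware-horizon-client"
        "libfprint-2-tod1-goodix"
        "vmware-workstation"
      ];
    };
  };

  boot = {
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [ "xhci_pci" "sd_mod" ];
      kernelModules = [ ];
    };
    loader = {
      efi.canTouchEfiVariables = true;
      # Lanzaboote installs its own signed boot entries and requires the stock
      # systemd-boot to be off; mkForce keeps a hardware module from enabling it.
      systemd-boot.enable = lib.mkForce false;
    };
    # Secure Boot: boot images are signed with the keys stored in pkiBundle.
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };
    # fq + BBR congestion control.
    kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
  };

  hardware = {
    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    # Audio is served by PipeWire's PulseAudio layer (services.pipewire.pulse).
    pulseaudio.enable = false;
  };
}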