
# NixOS host configuration for the machine "loki" (see networking.hostName below).
# The outer function receives `nixos-hardware` (presumably a flake input wired up
# outside this file); the inner function is the NixOS module itself.
{ nixos-hardware, ... }:
{ pkgs, config, ... }:
{
  imports = [
    # Hardware profiles: AMD CPU (with amd-pstate) and AMD GPU on an SSD.
    nixos-hardware.nixosModules.common-cpu-amd
    nixos-hardware.nixosModules.common-cpu-amd-pstate
    nixos-hardware.nixosModules.common-gpu-amd
    nixos-hardware.nixosModules.common-pc-ssd
    # ./vm.nix
    # ./barman.nix
    # Per-user modules from this repository (not visible here).
    ../../users/erwin
    ../../users/root
    ../../users/builder
  ];

  nixpkgs.config = {
    rocmSupport = false; # Re-enable when I get a newer GPU than an RX 570
  };

  # Options of this repository's own `eboskma` module set. The modules are
  # defined elsewhere in the repo; only the values chosen for this host are here.
  eboskma = {
    users = {
      erwin = {
        enable = true;
        home = true; # presumably enables a home-manager profile for erwin — verify in users/erwin
      };
      builder.enable = true;
    };
    base = {
      plymouth.enable = true;
      work = false;
      # udev rules for development hardware; only the devices actually in use are on.
      udev-rules = {
        qmk = true;
        solo2 = false;
        picotool = true;
        blink1 = false;
        probe-rs = true;
      };
    };
    bluetooth.enable = true;
    desktop = {
      enable = true;
      wayland = true;
    };
    fonts.enable = true;
    gnome.enable = true;
    # The custom greetd block is off; the regreet block below is the active greeter
    # setup (presumably it configures greetd itself — verify in the regreet module).
    greetd = {
      enable = false;
      sway = true;
      river = true;
      wallpaper = ../../wallpapers/river-2560.png;
    };
    guix.enable = false;
    networking = {
      enable = true;
    };
    nix-common = {
      enable = true;
      cross-systems = [ "aarch64-linux" ];
      gc-interval = "weekly";
    };
    podman.enable = true;
    regreet = {
      enable = true;
      wallpaper = ../../wallpapers/river-2560.png;
      wayvnc = false;
    };
    tailscale = {
      enable = true;
      nftables = true; # consistent with networking.nftables.enable below
    };
    sound = {
      enable = true;
      jack = true;
    };
    systemd.enable = true;
  };

  # Disks are addressed by UUID so enumeration order does not matter.
  # No encryption (LUKS) is configured in this file.
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/42065c7e-d0aa-4de8-a913-014cf59d48ac";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/4064-A1BE";
      fsType = "vfat";
    };
    "/home" = {
      device = "/dev/disk/by-uuid/082ec5d2-238e-4713-9c37-31b1cb0fb8c3";
      fsType = "ext4";
    };
  };

  # Enable new implementation of switch-to-configuration built in Rust
  system = {
    switch = {
      enable = false;
      enableNg = true;
    };
  };

  # NOTE(review): the suspend key is mapped to hibernate (services.logind below),
  # so memory images are written to this swap partition; since no encryption is
  # configured here, they land on plaintext storage unless set up elsewhere — confirm.
  swapDevices = [ { device = "/dev/disk/by-uuid/d93788f7-1b94-4687-8313-055d17f42b7e"; } ];

  hardware = {
    # Enable firmware
    # enableAllFirmware also pulls in the non-redistributable firmware set,
    # beyond what enableRedistributableFirmware alone would.
    enableAllFirmware = true;
    graphics = {
      enable32Bit = true; # 32-bit GL/Vulkan stacks (presumably for Steam/Wine)
    };
    # i2c support
    i2c.enable = true;
    amdgpu = {
      initrd.enable = true; # load amdgpu already in the initrd (early KMS, pairs with plymouth above)
      opencl.enable = false;
    };
  };

  boot = {
    # Storage and input drivers needed before the root filesystem is mounted.
    initrd.availableKernelModules = [
      "nvme"
      "xhci_pci"
      "ahci"
      "usb_storage"
      "usbhid"
      "sd_mod"
    ];
    initrd.kernelModules = [ ];
    # Rolling latest kernel; out-of-tree modules below (zenpower, cpupower) must
    # build against whatever version this resolves to.
    kernelPackages = pkgs.linuxPackages_latest;
    kernelModules = [
      "kvm-amd"
      "apple-mfi-fastcharge"
      "zenpower"
      "nf_nat_ftp" # presumably the FTP conntrack/NAT helper — confirm it is still needed
    ];
    # k10temp is blacklisted because zenpower (loaded above) exposes the same
    # Zen temperature/power sensors — presumably; TODO confirm.
    blacklistedKernelModules = [
      "k10temp"
    ];
    kernelParams = [ "amd_pstate.shared_mem=1" ];
    extraModulePackages = with config.boot.kernelPackages; [
      cpupower
      # rtl88x2bu
      zenpower
    ];
    loader = {
      systemd-boot = {
        enable = true;
        configurationLimit = 10; # keep at most 10 generations in the ESP
      };
      efi.canTouchEfiVariables = true; # lets the bootloader installer write NVRAM boot entries
    };
  };

  time.timeZone = "Europe/Amsterdam";

  networking = {
    hostName = "loki";
    useDHCP = false;
    networkmanager.enable = false;
    useNetworkd = true; # interfaces are configured under systemd.network below
    nftables.enable = true;
    firewall = {
      # NOTE(review): all traffic is accepted on these interfaces, independent of the
      # port lists below. Every listening service (openssh, sunshine, plantuml-server
      # on 5080 if it binds non-loopback, ...) is therefore reachable from any device
      # on the tailnet; confirm that is intended for every tailnet member.
      trustedInterfaces = [
        "lo"
        "tailscale0"
      ];
      # NOTE(review): these are open on every non-trusted interface, including the
      # wireless one managed by iwd below. Confirm that NFS and the dev server on
      # 4000 should be reachable from arbitrary LANs the machine joins.
      allowedTCPPorts = [
        # NFS
        111
        2049
        4100
        4101
        4102
        20048
        # Horus System V2
        12345
        5555
        5556
        # Elixir/Phoenix dev environment
        4000
        # SteamLink
        27036
        27037
      ];
      allowedUDPPorts = [
        # NFS
        111
        2049
        4100
        4101
        4102
        20048
        # SteamLink
        27031
        27036
      ];
      allowedTCPPortRanges = [
        # Sonos / noson
        {
          from = 1400;
          to = 1410;
        }
      ];
      allowedUDPPortRanges = [
        # Sunshine
        # (services.sunshine.openFirewall below opens its ports as well)
        {
          from = 47998;
          to = 48000;
        }
        # Sonos / noson / pulseaudio
        {
          from = 1400;
          to = 1410;
        }
      ];
    };
    # iwd does its own address configuration for wireless interfaces; no
    # systemd.network.networks entry for wlan exists below, so networkd leaves
    # them alone — presumably by design; verify the two do not both manage wlan.
    wireless.iwd = {
      enable = true;
      settings = {
        General = {
          EnableNetworkConfiguration = true;
        };
      };
    };
  };

  security = {
    # sudo-rs (memory-safe reimplementation) replaces the C sudo; only one is installed.
    sudo-rs = {
      enable = true;
    };
    sudo.enable = false;
    # AppArmor LSM is enabled; profiles are not defined in this file.
    apparmor = {
      enable = true;
    };
    # PAM stack for the swaylock screen locker.
    pam.services.swaylock = {
      unixAuth = true;
      # NOTE(review): setLoginUid/updateWtmp/startSession are session-start
      # settings; a screen locker only re-authenticates an existing session.
      # Presumably copied from a login-service template — confirm they are needed.
      setLoginUid = true;
      enableGnomeKeyring = true; # unlock the GNOME keyring with the login password
      # NOTE(review): allowNullPassword lets an account with an empty password
      # unlock the screen. Only exploitable if some local account has no password,
      # but false is the safer setting for a lock screen — confirm why it is set.
      allowNullPassword = true;
      updateWtmp = true;
      startSession = true;
    };
  };

  systemd = {
    network = {
      enable = true;
      config = {
        networkConfig = {
          IPv6PrivacyExtensions = true; # prefer temporary (RFC 4941) addresses for outbound IPv6
        };
      };
      wait-online = {
        anyInterface = true; # boot does not block on the manually-activated tunnels below
      };
      # WireGuard tunnels to the Horus networks. Private keys come from sops
      # (owned by systemd-network, see sops.secrets below), so no key material is
      # in this file; PublicKey/Endpoint belong to the peer and are not secret.
      netdevs = {
        "10-horus0" = {
          netdevConfig = {
            Kind = "wireguard";
            MTUBytes = "1420";
            Name = "horus0";
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wireguard-horus0-privkey.path;
          };
          wireguardPeers = [
            {
              PublicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
              # AllowedIPs is both the route selector and the cryptokey ACL: only
              # these source prefixes are accepted from this peer.
              AllowedIPs = [
                "192.168.4.0/23"
                "192.168.6.0/24"
                "192.168.7.0/24"
                "192.168.8.0/24"
              ];
              Endpoint = "212.45.34.195:51820";
              PersistentKeepalive = 25;
            }
          ];
        };
        "11-horus1" = {
          netdevConfig = {
            Kind = "wireguard";
            MTUBytes = "1420";
            Name = "horus1";
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wireguard-horus1-privkey.path;
          };
          wireguardPeers = [
            {
              PublicKey = "UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=";
              AllowedIPs = [
                "10.128.0.0/23"
              ];
              Endpoint = "212.45.34.195:51822";
              PersistentKeepalive = 25;
            }
          ];
        };
      };
      networks = {
        # Wired uplink: DHCP with router advertisements.
        "40-enp4s0" = {
          matchConfig = {
            Name = "enp4s0";
          };
          networkConfig = {
            DHCP = "yes";
            IPv6AcceptRA = true;
          };
          dhcpV4Config = {
            RouteMetric = 64;
          };
        };
        # horus0: brought up manually, not at boot (ActivationPolicy = manual).
        # DNS/Domains send the horus.nu zones to the tunnel resolver — presumably
        # split-horizon via systemd-resolved; verify resolved is in use.
        "40-horus0" = {
          matchConfig = {
            Name = "horus0";
          };
          linkConfig = {
            ActivationPolicy = "manual";
          };
          networkConfig = {
            DHCP = "no";
            DNS = "192.168.4.1";
            Domains = [
              "bedum.horus.nu"
              "internal.horus.nu"
            ];
          };
          address = [ "10.10.4.2/24" ];
          # Routes mirror the peer's AllowedIPs above; keep the two lists in sync.
          routes = [
            {
              Destination = "192.168.4.0/23";
              Scope = "link";
            }
            {
              Destination = "192.168.6.0/24";
              Scope = "link";
            }
            {
              Destination = "192.168.7.0/24";
              Scope = "link";
            }
            {
              Destination = "192.168.8.0/24";
              Scope = "link";
            }
          ];
        };
        # horus1: manual activation; address lies inside the peer's AllowedIPs,
        # so no explicit routes are needed for it.
        "41-horus1" = {
          matchConfig = {
            Name = "horus1";
          };
          linkConfig = {
            ActivationPolicy = "manual";
          };
          networkConfig = {
            DHCP = "no";
          };
          address = [ "10.128.0.2/23" ];
        };
      };
      links = {
        "40-enp4s0" = {
          matchConfig = {
            OriginalName = "enp4s0";
          };
          linkConfig = {
            # Wake-on-LAN via magic packet: any host on the wired L2 segment can wake this machine.
            WakeOnLan = "magic";
          };
        };
      };
    };
  };

  services = {
    udev = {
      # NOTE(review): udev honours NAME= only for network interfaces; for other
      # devices it is ignored (udev logs a warning). For USB storage the usual
      # form is SYMLINK+="keys" (plus a SUBSYSTEM=="block" match so the link is
      # created for the block device rather than the USB parent) — verify.
      extraRules = ''
        ACTION=="add", ATTRS{idVendor}=="0951", ATTRS{idProduct}=="1666", NAME=keys
        ACTION=="add", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="55b1", NAME=vault
      '';
    };
    # Hardware keys: everything is ignored except the suspend key, which hibernates.
    logind = {
      hibernateKey = "ignore";
      powerKey = "ignore";
      rebootKey = "ignore";
      suspendKey = "hibernate";
      hibernateKeyLongPress = "ignore";
      powerKeyLongPress = "ignore";
      rebootKeyLongPress = "ignore";
      suspendKeyLongPress = "ignore";
    };
    # NOTE(review): sshd with module defaults; the NixOS module opens its port in
    # the firewall by default, so it is reachable on all interfaces. Authentication
    # hardening (key-only, no root login) is not set in this file — confirm it
    # lives in one of the imported modules.
    openssh.enable = true;
    colord.enable = true;
    udisks2 = {
      enable = true;
    };
    envfs.enable = false;
    # NOTE(review): third-party remote-control daemon; its unattended-access
    # settings are outside this file. Confirm it is still needed alongside sunshine.
    teamviewer.enable = true;
    sunshine = {
      enable = true;
      # NOTE(review): grants CAP_SYS_ADMIN to the sunshine binary (presumably for
      # KMS screen capture) — a broad capability on a network-facing service.
      capSysAdmin = true;
      # user = "erwin";
      openFirewall = true; # in addition to the 47998-48000 UDP range above
    };
    # 5080 is not in allowedTCPPorts, so at most the trusted interfaces (lo,
    # tailscale0) can reach it.
    plantuml-server = {
      enable = true;
      listenPort = 5080;
    };
  };

  programs = {
    sway = {
      enable = true;
      package = pkgs.swayfx; # swayfx fork instead of upstream sway
      wrapperFeatures = {
        gtk = true;
        base = true;
      };
      extraPackages = with pkgs; [
        swaylock # its PAM service is configured under security.pam above
        swayidle
      ];
    };
    river.enable = true;
    gnome-disks.enable = true;
    gamemode = {
      enable = true;
      settings = {
        general = {
          renice = 5;
        };
        # Desktop notifications on enter/leave; the libnotify path is resolved at build time.
        custom = {
          start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
          end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
        };
      };
    };
    appimage = {
      enable = true;
      binfmt = true; # binfmt_misc handler so AppImages run directly
    };
    ryzen-monitor-ng.enable = true;
    # nix-ld: dynamic loader + library set for running pre-built (non-Nix)
    # binaries. Keep the list to what those binaries actually need.
    nix-ld = {
      enable = true;
      libraries = with pkgs; [
        alsa-lib
        at-spi2-atk
        at-spi2-core
        atk
        cairo
        cups
        curl
        dbus
        expat
        fontconfig
        freetype
        fuse3
        gdk-pixbuf
        glib
        gtk3
        icu
        libGL
        libappindicator-gtk3
        libdrm
        libglvnd
        libnotify
        libpulseaudio
        libunwind
        libusb1
        libuuid
        libxkbcommon
        mesa
        nspr
        nss
        openssl
        pango
        pipewire
        sqlite
        stdenv.cc.cc
        systemd
        vulkan-loader
        xorg.libX11
        xorg.libXScrnSaver
        xorg.libXcomposite
        xorg.libXcursor
        xorg.libXdamage
        xorg.libXext
        xorg.libXfixes
        xorg.libXi
        xorg.libXrandr
        xorg.libXrender
        xorg.libXtst
        xorg.libxcb
        xorg.libxkbfile
        xorg.libxshmfence
        zlib
      ];
    };
  };

  powerManagement = {
    cpuFreqGovernor = "ondemand";
  };

  environment = {
    sessionVariables = {
      AMD_VULKAN_ICD = "RADV"; # force the Mesa RADV Vulkan driver
    };
    systemPackages = with pkgs; [
      incus # client only; the incus daemon is not enabled in this file
      iwgtk
      tailscale
    ];
  };

  # Workaround for packages that has HIP paths hardcoded
  # systemd.tmpfiles.rules =
  # let
  # rocmEnv = pkgs.symlinkJoin {
  # name = "rocm-combined";
  # paths = with pkgs.rocmPackages; [
  # rocblas
  # hipblas
  # clr
  # ];
  # };
  # in
  # [ "L+ /opt/rocm - - - - ${rocmEnv}" ];

  # Secrets are decrypted at activation from the encrypted ./secrets.yaml; only
  # the ciphertext is in the repo. `owner` decides which user may read the
  # decrypted file (plus root); entries without an owner default to root.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    ha_now_playing_token = {
      owner = "erwin";
    };
    gh_token = {
      owner = "erwin";
    };
    renovate_env = {
      owner = "erwin";
    };
    livebook-env = {
      owner = "erwin";
    };
    livebook-password = {
      owner = "erwin";
    };
    # WireGuard private keys: readable by the networkd user only (see systemd.network above).
    wireguard-horus0-privkey = {
      owner = "systemd-network";
    };
    wireguard-horus1-privkey = {
      owner = "systemd-network";
    };
    k3s-token = { };
    # Owner stays root until barman.nix (commented out in imports) is re-enabled — presumably.
    barman-passwords = {
      # owner = "barman";
    };
    factorio-token = {
      owner = "erwin";
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
}