{ pkgs, config, lib, hostname, username, stateVersion, ... }:

# NixOS system configuration for this Framework laptop.
# Host-specific pieces (the `luciole` module) are pulled in via `imports`;
# everything below is grouped by the top-level option it configures.
{
  imports = [ ./luciole.nix ];

  hardware = {
    # Redistributable (non-free) firmware blobs for wifi / bluetooth / etc.
    enableRedistributableFirmware = true;
    # Load Intel CPU microcode updates
    cpu.intel.updateMicrocode = true;
    # Hardware-accelerated graphics stack
    graphics.enable = true;
    # Backlight control through `xbacklight` for members of the `video` group
    acpilight.enable = true;
    bluetooth.enable = true;
    # Only needed for the very first AirPods pairing; leave commented out afterwards
    # bluetooth.settings.General.ControllerMode = "bredr";
  };

  boot = {
    # Track the newest kernel packaged in nixpkgs
    kernelPackages = pkgs.linuxPackages_latest;
    # RCU tuning for lower power draw, see:
    # https://community.frame.work/t/tracking-linux-battery-life-tuning/6665/594
    # https://discourse.ubuntu.com/t/fine-tuning-the-ubuntu-24-04-kernel-for-low-latency-throughput-and-power-efficiency/44834
    kernelParams = [ "rcu_nocbs=all" "rcutree.enable_rcu_lazy=1" ];
    # Modules that either log errors at boot or interfere with input on this hardware
    blacklistedKernelModules = [
      "cros-usbpd-charger" # not used by the frame.work EC; only produces a boot-time error log
      "hid-sensor-hub"     # interferes with fn/media keys - https://community.frame.work/t/20675/391
      "iTCO_wdt"           # "Intel TCO Watchdog Timer"
      "mei_wdt"            # "Intel Management Engine Interface Watchdog Timer"
    ];
    # No bcache support in the initrd
    bcache.enable = false;
    # systemd-based initrd
    initrd.systemd.enable = true;
    loader = {
      # Boot the default entry immediately; hold <space> to bring the menu up
      timeout = 0;
      systemd-boot = {
        enable = true;
        # Disables the boot-entry editor, so the kernel command line cannot be
        # changed from the boot menu (e.g. to add init=/bin/sh)
        editor = false;
        # Keep at most 5 generations on the ESP
        configurationLimit = 5;
      };
      # Let NixOS write EFI boot variables
      efi.canTouchEfiVariables = true;
    };
  };

  networking = {
    hostName = hostname;
    # systemd-networkd manages the network; dhcpcd is off so the two don't compete
    useNetworkd = true;
    dhcpcd.enable = false;
    # `iwd` for wireless
    wireless.iwd.enable = true;
    # Tailscale MagicDNS first, then public resolvers as fallbacks
    # (queries for non-tailnet names will reach those public resolvers)
    nameservers = [ "100.100.100.100" "8.8.8.8" "1.1.1.1" ];
    search = [ "bicorn-duckbill.ts.net" ];
  };

  systemd = {
    # Services get 15s to stop instead of the default 1m30s
    extraConfig = "DefaultTimeoutStopSec=15s";
    # Run `tailscaled --cleanup` from ExecStop rather than ExecStopPost so it
    # executes while the network is still up
    services.tailscaled.serviceConfig = {
      ExecStopPost = lib.mkForce null;
      ExecStop = lib.mkForce "${config.services.tailscale.package}/bin/tailscaled --cleanup";
    };
  };

  time.timeZone = "Europe/Paris";

  users = {
    # Accounts and passwords come only from this configuration; imperative
    # changes (passwd, useradd) don't persist
    mutableUsers = false;
    # "!" is not a valid hash, so root has no usable password
    users.root.hashedPassword = "!";
  };

  security = {
    sudo = {
      # No password prompt for `wheel`. Combined with the console autologin
      # below (services.getty), anyone at the keyboard gets root-equivalent
      # access; this relies on physical control of the machine and whatever
      # disk/boot protection is set up outside this file.
      wheelNeedsPassword = false;
      # Only `wheel` members may invoke `sudo` at all
      execWheelOnly = true;
    };
    # RealtimeKit, needed by pipewire / pulse
    rtkit.enable = true;
  };

  services = {
    # Fingerprint reader.
    # Enroll with `sudo fprintd-enroll zogstrip`, check with `fprintd-verify`
    fprintd.enable = true;
    # TLP power management
    tlp.enable = true;
    # pipewire for audio / video streams, with ALSA support
    pipewire = {
      enable = true;
      alsa.enable = true;
    };
    # dbus-broker instead of the reference dbus daemon (Arch's default)
    # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
    dbus.implementation = "broker";
    # Ignore the power button
    logind.powerKey = "ignore";
    # Extra hwdb entries: CAPS lock -> ESC, RFKILL (airplane mode) key disabled
    udev.extraHwdb = ''
      # Remap CAPS lock to ESC
      evdev:atkbd:*
      KEYBOARD_KEY_3a=esc
      # Disable RFKILL key (airplane mode)
      evdev:input:b0018v32ACp0006*
      KEYBOARD_KEY_100c6=reserved
    '';
    tailscale = {
      enable = true;
      useRoutingFeatures = "client";
    };
    getty = {
      # Log `username` in on the console without a prompt
      autologinUser = username;
      # Skip the login prompt and the /etc/issue banner
      extraArgs = [ "--skip-login" "--noissue" "--nonewline" ];
    };
    # Firmware update manager
    fwupd.enable = true;
  };

  # No nano
  programs.nano.enable = false;

  fonts = {
    # Default font set, see:
    # https://github.com/NixOS/nixpkgs/blob/12228ff1752d7b7624a54e9c1af4b222b3c1073b/nixos/modules/config/fonts/packages.nix#L35-L40
    enableDefaultPackages = true;
    packages = with pkgs; [ nerd-fonts.fira-code ];
  };

  # The only "unfree" packages this system may build: 1password
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [ "1password-cli" "1password" ];

  nix = {
    # Flakes only, no channels
    channel.enable = false;
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      # Trusted users can change daemon settings and add substituters, which
      # amounts to root on the system; this matches the passwordless sudo above
      trusted-users = [ "@wheel" ];
      # Silence "dirty repository" warnings
      warn-dirty = false;
      # Print a stack trace on evaluation errors
      show-trace = true;
    };
  };

  # NixOS release this flake was first created on; don't bump on upgrades
  system.stateVersion = stateVersion;
}