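# NixOS host module exported as flake.nixosModules.nixos-host.
#
# Outer arguments come from the flake-level module system; `flakeConfig` keeps a
# handle on that outer `config` (it supplies `username`) because the inner NixOS
# module shadows the name `config` with the system configuration.
{
  inputs,
  self,
  config,
  ...
}: let
  flakeConfig = config;
in {
  flake.nixosModules.nixos-host = {
    pkgs,
    lib,
    config,
    ...
  }: let
    # agenix-encrypted SMB credentials. The SMB mounts and the secret itself are
    # only declared when this file exists at evaluation time.
    # NOTE(review): in a git-based flake only tracked files are copied to the
    # store, so an untracked .age file evaluates as missing here.
    smbSecretFile = ../../secrets/smb-credentials.age;
    hasSmbSecret = builtins.pathExists smbSecretFile;

    gsfDevice = "/dev/input/by-id/usb-Ploopy_Corporation_Ploopy_Adept_Trackball_E6626067D39C532A0000000000000000-if02-event-mouse";

    # Mount options shared by both Unraid CIFS shares (previously duplicated per
    # mount). The credentials path points at the decrypted agenix secret, so the
    # SMB password never lands in the world-readable Nix store.
    # nosuid/nodev: nothing on a network share should be able to act as a setuid
    # binary or a device node on this host.
    # NOTE(review): `vers=3.0` is set without `seal`, so SMB3 encryption is only
    # used if the server enforces it; add "seal" if the server supports it.
    # NOTE(review): uid/gid are hard-coded to 1000; confirm that matches
    # flakeConfig.username on this machine.
    smbMountOptions = [
      "credentials=${config.age.secrets."smb-credentials".path}"
      "uid=1000"
      "gid=1000"
      "iocharset=utf8"
      "nofail"
      "x-systemd.automount"
      "_netdev"
      "noserverino"
      "vers=3.0"
      "nosuid"
      "nodev"
    ];
  in {
    imports = [
      inputs.agenix.nixosModules.default
      inputs.maccel.nixosModules.default
      inputs.gsf.nixosModules.default
      ../../hardware-configuration.nix
    ];

    # Bootloader
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    # Use latest kernel
    boot.kernelPackages = pkgs.linuxPackages_latest;

    # Custom EDID override for Samsung 240Hz on DP-1
    # Extreme mt7921e fallback: disable PCIe ASPM globally
    boot.kernelParams = [
      "drm.edid_firmware=DP-1:edid/g80.bin"
      "pcie_aspm=off"
    ];

    # mt7921e stability tweaks
    boot.extraModprobeConfig = ''
      options mt7921e disable_aspm=Y
      options mt7921e disable_clc=Y
    '';

    # Ships the EDID blob referenced by drm.edid_firmware above as firmware.
    hardware.firmware = [
      (pkgs.runCommand "g80-edid-firmware" {} ''
        install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
      '')
    ];

    # Hostname
    networking.hostName = "nixos";

    # Networking
    # NOTE(review): scan-rand-mac-address = "no" makes Wi-Fi scans use the real
    # hardware MAC, which makes the device trackable by nearby networks; keep it
    # only as long as the mt7921e workaround needs it.
    networking.networkmanager = {
      enable = true;
      wifi.powersave = false;
      settings.device."wifi.scan-rand-mac-address" = "no";
    };

    # Work around mt7921e getting stuck after suspend/resume
    # The hook runs as root on every resume; it calls modprobe by absolute store
    # path, so it does not depend on PATH.
    environment.etc."systemd/system-sleep/99-mt7921e-reset" = {
      text = ''
        #!/bin/sh
        case "$1" in
          post)
            ${pkgs.kmod}/bin/modprobe -r mt7921e || true
            ${pkgs.kmod}/bin/modprobe mt7921e
            ;;
        esac
      '';
      mode = "0755";
    };

    # LocalSend
    # NOTE(review): the port is opened on every interface. If LocalSend is only
    # used on the home LAN, scope it with
    # networking.firewall.interfaces.<name>.allowedTCPPorts / allowedUDPPorts.
    networking.firewall = {
      allowedTCPPorts = [53317];
      allowedUDPPorts = [53317];
    };

    # WebHID/VIA access on Linux (VIA needs hidraw access)
    # NOTE(review): the first rule matches every hidraw node, not only VIA
    # devices. Keyboards and any FIDO/U2F token plugged into this machine become
    # readable and writable by the `users` group and by the active seat user
    # (uaccess), and the Ploopy rule below becomes redundant. If the set of
    # VIA/Vial devices is known, prefer per-device rules keyed on
    # idVendor/idProduct like the Ploopy one and drop the general rule.
    services.udev.extraRules = ''
      # General VIA rule (matches vial docs/reddit workaround)
      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
      # Explicit Ploopy Adept (VID:PID 5043:5c47)
      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="5043", ATTRS{idProduct}=="5c47", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
    '';

    # Time zone
    time.timeZone = "Europe/Lisbon";

    # Locale
    i18n.defaultLocale = "en_GB.UTF-8";
    i18n.extraLocaleSettings = {
      LC_ADDRESS = "pt_PT.UTF-8";
      LC_IDENTIFICATION = "pt_PT.UTF-8";
      LC_MEASUREMENT = "pt_PT.UTF-8";
      LC_MONETARY = "pt_PT.UTF-8";
      LC_NAME = "pt_PT.UTF-8";
      LC_NUMERIC = "pt_PT.UTF-8";
      LC_PAPER = "pt_PT.UTF-8";
      LC_TELEPHONE = "pt_PT.UTF-8";
      LC_TIME = "pt_PT.UTF-8";
    };

    # Printing
    services.printing.enable = true;

    # Audio
    services.pulseaudio.enable = false;
    security.rtkit.enable = true;
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    # SSH
    # NOTE(review): only root login is restricted here. PasswordAuthentication
    # is left at the NixOS default (enabled) and the module opens port 22 in the
    # firewall by default. If authorized keys are configured elsewhere, set
    # PasswordAuthentication = false and KbdInteractiveAuthentication = false.
    services.openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
      };
    };

    # User account
    # `wheel` grants sudo; together with the sshd settings above this account is
    # the remote administrative entry point to the machine.
    users.users.${flakeConfig.username} = {
      isNormalUser = true;
      description = "Thomas Gouveia Lopes";
      extraGroups = ["networkmanager" "wheel"];
    };

    users.groups.maccel.members = [flakeConfig.username];

    hardware.maccel = {
      enable = true;
      enableCli = true;
      parameters = {
        mode = "linear";
        sensMultiplier = 1.0;
        yxRatio = 1.0;
        inputDpi = 1000.0;
        angleRotation = 0.0;
        acceleration = 0.3;
        offset = 2.0;
        outputCap = 2.0;
      };
    };

    # NOTE(review): inputGroupUsers presumably adds the user to the `input`
    # group (confirm in the gsf module). Members of that group can read every
    # /dev/input event device, keyboards included.
    hardware.gsf = {
      enable = true;
      device = gsfDevice;
      inputGroupUsers = [flakeConfig.username];
    };

    # Programs

    # Allow unfree
    nixpkgs.config.allowUnfree = true;

    # Use Lix as the system Nix implementation
    nix.package = pkgs.lixPackageSets.stable.lix;

    # Enable flakes + restrict who can submit builds to the daemon
    nix.settings = {
      experimental-features = ["nix-command" "flakes"];
      allowed-users = ["root" flakeConfig.username];
    };

    # Auto-unlock gnome-keyring on login
    security.pam.services.login.enableGnomeKeyring = true;
    security.pam.services.gdm.enableGnomeKeyring = true;
    security.pam.services.gdm-password.enableGnomeKeyring = true;

    # State version
    system.stateVersion = "25.11";

    boot.supportedFilesystems = ["cifs"];

    # Evaluation-time hint shown when the encrypted credentials file is absent.
    # NOTE(review): the hint runs `github:ryantm/agenix` unpinned under sudo,
    # while this flake already takes agenix as an input (presumably pinned in
    # flake.lock). Running the locked revision keeps the tool that handles the
    # host key and the SMB password at a reviewed version.
    warnings = lib.optional (!hasSmbSecret) ''
      SMB automount is disabled: missing ${toString smbSecretFile}.
      Create it with agenix:
        sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
      and set:
        username=...
        password=...
        # optional
        # domain=WORKGROUP
    '';

    # Secrets are decrypted at activation with the SSH host key, so the host key
    # is also the decryption key for everything under age.secrets.
    age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];

    # Decrypted credentials are readable by root only; mount.cifs reads them via
    # the credentials= option in smbMountOptions.
    age.secrets."smb-credentials" = lib.mkIf hasSmbSecret {
      file = smbSecretFile;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    fileSystems."/mnt/unraid-data" = lib.mkIf hasSmbSecret {
      device = "//192.168.1.102/data";
      fsType = "cifs";
      options = smbMountOptions;
    };

    fileSystems."/mnt/unraid-appdata" = lib.mkIf hasSmbSecret {
      device = "//192.168.1.102/appdata";
      fsType = "cifs";
      options = smbMountOptions;
    };

    fileSystems."/mnt/endeavour" = {
      device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
      fsType = "ext4";
      options = ["defaults" "noatime"];
    };
  };
}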