nixos-config/modules/hosts/nixos.nix

{
inputs,
self,
config,
...
}: let
flakeConfig = config;
in {
flake.nixosModules.nixos-host = {
pkgs,
lib,
config,
...
}: let
# Age-encrypted SMB credentials, addressed relative to this module. The file
# is optional; hasSmbSecret gates every setting that depends on it.
smbSecretFile = ../../secrets/smb-credentials.age;
# Evaluation-time existence check: when false, the agenix secret and the CIFS
# mounts are skipped and a warning is emitted instead.
hasSmbSecret = builtins.pathExists smbSecretFile;
# Stable by-id path of the event device handed to hardware.gsf.
# NOTE(review): the path embeds what looks like the device serial number —
# confirm that is acceptable in a shared repository.
gsfDevice = "/dev/input/by-id/usb-Ploopy_Corporation_Ploopy_Adept_Trackball_E6626067D39C532A0000000000000000-if02-event-mouse";
in {
imports = [
inputs.agenix.nixosModules.default
inputs.maccel.nixosModules.default
inputs.gsf.nixosModules.default
../../hardware-configuration.nix
];
# Bootloader: systemd-boot, with permission to modify EFI variables.
boot.loader = {
  systemd-boot.enable = true;
  efi.canTouchEfiVariables = true;
};
# Track the newest kernel package set instead of the default one.
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
  # Custom EDID override for the Samsung 240Hz panel on DP-1; the blob itself
  # is shipped through hardware.firmware further down.
  "drm.edid_firmware=DP-1:edid/g80.bin"
  # Extreme mt7921e fallback: disable PCIe ASPM globally.
  "pcie_aspm=off"
];
# mt7921e stability tweaks, passed as module options.
boot.extraModprobeConfig = ''
  options mt7921e disable_aspm=Y
  options mt7921e disable_clc=Y
'';
# Install the EDID blob read-only (0444) as lib/firmware/edid/g80.bin, the
# name the drm.edid_firmware parameter refers to.
hardware.firmware = [
  (pkgs.runCommand "g80-edid-firmware" {} ''
    install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
  '')
];
# Hostname
networking.hostName = "nixos";
# Networking is managed by NetworkManager, with Wi-Fi power saving off.
networking.networkmanager.enable = true;
networking.networkmanager.wifi.powersave = false;
# NOTE(review): this turns off MAC address randomisation during Wi-Fi scans,
# so scans use the adapter's real address. Presumably another mt7921e
# stability workaround — confirm the privacy trade-off is intended.
networking.networkmanager.settings.device."wifi.scan-rand-mac-address" = "no";
# Work around mt7921e getting stuck after suspend/resume: an executable hook
# that reloads the driver when it is called with "post" as its first argument.
# modprobe is referenced by its absolute store path, so the script does not
# depend on PATH.
# NOTE(review): presumably run as root by systemd-sleep on resume — confirm
# the hook directory is honoured on this system.
environment.etc."systemd/system-sleep/99-mt7921e-reset" = {
  mode = "0755";
  text = ''
    #!/bin/sh
    case "$1" in
    post)
    ${pkgs.kmod}/bin/modprobe -r mt7921e || true
    ${pkgs.kmod}/bin/modprobe mt7921e
    ;;
    esac
  '';
};
# LocalSend: accept TCP and UDP on port 53317.
# NOTE(review): these ports are opened for every interface. If the machine
# also joins untrusted networks, networking.firewall.interfaces.<name> can
# limit the exception to the LAN interface.
networking.firewall.allowedTCPPorts = [53317];
networking.firewall.allowedUDPPorts = [53317];
# WebHID/VIA access on Linux (VIA needs hidraw access)
# NOTE(review): the first rule matches every hidraw node, not only VIA
# devices, and makes each one group-writable for "users". Any account in that
# group can then read and write raw HID reports of all attached devices,
# keyboards and hardware security tokens included, whether or not it owns the
# active session. The first rule also makes the Ploopy-specific rule
# redundant, since that device already matches it.
# Safer shape: drop the catch-all and keep one rule per vendor/product ID that
# actually needs VIA, ideally relying on TAG+="uaccess" rather than
# MODE/GROUP. Confirm that uaccess takes effect from the rules file these
# extra rules land in before removing MODE/GROUP.
services.udev.extraRules = ''
# General VIA rule (matches vial docs/reddit workaround)
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
# Explicit Ploopy Adept (VID:PID 5043:5c47)
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="5043", ATTRS{idProduct}=="5c47", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
# Time zone
time.timeZone = "Europe/Lisbon";
# Locale: British English by default, with the categories listed below
# switched to Portuguese conventions.
i18n.defaultLocale = "en_GB.UTF-8";
i18n.extraLocaleSettings =
  lib.genAttrs [
    "LC_ADDRESS"
    "LC_IDENTIFICATION"
    "LC_MEASUREMENT"
    "LC_MONETARY"
    "LC_NAME"
    "LC_NUMERIC"
    "LC_PAPER"
    "LC_TELEPHONE"
    "LC_TIME"
  ] (_: "pt_PT.UTF-8");
# Printing
services.printing.enable = true;
# Audio: PipeWire replaces PulseAudio and also provides the ALSA (including
# 32-bit) and PulseAudio interfaces; rtkit is enabled alongside it.
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
# SSH: the daemon is enabled and direct root logins are refused.
# NOTE(review): PermitRootLogin is the only sshd setting made here.
# PasswordAuthentication and KbdInteractiveAuthentication are not set, so
# they keep their defaults (presumably password logins remain possible —
# confirm). Once key-based login is configured for the user, set both to
# false. This module also leaves the firewall handling of the SSH port at its
# default; confirm the port is meant to be reachable from the network.
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "no";
# User account: the flake-wide username becomes a normal user. Membership in
# "wheel" is the administrative group, so this account is the one that
# matters for privilege escalation on the host.
users = {
  users.${flakeConfig.username} = {
    description = "Thomas Gouveia Lopes";
    isNormalUser = true;
    extraGroups = ["networkmanager" "wheel"];
  };
  # The same user is added to the maccel group.
  groups.maccel.members = [flakeConfig.username];
};
# maccel module (from inputs.maccel) with a linear curve and its CLI enabled.
hardware.maccel.enable = true;
hardware.maccel.enableCli = true;
hardware.maccel.parameters = {
  mode = "linear";
  acceleration = 0.3;
  offset = 2.0;
  outputCap = 2.0;
  sensMultiplier = 1.0;
  yxRatio = 1.0;
  inputDpi = 1000.0;
  angleRotation = 0.0;
};
# gsf module (from inputs.gsf), pointed at the trackball's event device.
# NOTE(review): inputGroupUsers presumably grants the listed accounts access
# to input event devices; if that is membership in a group that can read all
# input devices, it covers keyboards as well — confirm the scope.
hardware.gsf.enable = true;
hardware.gsf.device = gsfDevice;
hardware.gsf.inputGroupUsers = [flakeConfig.username];
# Programs
# Allow unfree packages.
nixpkgs.config.allowUnfree = true;
nix = {
  # Use Lix as the system Nix implementation.
  package = pkgs.lixPackageSets.stable.lix;
  settings = {
    # Enable flakes and the new CLI.
    experimental-features = ["nix-command" "flakes"];
    # Only root and the main user may connect to the Nix daemon. trusted-users
    # is not set in this module, so no extra account gains trusted status here.
    allowed-users = ["root" flakeConfig.username];
  };
};
# Auto-unlock gnome-keyring on login, for the console login service and both
# GDM services.
security.pam.services =
  lib.genAttrs ["login" "gdm" "gdm-password"] (_: {enableGnomeKeyring = true;});
# State version
system.stateVersion = "25.11";
# CIFS support for the SMB shares mounted below.
boot.supportedFilesystems = ["cifs"];
# When the encrypted credentials file is absent, say so at build time instead
# of failing: the message explains how to create it.
# NOTE(review): the printed command runs agenix straight from
# github:ryantm/agenix under sudo with the host's private SSH key. That
# reference carries no revision, while this module imports agenix as a flake
# input (presumably locked in flake.lock). Pointing the instructions at the
# locked input would avoid running unreviewed upstream code as root.
warnings =
  if hasSmbSecret
  then []
  else [
    ''
      SMB automount is disabled: missing ${toString smbSecretFile}.
      Create it with agenix:
      sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
      and set:
      username=...
      password=...
      # optional
      # domain=WORKGROUP
    ''
  ];
# Secrets are decrypted with the host's SSH ed25519 key, so anyone able to
# read that key can decrypt every secret encrypted to this host.
age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# Decrypted credentials are readable by root only (0400 root:root).
age.secrets."smb-credentials" = lib.mkIf hasSmbSecret {
  owner = "root";
  group = "root";
  mode = "0400";
  file = smbSecretFile;
};
fileSystems = let
  # Builds the mount definition for one share on the Unraid server. Both
  # shares use the same options and differ only in the share name.
  unraidShare = share: {
    device = "//192.168.1.102/${share}";
    fsType = "cifs";
    options = [
      # Credentials come from the agenix-decrypted file, so no password ends
      # up in the Nix store or in the mount table.
      "credentials=${config.age.secrets."smb-credentials".path}"
      # NOTE(review): uid/gid 1000 are hard-coded; presumably they belong to
      # the main user — confirm, since every file on the share is presented
      # as owned by that ID.
      "uid=1000"
      "gid=1000"
      "iocharset=utf8"
      "nofail"
      "x-systemd.automount"
      "_netdev"
      "noserverino"
      # NOTE(review): SMB 3.0 is pinned but "seal" is not set, so traffic is
      # encrypted only if the server enforces it. Consider "seal", and
      # "nosuid"/"nodev" as defence in depth for a network mount.
      "vers=3.0"
    ];
  };
in
  lib.mkMerge [
    # Network shares exist only when the encrypted credentials are present.
    (lib.mkIf hasSmbSecret {
      "/mnt/unraid-data" = unraidShare "data";
      "/mnt/unraid-appdata" = unraidShare "appdata";
    })
    # Local ext4 data disk, mounted unconditionally.
    {
      "/mnt/endeavour" = {
        device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
        fsType = "ext4";
        options = ["defaults" "noatime"];
      };
    }
  ];
};
}