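# NixOS host module for an AMD desktop.
# Shared settings (base nix settings such as optimise, gc and
# experimental-features) live in ./common.nix; everything here is
# desktop-specific.  Secrets are provided by agenix (./desktop-age-secrets.nix)
# and are referenced by runtime path only, never inlined into this file.
{
  config,
  options,
  pkgs,
  lib,
  username,
  inputs,
  site_config,
  niri-package,
  ...
}:
{
  imports = [
    ./common.nix

    # desktop-only modules
    ./desktop-vm.nix
    ./desktop-steam.nix
    ./desktop-networkmanager.nix
    ./desktop-age-secrets.nix
    ./desktop-lanzaboote-agenix.nix

    inputs.disko.nixosModules.disko

    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
    inputs.nixos-hardware.nixosModules.common-pc-ssd
  ];

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    # cachyos kernel overlay
    overlays = [ inputs.nix-cachyos-kernel.overlays.default ];
  };

  # kernel, initrd and bootloader
  boot = {
    # NOTE(review): the nix-cachyos-kernel overlay is applied above, but this
    # line selects pkgs.linuxPackages_latest.  The cachyos kernel (bore
    # scheduler, full lto, x86_64-v3 -- common to zen 3 + zen 5) is only in use
    # if that overlay replaces linuxPackages_latest; confirm which kernel is
    # actually intended here.
    kernelPackages = pkgs.linuxPackages_latest;

    kernelModules = [
      "kvm-amd"
      "ip_tables"
      "iptable_nat"
      "msr"
      "btusb"
    ];

    initrd = {
      systemd.enable = true;
      compressor = "zstd";

      # aes_generic is built-in as of linux 7.0, no longer a loadable module
      luks.cryptoModules = lib.mkForce (
        lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
      );

      # some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
      allowMissingModules = true;

      # own the display from initrd, no fbcon handoff
      kernelModules = [ "amdgpu" ];
      availableKernelModules = [
        "xhci_pci"
        "thunderbolt"
        "nvme"
        "usbhid"
      ];
    };

    lanzaboote = {
      enable = true;
      # TODO: proper secrets management so this is not stored in nix store
      # NOTE(review): written as a string rather than a Nix path literal, this
      # value is not copied into the store; lanzaboote reads the Secure Boot
      # signing keys from this directory on the host.  The thing to protect is
      # therefore the on-disk key material -- keep the directory root-only.
      pkiBundle = "/var/lib/sbctl";
    };

    # Bootloader.
    loader = {
      efi.canTouchEfiVariables = true;
      timeout = 1;
      systemd-boot = {
        /*
          Lanzaboote currently replaces the systemd-boot module.
          This setting is usually set to true in configuration.nix
          generated at installation time. So we force it to false
          for now.
        */
        enable = lib.mkForce false;
        configurationLimit = 10;
      };
    };
  };

  hardware = {
    # allow overclocking (I actually underclock but lol)
    amdgpu.overdrive.ppfeaturemask = "0xFFFFFFFF";

    # Enable Bluetooth
    bluetooth = {
      enable = true;
      powerOnBoot = true;

      # Enable experimental features for battery % of bluetooth devices
      settings.General.Experimental = true;
    };
  };

  # Desktop-specific Nix cache -- muffin serves it, desktops consume.
  # Base nix settings (optimise, gc, experimental-features) come from common.nix.
  nix.settings = {
    # NOTE(review): this sets `substituters`, not `extra-substituters`; check
    # that the merged list still contains every cache you expect (the upstream
    # cache is not listed here).
    substituters = [ site_config.binary_cache.url ];
    # only signatures from this key are accepted for paths fetched from the cache
    trusted-public-keys = [
      site_config.binary_cache.public_key
    ];
    # cache credentials come from an agenix secret; the daemon reads the file at runtime
    netrc-file = config.age.secrets.nix-cache-netrc.path;
  };

  services = {
    # Add niri to display manager session packages
    displayManager.sessionPackages = [ niri-package ];

    # auto detect network printers
    avahi = {
      enable = true;
      nssmdns4 = true;
      # opens the mDNS port in the firewall
      openFirewall = true;
    };

    # Enable CUPS to print documents.
    printing = {
      enable = true;
      drivers = with pkgs; [ hplip ];
    };

    # I don't want fingerprint login
    fprintd.enable = false;

    # Making sure mullvad works on boot
    mullvad-vpn.enable = true;

    # power statistics
    upower.enable = true;

    # power profiles for noctalia shell
    power-profiles-daemon.enable = true;

    # geolocation (uses beacondb.net by default)
    geoclue2 = {
      enable = true;
      appConfig.zen-twilight = {
        isAllowed = true;
        isSystem = false;
      };
    };

    # Enable sound with pipewire.
    pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    gvfs.enable = true;

    # Enable thermal data
    thermald.enable = true;

    # smartcard daemon (used by the gnupg agent below)
    pcscd.enable = true;
  };

  # realtime scheduling for pipewire
  security.rtkit.enable = true;

  programs = {
    gamescope = {
      enable = true;
      # lets the gamescope wrapper renice itself (CAP_SYS_NICE)
      capSysNice = true;
    };
    steam = {
      enable = true;
      gamescopeSession.enable = true;
    };

    # Apply gtk themes by enabling dconf
    dconf.enable = true;

    gphoto2.enable = true;

    gnupg.agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-curses;
      enableSSHSupport = false;
    };
  };

  # Define my user account (the rest of the configuration is found in `~/.config/home-manager/...`)
  users.users.${username} = {
    isNormalUser = true;
    # wheel grants sudo; adbusers presumably for android-tools device access
    extraGroups = [
      "networkmanager"
      "wheel"
      "video"
      "camera"
      "adbusers"
    ];
    # the password hash is an agenix secret, so nothing password-related lands in the store
    hashedPasswordFile = config.age.secrets.password-hash.path;
  };

  environment = {
    # System packages
    systemPackages = with pkgs; [
      # mullvad-vpn is provided by services.mullvad-vpn.enable

      #secureboot ctl
      sbctl

      dmidecode

      glib
      usbutils
      libmtp
      man-pages
      man-pages-posix

      # needed for home-manager
      git

      tmux
      android-tools
    ];

    # wayland with electron/chromium applications
    sessionVariables.NIXOS_OZONE_WL = "1";
  };

  # port 53317 for localsend
  networking.firewall = {
    allowedTCPPorts = [ 53317 ];
    allowedUDPPorts = [ 53317 ];
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  swapDevices = [ ];

  system = {
    activationScripts = {
      # FIX: https://github.com/NixOS/nix/issues/2982
      # (the shebang is inert here: activation snippets are concatenated
      # into one script, so the line only acts as a comment)
      "profile-channel-dummy".text = ''
        #!/bin/sh
        mkdir -p /nix/var/nix/profiles/per-user/root/channels
      '';
    };

    # compatibility marker for stateful data; do not bump on upgrade
    stateVersion = "25.05";
  };

  documentation = {
    enable = true;
    man.enable = true;
    dev.enable = true;
  };
}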