first building version of lpt2 as flake

2024-10-26 00:04:27 +02:00 · 2024-10-26 00:04:27 +02:00 · b71f8ee636
commit b71f8ee636
parent 31e80e7401
44 changed files with 396 additions and 677 deletions
--- a/hosts/desktop-environment.nix
+++ b/hosts/desktop-environment.nix
@ -0,0 +1,139 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    services = {
+      # Enable the X11 windowing system / wayland depending on DE
+      xserver = {
+        enable = true;
+      };
+
+      libinput.enable = true;
+
+      # flatpak xdg-portal-kde crashes, otherwise this would be global
+      flatpak.enable = true;
+
+      fstrim.enable = true;
+
+      earlyoom = {
+        enable = true;
+        freeMemThreshold = 5;
+      };
+    };
+
+    # Enable sound with pipewire.
+    sound.enable = true;
+    hardware.pulseaudio.enable = false;
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      #jack.enable = true;
+    };
+
+    programs = {
+      kdeconnect.enable = true;
+      firefox = {
+        enable = true;
+        languagePacks = ["en-US" "de"];
+      };
+      nix-ld = {
+        enable = true;
+        libraries = with pkgs; [
+          stdenv.cc.cc
+          zlib
+          zstd
+          curl
+          openssl
+          attr
+          libssh
+          bzip2
+          libxml2
+          acl
+          libsodium
+          util-linux
+          xz
+          systemd
+        ];
+      };
+      appimage = {
+        enable = true;
+        binfmt = true;
+      };
+    };
+
+    networking = {
+      networkmanager.enable = true;
+
+      firewall = {
+        allowedTCPPortRanges = [
+          {
+            # KDE Connect / gsconnect
+            from = 1714;
+            to = 1764;
+          }
+        ];
+        allowedUDPPortRanges = [
+          {
+            # KDE Connect / gsconnect
+            from = 1714;
+            to = 1764;
+          }
+        ];
+      };
+    };
+
+    systemd = {
+      # save some boot time because nothing actually requires network connectivity
+      services.NetworkManager-wait-online.enable = false;
+
+      # prevent stuck units from preventing shutdown (default is 120s)
+      extraConfig = ''
+        DefaultTimeoutStopSec=12s
+      '';
+    };
+
+    environment.systemPackages = with pkgs; [
+      lm_sensors
+
+      # office
+      libreoffice-qt
+      hunspell
+      hunspellDicts.de-de
+      hunspellDicts.en-us-large
+
+      gnumake
+    ];
+
+    nixpkgs.config.permittedInsecurePackages = [];
+
+    my.allowUnfreePackages = [
+      "insync"
+      "insync-pkg"
+
+      "rider"
+      "pycharm-professional"
+      "jetbrains-toolbox"
+
+      "anydesk"
+    ];
+
+    fonts = {
+      enableDefaultPackages = true;
+      fontconfig.defaultFonts.monospace = ["FiraCode Nerd Font"];
+      packages = with pkgs; [
+        (nerdfonts.override {fonts = ["FiraCode"];})
+      ];
+    };
+
+    hardware.logitech.wireless = {
+      enable = true;
+      enableGraphical = true;
+    };
+  };
+}
--- a/hosts/desktop-hardware.nix
+++ b/hosts/desktop-hardware.nix
@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  config = {
+    boot = {
+      kernelPackages = pkgs.linuxPackages_zen;
+      kernelParams = ["quiet" "udev.log_level=3"];
+      supportedFilesystems = ["btrfs"];
+      initrd.supportedFilesystems = ["btrfs"];
+      consoleLogLevel = 0;
+      initrd.verbose = false;
+      plymouth.enable = true;
+      loader = {
+        timeout = 3;
+        efi.canTouchEfiVariables = true;
+        systemd-boot = {
+          enable = true;
+          editor = false; # do not allow changing kernel parameters
+          consoleMode = "max";
+        };
+      };
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+    hardware = {
+      enableRedistributableFirmware = true;
+      bluetooth.enable = true;
+    };
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+    services.fwupd.enable = true;
+  };
+}
--- a/hosts/gaming.nix
+++ b/hosts/gaming.nix
@ -0,0 +1,52 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    hardware = {
+      opengl = {
+        driSupport = true;
+        driSupport32Bit = true;
+        extraPackages = with pkgs; [mangohud];
+        extraPackages32 = with pkgs; [mangohud];
+      };
+
+      steam-hardware.enable = true;
+      xpadneo.enable = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      wineWowPackages.stagingFull
+      wineWowPackages.fonts
+      winetricks
+      dxvk
+      mangohud
+      vulkan-tools
+      glxinfo
+      lutris
+    ];
+
+    programs = {
+      xwayland.enable = true;
+      steam = {
+        enable = true;
+        remotePlay.openFirewall = true;
+        dedicatedServer.openFirewall = true;
+      };
+      gamemode.enable = true;
+    };
+
+    networking.firewall.allowedUDPPorts = [
+      # Factorio
+      34197
+    ];
+
+    my.allowUnfreePackages = [
+      "steam"
+      "steam-original"
+      "steam-run"
+    ];
+  };
+}
--- a/hosts/gnome.nix
+++ b/hosts/gnome.nix
@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    services = {
+      xserver = {
+        # Enable the GNOME Desktop Environment.
+        desktopManager.gnome.enable = true;
+        displayManager = {
+          gdm.enable = true;
+        };
+      };
+
+      displayManager.defaultSession = "gnome";
+
+      gnome = {
+        tracker-miners.enable = false;
+        tracker.enable = false;
+        sushi.enable = true;
+        gnome-remote-desktop.enable = true;
+      };
+    };
+
+    programs = {
+      dconf.enable = true;
+      gpaste.enable = true;
+      kdeconnect.package = pkgs.gnomeExtensions.gsconnect;
+    };
+
+    # remove some gnome default apps
+    environment.gnome.excludePackages = with pkgs.gnome; [
+      cheese # photo booth
+      epiphany # web browser
+      evince # document viewer
+      geary # email client
+      gnome-maps
+      gnome-weather
+      gnome-music
+      pkgs.gnome-tour
+    ];
+
+    environment.systemPackages = with pkgs; [gnome.ghex impression];
+
+    # RDP connections
+    networking.firewall.allowedTCPPorts = [3389];
+  };
+}
--- a/hosts/intel-graphics.nix
+++ b/hosts/intel-graphics.nix
@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  config = {
+    hardware.opengl = {
+      extraPackages = with pkgs; [
+        intel-media-driver
+        vaapiIntel
+        vaapiVdpau
+        libvdpau-va-gl
+        intel-ocl
+      ];
+      extraPackages32 = with pkgs.pkgsi686Linux; [
+        intel-media-driver
+        vaapiIntel
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+    environment.systemPackages = with pkgs; [
+      nvtopPackages.intel
+    ];
+    my.allowUnfreePackages = ["intel-ocl"];
+  };
+}
--- a/hosts/latex.nix
+++ b/hosts/latex.nix
@ -0,0 +1,14 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    environment.systemPackages = with pkgs; [
+      fontconfig
+      texliveFull
+      texstudio
+    ];
+  };
+}
--- a/hosts/printing.nix
+++ b/hosts/printing.nix
@ -0,0 +1,19 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  config = {
+    services = {
+      # Enable CUPS to print documents.
+      printing.enable = true;
+
+      avahi = {
+        enable = true; # runs the Avahi daemon
+        nssmdns4 = true; # enables the mDNS NSS plug-in
+        openFirewall = true; # opens the firewall for UDP port 5353
+      };
+    };
+  };
+}
--- a/hosts/vinzenz-lpt2/default.nix
+++ b/hosts/vinzenz-lpt2/default.nix
@ -0,0 +1,6 @@
+{...}: {
+  imports = [
+    ./hardware.nix
+    ./environment.nix
+  ];
+}
--- a/hosts/vinzenz-lpt2/environment.nix
+++ b/hosts/vinzenz-lpt2/environment.nix
@ -0,0 +1,60 @@
+{pkgs, ...}: {
+  imports = [
+    ../../home
+    ../../home/gnome-home.nix
+    ../../users/vinzenz.nix
+    ../desktop-environment.nix
+    ../gnome.nix
+    ../gaming.nix
+    ../printing.nix
+    ../latex.nix
+  ];
+
+  config = {
+    home-manager.users.vinzenz = import ../../home/vinzenz-home.nix;
+
+    virtualisation = {
+      containers.enable = true;
+      podman = {
+        enable = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
+        autoPrune.enable = true;
+      };
+    };
+
+    users.users.vinzenz.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+    ];
+    #
+    #users.users.ronja.openssh.authorizedKeys.keys = [
+    #  ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
+    #];
+    #
+    services.nginx = {
+      enable = true;
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts = {
+        "vinzenz-lpt2" = {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:3000/";
+            proxyWebsockets = true;
+          };
+
+          serverAliases = ["172.23.42.96"];
+        };
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [80 8001 3000];
+      allowedUDPPorts = [2342];
+    };
+  };
+}
--- a/hosts/vinzenz-lpt2/hardware.nix
+++ b/hosts/vinzenz-lpt2/hardware.nix
@ -0,0 +1,62 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../desktop-hardware.nix
+    ../intel-graphics.nix
+  ];
+  config = {
+    # intel cpu
+    boot.kernelModules = ["kvm-intel"];
+    hardware.cpu.intel.updateMicrocode = true;
+
+    boot.loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+
+    hardware.enableRedistributableFirmware = true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+    boot.initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"];
+      luks.devices = {
+        "luks-2c654ff2-3c42-48d3-a1e3-9545679afaa3" = {
+          device = "/dev/disk/by-uuid/2c654ff2-3c42-48d3-a1e3-9545679afaa3";
+        };
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/e4dad0c8-26a1-45e9-bbd9-48565eb6574e";
+        fsType = "btrfs";
+        options = ["subvol=@"];
+      };
+
+      "/boot" = {
+        device = "/dev/disk/by-uuid/E2B7-2BC1";
+        fsType = "vfat";
+      };
+    };
+
+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 32 * 1024;
+      }
+    ];
+
+    services.thermald.enable = true;
+    services.hardware.bolt.enable = true; # thunderbolt security
+  };
+}