{ config, pkgs, ... }:

# NixOS host configuration: bootloader, desktop (Plasma/SDDM), sound, shell,
# Tailscale + Mullvad, and a hand-written nftables host firewall.
{
  imports = [
    # where are we ?
    #./wollomi.nix
    # ./adrift.nix
    ./quiver.nix
    # home manager should exist for users
    ./cachix.nix
    # declarative cachix
    # NOTE(review): this pulls whatever the repository's master branch contains
    # at evaluation time, with no revision and no hash, so the imported module
    # is neither reproducible nor integrity-checked. Pinning to a commit and
    # adding a sha256 would make the fetch verifiable.
    (import (builtins.fetchTarball "https://github.com/jonascarpay/declarative-cachix/archive/master.tar.gz"))
  ];
  cachix = [ "nix-community" ];

  nix.extraOptions = ''
    experimental-features = nix-command flakes
    keep-outputs = true
    keep-derivations = true
  '';

  environment.pathsToLink = [ "/share/zsh" ];

  # Bootloader and kernel.
  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        configurationLimit = 2;
        consoleMode = "max";
      };
      timeout = 3;
    };
    kernelPackages = pkgs.linuxPackages_xanmod_latest;
    tmpOnTmpfs = true;
  };

  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.

  time = {
    timeZone = "Australia/Sydney";
    hardwareClockInLocalTime = true;
  };

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_AU.UTF-8";
    supportedLocales = [ "en_AU.UTF-8/UTF-8" ];
  };
  console = {
    font = "Lat2-Terminus16";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  nixpkgs.config.allowUnfree = true;

  hardware.opengl = {
    enable = true;
    driSupport32Bit = true;
  };

  #input stuff
  # services.xserver.xkbOptions = {
  #   "eurosign:e";
  #   "caps:escape" # map caps to escape.
  # };
  services.xserver = {
    enable = true;
    layout = "us";
    libinput.enable = true;

    # kde time
    desktopManager.plasma5 = {
      enable = true;
      runUsingSystemd = true;
    };
    displayManager.sddm = {
      enable = true;
      # The theme source is pinned by revision and sha256, so this fetch is
      # reproducible and content-verified.
      theme = "${(pkgs.fetchFromGitHub {
        owner = "EricKotato";
        repo = "sddm-slice";
        rev = "763b8f4e01c00c1f8590fc7a103e14f6e8449443";
        sha256 = "sha256-UW53ZdKb3RSrrcZ9GxZsJyjzS/uKR8lkaLLyi+2o27U=";
      })}";
      autoNumlock = true;
      settings.General.InputMethod = "";
    };
  };
  programs.dconf.enable = true;

  services.resolved = {
    enable = true;
    # Resolvers used only when none are learned from the network.
    fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
  };

  # Enable sound.
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    jack.enable = true;
  };

  # gtk compatibility
  qt5 = {
    enable = true;
    platformTheme = "kde";
    #style = "gtk2";
  };

  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;

  services.tailscale.enable = true;
  services.mullvad-vpn.enable = true;

  environment.systemPackages = with pkgs; [
    rnix-lsp
    tailscale
    mullvad
    mullvad-vpn
    cachix
    helix
    ark
    curl
    home-manager
    git
    zsh
  ];

  # Host firewall, written directly as nftables; the NixOS firewall module is
  # disabled further down so it does not compete with this ruleset.
  networking.nftables = {
    enable = true;
    # Two tables:
    #  - `mullvad-ts` only tags packets. Anything leaving for 100.64.0.0/10 or
    #    100.100.100.100 (including DNS to the latter), and anything arriving
    #    on tailscale0, gets ct mark 0x00000f41 and packet mark 0x6d6f6c65 —
    #    presumably the marks Mullvad's split-tunnel logic honours so that
    #    Tailscale traffic bypasses the VPN tunnel; confirm against the Mullvad
    #    daemon in use.
    #  - `filter` is the real host firewall. Input drops by default and admits
    #    only established/related flows, everything from tailscale0, loopback,
    #    ICMP/ICMPv6 and TCP 22. Note the SSH rule carries no interface match,
    #    so port 22 is reachable from every interface, not just the tailnet.
    #    Forward drops everything.
    ruleset = ''
      table inet mullvad-ts {
        chain exclude-outgoing {
          type route hook output priority 0; policy accept;
          ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          ip daddr 100.100.100.100 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
        chain allow-incoming {
          type filter hook input priority -10; policy accept;
          iif "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
        chain exclude-dns {
          type filter hook output priority -10; policy accept;
          ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
      }
      table inet filter {
        chain input {
          type filter hook input priority 0; policy drop;
          ct state invalid counter drop comment "early drop of invalid packets"
          ct state {established, related} counter accept comment "accept all connections related to connections made by us"
          iifname "tailscale0" accept comment "allow all tailscale packets"
          iif lo accept comment "accept loopback"
          ip protocol icmp counter accept comment "accept all ICMP types"
          ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
          tcp dport 22 counter accept comment "accept SSH"
          counter comment "count dropped packets"
        }
        chain forward {
          type filter hook forward priority 0; policy drop;
        }
      }
    '';
  };
  # With the module off, options such as networking.firewall.allowedTCPPorts
  # set elsewhere have no effect; all port exposure lives in the ruleset above.
  networking.firewall.enable = false;
  # networking.firewall = {
  #   trustedInterfaces = [ "tailscale0" ];
  #   checkReversePath = "loose";
  # };

  system.stateVersion = "22.05"; # Did you read the comment?
}