{ config, pkgs, ... }:

# NixOS system module for a Plasma desktop host: systemd-boot, XanMod kernel,
# pipewire audio, Tailscale + Mullvad VPN, and a hand-written nftables ruleset
# that replaces the stock NixOS firewall. Host-specific hardware lives in the
# imported quiver.nix.
{
  imports = [
    # where are we ?
    #./wollomi.nix
    # ./adrift.nix
    ./quiver.nix

    # Home Manager as a NixOS module so per-user config is managed alongside the
    # system config. `<...>` paths resolve through NIX_PATH, i.e. the channel
    # registered on this machine.
    <home-manager/nixos>

    ./cachix.nix

    # Declarative cachix.
    # NOTE(review): this fetches the tip of `master` with no hash, so every
    # evaluation downloads whatever the repository currently serves and nothing
    # verifies it. Pin it the way the sddm theme below is pinned, e.g.
    #   (import (builtins.fetchTarball {
    #     url = "https://github.com/jonascarpay/declarative-cachix/archive/<REV>.tar.gz";
    #     sha256 = "<HASH>";
    #   }))
    (import (builtins.fetchTarball "https://github.com/jonascarpay/declarative-cachix/archive/master.tar.gz"))
  ];

  # Binary caches configured through the declarative-cachix module imported above.
  cachix = [ "nix-community" ];

  # Written into nix.conf; keep-outputs/keep-derivations stop the GC from
  # collecting build-time dependencies of live outputs.
  nix.extraOptions = ''
    experimental-features = nix-command flakes
    keep-outputs = true
    keep-derivations = true
  '';

  # Expose zsh completions shipped by packages under the system profile.
  environment.pathsToLink = [ "/share/zsh" ];

  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        # Only the two newest generations are offered in the boot menu.
        configurationLimit = 2;
        consoleMode = "max";
      };
      timeout = 3;
    };
    # Out-of-tree XanMod kernel instead of the nixpkgs default.
    kernelPackages = pkgs.linuxPackages_xanmod_latest;
    # /tmp is memory-backed and therefore empty after every boot.
    tmpOnTmpfs = true;
  };

  networking = {
    networkmanager.enable = true; # Easiest to use and most distros use this by default.

    # Two tables:
    #  * mullvad-ts marks Tailscale traffic (the 100.64.0.0/10 CGNAT range it
    #    allocates from, its 100.100.100.100 resolver, and anything arriving on
    #    tailscale0) so it can be kept out of the Mullvad tunnel. The mark
    #    values are assumed to be the ones the Mullvad client honours for
    #    split tunnelling -- confirm against the client version in use.
    #  * filter is a default-drop input policy: established/related, anything
    #    on tailscale0, loopback, ICMP/ICMPv6 and TCP/22 are accepted, nothing
    #    is forwarded, and outbound traffic is unrestricted (no output chain).
    # NOTE(review): the SSH rule is not bound to an interface, so if sshd is
    # enabled elsewhere it is reachable from every network this host joins,
    # not only the tailnet; add `iifname "tailscale0"` to that rule if the
    # tailnet is the only intended path.
    nftables = {
      enable = true;
      ruleset = ''
        table inet mullvad-ts {
          chain exclude-outgoing {
            type route hook output priority 0; policy accept;
            ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr 100.100.100.100 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }

          chain allow-incoming {
            type filter hook input priority -10; policy accept;
            iif "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }

          chain exclude-dns {
            type filter hook output priority -10; policy accept;
            ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }

        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            ct state invalid counter drop comment "early drop of invalid packets"
            ct state {established, related} counter accept comment "accept all connections related to connections made by us"
            iifname "tailscale0" accept comment "allow all tailscale packets"
            iif lo accept comment "accept loopback"
            ip protocol icmp counter accept comment "accept all ICMP types"
            ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
            tcp dport 22 counter accept comment "accept SSH"
            counter comment "count dropped packets"
          }

          chain forward {
            type filter hook forward priority 0; policy drop;
          }

        }
      '';
    };

    # The stock NixOS firewall is off because the ruleset above replaces it
    # wholesale. That also means the options it would have provided (the
    # commented trustedInterfaces / checkReversePath below) are not applied;
    # confirm the missing reverse-path check is intended.
    firewall.enable = false;
    # networking.firewall = {
    #   trustedInterfaces = [ "tailscale0" ];
    #   checkReversePath = "loose";
    # };
  };

  time = {
    timeZone = "Australia/Sydney";
    # RTC kept in local time -- presumably to coexist with a dual-booted
    # Windows install; confirm before changing.
    hardwareClockInLocalTime = true;
  };

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_AU.UTF-8";
    supportedLocales = [ "en_AU.UTF-8/UTF-8" ];
  };

  console = {
    font = "Lat2-Terminus16";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  nixpkgs.config.allowUnfree = true;

  hardware.opengl = {
    enable = true;
    driSupport32Bit = true; # 32-bit DRI for 32-bit applications
  };

  services = {
    xserver = {
      enable = true;
      layout = "us";
      libinput.enable = true;

      #input stuff
      # xkbOptions = {
      #   "eurosign:e";
      #   "caps:escape" # map caps to escape.
      # };

      # kde time
      desktopManager.plasma5 = {
        enable = true;
        runUsingSystemd = true;
      };

      displayManager.sddm = {
        enable = true;
        # Theme pinned to an exact revision and content hash -- the pattern the
        # declarative-cachix import above should follow too.
        theme = "${pkgs.fetchFromGitHub {
          owner = "EricKotato";
          repo = "sddm-slice";
          rev = "763b8f4e01c00c1f8590fc7a103e14f6e8449443";
          sha256 = "sha256-UW53ZdKb3RSrrcZ9GxZsJyjzS/uKR8lkaLLyi+2o27U=";
        }}";
        autoNumlock = true;
        settings.General.InputMethod = "";
      };
    };

    resolved = {
      enable = true;
      # Consulted only when no DNS server has been learned from any link.
      fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
    };

    # Enable sound.
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };

    tailscale.enable = true;
    mullvad-vpn.enable = true;
  };

  # rtkit lets pipewire obtain realtime scheduling priority.
  security.rtkit.enable = true;

  # gtk compatibility
  qt5 = {
    enable = true;
    platformTheme = "kde";
    #style = "gtk2";
  };

  programs = {
    zsh.enable = true;
    dconf.enable = true;
  };
  users.defaultUserShell = pkgs.zsh;

  environment.systemPackages = with pkgs; [
    rnix-lsp
    tailscale
    mullvad
    mullvad-vpn
    cachix
    helix
    ark
    curl
    home-manager
    git
    zsh
  ];

  system.stateVersion = "22.05"; # Did you read the comment?
}