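# NixOS configuration for the host "litten" (litten.brenise.dev): a Plasma
# desktop that also runs Caddy (TLS via the Namecheap DNS challenge) in front of
# several loopback-only services, plus Docker, Syncthing and a Prometheus node
# exporter. Security-relevant choices (host firewall disabled, doas instead of
# sudo, key-only SSH) are explained next to the options that make them.
{ config, pkgs, lib, ... }:
let
  # Add nixpkgs-unstable channel with the following command:
  # nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable && nix-channel --update
  # 09/15/24: Use nixpkgs-unstable for logseq, see https://github.com/NixOS/nixpkgs/pull/340427
  # Currently only referenced from a commented-out package (unstable.logseq) below.
  unstable = import <nixpkgs-unstable> { config = config.nixpkgs.config; };
  host_name = "litten";
  host_fqdn = "${host_name}.brenise.dev";
in
{
  imports = [ ./hardware-configuration.nix ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  nixpkgs.config = {
    # Unfree packages are opted in by name; keep the list explicit so a new
    # unfree dependency cannot slip in unnoticed.
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
      "obsidian"
      "packer"
      "reaper"
      "vscode"
      "terraform"
      "zoom"
      "charlatan3"
    ];
  };

  nixpkgs.overlays = [
    (self: super: {
      # Add jmespath to ansible build inputs
      ansible = super.ansible.overrideAttrs (oldAttrs: {
        propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ [ super.python312Packages.jmespath ];
      });
    })
  ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  hardware = {
    bluetooth.enable = true;
    keyboard.qmk.enable = true;
    graphics = {
      # https://wiki.nixos.org/wiki/Accelerated_Video_Playback
      enable = true;
      extraPackages = with pkgs; [ intel-media-driver ];
    };
  };

  networking = {
    hostName = "${host_name}";
    # networkmanager.enable = true;
    # With the host firewall off, every listening service is reachable from the
    # LAN on whatever address it binds. Services that are only meant to be
    # reached through Caddy are therefore pinned to 127.0.0.1 further down.
    firewall.enable = false;
    interfaces = {
      enp100s0.ipv4.addresses = [{
        address = "192.168.1.35";
        prefixLength = 24;
      }];
    };
    defaultGateway = {
      address = "192.168.1.1";
      interface = "enp100s0";
    };
    # TODO https://nixos.wiki/wiki/Encrypted_DNS
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    extraHosts = ''
      192.168.1.1 shinx.${host_fqdn}
    '';
  };

  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    # keyMap = "us";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  users = {
    groups.glance = {};
    users = {
      # root and blee share one authorized_keys file; with keys provisioned
      # here, SSH password logins are switched off under services.openssh.
      root = {
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
      };
      blee = {
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
        isNormalUser = true;
        # "docker" gives control of the rootful daemon enabled under
        # virtualisation.docker below, which is effectively root on this host;
        # the rootless daemon configured there does not need it.
        extraGroups = [ "wheel" "docker" "glance" ];
        packages = with pkgs; [
          binutils
          chromium
          coreutils # base64
          element-desktop
          firefox
          gimp
          gnumake
          home-manager
          jellyfin-media-player
          kate # kwrite
          kdenlive
          libsForQt5.kcalc
          # unstable.logseq # warning: https://github.com/logseq/logseq/issues/10851#issuecomment-2402925912
          moonlight-qt
          obs-studio
          obsidian
          pavucontrol
          # qbittorrent
          rtorrent
          sq
          synergy
          tenacity
          thunderbird
          tor-browser
          via
          vlc
          vscode
          xcaddy # warning: awfuly hacky
          yt-dlp
          zoom-us
          # Build vim huge with clipboard support
          (vim_configurable.overrideAttrs (oldAttrs: { features = "huge"; }))
          awscli2
          aws-sam-cli # broken, fails to init. use pip install aws-sam-cli
          packer
          terraform
          ansible
          python311
          python311Packages.pip
          python311Packages.ipython
          libreoffice-qt
          hunspell
          hunspellDicts.uk_UA
          hunspellDicts.th_TH
          # postman # nope, auth is broken
          nodejs_20
          yarn
          deno
          nix-init
          nix-tree
          nurl
          # music apps
          reaper
          spek
        ];
      };
      # Dedicated unprivileged account for the glance dashboard service
      # defined under systemd.services.glance.
      glance = {
        isSystemUser = true;
        group = "glance";
        home = "/var/lib/glance";
        createHome = true;
        description = "Glance service user";
        # shell = pkgs.bash;
      };
    };
  };

  # home-manager.users.blee = { };

  environment = {
    systemPackages = with pkgs; [
      # GPU tools
      android-tools
      arp-scan
      cryptsetup
      curl
      difftastic
      dig
      dnscontrol
      dnsutils
      doas
      exiftool
      ffmpeg
      file
      fzf
      git
      go
      htop
      iftop
      imagemagick
      iperf
      jq
      lego
      libressl
      lm_sensors
      mediainfo
      net-snmp # snmpwalk
      netcat
      nettools
      parted
      pass
      pciutils # lspci
      psmisc
      qrencode
      rsync
      screen
      tcpdump
      tmux
      tree
      unzip
      vim
      vulkan-tools
      wget
      whois
      wireguard-tools
      zbar
      zip
    ];
    # pheonix <unit>: restart a systemd unit and follow its journal.
    shellInit = ''
      pheonix() {
        systemctl restart "$1"
        journalctl -fu "$1"
      }
    '';
    plasma5.excludePackages = with pkgs.libsForQt5; [
      plasma-browser-integration
    ];
    etc."gitconfig".text = ''
      [init]
        defaultBranch = main
    '';
    # vscode on Wayland
    #sessionVariables.NIXOS_OZONE_WL = "1";
  };

  programs = {
    appimage = {
      enable = true;
      binfmt = true;
      package = pkgs.appimage-run.override {
        extraPkgs = pkgs: [
          pkgs.libthai # lume
        ];
      };
    };
    # hyprland = {
    #   enable = true;
    #   xwayland.enable = true;
    # };
    fish.enable = true;
    vim = {
      enable = true;
      defaultEditor = true;
    };
    bash = {
      shellAliases = {
        ll = "ls -lAF --classify --group-directories-first";
        l = "ls -lF --classify --group-directories-first";
      };
      # https://nixos.wiki/wiki/Fish
      # Hand interactive bash sessions over to fish, except when bash was
      # started by fish itself or with a -c command string.
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
    mtr.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    kdeconnect.enable = true;
    chromium = {
      enable = true;
      # Managed browser policies: spellcheck and search suggestions off, Kagi
      # as the enforced default search provider.
      extraOpts = {
        "SpellcheckEnabled" = false;
        "DefaultSearchProviderEnabled" = true;
        "DefaultSearchProviderName" = "Kagi";
        "DefaultSearchProviderSearchURL" = "https://kagi.com/search?q={searchTerms}";
        "SearchSuggestEnabled" = false;
        "DefaultSearchProviderSuggestURL" = "";
      };
    };
  };

  security = {
    # doas replaces sudo. Only "blee" may escalate; `persist` skips the
    # password prompt for a while after a successful authentication.
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          users = [ "blee" ];
          persist = true;
        }
      ];
    };
    # pki.certificateFiles = [
    #   "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    #   # "/etc/ssl/certs/dotted-turbans.pem"
    # ];
  };

  services = {
    openssh = {
      enable = true;
      # authorized_keys are provisioned for root and blee under users.users
      # and the host firewall is disabled, so accept public keys only.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
    udev.packages = [ pkgs.via ];
    # https://discourse.nixos.org/t/bluetooth-a2dp-sink-not-showing-up-in-pulseaudio-on-nixos/32447/4?u=bleetube
    pipewire = {
      enable = true;
      pulse.enable = true;
      alsa.enable = true; # for tenacity
      # jack.enable = true; # this might be useful for reaper, but enabling it breaks stereo audio for some reason
    };
    avahi = { # for resolving start9 hostname
      enable = true;
      nssmdns4 = true; # Enable NSS support for mDNS
    };
    syncthing = {
      enable = true;
      user = "blee";
      dataDir = "/home/blee/Documents";
    };
    journald.extraConfig = "MaxRetentionSec=30day";
    # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/monitoring/prometheus/exporters.nix
    prometheus.exporters.node = {
      enable = true;
      port = 8030;
      # Caddy proxies ${host_fqdn}:4430 to 127.0.0.1:8030, so the exporter has
      # no reason to listen on the LAN address (the firewall is disabled).
      listenAddress = "127.0.0.1";
      # openFirewall = true;
      enabledCollectors = [
        "cpu.info"
        "interrupts"
        "netstat"
        "vmstat"
        "systemd"
        "tcpstat"
        "processes"
      ];
    };
    caddy = {
      enable = true;
      # "output discard" drops Caddy's access logs entirely, so there is no
      # request history to consult after the fact; the journal is the only trace.
      logFormat = "output discard";
      # Each vhost terminates TLS with a Namecheap DNS-01 challenge and proxies
      # to a loopback-only backend. The Namecheap credentials come from the
      # systemd EnvironmentFile configured under systemd.services.caddy.
      extraConfig = let
        tlsConfig = ''
          tls {
            dns namecheap {
              api_key {env.NAMECHEAP_API_KEY}
              user {env.NAMECHEAP_API_USER}
              api_endpoint https://api.namecheap.com/xml.response
            }
          }
        '';
      in ''
        ${host_fqdn} {
          # open-webui
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8080
          # handle /files/* {
          #   root /mnt/usb/
          #   file_server browse
          # }
        }
        ${host_fqdn}:4430 {
          # node_exporter
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8030
        }
        ${host_fqdn}:4431 {
          # litellm
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8031
        }
        ${host_fqdn}:4432 {
          # glance
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8032
        }
      '';
    };
    displayManager = {
      sddm.enable = true;
      #defaultSession = "plasmawayland";
    };
    xserver = {
      enable = true;
      desktopManager.plasma5.enable = true;
    };
  };

  systemd = {
    services.caddy = {
      serviceConfig = {
        # Expected to hold NAMECHEAP_API_KEY / NAMECHEAP_API_USER referenced by
        # the Caddyfile above; keep it readable by the caddy service only.
        EnvironmentFile = "/var/src/secrets/namecheap";
        # Runs a caddy binary from /opt/bin instead of the store package
        # (presumably built with the xcaddy listed in blee's packages). That
        # path is mutable: whoever can write /opt/bin controls what this
        # service executes.
        ExecStart = [
          "" # This empty string clears the existing ExecStart commands
          "/opt/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile"
        ];
        ExecReload = [
          "" # This empty string clears the existing ExecReload commands
          "/opt/bin/caddy reload --config /etc/caddy/caddy_config --adapter caddyfile --force"
        ];
      };
    };
    # Glance dashboard, run as its own system user from /var/lib/glance;
    # reached through Caddy on ${host_fqdn}:4432 -> 127.0.0.1:8032.
    services.glance = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        User = "glance";
        Group = "glance";
        WorkingDirectory = "/var/lib/glance";
        # Environment = "LOG_LEVEL=debug"; # https://github.com/glanceapp/glance/issues/196
        ExecStart = "${pkgs.glance}/bin/glance --config config.yaml";
      };
    };
    # TODO: fix errors
    # services.nightly-backups = {
    #   description = "Nightly Backup Service";
    #   wantedBy = [ "multi-user.target" ];
    #   after = [ "network.target" ];
    #   # enable = false; # testing
    #   serviceConfig = {
    #     User = "blee";
    #     Type = "oneshot";
    #     Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
    #     WorkingDirectory = "/home/blee/ops/brenise.dev/scripts/backups";
    #     # batch.sh calls other shell scripts which leads to nix environment hell.
    #     # As a workaround, I think we could add multiple ExecStart lines for other backup scripts.
    #     # ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/batch.sh";
    #     ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/hosts/litten.brenise.dev.sh";
    #     # Path = [
    #     #   "${pkgs.openssh}/bin"
    #     #   "${pkgs.coreutils}/bin"
    #     #   "${pkgs.gnugrep}/bin"
    #     #   "${pkgs.gnused}/bin"
    #     # ];
    #   };
    # };
    # timers.nightly-backups = {
    #   wantedBy = [ "timers.target" ];
    #   partOf = [ "nightly-backups.service" ];
    #   timerConfig = {
    #     OnCalendar = "daily";
    #     nCalendar = "*-*-* 03:00:00";
    #     # Persistent = true;
    #     Unit = "nightly-backups.service";
    #   };
    # };
    # Runs as blee (not a dedicated user) and starts `nix-shell` in
    # /opt/open-webui; presumably the shell.nix there launches the app that
    # Caddy proxies to on 127.0.0.1:8080 — verify against that directory.
    services.open-webui = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        Type = "forking";
        User = "blee";
        WorkingDirectory = "/opt/open-webui";
        Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
      };
      script = "${pkgs.nix}/bin/nix-shell";
    };
  };

  # Both the rootful daemon (enable) and the rootless one are configured;
  # rootless sets DOCKER_HOST for users so their containers do not need the
  # privileged daemon.
  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
    autoPrune = {
      enable = true;
      dates = "monthly";
    };
  };

  system.stateVersion = "23.05";
}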