mogorman · July 17, 2020 18:53
diff --git a/configuration.nix b/configuration.nix
 { config, lib, pkgs, ... }:

 let
  home-manager = builtins.fetchTarball {
    url = "https://github.com/rycee/home-manager/archive/master.tar.gz";
  };

  impermanence = builtins.fetchTarball {
    url =
      "https://github.com/nix-community/impermanence/archive/master.tar.gz";
  };

  emacs = builtins.fetchTarball {
      url = https://github.com/nix-community/emacs-overlay/archive/master.tar.gz;
    };
 in
 {
  imports =
    [
      <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
      "${home-manager}/nixos"
      "${impermanence}/nixos.nix"
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "none";
      fsType = "tmpfs";
      neededForBoot = true;
      options = [ "defaults" "size=8G" "mode=755" ];
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/C3B6-791C";
      fsType = "vfat";
    };

  fileSystems."/nix" =
    { device = "/dev/disk/by-uuid/cf578d60-babe-4bd1-aa25-8d8e99006baf";
      neededForBoot = true;
      fsType = "ext4";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/47628b11-4fc1-48a2-80a4-aa52ea923955"; }
    ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  system.stateVersion = "20.03"; # Did you read the comment?
  networking.hostName = "dent";

  time.timeZone = "US/Eastern";

  networking.networkmanager.enable = true;

  boot.initrd.luks.gpgSupport = true;
  boot.initrd.luks.devices = {
    root = {
      device = "/dev/sda2";
      preLVM = true;
      allowDiscards = true;
      gpgCard = {
        gracePeriod = 25;
        encryptedPass = "${/nix/persist/boot_pass/pass.gpg}";
        publicKey = "${/nix/persist/boot_pass/mog.asc}";
      };
    };
  };

  hardware.nitrokey.enable = true;
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  security.pam.enableSSHAgentAuth = true;

  environment.etc."vim/vimrc".text = ''
    set nocompatible
    syntax on
    set backspace=indent,eol,start
    set mouse-=a
  '';


  systemd.tmpfiles.rules = [
    "L /var/lib/bluetooth - - - - /nix/persist/var/lib/bluetooth"
    "L /etc/NetworkManager/system-connections - - - - /nix/persist/etc/NetworkManager/system-connections"
  ];

  environment.etc."machine-id".source = "/nix/persist/etc/machine-id";
  environment.etc."nixos".source = "/nix/persist/etc/nixos";

  environment.etc."ssh/ssh_host_rsa_key".source
    = "/nix/persist/etc/ssh/ssh_host_rsa_key";
  environment.etc."ssh/ssh_host_rsa_key.pub".source
    = "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
  environment.etc."ssh/ssh_host_ed25519_key".source
    = "/nix/persist/etc/ssh/ssh_host_ed25519_key";
  environment.etc."ssh/ssh_host_ed25519_key.pub".source
    = "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";

  environment.persistence."/nix/persist" = {
    directories = [
       "/mog"
    ];
    files = [
    ];
  };

  users.mutableUsers = false;
  users.users.mog = {
    isNormalUser = true;
    createHome = true;
    group = "users";
    extraGroups = [ "networkmanager" "wheel" "dialout" "vboxusers" "docker" "libvirtd" "nitrokey" "plugdev" ];
    uid = 1000;
    hashedPassword = "$6$ejVrOQWib3P9U$vJcq2KH.sJsgEMvX9iqNmWUiyumI25d7ap2fwNt9k0FBVrZZhis5P/lQBt/3I8m4HiR9aOSnW.DNhagVMJD..0";
  };
  home-manager.users.mog = { pkgs, ... }: {
    imports = [ "${impermanence}/home-manager.nix" ];

    programs.home-manager.enable = true;

    home.persistence."/nix/persist/home/mog" = {
      directories = [
        ".ssh" ".gnupg/private-keys-v1.d" ".gnupg/openpgp-revocs.d" "Downloads" "code" "downloads"
        ".config/dconf" ".config/hexchat" ".config/gnome-initial-setup-done"
        ".config/vlc" ".config/gtk-3.0" ".config/goa-1.0" ".config/Signal" ".config/Slack"
        ".cache/mozilla" ".mozilla"
        ".local/share/keyrings"
        ".local/share/gnome-settings-daemon"
        ".local/share/gnome-shell"
      ];
      files = [ ".bash_history" ".gnupg/pubring.gpg" ".gnupg/secring.gpg" ".gnupg/trustdb.gpg" ];
    };
    programs.gpg.enable = true;
    services.gpg-agent = {
      enable = true;
      enableExtraSocket = true;
      enableSshSupport = true;
    };
    programs.direnv.enable = true;
    programs.fzf.enable = true;
    programs.command-not-found.enable = true;
    programs.bash = {
      enable = true;
      historyControl = [ "erasedups" "ignoredups" "ignorespace" ];
      initExtra = ''
        export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
      '';
    };
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.editor = false;

  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking.useDHCP = false;
  networking.interfaces.wlan0.useDHCP = false;

  services.udev = {
    extraRules = ''
        ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="34:13:e8:37:5c:fd", NAME="wlan0"
        # Rule for USB Receiver
        SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c53e", MODE="0660", TAG+="uaccess", GROUP="dialout"

        # Rule when connected via Bluetooth
        # Updated rule, thanks to Torsten Maehne (https://github.com/maehne)
        SUBSYSTEMS=="input", ATTRS{name}=="SPOTLIGHT*", MODE="0660", TAG+="uaccess", GROUP="dialout"
      '';
    };

  services.tlp.enable = true;
  services.tlp.extraConfig = ''
    USB_BLACKLIST="1d50:60e6 20a0:4108"
  '';

  services.openssh.enable = true;
  services.blueman.enable = true;
  virtualisation.docker.enable = true;
  networking.firewall.enable = false;

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.wacom.enable = true;
  services.xserver.libinput.enable = true;
  services.xserver.modules = [ pkgs.xf86_input_wacom ];
  environment.variables = { MOZ_USE_XINPUT2="1"; };

  services.xserver.layout = "us";
  services.printing.enable = true;

  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome3.enable = true;

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;

  hardware.pulseaudio.package = pkgs.pulseaudioFull;
  hardware.bluetooth.enable = true;

  services.logind.lidSwitch = "lock";
  services.logind.lidSwitchDocked = "lock";
  services.logind.lidSwitchExternalPower = "lock";

  services.fstrim.enable = true;
  services.fstrim.interval = "daily";

  # Enable Wireguard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "192.168.255.5/24" ];
      privateKeyFile = "/nix/persist/wireguard/wireguard-private";

      peers = [
        {
          publicKey = "U++AMnQZh5xnD2GL5ORgj1DTsu7CYvdy4akUMvD4yj8=";

          allowedIPs = [ "192.168.255.0/24" ];
          endpoint = "home.rldn.net:51820";

          persistentKeepalive = 25;
        }
      ];
    };
  };

  services.avahi.enable = true;
  services.avahi.nssmdns = true;
  services.lorri.enable = true;

  nixpkgs.overlays = [
    (import (builtins.fetchTarball {
      url = https://github.com/nix-community/emacs-overlay/archive/master.tar.gz;
    }))
  ];

  environment.systemPackages = with pkgs; [
    vim
    firefox
    direnv
    lorri
    binutils-unwrapped

    onboard
    gnome3.gnome-tweak-tool
    xorg.xeyes
    vlc
    hexchat
    signal-desktop
    slack
    zoom-us
    gpa

    gnome3.evolution
    evolution-ews
    gnomeExtensions.night-theme-switcher
    gnomeExtensions.caffeine
    gnomeExtensions.clipboard-indicator
    gnomeExtensions.appindicator
    gnomeExtensions.drop-down-terminal
    tilix

    fzf
    gitAndTools.gitFull
  ];

  nixpkgs.config = {
    pulseaudio = true;
    allowUnfree = true;

    packageOverrides = super: let self = super.pkgs; in {
      steam = super.steam.override {
        extraPkgs = p: with p; [
          glxinfo        # for diagnostics
          nettools       # for `hostname`, which some scripts expect
        ];
      };
      mplayer = super.mplayer.override {
        pulseSupport = true;
      };
    };
  };

  programs.bash.enableCompletion = true;

  console.keyMap = "us";
  console.font = "Lat2-Terminus16";
  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  fonts = {
    enableFontDir = true;
    enableGhostscriptFonts = true;
    fonts = with pkgs; [
      inconsolata  # monospaced
      ubuntu_font_family  # Ubuntu fonts
      unifont # some international languages
      corefonts
      mononoki
      victor-mono
      ankacoder
      ankacoder-condensed
      terminus_font
      terminus_font_ttf
    ];
  };
 }
	{ config, lib, pkgs, ... }:

	let
	home-manager = builtins.fetchTarball {
	url = "https://github.com/rycee/home-manager/archive/master.tar.gz";
	};

	impermanence = builtins.fetchTarball {
	url =
	"https://github.com/nix-community/impermanence/archive/master.tar.gz";
	};

	emacs = builtins.fetchTarball {
	url = https://github.com/nix-community/emacs-overlay/archive/master.tar.gz;
	};
	in
	{
	imports =
	[
	<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
	"${home-manager}/nixos"
	"${impermanence}/nixos.nix"
	];

	boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
	boot.initrd.kernelModules = [ "dm-snapshot" ];
	boot.kernelModules = [ "kvm-intel" ];
	boot.extraModulePackages = [ ];

	fileSystems."/" =
	{ device = "none";
	fsType = "tmpfs";
	neededForBoot = true;
	options = [ "defaults" "size=8G" "mode=755" ];
	};

	fileSystems."/boot" =
	{ device = "/dev/disk/by-uuid/C3B6-791C";
	fsType = "vfat";
	};

	fileSystems."/nix" =
	{ device = "/dev/disk/by-uuid/cf578d60-babe-4bd1-aa25-8d8e99006baf";
	neededForBoot = true;
	fsType = "ext4";
	};

	swapDevices =
	[ { device = "/dev/disk/by-uuid/47628b11-4fc1-48a2-80a4-aa52ea923955"; }
	];

	nix.maxJobs = lib.mkDefault 4;
	powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

	system.stateVersion = "20.03"; # Did you read the comment?
	networking.hostName = "dent";

	time.timeZone = "US/Eastern";

	networking.networkmanager.enable = true;

	boot.initrd.luks.gpgSupport = true;
	boot.initrd.luks.devices = {
	root = {
	device = "/dev/sda2";
	preLVM = true;
	allowDiscards = true;
	gpgCard = {
	gracePeriod = 25;
	encryptedPass = "${/nix/persist/boot_pass/pass.gpg}";
	publicKey = "${/nix/persist/boot_pass/mog.asc}";
	};
	};
	};

	hardware.nitrokey.enable = true;
	programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
	security.pam.enableSSHAgentAuth = true;

	environment.etc."vim/vimrc".text = ''
	set nocompatible
	syntax on
	set backspace=indent,eol,start
	set mouse-=a
	'';


	systemd.tmpfiles.rules = [
	"L /var/lib/bluetooth - - - - /nix/persist/var/lib/bluetooth"
	"L /etc/NetworkManager/system-connections - - - - /nix/persist/etc/NetworkManager/system-connections"
	];

	environment.etc."machine-id".source = "/nix/persist/etc/machine-id";
	environment.etc."nixos".source = "/nix/persist/etc/nixos";

	environment.etc."ssh/ssh_host_rsa_key".source
	= "/nix/persist/etc/ssh/ssh_host_rsa_key";
	environment.etc."ssh/ssh_host_rsa_key.pub".source
	= "/nix/persist/etc/ssh/ssh_host_rsa_key.pub";
	environment.etc."ssh/ssh_host_ed25519_key".source
	= "/nix/persist/etc/ssh/ssh_host_ed25519_key";
	environment.etc."ssh/ssh_host_ed25519_key.pub".source
	= "/nix/persist/etc/ssh/ssh_host_ed25519_key.pub";

	environment.persistence."/nix/persist" = {
	directories = [
	"/mog"
	];
	files = [
	];
	};

	users.mutableUsers = false;
	users.users.mog = {
	isNormalUser = true;
	createHome = true;
	group = "users";
	extraGroups = [ "networkmanager" "wheel" "dialout" "vboxusers" "docker" "libvirtd" "nitrokey" "plugdev" ];
	uid = 1000;
	hashedPassword = "$6$ejVrOQWib3P9U$vJcq2KH.sJsgEMvX9iqNmWUiyumI25d7ap2fwNt9k0FBVrZZhis5P/lQBt/3I8m4HiR9aOSnW.DNhagVMJD..0";
	};
	home-manager.users.mog = { pkgs, ... }: {
	imports = [ "${impermanence}/home-manager.nix" ];

	programs.home-manager.enable = true;

	home.persistence."/nix/persist/home/mog" = {
	directories = [
	".ssh" ".gnupg/private-keys-v1.d" ".gnupg/openpgp-revocs.d" "Downloads" "code" "downloads"
	".config/dconf" ".config/hexchat" ".config/gnome-initial-setup-done"
	".config/vlc" ".config/gtk-3.0" ".config/goa-1.0" ".config/Signal" ".config/Slack"
	".cache/mozilla" ".mozilla"
	".local/share/keyrings"
	".local/share/gnome-settings-daemon"
	".local/share/gnome-shell"
	];
	files = [ ".bash_history" ".gnupg/pubring.gpg" ".gnupg/secring.gpg" ".gnupg/trustdb.gpg" ];
	};
	programs.gpg.enable = true;
	services.gpg-agent = {
	enable = true;
	enableExtraSocket = true;
	enableSshSupport = true;
	};
	programs.direnv.enable = true;
	programs.fzf.enable = true;
	programs.command-not-found.enable = true;
	programs.bash = {
	enable = true;
	historyControl = [ "erasedups" "ignoredups" "ignorespace" ];
	initExtra = ''
	export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
	'';
	};
	};

	boot.loader.systemd-boot.enable = true;
	boot.loader.efi.canTouchEfiVariables = true;
	boot.loader.systemd-boot.editor = false;

	boot.kernelPackages = pkgs.linuxPackages_latest;

	networking.useDHCP = false;
	networking.interfaces.wlan0.useDHCP = false;

	services.udev = {
	extraRules = ''
	ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="34:13:e8:37:5c:fd", NAME="wlan0"
	# Rule for USB Receiver
	SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c53e", MODE="0660", TAG+="uaccess", GROUP="dialout"

	# Rule when connected via Bluetooth
	# Updated rule, thanks to Torsten Maehne (https://github.com/maehne)
	SUBSYSTEMS=="input", ATTRS{name}=="SPOTLIGHT*", MODE="0660", TAG+="uaccess", GROUP="dialout"
	'';
	};

	services.tlp.enable = true;
	services.tlp.extraConfig = ''
	USB_BLACKLIST="1d50:60e6 20a0:4108"
	'';

	services.openssh.enable = true;
	services.blueman.enable = true;
	virtualisation.docker.enable = true;
	networking.firewall.enable = false;

	# Enable the X11 windowing system.
	services.xserver.enable = true;
	services.xserver.wacom.enable = true;
	services.xserver.libinput.enable = true;
	services.xserver.modules = [ pkgs.xf86_input_wacom ];
	environment.variables = { MOZ_USE_XINPUT2="1"; };

	services.xserver.layout = "us";
	services.printing.enable = true;

	services.xserver.displayManager.gdm.enable = true;
	services.xserver.desktopManager.gnome3.enable = true;

	sound.enable = true;
	hardware.pulseaudio.enable = true;
	hardware.opengl.driSupport32Bit = true;
	hardware.pulseaudio.support32Bit = true;

	hardware.pulseaudio.package = pkgs.pulseaudioFull;
	hardware.bluetooth.enable = true;

	services.logind.lidSwitch = "lock";
	services.logind.lidSwitchDocked = "lock";
	services.logind.lidSwitchExternalPower = "lock";

	services.fstrim.enable = true;
	services.fstrim.interval = "daily";

	# Enable Wireguard
	networking.wireguard.interfaces = {
	wg0 = {
	ips = [ "192.168.255.5/24" ];
	privateKeyFile = "/nix/persist/wireguard/wireguard-private";

	peers = [
	{
	publicKey = "U++AMnQZh5xnD2GL5ORgj1DTsu7CYvdy4akUMvD4yj8=";

	allowedIPs = [ "192.168.255.0/24" ];
	endpoint = "home.rldn.net:51820";

	persistentKeepalive = 25;
	}
	];
	};
	};

	services.avahi.enable = true;
	services.avahi.nssmdns = true;
	services.lorri.enable = true;

	nixpkgs.overlays = [
	(import (builtins.fetchTarball {
	url = https://github.com/nix-community/emacs-overlay/archive/master.tar.gz;
	}))
	];

	environment.systemPackages = with pkgs; [
	vim
	firefox
	direnv
	lorri
	binutils-unwrapped

	onboard
	gnome3.gnome-tweak-tool
	xorg.xeyes
	vlc
	hexchat
	signal-desktop
	slack
	zoom-us
	gpa

	gnome3.evolution
	evolution-ews
	gnomeExtensions.night-theme-switcher
	gnomeExtensions.caffeine
	gnomeExtensions.clipboard-indicator
	gnomeExtensions.appindicator
	gnomeExtensions.drop-down-terminal
	tilix

	fzf
	gitAndTools.gitFull
	];

	nixpkgs.config = {
	pulseaudio = true;
	allowUnfree = true;

	packageOverrides = super: let self = super.pkgs; in {
	steam = super.steam.override {
	extraPkgs = p: with p; [
	glxinfo # for diagnostics
	nettools # for `hostname`, which some scripts expect
	];
	};
	mplayer = super.mplayer.override {
	pulseSupport = true;
	};
	};
	};

	programs.bash.enableCompletion = true;

	console.keyMap = "us";
	console.font = "Lat2-Terminus16";
	i18n = {
	defaultLocale = "en_US.UTF-8";
	};

	fonts = {
	enableFontDir = true;
	enableGhostscriptFonts = true;
	fonts = with pkgs; [
	inconsolata # monospaced
	ubuntu_font_family # Ubuntu fonts
	unifont # some international languages
	corefonts
	mononoki
	victor-mono
	ankacoder
	ankacoder-condensed
	terminus_font
	terminus_font_ttf
	];
	};
	}