#+title: NixOS System Configurations
#+PROPERTY: header-args :mkdirp yes

* Systems

I have opted to use NixOS for my systems moving forward. You can read a bit more about this move [[https://blog.gabrielsimmer.com/posts/from-guix-to-nixos][here]]. I haven't dabbled with custom configuration too much, so this is pretty close to the default configuration.

** London

London is my primary desktop. Be sure to import the hardware configuration the NixOS installer generates.

#+begin_src nix :tangle nix/configuration.nix
# Tangled in ../Systems.org
{ config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];
#+end_src

The bootloader is GRUB so I can dual boot Windows. =enableCryptodisk= is annoying but apparently necessary.

#+begin_src nix :tangle nix/configuration.nix
  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "nodev";
    useOSProber = true;
    efiSupport = true;
    enableCryptodisk = true;
    canTouchEfiVariables = true;
    efiSysMountPoint = "/boot/efi";
  };
#+end_src

Basic system stuff that I won't really touch by hand. Importantly, this enables Nix flakes.

#+begin_src nix :tangle nix/configuration.nix
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.kernelPackages = pkgs.linuxPackages_6_0;

  # Setup keyfile
  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };

  # Enable swap on luks
  boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".device = "/dev/disk/by-uuid/63100442-37df-4579-a787-cb2f2c67b3d1";
  boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".keyFile = "/crypto_keyfile.bin";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.utf8";
#+end_src

Networking stuff. I use Tailscale as a mesh VPN, and Mullvad for "privacy".

#+begin_src nix :tangle nix/configuration.nix
  networking.hostName = "LONDON"; # Define your hostname.
  # Enable networking
  networking.networkmanager.enable = true;
  systemd.services.NetworkManager-wait-online.enable = false;
  networking.firewall.checkReversePath = "loose";
  networking.firewall.allowedTCPPorts = [ 3389 ]; # for RDP
  services.mullvad-vpn.enable = true;
  services.tailscale.enable = true;
#+end_src

Next, X11! I haven't quite made the switch to Wayland. Theoretically Plasma supports it, but it doesn't seem to want to work. Long term I want to run Sway on an ultrawide. I also enable RDP in case I need to remote back into my desktop (if I can't use SSH for whatever reason). The Nvidia drivers are also enabled here.

#+begin_src nix :tangle nix/configuration.nix
  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the KDE Plasma Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

  services.xrdp.enable = true;
  services.xrdp.defaultWindowManager = "startplasma-x11";

  # Configure keymap in X11
  services.xserver = {
    layout = "us";
    xkbVariant = "";
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.opengl.enable = true;
#+end_src

Basic user setup. I use home-manager for my profile applications, so the system user only gets vim and that's it (I actually use Emacs, but it doesn't hurt to have a fallback).

#+begin_src nix :tangle nix/configuration.nix
  programs.zsh.enable = true;
  environment.shells = with pkgs; [ zsh ];

  users.users.gsimmer = {
    shell = pkgs.zsh;
    isNormalUser = true;
    description = "Gabriel Simmer";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [ vim ];
  };
#+end_src

Misc. utilities: printing, sound, Docker, Steam, fonts. Why is Steam installed at a system level? I don't know. I think I got confused. This will be moved to home-manager at some point.
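The networking block above opens TCP 3389 for xrdp on every interface, not only the Tailscale one, so RDP is reachable from the LAN and from any other network the desktop joins. The following is an added example rather than part of this configuration: it admits 3389 only on packets arriving over the Tailscale interface. It assumes the NixOS defaults of ="tailscale0"= for =services.tailscale.interfaceName= and 3389 for =services.xrdp.port=, and that Tailscale and xrdp are enabled as in the London block.

```nix
# Added example; not part of the London configuration above.
# Assumes NixOS defaults: services.tailscale.interfaceName = "tailscale0"
# and services.xrdp.port = 3389, with both services enabled elsewhere.
{ ... }:

{
  # Before (as in the London config): 3389 reachable from every interface.
  #   networking.firewall.allowedTCPPorts = [ 3389 ]; # for RDP

  # After: the global allow list stays empty and 3389 is admitted only on
  # the Tailscale interface, so xrdp is reachable from mesh peers but not
  # from the LAN or whatever network the machine happens to be on.
  networking.firewall = {
    enable = true;
    checkReversePath = "loose"; # still needed for Tailscale and Mullvad
    allowedTCPPorts = [ ];
    interfaces."tailscale0".allowedTCPPorts = [ 3389 ];
  };

  # xrdp's convenience switch would reopen the port on all interfaces;
  # it defaults to false, set explicitly here so the intent is visible.
  services.xrdp.openFirewall = false;
}
```

This replaces the =networking.firewall= lines in the London block rather than being imported next to them: list options merge by concatenation, so a module that still says =allowedTCPPorts = [ 3389 ]= would keep the global opening alive. =networking.firewall.trustedInterfaces = [ "tailscale0" ]= is the coarser alternative, skipping filtering on that interface entirely; the per-interface port list keeps everything else on the mesh closed. Note that =programs.steam.remotePlay.openFirewall = true= further down also opens ports on all interfaces.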

#+begin_src nix :tangle nix/configuration.nix
  environment.systemPackages = with pkgs; [
    os-prober
    tailscale
    cifs-utils
    pinentry-curses
  ];

  # Enable CUPS to print documents.
  services.printing.enable = true;

  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;
  };

  virtualisation = {
    docker = {
      enable = true;
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
  };

  programs.dconf.enable = true;

  programs.steam = {
    enable = true;
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = false;
  };

  fonts.fonts = with pkgs; [
    ibm-plex
    jetbrains-mono
  ];

  services.yubikey-agent.enable = true;
  services.pcscd.enable = true;

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    pinentryFlavor = "curses";
    enableSSHSupport = true;
  };

  system.stateVersion = "22.05";
}
#+end_src

Hardware configuration generated by the NixOS installer.

#+begin_src nix :tangle nix/hardware-configuration.nix
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/cd6f3e34-65ce-4be5-b4d4-6818e70dcff3";
    fsType = "ext4";
  };

  boot.initrd.luks.devices."luks-0cd5d85e-e232-4f75-a8b3-087737657fef".device = "/dev/disk/by-uuid/0cd5d85e-e232-4f75-a8b3-087737657fef";

  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/AB23-FA19";
    fsType = "vfat";
  };

  fileSystems."/home/gsimmer/FHG" = {
    device = "/dev/disk/by-label/FHG";
    fsType = "ext4";
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/c50f2d93-2f31-4afc-ad26-4730a8f4b7f0"; }
  ];

  networking.useDHCP = lib.mkDefault true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.video.hidpi.enable = lib.mkDefault true;
}
#+end_src

** Raspberry Pis

/This section is deprecated, as my Pis now run Raspbian with k3s./

I have two Raspberry Pis: a 3B+ ("watcher") and a 4 ("panda"). Watcher serves as a watchdog for my self-hosted services, which usually live on Panda.

*** The Installer Image

Very minimal changes are required here; I only really need to enable the SSH daemon and add my key so I can push the actual configuration. I might investigate bundling the "real" configurations into the live installer image, so I have to run fewer commands. [[https://nixos.wiki/wiki/NixOS_on_ARM#Getting_the_installer][More info on the NixOS Wiki]]

#+begin_src nix :tangle nix/image-configuration.nix
{ ... }:

{
  imports = [ ];

  services.sshd.enable = true;
  services.ntp.enable = true;

  users.users.gsimmer = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "pass"; # This gets changed. Don't get any ideas.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
    ];
  };
}
#+end_src

*** Watcher

Watcher is my Raspberry Pi 3B+ responsible for monitoring various services and devices on my network (and generally the wider web). It uses [[https://github.com/gmemstr/platypus][Platypus]] (my custom monitoring platform) for this, along with some cron jobs to curl the services themselves. A fully declarative install of Platypus is TODO, once I have the next release tagged.

#+begin_src nix :tangle nix/watcher-configuration.nix
{ config, pkgs, lib, ... }:

{
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;

  services.sshd.enable = true;
  services.ntp.enable = true;

  users.users.gsimmer = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "pass"; # This gets changed. Don't get any ideas.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
    ];
  };

  environment.systemPackages = [ pkgs.git pkgs.curl ];

  systemd.user.services.ensure-curlscript = {
    script = ''
      # At some point this will pull down a more complete script.
      echo "Done!"
    '';
    # User units are pulled in by default.target; multi-user.target only
    # exists in the system instance of systemd, so the unit never started.
    wantedBy = [ "default.target" ];
  };

  # Enable cron services
  services.cron = {
    enable = true;
    # \% stops cron treating % as a newline; $(date) is expanded by sh.
    systemCronJobs = [
      "*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://pw.gmem.ca > /home/gsimmer/pw-status"
      "*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://hue.gmem.ca > /home/gsimmer/hue-status"
    ];
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };

  networking.firewall.enable = false;
}
#+end_src

*** Panda

Panda is a general-purpose Raspberry Pi 4, responsible for hosting some network shares and my password manager (using [[https://github.com/dani-garcia/vaultwarden][Vaultwarden]]).
Largely TODO; this currently runs Raspbian until I'm happy with my testbed.

#+begin_src nix :tangle nix/panda-configuration.nix
{ ... }:

{
  imports = [ ];

  # put your own configuration here, for example ssh keys:
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
  ];
}
#+end_src
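The three Pi configurations above (installer image, Watcher, Panda) share one access pattern: an SSH daemon, my key, and on the image and Watcher a placeholder local password, with Watcher also running without a firewall. The =users.users.<name>.password= option is written to the world-readable Nix store in clear text, so even a value that "gets changed" is visible to every local user and to anyone holding the SD card. What follows is an added example, not one of the tangled files: a common module the three Pi configurations could import instead of their per-host user and sshd lines. It assumes NixOS 23.05 or later for the =services.openssh.settings= names (older releases spell them =services.openssh.passwordAuthentication= and =permitRootLogin=), and the =initialHashedPassword= value is a placeholder to be replaced with the output of =mkpasswd -m sha-512=.

```nix
# Added example: a shared module for the Pi configurations, not part of any
# of the tangled files above. Assumes NixOS 23.05+ names for sshd settings.
{ ... }:

{
  # Before (installer image / watcher):
  #   users.users.gsimmer.password = "pass";   # clear text in /nix/store
  #   networking.firewall.enable = false;      # watcher only

  users.users.gsimmer = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # PLACEHOLDER: replace with the hash printed by `mkpasswd -m sha-512`.
    # Only the hash reaches the store, and with users.mutableUsers left at
    # its default of true, `passwd` can still change it after first boot.
    initialHashedPassword = "$6$REPLACE_ME$PLACEHOLDER_HASH";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
    ];
  };

  services.openssh = {
    enable = true; # same daemon as services.sshd.enable above
    settings = {
      # Keys only: the local password is never usable over the network.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Panda keeps a root key; "prohibit-password" allows that and nothing
      # weaker.
      PermitRootLogin = "prohibit-password";
    };
  };

  # Turning the firewall on is enough for SSH: services.openssh.openFirewall
  # defaults to true and admits the sshd port by itself. Watcher's outbound
  # curl checks are unaffected, since only inbound traffic is filtered.
  networking.firewall.enable = true;

  services.ntp.enable = true;
}
```

Import it in place of each host's =users.users.gsimmer= and =services.sshd= lines rather than alongside them, otherwise =password= and =initialHashedPassword= are both set for the same user and evaluation fails. Panda's =users.extraUsers.root.openssh.authorizedKeys.keys= can stay as it is; the root key keeps working under =prohibit-password=, which is also the NixOS default for =PermitRootLogin=.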