Title: My NixOS configuration | |
Author: Solène | |
Date: 21 December 2021 | |
Tags: nixos linux | |
Description: In this text I share my NixOS configuration file. | |
# Introduction | |
Let me share my NixOS configuration file, the one in
/etc/nixos/configuration.nix that describes what is installed on my
Lenovo T470 laptop.
The basis of NixOS is that you declare every user, service, network and
system setting in a single file, and the system then configures itself to
match that declaration. You can also install global packages and per-user
packages. This makes a system environment reproducible and reliable.
# The file | |
```NixOS configuration file | |
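{ config, pkgs, ... }:
let
  # uid of the "aria" user. The egress rules below match on this uid, so it
  # is pinned on the user as well; otherwise it only holds as long as users
  # happen to be created in the same order.
  # NOTE(review): confirm 1002 is the uid aria already has before relying
  # on the pin (changing an existing user's uid does not re-own its files).
  ariaUid = 1002;

  # Egress policy for aria: loopback and the VPN tunnel only, everything else
  # rejected. Applied to iptables AND ip6tables, since owner-match rules in
  # one family say nothing about the other.
  ariaEgressRules = [
    "-o lo -m owner --uid-owner ${toString ariaUid} -j ACCEPT"
    "-o tun0 -m owner --uid-owner ${toString ariaUid} -j ACCEPT"
    "-m owner --uid-owner ${toString ariaUid} -j REJECT"
  ];

  # The NixOS firewall script only resets its own nixos-fw chains, not the
  # OUTPUT chain, so a plain "-A" would pile up a duplicate set of rules on
  # every firewall restart. Delete every stale copy first, then re-add.
  ariaFirewallStart = pkgs.lib.concatMapStringsSep "\n" (rule: ''
    for ipt in iptables ip6tables; do
      while $ipt -D OUTPUT ${rule} 2>/dev/null; do :; done
      $ipt -A OUTPUT ${rule}
    done
  '') ariaEgressRules;

  # Counterpart for firewall stop: remove the rules instead of leaving them
  # behind in OUTPUT.
  ariaFirewallStop = pkgs.lib.concatMapStringsSep "\n" (rule: ''
    for ipt in iptables ip6tables; do
      while $ipt -D OUTPUT ${rule} 2>/dev/null; do :; done
    done
  '') ariaEgressRules;
in
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # run garbage collector at 19h00 everyday
  # and remove stuff older than 60 days
  nix.gc.automatic = true;
  nix.gc.dates = "19:00";
  nix.gc.persistent = true;
  nix.gc.options = "--delete-older-than 60d";

  # clean /tmp at boot
  boot.cleanTmpDir = true;

  # latest kernel
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # sync disk when buffer reach 6% of memory
  boot.kernel.sysctl = {
    "vm.dirty_ratio" = 6;
  };

  # allow non free stuff
  nixpkgs.config.allowUnfree = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "t470";
  time.timeZone = "Europe/Paris";
  networking.networkmanager.enable = true;

  # wireguard VPN
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "192.168.5.1/24" ];
      # Not listed in allowedUDPPorts below, so the firewall does not accept
      # unsolicited inbound WireGuard traffic; as a client this machine
      # initiates towards the endpoint and only replies are let in.
      listenPort = 1234;
      # Kept out of the Nix store on purpose: anything referenced by path
      # from privateKey (rather than privateKeyFile) would land in the
      # world-readable /nix/store.
      privateKeyFile = "/root/wg-private";
      peers = [
        { # server
          publicKey = "MY PUB KEY";
          endpoint = "SERVER:PORT";
          allowedIPs = [ "192.168.5.0/24" ];
        }];
    };
  };

  # firejail firefox by default
  # NOTE(review): the "gaming" user below installs firefox in its own profile;
  # per-user profile bins usually precede the system profile in PATH, so that
  # user may run the unwrapped firefox rather than this firejail wrapper.
  programs.firejail.wrappedBinaries = {
    firefox = {
      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
    };
  };

  # azerty keyboard <3
  i18n.defaultLocale = "fr_FR.UTF-8";
  console = {
    # font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  # clean logs older than 2d
  # Keep in mind that two days of journal is very little to work with when
  # investigating an incident noticed late; consider a longer window (or a
  # size cap via services.journald.extraConfig) if that matters to you.
  services.cron.systemCronJobs = [
    "0 20 * * * root journalctl --vacuum-time=2d"
  ];

  # nvidia prime offload rendering for eGPU
  hardware.nvidia.modesetting.enable = true;
  hardware.nvidia.prime.sync.allowExternalGpu = true;
  hardware.nvidia.prime.offload.enable = true;
  hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
  hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
  services.xserver.videoDrivers = ["nvidia" ];

  # programs
  programs.steam.enable = true;
  programs.firejail.enable = true;
  programs.fish.enable = true;
  programs.gamemode.enable = true;
  programs.ssh.startAgent = true;

  # services
  services.acpid.enable = true;
  services.thermald.enable = true;
  services.fwupd.enable = true;
  services.vnstat.enable = true;

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.desktopManager.xfce.enable = false;
  services.xserver.desktopManager.gnome.enable = false;

  # Configure keymap in X11
  services.xserver.layout = "fr";
  services.xserver.xkbOptions = "eurosign:e";

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;

  # Enable touchpad support
  services.xserver.libinput.enable = true;

  users.users.solene = {
    isNormalUser = true;
    shell = pkgs.fish;
    packages = with pkgs; [
      gajim audacity chromium dmd dtools
      kate kdeltachat pavucontrol rclone rclone-browser
      zim claws-mail mpv musikcube git-annex
    ];
    # "wheel" is what grants sudo on NixOS; a "sudo" group is not declared
    # anywhere in this file, so that entry is presumably a no-op here.
    extraGroups = [ "wheel" "sudo" "networkmanager" ];
  };

  # my gaming users running steam/lutris/emulators
  users.users.gaming = {
    isNormalUser = true;
    shell = pkgs.fish;
    extraGroups = [ "networkmanager" "video" ];
    packages = with pkgs; [ lutris firefox ];
  };

  users.users.aria = {
    isNormalUser = true;
    # pinned so the owner-match firewall rules keep targeting this account
    uid = ariaUid;
    shell = pkgs.fish;
    packages = with pkgs; [ aria2 ];
  };

  # global packages
  environment.systemPackages = with pkgs; [
    ncdu kakoune git rsync restic tmux fzf
  ];

  # Enable the OpenSSH daemon.
  # Port 22 is opened to every network this laptop joins (see the firewall
  # below). Unless password logins are really needed, key-only auth is the
  # usual hardening here:
  #   services.openssh.passwordAuthentication = false;
  #   services.openssh.permitRootLogin = "no";
  services.openssh.enable = true;

  # Open ports in the firewall.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];
  networking.firewall.allowedUDPPorts = [ ];

  # user aria can only use tun0
  # Caveats: (1) tun0 is not an interface declared in this file (the
  # WireGuard one above is wg0), so it presumably comes from a VPN managed
  # elsewhere -- make sure the name really matches, or aria is cut off.
  # (2) loopback is allowed, so a local resolver (if any) will forward aria's
  # DNS queries under its own uid, outside this policy -- a classic leak.
  networking.firewall.extraCommands = ariaFirewallStart;
  networking.firewall.extraStopCommands = ariaFirewallStop;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.11"; # Did you read the comment?
}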
``` |