Title: My NixOS configuration
Author: Solène
Date: 21 December 2021
Tags: nixos linux
Description: In this text I share my NixOS configuration file.
# Introduction

Let me share my NixOS configuration file, the one in
/etc/nixos/configuration.nix that describes what is installed on my
Lenovo T470 laptop.

The base of NixOS is that you declare every user, service, network and
system setting in a file, and finally it configures itself to match
your expectations. You can also install global packages and per-user
packages. It makes a system environment reproducible and reliable.
# The file

```NixOS configuration file
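{ config, pkgs, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # run garbage collector at 19h00 everyday
  # and remove stuff older than 60 days
  nix.gc.automatic = true;
  nix.gc.dates = "19:00";
  nix.gc.persistent = true;
  nix.gc.options = "--delete-older-than 60d";

  # clean /tmp at boot
  boot.cleanTmpDir = true;

  # latest kernel
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # sync disk when buffer reach 6% of memory
  boot.kernel.sysctl = {
    "vm.dirty_ratio" = 6;
  };

  # allow non free stuff
  nixpkgs.config.allowUnfree = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "t470";
  time.timeZone = "Europe/Paris";
  networking.networkmanager.enable = true;

  # wireguard VPN
  # The private key is read from a file outside the Nix store on purpose:
  # a key written inline here would be copied world-readable into /nix/store.
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "192.168.5.1/24" ];
      # NOTE(review): UDP 1234 is not opened in networking.firewall below;
      # presumably fine for a laptop that always initiates the handshake
      # towards the fixed endpoint — confirm.
      listenPort = 1234;
      privateKeyFile = "/root/wg-private";
      peers = [
        { # server
          publicKey = "MY PUB KEY";
          endpoint = "SERVER:PORT";
          allowedIPs = [ "192.168.5.0/24" ];
        }];
    };
  };

  # firejail firefox by default
  programs.firejail.wrappedBinaries = {
    firefox = {
      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
    };
  };

  # azerty keyboard <3
  i18n.defaultLocale = "fr_FR.UTF-8";
  console = {
    # font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  # clean logs older than 2d
  services.cron.systemCronJobs = [
    "0 20 * * * root journalctl --vacuum-time=2d"
  ];

  # nvidia prime offload rendering for eGPU
  hardware.nvidia.modesetting.enable = true;
  hardware.nvidia.prime.sync.allowExternalGpu = true;
  hardware.nvidia.prime.offload.enable = true;
  hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
  hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
  services.xserver.videoDrivers = ["nvidia" ];

  # programs
  programs.steam.enable = true;
  programs.firejail.enable = true;
  programs.fish.enable = true;
  programs.gamemode.enable = true;
  programs.ssh.startAgent = true;

  # services
  services.acpid.enable = true;
  services.thermald.enable = true;
  services.fwupd.enable = true;
  services.vnstat.enable = true;

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.desktopManager.xfce.enable = false;
  services.xserver.desktopManager.gnome.enable = false;

  # Configure keymap in X11
  services.xserver.layout = "fr";
  services.xserver.xkbOptions = "eurosign:e";

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;

  # Enable touchpad support
  services.xserver.libinput.enable = true;

  users.users.solene = {
    isNormalUser = true;
    shell = pkgs.fish;
    packages = with pkgs; [
      gajim audacity chromium dmd dtools
      kate kdeltachat pavucontrol rclone rclone-browser
      zim claws-mail mpv musikcube git-annex
    ];
    # NOTE(review): "wheel" is the group NixOS uses for sudo; "sudo" is not
    # a group this file or NixOS declares by default — confirm it is needed.
    extraGroups = [ "wheel" "sudo" "networkmanager" ];
  };

  # my gaming users running steam/lutris/emulators
  users.users.gaming = {
    isNormalUser = true;
    shell = pkgs.fish;
    extraGroups = [ "networkmanager" "video" ];
    packages = with pkgs; [ lutris firefox ];
  };

  # aria: download-only account whose network access is confined by the
  # firewall rules below.  Those rules match on the numeric UID, so it is
  # pinned here instead of relying on NixOS allocating 1002 at activation.
  users.users.aria = {
    isNormalUser = true;
    uid = 1002;
    shell = pkgs.fish;
    packages = with pkgs; [ aria2 ];
  };

  # global packages
  environment.systemPackages = with pkgs; [
    ncdu kakoune git rsync restic tmux fzf
  ];

  # Enable the OpenSSH daemon.
  # NOTE(review): port 22 is reachable on every interface; nothing here
  # turns off password logins (services.openssh.passwordAuthentication).
  services.openssh.enable = true;

  # Open ports in the firewall.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];
  networking.firewall.allowedUDPPorts = [ ];

  # user aria can only use tun0
  # tun0 is not defined in this file (the WireGuard interface above is
  # wg0) — presumably a VPN brought up elsewhere; confirm the name.
  # The rules go straight into OUTPUT rather than the nixos-fw chain, so
  # they are installed for IPv4 and IPv6 alike (otherwise IPv6 egress
  # would bypass the restriction) and removed in extraStopCommands so a
  # firewall restart does not stack another copy.
  networking.firewall.extraCommands = ''
    for ipt in iptables ip6tables; do
      $ipt -A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
      $ipt -A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
      $ipt -A OUTPUT -m owner --uid-owner 1002 -j REJECT
    done
  '';
  networking.firewall.extraStopCommands = ''
    for ipt in iptables ip6tables; do
      $ipt -D OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT 2>/dev/null || true
      $ipt -D OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT 2>/dev/null || true
      $ipt -D OUTPUT -m owner --uid-owner 1002 -j REJECT 2>/dev/null || true
    done
  '';

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.11"; # Did you read the comment?
}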
```