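{ config, lib, pkgs, ... }:

let
  # Path of the age private key that sops-nix uses to decrypt secrets.
  # Bound once here so the sops option and the user-facing environment
  # variable below cannot drift apart.
  ageKeyFile = "/persist/secrets/age.txt";

  # Quad9 "dns10" resolvers, IPv6 first. The `#hostname` suffix is what
  # systemd-resolved validates the DNS-over-TLS certificate against.
  # Per Quad9's published service list, dns10 is their unsecured endpoint
  # (no malware blocking, no DNSSEC validation) — chosen on purpose or not,
  # worth knowing.
  quad9 = [
    "2620:fe::10#dns10.quad9.net"
    "2620:fe::fe:10#dns10.quad9.net"
    "9.9.9.10#dns10.quad9.net"
    "149.112.112.10#dns10.quad9.net"
  ];

  # UDP ports whose packets skip the firewall's reverse-path filter.
  # 51820 is WireGuard's default listen port; 47111 is presumably a second
  # WireGuard listener — confirm against the WireGuard configuration.
  rpfilterExemptPorts = [ 47111 51820 ];

  # Render one ip46tables rule per port and direction (source port, then
  # destination port) in a fixed order so the stop-time delete matches the
  # start-time insert exactly. `action` is "-I" (insert) or "-D" (delete);
  # `suffix` is appended to every line, e.g. " || true" so a missing rule
  # does not abort the stop script. The result ends with a newline.
  rpfilterRules = action: suffix:
    lib.concatMapStrings
      (port:
        lib.concatMapStrings
          (dir: "ip46tables -t mangle ${action} nixos-fw-rpfilter -p udp -m udp ${dir} ${toString port} -j RETURN${suffix}\n")
          [ "--sport" "--dport" ])
      rpfilterExemptPorts;
in
{
  options = {};

  imports = [ ../packages/default.nix ../users/default.nix ./config/stm32 ];

  config = {
    # Optional hardware support is off unless a host explicitly turns it on.
    hardware = {
      bluetooth.enable = lib.mkDefault false;
      steam-hardware.enable = lib.mkDefault false;
    };

    boot = {
      kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
      loader = {
        # Lets the bootloader installer write boot entries into EFI NVRAM.
        efi.canTouchEfiVariables = lib.mkDefault true;
        systemd-boot.enable = lib.mkDefault true;
      };
    };

    # Advertise the key path to interactive `sops` invocations. This only
    # tells users where the key is; the file's own permissions decide who
    # can actually read it.
    environment.sessionVariables = {
      SOPS_AGE_KEY_FILE = ageKeyFile;
    };

    programs = {
      # Registers a binfmt_misc handler so AppImages execute directly.
      appimage.binfmt = true;
      # direnv loads the .envrc of directories the user has `direnv allow`ed;
      # nix-direnv caches the resulting nix shell.
      direnv = {
        enable = true;
        nix-direnv.enable = true;
      };
    };

    # NOTE(review): wheel users become root without a password, so any process
    # running as a wheel user (a compromised browser, an allowed .envrc) is
    # effectively root. mkDefault lets a host opt back into password prompts
    # with a plain `= true` rather than mkForce.
    security.sudo.wheelNeedsPassword = lib.mkDefault false;
    security.rtkit.enable = true;

    # Global upstream resolvers for systemd-resolved (this is the option the
    # NixOS resolved module renders as `DNS=` in resolved.conf).
    networking.nameservers = quad9;

    services = {
      fstrim.enable = true;

      resolved = {
        enable = true;
        # "opportunistic" tries DNS-over-TLS but silently falls back to plain
        # DNS when the server — or an on-path attacker — refuses TLS, so it
        # protects against passive observation only. Every server above
        # carries a #hostname, so "true" (strict DoT) is available if
        # downgrade resistance matters more than working behind captive
        # portals.
        dnsovertls = "opportunistic";
        # Same servers as fallback, for links that supply no DNS of their own.
        fallbackDns = quad9;
      };

      xserver.displayManager.lightdm.enable = false;
    };

    networking.firewall = {
      enable = true;
      # Reverse-path drops are logged, so a missing exemption shows up in dmesg.
      logReversePathDrops = true;

      # WireGuard traffic trips the reverse-path filter, so packets to or from
      # the WireGuard ports RETURN from the nixos-fw-rpfilter chain (skipping
      # its drop) before the regular input chain sees them.
      # NOTE(review): the --sport rules also exempt any unrelated inbound UDP
      # packet whose source port happens to be 47111/51820 from the spoofing
      # check. Such packets still have to pass the normal firewall, and
      # WireGuard authenticates its own traffic, but if a narrower exemption is
      # wanted, networking.firewall.checkReversePath = "loose" is the NixOS
      # documented alternative to hand-written mangle rules.
      extraCommands = rpfilterRules "-I" "";
      extraStopCommands = rpfilterRules "-D" " || true";

      # 22000 tcp+udp is Syncthing's default sync port (assumption — confirm
      # against whatever actually listens here).
      allowedTCPPorts = [ 22000 ];
      allowedUDPPorts = [ 22000 ];
    };

    # Udev rules so Altera/Intel USB-Blaster JTAG programmers (vendor 09fb)
    # can be used without root.
    # NOTE(review): MODE="0666" makes the device node world-writable, i.e.
    # every local account can drive the programmer. TAG+="uaccess" (ACL for
    # the active seat user) or GROUP="plugdev", MODE="0660" is the
    # least-privilege form; kept as-is here to preserve behavior.
    services.udev.packages = [
      (pkgs.writeTextFile {
        name = "alterra-udev";
        destination = "/etc/udev/rules.d/92-alterra.rules";
        text = ''
        # USB-Blaster
        SUBSYSTEM=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6001", MODE="0666"
        SUBSYSTEM=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6002", MODE="0666"
        SUBSYSTEM=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6003", MODE="0666"

        # USB-Blaster II
        SUBSYSTEM=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6010", MODE="0666"
        SUBSYSTEM=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6810", MODE="0666"
        '';
      })
    ];

    # sshd only on hosts whose stitchyconf.form is "server" (that option is
    # declared in one of the imported modules). Password and
    # keyboard-interactive authentication are off, leaving key-based auth.
    # NOTE(review): NixOS's default PermitRootLogin is "prohibit-password";
    # add `settings.PermitRootLogin = "no";` if root must never log in over
    # SSH even with a key.
    services.openssh = lib.mkIf (config.stitchyconf.form == "server") {
      enable = true;
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
    };

    # Same key sops-nix decrypts with at activation time.
    sops.age.keyFile = ageKeyFile;

    # Materialise /etc/hosts as a regular world-readable file instead of a
    # store symlink — presumably so something edits it at runtime; confirm.
    environment.etc.hosts.mode = "0644";

    nix.settings.experimental-features = [ "nix-command" "flakes" ];
  };
}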