~ruther/nixos-config

ref: 6904cf1761334d033556f106c82d79b48e6657f4 nixos-config/nixos/hosts/laptop-phobos/default.nix -rw-r--r-- 2.7 KiB
6904cf17 — Frantisek Bohacek refactor: modularize the configuration 1 year, 1 day ago
                                                                                
#
#  Host-specific system configuration settings for the laptop
#
#  flake.nix
#   ├─ ./hosts
#   │   └─ ./laptop
#   │        ├─ default.nix *
#   │        └─ hardware-configuration.nix
#   └─ ./modules
#       ├─ ./desktop
#       │   ├─ ./bspwm
#       │   │   └─ default.nix
#       │   └─ ./virtualisation
#       │       └─ docker.nix
#       └─ ./hardware
#           └─ default.nix
#

{ pkgs, lib, ... }:

{
  # Only ./hardware-configuration.nix is imported from here; the `profiles.*`
  # and `nixos-config.*` options set below are declared outside this file.
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "laptop-phobos";
  nixos-config.isLaptop = true;

  # Feature profiles switched on for this host.
  profiles.desktop.gnome.enable = true;
  profiles.desktop.qtile.enable = true;
  profiles.sync.enable = true;
  profiles.virtualisation.enable = true;
  profiles.vpn.enable = true;

  # Development tooling. The cable lists presumably select udev rules/drivers
  # for the named programmers and devices -- confirm against the profile module.
  profiles.development.enable = true;
  profiles.development.fpga.cables = [ "vivado" "ise" ];
  profiles.development.mcu.cables = [ "tiva-c" "st-link" "trezor" ];

  # Boot chain for this host: Secure Boot signing (lanzaboote), a systemd-based
  # initrd, and a LUKS-encrypted root volume.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # lanzaboote signs the boot artifacts with the keys found under pkiBundle.
  # That directory includes the private signing keys: whoever can read it
  # (root on the running system, or a backup that captured it) can sign images
  # this machine will accept. Keep it root-only and out of backups and version
  # control. Signing by itself enforces nothing; the firmware must have
  # Secure Boot enabled with these keys enrolled.
  boot.lanzaboote.enable = true;
  boot.lanzaboote.pkiBundle = "/etc/secureboot";

  boot.loader.efi.canTouchEfiVariables = true;

  # A zero timeout boots the default entry without displaying the menu.
  boot.loader.timeout = 0;

  # The stock systemd-boot installer is forced off because lanzaboote installs
  # the loader instead. `editor = false` stops the kernel command line from
  # being edited at the boot menu (e.g. appending init=/bin/sh to get a root
  # shell).
  # NOTE(review): presumably lanzaboote takes `editor` and `configurationLimit`
  # from these options as its defaults -- confirm for the pinned lanzaboote
  # version, otherwise the two settings have no effect while systemd-boot is
  # disabled.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.systemd-boot.editor = false;
  boot.loader.systemd-boot.configurationLimit = 5;

  boot.initrd.systemd.enable = true;
  boot.initrd.luks.devices."crypted-linux-root" = {
    device = "/dev/disk/by-label/crypted-linux-root";

    # Lets TRIM/discard requests pass through dm-crypt. Trade-off: someone who
    # images the disk can tell which blocks are unused, which leaks usage
    # patterns of the encrypted volume.
    allowDiscards = true;

    # Key material is read straight from the USB stick identified below
    # (256 bytes; no offset is configured). Holding that stick is enough to
    # unlock the disk, so it should not travel or be stored with the laptop.
    # If the device has not appeared after 10 seconds, unlocking falls back to
    # a passphrase prompt.
    keyFile = "/dev/disk/by-id/usb-VendorCo_ProductCode_92073160DC061126104-0:0";
    keyFileSize = 256;
    keyFileTimeout = 10;
  };

  # TODO under qtile
  # brillo provides backlight control here, as the alternative to xbacklight.
  hardware.brillo.enable = true;

  # TODO under qtile
  # Session locking goes through xss-lock, using an xsecurelock build whose
  # wrapper exports XSECURELOCK_COMPOSITE_OBSCURER=0.
  # NOTE(review): that variable turns off xsecurelock's obscurer window, which
  # upstream enables by default so that a misbehaving compositor cannot draw
  # over the lock screen. With it off, verify that nothing (notifications, a
  # compositor restart) can show session content while the screen is locked.
  programs.xss-lock =
    let
      lockerPkg = pkgs.xsecurelock.overrideAttrs (old: {
        # Append to any existing postInstall rather than replacing it.
        postInstall = (old.postInstall or "") + ''
          wrapProgram $out/bin/xsecurelock --set XSECURELOCK_COMPOSITE_OBSCURER 0
        '';
      });
    in
    {
      enable = true;
      lockerCommand = "${lockerPkg}/bin/xsecurelock";
    };

  # Closing the lid suspends the machine. A suspended system keeps the LUKS
  # volume unlocked (the key stays in memory), so the screen locker is what
  # protects the session on resume.
  services.logind.lidSwitch = "suspend";

  # Touchpad input via libinput.
  services.xserver.libinput.enable = true;
  services.xserver.libinput.touchpad.naturalScrolling = true;
  services.xserver.libinput.touchpad.tapping = true;

  # Printing through CUPS with the splix driver and Samsung's vendor-supplied
  # unified driver.
  services.printing.enable = true;
  services.printing.drivers = [
    pkgs.splix
    pkgs.samsung-unified-linux-driver
  ];

  # Wireguard: address handed to the vpn profile (option declared outside this
  # file).
  profiles.vpn.lanIp = "192.168.32.25";
}