wytch/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nix-config/hosts/coven/configuration.nix
wytch 613e37d58b remote install config
2026-04-24 14:48:12 -05:00

189 lines
5.1 KiB
Nix
Raw Permalink Blame History

{ config, pkgs, lib, inputs, ... }:
{
imports = [
./hardware-configuration.nix
./disk.nix
../../modules/nixos/garbage-collection.nix
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
];
hardware.graphics.enable32Bit = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
services.pulseaudio.support32Bit = true;
# Bootloader
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey).
# Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks
# A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.
# initrdUnlock is false in disk.nix so we own the full device config here.
boot.initrd.systemd.fido2.enable = true;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-partlabel/disk-main-luks";
allowDiscards = true;
bypassWorkqueues = true;
crypttabExtraOpts = [ "fido2-device=auto" ];
};
# zram swap — 8 GB on a 16 GB machine, no swap partition needed
zramSwap = {
enable = true;
memoryPercent = 50;
algorithm = "zstd";
};
# Use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "coven";
networking.networkmanager.enable = true;
time.timeZone = "America/Chicago";
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
services.xserver.enable = true;
services.fwupd.enable = true;
services.logind.settings.Login = {
HandleLidSwitch = "poweroff";
HandleLidSwitchExternalPower = "lock";
HandleLidSwitchDocked = "ignore";
};
services.thermald.enable = true;
powerManagement.powertop.enable = true;
services.fstrim.enable = true;
# KDE Plasma 6
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
services.xserver.xkb = {
layout = "us";
variant = "";
};
services.printing.enable = true;
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
AllowUsers = [ "sonja" ];
};
};
users.defaultUserShell = pkgs.zsh;
users.users.sonja = {
shell = pkgs.zsh;
isNormalUser = true;
description = "sonja";
extraGroups = [ "networkmanager" "wheel" ];
};
# home-manager module is injected by the flake; no need to import it here
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.sonja = import ../../home/sonja/home.nix;
programs.ssh.extraConfig = ''
Host whatbox
Hostname sojourner.whatbox.ca
Port 22
User subtext2792
'';
programs.firefox.enable = true;
programs.zsh.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
package = pkgs.steam.override {
extraPkgs = pkgs: [ pkgs.mesa-demos ];
};
gamescopeSession.enable = true;
};
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
steam-run
mesa-demos
pciutils
gnupg
pcsc-tools
pinentry-curses
ranger
nodejs_24
gqrx
];
programs.noisetorch.enable = true;
# btrfs snapshots — timeline via snapper
services.snapper.configs.root = {
SUBVOLUME = "/";
ALLOW_USERS = [ "sonja" ];
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_LIMIT_HOURLY = 24;
TIMELINE_LIMIT_DAILY = 7;
TIMELINE_LIMIT_WEEKLY = 4;
TIMELINE_LIMIT_MONTHLY = 6;
TIMELINE_LIMIT_YEARLY = 2;
};
# sops — dormant until .sops.yaml is populated with your GPG fingerprint
# and secrets/secrets.yaml is created and encrypted.
# sops.defaultSopsFile = ../../secrets/secrets.yaml;
# sops.gnupg.sshKeyPaths = [];
# sops.secrets.ssh_host_ed25519_key = {
# path = "/etc/ssh/ssh_host_ed25519_key";
# mode = "0600";
# };
# Note: system.autoUpgrade with a channel URL does not apply to flake-managed
# systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead.
system.stateVersion = "25.11";
}
Reference in New Issue View Git Blame Copy Permalink