{ flake, flakeInputs, pkgs, customUtils, lib, config, path, ... }: let mwnSubnetsPublic = [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16" "192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24" "193.174.96.0/22" "194.95.59.0/24" ]; mwnSubnetsPrivate = [ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16" ]; in { imports = with flake.nixosModules.systemProfiles; [ ./hw.nix ./mail ./libvirt tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 flakeInputs.impermanence.nixosModules.impermanence flakeInputs.nixVirt.nixosModules.default ]; config = { nixpkgs = { system = "x86_64-linux"; externalConfig = { allowUnfree = true; pulseaudio = true; }; extraOverlays = [ flakeInputs.niri-flake.overlays.niri ]; }; time.timeZone = null; boot = { initrd = { systemd = { emergencyAccess = config.users.users.root.hashedPassword; }; luks.devices = { nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; nvm1 = { device = "/dev/disk/by-uuid/2884e98d-5afd-4965-91c9-88ffb5ec58bc"; bypassWorkqueues = true; }; }; availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; }; supportedFilesystems = [ "nfs" "nfs4" ]; blacklistedKernelModules = [ "nouveau" ]; # Use the systemd-boot EFI boot loader. loader = { systemd-boot = { enable = true; configurationLimit = 15; }; efi.canTouchEfiVariables = true; timeout = null; }; plymouth.enable = true; kernelPackages = pkgs.linuxPackages_latest; kernelPatches = [ { name = "edac-config"; patch = null; extraStructuredConfig = with lib.kernel; { EDAC = yes; EDAC_IE31200 = yes; }; } { name = "zswap-default"; patch = null; extraStructuredConfig = with lib.kernel; { ZSWAP_DEFAULT_ON = yes; ZSWAP_SHRINKER_DEFAULT_ON = yes; }; } ]; tmp.useTmpfs = true; kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; }; }; services.timesyncd.enable = false; services.chrony = { enable = true; enableNTS = true; servers = []; extraConfig = '' pool time.cloudflare.com iburst nts pool nts.netnod.se prefer iburst nts server ptbtime1.ptb.de prefer iburst nts server ptbtime2.ptb.de prefer iburst nts server ptbtime3.ptb.de prefer iburst nts server ptbtime4.ptb.de prefer iburst nts authselectmode require minsources 3 nocerttimecheck 1 leapsectz right/UTC makestep 0.1 3 cmdport 0 ''; }; networking = { domain = "yggdrasil"; search = [ "yggdrasil" ]; hosts = { "127.0.0.1" = [ "sif.yggdrasil" "sif" ]; "::1" = [ "sif.yggdrasil" "sif" ]; }; firewall.enable = false; nftables = { enable = true; rulesetFile = ./ruleset.nft; }; # firewall = { # enable = true; # allowedTCPPorts = [ 22 # ssh # 8000 # quickserve # ]; # }; # wlanInterfaces = { # wlan0 = { # device = "wlp82s0"; # }; # }; # bonds = { # "lan" = { # interfaces = [ "wlan0" "enp0s31f6" "dock0" ]; # driverOptions = { # miimon = "1000"; # mode = "active-backup"; # primary_reselect = "always"; # }; # }; # }; useDHCP = false; useNetworkd = true; # interfaces."tinc.yggdrasil" = { # virtual = true; # virtualType = config.services.tinc.networks.yggdrasil.interfaceType; # macAddress = "5c:93:21:c3:61:39"; # }; }; environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { text = '' except-interface=virbr0 server=/libvirt/192.168.122.1@virbr0 ''; }; environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = { text = '' server=/mathinst.loc/10.153.88.9@wgrz server=/cipmath.loc/10.153.88.9@wgrz ''; }; environment.etc."NetworkManager/dnsmasq.d/yggdrasil.conf" = { text = '' server=/yggdrasil/2a03:4000:52:ada:1:1::@yggdrasil server=/141.10.in-addr.arpa/2a03:4000:52:ada:1:1::@yggdrasil server=/1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa/2a03:4000:52:ada:1:1::@yggdrasil ''; }; systemd.network = { netdevs = { wgrz = { netdevConfig = { Name = "wgrz"; Kind = "wireguard"; MTUBytes = "1558"; }; wireguardConfig = { PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv"; ListenPort = 51822; # FirewallMark = 1; }; wireguardPeers = [ { AllowedIPs = [ "10.200.116.1/32" "10.163.88.40/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic; PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI="; PersistentKeepalive = 25; Endpoint = "wg.math.lmu.de:51820"; } ]; }; virbr0 = { netdevConfig = { Name = "virbr0"; Kind = "bridge"; MACAddress = "52:54:00:18:85:5b"; }; }; rz-gre-1 = { netdevConfig = { Name = "rz-gre-1"; Kind = "gretap"; MTUBytes = "1520"; }; tunnelConfig = { Local = "10.200.116.128"; Remote = "10.200.116.1"; Independent = true; }; }; rz-gre-1-0971 = { netdevConfig = { Name = "rz-gre-1-0971"; Kind = "vlan"; MTUBytes = "1500"; }; vlanConfig = { Id = 971; }; }; rz-gre-1-2403 = { netdevConfig = { Name = "rz-gre-1-2403"; Kind = "vlan"; MTUBytes = "1500"; }; vlanConfig = { Id = 2403; }; }; rz-0971 = { netdevConfig = { Name = "rz-0971"; Kind = "bridge"; MTUBytes = "1500"; }; }; rz-2403 = { netdevConfig = { Name = "rz-2403"; Kind = "bridge"; MTUBytes = "1500"; }; }; }; networks = { wgrz = { name = "wgrz"; matchConfig = { Name = "wgrz"; }; address = ["10.200.116.128/24"]; routes = map (Destination: { inherit Destination; Gateway = "10.200.116.1"; GatewayOnLink = true; Table = "wgrz"; }) (mwnSubnetsPrivate ++ mwnSubnetsPublic ++ ["10.163.88.40/32"]); routingPolicyRules = [ { Table = "main"; # FirewallMark = 1; To = "129.187.111.225"; Priority = 100; } { Table = "main"; To = "10.153.91.204"; Priority = 100; } { Table = "wgrz"; From = "10.200.116.128"; Priority = 200; } { Table = "wgrz"; To = "10.163.88.40"; Priority = 200; } ] ++ map (To: { Table = "wgrz"; inherit To; Priority = 200; }) (mwnSubnetsPrivate ++ mwnSubnetsPublic); linkConfig = { RequiredForOnline = false; }; networkConfig = { LLMNR = false; MulticastDNS = false; DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"]; # Tunnel = "rz-gre-1"; }; }; virbr0 = { name = "virbr0"; matchConfig = { Name = "virbr0"; }; address = ["192.168.122.1/24" "fd45:febc:b028::/48"]; networkConfig = { ConfigureWithoutCarrier = true; LLMNR = false; MulticastDNS = false; }; }; rz-gre-1 = { name = "rz-gre-1"; matchConfig = { Name = "rz-gre-1"; }; networkConfig = { VLAN = [ "rz-gre-1-0971" "rz-gre-1-2403" ]; }; }; rz-gre-1-0971 = { name = "rz-gre-1-0971"; matchConfig = { Name = "rz-gre-1-0971"; }; networkConfig = { Bridge = "rz-0971"; }; }; rz-gre-1-2403 = { name = "rz-gre-1-2403"; matchConfig = { Name = "rz-gre-1-2403"; }; networkConfig = { Bridge = "rz-2403"; }; }; }; config.routeTables.wgrz = 1025; }; sops.secrets.wgrz = { format = "binary"; sopsFile = ./wgrz/privkey; }; networking.networkmanager.unmanaged = ["wgrz" "virbr0"]; systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ "wgrz.priv:${config.sops.secrets.wgrz.path}" ]; services.dnsmasq = { enable = true; resolveLocalQueries = false; settings = { enable-ra = true; local = "/libvirt/"; domain-needed = true; expand-hosts = true; bogus-priv = true; no-hosts = true; listen-address = [ "192.168.122.1" "fd45:febc:b028::" ]; # interface = "virbr0"; # except-interface = "lo"; bind-interfaces = true; domain = "libvirt,192.168.122.0/24"; dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ]; dhcp-host = [ "52:54:00:18:85:5b,sif,192.168.122.1" ]; dhcp-authoritative = true; dhcp-rapid-commit = true; dhcp-option = "option6:dns-server,[fd45:febc:b028::]"; }; }; systemd.services.dnsmasq = { bindsTo = ["sys-subsystem-net-devices-virbr0.device"]; after = ["sys-subsystem-net-devices-virbr0.device"]; }; systemd.services.libvirtd = { wants = ["dnsmasq.service"]; bindsTo = ["sys-subsystem-net-devices-virbr0.device"]; after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"]; }; services.openssh = { enable = true; settings = { PasswordAuthentication = true; KbdInteractiveAuthentication = true; }; }; powerManagement = { enable = true; cpuFreqGovernor = "schedutil"; }; environment.systemPackages = with pkgs; [ nvtopPackages.full brightnessctl config.boot.kernelPackages.v4l2loopback s-tui uhk-agent ]; services = { uucp = { enable = true; nodeName = "sif"; remoteNodes = { "ymir" = { publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"]; hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; }; }; defaultCommands = lib.mkForce []; }; avahi.enable = true; fwupd.enable = true; fprintd.enable = true; blueman.enable = true; colord.enable = true; vnstat.enable = true; upower.enable = true; thinkfan.enable = true; logind = { lidSwitch = "suspend"; lidSwitchDocked = "lock"; lidSwitchExternalPower = "lock"; }; atd = { enable = true; allowEveryone = true; }; xserver = { enable = false; xkb = { layout = "us"; variant = "dvp"; options = "compose:caps"; }; wacom.enable = true; dpi = 282; videoDrivers = [ "nvidia" ]; screenSection = '' Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }" ''; deviceSection = '' Option "TearFree" "True" ''; exportConfiguration = true; }; libinput.enable = true; greetd = { enable = true; # settings.default_session.command = let # cfg = config.programs.regreet; # in pkgs.writeShellScript "greeter" '' # modprobe -r nvidia_drm # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} # ''; }; }; programs.regreet = { enable = true; theme = { package = pkgs.equilux-theme; name = "Equilux-compact"; }; iconTheme = { package = pkgs.paper-icon-theme; name = "Paper-Mono-Dark"; }; font = { package = pkgs.fira; name = "Fira Sans"; # size = 6; }; cageArgs = [ "-s" "-m" "last" ]; settings = { GTK.application_prefer_dark_theme = true; }; }; programs.niri.enable = true; systemd.tmpfiles.settings = { "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" { last_user = "gkleen"; user_to_last_sess.gkleen = "Niri"; }); }; users = { users.gkleen.extraGroups = [ "media" "plugdev" "input" "rtkit" ]; groups.media = {}; groups.plugdev = {}; groups.input = {}; }; security.rtkit.enable = true; services.pipewire = { enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; jack.enable = true; wireplumber.enable = true; extraConfig = { pipewire."10-custom" = { "context.properties" = { "log.level" = 2; "core.daemon" = true; "core.name" = "pipewire-0"; "module.x11.bell" = false; }; "context.modules" = [ { name = "libpipewire-module-rtkit"; args = { "nice.level" = -15; "rt.prio" = 88; "rt.time.soft" = 200000; "rt.time.hard" = 200000; }; flags = [ "ifexists" "nofail" ]; } # { name = "libpipewire-module-protocol-native"; } { name = "libpipewire-module-profiler"; } # { name = "libpipewire-module-metadata"; } { name = "libpipewire-module-spa-device-factory"; } { name = "libpipewire-module-spa-node-factory"; } # { name = "libpipewire-module-client-node"; } # { name = "libpipewire-module-client-device"; } { name = "libpipewire-module-portal"; flags = [ "ifexists" "nofail" ]; } { name = "libpipewire-module-access"; args = {}; } { name = "libpipewire-module-adapter"; } { name = "libpipewire-module-link-factory"; } { name = "libpipewire-module-session-manager"; } ]; }; pipewire-pulse."10-custom" = { "context.properties" = { "log.level" = 2; }; "context.modules" = [ { name = "libpipewire-module-rtkit"; args = { "nice.level" = -15; "rt.prio" = 88; "rt.time.soft" = 200000; "rt.time.hard" = 200000; }; flags = [ "ifexists" "nofail" ]; } # { name = "libpipewire-module-protocol-native"; } # { name = "libpipewire-module-client-node"; } { name = "libpipewire-module-adapter"; } # { name = "libpipewire-module-metadata"; } # { # name = "libpipewire-module-protocol-pulse"; # args = { # "server.address" = [ "unix:native" ]; # }; # } ]; "stream.properties" = { "resample.quality" = 1; }; }; }; }; hardware = { bluetooth = { enable = true; package = pkgs.bluez; settings = { General = { Enable = "Source,Sink,Media,Socket"; }; }; }; trackpoint = { enable = true; emulateWheel = true; sensitivity = 255; speed = 255; }; nvidia = { open = true; modesetting.enable = true; powerManagement.enable = false; prime = { nvidiaBusId = "PCI:1:0:0"; intelBusId = "PCI:0:2:0"; reverseSync.enable = true; offload.enableOffloadCmd = true; }; }; graphics = { enable = true; enable32Bit = true; # setLdLibraryPath = true; }; firmware = [ pkgs.firmwareLinuxNonfree ]; keyboard.uhk.enable = true; nitrokey.enable = true; }; # sound.enable = true; nix = { settings = { auto-optimise-store = true; max-jobs = 4; }; daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; buildServers.vidhar = let vidhar = flake.nixosConfigurations.vidhar; in { address = "vidhar.yggdrasil"; systems = [vidhar.config.nixpkgs.system] ++ vidhar.config.nix.settings.extra-platforms; supportedFeatures = vidhar.config.nix.settings.system-features; maxJobs = 12; speedFactor = 4; }; }; systemd.services."nix-daemon" = { serviceConfig = { CPUQuota = "400%"; }; }; environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; systemd.services."ac-plugged" = { description = "Inhibit handling of lid-switch and sleep"; path = with pkgs; [ systemd coreutils ]; script = '' exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity ''; serviceConfig = { Type = "simple"; }; }; services.udev.extraRules = with pkgs; lib.mkAfter '' SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service" SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service" ''; systemd.services."nix-daemon".serviceConfig = { MemoryAccounting = true; MemoryHigh = "50%"; MemoryMax = "75%"; }; services.journald.extraConfig = '' SystemMaxUse=100M ''; services.dbus.packages = with pkgs; [ dbus dconf ]; services.udisks2.enable = true; programs = { light.enable = true; wireshark.enable = true; dconf.enable = true; }; services.pcscd.enable = true; sops.secrets.gkleen-rclone = { sopsFile = ./gkleen-rclone.yaml; key = "passphrase"; owner = "gkleen"; group = "users"; }; i18n.inputMethod = { enable = true; type = "ibus"; }; environment.sessionVariables."GTK_USE_PORTAL" = "1"; xdg.portal = { enable = true; extraPortals = with pkgs; [xdg-desktop-portal-gtk]; config.niri = { default = ["gnome" "gtk"]; "org.freedesktop.impl.portal.FileChooser" = ["gtk"]; "org.freedesktop.impl.portal.OpenFile" = ["gtk"]; "org.freedesktop.impl.portal.Access" = ["gtk"]; "org.freedesktop.impl.portal.Notification" = ["gtk"]; "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; "org.freedesktop.impl.portal.Inhibit" = ["none"]; }; }; services.gnome.gnome-keyring.enable = lib.mkForce true; environment.persistence."/.bcachefs" = { hideMounts = true; directories = [ "/nix" "/root" "/var/log" "/var/lib/sops-nix" "/var/lib/nixos" "/var/lib/systemd" "/home" "/var/lib/chrony" "/var/lib/fprint" "/var/lib/bluetooth" "/var/lib/upower" "/var/lib/postfix" "/etc/NetworkManager/system-connections" { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; } ]; files = [ ]; }; systemd.services.timezone = { wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime"; ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime"; }; }; services.tzupdate.enable = true; security.pam.services.gtklock = {}; home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; system.stateVersion = "24.11"; }; }