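# Base NixOS host configuration: boot loader, locale/console, Nix daemon
# settings, pinned SSH host keys and the common system package set.
{ pkgs, config, lib, ... }:

{
  # Users are managed through nix. If a user is added manually, it
  # will be removed on system activation.
  users.mutableUsers = false;

  boot = {
    loader = {
      # Use the systemd-boot EFI boot loader.
      systemd-boot = {
        enable = true;
        # Disabling the boot-menu editor prohibits gaining root access by
        # passing init=/bin/sh as a kernel parameter at the boot prompt.
        editor = false;
        # see https://www.man7.org/linux/man-pages/man5/loader.conf.5.html
        consoleMode = "max";
      };
      efi.canTouchEfiVariables = true;
    };

    tmp = {
      cleanOnBoot = true;
      useTmpfs = true;
    };

    kernelPackages = pkgs.linuxPackages_latest;
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "America/Los_Angeles";

  console = {
    earlySetup = true;
    font = "${pkgs.terminus_font}/share/consolefonts/ter-132n.psf.gz";
    packages = with pkgs; [ terminus_font ];
    keyMap = "us";
  };

  # Members of wheel escalate to root without re-authenticating, so the
  # account login credential is the only barrier; anything running as a
  # wheel user inherits that. Keep wheel membership minimal.
  security.sudo.wheelNeedsPassword = false;
  security.polkit.enable = true;

  services.fstrim.enable = true;
  services.fwupd.enable = true;

  programs.ssh = {
    # Pinned host keys disable trust-on-first-use prompts for these hosts.
    # Obtain them with `ssh-keyscan example.com` and verify the fingerprint
    # out of band before committing a new entry.
    knownHosts = {
      github = {
        hostNames = [ "github.com" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
      };
      rsync = {
        hostNames = [ "de2664.rsync.net" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObQN4P/deJ/k4P4kXh6a9K4Q89qdyywYetp9h3nwfPo";
      };
    };
  };

  nix = {
    # NOTE(review): nixFlakes is a compatibility alias in newer nixpkgs
    # (nixVersions.stable); confirm against the pinned nixpkgs revision.
    package = pkgs.nixFlakes;

    settings = {
      # Trusted users can pass arbitrary substituters, keys and sandbox
      # options to the daemon, which is root-equivalent on this host. Only
      # list accounts that already hold root (wheel has passwordless sudo).
      trusted-users = [ "root" "@wheel" ];
      auto-optimise-store = true;

      # Binary caches are only used when both the URL and its signing key
      # are listed; keep the two lists in step.
      substituters = [
        "https://cachix.cachix.org"
        "https://nix-community.cachix.org"
      ];
      trusted-public-keys = [
        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];

      experimental-features = [ "nix-command" "flakes" ];

      # Whether to warn about dirty Git/Mercurial trees - this is not
      # useful information to me.
      warn-dirty = false;

      # The timeout (in seconds) for establishing connections in the binary
      # cache substituter. It corresponds to curl's --connect-timeout option.
      # The default is equivalent to 300 seconds, way too long.
      connect-timeout = 5;

      # The number of lines of the tail of the log to show if a build fails.
      # The default is 10 and it's usually too short.
      log-lines = 25;

      # If set to true, Nix will fall back to building from source if
      # a binary substitute fails. This is equivalent to the --fallback
      # flag. The default is false.
      fallback = true;
    };

    gc = {
      automatic = true;
      options = "--delete-older-than 14d";
    };
  };

  environment.shells = with pkgs; [ bashInteractive ];

  environment.systemPackages = with pkgs; [
    binutils
    cacert
    curl
    dmidecode
    ethtool
    flamegraph
    git
    htop
    hwdata
    iftop
    iptraf-ng
    # Take kernel-coupled tools from the running kernel's package set rather
    # than the default linuxPackages, so they match boot.kernelPackages.
    config.boot.kernelPackages.cpupower
    config.boot.kernelPackages.perf
    lm_sensors
    lsb-release
    lsof
    man-pages
    mg
    mtr
    numactl
    parted
    pciutils
    perf-tools
    powertop
    rsync
    sqlite
    strace
    tcpdump
    tmux
    traceroute
    unzip
    usbutils
    vim
    wget
    wireguard-tools

    # my custom tools
    tools.perf-flamegraph-pid
  ];

  programs.bcc.enable = true;
  programs.zsh.enable = true;

  # Show installed packages
  # (https://www.reddit.com/r/NixOS/comments/fsummx/comment/fm45htj/?utm_source=share&utm_medium=web2x&context=3)
  # Written to /etc/installed-packages as one sorted, de-duplicated
  # package name per line.
  environment.etc."installed-packages".text =
    let
      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
      formatted = builtins.concatStringsSep "\n" sortedUnique;
    in
    formatted;
}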