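{ pkgs, config, lib, ... }:
# Default system profile (profiles/default.nix): boot loader, console,
# pinned SSH host keys, Nix daemon settings and the baseline package set.
{
  # Users are managed through nix. If a user is added manually, it
  # will be removed on system activation.
  users.mutableUsers = false;

  boot = {
    loader = {
      # Use the systemd-boot EFI boot loader.
      systemd-boot.enable = true;
      # Prohibits gaining root access by passing init=/bin/sh as a
      # kernel parameter
      systemd-boot.editor = false;
      efi.canTouchEfiVariables = true;
    };

    kernelPackages = pkgs.linuxPackages_latest;
    # /tmp is cleared at boot and backed by tmpfs, so nothing written
    # there survives a reboot.
    # NOTE(review): newer NixOS releases move these options under
    # boot.tmp.* - confirm against the release this profile targets.
    cleanTmpDir = true;
    tmpOnTmpfs = true;
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  time.timeZone = "America/Los_Angeles";

  # see https://www.man7.org/linux/man-pages/man5/loader.conf.5.html
  boot.loader.systemd-boot.consoleMode = "max";

  console = {
    earlySetup = true;
    font = "${pkgs.terminus_font}/share/consolefonts/ter-132n.psf.gz";
    packages = with pkgs; [ terminus_font ];
    keyMap = "us";
  };

  # Members of wheel get sudo without a password prompt; any compromise of
  # a wheel account is therefore root with no further check.
  security.sudo.wheelNeedsPassword = false;
  security.polkit.enable = true;

  services.fstrim.enable = true;

  # fwupd: firmware updates for supported devices.
  services.fwupd.enable = true;

  programs.ssh = {
    # Pinned host keys: no trust-on-first-use prompt, and a key that does
    # not match the pin is rejected instead of being accepted.
    # $ ssh-keyscan example.com
    # Compare the scanned key with the provider's published fingerprints
    # before pinning it - keyscan alone trusts whatever host answered.
    knownHosts = {
      github = {
        hostNames = [ "github.com" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
      };
      rsync = {
        hostNames = [ "de2664.rsync.net" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObQN4P/deJ/k4P4kXh6a9K4Q89qdyywYetp9h3nwfPo";
      };
    };
  };

  nix = {
    # Nix build with flake support; flakes are switched on via
    # experimental-features below.
    package = pkgs.nixFlakes;
    settings = {
      # Trusted users may override daemon-enforced settings such as
      # substituters and sandboxing; the Nix manual treats this as
      # equivalent to root access, so @wheel here extends the
      # passwordless-sudo trust above.
      trusted-users = [ "root" "@wheel" ];
      auto-optimise-store = true;
      # NOTE(review): defining substituters here may replace rather than
      # extend the default cache list - confirm cache.nixos.org is still
      # consulted (the fallback = true below suggests misses were seen).
      substituters = [
        "https://cachix.cachix.org"
        "https://nix-community.cachix.org"
      ];
      # Store paths from the substituters above are only accepted when
      # signed by one of these keys.
      trusted-public-keys = [
        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      experimental-features = [ "nix-command" "flakes" ];
      # Whether to warn about dirty Git/Mercurial trees - this is not
      # useful information to me.
      warn-dirty = false;
      # The timeout (in seconds) for establishing connections in the binary
      # cache substituter. It corresponds to curl's --connect-timeout option.
      # The default is equivalent to 300 seconds, way too long.
      connect-timeout = 5;
      # The number of lines of the tail of the log to show if a build fails.
      # The default is 10 and it's usually too short.
      log-lines = 25;
      # If set to true, Nix will fall back to building from source if
      # a binary substitute fails. This is equivalent to the --fallback
      # flag. The default is false.
      fallback = true;
    };

    gc = {
      # Periodic garbage collection; profile generations older than 14
      # days are dropped before unreferenced store paths are removed.
      automatic = true;
      options = "--delete-older-than 14d";
    };
  };

  environment.shells = with pkgs; [ bashInteractive ];

  environment.systemPackages = with pkgs; [
    binutils
    cacert
    curl
    dmidecode
    ethtool
    flamegraph
    git
    htop
    hwdata
    iftop
    iptraf-ng
    # Kernel-tied userspace tools are taken from the configured kernel's
    # package set so they match the running kernel (linuxPackages_latest
    # above), rather than the default linuxPackages.
    config.boot.kernelPackages.cpupower
    config.boot.kernelPackages.perf
    lm_sensors
    lsb-release
    lsof
    man-pages
    mg
    mtr
    numactl
    parted
    pciutils
    perf-tools
    powertop
    rsync
    sqlite
    strace
    tcpdump
    tmux
    traceroute
    unzip
    usbutils
    vim
    wget
    wireguard-tools

    # my custom tools
    # presumably `tools` is added to pkgs by an overlay - verify against
    # the overlay/flake that builds this profile.
    tools.perf-flamegraph-pid
  ];

  # BCC (eBPF) tracing tools.
  programs.bcc.enable = true;

  # Show installed packages (https://www.reddit.com/r/NixOS/comments/fsummx/comment/fm45htj/?utm_source=share&utm_medium=web2x&context=3)
  # Writes the sorted, de-duplicated names of everything in
  # environment.systemPackages to /etc/installed-packages, so the
  # installed set can be inspected on the host without evaluating Nix.
  environment.etc."installed-packages".text =
    let
      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
      formatted = builtins.concatStringsSep "\n" sortedUnique;
    in
    formatted;
}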