# Base NixOS module: boot loader, locale and console, sudo/polkit, pinned
# SSH host keys, Nix daemon settings (binary caches, GC) and a set of
# diagnostic tools installed system-wide.
{ pkgs, config, lib, ... }:
{
  # Accounts are declared in Nix only. A user added by hand is removed
  # again on the next system activation.
  users.mutableUsers = false;

  boot = {
    loader = {
      systemd-boot = {
        # Boot through the systemd-boot EFI boot loader.
        enable = true;
        # Disable the boot-entry editor so nobody at the console can
        # append init=/bin/sh to the kernel command line and get a
        # root shell.
        editor = false;
        # see https://www.man7.org/linux/man-pages/man5/loader.conf.5.html
        consoleMode = "max";
      };
      efi.canTouchEfiVariables = true;
    };
    kernelPackages = pkgs.linuxPackages_latest;
    cleanTmpDir = true;
    tmpOnTmpfs = true;
  };

  # Internationalisation and time zone.
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "America/Los_Angeles";

  console = {
    earlySetup = true;
    font = "${pkgs.terminus_font}/share/consolefonts/ter-132n.psf.gz";
    packages = with pkgs; [ terminus_font ];
    keyMap = "us";
  };

  security = {
    # NOTE(review): members of wheel can sudo without a password, and
    # @wheel is also listed in nix.settings.trusted-users below, so any
    # wheel account is root-equivalent on this host. Keep the group
    # small and protect how those accounts log in.
    sudo.wheelNeedsPassword = false;
    polkit.enable = true;
  };

  services = {
    fstrim.enable = true;
    fwupd.enable = true;
  };

  programs = {
    ssh = {
      # Host keys pinned for every user on the machine.
      # $ ssh-keyscan example.com
      # NOTE(review): ssh-keyscan only reports what the network returned
      # at that moment; compare each key with the fingerprint the
      # provider publishes before pinning or rotating it here.
      knownHosts = {
        github = {
          hostNames = [ "github.com" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
        };
        rsync = {
          hostNames = [ "de2664.rsync.net" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObQN4P/deJ/k4P4kXh6a9K4Q89qdyywYetp9h3nwfPo";
        };
      };
    };
    bcc.enable = true;
  };

  nix = {
    package = pkgs.nixFlakes;
    settings = {
      # Trusted users may override daemon settings such as the list of
      # substituters, which is effectively root access to the store.
      trusted-users = [ "root" "@wheel" ];
      auto-optimise-store = true;
      # Binary caches queried for prebuilt store paths. A path from a
      # cache is accepted when it is signed by one of the keys in
      # trusted-public-keys, so each entry below extends the set of
      # parties whose builds this machine will run.
      substituters = [
        "https://cachix.cachix.org"
        "https://nix-community.cachix.org"
      ];
      trusted-public-keys = [
        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      experimental-features = [ "nix-command" "flakes" ];
      # Do not warn about dirty Git/Mercurial trees - this is not
      # useful information to me.
      warn-dirty = false;
      # Timeout (in seconds) for establishing connections in the binary
      # cache substituter; corresponds to curl's --connect-timeout.
      # The default is equivalent to 300 seconds, way too long.
      connect-timeout = 5;
      # Number of trailing log lines shown when a build fails.
      # The default is 10 and it's usually too short.
      log-lines = 25;
      # Build from source when a binary substitute fails; equivalent to
      # the --fallback flag. The default is false.
      fallback = true;
    };
    gc = {
      automatic = true;
      options = "--delete-older-than 14d";
    };
  };

  environment = {
    shells = with pkgs; [ bashInteractive ];
    systemPackages = with pkgs; [
      binutils
      cacert
      curl
      dmidecode
      ethtool
      flamegraph
      git
      htop
      hwdata
      iftop
      iptraf-ng
      # NOTE(review): cpupower is taken from the default linuxPackages
      # set while perf follows config.boot.kernelPackages
      # (linuxPackages_latest above) - confirm the mismatch is intended.
      linuxPackages.cpupower
      config.boot.kernelPackages.perf
      lm_sensors
      lsb-release
      lsof
      man-pages
      mg
      mtr
      numactl
      parted
      pciutils
      perf-tools
      powertop
      rsync
      sqlite
      strace
      tcpdump
      tmux
      traceroute
      unzip
      usbutils
      vim
      wget
      wireguard-tools
      # my custom tools
      tools.perf-flamegraph-pid
    ];
  };
}