{ config, pkgs, lib, ... }: { boot = { initrd = { availableKernelModules = [ "xhci_pci" "ahci" ]; kernelModules = [ "dm-snapshot" ]; luks.devices = { croot = { device = "/dev/sdb"; allowDiscards = true; }; }; }; kernelModules = [ "kvm-intel" ]; kernelPackages = pkgs.linuxPackages_latest; loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; }; hardware = { enableRedistributableFirmware = true; cpu.intel.updateMicrocode = true; opengl.driSupport32Bit = true; opengl.extraPackages = with pkgs; [ vaapiIntel intel-media-driver intel-compute-runtime ]; }; fileSystems = { "/" = { device = "/dev/sda2"; fsType = "xfs"; options = [ "noatime" ]; }; "/boot" = { device = "/dev/sda1"; fsType = "vfat"; }; "/nas" = { device = "nas:/"; fsType = "nfs4"; options = [ "ro" "x-systemd.automount" ]; }; }; swapDevices = [ { device = "/dev/swap"; } ]; networking = { useDHCP = false; hostName = "host"; wireless = { enable = true; interfaces = [ "eth1" ]; }; interfaces = { eth0.useDHCP = true; eth1.useDHCP = true; }; wg-quick.interfaces = { wg0 = { address = [ "2001:db8::1" ]; privateKeyFile = "/etc/secrets/wg0.key"; peers = [ { publicKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; endpoint = "[2001:db8::2]:61021"; allowedIPs = [ "2001::db8:1::/64" ]; } ]; }; }; firewall.allowedUDPPorts = [ 4567 ]; }; i18n = { defaultLocale = "en_US.UTF-8"; inputMethod.enabled = "ibus"; }; services = { xserver = { enable = true; layout = "us"; xkbVariant = "altgr-intl"; xkbOptions = "ctrl:nocaps"; libinput.enable = true; wacom.enable = true; videoDrivers = [ "modesetting" ]; modules = [ pkgs.xf86_input_wacom ]; displayManager.sx.enable = true; windowManager.i3.enable = true; }; udev.extraHwdb = '' # not like this mattered at all # we're not running udev from here ''; udev.extraRules = '' # ACTION=="add", SUBSYSTEM=="input", ... ''; }; sound.enable = true; hardware.pulseaudio = { enable = true; package = pkgs.pulseaudioFull; daemon.config = { lock-memory = "yes"; realtime-scheduling = "yes"; rlimit-rtprio = "-1"; }; }; programs = { light.enable = true; wireshark = { enable = true; package = pkgs.wireshark-qt; }; gnupg.agent = { enable = true; }; }; fonts.packages = with pkgs; [ font-awesome noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra dejavu_fonts powerline-fonts source-code-pro cantarell-fonts ]; users = { mutableUsers = false; users = { user = { isNormalUser = true; group = "user"; extraGroups = [ "wheel" "video" "audio" "dialout" "users" "kvm" "wireshark" ]; password = "unimportant"; }; }; groups = { user = { }; }; }; security = { pam.loginLimits = [ { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; } { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; } { domain = "@audio"; item = "nofile"; type = "soft"; value = "99999"; } { domain = "@audio"; item = "nofile"; type = "hard"; value = "99999"; } ]; sudo.extraRules = [ { users = [ "user" ]; commands = [ { command = "${pkgs.linuxPackages.cpupower}/bin/cpupower"; options = [ "NOPASSWD" ]; } ]; } ]; }; environment.systemPackages = with pkgs; [ a2jmidid age ardour bemenu blender breeze-icons breeze-qt5 bubblewrap calf claws-mail darktable duperemove emacs feh file firefox fluidsynth gnome3.adwaita-icon-theme gnuplot graphviz helm i3status-rust inkscape jack2 jq krita ldns libqalculate libreoffice man-pages nheko nix-diff nix-index nix-output-monitor open-music-kontrollers.patchmatrix pamixer pavucontrol pciutils picom pwgen redshift ripgrep rlwrap silver-searcher soundfont-fluid whois wol xclip xdot xdotool xorg.xkbcomp yt-dlp zathura borgbackup linuxPackages.cpupower mtr kitty xf86_input_wacom ]; environment.pathsToLink = [ "/share/soundfonts" ]; systemd.user.services.run-python = { after = [ "network-online.target" ]; script = '' exec ${pkgs.python3}/bin/python ''; serviceConfig = { CapabilityBoundingSet = [ "" ]; KeyringMode = "private"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; PrivateUsers = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "strict"; RestrictAddressFamilies = "AF_INET AF_INET6"; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~ @resources @privileged" ]; UMask = "077"; }; }; system.stateVersion = "23.11"; }