
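{
  pkgs,
  lib,
  config,
  machineConfig,
  ...
}:

# Base profile every machine opts into: host identity, networkd + nftables
# firewall, the project's own hardening/utility sub-modules, and an
# activation hook that shows what a switch is about to change.
{

  options.common.profiles.base.enable = lib.mkEnableOption "base profile";

  config = lib.mkIf config.common.profiles.base.enable {
    # NOTE(review): 1 enables *every* SysRq function (kill processes, remount,
    # crash/reboot, ...) for whoever reaches the console or keyboard; 16 (sync
    # only) or 0 is the hardened setting. Confirm this is wanted on machines
    # reachable physically or through a serial/VM console. mkDefault so a
    # host can override it.
    boot.kernel.sysctl."kernel.sysrq" = lib.mkDefault 1;

    # make things more declarative: userborn manages users/groups from this
    # configuration.
    services.userborn.enable = lib.mkDefault true;
    # NOTE(review): while this stays commented out users remain mutable, so
    # accounts and passwords can still be changed imperatively and drift from
    # the config. Flipping it requires every account's password to be given
    # declaratively (hashedPassword/hashedPasswordFile) -- verify before enabling.
    #users.mutableUsers = lib.mkForce false;

    networking = {
      # hostId must be exactly 8 hex digits; deriving it from the machine name
      # keeps it stable across reinstalls (it is an identity marker, used e.g.
      # by ZFS for pool ownership, not a secret).
      hostId = builtins.substring 0 8 (builtins.hashString "sha256" machineConfig.machineName);
      hostName = machineConfig.machineName;
      domain = lib.mkDefault machineConfig.domain;

      # systemd-networkd with explicit per-interface config; no global DHCP.
      useNetworkd = lib.mkDefault true;
      useDHCP = lib.mkDefault false;

      # Host firewall on by default, nftables backend.
      nftables.enable = lib.mkDefault true;
      firewall.enable = lib.mkDefault true;
    };

    # Non-free but redistributable firmware blobs (wifi, GPU, ...).
    hardware.enableRedistributableFirmware = true;

    common = {
      profiles = {
        # CPU-vendor profiles keyed on the per-machine hardware description.
        amdCpu.enable = lib.mkDefault (machineConfig.hardware.cpuVendor == "amd");
        intelCpu.enable = lib.mkDefault (machineConfig.hardware.cpuVendor == "intel");
      };

      configure = {
        boot.enable = lib.mkDefault true;

        locale.enable = lib.mkDefault true;
        sops.enable = lib.mkDefault true;

        # Hard requirement, hence no mkDefault.
        nix.enable = true;
      };

      services = {
        # Hard requirement (remote administration), hence no mkDefault.
        openssh.enable = true;
      };

      # Project hardening modules (their contents live in their own files); a
      # host may disable one individually.
      security = {
        nix.enable = lib.mkDefault true;
        kernel.enable = lib.mkDefault true;
        networking.enable = lib.mkDefault true;
      };

      programs = {
        shellUtilities.enable = lib.mkDefault true;
        systemUtilities.enable = lib.mkDefault true;
        networkUtilities.enable = lib.mkDefault true;

        fish.enable = lib.mkDefault true;
      };
    };

    programs = {
      command-not-found.enable = false; # Not usable without channels; use nix-index instead.
    };

    services = {
      # dbus-broker instead of the reference dbus daemon.
      dbus.implementation = "broker";
    };

    # Skip sudo's one-time "We trust you have received the usual lecture from the local System Administrator." banner.
    security.sudo.extraConfig = "Defaults lecture=\"never\"";

    system = {
      stateVersion = lib.mkDefault "25.11";

      # thanks piegames (https://git.darmstadt.ccc.de/piegames/home-config/-/blob/master/modules/generic.nix#L84)
      # Show what a switch changes: package versions via nvd and a text diff of
      # the activation script, /etc and the systemd units. This is reporting
      # only and must never fail an activation, so every command is wrapped in
      # `|| true` and the whole thing is skipped when there is no previous
      # system to compare against.
      activationScripts = {
        diff = {
          supportsDryActivation = true;
          text = ''
            # /run/current-system is absent on a fresh install and, as far as I
            # can tell, during the boot-time activation run as well (NixOS only
            # creates that link at the end of activation). Without this guard
            # readlink yields "" and nvd fails, which gets reported as a failed
            # activation.
            if [ -e /run/current-system ]; then
              prevSystem="$(readlink /run/current-system)"
              ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff "$prevSystem" "$systemConfig" || true
              # Ignore "failures" because these tools have weird exit codes.
              # -I '\/nix\/store' drops lines that differ only by a store path,
              # which every rebuild changes anyway.
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -- "$prevSystem/activate" "$systemConfig/activate" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
              # NOTE(review): this prints the content of changed /etc files to
              # the terminal/journal; keep secret material out of /etc (or add
              # -x exclusions for it) so it is not echoed on every switch.
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -x "os-release" -x "issue" \
                -- "$prevSystem/etc" "$systemConfig/etc" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -x "environment.d" \
                -x "hwdb.d" \
                -- "$prevSystem/systemd" "$systemConfig/systemd" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
            fi
          '';
        };
      };
    };
  };

}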