{ pkgs, ... }:

let
  # Both WireGuard profiles below dial the same VPS peer with the same client
  # identity; only the set of prefixes routed into the tunnel differs.
  wgVpsEndpoint = "178.104.15.221:51820";
  wgVpsPublicKey = "F2hvz4vx9VrM6IZ2zMUG2FMPMCMwmfxGH9qocbe4q3U=";
  wgClientAddress = [ "10.100.0.2/24" ];
  # Private key lives outside the Nix store (the store is world-readable).
  wgPrivateKeyFile = "/etc/wireguard/private.key";

  # Build the single VPS peer entry; `routed` becomes the peer's allowedIPs.
  mkVpsPeer = routed: {
    publicKey = wgVpsPublicKey;
    endpoint = wgVpsEndpoint;
    allowedIPs = routed;
    persistentKeepalive = 25;
  };

  locale = "en_US.UTF-8";
  # Every LC_* category pinned to `locale` in i18n.extraLocaleSettings.
  lcCategories = [
    "LC_ADDRESS"
    "LC_IDENTIFICATION"
    "LC_MEASUREMENT"
    "LC_MONETARY"
    "LC_NAME"
    "LC_NUMERIC"
    "LC_PAPER"
    "LC_TELEPHONE"
    "LC_TIME"
  ];
in
{
  imports = [
    ./hardware-configuration.nix
    ./stylix.nix
    # ./Hyprsuck/hyprsuck.nix
    ./Suckless/suckless.nix
    ./ryzenadj.nix
    # ./virtualisation.nix
    ./Hetzner/setup.nix
  ];

  nix = {
    # NOTE(review): no buildMachines are declared in this file; presumably
    # they come from ./Hetzner/setup.nix — confirm, otherwise this is a no-op.
    distributedBuilds = true;

    settings = {
      experimental-features = [ "nix-command" "flakes" ];

      # Axium binary caches.  A store path signed by any key listed in
      # trusted-public-keys is installed from these substituters without a
      # local rebuild, so each key below is a party whose build output this
      # host runs as-is.
      substituters = [
        "https://cache.nixos.org"
        "https://axium.cachix.org"
        "https://cache.axiomania.org/main"
      ];
      trusted-public-keys = [
        "axium.cachix.org-1:BfzPfRTbbCYmaQrVLSWchgsR4ScA9ZCZ389FyWspUH8="
        "main:Uz5F0MbXItVx2XCmBbEAMmQ0T6+DZDgLaXWalh1k++o="
      ];

      http-connections = 128;
      max-substitution-jobs = 128;
      max-jobs = "auto";
    };
  };

  boot.loader = {
    systemd-boot = {
      enable = true;
      configurationLimit = 10;
    };
    efi.canTouchEfiVariables = true;
    timeout = 1;
  };

  networking = {
    hostName = "v3";
    networkmanager.enable = true;

    # Pin VPN-only services to the WireGuard server address so they are only
    # reachable through the tunnel and nginx sees a 10.100.0.x source.  With
    # the tunnel down these names resolve but do not connect (fails closed).
    hosts."10.100.0.1" = [
      "vault.axiomania.org"
      "music.axiomania.org"
      "sync.axiomania.org"
      "books.axiomania.org"
      "audio.axiomania.org"
      "docs.axiomania.org"
      "search.axiomania.org"
      "home.axiomania.org"
    ];

    # ==========================================================================
    # WireGuard VPN profiles
    # ==========================================================================
    # Generate keys: wg genkey | sudo tee /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
    # Then add the public key as a peer on the VPS.
    # Start/stop: sudo systemctl start/stop wg-quick-wg-services / wg-quick-wg-vpn
    #
    # NOTE(review): both interfaces claim the same client address and key, so
    # presumably only one is meant to be up at a time; wg-services autostarts,
    # so stop it before starting wg-vpn — confirm this is the intended workflow.
    wg-quick.interfaces = {
      # Profile 1: split tunnel — only the 10.100.0.0/24 range goes through.
      wg-services = {
        autostart = true;
        address = wgClientAddress;
        privateKeyFile = wgPrivateKeyFile;
        peers = [ (mkVpsPeer [ "10.100.0.0/24" ]) ];
      };

      # Profile 2: full tunnel, with the VPS as resolver (AdGuard ad-blocking).
      wg-vpn = {
        autostart = false;
        address = wgClientAddress;
        dns = [ "10.100.0.1" ];
        privateKeyFile = wgPrivateKeyFile;
        # NOTE(review): only 0.0.0.0/0 is routed here, so if this host has
        # native IPv6 connectivity that traffic bypasses the tunnel; adding
        # "::/0" would close that path — confirm the VPS side first.
        peers = [ (mkVpsPeer [ "0.0.0.0/0" ]) ];
      };
    };
  };

  hardware.bluetooth.enable = true;

  time.timeZone = "Asia/Ho_Chi_Minh";
  i18n.defaultLocale = locale;
  i18n.extraLocaleSettings = pkgs.lib.genAttrs lcCategories (_: locale);

  # Required for home-manager xdg.portal with useUserPackages
  environment.pathsToLink = [
    "/share/applications"
    "/share/xdg-desktop-portal"
  ];

  # Lets unpatched dynamically linked binaries (e.g. downloaded tools) run.
  programs.nix-ld.enable = true;

  # Needed by PipeWire for realtime scheduling.
  security.rtkit.enable = true;

  services = {
    # Console auto-login for the wheel-group user below: anyone with physical
    # access to the console lands in that session without a password.
    getty.autologinUser = "lebowski";

    # PulseAudio is replaced by PipeWire's pulse compatibility server.
    pulseaudio.enable = false;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    # GVfs - for Nautilus trash, network shares, MTP devices
    gvfs.enable = true;
    # UPower - battery/power device monitoring
    upower.enable = true;
    # Power Profiles Daemon - power management (performance/balanced/power-saver)
    power-profiles-daemon.enable = true;
  };

  users.users.lebowski = {
    isNormalUser = true;
    description = "Antoine Lespinasse";
    # "wheel" grants administrative rights; "input" gives raw access to
    # input devices (used by the window-manager tooling).
    extraGroups = [ "networkmanager" "wheel" "input" ];
  };

  # System packages (stable for core tools)
  environment.systemPackages = with pkgs; [
    # CLI tools
    wget
    git
    bat
    btop
    ncdu
    nmap
    neofetch
    xdotool
    jq
    attic-client
    wireguard-tools
    sox

    # Thumbnailing / rendering support libraries
    ffmpegthumbnailer
    gdk-pixbuf
    librsvg
    evince
    libgsf
    libjxl
    libavif

    # Disk utilities
    gparted
    gnome-disk-utility

    # Image / PDF viewers
    kdePackages.gwenview
    kdePackages.okular

    # File browser
    xfce.thunar
    xfce.thunar-volman
    xfce.tumbler # thumbnails
  ];

  system.stateVersion = "25.11";
}