Initial import from nixos-config-old

.gitignore

@@ -0,0 +1 @@
+result

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "private"]
+	path = private
+	url = git@github.com:artemist/nixos-config-private.git

boot-config.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernel.sysctl."vm.swappiness" = 5;
+    cleanTmpDir = true;
+    loader.systemd-boot.enable = true;
+
+    initrd.luks = {
+      reusePassphrases = true;
+      devices = {
+        balrog = {
+          device = "/dev/disk/by-uuid/274ec302-20b7-43bf-aa72-895ffdd96919";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+    };
+  };
+
+  services.udev = {
+    packages = [
+      pkgs.android-udev-rules
+      pkgs.openocd
+      (pkgs.callPackage ./externals/rules/adafruit.nix { })
+      (pkgs.callPackage ./externals/rules/fpga.nix { })
+      (pkgs.callPackage ./externals/rules/limesuite.nix { })
+      (pkgs.callPackage ./externals/rules/cm-rgb.nix { })
+      (pkgs.callPackage ./externals/rules/uhk.nix { })
+    ];
+  };
+}

configuration.nix

@@ -0,0 +1,186 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+    ./private  
+    ./hardware-configuration.nix
+    ./boot-config.nix
+    ./packages.nix
+    ./fonts.nix
+    ./ssh.nix
+  ];
+
+  nix = {
+    daemonNiceLevel = 5;
+    daemonIONiceLevel = 1;
+    autoOptimiseStore = true;
+    gc = {
+      automatic = true;
+      dates = "00:00";
+      options = "--delete-older-than 14d";
+    };
+    trustedUsers = [ "artemis" ];
+  };
+
+  console = {
+    keyMap = "us";
+    earlySetup = true;
+  };
+
+  i18n.defaultLocale = "de_DE.UTF-8";
+
+  nixpkgs = {
+    config.allowUnfree = true;
+  };
+
+  time.timeZone = "Etc/UTC";
+
+  environment = {
+    variables = {
+      MOZ_USE_XINPUT2 = "1";
+      EDITOR = "nvim";
+      TERMINAL = "kitty";
+      _JAVA_AWT_WM_NONREPARENTING = "1";
+    };
+    enableDebugInfo = true;
+    shellAliases = {
+      vim = "nvim";
+    };
+  };
+
+  sound.enable = true;
+
+  virtualisation = {
+    docker.enable = true;
+    lxd = {
+      enable = true;
+      recommendedSysctlSettings = true;
+    };
+  };
+
+  security = {
+    pam = {
+      u2f = {
+        enable = true;
+        authFile = "/etc/u2f_keys";
+        cue = true;
+      };
+      services.swaylock.u2fAuth = false;
+      services.i3lock.u2fAuth = false;
+      services.login.u2fAuth = false;
+      services.sytemd-user.u2fAuth = false;
+      services.xlock.u2fAuth = false;
+      services.xscreensaver.u2fAuth = false;
+    };
+    polkit.enable = true;
+  };
+
+  services = {	
+    avahi = {
+      enable = true;
+      nssmdns = true;
+      publish = {
+        enable = true;
+        userServices = true;
+      };
+    };
+    accounts-daemon.enable = true;
+    chrony.enable = true;
+    flatpak.enable = true;
+    fwupd.enable = true;
+    kbfs.enable = true;
+    keybase.enable = true;
+    logind.extraConfig = "HandlePowerKey=suspend";
+    pcscd.enable = true;
+    syncthing = {
+      enable = true;
+      user = "artemis";
+      dataDir = "/home/artemis";
+    };
+    printing = {
+      enable = true;
+      drivers = with pkgs; [ gutenprint gutenprintBin ];
+    };
+  };
+  xdg.portal = {
+    enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  };
+
+  hardware = {	
+    cpu.amd.updateMicrocode = true;
+    u2f.enable = true;
+    bluetooth.enable = true;
+    opengl = {	
+      extraPackages = [ pkgs.vaapiVdpau pkgs.libvdpau-va-gl ];
+      driSupport32Bit = true;
+    };
+    pulseaudio = {
+      enable = true;
+      package = pkgs.pulseaudioFull;
+      support32Bit = true;
+      daemon.config.flat-volumes = "no";
+    };
+  };
+
+  networking = {
+    hostName = "balrog";
+    firewall.enable = false;
+    networkmanager = {
+      enable = true;
+      ethernet.macAddress = "random";
+      wifi.macAddress = "random";
+    };
+  };
+
+  programs = {
+    adb.enable = true;
+    java = {
+      enable = true;
+      package = pkgs.adoptopenjdk-bin;
+    };
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+    sway = {
+      enable = true;
+      wrapperFeatures.gtk = true;
+    };
+    light.enable = true;
+    wireshark = {
+      enable = true;
+      package = pkgs.wireshark-qt;
+    };
+    firejail.enable = true;	
+    fish.enable = true;
+    xonsh.enable = true;
+  };
+
+  users = {
+    users.artemis = {
+      isNormalUser = true;
+      description = "Artemis Tosini";
+      uid = 1000;
+      shell = "/run/current-system/sw/bin/fish";
+      extraGroups = ["networkmanager" "wheel" "adbusers" "wireshark" "video" "docker" "lxd" "plugdev" "dialout"];
+      # hashedPassword set in private
+    };
+    extraGroups.plugdev = { };
+    users.root = {
+      subUidRanges = [ { startUid = 16777216; count = 16777216; } { startUid = config.users.users.artemis.uid; count = 1; } ];
+      subGidRanges = [ { startGid = 16777216; count = 16777216; } { startGid = 100; count = 1; } ];
+    };
+    mutableUsers = false;
+  };
+  systemd.extraConfig = "DefaultLimitCORE=infinity";
+  security.pam.loginLimits = [ { domain = "*"; item = "core"; type = "hard"; value = "infinity"; } ];
+
+  system.stateVersion = "19.03";
+
+}

externals/rules/adafruit.nix

@@ -0,0 +1,7 @@
+{ writeTextFile }:
+
+writeTextFile {
+  name = "adafruit-udev-rules";
+  text = builtins.readFile ./adafruit.rules;
+  destination = "/etc/udev/rules.d/70-adafruit.rules";
+}

externals/rules/adafruit.rules

@@ -0,0 +1,13 @@
+
+# Make Trinket/Pro Trinket/Gemma/Flora programmable without running Arduino as root.
+SUBSYSTEM=="usb", ATTRS{idProduct}=="0c9f", ATTRS{idVendor}=="1781", MODE="0660", GROUP="dialout"
+
+# Blacklist Adafruit USB CDC boards from being manipulated by ModemManager.
+# Fixes issue with hanging references to /dev/ttyACM* devices on Ubuntu 15.04.
+# ATTRS{idVendor}=="239a", ENV{ID_MM_DEVICE_IGNORE}="1"
+
+# Adafruit feather 32u4
+SUBSYSTEM=="tty", ATTRS{idVendor}=="239a", ATTRS{idProduct}=="800c", TAG+="uaccess"
+
+# Adafruit feather32 usb-serial interface (Silicon Labs CP2104)
+SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", TAG+="uaccess"

externals/rules/cm-rgb.nix

@@ -0,0 +1,7 @@
+{ writeTextFile }:
+
+writeTextFile {
+  name = "cm-rgb-udev-rules";
+  text = builtins.readFile ./cm-rgb.rules;
+  destination = "/etc/udev/rules.d/60-cm-rgb.rules";
+}

externals/rules/cm-rgb.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="2516", ATTR{idProduct}=="0051", TAG+="uaccess", TAG+="udev-acl"

externals/rules/fpga.nix

@@ -0,0 +1,7 @@
+{ writeTextFile }:
+
+writeTextFile {
+  name = "fpga-udev-rules";
+  text = builtins.readFile ./fpga.rules;
+  destination = "/etc/udev/rules.d/71-fpga.rules";
+}

externals/rules/fpga.rules

@@ -0,0 +1,3 @@
+
+# TinyFPGA Bx
+SUBSYSTEM=="tty", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="6130", TAG+="uaccess"

externals/rules/limesuite.nix

@@ -0,0 +1,7 @@
+{ writeTextFile }:
+
+writeTextFile {
+  name = "limesuite-udev-rules";
+  text = builtins.readFile ./limesuite.rules;
+  destination = "/etc/udev/rules.d/64-limesuite.rules";
+}

externals/rules/limesuite.rules

@@ -0,0 +1,7 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="04b4", ATTR{idProduct}=="8613", SYMLINK+="stream-%k", MODE="666"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04b4", ATTR{idProduct}=="00f1", SYMLINK+="stream-%k", MODE="666"
+SUBSYSTEM=="usb", ATTR{idVendor}=="0403", ATTR{idProduct}=="601f", SYMLINK+="stream-%k", MODE="666"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1d50", ATTR{idProduct}=="6108", SYMLINK+="stream-%k", MODE="666"
+SUBSYSTEM=="xillybus", MODE="666", OPTIONS="last_rule"
+
+SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0666", SYMLINK+="serial"

externals/rules/uhk.nix

@@ -0,0 +1,7 @@
+{ writeTextFile }:
+
+writeTextFile {
+  name = "uhk-udev-rules";
+  text = builtins.readFile ./uhk.rules;
+  destination = "/etc/udev/rules.d/69-uhk.rules";
+}

externals/rules/uhk.rules

@@ -0,0 +1,6 @@
+# Ultimate Hacking Keyboard rules
+# These are the udev rules for accessing the USB interfaces of the UHK as non-root users.
+# Copy this file to /etc/udev/rules.d and physically reconnect the UHK afterwards.
+SUBSYSTEM=="input", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="612[0-7]", GROUP="input", MODE="0660"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="612[0-7]", TAG+="uaccess"
+KERNEL=="hidraw*", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="612[0-7]", TAG+="uaccess"

fonts.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+  fonts = {
+    enableDefaultFonts = true;
+    fonts = with pkgs; [
+      cantarell-fonts
+      corefonts
+      dejavu_fonts
+      fira-code
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-emoji
+      noto-fonts-extra
+      source-code-pro
+      source-sans-pro
+    ];
+  };
+}

hardware-configuration.nix

@@ -0,0 +1,51 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aca21111-a488-4bc7-90a7-e61517c24818";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/aca21111-a488-4bc7-90a7-e61517c24818";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1AC2-9317";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/aca21111-a488-4bc7-90a7-e61517c24818";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/ba796824-5165-4a95-87c2-1fb49a449138";
+      fsType = "btrfs";
+    };
+
+  boot.initrd.luks.devices."data".device = "/dev/disk/by-uuid/3de20c8e-2c31-491a-a8cc-fea4762e8601";
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b134fecf-719f-45af-b317-001e413f06c4"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 16;
+}

packages.nix

@@ -0,0 +1,248 @@
+{ config, pkgs, ... }:
+
+let
+  llvm = pkgs.llvmPackages_10;
+  go = pkgs.go_1_14;
+  unwrappedFirefox = pkgs.firefox-bin-unwrapped.override { systemLocale = "de-DE"; };
+  fullFirefox = (pkgs.wrapFirefox unwrappedFirefox {
+    browserName = "firefox";
+    desktopName = "Firefox";
+    gdkWayland = true;
+    pname = "firefox-bin";
+  });
+in
+  {
+    environment.systemPackages = (with pkgs; [
+    # Audiovisual
+    audacity
+    darktable
+    ffmpeg-full
+    flac
+    gimp
+    lame
+    mpv
+    opusTools
+    pamixer
+    pavucontrol
+    sox
+    vlc_qt5
+    youtubeDL
+
+    # Drawing and art
+    krita
+    xournal
+    xournalpp
+
+    # Books
+    calibre
+
+    # Emulation
+    mgba
+    mupen64plus
+
+    # Wine and tools
+    cabextract
+    samba
+    wineWowPackages.staging
+    winetricks
+
+    # Virtualization
+    docker-compose
+    gnome3.gnome-boxes
+    qemu
+
+    # Linux tools
+    cachix
+    dmidecode
+    exfat
+    gparted
+    hdparm
+    iptables
+    krb5
+    lm_sensors
+    manpages
+    nethogs
+    ntfs3g
+    parted
+    pinentry-gtk2 # needed for tomb
+    powertop
+    psmisc
+    sbsigntool
+    udftools
+    xorg.xeyes
+    xorg.xkill
+
+    # Wayland tools
+    dex
+    glib
+    grim
+    imagemagick
+    mako
+    polkit_gnome
+    slurp
+    wf-recorder
+    wl-clipboard
+    wofi
+    xdg-user-dirs
+    xdg_utils
+    xsettingsd
+
+    # Useful CLI tools
+    appimage-run
+    bat
+    bind
+    borgbackup
+    file
+    git-lfs
+    gitAndTools.gitFull
+    htop
+    hunspell
+    iw
+    jq
+    libarchive
+    lsof
+    mercurialFull
+    neovim
+    nix-index
+    openssl
+    parallel
+    p7zip
+    pandoc
+    pciutils
+    pdftk
+    poppler_utils
+    ripgrep
+    rlwrap
+    subversion
+    tmux
+    tomb
+    traceroute
+    tree
+    unzip
+    usbutils
+    xclip
+    xxd
+    zip
+    
+    # Networking
+    curlFull
+    httpie
+    iodine
+    megatools
+    mosh
+    sshfs
+    sshuttle
+    transmission-gtk
+    transmission-remote-gtk
+    wget
+
+    # Development
+    arduino
+    binutils-unwrapped
+    ccache
+    clang-tools
+    cmake
+    conda
+    gcc9
+    gdb
+    gnumake
+    go
+    jetbrains.clion
+    llvm.clang
+    llvm.lld
+    nasm
+    patchelf
+    rr
+    rustup
+    valgrind
+    vscode
+
+    # Hardware
+    arachne-pnr
+    eagle
+    icestorm
+    kicad
+    nextpnr
+    tinyprog
+    verilator
+    verilog
+    yosys
+
+    # Radio
+    gr-limesdr
+    limesuite
+    gnuradio
+    soapysdr
+    gqrx
+
+    # Hacking tools
+    aircrack-ng
+    fusee-launcher
+    ghidra-bin
+    insomnia
+    ncat
+    pcsctools
+    pwndbg
+    python37Packages.binwalk-full
+    python37Packages.shodan
+
+    # Security
+    (pass.withExtensions (exts: [ exts.pass-otp ]))
+    _1password
+    keybase-gui
+    wireguard
+    yubikey-manager
+    yubioath-desktop
+
+    # Syncing
+    dropbox
+    syncthing-cli
+    syncthing-gtk
+
+    # GUI tools
+    evince
+    gnome3.eog
+    gnome3.gnome-system-monitor
+    googleearth
+    kitty
+    libreoffice-fresh
+    zathura
+
+    # Web
+    fullFirefox
+    google-chrome
+    tor-browser-bundle-bin
+
+    # Communication
+    discord
+    signal-desktop
+    slack
+    tdesktop
+
+    # Gnome configuration
+    arc-theme
+    gnome3.adwaita-icon-theme
+    gnome3.gnome-tweak-tool
+    gnomeExtensions.appindicator
+    hicolor-icon-theme
+    numix-icon-theme
+    numix-icon-theme-circle
+
+    # Games
+    multimc
+    steam
+    steam-run
+
+    # Game dependencies
+    gnome3.zenity # Steam requires zenity
+    SDL2 SDL2_ttf SDL2_image
+
+    # Debug info
+    wayland.debug
+
+    # Dictionaries
+  ]) ++ (with pkgs.hunspellDicts; [
+    en-us-large
+    de_DE
+  ]);
+}

private

@@ -0,0 +1 @@
+Subproject commit c0f1bdfa6fd98e0c74e6247d6e0c0238cbc29fb2

ssh.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+  };
+  # users.users.artemis.openssh.authorizedKeys.keys set in private
+}