Kieran's opinionated (and probably slightly dumb) nix config
dunkirk.sh
1# This is your system's configuration file.
2# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
3{
4 inputs,
5 lib,
6 config,
7 pkgs,
8 ...
9}:
10{
11 imports = [
12 inputs.hardware.nixosModules.framework-11th-gen-intel
13
14 ./hardware-configuration.nix
15 ./home-manager.nix
16 ./disk-config.nix
17
18 (inputs.import-tree ../../modules)
19 ];
20
21 nixpkgs = {
22 config = {
23 allowUnfree = true;
24 };
25 };
26
27 nix =
28 let
29 flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
30 in
31 {
32 settings = {
33 # Enable flakes and new 'nix' command
34 experimental-features = "nix-command flakes";
35 # Opinionated: disable global registry
36 flake-registry = "";
37 # Workaround for https://github.com/NixOS/nix/issues/9574
38 nix-path = config.nix.nixPath;
39 trusted-users = [
40 "kierank"
41 ];
42 };
43 # Opinionated: disable channels
44 channel.enable = false;
45
46 optimise.automatic = true;
47
48 # Opinionated: make flake registry and nix path match flake inputs
49 registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
50 nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
51 };
52
53 time.timeZone = "America/New_York";
54
55 # grouped for readability
56 environment.systemPackages = map lib.lowPrio (
57 let
58 core = [
59 pkgs.coreutils
60 pkgs.calc
61 pkgs.screen
62 pkgs.xdg-user-dirs
63 pkgs.libnotify
64 pkgs.notify-desktop
65 pkgs.bc
66 pkgs.jq
67 pkgs.psmisc
68 ];
69 terminals = [
70 pkgs.alacritty
71 inputs.ghostty.packages.x86_64-linux.default
72 ];
73 cli_utils = [
74 pkgs.bat
75 pkgs.fd
76 pkgs.eza
77 pkgs.xh
78 pkgs.dust
79 pkgs.ripgrep
80 pkgs.ripgrep-all
81 pkgs.glow
82 pkgs.gitui
83 pkgs.lazygit
84 pkgs.clipse
85 pkgs.direnv
86 pkgs.nix-output-monitor
87 pkgs.nixpkgs-review
88 pkgs.nix-prefetch
89 pkgs.arduino-cli
90 pkgs.zsh
91 pkgs.starship
92 pkgs.gum
93 pkgs.unstable.wakatime-cli
94 inputs.terminal-wakatime.packages.x86_64-linux.default
95 ];
96 networking = [
97 pkgs.curl
98 pkgs.wget
99 pkgs.dogdns
100 pkgs.inetutils
101 pkgs.mosh
102 pkgs.ngrok
103 pkgs.networkmanagerapplet
104 pkgs.networkmanager-iodine
105 pkgs.iodine
106 ];
107 nix_tools = [
108 inputs.nixvim.packages.x86_64-linux.default
109 pkgs.nixd
110 pkgs.nil
111 pkgs.nixfmt-rfc-style
112 inputs.agenix.packages.x86_64-linux.default
113 ];
114 security = [
115 pkgs.openssl
116 pkgs.gpgme
117 pkgs.gnupg
118 pkgs.unstable.mitmproxy
119 pkgs.caido
120 ];
121 editors = [
122 inputs.zed.packages.x86_64-linux.default
123 pkgs.unstable.zed-editor
124 pkgs.arduino-ide
125 ];
126 browsers = [
127 pkgs.firefox
128 (pkgs.chromium.override { enableWideVine = true; })
129 ];
130 wayland = [
131 pkgs.swww
132 pkgs.wluma
133 pkgs.brightnessctl
134 pkgs.hyprpaper
135 pkgs.hyprsunset
136 pkgs.wl-clipboard
137 pkgs.grim
138 pkgs.slurp
139 pkgs.wtype
140 pkgs.mako
141 pkgs.unstable.hyprpicker
142 pkgs.wl-screenrec
143 inputs.hyprland-contrib.packages.${pkgs.system}.grimblast
144 pkgs.playerctl
145 pkgs.libnotify
146 pkgs.notify-desktop
147 pkgs.lxde.lxsession
148 ];
149 gnome = [
150 pkgs.gnome-online-accounts
151 pkgs.gnome-online-accounts-gtk
152 pkgs.gnome-disk-utility
153 pkgs.baobab
154 pkgs.simple-scan
155 pkgs.file-roller
156 pkgs.font-manager
157 pkgs.nautilus
158 pkgs.loupe
159 pkgs.totem
160 pkgs.overskride
161 ];
162 dev_langs = [
163 pkgs.nodejs_22
164 pkgs.unstable.bun
165 pkgs.python3
166 pkgs.go
167 pkgs.gopls
168 pkgs.gotools
169 pkgs.go-tools
170 pkgs.gcc
171 pkgs.rustc
172 pkgs.cargo
173 pkgs.jdk23
174 pkgs.ruby
175 pkgs.cmake
176 pkgs.unstable.biome
177 pkgs.unstable.apktool
178 pkgs.nodePackages_latest.prisma
179 pkgs.unstable.zola
180 ];
181 media = [
182 pkgs.ffmpeg
183 pkgs.video-trimmer
184 pkgs.pitivi
185 pkgs.audacity
186 pkgs.unstable.amberol
187 pkgs.zoom-us
188 ];
189 graphics = [
190 pkgs.imagemagick
191 pkgs.inkscape
192 pkgs.blender
193 pkgs.exiftool
194 pkgs.unstable.aseprite
195 pkgs.godot_4
196 pkgs.unstable.kikit
197 pkgs.openboardview
198 pkgs.bambu-studio
199 pkgs.unstable.orca-slicer
200 pkgs.qflipper
201 ];
202 office = [
203 pkgs.slack
204 pkgs.libreoffice
205 pkgs.unstable.zotero
206 ];
207 gaming = [
208 pkgs.prismlauncher
209 pkgs.vesktop
210 pkgs.cava
211 pkgs.gobang
212 pkgs.love
213 ];
214 frc = [
215 inputs.frc-nix.packages.${pkgs.system}.elastic-dashboard
216 inputs.frc-nix.packages.${pkgs.system}.pathplanner
217 inputs.frc-nix.packages.${pkgs.system}.roborioteamnumbersetter
218 inputs.frc-nix.packages.${pkgs.system}.sysid
219 inputs.frc-nix.packages.${pkgs.system}.wpilib-utility
220 inputs.frc-nix.packages.${pkgs.system}.advantagescope
221 ];
222 misc = [
223 pkgs.invoice
224 pkgs.pop
225 pkgs.vhs
226 pkgs.torrential
227 inputs.flare.packages.x86_64-linux.default
228 pkgs.unstable.ollama
229 pkgs.unstable.claude-code
230 pkgs.udiskie
231 pkgs.neofetch
232 pkgs.unstable.kicad-testing
233 pkgs.zenity
234 ];
235 in
236 core
237 ++ terminals
238 ++ cli_utils
239 ++ networking
240 ++ nix_tools
241 ++ security
242 ++ editors
243 ++ browsers
244 ++ wayland
245 ++ gnome
246 ++ dev_langs
247 ++ media
248 ++ graphics
249 ++ office
250 ++ gaming
251 ++ frc
252 ++ misc
253 );
254
255 programs.nh = {
256 enable = true;
257 clean.enable = true;
258 clean.extraArgs = "--keep-since 4d --keep 3";
259 flake = "/home/kierank/dots";
260 };
261
262 fonts.packages =
263 with pkgs;
264 [
265 fira
266 comic-neue
267 ]
268 ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
269
270 # import the secret
271 age.identityPaths = [
272 "/home/kierank/.ssh/id_rsa"
273 "/etc/ssh/id_rsa"
274 "/mnt/etc/ssh/id_rsa"
275 ];
276 age.secrets = {
277 wifi = {
278 file = ../../../secrets/wifi.age;
279 owner = "kierank";
280 };
281 resend = {
282 file = ../../../secrets/resend.age;
283 owner = "kierank";
284 };
285 wakatime = {
286 file = ../../../secrets/wakatime.age;
287 path = "/home/kierank/.wakatime.cfg";
288 owner = "kierank";
289 };
290 bluesky = {
291 file = ../../../secrets/bluesky.age;
292 owner = "kierank";
293 };
294 iodine = {
295 file = ../../../secrets/iodine.age;
296 owner = "kierank";
297 };
298 };
299
300 environment.sessionVariables = {
301 XDG_CACHE_HOME = "$HOME/.cache";
302 XDG_CONFIG_HOME = "$HOME/.config";
303 XDG_DATA_HOME = "$HOME/.local/share";
304 XDG_STATE_HOME = "$HOME/.local/state";
305 NIXOS_OZONE_WL = "1";
306 PRISMA_QUERY_ENGINE_LIBRARY = "${pkgs.prisma-engines}/lib/libquery_engine.node";
307 PRISMA_QUERY_ENGINE_BINARY = "${pkgs.prisma-engines}/bin/query-engine";
308 PRISMA_SCHEMA_ENGINE_BINARY = "${pkgs.prisma-engines}/bin/schema-engine";
309 RESEND_API_KEY = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.resend.path})";
310 POP_FROM = "me@dunkirk.sh";
311 EDITOR = "nvim";
312 SYSTEMD_EDITOR = "nvim";
313 VISUAL = "nvim";
314 };
315
316 modules = {
317 authentication.enable = true;
318 apps.tuigreet = {
319 enable = true;
320 command = "Hyprland";
321 };
322 network.wifi = {
323 enable = true;
324 hostName = "moonlark";
325 nameservers = [
326 "1.1.1.1"
327 "1.0.0.1"
328 "8.8.8.8"
329 "9.9.9.9"
330 ];
331 envFile = config.age.secrets.wifi.path;
332 profiles = {
333 "KlukasNet".pskVar = "psk_home";
334 "Everseen".pskVar = "psk_hotspot";
335 "SAAC Sanctuary".pskVar = "psk_church";
336 "MVNU-student" = { };
337 "Status Solutions Guest".pskVar = "psk_robotics";
338 "FRC-1317-CECE".psk = "digitalfusion";
339 "1317-fortress-of-awesomeness" = { };
340 "PAST PD".pskVar = "psk_past";
341 "Heartland".psk = "beourguest";
342 "WPL_Public_AccessII" = { };
343 "Yowzaford".pskVar = "psk_rhoda";
344 "cu-events".psk = "freesmile82";
345 "QargoCoffee-Guest".psk = "Lavazza@7";
346 "Fulton".psk = "9064405930";
347 "TP-LINK_ECF0".psk = "ad1066AD!";
348 };
349 };
350 };
351
352 services.iodine.clients = {
353 t1 = {
354 server = "t1.dunkirk.sh";
355 passwordFile = config.age.secrets.iodine.path;
356 };
357 };
358
359 virtualisation = {
360 libvirtd.enable = true;
361 virtualbox = {
362 host.enable = true;
363 host.enableExtensionPack = true;
364 };
365 docker.enable = true;
366 };
367
368 programs.nix-ld.enable = true;
369
370 programs.zsh.enable = true;
371
372 programs.direnv.enable = true;
373
374 # TODO: Configure your system-wide user settings (groups, etc), add more users as needed.
375 users.users = {
376 kierank = {
377 # You can skip setting a root password by passing '--no-root-passwd' to nixos-install.
378 # Be sure to change it (using passwd) after rebooting!
379 initialPassword = "lolzthisaintsecure!";
380 isNormalUser = true;
381 shell = pkgs.zsh;
382 openssh.authorizedKeys.keys = [
383 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzEEjvbL/ttqmYoDjxYQmDIq36BabROJoXgQKeh9liBxApwp+2PmgxROzTg42UrRc9pyrkq5kVfxG5hvkqCinhL1fMiowCSEs2L2/Cwi40g5ZU+QwdcwI8a4969kkI46PyB19RHkxg54OUORiIiso/WHGmqQsP+5wbV0+4riSnxwn/JXN4pmnE//stnyAyoiEZkPvBtwJjKb3Ni9n3eNLNs6gnaXrCtaygEZdebikr9kS2g9mM696HvIFgM6cdR/wZ7DcLbG3IdTXuHN7PC3xxL+Y4ek5iMreQIPmuvs4qslbthPGYoYbYLUQiRa9XO5s/ksIj5Z14f7anHE6cuTQVpvNWdGDOigyIVS5qU+4ZF7j+rifzOXVL48gmcAvw/uV68m5Wl/p0qsC/d8vI3GYwEsWG/EzpAlc07l8BU2LxWgN+d7uwBFaJV9VtmUDs5dcslsh8IbzmtC9gq3OLGjklxTfIl6qPiL8U33oc/UwqzvZUrI2BlbagvIZYy6rP+q0= kierank@mockingjay"
384 ];
385 extraGroups = [
386 "wheel"
387 "networkmanager"
388 "audio"
389 "video"
390 "docker"
391 "plugdev"
392 "input"
393 "dialout"
394 "docker"
395 "libvirtd"
396 "vboxusers"
397 ];
398 };
399 root.openssh.authorizedKeys.keys = [
400 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzEEjvbL/ttqmYoDjxYQmDIq36BabROJoXgQKeh9liBxApwp+2PmgxROzTg42UrRc9pyrkq5kVfxG5hvkqCinhL1fMiowCSEs2L2/Cwi40g5ZU+QwdcwI8a4969kkI46PyB19RHkxg54OUORiIiso/WHGmqQsP+5wbV0+4riSnxwn/JXN4pmnE//stnyAyoiEZkPvBtwJjKb3Ni9n3eNLNs6gnaXrCtaygEZdebikr9kS2g9mM696HvIFgM6cdR/wZ7DcLbG3IdTXuHN7PC3xxL+Y4ek5iMreQIPmuvs4qslbthPGYoYbYLUQiRa9XO5s/ksIj5Z14f7anHE6cuTQVpvNWdGDOigyIVS5qU+4ZF7j+rifzOXVL48gmcAvw/uV68m5Wl/p0qsC/d8vI3GYwEsWG/EzpAlc07l8BU2LxWgN+d7uwBFaJV9VtmUDs5dcslsh8IbzmtC9gq3OLGjklxTfIl6qPiL8U33oc/UwqzvZUrI2BlbagvIZYy6rP+q0= kierank@mockingjay"
401 ];
402 };
403
404 programs.steam = {
405 enable = true;
406 remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
407 dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
408 localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
409 };
410
411 programs.hyprland.enable = true;
412 services.hypridle.enable = true;
413
414 programs.xwayland.enable = lib.mkForce true;
415
416 services.udev.packages = [
417 pkgs.qFlipper
418 pkgs.via
419 ];
420
421 # enable cups
422 services.printing.enable = true;
423 services.avahi = {
424 enable = true;
425 nssmdns4 = true;
426 openFirewall = true;
427 };
428
429 # enable bluetooth
430 hardware.bluetooth.enable = true;
431
432 # enable pipewire
433 # rtkit is optional but recommended
434 security.rtkit.enable = true;
435 services.pipewire = {
436 enable = true;
437 alsa.enable = true;
438 alsa.support32Bit = true;
439 pulse.enable = true;
440 # If you want to use JACK applications, uncomment this
441 jack.enable = true;
442 };
443
444 # This setups a SSH server. Very important if you're setting up a headless system.
445 # Feel free to remove if you don't need it.
446 services.openssh = {
447 enable = true;
448 settings = {
449 # Opinionated: forbid root login through SSH.
450 PermitRootLogin = "no";
451 # Opinionated: use keys only.
452 # Remove if you want to SSH using passwords
453 PasswordAuthentication = false;
454 };
455 };
456
457 networking.firewall = {
458 enable = true;
459 allowedTCPPorts = [
460 4455
461 51820
462 ];
463 allowedUDPPorts = [
464 4455
465 51820
466 ];
467 };
468
469 services.tailscale = {
470 enable = true;
471 useRoutingFeatures = "client";
472 };
473
474 services.devmon.enable = true;
475 services.gvfs.enable = true;
476 services.udisks2.enable = true;
477
478 services.logind.extraConfig = ''
479 # don't shutdown when power button is short-pressed
480 HandlePowerKey=ignore
481 HandlePowerKeyLongPress=poweroff
482 '';
483
484 # Requires at least 5.16 for working wi-fi and bluetooth.
485 # https://community.frame.work/t/using-the-ax210-with-linux-on-the-framework-laptop/1844/89
486 boot = {
487 kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "5.16") (
488 lib.mkDefault pkgs.linuxPackages_latest
489 );
490 loader.grub = {
491 # no need to set devices, disko will add all devices that have a EF02 partition to the list already
492 device = "nodev";
493 efiSupport = true;
494 efiInstallAsRemovable = true;
495 };
496 supportedFilesystems = [ "ntfs" ];
497 extraModprobeConfig = ''
498 options kvm_intel nested=1
499 options kvm_intel emulate_invalid_guest_state=0
500 options kvm ignore_msrs=1
501 '';
502 };
503
504 # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
505 system.stateVersion = "23.05";
506}