nixdots/hosts/herugrim/default.nix

{
  lib,
  pkgs,
  ...
}: {
  imports = [
    ./hardware-configuration.nix
  ];

  boot.supportedFilesystems = ["btrfs"];

  # My flake disables this by default for security reasons. However,
  # with an encrypted setup, which requires entering password before
  # booting anyways, this is not a security concern, and changing the
  # kernel params can be useful for debugging.
  boot.loader.systemd-boot.editor = true;

  nix.settings = {
    max-jobs = 6;
    cores = 6;
  };

  # NixOS release from which this machine was first installed.
  # (for stateful data, like file locations and db versions)
  # Leave this alone!
  system.stateVersion = lib.mkForce "23.11";

  services.openssh.settings.PasswordAuthentication = lib.mkForce true;

  myOptions = {
    system = {
      hostname = "herugrim";
      username = "itsdrike";

      sound.enable = true;

      impermanence = {
        root = {
          enable = true;
          # Some people use /nix/persist/system for this, leaving persistent files in /nix subvolume
          # I much prefer using a standalone subvolume for this though.
          persistentMountPoint = "/persist";
        };

        # Configure automatic root subvolume wiping on boot from initrd
        autoWipeBtrfs = {
          enable = true;
          devices."/dev/disk/by-label/NIXROOT".subvolumes = ["root"];
        };
      };

      boot = {
        secure-boot.enable = true;
        tmpOnTmpfs = true;
      };
    };

    device = {
      roles = {
        type = "laptop";
        virtual-machine = false;
      };
      cpu.type = "amd";
      gpu.type = "hybrid-nvidia";
      hasTPM = true;
      bluetooth.enable = true;
    };

    security = {
      auditd = {
        enable = true;
        autoPrune.enable = true;
      };
    };

    workstation = {
      printing.enable = true;
    };

    home-manager = {
      enable = true;
      stateVersion = "23.11";

      git = {
        userName = "ItsDrike";
        userEmail = "itsdrike@protonmail.com";
        signing = {
          enable = true;
          key = "FA2745890B7048C0";
        };
      };

      wms.hyprland = {
        enable = true;
        monitor = [
          "eDP-1, 1920x1080@60, 0x0, 1"
        ];
      };

      programs = {
        browsers = {
          chromium.enable = true;
          firefox.enable = true;
          mullvad-browser.enable = true;
          schizofox.enable = true;
        };
        applications = {
          spotify.enable = true;
        };
      };
    };
  };
}
Add herogrim host 2024-04-07 12:38:24 +00:00			`{`
Run alejandra 2024-07-26 23:07:07 +00:00			`lib,`
			`pkgs,`
			`...`
			`}: {`
Add herogrim host 2024-04-07 12:38:24 +00:00			`imports = [`
			`./hardware-configuration.nix`
			`];`

Run alejandra 2024-07-26 23:07:07 +00:00			`boot.supportedFilesystems = ["btrfs"];`
Add herogrim host 2024-04-07 12:38:24 +00:00
Update boot options 2024-04-12 18:57:52 +00:00			`# My flake disables this by default for security reasons. However,`
			`# with an encrypted setup, which requires entering password before`
			`# booting anyways, this is not a security concern, and changing the`
			`# kernel params can be useful for debugging.`
			`boot.loader.systemd-boot.editor = true;`

Add herogrim host 2024-04-07 12:38:24 +00:00			`nix.settings = {`
			`max-jobs = 6;`
			`cores = 6;`
			`};`

			`# NixOS release from which this machine was first installed.`
			`# (for stateful data, like file locations and db versions)`
			`# Leave this alone!`
			`system.stateVersion = lib.mkForce "23.11";`

			`services.openssh.settings.PasswordAuthentication = lib.mkForce true;`

			`myOptions = {`
			`system = {`
			`hostname = "herugrim";`
			`username = "itsdrike";`
Add impermanence config 2024-04-07 16:28:15 +00:00
Add sound support 2024-05-15 19:24:55 +00:00			`sound.enable = true;`

Rework (and fix) impermanence 2024-04-07 22:36:02 +00:00			`impermanence = {`
			`root = {`
			`enable = true;`
			`# Some people use /nix/persist/system for this, leaving persistent files in /nix subvolume`
			`# I much prefer using a standalone subvolume for this though.`
			`persistentMountPoint = "/persist";`
			`};`

Add impermanence config 2024-04-07 16:28:15 +00:00			`# Configure automatic root subvolume wiping on boot from initrd`
Rework (and fix) impermanence 2024-04-07 22:36:02 +00:00			`autoWipeBtrfs = {`
			`enable = true;`
Run alejandra 2024-07-26 23:07:07 +00:00			`devices."/dev/disk/by-label/NIXROOT".subvolumes = ["root"];`
Add impermanence config 2024-04-07 16:28:15 +00:00			`};`
			`};`
Add secure-boot 2024-04-12 16:25:26 +00:00
Update boot options 2024-04-12 18:57:52 +00:00			`boot = {`
			`secure-boot.enable = true;`
			`tmpOnTmpfs = true;`
			`};`
Add herogrim host 2024-04-07 12:38:24 +00:00			`};`
Add impermanence config 2024-04-07 16:28:15 +00:00
Add herogrim host 2024-04-07 12:38:24 +00:00			`device = {`
Add workstation-specific settings 2024-04-13 18:10:01 +00:00			`roles = {`
			`type = "laptop";`
			`virtual-machine = false;`
			`};`
Fix mistake in cpu type of herugrim host 2024-06-10 11:53:12 +00:00			`cpu.type = "amd";`
Fix nvidia on hybrid setups 2024-06-10 11:54:03 +00:00			`gpu.type = "hybrid-nvidia";`
Enable TPM 2024-04-12 19:38:05 +00:00			`hasTPM = true;`
Update bluetooth config 2024-06-23 22:27:54 +00:00			`bluetooth.enable = true;`
Add herogrim host 2024-04-07 12:38:24 +00:00			`};`
Add impermanence config 2024-04-07 16:28:15 +00:00
Add auditd 2024-04-15 20:47:54 +00:00			`security = {`
			`auditd = {`
			`enable = true;`
			`autoPrune.enable = true;`
			`};`
			`};`

Actually enforce the roles 2024-04-13 19:15:25 +00:00			`workstation = {`
			`printing.enable = true;`
			`};`

Add herogrim host 2024-04-07 12:38:24 +00:00			`home-manager = {`
Update options 2024-04-07 14:54:36 +00:00			`enable = true;`
Add herogrim host 2024-04-07 12:38:24 +00:00			`stateVersion = "23.11";`
Add options for enabling launcher programs 2024-06-10 18:06:57 +00:00
Add herogrim host 2024-04-07 12:38:24 +00:00			`git = {`
			`userName = "ItsDrike";`
			`userEmail = "itsdrike@protonmail.com";`
			`signing = {`
Rename git.signing.enabled to enable 2024-04-16 09:55:53 +00:00			`enable = true;`
Add herogrim host 2024-04-07 12:38:24 +00:00			`key = "FA2745890B7048C0";`
			`};`
			`};`
Add options for enabling launcher programs 2024-06-10 18:06:57 +00:00
Allow specifying monitors from os config 2024-06-09 21:08:39 +00:00			`wms.hyprland = {`
			`enable = true;`
			`monitor = [`
			`"eDP-1, 1920x1080@60, 0x0, 1"`
			`];`
			`};`
Add spotify+spicetify 2024-06-10 19:58:06 +00:00
			`programs = {`
Add chromium 2024-06-10 20:16:34 +00:00			`browsers = {`
			`chromium.enable = true;`
Add firefox browser 2024-06-20 12:15:29 +00:00			`firefox.enable = true;`
Add mullvad browser 2024-06-10 20:22:16 +00:00			`mullvad-browser.enable = true;`
Add schizofox 2024-06-10 21:01:31 +00:00			`schizofox.enable = true;`
Add chromium 2024-06-10 20:16:34 +00:00			`};`
Group app programs options 2024-06-21 09:41:29 +00:00			`applications = {`
			`spotify.enable = true;`
			`};`
Add spotify+spicetify 2024-06-10 19:58:06 +00:00			`};`
Add herogrim host 2024-04-07 12:38:24 +00:00			`};`
			`};`
			`}`