dotfiles/nixos/dustbowl.nix

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ emacs-overlay, nixpkgs }:
{ config, lib, pkgs, ... }:
{
# Additional modules merged into this system configuration.
imports = [
  # Output of the hardware scan. The absolute path lives outside this
  # repository, so its contents are neither versioned nor reviewed together
  # with this file (and, when evaluated from a flake, an absolute path
  # requires impure evaluation).
  /etc/nixos/hardware-configuration.nix
  # NOTE(review): presumably binary-cache (Cachix) settings; the file is not
  # shown here. Every substituter and public key it adds is trusted to
  # deliver prebuilt store paths, so keep that list short and reviewed.
  ./cachix.nix
];
# Permit packages with unfree licences (this file enables Steam and uses the
# HPLIP binary plugin further down).
nixpkgs.config.allowUnfree = true;

# Nix itself, written as individual option paths.
nix.package = pkgs.nixFlakes;
# Extra nix.conf lines: enable the flake CLI and let remote builders fetch
# dependencies from substituters themselves.
nix.extraOptions = ''
  experimental-features = nix-command flakes
  builders-use-substitutes = true
'';
# Remote building is switched on; no nix.buildMachines are declared in this
# file, so the builder list (and its SSH trust) is configured elsewhere.
nix.distributedBuilds = true;
# Point the `nixpkgs` registry entry at the nixpkgs input handed to this
# module, so registry lookups resolve to the same revision the system is
# built from.
nix.registry.nixpkgs.flake = nixpkgs;
# Pin the kernel series.
boot.kernelPackages = pkgs.linuxPackages_5_15;

# Boot loader: GRUB 2 in EFI mode; systemd-boot stays disabled.
# boot.loader.systemd-boot.enable = true;
boot.loader = {
  efi = {
    # Allow the installer to write boot entries into firmware NVRAM.
    canTouchEfiVariables = true;
    efiSysMountPoint = "/boot/efi";
  };
  grub = {
    enable = true;
    version = 2;
    # "nodev": no boot-sector install; with efiSupport GRUB is placed on the
    # EFI system partition instead.
    device = "nodev";
    efiSupport = true;
    # GRUB gets cryptodisk support so it can open an encrypted volume to read
    # its files (presumably /boot lives on the LUKS volume below).
    # NOTE(review): the EFI system partition itself stays unencrypted, and
    # nothing in this file sets up verification of the GRUB image stored
    # there -- confirm whether boot-chain integrity is handled elsewhere.
    enableCryptodisk = true;
  };
};

# Encrypted root, opened in the initrd before LVM volumes are activated.
boot.initrd.luks.devices.root = {
  device = "/dev/disk/by-uuid/70c16b36-14b6-4939-9fc9-210774614e72";
  preLVM = true;
};

# v4l2loopback is taken from the selected kernel package set and loaded at boot.
boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
boot.kernelModules = [ "v4l2loopback" ];

# For Focusrite Scarlett 2i2
# See https://github.com/Focusrite-Scarlett-on-Linux/sound-usb-kernel-module
boot.extraModprobeConfig = ''
  options snd_usb_audio vid=0x1235 pid=0x8210 device_setup=1
'';

# Register QEMU user-mode emulation (binfmt) for 32-bit ARM, AArch64 and
# 64-bit RISC-V, so binaries for these systems run through an emulator.
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" "riscv64-linux" ];
# Firmware updates through fwupd.
services.fwupd.enable = true;

networking.hostName = "dustbowl";
# Wi-Fi via wpa_supplicant, limited to the one wireless interface.
networking.wireless = {
  enable = true;
  interfaces = [ "wlp2s0" ];
};
networking.wireguard.enable = true;
# "loose" reverse-path filtering accepts a packet when its source address is
# routable over any interface, not only the one it arrived on. This weakens
# anti-spoofing compared with the strict setting.
# NOTE(review): presumably relaxed for the WireGuard routing enabled above --
# confirm it is still needed.
networking.firewall.checkReversePath = "loose";
# The global useDHCP flag is deprecated, so it is set to false explicitly and
# DHCP is enabled per interface instead.
networking.useDHCP = false;
networking.interfaces.wlp2s0.useDHCP = true;

# TeleSec root certificate placed under /etc for eduroam. fetchurl fails the
# build unless the download matches sha256, so the hash (not the HTTPS
# connection) is what pins this trust anchor: check the certificate's
# fingerprint out of band whenever the hash is updated. This only installs
# the PEM file; it does not add it to the system CA bundle.
environment.etc."ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem".source = pkgs.fetchurl {
  url = "https://www.pki.dfn.de/fileadmin/PKI/zertifikate/T-TeleSec_GlobalRoot_Class_2.pem";
  sha256 = "0if8aqd06sid7a0vw009zpa087wxcgdd2x6z2zs4pis5kvyqj2dk";
};
# services.dnscrypt-proxy2 = {
# enable = true;
# settings = {
# require_nolog = true;
# require_nofilter = true;
# sources.public-resolvers = {
# urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
# cache_file = "public-resolvers.md";
# minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
# refresh_delay = 72;
# };
# };
# };
# udev rules shipped by these packages are installed system-wide.
# NOTE(review): rules of this kind usually widen access to the matching USB
# devices for non-root users -- check what each package's rules grant.
services.udev.packages = [ pkgs.yubikey-personalization pkgs.openrgb ];

# Virtual console font and German keyboard layout.
console.font = "Lat2-Terminus16";
console.keyMap = "de";

# Default locale.
i18n.defaultLocale = "en_US.UTF-8";

# System-wide location (e.g. for redshift). The wlsunset user service in this
# file passes its own coordinates and does not read these values.
location.latitude = 1.3766;
location.longitude = 103.8160;
# Packages on every user's PATH, grouped by purpose (list order unchanged).
environment.systemPackages = with pkgs; [
  # General command-line utilities
  ntfs3g file usbutils pciutils calc wget unzip zip psmisc htop
  # Editors and version control
  vim vis git
  # Sandboxing, VPN client and YubiKey tooling
  bubblewrap openconnect yubikey-personalization yubico-pam
  # Network diagnostics
  nmap bind.dnsutils
  # Hardware control, debugging and profiling. perf comes from the configured
  # kernel package set. The intel_gpu_top installed here carries no file
  # capabilities; the privileged copy is the security.wrappers entry.
  openrgb gdb intel-gpu-tools config.boot.kernelPackages.perf
  # Search, JSON, git and file-transfer helpers
  fd ripgrep jq fzf tig croc
  # GTK theme
  gnome.adwaita-icon-theme
  # Wayland setup
  grim slurp wl-clipboard mako foot xdg-utils i3status wlr-randr
  # GUI software
  emacsPgtk firefox thunderbird mpv zathura imv pavucontrol xournalpp
  libreoffice okular
];
# Privilege escalation goes through doas; sudo is switched off.
security.sudo.enable = false;
security.doas.enable = true;
security.doas.extraRules = [
  {
    # Applies to members of wheel. No `cmd` or `runAs` restriction is given,
    # so the rule covers any command as any target user.
    groups = [ "wheel" ];
    # After one successful authentication, later invocations are not
    # prompted again for a limited time.
    persist = true;
    # The caller's entire environment is handed to the privileged command.
    # NOTE(review): caller-controlled variables then reach processes running
    # as root; if only a few variables are needed, prefer listing them with
    # `setEnv` and dropping keepEnv.
    keepEnv = true;
  }
];

# Wrapper binaries that carry file capabilities instead of running as root.
# "=ip" puts CAP_PERFMON in the inheritable and permitted sets, "=p" in the
# permitted set only.
# NOTE(review): no `permissions` is set, so the module default decides who
# may execute these wrappers. If that is world-executable, every local user
# obtains CAP_PERFMON through them; tighten `group`/`permissions` if only
# some accounts need profiling access.
security.wrappers = {
  rr = {
    owner = "root";
    group = "root";
    capabilities = "cap_perfmon=ip";
    source = "${pkgs.rr}/bin/rr";
  };
  intel_gpu_top = {
    owner = "root";
    group = "root";
    capabilities = "cap_perfmon=p";
    source = "${pkgs.intel-gpu-tools}/bin/intel_gpu_top";
  };
};
# GnuPG agent and the fish shell.
programs.gnupg.agent.enable = true;
programs.fish.enable = true;
# Steam (unfree; relies on nixpkgs.config.allowUnfree).
programs.steam.enable = true;

# Replace firefox with a build that forces native Wayland.
nixpkgs.config.packageOverrides = prev: {
  firefox = prev.firefox.override { forceWayland = true; };
};

# Overlay from the emacs-overlay input passed to this module. An overlay can
# add or replace any package, so what ends up on the system depends on the
# revision the caller pins for that input (not visible in this file).
nixpkgs.overlays = [ emacs-overlay.overlay ];
# Accept inbound connections to port 8080 over TCP and UDP. These options are
# not scoped to an interface, so the port is reachable on every network the
# machine joins, including Wi-Fi.
# NOTE(review): no service in this file is declared to listen on 8080.
# Record what needs it, drop the protocol that is unused, or scope the rule
# with networking.firewall.interfaces.<name>.allowedTCPPorts.
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedUDPPorts = [ 8080 ];

# CUPS printing with the HPLIP driver including its binary plugin.
services.printing = {
  enable = true;
  drivers = [ pkgs.hplipWithPlugin ];
};

# Scanning through SANE: Brother brscan4 plus the HPLIP backend.
hardware.sane.enable = true;
hardware.sane.brscan4.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
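# User service that runs wlsunset for the lifetime of the graphical session
# and restarts it three seconds after any exit.
systemd.user.services.wlsunset = {
  description = "wlsunset colour temperature adjuster";
  wantedBy = [ "graphical-session.target" ];
  partOf = [ "graphical-session.target" ];
  serviceConfig = {
    # -l / -L: latitude / longitude, -t: low colour temperature.
    # The command is kept on a single line: a multi-line value depends on
    # backslash continuations in the generated unit, and a continuation left
    # dangling after the last argument can swallow whatever line follows it.
    # These coordinates are hard-coded and independent of the `location`
    # option set elsewhere in this file.
    ExecStart = "${pkgs.wlsunset}/bin/wlsunset -l 49.5 -L 8.4 -t 2000";
    RestartSec = 3;
    Restart = "always";
  };
};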
# Hardware
# Sound
sound.enable = true;

# Bluetooth
hardware.bluetooth.enable = true;
# Override the unit's start command. The empty first entry clears the
# ExecStart inherited from the packaged unit; the second starts bluetoothd
# with the given config file and -E (experimental interfaces).
# NOTE(review): -E turns on interfaces BlueZ marks as experimental in the
# Bluetooth daemon -- keep it only while a feature actually needs it.
systemd.services.bluetooth.serviceConfig.ExecStart =
  let
    daemon = "${config.hardware.bluetooth.package}/libexec/bluetooth/bluetoothd";
    daemonArgs = lib.escapeShellArgs [ "-f" "/etc/bluetooth/main.conf" "-E" ];
  in
  lib.mkForce [ "" "${daemon} ${daemonArgs}" ];

# UPower
services.upower.enable = true;
# RealtimeKit
security.rtkit.enable = true;
# Video acceleration (VA-API driver for Intel GPUs)
hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];

# PipeWire with ALSA (including 32-bit clients) and PulseAudio compatibility.
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;

# Sway and the wlroots desktop portal.
programs.sway.enable = true;
xdg.portal.enable = true;
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-wlr ];
# Installed font packages.
fonts.fonts = [
  pkgs.fira-code
  pkgs.noto-fonts
  pkgs.noto-fonts-emoji
  pkgs.noto-fonts-extra
];

# Default family for each generic font class.
fonts.fontconfig.enable = true;
fonts.fontconfig.defaultFonts.emoji = [ "Noto Color Emoji" ];
fonts.fontconfig.defaultFonts.monospace = [ "Fira Code" ];
fonts.fontconfig.defaultFonts.sansSerif = [ "Noto Sans" ];
# libvirt daemon for virtual machines.
virtualisation.libvirtd.enable = true;

# Primary account.
users.users.joachim.isNormalUser = true;
users.users.joachim.home = "/home/joachim";
users.users.joachim.shell = pkgs.fish;
# Group membership is where this account's privileges come from:
#  - wheel: matched by the doas rule in this file.
#  - libvirtd: access to the system libvirt daemon, which is commonly
#    treated as equivalent to root on the host.
#  - scanner: scanner device access.
#  - adbusers: NOTE(review): nothing in this file enables the adb module
#    that would create this group -- confirm it exists.
users.users.joachim.extraGroups = [ "wheel" "scanner" "libvirtd" "adbusers" ];

# YubiKey PAM module in challenge-response mode.
# NOTE(review): `control` is not set, so the module default applies. In
# nixpkgs this default has been "sufficient", meaning a successful YubiKey
# response is accepted on its own; set control = "required" if the key is
# meant as a second factor on top of the password. Confirm against the
# pinned nixpkgs.
security.pam.yubico.enable = true;
security.pam.yubico.mode = "challenge-response";

# NixOS release this system's stateful data is compatible with. Change it
# only when the release notes say so; it is not the version being installed.
system.stateVersion = "20.03"; # Did you read the comment?
}