# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
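# NixOS system configuration for the laptop "dustbowl".
#
# The outer function takes the pinned `nixpkgs` flake input (used below to
# seed the flake registry); the inner function is the usual NixOS module.
#
# Security-relevant choices in this file, for the reader skimming it:
#   * full-disk encryption (LUKS root, GRUB unlocks it with enableCryptodisk)
#   * doas instead of sudo for the wheel group
#   * setcap wrappers with CAP_PERFMON instead of running profilers as root
#   * Yubikey challenge-response via PAM, TPM2 exposed through the tss group
#   * a host firewall, because this machine roams onto untrusted Wi-Fi
{ nixpkgs }:
{ config, lib, pkgs, ... }:
{
  imports = [
    # Results of the hardware scan (filesystems, initrd modules).
    /etc/nixos/hardware-configuration.nix
    # Not in this repo; presumably holds secrets such as the user's password
    # hash and remote-builder credentials — keep it out of version control.
    /etc/nixos/private.nix
    # Presumably extra binary-cache substituters and their signing keys;
    # anything listed there is trusted to supply store paths.
    ./cachix.nix
  ];

  nixpkgs.config.allowUnfree = true;

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
      builders-use-substitutes = true
    '';
    # Builds may be offloaded to remote builders (the builder list is not in
    # this file). NOTE(review): a remote builder's output is trusted as-is —
    # make sure the builders' SSH host keys are pinned wherever they are
    # declared.
    distributedBuilds = true;
    # Pin `nixpkgs` in the flake registry to the same input this system was
    # built from, so `nix run nixpkgs#…` does not silently fetch a newer tree.
    registry.nixpkgs.flake = nixpkgs;
  };

  # Kernel: pinned to the 5.15 LTS series. nixpkgs tracks its point releases,
  # so security fixes still arrive as long as the system is rebuilt regularly.
  boot.kernelPackages = pkgs.linuxPackages_5_15;

  # Boot loader: GRUB on EFI (systemd-boot deliberately disabled).
  # boot.loader.systemd-boot.enable = true;
  boot.loader.efi = {
    # Lets the installer write boot entries into UEFI NVRAM.
    canTouchEfiVariables = true;
    efiSysMountPoint = "/boot/efi";
  };
  boot.loader.grub = {
    enable = true;
    device = "nodev";
    efiSupport = true;
    # GRUB can unlock LUKS itself, so /boot can live on the encrypted volume
    # (only the ESP at /boot/efi stays in the clear). Presumably that is the
    # layout here; the passphrase is then asked for by GRUB and again by the
    # initrd unless a keyfile is configured elsewhere.
    enableCryptodisk = true;
  };

  # Encrypted root, unlocked before LVM is activated.
  boot.initrd.luks.devices = {
    root = {
      device = "/dev/disk/by-uuid/70c16b36-14b6-4939-9fc9-210774614e72";
      preLVM = true;
    };
  };
  # Hardware AES in the initrd so unlocking/decrypting root is not slow.
  boot.initrd.availableKernelModules = [
    "aesni_intel"
    "cryptd"
  ];

  # Systemd hardware watchdog, currently disabled.
  # systemd.watchdog = {
  #   runtimeTime = "30s";
  #   rebootTime = "10m";
  # };

  # Out-of-tree module for virtual cameras (OBS etc.), loaded at boot.
  boot.extraModulePackages = [
    config.boot.kernelPackages.v4l2loopback.out
  ];
  boot.kernelModules = [
    "v4l2loopback"
  ];

  # For Focusrite Scarlett 2i2
  # See https://github.com/Focusrite-Scarlett-on-Linux/sound-usb-kernel-module
  boot.extraModprobeConfig = ''
    options snd_usb_audio vid=0x1235 pid=0x8210 device_setup=1
  '';

  # Register qemu-user via binfmt so foreign-architecture binaries run
  # transparently (handy for cross builds). Note this means any ARM/RISC-V
  # executable on the box can simply be executed, the same as a native one.
  boot.binfmt.emulatedSystems = [
    "armv7l-linux"
    "aarch64-linux"
    "riscv64-linux"
  ];

  services.udisks2.enable = true;
  # Firmware updates (LVFS).
  services.fwupd.enable = true;

  # Networking: systemd-networkd + wpa_supplicant on the Wi-Fi interface.
  networking.useNetworkd = true;
  networking.hostName = "dustbowl";
  networking.wireless.enable = true;
  networking.wireless.interfaces = [ "wlp2s0" ];
  networking.wireguard.enable = true;
  # Relaxed reverse-path filtering, presumably so traffic routed through the
  # WireGuard/Mullvad tunnel is not dropped by rpfilter. "loose" still rejects
  # packets with no route back at all.
  networking.firewall.checkReversePath = "loose";
  services.mullvad-vpn.enable = true;
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.wlp2s0.useDHCP = true;

  # Add TeleSec root certificate to /etc/ explicitly for eduroam.
  # This only places the PEM at a stable path (for the wpa_supplicant ca_cert
  # setting, presumably); it does NOT add the CA to the system trust store,
  # which is the right scope. The download is pinned by hash, so a tampered
  # file would fail the build instead of being installed.
  environment.etc."ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem".source = pkgs.fetchurl {
    url = "https://www.pki.dfn.de/fileadmin/PKI/zertifikate/T-TeleSec_GlobalRoot_Class_2.pem";
    sha256 = "0if8aqd06sid7a0vw009zpa087wxcgdd2x6z2zs4pis5kvyqj2dk";
  };

  # Encrypted DNS, currently disabled.
  # services.dnscrypt-proxy2 = {
  #   enable = true;
  #   settings = {
  #     require_nolog = true;
  #     require_nofilter = true;
  #     sources.public-resolvers = {
  #       urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
  #       cache_file = "public-resolvers.md";
  #       minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
  #       refresh_delay = 72;
  #     };
  #   };
  # };

  # udev rules: Yubikey and OpenRGB device access for the unprivileged user.
  services.udev.packages = with pkgs; [
    yubikey-personalization
    openrgb
  ];

  # Console
  console = {
    font = "Lat2-Terminus16";
    keyMap = "adnw";
  };

  # Internationalisation
  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  # Location (for wlsunset)
  location = {
    latitude = 49.5;
    longitude = 8.4;
  };

  environment.systemPackages = with pkgs; [
    ntfs3g
    file
    usbutils
    pciutils
    calc
    wget
    unzip
    zip
    psmisc
    htop
    vim
    vis
    git
    git-lfs
    bubblewrap
    openconnect
    yubikey-personalization
    yubico-pam
    nmap
    bind.dnsutils
    gdb
    intel-gpu-tools
    config.boot.kernelPackages.perf
    fd
    ripgrep
    jq
    fzf
    tig
    croc
    mullvad
    jless
    restic
    pdfgrep
    tmux
    sshuttle
    rclone
    timewarrior
    syncthing
    nextcloud-client
    mpd
    # GTK theme
    gnome.adwaita-icon-theme
    # Wayland setup
    grim
    slurp
    wl-clipboard
    mako
    foot
    xdg-utils
    i3status
    wlr-randr
    waypipe
    wl-mirror
    # GUI software
    emacs29-pgtk
    firefox
    thunderbird
    mpv
    zathura
    imv
    pavucontrol
    xournalpp
    libreoffice
    okular
    ungoogled-chromium
    openrgb
    obs-studio
    tdesktop
    signal-desktop
    element-desktop
    virt-manager
    zotero
    wpa_supplicant_gui
    keepassxc
    mpdevil
    (callPackage ./posy-cursor-black.nix { })
  ];

  services.gnome.gnome-keyring.enable = true;

  # Privilege escalation: doas instead of sudo.
  security.sudo.enable = false;
  security.doas = {
    enable = true;
    extraRules = [
      {
        groups = [ "wheel" ];
        # Cache a successful authentication for a while (like sudo's timestamp).
        persist = true;
        # Forward the caller's environment to the root process. NOTE(review):
        # opendoas still resets HOME/LOGNAME/PATH/SHELL/USER for the target
        # user, but everything else (XDG_*, proxies, LD_* if set) comes
        # through — verify, and prefer `setEnv` with the specific variables
        # needed if the full environment is not required.
        keepEnv = true;
      }
    ];
  };

  # setcap wrappers so profiling tools get CAP_PERFMON without being setuid
  # root. CAP_PERFMON is far narrower than CAP_SYS_ADMIN; it is still a
  # capability every user on the box can exercise through these binaries.
  security.wrappers.rr = {
    owner = "root";
    group = "root";
    # inheritable + permitted, so rr can pass the capability to its tracees.
    capabilities = "cap_perfmon=ip";
    source = "${pkgs.rr}/bin/rr";
  };
  security.wrappers.intel_gpu_top = {
    owner = "root";
    group = "root";
    capabilities = "cap_perfmon=p";
    source = "${pkgs.intel-gpu-tools}/bin/intel_gpu_top";
  };

  # TPM2: device access for the tss group (the user below is a member) and a
  # PKCS#11 module backed by the TPM for keys that should not leave the chip.
  security.tpm2 = {
    enable = true;
    pkcs11.enable = true;
  };

  # gpg-agent
  programs.gnupg.agent.enable = true;
  programs.fish.enable = true;
  # Sandboxed browser for captive-portal logins, bound to the Wi-Fi interface.
  programs.captive-browser = {
    enable = true;
    interface = "wlp2s0";
  };
  # Steam
  programs.steam.enable = true;

  # Host firewall. This laptop roams onto untrusted Wi-Fi (eduroam, captive
  # portals — see above), so the firewall is kept ON: nothing is reachable
  # from the network unless listed here. Outbound and established traffic
  # is unaffected, as is the WireGuard/Mullvad tunnel. The two port lists
  # below were previously used (6600 is presumably mpd, installed above);
  # re-enable them deliberately, per port, rather than disabling the firewall.
  # NOTE(review): inbound peer-to-peer tools in the package list (syncthing,
  # croc, waypipe) may need their own ports opened if inbound use is wanted.
  networking.firewall.enable = true;
  # networking.firewall.allowedTCPPorts = [ 8080 6600 ];
  # networking.firewall.allowedUDPPorts = [ 8080 ];

  # Printing and scanning. hplipWithPlugin pulls HP's proprietary binary
  # plugin (hence allowUnfree above); it runs with the CUPS/SANE privileges.
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplipWithPlugin ];
  hardware.sane = {
    enable = true;
    brscan4.enable = true;
    extraBackends = [ pkgs.hplipWithPlugin ];
  };
  # udev rules + plugdev group for RTL-SDR dongles.
  hardware.rtl-sdr.enable = true;

  # Per-user session daemons, tied to the graphical session.
  systemd.user.services.wlsunset = {
    description = "wlsunset colour temperature adjuster";
    wantedBy = [ "graphical-session.target" ];
    partOf = [ "graphical-session.target" ];
    serviceConfig = {
      ExecStart = ''
        ${pkgs.wlsunset}/bin/wlsunset \
          -l ${toString config.location.latitude} \
          -L ${toString config.location.longitude} \
          -t 2000 \
      '';
      RestartSec = 3;
      Restart = "always";
    };
  };
  systemd.user.services.mpris-proxy = {
    description = "Bluetooth MPRIS Proxy";
    wantedBy = [ "graphical-session.target" ];
    partOf = [ "graphical-session.target" ];
    serviceConfig = {
      ExecStart = ''
        ${pkgs.bluez}/bin/mpris-proxy
      '';
      RestartSec = 3;
      Restart = "always";
    };
  };
  # Screen locking: lock after 5 min idle, blank outputs after 10 min, and
  # always lock before suspend so a resumed laptop is never unlocked.
  # `-w` makes swayidle wait for the lock command before sleeping.
  systemd.user.services.swayidle = {
    description = "swayidle idle manager for Wayland";
    wantedBy = [ "graphical-session.target" ];
    partOf = [ "graphical-session.target" ];
    path = with pkgs; [ bash sway swaylock ];
    serviceConfig = {
      ExecStart = ''
        ${pkgs.swayidle}/bin/swayidle -w \
          timeout 300 'swaylock -f -c 000000' \
          timeout 600 'swaymsg "output * dpms off"' \
          resume 'swaymsg "output * dpms on"' \
          before-sleep 'swaylock -f -c 000000'
      '';
      RestartSec = 3;
      Restart = "always";
    };
  };

  # Sound
  sound.enable = true;
  # Bluetooth. `Experimental` turns on bluez's experimental D-Bus interfaces
  # (battery reporting etc.) — a little more surface in bluetoothd; presumably
  # wanted for the headset features used here.
  hardware.bluetooth = {
    enable = true;
    settings = {
      General.Experimental = true;
    };
  };
  # UPower
  services.upower.enable = true;
  # RealtimeKit: lets audio processes request realtime scheduling.
  security.rtkit.enable = true;
  # Video acceleration
  hardware.opengl.extraPackages = with pkgs; [
    vaapiIntel
    intel-compute-runtime
  ];
  # Installs a setcap dumpcap wrapper; members of the "wireshark" group (the
  # user below) can capture on any interface without root.
  programs.wireshark.enable = true;
  # PipeWire
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
  };

  # Sway
  programs.sway = {
    extraSessionCommands = ''
      export XCURSOR_THEME=posy-cursor-black
      export _JAVA_AWT_WM_NONREPARENTING=1
    '';
    wrapperFeatures.gtk = true;
    enable = true;
  };
  # Sway systemd integration
  # https://wiki.archlinux.org/title/Sway#Manage_Sway-specific_daemons_with_systemd
  systemd.user.targets.sway-session = {
    description = "Sway compositor session";
    bindsTo = [ "graphical-session.target" ];
    wants = [ "graphical-session-pre.target" ];
    after = [ "graphical-session-pre.target" ];
  };
  environment.etc."sway/config.d/systemd.conf".source = pkgs.writeText "systemd.conf" ''
    exec_always "systemctl --user start sway-session.target"
  '';
  xdg.portal.enable = true;

  # Fonts
  fonts.packages = with pkgs; [
    fira-code
    noto-fonts
    noto-fonts-emoji
    noto-fonts-extra
    roboto
    roboto-slab
    roboto-mono
  ];
  fonts.fontconfig = {
    enable = true;
    defaultFonts = {
      emoji = [ "Noto Color Emoji" ];
      monospace = [ "Fira Code" ];
      sansSerif = [ "Noto Sans" ];
    };
  };

  # Virtualisation. Membership in "libvirtd" (below) is effectively
  # root-equivalent — VMs can be given any host device or disk.
  virtualisation.libvirtd.enable = true;
  # virtualisation.virtualbox.host = {
  #   enable = true;
  #   enableExtensionPack = true;
  # };

  # The single interactive user. No password is set here; presumably it
  # lives in private.nix. Group membership is what grants device access:
  # wheel (doas), scanner, libvirtd, wireshark (dumpcap), tss (TPM),
  # plugdev (rtl-sdr). "vboxusers" is stale while VirtualBox is disabled.
  users.users.joachim = {
    isNormalUser = true;
    home = "/home/joachim";
    shell = pkgs.fish;
    extraGroups = [ "wheel" "scanner" "libvirtd" "wireshark" "vboxusers" "tss" "plugdev" ];
  };

  # Yubikey PAM, HMAC-SHA1 challenge-response (works offline, per-user
  # mapping lives in ~/.yubico). NOTE(review): `control` is not set here and
  # NixOS defaults it to "sufficient", which would let the key alone satisfy
  # PAM without a password; if the intent is a second factor, confirm and
  # set `control = "required"` — test at a spare console before rebooting.
  security.pam.yubico = {
    enable = true;
    mode = "challenge-response";
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "20.03"; # Did you read the comment?
}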