2025-06-18 11:55:05 +02:00
parent cac174dd69
commit 76e240c44c
3 changed files with 324 additions and 78 deletions

README.md
View File

@ -1,5 +1,146 @@
# Felix's NixOS Config # Felix's NixOS Configuration
## A modular, flake-based NixOS configuration supporting multiple hosts with shared and host-specific configurations.
Note: `hardware-configuration.nix` is hardware-specific. Generate your own with: `sudo nixos-generate-config` ## 🏗️ Structure Overview
```
nixos/
├── flake.nix # Main flake definition with inputs and outputs
├── hosts/ # Host-specific configurations
│ ├── wildfire/ # Desktop workstation (AMD GPU)
│ └── hurricane/ # Laptop/secondary system
├── modules/ # Shared configuration modules
│ ├── common.nix # Base system configuration
│ ├── programs.nix # System-wide packages and programs
│ ├── home/ # Home Manager configurations
│ └── desktops/ # Desktop environment configurations
└── rebuild-nix-system.sh # Helper script for system rebuilds
```
## 🖥️ Hosts
### Wildfire (Desktop Workstation)
- **GPU**: AMD with `lact` daemon for GPU control
- **Features**: Gaming setup with Steam, DaVinci Resolve, Ardour
- **Special**: LUKS encryption, dedicated GPU configuration
### Hurricane (Laptop/Secondary)
- **Type**: Portable system
- **Features**: Basic desktop setup with power management
- **Special**: Touchpad support, power profiles
Both hosts use:
- **Desktop**: Hyprland (Wayland compositor)
- **Display Manager**: regreet (lightweight Wayland greeter)
- **Audio**: PipeWire with ALSA and PulseAudio compatibility
- **Security**: Firejail sandboxing for browsers, Yubikey support
## 🧩 Modules
### `modules/common.nix`
Base system configuration shared across all hosts:
- **User Management**: Main user `schulze` with shell and groups
- **Boot**: systemd-boot with latest kernel
- **Networking**: NetworkManager with firewall
- **Localization**: Swedish locale with English UI
- **Security**: Core dump disabled, firewall enabled, ClamAV antivirus
- **Home Manager**: Integration and user-specific imports
- **System**: Auto-upgrades, fonts, and core settings
### `modules/programs.nix`
System-wide packages and program configurations:
- **Development**: VS Code (Cursor), Git, Python, Node.js, etc.
- **CLI Tools**: Modern alternatives (zoxide, starship, fish)
- **Security**: GPG, OpenSSL, Yubikey tools
- **Applications**: Firefox, Thunderbird, LibreOffice, media tools
- **Virtualization**: Docker, libvirt/QEMU with virt-manager
### `modules/desktops/hyprland-desktop.nix`
Hyprland desktop environment setup:
- **Compositor**: Hyprland with UWSM session management
- **Portal**: XDG desktop portal for Wayland
- **Workflow**: Waybar, Rofi, Mako notifications
- **Theming**: Gruvbox theme with consistent fonts
- **Tools**: Screenshot tools, clipboard manager, file manager
### `modules/home/`
Home Manager configurations:
- **`hyprland.nix`**: User-specific Hyprland configuration
- **`home-manager.nix`**: Base Home Manager settings
## 🚀 Usage
### Building and Switching
```bash
# Build and switch to new configuration
sudo nixos-rebuild switch --flake .#hostname
# Or use the helper script
./rebuild-nix-system.sh
```
### Updating the System
```bash
# Update flake inputs
nix flake update
# Update and rebuild
./update-nix-system.sh
```
## 🔒 Security Features
- **Sandboxing**: Browsers run in Firejail containers
- **Firewall**: Enabled by default, minimal open ports
- **Antivirus**: ClamAV with automatic signature updates
- **Authentication**: Yubikey U2F support
- **Encryption**: LUKS disk encryption (wildfire)
- **Updates**: Automatic security updates at 02:00
## 🎨 Theming and UI
- **Theme**: Gruvbox Dark
- **Icons**: Flat-Remix-Red-Dark
- **Fonts**: Intel One Mono, Noto Sans
- **Terminal**: Ghostty with Fish shell
- **Launcher**: Rofi (Wayland)
- **Notifications**: Mako
## 📦 Package Management
### System Packages
- Defined in `modules/programs.nix`
- Available system-wide for all users
### Host-Specific Packages
- Added in individual host `configuration.nix` files
- Only installed on that specific host
### User Packages
- Managed through Home Manager
- Per-user configurations in `modules/home/`
## 🔄 Development Workflow
### Code Style
- Use `alejandra` for Nix code formatting
- Comment complex configurations
- Group related settings together
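Review bot: the Usage section invokes `./update-nix-system.sh`, but the Structure Overview tree only lists `rebuild-nix-system.sh`; either add the update script to the tree or drop the reference so the README matches the repository layout. Two wording points in the same hunk: "Automatic security updates at 02:00" describes `system.autoUpgrade` with `--update-input nixpkgs`, which is a full nixpkgs bump and rebuild rather than a security-only channel, so "automatic system upgrades" is the accurate claim; and "Firewall: minimal open ports" is only true if the per-host configurations keep their opened ports small, since `modules/common.nix` merely enables the default-deny inbound firewall. The run-together first line (hardware-configuration note followed by the Structure Overview heading) is a rendering artifact of the side-by-side view, not a problem in the file.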

View File

@ -1,25 +1,37 @@
# Common system configuration shared across all hosts
# This module contains the base settings that every system should have
{ {
pkgs, pkgs,
inputs, inputs,
... ...
}: { }: {
imports = [ imports = [
# Import Home Manager as a NixOS module for user-specific configurations
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
]; ];
# Home Manager configuration # ================================
# HOME MANAGER INTEGRATION
# ================================
# Configure Home Manager to manage user-specific dotfiles and applications
home-manager = { home-manager = {
# Create backup files when Home Manager would overwrite existing files
backupFileExtension = "backupHM"; backupFileExtension = "backupHM";
# Use system packages instead of separate user packages (saves space)
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
# User-specific Home Manager configurations
users.schulze.imports = [ users.schulze.imports = [
./home/hyprland.nix ./home/hyprland.nix # Hyprland window manager user config
./home/home-manager.nix ./home/home-manager.nix # Base user environment
]; ];
}; };
# Define the main user account # ================================
# USER MANAGEMENT
# ================================
users = { users = {
# Define the main user account
users.schulze = { users.schulze = {
isNormalUser = true; isNormalUser = true;
description = "Felix Schulze"; description = "Felix Schulze";
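Review bot: the comment on `useGlobalPkgs = true` ("Use system packages instead of separate user packages (saves space)") does not describe what the option does, and `useUserPackages = true` has no comment at all. `useGlobalPkgs` makes Home Manager reuse the system's nixpkgs instance and its `nixpkgs.config` (so `allowUnfree` set below applies to user packages too) instead of evaluating a separate nixpkgs; `useUserPackages` installs user packages into `/etc/profiles/per-user/<user>` rather than `~/.nix-profile`. Suggest replacing the comment with, for example, `# Reuse the system nixpkgs instance and config (e.g. allowUnfree) for Home Manager` and `# Install user packages via /etc/profiles instead of ~/.nix-profile`.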
@ -29,33 +41,47 @@
groups.libvirtd.members = ["schulze"]; groups.libvirtd.members = ["schulze"];
}; };
# Bootloader. # ================================
# BOOT CONFIGURATION
# ================================
boot = { boot = {
# Use systemd-boot (modern UEFI bootloader)
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
# Always use the latest kernel for best hardware support
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
}; };
# ================================
# NETWORKING
# ================================
networking = { networking = {
# Enable networking # Enable NetworkManager for easy network configuration
networkmanager.enable = true; networkmanager.enable = true;
# Network security # Security: Enable firewall and block all ports by default
# enable firewall and block all ports # Host-specific ports are opened in individual host configurations
firewall.enable = true; firewall.enable = true;
}; };
# disable coredump that could be exploited later # ================================
# and also slow down the system when something crash # SECURITY HARDENING
# ================================
# Disable core dumps to prevent potential security exploits
# and improve system performance during crashes
systemd.coredump.enable = false; systemd.coredump.enable = false;
# Set your time zone. # ================================
# LOCALIZATION
# ================================
# Set timezone to Swedish time
time.timeZone = "Europe/Stockholm"; time.timeZone = "Europe/Stockholm";
# Select internationalisation properties. # Internationalization: English UI with Swedish regional settings
i18n = { i18n = {
defaultLocale = "en_GB.UTF-8"; defaultLocale = "en_GB.UTF-8"; # British English for UI
extraLocaleSettings = { extraLocaleSettings = {
# Swedish locale for regional formats (dates, currency, etc.)
LC_ADDRESS = "sv_SE.UTF-8"; LC_ADDRESS = "sv_SE.UTF-8";
LC_IDENTIFICATION = "sv_SE.UTF-8"; LC_IDENTIFICATION = "sv_SE.UTF-8";
LC_MEASUREMENT = "sv_SE.UTF-8"; LC_MEASUREMENT = "sv_SE.UTF-8";
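Review bot: the firewall comment "block all ports by default" should say "block all inbound ports by default"; `networking.firewall.enable = true` filters incoming connections only and leaves outbound traffic unrestricted, which matters when a reader later assumes egress is controlled. Likewise the core dump comment "prevent potential security exploits" is imprecise: the concern with core dumps is that they write process memory (which may hold keys, passwords or session tokens) to disk where it can be read later, not that they are exploited directly; suggest `# Disable core dumps: they persist process memory (possibly secrets) to disk and slow down crashes`.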
@ -68,79 +94,99 @@
}; };
}; };
# Configure console keymap # Configure console to use Swedish keyboard layout
console.keyMap = "sv-latin1"; console.keyMap = "sv-latin1";
# ================================
# SYSTEM SERVICES
# ================================
services = { services = {
# Enable CUPS to print documents. # Disable CUPS printing (enable per-host if needed)
printing.enable = false; printing.enable = false;
# Enable sound with pipewire. # Modern audio stack: PipeWire replaces PulseAudio
pulseaudio.enable = false; pulseaudio.enable = false; # Disable old PulseAudio
pipewire = { pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true; # ALSA compatibility
alsa.support32Bit = true; alsa.support32Bit = true; # 32-bit app support
pulse.enable = true; pulse.enable = true; # PulseAudio compatibility
wireplumber.enable = true; wireplumber.enable = true; # Session manager
}; };
# enable antivirus clamav and keep the signatures' database updated # Antivirus protection with automatic updates
clamav = { clamav = {
daemon.enable = true; daemon.enable = true; # Background virus scanning
updater.enable = true; updater.enable = true; # Automatic signature updates
}; };
}; };
# Realtime scheduling priority for audio # ================================
# SECURITY & PERMISSIONS
# ================================
# Enable real-time scheduling for audio applications (low-latency audio)
security.rtkit.enable = true; security.rtkit.enable = true;
# Polkit agent (authentication dialogs) # Enable Polkit for GUI authentication dialogs (password prompts)
security.polkit.enable = true; security.polkit.enable = true;
# Allow unfree packages # ================================
# NIX CONFIGURATION
# ================================
# Allow installation of proprietary/unfree software
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Enable Flakes # Enable modern Nix features (flakes and new CLI)
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
# Automatic system upgrades # ================================
# AUTOMATIC MAINTENANCE
# ================================
# Configure automatic system updates for security
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
flake = inputs.self.outPath; flake = inputs.self.outPath; # Use this flake for updates
flags = [ flags = [
"--update-input" "--update-input"
"nixpkgs" "nixpkgs" # Update nixpkgs input
"-L" # print build logs "-L" # Print build logs for transparency
]; ];
dates = "02:00"; dates = "02:00"; # Run at 2 AM
randomizedDelaySec = "45min"; randomizedDelaySec = "45min"; # Random delay to avoid server load
}; };
# Fonts # ================================
# FONTS
# ================================
# System-wide fonts for consistent typography
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
intel-one-mono intel-one-mono # Monospace font for coding
noto-fonts noto-fonts # Comprehensive Unicode support
noto-fonts-emoji noto-fonts-emoji # Emoji support
]; ];
# This improves touchscreen support and enables additional touchpad gestures. It also enables smooth scrolling as opposed to the stepped scrolling that Firefox has by default # ================================
# BROWSER OPTIMIZATIONS
# ================================
# Improve touchscreen and scrolling support in Firefox
environment.sessionVariables = { environment.sessionVariables = {
MOZ_USE_XINPUT2 = "1"; MOZ_USE_XINPUT2 = "1";
}; };
# create system-wide executables firefox and chromium # ================================
# that will wrap the real binaries so everything work out of the box. # SANDBOXED APPLICATIONS
# enable firejail # ================================
# Enable Firejail for application sandboxing (security)
programs.firejail = { programs.firejail = {
enable = true; enable = true;
# Create sandboxed wrappers for browsers
wrappedBinaries = { wrappedBinaries = {
firefox = { firefox = {
executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox"; executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
extraArgs = [ extraArgs = [
# Required for U2F USB stick # Required for U2F USB security keys
"--ignore=private-dev" "--ignore=private-dev"
# Enable system notifications # Enable desktop notifications
"--dbus-user.talk=org.freedesktop.Notifications" "--dbus-user.talk=org.freedesktop.Notifications"
]; ];
}; };
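Review bot: the `--ignore=private-dev` comment ("Required for U2F USB security keys") should document the trade-off, since this flag removes the `private-dev` directive from the Firefox profile and thereby exposes the entire `/dev` tree to the sandboxed browser, not just the U2F device; a reader auditing the sandbox should see that widening stated explicitly, e.g. `# Drops Firejail's private /dev so the U2F key is reachable; this exposes all device nodes to the browser`. Two smaller documentation points in the same hunk: `clamav.daemon.enable` starts `clamd`, which answers scan requests but does not scan the filesystem by itself, so "Background virus scanning" overstates it (a scheduled or on-access scan has to be configured separately); and `flake = inputs.self.outPath` points the upgrade at the evaluated flake's store path, so the `--update-input nixpkgs` result is not written back to the checked-out `flake.lock`, which is worth a comment for anyone who expects the repository lock file to move.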
@ -150,7 +196,12 @@
}; };
}; };
}; };
# Yubikey Settings
# ================================
# HARDWARE SECURITY (YUBIKEY)
# ================================
# Enable Yubikey support for SSH and GPG
services.yubikey-agent.enable = true; services.yubikey-agent.enable = true;
# Enable U2F authentication for login
security.pam.u2f.enable = true; security.pam.u2f.enable = true;
} }
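Review bot: the comment "Enable Yubikey support for SSH and GPG" on `services.yubikey-agent.enable` is inaccurate; `yubikey-agent` is an ssh-agent implementation backed by the YubiKey's PIV applet and does not provide GPG/OpenPGP support, which would go through `gpg-agent` and `scdaemon`. Suggest `# SSH agent backed by the YubiKey PIV applet (not GPG)`. For `security.pam.u2f.enable = true`, the comment "Enable U2F authentication for login" should also state that pam_u2f only works once keys are registered in its authfile (by default `~/.config/Yubico/u2f_keys`), and which PAM control is in effect: NixOS defaults `security.pam.u2f.control` to `sufficient`, meaning a touched registered key alone satisfies authentication, whereas `required` would make it a second factor alongside the password. A reader of this file should not have to guess which of the two this host is running.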

View File

@ -1,35 +1,55 @@
# Hyprland Desktop Environment Configuration
# Complete setup for Hyprland Wayland compositor with modern desktop tools
{ {
inputs, inputs,
pkgs, pkgs,
... ...
}: { }: {
# ================================
# DISPLAY SERVER CONFIGURATION
# ================================
services = { services = {
# X11 server configuration (for compatibility)
xserver = { xserver = {
enable = true; enable = true;
displayManager.gdm.enable = false; displayManager.gdm.enable = false; # Disable GDM in favor of regreet
}; };
# Greetd is lightweight and Wayland-native
# Lightweight Wayland-native display manager
greetd.enable = true; greetd.enable = true;
upower.enable = true; # Power management services for laptops and desktops
power-profiles-daemon.enable = true; upower.enable = true; # Battery and power device monitoring
power-profiles-daemon.enable = true; # CPU frequency scaling
}; };
# ================================
# HYPRLAND BINARY CACHE
# ================================
# Configure Cachix for faster Hyprland installations
nix.settings = { nix.settings = {
substituters = ["https://hyprland.cachix.org"]; substituters = ["https://hyprland.cachix.org"];
trusted-substituters = ["https://hyprland.cachix.org"]; trusted-substituters = ["https://hyprland.cachix.org"];
trusted-public-keys = ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="]; trusted-public-keys = ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
}; };
# ================================
# HYPRLAND & SESSION MANAGEMENT
# ================================
programs = { programs = {
# Main Hyprland configuration
hyprland = { hyprland = {
enable = true; enable = true;
withUWSM = true; withUWSM = true; # Enable Universal Wayland Session Manager
# Only enable the flake packages after Cachix has already been enabled # Use cutting-edge Hyprland from flake input (latest features)
package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland; package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
portalPackage = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland; portalPackage = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
}; };
# regreet: Modern, customizable greeter for greetd
regreet.enable = true; regreet.enable = true;
# UWSM: Universal Wayland Session Manager
uwsm = { uwsm = {
enable = true; enable = true;
waylandCompositors.hyprland = { waylandCompositors.hyprland = {
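Review bot: the binary cache comment "Configure Cachix for faster Hyprland installations" should state the trust implication, because adding `trusted-public-keys` means this system will accept any store path signed by that key from `hyprland.cachix.org`, not only Hyprland itself; suggest `# Trust hyprland.cachix.org's signing key: binaries it signs are installed without local builds`. The old comment "Only enable the flake packages after Cachix has already been enabled" also carried an operational detail that the rewrite dropped: on a fresh host the substituter is not active until this configuration has been applied once, so the first rebuild compiles Hyprland from source. Minor: `services.xserver.enable = true` with the comment "X11 server configuration (for compatibility)" installs a full X server on a Wayland-only desktop; if it is only there for XWayland or keyboard layout settings, say so, otherwise it is surface area that can be dropped.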
@ -38,62 +58,96 @@
binPath = "/run/current-system/sw/bin/Hyprland"; binPath = "/run/current-system/sw/bin/Hyprland";
}; };
}; };
# ================================
# GTK THEMING CONFIGURATION
# ================================
# dconf: Configure GTK applications and GNOME settings
dconf = { dconf = {
enable = true; enable = true;
profiles.user.databases = [ profiles.user.databases = [
{ {
settings."org/gnome/desktop/interface" = { settings."org/gnome/desktop/interface" = {
gtk-theme = "Gruvbox-Dark-B"; gtk-theme = "Gruvbox-Dark-B"; # Dark theme for GTK apps
icon-theme = "Flat-Remix-Red-Dark"; icon-theme = "Flat-Remix-Red-Dark"; # Icon theme
font-name = "Noto Sans Medium 11"; font-name = "Noto Sans Medium 11"; # UI font
document-font-name = "Noto Sans Medium 11"; document-font-name = "Noto Sans Medium 11"; # Document font
monospace-font-name = "Intel One Mono Medium 11"; monospace-font-name = "Intel One Mono Medium 11"; # Terminal/code font
}; };
} }
]; ];
}; };
}; };
# ================================
# XDG & DESKTOP INTEGRATION
# ================================
xdg = { xdg = {
# Set default applications for file types
mime.defaultApplications = { mime.defaultApplications = {
"default-web-browser" = ["firefox.desktop"]; "default-web-browser" = ["firefox.desktop"];
}; };
# XDG Desktop Portal for Wayland integration
portal = { portal = {
enable = true; enable = true;
xdgOpenUsePortal = true; xdgOpenUsePortal = true; # Use portal for opening files/URLs
}; };
}; };
# ================================
# ENVIRONMENT VARIABLES
# ================================
environment.sessionVariables = { environment.sessionVariables = {
# Set Firefox as default browser
BROWSER = "${pkgs.lib.getBin pkgs.firefox}"; BROWSER = "${pkgs.lib.getBin pkgs.firefox}";
# Enable Wayland support for Electron apps (VS Code, Discord, etc.)
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
}; };
# ================================
# HYPRLAND DESKTOP PACKAGES
# ================================
# Essential tools for a functional Hyprland desktop
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Core Hyprland workflow tools # ---- CORE HYPRLAND WORKFLOW ----
waybar # Panel waybar # Status bar/panel
rofi-wayland # Launcher rofi-wayland # Application launcher and dmenu replacement
mako # Notification daemon mako # Notification daemon
hyprpaper # Wallpaper daemon hyprpaper # Wallpaper daemon
hyprlock # Lock screen hyprlock # Screen lock utility
wl-clipboard # Clipboard utils
cliphist # Clipboard manager # ---- CLIPBOARD & INPUT ----
pavucontrol # GUI audio mixer wl-clipboard # Clipboard utilities for Wayland
blueman # Bluetooth tray cliphist # Clipboard history manager
networkmanagerapplet # System tray for network
brightnessctl # Brightness (for laptops) # ---- SYSTEM CONTROL ----
wlsunset # Night light/gamma adjustment pavucontrol # GUI audio mixer and control
grim blueman # Bluetooth manager with system tray
slurp networkmanagerapplet # Network management system tray
swappy brightnessctl # Screen brightness control (laptops)
wf-recorder # Screenshots & screenrecording wlsunset # Blue light filter/night mode
libsForQt5.qt5ct # For QT application appearance
nautilus # File manager # ---- SCREENSHOT & RECORDING ----
grim # Screenshot tool for Wayland
slurp # Screen area selection for screenshots
swappy # Screenshot editing and annotation
wf-recorder # Screen recording for Wayland
# ---- APPLICATION INTEGRATION ----
libsForQt5.qt5ct # Qt5 application theming control
nautilus # GNOME file manager (GTK)
]; ];
# ================================
# FILE MANAGER INTEGRATION
# ================================
# Configure Nautilus to work seamlessly with the desktop
programs.nautilus-open-any-terminal = { programs.nautilus-open-any-terminal = {
enable = true; enable = true;
terminal = "ghostty"; terminal = "ghostty"; # Use Ghostty as default terminal in file manager
}; };
# Enable GNOME Sushi for file preview in Nautilus
services.gnome.sushi.enable = true; services.gnome.sushi.enable = true;
} }
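Review bot: `BROWSER = "${pkgs.lib.getBin pkgs.firefox}"` undercuts the Firejail setup in `modules/common.nix`, because it resolves to the unwrapped Firefox store path (the `bin` output directory, not even the `bin/firefox` executable that the Firejail wrapper in the other file uses), so any program that honours `$BROWSER` launches Firefox outside the sandbox. Setting `BROWSER = "firefox"` lets PATH resolve to the Firejail wrapper that `programs.firejail.wrappedBinaries` places in the system profile, which keeps the sandboxing consistent with the README's "Browsers run in Firejail containers" claim. In the same hunk, `mime.defaultApplications."default-web-browser" = ["firefox.desktop"]` uses a key that is not a MIME type; `xdg.mime.defaultApplications` expects entries such as `"x-scheme-handler/http"` and `"x-scheme-handler/https"`, so this line likely has no effect and should be checked against the generated `mimeapps.list`.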