Files
nix-config/modules/common.nix
Felix Schulze ec38db785c wildfire: 408 current 2025-06-30 23:43:55 25.05.20250629.b43c397 6.15.4 *
replace systemd-boot with epic GRUB

wildfire: 410 current  2025-07-01 18:59:46  25.05.20250629.b43c397  6.15.4                          *

disable cryptodisk (grub)

grub not on /efi

wildfire: 416 current  2025-07-01 21:25:46  25.05.20250620.b2485d5  6.15.3                          *

no config generation limit wildfire: 417 current  2025-07-01 21:28:25  25.05.20250620.b2485d5  6.15.3                          *
2025-07-01 21:57:57 +02:00

305 lines
9.4 KiB
Nix

# Common system configuration shared across all hosts
# This module contains the base settings that every system should have
{
pkgs,
pkgs-unstable,
inputs,
...
}: let
colors = import ./gruvbox-theme.nix;
in {
imports = [
# Import Home Manager as a NixOS module for user-specific configurations
inputs.home-manager.nixosModules.home-manager
];
# ================================
# HOME MANAGER INTEGRATION
# ================================
# Configure Home Manager to manage user-specific dotfiles and applications
home-manager = {
# Create backup files when Home Manager would overwrite existing files
backupFileExtension = "backupHM";
# Use system packages instead of separate user packages (saves space)
useGlobalPkgs = true;
useUserPackages = true;
# Pass unstable packages to home-manager modules
extraSpecialArgs = {
pkgs-unstable = pkgs-unstable;
};
# User-specific Home Manager configurations
users.schulze.imports = [
./hm/home-manager.nix # Base user environment
./hm/hyprland.nix # Hyprland window manager user config
./hm/hyprlock.nix # Hyprlock screen lock user config
./hm/hypridle.nix # Hypridle idle daemon user config
./hm/cursor.nix # Mouse cursor config
./hm/rofi.nix # Rofi theme/config
./hm/ghostty.nix # Ghostty config
./hm/gtk.nix # GTK theme
./hm/nextcloud.nix # Nextcloud autostart
./hm/code-cursor.nix # Cursor config
./hm/vim.nix # Vim config
./hm/hyprsunset.nix # Hyprsunset night mode
./hm/btop.nix # Btop config
./hm/ssh.nix # SSH config
./hm/gitkraken.nix # GitKraken config
./hm/waybar.nix # Waybar config
./hm/cava.nix # Audio visualizer config
];
};
# ================================
# USER MANAGEMENT
# ================================
users = {
# Define the main user account
users.schulze = {
isNormalUser = true;
description = "Felix Schulze";
extraGroups = ["networkmanager" "wheel" "docker" "plugdev"];
shell = pkgs.fish;
};
groups.libvirtd.members = ["schulze"];
};
# ================================
# BOOT CONFIGURATION
# ================================
boot = {
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
# Use GRUB (modern UEFI bootloader)
grub = {
enable = true;
efiSupport = true;
device = "nodev";
enableCryptodisk = false; # ← GRUB lives on the unencrypted ESP
memtest86.enable = true; # Enable memtest86 for hardware testing
# Styling
backgroundColor = "${colors.gruvbox.bg0}";
#splashImage = "";
};
};
# Always use the latest kernel for best hardware support
kernelPackages = pkgs.linuxPackages_latest;
};
# ================================
# NETWORKING
# ================================
networking = {
# Enable NetworkManager for easy network configuration
networkmanager.enable = true;
# Security: Enable firewall and block all ports by default
# Host-specific ports are opened in individual host configurations
firewall.enable = true;
};
# ================================
# LOCALIZATION
# ================================
# Set timezone to Swedish time
time.timeZone = "Europe/Stockholm";
# Internationalization: English UI with Swedish regional settings
i18n = {
defaultLocale = "en_GB.UTF-8"; # British English for UI
extraLocaleSettings = {
# Swedish locale for regional formats (dates, currency, etc.)
LC_ADDRESS = "sv_SE.UTF-8";
LC_IDENTIFICATION = "sv_SE.UTF-8";
LC_MEASUREMENT = "sv_SE.UTF-8";
LC_MONETARY = "sv_SE.UTF-8";
LC_NAME = "sv_SE.UTF-8";
LC_NUMERIC = "sv_SE.UTF-8";
LC_PAPER = "sv_SE.UTF-8";
LC_TELEPHONE = "sv_SE.UTF-8";
LC_TIME = "sv_SE.UTF-8";
};
};
# Configure console to use Swedish keyboard layout
console.keyMap = "sv-latin1";
# ================================
# SYSTEM SERVICES
# ================================
services = {
# Disable CUPS printing (enable per-host if needed)
printing.enable = false;
# Modern audio stack: PipeWire replaces PulseAudio
pulseaudio.enable = false; # Disable old PulseAudio
pipewire = {
enable = true;
alsa.enable = true; # ALSA compatibility
alsa.support32Bit = true; # 32-bit app support
pulse.enable = true; # PulseAudio compatibility
wireplumber.enable = true; # Session manager
};
playerctld.enable = true; # Playerctl daemon for media controls
# Antivirus protection with automatic updates
clamav = {
daemon.enable = true; # Background virus scanning
updater.enable = true; # Automatic signature updates
};
# Enable GNOME keyring for password management
gnome.gnome-keyring.enable = true;
# Bluetooth support
blueman.enable = true;
};
# Bluetooth support
hardware.bluetooth.enable = true;
# power management tool which allows for managing hibernate and suspend states
powerManagement.enable = true;
# ================================
# PERMISSIONS
# ================================
# Enable real-time scheduling for audio applications (low-latency audio)
security.rtkit.enable = true;
# Enable Polkit for GUI authentication dialogs (password prompts)
security.polkit.enable = true;
# ================================
# NIX CONFIGURATION
# ================================
# Allow installation of proprietary/unfree software
nixpkgs.config.allowUnfree = true;
nix = {
settings.experimental-features = ["nix-command" "flakes"]; # Enable modern Nix features (flakes and new CLI)
# Optimise the Nix store automatically to recover space
optimise = {
automatic = true;
dates = ["03:45"];
persistent = true; # Run missed optimisations
};
# Garbage collect the Nix store automatically to recover space
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 60d";
persistent = true; # Run missed GC
};
};
# ================================
# AUTOMATIC MAINTENANCE
# ================================
# Configure automatic system updates for security
system.autoUpgrade = {
enable = true;
flake = inputs.self.outPath; # Use this flake for updates
flags = [
"--update-input"
"nixpkgs" # Update nixpkgs input
"-L" # Print build logs for transparency
];
dates = "02:00"; # Run at 2 AM
randomizedDelaySec = "45min"; # Random delay to avoid server load
};
# ================================
# FONTS
# ================================
# System-wide fonts for consistent typography
fonts.packages = with pkgs; [
intel-one-mono # Monospace font for coding
noto-fonts # Comprehensive Unicode support
noto-fonts-cjk-sans # CJK support
noto-fonts-emoji # Emoji support
nerd-fonts.symbols-only # Symbols
fira-code # Monospace font for coding
fira-code-symbols # Symbols
];
# ================================
# ENVIRONMENT VARIABLES
# ================================
environment.sessionVariables = {
# Improve touchscreen and scrolling support in Firefox
MOZ_USE_XINPUT2 = "1";
# Screenshot directory for Hyprshot
HYPRSHOT_DIR = "$HOME/Nextcloud/Home-sync/Pictures/Screenshots";
};
# ================================
# SECURITY HARDENING
# ================================
# Enable fail2ban for brute force protection
services.fail2ban = {
enable = true;
# Ban IP after 3 failures
maxretry = 3;
bantime = "1h"; # Ban IPs for one hour on the first ban
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
# Disable core dumps to prevent potential security exploits
# and improve system performance during crashes
systemd.coredump.enable = false;
# SANDBOXED APPLICATIONS
# Enable Firejail for application sandboxing (security)
programs.firejail = {
enable = true;
# Create sandboxed wrappers for browsers
wrappedBinaries = {
firefox = {
executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
extraArgs = [
# Required for U2F USB security keys
"--ignore=private-dev"
# Enable desktop notifications
"--dbus-user.talk=org.freedesktop.Notifications"
];
};
chromium = {
executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
};
};
};
environment.etc = {
"firejail/firefox.local".text = ''
# Custom Firejail profile for firefox
# Allow access to downloads
noblacklist ''${HOME}/Nextcloud
whitelist ''${HOME}/Nextcloud
# Enable native notifications.
dbus-user.talk org.freedesktop.Notifications
# Allow inhibiting screensavers.
dbus-user.talk org.freedesktop.ScreenSaver
# Allow screensharing under Wayland.
dbus-user.talk org.freedesktop.portal.Desktop
'';
};
# HARDWARE SECURITY (YUBIKEY)
# Enable Yubikey support for SSH and GPG
services.yubikey-agent.enable = true;
# Enable U2F authentication for login
security.pam.u2f.enable = true;
}