My NixOS configuration


Introduction

Let me share my NixOS configuration file, the one in /etc/nixos/configuration.nix that describes what is installed on my Lenovo T470 laptop.

The principle of NixOS is that you declare every user, service, network and system setting in a single file, and the system then configures itself to match that description. You can also install global packages and per-user packages. It makes a system environment reproducible and reliable.

The file

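{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Run the Nix garbage collector every day at 19:00 and drop store
  # generations older than 60 days.  "persistent" makes a run that was
  # missed (laptop switched off at 19:00) happen at the next boot.
  nix.gc.automatic = true;
  nix.gc.dates = "19:00";
  nix.gc.persistent = true;
  nix.gc.options = "--delete-older-than 60d";

  # Clean /tmp at boot.
  boot.cleanTmpDir = true;

  # Latest kernel.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Start writing dirty pages back to disk once they reach 6% of memory.
  boot.kernel.sysctl = {
      "vm.dirty_ratio" = 6;
  };

  # Allow non-free packages (the nvidia driver and steam below are unfree).
  nixpkgs.config.allowUnfree = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "t470";
  time.timeZone = "Europe/Paris";
  networking.networkmanager.enable = true;

  # WireGuard VPN.
  # The private key is deliberately read from a file outside the Nix store:
  # a key written inline in this file would land in the world-readable
  # store.  Keep /root/wg-private owned by root with mode 0600.
  # "MY PUB KEY" and "SERVER:PORT" are placeholders to fill in.
  # UDP 1234 is not opened in the firewall below (allowedUDPPorts is empty),
  # so nothing can reach this listenPort from outside; the tunnel is brought
  # up by this side talking to the server endpoint.
  networking.wireguard.interfaces = {
      wg0 = {
              ips = [ "192.168.5.1/24" ];
              listenPort = 1234;
              privateKeyFile = "/root/wg-private";
              peers = [
              { # server
               publicKey = "MY PUB KEY";
               endpoint = "SERVER:PORT";
               allowedIPs = [ "192.168.5.0/24" ];
              }];
      };
  };

  # Run firefox inside firejail by default.
  # The wrapper is installed in the system profile under the name "firefox",
  # so no user should install the bare pkgs.firefox in their own profile:
  # per-user profiles come before the system profile on PATH and would
  # shadow the sandboxed wrapper with an unsandboxed browser.
  programs.firejail.wrappedBinaries = {
      firefox = {
          executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
          profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
      };
  };


  # azerty keyboard <3
  i18n.defaultLocale = "fr_FR.UTF-8";
  console = {
  #   font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  # Clean journal logs older than 2 days, every day at 20:00.
  services.cron.systemCronJobs = [
      "0 20 * * * root journalctl --vacuum-time=2d"
  ];

  # nvidia prime offload rendering for the eGPU
  hardware.nvidia.modesetting.enable = true;
  hardware.nvidia.prime.sync.allowExternalGpu = true;
  hardware.nvidia.prime.offload.enable = true;
  hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
  hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
  services.xserver.videoDrivers = ["nvidia" ];

  # programs
  programs.steam.enable = true;
  programs.firejail.enable = true;
  programs.fish.enable = true;
  programs.gamemode.enable = true;
  programs.ssh.startAgent = true;

  # services
  services.acpid.enable = true;
  services.thermald.enable = true;
  services.fwupd.enable = true;
  services.vnstat.enable = true;

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.desktopManager.xfce.enable = false;
  services.xserver.desktopManager.gnome.enable = false;

  # Configure keymap in X11
  services.xserver.layout = "fr";
  services.xserver.xkbOptions = "eurosign:e";

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;

  # Enable touchpad support
  services.xserver.libinput.enable = true;

  # Main user.  On NixOS sudo rights come from the "wheel" group; there is
  # no "sudo" group, so listing it only produced a warning at activation.
  users.users.solene = {
     isNormalUser = true;
     shell = pkgs.fish;
     packages = with pkgs; [
        gajim audacity chromium dmd dtools
     	kate kdeltachat pavucontrol rclone rclone-browser
     	zim claws-mail mpv musikcube git-annex
     ];
     extraGroups = [ "wheel" "networkmanager" ];
  };

  # My gaming user running steam/lutris/emulators.
  # firefox is intentionally not listed here: the firejailed wrapper from
  # programs.firejail.wrappedBinaries is already on PATH for every user, and
  # a per-user pkgs.firefox would take precedence over it.
  users.users.gaming = {
     isNormalUser = true;
     shell = pkgs.fish;
     extraGroups = [ "networkmanager" "video" ];
     packages = with pkgs; [ lutris ];
  };

  # Download-only user, network-restricted by the firewall rules below.
  users.users.aria = {
     isNormalUser = true;
     shell = pkgs.fish;
     packages = with pkgs; [ aria2 ];
  };

  # global packages
  environment.systemPackages = with pkgs; [
      ncdu kakoune git rsync restic tmux fzf
  ];

  # Enable the OpenSSH daemon, keys only.  Port 22 is reachable on every
  # network this laptop joins (NetworkManager, roaming), so password and
  # keyboard-interactive logins are turned off and root may not log in.
  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.kbdInteractiveAuthentication = false;
  services.openssh.permitRootLogin = "no";

  # Open ports in the firewall.  services.openssh already opens 22 through
  # its openFirewall default; it is listed here to keep the exposure explicit.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];
  networking.firewall.allowedUDPPorts = [ ];

  # User aria may only send traffic over the loopback and tun0 interfaces;
  # anything else she sends is rejected.  (tun0 is not defined in this file,
  # the WireGuard interface above is wg0 -- it is presumably a VPN started
  # elsewhere; verify the interface name.)
  # The owner match uses the user name so the rule does not depend on which
  # uid the system allocated to aria.  The rules are installed in both the
  # IPv4 and the IPv6 table: with iptables alone, IPv6 traffic from aria
  # would have bypassed the restriction entirely.
  networking.firewall.extraCommands = ''
    for ipt in iptables ip6tables; do
      $ipt -A OUTPUT -o lo   -m owner --uid-owner aria -j ACCEPT
      $ipt -A OUTPUT -o tun0 -m owner --uid-owner aria -j ACCEPT
      $ipt -A OUTPUT         -m owner --uid-owner aria -j REJECT
    done
  '';
  # Rules appended to OUTPUT are not part of the nixos-fw chain the firewall
  # script rebuilds, so remove them when the firewall stops to avoid
  # duplicates piling up across restarts.
  networking.firewall.extraStopCommands = ''
    for ipt in iptables ip6tables; do
      $ipt -D OUTPUT -o lo   -m owner --uid-owner aria -j ACCEPT 2>/dev/null || true
      $ipt -D OUTPUT -o tun0 -m owner --uid-owner aria -j ACCEPT 2>/dev/null || true
      $ipt -D OUTPUT         -m owner --uid-owner aria -j REJECT 2>/dev/null || true
    done
  '';

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.11"; # Did you read the comment?

}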