Diffstat (limited to 'bench/configuration.nix')
-rw-r--r--bench/configuration.nix325
1 files changed, 325 insertions, 0 deletions
diff --git a/bench/configuration.nix b/bench/configuration.nix
new file mode 100644
index 000000000..54782a1d3
--- /dev/null
+++ b/bench/configuration.nix
@@ -0,0 +1,325 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ ];
+ kernelModules = [ "dm-snapshot" ];
+ luks.devices = {
+ croot = {
+ device = "/dev/sdb";
+ allowDiscards = true;
+ };
+ };
+ };
+ kernelModules = [ "kvm-intel" ];
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.intel.updateMicrocode = true;
+ opengl.driSupport32Bit = true;
+ opengl.extraPackages = with pkgs; [
+ vaapiIntel
+ intel-media-driver
+ intel-compute-runtime
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = [ "noatime" ];
+ };
+
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "vfat";
+ };
+
+ "/nas" = {
+ device = "nas:/";
+ fsType = "nfs4";
+ options = [
+ "ro"
+ "x-systemd.automount"
+ ];
+ };
+ };
+ swapDevices = [ { device = "/dev/swap"; } ];
+
+ networking = {
+ useDHCP = false;
+ hostName = "host";
+ wireless = {
+ enable = true;
+ interfaces = [ "eth1" ];
+ };
+ interfaces = {
+ eth0.useDHCP = true;
+ eth1.useDHCP = true;
+ };
+ wg-quick.interfaces = {
+ wg0 = {
+ address = [ "2001:db8::1" ];
+ privateKeyFile = "/etc/secrets/wg0.key";
+ peers = [
+ {
+ publicKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+ endpoint = "[2001:db8::2]:61021";
+ allowedIPs = [ "2001::db8:1::/64" ];
+ }
+ ];
+ };
+ };
+
+ firewall.allowedUDPPorts = [ 4567 ];
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ inputMethod.enabled = "ibus";
+ };
+
+ services = {
+ xserver = {
+ enable = true;
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ xkbOptions = "ctrl:nocaps";
+ libinput.enable = true;
+ wacom.enable = true;
+ videoDrivers = [ "modesetting" ];
+ modules = [ pkgs.xf86_input_wacom ];
+
+ displayManager.sx.enable = true;
+ windowManager.i3.enable = true;
+ };
+
+ udev.extraHwdb = ''
+ # not like this mattered at all
+ # we're not running udev from here
+ '';
+
+ udev.extraRules = ''
+ # ACTION=="add", SUBSYSTEM=="input", ...
+ '';
+ };
+
+ sound.enable = true;
+ hardware.pulseaudio = {
+ enable = true;
+ package = pkgs.pulseaudioFull;
+ daemon.config = {
+ lock-memory = "yes";
+ realtime-scheduling = "yes";
+ rlimit-rtprio = "-1";
+ };
+ };
+
+ programs = {
+ light.enable = true;
+ wireshark = {
+ enable = true;
+ package = pkgs.wireshark-qt;
+ };
+ gnupg.agent = {
+ enable = true;
+ };
+ };
+
+ fonts.packages = with pkgs; [
+ font-awesome
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ noto-fonts-extra
+ dejavu_fonts
+ powerline-fonts
+ source-code-pro
+ cantarell-fonts
+ ];
+
+ users = {
+ mutableUsers = false;
+
+ users = {
+ user = {
+ isNormalUser = true;
+ group = "user";
+ extraGroups = [
+ "wheel"
+ "video"
+ "audio"
+ "dialout"
+ "users"
+ "kvm"
+ "wireshark"
+ ];
+ password = "unimportant";
+ };
+ };
+
+ groups = {
+ user = { };
+ };
+ };
+
+ security = {
+ pam.loginLimits = [
+ {
+ domain = "@audio";
+ item = "memlock";
+ type = "-";
+ value = "unlimited";
+ }
+ {
+ domain = "@audio";
+ item = "rtprio";
+ type = "-";
+ value = "99";
+ }
+ {
+ domain = "@audio";
+ item = "nofile";
+ type = "soft";
+ value = "99999";
+ }
+ {
+ domain = "@audio";
+ item = "nofile";
+ type = "hard";
+ value = "99999";
+ }
+ ];
+
+ sudo.extraRules = [
+ {
+ users = [ "user" ];
+ commands = [
+ {
+ command = "${pkgs.linuxPackages.cpupower}/bin/cpupower";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ a2jmidid
+ age
+ ardour
+ bemenu
+ blender
+ breeze-icons
+ breeze-qt5
+ bubblewrap
+ calf
+ claws-mail
+ darktable
+ duperemove
+ emacs
+ feh
+ file
+ firefox
+ fluidsynth
+ gnome3.adwaita-icon-theme
+ gnuplot
+ graphviz
+ helm
+ i3status-rust
+ inkscape
+ jack2
+ jq
+ krita
+ ldns
+ libqalculate
+ libreoffice
+ man-pages
+ nheko
+ nix-diff
+ nix-index
+ nix-output-monitor
+ open-music-kontrollers.patchmatrix
+ pamixer
+ pavucontrol
+ pciutils
+ picom
+ pwgen
+ redshift
+ ripgrep
+ rlwrap
+ silver-searcher
+ soundfont-fluid
+ whois
+ wol
+ xclip
+ xdot
+ xdotool
+ xorg.xkbcomp
+ yt-dlp
+ zathura
+ borgbackup
+ linuxPackages.cpupower
+ mtr
+ kitty
+ xf86_input_wacom
+ ];
+
+ environment.pathsToLink = [ "/share/soundfonts" ];
+
+ systemd.user.services.run-python = {
+ after = [ "network-online.target" ];
+ script = ''
+ exec ${pkgs.python3}/bin/python
+ '';
+ serviceConfig = {
+ CapabilityBoundingSet = [ "" ];
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~ @resources @privileged"
+ ];
+ UMask = "077";
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
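Review bot: `password = "unimportant";` in the `users.users.user` block puts a clear-text password for a `wheel` member into the configuration itself, and an evaluated NixOS config lands in the world-readable Nix store (the option's own description warns against this); with `mutableUsers = false` it is also the only credential that account will ever have. If this `bench/` file is purely an evaluation fixture the exposure is nil, but it still models the wrong pattern — prefer `hashedPasswordFile = "/etc/secrets/user.hash";` (matching the `privateKeyFile` under `/etc/secrets` used for wg0) or at least a `hashedPassword = "…";` produced by `mkpasswd`. Separately, the WireGuard peer's `allowedIPs = [ "2001::db8:1::/64" ];` is not a valid IPv6 prefix (it contains `::` twice), so evaluation will succeed but wg-quick would reject it when the interface is brought up; given the interface address `2001:db8::1` it presumably should read `"2001:db8::/64"`. The all-`A` peer `publicKey` is fine for a fixture but deserves a one-line marker such as `# placeholder key, fixture only` so nobody copies it into a real host.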