configuration.nix
{ config, pkgs, lib, inputs, self, ... }:
let secrets = import ./secrets.nix; in
{
imports = [ ./hardware-configuration.nix ];
microvm.vms.tron = {
flake = self;
updateFlake = "git+file:///etc/nixos";
};
nix = {
# package = pkgs.nixUnstable;
settings = {
trusted-users = [ "root" "user" ];
experimental-features = [ "nix-command" "flakes" "ca-derivations" ];
auto-optimise-store = true;
trusted-public-keys = [
#...
];
substituters = [
"https://cache.nixos.org"
"https://nixpkgs-wayland.cachix.org"
];
};
nixPath = [ "nixpkgs=${pkgs.path}" ];
registry =
let lock = (with builtins; fromJSON (readFile ./flake.lock)); in
{
nixpkgs = with lock.nodes.${lock.nodes.${lock.root}.inputs.nixpkgs}; {
from = { id = "nixpkgs"; type = "indirect"; };
to = locked;
};
};
};
nixpkgs.config.allowUnfree = true;
programs.nix-ld.enable = true;
boot.loader.timeout = 1;
boot.loader.systemd-boot = {
enable = true;
editor = false;
configurationLimit = 10;
};
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.initrd = {
luks.devices."root" = {
device = "/dev/disk/by-uuid/the-uuid";
preLVM = true;
# keyFile = "/keyfile0.bin";
fallbackToPassword = true;
allowDiscards = true;
};
secrets."keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
};
boot.plymouth = {
enable = true;
theme = "hexagon_dots_alt";
themePackages = [ pkgs.plymouth-hexagon ];
};
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 2;
boot.kernelModules = [ "v4l2loopback" ];
boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
services.greetd = {
enable = true;
settings.default_session.command = "''${pkgs.greetd.greetd}/bin/agreety --cmd zsh";
restart = true;
};
# For microvm
# networking.nat = {
# enable = true;
# enableIPv6 = true;
# externalInterface = "eth0";
# internalInterfaces = [ "microvm" ];
# };
networking.firewall.enable = true;
networking.useDHCP = false;
# networking.useNetworkd = true;
networking.interfaces.wlan0 = {
useDHCP = true;
mtu = 9000;
};
networking.wireless.iwd.settings = {
General.AddressRandomization = "network";
Settings.AlwaysRandomizeAddress = true;
Network = {
EnableIPv6 = true;
NameResolvingService = "resolvconf";
};
};
networking.networkmanager = {
enable = true;
wifi = {
macAddress = "random";
backend = "iwd";
powersave = true;
scanRandMacAddress = true;
};
};
services.unbound = {
enable = true;
resolveLocalQueries = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
domain-insecure = [ "ygg." "licdn.com." ];
server = {
interface = [ "127.0.0.1" "::1" ];
hide-identity = "yes";
hide-version = "yes";
hide-trustanchor = "yes";
};
remote-control.control-enable = true;
forward-zone = [
{ name = "\"ano,\""; forward-addr = "21.3.3.64"; }
{ name = "\"licdn.com.\""; forward-addr = "1.1.1.1"; }
{
name = "\"ygg.\"";
forward-addr = [
#...
];
}
{
name = ".";
forward-addr = [
#...
];
forward-tls-upstream = true;
}
];
};
};
services.yggdrasil = {
enable = true;
persistentKeys = false;
settings.Peers = [
#...
];
};
services.kubo = {
enable = true;
autoMount = true;
enableGC = true;
extraConfig = {
Discovery.MDNS.Enabled = false;
Datastore.StorageMax = "20GB";
};
startWhenNeeded = true;
# defaultMode = "norouting";
# swarmAddress = [];
# gatewayAddress = "";
# apiAddress = "";
};
services.i2pd.enable = true;
services.tor = {
enable = true;
client.enable = true;
settings = {
UseBridges = 1;
ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/obfs4proxy";
Bridge = secrets.torBridges;
};
};
# services.tetrd.enable = true; # Required google services
virtualisation = {
docker.enable = true;
docker.rootless = {
enable = true;
setSocketVariable = true;
};
podman.enable = true;
waydroid.enable = true;
};
programs.adb.enable = true;
programs.droidcam.enable = true;
services.syncthing = {
enable = true;
devices.xperia.id = secrets.xperiaSyncthingId;
user = "user";
configDir = "/home/user/.config/syncthing";
overrideDevices = false;
overrideFolders = false;
};
programs.kdeconnect.enable = true;
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
HandlePowerKey=ignore
'';
};
systemd.sleep.extraConfig = "HibernateDelaySec=30m";
services.upower.enable = true;
services.tlp = {
enable = true;
settings.CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
};
networking.hostName = "hostname";
time.timeZone = "Europe/Moscow";
i18n.defaultLocale = "en_US.UTF-8";
services.gpm.enable = true;
console = {
font = "Lat2-Terminus16";
keyMap = "us";
earlySetup = true;
colors = [
#...
];
};
sound.enable = true;
hardware.pulseaudio.enable = lib.mkForce false;
hardware.bluetooth.enable = true;
services.blueman.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
services.pipewire.media-session.config.bluez-monitor.rules = [
{
matches = [{ "device.name" = "~bluez_card.*"; }]; # Matches all cards
actions."update-props" = {
"bluez5.reconnect-profiles" = [ "hfp_hf" "hsp_hs" "a2dp_sink" ];
"bluez5.msbc-support" = true; # mSBC is not expected to work on all headset + adapter
"bluez5.sbc-xq-support" = true; # SBC-XQ is not expected to work on all headset + adapter
};
}
{
matches = [
{ "node.name" = "~bluez_input.*"; } # Matches all sources
{ "node.name" = "~bluez_output.*"; } # Matches all outputs
];
actions."node.pause-on-idle" = false;
}
];
users.users.user = {
isNormalUser = true;
extraGroups = [ "wheel" "video" "rtkit" "realtime" "audio" ];
shell = pkgs.zsh;
initialHashedPassword = secrets.userPassword;
openssh.authorizedKeys.keys = [ secrets.xperiaPublicKey ];
};
environment.pathsToLink = [ "/share/zsh" ];
environment.systemPackages = with pkgs; [
# Just in case
git
hub
gcc
parted
# Utils
iw
inetutils
dnsutils
iputils
usbutils
binutils
patchutils
diffutils
findutils
# Editor
kakoune
# Hardware stuff
brightnessctl
libsmbios
v4l-utils
# Alien
nix-alien #.packages."x86_64-linux".default
nix-index
nix-index-update
];
programs.iftop.enable = true;
programs.iotop.enable = true;
environment.variables = {
EDITOR = "kak";
VISUAL = "kak";
};
fonts = {
fonts = with pkgs; [ liberation_ttf liberastika ibm-plex miscfont ];
fontconfig = {
enable = true;
antialias = true;
defaultFonts = {
monospace = [ "Liberation Mono" ];
sansSerif = [ "Liberation Sans" ];
serif = [ "IBM Plex Serif" ];
};
};
enableDefaultFonts = true;
fontDir.enable = true;
};
# Security
services.clamav.updater.enable = true;
services.clamav.daemon.enable = true;
services.opensnitcher = {
enable = true;
settings = {
Server.Address = "unix:///tmp/osui.sock";
DefaultAction = "allow";
DefaultDuration = "5m";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
Stats.MaxEvents = 10000;
Stats.MaxStats = 100;
};
whitelistHosts = [ { ip = "127.0.0.1"; } ];
whitelistPackages = with pkgs; [
nix
clamav
yggdrasil
tor
i2pd
syncthing
glibc # nscd
];
};
programs.browserpass.enable = true;
security.chromiumSuidSandbox.enable = true;
security.rtkit.enable = true;
programs.firejail = {
enable = true;
wrappedBinaries = {
zathura = {
executable = "${lib.getBin pkgs.zathura}/bin/zathura";
profile = "${pkgs.firejail}/etc/firejail/zathura.profile";
};
unzip = {
executable = "${lib.getBin pkgs.unzip}/bin/unzip";
profile = "${pkgs.firejail}/etc/firejail/unzip.profile";
};
};
};
services.earlyoom = {
enable = true;
enableNotifications = true;
};
# Desktop
hardware.opengl = {
enable = true;
driSupport32Bit = true;
extraPackages32 = with pkgs.pkgsi686Linux; [
vaapiIntel
libvdpau-va-gl
vaapiVdpau
];
extraPackages = with pkgs; [
vaapiIntel
libvdpau-va-gl
intel-media-driver
mesa.drivers
];
};
# programs.qt5ct.enable = true;
qt5.platformTheme = "qt5ct";
programs.waybar.enable = true;
programs.wshowkeys.enable = true;
programs.sway.enable = true;
programs.sway.wrapperFeatures.gtk = true;
services.flatpak.enable = true;
xdg.portal = {
enable = true;
# gtkUsePortal = true;
wlr = {
enable = true;
settings.screencast = {
max_fps = 30;
exec_before = "notify-send recording";
exec_after = "notify-send finished";
chooser_type = "simple";
chooser_cmd = "''${pkgs.slurp}/bin/slurp -f %o -or";
};
};
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
};
services.openssh = {
enable = true;
startWhenNeeded = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# Home manager
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.user = import ./home.nix;
};
nixpkgs.overlays = [
# NUR packages
inputs.nur.overlay
# Nixpkgs-wayland
inputs.nixpkgs-wayland.overlay
# Nix alien
inputs.nix-alien.overlay
# Colorscheme
(self: super: {
generated-gtk-theme =
self.callPackage "${inputs.rycee}/pkgs/materia-theme" {
configBase16 = {
name = "Generated";
kind = "dark";
colors = {
base00.hex.rgb = "1a1a21";
base01.hex.rgb = "151521";
base02.hex.rgb = "1a1a21";
base03.hex.rgb = "f8f8ff";
base04.hex.rgb = "bfdaff";
base05.hex.rgb = "b4b4b9";
base06.hex.rgb = "ff5fff";
base07.hex.rgb = "f8f8ff";
base08.hex.rgb = "151521";
base09.hex.rgb = "1a1a21";
base0A.hex.rgb = "babf75";
base0B.hex.rgb = "ffc552";
base0C.hex.rgb = "635196";
base0D.hex.rgb = "99a4bc";
base0E.hex.rgb = "99a4bc";
base0F.hex.rgb = "b4b4b9";
};
};
};
})
];
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
And the error is
$ sudo nixos-rebuild build-vm-with-bootloader
[sudo] password for flynn:
building the system configuration...
error: builder for '/nix/store/jpbidg4qpnirhiqkfx1j6z098w16g39z-nixos-boot-disk.drv' failed with exit code 1;
last 10 log lines:
> Failed to check file system type of "/boot/efi": No such file or directory
> Traceback (most recent call last):
> File "/nix/store/cww0q5bk9drbi565j4szl6xjnbadxqi8-systemd-boot", line 315, in <module>
> main()
> File "/nix/store/cww0q5bk9drbi565j4szl6xjnbadxqi8-systemd-boot", line 243, in main
> subprocess.check_call(["/nix/store/wv5321690mvbf1da065dg53h7drcdl9z-systemd-251.4/bin/bootctl", "--esp-path=/boot/efi"] + flags + ["install"])
> File "/nix/store/wyhbl43ycqn43d08v5fqj1j6ynf7nz73-python3-3.10.7/lib/python3.10/subprocess.py", line 369, in check_call
> raise CalledProcessError(retcode, cmd)
> subprocess.CalledProcessError: Command '['/nix/store/wv5321690mvbf1da065dg53h7drcdl9z-systemd-251.4/bin/bootctl', '--esp-path=/boot/efi', 'install']' returned non-zero exit status 1.
> [ 3.420373] reboot: Power down
For full logs, run 'nix log /nix/store/jpbidg4qpnirhiqkfx1j6z098w16g39z-nixos-boot-disk.drv'.
error: 1 dependencies of derivation '/nix/store/s0bx8kcvh8hdkkcqbay2zg8042nx1j0w-run-nixos-vm.drv' failed to build
error: 1 dependencies of derivation '/nix/store/xs527zx175rcb0kswayxh8p39q2r3cyq-nixos-vm.drv' failed to build