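# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Layout of this file: boot/network/locale, desktop, remote access (xrdp,
# ssh), printing, sound, privilege escalation (doas), scheduled jobs,
# network shares, packages, virtualisation/containers, the "user" account,
# YubiKey/PAM, shell aliases, and finally the stateVersion pin.

{ config, lib, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    # ./onlyoffice.nix
  ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "ne001"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  #################################################################
  # For Intel graphics drivers.
  # The default and recommended driver for Intel Graphics in X.org is
  # modesetting (included in the xorg-server package itself).
  services.xserver.videoDrivers = [ "modesetting" ];

  # Enable the KDE Plasma Desktop Environment.
  services.displayManager.sddm.enable = true;
  services.desktopManager.plasma6.enable = true;

  # Configure keymap in X11
  services.xserver.enable = true;
  services.xserver.xkb.layout = "us,kr";
  services.xserver.xkb.variant = "";

  # Enable automatic login for the user.
  # Same option family as the sddm setting above (the older
  # services.xserver.displayManager.autoLogin path is an alias for it).
  # NOTE(review): auto-login means anyone at the console gets the "user"
  # session without a credential; fine for a single-user desk, not for a
  # machine that is also reachable over xrdp/ssh as configured below.
  services.displayManager.autoLogin.enable = true;
  services.displayManager.autoLogin.user = "user";

  # Enable xrdp services (RDP access to a Plasma X11 session).
  # NOTE(review): openFirewall exposes the RDP port (3389 by default) on
  # every interface; xrdp authenticates with the local account password, so
  # this is only as strong as the "user" password.
  services.xrdp.defaultWindowManager = "startplasma-x11";
  services.xrdp.enable = true;
  services.xrdp.openFirewall = true;

  # Configure ssh
  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      # NOTE(review): password logins are accepted for every local account
      # (AllowUsers = null). With FIDO2/YubiKey SSH keys set up further down,
      # consider PasswordAuthentication = false plus an explicit AllowUsers
      # list once key logins have been verified.
      PasswordAuthentication = true;
      AllowUsers = null; # Allows all users by default. Can be [ "user1" "user2" ]
      # UseDns makes sshd reverse-resolve every client; it slows logins and
      # only matters for hostname-based patterns in AllowUsers/from= entries.
      UseDns = true;
      X11Forwarding = false;
      PermitRootLogin = "prohibit-password"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
    };
  };

  ###########################################################################################
  # Enable CUPS to print documents.
  services.printing.enable = true;
  # mDNS (avahi) is configured once, in the network-shares block further
  # down; CUPS/printer discovery uses that same daemon. Defining
  # `services.avahi` a second time in this attribute set is rejected by the
  # Nix parser as a duplicate attribute.
  #
  # CUPS is weird (does not support UTF-8): set the root password from a
  # terminal with `doas passwd`, then open localhost:631/admin and log in as
  # "root" with that password.
  services.printing.drivers = [ pkgs.cups-dymo ];
  # users.users.user = {
  #   extraGroups = [ "lp" ];
  # };
  # The settings base is the CUPS daemon that needs to be running. This is how
  # the user sends commands to the printer it has access to. But enabling CUPS
  # is not enough, as it runs under its own user and for you to interact with
  # it you will need to be part of the CUPS group ("lp", added to the user
  # account below). Without this setting I was unable to send any command to
  # the printer (both of them). Also in case of a printer that does not use
  # IPP you will probably need to add a driver for the printer as I did for
  # the Dymo.

  # Enable sound with pipewire.
  # NOTE(review): recent NixOS releases renamed this option to
  # services.pulseaudio.enable; the old path is still accepted as an alias.
  # Confirm against the release in use if the build starts warning.
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # JACK support is enabled so JACK applications can run on top of pipewire.
    jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  ##############################################################################################
  # Enable Firmware Update
  services.fwupd.enable = true;

  ##############################################################################################
  # SECURITY : doas to replace sudo
  security.doas.enable = true;
  security.doas.extraRules = [{
    groups = [ "wheel" ];
    # persist: after one successful authentication doas does not ask again
    # for a while (like sudo's timestamp). keepEnv: the caller's environment,
    # PATH included, is passed through to the privileged command.
    persist = true;
    keepEnv = true;
  }];
  security.sudo.enable = false;
  # No effect while sudo is disabled; kept so the wheel-only restriction
  # applies if sudo is ever switched back on.
  security.sudo.execWheelOnly = true;

  ##############################################################################################
  ## NVIDIA : DRIVERS & SYSTEM
  # zramSwap.enable = false; # problematic
  # swapDevices = [{
  #   device = "/var/lib/swapfile";
  #   size = 24*1000;
  # }];

  # Enable OpenGL
  # hardware = {
  #   graphics = {
  #     enable = true;
  #   };
  #   enableAllFirmware = true;
  # };
  # boot.extraModprobeConfig = ''
  #   options snd-intel-dspcfg dsp_driver=1
  # '';

  # Load nvidia driver for Xorg and Wayland
  # services.xserver.videoDrivers = ["nvidia"];
  # hardware.nvidia = {
  #   # NVIDIA prime GPU selection
  #   prime = {
  #     offload = {
  #       enable = true;
  #       enableOffloadCmd = true;
  #     };
  #     intelBusId = "PCI:1:0:0";
  #     nvidiaBusId = "PCI:0:2:0";
  #   };
  #   modesetting.enable = true;
  #   powerManagement = {
  #     enable = true;
  #     finegrained = true;
  #   };
  #   open = false;
  #   nvidiaSettings = true;
  #   package = config.boot.kernelPackages.nvidiaPackages.stable;
  # };

  ##############################################################################################
  # Enable Ollama LLM manager
  services.ollama = {
    enable = true;
    # acceleration = "cuda";
  };

  ##############################################################################################
  services.cron = {
    enable = true;
    systemCronJobs = [
      # Minute Hour Day Month Weekday User Command
      # NOTE(review): this script runs as root every 5 minutes from
      # /mnt/mine/data, which is exported below as a writable Samba share.
      # Anyone who can write to the share can change what root executes.
      # Keep the script outside the share and, if it only pulls git repos,
      # run it as an unprivileged user instead of root.
      "*/5 * * * * root /mnt/mine/data/git/gitpulls.sh" #>> /tmp/cron.log"
      # The example above runs the command every 5 minutes as the root user.
    ];
  };

  ##############################################################################################
  services = {
    # Network shares
    samba = {
      package = pkgs.samba4Full;
      # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support (compared to the default package, `samba`)
      # Required for samba to register mDNS records for auto discovery
      # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
      enable = true;
      openFirewall = true;
      # NOTE(review): newer samba modules expose `services.samba.settings`;
      # confirm that `shares` and `extraConfig` still evaluate on this release.
      # Read-write export of the whole data tree; see the cron note above
      # about the root-run script that lives inside it.
      shares.testshare = {
        path = "/mnt/mine/data";
        writable = "true";
        comment = "Hello World!";
      };
      extraConfig = ''
        server smb encrypt = required
        # ^^ Note: Breaks `smbclient -L -U%` by default, might require the client to set `client min protocol`?
        server min protocol = SMB3_00
      '';
    };
    # Single avahi definition for the whole file: mDNS publishing for samba
    # and name resolution (nssmdns4) for printer/host discovery.
    avahi = {
      publish.enable = true;
      publish.userServices = true;
      # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`)
      nssmdns4 = true;
      enable = true;
      openFirewall = true;
    };
    samba-wsdd = {
      # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
      enable = true;
      openFirewall = true;
    };
  };

  ##############################################################################################
  # NIX PACKAGE : MANAGEMENT & APPLICATIONS
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # NOTES:
  # List packages installed in system profile. To search, run:
  # $ nix search wget

  # Install firefox.
  # programs.firefox = {
  #   enable = true;
  #   package = pkgs.librewolf;
  #   policies = {
  #     DisableTelemetry = true;
  #     DisableFirefoxStudies = true;
  #     Preferences = {
  #       "cookiebanners.service.mode.privateBrowsing" = 2; # Block cookie banners in private browsing
  #       "cookiebanners.service.mode" = 2; # Block cookie banners
  #       "privacy.donottrackheader.enabled" = true;
  #       "privacy.fingerprintingProtection" = true;
  #       "privacy.resistFingerprinting" = true;
  #       "privacy.trackingprotection.emailtracking.enabled" = true;
  #       "privacy.trackingprotection.enabled" = true;
  #       "privacy.trackingprotection.fingerprinting.enabled" = true;
  #       "privacy.trackingprotection.socialtracking.enabled" = true;
  #     };
  #     ExtensionSettings = {
  #       "jid1-ZAdIEUB7XOzOJw@jetpack" = {
  #         install_url = "https://addons.mozilla.org/firefox/downloads/latest/duckduckgo-for-firefox/latest.xpi";
  #         installation_mode = "force_installed";
  #       };
  #       "uBlock0@raymondhill.net" = {
  #         install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
  #         installation_mode = "force_installed";
  #       };
  #     };
  #   };
  # }; # falkon

  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    git
    pcsclite
    alpaca
    btop
    libfido2
    netbird-ui
    gnupg
    step-ca
    step-cli
    appimage-run
    sshuttle
    ghostscript
    opensc
    yubikey-manager
    # For L4-Sol Admin
    # appimage-run
    #rustdesk-flutter # Moved to Flatpak
    gparted
    # blender
    # kdenlive
    # vlc
    # librewolf
    # onlyoffice-desktopeditors
    # gimp-with-plugins
    # inkscape-with-extensions
    # zoom-us
    # gitui
    # vscode
    # nextcloud-client
    wireguard-tools
    imagemagick
    # For L5-Engineering/Developers [ NOTE: MUST BE USED WITH THE 'CONTAINERIZATION' SECTION!!! ]
    dive # look into docker image layers
    podman-tui # status of containers in the terminal
    docker-compose # start group of containers for dev
    #podman-compose # start group of containers for dev
    distrobox
    # KDE
    kdePackages.discover # Optional: Install if you use Flatpak or fwupd firmware update service
    kdePackages.kcalc # Calculator
    kdePackages.kcharselect # Tool to select and copy special characters from all installed fonts
    kdePackages.kcolorchooser # A small utility to select a color
    kdePackages.kolourpaint # Easy-to-use paint program
    kdePackages.ksystemlog # KDE SystemLog Application
    kdePackages.sddm-kcm # Configuration module for SDDM
    kdiff3 # Compares and merges 2 or 3 files or directories
    hardinfo2 # System information and benchmarks for Linux systems
    haruna # Open source video player built with Qt/QML and libmpv
    xclip # Tool to access the X clipboard from a console application
  ];

  ##############################################################################################
  # Enable Netbird
  services.netbird.enable = true; # for netbird service & CLI

  ##############################################################################################
  # Enable flatpak
  services.flatpak.enable = true;
  # must add to install_flatpaks.sh "https://github.com/nargacu83/nixos/blob/main/install-flatpaks.sh"
  # flatpak --user override --filesystem=$HOME/.local/share/fonts:ro;
  # flatpak --user override --filesystem=$HOME/.icons:ro;
  # flatpak --user override --filesystem=/nix/store:ro;

  ##############################################################################################
  # Install nerdfonts
  # NOTE(review): recent nixpkgs split this package into per-font
  # `nerd-fonts.<name>` attributes; confirm `nerdfonts` still evaluates on
  # the release in use.
  fonts.packages = with pkgs; [
    nerdfonts
    # corefonts
  ];

  ######################################################################################
  # To Enable Virtualization
  # Enable libvirtd for managing virtual machines
  virtualisation.libvirtd.enable = true;

  # Enable virt-manager, the graphical user interface
  programs.virt-manager.enable = true;

  # Add the current user to the libvirtd group for access
  # users.users.username.extraGroups = [ "libvirtd" ];
  users.groups.libvirtd.members = ["user"];

  # Configure QEMU (optional)
  virtualisation.libvirtd.qemu.vhostUserPackages = with pkgs; [ virtiofsd ];

  # Enable services for QEMU guests (optional)
  services.qemuGuest.enable = true;
  services.spice-vdagentd.enable = true; # Enable copy and paste
  virtualisation.spiceUSBRedirection.enable = true;

  ######################################################################################
  # To Enable Containerization
  # Enable common container config files in /etc/containers
  virtualisation.containers.enable = true;
  virtualisation = {
    podman = {
      enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  ##############################################################################################
  ## For "User" Customization/Tailoring
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.user = {
    isNormalUser = true;
    description = "user";
    # NOTE(review): "wheel" grants doas (persist + keepEnv above); "input"
    # typically grants read access to every input device, i.e. keystrokes of
    # all sessions. Drop groups that nothing on this machine needs.
    extraGroups = [ "networkmanager" "wheel" "audio" "sound" "video" "input" "tty" "lp" ];
    packages = with pkgs; [
      kdePackages.kate
      jq
      # com.warlordsoftwares.youtube-downloader-4ktube
      # thunderbird
    ];
    shell = "${pkgs.bashInteractive}${pkgs.bashInteractive.shellPath}";
    # openssh.authorizedKeys.keyFiles = [
    #   /etc/nixos/ssh/authorized_keys
    # ];
  };

  ######################################################################################
  # NOTE: MUST REGISTER YUBIKEY 5C FIRST ON THE COMPUTER SYSTEM
  # Create an authorization mapping file for your user. The authorization
  # mapping file is like ~/.ssh/known_hosts but for Yubikeys.
  # nix-shell -p pam_u2f
  # mkdir -p ~/.config/Yubico
  # pamu2fcfg > ~/.config/Yubico/u2f_keys
  # add another yubikey (optional): pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

  # Enable pam
  security.pam.u2f = {
    enable = true;
    settings = {
      interactive = true;
      cue = true;
    };
  };
  security.pam.services = {
    login.u2fAuth = false;
    # NOTE(review): sudo is disabled above in favour of doas, so this rule is
    # never consulted; the PAM service doas uses is named "doas"
    # (`doas.u2fAuth`). Only enable that once the u2f_keys mapping is
    # confirmed to work, or doas may start failing.
    sudo.u2fAuth = true;
  };
  security.pam.yubico = {
    enable = true;
    # Debug output lands in the auth log; turn off once enrolment works.
    debug = true;
    mode = "challenge-response";
    id = [ "33722643" ]; # Change for each yubikey, set for demo key
  };
  services.pcscd.enable = true;

  # Locking the screen when a Yubikey is unplugged
  # services.udev.extraRules = ''
  #   ACTION=="remove",\
  #   ENV{ID_BUS}=="usb",\
  #   ENV{ID_MODEL_ID}=="0407",\
  #   ENV{ID_VENDOR_ID}=="1050",\
  #   ENV{ID_VENDOR}=="Yubico",\
  #   RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
  # '';

  # nix-shell -p openssh
  # register key
  # ssh-keygen -t ed25519-sk -f ~/.ssh/id_xxxx_xxxx
  # ssh-copy-id -i ~/.ssh/id_xxxx_xxxx.pub YOUR_USER_NAME@IP_ADDRESS_OF_THE_SERVER
  # chown user:users id_xxxx_xxxx

  ######################################################################################
  # Configure alias
  # Applies to every interactive shell on the system, not only to "user".
  # Lines starting with # inside the string are shell comments.
  environment.interactiveShellInit = ''
    alias gs='git status'
    alias na='nix-shell -p'
    alias sh-a3='ssh -i ~/.ssh/id_red_rooster user@192.168.122.12'
    alias sh-d12='ssh -i ~/.ssh/id_red_rooster user@192.168.122.96'
    alias sh-n25='ssh -i /home/user/.ssh/id_red_penguin user@192.168.122.2'
    #alias sh-zap1='ssh -o "IdentitiesOnly=yes" -i /home/user/.ssh/id_red_penguin root@red-penguin-60185.zap.cloud' # goodg.org
    alias sh-zap1='ssh -i /home/user/.ssh/id_red_penguin root@red-penguin-60185.zap.cloud'
    alias sh-zap2='ssh -i ~/.ssh/id_red_penguin root@green-albatross-93202.zap.cloud' #tubano.io
    alias sh-z1='ssh -i ~/.ssh/id_red_penguin user@crimson-frog-83913.zap.cloud'
    alias sh-z2='ssh -i ~/.ssh/id_red_penguin root@black-gnu-54725.zap.cloud'
    alias sh-z7='ssh -i ~/.ssh/id_red_penguin root@indigo-butterfly-83565.zap.cloud'
  '';

  ######################################################################################
  # Enable pam for "user"
  #security.pam.u2f.settings = {
  #  origin = "pam://yubi";
  #  authfile = pkgs.writeText "u2f-mappings" (
  #    username:KOQnz9gjYOETURdkWlK08ZHWQC/nS1zpJ8Ue8NhAojq93u85VsdGlUwEHrbVC4UD72PkLxlxu8W/zvH+htbe5g==,+6sZEp6pJ2xvC5+Bf4vImf3AfanY04M3UJ6lIdkz6vv5YZWSCqbaNtmtYnLB/9sQX3CfgwPHUVnWOx8yoF8/og==,es256,+presence
  #    ":,,,"
  #  );
  #};
  # services = {
  #   pcscd.enable = true;
  #   udev.packages = [ pkgs.yubikey-personalization ];
  # };

  ######################################################################################
  # security.pam.u2f = {
  #   origin = "pam://nixos";
  #   authFile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
  #     user
  #     ":EX33RpQfJfL424vAnY5vBu4T1wZpHl9cg6UhIRIpmPGoGagAaVxWlVyIxiCGvQltJaVqvDvOmw7Oto19uYEE1QDGd4mwmUTYNljg58jVTbF6slBvwSWFXkolpi7Opshk,59PIz9PuXnrJT9/OGX0XPKmeEpkhyFlruiKGeCgYl4NEhCXrkPhaMQ6un87MKkFtM5V1Qu0eTme863zOg97NAQ==,es256,+presence"
  #     ":,,,"
  #   ]);
  # };
  # security.pam.services = {
  #   login.u2fAuth = true;
  #   sudo.u2fAuth = true;
  # };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.05"; # Did you read the comment?

}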