snix/ops/nixos/nugget/default.nix

# This file contains the configuration for my home desktop.

{ pkgs, ... }:

config: let
  inherit (pkgs) lib;

  nixpkgs = import pkgs.third_party.nixpkgsSrc {
    config.allowUnfree = true;
  };

  lieer = (pkgs.third_party.lieer {});
in pkgs.lib.fix(self: {
  hardware = {
    pulseaudio.enable = true;
    cpu.intel.updateMicrocode = true;
    u2f.enable = true;
  };

  boot = {
    cleanTmpDir = true;
    kernelModules = [ "kvm-intel" ];

    loader = {
      timeout = 3;
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = false;
    };

    initrd = {
      luks.devices.nugget-crypt.device = "/dev/disk/by-label/nugget-crypt";
      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
      kernelModules = [ "dm-snapshot" ];
    };
  };

  nix = {
    nixPath = [
      "depot=/home/tazjin/depot"
      "nixpkgs=${pkgs.third_party.nixpkgsSrc}"
    ];
  };

  nixpkgs.pkgs = nixpkgs;

  networking = {
    hostName = "nugget";
    useDHCP = false;
    interfaces.eno1.useDHCP = true;
    interfaces.wlp7s0.useDHCP = true;

    # Don't use ISP's DNS servers:
    nameservers = [
      "8.8.8.8"
      "8.8.4.4"
    ];

    # Open Chromecast-related ports & servedir
    firewall.enable = false;
    firewall.allowedTCPPorts = [ 4242 5556 5558 ];

    # Connect to the WiFi to let the Chromecast work.
    wireless.enable = true;
    wireless.networks = {
      "How do I computer?" = {
        psk = "washyourface";
      };
    };
  };

  # Generate an immutable /etc/resolv.conf from the nameserver settings
  # above (otherwise DHCP overwrites it):
  environment.etc."resolv.conf" = with lib; with pkgs; {
    source = writeText "resolv.conf" ''
      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
      options edns0
    '';
  };

  time.timeZone = "Europe/London";

  environment.systemPackages =
    # programs from the depot
    (with pkgs; [
      lieer
      ops.kontemplate
      third_party.git
      third_party.guile
      tools.emacs
    ]) ++

    # programs from nixpkgs
    (with nixpkgs; [
      age
      bat
      cachix
      chromium
      curl
      direnv
      dnsutils
      exa
      fd
      gnupg
      go
      google-chrome
      google-cloud-sdk
      htop
      i3lock
      imagemagick
      jq
      keybase-gui
      kubectl
      miller
      msmtp
      nix-prefetch-github
      notmuch
      openssh
      openssl
      pass
      pavucontrol
      pinentry
      pinentry-emacs
      pwgen
      ripgrep
      rustup
      sbcl
      scrot
      spotify
      tokei
      tree
      unzip
      vlc
      xclip
      yubico-piv-tool
      yubikey-personalization
    ]);

    fileSystems = {
      "/".device = "/dev/disk/by-label/nugget-root";
      "/boot".device = "/dev/disk/by-label/EFI";
      "/home".device = "/dev/disk/by-label/nugget-home";
    };

    # Configure user account
    users.extraUsers.tazjin = {
      extraGroups = [ "wheel" "audio" ];
      isNormalUser = true;
      uid = 1000;
      shell = nixpkgs.fish;
    };

    security.sudo = {
      enable = true;
      extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL";
    };

    fonts = {
      fonts = with nixpkgs; [
        corefonts
        dejavu_fonts
        input-fonts
        jetbrains-mono
        noto-fonts-cjk
        noto-fonts-emoji
      ];

      fontconfig = {
        hinting.enable = true;
        subpixel.lcdfilter = "light";

        defaultFonts = {
          monospace = [ "JetBrains Mono" ];
        };
      };
    };

    # Configure location (Vauxhall, London) for services that need it.
    location = {
      latitude = 51.4819109;
      longitude = -0.1252998;
    };

    programs.fish.enable = true;

    services.redshift.enable = true;
    services.openssh.enable = true;
    services.keybase.enable = true;

    # Required for Yubikey usage as smartcard
    services.pcscd.enable = true;
    services.udev.packages = [
      nixpkgs.yubikey-personalization
    ];

    services.xserver = {
      enable = true;
      layout = "us";
      xkbOptions = "caps:super";
      exportConfiguration = true;
      videoDrivers = [ "nvidia" ];

      displayManager = {
        # Give EXWM permission to control the session.
        sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";

        lightdm.enable = true;
        lightdm.greeters.gtk.clock-format = "%H·%M";
      };

      windowManager.session = pkgs.lib.singleton {
        name = "exwm";
        start = "${pkgs.tools.emacs}/bin/tazjins-emacs";
      };
    };

    # Do not restart the display manager automatically
    systemd.services.display-manager.restartIfChanged = lib.mkForce false;

    # Configure email setup
    systemd.user.services.lieer-tazjin = {
      description = "Synchronise mail@tazj.in via lieer";
      script = "${lieer}/bin/gmi sync";

      serviceConfig = {
        WorkingDirectory = "%h/mail/account.tazjin";
        Type = "oneshot";
      };
    };

    systemd.user.timers.lieer-tazjin = {
      wantedBy = [ "timers.target" ];

      timerConfig = {
        OnActiveSec = "1";
        OnUnitActiveSec = "180";
      };
    };

    # ... and other nonsense.
    system.stateVersion = "19.09";
})