f4fc2b5d10
These scripts were originally written by horrors, and have since been hacked up a lot by jade. We are putting them up as a CL since it is better to have checked in benchmarking scripts than to not have benchmarking scripts. cc: https://git.lix.systems/lix-project/lix/issues/23 Co-authored-by: eldritch horrors <pennae@lix.systems> Change-Id: I95c2f9d24753ac468944c5781deec9508fd5cb8c
325 lines
6 KiB
Nix
325 lines
6 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
{
|
|
boot = {
|
|
initrd = {
|
|
availableKernelModules = [
|
|
"xhci_pci"
|
|
"ahci"
|
|
];
|
|
kernelModules = [ "dm-snapshot" ];
|
|
luks.devices = {
|
|
croot = {
|
|
device = "/dev/sdb";
|
|
allowDiscards = true;
|
|
};
|
|
};
|
|
};
|
|
kernelModules = [ "kvm-intel" ];
|
|
kernelPackages = pkgs.linuxPackages_latest;
|
|
|
|
loader = {
|
|
systemd-boot.enable = true;
|
|
efi.canTouchEfiVariables = true;
|
|
};
|
|
};
|
|
|
|
hardware = {
|
|
enableRedistributableFirmware = true;
|
|
cpu.intel.updateMicrocode = true;
|
|
opengl.driSupport32Bit = true;
|
|
opengl.extraPackages = with pkgs; [
|
|
vaapiIntel
|
|
intel-media-driver
|
|
intel-compute-runtime
|
|
];
|
|
};
|
|
|
|
fileSystems = {
|
|
"/" = {
|
|
device = "/dev/sda2";
|
|
fsType = "xfs";
|
|
options = [ "noatime" ];
|
|
};
|
|
|
|
"/boot" = {
|
|
device = "/dev/sda1";
|
|
fsType = "vfat";
|
|
};
|
|
|
|
"/nas" = {
|
|
device = "nas:/";
|
|
fsType = "nfs4";
|
|
options = [
|
|
"ro"
|
|
"x-systemd.automount"
|
|
];
|
|
};
|
|
};
|
|
swapDevices = [ { device = "/dev/swap"; } ];
|
|
|
|
networking = {
|
|
useDHCP = false;
|
|
hostName = "host";
|
|
wireless = {
|
|
enable = true;
|
|
interfaces = [ "eth1" ];
|
|
};
|
|
interfaces = {
|
|
eth0.useDHCP = true;
|
|
eth1.useDHCP = true;
|
|
};
|
|
wg-quick.interfaces = {
|
|
wg0 = {
|
|
address = [ "2001:db8::1" ];
|
|
privateKeyFile = "/etc/secrets/wg0.key";
|
|
peers = [
|
|
{
|
|
publicKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
|
|
endpoint = "[2001:db8::2]:61021";
|
|
allowedIPs = [ "2001::db8:1::/64" ];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
firewall.allowedUDPPorts = [ 4567 ];
|
|
};
|
|
|
|
i18n = {
|
|
defaultLocale = "en_US.UTF-8";
|
|
inputMethod.enabled = "ibus";
|
|
};
|
|
|
|
services = {
|
|
xserver = {
|
|
enable = true;
|
|
layout = "us";
|
|
xkbVariant = "altgr-intl";
|
|
xkbOptions = "ctrl:nocaps";
|
|
libinput.enable = true;
|
|
wacom.enable = true;
|
|
videoDrivers = [ "modesetting" ];
|
|
modules = [ pkgs.xf86_input_wacom ];
|
|
|
|
displayManager.sx.enable = true;
|
|
windowManager.i3.enable = true;
|
|
};
|
|
|
|
udev.extraHwdb = ''
|
|
# not like this mattered at all
|
|
# we're not running udev from here
|
|
'';
|
|
|
|
udev.extraRules = ''
|
|
# ACTION=="add", SUBSYSTEM=="input", ...
|
|
'';
|
|
};
|
|
|
|
sound.enable = true;
|
|
hardware.pulseaudio = {
|
|
enable = true;
|
|
package = pkgs.pulseaudioFull;
|
|
daemon.config = {
|
|
lock-memory = "yes";
|
|
realtime-scheduling = "yes";
|
|
rlimit-rtprio = "-1";
|
|
};
|
|
};
|
|
|
|
programs = {
|
|
light.enable = true;
|
|
wireshark = {
|
|
enable = true;
|
|
package = pkgs.wireshark-qt;
|
|
};
|
|
gnupg.agent = {
|
|
enable = true;
|
|
};
|
|
};
|
|
|
|
fonts.packages = with pkgs; [
|
|
font-awesome
|
|
noto-fonts
|
|
noto-fonts-cjk
|
|
noto-fonts-emoji
|
|
noto-fonts-extra
|
|
dejavu_fonts
|
|
powerline-fonts
|
|
source-code-pro
|
|
cantarell-fonts
|
|
];
|
|
|
|
users = {
|
|
mutableUsers = false;
|
|
|
|
users = {
|
|
user = {
|
|
isNormalUser = true;
|
|
group = "user";
|
|
extraGroups = [
|
|
"wheel"
|
|
"video"
|
|
"audio"
|
|
"dialout"
|
|
"users"
|
|
"kvm"
|
|
"wireshark"
|
|
];
|
|
password = "unimportant";
|
|
};
|
|
};
|
|
|
|
groups = {
|
|
user = { };
|
|
};
|
|
};
|
|
|
|
security = {
|
|
pam.loginLimits = [
|
|
{
|
|
domain = "@audio";
|
|
item = "memlock";
|
|
type = "-";
|
|
value = "unlimited";
|
|
}
|
|
{
|
|
domain = "@audio";
|
|
item = "rtprio";
|
|
type = "-";
|
|
value = "99";
|
|
}
|
|
{
|
|
domain = "@audio";
|
|
item = "nofile";
|
|
type = "soft";
|
|
value = "99999";
|
|
}
|
|
{
|
|
domain = "@audio";
|
|
item = "nofile";
|
|
type = "hard";
|
|
value = "99999";
|
|
}
|
|
];
|
|
|
|
sudo.extraRules = [
|
|
{
|
|
users = [ "user" ];
|
|
commands = [
|
|
{
|
|
command = "${pkgs.linuxPackages.cpupower}/bin/cpupower";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
a2jmidid
|
|
age
|
|
ardour
|
|
bemenu
|
|
blender
|
|
breeze-icons
|
|
breeze-qt5
|
|
bubblewrap
|
|
calf
|
|
claws-mail
|
|
darktable
|
|
duperemove
|
|
emacs
|
|
feh
|
|
file
|
|
firefox
|
|
fluidsynth
|
|
gnome3.adwaita-icon-theme
|
|
gnuplot
|
|
graphviz
|
|
helm
|
|
i3status-rust
|
|
inkscape
|
|
jack2
|
|
jq
|
|
krita
|
|
ldns
|
|
libqalculate
|
|
libreoffice
|
|
man-pages
|
|
nheko
|
|
nix-diff
|
|
nix-index
|
|
nix-output-monitor
|
|
open-music-kontrollers.patchmatrix
|
|
pamixer
|
|
pavucontrol
|
|
pciutils
|
|
picom
|
|
pwgen
|
|
redshift
|
|
ripgrep
|
|
rlwrap
|
|
silver-searcher
|
|
soundfont-fluid
|
|
whois
|
|
wol
|
|
xclip
|
|
xdot
|
|
xdotool
|
|
xorg.xkbcomp
|
|
yt-dlp
|
|
zathura
|
|
borgbackup
|
|
linuxPackages.cpupower
|
|
mtr
|
|
kitty
|
|
xf86_input_wacom
|
|
];
|
|
|
|
environment.pathsToLink = [ "/share/soundfonts" ];
|
|
|
|
systemd.user.services.run-python = {
|
|
after = [ "network-online.target" ];
|
|
script = ''
|
|
exec ${pkgs.python3}/bin/python
|
|
'';
|
|
serviceConfig = {
|
|
CapabilityBoundingSet = [ "" ];
|
|
KeyringMode = "private";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
PrivateUsers = true;
|
|
ProcSubset = "pid";
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
ProtectSystem = "strict";
|
|
RestrictAddressFamilies = "AF_INET AF_INET6";
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~ @resources @privileged"
|
|
];
|
|
UMask = "077";
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "23.11";
|
|
}
|