{ inputs, lib, pkgs, config, ... }: { imports = [ inputs.hardware.nixosModules.common-cpu-amd inputs.hardware.nixosModules.common-gpu-amd ./disko.nix ./network.nix ./wireguard.nix ./nginx.nix ./jellyfin.nix ./transmission.nix ./mindustry.nix # ./home-assistant ./samba.nix # ./steam.nix # ./ollama.nix # ./sunshine.nix # ./photoprism.nix # ./immich.nix # ./nextcloud.nix ./paperless.nix ]; # services.kanidm = { }; age.rekey = { # TODO: store in `meta` hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB"; # masterIdentities = [ "${inputs.self}/secrets/privkey.age" ]; # storageMode = "local"; # localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}"; }; networking.hostName = "jeeves"; boot = { loader.systemd-boot.enable = true; kernelPackages = pkgs.linuxPackages_latest; binfmt.emulatedSystems = [ "aarch64-linux" ]; initrd = { availableKernelModules = [ "nvme" ]; # kernelModules = [ # "amdgpu" # ]; }; }; hardware.enableRedistributableFirmware = true; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; nix = let flakeInputs = lib.filterAttrs (lib.const (lib.isType "flake")) inputs; in { # This will add each flake input as a registry # To make nix3 commands consistent with your flake registry = lib.mapAttrs (_: value: { flake = value; }) flakeInputs; # This will additionally add your inputs to the system's legacy channels # Making legacy nix commands consistent as well, awesome! nixPath = lib.mapAttrsToList (key: value: "${key}=flake:${key}") flakeInputs; settings = { trusted-users = [ "root" "jeeves" ]; experimental-features = "nix-command flakes"; auto-optimise-store = true; }; }; programs.zsh.enable = true; environment.systemPackages = with pkgs; [ git # FIXME: cannot deploy neovim-nightly # V neovim source # > error: cannot add path '/nix/store/rhjznh5jdzdkzbnn0fhhvcf9rys0s59d-source' because it lacks a signature by a trusted key # neovim ]; # NOTE: made with `mkpasswd -m sha-512` age.secrets."jeeves.user.password" = { rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age"; generator = { script = { pkgs, ... }: '' ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 ''; }; }; users = { mutableUsers = true; users = { jeeves = { isNormalUser = true; shell = pkgs.zsh; hashedPasswordFile = config.age.secrets."jeeves.user.password".path; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)" ]; extraGroups = [ "wheel" "networkmanager" "audio" "docker" "transmission" "input" ]; }; }; }; # reo101.jellyfin = { # enable = true; # image = "docker.io/jellyfin/jellyfin:latest"; # volumes = [ # "/var/cache/jellyfin/config:/config" # "/var/cache/jellyfin/cache:/cache" # "/var/log/jellyfin:/log" # "/data/media/jellyfin:/media:ro" # ]; # ports = [ # "8096:8096" # ]; # }; # security.sudo-rs = { # enable = !config.security.sudo.enable; # inherit (config.security.sudo) extraRules; # }; security.sudo = { enable = true; extraRules = [ { users = [ "jeeves" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea } ]; } ]; }; services.openssh = { enable = true; settings = { PermitRootLogin = "no"; PasswordAuthentication = false; }; }; boot.plymouth = { enable = true; }; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "23.05"; }