nix-configurations/hosts/m3-nix/default.nix

{ config, pkgs, lib, ... }:
let
  nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
    #!/bin/bash
    export __NV_PRIME_RENDER_OFFLOAD=1
    export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
    export __GLX_VENDOR_LIBRARY_NAME=nvidia
    export __VK_LAYER_NV_optimus=NVIDIA_only
    exec "$@"
  '';

in {
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    <home-manager/nixos>
  ];

  specialisation = {
    external-display.configuration = {
      system.nixos.tags = [ "externer-Monitor" ];
      hardware.nvidia.prime.offload.enable = lib.mkForce false;
      hardware.nvidia.powerManagement.finegrained = lib.mkForce false;
    };
  };
  specialisation = {
    dual-display.configuration = {
      system.nixos.tags = [ "dual-monitor" ];
      hardware.nvidia.prime.offload.enable = lib.mkForce false;
      hardware.nvidia.prime.sync.enable = lib.mkForce true;
      hardware.nvidia.powerManagement.finegrained = lib.mkForce false;
    };
  };
  
  # Bootloader.
  # boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.loader.grub.enable = true;
  boot.loader.grub.efiSupport = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.useOSProber = true;

  hardware.tuxedo-keyboard.enable = true;
  boot.kernelParams = [
    "tuxedo_keyboard.mode=0" # https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam
    "tuxedo_keyboard.brightness=255"
    "tuxedo_keyboard.color_left=0xff0a0a"
  ];
  # Setup keyfile
  boot.initrd.secrets = { "/crypto_keyfile.bin" = null; };
  boot.extraModprobeConfig = ''
    options kvm_intel nested=1
    options kvm_intel emulate_invalid_guest_state=0
    options kvm ignore_msrs=1
  '';

  boot.initrd.luks.devices."luks-a7b1ba69-0951-4347-886e-4c0c24c2b871".keyFile =
    "/crypto_keyfile.bin";
  networking.hostName = "m3-nix"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.firewall.extraCommands =
    "iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.13.13.4/24" ];
      dns = [ "192.168.178.75" ];
      privateKeyFile = "/root/wg/peer_m3arch/privatekey-peer_m3arch";

      peers = [{
        publicKey = "zA3c0S33ZsX5oRMRCrNDYg6pCMLdRurLV+7cU2Chbwk=";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "45.132.245.244:51820";
        persistentKeepalive = 25;
      }];
    };
  };
  nix.extraOptions = ''
    experimental-features = nix-command
  '';
  nix.settings.experimental-features = "nix-command flakes";
  programs.wireshark.enable = true;
  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  # Select internationalisation properties.
  i18n.defaultLocale = "de_DE.utf8";
  services.auto-cpufreq.enable = true;
  services.tlp.enable = true;
  services.fstrim.enable = true;
  services.cron = {
    enable = true;
    systemCronJobs = [ "" ];
  };
  services.hardware.bolt.enable = true;
  services.gvfs = {
    enable = true;
    package = pkgs.gnome3.gvfs;
  };
  #services.xserver.videoDrivers = [ "intel" ];
  hardware.nvidia = {
    prime = {
      offload.enable = true;

      # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
      intelBusId = "PCI:0:2:0";

      # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
      nvidiaBusId = "PCI:1:0:0";
    };
    modesetting.enable = true;
    powerManagement.finegrained = true;
    powerManagement.enable = true;
  };
  services.xserver = {
    enable = true;
    exportConfiguration = true;
    videoDrivers = [ "nvidia" ];
    displayManager = {
      defaultSession = "xfce+i3";
      lightdm = { enable = true; };
    };
    desktopManager = {
      xterm.enable = false;
      xfce = {
        enable = true;
        noDesktop = true;
        enableXfwm = false;
        #thunarPlugins = [ pkgs.xfce.thunar-archive-plugin ];
      };
    };
    windowManager.i3.package = pkgs.i3-gaps;
    windowManager.i3.enable = true;
  };
  programs.thunar.plugins = [ pkgs.xfce.thunar-archive-plugin ];
  services.xserver.screenSection = ''
    Option         "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
    Option         "AllowIndirectGLXProtocol" "off"
    Option         "TripleBuffer" "on"
  '';
  hardware.opengl.enable = true;
  hardware.opengl.driSupport32Bit = true;

  # Enable the X11 windowing system.
  # services.xserver.enable = true;

  # Enable the XFCE Desktop Environment.
  # services.xserver.desktopManager.xfce.enable = true;

  services.kubo = { enable = true; };

  # Configure keymap in X11
  services.xserver = {
    layout = "de";
    xkbOptions = "ctrl:nocaps";
  };

  # Configure console keymap
  console.keyMap = "de";

  # Enable CUPS to print documents.
  services.printing.enable = true;
  # Enable sound with pipewire.
  sound.enable = true;
  sound.mediaKeys.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

  users.defaultUserShell = pkgs.fish;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.m3tam3re = {
    isNormalUser = true;
    description = "m3tam3re";
    extraGroups =
      [ "networkmanager" "wheel" "libvirtd" "flatpak" "docker" "wireshark" ];
  };

  #    home-manager.users.m3tam3re = { pkgs, ... }: {
  #    home.packages = [ pkgs.home-manager ];
  #    programs.bash.enable = true;
  #};
  programs.fish = {
    enable = true;
    useBabelfish = true;
    vendor.functions.enable = true;
    vendor.config.enable = true;
    vendor.completions.enable = true;
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  services.flatpak.enable = true;
  # xdg desktop intergration (required for flatpak)

  xdg.portal = {
    enable = true;
    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  };
  # Enable Virtualization
  virtualisation.libvirtd.enable = true;
  virtualisation.libvirtd.qemu.swtpm.enable = true;
  virtualisation.libvirtd.qemu.ovmf.enable = true;
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = [
    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    pkgs.alacritty
    pkgs.curl
    pkgs.docker
    pkgs.docker-compose
    pkgs.exa
    pkgs.firefox
    pkgs.killall
    pkgs.libpng
    pkgs.neovim
    pkgs.OVMFFull
    pkgs.pam_gnupg
    pkgs.ripgrep
    pkgs.swtpm
    pkgs.tmux
    pkgs.tree
    pkgs.wget
    nvidia-offload
  ];
  services.udev.extraRules = ''
      # Trezor
    SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
    KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
    # Trezor v2
    SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
    SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
    KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
    ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="intel_backlight", MODE="0666", GROUP="users", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/backlight/%k/brightness"
    ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"
  '';
  programs.steam = {
    enable = true;
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = true;
  };
  programs.gamemode.enable = true;
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  programs.ssh.askPassword = "";

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  nix.gc = {
    automatic = true;
    options = "--delete-older-than 30d";
  };
  nix.optimise.automatic = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev)
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?

}