aboutsummaryrefslogtreecommitdiff
path: root/config/nix.org
diff options
context:
space:
mode:
Diffstat (limited to 'config/nix.org')
-rw-r--r--config/nix.org2403
1 files changed, 2402 insertions, 1 deletions
diff --git a/config/nix.org b/config/nix.org
index 10e682e..aed87f6 100644
--- a/config/nix.org
+++ b/config/nix.org
@@ -4,4 +4,2405 @@
#+html_head: <link rel="stylesheet" type="text/css" href="../style.css" />
* Introduction
-This is my NixOS configuration.
+This is my NixOS configuration. It is a part of my monorepo, and this file automatically tangles
+to all the under the nix/ directory in my monorepo [[https://git.nullring.xyz/monorepo.git][git repository]]. My monorepo also stores my
+website, as my website stores my [[file:elfeed.org][elfeed]] and [[file:emacs.org][emacs]] configurations. Additionally, I want to track
+my emacs configuration with my Nix configuration. Having them in one repository means that my
+emacs configuration is pinned to my flake.
+
+Hence, my monorepo serves a dual purpose, as do many of the files within my monorepo. They are
+often data files used in my configuration (i.e. emacs, elfeed, org-roam, agenda, journal, etc...)
+and they are webpages as well. This page is one such example of this concept.
+* Flake.nix
+The flake is the entry point of the NixOS configuration. Here, I have a list of all the systems
+that I use with all the modules that they use. My NixOS configuration is heavily modularized,
+so that adding new configurations that add modifications is made simple.
+#+begin_src nix :tangle ../nix/flake.nix
+ {
+ description = "Emacs centric configurations for a complete networked system";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+ home-manager = {
+ url = "github:nix-community/home-manager/release-24.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.1";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nur.url = "github:nix-community/NUR";
+ sops-nix.url = "github:Mic92/sops-nix";
+ scripts.url = "github:ret2pop/scripts";
+ wallpapers.url = "github:ret2pop/wallpapers";
+ sounds.url = "github:ret2pop/sounds";
+ };
+
+ outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: {
+ nixosConfigurations = {
+ installer = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (
+ { pkgs, modulesPath, ... }:
+ {
+ imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ];
+ }
+ )
+ ./systems/installer/default.nix
+ ];
+ };
+
+ continuity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [
+ lanzaboote.nixosModules.lanzaboote
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
+ { nixpkgs.overlays = [ nur.overlays.default ]; }
+ { home-manager.extraSpecialArgs = attrs; }
+
+ ./modules/sda-simple.nix
+ ./systems/continuity/default.nix
+ ];
+ };
+
+ spontaneity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [];
+ };
+
+ affinity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [];
+ };
+ };
+ };
+ }
+#+end_src
+Listed here is my installer as well, which is used to install the systems in my configuration.
+* Sops Configuration
+In order to use the sops configuration, you must change the age public key to the one that
+you own:
+#+begin_src yaml :tangle ../nix/.sops.yaml
+keys:
+ - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
+#+end_src
+also note that you will have to write your own secrets.yaml file, with an entry called ~mail~,
+which is used for the imaps and smtps password.
+* Modules
+** Vars
+Variables used for regular configuration in your system ~defafult.nix~ file. The options are
+largely self-documenting.
+#+begin_src nix :tangle ../nix/modules/vars.nix
+ { lib, ... }:
+ {
+ options.monorepo.vars = {
+ hostName = lib.mkOption {
+ type = lib.types.str;
+ default = "continuity";
+ example = "hostname";
+ description = "system hostname";
+ };
+
+ userName = lib.mkOption {
+ type = lib.types.str;
+ default = "preston";
+ example = "myUser";
+ description = "system username";
+ };
+
+ fullName = lib.mkOption {
+ type = lib.types.str;
+ default = "Preston Pan";
+ example = "John Doe";
+ description = "Full Name";
+ };
+
+ gpgKey = lib.mkOption {
+ type = lib.types.str;
+ default = "AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1";
+ example = "1234567890ABCDEF...";
+ description = "GPG key fingerprint";
+ };
+
+ remoteHost = lib.mkOption {
+ type = lib.types.str;
+ default = "nullring.xyz";
+ example = "example.com";
+ description = "Address to push to and pull from for website and git repos";
+ };
+
+ timeZone = lib.mkOption {
+ type = lib.types.str;
+ default = "America/Vancouver";
+ example = "America/Chicago";
+ description = "Linux timezone";
+ };
+
+ monitors = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [
+ "HDMI-A-1"
+ "eDP-1"
+ "DP-2"
+ "DP-3"
+ "LVDS-1"
+ ];
+ example = [];
+ description = "Monitors that waybar will use";
+ };
+ };
+ }
+#+end_src
+** Default Profile
+Again, these are self documenting variables that you may see used below. These are to be used
+under ~default.nix~ in the ~systems~ folder.
+#+begin_src nix :tangle ../nix/modules/default.nix
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./home/home.nix
+ ./vars.nix
+ ];
+
+ options = {
+ monorepo = {
+ profiles = {
+ cuda.enable = lib.mkEnableOption "Enables CUDA support";
+ documentation.enable = lib.mkEnableOption "Enables documentation on system.";
+ secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl.";
+ pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup";
+ tor.enable = lib.mkEnableOption "Enables tor along with torsocks";
+ home.enable = lib.mkEnableOption "Enables home user";
+ };
+ };
+ };
+
+ config = {
+ home-manager.users."${config.monorepo.vars.userName}" = {
+ programs.home-manager.enable = config.monorepo.profiles.home.enable;
+ };
+
+ environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [
+ linux-manual
+ man-pages
+ man-pages-posix
+ ]);
+
+ monorepo = {
+ profiles = {
+ documentation.enable = lib.mkDefault true;
+ pipewire.enable = lib.mkDefault true;
+ tor.enable = lib.mkDefault true;
+ home.enable = lib.mkDefault true;
+ };
+ };
+ };
+}
+#+end_src
+** X11
+My Xorg configuration is used as a backup for when wayland applications don't work. Note that
+using this configuration is extremely inefficient and my i3 configuration is unoptimized.
+Still, it is suitable for using Krita.
+#+begin_src nix :tangle ../nix/modules/xserver.nix
+{ lib, pkgs, ... }:
+{
+ services.xserver = {
+ enable = lib.mkDefault true;
+ displayManager = {
+ startx.enable = true;
+ };
+
+ windowManager = {
+ i3 = {
+ enable = true;
+ package = pkgs.i3-gaps;
+ };
+ };
+
+ desktopManager = {
+ runXdgAutostartIfNone = true;
+ };
+
+ xkb = {
+ layout = "us";
+ variant = "";
+ options = "caps:escape";
+ };
+
+ videoDrivers = [];
+ };
+}
+#+end_src
+You should add your own video drivers in a custom machine configuration.
+** Pipewire
+My low latency pipewire configuration is used for music production, as well as for regular
+desktop usage. Pipewire is much better than pulseaudio because it supports jack with the same
+underlying interface and it breaks significantly less often.
+#+begin_src nix :tangle ../nix/modules/pipewire.nix
+{ lib, config, ... }:
+{
+ services.pipewire = {
+ enable = lib.mkDefault config.monorepo.profiles.pipewire.enable;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ jack.enable = true;
+ wireplumber.enable = true;
+ extraConfig.pipewire-pulse."92-low-latency" = {
+ "context.properties" = [
+ {
+ name = "libpipewire-module-protocol-pulse";
+ args = { };
+ }
+ ];
+ "pulse.properties" = {
+ "pulse.min.req" = "32/48000";
+ "pulse.default.req" = "32/48000";
+ "pulse.max.req" = "32/48000";
+ "pulse.min.quantum" = "32/48000";
+ "pulse.max.quantum" = "32/48000";
+ };
+ "stream.properties" = {
+ "node.latency" = "32/48000";
+ "resample.quality" = 1;
+ };
+ };
+ };
+}
+#+end_src
+** SSH
+My SSH daemon configuration.
+#+begin_src nix :tangle ../nix/modules/ssh.nix
+{ config, ... }:
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = true;
+ AllowUsers = [ config.monorepo.vars.userName ];
+ PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ };
+ };
+}
+#+end_src
+** Tor
+This is my tor configuration, used for my cryptocurrency wallets and whatever else I want
+it to do.
+#+begin_src nix :tangle ../nix/modules/tor.nix
+{ config, lib, ... }:
+{
+ services.tor = {
+ enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+ openFirewall = true;
+ client = {
+ enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+ socksListenAddress = {
+ IsolateDestAddr = true;
+ addr = "127.0.0.1";
+ port = 9050;
+ };
+ dns.enable = true;
+ };
+ torsocks = {
+ enable = lib.mkDefault config.monorepo.profiles.tor.enable;
+ server = "127.0.0.1:9050";
+ };
+ };
+}
+#+end_src
+** Kubo IPFS
+I use IPFS for my website and also for my ISOs for truly declarative and deterministic
+configuration. NixOS might be moving to IPFS for binary cache distribution and package
+distribution soon, and I'm waiting on that.
+#+begin_src nix :tangle ../nix/modules/kubo.nix
+{ config, pkgs, ... }:
+{
+ services.kubo = {
+ enable = true;
+ };
+}
+#+end_src
+** Main Configuration
+This is the backbone of the all the NixOS configurations, with all these options being shared
+because they enhance security.
+#+begin_src nix :tangle ../nix/modules/configuration.nix
+ { config, pkgs, lib, ... }:
+ {
+ imports = [
+ ./xserver.nix
+ ./ssh.nix
+ ./pipewire.nix
+ ./tor.nix
+ ./kubo.nix
+ ];
+
+ documentation = {
+ enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
+ man.enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
+ dev.enable = lib.mkDefault config.monorepo.profiles.documentation.enable;
+ };
+
+ environment = {
+ etc = {
+ securetty.text = ''
+ # /etc/securetty: list of terminals on which root is allowed to login.
+ # See securetty(5) and login(1).
+ '';
+ };
+ };
+
+ systemd = {
+ coredump.enable = false;
+ network.config.networkConfig.IPv6PrivacyExtensions = "kernel";
+ tmpfiles.settings = {
+ "restricthome"."/home/*".Z.mode = "~0700";
+
+ "restrictetcnixos"."/etc/nixos/*".Z = {
+ mode = "0000";
+ user = "root";
+ group = "root";
+ };
+ };
+ };
+
+
+ boot = {
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "nvme"
+ "sd_mod"
+ "ehci_pci"
+ "rtsx_pci_sdmmc"
+ "usbhid"
+ ];
+
+ kernelModules = [ ];
+ };
+
+ lanzaboote = {
+ enable = config.monorepo.profiles.secureBoot.enable;
+ pkiBundle = "/etc/secureboot";
+ };
+
+ loader = {
+ systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable);
+ efi.canTouchEfiVariables = true;
+ };
+
+ kernelModules = [
+ "snd-seq"
+ "snd-rawmidi"
+ "xhci_hcd"
+ "kvm_intel"
+ ];
+
+ kernelParams = [
+ "debugfs=off"
+ "page_alloc.shuffle=1"
+ "slab_nomerge"
+ "page_poison=1"
+
+ # madaidan
+ "pti=on"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
+ "module.sig_enforce=1"
+ "lockdown=confidentiality"
+
+ # cpu
+ "spectre_v2=on"
+ "spec_store_bypass_disable=on"
+ "tsx=off"
+ "tsx_async_abort=full,nosmt"
+ "mds=full,nosmt"
+ "l1tf=full,force"
+ "nosmt=force"
+ "kvm.nx_huge_pages=force"
+
+ # hardened
+ "extra_latent_entropy"
+
+ # mineral
+ "init_on_alloc=1"
+ "random.trust_cpu=off"
+ "random.trust_bootloader=off"
+ "intel_iommu=on"
+ "amd_iommu=force_isolation"
+ "iommu=force"
+ "iommu.strict=1"
+ "init_on_free=1"
+ "quiet"
+ "loglevel=0"
+ ];
+
+ blacklistedKernelModules = [
+ "netrom"
+ "rose"
+
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+
+ kernel.sysctl = {
+ "kernel.ftrace_enabled" = false;
+ "net.core.bpf_jit_enable" = false;
+ "kernel.kptr_restrict" = 2;
+
+ # madaidan
+ "vm.swappiness" = 1;
+ "vm.unprivileged_userfaultfd" = 0;
+ "dev.tty.ldisc_autoload" = 0;
+ "kernel.kexec_load_disabled" = 1;
+ "kernel.sysrq" = 4;
+ "kernel.perf_event_paranoid" = 3;
+
+ # net
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ "net.ipv4.conf.all.accept_redirects" = false;
+ "net.ipv4.conf.all.secure_redirects" = false;
+ "net.ipv4.conf.default.accept_redirects" = false;
+ "net.ipv4.conf.default.secure_redirects" = false;
+ "net.ipv6.conf.all.accept_redirects" = false;
+ "net.ipv6.conf.default.accept_redirects" = false;
+ };
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault true;
+ hostName = config.monorepo.vars.hostName;
+ networkmanager = {
+ enable = true;
+ # wifi.macAddress = "";
+ };
+ firewall = {
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ hardware = {
+ enableAllFirmware = true;
+ cpu.intel.updateMicrocode = true;
+ graphics.enable = true;
+ pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable;
+
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ };
+
+ services = {
+ chrony = {
+ enable = true;
+ enableNTS = true;
+ servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
+ };
+
+ jitterentropy-rngd.enable = true;
+ resolved.dnssec = true;
+ # usbguard.enable = true;
+ usbguard.enable = false;
+ dbus.apparmor = "enabled";
+
+ kanata.enable = true;
+
+ # Misc.
+ udev = {
+ extraRules = '''';
+ packages = with pkgs; [
+ platformio-core
+ platformio-core.udev
+ openocd
+ ];
+ };
+
+ printing.enable = true;
+ udisks2.enable = true;
+ };
+
+ programs = {
+ nix-ld.enable = true;
+ zsh.enable = true;
+ light.enable = true;
+ ssh.enableAskPassword = false;
+ };
+
+ nixpkgs = {
+ hostPlatform = lib.mkDefault "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable;
+ };
+ };
+
+ security = {
+ apparmor = {
+ enable = true;
+ killUnconfinedConfinables = true;
+ };
+
+ pam.loginLimits = [
+ { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
+ { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
+ ];
+ rtkit.enable = true;
+
+ lockKernelModules = true;
+ protectKernelImage = true;
+ allowSimultaneousMultithreading = false;
+ forcePageTableIsolation = true;
+
+ tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+
+ auditd.enable = true;
+ audit.enable = true;
+ chromiumSuidSandbox.enable = true;
+ sudo.enable = true;
+ };
+
+ xdg.portal = {
+ enable = true;
+ wlr.enable = true;
+ extraPortals = with pkgs; [
+ xdg-desktop-portal-gtk
+ xdg-desktop-portal
+ xdg-desktop-portal-hyprland
+ ];
+ config.common.default = "*";
+ };
+
+ environment.systemPackages = with pkgs; [
+ restic
+ sbctl
+ git
+ vim
+ curl
+ ];
+
+ users.users = {
+ root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch"
+ ];
+
+ "${config.monorepo.vars.userName}" = {
+ initialPassword = "${config.monorepo.vars.userName}";
+ isNormalUser = true;
+ description = config.monorepo.vars.fullName;
+ extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
+ shell = pkgs.zsh;
+ packages = [];
+ };
+ };
+
+ nix.settings.experimental-features = "nix-command flakes";
+ time.timeZone = config.monorepo.vars.timeZone;
+ i18n.defaultLocale = "en_CA.UTF-8";
+ system.stateVersion = "24.11";
+ }
+#+end_src
+** Disko
+This is the disko configuration for my continuity system. It features a boot and ext4 partition,
+on disk /dev/sda. All my SATA disks have this location by default, but if you want to use nvme,
+you will have to import that configuration in your ~systems/xxx/default.nix~.
+#+begin_src nix :tangle ../nix/modules/sda-simple.nix
+{
+ disko.devices = {
+ disk = {
+ my-disk = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ priority = 1;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ priority = 2;
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
+#+end_src
+** Home
+Time for my home user configuration, which is managed by home-manager. First we start off with
+this module to enter us into the home-manager namespace:
+#+begin_src nix :tangle ../nix/modules/home/home.nix
+{ config, sops-nix, ... }:
+{
+ home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users."${config.monorepo.vars.userName}" = import ./default.nix;
+ };
+}
+#+end_src
+as you can see, we import default.nix which puts us in the home-manager namespace. Everything
+in the top level from now on will implicitly be located at
+~users."${config.monorepo.vars.userName}".xxxxx~, and we will look at default.nix next.
+*** Default Home Profile
+As you can see, I have my installed home packages installed based on the profiles enabled. Also,
+I have many imports that we'll go through next.
+#+begin_src nix :tangle ../nix/modules/home/default.nix
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../vars.nix
+ ./fcitx.nix
+ ./secrets.nix
+ ./emacs.nix
+ ./firefox.nix
+ ./git.nix
+ ./hyprland.nix
+ ./mpv.nix
+ ./yt-dlp.nix
+ ./wofi.nix
+ ./kitty.nix
+ ./waybar.nix
+ ./zsh.nix
+ ./mbsync.nix
+ ./msmtp.nix
+ ./gammastep.nix
+ ./mpd.nix
+ ./mako.nix
+ ./user.nix
+ ];
+
+ options = {
+ monorepo.profiles = {
+ enable = lib.mkEnableOption "Enables home manager desktop configuration";
+ # Programs
+ lang-c.enable = lib.mkEnableOption "Enables C language support";
+ lang-sh.enable = lib.mkEnableOption "Enables sh language support";
+ lang-rust.enable = lib.mkEnableOption "Enables Rust language support";
+ lang-python.enable = lib.mkEnableOption "Enables python language support";
+ lang-sol.enable = lib.mkEnableOption "Enables solidity language support";
+ lang-openscad.enable = lib.mkEnableOption "Enables openscad language support";
+ lang-js.enable = lib.mkEnableOption "Enables javascript language support";
+ lang-nix.enable = lib.mkEnableOption "Enables nix language support";
+ lang-coq.enable = lib.mkEnableOption "Enables coq language support";
+
+ crypto.enable = lib.mkEnableOption "Enables various cryptocurrency wallets";
+ art.enable = lib.mkEnableOption "Enables various art programs";
+ music.enable = lib.mkEnableOption "Enables mpd";
+
+ hyprland = {
+ enable = lib.mkEnableOption "Enables hyprland";
+ monitors = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [
+ "HDMI-A-1"
+ "eDP-1"
+ "DP-2"
+ "DP-3"
+ "LVDS-1"
+ ];
+ example = [];
+ description = "Hyprland monitors";
+ };
+ };
+ email = {
+ email = lib.mkOption {
+ type = lib.types.str;
+ default = "ret2pop@gmail.com";
+ example = "john@example.com";
+ description = "Email address and imaps/smtps account";
+ };
+ imapsServer = lib.mkOption {
+ type = lib.types.str;
+ default = "imap.gmail.com";
+ example = "imap.example.com";
+ description = "imaps server address";
+ };
+ smtpsServer = lib.mkOption {
+ type = lib.types.str;
+ default = "smtp.gmail.com";
+ example = "smtp.example.com";
+ description = "smtp server address";
+ };
+ enable = lib.mkEnableOption "Enables email";
+ };
+ };
+ };
+
+ config = {
+ home.packages = (if config.monorepo.profiles.email.enable then [ pkgs.mu ] else [])
+ ++
+ (if config.monorepo.profiles.lang-c.enable then (with pkgs; [
+ autobuild
+ clang
+ gdb
+ gnumake
+ bear
+ clang-tools
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-js.enable then (with pkgs; [
+ nodejs
+ bun
+ yarn
+ typescript
+ vscode-langservers-extracted
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [
+ cargo
+ rust-analyzer
+ rustfmt
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-python.enable then (with pkgs; [
+ poetry
+ python3
+ python312Packages.jedi
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [
+ solc
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [
+ openscad
+ openscad-lsp
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [
+ bash-language-server
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [
+ coq
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [
+ nil
+ nixd
+ nixfmt-rfc-style
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.crypto.enable then (with pkgs; [
+ bitcoin
+ electrum
+ monero-cli
+ monero-gui
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.art.enable then (with pkgs; [
+ inkscape
+ krita
+ ]) else [])
+ ++
+ (if config.monorepo.profiles.music.enable then (with pkgs; [
+ mpc-cli
+ sox
+ ]) else []);
+
+ monorepo.profiles = {
+ enable = lib.mkDefault true;
+ music.enable = lib.mkDefault true;
+ hyprland.enable = lib.mkDefault true;
+ email.enable = lib.mkDefault true;
+
+ # Programming
+ lang-c.enable = lib.mkDefault true;
+ lang-rust.enable = lib.mkDefault true;
+ lang-python.enable = lib.mkDefault true;
+ lang-sol.enable = lib.mkDefault true;
+ lang-sh.enable = lib.mkDefault true;
+ lang-openscad.enable = lib.mkDefault true;
+ lang-js.enable = lib.mkDefault true;
+ lang-nix.enable = lib.mkDefault true;
+ lang-coq.enable = lib.mkDefault true;
+
+ crypto.enable = lib.mkDefault true;
+ art.enable = lib.mkDefault true;
+ };
+ };
+}
+#+end_src
+*** Firefox
+I conditionally enable metamask based on the cryptocurrency option. Everything else here should
+be straightforward.
+#+begin_src nix :tangle ../nix/modules/home/firefox.nix
+{ lib, config, pkgs, ... }:
+{
+ programs.firefox = {
+ enable = true;
+ policies = {
+ EnableTrackingProtection = true;
+ OfferToSaveLogins = false;
+ };
+ package = pkgs.firefox-wayland;
+ profiles = {
+ default = {
+ id = 0;
+ name = "default";
+ isDefault = true;
+
+ extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+ ublock-origin
+ tree-style-tab
+ firefox-color
+ vimium
+ ]
+ ++ (lib.optional
+ config.monorepo.profiles.crypto.enable pkgs.nur.repos.rycee.firefox-addons.metamask);
+
+ settings = {
+ media = {
+ memory_cache_max_size = 65536;
+ cache_readahead_limit = 7200;
+ cache_resume_threshold = 3600;
+ peerconnection.ice = {
+ proxy_only_if_behind_proxy = true;
+ default_address_only = true;
+ };
+ };
+
+ gfx = {
+ content.skia-font-cache-size = 20;
+ canvas.accelerated = {
+ cache-items = 4096;
+ cache-size = 512;
+ };
+ };
+
+ network = {
+ http = {
+ max-connections = 1800;
+ max-persistent-connections-per-server = 10;
+ max-urgent-start-excessive-connections-per-host = 5;
+ referer.XOriginTrimmingPolicy = 2;
+ };
+
+ buffer.cache = {
+ size = 262144;
+ count = 128;
+ };
+
+ dns = {
+ max_high_priority_threads = 8;
+ disablePrefetch = true;
+ };
+
+ pacing.requests.enabled = false;
+ dnsCacheExpiration = 3600;
+ ssl_tokens_cache_capacity = 10240;
+ prefetch-next = false;
+ predictor.enabled = false;
+ cookie.sameSite.noneRequiresSecure = true;
+ IDN_show_punycode = true;
+ auth.subresource-http-auth-allow = 1;
+ captive-portal-service.enabled = false;
+ connectivity-service.enabled = false;
+ };
+
+ browser = {
+ download = {
+ always_ask_before_handling_new_types = true;
+ manager.addToRecentDocs = false;
+ open_pdf_attachments_inline = true;
+ start_downloads_in_tmp_dir = true;
+ };
+
+ urlbar = {
+ suggest.quicksuggest.sponsored = false;
+ suggest.quicksuggest.nonsponsored = false;
+ suggest.calculator = true;
+ update2.engineAliasRefresh = true;
+ unitConversion.enabled = true;
+ trending.featureGate = false;
+ };
+
+ search = {
+ separatePrivateDefault.ui.enabled = true;
+ suggest.enabled = false;
+ };
+
+ newtabpage.activity-stream = {
+ feeds = {
+ topsites = false;
+ section.topstories = false;
+ telemetry = false;
+ };
+ asrouter.userprefs.cfr = {
+ addons = false;
+ features = false;
+ };
+ telemetry = false;
+ };
+
+ privatebrowsing = {
+ vpnpromourl = "";
+ forceMediaMemoryCache = true;
+ };
+
+ display = {
+ focus_ring_on_anything = true;
+ focus_ring_style = 0;
+ focus_ring_width = 0;
+ };
+
+ cache.jsbc_compression_level = 3;
+ helperApps.deleteTempFileOnExit = true;
+ uitour.enabled = false;
+ sessionstore.interval = 60000;
+ formfill.enable = false;
+ xul.error_pages.expert_bad_cert = true;
+ contentblocking.category = "strict";
+ ping-centre.telemetry = false;
+ discovery.enabled = false;
+ shell.checkDefaultBrowser = false;
+ preferences.moreFromMozilla = false;
+ tabs.tabmanager.enabled = false;
+ aboutConfig.showWarning = false;
+ aboutwelcome.enabled = false;
+ bookmarks.openInTabClosesMenu = false;
+ menu.showViewImageInfo = true;
+ compactmode.show = true;
+ safebrowsing.downloads.remote.enabled = false;
+ tabs.crashReporting.sendReport = false;
+ crashReports.unsubmittedCheck.autoSubmit2 = false;
+ privateWindowSeparation.enabled = false;
+ };
+
+ security = {
+ mixed_content = {
+ block_display_content = true;
+ upgrade_display_content = true;
+ };
+ insecure_connection_text = {
+ enabled = true;
+ pbmode.enabled = true;
+ };
+ OCSP.enabled = 0;
+ remote_settings.crlite_filters.enabled = true;
+ pki.crlite_mode = 2;
+ ssl.treat_unsafe_negotiation_as_broken = true;
+ tls.enable_0rtt_data = false;
+ };
+
+ toolkit = {
+ telemetry = {
+ unified = false;
+ enabled = false;
+ server = "data:,";
+ archive.enabled = false;
+ newProfilePing.enabled = false;
+ shutdownPingSender.enabled = false;
+ updatePing.enabled = false;
+ bhrPing.enabled = false;
+ firstShutdownPing.enabled = false;
+ coverage.opt-out = true;
+ };
+ coverage = {
+ opt-out = true;
+ endpoint.base = "";
+ };
+ legacyUserProfileCustomizations.stylesheets = true;
+ };
+
+ dom = {
+ security = {
+ https_first = true;
+ https_first_schemeless = true;
+ sanitizer.enabled = true;
+ };
+ enable_web_task_scheduling = true;
+ };
+
+ layout = {
+ css = {
+ grid-template-masonry-value.enabled = true;
+ has-selector.enabled = true;
+ prefers-color-scheme.content-override = 2;
+ };
+ word_select.eat_space_to_next_word = false;
+ };
+
+ urlclassifier = {
+ trackingSkipURLs = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com";
+ features.socialtracking.skipURLs = "*.instagram.com, *.twitter.com, *.twimg.com";
+ };
+
+ privacy = {
+ globalprivacycontrol.enabled = true;
+ history.custom = true;
+ userContext.ui.enabled = true;
+ };
+
+ full-screen-api = {
+ transition-duration = {
+ enter = "0 0";
+ leave = "0 0";
+ };
+ warning = {
+ delay = -1;
+ timeout = 0;
+ };
+ };
+
+ permissions.default = {
+ desktop-notification = 2;
+ geo = 2;
+ };
+
+ signon = {
+ formlessCapture.enabled = false;
+ privateBrowsingCapture.enabled = false;
+ };
+
+ datareporting = {
+ policy.dataSubmissionEnabled = false;
+ healthreport.uploadEnabled = false;
+ };
+
+ extensions = {
+ pocket.enabled = false;
+ getAddons.showPane = false;
+ htmlaboutaddons.recommendations.enabled = false;
+ postDownloadThirdPartyPrompt = false;
+ };
+
+ app = {
+ shield.optoutstudies.enabled = false;
+ normandy.enabled = false;
+ normandy.api_url = "";
+ };
+
+ image.mem.decode_bytes_at_a_time = 32768;
+ editor.truncate_user_pastes = false;
+ pdfjs.enableScripting = false;
+ geo.provider.network.url = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%";
+ permissions.manager.defaultsUrl = "";
+ webchannel.allowObject.urlWhitelist = "";
+ breakpad.reportURL = "