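# This is where extra desktop goodies can be found.
# As a note, this is not where you set the aesthetics of your graphical sessions.
# That can be found in the `themes` module.
#
# Layout of this module:
#   * `options.profiles.system.*` declares one enable toggle per feature group
#     (audio, fonts, hardware, cleanup, autoUpgrade, wine, hardened-config).
#   * `config` is only applied when `profiles.system.enable` is set and is a
#     `mkMerge` of one conditional block per toggle, so each block below can be
#     read (and disabled) on its own.
{ config, options, lib, pkgs, ... }:

let
  cfg = config.profiles.system;
in
{
  options.profiles.system = {
    enable =
      lib.mkEnableOption "all desktop-related services and default programs";
    audio.enable =
      lib.mkEnableOption "all desktop audio-related services such as Pipewire";
    fonts.enable = lib.mkEnableOption "font-related configuration";
    hardware.enable =
      lib.mkEnableOption "the common hardware-related configuration";
    cleanup.enable = lib.mkEnableOption "activation of cleanup services";
    autoUpgrade.enable = lib.mkEnableOption "auto-upgrade service with this system";
    wine = {
      enable = lib.mkEnableOption "Wine and Wine-related tools";
      package = lib.mkOption {
        type = lib.types.package;
        description = "The Wine package to be used for related tools.";
        default = pkgs.wineWowPackages.stable;
      };
    };
    hardened-config.enable = lib.mkEnableOption "hardened configuration primarily intended for servers";
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    # Base block: always on once `profiles.system.enable` is set.
    ({
      # Enable Flatpak for additional options for installing desktop applications.
      services.flatpak.enable = true;
      xdg.portal.enable = true;

      # Pre-seed the system-wide Flatpak remotes. Each `.flatpakrepo` file is
      # fetched at build time through `pkgs.fetchurl`, so the `sha256` below
      # pins the exact remote definition that lands in /etc: if upstream
      # changes the file, the build fails instead of silently picking up the
      # new contents. Bump the hash deliberately when a remote is updated.
      environment.etc =
        let
          urls = {
            "flathub" = {
              url = "https://flathub.org/repo/flathub.flatpakrepo";
              sha256 = "sha256-M3HdJQ5h2eFjNjAHP+/aFTzUQm9y9K+gwzc64uj+oDo=";
            };
            "flathub-beta" = {
              url = "https://flathub.org/beta-repo/flathub-beta.flatpakrepo";
              sha256 = "sha256-WCyuPJ+dRjnwJ976/m+jO9oKOk1EEpDZJq2For4PcgY=";
            };
            "gnome-nightly" = {
              url = "https://nightly.gnome.org/gnome-nightly.flatpakrepo";
              sha256 = "sha256-rFluVpCvgs1iy7YKVnkPh3p6YuF4orbVuOhLUUFRyYM=";
            };
            "kdeapps" = {
              url = "https://distribute.kde.org/kdeapps.flatpakrepo";
              sha256 = "sha256-dCF9QQYMmqMuzwAS+HYoPAAtwfzO7aVCl8s4RwhneqI=";
            };
          };
        in
        # One `/etc/flatpak/remotes.d/<name>.flatpakrepo` entry per remote.
        lib.mapAttrs'
          (name: remote: lib.nameValuePair "flatpak/remotes.d/${name}.flatpakrepo" {
            source = pkgs.fetchurl remote;
          })
          urls;

      programs.extra-container.enable = true;

      # Enable font-related options for a smoother and more consistent experience.
      fonts.fontconfig.enable = true;

      # Run unpatched binaries with these!
      # NOTE(review): nix-ld provides a loader for arbitrary pre-built
      # binaries; anything run through it is outside the store's
      # reproducibility and review, so treat such binaries like any other
      # downloaded executable.
      programs.nix-ld.enable = true;
      environment.systemPackages = with pkgs; [
        nix-alien # Ambassador for the pre-compiled binaries.
        nix-index # locate but for the entire store directory.
        nix-index-update # If you don't want to rebuild the entire thing and have the chance for the operation to slow down to the point of freezing then here's your chance.
      ];

      # command-not-found except better integrated since we're already using
      # nix-index.
      environment.interactiveShellInit = ''
        . ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
      '';

      # Enable running GNOME apps outside GNOME.
      programs.dconf.enable = true;
    })

    # Audio: PipeWire only, with the ALSA-only sound stack and PulseAudio
    # turned off so they do not compete for the devices.
    (lib.mkIf cfg.audio.enable {
      # Enable the preferred audio workflow.
      sound.enable = false;
      hardware.pulseaudio.enable = false;
      # rtkit hands out realtime scheduling to the audio daemon on request.
      security.rtkit.enable = true;
      services.pipewire = {
        enable = true;
        # This is enabled by default but I want to be explicit since
        # this is my preferred way of managing anyways.
        wireplumber.enable = true;
        # Enable all the bi-...bridges.
        alsa.enable = true;
        alsa.support32Bit = true;
        pulse.enable = true;
        jack.enable = true;
      };

      # This is based from https://jackaudio.org/faq/linux_rt_config.html.
      # NOTE(review): these limits apply to every member of the `audio`
      # group. `memlock unlimited` lets such a user pin arbitrary amounts
      # of memory and `rtprio 95` lets it starve lower-priority tasks;
      # that is the usual trade-off for low-latency audio, so keep the
      # group membership to the interactive desktop users only.
      security.pam.loginLimits = [
        {
          domain = "@audio";
          type = "-";
          item = "rtprio";
          value = "95";
        }
        {
          domain = "@audio";
          type = "-";
          item = "memlock";
          value = "unlimited";
        }
      ];
    })

    # Fonts: default families plus the packages that provide them. The
    # `defaultFonts` lists are ordered by preference; fontconfig falls through
    # to the next entry when a family is missing.
    (lib.mkIf cfg.fonts.enable {
      fonts = {
        enableDefaultFonts = true;
        fontDir.enable = true;
        fontconfig = {
          enable = true;
          includeUserConf = true;
          defaultFonts = {
            monospace = [ "Iosevka" "Jetbrains Mono" "Source Code Pro" ];
            sansSerif = [ "Source Sans Pro" "Noto Sans" ];
            serif = [ "Source Serif Pro" "Noto Serif" ];
            emoji = [ "Noto Color Emoji" ];
          };
        };

        fonts = with pkgs; [
          # Some monospace fonts.
          iosevka
          jetbrains-mono

          # Noto font family
          noto-fonts
          noto-fonts-cjk
          noto-fonts-cjk-sans
          noto-fonts-cjk-serif
          noto-fonts-extra
          noto-fonts-emoji
          noto-fonts-emoji-blob-bin

          # Adobe Source font family
          source-code-pro
          source-sans-pro
          source-han-sans
          source-serif-pro
          source-han-serif
          source-han-mono

          # Math fonts
          stix-two # Didn't know rivers can have sequels.
          xits-math # NOTE TO SELF: I wouldn't consider to name the fork with its original project's name backwards.
        ];
      };
    })

    # Hardware: peripherals that need a kernel driver or a daemon.
    (lib.mkIf cfg.hardware.enable {
      # Enable tablet support with OpenTabletDriver.
      hardware.opentabletdriver.enable = true;

      # Enable support for Bluetooth.
      hardware.bluetooth.enable = true;
    })

    # Cleanup: periodic store garbage collection, store optimisation and
    # journal vacuuming. All three are `persistent`/`Persistent` so a missed
    # run (machine off) is caught up on next boot.
    (lib.mkIf cfg.cleanup.enable {
      # Weekly garbage collection of Nix store.
      nix.gc = {
        automatic = true;
        persistent = true;
        dates = "weekly";
        # Keep a week of generations to roll back to.
        options = "--delete-older-than 7d";
      };

      # Run the optimizer.
      nix.optimise = {
        automatic = true;
        dates = [ "weekly" ];
      };

      # Clear logs that are more than a month old weekly.
      systemd = {
        services.clean-log = {
          description = "Weekly log cleanup";
          documentation = [ "man:journalctl(1)" ];
          # Absolute store path so the unit does not depend on $PATH.
          script = "${pkgs.systemd}/bin/journalctl --vacuum-time=30d";
        };
        timers.clean-log = {
          description = "Weekly log cleanup";
          documentation = [ "man:journalctl(1)" ];
          wantedBy = [ "multi-user.target" ];
          timerConfig = {
            OnCalendar = "weekly";
            Persistent = true;
          };
        };
      };
    })

    # Auto-upgrade: rebuild from the remote flake weekly.
    # NOTE(review): the flake ref below names a branch, not a revision, and
    # `allowReboot = true` lets the timer reboot the host. That makes whoever
    # can push to that repository able to change (and reboot) this machine
    # unattended; keep that in mind for the repository's access controls.
    (lib.mkIf cfg.autoUpgrade.enable {
      system.autoUpgrade = {
        enable = true;
        flake = "github:foo-dogsquared/nixos-config";
        allowReboot = true;
        persistent = true;
        # Reboots, when needed, only happen inside this window.
        rebootWindow = {
          lower = "22:00";
          upper = "00:00";
        };
        dates = "weekly";
        flags = [
          "--update-input"
          "nixpkgs"
          "--commit-lock-file"
          "--no-write-lock-file"
        ];
        randomizedDelaySec = "1min";
      };
    })

    # I try to avoid using Wine on NixOS because most of them uses FHS or
    # something and I just want it to work but here goes.
    (lib.mkIf cfg.wine.enable {
      environment.systemPackages = with pkgs; [
        cfg.wine.package # The star of the show.
        winetricks # We do a little trickery with missing Windows runtimes.
        bottles # PlayOnLinux but better. :>
      ];
    })

    # The profile intended to be used for servers. Most of the things here are
    # based from the Securing Debian document.
    (lib.mkIf cfg.hardened-config.enable {
      # Don't replace it mid-way! DON'T TURN LEFT!!!!
      security.protectKernelImage = true;

      # Hardened config equals hardened kernel.
      # NOTE(review): this pins one hardened kernel series; it only keeps
      # receiving fixes for as long as nixpkgs ships that series, so the pin
      # needs bumping over time (`pkgs.linuxPackages_hardened` tracks the
      # current hardened default instead).
      boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_0_hardened;

      # Be STRICT! MUAHAHAHAHA!!!!
      # Repeat offenders get banned for 4x longer each time, capped at a day.
      services.fail2ban = {
        enable = true;
        bantime-increment = {
          enable = true;
          factor = "4";
          maxtime = "24h";
        };
      };

      boot.kernel.sysctl = {
        # Disable the magic SysRq key entirely: `kernel.sysrq = 0` turns off
        # the keyboard/`/proc/sysrq-trigger` debugging functions (sync,
        # reboot, process kill, ...), it does not affect the system console.
        "kernel.sysrq" = 0;
      };
    })
  ]);
}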