198 lines
5.2 KiB
Nix
198 lines
5.2 KiB
Nix
{ config, pkgs, ... }:
|
||
|
||
{
|
||
############################################################
|
||
# BOOTLOADER – GRUB
|
||
############################################################
|
||
|
||
boot.loader.grub.enable = true;
|
||
boot.loader.grub.device = "nodev";
|
||
boot.loader.grub.efiSupport = true;
|
||
boot.loader.grub.efiInstallAsRemovable = true;
|
||
boot.loader.grub.useOSProber = false;
|
||
|
||
boot.loader.efi.canTouchEfiVariables = false;
|
||
boot.loader.efi.efiSysMountPoint = "/boot";
|
||
|
||
############################################################
|
||
# INITRD – LUKS
|
||
############################################################
|
||
|
||
boot.initrd.availableKernelModules = [
|
||
"usb_storage"
|
||
"xhci_hcd"
|
||
"ehci_pci"
|
||
"ahci"
|
||
"sd_mod"
|
||
"nvme"
|
||
"sr_mod"
|
||
];
|
||
|
||
boot.initrd.luks.devices.root = {
|
||
device = "/dev/disk/by-partlabel/nixos-crypt";
|
||
preLVM = true;
|
||
allowDiscards = true;
|
||
};
|
||
|
||
############################################################
|
||
# FIRMWARE
|
||
############################################################
|
||
|
||
hardware.enableAllFirmware = true;
|
||
hardware.enableRedistributableFirmware = true;
|
||
hardware.cpu.intel.updateMicrocode = true;
|
||
hardware.cpu.amd.updateMicrocode = true;
|
||
|
||
############################################################
|
||
# FILESYSTEMS
|
||
############################################################
|
||
|
||
fileSystems."/" = {
|
||
device = "/dev/disk/by-label/nixos-root";
|
||
fsType = "ext4";
|
||
};
|
||
|
||
fileSystems."/boot" = {
|
||
device = "/dev/disk/by-label/EFI";
|
||
fsType = "vfat";
|
||
};
|
||
|
||
############################################################
|
||
# LOCALE / NETWORK
|
||
############################################################
|
||
|
||
networking.networkmanager.enable = true;
|
||
time.timeZone = "Europe/Berlin";
|
||
i18n.defaultLocale = "de_DE.UTF-8";
|
||
console.keyMap = "de";
|
||
|
||
############################################################
|
||
# DESKTOP
|
||
############################################################
|
||
|
||
services.displayManager.gdm.enable = true;
|
||
services.desktopManager.gnome.enable = true;
|
||
services.libinput.enable = true;
|
||
|
||
############################################################
|
||
# AUDIO
|
||
############################################################
|
||
|
||
services.pulseaudio.enable = false;
|
||
security.rtkit.enable = true;
|
||
services.pipewire = {
|
||
enable = true;
|
||
alsa.enable = true;
|
||
alsa.support32Bit = true;
|
||
pulse.enable = true;
|
||
};
|
||
|
||
############################################################
|
||
# BLUETOOTH / PRINTING
|
||
############################################################
|
||
|
||
hardware.bluetooth.enable = true;
|
||
services.blueman.enable = true;
|
||
services.printing.enable = true;
|
||
|
||
############################################################
|
||
# USER
|
||
############################################################
|
||
|
||
users.users.user = {
|
||
isNormalUser = true;
|
||
extraGroups = [ "wheel" "networkmanager" ];
|
||
shell = pkgs.bash;
|
||
initialPassword = "1312";
|
||
};
|
||
|
||
############################################################
|
||
# PACKAGES
|
||
############################################################
|
||
|
||
nixpkgs.config.allowUnfree = true;
|
||
|
||
environment.systemPackages = with pkgs; [
|
||
git
|
||
vim
|
||
curl
|
||
wget
|
||
openssh
|
||
obsidian
|
||
libreoffice
|
||
keepassxc
|
||
thunderbird
|
||
tor-browser
|
||
inkscape
|
||
gimp
|
||
pdfarranger
|
||
];
|
||
|
||
programs.firefox.enable = true;
|
||
|
||
############################################################
|
||
# USB ROOT LOSS → SHUTDOWN (FIXED)
|
||
############################################################
|
||
|
||
systemd.services.shutdown-on-root-usb-loss = {
|
||
description = "Shutdown if USB device backing / disappears";
|
||
wantedBy = [ "multi-user.target" ];
|
||
after = [ "local-fs.target" ];
|
||
|
||
serviceConfig = {
|
||
Type = "simple";
|
||
ExecStart = pkgs.writeShellScript "watch-root-usb" ''
|
||
set -e
|
||
|
||
FINDMNT=${pkgs.util-linux}/bin/findmnt
|
||
LSBLK=${pkgs.util-linux}/bin/lsblk
|
||
BASENAME=${pkgs.coreutils}/bin/basename
|
||
SLEEP=${pkgs.coreutils}/bin/sleep
|
||
SYSTEMCTL=${pkgs.systemd}/bin/systemctl
|
||
|
||
ROOT_SRC="$($FINDMNT -n -o SOURCE / || true)"
|
||
[ -z "$ROOT_SRC" ] && exit 0
|
||
|
||
if [[ "$ROOT_SRC" == /dev/dm-* ]]; then
|
||
PARENT="$($LSBLK -no PKNAME "$ROOT_SRC")"
|
||
ROOT_DEV="/dev/$PARENT"
|
||
else
|
||
ROOT_DEV="$ROOT_SRC"
|
||
fi
|
||
|
||
TRAN="$($LSBLK -no TRAN "$ROOT_DEV" || true)"
|
||
[ "$TRAN" != "usb" ] && exec $SLEEP infinity
|
||
|
||
DEV_NAME="$($BASENAME "$ROOT_DEV")"
|
||
|
||
while [ -e "/sys/class/block/$DEV_NAME" ]; do
|
||
$SLEEP 1
|
||
done
|
||
|
||
$SYSTEMCTL poweroff
|
||
'';
|
||
Restart = "no";
|
||
};
|
||
};
|
||
|
||
############################################################
|
||
# KERNEL FAILSAFE
|
||
############################################################
|
||
|
||
boot.kernel.sysctl = {
|
||
"kernel.panic" = 5;
|
||
"kernel.panic_on_oops" = 1;
|
||
};
|
||
|
||
############################################################
|
||
# SWAP
|
||
############################################################
|
||
|
||
zramSwap.enable = true;
|
||
|
||
############################################################
|
||
# SYSTEM VERSION
|
||
############################################################
|
||
|
||
system.stateVersion = "25.11";
|
||
} |