path: root/modules/common.nix
blob: 838df28b0537c18cc5eefd850672b01760cf3852 (plain)
{
  me,
  pkgs,
  auxiliaryPkgs,
  unstablePkgs,
  ...
}:

let
  # Keep only the packages that declare support for this host's system.
  # A package without meta.platforms is kept: the `or` default substitutes
  # a list holding just me.system, so the membership test succeeds.
  # NOTE(review): membership is tested with builtins.elem (plain equality),
  # so a platforms entry that is not a bare system string would never
  # match. Confirm that is acceptable for the package sets passed in.
  filterUnsupportedPackages =
    candidates:
    let
      supportsHost = pkg: builtins.elem me.system (pkg.meta.platforms or [ me.system ]);
    in
    builtins.filter supportsHost candidates;
in
{
  # Modules pulled in together with this one; every path is relative to this
  # file. Their contents are not visible from here.
  imports = [
    ./nix.nix
    ./user.nix
    ./locale.nix
    ./vim.nix
    ./tmux.nix
    ./gnome.nix
    ./fonts.nix
    ./flatpak.nix
    ./libreoffice.nix
    ./electronics.nix
    ./hardware-keys.nix
    ./nix-ld.nix
  ];

  services.envfs.enable = true;

  # Both virtualisation back ends are switched on.
  # NOTE(review): access to the Docker daemon is effectively root on the
  # host, and libvirtd access is similarly powerful. Group membership is not
  # assigned in this file, so check which users end up in those groups.
  virtualisation.libvirtd.enable = true;
  virtualisation.docker.enable = true;

  documentation = {
    # fish turns man cache generation on by default, and that makes every
    # nixos rebuild very slow, so it is forced off here.
    man.generateCaches = false;

    # Info pages, package docs and developer docs are all installed.
    info.enable = true;
    doc.enable = true;
    dev.enable = true;

    # The NixOS manual is built with includeAllModules switched on.
    nixos.enable = true;
    nixos.includeAllModules = true;
  };

  networking = {
    # The host name comes from the `me` argument.
    hostName = me.name;

    # Use the corsac DNS server (the original binding called this address
    # corsacTailnet). It is the only resolver configured in this file.
    # NOTE(review): with a single resolver that presumably lives on the
    # tailnet, name resolution depends on the tailnet being up. Confirm
    # that is intended. DNSSEC and DNS-over-TLS are not set in this file.
    nameservers = [ "100.64.100.100" ];
  };

  services.resolved.enable = true;

  services.acpid.enable = true;
  services.sysprof.enable = true;

  # Tailscale, with routing features set to "both" and `--ssh` passed as an
  # extra `tailscale up` flag.
  # NOTE(review): with Tailscale SSH, who may log in is presumably decided
  # by the tailnet's access policy rather than by sshd settings on this
  # host. Review the policy's SSH rules alongside this file.
  # NOTE(review): "both" presumably enables the server half (IP forwarding)
  # as well as the client half. Confirm this host needs to route for others.
  # NOTE(review): nixpkgs documents extraUpFlags as applied only when
  # authKeyFile is set, and none is set in this file. Verify that `--ssh`
  # actually takes effect.
  services.tailscale.enable = true;
  services.tailscale.useRoutingFeatures = "both";
  services.tailscale.extraUpFlags = [ "--ssh" ];

  # sometimes needed for gnupg
  services.pcscd.enable = true;

  # steam requires the i386 package set, which obviously does not work on ARM.
  # TODO: pull out gaming related configuration (like steam) into a separate module.
  # programs.steam.enable = true;
  # programs.steam.remotePlay.openFirewall = true;

  programs.virt-manager.enable = true;
  programs.fish.enable = true;
  programs.git.enable = true;

  # Ghidra comes from auxiliaryPkgs rather than pkgs, with gdb support on.
  programs.ghidra.enable = true;
  programs.ghidra.package = auxiliaryPkgs.ghidra;
  programs.ghidra.gdb = true;

  # Wireshark with capture enabled for network interfaces (dumpcap) and
  # USB buses (usbmon).
  # NOTE(review): these options presumably grant capture rights to members
  # of a dedicated group. Capture exposes other users' traffic and USB
  # input, so confirm who is placed in that group (not assigned here).
  programs.wireshark.enable = true;
  programs.wireshark.dumpcap.enable = true;
  programs.wireshark.usbmon.enable = true;

  # NOTE(review): adb access is presumably group-gated as well. Verify
  # membership in the user module.
  programs.adb.enable = true;

  # gpg-agent also serves as the SSH agent; passphrase prompts use the
  # GNOME pinentry.
  programs.gnupg.agent.enable = true;
  programs.gnupg.agent.enableSSHSupport = true;
  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;

  # On desktop machines (a.k.a. minerals) tailscale ssh is the only way in,
  # so there are generally no ordinary host keys; the key tailscale uses is
  # taken instead as the age identity.
  # NOTE(review): this ties secret decryption to a key under tailscale's
  # state directory. If that key is ever regenerated, secrets encrypted to
  # the old one would presumably stop decrypting, and anything able to read
  # this path can decrypt the host's secrets. Confirm both are acceptable.
  age = {
    identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ];
  };

  # System-wide packages, built by concatenating three lists in order:
  #   1. packages from pkgs, passed through filterUnsupportedPackages;
  #   2. packages from unstablePkgs, which are NOT filtered;
  #   3. packages from auxiliaryPkgs (currently empty: every entry is
  #      commented out).
  # NOTE(review): the order of entries is left untouched on purpose, in case
  # it matters when two packages provide the same file.
  #
  # TODO: the filter already does some good work, but we need some way to
  # pick out x86-only packages, so it is not as opaque as it currently is.
  # (who knows if muse-sounds-manager is actually installed, for example?)
  environment.systemPackages = (with pkgs; filterUnsupportedPackages [
    file unzip jq dig htop wget screen dive
    gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester
    bitwarden-desktop bitwarden-cli
    inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid
    minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool
    sysprof wireshark seer mitmproxy hardinfo2 btrfs-assistant remmina trayscale
    vlc celluloid foliate calibre
    yt-dlp ffmpeg_7-full imagemagick handbrake mpv helvum
    gimp3 krita mypaint aseprite rnote fontforge-gtk
    blender inkscape obs-studio darktable davinci-resolve
    orca-slicer
    renderdoc
    audacity musescore muse-sounds-manager reaper
    # bitwig's bubblewrap configuration requires some non-ARM package sets.
    # bitwig-studio
    ungoogled-chromium librewolf lagrange
    senpai signal-desktop alpaca newsflash
    qemu_full virtiofsd

    openvpn openvpn3 update-resolv-conf
    transmission_4-gtk fragments

    xorg.xeyes wl-clipboard

    ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean
    universal-ctags compiledb graphviz
    python3 uv ruff
    nodejs_22 deno yarn
    rustc rustup cargo rustfmt
    go gopls delve go-task gotags golangci-lint
    meson cmake gnumake ninja gdb gcc clang clang-tools
    hare haredoc
    jdk maven gradle
    nil nixfmt-rfc-style
    nixpkgs-review nixpkgs-fmt nixpkgs-lint-community
    postgresql
    helix alacritty ghostty
    androidStudioPackages.dev

    winetricks bottles
    scrcpy apfs-fuse nfs-utils
    ubootTools dtc cloud-utils
    borgbackup pika-backup

    prismlauncher xonotic

    man-pages man-pages-posix
  ]) ++ (with unstablePkgs; [
    # These bypass filterUnsupportedPackages, so an entry that does not
    # support me.system is not dropped silently the way it is above.
    claude-code gemini-cli
  ]) ++ (with auxiliaryPkgs; [
    # TODO: need fixes for 25.05
    # retroarch wine

    # TODO: ngfx (obviously) does not work on ARM, put it somewhere else
    # ngfx
  ]);

  # Expose the update-resolv-conf package's libexec/openvpn directory as the
  # etc entry named "openvpn".
  # NOTE(review): presumably so OpenVPN profiles can reference the resolv.conf
  # hook script from a stable path. Hook scripts run with the VPN client's
  # privileges, so confirm profiles only point at this store-backed copy.
  environment.etc.openvpn = {
    source = "${pkgs.update-resolv-conf}/libexec/openvpn";
  };
}