{ config, pkgs, ... }: { # Firmware. # # Enables e.g. Intel microcode updates. # Defaults to `config.hardware.enableAllFirmware`. #hardware.enableRedistributableFirmware = true; hardware.enableAllFirmware = true; # Allow unfree packages. nixpkgs.config.allowUnfree = true; # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; # Setup keyfile. boot.initrd.secrets = { "/crypto_keyfile.bin" = null; }; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enable networking. networking.networkmanager.enable = true; networking.nameservers = [ # https://www.kuketz-blog.de/empfehlungsecke/#dns # dot.ffmuc.net (supports DNSSEC) "5.1.66.255" "185.150.99.255" # https://www.kuketz-blog.de/empfehlungsecke/#dns # unfiltered.adguard-dns.com (supports DNSSEC) "94.140.14.140" "94.140.14.141" ]; # Set your time zone. time.timeZone = "Europe/Berlin"; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; i18n.extraLocaleSettings = { LC_ADDRESS = "de_DE.UTF-8"; LC_IDENTIFICATION = "de_DE.UTF-8"; LC_MEASUREMENT = "de_DE.UTF-8"; LC_MONETARY = "de_DE.UTF-8"; LC_NAME = "de_DE.UTF-8"; LC_NUMERIC = "de_DE.UTF-8"; LC_PAPER = "de_DE.UTF-8"; LC_TELEPHONE = "de_DE.UTF-8"; LC_TIME = "de_DE.UTF-8"; }; # Configure console keymap. console.keyMap = "de-latin1-nodeadkeys"; # Define a user account. Don't forget to set a password with `passwd`. users.users.yoda = { isNormalUser = true; description = "Yoda"; extraGroups = [ "networkmanager" "wheel" ]; packages = with pkgs; [ # Nix dependency management. niv ]; }; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ ]; # SystemMaxFileSize: Defaults to one eighth of the values configured with SystemMaxUse= and RuntimeMaxUse=, so that usually seven rotated journal files are kept as history. # MaxFileSec: To ensure that not too much data is lost at once when old journal files are deleted, it might make sense to change this value from the default of one month. # https://www.freedesktop.org/software/systemd/man/journald.conf.html services.journald.extraConfig = '' SystemMaxUse=800M MaxFileSec=7day ''; # BTRFS mount options. # # compress= # `nixos-generate-config` does not detect mount options, so we add them here. # https://nixos.wiki/wiki/Btrfs#Compression # # noatime # Under read intensive work-loads, specifying noatime significantly improves performance because no new access time information needs to be written. # https://man.archlinux.org/man/btrfs.5#NOTES_ON_GENERIC_MOUNT_OPTIONS # # commit= # The number of seconds between periodic commits to the filesystem. This is 30 seconds by default. Increasing this value reduces the frequency of periodic writes which can reduce wear on the disk. However, this also increases the risk of data loss during the event of an untimely crash. # https://www.jwillikers.com/btrfs-mount-options # fileSystems = { "/".options = [ "compress=zstd" "noatime" "commit=120" ]; }; # BTRFS scrub. # # Scrubbing is the process of checking file consistency. # Scrubbing may be done "online", meaning you don't need to unmount a subvolume to scrub it. # https://nixos.wiki/wiki/Btrfs#Scrubbing # Btrfs scrub is "[a]n online filesystem checking tool. Reads all the data and metadata on the filesystem and uses checksums and the duplicate copies from RAID storage to identify and repair any corrupt data." # https://wiki.archlinux.org/title/btrfs#Scrub # The scrub command operates on a whole filesystem, not just individual subvolumes. # https://unix.stackexchange.com/a/724412 # # As this command reads all data, it wears down the disk. One should not run it too often. For large, slow disks once per month should be fine. # # To run it manually: # sudo btrfs scrub start / # sudo btrfs scrub status / services.btrfs.autoScrub = { enable = true; interval = "monthly"; fileSystems = [ "/" ]; }; nix.settings.auto-optimise-store = true; # Firewall. # https://nixos.wiki/wiki/Firewall # -> Firewall rules may be overwritten by docker, as per https://github.com/NixOS/nixpkgs/issues/111852 networking.firewall.enable = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "23.05"; # Did you read the comment? }