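# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
#
# Security posture of this host, stated up front so nobody is surprised later:
#   * It is deliberately a "convenience first" desktop/dev box: a baked-in,
#     publicly known account password, passwordless sudo for `wheel`, xrdp
#     exposed through the firewall and a Redis cluster announced on 0.0.0.0.
#     Anyone who can reach 3389 and knows the password is effectively root.
#     Run it only on a trusted network (or behind a VPN / LXC host firewall).
#   * sshd is the one service that can be hardened without breaking the
#     stated RDP use-case: xrdp authenticates through PAM, not through sshd,
#     so sshd is key-only below and root password login is blocked.
{ inputs, outputs, lib, config, pkgs, modulesPath, ... }:

{
  # Import modules including LXC container support
  imports = [
    # Include the default lxd configuration.
    "${modulesPath}/virtualisation/lxc-container.nix"
    # Import your generated (nixos-generate-config) hardware configuration
    ./hardware-configuration.nix
    # Import our custom modules
    outputs.nixosModules.important-defaults
    outputs.nixosModules.incus
    outputs.nixosModules.orbstack
    outputs.nixosModules.redis-cluster
    # outputs.nixosModules.power-user-defaults
  ];

  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.unstable-packages

      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default

      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
    };
  };

  nix = let
    flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
  in {
    settings = {
      # Enable flakes and new 'nix' command
      experimental-features = "nix-command flakes";
      # Opinionated: disable global registry
      flake-registry = "";
      # Workaround for https://github.com/NixOS/nix/issues/9574
      nix-path = config.nix.nixPath;
    };
    # Opinionated: disable channels
    channel.enable = false;

    # Opinionated: make flake registry and nix path match flake inputs
    registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
  };

  # User configuration
  users.users.wongdingfeng = {
    uid = 502;
    extraGroups = [ "wheel" "orbstack" "audio" "video" ];
    # simulate isNormalUser, but with an arbitrary UID
    isSystemUser = true;
    group = "users";
    createHome = true;
    home = "/home/wongdingfeng";
    homeMode = "700";
    useDefaultShell = true;

    # Password for the xrdp (PAM) login. The inline comment says it is the
    # literal string "password", and the hash uses the fixed salt "salt", so
    # it is trivially guessable and identical on every machine built from
    # this file. Because `users.mutableUsers = false` below, `passwd` cannot
    # change it at runtime either. Before exposing 3389 anywhere untrusted,
    # regenerate it with `mkpasswd -m sha-512` or switch to
    # `hashedPasswordFile` so the secret does not live in the repo.
    # WARNING: wheel + passwordless sudo below means this password is root.
    hashedPassword = "$6$rounds=4096$salt$3xAS2/rKTsVNrHRYnBJcLk9KPIbO7GGr.vCO6xLz2CIhVFZFj9EoylXnJz7sVLJhfJk8hGgJ2U8J1QD2vG7z0."; # password: "password"

    # SSH keys. sshd is key-only (see services.openssh.settings), so this
    # list is the only way in over SSH.
    openssh.authorizedKeys.keys = [
      # Add your SSH public keys here
      # "ssh-rsa AAAAB3NzaC1yc2EAAAA... your-email@example.com"
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-email@example.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICA/3qb5Eg8NSFMHXZqFlWI9TxHZHQtFAjvcDfiTUtbv wongdingfeng@Wong-Ding-Fengs-MacBook-Pro.local-2024-01-23"
    ];
  };

  # Passwordless sudo for wheel: convenient on a dev box, but it makes the
  # (known) account password above equivalent to root for any RDP or local
  # session. Set this to true if the host ever leaves a trusted network.
  security.sudo.wheelNeedsPassword = false;

  # This being `true` leads to a few nasty bugs, change at your own risk!
  # Note it also freezes the hashedPassword above into the system closure.
  users.mutableUsers = false;

  time.timeZone = "Asia/Singapore";

  # SSH Server configuration
  services.openssh = {
    enable = true;
    # Non-default port. NixOS opens `ports` in the firewall by default; 2222
    # is also listed explicitly in networking.firewall below.
    ports = [ 2222 ];
    settings = {
      # Key-only authentication. The ed25519 key is registered on the user
      # above, and the account password is only needed for the xrdp/PAM
      # login, which never goes through sshd -- so disabling password and
      # keyboard-interactive auth here does not affect remote desktop, while
      # it does stop online guessing of the known password over SSH.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # No root password is set in this file. "prohibit-password" (OpenSSH's
      # own default) blocks password login as root while still allowing
      # key-based root access should another module add root keys; the
      # previous "yes" had no benefit without a root password and widened
      # the brute-force surface.
      PermitRootLogin = "prohibit-password";

      # Enable X11 forwarding (confined to localhost on the server side)
      X11Forwarding = true;
      X11DisplayOffset = 10;
      X11UseLocalhost = true;

      # Additional hardening. (`Protocol = 2` was dropped: SSH-1 support was
      # removed from OpenSSH long ago and the directive now only produces a
      # deprecation warning from `sshd -t`.)
      MaxAuthTries = 3;
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;

      # Allow only specific users (optional - uncomment if needed; note it
      # would also shut out root over SSH entirely)
      # AllowUsers = [ "wongdingfeng" ];
    };
  };

  # Redis Cluster configuration (custom module: outputs.nixosModules.redis-cluster)
  services.redisCluster = {
    enable = true;
    masters = 8;            # 8 master nodes
    replicasPerMaster = 1;  # 1 replica each = 16 total instances
    basePort = 7000;        # Masters: 7000-7007, Replicas: 7008-7015
    # NOTE(review): the option is named *announce* IP, and in upstream Redis
    # `cluster-announce-ip` is the address advertised to peers/clients, not
    # the bind address -- 0.0.0.0 is not a reachable address for a peer. The
    # comment below reflects the author's intent; confirm against the module
    # what this actually sets. Either way, with openFirewall the instances
    # (and their cluster bus ports) are reachable from the network; no
    # authentication is configured in this file.
    announceIp = "0.0.0.0"; # Bind to all interfaces
    openFirewall = true;
  };

  # System packages
  environment.systemPackages = with pkgs; [
    neovim
    gitAndTools.gitFull
    tmux
    htop
    neofetch
    ripgrep
    fd
    ranger
    fish
    # Desktop applications
    firefox
    chromium
    gnome-terminal
    nautilus
    gedit
    # System utilities
    xorg.xauth
    xorg.xhost
    # Development tools
    vscode
    curl
    wget
  ];

  # Enable X11 with GNOME desktop environment
  services.xserver = {
    enable = true;
    # GNOME Desktop Environment
    displayManager.gdm.enable = true;
    desktopManager.gnome.enable = true;
    # Keyboard layout
    xkb = {
      layout = "us";
      variant = "";
    };
  };

  # Enable xrdp for remote desktop access
  services.xrdp = {
    enable = true;
    defaultWindowManager = "gnome-session";
    openFirewall = true;
    port = 3389;
    # Hand-written xrdp.ini. Points a reviewer should know:
    #   * NOTE(review): `confDir` replaces the whole directory the NixOS
    #     module normally generates (xrdp.ini plus sesman.ini, keymaps, ...);
    #     writeTextDir only provides xrdp.ini. Verify sesman still starts
    #     with this override.
    #   * certificate= / key_file= are empty, so TLS depends on whatever
    #     default xrdp falls back to; with security_layer=negotiate a client
    #     may end up on legacy RDP security. crypt_level is set to "high"
    #     (xrdp's own default) instead of "low" so that fallback path is at
    #     least not the weakest cipher level.
    #   * require_credentials=false only lets the login dialog be submitted
    #     empty; the [Xorg] section still asks for username/password and
    #     sesman authenticates via PAM (presumably -- not visible here).
    confDir = pkgs.writeTextDir "xrdp.ini" ''
      [Globals]
      ini_version=1
      fork=true
      port=3389
      tcp_nodelay=true
      tcp_keepalive=true
      security_layer=negotiate
      crypt_level=high
      certificate=
      key_file=
      ssl_protocols=TLSv1.2, TLSv1.3
      autorun=
      allow_channels=true
      allow_multimon=true
      bitmap_cache=true
      bitmap_compression=true
      hide_log_window=true
      max_bpp=32
      new_cursors=true
      use_fastpath=both
      require_credentials=false
      bulk_compression=true

      [Xorg]
      name=Xorg
      lib=libxup.so
      username=ask
      password=ask
      ip=127.0.0.1
      port=-1
      code=20
    '';
  };

  # Firewall: only RDP and the non-default SSH port are opened explicitly;
  # the Redis cluster ports are opened by its module's openFirewall above.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 3389 2222 ]; # xrdp and SSH
  };

  # Enable sound for desktop environment
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  # Font configuration for X11 applications
  fonts = {
    packages = with pkgs; [
      dejavu_fonts
      liberation_ttf
      freetype
    ];
    fontconfig.enable = true;
  };

  # GNOME services and additional desktop features
  services.gnome = {
    gnome-keyring.enable = true;
    glib-networking.enable = true;
  };

  # Enable location services for GNOME
  services.geoclue2.enable = true;

  # Enable printing support
  services.printing.enable = true;

  # Enable USB support
  services.udisks2.enable = true;

  # Modern systemd features
  systemd.extraConfig = ''
    DefaultTimeoutStopSec=10s
  '';

  # Latest NixOS system state version
  system.stateVersion = "25.05"; # Use latest stable version
}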