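# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
#
# Exposure summary (details in each section):
#   - SSH on port 2222: key-only, no root login, one allowed user.
#   - xrdp on port 3389: TLS via the module's self-signed certificate; the
#     login password is a published placeholder until `hashedPassword` is
#     replaced, so 3389 must not be reachable from an untrusted network.
#   - Redis cluster ports are opened in the firewall (see note there).
#   - sudo is passwordless for wheel (deliberate; see note there).
{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  modulesPath,
  ...
}: {
  imports = [
    # nixpkgs' LXC container profile (boot/init adjustments for running under
    # an LXC/LXD-style container runtime).
    "${modulesPath}/virtualisation/lxc-container.nix"

    # Generated by nixos-generate-config.
    ./hardware-configuration.nix

    # Modules exported by this flake.
    outputs.nixosModules.important-defaults
    outputs.nixosModules.incus
    outputs.nixosModules.orbstack
    outputs.nixosModules.redis-cluster
    # outputs.nixosModules.power-user-defaults
  ];

  nixpkgs = {
    # Overlays exported by this flake (from the overlays and pkgs dirs).
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.unstable-packages

      # Overlays from other flakes can be added here, e.g.:
      # neovim-nightly-overlay.overlays.default

      # Or defined inline, e.g.:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    config = {
      # Set to false to refuse unfree packages.
      allowUnfree = true;
    };
  };

  nix = let
    # Only the inputs that are flakes (not plain path/file inputs).
    flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
  in {
    settings = {
      # Enable flakes and the new `nix` command.
      experimental-features = "nix-command flakes";
      # Opinionated: no global registry, so every flake reference resolves
      # through the pinned inputs below instead of a network lookup.
      flake-registry = "";
      # Workaround for https://github.com/NixOS/nix/issues/9574
      nix-path = config.nix.nixPath;
    };
    # Opinionated: disable channels; inputs are pinned by the flake lock.
    channel.enable = false;

    # Opinionated: make the flake registry and nix path match the flake inputs,
    # so `nixpkgs` etc. always mean the locked revision.
    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
  };

  # User configuration
  users.users.wongdingfeng = {
    uid = 502;
    # wheel grants sudo (passwordless, see security.sudo below).
    extraGroups = [ "wheel" "orbstack" "audio" "video" ];

    # Simulate isNormalUser, but with an arbitrary (sub-1000) UID.
    isSystemUser = true;
    group = "users";
    createHome = true;
    home = "/home/wongdingfeng";
    homeMode = "700";
    useDefaultShell = true;

    # Login password for xrdp (PAM). SSH does not accept passwords at all
    # (see services.openssh.settings below).
    # WARNING: this is the SHA-512 crypt of the literal string "password" with
    # the fixed salt "salt"; both are readable in this file. Anyone who can
    # reach port 3389 can log in as this user and, via wheel + passwordless
    # sudo, become root. Replace it with the output of `mkpasswd -m sha-512`
    # before this machine is reachable from anything but an isolated network.
    hashedPassword = "$6$rounds=4096$salt$3xAS2/rKTsVNrHRYnBJcLk9KPIbO7GGr.vCO6xLz2CIhVFZFj9EoylXnJz7sVLJhfJk8hGgJ2U8J1QD2vG7z0."; # password: "password"

    # SSH public keys; this is the only way in over SSH.
    openssh.authorizedKeys.keys = [
      # "ssh-rsa AAAAB3NzaC1yc2EAAAA... your-email@example.com"
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-email@example.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICA/3qb5Eg8NSFMHXZqFlWI9TxHZHQtFAjvcDfiTUtbv wongdingfeng@Wong-Ding-Fengs-MacBook-Pro.local-2024-01-23"
    ];
  };

  # Passwordless sudo for wheel. Deliberate for a single-user dev VM, and a
  # password prompt would add nothing while `hashedPassword` above is the
  # published placeholder; revisit once that hash is rotated.
  security.sudo.wheelNeedsPassword = false;

  # Declarative accounts: passwords and authorized keys come only from this
  # file, and `passwd` changes are reverted on the next rebuild. The original
  # comment warns that `true` leads to a few nasty bugs; keep it `false`.
  users.mutableUsers = false;

  time.timeZone = "Asia/Singapore";

  # SSH server
  services.openssh = {
    enable = true;
    # Non-default port; the firewall section references this list rather than
    # hard-coding 2222 a second time.
    ports = [ 2222 ];

    settings = {
      # Key-only login. The one key is in users.users.wongdingfeng above, and
      # the only password in this file is a published placeholder, so
      # password/keyboard-interactive auth would be a trivial brute-force
      # target on an exposed port.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # root has neither a password nor authorized keys in this file; refusing
      # it at sshd means a future root key or password does not silently
      # become reachable. If you deploy with `nixos-rebuild --target-host`
      # as root, use "prohibit-password" and add a root key instead.
      PermitRootLogin = "no";
      # Only this account may authenticate over SSH. If the orbstack/incus
      # modules need another SSH user, add it here.
      AllowUsers = [ "wongdingfeng" ];

      # X11 forwarding, for running the GUI packages below over SSH. A
      # forwarded X client can read and inject input on the forwarding
      # display, so only forward from hosts you trust.
      X11Forwarding = true;
      X11DisplayOffset = 10;
      X11UseLocalhost = true;

      # `Protocol 2` was dropped: sshd ignores the keyword since SSH-1 support
      # was removed and only logs a "Deprecated option" line for it.
      MaxAuthTries = 3;
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;
    };
  };

  # Redis cluster (outputs.nixosModules.redis-cluster)
  services.redisCluster = {
    enable = true;
    masters = 8; # 8 master nodes
    replicasPerMaster = 1; # 1 replica each = 16 instances total
    basePort = 7000; # Masters: 7000-7007, Replicas: 7008-7015
    # NOTE(review): the option is named announceIp. If it maps to Redis'
    # cluster-announce-ip, that is the address other nodes and clients are
    # told to connect to, and 0.0.0.0 is a bind address, not an announceable
    # one. Confirm what the module does with this value.
    announceIp = "0.0.0.0";
    # Opens the 16 instance ports on every interface. Redis has no
    # authentication unless the module configures one, so this belongs on an
    # isolated network only. NOTE(review): check whether the module also opens
    # the cluster bus ports (instance port + 10000), which the cluster needs.
    openFirewall = true;
  };

  # System packages
  environment.systemPackages = with pkgs; [
    neovim
    gitFull # `gitAndTools` is a legacy alias for pkgs itself
    tmux
    htop
    neofetch
    ripgrep
    fd
    ranger
    fish

    # Desktop applications
    firefox
    chromium
    gnome-terminal
    nautilus
    gedit

    # X11 utilities (xauth is needed for SSH X11 forwarding)
    xorg.xauth
    xorg.xhost

    # Development tools
    vscode
    curl
    wget
  ];

  # X11 with the GNOME desktop environment.
  # NOTE(review): recent NixOS releases have moved these to
  # services.displayManager.gdm and services.desktopManager.gnome; the paths
  # below still evaluate through renamed-option aliases but will warn.
  services.xserver = {
    enable = true;
    displayManager.gdm.enable = true;
    desktopManager.gnome.enable = true;

    # Keyboard layout
    xkb = {
      layout = "us";
      variant = "";
    };
  };

  # xrdp remote desktop
  services.xrdp = {
    enable = true;
    defaultWindowManager = "gnome-session";
    port = 3389;
    # Exposes 3389 on every interface. Combined with the placeholder password
    # above this is a walk-in root shell for anyone on the network; see the
    # warning on hashedPassword.
    openFirewall = true;

    # Custom xrdp.ini. Because confDir is overridden, the module's own
    # substitutions into the default ini (port, certificate, key_file) are
    # bypassed, so they are interpolated from the module options here to keep
    # the two in sync.
    confDir = pkgs.writeTextDir "xrdp.ini" ''
      [Globals]
      ini_version=1
      fork=true
      port=${toString config.services.xrdp.port}
      tcp_nodelay=true
      tcp_keepalive=true
      # Negotiate TLS with clients that support it; set to `tls` to refuse the
      # legacy RDP security layer entirely.
      security_layer=negotiate
      # Was `low`. `high` is xrdp's default and the strongest setting for the
      # legacy RDP layer; TLS sessions are unaffected by this value.
      crypt_level=high
      # The self-signed pair the NixOS xrdp module generates on first start.
      # Left empty, xrdp falls back to its compiled-in default path; naming
      # the module's options keeps TLS tied to the pair the module manages.
      certificate=${config.services.xrdp.sslCert}
      key_file=${config.services.xrdp.sslKey}
      ssl_protocols=TLSv1.2, TLSv1.3
      autorun=
      allow_channels=true
      allow_multimon=true
      bitmap_cache=true
      bitmap_compression=true
      hide_log_window=true
      max_bpp=32
      new_cursors=true
      use_fastpath=both
      # false lets a client connect without pre-supplying credentials and log
      # in through the xrdp dialog instead. It does not skip authentication;
      # the [Xorg] session below still asks for username and password.
      require_credentials=false
      bulk_compression=true

      [Xorg]
      name=Xorg
      lib=libxup.so
      username=ask
      password=ask
      ip=127.0.0.1
      port=-1
      code=20
    '';
  };

  # Firewall: only SSH and xrdp are listed here. Both modules open their own
  # ports as well (xrdp via openFirewall above, openssh unless its openFirewall
  # is disabled); referencing their options avoids a second hard-coded copy
  # that would go stale if a port changed.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = config.services.openssh.ports ++ [ config.services.xrdp.port ];
  };

  # Sound for the desktop environment
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  # Fonts for X11 applications
  fonts = {
    packages = with pkgs; [
      dejavu_fonts
      liberation_ttf
      freetype
    ];
    fontconfig.enable = true;
  };

  # GNOME services
  services.gnome = {
    gnome-keyring.enable = true;
    glib-networking.enable = true;
  };

  # Location services for GNOME
  services.geoclue2.enable = true;

  # Printing
  services.printing.enable = true;

  # Removable storage (udisks2)
  services.udisks2.enable = true;

  # Shorter stop timeout for units that do not set their own.
  systemd.extraConfig = ''
    DefaultTimeoutStopSec=10s
  '';

  # stateVersion records the NixOS release this system was first installed
  # with so that stateful defaults stay compatible; do not bump it on upgrades.
  system.stateVersion = "25.05";
}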