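{ config, lib, pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
  ];

  # ---------------------------------------------------------------------------
  # Boot chain: UEFI Secure Boot via lanzaboote, systemd initrd, TPM2-unlocked
  # LUKS root.
  # ---------------------------------------------------------------------------
  boot = {
    # Lanzaboote currently replaces the systemd-boot module.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.efi.canTouchEfiVariables = true;
    bootspec.enable = true;
    lanzaboote = {
      enable = true;
      # sbctl key material (PK/KEK/db signing keys). Keep this directory
      # root-only and out of version control; whoever holds these keys can sign
      # arbitrary boot images for this machine.
      pkiBundle = "/etc/secureboot";
      # This will be the new location in unstable
      # pkiBundle = "/var/lib/sbctl";
    };

    initrd.systemd.enable = true;
    # Name "crypted" corresponds to the luks name in disko config
    initrd.luks.devices.crypted = {
      device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50";
      # Unattended unlock via TPM2. How much this protects depends entirely on the
      # PCR policy chosen at enrollment time (systemd-cryptenroll --tpm2-pcrs=...),
      # which is not visible in this file.
      # NOTE(review): confirm the enrollment is bound to at least PCR 7 (Secure
      # Boot state, which lanzaboote maintains) or uses --tpm2-with-pin; an
      # enrollment with no PCR policy lets anyone holding the disk + TPM unlock it.
      # "tpm2-measure-pcr=yes" would additionally extend the volume key into
      # PCR 15 so later policies can distinguish this volume -- consider adding it.
      crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
  };

  # ---------------------------------------------------------------------------
  # Networking
  # ---------------------------------------------------------------------------
  networking = {
    hostName = "dalinar";
    useNetworkd = true;
    firewall = {
      enable = true;
      # Port 53 is for the blocky resolver below, which binds without an address
      # (all interfaces). These rules apply to every non-trusted interface, so if
      # any interface is internet-facing this host is an open resolver; prefer
      # scoping via networking.firewall.interfaces.<iface>.allowed{TCP,UDP}Ports.
      # TCP must be open alongside UDP: answers larger than unbound's 1232-byte
      # EDNS buffer are truncated and clients retry the query over TCP.
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };
  };

  services.resolved = {
    enable = true;
    # Stop resolved from occupying 127.0.0.53:53 so blocky can bind port 53.
    # NOTE(review): resolved still forwards this host's own lookups to whatever
    # DNS servers networkd learned (e.g. via DHCP) unless networking.nameservers
    # or the per-link DNS points at 127.0.0.1 -- confirm, otherwise only remote
    # clients actually go through blocky/unbound.
    extraConfig = ''
      DNSStubListener=no
    '';
  };

  # ---------------------------------------------------------------------------
  # Locale / console
  # ---------------------------------------------------------------------------
  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  # ---------------------------------------------------------------------------
  # Users
  # ---------------------------------------------------------------------------
  users.mutableUsers = false;
  # mkpasswd -m sha512crypt
  # NOTE(review): this hash is committed to the repository and becomes part of
  # the system closure (world-readable Nix store), i.e. it is an offline
  # cracking target. "$6$" without an explicit rounds= means the 5000-round
  # default. Prefer `mkpasswd -m yescrypt` and supply it through
  # users.users.root.hashedPasswordFile from a secrets store (agenix/sops-nix)
  # instead of inlining the hash here.
  users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";

  environment.systemPackages = with pkgs; [
    htop
    sbctl
    tmux
    vim
    wget
  ];

  powerManagement.powertop.enable = true;
  programs.neovim.enable = true;
  services.tailscale.enable = true;

  # ---------------------------------------------------------------------------
  # DNS: blocky (filtering, :53, all interfaces) -> unbound (loopback :5335)
  #      -> Quad9 over DNS-over-TLS
  # ---------------------------------------------------------------------------
  services.unbound = {
    enable = true;
    settings = {
      server = {
        # Loopback only; blocky is the sole intended client.
        interface = [ "127.0.0.1" ];
        port = 5335;
        access-control = [ "127.0.0.1 allow" ];
        num-threads = 4;
        # Reject out-of-bailiwick glue and answers with DNSSEC data stripped.
        harden-glue = true;
        harden-dnssec-stripped = true;
        # 0x20 case randomisation off (some forwarders mishandle it).
        use-caps-for-id = false;
        prefetch = true;
        # 1232 bytes avoids IP fragmentation ("DNS flag day 2020"); larger
        # answers are truncated and clients fall back to TCP.
        edns-buffer-size = 1232;
        hide-identity = true;
        hide-version = true;
        # DNS-rebinding protection: answers pointing into these ranges are
        # removed. NOTE(review): only 172.16/12 is listed; 10/8, 192.168/16,
        # 169.254/16, fd00::/8 and fe80::/10 are not -- confirm this is
        # deliberate (e.g. internal names that must resolve into those ranges).
        private-address = [ "172.16.0.0/12" ];
      };
      forward-zone = [
        {
          name = ".";
          # DNS-over-TLS to Quad9. The "#dns.quad9.net" auth-name makes unbound
          # verify the server certificate, which requires tls-cert-bundle to be
          # set; the NixOS module is expected to default it to the system CA
          # bundle -- TODO confirm on this release, otherwise the name is unchecked.
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };

  services.blocky = {
    enable = true;
    settings = {
      # Every query goes to the local unbound; the port is read from unbound's
      # own config so the two definitions cannot drift apart.
      upstreams.groups.default = [
        "127.0.0.1:${builtins.toString config.services.unbound.settings.server.port}"
      ];
      blocking = {
        # Fetched over HTTPS at runtime and periodically re-fetched; the list
        # is trusted as-is, so a changed or compromised upstream list directly
        # changes what this resolver blocks.
        denylists.ads = [ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ];
        clientGroupsBlock.default = [ "ads" ];
      };
      ports = {
        # No bind address -> all interfaces, TCP and UDP. Exposure is governed
        # by networking.firewall above.
        dns = 53;
        # port for prometheus metrics. Not opened in the firewall, so it is
        # reachable only from localhost (or a trusted interface, if one is added).
        http = 4000;
      };
      prometheus = {
        enable = true;
        path = "/metrics";
      };
      # No per-query logging (privacy by default); set a type here if an audit
      # trail of client queries is needed.
      queryLog.type = "none";
    };
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
}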