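# Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "uf": GNOME desktop on ZFS with transparent Tor / I2P egress.
# The moving parts depend on each other and must be kept in sync:
#   * unbound hands ".onion" to Tor's DNSPort (5353) and answers anything
#     under "i2p" with the fake address 10.191.0.1;
#   * the nat REDIRECT rules in networking.firewall.extraCommands steer
#     Tor's automapped range (127.192.0.0/11) into TransPort 9040 and
#     10.191.0.1 into privoxy (8118, port 80) / i2pd's HTTP proxy (4444);
#   * privoxy forwards ".i2p" on to i2pd.
{ config, pkgs, ... }:

{
  imports = [
    #./mod/dnscrypt-proxy.nix
    ./mod/hardware-configuration.nix
    ./mod/yggdrasil-static-rootless.nix
    ./guix-daemon.nix
  ];

  sound.enable = true;
  hardware.pulseaudio.enable = true;

  # Use the systemd-boot EFI boot loader.
  boot = {
    loader = {
      systemd-boot.enable = true;
      # No EFI NVRAM writes: the firmware has to find the loader on the ESP
      # by itself (default path or a pre-existing boot entry).
      efi.canTouchEfiVariables = false;
    };
    supportedFilesystems = [ "zfs" ];
  };

  #docker
  # NOTE(review): members of the "docker" group (users.users.nly below) can
  # talk to the daemon socket, which is equivalent to root on this host.
  virtualisation.docker.enable = true;

  programs.sway.enable = false;
  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  # services.xserver.displayManager.gdm.wayland = false;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.videoDrivers = [ "amdgpu" ];

  networking = {
    hostId = "818f063f"; # hex; for ZFS; taken from uuidgen.
    hostName = "uf";
    networkmanager.enable = false;
    wireless.enable = true;
    wireless.userControlled.enable = true;
    # pskRaw is the derived PSK, i.e. the credential itself, and anything
    # written here ends up in the world-readable /nix/store.  Newer NixOS
    # releases offer networking.wireless.environmentFile to keep it out of
    # the store; until then treat this file as secret.  (A commented-out
    # pskRaw for a network "FF" was dropped here: a secret in a comment is
    # still a secret in the store.)
    wireless.networks.FFF.pskRaw = "27ade8312b6c980ae36a699af5a33a1e6746d9c09cde907a4727c0633b2960b6";
    wireless.interfaces = ["wlp1s0"];
    # interfaces.enp2s0.useDHCP = true;
    interfaces.wlp1s0.useDHCP = true;

    firewall = {
      enable = true;
      # Transparent-proxy plumbing (IPv4 only -- there are no ip6tables rules,
      # so IPv6 traffic to the automapped range is NOT proxied).
      #
      # Rules are appended in order and REDIRECT is a terminating nat target,
      # so the port-80 -> 8118 (privoxy) rules must precede the catch-all
      # 10.191.0.1 -> 4444 rules; listed the other way round the catch-all
      # wins and privoxy is bypassed for plain HTTP to .i2p.
      #
      # The INPUT ACCEPT on 9040 is not scoped to an interface.  Tor binds
      # TransPort on loopback unless given an explicit address, so the rule is
      # redundant at best; where it sits relative to the generated nixos-fw
      # jump decides whether it is reachable at all -- TODO confirm, and
      # prefer "-i lo" or remove it.
      extraCommands = "
        iptables -A INPUT -p tcp --dport 9040 -j ACCEPT
        iptables -t nat -A PREROUTING -p tcp -d 127.192.0.0/11 -j REDIRECT --to-port 9040
        iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/11 -j REDIRECT --to-port 9040
        iptables -t nat -A OUTPUT -d 10.191.0.1 -p tcp --dport 80 -j REDIRECT --to-port 8118
        iptables -t nat -A PREROUTING -d 10.191.0.1 -p tcp --dport 80 -j REDIRECT --to-port 8118
        iptables -t nat -A OUTPUT -d 10.191.0.1 -p tcp -j REDIRECT --to-port 4444
        iptables -t nat -A PREROUTING -d 10.191.0.1 -p tcp -j REDIRECT --to-port 4444
      ";
      allowedTCPPorts = [ 22 80 443 8080];
      # NOTE(review): 22/80/443 are TCP services; this list mirrors the TCP
      # one and probably opens more UDP than intended -- verify and trim.
      allowedUDPPorts = [ 22 80 443 8080];
    };
  };

  time.timeZone = "UTC";

  console = {
    font = "latarcyrheb-sun16";
    keyMap = "dvorak";
  };

  users.groups.nly.gid = 1024;
  users.groups.i1l.gid = 1667;
  users.users = {
    nly = {
      group = "nly";
      # "wheel" allows su (see security.pam below); "docker" is root-equivalent.
      extraGroups = [ "wheel" "video" "audio" "docker"];
      isNormalUser = true;
      uid = 1001;
    };
    i1l = {
      group = "i1l";
      extraGroups = [ "video" "systemd-journal" ];
      isNormalUser = true;
      uid = 1666;
    };
  };
  # Only members of "wheel" may use su.
  security.pam.services.su.requireWheel = true;

  environment = {
    systemPackages = with pkgs; [
      # apps
      emacs git file vim w3m neovim age gnupg emacs-all-the-icons-fonts minetest wl-clipboard
      # linux hak
      man-pages linuxPackages.bcc linuxPackages.perf perf-tools bpftool
      # network
      wget bind curl darkhttpd
    ];
    # Source the user's own guix profile if present, else root's system-wide
    # one, then the user's package profile.
    loginShellInit = "
      init_guix () {
        # system's guix, user's guix, and user's profile
        local s u p
        s=/var/guix/profiles/per-user/root/current-guix/etc/profile
        u=~/.config/guix/current/etc/profile
        p=~/.guix-profile/etc/profile
        if [ -f $u ]; then source $u; else source $s; fi
        if [ -f $p ]; then source $p; fi
      };
      init_guix";
  };

  services.flatpak.enable = true;

  services = {
    openssh = {
      enable = true;
      allowSFTP = true;
      # keyboard-interactive (PAM challenge/response) logins; with
      # passwordAuthentication also off, public keys are the only way in.
      challengeResponseAuthentication = false;
      # X11 forwarding would expose the client's X server to the remote
      # session; keep it off.
      forwardX11 = false;
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
    };
    i2pd = {
      enable = true; # no extra config
      # HTTP proxy on 4444; the nat rules above and privoxy feed it.
      proto.httpProxy.enable = true;
    };
    tor = {
      enable = true;
      settings = {
        DNSPort = 5353;      # unbound forwards "onion." here
        TransPort = 9040;    # target of the 127.192.0.0/11 REDIRECT rules
        # ["IsolateClientAddr" "IsolateClientProtocol" "IsolateDestAddr" "IsolateDestPort"];
        AutomapHostsOnResolve = true;
        VirtualAddrNetworkIPv4 = "127.192.0.0/11";
        # No ip6tables counterpart exists in the firewall, so this range is
        # mapped but never redirected.
        VirtualAddrNetworkIPv6 = "[FE80::]/10";
        # Hidden Service SSH -- sshd is reachable as an onion service as
        # well as on TCP 22 from every interface (allowedTCPPorts).
        HiddenServiceDir = "/var/lib/tor/ssh-service/";
        HiddenServicePort = 22;
      };
    };
    unbound = {
      enable = true;
      settings = {
        server = {
          domain-insecure = "onion";   # no DNSSEC validation for .onion
          private-domain = "onion";    # loopback/private answers allowed for it
          # needed because both forward-addr entries below are loopback
          do-not-query-localhost = "no";
          # "redirect": every name under i2p answers with the apex local-data
          local-zone = [ "onion. nodefault" "\"i2p\" redirect"];
          local-data = "\"i2p A 10.191.0.1\"";
        };
        forward-zone = [
          {
            name = "onion";
            forward-addr = "127.0.0.1@5353";
            forward-first = "no";
          }
          {
            name = "ygg";
            ## this is a rather funny construction: some 4 real DNS resolvers
            ## (ALFIS) behind an /etc/hosts-on-steroids resolver.
            forward-addr = "127.0.0.2@8053";
            forward-first = "no";
          }
        ];
      };
    };
    privoxy = {
      enable = true;
      settings = {
        # rebuild the URL from the Host header of REDIRECTed plain-HTTP traffic
        accept-intercepted-requests = true;
        forward = ".i2p 127.0.0.1:4444";
      };
    };
  };

  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.03"; # Did you read the comment?
}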