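# NixOS module for the host "minideck". It is configured as a container
# (boot.isContainer), gets a static address on host0, and uses sockets that
# are shared with the outside through /tmp.
{ lib, config, pkgs, ... }:
with lib;
{
  # NOTE(review): orbekk.simple-firewall is defined outside this file. It is
  # force-disabled here while sshd is enabled further down, so packet
  # filtering is presumably left to the host side of host0 - confirm.
  orbekk.simple-firewall.enable = mkForce false;

  # Install desktop packages, but don't enable X11.
  orbekk.desktop.enable = true;
  orbekk.development.enable = true;
  services.xserver.enable = mkForce false;
  services.xserver.displayManager.lightdm.enable = mkForce false;

  # For bridge development.
  # The "orbekk" role is granted privileges on bridge_latest only.
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "bridge_latest" ];
    ensureUsers = [
      {
        name = "orbekk";
        ensurePermissions."DATABASE bridge_latest" = "ALL PRIVILEGES";
      }
    ];
  };

  # Fake pipewire socket activation: instead of a socket unit, a user service
  # links the socket found in /tmp into the user's runtime directory (%t).
  services.pipewire.socketActivation = false;
  systemd.user.services.pipewire-setup = {
    description = "Link pipewire socket";
    after = [ "paths.target" ];
    wantedBy = [ "default.target" ];
    serviceConfig = {
      # -f replaces a link left by an earlier run, so restarting the unit no
      # longer fails with "File exists"; -n keeps ln from descending into the
      # old link if it happens to resolve to a directory.
      # NOTE(review): /tmp/pipewire-0 is a fixed name in a world-writable
      # directory, so whoever creates that path first decides what clients of
      # %t/pipewire-0 talk to. Presumably only the host user populates the
      # /tmp bind mount - confirm.
      ExecStart = "${pkgs.coreutils}/bin/ln -sfn /tmp/pipewire-0 %t/pipewire-0";
      Type = "oneshot";
    };
  };

  # GPG socket is forwarded by SSH.
  systemd.user.sockets.gpg-agent.enable = mkForce false;

  nix.gc.persistent = false;
  boot.cleanTmpDir = mkForce false; # Don't delete bind mounts in /tmp.

  boot.isContainer = true;
  boot.postBootCommands = ''
    # After booting, register the contents of the Nix store in the Nix
    # database.
    if [ -f /nix-path-registration ]; then
      ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
      rm /nix-path-registration
    fi

    # nixos-rebuild also requires a "system" profile
    ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
  '';

  environment.defaultPackages = with pkgs; [
    neovim
    xmonad
  ];

  # Static resolver list written straight to /etc/resolv.conf.
  # NOTE(review): the second entry is a public resolver; lookups may be sent
  # to it whenever 172.20.100.1 does not answer - confirm that is acceptable
  # for internal names.
  environment.etc."resolv.conf".text = ''
    nameserver 172.20.100.1
    nameserver 8.8.8.8
  '';

  networking.hostName = "minideck";
  networking.interfaces.host0 = {
    ipv4.addresses = [
      {
        address = "172.20.199.2";
        prefixLength = 24;
      }
    ];
    # Default route through 172.20.199.1.
    ipv4.routes = [
      {
        address = "0.0.0.0";
        prefixLength = 0;
        via = "172.20.199.1";
      }
    ];
  };

  # Empty password hash for root: a local root login needs no password.
  # Priority 150 is weaker than a plain definition, so any other module that
  # sets this option normally replaces the empty hash.
  # NOTE(review): sshd is enabled below. OpenSSH's stock
  # PermitEmptyPasswords=no should keep this account from being usable over
  # SSH, but verify that no other module relaxes the sshd settings and that
  # only trusted users can open a console in the container.
  users.users.root.initialHashedPassword = mkOverride 150 "";

  system.activationScripts.installInitScript = mkForce ''
    ln -fs $systemConfig/init /sbin/init
  '';

  # Pull in a profile placed at the filesystem root from outside this
  # configuration. The readability guard avoids an error in every shell when
  # the file has not been provided.
  # NOTE(review): this runs in root's shells as well, and the file is not
  # managed by Nix; it should be root-owned and not writable by unprivileged
  # users - confirm how it is provisioned.
  environment.shellInit = ''
    if [ -r /.host-profile ]; then
      source /.host-profile
    fi
  '';

  # sshd is started on the first incoming connection (socket activation).
  services.openssh.enable = mkDefault true;
  services.openssh.startWhenNeeded = mkDefault true;

  system.stateVersion = "22.05";

  systemd.tmpfiles.rules = [
    # Don't remove the X11 socket.
    "d /tmp/.X11-unix 1777 root root"
  ];

  # Units left out of the system; see boot.isContainer above.
  systemd.suppressedSystemUnits = [
    "systemd-udev-trigger.service"
    "systemd-udevd.service"
    "sys-fs-fuse-connections.mount"
    "sys-kernel-debug.mount"
    "dev-mqueue.mount"
  ];
}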