nixos/configuration.nix


# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, lib, nixpkgs, pkgs, home-manager, ... }:
let
# Python 3 interpreter bundled with the git_plan module; the git_plan systemd
# units in this file run it.
my_python = pkgs.python3.withPackages (pyPkgs: [ pyPkgs.git_plan ]);

# Emacs build whose package set is derived from ./emacs.el, which is also
# installed as the default init file.
# NOTE(review): overrideAttrs only adds a derivation attribute named
# withTreeSitter; if the intent is to set the build argument, `.override` is
# the usual mechanism. Confirm.
my_emacs = pkgs.emacsWithPackagesFromUsePackage {
  package = pkgs.emacs29-pgtk.overrideAttrs (_: { withTreeSitter = true; });
  config = ./emacs.el;
  defaultInitFile = true;
  #alwaysEnsure = true;
  # Packages added on top of whatever ./emacs.el pulls in.
  extraEmacsPackages = epkgs: [
    pkgs.mu
    pkgs.mu.mu4e
    epkgs.treesit-grammars.with-all-grammars
    epkgs.evil-collection
  ];
};
in {
imports = [
#./gnupg.nix
];
# Turn on the flake-aware CLI.
nix.settings.experimental-features = [ "nix-command" "flakes" ];

# Extra nix.conf lines.
#  - `!include` points nix.conf at the sops-managed github_token file, so only
#    the path, not the token, is written into the generated configuration.
#  - `extra-sandbox-paths` makes the host ccache directory visible inside
#    every build sandbox.
# NOTE(review): a cache directory shared by all sandboxed builds weakens build
# isolation, since one build can leave objects that a later build reuses.
# Acceptable on a single-user workstation; confirm before building untrusted
# derivations.
nix.extraOptions = ''
  !include ${config.sops.secrets.github_token.path}
  bash-prompt = (nix:$name)\040\[\033[1;32m\][\u@\h:\w]\$\[\033[0m\]\040
  extra-sandbox-paths = /nix/var/cache/ccache
'';
# Secrets are decrypted from ./secrets.yaml by sops-nix, using the gpg binary
# from pkgs.gnupg.
sops = {
  defaultSopsFile = ./secrets.yaml;
  environment.SOPS_GPG_EXEC = "${pkgs.gnupg}/bin/gpg";
  secrets =
    let
      # Ownership for secrets read by processes running as the desktop user.
      ownedByUser = {
        owner = config.users.users.knazarov.name;
        group = config.users.users.knazarov.group;
      };
    in {
      fastmail_password = ownedByUser;
      github_token = ownedByUser;
      git_plan_config = ownedByUser;
      git_plan_credentials = ownedByUser;
      # No owner override: keeps the sops-nix default ownership (presumably
      # root-only, verify). Read by the mullvad-daemon postStart script.
      mullvad_account = { };
    };
};
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# NOTE(review): a proxy URL with inline credentials would be stored in the
# world-readable Nix store; keep credentials in a sops secret if this is ever
# enabled.
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

# Network connections are managed by NetworkManager.
networking.networkmanager.enable = true;

# Time zone.
time.timeZone = "Europe/London";

# Locale: every LC_* category listed below uses the same value as the default.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = lib.genAttrs [
  "LC_ADDRESS"
  "LC_IDENTIFICATION"
  "LC_MEASUREMENT"
  "LC_MONETARY"
  "LC_NAME"
  "LC_NUMERIC"
  "LC_PAPER"
  "LC_TELEPHONE"
  "LC_TIME"
] (_category: "en_US.UTF-8");

# Mainly to access SMB shares on the local network.
services.gvfs.enable = true;
services.gvfs.package = lib.mkForce pkgs.gnome3.gvfs;

# X11 keymap.
services.xserver.xkb.layout = "us";
services.xserver.xkb.variant = "";
# Primary interactive account. Don't forget to set a password with passwd.
# The account is in wheel, and this file also lists @wheel under
# nix.settings.trusted-users, so any credential that logs in as this user
# carries administrative reach.
users.users.knazarov = {
  description = "Konstantin Nazarov";
  isNormalUser = true;
  extraGroups = [ "networkmanager" "wheel" config.users.groups.keys.name ];
  packages = [ ];
  # Public keys accepted for SSH login as this user.
  # NOTE(review): the second key's comment is root@mira, i.e. presumably root
  # on another host may log in here as a wheel member. Confirm that both keys
  # are still needed and rotate any that are not.
  openssh.authorizedKeys.keys = [
    "ssh-rsa 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 knazarov"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkDvP2BO1uV0AwEjABYFEiA2BbGo1IsSht4emYMRLgi root@mira"
  ];
};
# Permit packages with non-free licences (presumably needed for entries such
# as slack and zoom-us below).
nixpkgs.config.allowUnfree = true;

# Packages installed system-wide for every user. Order is kept as authored.
environment.systemPackages = with pkgs; [
  # needed to request polkit access (for instance, for SMB shares)
  lxqt.lxqt-policykit
  vim
  waybar
  foot
  wayland
  xdg-utils
  glib
  dracula-theme
  adwaita-icon-theme
  swaylock
  swayidle
  wl-clipboard
  keyd
  tdesktop
  git
  source-code-pro
  pavucontrol
  brightnessctl
  sops
  age
  ssh-to-age
  syncthing
  pass
  pkgs.gnupg
  pciutils
  slack
  q-sh
  notes-sh
  transmission_4-gtk
  mpv
  imv
  okular
  yt-dlp
  evince # document viewer
  firefox
  gthumb
  unzip
  somafm-cli
  yubikey-manager
  yubikey-manager-qt
  ripgrep
  file
  zoom-us
  obs-studio
  nautilus
  xfce.thunar
  zig
  mullvad-vpn
  mullvad
  usbutils
  wf-recorder
  xournalpp
  dnsutils
  graphviz
  fzf
  fd
  nixfmt
  my_emacs
  libreoffice
  gcc
  neovim
  go
  gopls
  lazygit
  guile
  solc
  kdenlive
  kooha # screen capture
  # ----------
  # mainly needed for npm which decided to play hardball
  automake
  autoconf
  # ----------
  # Locally packaged tool built from ./nil_cli.nix.
  (pkgs.callPackage ./nil_cli.nix {})
  #network-manager-applet
  #(clang-tools.override {
  #llvmPackages = llvmPackages_17;
  #enableLibcxx = false;
  #}) # mainly for clang-format
  clang-tools
  # wget
  my_python
];
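services.mullvad-vpn.enable = true;

# After the daemon starts: wait until its CLI answers, log in with the account
# number held in the sops secret, then turn on auto-connect and in-tunnel IPv6.
# The secret path comes from the sops option rather than a hard-coded
# /var/run/secrets location, so renaming the secret fails at evaluation time,
# and the command substitution is quoted so the value is passed as one word.
# NOTE(review): the account number is still handed over as a command-line
# argument, which is visible in the process list while the command runs. If
# the CLI can read the number from stdin, prefer that. Confirm.
systemd.services."mullvad-daemon".postStart =
  let
    mullvad = config.services.mullvad-vpn.package;
    accountFile = config.sops.secrets.mullvad_account.path;
  in ''
    while ! ${mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
    ${mullvad}/bin/mullvad account login "$(cat ${accountFile})"
    ${mullvad}/bin/mullvad auto-connect set on
    ${mullvad}/bin/mullvad tunnel ipv6 set on
  '';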
# Firmware updates and the GNOME keyring daemon.
services.fwupd.enable = true;
services.gnome.gnome-keyring.enable = true;
#services.emacs.package = nixpkgs.emacsUnstablePgtk;

# Enables wayland support in electron apps (e.g. slack)
environment.sessionVariables.NIXOS_OZONE_WL = "1";

# Enable screen sharing on Wayland
xdg.portal.enable = true;
xdg.portal.wlr.enable = true;
xdg.portal.extraPortals = [
  pkgs.xdg-desktop-portal-wlr
  pkgs.xdg-desktop-portal-gtk
];

# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;

# gpg-agent also serves as the SSH agent (enableSSHSupport) and exposes its
# extra socket (enableExtraSocket).
programs.gnupg.package = pkgs.gnupg;
programs.gnupg.agent.enable = true;
programs.gnupg.agent.enableSSHSupport = true;
programs.gnupg.agent.enableExtraSocket = true;

programs.sway.enable = true;
programs.sway.wrapperFeatures.gtk = true;

# List services that you want to enable:
# PipeWire with ALSA (including 32-bit) and PulseAudio compatibility, using
# WirePlumber as the session manager.
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
services.pipewire.wireplumber.enable = true;

programs.steam.enable = true;
# Disable unneeded PipeWire devices and rename the ones I use to more recognizable names
# Installs a Lua rules file under /etc/wireplumber/main.lua.d. Each
# table.insert adds one alsa_monitor rule matching a node by its exact
# node.name; the first three set a description and nick, the last three set
# node.disabled.
# NOTE(review): main.lua.d is the WirePlumber 0.4 Lua configuration layout.
# If the installed WirePlumber is 0.5 or later this file is presumably not
# read. Confirm the rules still take effect.
environment.etc."wireplumber/main.lua.d/51-device-rename.lua".text = ''
table.insert(alsa_monitor.rules, {
matches = {
{
{ "node.name", "equals", "alsa_output.usb-Audioengine_LLC_Audioengine_2__AE202010001A2002-00.analog-stereo" },
},
},
apply_properties = {
["node.description"] = "Speakers",
["node.nick"] = "Speakers",
},
})
table.insert(alsa_monitor.rules, {
matches = {
{
{ "node.name", "equals", "alsa_output.usb-SteelSeries_SteelSeries_Arctis_5_00000000-00.analog-chat" },
},
},
apply_properties = {
["node.description"] = "Headphones",
["node.nick"] = "Headphones",
},
})
table.insert(alsa_monitor.rules, {
matches = {
{
{ "node.name", "equals", "alsa_input.usb-SteelSeries_SteelSeries_Arctis_5_00000000-00.analog-chat" },
},
},
apply_properties = {
["node.description"] = "Headphone Mic",
["node.nick"] = "Headphone Mic",
},
})
table.insert(alsa_monitor.rules, {
matches = {
{{ "node.name", "equals", "alsa_output.usb-SteelSeries_SteelSeries_Arctis_5_00000000-00.analog-game" },},
},
apply_properties = {
["node.disabled"] = true,
},
})
table.insert(alsa_monitor.rules, {
matches = {
{{ "node.name", "equals", "alsa_output.pci-0000_14_00.1.hdmi-stereo" },},
},
apply_properties = {
["node.disabled"] = true,
},
})
table.insert(alsa_monitor.rules, {
matches = {
{{ "node.name", "equals", "alsa_input.usb-MACROSILICON_USB_Video-02.analog-stereo" },},
},
apply_properties = {
["node.disabled"] = true,
},
})
'';
services.dbus.enable = true;

# greetd launches sway directly as knazarov for both the initial session and
# the default session.
# NOTE(review): with both sessions pointing at the user's compositor there is
# presumably no login prompt at boot or after the session exits, so anyone at
# the console gets the desktop until swayidle locks it. This relies on disk
# encryption and physical security; confirm that is the intent, or point
# default_session at a greeter.
services.greetd = {
  enable = true;
  settings =
    let
      swayAsUser = {
        command = "${pkgs.sway}/bin/sway";
        user = "knazarov";
      };
    in {
      initial_session = swayAsUser;
      default_session = swayAsUser;
    };
};
# keyd remapping applied to every keyboard (ids = "*"):
# capslock acts as control when held and esc when tapped, left alt and left
# meta are swapped via layers, and in the meta_mac layer c and v send the
# copy and paste insert chords.
services.keyd.enable = true;
services.keyd.keyboards.default = {
  ids = [ "*" ];
  settings = {
    main = {
      capslock = "overload(control, esc)";
      leftalt = "layer(meta_mac)";
      leftmeta = "layer(alt)";
    };
    "meta_mac:M" = {
      c = "C-insert";
      v = "S-insert";
    };
  };
};
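# Enable the OpenSSH daemon, restricted to public-key logins.
# The only normal user defined in this file has authorized keys configured,
# so password and keyboard-interactive authentication are switched off to
# remove password guessing as a way in. The settings use the current
# capitalised option names; the previously commented-out lower-case names
# were the pre-rename spelling.
# If password login over SSH is genuinely required, set these back to true
# deliberately rather than by default.
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };
};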
# Jellyfin media server, with its own firewall openings requested.
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;

# Additional inbound TCP ports.
# NOTE(review): 8096 is presumably Jellyfin's HTTP port and already covered
# by openFirewall above. 8384 is listed under Syncthing and is presumably its
# web GUI; opening it only matters if the GUI listens on a non-loopback
# address, and in that case the admin interface is reachable from the
# network. Confirm it is needed and protected by a GUI password, otherwise
# drop it.
networking.firewall.allowedTCPPorts = [
  8096
  # Syncthing
  8384
  22000
];

# Additional inbound UDP ports.
networking.firewall.allowedUDPPorts = [
  # Syncthing
  22000
  21027
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?

security.polkit.enable = true; # needed for sway
security.rtkit.enable = true; # needed for pipewire

# allow remote rebuilds
# NOTE(review): a trusted Nix user can override daemon settings and import
# unsigned store paths, which is effectively root-equivalent. With @wheel
# trusted, every wheel account and every key that can log in as one inherits
# that. Keep wheel membership minimal.
nix.settings.trusted-users = [ "@wheel" ];

# needed for YubiKey smartcard support
services.pcscd.enable = true;

fonts.fontDir.enable = true;
fonts.packages = [
  pkgs.dejavu_fonts
  (pkgs.nerdfonts.override { fonts = [ "SourceCodePro" ]; })
  pkgs.source-code-pro
  pkgs.font-awesome # for waybar indicators
];
home-manager.users.knazarov = {
# The home.stateVersion option does not have a default and must be set
home.stateVersion = "24.11";

# Session environment: terminal Emacs as the editor, and a Guile load path
# under the user's home directory.
home.sessionVariables.EDITOR = "emacs -nw --no-splash";
home.sessionVariables.GUILE_LOAD_PATH = "${config.users.users.knazarov.home}/guile";

# ~/.guile is taken from ./guile-config.
home.file.".guile".source = ./guile-config;

# lf file manager with sixel output and chafa as the previewer.
programs.lf.enable = true;
programs.lf.extraConfig = ''
  set sixel true
  set previewer ${pkgs.chafa}/bin/chafa
'';

programs.bash = {
  enable = true;
  # Inside an Emacs vterm, source the vterm shell integration script when
  # EMACS_VTERM_PATH is set and the script exists.
  bashrcExtra = ''
    if [[ "$INSIDE_EMACS" = 'vterm' ]] \
    && [[ -n ''${EMACS_VTERM_PATH} ]] \
    && [[ -f ''${EMACS_VTERM_PATH}/etc/emacs-vterm-bash.sh ]]; then
    source ''${EMACS_VTERM_PATH}/etc/emacs-vterm-bash.sh
    fi
  '';
  shellAliases = {
    # nn: notes.sh -n; ne: pick a note with fzf and pass it to notes.sh -e.
    nn = "notes.sh -n";
    ne =
      ''notes.sh -l | fzf --tac --with-nth="2..-1" | xargs -o notes.sh -e'';
    vim = "emacs -nw --no-splash";
  };
};
# Firefox is the default handler for HTML and for the listed URL schemes.
xdg.mimeApps.enable = true;
xdg.mimeApps.defaultApplications = lib.genAttrs [
  "text/html"
  "x-scheme-handler/http"
  "x-scheme-handler/https"
  "x-scheme-handler/about"
  "x-scheme-handler/unknown"
] (_mimeType: "firefox.desktop");

# GTK 3 and 4 with animations switched off.
gtk.enable = true;
gtk.gtk3.extraConfig.gtk-enable-animations = "0";
gtk.gtk4.extraConfig.gtk-enable-animations = "0";
# Workaround for https://github.com/nix-community/home-manager/issues/5146
services.gpg-agent.enable = true;
services.gpg-agent.enableExtraSocket = true;
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;

# GnuPG with a declaratively managed keyring: the keys and the trust settings
# come from this list and are marked immutable (mutableKeys and mutableTrust
# are false).
# NOTE(review): both imported keys get ultimate trust, which GnuPG treats as
# "this is my own key". Presumably both belong to the owner; if the second is
# someone else's key, a lower trust level is the safer setting.
programs.gpg = {
  enable = true;
  package = pkgs.gnupg;
  settings.default-key = "0x0560020C9C577C1B";
  mutableKeys = false;
  mutableTrust = false;
  publicKeys = [
    {
      source = ./gpg_public_key.asc;
      trust = "ultimate";
    }
    {
      source = ./pgp_keys/FB4809DC51A4F483.asc;
      trust = "ultimate";
    }
  ];
};

# Git identity; every commit is signed with the default GnuPG key.
programs.git = {
  enable = true;
  package = pkgs.gitAndTools.gitFull; # needed for git send-email support
  userName = "Konstantin Nazarov";
  userEmail = "mail@knazarov.com";
  signing = {
    signByDefault = true;
    key = "0x0560020C9C577C1B";
    gpgPath = "${pkgs.gnupg}/bin/gpg2";
  };
  extraConfig.push.autoSetupRemote = true;
};
# Mail is stored under ~/Maildir.
accounts.email.maildirBasePath = "${config.users.users.knazarov.home}/Maildir";

# Single Fastmail account, used by mu, msmtp, mbsync and neomutt.
accounts.email.accounts.personal =
  let
    mailAddress = "mail@knazarov.com";
  in {
    primary = true;
    flavor = "fastmail.com";
    address = mailAddress;
    userName = mailAddress;
    realName = "Konstantin Nazarov";
    # The password is read at use time from the sops-decrypted file, so it
    # never appears in this configuration.
    passwordCommand = "cat /run/secrets/fastmail_password";
    gpg = {
      key = "0x0560020C9C577C1B";
      signByDefault = true;
    };
    mu.enable = true;
    msmtp.enable = true;
    mbsync = {
      enable = true;
      # Folders existing on the server, but not locally, will be created.
      create = "maildir";
    };
    neomutt.enable = true;
  };

programs.neomutt.enable = true;
programs.mu.enable = true;
programs.msmtp.enable = true;
programs.mbsync.enable = true;
#services.easyeffects = {
# enable = true;
#};
# Idle handling: lock the screen after 300 s, turn outputs off after 600 s
# (and back on at resume), and lock before the machine sleeps.
services.swayidle =
  let
    lockScreen = "${pkgs.swaylock}/bin/swaylock -f -c 000000";
  in {
    enable = true;
    timeouts = [
      {
        timeout = 300;
        command = lockScreen;
      }
      {
        timeout = 600;
        command = ''${pkgs.sway}/bin/swaymsg "output * dpms off"'';
        resumeCommand = ''${pkgs.sway}/bin/swaymsg "output * dpms on"'';
      }
    ];
    events = [
      {
        event = "before-sleep";
        command = lockScreen;
      }
    ];
  };

# Emacs daemon running the custom build, with the emacsclient entry enabled.
services.emacs.enable = true;
services.emacs.package = my_emacs;
services.emacs.client.enable = true;
# Sway window manager: Mod4 as modifier, foot as terminal, waybar as the bar.
wayland.windowManager.sway = {
  enable = true;
  xwayland = true;
  config = rec {
    modifier = "Mod4";
    terminal = "foot";
    bars = [ { "command" = "waybar"; } ];

    # Bindings layered over the defaults: media and brightness keys, the
    # terminal, the q launcher in a floating foot window, a region screenshot
    # copied to the clipboard, and the kooha recorder.
    keybindings = pkgs.lib.mkOptionDefault {
      "XF86AudioRaiseVolume" =
        "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
      "XF86AudioLowerVolume" =
        "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
      "XF86AudioMute" = "exec wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
      "XF86AudioMicMute" =
        "exec pactl set-source-mute @DEFAULT_SOURCE@ toggle";
      "XF86MonBrightnessUp" = "exec brightnessctl s +5%";
      "XF86MonBrightnessDown" = "exec brightnessctl s 5%-";
      #"Mod4+Return" =
      #"exec emacs --eval '(progn (setq confirm-kill-processes nil) (vterm))'";
      #"Mod4+Return" = "exec emacsclient -c";
      "Mod4+Return" = "exec foot";
      "Mod4+space" =
        "exec ${pkgs.foot}/bin/foot -T mylauncher -a mylauncher ${pkgs.q-sh}/bin/q";
      "Mod4+p" =
        "exec '${pkgs.grim}/bin/grim -g \"$$(${pkgs.slurp}/bin/slurp)\" - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png'";
      "Mod4+o" =
        "exec '${pkgs.kooha}/bin/kooha'";
    };

    # Wallpaper on every output, plus per-monitor scale and mode.
    output = {
      "*" = { bg = "${./wallpaper.jpg} fill"; };
      "Lenovo Group Limited LEN T32p-20 VNA4VRNY" = { scale = "1.5"; };
      "LG Electronics LG TV SSCR2 0x01010101" = { mode = "1920x1080@60Hz"; };
    };

    # US and RU layouts, toggled with alt+space.
    input."type:keyboard" = {
      xkb_layout = "us,ru";
      xkb_options = "grp:alt_space_toggle";
    };

    gaps = {
      inner = 10;
      outer = 5;
    };

    colors.unfocused = {
      border = "#dddddd";
      background = "#dddddd";
      text = "#888888";
      indicator = "#888888";
      childBorder = "#888888";
    };
  };

  # Raw sway directives: floating rules for helper windows, border width, and
  # the tablet mapped to one output.
  extraConfig = ''
    for_window [title="as_toolbar"] floating enable
    for_window [title="mylauncher"] floating enable
    for_window [title="Firefox.*Sharing Indicator"] floating enable;
    default_border pixel 3
    input 1386:885:Wacom_Intuos_M_Pen map_to_output HDMI-A-1
  '';
};
# foot terminal: Source Code Pro at size 12, a light colour scheme, and
# clipboard bindings that match the insert chords sent by the keyd layer.
programs.foot.enable = true;
programs.foot.settings = {
  main.font = "Source Code Pro:size=12";

  colors = {
    background = "ffffff";
    foreground = "000000";

    # Regular palette.
    regular0 = "000000";
    regular1 = "a60000";
    regular2 = "005e00";
    regular3 = "813e00";
    regular4 = "0031a9";
    regular5 = "721045";
    regular6 = "00538b";
    regular7 = "bfbfbf";

    # Bright palette.
    bright0 = "595959";
    bright1 = "972500";
    bright2 = "315b00";
    bright3 = "70480f";
    bright4 = "2544bb";
    bright5 = "5317ac";
    bright6 = "005a5f";
    bright7 = "ffffff";
  };

  key-bindings = {
    clipboard-copy = "Control+Insert";
    clipboard-paste = "Shift+Insert";
    primary-paste = "Control+Shift+v";
  };
};
# Waybar: one top bar, 24 px high, with sway workspaces and mode on the left,
# the window title in the centre, and idle inhibitor, battery, clock and tray
# on the right.
# NOTE(review): the icon strings below are empty or whitespace-only as shown
# here; presumably they held icon-font glyphs (font-awesome is installed for
# waybar indicators) that were lost in rendering. Restore them from the
# original file.
programs.waybar = {
enable = true;
settings = [{
layer = "top";
position = "top";
height = 24;
modules-left = [ "sway/workspaces" "sway/mode" ];
modules-center = [ "sway/window" ];
modules-right = [ "idle_inhibitor" "battery" "clock" "tray" ];
clock.format = "{:%Y-%m-%d %H:%M}";
battery = {
# Battery percentage thresholds for the warning and critical states.
states = {
# good = 95;
warning = 30;
critical = 15;
};
format = "{capacity}% {icon}";
format-charging = "{capacity}% ";
format-plugged = "{capacity}% ";
format-alt = "{time} {icon}";
format-icons = [ "" "" "" "" "" ];
};
idle_inhibitor = {
format = "{icon}";
format-icons = {
activated = "";
deactivated = "";
};
};
}];
};
# Per-user Syncthing instance.
services.syncthing.enable = true;

# Adwaita pointer cursor at size 24, also set as the X11 default cursor.
home.pointerCursor = {
  package = pkgs.adwaita-icon-theme;
  name = "Adwaita";
  size = 24;
  x11.enable = true;
  x11.defaultCursor = "Adwaita";
};
};
# Podman with the docker compatibility option and DNS enabled on the default
# container network.
virtualisation.podman = {
  enable = true;
  dockerCompat = true;
  defaultNetwork.settings.dns_enabled = true;
};

# Extra udev rule packages: Android devices, plus rules built from
# ./zsa-udev-rules.nix.
services.udev.packages = [
  pkgs.android-udev-rules
  (pkgs.callPackage ./zsa-udev-rules.nix { })
];
# Auto-mount rule for one USB storage device. The serial used in the match
# can be looked up with:
#udevadm info --query=all --name=/dev/sda1 | grep ID_SERIAL
# When a USB block device carrying a filesystem reports the serial
# Hidizs_AP80PRO, udev runs systemd-mount to automount it at /media with
# knazarov as owner. The rule is assembled from several string pieces into a
# single line.
# NOTE(review): ID_SERIAL_SHORT is reported by the device itself, so any USB
# storage device presenting this serial is mounted without confirmation, and
# the kernel parses its filesystem. Consider passing restrictive mount
# options (for example nosuid, nodev, noexec) to systemd-mount, and confirm
# the rule is still wanted.
services.udev.extraRules =
''ACTION=="add", SUBSYSTEMS=="usb", SUBSYSTEM=="block", '' + ''
ENV{ID_FS_USAGE}=="filesystem", ENV{ID_SERIAL_SHORT}=="Hidizs_AP80PRO", ''
+ ''RUN{program}+="${pkgs.systemd}/bin/systemd-mount --owner knazarov ''
+ ''--no-block --automount=yes --collect $devnode /media"'';
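# git_plan runs as two oneshot units under the knazarov account:
#  - git_plan:    `oneshot` mode, one hour after boot and hourly after that;
#  - git_plan_pr: `pr` mode, Monday to Friday at 10:00.
# Both read their config and credentials from sops secrets. The paths are
# taken from the sops options instead of hard-coded /var/run/secrets
# locations, so a renamed or removed secret fails at evaluation time rather
# than at run time.
# NOTE(review): the units carry credentials and run without any systemd
# sandboxing directives. Consider adding some (for example NoNewPrivileges,
# PrivateTmp, ProtectSystem) once it is confirmed what git_plan needs to
# access.
systemd.timers."git_plan" = {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnBootSec = "1h";
    OnUnitActiveSec = "1h";
    Unit = "git_plan.service";
  };
};

systemd.services."git_plan" = {
  script = ''
    ${my_python}/bin/python3 -m git_plan -c ${config.sops.secrets.git_plan_config.path} -r ${config.sops.secrets.git_plan_credentials.path} oneshot
  '';
  serviceConfig = {
    Type = "oneshot";
    User = "knazarov";
    # State directory named git_plan, managed by systemd.
    StateDirectory = "git_plan";
    Environment = "PYTHONUNBUFFERED=1";
  };
};

systemd.timers."git_plan_pr" = {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnCalendar = "Mon,Tue,Wed,Thu,Fri *-*-* 10:00:00";
    Unit = "git_plan_pr.service";
  };
};

systemd.services."git_plan_pr" = {
  script = ''
    ${my_python}/bin/python3 -m git_plan -c ${config.sops.secrets.git_plan_config.path} -r ${config.sops.secrets.git_plan_credentials.path} pr
  '';
  serviceConfig = {
    Type = "oneshot";
    User = "knazarov";
    StateDirectory = "git_plan";
    Environment = "PYTHONUNBUFFERED=1";
  };
};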
}