start to use home manager as NixOS module

machines/calcite/configuration.nix

@@ -0,0 +1,254 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./network.nix
+      ../sops.nix
+      ../clash.nix
+    ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ];
+  boot.supportedFilesystems = [ "ntfs" ];
+
+  networking.hostName = "calcite";
+
+  programs.vim.defaultEditor = true;
+
+  # Keep this even if enabled in home manager
+  programs.fish.enable = true;
+  environment.shells = [ pkgs.fish ];
+  users.defaultUserShell = pkgs.fish;
+
+  # Setup wireguard
+  # Set your time zone.
+  time.timeZone = "Asia/Shanghai";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.utf8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "zh_CN.utf8";
+    LC_IDENTIFICATION = "zh_CN.utf8";
+    LC_MEASUREMENT = "zh_CN.utf8";
+    LC_MONETARY = "zh_CN.utf8";
+    LC_NAME = "zh_CN.utf8";
+    LC_NUMERIC = "zh_CN.utf8";
+    LC_PAPER = "zh_CN.utf8";
+    LC_TELEPHONE = "zh_CN.utf8";
+    LC_TIME = "en_US.utf8";
+  };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+  # Enable the GNOME Desktop Environment.
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+
+  # Configure keymap in X11
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "";
+  };
+
+  # Enable CUPS to print documents.
+  services.printing.enable = true;
+  services.printing.drivers = [ pkgs.hplip ];
+
+  # Enable sound with pipewire.
+  sound.enable = true;
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    wireplumber.enable = true;
+    alsa.enable = true;
+    #alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    jack.enable = true;
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.xin = {
+    isNormalUser = true;
+    description = "xin";
+    extraGroups = [ "networkmanager" "wheel" "wireshark" ];
+  };
+
+  # Enable automatic login for the user.
+  services.xserver.displayManager.autoLogin.enable = true;
+  services.xserver.displayManager.autoLogin.user = "xin";
+
+  # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@tty1".enable = false;
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.permittedInsecurePackages = [
+    # For wechat-uos
+    "electron-19.0.7"
+  ];
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    # Filesystem
+    nfs-utils
+
+    winetricks
+    wineWowPackages.waylandFull
+    faudio
+
+    # ==== CLI tools ==== #
+    rust-analyzer
+
+    # tesseract5 # ocr
+    ocrmypdf # pdfocr
+
+    grc
+
+    # ==== Development ==== #
+    # VCS
+    git-crypt
+
+    jetbrains.jdk # patch jetbrain runtime java
+    jetbrains.clion
+    jetbrains.pycharm-professional
+    jetbrains.idea-ultimate
+    android-studio
+
+    # Language server
+    clang-tools
+    rnix-lsp
+
+    # C/C++
+    gcc
+    gdb
+
+    # Python
+    # reference: https://nixos.wiki/wiki/Python
+    (
+      let
+        my-python-packages = python-packages: with python-packages; [
+          pandas
+          requests
+          numpy
+          pyyaml
+        ];
+        python-with-my-packages = python3.withPackages my-python-packages;
+      in
+      python-with-my-packages
+    )
+
+    # Tex
+    texlive.combined.scheme-full
+
+    # ==== GUI Softwares ==== #
+    # Gnome tweaks
+    gnomeExtensions.dash-to-dock
+    gnomeExtensions.hide-top-bar
+    gnomeExtensions.tray-icons-reloaded
+    gnome.gnome-tweaks
+    gthumb
+
+    steam
+
+    # Multimedia
+    vlc
+    obs-studio
+    spotify
+
+    digikam
+
+    # IM
+    tdesktop
+    qq
+    config.nur.repos.xddxdd.wechat-uos
+
+    # Mail
+    thunderbird
+
+    # Password manager
+    keepassxc
+
+    # Browser
+    firefox
+    chromium
+    microsoft-edge
+
+    # Writting
+    obsidian
+    zotero
+    wpsoffice
+
+    config.nur.repos.linyinfeng.wemeet
+
+    virt-manager
+  ];
+
+  programs.steam = {
+    enable = true;
+  };
+
+  system.stateVersion = "22.05";
+
+  # Use mirror for binary cache
+  nix.settings.substituters = [
+    "https://mirrors.ustc.edu.cn/nix-channels/store"
+    "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
+  ];
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # MTP support
+  services.gvfs.enable = true;
+
+  # Fonts
+  fonts = {
+    fonts = with pkgs; [
+      (nerdfonts.override { fonts = [ "FiraCode" ]; })
+      noto-fonts
+      noto-fonts-emoji
+      liberation_ttf
+      mplus-outline-fonts.githubRelease
+      dina-font
+      proggyfonts
+      ubuntu_font_family
+      # Chinese
+      wqy_microhei
+      wqy_zenhei
+      noto-fonts-cjk-sans
+      noto-fonts-cjk-serif
+      source-han-sans
+      source-han-serif
+    ];
+    fontconfig = {
+      defaultFonts = {
+        serif = [ "Noto Serif CJK SC" "Ubuntu" ];
+        sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ];
+        monospace = [ "FiraCode NerdFont Mono" "Ubuntu" ];
+      };
+    };
+  };
+  # Virtualization
+  virtualisation = {
+    libvirtd.enable = true;
+    podman = {
+      enable = true;
+      enableNvidia = true;
+    };
+    docker = {
+      enable = true;
+      enableNvidia = true;
+      autoPrune.enable = true;
+    };
+  };
+}

machines/calcite/hardware-configuration.nix

@@ -0,0 +1,49 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/NIXROOT";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot/efi" =
+    { device = "/dev/disk/by-label/EFIBOOT";
+      fsType = "vfat";
+    };
+
+  fileSystems."/media/data" =
+    {
+      device = "/dev/disk/by-label/WINDATA";
+      fsType = "ntfs3";
+      options = [ "rw" "uid=1000" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-label/NIXSWAP"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/calcite/network.nix

@@ -0,0 +1,37 @@
+{ pkgs, ...}:
+
+{
+  # Enable networking
+  networking = {
+    nameservers = [ "127.0.0.1" "::1" ];
+    networkmanager = {
+      enable = true;
+    };
+    resolvconf.useLocalResolver = true;
+  };
+
+  # Enable Tailscale
+  services.tailscale.enable = true;
+  # services.tailscale.useRoutingFeatures = "both";
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  networking.firewall.allowedUDPPorts = [ 41641 ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  programs.steam.remotePlay.openFirewall = true;
+
+  # Add gsconnect, open firewall
+  programs.kdeconnect = {
+    enable = true;
+    package = pkgs.gnomeExtensions.gsconnect;
+  };
+
+  programs.wireshark = {
+    enable = true;
+    package = pkgs.wireshark-qt;
+  };
+
+  # services.gnome.gnome-remote-desktop.enable = true;
+}

machines/calcite/secrets.yaml

@@ -0,0 +1,30 @@
+clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL
+            N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv
+            blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi
+            OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5
+            gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD
+            WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO
+            ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk
+            eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1
+            67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-22T15:22:58Z"
+    mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3