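# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Role of this host: a NixOS build machine that other hosts use as a remote
# builder over SSH (account `nixremote`, see below). It is also a Tailscale
# node and sits on the 10.1.1.0/24 bridge behind IPFire.

{ config, pkgs, ... }:

{
  # Use Lix instead of Nix, and take the matching tooling from the same
  # Lix package set so everything is built against one implementation.
  nixpkgs.overlays = [
    (final: prev: {
      inherit (prev.lixPackageSets.stable)
        nixpkgs-review
        nix-eval-jobs
        nix-fast-build
        colmena
        ;
    })
  ];
  nix.package = pkgs.lixPackageSets.stable.lix;

  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Enable rsync.
  # NOTE(review): confirm this option evaluates — the rsync daemon module in
  # nixpkgs is `services.rsyncd`. A build host normally has no need to expose
  # an rsync daemon at all; the rsync client works without any service.
  services.rsync.enable = true;

  # Passwordless sudo for wheel group.
  # NOTE(review): with wheelNeedsPassword = false sudo never asks PAM for
  # authentication, so neither the U2F nor the SSH-agent PAM modules
  # configured below are exercised for sudo. To get "sudo only with the
  # hardware key" as described below, set this to true and rely on the
  # pam_u2f entry (its control defaults to `sufficient`).
  security.sudo.wheelNeedsPassword = false;

  # Hardware U2F support - Passwordless sudo with hardware key.
  # Keys are registered in the authfile (one line per user, as produced by
  # pamu2fcfg); a user without an entry falls through to the next PAM method.
  security.pam.u2f = {
    enable = true;
    settings = {
      authfile = "/etc/u2f_keys";
      cue = true;
      pinverification = 0; # No PIN verification
      userpresence = 1; # Require user presence (touch)
    };
  };

  # Optimize builds
  nix.settings = {
    # Enable parallel building
    max-jobs = "auto";
    cores = 0; # Use all available cores

    # Optimize store operations
    auto-optimise-store = true;

    # Build settings
    sandbox = true;
    keep-outputs = true;
    keep-derivations = true;
  };

  # Enable distributed builds (optional, for your VM setup).
  # This host is the builder, so it does not farm work out itself.
  nix.buildMachines = [];
  nix.distributedBuilds = false;

  # Optimize garbage collection
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };

  # Increase build speed with tmpfs for builds (if you have enough RAM)
  # Comment out if low on memory
  systemd.services.nix-daemon.environment = {
    TMPDIR = "/tmp";
  };
  boot.tmp.useTmpfs = true;
  boot.tmp.tmpfsSize = "50%"; # Adjust based on your 62GB RAM

  # For image building specifically
  virtualisation.vmVariant = {
    virtualisation = {
      memorySize = 4096; # Adjust for build-vm
      cores = 2;
    };
  };

  # SSH Agent authentication (pam_ssh_agent_auth). Only consulted by
  # services that actually run a PAM auth stack; see the sudo note above.
  security.pam.sshAgentAuth.enable = true;

  # Automatic upgrades. allowReboot = false means a new kernel or systemd
  # only takes effect at the next manual reboot.
  system.autoUpgrade = {
    enable = true; # Set to true for automatic updates
    dates = "daily";
    allowReboot = false;
  };

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Enable Tailscale
  services.tailscale.enable = true;

  networking.hostName = "nixos-build-machine"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "Europe/Copenhagen";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_AU.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_AU.UTF-8";
    LC_IDENTIFICATION = "en_AU.UTF-8";
    LC_MEASUREMENT = "en_AU.UTF-8";
    LC_MONETARY = "en_AU.UTF-8";
    LC_NAME = "en_AU.UTF-8";
    LC_NUMERIC = "en_AU.UTF-8";
    LC_PAPER = "en_AU.UTF-8";
    LC_TELEPHONE = "en_AU.UTF-8";
    LC_TIME = "en_AU.UTF-8";
  };

  # Configure keymap in X11
  services.xserver.xkb = {
    layout = "au";
    variant = "";
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.nixosbm = {
    isNormalUser = true;
    description = "NixOS Build Machine";
    extraGroups = ["networkmanager" "wheel"];
    packages = with pkgs; [];
  };

  # Remote builder server setup.
  # Clients connect to this account over SSH and run `nix-store --serve`,
  # so the account needs a working shell: sshd runs the remote command
  # through the login shell, and pkgs.shadow's shellPath is nologin, which
  # refuses every command and makes each remote build fail. Access stays
  # key-only: no password is declared here and the authorized keys list
  # below is the only way in.
  users.users.nixremote = {
    isNormalUser = true;
    description = "Nix Remote Builder";
    home = "/home/nixremote";
    createHome = true;
    # Real shell so sshd can execute the client's `nix-store --serve`
    # (the previous `pkgs.shadow` gave nologin and blocked it).
    shell = pkgs.bash;
    # SSH public keys of the client machines allowed to build here.
    openssh.authorizedKeys.keys = [
      # Add the public key from your client machines here
      # Example: "ssh-ed25519 AAAAC3... root@client-machine"
    ];
  };
  # NOTE(review): clients that push unsigned store paths need this user in
  # nix.settings.trusted-users; that grants full trust on the nix daemon,
  # so keep the account key-only and the key list short.

  # Make the builder's home and ~/.ssh read-only (0555). sshd's StrictModes
  # accepts this because neither directory is group- or world-writable.
  # NOTE(review): the user cannot create ~/.cache or similar; verify that
  # `nix-store --serve` runs cleanly under this account before relying on it.
  systemd.tmpfiles.rules = [
    "z /home/nixremote 0555 nixremote nixremote - -"
    "z /home/nixremote/.ssh 0555 nixremote nixremote - -"
  ];

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    fastfetch
    hyfetch
    helix
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Attach the system to the IPFire network: set a static IP on the Proxmox bridge (ens18)
  # Adjust `ens18` and the address below to your environment.
  networking.interfaces.ens18.ipv4.addresses = [
    {
      address = "10.1.1.3";
      prefixLength = 24;
    }
  ];
  networking.defaultGateway = "10.1.1.1";
  # DNS resolver on the IPFire side.
  # NOTE(review): writing /etc/resolv.conf directly bypasses NixOS's
  # resolvconf/NetworkManager handling and may conflict with it; the
  # declarative equivalent is `networking.nameservers = [ "10.1.1.2" ];`.
  environment.etc."resolv.conf".text = ''
    nameserver 10.1.1.2
  '';

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.11"; # Did you read the comment?

  # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE
  # NOTE(review): the HostName below (192.168.1.175) does not match the static
  # address this host is given above (10.1.1.3); update it, or use the
  # Tailscale name, before copying. Pinning the builder's host key with
  # programs.ssh.knownHosts is stronger than `StrictHostKeyChecking accept-new`.
  # nix.distributedBuilds = true;
  # nix.buildMachines = [
  #   {
  #     hostName = "nixos-build-machine";
  #     system = "x86_64-linux";
  #     sshUser = "nixremote";
  #     sshKey = "/root/.ssh/nixremote";
  #     maxJobs = 4;
  #     speedFactor = 2;
  #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
  #   }
  # ];
  #
  # # Generate SSH key for remote building
  # systemd.services.generate-nixremote-key = {
  #   description = "Generate SSH key for remote Nix builds";
  #   wantedBy = [ "multi-user.target" ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #   };
  #   script = ''
  #     if [ ! -f /root/.ssh/nixremote ]; then
  #       ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder"
  #     fi
  #   '';
  # };
  #
  # programs.ssh.extraConfig = ''
  #   Host nixos-build-machine
  #     HostName 192.168.1.175
  #     IdentitiesOnly yes
  #     IdentityFile /root/.ssh/nixremote
  #     User nixremote
  #     StrictHostKeyChecking accept-new
  # '';
  #
  # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub
  # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list,
  # then rebuild the build machine.
  # i.e. on the client: run "cat /root/.ssh/nixremote.pub"
  # and copy the output to the build machine's configuration.nix
}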