| author | Fuwn <[email protected]> | 2024-09-04 19:57:20 -0700 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2024-09-04 19:57:20 -0700 |
| commit | 8b5e5079e5fd00eadf2e3926c104e4ecf99a5779 (patch) | |
| tree | d35acd86220ae3ffa521677d55acb37e9436ba64 | |
| parent | styles (diff) | |
| download | nixos-config-8b5e5079e5fd00eadf2e3926c104e4ecf99a5779.tar.xz nixos-config-8b5e5079e5fd00eadf2e3926c104e4ecf99a5779.zip | |
refac
78 files changed, 724 insertions, 247 deletions
diff --git a/home/ebisu/fortune/desktop/default.nix b/home/ebisu/fortune/desktop/default.nix index 56cc9c9..a69315f 100644 --- a/home/ebisu/fortune/desktop/default.nix +++ b/home/ebisu/fortune/desktop/default.nix @@ -24,7 +24,5 @@ bibata-cursors xorg.xlsclients libnotify - # lemurs - # emptty ]; } diff --git a/home/ebisu/fortune/desktop/hyprland/hyprland/executions.nix b/home/ebisu/fortune/desktop/hyprland/hyprland/executions.nix index f9cd3c4..bcd333b 100644 --- a/home/ebisu/fortune/desktop/hyprland/hyprland/executions.nix +++ b/home/ebisu/fortune/desktop/hyprland/hyprland/executions.nix @@ -11,7 +11,7 @@ # "${pkgs.waybar}/bin/waybar" "waybar" "hyprctl setcursor Bibata-Modern-Ice 18" - "trayscale" + "trayscale --hide-window" # Fcitx5 "fcitx5-remote -r" diff --git a/home/ebisu/fortune/development/nix/default.nix b/home/ebisu/fortune/development/nix/default.nix index c713393..954dd97 100644 --- a/home/ebisu/fortune/development/nix/default.nix +++ b/home/ebisu/fortune/development/nix/default.nix @@ -29,5 +29,6 @@ devenv manix niv + nix-diff ]; } diff --git a/home/ebisu/fortune/system/virtualisation/default.nix b/home/ebisu/fortune/system/virtualisation/default.nix index 3352886..8465b37 100644 --- a/home/ebisu/fortune/system/virtualisation/default.nix +++ b/home/ebisu/fortune/system/virtualisation/default.nix @@ -1,9 +1,5 @@ { pkgs, ... }: { imports = [ ./docker.nix ]; - - home.packages = with pkgs; [ - bottles - virt-manager - ]; + home.packages = [ pkgs.bottles ]; } diff --git a/modules/default.nix b/modules/default.nix index e491f13..c18ed49 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,20 +1,10 @@ { imports = [ - ./boot - ./environment - ./programs - ./security ./hardware - ./networking - ./services - ./datetime.nix - ./nix.nix - ./nixpkgs.nix - ./system.nix - ./users.nix - ./virtualisation.nix - ./xdg-portal.nix + ./multimedia + ./nix + ./security + ./system + ./virtualisation ]; - - location.provider = "geoclue2"; } 
diff --git a/modules/environment/default.nix b/modules/environment/default.nix deleted file mode 100644 index fafb09d..0000000 --- a/modules/environment/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - imports = [ - ./system-packages - ./variables.nix - ]; - - environment.shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; -} diff --git a/modules/environment/system-packages/default.nix b/modules/environment/system-packages/default.nix deleted file mode 100644 index 1174e5e..0000000 --- a/modules/environment/system-packages/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./gtk.nix - ./libva.nix - ./nvidia.nix - ./usb.nix - ./vulkan.nix - ]; - - environment.systemPackages = with pkgs; [ - vim - wget - git - mediastreamer-openh264 - pinentry - runc - openntpd - mesa - amdctl - ]; - - systemd.services.containerd.path = with pkgs; [ - containerd - runc - iptables - nvidia-docker - ]; -} diff --git a/modules/environment/system-packages/nvidia.nix b/modules/environment/system-packages/nvidia.nix deleted file mode 100644 index dad4394..0000000 --- a/modules/environment/system-packages/nvidia.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - nvidia-container-toolkit - nvidia-docker - ]; -} diff --git a/modules/hardware/bluetooth.nix b/modules/hardware/bluetooth.nix index ede4f77..8400a72 100644 --- a/modules/hardware/bluetooth.nix +++ b/modules/hardware/bluetooth.nix @@ -1,5 +1,7 @@ { pkgs, ... }: { + boot.kernelParams = [ "btusb" ]; + hardware.bluetooth = { enable = true; powerOnBoot = true; diff --git a/modules/hardware/cpu.nix b/modules/hardware/cpu.nix new file mode 100644 index 0000000..b57190a --- /dev/null +++ b/modules/hardware/cpu.nix 
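Review bot: `boot.kernelParams = [ "btusb" ]` in bluetooth.nix puts a bare module name on the kernel command line, and as far as I know `btusb` is not a kernel parameter, so the kernel ignores it and the Bluetooth USB driver is still only loaded by udev autodetection. The old boot/default.nix carried the same entry under `kernelParams` (visible in the optimise.nix hunk further down), so this is inherited rather than new, but the refactor is the moment to fix it. If the intent is to force-load the driver, the line should read `boot.kernelModules = [ "btusb" ];`.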
@@ -0,0 +1,26 @@ +{ + pkgs, + config, + ... +}: +{ + hardware.cpu.amd.updateMicrocode = true; + environment.systemPackages = [ pkgs.amdctl ]; + + powerManagement = { + enable = true; + cpuFreqGovernor = "performance"; + }; + + boot = { + kernelModules = [ + # "kvm-amd" + "amd-pstate" + "zenpower" + "msr" + ]; + + kernelParams = [ "amd_iommu=on" ]; + extraModulePackages = [ config.boot.kernelPackages.zenpower ]; + }; +} diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix index 4c413a0..167e7c7 100644 --- a/modules/hardware/default.nix +++ b/modules/hardware/default.nix @@ -1,13 +1,14 @@ { imports = [ + ./cpu.nix ./bluetooth.nix - ./graphics.nix - ./nvidia.nix + ./usb.nix + ./tpm.nix + ./yubikey.nix ]; hardware = { enableRedistributableFirmware = true; enableAllFirmware = true; - cpu.amd.updateMicrocode = true; }; } diff --git a/modules/hardware/nvidia.nix b/modules/hardware/nvidia.nix deleted file mode 100644 index 31e2100..0000000 --- a/modules/hardware/nvidia.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, ... }: -{ - hardware = { - nvidia-container-toolkit.enable = true; - - nvidia = { - modesetting.enable = true; - open = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.production; - forceFullCompositionPipeline = true; - - powerManagement = { - enable = true; - finegrained = false; - }; - }; - }; -} diff --git a/modules/security/tpm.nix b/modules/hardware/tpm.nix index 3277d9f..b84551e 100644 --- a/modules/security/tpm.nix +++ b/modules/hardware/tpm.nix @@ -13,4 +13,6 @@ tpm2-tss tpm2-abrmd ]; + + boot.kernelModules = [ "uhid" ]; } diff --git a/modules/environment/system-packages/usb.nix b/modules/hardware/usb.nix index 28bb194..f697761 100644 --- a/modules/environment/system-packages/usb.nix +++ b/modules/hardware/usb.nix @@ -5,4 +5,6 @@ lm_sensors pciutils ]; + + boot.kernelParams = [ "usbcore.autosuspend=-1" ]; } 
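Review bot: cpu.nix loads `msr` and installs `amdctl`, a tool that writes MSRs from user space, while modules/security/kernel.nix in this same commit boots with `lockdown=confidentiality`; as far as I recall kernel lockdown at integrity level or stricter refuses MSR writes through /dev/cpu/*/msr, so amdctl will likely fail with a permission error on the resulting system. One of the two files should state which wins — either the lockdown parameter is dropped, or `msr`/amdctl are removed with a comment pointing at kernel.nix. The commented-out `# "kvm-amd"` also deserves a word on why it is disabled, since `amd_iommu=on` a few lines below suggests virtualisation is intended.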
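Review bot: `boot.kernelModules = [ "uhid" ]` lands in tpm.nix, but uhid is the user-space HID transport and has nothing to do with the TPM stack this file configures; the same pattern appears in modules/system/networking/loopback.nix, where v4l2loopback (a virtual video device) is filed under networking. Both entries came from the flat `kernelModules` list in the old boot/default.nix that this refactor splits by topic. A one-line comment on each (`# uhid: required by <consumer — fill in>`) or moving them next to their actual consumer would keep the topic split honest.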
diff --git a/modules/hardware/yubikey.nix b/modules/hardware/yubikey.nix new file mode 100644 index 0000000..87633ac --- /dev/null +++ b/modules/hardware/yubikey.nix @@ -0,0 +1,23 @@ +{ + config, + pkgs, + lib, + ... +}: +{ + hardware.gpgSmartcards.enable = true; + + services = { + pcscd.enable = true; + udev.packages = [ pkgs.yubikey-personalization ]; + }; + + environment.systemPackages = with pkgs; [ + yubikey-manager + yubikey-manager-qt + yubikey-personalization + yubikey-personalization-gui + yubico-piv-tool + yubioath-flutter + ]; +} diff --git a/modules/multimedia/audio/default.nix b/modules/multimedia/audio/default.nix new file mode 100644 index 0000000..f4e7f0a --- /dev/null +++ b/modules/multimedia/audio/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./pipewire.nix + # ./wireplumber.nix + ]; +} diff --git a/modules/services/pipewire.nix b/modules/multimedia/audio/pipewire.nix index 4e914a1..4e914a1 100644 --- a/modules/services/pipewire.nix +++ b/modules/multimedia/audio/pipewire.nix diff --git a/modules/services/wireplumber.nix b/modules/multimedia/audio/wireplumber.nix index 970396f..970396f 100644 --- a/modules/services/wireplumber.nix +++ b/modules/multimedia/audio/wireplumber.nix diff --git a/modules/multimedia/default.nix b/modules/multimedia/default.nix new file mode 100644 index 0000000..7bf261a --- /dev/null +++ b/modules/multimedia/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./audio + ./video + ]; +} diff --git a/modules/multimedia/video/default.nix b/modules/multimedia/video/default.nix new file mode 100644 index 0000000..1157479 --- /dev/null +++ b/modules/multimedia/video/default.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: +{ + imports = [ + ./graphics.nix + ./libva.nix + ./nvidia.nix + ./vulkan.nix + ]; + + environment.systemPackages = [ + pkgs.mediastreamer-openh264 + ]; +} diff --git a/modules/hardware/graphics.nix b/modules/multimedia/video/graphics.nix index 0e01517..13da295 100644 --- a/modules/hardware/graphics.nix 
+++ b/modules/multimedia/video/graphics.nix @@ -16,4 +16,6 @@ libvdpau-va-gl ]; }; + + environment.systemPackages = [ pkgs.mesa ]; } diff --git a/modules/environment/system-packages/libva.nix b/modules/multimedia/video/libva.nix index d420495..d420495 100644 --- a/modules/environment/system-packages/libva.nix +++ b/modules/multimedia/video/libva.nix diff --git a/modules/multimedia/video/nvidia.nix b/modules/multimedia/video/nvidia.nix new file mode 100644 index 0000000..bc8cb22 --- /dev/null +++ b/modules/multimedia/video/nvidia.nix @@ -0,0 +1,37 @@ +{ pkgs, config, ... }: +{ + environment = { + systemPackages = with pkgs; [ + nvidia-container-toolkit + nvidia-docker + ]; + + shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; + }; + + boot = { + blacklistedKernelModules = [ "nouveau" ]; + + kernelParams = [ + "nvidia-drm.fbdev=1" + "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + ]; + }; + + hardware = { + nvidia-container-toolkit.enable = true; + + nvidia = { + modesetting.enable = true; + open = false; + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.production; + forceFullCompositionPipeline = true; + + powerManagement = { + enable = true; + finegrained = false; + }; + }; + }; +} diff --git a/modules/environment/system-packages/vulkan.nix b/modules/multimedia/video/vulkan.nix index be37e0e..be37e0e 100644 --- a/modules/environment/system-packages/vulkan.nix +++ b/modules/multimedia/video/vulkan.nix diff --git a/modules/networking/networkmanager.nix b/modules/networking/networkmanager.nix deleted file mode 100644 index 8435824..0000000 --- a/modules/networking/networkmanager.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - networking.networkmanager = { - enable = true; - plugins = [ pkgs.networkmanager-openvpn ]; - dns = "systemd-resolved"; - wifi.backend = "iwd"; - }; -} diff --git a/modules/nix.nix b/modules/nix/default.nix index ee392d7..7461ea2 100644 --- a/modules/nix.nix 
+++ b/modules/nix/default.nix @@ -1,5 +1,16 @@ { config, ... }: { + imports = [ + ./nh.nix + ]; + + nixpkgs.config = { + cudaSupport = true; + allowUnfree = true; + }; + + programs.nix-index-database.comma.enable = true; + nix = { settings = { auto-optimise-store = true; diff --git a/modules/programs/nh.nix b/modules/nix/nh.nix index 29481a6..29481a6 100644 --- a/modules/programs/nh.nix +++ b/modules/nix/nh.nix diff --git a/modules/nixpkgs.nix b/modules/nixpkgs.nix deleted file mode 100644 index 206983c..0000000 --- a/modules/nixpkgs.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - nixpkgs.config = { - cudaSupport = true; - allowUnfree = true; - }; -} diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix new file mode 100644 index 0000000..a469add --- /dev/null +++ b/modules/security/apparmor.nix @@ -0,0 +1,22 @@ +{ pkgs, config, ... }: +{ + environment.systemPackages = with pkgs; [ + apparmor-pam + apparmor-utils + apparmor-parser + apparmor-profiles + apparmor-bin-utils + apparmor-kernel-patches + libapparmor + ]; + + services.dbus.apparmor = "enabled"; + + security.apparmor = { + enable = true; + enableCache = true; + killUnconfinedConfinables = true; + packages = [ pkgs.apparmor-profiles ]; + policies.dummy.profile = "/dummy { }"; + }; +} diff --git a/modules/security/audit.nix b/modules/security/audit.nix index 67dce9d..e5d820a 100644 --- a/modules/security/audit.nix +++ b/modules/security/audit.nix @@ -1,6 +1,10 @@ { - security.audit = { - enable = true; - rules = [ "-a exit,always -F arch=b64 -S execve" ]; + security = { + auditd.enable = true; + + audit = { + enable = true; + rules = [ "-a exit,always -F arch=b64 -S execve" ]; + }; }; } diff --git a/modules/security/default.nix b/modules/security/default.nix index 06302ea..48cc702 100644 --- a/modules/security/default.nix +++ b/modules/security/default.nix 
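Review bot: `policies.dummy.profile = "/dummy { }"` is the only policy loaded in apparmor.nix, so with `security.apparmor.enable = true` nothing on the system is actually confined; as far as I recall `security.apparmor.packages` only extends the include path for abstractions and does not load the profiles shipped in apparmor-profiles. `killUnconfinedConfinables = true` is therefore a no-op today but will start killing already-running processes the moment a real profile is added, which is worth a comment next to it. `apparmor-kernel-patches` in `environment.systemPackages` appears to be a set of source patches rather than a runtime tool and can probably be dropped from the list.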
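Review bot: The single rule `-a exit,always -F arch=b64 -S execve` in audit.nix records only 64-bit execve, so a 32-bit binary (arch=b32) or a process started via execveat() produces no audit event and the execution trail has a gap. Adding `"-a exit,always -F arch=b64 -S execve,execveat"` and `"-a exit,always -F arch=b32 -S execve,execveat"` closes both paths. Moving `auditd.enable = true` here from security/default.nix so the daemon sits next to its rules reads well.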
@@ -3,22 +3,22 @@ lib, ... }: -let - inherit (lib.modules) mkForce; -in { imports = [ + ./apparmor.nix ./audit.nix ./doas.nix + ./kernel.nix + ./pam.nix ./pki.nix ./polkit.nix ./sudo.nix - ./tpm.nix ]; security = { - auditd.enable = true; - rtkit.enable = mkForce config.services.pipewire.enable; + rtkit.enable = lib.modules.mkForce config.services.pipewire.enable; virtualisation.flushL1DataCache = "always"; }; + + programs.firejail.enable = true; } diff --git a/modules/security/kernel.nix b/modules/security/kernel.nix new file mode 100644 index 0000000..62b2f28 --- /dev/null +++ b/modules/security/kernel.nix 
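Review bot: `programs.firejail.enable = true` adds a setuid-root sandbox helper system-wide, but no `programs.firejail.wrappedBinaries` are configured in this hunk, so the commit installs a privileged binary without anything actually being sandboxed by it. If specific applications are meant to run under firejail, listing them in `wrappedBinaries` makes the intent explicit; otherwise the option is better left off until it is used. Inlining `lib.modules.mkForce` on `rtkit.enable` after removing the `let` is consistent with how polkit.nix and sudo.nix in this commit spell it.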
@@ -0,0 +1,160 @@ +{ lib, ... }: +{ + boot = { + # https://docs.kernel.org/admin-guide/sysctl/vm.html + kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = lib.mkForce 0; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + # FIXME: this breaks game launchers, find a way to launch them with privileges (steam) + # gamescope wrapped with the capabilities *might* solve the issue + # spoiler: it didn't + # "kernel.yama.ptrace_scope" = 2; + + # Hide kptrs even for processes with CAP_SYSLOG + # also prevents printing kernel pointers + "kernel.kptr_restrict" = 2; + + # Disable bpf() JIT (to eliminate spray attacks) + "net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + "kernel.ftrace_enabled" = false; + + # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
+ "kernel.dmesg_restrict" = 1; + + # Prevent creating files in potentially attacker-controlled environments such + # as world-writable directories to make data spoofing attacks more difficult + "fs.protected_fifos" = 2; + + # Prevent unintended writes to already-created files + "fs.protected_regular" = 2; + + # Disable SUID binary dump + "fs.suid_dumpable" = 0; + + # Prevent unprivileged users from creating hard or symbolic links to files + "fs.protected_symlinks" = 1; + "fs.protected_hardlinks" = 1; + + # Disable late module loading + # "kernel.modules_disabled" = 1; + + # Disallow profiling at all levels without CAP_SYS_ADMIN + "kernel.perf_event_paranoid" = 3; + + # Require CAP_BPF to use bpf + "kernel.unprivileged_bpf_disabled" = true; + + # Prevent boot console kernel log information leaks + "kernel.printk" = "3 3 3 3"; + + # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to + # prevent unprivileged attackers from loading vulnerable line disciplines with + # the TIOCSETD ioctl + "dev.tty.ldisc_autoload" = 0; + + # Kexec allows replacing the current running kernel. There may be an edge case where + # you wish to boot into a different kernel, but I do not require kexec. Disabling it + # patches a potential security hole in our system. + "kernel.kexec_load_disabled" = true; + + # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those + # options do, it is up you to educate yourself dear reader. + # See: + # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-rnd-bits> + # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-min-addr> + "vm.mmap_rnd_bits" = 32; + "vm.mmap_min_addr" = 65536; + }; + + # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html + kernelParams = [ + # I'm sure we break hibernation in at least 5 other sections of this config, so + # let's disable hibernation explicitly. 
Allowing hibernation makes it possible + # to replace the booted kernel with a malicious one, akin to kexec. This helps + # us prevent an attack called "Evil Maid" where an attacker with physical access + # to the device. P.S. I chose to mention "Evil Maid" specifically because it sounds + # funny. Do not think that is the only attack you are vulnerable to. + # See: <https://en.wikipedia.org/wiki/Evil_maid_attack> + "nohibernate" + + # make stack-based attacks on the kernel harder + "randomize_kstack_offset=on" + + # Disable vsyscalls as they are obsolete and have been replaced with vDSO. + # vsyscalls are also at fixed addresses in memory, making them a potential + # target for ROP attacks + # this breaks really old binaries for security + "vsyscall=none" + + # reduce most of the exposure of a heap attack to a single cache + # Disable slab merging which significantly increases the difficulty of heap + # exploitation by preventing overwriting objects from merged caches and by + # making it harder to influence slab cache layout + "slab_nomerge" + + # Disable debugfs which exposes a lot of sensitive information about the + # kernel. Some programs, such as powertop, use this interface to gather + # information about the system, but it is not necessary for the system to + # actually publish those. I can live without it. + "debugfs=off" + + # Sometimes certain kernel exploits will cause what is known as an "oops". + # This parameter will cause the kernel to panic on such oopses, thereby + # preventing those exploits + "oops=panic" + + # Only allow kernel modules that have been signed with a valid key to be + # loaded, which increases security by making it much harder to load a + # malicious kernel module + "module.sig_enforce=1" + + # The kernel lockdown LSM can eliminate many methods that user space code + # could abuse to escalate to kernel privileges and extract sensitive + # information. 
This LSM is necessary to implement a clear security boundary + # between user space and the kernel + # integrity: kernel features that allow userland to modify the running kernel + # are disabled + # confidentiality: kernel features that allow userland to extract confidential + # information from the kernel are also disabled + # ArchWiki recommends opting in for "integrity", however since we avoid modifying + # running kernel (by the virtue of using NixOS and locking module hot-loading) the + # confidentiality mode is a better solution. + "lockdown=confidentiality" + + # enable buddy allocator free poisoning + # on: memory will befilled with a specific byte pattern + # that is unlikely to occur in normal operation. + # off (default): page poisoning will be disabled + "page_poison=on" + + # performance improvement for direct-mapped memory-side-cache utilization + # reduces the predictability of page allocations + "page_alloc.shuffle=1" + + # for debugging kernel-level slab issues + "slub_debug=FZP" + + # ignore access time (atime) updates on files + # except when they coincide with updates to the ctime or mtime + "rootflags=noatime" + + # linux security modules + "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" + + # prevent the kernel from blanking plymouth out of the fb + "fbcon=nodefer" + + # the format that will be used for integrity audit logs + # 0 (default): basic integrity auditing messages + # 1: additional integrity auditing messages + "integrity_audit=1" + ]; + }; +} diff --git a/modules/security/pam.nix b/modules/security/pam.nix new file mode 100644 index 0000000..b7eb426 --- /dev/null +++ b/modules/security/pam.nix 
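Review bot: `module.sig_enforce=1` is commented as "only allow signed modules", but as far as I recall the stock nixpkgs kernel is built without `CONFIG_MODULE_SIG`, in which case the parameter is ignored — and if it were honoured it would refuse the unsigned out-of-tree modules this same commit depends on (zenpower and v4l2loopback via `extraModulePackages`, plus the NVIDIA driver). The comment should say which of the two holds for `linuxPackages_zen`, or the line should go, so the file does not promise an enforcement it cannot deliver. `lockdown=confidentiality` deserves a similar caveat: it is stricter than the `integrity` level the comment discusses and also denies MSR writes, which cpu.nix's `amdctl` needs. `page_poison=on` is, to my recollection, folded into `init_on_free` on recent kernels; a short note on which kernel version the comment targets would help the next reader.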
@@ -0,0 +1,50 @@ +{ + security = { + pam = { + loginLimits = [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; + + services = + let + ttyAudit = { + enable = true; + enablePattern = "*"; + }; + in + { + swaylock.text = "auth include login"; + gtklock.text = "auth include login"; + + login = { + inherit ttyAudit; + + setLoginUid = true; + }; + + sshd = { + inherit ttyAudit; + + setLoginUid = true; + }; + + sudo = { + inherit ttyAudit; + + setLoginUid = true; + }; + }; + }; + }; +} diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix index 400ea87..786d1a0 100644 --- a/modules/security/polkit.nix +++ b/modules/security/polkit.nix @@ -1,6 +1,7 @@ +{ lib, ... }: { security.polkit = { enable = true; - debug = true; + debug = lib.modules.mkDefault true; }; } diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index 5c79eaf..6623b71 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix 
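Review bot: `ttyAudit` with `enablePattern = "*"` on `login`, `sshd` and `sudo` records every keystroke of every user into the audit log, not just session metadata; `logPasswords` is left at its default (off, as far as I recall), so password prompts are excluded, but anything else typed — tokens pasted on a command line, for instance — lands in the audit log and stays for its retention period. A comment on the `ttyAudit` binding stating that this is intentional, plus a check that only root can read the audit log, would make the trade-off explicit. `swaylock.text` and `gtklock.text` replace those lockers' whole PAM stack with `auth include login`, which is fine for a screen locker but means any auth method later added to the login service is inherited by the lockers silently.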
@@ -1,7 +1,75 @@ +{ pkgs, lib, ... }: +let + inherit (lib.modules) mkForce; +in { - security.sudo = { - enable = true; - execWheelOnly = true; - wheelNeedsPassword = false; + security = { + sudo-rs.enable = mkForce false; + + sudo = { + enable = true; + execWheelOnly = mkForce true; + wheelNeedsPassword = lib.modules.mkDefault false; + + extraConfig = '' + Defaults lecture = never + Defaults pwfeedback + Defaults env_keep += "EDITOR PATH DISPLAY" + Defaults timestamp_timeout = 300 + ''; + + extraRules = [ + { + groups = [ "wheel" ]; + commands = + map + (rule: { + command = lib.meta.getExe' rule.package rule.command; + options = [ "NOPASSWD" ]; + }) + ( + with pkgs; + [ + { + package = coreutils; + command = "sync"; + } + { + package = hdparm; + command = "hdparm"; + } + { + package = nixos-rebuild; + command = "nixos-rebuild"; + } + { + package = nvme-cli; + command = "nvme"; + } + { + package = systemd; + command = "poweroff"; + } + { + package = systemd; + command = "reboot"; + } + { + package = systemd; + command = "shutdown"; + } + { + package = systemd; + command = "systemctl"; + } + { + package = util-linux; + command = "dmesg"; + } + ] + ); + } + ]; + }; }; } diff --git a/modules/system.nix b/modules/system.nix deleted file mode 100644 index 9ba445e..0000000 --- a/modules/system.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - system = { - autoUpgrade.enable = false; - - switch = { - enable = false; - enableNg = true; - }; - }; -} diff --git a/modules/system/access/default.nix b/modules/system/access/default.nix new file mode 100644 index 0000000..7db7629 --- /dev/null +++ b/modules/system/access/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./gnupg.nix + ./mosh.nix + ./ssh.nix + ]; +} diff --git a/modules/programs/gnupg.nix b/modules/system/access/gnupg.nix index aeffb23..aeffb23 100644 --- a/modules/programs/gnupg.nix +++ b/modules/system/access/gnupg.nix diff --git a/modules/programs/mosh.nix b/modules/system/access/mosh.nix index c9af5bf..c9af5bf 100644 
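Review bot: The NOPASSWD allowlist in `extraRules` is root-equivalent as written: `nixos-rebuild` activates arbitrary configuration and an unrestricted `systemctl` starts arbitrary units, so the list grants nothing less than `wheelNeedsPassword = false` already grants. Because `wheelNeedsPassword` is only `mkDefault false`, a host that flips it to true would still be one `systemctl` away from root; constraining those entries to the intended arguments keeps the list meaningful, e.g. `command = "${lib.meta.getExe' systemd "systemctl"} poweroff";` (NixOS accepts arguments in `command`). `Defaults env_keep += "EDITOR PATH DISPLAY"` also carries the invoking user's PATH into the root session, so a user-writable PATH entry decides which binary root runs — a comment on why PATH must be kept would help, or drop it from the list.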
--- a/modules/programs/mosh.nix +++ b/modules/system/access/mosh.nix diff --git a/modules/services/openssh.nix b/modules/system/access/ssh.nix index 8bab2a4..b1fc187 100644 --- a/modules/services/openssh.nix +++ b/modules/system/access/ssh.nix @@ -1,4 +1,6 @@ { + programs.ssh.startAgent = false; + services.openssh = { enable = true; ports = [ 22 ]; diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix new file mode 100644 index 0000000..9a517ef --- /dev/null +++ b/modules/system/boot/default.nix @@ -0,0 +1,32 @@ +{ + pkgs, + config, + ... +}: +{ + imports = [ + ./grub.nix + ./systemd-boot.nix + ]; + + boot = { + crashDump.enable = false; + consoleLogLevel = 3; + kernelPackages = pkgs.linuxPackages_zen; + + kernelParams = [ + "iommu=pt" + "threadirqs" + ]; + + loader = { + timeout = 5; + generationsDir.copyKernels = true; + + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; +} diff --git a/modules/boot/grub.nix b/modules/system/boot/grub.nix index 49e0eef..49e0eef 100644 --- a/modules/boot/grub.nix +++ b/modules/system/boot/grub.nix diff --git a/modules/boot/systemd-boot.nix b/modules/system/boot/systemd-boot.nix index 5b50bad..5b50bad 100644 --- a/modules/boot/systemd-boot.nix +++ b/modules/system/boot/systemd-boot.nix diff --git a/modules/datetime.nix b/modules/system/datetime/datetime.nix index 9d9bbbb..7451fa2 100644 --- a/modules/datetime.nix +++ b/modules/system/datetime/datetime.nix @@ -1,6 +1,12 @@ { pkgs, ... }: { time.timeZone = "America/Los_Angeles"; + location.provider = "geoclue2"; + + services = { + chrony.enable = false; + timesyncd.enable = true; + }; i18n = { defaultLocale = "en_US.UTF-8"; diff --git a/modules/system/datetime/default.nix b/modules/system/datetime/default.nix new file mode 100644 index 0000000..97ba4c8 --- /dev/null +++ b/modules/system/datetime/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./datetime.nix + ./openntpd.nix + ]; +} 
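Review bot: `services.timesyncd.enable = true` in datetime.nix runs alongside `services.openntpd.enable = true` from datetime/openntpd.nix in this same commit, so two NTP clients will discipline the clock at once; as far as I recall the openntpd module sets `services.timesyncd.enable = lib.mkDefault false` precisely to avoid this, and the explicit `true` here overrides it. Keep one: drop the `timesyncd.enable = true;` line (openntpd is the one with a configured listener) or remove openntpd. `chrony.enable = false;` is already the default and can go as well.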
diff --git a/modules/services/openntpd.nix b/modules/system/datetime/openntpd.nix index ebd148d..ec59d5b 100644 --- a/modules/services/openntpd.nix +++ b/modules/system/datetime/openntpd.nix @@ -1,3 +1,4 @@ +{ pkgs, ... }: { services.openntpd = { enable = true; @@ -7,4 +8,6 @@ listen on ::1 ''; }; + + environment.systemPackages = [ pkgs.openntpd ]; } diff --git a/modules/system/default.nix b/modules/system/default.nix new file mode 100644 index 0000000..cdef99d --- /dev/null +++ b/modules/system/default.nix @@ -0,0 +1,24 @@ +{ + imports = [ + ./access + ./boot + ./datetime + ./desktop + ./networking + ./services + ./encryption.nix + ./programs.nix + ./systemd.nix + ./users.nix + ./variables.nix + ]; + + system = { + autoUpgrade.enable = false; + + switch = { + enable = false; + enableNg = true; + }; + }; +} diff --git a/modules/system/desktop/default.nix b/modules/system/desktop/default.nix new file mode 100644 index 0000000..bd2c811 --- /dev/null +++ b/modules/system/desktop/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./gtk.nix + ./xdg-portal.nix + ]; +} diff --git a/modules/environment/system-packages/gtk.nix b/modules/system/desktop/gtk.nix index 4357e75..4357e75 100644 --- a/modules/environment/system-packages/gtk.nix +++ b/modules/system/desktop/gtk.nix diff --git a/modules/xdg-portal.nix b/modules/system/desktop/xdg-portal.nix index 72bcb97..72bcb97 100644 --- a/modules/xdg-portal.nix +++ b/modules/system/desktop/xdg-portal.nix diff --git a/modules/system/encryption.nix b/modules/system/encryption.nix new file mode 100644 index 0000000..53a24bb --- /dev/null +++ b/modules/system/encryption.nix @@ -0,0 +1,16 @@ +{ + boot = { + initrd.availableKernelModules = [ + # "aesni_intel" + # "cryptd" + "usb_storage" + ]; + + # <https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Timeout> + kernelParams = [ + "luks.options=timeout=0" + "rd.luks.options=timeout=0" + "rootflags=x-systemd.device-timeout=0" + ]; + }; +} 
diff --git a/modules/networking/default.nix b/modules/system/networking/default.nix index 753e877..96f89d0 100644 --- a/modules/networking/default.nix +++ b/modules/system/networking/default.nix @@ -1,14 +1,20 @@ { imports = [ + ./vpn ./dhcpcd.nix + ./fail2ban.nix ./firewall.nix + ./ipv6.nix + ./loopback.nix ./networkmanager.nix + ./optimise.nix + ./resolved.nix + ./tor.nix ]; networking = { hostName = "kansai"; nftables.enable = true; - enableIPv6 = false; nameservers = [ "1.1.1.1#one.one.one.one" diff --git a/modules/networking/dhcpcd.nix b/modules/system/networking/dhcpcd.nix index 99ac0f3..99ac0f3 100644 --- a/modules/networking/dhcpcd.nix +++ b/modules/system/networking/dhcpcd.nix diff --git a/modules/services/fail2ban.nix b/modules/system/networking/fail2ban.nix index fa45565..fa45565 100644 --- a/modules/services/fail2ban.nix +++ b/modules/system/networking/fail2ban.nix diff --git a/modules/networking/firewall.nix b/modules/system/networking/firewall.nix index d389bff..569089c 100644 --- a/modules/networking/firewall.nix +++ b/modules/system/networking/firewall.nix @@ -3,7 +3,6 @@ enable = true; allowedUDPPorts = [ 53 ]; allowPing = false; - trustedInterfaces = [ "tailscale0" ]; allowedTCPPorts = [ 80 diff --git a/modules/system/networking/ipv6.nix b/modules/system/networking/ipv6.nix new file mode 100644 index 0000000..274c1ae --- /dev/null +++ b/modules/system/networking/ipv6.nix @@ -0,0 +1,9 @@ +{ + boot.kernel.sysctl = { + "net.ipv6.conf.enp42s0.disable_ipv6" = true; + "net.ipv6.conf.wlp4s0.disable_ipv6" = true; + "net.ipv6.conf.tun0.disable_ipv6" = true; + }; + + networking.enableIPv6 = false; +} diff --git a/modules/system/networking/loopback.nix b/modules/system/networking/loopback.nix new file mode 100644 index 0000000..62e745e --- /dev/null +++ b/modules/system/networking/loopback.nix 
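Review bot: `networking.enableIPv6 = false` already sets the `all`/`default` `disable_ipv6` sysctls as far as I recall, so the three per-interface entries in ipv6.nix are redundant, and because they name this host's interfaces (`enp42s0`, `wlp4s0`, `tun0`) systemd-sysctl will log an error for any that does not exist at boot — `tun0` in particular only appears once the VPN is up. Either drop the per-interface keys or keep them in a host-specific file with a comment saying why they are needed on top of `enableIPv6 = false`.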
@@ -0,0 +1,7 @@ +{ config, ... }: +{ + boot = { + kernelModules = [ "v4l2loopback" ]; + extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + }; +} diff --git a/modules/system/networking/networkmanager.nix b/modules/system/networking/networkmanager.nix new file mode 100644 index 0000000..e5fdfc1 --- /dev/null +++ b/modules/system/networking/networkmanager.nix @@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + environment.systemPackages = [ pkgs.networkmanagerapplet ]; + + networking.networkmanager = { + enable = true; + plugins = [ pkgs.networkmanager-openvpn ]; + dns = "systemd-resolved"; + wifi.backend = "iwd"; + + unmanaged = [ + "interface-name:tailscale*" + "interface-name:br-*" + "interface-name:rndis*" + "interface-name:docker*" + "interface-name:virbr*" + "interface-name:vboxnet*" + "interface-name:waydroid*" + "type:bridge" + ]; + }; +} diff --git a/modules/boot/default.nix b/modules/system/networking/optimise.nix index 964a4e1..c6f2bec 100644 --- a/modules/boot/default.nix +++ b/modules/system/networking/optimise.nix @@ -1,54 +1,8 @@ { - pkgs, - config, - ... -}: -{ - imports = [ - ./grub.nix - ./systemd-boot.nix - ]; - boot = { - crashDump.enable = false; - consoleLogLevel = 3; - - loader = { - timeout = 5; - generationsDir.copyKernels = true; - - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - - kernelPackages = pkgs.linuxPackages_zen; - blacklistedKernelModules = [ "nouveau" ]; - - extraModulePackages = with config.boot.kernelPackages; [ - v4l2loopback - zenpower - ]; - - initrd = { - # systemd.enable = true; - - availableKernelModules = [ - # "aesni_intel" - # "cryptd" - "usb_storage" - ]; - }; - kernelModules = [ - "v4l2loopback" "tls" "tcp_bbr" - "uhid" - "amd-pstate" - "zenpower" - "msr" ]; kernel.sysctl = { 
@@ -93,21 +47,27 @@ "net.ipv4.tcp_congestion_control" = "bbr"; "net.core.default_qdisc" = "cake"; - "net.ipv6.conf.enp42s0.disable_ipv6" = true; - "net.ipv6.conf.wlp4s0.disable_ipv6" = true; - "net.ipv6.conf.tun0.disable_ipv6" = true; + # Other stuff that I am too lazy to document + "net.core.optmem_max" = 65536; + "net.core.rmem_default" = 1048576; + "net.core.rmem_max" = 16777216; + "net.core.somaxconn" = 8192; + "net.core.wmem_default" = 1048576; + "net.core.wmem_max" = 16777216; + "net.ipv4.ip_local_port_range" = "16384 65535"; + "net.ipv4.tcp_max_syn_backlog" = 8192; + "net.ipv4.tcp_max_tw_buckets" = 2000000; + "net.ipv4.tcp_mtu_probing" = 1; + "net.ipv4.tcp_rmem" = "4096 1048576 2097152"; + "net.ipv4.tcp_slow_start_after_idle" = 0; + "net.ipv4.tcp_tw_reuse" = 1; + "net.ipv4.tcp_wmem" = "4096 65536 16777216"; + "net.ipv4.udp_rmem_min" = 8192; + "net.ipv4.udp_wmem_min" = 8192; + "net.netfilter.nf_conntrack_generic_timeout" = 60; + "net.netfilter.nf_conntrack_max" = 1048576; + "net.netfilter.nf_conntrack_tcp_timeout_established" = 600; + "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1; }; - - kernelParams = [ - "nvidia-drm.fbdev=1" - "nvidia.NVreg_PreserveVideoMemoryAllocations=1" - "usbcore.autosuspend=-1" - "iommu=pt" - "threadirqs" - "btusb" - "amd_iommu=on" - "luks.options=timeout=0" - "rd.luks.options=timeout=0" - ]; }; } diff --git a/modules/services/resolved.nix b/modules/system/networking/resolved.nix index 632ca7a..632ca7a 100644 --- a/modules/services/resolved.nix +++ b/modules/system/networking/resolved.nix diff --git a/modules/services/tor.nix b/modules/system/networking/tor.nix index 3e3831f..3e3831f 100644 --- a/modules/services/tor.nix +++ b/modules/system/networking/tor.nix diff --git a/modules/system/networking/vpn/default.nix b/modules/system/networking/vpn/default.nix new file mode 100644 index 0000000..92a11b0 --- /dev/null +++ b/modules/system/networking/vpn/default.nix 
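Review bot: The four `net.netfilter.nf_conntrack_*` sysctls are written by systemd-sysctl at boot, but those keys only exist once the nf_conntrack module is loaded, so unless something loads it earlier they fail with "No such file or directory" and the firewall runs with the defaults; adding `"nf_conntrack"` to the `kernelModules` list in the previous hunk (next to `tls` and `tcp_bbr`) makes them land. `# Other stuff that I am too lazy to document` also sits on values with security weight — `tcp_tw_reuse = 1` and a 1-second `nf_conntrack_tcp_timeout_time_wait` change how the host treats half-closed connections — so at least a pointer to where the numbers came from would help. The enclosing `boot = {` block opens in the first hunk of this file, outside this one.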
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./pia.nix
+ ./tailscale.nix
+ ];
+}
diff --git a/modules/services/pia.nix b/modules/system/networking/vpn/pia.nix
index d52dbf8..d52dbf8 100644
--- a/modules/services/pia.nix
+++ b/modules/system/networking/vpn/pia.nix
diff --git a/modules/system/networking/vpn/tailscale.nix b/modules/system/networking/vpn/tailscale.nix new file mode 100644
index 0000000..5d51594
--- /dev/null
+++ b/modules/system/networking/vpn/tailscale.nix
@@ -0,0 +1,4 @@
+{
+ services.tailscale.enable = true;
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+}
diff --git a/modules/programs/default.nix b/modules/system/programs.nix
index 7139072..8a856d5 100644
--- a/modules/programs/default.nix
+++ b/modules/system/programs.nix
@@ -1,20 +1,21 @@ +{ pkgs, ... }: { - imports = [ - ./gnupg.nix - ./mosh.nix - ./nh.nix - ]; - programs = { fish.enable = true; mtr.enable = true; dconf.enable = true; - ssh.startAgent = false; ccache.enable = true; - nix-index-database.comma.enable = true; bash.interactiveShellInit = '' export HISTFILE="$XDG_STATE_HOME/bash/history" ''; }; + + environment.systemPackages = with pkgs; [ + vim + wget + git + pinentry + runc + ]; }
diff --git a/modules/services/ananicy.nix b/modules/system/services/ananicy.nix
index bdc9bbd..bdc9bbd 100644
--- a/modules/services/ananicy.nix
+++ b/modules/system/services/ananicy.nix
diff --git a/modules/services/dbus.nix b/modules/system/services/dbus.nix
index d67ed2b..d67ed2b 100644
--- a/modules/services/dbus.nix
+++ b/modules/system/services/dbus.nix
diff --git a/modules/services/default.nix b/modules/system/services/default.nix
index adc5d0b..44436bd 100644
--- a/modules/services/default.nix
+++ b/modules/system/services/default.nix
@@ -3,16 +3,8 @@ imports = [ ./ananicy.nix ./dbus.nix - ./fail2ban.nix ./libinput.nix ./ollama.nix - ./openntpd.nix - ./openssh.nix - ./pia.nix - ./pipewire.nix - ./resolved.nix - ./tor.nix - # ./wireplumber.nix ./xserver.nix ]; 
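Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` in tailscale.nix disables the host firewall for every tailnet peer, so any service bound to all interfaces — the `allowedTCPPorts` list in firewall.nix and anything not listed there — is reachable from every node the Tailscale ACL admits. That is a policy decision worth a comment next to the line, now that it has moved out of firewall.nix where the surrounding rules gave it context. If only Tailscale's own traffic needs to pass, `services.tailscale.openFirewall = true;` opens just its UDP port instead of trusting the whole interface.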
@@ -23,9 +15,6 @@
 gvfs.enable = true;
 udev.packages = with pkgs; [ pkgs.logitech-udev-rules ];
 thermald.enable = true;
- chrony.enable = false;
- timesyncd.enable = true;
 irqbalance.enable = true;
- tailscale.enable = true;
 };
 }
diff --git a/modules/services/libinput.nix b/modules/system/services/libinput.nix
index 643f814..643f814 100644
--- a/modules/services/libinput.nix
+++ b/modules/system/services/libinput.nix
diff --git a/modules/services/ollama.nix b/modules/system/services/ollama.nix
index 2638d12..2638d12 100644
--- a/modules/services/ollama.nix
+++ b/modules/system/services/ollama.nix
diff --git a/modules/services/xserver.nix b/modules/system/services/xserver.nix
index e08ac04..e08ac04 100644
--- a/modules/services/xserver.nix
+++ b/modules/system/services/xserver.nix
diff --git a/modules/system/systemd.nix b/modules/system/systemd.nix
new file mode 100644
index 0000000..9ecb5b2
--- /dev/null
+++ b/modules/system/systemd.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ # boot.initrd.systemd.enable = true;
+
+ systemd.services.containerd.path = with pkgs; [
+ containerd
+ runc
+ iptables
+ nvidia-docker
+ ];
+}
diff --git a/modules/users.nix b/modules/system/users.nix
index 4055353..4055353 100644
--- a/modules/users.nix
+++ b/modules/system/users.nix
diff --git a/modules/environment/variables.nix b/modules/system/variables.nix
index 7e9b794..7e9b794 100644
--- a/modules/environment/variables.nix
+++ b/modules/system/variables.nix
diff --git a/modules/virtualisation.nix b/modules/virtualisation.nix
deleted file mode 100644
index 579a0e2..0000000
--- a/modules/virtualisation.nix
+++ /dev/null
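Review bot: `nvidia-docker` in `systemd.services.containerd.path` in systemd.nix, like `enableNvidia = lib.mkForce true` and `pkgs.nvidia-docker` in the docker.nix hunk further down, builds on the legacy nvidia-docker wrapper, which NVIDIA has deprecated in favour of the NVIDIA Container Toolkit; NixOS exposes that as `hardware.nvidia-container-toolkit.enable`, which registers the runtime with the container engine and may remove the need to hand-list binaries on the unit's PATH. A one-line comment on why `containerd`, `runc` and `iptables` must be added to the unit's path would also help, since nothing here says which invocation fails without them. The commented-out `boot.initrd.systemd.enable = true;` carries no reason; either remove it or write `# initrd systemd: disabled because <reason>`.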
@@ -1,37 +0,0 @@
-{ pkgs, lib, ... }:
-{
- virtualisation = {
- docker = {
- enable = true;
- storageDriver = "btrfs";
- enableOnBoot = false;
- liveRestore = true;
- enableNvidia = lib.mkForce true;
- extraOptions = "--iptables=False";
-
- daemon.settings = {
- default-runtime = "nvidia";
- # runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime";
- experimental = true;
- };
-
- autoPrune = {
- enable = false;
- dates = "daily";
- };
-
- rootless = {
- enable = false;
- setSocketVariable = true;
-
- daemon.settings = {
- default-runtime = "nvidia";
- runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime";
- experimental = true;
- };
- };
- };
-
- libvirtd.enable = true;
- };
-}
diff --git a/modules/virtualisation/default.nix b/modules/virtualisation/default.nix
new file mode 100644
index 0000000..765923f
--- /dev/null
+++ b/modules/virtualisation/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./docker.nix
+ ./libvirtd.nix
+ ];
+}
diff --git a/modules/virtualisation/docker.nix b/modules/virtualisation/docker.nix
new file mode 100644
index 0000000..20ce40a
--- /dev/null
+++ b/modules/virtualisation/docker.nix
@@ -0,0 +1,33 @@
+{ pkgs, lib, ... }:
+{
+ virtualisation.docker = {
+ enable = true;
+ storageDriver = "btrfs";
+ enableOnBoot = false;
+ liveRestore = true;
+ enableNvidia = lib.mkForce true;
+ extraOptions = "--iptables=False";
+
+ daemon.settings = {
+ default-runtime = "nvidia";
+ # runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime";
+ experimental = true;
+ };
+
+ autoPrune = {
+ enable = false;
+ dates = "daily";
+ };
+
+ rootless = {
+ enable = false;
+ setSocketVariable = true;
+
+ daemon.settings = {
+ default-runtime = "nvidia";
+ runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime";
+ experimental = true;
+ };
+ };
+ };
+}
diff --git a/modules/virtualisation/libvirtd.nix b/modules/virtualisation/libvirtd.nix
new file mode 100644
index 0000000..4618c46
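Review bot: `extraOptions = "--iptables=False";` in docker.nix is the one line with a firewall consequence and it has no comment: Docker stops inserting its own NAT/FORWARD rules ahead of `networking.firewall`, which keeps published ports from bypassing the host firewall but also means container port publishing and masquerading need rules from somewhere else. A comment such as `# --iptables=false: the host firewall stays authoritative; Docker must not add its own NAT/FORWARD rules` would record the intent. The `rootless` block is fully populated (`daemon.settings`, `runtimes.nvidia.path`) while `rootless.enable = false`, so it is dead configuration that can drift from the live `daemon.settings` above it; drop it or note why it is kept.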
--- /dev/null
+++ b/modules/virtualisation/libvirtd.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ boot.extraModprobeConfig = "options kvm_intel nested=1";
+ environment.systemPackages = [ pkgs.virt-manager ];
+
+ virtualisation.libvirtd = {
+ enable = true;
+
+ qemu = {
+ package = pkgs.qemu_kvm;
+ runAsRoot = true;
+ swtpm.enable = true;
+
+ ovmf = {
+ enable = true;
+
+ packages = [
+ (pkgs.OVMF.override {
+ secureBoot = true;
+ tpmSupport = true;
+ }).fd
+ ];
+ };
+ };
+ };
+} |
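Review bot: `boot.extraModprobeConfig = "options kvm_intel nested=1";` only takes effect on Intel hosts, while the kernel parameters removed in the first hunk of this chunk (`amd_iommu=on`) suggest an AMD machine, where the module is `kvm_amd` and this line does nothing; confirm the CPU and target `kvm_amd` (or both) if so. `qemu.runAsRoot = true` is the NixOS default, so the line changes nothing, but it keeps every QEMU process running as root; `runAsRoot = false` is the least-privilege choice when the VMs do not need root-only host devices, and a comment giving the reason would help either way. The OVMF override with `secureBoot` and `tpmSupport` pairs sensibly with `swtpm.enable = true`, but a short comment naming the guest that needs Secure Boot plus TPM would spare the next reader the inference.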