32 files changed, 580 insertions, 96 deletions
diff --git a/modules/boot/default.nix b/modules/boot/default.nix index 4d8b8d1..6042882 100644 --- a/modules/boot/default.nix +++ b/modules/boot/default.nix @@ -12,9 +12,11 @@ boot = { crashDump.enable = false; + consoleLogLevel = 3; loader = { timeout = 5; + generationsDir.copyKernels = true; efi = { canTouchEfiVariables = true; 
@@ -23,24 +25,86 @@ }; kernelPackages = pkgs.linuxPackages_zen; - kernelModules = [ "v4l2loopback" ]; - extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; - - kernel.sysctl = lib.mkMerge ( - map - (interface: { - "net.ipv6.conf.${interface}.disable_ipv6" = true; - }) - [ - "enp42s0" - "wlp4s0" - "tun0" - ] - ); + blacklistedKernelModules = [ "nouveau" ]; + + extraModulePackages = with config.boot.kernelPackages; [ + v4l2loopback + zenpower + ]; + + # initrd.availableKernelModules = [ + # "aesni_intel" + # "cryptd" + # "usb_storage" + # ]; + + kernelModules = [ + "v4l2loopback" + "tls" + "tcp_bbr" + "uhid" + "amd-pstate" + "zenpower" + "msr" + ]; + + kernel.sysctl = { + # TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + # And other stuff + "net.ipv4.conf.all.log_martians" = true; + "net.ipv4.conf.default.log_martians" = true; + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + 
"net.ipv6.conf.default.accept_ra" = 0; + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv4.tcp_timestamps" = 0; + + # TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + + "net.ipv6.conf.enp42s0.disable_ipv6" = true; + "net.ipv6.conf.wlp4s0.disable_ipv6" = true; + "net.ipv6.conf.tun0.disable_ipv6" = true; + }; kernelParams = [ "nvidia-drm.fbdev=1" "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + "usbcore.autosuspend=-1" + "iommu=pt" + "threadirqs" + "btusb" + "amd_iommu=on" + "luks.options=timeout=0" + "rd.luks.options=timeout=0" ]; }; } diff --git a/modules/default.nix b/modules/default.nix index 22b7854..e491f13 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,18 +3,18 @@ ./boot ./environment ./programs + ./security ./hardware + ./networking ./services ./datetime.nix - ./networking.nix ./nix.nix ./nixpkgs.nix - ./security.nix + ./system.nix ./users.nix ./virtualisation.nix ./xdg-portal.nix ]; location.provider = "geoclue2"; - system.autoUpgrade.enable = false; } diff --git a/modules/environment/system-packages/default.nix b/modules/environment/system-packages/default.nix index a43d8c3..1174e5e 100644 --- a/modules/environment/system-packages/default.nix +++ b/modules/environment/system-packages/default.nix @@ -2,6 +2,8 @@ { imports = [ ./gtk.nix + ./libva.nix + ./nvidia.nix ./usb.nix ./vulkan.nix ]; @@ -12,9 +14,10 @@ git mediastreamer-openh264 pinentry - nvidia-container-toolkit - nvidia-docker runc + openntpd + mesa + amdctl ]; systemd.services.containerd.path = with pkgs; [ 
diff --git a/modules/environment/system-packages/libva.nix b/modules/environment/system-packages/libva.nix new file mode 100644 index 0000000..d420495 --- /dev/null +++ b/modules/environment/system-packages/libva.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + libva + libva-utils + ]; +} diff --git a/modules/environment/system-packages/nvidia.nix b/modules/environment/system-packages/nvidia.nix new file mode 100644 index 0000000..dad4394 --- /dev/null +++ b/modules/environment/system-packages/nvidia.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + nvidia-container-toolkit + nvidia-docker + ]; +} diff --git a/modules/environment/system-packages/vulkan.nix b/modules/environment/system-packages/vulkan.nix index e8dda9b..be37e0e 100644 --- a/modules/environment/system-packages/vulkan.nix +++ b/modules/environment/system-packages/vulkan.nix @@ -4,5 +4,6 @@ vulkan-loader vulkan-validation-layers vulkan-tools + vulkan-extension-layer ]; } diff --git a/modules/hardware/bluetooth.nix b/modules/hardware/bluetooth.nix index 1b6e38b..ede4f77 100644 --- a/modules/hardware/bluetooth.nix +++ b/modules/hardware/bluetooth.nix @@ -1,6 +1,17 @@ +{ pkgs, ... }: { hardware.bluetooth = { enable = true; powerOnBoot = true; + package = pkgs.bluez5-experimental; + disabledPlugins = [ "sap" ]; + + settings = { + General = { + JustWorksRepairing = "always"; + MultiProfile = "multiple"; + Experimental = true; + }; + }; }; } diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix index fe52084..4c413a0 100644 --- a/modules/hardware/default.nix +++ b/modules/hardware/default.nix @@ -8,5 +8,6 @@ hardware = { enableRedistributableFirmware = true; enableAllFirmware = true; + cpu.amd.updateMicrocode = true; }; } diff --git a/modules/hardware/graphics.nix b/modules/hardware/graphics.nix index b757b58..0e01517 100644 --- a/modules/hardware/graphics.nix +++ b/modules/hardware/graphics.nix 
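Review bot: `JustWorksRepairing = "always"` in `settings.General` lets a device that presents an already-bonded address re-pair with Just Works and replace the stored link key without any user confirmation, which is why BlueZ defaults this to `never`. Unless a specific device is known to lose its bond, use `JustWorksRepairing = "confirm";` so the agent has to approve the re-pairing, and add a comment naming the device if `"always"` really is needed. `package = pkgs.bluez5-experimental` together with `Experimental = true` also exposes the experimental D-Bus interfaces to every local client; a one-line comment naming the feature that requires them would help the next reader decide when to turn them off.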
@@ -9,5 +9,11 @@ vaapiVdpau libvdpau-va-gl ]; + + extraPackages32 = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; }; } diff --git a/modules/networking.nix b/modules/networking.nix deleted file mode 100644 index 061a076..0000000 --- a/modules/networking.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ pkgs, ... }: -{ - networking = { - hostName = "kansai"; - nftables.enable = true; - enableIPv6 = false; - - networkmanager = { - enable = true; - plugins = [ pkgs.networkmanager-openvpn ]; - }; - - nameservers = [ - "1.1.1.1#one.one.one.one" - "1.0.0.1#one.one.one.one" - "9.9.9.9#dns.quad9.net" - "149.112.112.112#dns.quad9.net" - ]; - - firewall = { - enable = true; - allowedUDPPorts = [ 53 ]; - - allowedTCPPorts = [ - 80 - 443 - ]; - - allowedUDPPortRanges = [ - { - from = 60000; - to = 61000; - } - ]; - }; - - dhcpcd = { - wait = "background"; - extraConfig = "noarp"; - }; - }; -} diff --git a/modules/networking/default.nix b/modules/networking/default.nix new file mode 100644 index 0000000..caf7686 --- /dev/null +++ b/modules/networking/default.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + imports = [ + ./dhcpcd.nix + ./firewall.nix + ./networkmanager.nix + ]; + + networking = { + hostName = "kansai"; + nftables.enable = true; + enableIPv6 = false; + + nameservers = [ + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" + "9.9.9.9#dns.quad9.net" + "149.112.112.112#dns.quad9.net" + ]; + + timeServers = [ + "0.nixos.pool.ntp.org" + "1.nixos.pool.ntp.org" + "2.nixos.pool.ntp.org" + "3.nixos.pool.ntp.org" + ]; + }; +} diff --git a/modules/networking/dhcpcd.nix b/modules/networking/dhcpcd.nix new file mode 100644 index 0000000..99ac0f3 --- /dev/null +++ b/modules/networking/dhcpcd.nix @@ -0,0 +1,6 @@ +{ + networking.dhcpcd = { + wait = "background"; + extraConfig = "noarp"; + }; +} diff --git a/modules/networking/firewall.nix b/modules/networking/firewall.nix new file mode 100644 index 0000000..73bc44f --- /dev/null +++ b/modules/networking/firewall.nix 
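Review bot: The `#one.one.one.one` / `#dns.quad9.net` suffixes on `nameservers` only pin the certificate name for DNS-over-TLS; unless systemd-resolved is actually told to use DoT (`services.resolved.dnsovertls = "true"`, or `DNSOverTLS=yes` in its `extraConfig`), the queries still go out in plaintext and the suffix is just a label. That setting is not in this hunk — it may live in the `./resolved.nix` imported elsewhere — so please confirm it is set, and consider a comment here: `# text after '#' is the DoT certificate name; DoT itself is enabled in services/resolved.nix`. `enableIPv6 = false` next to the per-interface `disable_ipv6` sysctls in boot is fine, but one of the two is redundant and a comment saying which is authoritative would avoid a future drift.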
@@ -0,0 +1,18 @@ +{ + networking.firewall = { + enable = true; + allowedUDPPorts = [ 53 ]; + + allowedTCPPorts = [ + 80 + 443 + ]; + + allowedUDPPortRanges = [ + { + from = 60000; + to = 61000; + } + ]; + }; +} diff --git a/modules/networking/networkmanager.nix b/modules/networking/networkmanager.nix new file mode 100644 index 0000000..edb4c1c --- /dev/null +++ b/modules/networking/networkmanager.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + networking.networkmanager = { + enable = true; + plugins = [ pkgs.networkmanager-openvpn ]; + dns = "systemd-resolved"; + }; +} diff --git a/modules/nix.nix b/modules/nix.nix index 1c3a435..6de07bb 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -6,16 +6,29 @@ http-connections = 0; warn-dirty = false; log-lines = 50; - # sandbox = "relaxed"; + sandbox = true; + sandbox-fallback = false; extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; + keep-going = true; + accept-flake-config = false; + + system-features = [ + "nixos-test" + "kvm" + "recursive-nix" + "big-parallel" + ]; trusted-users = [ + "root" "@wheel" + "nix-builder" ]; allowed-users = [ "root" "@wheel" + "nix-builder" ]; substituters = [ @@ -25,6 +38,7 @@ "https://nyx.chaotic.cx/" "https://nixpkgs-wayland.cachix.org" "https://cuda-maintainers.cachix.org" + "https://nixpkgs-unfree.cachix.org" ]; trusted-public-keys = [ 
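Review bot: `allowedUDPPorts = [ 53 ]` opens inbound DNS on a workstation that, from what this config shows, runs no DNS server; outbound resolver traffic needs no inbound rule because the nftables firewall is stateful and admits the replies. Likewise `allowedTCPPorts = [ 80 443 ]` accepts inbound HTTP/HTTPS on every interface, which only matters if something here listens on them. Unless those listeners exist, drop the three ports and keep just the 60000–61000 UDP range, and label that range `# mosh` so its purpose is explicit.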
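Review bot: Adding `nix-builder` to `trusted-users` makes that account root-equivalent on this host — trusted users may override daemon settings such as `extra-sandbox-paths` and `substituters` for their own builds, and the Nix manual says as much — so if it is the login used by another machine's `buildMachines` entry, that machine's SSH key inherits root here. Remote building does need the account in `trusted-users` to push unsigned closures, so if that is the case add `# remote-builder login; trusted so peers can push unsigned closures` and restrict its SSH key (forced command, no shell). `@wheel` in `trusted-users` is moot given wheel already gets root via doas, but the same caveat applies to any future wheel member.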
@@ -33,18 +47,31 @@ "nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=" + "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs=" ]; experimental-features = [ "nix-command" "flakes" + "recursive-nix" + "ca-derivations" + "auto-allocate-uids" + "cgroups" + "repl-flake" + "no-url-literals" + "dynamic-derivations" ]; }; gc = { automatic = true; - dates = "daily"; + dates = "03:00"; options = "--delete-older-than 3d"; }; + + optimise = { + automatic = true; + dates = [ "04:00" ]; + }; }; } diff --git a/modules/programs/default.nix b/modules/programs/default.nix index ae1670a..7139072 100644 --- a/modules/programs/default.nix +++ b/modules/programs/default.nix @@ -12,5 +12,9 @@ ssh.startAgent = false; ccache.enable = true; nix-index-database.comma.enable = true; + + bash.interactiveShellInit = '' + export HISTFILE="$XDG_STATE_HOME/bash/history" + ''; }; } diff --git a/modules/security.nix b/modules/security.nix deleted file mode 100644 index b377317..0000000 --- a/modules/security.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - security = { - polkit.enable = true; - auditd.enable = true; - - sudo = { - enable = true; - execWheelOnly = true; - }; - - audit = { - enable = true; - rules = [ "-a exit,always -F arch=b64 -S execve" ]; - }; - - doas = { - enable = true; - extraRules = [ - { - keepEnv = true; - # persist = true; - noPass = true; - - users = [ "ebisu" ]; - } - ]; - }; - }; -} diff --git a/modules/security/audit.nix b/modules/security/audit.nix new file mode 100644 index 0000000..67dce9d --- /dev/null +++ b/modules/security/audit.nix @@ -0,0 +1,6 @@ +{ + security.audit = { + enable = true; + rules = [ "-a exit,always -F arch=b64 -S execve" ]; + }; +} diff --git a/modules/security/default.nix b/modules/security/default.nix new file mode 100644 index 0000000..06302ea --- /dev/null 
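Review bot: `export HISTFILE="$XDG_STATE_HOME/bash/history"` in `bash.interactiveShellInit` has no fallback, so in any shell where `XDG_STATE_HOME` is unset (a TTY login, `doas -s`, an SSH session without the user's profile) the path becomes `/bash/history` and history is silently lost — or written there if that directory is ever creatable. Use the spec default instead: `export HISTFILE="${XDG_STATE_HOME:-$HOME/.local/state}/bash/history"`. Bash also does not create the parent directory, so `$XDG_STATE_HOME/bash` must exist or nothing is written; a comment noting that would save someone a confused afternoon.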
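Review bot: The single rule `-a exit,always -F arch=b64 -S execve` records only 64-bit `execve`; a 32-bit binary (or any caller using the i386 syscall ABI) and anything started via `execveat` goes unlogged, which is the classic way to stay under exec auditing. Extend the existing rule to `-S execve,execveat` and add the sibling `"-a exit,always -F arch=b32 -S execve,execveat"` (if the kernel has IA32 emulation disabled, auditctl will reject the b32 rule, so guard it with a comment). A short comment stating the intent — `# log every exec; failure mode and buffer size left at auditd defaults` — would also document that this is meant to observe, not block.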
+++ b/modules/security/default.nix @@ -0,0 +1,24 @@ +{ + config, + lib, + ... +}: +let + inherit (lib.modules) mkForce; +in +{ + imports = [ + ./audit.nix + ./doas.nix + ./pki.nix + ./polkit.nix + ./sudo.nix + ./tpm.nix + ]; + + security = { + auditd.enable = true; + rtkit.enable = mkForce config.services.pipewire.enable; + virtualisation.flushL1DataCache = "always"; + }; +} diff --git a/modules/security/doas.nix b/modules/security/doas.nix new file mode 100644 index 0000000..32dcca0 --- /dev/null +++ b/modules/security/doas.nix @@ -0,0 +1,12 @@ +{ + security.doas = { + enable = true; + extraRules = [ + { + keepEnv = true; + persist = true; + users = [ "ebisu" ]; + } + ]; + }; +} diff --git a/modules/security/pki.nix b/modules/security/pki.nix new file mode 100644 index 0000000..b804fc5 --- /dev/null +++ b/modules/security/pki.nix @@ -0,0 +1,42 @@ +{ lib, ... }: +{ + security.pki = { + certificates = lib.mkForce [ ]; + + caCertificateBlacklist = [ + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" + "Autoridad de Certificacion Firmaprofesional CIF A62634068" + + # China Financial Certification Authority + "CFCA EV ROOT" + + # Chunghwa Telecom Co., Ltd + "ePKI Root Certification Authority" + "HiPKI Root CA - G1" + + # Dhimyotis + "Certigna" + "Certigna Root CA" + + # GUANG DONG CERTIFICATE AUTHORITY + "GDCA TrustAUTH R5 ROOT" + + # Hongkong Post + "Hongkong Post Root CA 3" + + # iTrusChina Co.,Ltd. + "vTrus ECC Root CA" + "vTrus Root CA" + + # Krajowa Izba Rozliczeniowa S.A. + "SZAFIR ROOT CA2" + + # NetLock Kft. + "NetLock Arany (Class Gold) Főtanúsítvány" + + # TAIWAN-CA + "TWCA Root Certification Authority" + "TWCA Global Root CA" + ]; + }; +} diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix new file mode 100644 index 0000000..400ea87 --- /dev/null +++ b/modules/security/polkit.nix @@ -0,0 +1,6 @@ +{ + security.polkit = { + enable = true; + debug = true; + }; +} 
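Review bot: `keepEnv = true` on the `ebisu` rule passes the caller's environment — including `PATH` — into every root command run through doas, so a writable directory early in the user's `PATH`, or any compromised user session, turns `doas <cmd>` into code execution as root; doas defaults to a clean environment for exactly this reason. Prefer dropping `keepEnv` and allow-listing what is actually needed, e.g. `setEnv = [ "LANG" "LC_ALL" "EDITOR" ];`. Replacing the previous `noPass = true` with `persist = true` is the right direction; a one-line comment that the change was deliberate (and that persist is scoped to the terminal session) would stop the next reader from "fixing" it back.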
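Review bot: `caCertificateBlacklist` entries are matched by exact name against the Mozilla bundle and, as far as I can tell, a name that does not match is ignored without any warning, so a typo or an upstream rename (routine when roots are rotated) silently leaves that CA trusted. After a rebuild, verify each one really disappeared, e.g. `openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-bundle.crt | openssl pkcs7 -print_certs -noout | grep -c "Hongkong Post"` should print 0, and add a `# reviewed YYYY-MM against the bundle` comment so the list gets revisited. `certificates = lib.mkForce [ ]` also discards any certificate another module adds — fine if intended, but worth a line saying so.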
diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix new file mode 100644 index 0000000..bbb2e20 --- /dev/null +++ b/modules/security/sudo.nix @@ -0,0 +1,6 @@ +{ + security.sudo = { + enable = true; + execWheelOnly = true; + }; +} diff --git a/modules/security/tpm.nix b/modules/security/tpm.nix new file mode 100644 index 0000000..3277d9f --- /dev/null +++ b/modules/security/tpm.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + security.tpm2 = { + enable = true; + applyUdevRules = true; + abrmd.enable = true; + tctiEnvironment.enable = true; + pkcs11.enable = true; + }; + + environment.systemPackages = with pkgs; [ + tpm2-tools + tpm2-tss + tpm2-abrmd + ]; +} diff --git a/modules/services/default.nix b/modules/services/default.nix index 38f4c42..5737d0c 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -5,10 +5,13 @@ ./dbus.nix ./fail2ban.nix ./libinput.nix + ./ollama.nix + ./openntpd.nix ./openssh.nix ./pia.nix ./pipewire.nix ./resolved.nix + # ./wireplumber.nix ./xserver.nix ]; @@ -18,5 +21,8 @@ fstrim.enable = true; gvfs.enable = true; udev.packages = with pkgs; [ pkgs.logitech-udev-rules ]; + thermald.enable = true; + chrony.enable = false; + timesyncd.enable = true; }; } diff --git a/modules/services/openntpd.nix b/modules/services/openntpd.nix new file mode 100644 index 0000000..ebd148d --- /dev/null +++ b/modules/services/openntpd.nix @@ -0,0 +1,10 @@ +{ + services.openntpd = { + enable = true; + + extraConfig = '' + listen on 127.0.0.1 + listen on ::1 + ''; + }; +} diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix index d4926c1..b970945 100644 --- a/modules/services/openssh.nix +++ b/modules/services/openssh.nix 
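Review bot: `timesyncd.enable = true` is added while openntpd is enabled via the `./openntpd.nix` import in the same file, so two NTP clients would be adjusting the clock; as far as I recall the NixOS openntpd module sets `services.timesyncd.enable = mkForce false`, so this `true` is either silently overridden or, if someone later forces it, a conflicting-definitions error. Pick one client: drop `timesyncd.enable = true;` (and `chrony.enable = false;`, which is already the default) and add `# openntpd is the sole NTP client` so the choice is recorded. `thermald.enable = true` is an Intel-oriented daemon on what the rest of the diff shows is an AMD machine (`cpu.amd.updateMicrocode`, `zenpower`); it will likely just idle, so either remove it or comment why it is wanted.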
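Review bot: Plain NTP from the public pool in `services.openntpd` is unauthenticated, so an on-path attacker can shift the clock and with it certificate validity, TOTP and Kerberos windows; openntpd offers a cheap mitigation in HTTPS date constraints, which are not configured here. If the packaged openntpd is built with libtls, add to `extraConfig` something like `constraints from "https://www.quad9.net"` (any TLS endpoint you already trust), so pool time that disagrees with the TLS Date header by more than a few seconds is rejected. The `listen on ::1` line is also at odds with `networking.enableIPv6 = false` and may fail to bind; either drop it or note why it is kept.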
@@ -3,5 +3,25 @@ enable = true; ports = [ 2222 ]; openFirewall = true; + + settings = { + UseDns = false; + X11Forwarding = false; + + KexAlgorithms = [ + "curve25519-sha256" + "diffie-hellman-group16-sha512" + "diffie-hellman-group18-sha512" + "diffie-hellman-group-exchange-sha256" + ]; + + Macs = [ + ]; + }; }; } diff --git a/modules/services/pia.nix b/modules/services/pia.nix index 405f0f1..d52dbf8 100644 --- a/modules/services/pia.nix +++ b/modules/services/pia.nix @@ -4,8 +4,7 @@ enable = true; authUserPass = { - username = secrets.pia.username; - password = secrets.pia.password; + inherit (secrets.pia) username password; }; }; } diff --git a/modules/services/pipewire.nix b/modules/services/pipewire.nix index 80a24ce..4506fbd 100644 --- a/modules/services/pipewire.nix +++ b/modules/services/pipewire.nix @@ -1,3 +1,15 @@ +{ lib, ... }: +let + inherit (lib.attrsets) mapAttrs; + inherit (lib.modules) mkBefore mkOptionDefault; + inherit (lib.lists) singleton; + inherit (builtins) toString; + + mapOptionDefault = mapAttrs (_: mkOptionDefault); + quantum = toString 64; + rate = toString 48000; + qr = "${quantum}/${rate}"; +in { services.pipewire = { enable = true; 
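Review bot: `Macs = [ ]` replaces the NixOS default MAC list with an empty one, which as far as I can tell renders a bare `MACs` line that sshd rejects as a bad mac spec — the build-time config check (or sshd at start) fails, and if it ever passed you would have no approved MACs at all. Either delete the key to keep the hardened default or set it explicitly: `Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. The `KexAlgorithms` list also drops the hybrid post-quantum `sntrup761x25519-sha512@openssh.com` that I believe the NixOS default leads with; re-add it first unless the omission is deliberate. Since `openFirewall = true` exposes the port, it is worth pinning `PasswordAuthentication = false; KbdInteractiveAuthentication = false;` here rather than relying on defaults.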
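Review bot: `authUserPass` — whether written as two assignments or the new `inherit (secrets.pia) username password` — ends up in the generated OpenVPN config in the Nix store, and the NixOS option description itself warns that this leaves the credentials world-readable under `/nix/store`; `secrets` being a plain Nix value makes that unavoidable. The usual fix is a runtime file: drop `authUserPass`, put `auth-user-pass /run/secrets/pia` in the server's `config`, and provision that file with agenix/sops-nix or a root-only file placed by hand. Decrypting `secrets` at evaluation time does not help, since the evaluation output is still written to the store.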
@@ -10,5 +22,145 @@ enable = true; support32Bit = true; }; + + extraConfig = { + pipewire = { + "10-logging" = { + "context.properties"."log.level" = 3; + }; + + # "10-defaults" = { + # "context.properties" = mapOptionDefault { + # "clock.power-of-two-quantum" = true; + # "core.daemon" = true; + # "core.name" = "pipewire-0"; + # "link.max-buffers" = 16; + # "settings.check-quantum" = true; + # }; + + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "avb.*" = "avb/libspa-avb"; + # "api.alsa.*" = "alsa/libspa-alsa"; + # "api.v4l2.*" = "v4l2/libspa-v4l2"; + # "api.libcamera.*" = "libcamera/libspa-libcamera"; + # "api.bluez5.*" = "bluez5/libspa-bluez5"; + # "api.vulkan.*" = "vulkan/libspa-vulkan"; + # "api.jack.*" = "jack/libspa-jack"; + # "support.*" = "support/libspa-support"; + # "video.convert.*" = "videoconvert/libspa-videoconvert"; + # }; + # }; + }; + + # pipewire-pulse = { + # "10-defaults" = { + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "support.*" = "support/libspa-support"; + # }; + + # "pulse.cmd" = mkBefore [ + # { + # cmd = "load-module"; + # args = "module-always-sink"; + # flags = [ ]; + # } + # ]; + + # "pulse.properties" = { + # "server.address" = mkBefore [ "unix:native" ]; + # }; + + # "pulse.rules" = mkBefore [ + # { + # matches = [ + # { "application.process.binary" = "teams"; } + # { "application.process.binary" = "teams-insiders"; } + # { "application.process.binary" = "skypeforlinux"; } + # ]; + + # actions.quirks = [ "force-s16-info" ]; + # } + # { + # matches = singleton { "application.process.binary" = "firefox"; }; + # actions.quirks = [ "remove-capture-dont-move" ]; + # } + # { + # matches = singleton { "application.name" = "~speech-dispatcher*"; }; + + # actions = { + # update-props = { + # "pulse.min.req" = "1024/48000"; # 21 milliseconds + # "pulse.min.quantum " = "1024/48000"; # 21 milliseconds + # }; + # }; + # } + 
# ]; + # }; + # }; + + # pipewire."92-low-latency" = { + # "context.properties" = { + # "default.clock.rate" = rate; + # "default.clock.quantum" = quantum; + # "default.clock.min-quantum" = quantum; + # "default.clock.max-quantum" = quantum; + # "default.clock.allowed-rates" = [ rate ]; + # }; + + # # "context.modules" = [ + # # { + # # name = "libpipewire-module-rtkit"; + + # # flags = [ + # # "ifexists" + # # "nofail" + # # ]; + + # # args = { + # # "nice.level" = -15; + # # "rt.prio" = 90; + # # "rt.time.soft" = 200000; + # # "rt.time.hard" = 200000; + # # }; + # # } + # # { + # # name = "libpipewire-module-protocol-pulse"; + + # # args = { + # # "server.address" = [ "unix:native" ]; + # # "pulse.min.quantum" = qr; + # # "pulse.min.req" = qr; + # # "pulse.min.frag" = qr; + # # }; + # # } + # # ]; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 1; + # }; + # }; + + # pipewire-pulse."92-low-latency" = { + # "context.modules" = singleton { + # name = "libpipewire-module-protocol-pulse"; + + # args = { + # "pulse.min.req" = qr; + # "pulse.default.req" = qr; + # "pulse.max.req" = qr; + # "pulse.min.quantum" = qr; + # "pulse.max.quantum" = qr; + # }; + # }; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 4; + # }; + # }; + }; }; } diff --git a/modules/services/wireplumber.nix b/modules/services/wireplumber.nix new file mode 100644 index 0000000..970396f --- /dev/null +++ b/modules/services/wireplumber.nix 
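Review bot: Roughly 120 of the lines added to `extraConfig` are commented-out configuration (the `10-defaults`, `pipewire-pulse` and both `92-low-latency` blocks), and the `let` bindings `mapOptionDefault`, `mkBefore`, `singleton`, `quantum`, `rate` and `qr` introduced at the top of this file now exist only to serve that dead code. Commented-out config rots quickly and hides the single live setting, `log.level = 3`; move the low-latency experiment to its own file that is simply not imported, or drop it, and delete the unused bindings. If the `10-logging` level is meant to stay above the default (2, I believe), a short `# raised for … ; revert once …` comment would tell the next reader when to lower it.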
@@ -0,0 +1,42 @@ +let + rate = builtins.toString 48000; +in +{ + services.pipewire.wireplumber = { + enable = true; + + extraConfig = { + "10-log-level-debug" = { + "context.properties"."log.level" = "D"; + }; + + "10-default-volume" = { + "wireplumber.settings"."device.routes.default-sink-volume" = 1.0; + }; + + "92-low-latency" = { + "monitor.alsa.rules" = [ + { + matches = [ + { "device.name" = "~alsa_card.*"; } + { "node.name" = "~alsa_output.*"; } + ]; + + actions.update-props = { + "node.description" = "ALSA Low Latency Output"; + "audio.rate" = rate; + "audio.format" = "S32LE"; + "resample.quality" = 4; + "resample.disable" = false; + "session.suspend-timeout-seconds" = 0; + "api.alsa.period-size" = 2; + "api.alsa.headroom" = 128; + "api.alsa.period-num" = 2; + "api.alsa.disable-batch" = false; + }; + } + ]; + }; + }; + }; +} diff --git a/modules/system.nix b/modules/system.nix new file mode 100644 index 0000000..9ba445e --- /dev/null +++ b/modules/system.nix @@ -0,0 +1,10 @@ +{ + system = { + autoUpgrade.enable = false; + + switch = { + enable = false; + enableNg = true; + }; + }; +} diff --git a/modules/users.nix b/modules/users.nix index a5f975a..4055353 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -17,12 +17,25 @@ in shell = pkgs.fish; extraGroups = [ - "networkmanager" "wheel" + "systemd-journal" + "audio" + "video" "input" + "plugdev" + "lp" + "tss" + "power" + "nix" + "network" + "networkmanager" + "wireshark" + "mysql" "docker" - "kvm" + "podman" + "git" "libvirtd" + "kvm" ]; }; }; |
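Review bot: `./wireplumber.nix` is added here, but its import in `services/default.nix` is commented out in the same diff, so the whole file — including `"log.level" = "D"` and the ALSA low-latency rules — is dead configuration that will drift from reality. Either import it or drop it; if it is kept as a draft, say so at the top (`# not imported yet; low-latency ALSA experiment`) and lower the log level, since `"D"` floods the journal once it is enabled.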
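Review bot: The `docker` group added to `extraGroups` is root-equivalent (any member can mount `/` into a container and escape) and, unlike doas, leaves no record of the elevation; since `ebisu` already has wheel and doas, drop `docker` and use `doas docker` or rootless podman, which the `podman` entry suggests is already in play. `wireshark` only grants capture if `programs.wireshark.enable` wraps dumpcap with the needed capabilities (not visible here), `tss` gives direct access to the TPM resource manager, and `mysql` exposes the database's data directory if that service runs — each deserves a short comment naming the tool that needs it. Some entries (`power`, `git`, `network`, `nix`) are not groups NixOS creates by default, so unless another module declares them they are, as far as I know, dropped with at most a warning at activation.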