From b6956dd32fbe4bd6a83336a66c3ff73ec47c7b9c Mon Sep 17 00:00:00 2001 
From: Fuwn Date: Wed, 11 Sep 2024 00:52:32 -0700 Subject: Bump: i2p --- modules/default.nix | 3 +- modules/multimedia/audio/default.nix | 6 - modules/multimedia/audio/pipewire.nix | 164 ---------------------- modules/multimedia/audio/wireplumber.nix | 42 ------ modules/multimedia/default.nix | 6 - modules/multimedia/video/default.nix | 11 -- modules/multimedia/video/graphics.nix | 21 --- modules/multimedia/video/libva.nix | 7 - modules/multimedia/video/nvidia.nix | 37 ----- modules/multimedia/video/vulkan.nix | 9 -- modules/software/access/default.nix | 7 + modules/software/access/gnupg.nix | 18 +++ modules/software/access/mosh.nix | 6 + modules/software/access/ssh.nix | 35 +++++ modules/software/boot/default.nix | 29 ++++ modules/software/boot/grub.nix | 22 +++ modules/software/boot/systemd-boot.nix | 9 ++ modules/software/default.nix | 40 ++++++ modules/software/desktop/default.nix | 6 + modules/software/desktop/gtk.nix | 8 ++ modules/software/desktop/xdg-portal.nix | 15 ++ modules/software/encryption.nix | 16 +++ modules/software/gaming.nix | 26 ++++ modules/software/input.nix | 25 ++++ modules/software/locale.nix | 9 ++ modules/software/multimedia/audio/default.nix | 6 + modules/software/multimedia/audio/pipewire.nix | 164 ++++++++++++++++++++++ modules/software/multimedia/audio/wireplumber.nix | 42 ++++++ modules/software/multimedia/default.nix | 6 + modules/software/multimedia/video/default.nix | 11 ++ modules/software/multimedia/video/graphics.nix | 21 +++ modules/software/multimedia/video/libva.nix | 7 + modules/software/multimedia/video/nvidia.nix | 37 +++++ modules/software/multimedia/video/vulkan.nix | 9 ++ modules/software/networking/default.nix | 41 ++++++ modules/software/networking/dhcpcd.nix | 12 ++ modules/software/networking/firewall/default.nix | 11 ++ modules/software/networking/firewall/fail2ban.nix | 20 +++ modules/software/networking/i2p.nix | 38 +++++ modules/software/networking/ipv6.nix | 9 ++ modules/software/networking/loopback.nix | 7 + 
modules/software/networking/networkmanager.nix | 23 +++ modules/software/networking/optimise.nix | 73 ++++++++++ modules/software/networking/resolved.nix | 17 +++ modules/software/networking/tor.nix | 27 ++++ modules/software/networking/vpn/default.nix | 6 + modules/software/networking/vpn/pia.nix | 10 ++ modules/software/networking/vpn/tailscale.nix | 15 ++ modules/software/programs.nix | 22 +++ modules/software/services/adb.nix | 12 ++ modules/software/services/ananicy.nix | 8 ++ modules/software/services/dbus.nix | 15 ++ modules/software/services/default.nix | 22 +++ modules/software/services/libinput.nix | 13 ++ modules/software/services/ollama.nix | 6 + modules/software/services/printing.nix | 19 +++ modules/software/services/xserver.nix | 6 + modules/software/systemd.nix | 11 ++ modules/software/users.nix | 42 ++++++ modules/software/variables.nix | 74 ++++++++++ modules/system/access/default.nix | 7 - modules/system/access/gnupg.nix | 18 --- modules/system/access/mosh.nix | 6 - modules/system/access/ssh.nix | 35 ----- modules/system/boot/default.nix | 29 ---- modules/system/boot/grub.nix | 22 --- modules/system/boot/systemd-boot.nix | 9 -- modules/system/default.nix | 39 ----- modules/system/desktop/default.nix | 6 - modules/system/desktop/gtk.nix | 8 -- modules/system/desktop/xdg-portal.nix | 15 -- modules/system/encryption.nix | 16 --- modules/system/gaming.nix | 26 ---- modules/system/input.nix | 25 ---- modules/system/locale.nix | 9 -- modules/system/networking/default.nix | 40 ------ modules/system/networking/dhcpcd.nix | 12 -- modules/system/networking/firewall/default.nix | 11 -- modules/system/networking/firewall/fail2ban.nix | 20 --- modules/system/networking/ipv6.nix | 9 -- modules/system/networking/loopback.nix | 7 - modules/system/networking/networkmanager.nix | 23 --- modules/system/networking/optimise.nix | 73 ---------- modules/system/networking/resolved.nix | 17 --- modules/system/networking/tor.nix | 27 ---- 
modules/system/networking/vpn/default.nix | 6 - modules/system/networking/vpn/pia.nix | 10 -- modules/system/networking/vpn/tailscale.nix | 15 -- modules/system/programs.nix | 22 --- modules/system/services/adb.nix | 12 -- modules/system/services/ananicy.nix | 8 -- modules/system/services/dbus.nix | 15 -- modules/system/services/default.nix | 22 --- modules/system/services/libinput.nix | 13 -- modules/system/services/ollama.nix | 6 - modules/system/services/printing.nix | 19 --- modules/system/services/xserver.nix | 6 - modules/system/systemd.nix | 11 -- modules/system/users.nix | 42 ------ modules/system/variables.nix | 74 ---------- 100 files changed, 1134 insertions(+), 1095 deletions(-) delete mode 100644 modules/multimedia/audio/default.nix delete mode 100644 modules/multimedia/audio/pipewire.nix delete mode 100644 modules/multimedia/audio/wireplumber.nix delete mode 100644 modules/multimedia/default.nix delete mode 100644 modules/multimedia/video/default.nix delete mode 100644 modules/multimedia/video/graphics.nix delete mode 100644 modules/multimedia/video/libva.nix delete mode 100644 modules/multimedia/video/nvidia.nix delete mode 100644 modules/multimedia/video/vulkan.nix create mode 100644 modules/software/access/default.nix create mode 100644 modules/software/access/gnupg.nix create mode 100644 modules/software/access/mosh.nix create mode 100644 modules/software/access/ssh.nix create mode 100644 modules/software/boot/default.nix create mode 100644 modules/software/boot/grub.nix create mode 100644 modules/software/boot/systemd-boot.nix create mode 100644 modules/software/default.nix create mode 100644 modules/software/desktop/default.nix create mode 100644 modules/software/desktop/gtk.nix create mode 100644 modules/software/desktop/xdg-portal.nix create mode 100644 modules/software/encryption.nix create mode 100644 modules/software/gaming.nix create mode 100644 modules/software/input.nix create mode 100644 modules/software/locale.nix create mode 100644 
modules/software/multimedia/audio/default.nix create mode 100644 modules/software/multimedia/audio/pipewire.nix create mode 100644 modules/software/multimedia/audio/wireplumber.nix create mode 100644 modules/software/multimedia/default.nix create mode 100644 modules/software/multimedia/video/default.nix create mode 100644 modules/software/multimedia/video/graphics.nix create mode 100644 modules/software/multimedia/video/libva.nix create mode 100644 modules/software/multimedia/video/nvidia.nix create mode 100644 modules/software/multimedia/video/vulkan.nix create mode 100644 modules/software/networking/default.nix create mode 100644 modules/software/networking/dhcpcd.nix create mode 100644 modules/software/networking/firewall/default.nix create mode 100644 modules/software/networking/firewall/fail2ban.nix create mode 100644 modules/software/networking/i2p.nix create mode 100644 modules/software/networking/ipv6.nix create mode 100644 modules/software/networking/loopback.nix create mode 100644 modules/software/networking/networkmanager.nix create mode 100644 modules/software/networking/optimise.nix create mode 100644 modules/software/networking/resolved.nix create mode 100644 modules/software/networking/tor.nix create mode 100644 modules/software/networking/vpn/default.nix create mode 100644 modules/software/networking/vpn/pia.nix create mode 100644 modules/software/networking/vpn/tailscale.nix create mode 100644 modules/software/programs.nix create mode 100644 modules/software/services/adb.nix create mode 100644 modules/software/services/ananicy.nix create mode 100644 modules/software/services/dbus.nix create mode 100644 modules/software/services/default.nix create mode 100644 modules/software/services/libinput.nix create mode 100644 modules/software/services/ollama.nix create mode 100644 modules/software/services/printing.nix create mode 100644 modules/software/services/xserver.nix create mode 100644 modules/software/systemd.nix create mode 100644 
modules/software/users.nix create mode 100644 modules/software/variables.nix delete mode 100644 modules/system/access/default.nix delete mode 100644 modules/system/access/gnupg.nix delete mode 100644 modules/system/access/mosh.nix delete mode 100644 modules/system/access/ssh.nix delete mode 100644 modules/system/boot/default.nix delete mode 100644 modules/system/boot/grub.nix delete mode 100644 modules/system/boot/systemd-boot.nix delete mode 100644 modules/system/default.nix delete mode 100644 modules/system/desktop/default.nix delete mode 100644 modules/system/desktop/gtk.nix delete mode 100644 modules/system/desktop/xdg-portal.nix delete mode 100644 modules/system/encryption.nix delete mode 100644 modules/system/gaming.nix delete mode 100644 modules/system/input.nix delete mode 100644 modules/system/locale.nix delete mode 100644 modules/system/networking/default.nix delete mode 100644 modules/system/networking/dhcpcd.nix delete mode 100644 modules/system/networking/firewall/default.nix delete mode 100644 modules/system/networking/firewall/fail2ban.nix delete mode 100644 modules/system/networking/ipv6.nix delete mode 100644 modules/system/networking/loopback.nix delete mode 100644 modules/system/networking/networkmanager.nix delete mode 100644 modules/system/networking/optimise.nix delete mode 100644 modules/system/networking/resolved.nix delete mode 100644 modules/system/networking/tor.nix delete mode 100644 modules/system/networking/vpn/default.nix delete mode 100644 modules/system/networking/vpn/pia.nix delete mode 100644 modules/system/networking/vpn/tailscale.nix delete mode 100644 modules/system/programs.nix delete mode 100644 modules/system/services/adb.nix delete mode 100644 modules/system/services/ananicy.nix delete mode 100644 modules/system/services/dbus.nix delete mode 100644 modules/system/services/default.nix delete mode 100644 modules/system/services/libinput.nix delete mode 100644 modules/system/services/ollama.nix delete mode 100644 
modules/system/services/printing.nix delete mode 100644 modules/system/services/xserver.nix delete mode 100644 modules/system/systemd.nix delete mode 100644 modules/system/users.nix delete mode 100644 modules/system/variables.nix (limited to 'modules') diff --git a/modules/default.nix b/modules/default.nix index c18ed49..653e176 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,10 +1,9 @@ { imports = [ ./hardware - ./multimedia ./nix ./security - ./system + ./software ./virtualisation ]; } diff --git a/modules/multimedia/audio/default.nix b/modules/multimedia/audio/default.nix deleted file mode 100644 index f4e7f0a..0000000 --- a/modules/multimedia/audio/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./pipewire.nix - # ./wireplumber.nix - ]; -} diff --git a/modules/multimedia/audio/pipewire.nix b/modules/multimedia/audio/pipewire.nix deleted file mode 100644 index 2824176..0000000 --- a/modules/multimedia/audio/pipewire.nix +++ /dev/null 
@@ -1,164 +0,0 @@ -# { lib, ... }: -# let -# inherit (lib.modules) mkBefore; -# inherit (lib.lists) singleton; -# inherit (builtins) toString; -# mapOptionDefault = lib.attrsets.mapAttrs (_: lib.modules.mkOptionDefault); -# quantum = toString 64; -# rate = toString 48000; -# qr = "${quantum}/${rate}"; -# in -{ - services.pipewire = { - enable = true; - wireplumber.enable = true; - jack.enable = true; - pulse.enable = true; - audio.enable = true; - - alsa = { - enable = true; - support32Bit = true; - }; - - extraConfig = { - pipewire = { - "10-logging" = { - "context.properties"."log.level" = 3; - }; - - # "10-defaults" = { - # "context.properties" = mapOptionDefault { - # "clock.power-of-two-quantum" = true; - # "core.daemon" = true; - # "core.name" = "pipewire-0"; - # "link.max-buffers" = 16; - # "settings.check-quantum" = true; - # }; - - # "context.spa-libs" = mapOptionDefault { - # "audio.convert.*" = "audioconvert/libspa-audioconvert"; - # "avb.*" = "avb/libspa-avb"; - # "api.alsa.*" = "alsa/libspa-alsa"; - # "api.v4l2.*" = "v4l2/libspa-v4l2"; - # "api.libcamera.*" = "libcamera/libspa-libcamera"; - # "api.bluez5.*" = "bluez5/libspa-bluez5"; - # "api.vulkan.*" = "vulkan/libspa-vulkan"; - # "api.jack.*" = "jack/libspa-jack"; - # "support.*" = "support/libspa-support"; - # "video.convert.*" = "videoconvert/libspa-videoconvert"; - # }; - # }; - }; - - # pipewire-pulse = { - # "10-defaults" = { - # "context.spa-libs" = mapOptionDefault { - # "audio.convert.*" = "audioconvert/libspa-audioconvert"; - # "support.*" = "support/libspa-support"; - # }; - - # "pulse.cmd" = mkBefore [ - # { - # cmd = "load-module"; - # args = "module-always-sink"; - # flags = [ ]; - # } - # ]; - - # "pulse.properties" = { - # "server.address" = mkBefore [ "unix:native" ]; - # }; - - # "pulse.rules" = mkBefore [ - # { - # matches = [ - # { "application.process.binary" = "teams"; } - # { "application.process.binary" = "teams-insiders"; } - # { "application.process.binary" = "skypeforlinux"; 
} - # ]; - - # actions.quirks = [ "force-s16-info" ]; - # } - # { - # matches = singleton { "application.process.binary" = "firefox"; }; - # actions.quirks = [ "remove-capture-dont-move" ]; - # } - # { - # matches = singleton { "application.name" = "~speech-dispatcher*"; }; - - # actions = { - # update-props = { - # "pulse.min.req" = "1024/48000"; # 21 milliseconds - # "pulse.min.quantum " = "1024/48000"; # 21 milliseconds - # }; - # }; - # } - # ]; - # }; - # }; - - # pipewire."92-low-latency" = { - # "context.properties" = { - # "default.clock.rate" = rate; - # "default.clock.quantum" = quantum; - # "default.clock.min-quantum" = quantum; - # "default.clock.max-quantum" = quantum; - # "default.clock.allowed-rates" = [ rate ]; - # }; - - # # "context.modules" = [ - # # { - # # name = "libpipewire-module-rtkit"; - - # # flags = [ - # # "ifexists" - # # "nofail" - # # ]; - - # # args = { - # # "nice.level" = -15; - # # "rt.prio" = 90; - # # "rt.time.soft" = 200000; - # # "rt.time.hard" = 200000; - # # }; - # # } - # # { - # # name = "libpipewire-module-protocol-pulse"; - - # # args = { - # # "server.address" = [ "unix:native" ]; - # # "pulse.min.quantum" = qr; - # # "pulse.min.req" = qr; - # # "pulse.min.frag" = qr; - # # }; - # # } - # # ]; - - # "stream.properties" = { - # "node.latency" = qr; - # "resample.quality" = 1; - # }; - # }; - - # pipewire-pulse."92-low-latency" = { - # "context.modules" = singleton { - # name = "libpipewire-module-protocol-pulse"; - - # args = { - # "pulse.min.req" = qr; - # "pulse.default.req" = qr; - # "pulse.max.req" = qr; - # "pulse.min.quantum" = qr; - # "pulse.max.quantum" = qr; - # }; - # }; - - # "stream.properties" = { - # "node.latency" = qr; - # "resample.quality" = 4; - # }; - # }; - }; - }; -} diff --git a/modules/multimedia/audio/wireplumber.nix b/modules/multimedia/audio/wireplumber.nix deleted file mode 100644 index 970396f..0000000 --- a/modules/multimedia/audio/wireplumber.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -let - rate = builtins.toString 48000; -in -{ - services.pipewire.wireplumber = { - enable = true; - - extraConfig = { - "10-log-level-debug" = { - "context.properties"."log.level" = "D"; - }; - - "10-default-volume" = { - "wireplumber.settings"."device.routes.default-sink-volume" = 1.0; - }; - - "92-low-latency" = { - "monitor.alsa.rules" = [ - { - matches = [ - { "device.name" = "~alsa_card.*"; } - { "node.name" = "~alsa_output.*"; } - ]; - - actions.update-props = { - "node.description" = "ALSA Low Latency Output"; - "audio.rate" = rate; - "audio.format" = "S32LE"; - "resample.quality" = 4; - "resample.disable" = false; - "session.suspend-timeout-seconds" = 0; - "api.alsa.period-size" = 2; - "api.alsa.headroom" = 128; - "api.alsa.period-num" = 2; - "api.alsa.disable-batch" = false; - }; - } - ]; - }; - }; - }; -} diff --git a/modules/multimedia/default.nix b/modules/multimedia/default.nix deleted file mode 100644 index 7bf261a..0000000 --- a/modules/multimedia/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./audio - ./video - ]; -} diff --git a/modules/multimedia/video/default.nix b/modules/multimedia/video/default.nix deleted file mode 100644 index 31cdfd5..0000000 --- a/modules/multimedia/video/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./graphics.nix - ./libva.nix - ./nvidia.nix - ./vulkan.nix - ]; - - environment.systemPackages = [ pkgs.mediastreamer-openh264 ]; -} diff --git a/modules/multimedia/video/graphics.nix b/modules/multimedia/video/graphics.nix deleted file mode 100644 index 13da295..0000000 --- a/modules/multimedia/video/graphics.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ pkgs, ... }: -{ - hardware.graphics = { - enable = true; - enable32Bit = true; - - extraPackages = with pkgs; [ - nvidia-vaapi-driver - vaapiVdpau - libvdpau-va-gl - ]; - - extraPackages32 = with pkgs; [ - nvidia-vaapi-driver - vaapiVdpau - libvdpau-va-gl - ]; - }; - - environment.systemPackages = [ pkgs.mesa ]; -} 
diff --git a/modules/multimedia/video/libva.nix b/modules/multimedia/video/libva.nix deleted file mode 100644 index d420495..0000000 --- a/modules/multimedia/video/libva.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - libva - libva-utils - ]; -} diff --git a/modules/multimedia/video/nvidia.nix b/modules/multimedia/video/nvidia.nix deleted file mode 100644 index bc8cb22..0000000 --- a/modules/multimedia/video/nvidia.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ pkgs, config, ... }: -{ - environment = { - systemPackages = with pkgs; [ - nvidia-container-toolkit - nvidia-docker - ]; - - shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; - }; - - boot = { - blacklistedKernelModules = [ "nouveau" ]; - - kernelParams = [ - "nvidia-drm.fbdev=1" - "nvidia.NVreg_PreserveVideoMemoryAllocations=1" - ]; - }; - - hardware = { - nvidia-container-toolkit.enable = true; - - nvidia = { - modesetting.enable = true; - open = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.production; - forceFullCompositionPipeline = true; - - powerManagement = { - enable = true; - finegrained = false; - }; - }; - }; -} diff --git a/modules/multimedia/video/vulkan.nix b/modules/multimedia/video/vulkan.nix deleted file mode 100644 index be37e0e..0000000 --- a/modules/multimedia/video/vulkan.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - vulkan-loader - vulkan-validation-layers - vulkan-tools - vulkan-extension-layer - ]; -} diff --git a/modules/software/access/default.nix b/modules/software/access/default.nix new file mode 100644 index 0000000..7db7629 --- /dev/null +++ b/modules/software/access/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./gnupg.nix + ./mosh.nix + ./ssh.nix + ]; +} diff --git a/modules/software/access/gnupg.nix b/modules/software/access/gnupg.nix new file mode 100644 index 0000000..e60da30 --- /dev/null 
+++ b/modules/software/access/gnupg.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +{ + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-curses; + enableExtraSocket = true; + enableBrowserSocket = true; + + settings = { + enable-ssh-support = ""; + ttyname = "$GPG_TTY"; + default-cache-ttl = 34560000; # 60 + max-cache-ttl = 34560000; # 120 + allow-loopback-pinentry = ""; + }; + }; +} diff --git a/modules/software/access/mosh.nix b/modules/software/access/mosh.nix new file mode 100644 index 0000000..c9af5bf --- /dev/null +++ b/modules/software/access/mosh.nix @@ -0,0 +1,6 @@ +{ + programs.mosh = { + enable = true; + openFirewall = false; + }; +} diff --git a/modules/software/access/ssh.nix b/modules/software/access/ssh.nix new file mode 100644 index 0000000..8a2b30d --- /dev/null +++ b/modules/software/access/ssh.nix @@ -0,0 +1,35 @@ +{ lib, config, ... }: +{ + programs.ssh.startAgent = false; + + services = { + fail2ban.jails.sshd.settings = { + enabled = true; + filter = "sshd[mode=aggressive]"; + port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); + }; + + openssh = { + enable = true; + ports = [ 22 ]; + openFirewall = false; + + settings = { + KexAlgorithms = [ + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group16-sha512" + "diffie-hellman-group18-sha512" + "diffie-hellman-group-exchange-sha256" + "sntrup761x25519-sha512@openssh.com" + ]; + + Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + ]; + }; + }; + }; +} diff --git a/modules/software/boot/default.nix b/modules/software/boot/default.nix new file mode 100644 index 0000000..0798849 --- /dev/null +++ b/modules/software/boot/default.nix 
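Review bot: The trailing comments `# 60` and `# 120` on `default-cache-ttl` and `max-cache-ttl` do not describe the values beside them: 34560000 seconds is roughly 400 days, so a cached passphrase effectively never expires while this agent runs. Either the comments or the numbers are stale; if the long TTL is intended, replace the comments with one that states it, e.g. `default-cache-ttl = 34560000; # ~400 days: passphrase stays cached until the agent restarts`. This file appears to be moved unchanged from modules/system/access/gnupg.nix, so the mismatch predates this commit.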
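Review bot: The `openssh.settings` block in ssh.nix pins key-exchange and MAC algorithms but says nothing about the authentication policy; no line in the hunk sets `PasswordAuthentication`, `KbdInteractiveAuthentication` or `PermitRootLogin`, so whether password logins are accepted depends on NixOS defaults or on settings elsewhere in the tree that are not visible here. If the intent is key-only access, add `PasswordAuthentication = false;`, `KbdInteractiveAuthentication = false;` and `PermitRootLogin = "no";` next to `KexAlgorithms`, which also narrows what the fail2ban sshd jail configured above has to absorb. The file appears to be moved unchanged from modules/system/access/ssh.nix, so this is pre-existing rather than introduced by the commit.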
@@ -0,0 +1,29 @@ +{ pkgs, ... }: +{ + imports = [ + ./grub.nix + ./systemd-boot.nix + ]; + + boot = { + tmp.cleanOnBoot = true; + crashDump.enable = false; + consoleLogLevel = 3; + kernelPackages = pkgs.linuxPackages_zen; + + kernelParams = [ + "iommu=pt" + "threadirqs" + ]; + + loader = { + timeout = 1; + generationsDir.copyKernels = true; + + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; +} diff --git a/modules/software/boot/grub.nix b/modules/software/boot/grub.nix new file mode 100644 index 0000000..3932713 --- /dev/null +++ b/modules/software/boot/grub.nix @@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + device = "nodev"; + efiSupport = true; + useOSProber = true; + memtest86.enable = true; + gfxmodeEfi = "1920x1080x32"; + gfxmodeBios = "1920x1080x32"; + gfxpayloadBios = "keep"; + gfxpayloadEfi = "keep"; + splashMode = "normal"; + + theme = pkgs.fetchFromGitHub { + owner = "Lxtharia"; + repo = "minegrub-theme"; + rev = "193b3a7c3d432f8c6af10adfb465b781091f56b3"; + sha256 = "1bvkfmjzbk7pfisvmyw5gjmcqj9dab7gwd5nmvi8gs4vk72bl2ap"; + }; + }; +} diff --git a/modules/software/boot/systemd-boot.nix b/modules/software/boot/systemd-boot.nix new file mode 100644 index 0000000..b51a896 --- /dev/null +++ b/modules/software/boot/systemd-boot.nix @@ -0,0 +1,9 @@ +{ + boot.loader.systemd-boot = { + enable = false; + editor = true; + consoleMode = "max"; + memtest86.enable = true; + netbootxyz.enable = true; + }; +} diff --git a/modules/software/default.nix b/modules/software/default.nix new file mode 100644 index 0000000..4239899 --- /dev/null +++ b/modules/software/default.nix 
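Review bot: `editor = true` in systemd-boot.nix keeps the boot-menu kernel command-line editor enabled; it is dormant while `enable = false` on the line above it, but the NixOS option documentation recommends leaving the editor off because editing the command line at boot permits local privilege escalation, and the setting would become live the moment this loader is switched on in place of GRUB. Setting `editor = false;` costs nothing while GRUB is the active loader. The file appears to be moved unchanged from modules/system/boot/systemd-boot.nix.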
@@ -0,0 +1,40 @@ +{ pkgs, ... }: +{ + imports = [ + ./access + ./boot + ./desktop + ./multimedia + ./networking + ./services + ./encryption.nix + # ./gaming.nix + ./input.nix + ./locale.nix + ./programs.nix + ./systemd.nix + ./users.nix + ./variables.nix + ]; + + system = { + autoUpgrade = { + enable = false; + allowReboot = false; + }; + + switch = { + enable = false; + enableNg = true; + }; + }; + + environment.enableAllTerminfo = true; + + console = { + earlySetup = true; + keyMap = "us"; + font = "ter-v18n"; + packages = [ pkgs.terminus_font ]; + }; +} diff --git a/modules/software/desktop/default.nix b/modules/software/desktop/default.nix new file mode 100644 index 0000000..bd2c811 --- /dev/null +++ b/modules/software/desktop/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./gtk.nix + ./xdg-portal.nix + ]; +} diff --git a/modules/software/desktop/gtk.nix b/modules/software/desktop/gtk.nix new file mode 100644 index 0000000..4357e75 --- /dev/null +++ b/modules/software/desktop/gtk.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + gtk2 + gtk3 + gtk4 + ]; +} diff --git a/modules/software/desktop/xdg-portal.nix b/modules/software/desktop/xdg-portal.nix new file mode 100644 index 0000000..72bcb97 --- /dev/null +++ b/modules/software/desktop/xdg-portal.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: +{ + xdg.portal = { + enable = true; + config.common.default = "*"; + # wlr.enable = true; + # xdgOpenUsePortal = true; + + extraPortals = with pkgs; [ + xdg-desktop-portal-wlr + xdg-desktop-portal-gtk + xdg-desktop-portal-gnome + ]; + }; +} diff --git a/modules/software/encryption.nix b/modules/software/encryption.nix new file mode 100644 index 0000000..53a24bb --- /dev/null +++ b/modules/software/encryption.nix 
@@ -0,0 +1,16 @@ +{ + boot = { + initrd.availableKernelModules = [ + # "aesni_intel" + # "cryptd" + "usb_storage" + ]; + + # + kernelParams = [ + "luks.options=timeout=0" + "rd.luks.options=timeout=0" + "rootflags=x-systemd.device-timeout=0" + ]; + }; +} diff --git a/modules/software/gaming.nix b/modules/software/gaming.nix new file mode 100644 index 0000000..790a94e --- /dev/null +++ b/modules/software/gaming.nix @@ -0,0 +1,26 @@ +{ pkgs, ... }: +let + openFirewall = false; +in +{ + programs.steam = { + enable = true; + remotePlay.openFirewall = openFirewall; + localNetworkGameTransfers.openFirewall = openFirewall; + dedicatedServer.openFirewall = openFirewall; + extest.enable = true; + + package = pkgs.steam.override { extraEnv.MANGOHUD = true; }; + }; + + programs.gamemode = { + enable = true; + enableRenice = false; + }; + + environment.systemPackages = with pkgs; [ + mangohud + gamescope + steamtinkerlaunch + ]; +} diff --git a/modules/software/input.nix b/modules/software/input.nix new file mode 100644 index 0000000..e9f3c45 --- /dev/null +++ b/modules/software/input.nix @@ -0,0 +1,25 @@ +{ pkgs, ... }: +{ + i18n = { + defaultLocale = "en_US.UTF-8"; + + inputMethod = { + enable = true; + type = "fcitx5"; + + fcitx5 = { + waylandFrontend = true; + + addons = with pkgs; [ + fcitx5-configtool + fcitx5-gtk + fcitx5-hangul + fcitx5-mozc + fcitx5-rime + rime-data + catppuccin-fcitx5 + ]; + }; + }; + }; +} diff --git a/modules/software/locale.nix b/modules/software/locale.nix new file mode 100644 index 0000000..2648b82 --- /dev/null +++ b/modules/software/locale.nix @@ -0,0 +1,9 @@ +{ secrets, ... }: +{ + location.provider = "geoclue2"; + + time = { + timeZone = "${secrets.timezone}"; + hardwareClockInLocalTime = false; + }; +} diff --git a/modules/software/multimedia/audio/default.nix b/modules/software/multimedia/audio/default.nix new file mode 100644 index 0000000..f4e7f0a --- /dev/null +++ b/modules/software/multimedia/audio/default.nix 
@@ -0,0 +1,6 @@ +{ + imports = [ + ./pipewire.nix + # ./wireplumber.nix + ]; +} diff --git a/modules/software/multimedia/audio/pipewire.nix b/modules/software/multimedia/audio/pipewire.nix new file mode 100644 index 0000000..2824176 --- /dev/null +++ b/modules/software/multimedia/audio/pipewire.nix 
@@ -0,0 +1,164 @@ +# { lib, ... }: +# let +# inherit (lib.modules) mkBefore; +# inherit (lib.lists) singleton; +# inherit (builtins) toString; +# mapOptionDefault = lib.attrsets.mapAttrs (_: lib.modules.mkOptionDefault); +# quantum = toString 64; +# rate = toString 48000; +# qr = "${quantum}/${rate}"; +# in +{ + services.pipewire = { + enable = true; + wireplumber.enable = true; + jack.enable = true; + pulse.enable = true; + audio.enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; + + extraConfig = { + pipewire = { + "10-logging" = { + "context.properties"."log.level" = 3; + }; + + # "10-defaults" = { + # "context.properties" = mapOptionDefault { + # "clock.power-of-two-quantum" = true; + # "core.daemon" = true; + # "core.name" = "pipewire-0"; + # "link.max-buffers" = 16; + # "settings.check-quantum" = true; + # }; + + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "avb.*" = "avb/libspa-avb"; + # "api.alsa.*" = "alsa/libspa-alsa"; + # "api.v4l2.*" = "v4l2/libspa-v4l2"; + # "api.libcamera.*" = "libcamera/libspa-libcamera"; + # "api.bluez5.*" = "bluez5/libspa-bluez5"; + # "api.vulkan.*" = "vulkan/libspa-vulkan"; + # "api.jack.*" = "jack/libspa-jack"; + # "support.*" = "support/libspa-support"; + # "video.convert.*" = "videoconvert/libspa-videoconvert"; + # }; + # }; + }; + + # pipewire-pulse = { + # "10-defaults" = { + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "support.*" = "support/libspa-support"; + # }; + + # "pulse.cmd" = mkBefore [ + # { + # cmd = "load-module"; + # args = "module-always-sink"; + # flags = [ ]; + # } + # ]; + + # "pulse.properties" = { + # "server.address" = mkBefore [ "unix:native" ]; + # }; + + # "pulse.rules" = mkBefore [ + # { + # matches = [ + # { "application.process.binary" = "teams"; } + # { "application.process.binary" = "teams-insiders"; } + # { "application.process.binary" = "skypeforlinux"; 
} + # ]; + + # actions.quirks = [ "force-s16-info" ]; + # } + # { + # matches = singleton { "application.process.binary" = "firefox"; }; + # actions.quirks = [ "remove-capture-dont-move" ]; + # } + # { + # matches = singleton { "application.name" = "~speech-dispatcher*"; }; + + # actions = { + # update-props = { + # "pulse.min.req" = "1024/48000"; # 21 milliseconds + # "pulse.min.quantum " = "1024/48000"; # 21 milliseconds + # }; + # }; + # } + # ]; + # }; + # }; + + # pipewire."92-low-latency" = { + # "context.properties" = { + # "default.clock.rate" = rate; + # "default.clock.quantum" = quantum; + # "default.clock.min-quantum" = quantum; + # "default.clock.max-quantum" = quantum; + # "default.clock.allowed-rates" = [ rate ]; + # }; + + # # "context.modules" = [ + # # { + # # name = "libpipewire-module-rtkit"; + + # # flags = [ + # # "ifexists" + # # "nofail" + # # ]; + + # # args = { + # # "nice.level" = -15; + # # "rt.prio" = 90; + # # "rt.time.soft" = 200000; + # # "rt.time.hard" = 200000; + # # }; + # # } + # # { + # # name = "libpipewire-module-protocol-pulse"; + + # # args = { + # # "server.address" = [ "unix:native" ]; + # # "pulse.min.quantum" = qr; + # # "pulse.min.req" = qr; + # # "pulse.min.frag" = qr; + # # }; + # # } + # # ]; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 1; + # }; + # }; + + # pipewire-pulse."92-low-latency" = { + # "context.modules" = singleton { + # name = "libpipewire-module-protocol-pulse"; + + # args = { + # "pulse.min.req" = qr; + # "pulse.default.req" = qr; + # "pulse.max.req" = qr; + # "pulse.min.quantum" = qr; + # "pulse.max.quantum" = qr; + # }; + # }; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 4; + # }; + # }; + }; + }; +} diff --git a/modules/software/multimedia/audio/wireplumber.nix b/modules/software/multimedia/audio/wireplumber.nix new file mode 100644 index 0000000..970396f --- /dev/null +++ b/modules/software/multimedia/audio/wireplumber.nix 
@@ -0,0 +1,42 @@ +let + rate = builtins.toString 48000; +in +{ + services.pipewire.wireplumber = { + enable = true; + + extraConfig = { + "10-log-level-debug" = { + "context.properties"."log.level" = "D"; + }; + + "10-default-volume" = { + "wireplumber.settings"."device.routes.default-sink-volume" = 1.0; + }; + + "92-low-latency" = { + "monitor.alsa.rules" = [ + { + matches = [ + { "device.name" = "~alsa_card.*"; } + { "node.name" = "~alsa_output.*"; } + ]; + + actions.update-props = { + "node.description" = "ALSA Low Latency Output"; + "audio.rate" = rate; + "audio.format" = "S32LE"; + "resample.quality" = 4; + "resample.disable" = false; + "session.suspend-timeout-seconds" = 0; + "api.alsa.period-size" = 2; + "api.alsa.headroom" = 128; + "api.alsa.period-num" = 2; + "api.alsa.disable-batch" = false; + }; + } + ]; + }; + }; + }; +} diff --git a/modules/software/multimedia/default.nix b/modules/software/multimedia/default.nix new file mode 100644 index 0000000..7bf261a --- /dev/null +++ b/modules/software/multimedia/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./audio + ./video + ]; +} diff --git a/modules/software/multimedia/video/default.nix b/modules/software/multimedia/video/default.nix new file mode 100644 index 0000000..31cdfd5 --- /dev/null +++ b/modules/software/multimedia/video/default.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: +{ + imports = [ + ./graphics.nix + ./libva.nix + ./nvidia.nix + ./vulkan.nix + ]; + + environment.systemPackages = [ pkgs.mediastreamer-openh264 ]; +} diff --git a/modules/software/multimedia/video/graphics.nix b/modules/software/multimedia/video/graphics.nix new file mode 100644 index 0000000..13da295 --- /dev/null +++ b/modules/software/multimedia/video/graphics.nix 
@@ -0,0 +1,21 @@ +{ pkgs, ... }: +{ + hardware.graphics = { + enable = true; + enable32Bit = true; + + extraPackages = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; + + extraPackages32 = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; + }; + + environment.systemPackages = [ pkgs.mesa ]; +} diff --git a/modules/software/multimedia/video/libva.nix b/modules/software/multimedia/video/libva.nix new file mode 100644 index 0000000..d420495 --- /dev/null +++ b/modules/software/multimedia/video/libva.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + libva + libva-utils + ]; +} diff --git a/modules/software/multimedia/video/nvidia.nix b/modules/software/multimedia/video/nvidia.nix new file mode 100644 index 0000000..bc8cb22 --- /dev/null +++ b/modules/software/multimedia/video/nvidia.nix @@ -0,0 +1,37 @@ +{ pkgs, config, ... }: +{ + environment = { + systemPackages = with pkgs; [ + nvidia-container-toolkit + nvidia-docker + ]; + + shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; + }; + + boot = { + blacklistedKernelModules = [ "nouveau" ]; + + kernelParams = [ + "nvidia-drm.fbdev=1" + "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + ]; + }; + + hardware = { + nvidia-container-toolkit.enable = true; + + nvidia = { + modesetting.enable = true; + open = false; + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.production; + forceFullCompositionPipeline = true; + + powerManagement = { + enable = true; + finegrained = false; + }; + }; + }; +} diff --git a/modules/software/multimedia/video/vulkan.nix b/modules/software/multimedia/video/vulkan.nix new file mode 100644 index 0000000..be37e0e --- /dev/null +++ b/modules/software/multimedia/video/vulkan.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + vulkan-loader + vulkan-validation-layers + vulkan-tools + vulkan-extension-layer + ]; +} 
diff --git a/modules/software/networking/default.nix b/modules/software/networking/default.nix
new file mode 100644
index 0000000..724693d
--- /dev/null
+++ b/modules/software/networking/default.nix
@@ -0,0 +1,41 @@
+{ secrets, ... }:
+{
+ imports = [
+ ./firewall
+ ./vpn
+ ./dhcpcd.nix
+ ./i2p.nix
+ ./ipv6.nix
+ ./loopback.nix
+ ./networkmanager.nix
+ ./optimise.nix
+ ./resolved.nix
+ ./tor.nix
+ ];
+
+ # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2
+ systemd.network.wait-online.enable = false;
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ networking = {
+ hostName = "kansai";
+ nftables.enable = true;
+
+ nameservers = [
+ "45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io"
+ "2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io"
+ "45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io"
+ "2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io"
+ ];
+
+ timeServers = [
+ "0.nixos.pool.ntp.org"
+ "1.nixos.pool.ntp.org"
+ "2.nixos.pool.ntp.org"
+ "3.nixos.pool.ntp.org"
+ ];
+ };
+}
diff --git a/modules/software/networking/dhcpcd.nix b/modules/software/networking/dhcpcd.nix
new file mode 100644
index 0000000..f46b657
--- /dev/null
+++ b/modules/software/networking/dhcpcd.nix
@@ -0,0 +1,12 @@
+{
+ networking.dhcpcd = {
+ wait = "background";
+
+ extraConfig = ''
+ noarp
+ nooption domain_name_servers, domain_name, domain_search, host_name
+ nooption ntp_servers
+ nohook resolv.conf, wpa_supplicant
+ '';
+ };
+}
diff --git a/modules/software/networking/firewall/default.nix b/modules/software/networking/firewall/default.nix
new file mode 100644
index 0000000..074f398
--- /dev/null
+++ b/modules/software/networking/firewall/default.nix
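Review bot: The `nameservers` entries in networking/default.nix use the `ip#hostname` form, which only systemd-resolved understands (it is the name resolved validates the DNS-over-TLS certificate against); with `services.resolved.enable = false` in resolved.nix and `networking.networkmanager.dns = "none"` in networkmanager.nix, these strings are presumably written verbatim into `/etc/resolv.conf`, where the libc stub resolver does not recognise the `#` suffix, so resolution is likely to fail or to ignore those servers — and in no case is DNS-over-TLS in effect. Either enable resolved (`services.resolved.enable = true;`) so the suffix and the DoT settings already present in resolved.nix are honoured, or drop the suffix and accept plaintext DNS to the listed addresses. The dhcpcd hunk in this file already strips `domain_name_servers` and the `resolv.conf` hook, so nothing else will populate the file; worth verifying `resolv.conf` on the host after a rebuild.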
@@ -0,0 +1,11 @@
+{
+ imports = [ ./fail2ban.nix ];
+
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+ checkReversePath = "loose";
+ };
+}
diff --git a/modules/software/networking/firewall/fail2ban.nix b/modules/software/networking/firewall/fail2ban.nix
new file mode 100644
index 0000000..6311b14
--- /dev/null
+++ b/modules/software/networking/firewall/fail2ban.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+ services.fail2ban = {
+ enable = false;
+ banaction = "nftables-multiport";
+ banaction-allports = lib.mkDefault "nftables-allport";
+
+ extraPackages = with pkgs; [
+ nftables
+ ipset
+ ];
+
+ ignoreIP = [
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "100.64.0.0/16"
+ "192.168.0.0/16"
+ ];
+ };
+}
diff --git a/modules/software/networking/i2p.nix b/modules/software/networking/i2p.nix
new file mode 100644
index 0000000..19077ba
--- /dev/null
+++ b/modules/software/networking/i2p.nix
@@ -0,0 +1,38 @@
+{
+ # https://voidcruiser.nl/rambles/i2p-on-nixos/
+ containers.i2pd = {
+ autoStart = true;
+
+ config = {
+ system.stateVersion = "24.05";
+
+ networking.firewall.allowedTCPPorts = [
+ 7656
+ 7070
+ 4447
+ 4444
+ ];
+
+ services.i2pd = {
+ enable = true;
+ address = "0.0.0.0";
+
+ proto = {
+ http.enable = true;
+ socksProxy.enable = true;
+ httpProxy.enable = true;
+ sam.enable = true;
+ i2cp.enable = true;
+ };
+
+ addressbook.subscriptions = [
+ "http://inr.i2p/export/alive-hosts.txt"
+ "http://i2p-projekt.i2p/hosts.txt"
+ "http://stats.i2p/cgi-bin/newhosts.txt"
+ "http://reg.i2p/export/hosts.txt"
+ "http://notbob.i2p/hosts.txt"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/software/networking/ipv6.nix b/modules/software/networking/ipv6.nix
new file mode 100644
index 0000000..274c1ae
--- /dev/null
+++ b/modules/software/networking/ipv6.nix
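Review bot: `ignoreIP` in fail2ban.nix lists `100.64.0.0/16`, but the CGNAT block that Tailscale allocates addresses from is `100.64.0.0/10`; if the entry is meant to exempt tailnet peers it covers only the first /16 of that space, and if it is not, exempting a /16 of shared-address space is an odd choice, so the intent should be stated: `"100.64.0.0/10" # tailnet (CGNAT range)` or the line dropped. The whole block is also inert while `enable = false`, even though the deleted `modules/system/access/ssh.nix` in this commit defined an sshd jail that presumably moved with the file; either enable the service or record why it stays off, e.g. `enable = false; # TODO: re-enable once nftables banaction is verified`.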
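Review bot: `address = "0.0.0.0"` in i2p.nix makes i2pd's web console (7070), HTTP proxy (4444), SOCKS proxy (4447) and SAM bridge (7656) listen on every interface, and `containers.i2pd` sets no `privateNetwork = true`, so the container shares the host's network namespace and those sockets appear on the host's own interfaces; the tailscale hunk later in this commit additionally marks the Tailscale interface as trusted, which bypasses the host firewall for any tailnet peer. None of these listeners authenticate by default, so whoever can reach them can route traffic through this host's I2P identity or administer the router via the console. Bind locally, `address = "127.0.0.1";`, and drop the `allowedTCPPorts` list, or give the container `privateNetwork = true` and expose only the intended ports with `forwardPorts`. Whether a container-side `networking.firewall.allowedTCPPorts` has any effect at all in a shared network namespace is worth confirming against the NixOS container module before relying on it.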
@@ -0,0 +1,9 @@
+{
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.enp42s0.disable_ipv6" = true;
+ "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
+ "net.ipv6.conf.tun0.disable_ipv6" = true;
+ };
+
+ networking.enableIPv6 = false;
+}
diff --git a/modules/software/networking/loopback.nix b/modules/software/networking/loopback.nix
new file mode 100644
index 0000000..62e745e
--- /dev/null
+++ b/modules/software/networking/loopback.nix
@@ -0,0 +1,7 @@
+{ config, ... }:
+{
+ boot = {
+ kernelModules = [ "v4l2loopback" ];
+ extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+ };
+}
diff --git a/modules/software/networking/networkmanager.nix b/modules/software/networking/networkmanager.nix
new file mode 100644
index 0000000..8672759
--- /dev/null
+++ b/modules/software/networking/networkmanager.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.networkmanagerapplet ];
+
+ networking.networkmanager = {
+ enable = true;
+ plugins = [ pkgs.networkmanager-openvpn ];
+ # dns =
+ dns = "none"; # "systemd-resolved"
+ wifi.backend = "iwd";
+
+ unmanaged = [
+ "interface-name:tailscale*"
+ "interface-name:br-*"
+ "interface-name:rndis*"
+ "interface-name:docker*"
+ "interface-name:virbr*"
+ "interface-name:vboxnet*"
+ "interface-name:waydroid*"
+ "type:bridge"
+ ];
+ };
+}
diff --git a/modules/software/networking/optimise.nix b/modules/software/networking/optimise.nix
new file mode 100644
index 0000000..c6f2bec
--- /dev/null
+++ b/modules/software/networking/optimise.nix
@@ -0,0 +1,73 @@ +{ + boot = { + kernelModules = [ + "tls" + "tcp_bbr" + ]; + + kernel.sysctl = { + # TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + # And other stuff + "net.ipv4.conf.all.log_martians" = true; + "net.ipv4.conf.default.log_martians" = true; + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + "net.ipv6.conf.default.accept_ra" = 0; + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv4.tcp_timestamps" = 0; + + # TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. 
Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + + # Other stuff that I am too lazy to document + "net.core.optmem_max" = 65536; + "net.core.rmem_default" = 1048576; + "net.core.rmem_max" = 16777216; + "net.core.somaxconn" = 8192; + "net.core.wmem_default" = 1048576; + "net.core.wmem_max" = 16777216; + "net.ipv4.ip_local_port_range" = "16384 65535"; + "net.ipv4.tcp_max_syn_backlog" = 8192; + "net.ipv4.tcp_max_tw_buckets" = 2000000; + "net.ipv4.tcp_mtu_probing" = 1; + "net.ipv4.tcp_rmem" = "4096 1048576 2097152"; + "net.ipv4.tcp_slow_start_after_idle" = 0; + "net.ipv4.tcp_tw_reuse" = 1; + "net.ipv4.tcp_wmem" = "4096 65536 16777216"; + "net.ipv4.udp_rmem_min" = 8192; + "net.ipv4.udp_wmem_min" = 8192; + "net.netfilter.nf_conntrack_generic_timeout" = 60; + "net.netfilter.nf_conntrack_max" = 1048576; + "net.netfilter.nf_conntrack_tcp_timeout_established" = 600; + "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1; + }; + }; +} diff --git a/modules/software/networking/resolved.nix b/modules/software/networking/resolved.nix new file mode 100644 index 0000000..82effbe --- /dev/null +++ b/modules/software/networking/resolved.nix @@ -0,0 +1,17 @@ +{ secrets, ... }: +{ + services.resolved = { + enable = false; + dnssec = "true"; + domains = [ "~." ]; + dnsovertls = "true"; + llmnr = "false"; + + extraConfig = '' + DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io + DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io + DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io + DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io + ''; + }; +} diff --git a/modules/software/networking/tor.nix b/modules/software/networking/tor.nix new file mode 100644 index 0000000..dfbfb3a --- /dev/null +++ b/modules/software/networking/tor.nix 
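Review bot: `"net.ipv4.tcp_tw_reuse" = 1` in optimise.nix has no effect while `"net.ipv4.tcp_timestamps" = 0`: the kernel only reuses a TIME-WAIT socket when it can validate it with PAWS timestamps, so one of the two lines should go, and which one is kept should be commented since the timestamp line currently sits under `# And other stuff`. The comment on `send_redirects`, `# Don't send ICMP redirects (again, we're on a router)`, contradicts the line above it and should read `# Don't send ICMP redirects (again, we're not a router)`. Strict `rp_filter = 1` on all interfaces also sits next to `checkReversePath = "loose"` in firewall/default.nix; with Tailscale subnet routing enabled elsewhere in this commit, asymmetric routes could be dropped by the sysctl even though the nftables check is loose, which is worth confirming on the host. The `kernel.sysctl` block begins on the previous physical line.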
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+ services.tor = {
+ enable = true;
+ torsocks.enable = true;
+
+ client = {
+ enable = true;
+ dns.enable = true;
+ };
+ };
+
+ programs.proxychains = {
+ enable = true;
+ quietMode = false;
+ proxyDNS = true;
+ package = pkgs.proxychains-ng;
+
+ proxies = {
+ tor = {
+ type = "socks5";
+ host = "127.0.0.1";
+ port = 9050;
+ };
+ };
+ };
+}
diff --git a/modules/software/networking/vpn/default.nix b/modules/software/networking/vpn/default.nix
new file mode 100644
index 0000000..92a11b0
--- /dev/null
+++ b/modules/software/networking/vpn/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./pia.nix
+ ./tailscale.nix
+ ];
+}
diff --git a/modules/software/networking/vpn/pia.nix b/modules/software/networking/vpn/pia.nix
new file mode 100644
index 0000000..d52dbf8
--- /dev/null
+++ b/modules/software/networking/vpn/pia.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ services.pia = {
+ enable = true;
+
+ authUserPass = {
+ inherit (secrets.pia) username password;
+ };
+ };
+}
diff --git a/modules/software/networking/vpn/tailscale.nix b/modules/software/networking/vpn/tailscale.nix
new file mode 100644
index 0000000..21f471a
--- /dev/null
+++ b/modules/software/networking/vpn/tailscale.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ #
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+}
diff --git a/modules/software/programs.nix b/modules/software/programs.nix
new file mode 100644
index 0000000..a1025fb
--- /dev/null
+++ b/modules/software/programs.nix
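Review bot: `networking.firewall.trustedInterfaces` on the Tailscale interface in tailscale.nix switches the host firewall off for every tailnet peer, so each service that binds to all interfaces (the i2pd proxies and console added in this commit, and anything else on 0.0.0.0) becomes reachable from any device on the tailnet without a per-port decision. Prefer an explicit per-interface allowlist, for example `networking.firewall.interfaces."${config.services.tailscale.interfaceName}".allowedTCPPorts = [ 22 ];`, listing only what tailnet peers actually need, or at least hold off on `trustedInterfaces` until the i2pd bind address is narrowed. As far as I recall the NixOS tailscale module already enables IPv4/IPv6 forwarding when `useRoutingFeatures = "both"`, so the `boot.kernel.sysctl` entries under the empty `#` comment may be redundant; if they are kept, the comment should say why, e.g. `# forwarding for tailscale subnet routing / exit node`.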
@@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + programs = { + fish.enable = true; + mtr.enable = true; + dconf.enable = true; + ccache.enable = true; + fuse.userAllowOther = true; + + bash.interactiveShellInit = '' + export HISTFILE="$XDG_STATE_HOME/bash/history" + ''; + }; + + environment.systemPackages = with pkgs; [ + vim + wget + git + pinentry + runc + ]; +} diff --git a/modules/software/services/adb.nix b/modules/software/services/adb.nix new file mode 100644 index 0000000..d106ead --- /dev/null +++ b/modules/software/services/adb.nix @@ -0,0 +1,12 @@ +{ pkgs, ... }: +{ + programs.adb.enable = true; + + services.udev = { + packages = [ pkgs.android-udev-rules ]; + + extraRules = '' + SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers" + ''; + }; +} diff --git a/modules/software/services/ananicy.nix b/modules/software/services/ananicy.nix new file mode 100644 index 0000000..bdc9bbd --- /dev/null +++ b/modules/software/services/ananicy.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + services.ananicy = { + enable = false; + package = pkgs.ananicy-cpp; + rulesProvider = pkgs.ananicy-rules-cachyos; + }; +} diff --git a/modules/software/services/dbus.nix b/modules/software/services/dbus.nix new file mode 100644 index 0000000..8b25bf9 --- /dev/null +++ b/modules/software/services/dbus.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: +{ + services.dbus = { + enable = true; + implementation = "broker"; + + packages = with pkgs; [ + dconf + gcr + udisks2 + # flatpak + # xdg-desktop-portal + ]; + }; +} diff --git a/modules/software/services/default.nix b/modules/software/services/default.nix new file mode 100644 index 0000000..f126f62 --- /dev/null +++ b/modules/software/services/default.nix 
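Review bot: The udev rule in adb.nix, `SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers"`, makes the device node world-readable and writable, so the `GROUP="adbusers"` assignment grants nothing extra and every local account can drive the attached device. `MODE="0660"` restricts the same access to `adbusers` members: `SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0660", GROUP="adbusers"`; I believe `pkgs.android-udev-rules` already covers this vendor id, in which case the extra rule can simply be dropped. services/default.nix in this commit comments out `./adb.nix`, so the rule is currently inert, but it will take effect as written once re-enabled.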
@@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + imports = [ + # ./adb.nix + ./ananicy.nix + ./dbus.nix + ./libinput.nix + ./ollama.nix + # ./printing.nix + ./xserver.nix + ]; + + services = { + printing.enable = false; + gnome.gnome-keyring.enable = true; + fstrim.enable = false; + gvfs.enable = true; + udev.packages = with pkgs; [ pkgs.logitech-udev-rules ]; + thermald.enable = true; + irqbalance.enable = true; + }; +} diff --git a/modules/software/services/libinput.nix b/modules/software/services/libinput.nix new file mode 100644 index 0000000..643f814 --- /dev/null +++ b/modules/software/services/libinput.nix @@ -0,0 +1,13 @@ +{ + services.libinput = { + enable = true; + + mouse = { + accelProfile = "flat"; + }; + + touchpad = { + accelProfile = "flat"; + }; + }; +} diff --git a/modules/software/services/ollama.nix b/modules/software/services/ollama.nix new file mode 100644 index 0000000..d737250 --- /dev/null +++ b/modules/software/services/ollama.nix @@ -0,0 +1,6 @@ +{ + services.ollama = { + enable = true; + acceleration = "cuda"; + }; +} diff --git a/modules/software/services/printing.nix b/modules/software/services/printing.nix new file mode 100644 index 0000000..f7a38de --- /dev/null +++ b/modules/software/services/printing.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: +{ + services = { + printing = { + enable = true; + + drivers = with pkgs; [ + gutenprint + hplip + ]; + }; + + avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + }; +} diff --git a/modules/software/services/xserver.nix b/modules/software/services/xserver.nix new file mode 100644 index 0000000..e08ac04 --- /dev/null +++ b/modules/software/services/xserver.nix @@ -0,0 +1,6 @@ +{ + services.xserver = { + xkb.layout = "us"; + videoDrivers = [ "nvidia" ]; + }; +} diff --git a/modules/software/systemd.nix b/modules/software/systemd.nix new file mode 100644 index 0000000..9ecb5b2 --- /dev/null +++ b/modules/software/systemd.nix 
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ # boot.initrd.systemd.enable = true;
+
+ systemd.services.containerd.path = with pkgs; [
+ containerd
+ runc
+ iptables
+ nvidia-docker
+ ];
+}
diff --git a/modules/software/users.nix b/modules/software/users.nix
new file mode 100644
index 0000000..4055353
--- /dev/null
+++ b/modules/software/users.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+let
+ initialPassword = "123456";
+in
+{
+ users.users = {
+ root = {
+ inherit initialPassword;
+
+ shell = pkgs.bash;
+ };
+
+ ebisu = {
+ inherit initialPassword;
+
+ isNormalUser = true;
+ shell = pkgs.fish;
+
+ extraGroups = [
+ "wheel"
+ "systemd-journal"
+ "audio"
+ "video"
+ "input"
+ "plugdev"
+ "lp"
+ "tss"
+ "power"
+ "nix"
+ "network"
+ "networkmanager"
+ "wireshark"
+ "mysql"
+ "docker"
+ "podman"
+ "git"
+ "libvirtd"
+ "kvm"
+ ];
+ };
+ };
+}
diff --git a/modules/software/variables.nix b/modules/software/variables.nix
new file mode 100644
index 0000000..7e9b794
--- /dev/null
+++ b/modules/software/variables.nix
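Review bot: `initialPassword = "123456"` in users.nix is applied to both `root` and the wheel user `ebisu`; `initialPassword` lands in plain text in the world-readable Nix store and is only applied when the account is first created, so unless the password is changed interactively after first boot a trivially guessable password stays on an administrator account. If the moved ssh.nix keeps `openssh.enable = true` as the deleted copy did, and with the Tailscale interface trusted elsewhere in this commit, that account is reachable from the tailnet, and NixOS leaves `PasswordAuthentication` on by default. Prefer `hashedPasswordFile` pointing at a file outside the store, or `initialHashedPassword` with a generated hash, and consider whether `root` needs a password at all (`users.users.root.hashedPassword = "!";` locks it). `docker`, `libvirtd` and `kvm` membership are effectively root-equivalent, which is fine for an admin user but deserves a one-line comment on the `extraGroups` list.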
@@ -0,0 +1,74 @@
+{
+ environment.variables = {
+ # OpenGL
+ __GL_GSYNC_ALLOWED = "1";
+ __GL_VRR_ALLOWED = "0";
+ __GL_MaxFramesAllowed = "1";
+
+ # Java
+ _JAVA_AWT_WM_NONREPARENTING = "1";
+
+ # Qt
+ QT_AUTO_SCREEN_SCALE_FACTOR = "1";
+ QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+ QT_QPA_PLATFORM = "wayland;xcb";
+ DISABLE_QT5_COMPAT = "0";
+ DISABLE_QT_COMPAT = "0";
+ QT_QPA_PLATFORMTHEME = "qt5ct";
+ # QT_STYLE_OVERRIDE = "kvantum";
+
+ # Electron
+ # ELECTRON_OZONE_PLATFORM_HINT = "auto";
+ # OZONE_PLATFORM = "wayland";
+ NIXOS_OZONE_WL = "1";
+
+ # Proton
+ PROTON_ENABLE_NGX_UPDATER = "1";
+
+ # wlroots
+ WLR_NO_HARDWARE_CURSORS = "1";
+ WLR_DRM_NO_ATOMIC = "1";
+ WLR_USE_LIBINPUT = "1";
+ WLR_RENDERER_ALLOW_SOFTWARE = "1";
+ WLR_DRM_DEVICES = "/dev/dri/card0";
+ WLR_EGL_NO_MODIFIERS = "1";
+ WLR_BACKEND = "vulkan";
+ WLR_RENDERER = "vulkan";
+
+ # Mozilla
+ MOZ_ENABLE_WAYLAND = "1";
+ MOZ_DISABLE_RDD_SANDBOX = "1";
+
+ # Nvidia
+ LIBVA_DRIVER_NAME = "nvidia";
+ __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+ GBM_BACKEND = "nvidia-drm";
+ __VK_LAYER_NV_optimus = "NVIDIA_only";
+ __NV_PRIME_RENDER_OFFLOAD = "1";
+ NVD_BACKEND = "direct";
+
+ # Fcitx
+ # https://fcitx-im.org/wiki/Using_Fcitx_5_on_Wayland
+ QT_IM_MODULE = "fcitx";
+ XMODIFIERS = "@im=fcitx";
+ # GTK_IM_MODULE = "wayland";
+ # GTK_IM_MODULE = "fcitx";
+ SDL_IM_MODULE = "fcitx";
+ GLFW_IM_MODULE = "ibus";
+ INPUT_METHOD = "fcitx";
+ CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+
+ # Other Wayland
+ GDK_BACKEND = "wayland,x11,*";
+ SDL_VIDEODRIVER = "wayland";
+ CLUTTER_BACKEND = "wayland";
+ XWAYLAND_NO_GLAMOR = "1"; # Gamescope
+ ANKI_WAYLAND = "1";
+ XDG_SESSION_TYPE = "wayland";
+
+ # Other
+ GTK_USE_PORTAL = "1";
+ DIRENV_LOG_FORMAT = "";
+ SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh";
+ };
+}
diff --git a/modules/system/access/default.nix b/modules/system/access/default.nix
deleted file mode 100644
index 7db7629..0000000
--- a/modules/system/access/default.nix
+++ /dev/null
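Review bot: `MOZ_DISABLE_RDD_SANDBOX = "1"` in variables.nix turns off Firefox's sandbox for the RDD (media decoder) process for every user on the system; it is usually set to get NVIDIA VA-API decoding working, but it removes isolation from code that parses untrusted media, so it needs a comment stating why it is required and a reminder to re-test without it, e.g. `MOZ_DISABLE_RDD_SANDBOX = "1"; # needed for nvidia-vaapi-driver decode; weakens the media sandbox, re-check on driver/Firefox updates`. `SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh"` hard-codes UID 1000 in a system-wide `environment.variables` entry that root and any other account inherit as a dangling path, and it presumably overrides the socket that gpg-agent's `enableSSHSupport` (see the moved gnupg.nix) exports, so only one of the two agents can win. The file's own `CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv"` shows these values are shell-expanded, so `SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/keyring/ssh";` would at least be per-user; better still, set it in the user's session and document which agent is intended.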
@@ -1,7 +0,0 @@ -{ - imports = [ - ./gnupg.nix - ./mosh.nix - ./ssh.nix - ]; -} diff --git a/modules/system/access/gnupg.nix b/modules/system/access/gnupg.nix deleted file mode 100644 index e60da30..0000000 --- a/modules/system/access/gnupg.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ pkgs, ... }: -{ - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; - enableExtraSocket = true; - enableBrowserSocket = true; - - settings = { - enable-ssh-support = ""; - ttyname = "$GPG_TTY"; - default-cache-ttl = 34560000; # 60 - max-cache-ttl = 34560000; # 120 - allow-loopback-pinentry = ""; - }; - }; -} diff --git a/modules/system/access/mosh.nix b/modules/system/access/mosh.nix deleted file mode 100644 index c9af5bf..0000000 --- a/modules/system/access/mosh.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - programs.mosh = { - enable = true; - openFirewall = false; - }; -} diff --git a/modules/system/access/ssh.nix b/modules/system/access/ssh.nix deleted file mode 100644 index 8a2b30d..0000000 --- a/modules/system/access/ssh.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ lib, config, ... }: -{ - programs.ssh.startAgent = false; - - services = { - fail2ban.jails.sshd.settings = { - enabled = true; - filter = "sshd[mode=aggressive]"; - port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); - }; - - openssh = { - enable = true; - ports = [ 22 ]; - openFirewall = false; - - settings = { - KexAlgorithms = [ - "curve25519-sha256" - "curve25519-sha256@libssh.org" - "diffie-hellman-group16-sha512" - "diffie-hellman-group18-sha512" - "diffie-hellman-group-exchange-sha256" - "sntrup761x25519-sha512@openssh.com" - ]; - - Macs = [ - "hmac-sha2-512-etm@openssh.com" - "hmac-sha2-256-etm@openssh.com" - "umac-128-etm@openssh.com" - ]; - }; - }; - }; -} diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix deleted file mode 100644 index 0798849..0000000 --- a/modules/system/boot/default.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./grub.nix - ./systemd-boot.nix - ]; - - boot = { - tmp.cleanOnBoot = true; - crashDump.enable = false; - consoleLogLevel = 3; - kernelPackages = pkgs.linuxPackages_zen; - - kernelParams = [ - "iommu=pt" - "threadirqs" - ]; - - loader = { - timeout = 1; - generationsDir.copyKernels = true; - - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - }; -} diff --git a/modules/system/boot/grub.nix b/modules/system/boot/grub.nix deleted file mode 100644 index 3932713..0000000 --- a/modules/system/boot/grub.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ pkgs, ... }: -{ - boot.loader.grub = { - enable = true; - device = "nodev"; - efiSupport = true; - useOSProber = true; - memtest86.enable = true; - gfxmodeEfi = "1920x1080x32"; - gfxmodeBios = "1920x1080x32"; - gfxpayloadBios = "keep"; - gfxpayloadEfi = "keep"; - splashMode = "normal"; - - theme = pkgs.fetchFromGitHub { - owner = "Lxtharia"; - repo = "minegrub-theme"; - rev = "193b3a7c3d432f8c6af10adfb465b781091f56b3"; - sha256 = "1bvkfmjzbk7pfisvmyw5gjmcqj9dab7gwd5nmvi8gs4vk72bl2ap"; - }; - }; -} diff --git a/modules/system/boot/systemd-boot.nix b/modules/system/boot/systemd-boot.nix deleted file mode 100644 index b51a896..0000000 --- a/modules/system/boot/systemd-boot.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - boot.loader.systemd-boot = { - enable = false; - editor = true; - consoleMode = "max"; - memtest86.enable = true; - netbootxyz.enable = true; - }; -} diff --git a/modules/system/default.nix b/modules/system/default.nix deleted file mode 100644 index 7b9013b..0000000 --- a/modules/system/default.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./access - ./boot - ./desktop - ./networking - ./services - ./encryption.nix - # ./gaming.nix - ./input.nix - ./locale.nix - ./programs.nix - ./systemd.nix - ./users.nix - ./variables.nix - ]; - - system = { - autoUpgrade = { - enable = false; - allowReboot = false; - }; - - switch = { - enable = false; - enableNg = true; - }; - }; - - environment.enableAllTerminfo = true; - - console = { - earlySetup = true; - keyMap = "us"; - font = "ter-v18n"; - packages = [ pkgs.terminus_font ]; - }; -} diff --git a/modules/system/desktop/default.nix b/modules/system/desktop/default.nix deleted file mode 100644 index bd2c811..0000000 --- a/modules/system/desktop/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./gtk.nix - ./xdg-portal.nix - ]; -} diff --git a/modules/system/desktop/gtk.nix b/modules/system/desktop/gtk.nix deleted file mode 100644 index 4357e75..0000000 --- a/modules/system/desktop/gtk.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - gtk2 - gtk3 - gtk4 - ]; -} diff --git a/modules/system/desktop/xdg-portal.nix b/modules/system/desktop/xdg-portal.nix deleted file mode 100644 index 72bcb97..0000000 --- a/modules/system/desktop/xdg-portal.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - xdg.portal = { - enable = true; - config.common.default = "*"; - # wlr.enable = true; - # xdgOpenUsePortal = true; - - extraPortals = with pkgs; [ - xdg-desktop-portal-wlr - xdg-desktop-portal-gtk - xdg-desktop-portal-gnome - ]; - }; -} diff --git a/modules/system/encryption.nix b/modules/system/encryption.nix deleted file mode 100644 index 53a24bb..0000000 --- a/modules/system/encryption.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - boot = { - initrd.availableKernelModules = [ - # "aesni_intel" - # "cryptd" - "usb_storage" - ]; - - # - kernelParams = [ - "luks.options=timeout=0" - "rd.luks.options=timeout=0" - "rootflags=x-systemd.device-timeout=0" - ]; - }; -} 
diff --git a/modules/system/gaming.nix b/modules/system/gaming.nix deleted file mode 100644 index 790a94e..0000000 --- a/modules/system/gaming.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ pkgs, ... }: -let - openFirewall = false; -in -{ - programs.steam = { - enable = true; - remotePlay.openFirewall = openFirewall; - localNetworkGameTransfers.openFirewall = openFirewall; - dedicatedServer.openFirewall = openFirewall; - extest.enable = true; - - package = pkgs.steam.override { extraEnv.MANGOHUD = true; }; - }; - - programs.gamemode = { - enable = true; - enableRenice = false; - }; - - environment.systemPackages = with pkgs; [ - mangohud - gamescope - steamtinkerlaunch - ]; -} diff --git a/modules/system/input.nix b/modules/system/input.nix deleted file mode 100644 index e9f3c45..0000000 --- a/modules/system/input.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, ... }: -{ - i18n = { - defaultLocale = "en_US.UTF-8"; - - inputMethod = { - enable = true; - type = "fcitx5"; - - fcitx5 = { - waylandFrontend = true; - - addons = with pkgs; [ - fcitx5-configtool - fcitx5-gtk - fcitx5-hangul - fcitx5-mozc - fcitx5-rime - rime-data - catppuccin-fcitx5 - ]; - }; - }; - }; -} diff --git a/modules/system/locale.nix b/modules/system/locale.nix deleted file mode 100644 index 2648b82..0000000 --- a/modules/system/locale.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ secrets, ... }: -{ - location.provider = "geoclue2"; - - time = { - timeZone = "${secrets.timezone}"; - hardwareClockInLocalTime = false; - }; -} diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix deleted file mode 100644 index ddc8d10..0000000 --- a/modules/system/networking/default.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ secrets, ... }: -{ - imports = [ - ./firewall - ./vpn - ./dhcpcd.nix - ./ipv6.nix - ./loopback.nix - ./networkmanager.nix - ./optimise.nix - ./resolved.nix - ./tor.nix - ]; - - # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2 - systemd.network.wait-online.enable = false; - boot.initrd.systemd.network.wait-online.enable = false; - - # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2 - systemd.services.NetworkManager-wait-online.enable = false; - - networking = { - hostName = "kansai"; - nftables.enable = true; - - nameservers = [ - "45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io" - "2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io" - "45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io" - "2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io" - ]; - - timeServers = [ - "0.nixos.pool.ntp.org" - "1.nixos.pool.ntp.org" - "2.nixos.pool.ntp.org" - "3.nixos.pool.ntp.org" - ]; - }; -} diff --git a/modules/system/networking/dhcpcd.nix b/modules/system/networking/dhcpcd.nix deleted file mode 100644 index f46b657..0000000 --- a/modules/system/networking/dhcpcd.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - networking.dhcpcd = { - wait = "background"; - - extraConfig = '' - noarp - nooption domain_name_servers, domain_name, domain_search, host_name - nooption ntp_servers - nohook resolv.conf, wpa_supplicant - ''; - }; -} diff --git a/modules/system/networking/firewall/default.nix b/modules/system/networking/firewall/default.nix deleted file mode 100644 index 074f398..0000000 --- a/modules/system/networking/firewall/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - imports = [ ./fail2ban.nix ]; - - networking.firewall = { - enable = true; - allowPing = false; - logReversePathDrops = true; - logRefusedConnections = false; - checkReversePath = "loose"; - }; -} 
diff --git a/modules/system/networking/firewall/fail2ban.nix b/modules/system/networking/firewall/fail2ban.nix deleted file mode 100644 index 6311b14..0000000 --- a/modules/system/networking/firewall/fail2ban.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.fail2ban = { - enable = false; - banaction = "nftables-multiport"; - banaction-allports = lib.mkDefault "nftables-allport"; - - extraPackages = with pkgs; [ - nftables - ipset - ]; - - ignoreIP = [ - "10.0.0.0/8" - "172.16.0.0/12" - "100.64.0.0/16" - "192.168.0.0/16" - ]; - }; -} diff --git a/modules/system/networking/ipv6.nix b/modules/system/networking/ipv6.nix deleted file mode 100644 index 274c1ae..0000000 --- a/modules/system/networking/ipv6.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - boot.kernel.sysctl = { - "net.ipv6.conf.enp42s0.disable_ipv6" = true; - "net.ipv6.conf.wlp4s0.disable_ipv6" = true; - "net.ipv6.conf.tun0.disable_ipv6" = true; - }; - - networking.enableIPv6 = false; -} diff --git a/modules/system/networking/loopback.nix b/modules/system/networking/loopback.nix deleted file mode 100644 index 62e745e..0000000 --- a/modules/system/networking/loopback.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, ... }: -{ - boot = { - kernelModules = [ "v4l2loopback" ]; - extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; - }; -} diff --git a/modules/system/networking/networkmanager.nix b/modules/system/networking/networkmanager.nix deleted file mode 100644 index 8672759..0000000 --- a/modules/system/networking/networkmanager.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = [ pkgs.networkmanagerapplet ]; - - networking.networkmanager = { - enable = true; - plugins = [ pkgs.networkmanager-openvpn ]; - # dns = - dns = "none"; # "systemd-resolved" - wifi.backend = "iwd"; - - unmanaged = [ - "interface-name:tailscale*" - "interface-name:br-*" - "interface-name:rndis*" - "interface-name:docker*" - "interface-name:virbr*" - "interface-name:vboxnet*" - "interface-name:waydroid*" - "type:bridge" - ]; - }; -} diff --git a/modules/system/networking/optimise.nix b/modules/system/networking/optimise.nix deleted file mode 100644 index c6f2bec..0000000 --- a/modules/system/networking/optimise.nix +++ /dev/null 
@@ -1,73 +0,0 @@
-{
- boot = {
- kernelModules = [
- "tls"
- "tcp_bbr"
- ];
-
- kernel.sysctl = {
- # TCP hardening
- # Prevent bogus ICMP errors from filling up logs.
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
- # Reverse path filtering causes the kernel to do source validation of
- # packets received from all interfaces. This can mitigate IP spoofing.
- "net.ipv4.conf.default.rp_filter" = 1;
- "net.ipv4.conf.all.rp_filter" = 1;
- # Do not accept IP source route packets (we're not a router)
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- # Don't send ICMP redirects (again, we're on a router)
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- # Refuse ICMP redirects (MITM mitigations)
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- # Protects against SYN flood attacks
- "net.ipv4.tcp_syncookies" = 1;
- # Incomplete protection again TIME-WAIT assassination
- "net.ipv4.tcp_rfc1337" = 1;
- # And other stuff
- "net.ipv4.conf.all.log_martians" = true;
- "net.ipv4.conf.default.log_martians" = true;
- "net.ipv4.icmp_echo_ignore_broadcasts" = true;
- "net.ipv6.conf.default.accept_ra" = 0;
- "net.ipv6.conf.all.accept_ra" = 0;
- "net.ipv4.tcp_timestamps" = 0;
-
- # TCP optimization
- # TCP Fast Open is a TCP extension that reduces network latency by packing
- # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
- # both incoming and outgoing connections:
- "net.ipv4.tcp_fastopen" = 3;
- # Bufferbloat mitigations + slight improvement in throughput & latency
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
-
- # Other stuff that I am too lazy to document
- "net.core.optmem_max" = 65536;
- "net.core.rmem_default" = 1048576;
- "net.core.rmem_max" = 16777216;
- "net.core.somaxconn" = 8192;
- "net.core.wmem_default" = 1048576;
- "net.core.wmem_max" = 16777216;
- "net.ipv4.ip_local_port_range" = "16384 65535";
- "net.ipv4.tcp_max_syn_backlog" = 8192;
- "net.ipv4.tcp_max_tw_buckets" = 2000000;
- "net.ipv4.tcp_mtu_probing" = 1;
- "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.ipv4.tcp_tw_reuse" = 1;
- "net.ipv4.tcp_wmem" = "4096 65536 16777216";
- "net.ipv4.udp_rmem_min" = 8192;
- "net.ipv4.udp_wmem_min" = 8192;
- "net.netfilter.nf_conntrack_generic_timeout" = 60;
- "net.netfilter.nf_conntrack_max" = 1048576;
- "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
- "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
- };
- };
-}
diff --git a/modules/system/networking/resolved.nix b/modules/system/networking/resolved.nix
deleted file mode 100644
index 82effbe..0000000
--- a/modules/system/networking/resolved.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ secrets, ... }:
-{
- services.resolved = {
- enable = false;
- dnssec = "true";
- domains = [ "~." ];
- dnsovertls = "true";
- llmnr = "false";
-
- extraConfig = ''
- DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io
- DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io
- '';
- };
-}
diff --git a/modules/system/networking/tor.nix b/modules/system/networking/tor.nix
deleted file mode 100644
index dfbfb3a..0000000
--- a/modules/system/networking/tor.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-{
- services.tor = {
- enable = true;
- torsocks.enable = true;
-
- client = {
- enable = true;
- dns.enable = true;
- };
- };
-
- programs.proxychains = {
- enable = true;
- quietMode = false;
- proxyDNS = true;
- package = pkgs.proxychains-ng;
-
- proxies = {
- tor = {
- type = "socks5";
- host = "127.0.0.1";
- port = 9050;
- };
- };
- };
-}
diff --git a/modules/system/networking/vpn/default.nix b/modules/system/networking/vpn/default.nix
deleted file mode 100644
index 92a11b0..0000000
--- a/modules/system/networking/vpn/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./pia.nix
- ./tailscale.nix
- ];
-}
diff --git a/modules/system/networking/vpn/pia.nix b/modules/system/networking/vpn/pia.nix
deleted file mode 100644
index d52dbf8..0000000
--- a/modules/system/networking/vpn/pia.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ secrets, ... }:
-{
- services.pia = {
- enable = true;
-
- authUserPass = {
- inherit (secrets.pia) username password;
- };
- };
-}
diff --git a/modules/system/networking/vpn/tailscale.nix b/modules/system/networking/vpn/tailscale.nix
deleted file mode 100644
index 21f471a..0000000
--- a/modules/system/networking/vpn/tailscale.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, ... }:
-{
- networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
-
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- };
-
- #
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
-}
diff --git a/modules/system/programs.nix b/modules/system/programs.nix
deleted file mode 100644
index a1025fb..0000000
--- a/modules/system/programs.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- programs = {
- fish.enable = true;
- mtr.enable = true;
- dconf.enable = true;
- ccache.enable = true;
- fuse.userAllowOther = true;
-
- bash.interactiveShellInit = ''
- export HISTFILE="$XDG_STATE_HOME/bash/history"
- '';
- };
-
- environment.systemPackages = with pkgs; [
- vim
- wget
- git
- pinentry
- runc
- ];
-}
diff --git a/modules/system/services/adb.nix b/modules/system/services/adb.nix
deleted file mode 100644
index d106ead..0000000
--- a/modules/system/services/adb.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ pkgs, ... }:
-{
- programs.adb.enable = true;
-
- services.udev = {
- packages = [ pkgs.android-udev-rules ];
-
- extraRules = ''
- SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers"
- '';
- };
-}
diff --git a/modules/system/services/ananicy.nix b/modules/system/services/ananicy.nix
deleted file mode 100644
index bdc9bbd..0000000
--- a/modules/system/services/ananicy.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-{
- services.ananicy = {
- enable = false;
- package = pkgs.ananicy-cpp;
- rulesProvider = pkgs.ananicy-rules-cachyos;
- };
-}
diff --git a/modules/system/services/dbus.nix b/modules/system/services/dbus.nix
deleted file mode 100644
index 8b25bf9..0000000
--- a/modules/system/services/dbus.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-{
- services.dbus = {
- enable = true;
- implementation = "broker";
-
- packages = with pkgs; [
- dconf
- gcr
- udisks2
- # flatpak
- # xdg-desktop-portal
- ];
- };
-}
diff --git a/modules/system/services/default.nix b/modules/system/services/default.nix
deleted file mode 100644
index f126f62..0000000
--- a/modules/system/services/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- imports = [
- # ./adb.nix
- ./ananicy.nix
- ./dbus.nix
- ./libinput.nix
- ./ollama.nix
- # ./printing.nix
- ./xserver.nix
- ];
-
- services = {
- printing.enable = false;
- gnome.gnome-keyring.enable = true;
- fstrim.enable = false;
- gvfs.enable = true;
- udev.packages = with pkgs; [ pkgs.logitech-udev-rules ];
- thermald.enable = true;
- irqbalance.enable = true;
- };
-}
diff --git a/modules/system/services/libinput.nix b/modules/system/services/libinput.nix
deleted file mode 100644
index 643f814..0000000
--- a/modules/system/services/libinput.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- services.libinput = {
- enable = true;
-
- mouse = {
- accelProfile = "flat";
- };
-
- touchpad = {
- accelProfile = "flat";
- };
- };
-}
diff --git a/modules/system/services/ollama.nix b/modules/system/services/ollama.nix
deleted file mode 100644
index d737250..0000000
--- a/modules/system/services/ollama.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- services.ollama = {
- enable = true;
- acceleration = "cuda";
- };
-}
diff --git a/modules/system/services/printing.nix b/modules/system/services/printing.nix
deleted file mode 100644
index f7a38de..0000000
--- a/modules/system/services/printing.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
- services = {
- printing = {
- enable = true;
-
- drivers = with pkgs; [
- gutenprint
- hplip
- ];
- };
-
- avahi = {
- enable = true;
- nssmdns4 = true;
- openFirewall = true;
- };
- };
-}
diff --git a/modules/system/services/xserver.nix b/modules/system/services/xserver.nix
deleted file mode 100644
index e08ac04..0000000
--- a/modules/system/services/xserver.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- services.xserver = {
- xkb.layout = "us";
- videoDrivers = [ "nvidia" ];
- };
-}
diff --git a/modules/system/systemd.nix b/modules/system/systemd.nix
deleted file mode 100644
index 9ecb5b2..0000000
--- a/modules/system/systemd.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
- # boot.initrd.systemd.enable = true;
-
- systemd.services.containerd.path = with pkgs; [
- containerd
- runc
- iptables
- nvidia-docker
- ];
-}
diff --git a/modules/system/users.nix b/modules/system/users.nix
deleted file mode 100644
index 4055353..0000000
--- a/modules/system/users.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ pkgs, ... }:
-let
- initialPassword = "123456";
-in
-{
- users.users = {
- root = {
- inherit initialPassword;
-
- shell = pkgs.bash;
- };
-
- ebisu = {
- inherit initialPassword;
-
- isNormalUser = true;
- shell = pkgs.fish;
-
- extraGroups = [
- "wheel"
- "systemd-journal"
- "audio"
- "video"
- "input"
- "plugdev"
- "lp"
- "tss"
- "power"
- "nix"
- "network"
- "networkmanager"
- "wireshark"
- "mysql"
- "docker"
- "podman"
- "git"
- "libvirtd"
- "kvm"
- ];
- };
- };
-}
diff --git a/modules/system/variables.nix b/modules/system/variables.nix
deleted file mode 100644
index 7e9b794..0000000
--- a/modules/system/variables.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{
- environment.variables = {
- # OpenGL
- __GL_GSYNC_ALLOWED = "1";
- __GL_VRR_ALLOWED = "0";
- __GL_MaxFramesAllowed = "1";
-
- # Java
- _JAVA_AWT_WM_NONREPARENTING = "1";
-
- # Qt
- QT_AUTO_SCREEN_SCALE_FACTOR = "1";
- QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
- QT_QPA_PLATFORM = "wayland;xcb";
- DISABLE_QT5_COMPAT = "0";
- DISABLE_QT_COMPAT = "0";
- QT_QPA_PLATFORMTHEME = "qt5ct";
- # QT_STYLE_OVERRIDE = "kvantum";
-
- # Electron
- # ELECTRON_OZONE_PLATFORM_HINT = "auto";
- # OZONE_PLATFORM = "wayland";
- NIXOS_OZONE_WL = "1";
-
- # Proton
- PROTON_ENABLE_NGX_UPDATER = "1";
-
- # wlroots
- WLR_NO_HARDWARE_CURSORS = "1";
- WLR_DRM_NO_ATOMIC = "1";
- WLR_USE_LIBINPUT = "1";
- WLR_RENDERER_ALLOW_SOFTWARE = "1";
- WLR_DRM_DEVICES = "/dev/dri/card0";
- WLR_EGL_NO_MODIFIERS = "1";
- WLR_BACKEND = "vulkan";
- WLR_RENDERER = "vulkan";
-
- # Mozilla
- MOZ_ENABLE_WAYLAND = "1";
- MOZ_DISABLE_RDD_SANDBOX = "1";
-
- # Nvidia
- LIBVA_DRIVER_NAME = "nvidia";
- __GLX_VENDOR_LIBRARY_NAME = "nvidia";
- GBM_BACKEND = "nvidia-drm";
- __VK_LAYER_NV_optimus = "NVIDIA_only";
- __NV_PRIME_RENDER_OFFLOAD = "1";
- NVD_BACKEND = "direct";
-
- # Fcitx
- # https://fcitx-im.org/wiki/Using_Fcitx_5_on_Wayland
- QT_IM_MODULE = "fcitx";
- XMODIFIERS = "@im=fcitx";
- # GTK_IM_MODULE = "wayland";
- # GTK_IM_MODULE = "fcitx";
- SDL_IM_MODULE = "fcitx";
- GLFW_IM_MODULE = "ibus";
- INPUT_METHOD = "fcitx";
- CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
-
- # Other Wayland
- GDK_BACKEND = "wayland,x11,*";
- SDL_VIDEODRIVER = "wayland";
- CLUTTER_BACKEND = "wayland";
- XWAYLAND_NO_GLAMOR = "1"; # Gamescope
- ANKI_WAYLAND = "1";
- XDG_SESSION_TYPE = "wayland";
-
- # Other
- GTK_USE_PORTAL = "1";
- DIRENV_LOG_FORMAT = "";
- SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh";
- };
-}
-- cgit v1.2.3