From fcddd3ba06088e235243d41395e40fd9e0107a76 Mon Sep 17 00:00:00 2001 
From: Fuwn Date: Tue, 1 Oct 2024 06:02:50 -0700 Subject: modules: move shared pc modules from desktop to pc --- modules/desktop/default.nix | 2 - modules/desktop/hardware/bluetooth.nix | 19 --- modules/desktop/hardware/cpu.nix | 21 --- modules/desktop/hardware/default.nix | 14 -- modules/desktop/hardware/tpm.nix | 18 --- modules/desktop/hardware/usb.nix | 10 -- modules/desktop/hardware/yubikey.nix | 18 --- modules/desktop/networking/default.nix | 13 -- modules/desktop/networking/dhcpcd.nix | 12 -- modules/desktop/networking/i2p.nix | 2 +- modules/desktop/networking/loopback.nix | 7 - modules/desktop/networking/networkmanager.nix | 22 --- modules/desktop/networking/optimise.nix | 73 --------- modules/desktop/networking/pia.nix | 10 -- modules/desktop/networking/upnp.nix | 12 -- modules/desktop/security/apparmor.nix | 22 --- modules/desktop/security/audit.nix | 17 --- modules/desktop/security/default.nix | 19 --- modules/desktop/security/doas.nix | 13 -- modules/desktop/security/kernel.nix | 160 -------------------- modules/desktop/security/pam.nix | 50 ------- modules/desktop/security/polkit.nix | 7 - modules/desktop/security/sudo.nix | 75 ---------- modules/desktop/software/access/default.nix | 6 - modules/desktop/software/access/gnupg.nix | 18 --- modules/desktop/software/access/ssh.nix | 11 -- modules/desktop/software/default.nix | 29 +--- modules/desktop/software/desktop/default.nix | 6 - modules/desktop/software/desktop/gtk.nix | 8 - modules/desktop/software/desktop/xdg-portal.nix | 15 -- modules/desktop/software/encryption.nix | 16 -- modules/desktop/software/input.nix | 23 --- modules/desktop/software/locale.nix | 4 - .../desktop/software/multimedia/audio/default.nix | 6 - .../desktop/software/multimedia/audio/pipewire.nix | 164 --------------------- .../software/multimedia/audio/wireplumber.nix | 42 ------ modules/desktop/software/multimedia/default.nix | 6 - .../desktop/software/multimedia/video/default.nix | 11 -- 
.../desktop/software/multimedia/video/graphics.nix | 21 --- .../desktop/software/multimedia/video/libva.nix | 7 - .../desktop/software/multimedia/video/nvidia.nix | 38 ----- .../desktop/software/multimedia/video/vulkan.nix | 9 -- modules/desktop/software/services/adb.nix | 12 -- modules/desktop/software/services/ananicy.nix | 8 - modules/desktop/software/services/dbus.nix | 15 -- modules/desktop/software/services/default.nix | 18 +-- modules/desktop/software/services/libinput.nix | 10 +- modules/desktop/software/services/logrotate.nix | 24 --- modules/desktop/software/services/printing.nix | 19 --- modules/desktop/software/services/xserver.nix | 10 -- modules/desktop/software/shell.nix | 7 - modules/desktop/software/users.nix | 46 ------ modules/desktop/software/video/default.nix | 7 + modules/desktop/software/video/graphics.nix | 21 +++ modules/desktop/software/video/libva.nix | 7 + modules/desktop/software/video/nvidia.nix | 38 +++++ modules/desktop/variables/default.nix | 9 -- modules/desktop/variables/fcitx.nix | 13 -- modules/pc/default.nix | 13 +- modules/pc/hardware/bluetooth.nix | 19 +++ modules/pc/hardware/cpu.nix | 21 +++ modules/pc/hardware/default.nix | 14 ++ modules/pc/hardware/tpm.nix | 18 +++ modules/pc/hardware/usb.nix | 10 ++ modules/pc/hardware/yubikey.nix | 18 +++ modules/pc/locale.nix | 10 ++ modules/pc/networking/default.nix | 17 +++ modules/pc/networking/dhcpcd.nix | 12 ++ modules/pc/networking/loopback.nix | 7 + modules/pc/networking/networkmanager.nix | 22 +++ modules/pc/networking/optimise.nix | 73 +++++++++ modules/pc/networking/pia.nix | 10 ++ modules/pc/networking/upnp.nix | 12 ++ modules/pc/security/apparmor.nix | 22 +++ modules/pc/security/audit.nix | 17 +++ modules/pc/security/default.nix | 19 +++ modules/pc/security/doas.nix | 13 ++ modules/pc/security/kernel.nix | 160 ++++++++++++++++++++ modules/pc/security/pam.nix | 50 +++++++ modules/pc/security/polkit.nix | 7 + modules/pc/security/sudo.nix | 75 ++++++++++ 
modules/pc/software/access/default.nix | 6 + modules/pc/software/access/gnupg.nix | 18 +++ modules/pc/software/access/ssh.nix | 11 ++ modules/pc/software/default.nix | 34 +++++ modules/pc/software/desktop/default.nix | 6 + modules/pc/software/desktop/gtk.nix | 8 + modules/pc/software/desktop/xdg-portal.nix | 15 ++ modules/pc/software/encryption.nix | 16 ++ modules/pc/software/input.nix | 23 +++ modules/pc/software/multimedia/audio/default.nix | 6 + modules/pc/software/multimedia/audio/pipewire.nix | 164 +++++++++++++++++++++ .../pc/software/multimedia/audio/wireplumber.nix | 42 ++++++ modules/pc/software/multimedia/default.nix | 6 + modules/pc/software/multimedia/video/default.nix | 9 ++ modules/pc/software/multimedia/video/vulkan.nix | 9 ++ modules/pc/software/multimedia/video/xserver.nix | 6 + modules/pc/software/services/adb.nix | 12 ++ modules/pc/software/services/ananicy.nix | 8 + modules/pc/software/services/dbus.nix | 15 ++ modules/pc/software/services/default.nix | 22 +++ modules/pc/software/services/logrotate.nix | 24 +++ modules/pc/software/services/printing.nix | 19 +++ modules/pc/software/shell.nix | 7 + modules/pc/software/users.nix | 46 ++++++ modules/pc/variables/default.nix | 11 ++ modules/pc/variables/fcitx.nix | 13 ++ 107 files changed, 1269 insertions(+), 1246 deletions(-) delete mode 100644 modules/desktop/hardware/bluetooth.nix delete mode 100644 modules/desktop/hardware/cpu.nix delete mode 100644 modules/desktop/hardware/default.nix delete mode 100644 modules/desktop/hardware/tpm.nix delete mode 100644 modules/desktop/hardware/usb.nix delete mode 100644 modules/desktop/hardware/yubikey.nix delete mode 100644 modules/desktop/networking/dhcpcd.nix delete mode 100644 modules/desktop/networking/loopback.nix delete mode 100644 modules/desktop/networking/networkmanager.nix delete mode 100644 modules/desktop/networking/optimise.nix delete mode 100644 modules/desktop/networking/pia.nix delete mode 100644 modules/desktop/networking/upnp.nix delete mode 
100644 modules/desktop/security/apparmor.nix delete mode 100644 modules/desktop/security/audit.nix delete mode 100644 modules/desktop/security/default.nix delete mode 100644 modules/desktop/security/doas.nix delete mode 100644 modules/desktop/security/kernel.nix delete mode 100644 modules/desktop/security/pam.nix delete mode 100644 modules/desktop/security/polkit.nix delete mode 100644 modules/desktop/security/sudo.nix delete mode 100644 modules/desktop/software/access/default.nix delete mode 100644 modules/desktop/software/access/gnupg.nix delete mode 100644 modules/desktop/software/access/ssh.nix delete mode 100644 modules/desktop/software/desktop/default.nix delete mode 100644 modules/desktop/software/desktop/gtk.nix delete mode 100644 modules/desktop/software/desktop/xdg-portal.nix delete mode 100644 modules/desktop/software/encryption.nix delete mode 100644 modules/desktop/software/input.nix delete mode 100644 modules/desktop/software/locale.nix delete mode 100644 modules/desktop/software/multimedia/audio/default.nix delete mode 100644 modules/desktop/software/multimedia/audio/pipewire.nix delete mode 100644 modules/desktop/software/multimedia/audio/wireplumber.nix delete mode 100644 modules/desktop/software/multimedia/default.nix delete mode 100644 modules/desktop/software/multimedia/video/default.nix delete mode 100644 modules/desktop/software/multimedia/video/graphics.nix delete mode 100644 modules/desktop/software/multimedia/video/libva.nix delete mode 100644 modules/desktop/software/multimedia/video/nvidia.nix delete mode 100644 modules/desktop/software/multimedia/video/vulkan.nix delete mode 100644 modules/desktop/software/services/adb.nix delete mode 100644 modules/desktop/software/services/ananicy.nix delete mode 100644 modules/desktop/software/services/dbus.nix delete mode 100644 modules/desktop/software/services/logrotate.nix delete mode 100644 modules/desktop/software/services/printing.nix delete mode 100644 
modules/desktop/software/services/xserver.nix delete mode 100644 modules/desktop/software/shell.nix delete mode 100644 modules/desktop/software/users.nix create mode 100644 modules/desktop/software/video/default.nix create mode 100644 modules/desktop/software/video/graphics.nix create mode 100644 modules/desktop/software/video/libva.nix create mode 100644 modules/desktop/software/video/nvidia.nix delete mode 100644 modules/desktop/variables/fcitx.nix create mode 100644 modules/pc/hardware/bluetooth.nix create mode 100644 modules/pc/hardware/cpu.nix create mode 100644 modules/pc/hardware/default.nix create mode 100644 modules/pc/hardware/tpm.nix create mode 100644 modules/pc/hardware/usb.nix create mode 100644 modules/pc/hardware/yubikey.nix create mode 100644 modules/pc/locale.nix create mode 100644 modules/pc/networking/default.nix create mode 100644 modules/pc/networking/dhcpcd.nix create mode 100644 modules/pc/networking/loopback.nix create mode 100644 modules/pc/networking/networkmanager.nix create mode 100644 modules/pc/networking/optimise.nix create mode 100644 modules/pc/networking/pia.nix create mode 100644 modules/pc/networking/upnp.nix create mode 100644 modules/pc/security/apparmor.nix create mode 100644 modules/pc/security/audit.nix create mode 100644 modules/pc/security/default.nix create mode 100644 modules/pc/security/doas.nix create mode 100644 modules/pc/security/kernel.nix create mode 100644 modules/pc/security/pam.nix create mode 100644 modules/pc/security/polkit.nix create mode 100644 modules/pc/security/sudo.nix create mode 100644 modules/pc/software/access/default.nix create mode 100644 modules/pc/software/access/gnupg.nix create mode 100644 modules/pc/software/access/ssh.nix create mode 100644 modules/pc/software/default.nix create mode 100644 modules/pc/software/desktop/default.nix create mode 100644 modules/pc/software/desktop/gtk.nix create mode 100644 modules/pc/software/desktop/xdg-portal.nix create mode 100644 
modules/pc/software/encryption.nix
 create mode 100644 modules/pc/software/input.nix
 create mode 100644 modules/pc/software/multimedia/audio/default.nix
 create mode 100644 modules/pc/software/multimedia/audio/pipewire.nix
 create mode 100644 modules/pc/software/multimedia/audio/wireplumber.nix
 create mode 100644 modules/pc/software/multimedia/default.nix
 create mode 100644 modules/pc/software/multimedia/video/default.nix
 create mode 100644 modules/pc/software/multimedia/video/vulkan.nix
 create mode 100644 modules/pc/software/multimedia/video/xserver.nix
 create mode 100644 modules/pc/software/services/adb.nix
 create mode 100644 modules/pc/software/services/ananicy.nix
 create mode 100644 modules/pc/software/services/dbus.nix
 create mode 100644 modules/pc/software/services/default.nix
 create mode 100644 modules/pc/software/services/logrotate.nix
 create mode 100644 modules/pc/software/services/printing.nix
 create mode 100644 modules/pc/software/shell.nix
 create mode 100644 modules/pc/software/users.nix
 create mode 100644 modules/pc/variables/default.nix
 create mode 100644 modules/pc/variables/fcitx.nix 
(limited to 'modules') 
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix 
index 1e5a9ac..03879b4 100644 
--- a/modules/desktop/default.nix 
+++ b/modules/desktop/default.nix 
@@ -1,9 +1,7 @@
 { config, self, ... }:
 {
 imports = [ 
- ./hardware
 ./networking 
- ./security
 ./software
 ./variables
 ./virtualisation 
diff --git a/modules/desktop/hardware/bluetooth.nix b/modules/desktop/hardware/bluetooth.nix 
deleted file mode 100644 
index 9737504..0000000 
--- a/modules/desktop/hardware/bluetooth.nix 
+++ /dev/null 
@@ -1,19 +0,0 @@ 
-{ pkgs, ... }: 
-{ 
- boot.kernelParams = [ "btusb" ]; 
- services.blueman.enable = true; 
- 
- hardware.bluetooth = { 
- enable = true; 
- powerOnBoot = true; 
- package = pkgs.bluez5-experimental; 
- disabledPlugins = [ "sap" ]; 
- # hsphfpd.enable = true; 
- 
- settings.General = { 
- JustWorksRepairing = "always"; 
- MultiProfile = "multiple"; 
- Experimental = true; 
- }; 
- }; 
-} 
diff --git a/modules/desktop/hardware/cpu.nix b/modules/desktop/hardware/cpu.nix 
deleted file mode 100644 
index 1ac3a27..0000000 
--- a/modules/desktop/hardware/cpu.nix 
+++ /dev/null 
@@ -1,21 +0,0 @@ 
-{ pkgs, config, ... }: 
-{ 
- environment.systemPackages = [ pkgs.amdctl ]; 
- 
- powerManagement = { 
- enable = true; 
- cpuFreqGovernor = "performance"; 
- }; 
- 
- boot = { 
- kernelModules = [ 
- # "kvm-amd" 
- "amd-pstate" 
- "zenpower" 
- "msr" 
- ]; 
- 
- kernelParams = [ "amd_iommu=on" ]; 
- extraModulePackages = [ config.boot.kernelPackages.zenpower ]; 
- }; 
-} 
diff --git a/modules/desktop/hardware/default.nix b/modules/desktop/hardware/default.nix 
deleted file mode 100644 
index 167e7c7..0000000 
--- a/modules/desktop/hardware/default.nix 
+++ /dev/null 
@@ -1,14 +0,0 @@ 
-{ 
- imports = [ 
- ./cpu.nix 
- ./bluetooth.nix 
- ./usb.nix 
- ./tpm.nix 
- ./yubikey.nix 
- ]; 
- 
- hardware = { 
- enableRedistributableFirmware = true; 
- enableAllFirmware = true; 
- }; 
-} 
diff --git a/modules/desktop/hardware/tpm.nix b/modules/desktop/hardware/tpm.nix 
deleted file mode 100644 
index b84551e..0000000 
--- a/modules/desktop/hardware/tpm.nix 
+++ /dev/null 
@@ -1,18 +0,0 @@ 
-{ pkgs, ... }: 
-{ 
- security.tpm2 = { 
- enable = true; 
- applyUdevRules = true; 
- abrmd.enable = true; 
- tctiEnvironment.enable = true; 
- pkcs11.enable = true; 
- }; 
- 
- environment.systemPackages = with pkgs; [ 
- tpm2-tools 
- tpm2-tss 
- tpm2-abrmd 
- ]; 
- 
- boot.kernelModules = [ "uhid" ]; 
-} 
diff --git a/modules/desktop/hardware/usb.nix b/modules/desktop/hardware/usb.nix 
deleted file mode 100644 
index f697761..0000000 
--- a/modules/desktop/hardware/usb.nix 
+++ /dev/null 
@@ -1,10 +0,0 @@ 
-{ pkgs, ... }: 
-{ 
- environment.systemPackages = with pkgs; [ 
- usbutils 
- lm_sensors 
- pciutils 
- ]; 
- 
- boot.kernelParams = [ "usbcore.autosuspend=-1" ]; 
-} 
diff --git a/modules/desktop/hardware/yubikey.nix b/modules/desktop/hardware/yubikey.nix 
deleted file mode 100644 
index 6bd4a5c..0000000 
--- a/modules/desktop/hardware/yubikey.nix 
+++ /dev/null 
@@ -1,18 +0,0 @@ 
-{ pkgs, ... }: 
-{ 
- hardware.gpgSmartcards.enable = true; 
- 
- services = { 
- pcscd.enable = true; 
- udev.packages = [ pkgs.yubikey-personalization ]; 
- }; 
- 
- environment.systemPackages = with pkgs; [ 
- yubikey-manager 
- yubikey-manager-qt 
- yubikey-personalization 
- yubikey-personalization-gui 
- yubico-piv-tool 
- yubioath-flutter 
- ]; 
-} 
diff --git a/modules/desktop/networking/default.nix b/modules/desktop/networking/default.nix 
index e6f5b03..d91b90d 100644 
--- a/modules/desktop/networking/default.nix 
+++ b/modules/desktop/networking/default.nix 
@@ -1,21 +1,8 @@
 {
 imports = [
 ./caddy.nix 
- ./dhcpcd.nix
 ./i2p.nix
 ./ipv6.nix 
- ./loopback.nix 
- ./networkmanager.nix 
- ./optimise.nix 
- ./pia.nix
 ./tor.nix 
- ./upnp.nix
 ]; 
- 
- # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2 
- systemd.network.wait-online.enable = false; 
- boot.initrd.systemd.network.wait-online.enable = false; 
- 
- # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2 
- systemd.services.NetworkManager-wait-online.enable = false;
 } 
diff --git a/modules/desktop/networking/dhcpcd.nix b/modules/desktop/networking/dhcpcd.nix 
deleted file mode 100644 
index f46b657..0000000 
--- a/modules/desktop/networking/dhcpcd.nix 
+++ /dev/null 
@@ -1,12 +0,0 @@ 
-{ 
- networking.dhcpcd = { 
- wait = "background"; 
- 
- extraConfig = '' 
- noarp 
- nooption domain_name_servers, domain_name, domain_search, host_name 
- nooption ntp_servers 
- nohook resolv.conf, wpa_supplicant 
- ''; 
- }; 
-} 
diff --git a/modules/desktop/networking/i2p.nix b/modules/desktop/networking/i2p.nix 
index 8bca73e..92fb657 100644 
--- a/modules/desktop/networking/i2p.nix 
+++ b/modules/desktop/networking/i2p.nix 
@@ -1,5 +1,5 @@
 { 
- # https://voidcruiser.nl/rambles/i2p-on-nixos/ 
+ #
 containers.i2pd = {
 autoStart = true; 
diff --git a/modules/desktop/networking/loopback.nix b/modules/desktop/networking/loopback.nix 
deleted file mode 100644 
index 62e745e..0000000 
--- a/modules/desktop/networking/loopback.nix 
+++ /dev/null 
@@ -1,7 +0,0 @@ 
-{ config, ... }: 
-{ 
- boot = { 
- kernelModules = [ "v4l2loopback" ]; 
- extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; 
- }; 
-} 
diff --git a/modules/desktop/networking/networkmanager.nix b/modules/desktop/networking/networkmanager.nix 
deleted file mode 100644 
index 7ef0e04..0000000 
--- a/modules/desktop/networking/networkmanager.nix 
+++ /dev/null 
@@ -1,22 +0,0 @@ 
-{ pkgs, ... }: 
-{ 
- environment.systemPackages = [ pkgs.networkmanagerapplet ]; 
- 
- networking.networkmanager = { 
- enable = true; 
- plugins = [ pkgs.networkmanager-openvpn ]; 
- dns = "none"; # "systemd-resolved" 
- wifi.backend = "iwd"; 
- 
- unmanaged = [ 
- "interface-name:tailscale*" 
- "interface-name:br-*" 
- "interface-name:rndis*" 
- "interface-name:docker*" 
- "interface-name:virbr*" 
- "interface-name:vboxnet*" 
- "interface-name:waydroid*" 
- "type:bridge" 
- ]; 
- }; 
-} 
diff --git a/modules/desktop/networking/optimise.nix b/modules/desktop/networking/optimise.nix 
deleted file mode 100644 
index c6f2bec..0000000 
--- a/modules/desktop/networking/optimise.nix 
+++ /dev/null 
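Review bot: The new side of the i2p.nix hunk replaces the reference comment with a bare `#`, which leaves a comment line that says nothing; either delete the line or keep a one-line pointer to what follows, e.g. `# i2pd runs in a NixOS container (containers.i2pd below)`. If the link was dropped because it no longer resolves, a sentence in the commit message would explain the change better than an empty comment. The containers.i2pd definition continues past the end of the hunk.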
@@ -1,73 +0,0 @@ -{ - boot = { - kernelModules = [ - "tls" - "tcp_bbr" - ]; - - kernel.sysctl = { - # TCP hardening - # Prevent bogus ICMP errors from filling up logs. - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # Reverse path filtering causes the kernel to do source validation of - # packets received from all interfaces. This can mitigate IP spoofing. - "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets (we're not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're on a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - # And other stuff - "net.ipv4.conf.all.log_martians" = true; - "net.ipv4.conf.default.log_martians" = true; - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - "net.ipv6.conf.default.accept_ra" = 0; - "net.ipv6.conf.all.accept_ra" = 0; - "net.ipv4.tcp_timestamps" = 0; - - # TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. 
Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; - - # Other stuff that I am too lazy to document - "net.core.optmem_max" = 65536; - "net.core.rmem_default" = 1048576; - "net.core.rmem_max" = 16777216; - "net.core.somaxconn" = 8192; - "net.core.wmem_default" = 1048576; - "net.core.wmem_max" = 16777216; - "net.ipv4.ip_local_port_range" = "16384 65535"; - "net.ipv4.tcp_max_syn_backlog" = 8192; - "net.ipv4.tcp_max_tw_buckets" = 2000000; - "net.ipv4.tcp_mtu_probing" = 1; - "net.ipv4.tcp_rmem" = "4096 1048576 2097152"; - "net.ipv4.tcp_slow_start_after_idle" = 0; - "net.ipv4.tcp_tw_reuse" = 1; - "net.ipv4.tcp_wmem" = "4096 65536 16777216"; - "net.ipv4.udp_rmem_min" = 8192; - "net.ipv4.udp_wmem_min" = 8192; - "net.netfilter.nf_conntrack_generic_timeout" = 60; - "net.netfilter.nf_conntrack_max" = 1048576; - "net.netfilter.nf_conntrack_tcp_timeout_established" = 600; - "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1; - }; - }; -} diff --git a/modules/desktop/networking/pia.nix b/modules/desktop/networking/pia.nix deleted file mode 100644 index d52dbf8..0000000 --- a/modules/desktop/networking/pia.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ secrets, ... }: -{ - services.pia = { - enable = true; - - authUserPass = { - inherit (secrets.pia) username password; - }; - }; -} diff --git a/modules/desktop/networking/upnp.nix b/modules/desktop/networking/upnp.nix deleted file mode 100644 index 998592a..0000000 --- a/modules/desktop/networking/upnp.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - services.miniupnpd = { - enable = true; - natpmp = true; - externalInterface = "enp42s0"; - - internalIPs = [ - "enp42s0" - "wlan0" - ]; - }; -} diff --git a/modules/desktop/security/apparmor.nix b/modules/desktop/security/apparmor.nix deleted file mode 100644 index 170838c..0000000 
--- a/modules/desktop/security/apparmor.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - apparmor-pam - apparmor-utils - apparmor-parser - apparmor-profiles - apparmor-bin-utils - apparmor-kernel-patches - libapparmor - ]; - - services.dbus.apparmor = "enabled"; - - security.apparmor = { - enable = true; - enableCache = true; - killUnconfinedConfinables = true; - packages = [ pkgs.apparmor-profiles ]; - policies.dummy.profile = "/dummy { }"; - }; -} diff --git a/modules/desktop/security/audit.nix b/modules/desktop/security/audit.nix deleted file mode 100644 index 9922213..0000000 --- a/modules/desktop/security/audit.nix +++ /dev/null @@ -1,17 +0,0 @@ -let - enable = false; -in -{ - security = { - auditd.enable = enable; - - audit = { - inherit enable; - - rules = [ - "-a exit,always -F arch=b64 -S execve" - "-a exit,always -F arch=b32 -S execve" - ]; - }; - }; -} diff --git a/modules/desktop/security/default.nix b/modules/desktop/security/default.nix deleted file mode 100644 index c1c084c..0000000 --- a/modules/desktop/security/default.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, ... }: -{ - imports = [ - ./apparmor.nix - ./audit.nix - ./doas.nix - ./kernel.nix - ./pam.nix - ./polkit.nix - ./sudo.nix - ]; - - security = { - rtkit.enable = lib.modules.mkForce config.services.pipewire.enable; - virtualisation.flushL1DataCache = "always"; - }; - - programs.firejail.enable = true; -} diff --git a/modules/desktop/security/doas.nix b/modules/desktop/security/doas.nix deleted file mode 100644 index af717ca..0000000 --- a/modules/desktop/security/doas.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - security.doas = { - enable = true; - extraRules = [ - { - keepEnv = true; - # persist = true; - noPass = true; - users = [ "ebisu" ]; - } - ]; - }; -} diff --git a/modules/desktop/security/kernel.nix b/modules/desktop/security/kernel.nix deleted file mode 100644 index 62b2f28..0000000 
--- a/modules/desktop/security/kernel.nix +++ /dev/null 
@@ -1,160 +0,0 @@ -{ lib, ... }: -{ - boot = { - # https://docs.kernel.org/admin-guide/sysctl/vm.html - kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = lib.mkForce 0; - - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - # FIXME: this breaks game launchers, find a way to launch them with privileges (steam) - # gamescope wrapped with the capabilities *might* solve the issue - # spoiler: it didn't - # "kernel.yama.ptrace_scope" = 2; - - # Hide kptrs even for processes with CAP_SYSLOG - # also prevents printing kernel pointers - "kernel.kptr_restrict" = 2; - - # Disable bpf() JIT (to eliminate spray attacks) - "net.core.bpf_jit_enable" = false; - - # Disable ftrace debugging - "kernel.ftrace_enabled" = false; - - # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
- "kernel.dmesg_restrict" = 1; - - # Prevent creating files in potentially attacker-controlled environments such - # as world-writable directories to make data spoofing attacks more difficult - "fs.protected_fifos" = 2; - - # Prevent unintended writes to already-created files - "fs.protected_regular" = 2; - - # Disable SUID binary dump - "fs.suid_dumpable" = 0; - - # Prevent unprivileged users from creating hard or symbolic links to files - "fs.protected_symlinks" = 1; - "fs.protected_hardlinks" = 1; - - # Disable late module loading - # "kernel.modules_disabled" = 1; - - # Disallow profiling at all levels without CAP_SYS_ADMIN - "kernel.perf_event_paranoid" = 3; - - # Require CAP_BPF to use bpf - "kernel.unprivileged_bpf_disabled" = true; - - # Prevent boot console kernel log information leaks - "kernel.printk" = "3 3 3 3"; - - # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to - # prevent unprivileged attackers from loading vulnerable line disciplines with - # the TIOCSETD ioctl - "dev.tty.ldisc_autoload" = 0; - - # Kexec allows replacing the current running kernel. There may be an edge case where - # you wish to boot into a different kernel, but I do not require kexec. Disabling it - # patches a potential security hole in our system. - "kernel.kexec_load_disabled" = true; - - # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those - # options do, it is up you to educate yourself dear reader. - # See: - # - - # - - "vm.mmap_rnd_bits" = 32; - "vm.mmap_min_addr" = 65536; - }; - - # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html - kernelParams = [ - # I'm sure we break hibernation in at least 5 other sections of this config, so - # let's disable hibernation explicitly. Allowing hibernation makes it possible - # to replace the booted kernel with a malicious one, akin to kexec. This helps - # us prevent an attack called "Evil Maid" where an attacker with physical access - # to the device. 
P.S. I chose to mention "Evil Maid" specifically because it sounds - # funny. Do not think that is the only attack you are vulnerable to. - # See: - "nohibernate" - - # make stack-based attacks on the kernel harder - "randomize_kstack_offset=on" - - # Disable vsyscalls as they are obsolete and have been replaced with vDSO. - # vsyscalls are also at fixed addresses in memory, making them a potential - # target for ROP attacks - # this breaks really old binaries for security - "vsyscall=none" - - # reduce most of the exposure of a heap attack to a single cache - # Disable slab merging which significantly increases the difficulty of heap - # exploitation by preventing overwriting objects from merged caches and by - # making it harder to influence slab cache layout - "slab_nomerge" - - # Disable debugfs which exposes a lot of sensitive information about the - # kernel. Some programs, such as powertop, use this interface to gather - # information about the system, but it is not necessary for the system to - # actually publish those. I can live without it. - "debugfs=off" - - # Sometimes certain kernel exploits will cause what is known as an "oops". - # This parameter will cause the kernel to panic on such oopses, thereby - # preventing those exploits - "oops=panic" - - # Only allow kernel modules that have been signed with a valid key to be - # loaded, which increases security by making it much harder to load a - # malicious kernel module - "module.sig_enforce=1" - - # The kernel lockdown LSM can eliminate many methods that user space code - # could abuse to escalate to kernel privileges and extract sensitive - # information. 
This LSM is necessary to implement a clear security boundary - # between user space and the kernel - # integrity: kernel features that allow userland to modify the running kernel - # are disabled - # confidentiality: kernel features that allow userland to extract confidential - # information from the kernel are also disabled - # ArchWiki recommends opting in for "integrity", however since we avoid modifying - # running kernel (by the virtue of using NixOS and locking module hot-loading) the - # confidentiality mode is a better solution. - "lockdown=confidentiality" - - # enable buddy allocator free poisoning - # on: memory will befilled with a specific byte pattern - # that is unlikely to occur in normal operation. - # off (default): page poisoning will be disabled - "page_poison=on" - - # performance improvement for direct-mapped memory-side-cache utilization - # reduces the predictability of page allocations - "page_alloc.shuffle=1" - - # for debugging kernel-level slab issues - "slub_debug=FZP" - - # ignore access time (atime) updates on files - # except when they coincide with updates to the ctime or mtime - "rootflags=noatime" - - # linux security modules - "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" - - # prevent the kernel from blanking plymouth out of the fb - "fbcon=nodefer" - - # the format that will be used for integrity audit logs - # 0 (default): basic integrity auditing messages - # 1: additional integrity auditing messages - "integrity_audit=1" - ]; - }; -} diff --git a/modules/desktop/security/pam.nix b/modules/desktop/security/pam.nix deleted file mode 100644 index b7eb426..0000000 --- a/modules/desktop/security/pam.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - security = { - pam = { - loginLimits = [ - { - domain = "@wheel"; - item = "nofile"; - type = "soft"; - value = "524288"; - } - { - domain = "@wheel"; - item = "nofile"; - type = "hard"; - value = "1048576"; - } - ]; - - services = - let - ttyAudit = { - enable = true; - enablePattern = "*"; - }; - in - { - swaylock.text = "auth include login"; - gtklock.text = "auth include login"; - - login = { - inherit ttyAudit; - - setLoginUid = true; - }; - - sshd = { - inherit ttyAudit; - - setLoginUid = true; - }; - - sudo = { - inherit ttyAudit; - - setLoginUid = true; - }; - }; - }; - }; -} diff --git a/modules/desktop/security/polkit.nix b/modules/desktop/security/polkit.nix deleted file mode 100644 index 786d1a0..0000000 --- a/modules/desktop/security/polkit.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, ... }: -{ - security.polkit = { - enable = true; - debug = lib.modules.mkDefault true; - }; -} diff --git a/modules/desktop/security/sudo.nix b/modules/desktop/security/sudo.nix deleted file mode 100644 index 6623b71..0000000 --- a/modules/desktop/security/sudo.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ pkgs, lib, ... }: -let - inherit (lib.modules) mkForce; -in -{ - security = { - sudo-rs.enable = mkForce false; - - sudo = { - enable = true; - execWheelOnly = mkForce true; - wheelNeedsPassword = lib.modules.mkDefault false; - - extraConfig = '' - Defaults lecture = never - Defaults pwfeedback - Defaults env_keep += "EDITOR PATH DISPLAY" - Defaults timestamp_timeout = 300 - ''; - - extraRules = [ - { - groups = [ "wheel" ]; - commands = - map - (rule: { - command = lib.meta.getExe' rule.package rule.command; - options = [ "NOPASSWD" ]; - }) - ( - with pkgs; - [ - { - package = coreutils; - command = "sync"; - } - { - package = hdparm; - command = "hdparm"; - } - { - package = nixos-rebuild; - command = "nixos-rebuild"; - } - { - package = nvme-cli; - command = "nvme"; - } - { - package = systemd; - command = "poweroff"; - } - { - package = systemd; - command = "reboot"; - } - { - package = systemd; - command = "shutdown"; - } - { - package = systemd; - command = "systemctl"; - } - { - package = util-linux; - command = "dmesg"; - } - ] - ); - } - ]; - }; - }; -} diff --git a/modules/desktop/software/access/default.nix b/modules/desktop/software/access/default.nix deleted file mode 100644 index 32d5500..0000000 --- a/modules/desktop/software/access/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./gnupg.nix - ./ssh.nix - ]; -} diff --git a/modules/desktop/software/access/gnupg.nix b/modules/desktop/software/access/gnupg.nix deleted file mode 100644 index e60da30..0000000 --- a/modules/desktop/software/access/gnupg.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ pkgs, ... }: -{ - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; - enableExtraSocket = true; - enableBrowserSocket = true; - - settings = { - enable-ssh-support = ""; - ttyname = "$GPG_TTY"; - default-cache-ttl = 34560000; # 60 - max-cache-ttl = 34560000; # 120 - allow-loopback-pinentry = ""; - }; - }; -} 
diff --git a/modules/desktop/software/access/ssh.nix b/modules/desktop/software/access/ssh.nix deleted file mode 100644 index b514049..0000000 --- a/modules/desktop/software/access/ssh.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ lib, config, ... }: -{ - programs.ssh.startAgent = false; - security.pam.sshAgentAuth.enable = true; - - services.fail2ban.jails.sshd.settings = { - enabled = true; - filter = "sshd[mode=aggressive]"; - port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); - }; -} diff --git a/modules/desktop/software/default.nix b/modules/desktop/software/default.nix index 179f4ad..01e196c 100644 --- a/modules/desktop/software/default.nix +++ b/modules/desktop/software/default.nix @@ -1,40 +1,13 @@ -{ pkgs, ... }: { imports = [ - ./access ./boot - ./desktop - ./multimedia ./services + ./video ./aagl.nix - ./encryption.nix ./gaming.nix - ./input.nix - ./locale.nix ./programs.nix - ./shell.nix ./systemd.nix - ./users.nix ]; - environment.enableAllTerminfo = true; services.displayManager.ly.enable = true; - - system = { - autoUpgrade = { - enable = false; - allowReboot = false; - }; - - switch = { - enable = false; - enableNg = true; - }; - }; - - console = { - earlySetup = true; - font = "ter-v16n"; - packages = [ pkgs.terminus_font ]; - }; } diff --git a/modules/desktop/software/desktop/default.nix b/modules/desktop/software/desktop/default.nix deleted file mode 100644 index bd2c811..0000000 --- a/modules/desktop/software/desktop/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./gtk.nix - ./xdg-portal.nix - ]; -} diff --git a/modules/desktop/software/desktop/gtk.nix b/modules/desktop/software/desktop/gtk.nix deleted file mode 100644 index 4357e75..0000000 --- a/modules/desktop/software/desktop/gtk.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - gtk2 - gtk3 - gtk4 - ]; -} 
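Review bot: Dropping `./access` from the import list in modules/desktop/software/default.nix also drops the fail2ban sshd jail (`services.fail2ban.jails.sshd`) and `security.pam.sshAgentAuth.enable` that the deleted ssh.nix carried, plus the gnupg agent settings, and nothing in this chunk re-creates them under modules/pc. The same goes for `./users.nix` (`users.mutableUsers = false` and the initialHashedPassword setup) and `./shell.nix`. If a later part of the patch re-adds them under modules/pc/software that is fine, but it is worth confirming, and the commit message could name any pieces that were intentionally dropped rather than moved.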
diff --git a/modules/desktop/software/desktop/xdg-portal.nix b/modules/desktop/software/desktop/xdg-portal.nix deleted file mode 100644 index 72bcb97..0000000 --- a/modules/desktop/software/desktop/xdg-portal.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - xdg.portal = { - enable = true; - config.common.default = "*"; - # wlr.enable = true; - # xdgOpenUsePortal = true; - - extraPortals = with pkgs; [ - xdg-desktop-portal-wlr - xdg-desktop-portal-gtk - xdg-desktop-portal-gnome - ]; - }; -} diff --git a/modules/desktop/software/encryption.nix b/modules/desktop/software/encryption.nix deleted file mode 100644 index 53a24bb..0000000 --- a/modules/desktop/software/encryption.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - boot = { - initrd.availableKernelModules = [ - # "aesni_intel" - # "cryptd" - "usb_storage" - ]; - - # - kernelParams = [ - "luks.options=timeout=0" - "rd.luks.options=timeout=0" - "rootflags=x-systemd.device-timeout=0" - ]; - }; -} diff --git a/modules/desktop/software/input.nix b/modules/desktop/software/input.nix deleted file mode 100644 index 5d43085..0000000 --- a/modules/desktop/software/input.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, ... }: -{ - i18n = { - inputMethod = { - enable = true; - type = "fcitx5"; - - fcitx5 = { - waylandFrontend = true; - - addons = with pkgs; [ - fcitx5-configtool - fcitx5-gtk - fcitx5-hangul - fcitx5-mozc - fcitx5-rime - rime-data - catppuccin-fcitx5 - ]; - }; - }; - }; -} diff --git a/modules/desktop/software/locale.nix b/modules/desktop/software/locale.nix deleted file mode 100644 index aded640..0000000 --- a/modules/desktop/software/locale.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - location.provider = "geoclue2"; - time.hardwareClockInLocalTime = false; -} diff --git a/modules/desktop/software/multimedia/audio/default.nix b/modules/desktop/software/multimedia/audio/default.nix deleted file mode 100644 index f4e7f0a..0000000 --- a/modules/desktop/software/multimedia/audio/default.nix +++ /dev/null 
@@ -1,6 +0,0 @@ -{ - imports = [ - ./pipewire.nix - # ./wireplumber.nix - ]; -} diff --git a/modules/desktop/software/multimedia/audio/pipewire.nix b/modules/desktop/software/multimedia/audio/pipewire.nix deleted file mode 100644 index 2824176..0000000 --- a/modules/desktop/software/multimedia/audio/pipewire.nix +++ /dev/null 
@@ -1,164 +0,0 @@ -# { lib, ... }: -# let -# inherit (lib.modules) mkBefore; -# inherit (lib.lists) singleton; -# inherit (builtins) toString; -# mapOptionDefault = lib.attrsets.mapAttrs (_: lib.modules.mkOptionDefault); -# quantum = toString 64; -# rate = toString 48000; -# qr = "${quantum}/${rate}"; -# in -{ - services.pipewire = { - enable = true; - wireplumber.enable = true; - jack.enable = true; - pulse.enable = true; - audio.enable = true; - - alsa = { - enable = true; - support32Bit = true; - }; - - extraConfig = { - pipewire = { - "10-logging" = { - "context.properties"."log.level" = 3; - }; - - # "10-defaults" = { - # "context.properties" = mapOptionDefault { - # "clock.power-of-two-quantum" = true; - # "core.daemon" = true; - # "core.name" = "pipewire-0"; - # "link.max-buffers" = 16; - # "settings.check-quantum" = true; - # }; - - # "context.spa-libs" = mapOptionDefault { - # "audio.convert.*" = "audioconvert/libspa-audioconvert"; - # "avb.*" = "avb/libspa-avb"; - # "api.alsa.*" = "alsa/libspa-alsa"; - # "api.v4l2.*" = "v4l2/libspa-v4l2"; - # "api.libcamera.*" = "libcamera/libspa-libcamera"; - # "api.bluez5.*" = "bluez5/libspa-bluez5"; - # "api.vulkan.*" = "vulkan/libspa-vulkan"; - # "api.jack.*" = "jack/libspa-jack"; - # "support.*" = "support/libspa-support"; - # "video.convert.*" = "videoconvert/libspa-videoconvert"; - # }; - # }; - }; - - # pipewire-pulse = { - # "10-defaults" = { - # "context.spa-libs" = mapOptionDefault { - # "audio.convert.*" = "audioconvert/libspa-audioconvert"; - # "support.*" = "support/libspa-support"; - # }; - - # "pulse.cmd" = mkBefore [ - # { - # cmd = "load-module"; - # args = "module-always-sink"; - # flags = [ ]; - # } - # ]; - - # "pulse.properties" = { - # "server.address" = mkBefore [ "unix:native" ]; - # }; - - # "pulse.rules" = mkBefore [ - # { - # matches = [ - # { "application.process.binary" = "teams"; } - # { "application.process.binary" = "teams-insiders"; } - # { "application.process.binary" = "skypeforlinux"; 
} - # ]; - - # actions.quirks = [ "force-s16-info" ]; - # } - # { - # matches = singleton { "application.process.binary" = "firefox"; }; - # actions.quirks = [ "remove-capture-dont-move" ]; - # } - # { - # matches = singleton { "application.name" = "~speech-dispatcher*"; }; - - # actions = { - # update-props = { - # "pulse.min.req" = "1024/48000"; # 21 milliseconds - # "pulse.min.quantum " = "1024/48000"; # 21 milliseconds - # }; - # }; - # } - # ]; - # }; - # }; - - # pipewire."92-low-latency" = { - # "context.properties" = { - # "default.clock.rate" = rate; - # "default.clock.quantum" = quantum; - # "default.clock.min-quantum" = quantum; - # "default.clock.max-quantum" = quantum; - # "default.clock.allowed-rates" = [ rate ]; - # }; - - # # "context.modules" = [ - # # { - # # name = "libpipewire-module-rtkit"; - - # # flags = [ - # # "ifexists" - # # "nofail" - # # ]; - - # # args = { - # # "nice.level" = -15; - # # "rt.prio" = 90; - # # "rt.time.soft" = 200000; - # # "rt.time.hard" = 200000; - # # }; - # # } - # # { - # # name = "libpipewire-module-protocol-pulse"; - - # # args = { - # # "server.address" = [ "unix:native" ]; - # # "pulse.min.quantum" = qr; - # # "pulse.min.req" = qr; - # # "pulse.min.frag" = qr; - # # }; - # # } - # # ]; - - # "stream.properties" = { - # "node.latency" = qr; - # "resample.quality" = 1; - # }; - # }; - - # pipewire-pulse."92-low-latency" = { - # "context.modules" = singleton { - # name = "libpipewire-module-protocol-pulse"; - - # args = { - # "pulse.min.req" = qr; - # "pulse.default.req" = qr; - # "pulse.max.req" = qr; - # "pulse.min.quantum" = qr; - # "pulse.max.quantum" = qr; - # }; - # }; - - # "stream.properties" = { - # "node.latency" = qr; - # "resample.quality" = 4; - # }; - # }; - }; - }; -} diff --git a/modules/desktop/software/multimedia/audio/wireplumber.nix b/modules/desktop/software/multimedia/audio/wireplumber.nix deleted file mode 100644 index 970396f..0000000 
--- a/modules/desktop/software/multimedia/audio/wireplumber.nix +++ /dev/null @@ -1,42 +0,0 @@ -let - rate = builtins.toString 48000; -in -{ - services.pipewire.wireplumber = { - enable = true; - - extraConfig = { - "10-log-level-debug" = { - "context.properties"."log.level" = "D"; - }; - - "10-default-volume" = { - "wireplumber.settings"."device.routes.default-sink-volume" = 1.0; - }; - - "92-low-latency" = { - "monitor.alsa.rules" = [ - { - matches = [ - { "device.name" = "~alsa_card.*"; } - { "node.name" = "~alsa_output.*"; } - ]; - - actions.update-props = { - "node.description" = "ALSA Low Latency Output"; - "audio.rate" = rate; - "audio.format" = "S32LE"; - "resample.quality" = 4; - "resample.disable" = false; - "session.suspend-timeout-seconds" = 0; - "api.alsa.period-size" = 2; - "api.alsa.headroom" = 128; - "api.alsa.period-num" = 2; - "api.alsa.disable-batch" = false; - }; - } - ]; - }; - }; - }; -} diff --git a/modules/desktop/software/multimedia/default.nix b/modules/desktop/software/multimedia/default.nix deleted file mode 100644 index 7bf261a..0000000 --- a/modules/desktop/software/multimedia/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./audio - ./video - ]; -} diff --git a/modules/desktop/software/multimedia/video/default.nix b/modules/desktop/software/multimedia/video/default.nix deleted file mode 100644 index 31cdfd5..0000000 --- a/modules/desktop/software/multimedia/video/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./graphics.nix - ./libva.nix - ./nvidia.nix - ./vulkan.nix - ]; - - environment.systemPackages = [ pkgs.mediastreamer-openh264 ]; -} diff --git a/modules/desktop/software/multimedia/video/graphics.nix b/modules/desktop/software/multimedia/video/graphics.nix deleted file mode 100644 index 13da295..0000000 --- a/modules/desktop/software/multimedia/video/graphics.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ pkgs, ... }: -{ - hardware.graphics = { - enable = true; - enable32Bit = true; - - extraPackages = with pkgs; [ - nvidia-vaapi-driver - vaapiVdpau - libvdpau-va-gl - ]; - - extraPackages32 = with pkgs; [ - nvidia-vaapi-driver - vaapiVdpau - libvdpau-va-gl - ]; - }; - - environment.systemPackages = [ pkgs.mesa ]; -} diff --git a/modules/desktop/software/multimedia/video/libva.nix b/modules/desktop/software/multimedia/video/libva.nix deleted file mode 100644 index d420495..0000000 --- a/modules/desktop/software/multimedia/video/libva.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - libva - libva-utils - ]; -} diff --git a/modules/desktop/software/multimedia/video/nvidia.nix b/modules/desktop/software/multimedia/video/nvidia.nix deleted file mode 100644 index c133bc2..0000000 --- a/modules/desktop/software/multimedia/video/nvidia.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ pkgs, config, ... }: -{ - environment = { - systemPackages = with pkgs; [ - nvidia-container-toolkit - nvidia-docker - ]; - - shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; - }; - - boot = { - blacklistedKernelModules = [ "nouveau" ]; - - kernelParams = [ - "nvidia-drm.fbdev=1" - "nvidia-drm.modeset=1" - "nvidia.NVreg_PreserveVideoMemoryAllocations=1" - ]; - }; - - hardware = { - nvidia-container-toolkit.enable = true; - - nvidia = { - modesetting.enable = true; - open = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.production; - forceFullCompositionPipeline = true; - - powerManagement = { - enable = true; - finegrained = false; - }; - }; - }; -} diff --git a/modules/desktop/software/multimedia/video/vulkan.nix b/modules/desktop/software/multimedia/video/vulkan.nix deleted file mode 100644 index be37e0e..0000000 --- a/modules/desktop/software/multimedia/video/vulkan.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - vulkan-loader - vulkan-validation-layers - vulkan-tools - vulkan-extension-layer - ]; -} diff --git a/modules/desktop/software/services/adb.nix b/modules/desktop/software/services/adb.nix deleted file mode 100644 index d106ead..0000000 --- a/modules/desktop/software/services/adb.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, ... }: -{ - programs.adb.enable = true; - - services.udev = { - packages = [ pkgs.android-udev-rules ]; - - extraRules = '' - SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers" - ''; - }; -} diff --git a/modules/desktop/software/services/ananicy.nix b/modules/desktop/software/services/ananicy.nix deleted file mode 100644 index bdc9bbd..0000000 --- a/modules/desktop/software/services/ananicy.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - services.ananicy = { - enable = false; - package = pkgs.ananicy-cpp; - rulesProvider = pkgs.ananicy-rules-cachyos; - }; -} diff --git a/modules/desktop/software/services/dbus.nix b/modules/desktop/software/services/dbus.nix deleted file mode 100644 index 8b25bf9..0000000 --- a/modules/desktop/software/services/dbus.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - services.dbus = { - enable = true; - implementation = "broker"; - - packages = with pkgs; [ - dconf - gcr - udisks2 - # flatpak - # xdg-desktop-portal - ]; - }; -} diff --git a/modules/desktop/software/services/default.nix b/modules/desktop/software/services/default.nix index 4b9ccf6..49fc20c 100644 --- a/modules/desktop/software/services/default.nix +++ b/modules/desktop/software/services/default.nix 
@@ -1,24 +1,8 @@ -{ pkgs, ... }: { imports = [ - # ./adb.nix - ./ananicy.nix - ./dbus.nix ./libinput.nix - ./logrotate.nix ./ollama.nix - # ./printing.nix - ./xserver.nix ]; - services = { - printing.enable = false; - gnome.gnome-keyring.enable = true; - fstrim.enable = false; - gvfs.enable = true; - udev.packages = with pkgs; [ pkgs.logitech-udev-rules ]; - thermald.enable = true; - irqbalance.enable = true; - gpm.enable = true; - }; + services.xserver.videoDrivers = [ "nvidia" ]; } diff --git a/modules/desktop/software/services/libinput.nix b/modules/desktop/software/services/libinput.nix index 643f814..e010873 100644 --- a/modules/desktop/software/services/libinput.nix +++ b/modules/desktop/software/services/libinput.nix @@ -1,13 +1,7 @@ { services.libinput = { enable = true; - - mouse = { - accelProfile = "flat"; - }; - - touchpad = { - accelProfile = "flat"; - }; + mouse.accelProfile = "flat"; + touchpad.accelProfile = "flat"; }; } diff --git a/modules/desktop/software/services/logrotate.nix b/modules/desktop/software/services/logrotate.nix deleted file mode 100644 index 2dedf2e..0000000 --- a/modules/desktop/software/services/logrotate.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.logrotate.settings = { - "/var/log/audit/audit.log" = { }; - - header = { - global = true; - dateext = true; - dateformat = "-%Y-%m-%d"; - nomail = true; - missingok = true; - copytruncate = true; - priority = 1; - frequency = "daily"; - rotate = 7; - minage = 1; - compress = true; - compresscmd = "${lib.getExe' pkgs.zstd "zstd"}"; - compressoptions = " -Xcompression-level 10"; - compressext = "zst"; - uncompresscmd = "${lib.getExe' pkgs.zstd "unzstd"}"; - }; - }; -} diff --git a/modules/desktop/software/services/printing.nix b/modules/desktop/software/services/printing.nix deleted file mode 100644 index f7a38de..0000000 --- a/modules/desktop/software/services/printing.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ pkgs, ... }: -{ - services = { - printing = { - enable = true; - - drivers = with pkgs; [ - gutenprint - hplip - ]; - }; - - avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - }; -} diff --git a/modules/desktop/software/services/xserver.nix b/modules/desktop/software/services/xserver.nix deleted file mode 100644 index f1833a4..0000000 --- a/modules/desktop/software/services/xserver.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - services.xserver = { - xkb = { - layout = "us"; - options = "caps:escape"; - }; - - videoDrivers = [ "nvidia" ]; - }; -} diff --git a/modules/desktop/software/shell.nix b/modules/desktop/software/shell.nix deleted file mode 100644 index 0b3508f..0000000 --- a/modules/desktop/software/shell.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - environment = with pkgs; { - binsh = "${dash}/bin/dash"; - shells = [ fish ]; - }; -} diff --git a/modules/desktop/software/users.nix b/modules/desktop/software/users.nix deleted file mode 100644 index ab3fe03..0000000 --- a/modules/desktop/software/users.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ pkgs, secrets, ... }: -let - initialHashedPassword = secrets.initial_hashed_password; -in -{ - users = { - mutableUsers = false; - - users = { - root = { - inherit initialHashedPassword; - - shell = pkgs.bash; - }; - - ebisu = { - inherit initialHashedPassword; - - isNormalUser = true; - shell = pkgs.fish; - - extraGroups = [ - "wheel" - "systemd-journal" - "audio" - "video" - "input" - "plugdev" - "lp" - "tss" - "power" - "nix" - "network" - "networkmanager" - "wireshark" - "mysql" - "docker" - "podman" - "git" - "libvirtd" - "kvm" - ]; - }; - }; - }; -} diff --git a/modules/desktop/software/video/default.nix b/modules/desktop/software/video/default.nix new file mode 100644 index 0000000..280a7d9 --- /dev/null +++ b/modules/desktop/software/video/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./graphics.nix + ./libva.nix + ./nvidia.nix + ]; +} 
diff --git a/modules/desktop/software/video/graphics.nix b/modules/desktop/software/video/graphics.nix new file mode 100644 index 0000000..13da295 --- /dev/null +++ b/modules/desktop/software/video/graphics.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: +{ + hardware.graphics = { + enable = true; + enable32Bit = true; + + extraPackages = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; + + extraPackages32 = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; + }; + + environment.systemPackages = [ pkgs.mesa ]; +} diff --git a/modules/desktop/software/video/libva.nix b/modules/desktop/software/video/libva.nix new file mode 100644 index 0000000..d420495 --- /dev/null +++ b/modules/desktop/software/video/libva.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + libva + libva-utils + ]; +} diff --git a/modules/desktop/software/video/nvidia.nix b/modules/desktop/software/video/nvidia.nix new file mode 100644 index 0000000..c133bc2 --- /dev/null +++ b/modules/desktop/software/video/nvidia.nix @@ -0,0 +1,38 @@ +{ pkgs, config, ... }: +{ + environment = { + systemPackages = with pkgs; [ + nvidia-container-toolkit + nvidia-docker + ]; + + shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"; + }; + + boot = { + blacklistedKernelModules = [ "nouveau" ]; + + kernelParams = [ + "nvidia-drm.fbdev=1" + "nvidia-drm.modeset=1" + "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + ]; + }; + + hardware = { + nvidia-container-toolkit.enable = true; + + nvidia = { + modesetting.enable = true; + open = false; + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.production; + forceFullCompositionPipeline = true; + + powerManagement = { + enable = true; + finegrained = false; + }; + }; + }; +} diff --git a/modules/desktop/variables/default.nix b/modules/desktop/variables/default.nix index 8315ceb..0ca8cf0 100644 --- a/modules/desktop/variables/default.nix 
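Review bot: In modules/desktop/software/video/nvidia.nix the alias `shellAliases.nvidia-settings = "nvidia-settings --config='$XDG_CONFIG_HOME'/nvidia/settings"` single-quotes the variable, so when the alias is expanded the shell passes the literal text `$XDG_CONFIG_HOME/nvidia/settings` rather than the expanded path (bash and fish both leave `$…` untouched inside single quotes). Dropping the quotes, `shellAliases.nvidia-settings = "nvidia-settings --config=$XDG_CONFIG_HOME/nvidia/settings";`, lets it expand at use time. The file is a verbatim move (blob c133bc2 on both sides), so the defect predates this commit but survives it.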
+++ b/modules/desktop/variables/default.nix @@ -1,7 +1,6 @@ { imports = [ ./electron.nix - ./fcitx.nix ./mozilla.nix ./nvidia.nix ./opengl.nix @@ -9,12 +8,4 @@ ./wayland.nix ./wlroots.nix ]; - - environment.variables = { - _JAVA_AWT_WM_NONREPARENTING = "1"; - PROTON_ENABLE_NGX_UPDATER = "1"; - GTK_USE_PORTAL = "1"; - DIRENV_LOG_FORMAT = ""; - SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh"; - }; } diff --git a/modules/desktop/variables/fcitx.nix b/modules/desktop/variables/fcitx.nix deleted file mode 100644 index 0ac550f..0000000 --- a/modules/desktop/variables/fcitx.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - environment.variables = { - # https://fcitx-im.org/wiki/Using_Fcitx_5_on_Wayland - QT_IM_MODULE = "fcitx"; - XMODIFIERS = "@im=fcitx"; - # GTK_IM_MODULE = "wayland"; - # GTK_IM_MODULE = "fcitx"; - SDL_IM_MODULE = "fcitx"; - GLFW_IM_MODULE = "ibus"; - INPUT_METHOD = "fcitx"; - CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv"; - }; -} diff --git a/modules/pc/default.nix b/modules/pc/default.nix index 97fe6b9..f35aff2 100644 --- a/modules/pc/default.nix +++ b/modules/pc/default.nix @@ -1,8 +1,13 @@ -{ pkgs, secrets, ... }: +{ pkgs, ... }: { - i18n.defaultLocale = secrets.i18n.locale; - time.timeZone = secrets.i18n.timezone; - console.keyMap = secrets.i18n.keymap; + imports = [ + ./hardware + ./networking + ./security + ./software + ./variables + ./locale.nix + ]; environment.systemPackages = with pkgs; [ vim diff --git a/modules/pc/hardware/bluetooth.nix b/modules/pc/hardware/bluetooth.nix new file mode 100644 index 0000000..9737504 --- /dev/null +++ b/modules/pc/hardware/bluetooth.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: +{ + boot.kernelParams = [ "btusb" ]; + services.blueman.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + package = pkgs.bluez5-experimental; + disabledPlugins = [ "sap" ]; + # hsphfpd.enable = true; + + settings.General = { + JustWorksRepairing = "always"; + MultiProfile = "multiple"; + Experimental = true; + }; + }; +} 
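Review bot: `boot.kernelParams = [ "btusb" ];` in modules/pc/hardware/bluetooth.nix puts a module name on the kernel command line, where it is not a recognised parameter and has no effect; loading the driver is `boot.kernelModules = [ "btusb" ];`. Separately, `settings.General.JustWorksRepairing = "always"` lets a device claiming a previously paired address re-pair without any confirmation, which removes the one check that protects against a device impersonating a known peer; if a specific headset needs it, a comment naming it belps, otherwise `"confirm"` keeps the prompt. `Experimental = true` together with `pkgs.bluez5-experimental` also turns on unreleased features in a daemon that talks to untrusted radios, so a short why-comment there would be useful.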
diff --git a/modules/pc/hardware/cpu.nix b/modules/pc/hardware/cpu.nix new file mode 100644 index 0000000..1ac3a27 --- /dev/null +++ b/modules/pc/hardware/cpu.nix @@ -0,0 +1,21 @@ +{ pkgs, config, ... }: +{ + environment.systemPackages = [ pkgs.amdctl ]; + + powerManagement = { + enable = true; + cpuFreqGovernor = "performance"; + }; + + boot = { + kernelModules = [ + # "kvm-amd" + "amd-pstate" + "zenpower" + "msr" + ]; + + kernelParams = [ "amd_iommu=on" ]; + extraModulePackages = [ config.boot.kernelPackages.zenpower ]; + }; +} diff --git a/modules/pc/hardware/default.nix b/modules/pc/hardware/default.nix new file mode 100644 index 0000000..cc2915e --- /dev/null +++ b/modules/pc/hardware/default.nix @@ -0,0 +1,14 @@ +{ + imports = [ + ./bluetooth.nix + ./cpu.nix + ./usb.nix + ./tpm.nix + ./yubikey.nix + ]; + + hardware = { + enableRedistributableFirmware = true; + enableAllFirmware = true; + }; +} diff --git a/modules/pc/hardware/tpm.nix b/modules/pc/hardware/tpm.nix new file mode 100644 index 0000000..b84551e --- /dev/null +++ b/modules/pc/hardware/tpm.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +{ + security.tpm2 = { + enable = true; + applyUdevRules = true; + abrmd.enable = true; + tctiEnvironment.enable = true; + pkcs11.enable = true; + }; + + environment.systemPackages = with pkgs; [ + tpm2-tools + tpm2-tss + tpm2-abrmd + ]; + + boot.kernelModules = [ "uhid" ]; +} diff --git a/modules/pc/hardware/usb.nix b/modules/pc/hardware/usb.nix new file mode 100644 index 0000000..f697761 --- /dev/null +++ b/modules/pc/hardware/usb.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + usbutils + lm_sensors + pciutils + ]; + + boot.kernelParams = [ "usbcore.autosuspend=-1" ]; +} diff --git a/modules/pc/hardware/yubikey.nix b/modules/pc/hardware/yubikey.nix new file mode 100644 index 0000000..6bd4a5c --- /dev/null +++ b/modules/pc/hardware/yubikey.nix 
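Review bot: modules/pc/hardware/cpu.nix loads `msr` and installs `pkgs.amdctl`, an MSR-writing tool, but the kernel.nix deleted earlier in this patch booted with `lockdown=confidentiality`, and the kernel lockdown LSM refuses raw MSR writes from integrity mode upward; if the moved modules/pc/security/kernel.nix keeps that parameter, amdctl will fail with EPERM regardless of this module. A comment such as `# msr is for amdctl; raw MSR writes are refused while kernel lockdown is active` would record the interaction, or the package can go if it can never work on this host. The `# "kvm-amd"` leftover could also say why it stays commented out.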
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ hardware.gpgSmartcards.enable = true;
+
+ services = {
+ pcscd.enable = true;
+ udev.packages = [ pkgs.yubikey-personalization ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ yubikey-manager
+ yubikey-manager-qt
+ yubikey-personalization
+ yubikey-personalization-gui
+ yubico-piv-tool
+ yubioath-flutter
+ ];
+}
diff --git a/modules/pc/locale.nix b/modules/pc/locale.nix
new file mode 100644
index 0000000..fa47fd5
--- /dev/null
+++ b/modules/pc/locale.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ i18n.defaultLocale = secrets.i18n.locale;
+ location.provider = "geoclue2";
+
+ time = {
+ timeZone = secrets.i18n.timezone;
+ hardwareClockInLocalTime = false;
+ };
+}
diff --git a/modules/pc/networking/default.nix b/modules/pc/networking/default.nix
new file mode 100644
index 0000000..f73f6ab
--- /dev/null
+++ b/modules/pc/networking/default.nix
@@ -0,0 +1,17 @@
+{
+ imports = [
+ ./dhcpcd.nix
+ ./loopback.nix
+ ./networkmanager.nix
+ ./optimise.nix
+ ./pia.nix
+ ./upnp.nix
+ ];
+
+ # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2
+ systemd.network.wait-online.enable = false;
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2
+ systemd.services.NetworkManager-wait-online.enable = false;
+}
diff --git a/modules/pc/networking/dhcpcd.nix b/modules/pc/networking/dhcpcd.nix
new file mode 100644
index 0000000..f46b657
--- /dev/null
+++ b/modules/pc/networking/dhcpcd.nix
@@ -0,0 +1,12 @@
+{
+ networking.dhcpcd = {
+ wait = "background";
+
+ extraConfig = ''
+ noarp
+ nooption domain_name_servers, domain_name, domain_search, host_name
+ nooption ntp_servers
+ nohook resolv.conf, wpa_supplicant
+ '';
+ };
+}
diff --git a/modules/pc/networking/loopback.nix b/modules/pc/networking/loopback.nix
new file mode 100644
index 0000000..62e745e
--- /dev/null
+++ b/modules/pc/networking/loopback.nix @@ -0,0 +1,7 @@ +{ config, ... }: +{ + boot = { + kernelModules = [ "v4l2loopback" ]; + extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + }; +} diff --git a/modules/pc/networking/networkmanager.nix b/modules/pc/networking/networkmanager.nix new file mode 100644 index 0000000..7ef0e04 --- /dev/null +++ b/modules/pc/networking/networkmanager.nix @@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + environment.systemPackages = [ pkgs.networkmanagerapplet ]; + + networking.networkmanager = { + enable = true; + plugins = [ pkgs.networkmanager-openvpn ]; + dns = "none"; # "systemd-resolved" + wifi.backend = "iwd"; + + unmanaged = [ + "interface-name:tailscale*" + "interface-name:br-*" + "interface-name:rndis*" + "interface-name:docker*" + "interface-name:virbr*" + "interface-name:vboxnet*" + "interface-name:waydroid*" + "type:bridge" + ]; + }; +} diff --git a/modules/pc/networking/optimise.nix b/modules/pc/networking/optimise.nix new file mode 100644 index 0000000..c6f2bec --- /dev/null +++ b/modules/pc/networking/optimise.nix 
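Review bot: `v4l2loopback` is an out-of-tree virtual video-capture device, not a network loopback, so placing it in modules/pc/networking/loopback.nix (and importing it from the networking default.nix) misleads anyone looking for `lo` configuration; it belongs beside the video modules. Failing a move, a header comment `# v4l2loopback: out-of-tree virtual video (camera) device; unrelated to the network loopback interface` would prevent the confusion. Since it is a third-party kernel module, noting which application consumes it also makes it easier to prune later.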
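Review bot: `dns = "none"` in modules/pc/networking/networkmanager.nix leaves /etc/resolv.conf unmanaged by NetworkManager, and dhcpcd.nix in the same patch disables its resolv.conf hook and the DNS DHCP options, so nothing visible in this chunk writes a resolver; presumably the PIA VPN or a static `networking.nameservers` elsewhere does, but the module should say so. A comment on that line such as `# resolver is written by <owner>; NM must not touch resolv.conf` (owner to be filled in) would make the hand-off explicit. The trailing `# "systemd-resolved"` reads like an abandoned alternative and could either be removed or explained.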
@@ -0,0 +1,73 @@ +{ + boot = { + kernelModules = [ + "tls" + "tcp_bbr" + ]; + + kernel.sysctl = { + # TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + # And other stuff + "net.ipv4.conf.all.log_martians" = true; + "net.ipv4.conf.default.log_martians" = true; + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + "net.ipv6.conf.default.accept_ra" = 0; + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv4.tcp_timestamps" = 0; + + # TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. 
Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + + # Other stuff that I am too lazy to document + "net.core.optmem_max" = 65536; + "net.core.rmem_default" = 1048576; + "net.core.rmem_max" = 16777216; + "net.core.somaxconn" = 8192; + "net.core.wmem_default" = 1048576; + "net.core.wmem_max" = 16777216; + "net.ipv4.ip_local_port_range" = "16384 65535"; + "net.ipv4.tcp_max_syn_backlog" = 8192; + "net.ipv4.tcp_max_tw_buckets" = 2000000; + "net.ipv4.tcp_mtu_probing" = 1; + "net.ipv4.tcp_rmem" = "4096 1048576 2097152"; + "net.ipv4.tcp_slow_start_after_idle" = 0; + "net.ipv4.tcp_tw_reuse" = 1; + "net.ipv4.tcp_wmem" = "4096 65536 16777216"; + "net.ipv4.udp_rmem_min" = 8192; + "net.ipv4.udp_wmem_min" = 8192; + "net.netfilter.nf_conntrack_generic_timeout" = 60; + "net.netfilter.nf_conntrack_max" = 1048576; + "net.netfilter.nf_conntrack_tcp_timeout_established" = 600; + "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1; + }; + }; +} diff --git a/modules/pc/networking/pia.nix b/modules/pc/networking/pia.nix new file mode 100644 index 0000000..d52dbf8 --- /dev/null +++ b/modules/pc/networking/pia.nix @@ -0,0 +1,10 @@ +{ secrets, ... }: +{ + services.pia = { + enable = true; + + authUserPass = { + inherit (secrets.pia) username password; + }; + }; +} diff --git a/modules/pc/networking/upnp.nix b/modules/pc/networking/upnp.nix new file mode 100644 index 0000000..998592a --- /dev/null +++ b/modules/pc/networking/upnp.nix @@ -0,0 +1,12 @@ +{ + services.miniupnpd = { + enable = true; + natpmp = true; + externalInterface = "enp42s0"; + + internalIPs = [ + "enp42s0" + "wlan0" + ]; + }; +} diff --git a/modules/pc/security/apparmor.nix b/modules/pc/security/apparmor.nix new file mode 100644 index 0000000..170838c --- /dev/null +++ b/modules/pc/security/apparmor.nix 
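Review bot: Two comments in the sysctl block of modules/pc/networking/optimise.nix say the opposite of what they mean: `# Don't send ICMP redirects (again, we're on a router)` should read `# Don't send ICMP redirects (again, we're not a router)`, and `# Incomplete protection again TIME-WAIT assassination` should be `against`. These comments are the only recorded rationale for the hardening keys, so keeping them accurate matters. The `net.netfilter.nf_conntrack_*` keys also only exist once the conntrack module is loaded, and `kernelModules` here lists only `tls` and `tcp_bbr`, so on a host where nothing else pulls it in systemd-sysctl will log an error for those four keys; adding `nf_conntrack` to the module list or a comment marking them best-effort would settle it.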
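Review bot: `authUserPass = { inherit (secrets.pia) username password; };` in modules/pc/networking/pia.nix hands the VPN credentials as plain Nix strings to whatever module defines `services.pia` (it does not appear to be a nixpkgs module); if that module renders them into a generated config file, they end up world-readable in /nix/store, and the `secrets` indirection does not prevent that. Worth confirming the option writes to a runtime-only path with restricted mode, or that it accepts a file path instead of inline strings, and recording the answer in a comment here.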
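Review bot: In modules/pc/networking/upnp.nix `externalInterface = "enp42s0"` and `internalIPs = [ "enp42s0" "wlan0" ]` name the same interface as both the WAN side and a LAN side, so miniupnpd would accept UPnP/NAT-PMP mapping requests arriving on the external interface, which is exactly the population the daemon is meant to refuse. If this host really routes for others, `internalIPs` should list only the LAN-facing interface(s), e.g. `internalIPs = [ "wlan0" ];`; if it does not route, the daemon has nothing to do and `enable = true` just adds a network-facing service. Either way a comment naming which hosts are expected to use it belongs next to `enable`.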
@@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + apparmor-pam + apparmor-utils + apparmor-parser + apparmor-profiles + apparmor-bin-utils + apparmor-kernel-patches + libapparmor + ]; + + services.dbus.apparmor = "enabled"; + + security.apparmor = { + enable = true; + enableCache = true; + killUnconfinedConfinables = true; + packages = [ pkgs.apparmor-profiles ]; + policies.dummy.profile = "/dummy { }"; + }; +} diff --git a/modules/pc/security/audit.nix b/modules/pc/security/audit.nix new file mode 100644 index 0000000..9922213 --- /dev/null +++ b/modules/pc/security/audit.nix @@ -0,0 +1,17 @@ +let + enable = false; +in +{ + security = { + auditd.enable = enable; + + audit = { + inherit enable; + + rules = [ + "-a exit,always -F arch=b64 -S execve" + "-a exit,always -F arch=b32 -S execve" + ]; + }; + }; +} diff --git a/modules/pc/security/default.nix b/modules/pc/security/default.nix new file mode 100644 index 0000000..c1c084c --- /dev/null +++ b/modules/pc/security/default.nix @@ -0,0 +1,19 @@ +{ config, lib, ... }: +{ + imports = [ + ./apparmor.nix + ./audit.nix + ./doas.nix + ./kernel.nix + ./pam.nix + ./polkit.nix + ./sudo.nix + ]; + + security = { + rtkit.enable = lib.modules.mkForce config.services.pipewire.enable; + virtualisation.flushL1DataCache = "always"; + }; + + programs.firejail.enable = true; +} diff --git a/modules/pc/security/doas.nix b/modules/pc/security/doas.nix new file mode 100644 index 0000000..af717ca --- /dev/null +++ b/modules/pc/security/doas.nix @@ -0,0 +1,13 @@ +{ + security.doas = { + enable = true; + extraRules = [ + { + keepEnv = true; + # persist = true; + noPass = true; + users = [ "ebisu" ]; + } + ]; + }; +} diff --git a/modules/pc/security/kernel.nix b/modules/pc/security/kernel.nix new file mode 100644 index 0000000..62b2f28 --- /dev/null +++ b/modules/pc/security/kernel.nix 
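Review bot: `enable = false` switches off both `auditd` and the kernel audit rule set, so the two execve rules below are dead configuration, and so is everything elsewhere in this commit that depends on them: the `ttyAudit` entries in pam.nix only produce records while the audit subsystem is enabled and collected, and logrotate.nix rotates `/var/log/audit/audit.log`, which only auditd writes. Either set `enable = true;` or drop the dependent entries so the configuration does not promise auditing it is not doing. If this is meant as a quick toggle, a comment such as `# Audit is off on purpose; pam ttyAudit and the audit.log logrotate entry are inert while this is false` next to the `let` would save the next reader the hunt.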
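Review bot: the rule grants `ebisu` root with `noPass = true` and `keepEnv = true`, so any process running as that user can escalate silently and carry its own environment (including `PATH`) into the root session; sudo.nix in this commit makes the same trade with `wheelNeedsPassword = lib.modules.mkDefault false`, so the NOPASSWD allow-list there adds nothing while either of these stands. If passwordless escalation is a deliberate single-user choice it deserves a comment saying so; otherwise drop `noPass` (or at least `keepEnv`) and, if the doas build supports it, let `persist = true` carry the convenience, which the commented-out `# persist = true;` suggests was considered. That commented-out line should otherwise be removed rather than carried along.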
@@ -0,0 +1,160 @@ +{ lib, ... }: +{ + boot = { + # https://docs.kernel.org/admin-guide/sysctl/vm.html + kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = lib.mkForce 0; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + # FIXME: this breaks game launchers, find a way to launch them with privileges (steam) + # gamescope wrapped with the capabilities *might* solve the issue + # spoiler: it didn't + # "kernel.yama.ptrace_scope" = 2; + + # Hide kptrs even for processes with CAP_SYSLOG + # also prevents printing kernel pointers + "kernel.kptr_restrict" = 2; + + # Disable bpf() JIT (to eliminate spray attacks) + "net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + "kernel.ftrace_enabled" = false; + + # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
+ "kernel.dmesg_restrict" = 1; + + # Prevent creating files in potentially attacker-controlled environments such + # as world-writable directories to make data spoofing attacks more difficult + "fs.protected_fifos" = 2; + + # Prevent unintended writes to already-created files + "fs.protected_regular" = 2; + + # Disable SUID binary dump + "fs.suid_dumpable" = 0; + + # Prevent unprivileged users from creating hard or symbolic links to files + "fs.protected_symlinks" = 1; + "fs.protected_hardlinks" = 1; + + # Disable late module loading + # "kernel.modules_disabled" = 1; + + # Disallow profiling at all levels without CAP_SYS_ADMIN + "kernel.perf_event_paranoid" = 3; + + # Require CAP_BPF to use bpf + "kernel.unprivileged_bpf_disabled" = true; + + # Prevent boot console kernel log information leaks + "kernel.printk" = "3 3 3 3"; + + # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to + # prevent unprivileged attackers from loading vulnerable line disciplines with + # the TIOCSETD ioctl + "dev.tty.ldisc_autoload" = 0; + + # Kexec allows replacing the current running kernel. There may be an edge case where + # you wish to boot into a different kernel, but I do not require kexec. Disabling it + # patches a potential security hole in our system. + "kernel.kexec_load_disabled" = true; + + # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those + # options do, it is up you to educate yourself dear reader. + # See: + # - + # - + "vm.mmap_rnd_bits" = 32; + "vm.mmap_min_addr" = 65536; + }; + + # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html + kernelParams = [ + # I'm sure we break hibernation in at least 5 other sections of this config, so + # let's disable hibernation explicitly. Allowing hibernation makes it possible + # to replace the booted kernel with a malicious one, akin to kexec. This helps + # us prevent an attack called "Evil Maid" where an attacker with physical access + # to the device. 
P.S. I chose to mention "Evil Maid" specifically because it sounds + # funny. Do not think that is the only attack you are vulnerable to. + # See: + "nohibernate" + + # make stack-based attacks on the kernel harder + "randomize_kstack_offset=on" + + # Disable vsyscalls as they are obsolete and have been replaced with vDSO. + # vsyscalls are also at fixed addresses in memory, making them a potential + # target for ROP attacks + # this breaks really old binaries for security + "vsyscall=none" + + # reduce most of the exposure of a heap attack to a single cache + # Disable slab merging which significantly increases the difficulty of heap + # exploitation by preventing overwriting objects from merged caches and by + # making it harder to influence slab cache layout + "slab_nomerge" + + # Disable debugfs which exposes a lot of sensitive information about the + # kernel. Some programs, such as powertop, use this interface to gather + # information about the system, but it is not necessary for the system to + # actually publish those. I can live without it. + "debugfs=off" + + # Sometimes certain kernel exploits will cause what is known as an "oops". + # This parameter will cause the kernel to panic on such oopses, thereby + # preventing those exploits + "oops=panic" + + # Only allow kernel modules that have been signed with a valid key to be + # loaded, which increases security by making it much harder to load a + # malicious kernel module + "module.sig_enforce=1" + + # The kernel lockdown LSM can eliminate many methods that user space code + # could abuse to escalate to kernel privileges and extract sensitive + # information. 
This LSM is necessary to implement a clear security boundary + # between user space and the kernel + # integrity: kernel features that allow userland to modify the running kernel + # are disabled + # confidentiality: kernel features that allow userland to extract confidential + # information from the kernel are also disabled + # ArchWiki recommends opting in for "integrity", however since we avoid modifying + # running kernel (by the virtue of using NixOS and locking module hot-loading) the + # confidentiality mode is a better solution. + "lockdown=confidentiality" + + # enable buddy allocator free poisoning + # on: memory will befilled with a specific byte pattern + # that is unlikely to occur in normal operation. + # off (default): page poisoning will be disabled + "page_poison=on" + + # performance improvement for direct-mapped memory-side-cache utilization + # reduces the predictability of page allocations + "page_alloc.shuffle=1" + + # for debugging kernel-level slab issues + "slub_debug=FZP" + + # ignore access time (atime) updates on files + # except when they coincide with updates to the ctime or mtime + "rootflags=noatime" + + # linux security modules + "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" + + # prevent the kernel from blanking plymouth out of the fb + "fbcon=nodefer" + + # the format that will be used for integrity audit logs + # 0 (default): basic integrity auditing messages + # 1: additional integrity auditing messages + "integrity_audit=1" + ]; + }; +} diff --git a/modules/pc/security/pam.nix b/modules/pc/security/pam.nix new file mode 100644 index 0000000..b7eb426 --- /dev/null +++ b/modules/pc/security/pam.nix 
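Review bot: `"net.core.bpf_jit_enable" = false` does not deliver the "eliminate spray attacks" goal its comment states: the JIT-spray mitigation is constant blinding via `"net.core.bpf_jit_harden" = 2`, and on kernels built with the JIT always on, writing 0 to `bpf_jit_enable` is rejected, so the line is either a no-op or an activation-time error (worth confirming against the kernel package in use). The lockdown comment rests on "locking module hot-loading", but `kernel.modules_disabled` is commented out further up in this file, so that premise does not currently hold; either drop the clause or accept that the boundary relies on `module.sig_enforce=1`, which only helps if the kernel build actually carries module signatures. In `lsm=`, apparmor, tomoyo and selinux are mutually exclusive major LSMs and only the first listed is activated, so the trailing `tomoyo,selinux` entries are dead and the list is clearer as `"lsm=landlock,lockdown,yama,integrity,apparmor,bpf"`. Finally `rootflags=noatime` here and `rootflags=x-systemd.device-timeout=0` in encryption.nix are two separate `rootflags=` parameters; unless whoever mounts root merges repeated occurrences, one of them is silently ignored, so a single `"rootflags=noatime,x-systemd.device-timeout=0"` in one place is safer.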
@@ -0,0 +1,50 @@ +{ + security = { + pam = { + loginLimits = [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; + + services = + let + ttyAudit = { + enable = true; + enablePattern = "*"; + }; + in + { + swaylock.text = "auth include login"; + gtklock.text = "auth include login"; + + login = { + inherit ttyAudit; + + setLoginUid = true; + }; + + sshd = { + inherit ttyAudit; + + setLoginUid = true; + }; + + sudo = { + inherit ttyAudit; + + setLoginUid = true; + }; + }; + }; + }; +} diff --git a/modules/pc/security/polkit.nix b/modules/pc/security/polkit.nix new file mode 100644 index 0000000..786d1a0 --- /dev/null +++ b/modules/pc/security/polkit.nix @@ -0,0 +1,7 @@ +{ lib, ... }: +{ + security.polkit = { + enable = true; + debug = lib.modules.mkDefault true; + }; +} diff --git a/modules/pc/security/sudo.nix b/modules/pc/security/sudo.nix new file mode 100644 index 0000000..6623b71 --- /dev/null +++ b/modules/pc/security/sudo.nix 
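Review bot: `ttyAudit` is enabled for the `login`, `sshd` and `sudo` PAM services but not for `doas`, which doas.nix in this commit configures as the passwordless escalation path for `ebisu`, so that path is precisely the one not recorded. Adding `doas = { inherit ttyAudit; setLoginUid = true; };` alongside the other three closes the gap, assuming the doas module registers a PAM service of that name (worth confirming). The `swaylock`/`gtklock` entries are screen lockers and correctly only include `login`; a short comment saying why the lockers are listed here at all would help a reader who expects only escalation services in this block.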
@@ -0,0 +1,75 @@ +{ pkgs, lib, ... }: +let + inherit (lib.modules) mkForce; +in +{ + security = { + sudo-rs.enable = mkForce false; + + sudo = { + enable = true; + execWheelOnly = mkForce true; + wheelNeedsPassword = lib.modules.mkDefault false; + + extraConfig = '' + Defaults lecture = never + Defaults pwfeedback + Defaults env_keep += "EDITOR PATH DISPLAY" + Defaults timestamp_timeout = 300 + ''; + + extraRules = [ + { + groups = [ "wheel" ]; + commands = + map + (rule: { + command = lib.meta.getExe' rule.package rule.command; + options = [ "NOPASSWD" ]; + }) + ( + with pkgs; + [ + { + package = coreutils; + command = "sync"; + } + { + package = hdparm; + command = "hdparm"; + } + { + package = nixos-rebuild; + command = "nixos-rebuild"; + } + { + package = nvme-cli; + command = "nvme"; + } + { + package = systemd; + command = "poweroff"; + } + { + package = systemd; + command = "reboot"; + } + { + package = systemd; + command = "shutdown"; + } + { + package = systemd; + command = "systemctl"; + } + { + package = util-linux; + command = "dmesg"; + } + ] + ); + } + ]; + }; + }; +} diff --git a/modules/pc/software/access/default.nix b/modules/pc/software/access/default.nix new file mode 100644 index 0000000..32d5500 --- /dev/null +++ b/modules/pc/software/access/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./gnupg.nix + ./ssh.nix + ]; +} diff --git a/modules/pc/software/access/gnupg.nix b/modules/pc/software/access/gnupg.nix new file mode 100644 index 0000000..e60da30 --- /dev/null +++ b/modules/pc/software/access/gnupg.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +{ + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-curses; + enableExtraSocket = true; + enableBrowserSocket = true; + + settings = { + enable-ssh-support = ""; + ttyname = "$GPG_TTY"; + default-cache-ttl = 34560000; # 60 + max-cache-ttl = 34560000; # 120 + allow-loopback-pinentry = ""; + }; + }; +} 
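Review bot: `Defaults env_keep += "EDITOR PATH DISPLAY"` passes the invoking user's `PATH` into the root session, so commands run via sudo resolve from a directory list the unprivileged user controls; unless a `secure_path` is set elsewhere, `PATH` should be dropped from this list (`Defaults env_keep += "EDITOR DISPLAY"`). In the NOPASSWD allow-list, `systemctl` and `nixos-rebuild` are root-equivalent on their own (either can start arbitrary units or switch the whole system), so listing them next to `sync` and `dmesg` gives a false sense of scoping; a comment acknowledging that, or trimming the list to the genuinely narrow commands, would make the intent honest. Both points only bite once `wheelNeedsPassword` is actually true, which this file sets to false by default.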
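Review bot: `default-cache-ttl = 34560000` and `max-cache-ttl = 34560000` are 400 days, so a passphrase entered once is effectively cached for the lifetime of the agent, and the trailing `# 60` / `# 120` comments no longer describe the values; either restore shorter TTLs or replace the comments with the actual intent, e.g. `# 400 days: effectively never re-prompt`. Combined with `enableSSHSupport`, `enableExtraSocket` and `enableBrowserSocket`, anything that can reach those sockets can use the unlocked keys for that whole period, so the TTL is the main control left here.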
diff --git a/modules/pc/software/access/ssh.nix b/modules/pc/software/access/ssh.nix
new file mode 100644
index 0000000..b514049
--- /dev/null
+++ b/modules/pc/software/access/ssh.nix
@@ -0,0 +1,11 @@
+{ lib, config, ... }:
+{
+ programs.ssh.startAgent = false;
+ security.pam.sshAgentAuth.enable = true;
+
+ services.fail2ban.jails.sshd.settings = {
+ enabled = true;
+ filter = "sshd[mode=aggressive]";
+ port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports);
+ };
+}
diff --git a/modules/pc/software/default.nix b/modules/pc/software/default.nix
new file mode 100644
index 0000000..8638a58
--- /dev/null
+++ b/modules/pc/software/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, secrets, ... }:
+{
+ imports = [
+ ./access
+ ./desktop
+ ./multimedia
+ ./services
+ ./encryption.nix
+ ./input.nix
+ ./shell.nix
+ ./users.nix
+ ];
+
+ environment.enableAllTerminfo = true;
+
+ system = {
+ autoUpgrade = {
+ enable = false;
+ allowReboot = false;
+ };
+
+ switch = {
+ enable = false;
+ enableNg = true;
+ };
+ };
+
+ console = {
+ earlySetup = true;
+ font = "ter-v16n";
+ keyMap = secrets.i18n.keymap;
+ packages = [ pkgs.terminus_font ];
+ };
+}
diff --git a/modules/pc/software/desktop/default.nix b/modules/pc/software/desktop/default.nix
new file mode 100644
index 0000000..bd2c811
--- /dev/null
+++ b/modules/pc/software/desktop/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./gtk.nix
+ ./xdg-portal.nix
+ ];
+}
diff --git a/modules/pc/software/desktop/gtk.nix b/modules/pc/software/desktop/gtk.nix
new file mode 100644
index 0000000..4357e75
--- /dev/null
+++ b/modules/pc/software/desktop/gtk.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ gtk2
+ gtk3
+ gtk4
+ ];
+}
diff --git a/modules/pc/software/desktop/xdg-portal.nix b/modules/pc/software/desktop/xdg-portal.nix
new file mode 100644
index 0000000..72bcb97
--- /dev/null
+++ b/modules/pc/software/desktop/xdg-portal.nix
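Review bot: the `services.fail2ban.jails.sshd.settings` block configures a jail but nothing in this hunk sets `services.fail2ban.enable`, so unless it is enabled in another module the jail never runs; a `services.fail2ban.enable = true;` next to it, or a comment naming where it is enabled, would make the dependency visible. `security.pam.sshAgentAuth.enable = true` lets a (possibly forwarded) SSH agent satisfy PAM, presumably for sudo, which is a meaningful extension of trust and deserves a one-line comment stating which authorized-keys source it is expected to consult.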
@@ -0,0 +1,15 @@ +{ pkgs, ... }: +{ + xdg.portal = { + enable = true; + config.common.default = "*"; + # wlr.enable = true; + # xdgOpenUsePortal = true; + + extraPortals = with pkgs; [ + xdg-desktop-portal-wlr + xdg-desktop-portal-gtk + xdg-desktop-portal-gnome + ]; + }; +} diff --git a/modules/pc/software/encryption.nix b/modules/pc/software/encryption.nix new file mode 100644 index 0000000..53a24bb --- /dev/null +++ b/modules/pc/software/encryption.nix @@ -0,0 +1,16 @@ +{ + boot = { + initrd.availableKernelModules = [ + # "aesni_intel" + # "cryptd" + "usb_storage" + ]; + + # + kernelParams = [ + "luks.options=timeout=0" + "rd.luks.options=timeout=0" + "rootflags=x-systemd.device-timeout=0" + ]; + }; +} diff --git a/modules/pc/software/input.nix b/modules/pc/software/input.nix new file mode 100644 index 0000000..5d43085 --- /dev/null +++ b/modules/pc/software/input.nix @@ -0,0 +1,23 @@ +{ pkgs, ... }: +{ + i18n = { + inputMethod = { + enable = true; + type = "fcitx5"; + + fcitx5 = { + waylandFrontend = true; + + addons = with pkgs; [ + fcitx5-configtool + fcitx5-gtk + fcitx5-hangul + fcitx5-mozc + fcitx5-rime + rime-data + catppuccin-fcitx5 + ]; + }; + }; + }; +} diff --git a/modules/pc/software/multimedia/audio/default.nix b/modules/pc/software/multimedia/audio/default.nix new file mode 100644 index 0000000..f4e7f0a --- /dev/null +++ b/modules/pc/software/multimedia/audio/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./pipewire.nix + # ./wireplumber.nix + ]; +} diff --git a/modules/pc/software/multimedia/audio/pipewire.nix b/modules/pc/software/multimedia/audio/pipewire.nix new file mode 100644 index 0000000..2824176 --- /dev/null +++ b/modules/pc/software/multimedia/audio/pipewire.nix 
@@ -0,0 +1,164 @@ +# { lib, ... }: +# let +# inherit (lib.modules) mkBefore; +# inherit (lib.lists) singleton; +# inherit (builtins) toString; +# mapOptionDefault = lib.attrsets.mapAttrs (_: lib.modules.mkOptionDefault); +# quantum = toString 64; +# rate = toString 48000; +# qr = "${quantum}/${rate}"; +# in +{ + services.pipewire = { + enable = true; + wireplumber.enable = true; + jack.enable = true; + pulse.enable = true; + audio.enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; + + extraConfig = { + pipewire = { + "10-logging" = { + "context.properties"."log.level" = 3; + }; + + # "10-defaults" = { + # "context.properties" = mapOptionDefault { + # "clock.power-of-two-quantum" = true; + # "core.daemon" = true; + # "core.name" = "pipewire-0"; + # "link.max-buffers" = 16; + # "settings.check-quantum" = true; + # }; + + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "avb.*" = "avb/libspa-avb"; + # "api.alsa.*" = "alsa/libspa-alsa"; + # "api.v4l2.*" = "v4l2/libspa-v4l2"; + # "api.libcamera.*" = "libcamera/libspa-libcamera"; + # "api.bluez5.*" = "bluez5/libspa-bluez5"; + # "api.vulkan.*" = "vulkan/libspa-vulkan"; + # "api.jack.*" = "jack/libspa-jack"; + # "support.*" = "support/libspa-support"; + # "video.convert.*" = "videoconvert/libspa-videoconvert"; + # }; + # }; + }; + + # pipewire-pulse = { + # "10-defaults" = { + # "context.spa-libs" = mapOptionDefault { + # "audio.convert.*" = "audioconvert/libspa-audioconvert"; + # "support.*" = "support/libspa-support"; + # }; + + # "pulse.cmd" = mkBefore [ + # { + # cmd = "load-module"; + # args = "module-always-sink"; + # flags = [ ]; + # } + # ]; + + # "pulse.properties" = { + # "server.address" = mkBefore [ "unix:native" ]; + # }; + + # "pulse.rules" = mkBefore [ + # { + # matches = [ + # { "application.process.binary" = "teams"; } + # { "application.process.binary" = "teams-insiders"; } + # { "application.process.binary" = "skypeforlinux"; 
} + # ]; + + # actions.quirks = [ "force-s16-info" ]; + # } + # { + # matches = singleton { "application.process.binary" = "firefox"; }; + # actions.quirks = [ "remove-capture-dont-move" ]; + # } + # { + # matches = singleton { "application.name" = "~speech-dispatcher*"; }; + + # actions = { + # update-props = { + # "pulse.min.req" = "1024/48000"; # 21 milliseconds + # "pulse.min.quantum " = "1024/48000"; # 21 milliseconds + # }; + # }; + # } + # ]; + # }; + # }; + + # pipewire."92-low-latency" = { + # "context.properties" = { + # "default.clock.rate" = rate; + # "default.clock.quantum" = quantum; + # "default.clock.min-quantum" = quantum; + # "default.clock.max-quantum" = quantum; + # "default.clock.allowed-rates" = [ rate ]; + # }; + + # # "context.modules" = [ + # # { + # # name = "libpipewire-module-rtkit"; + + # # flags = [ + # # "ifexists" + # # "nofail" + # # ]; + + # # args = { + # # "nice.level" = -15; + # # "rt.prio" = 90; + # # "rt.time.soft" = 200000; + # # "rt.time.hard" = 200000; + # # }; + # # } + # # { + # # name = "libpipewire-module-protocol-pulse"; + + # # args = { + # # "server.address" = [ "unix:native" ]; + # # "pulse.min.quantum" = qr; + # # "pulse.min.req" = qr; + # # "pulse.min.frag" = qr; + # # }; + # # } + # # ]; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 1; + # }; + # }; + + # pipewire-pulse."92-low-latency" = { + # "context.modules" = singleton { + # name = "libpipewire-module-protocol-pulse"; + + # args = { + # "pulse.min.req" = qr; + # "pulse.default.req" = qr; + # "pulse.max.req" = qr; + # "pulse.min.quantum" = qr; + # "pulse.max.quantum" = qr; + # }; + # }; + + # "stream.properties" = { + # "node.latency" = qr; + # "resample.quality" = 4; + # }; + # }; + }; + }; +} diff --git a/modules/pc/software/multimedia/audio/wireplumber.nix b/modules/pc/software/multimedia/audio/wireplumber.nix new file mode 100644 index 0000000..970396f --- /dev/null 
+++ b/modules/pc/software/multimedia/audio/wireplumber.nix @@ -0,0 +1,42 @@ +let + rate = builtins.toString 48000; +in +{ + services.pipewire.wireplumber = { + enable = true; + + extraConfig = { + "10-log-level-debug" = { + "context.properties"."log.level" = "D"; + }; + + "10-default-volume" = { + "wireplumber.settings"."device.routes.default-sink-volume" = 1.0; + }; + + "92-low-latency" = { + "monitor.alsa.rules" = [ + { + matches = [ + { "device.name" = "~alsa_card.*"; } + { "node.name" = "~alsa_output.*"; } + ]; + + actions.update-props = { + "node.description" = "ALSA Low Latency Output"; + "audio.rate" = rate; + "audio.format" = "S32LE"; + "resample.quality" = 4; + "resample.disable" = false; + "session.suspend-timeout-seconds" = 0; + "api.alsa.period-size" = 2; + "api.alsa.headroom" = 128; + "api.alsa.period-num" = 2; + "api.alsa.disable-batch" = false; + }; + } + ]; + }; + }; + }; +} diff --git a/modules/pc/software/multimedia/default.nix b/modules/pc/software/multimedia/default.nix new file mode 100644 index 0000000..7bf261a --- /dev/null +++ b/modules/pc/software/multimedia/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./audio + ./video + ]; +} diff --git a/modules/pc/software/multimedia/video/default.nix b/modules/pc/software/multimedia/video/default.nix new file mode 100644 index 0000000..94aa42d --- /dev/null +++ b/modules/pc/software/multimedia/video/default.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ + imports = [ + ./vulkan.nix + ./xserver.nix + ]; + + environment.systemPackages = [ pkgs.mediastreamer-openh264 ]; +} diff --git a/modules/pc/software/multimedia/video/vulkan.nix b/modules/pc/software/multimedia/video/vulkan.nix new file mode 100644 index 0000000..be37e0e --- /dev/null +++ b/modules/pc/software/multimedia/video/vulkan.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + vulkan-loader + vulkan-validation-layers + vulkan-tools + vulkan-extension-layer + ]; +} 
diff --git a/modules/pc/software/multimedia/video/xserver.nix b/modules/pc/software/multimedia/video/xserver.nix
new file mode 100644
index 0000000..9c16f4c
--- /dev/null
+++ b/modules/pc/software/multimedia/video/xserver.nix
@@ -0,0 +1,6 @@
+{
+ services.xserver.xkb = {
+ layout = "us";
+ options = "caps:escape";
+ };
+}
diff --git a/modules/pc/software/services/adb.nix b/modules/pc/software/services/adb.nix
new file mode 100644
index 0000000..d106ead
--- /dev/null
+++ b/modules/pc/software/services/adb.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ programs.adb.enable = true;
+
+ services.udev = {
+ packages = [ pkgs.android-udev-rules ];
+
+ extraRules = ''
+ SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers"
+ '';
+ };
+}
diff --git a/modules/pc/software/services/ananicy.nix b/modules/pc/software/services/ananicy.nix
new file mode 100644
index 0000000..bdc9bbd
--- /dev/null
+++ b/modules/pc/software/services/ananicy.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ services.ananicy = {
+ enable = false;
+ package = pkgs.ananicy-cpp;
+ rulesProvider = pkgs.ananicy-rules-cachyos;
+ };
+}
diff --git a/modules/pc/software/services/dbus.nix b/modules/pc/software/services/dbus.nix
new file mode 100644
index 0000000..8b25bf9
--- /dev/null
+++ b/modules/pc/software/services/dbus.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+ services.dbus = {
+ enable = true;
+ implementation = "broker";
+
+ packages = with pkgs; [
+ dconf
+ gcr
+ udisks2
+ # flatpak
+ # xdg-desktop-portal
+ ];
+ };
+}
diff --git a/modules/pc/software/services/default.nix b/modules/pc/software/services/default.nix
new file mode 100644
index 0000000..92baa54
--- /dev/null
+++ b/modules/pc/software/services/default.nix
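Review bot: `MODE="0666"` in `extraRules` makes the matching USB device node world-readable and world-writable, so the `GROUP="adbusers"` on the same rule never restricts anything; `MODE="0660"` is the permission that actually delegates access to the group. The `android-udev-rules` package already in `services.udev.packages` ships group-scoped rules for common vendors, so the extra rule may be redundant altogether (worth checking for vendor `04e8` before keeping it). services/default.nix in this commit does not import adb.nix, so the rule is inert for now, which makes this a cheap moment to fix it.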
@@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + imports = [ + # ./adb.nix + ./ananicy.nix + ./dbus.nix + ./logrotate.nix + # ./printing.nix + ]; + + services = { + printing.enable = false; + gnome.gnome-keyring.enable = true; + fstrim.enable = false; + gvfs.enable = true; + udev.packages = [ pkgs.logitech-udev-rules ]; + thermald.enable = true; + irqbalance.enable = true; + gpm.enable = true; + libinput.enable = true; + }; +} diff --git a/modules/pc/software/services/logrotate.nix b/modules/pc/software/services/logrotate.nix new file mode 100644 index 0000000..2dedf2e --- /dev/null +++ b/modules/pc/software/services/logrotate.nix @@ -0,0 +1,24 @@ +{ pkgs, lib, ... }: +{ + services.logrotate.settings = { + "/var/log/audit/audit.log" = { }; + + header = { + global = true; + dateext = true; + dateformat = "-%Y-%m-%d"; + nomail = true; + missingok = true; + copytruncate = true; + priority = 1; + frequency = "daily"; + rotate = 7; + minage = 1; + compress = true; + compresscmd = "${lib.getExe' pkgs.zstd "zstd"}"; + compressoptions = " -Xcompression-level 10"; + compressext = "zst"; + uncompresscmd = "${lib.getExe' pkgs.zstd "unzstd"}"; + }; + }; +} diff --git a/modules/pc/software/services/printing.nix b/modules/pc/software/services/printing.nix new file mode 100644 index 0000000..f7a38de --- /dev/null +++ b/modules/pc/software/services/printing.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: +{ + services = { + printing = { + enable = true; + + drivers = with pkgs; [ + gutenprint + hplip + ]; + }; + + avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + }; +} diff --git a/modules/pc/software/shell.nix b/modules/pc/software/shell.nix new file mode 100644 index 0000000..0b3508f --- /dev/null +++ b/modules/pc/software/shell.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + environment = with pkgs; { + binsh = "${dash}/bin/dash"; + shells = [ fish ]; + }; +} diff --git a/modules/pc/software/users.nix b/modules/pc/software/users.nix new file mode 100644 index 0000000..ab3fe03 
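Review bot: `compressoptions = " -Xcompression-level 10"` is not a zstd option as far as I can tell, so every rotation would fail at the compression step once `compress = true` applies; zstd takes the level as a bare `-10` (optionally `-T0` for threads), i.e. `compressoptions = "-10";`. Also, `"/var/log/audit/audit.log" = { }` rotates a file nothing writes while audit.nix keeps `enable = false`, and `copytruncate` on an audit log drops any records written between the copy and the truncate; if auditing is turned back on, prefer a `postrotate` reload of auditd or let auditd's own log rotation own that file. The `"${...}"` wrapping around `lib.getExe'` in `compresscmd` and `uncompresscmd` is redundant since the call already yields a string.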
--- /dev/null +++ b/modules/pc/software/users.nix @@ -0,0 +1,46 @@ +{ pkgs, secrets, ... }: +let + initialHashedPassword = secrets.initial_hashed_password; +in +{ + users = { + mutableUsers = false; + + users = { + root = { + inherit initialHashedPassword; + + shell = pkgs.bash; + }; + + ebisu = { + inherit initialHashedPassword; + + isNormalUser = true; + shell = pkgs.fish; + + extraGroups = [ + "wheel" + "systemd-journal" + "audio" + "video" + "input" + "plugdev" + "lp" + "tss" + "power" + "nix" + "network" + "networkmanager" + "wireshark" + "mysql" + "docker" + "podman" + "git" + "libvirtd" + "kvm" + ]; + }; + }; + }; +} diff --git a/modules/pc/variables/default.nix b/modules/pc/variables/default.nix new file mode 100644 index 0000000..1a0e958 --- /dev/null +++ b/modules/pc/variables/default.nix @@ -0,0 +1,11 @@ +{ + imports = [ ./fcitx.nix ]; + + environment.variables = { + _JAVA_AWT_WM_NONREPARENTING = "1"; + PROTON_ENABLE_NGX_UPDATER = "1"; + GTK_USE_PORTAL = "1"; + DIRENV_LOG_FORMAT = ""; + SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh"; + }; +} diff --git a/modules/pc/variables/fcitx.nix b/modules/pc/variables/fcitx.nix new file mode 100644 index 0000000..0ac550f --- /dev/null +++ b/modules/pc/variables/fcitx.nix @@ -0,0 +1,13 @@ +{ + environment.variables = { + # https://fcitx-im.org/wiki/Using_Fcitx_5_on_Wayland + QT_IM_MODULE = "fcitx"; + XMODIFIERS = "@im=fcitx"; + # GTK_IM_MODULE = "wayland"; + # GTK_IM_MODULE = "fcitx"; + SDL_IM_MODULE = "fcitx"; + GLFW_IM_MODULE = "ibus"; + INPUT_METHOD = "fcitx"; + CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv"; + }; +} -- cgit v1.2.3
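Review bot: `SSH_AUTH_SOCK = "/run/user/1000/keyring/ssh"` hard-codes one uid and pins the agent to gnome-keyring, while gnupg.nix in this commit enables `enableSSHSupport`, which normally exports its own `SSH_AUTH_SOCK`; which agent answers then depends on shell initialisation order, and with `security.pam.sshAgentAuth` enabled in ssh.nix the agent identity is part of the authentication path. Pick one agent explicitly (drop this line to let gpg-agent win, or disable `enableSSHSupport`) and, if keyring is the choice, derive the path from the session (`"$XDG_RUNTIME_DIR/keyring/ssh"`, matching the `$GPG_TTY`-style expansion already used in gnupg.nix) rather than from uid 1000. If this file is meant to be host-specific, a comment naming the host that owns uid 1000 would help.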
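Review bot: `CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv"` has nothing to do with fcitx and, if `XDG_CACHE_HOME` is not exported before this variable is evaluated (it is not set anywhere in this hunk), expands to `/nv`, a root-owned path the CUDA runtime cannot write; move it to variables/default.nix and either export `XDG_CACHE_HOME` there as well or write the path against `$HOME` (`"$HOME/.cache/nv"`). `GLFW_IM_MODULE = "ibus"` sitting next to four `fcitx` values also deserves a one-line comment such as `# GLFW only knows the ibus module name; fcitx5 serves it via its ibus frontend`, since as written it reads like a typo.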