diff --git a/lib/default.nix b/lib/default.nix
index 871ba92..ae73b39 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -17,6 +17,7 @@
 [
 ./preconfiguredModules/bonvim.nix
 ./preconfiguredModules/homeManager
+ ./preconfiguredModules/nixos
 #(import ./preconfiguredModules/bonvim.nix)
 #(import ./preconfiguredModules/homeManager {inherit lib inputs;})
 ]);
diff --git a/lib/preconfiguredModules/homeManager/default.nix b/lib/preconfiguredModules/homeManager/default.nix
index d411a44..8488917 100644
--- a/lib/preconfiguredModules/homeManager/default.nix
+++ b/lib/preconfiguredModules/homeManager/default.nix
@@ -1,20 +1,6 @@
-#{
-# lib,
-# inputs,
-# ...
-#}:
 {
 ags = import ./ags;
 hyprland = import ./hyprland.nix;
 hypridle = import ./hypridle.nix;
 hyprlock = import ./hyprlock.nix;
-
- #hyprland =
- # (lib.evalModules {
- # modules = [
- # inputs.home-manager.nixosModules.home-manager
- # ./hyprland
- # ];
- # })
- # .config;
 }
diff --git a/lib/preconfiguredModules/homeManager/hyprland.nix b/lib/preconfiguredModules/homeManager/hyprland.nix
index dd25b53..b65431a 100644
--- a/lib/preconfiguredModules/homeManager/hyprland.nix
+++ b/lib/preconfiguredModules/homeManager/hyprland.nix
@@ -24,7 +24,6 @@
 xdg.portal = {
 enable = true;
 configPackages = with pkgs; [
- #xdg-desktop-portal-wlr
 xdg-desktop-portal-hyprland
 ];
 extraPortals = with pkgs; [
diff --git a/lib/preconfiguredModules/nixos/common.nix b/lib/preconfiguredModules/nixos/common.nix
new file mode 100644
index 0000000..45bb0bf
--- /dev/null
+++ b/lib/preconfiguredModules/nixos/common.nix
@@ -0,0 +1,236 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ # Nix settings
+ nix = {
+ settings = {
+ experimental-features = ["nix-command" "flakes" "repl-flake"];
+ substituters = [
+ "https://cache.elnafo.ru"
+ "https://bonfire.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
+ "bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ auto-optimise-store = true;
+ };
+ gc = {
+ automatic = lib.mkDefault true;
+ dates = lib.mkDefault "weekly";
+ options = lib.mkDefault "--delete-older-than 7d";
+ };
+ };
+
+ # Filesystem
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=root" "compress=zstd"];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix" "compress=zstd" "noatime"];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=home" "compress=zstd"];
+ };
+
+ "/swap" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=swap" "noatime"];
+ };
+ };
+
+ swapDevices = [
+ {device = "/swap/swapfile";}
+ ];
+
+ # Boot and kernel options
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.systemd-boot.configurationLimit = 5;
+ loader.efi.canTouchEfiVariables = true;
+
+ tmp.useTmpfs = lib.mkDefault true;
+ tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+ initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+ initrd.kernelModules = [];
+ kernelModules = ["tcp_bbr" "coretemp" "nct6775"];
+ kernelParams = ["threadirqs"];
+
+ kernel.sysctl = {
+ # The Magic SysRq key is a key combo that allows users connected to the
+ # system console of a Linux kernel to perform some low-level commands.
+ # Disable it, since we don't need it, and is a potential security concern.
+ "kernel.sysrq" = 0;
+
+ ## TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+
+ ## TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+ };
+ };
+
+ # Security
+ security = {
+ protectKernelImage = true;
+ sudo.extraConfig = ''Defaults timestamp_timeout=30'';
+ rtkit.enable = true;
+ polkit.enable = true;
+ pam.loginLimits = [
+ {
+ domain = "@audio";
+ item = "memlock";
+ type = "-";
+ value = "unlimited";
+ }
+ {
+ domain = "@audio";
+ item = "rtprio";
+ type = "-";
+ value = "99";
+ }
+ {
+ domain = "@audio";
+ item = "nofile";
+ type = "soft";
+ value = "99999";
+ }
+ {
+ domain = "@audio";
+ item = "nofile";
+ type = "hard";
+ value = "99999";
+ }
+ {
+ domain = "*";
+ item = "nofile";
+ type = "-";
+ value = "524288";
+ }
+ {
+ domain = "*";
+ item = "memlock";
+ type = "-";
+ value = "524288";
+ }
+ ];
+ };
+
+ # Hardware
+ hardware = {
+ enableRedistributableFirmware = true;
+ };
+
+ # Timezone and locale
+ time.timeZone = "Asia/Yekaterinburg";
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+ };
+
+ # Base packages
+ environment.systemPackages = with pkgs; [
+ wget
+
+ parted
+ ntfs3g
+ sshfs
+ exfat
+ btrfs-progs
+ btrbk
+
+ lm_sensors
+ btop
+
+ git
+ git-lfs
+ lazygit
+
+ nnn
+ fzf
+ ripgrep
+ fd
+
+ unzip
+
+ fishPlugins.fzf-fish
+ fishPlugins.tide
+ fishPlugins.grc
+ fishPlugins.hydro
+ grc
+
+ gnupg
+ pass
+
+ bat
+ ];
+
+ programs = {
+ fish.enable = true;
+
+ neovim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ };
+}
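Review bot: `sudo.extraConfig = ''Defaults timestamp_timeout=30''` in the `security` block lengthens the sudo credential cache to 30 minutes on every host that imports this module, and unlike the `gc` settings further up it is not wrapped in `lib.mkDefault`, so a host that wants the shorter default cannot override it without `lib.mkForce`; `sudo.extraConfig = lib.mkDefault ''Defaults timestamp_timeout=30'';` keeps the choice host-local. The same question applies to the hardware-specific parts of a module called `common`: `fileSystems`, `swapDevices`, `boot.initrd.availableKernelModules`, `kernelModules` and `kernelParams` are hard-wired here, while `nixosConfigurations/astora/hardware.nix` (see its hunk later in this diff) already declares `tcp_bbr`, `coretemp`, `nct6775`, `threadirqs` and its own `kernel.sysctl` block, so the lists merge with duplicates and any `fileSystems` or sysctl key that the host file sets to a different value will fail evaluation as a conflicting definition. A short header comment stating which hosts this module is meant for and which options a host is expected to override would make that contract explicit.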
diff --git a/lib/preconfiguredModules/nixos/default.nix b/lib/preconfiguredModules/nixos/default.nix
new file mode 100644
index 0000000..6ea7316
--- /dev/null
+++ b/lib/preconfiguredModules/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+ common = import ./common.nix;
+ hyprland = import ./hyprland.nix;
+ hyprland-greetd = import ./hyprland-greetd.nix;
+}
diff --git a/lib/preconfiguredModules/nixos/hyprland-greetd.nix b/lib/preconfiguredModules/nixos/hyprland-greetd.nix
new file mode 100644
index 0000000..f48e9ef
--- /dev/null
+++ b/lib/preconfiguredModules/nixos/hyprland-greetd.nix
@@ -0,0 +1,33 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+lib.mkIf config.programs.hyprland.enable {
+ services.greetd = let
+ hyprConfig = pkgs.writeText "greetd-hyprland-config" ''
+ exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit
+ '';
+ in {
+ enable = true;
+ settings = {
+ default_session = {
+ command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}";
+ user = "greeter";
+ };
+ };
+ };
+
+ programs.regreet = {
+ enable = true;
+ settings = {
+ GTK = {
+ application_prefer_dark_theme = true;
+ };
+ appearance = {
+ greeting_msg = "Hey, you. You're finally awake.";
+ };
+ };
+ };
+}
diff --git a/lib/preconfiguredModules/nixos/hyprland.nix b/lib/preconfiguredModules/nixos/hyprland.nix
new file mode 100644
index 0000000..f7c3ab1
--- /dev/null
+++ b/lib/preconfiguredModules/nixos/hyprland.nix
@@ -0,0 +1,6 @@
+{...}: {
+ programs.hyprland = {
+ enable = true;
+ xwayland.enable = true;
+ };
+}
diff --git a/lib/preconfiguredModules/pack/hyprland.nix b/lib/preconfiguredModules/pack/hyprland.nix
new file mode 100644
index 0000000..04af6f0
--- /dev/null
+++ b/lib/preconfiguredModules/pack/hyprland.nix
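Review bot: `hyprland-greetd.nix` is wrapped entirely in `lib.mkIf config.programs.hyprland.enable`, so importing it without `hyprland.nix` (which `nixos/default.nix` lets a consumer do) silently produces no greeter at all, and neither file records that dependency. A header comment such as `# Only active when programs.hyprland.enable is true; import ./hyprland.nix (or set the option) alongside this module.` would save a host author from a login screen that never appears. A one-line comment on `hyprConfig` noting that the greeter session runs a full Hyprland instance as the `greeter` user with no configuration beyond the `exec-once` line is also worth adding, since that is the surface an unauthenticated user interacts with.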
@@ -0,0 +1,20 @@
+{
+ inputs,
+ hmConfig,
+ username,
+ bonLib,
+ ...
+}: {
+ imports = [
+ ../nixos/hyprland.nix
+ ../nixos/hyprland-greetd.nix
+ ];
+
+ home-manager.users.${username} = {...}: {
+ imports = [
+ (bonLib.injectArgs {inherit hmConfig;})
+ inputs.ags.homeManagerModules.default
+ ../homeManager/hyprland.nix
+ ];
+ };
+}
diff --git a/nixosConfigurations/astora/default.nix b/nixosConfigurations/astora/default.nix
index e561c47..2a33946 100644
--- a/nixosConfigurations/astora/default.nix
+++ b/nixosConfigurations/astora/default.nix
@@ -2,35 +2,21 @@ pkgs, lib, config, + bonLib, ... }: { system.stateVersion = "23.11"; - imports = [./hardware.nix ./users.nix]; + imports = [ + bonLib.preconfiguredModules.nixos.common + ./hardware.nix + ./users.nix + ]; # Nix settings - nix = { - settings = { - experimental-features = ["nix-command" "flakes" "repl-flake"]; - trusted-users = ["l-nafaryus"]; - allowed-users = ["l-nafaryus"]; - substituters = [ - "https://cache.elnafo.ru" - "https://bonfire.cachix.org" - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo=" - "bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - auto-optimise-store = true; - }; - gc = { - automatic = lib.mkDefault true; - dates = lib.mkDefault "weekly"; - options = lib.mkDefault "--delete-older-than 7d"; - }; + nix.settings = { + trusted-users = ["l-nafaryus"]; + allowed-users = ["l-nafaryus"]; }; # Nix packages
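Review bot: `pack/hyprland.nix` consumes `inputs`, `hmConfig`, `username` and `bonLib` as module arguments, none of which is a standard NixOS module argument, and nothing in the file says where they are expected to come from (presumably `specialArgs` or an injector such as `bonLib.injectArgs`). A header comment such as `# Expects inputs, bonLib, hmConfig and username to be supplied via specialArgs by the consuming flake.` would turn a bare "attribute missing" evaluation error into a documented contract. The `home-manager.users.${username}` body likewise relies on the home-manager NixOS module already being imported by the host, which is worth stating in the same comment.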
@@ -57,52 +43,16 @@ videoDrivers = ["nvidia"]; - #displayManager.gdm = { - # enable = true; - # autoSuspend = false; - # wayland = true; - #}; - #desktopManager.gnome.enable = true; - #windowManager.awesome.enable = true; - wacom.enable = true; }; - services.greetd = let - hyprConfig = pkgs.writeText "greetd-hyprland-config" '' - exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit - ''; - in { + services.desktopManager.plasma6.enable = true; + + services.displayManager.sddm = { enable = true; - settings = { - default_session = { - command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}"; - user = "greeter"; - }; - }; + wayland.enable = true; }; - programs.regreet = { - enable = true; - settings = { - GTK = { - application_prefer_dark_theme = true; - # TODO: provide gtk themes - # theme_name = "Catppuccin-Macchiato-Standard-Green-Dark"; - # icon_theme_name = "Catppuccin-Macchiato-Green-Cursors"; - # cursor_theme_name = "Papirus-Dark"; - # font_name = ""; - }; - appearance = { - greeting_msg = "Hey, you. You're finally awake."; - }; - }; - }; - - programs.hyprland = { - enable = true; - xwayland.enable = true; - }; services.dbus.enable = true; services.printing = { @@ -132,7 +82,6 @@ }; services.udev = { - packages = with pkgs; [gnome.gnome-settings-daemon]; extraRules = '' KERNEL=="rtc0", GROUP="audio" KERNEL=="hpet", GROUP="audio" @@ -147,49 +96,6 @@ fileSystems = ["/"]; }; - # Packages - environment.systemPackages = with pkgs; [ - wget - - parted - ntfs3g - sshfs - exfat - - lm_sensors - - git - git-lfs - ripgrep - fd - lazygit - unzip - - gnumake - - fishPlugins.fzf-fish - fishPlugins.tide - fishPlugins.grc - fishPlugins.hydro - - nnn - fzf - grc - - gcc - - cachix - ]; - - programs = { - fish.enable = true; - - neovim = { - enable = true; - defaultEditor = true; - }; - }; - programs.ssh.extraConfig = '' Host astora HostName 192.168.156.101 
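Review bot: Dropping astora's `environment.systemPackages` in favour of the shared module silently loses `gnumake`, `gcc` and `cachix`: all three are in the removed list here, none of them appears in `common.nix`'s package list, and nothing else in this commit adds them back. If that is deliberate the commit message should say so; otherwise put them in `common.nix` or keep a host-local `environment.systemPackages = with pkgs; [gnumake gcc cachix];` in astora. The enclosing attribute set starts and ends outside this hunk.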
@@ -202,13 +108,6 @@ User l-nafaryus ''; - programs.direnv.enable = true; - - fonts.packages = with pkgs; [nerdfonts]; - - programs.steam.enable = true; - systemd.extraConfig = "DefaultLimitNOFILE=1048576"; - virtualisation = { containers.enable = true; podman = { diff --git a/nixosConfigurations/astora/hardware.nix b/nixosConfigurations/astora/hardware.nix index 247b9bb..14b4231 100644 --- a/nixosConfigurations/astora/hardware.nix +++ b/nixosConfigurations/astora/hardware.nix @@ -16,9 +16,9 @@ initrd.kernelModules = []; kernelModules = ["kvm-amd" "tcp_bbr" "coretemp" "nct6775"]; extraModulePackages = with config.boot.kernelPackages; [v4l2loopback]; - extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBS Camera" exclusive_caps=1 - ''; + #extraModprobeConfig = '' + # options v4l2loopback devices=1 video_nr=1 card_label="OBS Camera" exclusive_caps=1 + #''; kernelParams = ["threadirqs"]; kernel.sysctl = { diff --git a/nixosConfigurations/astora/users.nix b/nixosConfigurations/astora/users.nix index 75554d7..d47052c 100644 --- a/nixosConfigurations/astora/users.nix +++ b/nixosConfigurations/astora/users.nix @@ -40,12 +40,7 @@ in { ]; home.packages = with pkgs; [ - #gnupg - git - #nnn - pass taskwarrior3 - #tmux gparted @@ -99,22 +94,13 @@ in { jdk bonPkgs.ultimmc - liberation_ttf - steamtinkerlaunch - discord - webcord - - tor - #rofi-wayland - kgx dunst libnotify # btop lua # bat - musikcube mangohud gamescope libstrangle @@ -124,6 +110,11 @@ in { freenect mpc-cli + + kdePackages.kmail + + flacon + picard ]; # Theme 
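Review bot: In `nixosConfigurations/astora/hardware.nix` the `extraModprobeConfig` options are commented out while `extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];` on the line above is kept, so the out-of-tree module is still built and loadable but without the `card_label`/`exclusive_caps` settings that labelled it as the OBS camera. Either drop `v4l2loopback` from `extraModulePackages` as well, or replace the three commented lines with a one-line note on why the options were removed, e.g. `# v4l2loopback options removed: <reason>`; commented-out code in a hardware file tends to outlive its reason. The enclosing `boot` attribute set starts and ends outside the hunk.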
@@ -406,10 +397,10 @@ in {
 MODE_QUIC=1
 MODE_FILTER=ipset
 TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
- NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
- NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
- NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
- NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
+ NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=5"
+ NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
+ NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
+ NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-ttl=5"
 INIT_APPLY_FW=1
 '';
 filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
@@ -437,4 +428,16 @@ in {
 # User-id must match above user. MPD will look inside this directory for the PipeWire socket.
 XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}";
 };
+
+ programs.kdeconnect = {
+ enable = true;
+ package = lib.mkForce pkgs.kdePackages.kdeconnect-kde;
+ };
+
+ programs.direnv.enable = true;
+
+ fonts.packages = with pkgs; [nerdfonts liberation_ttf];
+
+ programs.steam.enable = true;
+ systemd.extraConfig = "DefaultLimitNOFILE=1048576";
 }
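Review bot: `programs.kdeconnect.enable = true` does more than install a package: the NixOS `programs.kdeconnect` module also opens TCP and UDP ports 1714–1764 in `networking.firewall` on every interface, which deserves a comment next to the option (`# NB: the kdeconnect module opens firewall ports 1714-1764 TCP/UDP on all interfaces`) or an explicit per-interface restriction via `networking.firewall.interfaces.<name>` if astora ever sits on an untrusted network. Separately, `programs.steam.enable` and `systemd.extraConfig = "DefaultLimitNOFILE=1048576"` are system-wide settings that now live in `users.nix`, which is not where the next reader will look for them. The surrounding `in { … }` attribute set begins outside the hunk.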