diff --git a/devShells/default.nix b/devShells/default.nix
index 0f887da..188ac77 100644
--- a/devShells/default.nix
+++ b/devShells/default.nix
@@ -30,4 +30,6 @@ in
 
 rust-x11 = import ./rust-x11.nix environment;
 go = import ./go.nix environment;
+
+ python-uv = import ./python-uv.nix environment;
 })
diff --git a/devShells/python-uv.nix b/devShells/python-uv.nix
new file mode 100644
index 0000000..d643899
--- /dev/null
+++ b/devShells/python-uv.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}:
+pkgs.mkShellNoCC {
+ packages = with pkgs; [
+ uv
+ curl
+ jq
+ ];
+}
diff --git a/flake.lock b/flake.lock
index 238355c..b8ac813 100644
--- a/flake.lock
+++ b/flake.lock
@@ -55,11 +55,11 @@
 },
 "catppuccin": {
 "locked": {
- "lastModified": 1728407414,
- "narHash": "sha256-B8LaxUP93eh+it8RW1pGq4SsU2kj7f0ipzFuhBvpON8=",
+ "lastModified": 1730458408,
+ "narHash": "sha256-JQ+SphQn13bdibKUrBBBznYehXX4xJrxD1ifBp6vSWw=",
 "owner": "catppuccin",
 "repo": "nix",
- "rev": "96cf8b4a05fb23a53c027621b1147b5cf9e5439f",
+ "rev": "191fbf2d81a63fad8f62f1233c0051f09b75d0ad",
 "type": "github"
 },
 "original": {
@@ -70,11 +70,11 @@
 },
 "crane": {
 "locked": {
- "lastModified": 1728344376,
- "narHash": "sha256-lxTce2XE6mfJH8Zk6yBbqsbu9/jpwdymbSH5cCbiVOA=",
+ "lastModified": 1730504891,
+ "narHash": "sha256-Fvieht4pai+Wey7terllZAKOj0YsaDP0e88NYs3K/Lo=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "fd86b78f5f35f712c72147427b1eb81a9bd55d0b",
+ "rev": "8658adcdad49b8f2c6cbf0cc3cb4b4db988f7638",
 "type": "github"
 },
 "original": {
@@ -178,11 +178,11 @@
 "rust-analyzer-src": []
 },
 "locked": {
- "lastModified": 1728628307,
- "narHash": "sha256-GRMRHZyU+R0RqKPFFgi7BBMDIRFPnHaAhOIxlqyvbZQ=",
+ "lastModified": 1730529264,
+ "narHash": "sha256-5gC0y6cKXKQvumK4jOhKyjVsYqQ7EOcWKNtKB8UiP74=",
 "owner": "nix-community",
 "repo": "fenix",
- "rev": "b0a014d5b9dba793ebc205bcf12a93b5f6a4c66c",
+ "rev": "fff718e230e40b8202d7be6223c13492bb0010a8",
 "type": "github"
 },
 "original": {
@@ -321,11 +321,11 @@
 ]
 },
 "locked": {
- "lastModified": 1728598744,
- "narHash": "sha256-sSfvyO5xH3HObHHmh6lp/hcvo7tMjFKd/HXpxyrRnoE=",
+ "lastModified": 1730490306,
+ "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "342a1d682386d3a1d74f9555cb327f2f311dda6e",
+ "rev": "1743615b61c7285976f85b303a36cdf88a556503",
 "type": "github"
 },
 "original": {
@@ -334,6 +334,34 @@
 "type": "github"
 }
 },
+ "ixx": {
+ "inputs": {
+ "flake-utils": [
+ "nixvim",
+ "nuschtosSearch",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixvim",
+ "nuschtosSearch",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1729544999,
+ "narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=",
+ "owner": "NuschtOS",
+ "repo": "ixx",
+ "rev": "65c207c92befec93e22086da9456d3906a4e999c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NuschtOS",
+ "ref": "v0.0.5",
+ "repo": "ixx",
+ "type": "github"
+ }
+ },
 "libpng": {
 "flake": false,
 "locked": {
@@ -406,11 +434,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1728492678,
- "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+ "lastModified": 1730200266,
+ "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+ "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
 "type": "github"
 },
 "original": {
@@ -437,11 +465,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1728156290,
- "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
+ "lastModified": 1729973466,
+ "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
+ "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
 "type": "github"
 },
 "original": {
@@ -482,11 +510,11 @@
 "treefmt-nix": []
 },
 "locked": {
- "lastModified": 1728593423,
- "narHash": "sha256-xM3+7mvWwM5i+RXD97wQ/fSoQDFidVxNszIfKIv9msE=",
+ "lastModified": 1730499477,
+ "narHash": "sha256-olt0Sx4alDxv3ko9BgbV3SsE2KQ/Tf0/Az1Fr9s2Y6U=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "af650ba9401501352d6eaaced192bbb4abfaec87",
+ "rev": "356896f58dde22ee16481b7c954e340dceec340d",
 "type": "github"
 },
 "original": {
@@ -498,17 +526,18 @@
 "nuschtosSearch": {
 "inputs": {
 "flake-utils": "flake-utils",
+ "ixx": "ixx",
 "nixpkgs": [
 "nixvim",
 "nixpkgs"
 ]
 },
 "locked": {
- "lastModified": 1728513479,
- "narHash": "sha256-yAR9M1jvuAoahYNxo3RNnPMcua1TAIPurFKmH2/g3lg=",
+ "lastModified": 1730337772,
+ "narHash": "sha256-uTxvqDohfG85+zldO5Tf1B+fuAF8ZhMouNwG5S6OAnA=",
 "owner": "NuschtOS",
 "repo": "search",
- "rev": "5cb7ef512ec20a5b7d60fc70dba014560559698a",
+ "rev": "4e0a7a95a3df3333771abc4df6a656e7baf67106",
 "type": "github"
 },
 "original": {
@@ -669,11 +698,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1728345710,
- "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+ "lastModified": 1729999681,
+ "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+ "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
 "type": "github"
 },
 "original": {
@@ -741,11 +770,11 @@
 },
 "locked": {
 "dir": "nix",
- "lastModified": 1728322634,
- "narHash": "sha256-cUnwLCSc59Sx3E+meVlVUMfyROr0aToWPID7UA6PZvg=",
+ "lastModified": 1730443872,
+ "narHash": "sha256-dQG+9b/EUn+UWDjDSsje19hn3DxiDOzSGmIwsSGdqDA=",
 "owner": "wez",
 "repo": "wezterm",
- "rev": "ed430415ee69279ea692358525196ad7d4c965b8",
+ "rev": "0983ae90d6dfb45c5f99058e97de73a70ca9dd36",
 "type": "github"
 },
 "original": {
diff --git a/lib/preconfiguredModules/bonvim.nix b/lib/preconfiguredModules/bonvim.nix
index 63c644c..0ac516e 100644
--- a/lib/preconfiguredModules/bonvim.nix
+++ b/lib/preconfiguredModules/bonvim.nix
@@ -152,13 +152,15 @@
 # UI
 plugins.noice = {
 enable = true;
- lsp.override = {
- "cmp.entry.get_documentation" = true;
- "vim.lsp.util.convert_input_to_markdown_lines" = true;
- "vim.lsp.util.stylize_markdown" = true;
- };
- presets = {
- long_message_to_split = true;
+ settings = {
+ lsp.override = {
+ "cmp.entry.get_documentation" = true;
+ "vim.lsp.util.convert_input_to_markdown_lines" = true;
+ "vim.lsp.util.stylize_markdown" = true;
+ };
+ presets = {
+ long_message_to_split = true;
+ };
 };
 };
 
@@ -365,14 +367,16 @@
 };
 cmake.enable = true;
 nil_ls.enable = true;
+ pyright.enable = true;
+ ruff.enable = true;
 # pylyzer.enable = true; # not working with virtual environments currently :(
- pylsp = {
- enable = true; # https://github.com/nix-community/nixvim/pull/1893
- settings.plugins = {
- pyflakes.enabled = true;
- black.enabled = true;
- };
- };
+ #pylsp = {
+ # enable = true; # https://github.com/nix-community/nixvim/pull/1893
+ # settings.plugins = {
+ # pyflakes.enabled = true;
+ # black.enabled = true;
+ # };
+ #};
 rust_analyzer = {
 enable = true;
 package = rust-analyzer;
diff --git a/lib/preconfiguredModules/nixos/common.nix b/lib/preconfiguredModules/nixos/common.nix
index 45bb0bf..7b19b9a 100644
--- a/lib/preconfiguredModules/nixos/common.nix
+++ b/lib/preconfiguredModules/nixos/common.nix
@@ -7,7 +7,7 @@
 # Nix settings
 nix = {
 settings = {
- experimental-features = ["nix-command" "flakes" "repl-flake"];
+ experimental-features = ["nix-command" "flakes"];
 substituters = [
 "https://cache.elnafo.ru"
 "https://bonfire.cachix.org"
@@ -91,8 +91,9 @@
 "net.ipv4.conf.default.rp_filter" = 1;
 "net.ipv4.conf.all.rp_filter" = 1;
 # Do not accept IP source route packets
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.all.accept_source_route" = 1;
+ "net.ipv4.conf.wlo1.accept_source_route" = 1;
+ "net.ipv6.conf.all.accept_source_route" = 1;
 # Don't send ICMP redirects
 "net.ipv4.conf.all.send_redirects" = 0;
 "net.ipv4.conf.default.send_redirects" = 0;
diff --git a/nixosConfigurations/astora/default.nix b/nixosConfigurations/astora/default.nix
index 2a33946..ef89d80 100644
--- a/nixosConfigurations/astora/default.nix
+++ b/nixosConfigurations/astora/default.nix
@@ -53,7 +53,10 @@
 wayland.enable = true;
 };
 
- services.dbus.enable = true;
+ services.dbus = {
+ enable = true;
+ packages = with pkgs; [networkmanager];
+ };
 
 services.printing = {
 enable = true;
@@ -88,7 +91,7 @@
 '';
 };
 
- services.blueman.enable = true;
+ #services.blueman.enable = true;
 
 services.btrfs.autoScrub = {
 enable = true;
@@ -116,5 +119,9 @@
 defaultNetwork.settings.dns_enabled = true;
 };
 libvirtd.enable = true;
+ test-share = {
+ source = "/home/l-nafaryus/vms/shared";
+ target = "/mnt/shared";
+ };
 };
 }
diff --git a/nixosConfigurations/astora/hardware.nix b/nixosConfigurations/astora/hardware.nix
index 14b4231..2d4f1fd 100644
--- a/nixosConfigurations/astora/hardware.nix
+++ b/nixosConfigurations/astora/hardware.nix
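Review bot: The three added lines flip `accept_source_route` to 1 for IPv4 (all and wlo1) and IPv6 while the comment they sit under still says `# Do not accept IP source route packets`, so either the values or the comment are wrong; accepting source-routed packets lets a sender dictate the forwarding path, which is the spoofing and filter-bypass exposure the original 0 closed and the reason hardening baselines keep it at 0. If the change is deliberate it belongs in the astora host configuration rather than in this shared module, with the reason recorded in place of the stale comment, e.g. `# accept_source_route=1: required for <reason>; revert to 0 once no longer needed`. The `net.ipv4.conf.wlo1` key is also interface-specific: on any other host that imports common.nix and has no `wlo1`, that sysctl key does not exist and the write is presumably rejected at activation. The enclosing `kernel.sysctl` set starts outside the hunk.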
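Review bot: `test-share = { source = …; target = …; }` is added directly under the set that also holds `libvirtd.enable` (presumably `virtualisation`, whose opening line is outside the hunk), but nixpkgs declares no `virtualisation.test-share` option; the `source`/`target` shape matches `virtualisation.sharedDirectories.<name>` from the qemu-vm module, which is only in scope for the build-vm variant. Unless a module in this repository declares `virtualisation.test-share`, evaluation fails with an undefined-option error, so a `nixos-rebuild dry-build` is worth running before merging. If the share is meant for a libvirt guest, the filesystem passthrough is configured on the domain rather than through a NixOS option, and a comment naming the consumer, e.g. `# consumed by: <module or tool that reads test-share>`, would tell the next reader why this attribute exists.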
@@ -5,144 +5,14 @@
 }: {
 # Boot
 boot = {
- loader.systemd-boot.enable = true;
- loader.systemd-boot.configurationLimit = 5;
- loader.efi.canTouchEfiVariables = true;
-
- tmp.useTmpfs = lib.mkDefault true;
- tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
-
- initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
- initrd.kernelModules = [];
- kernelModules = ["kvm-amd" "tcp_bbr" "coretemp" "nct6775"];
+ kernelModules = ["kvm-amd"];
 extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
- #extraModprobeConfig = ''
- # options v4l2loopback devices=1 video_nr=1 card_label="OBS Camera" exclusive_caps=1
- #'';
- kernelParams = ["threadirqs"];
-
- kernel.sysctl = {
- # The Magic SysRq key is a key combo that allows users connected to the
- # system console of a Linux kernel to perform some low-level commands.
- # Disable it, since we don't need it, and is a potential security concern.
- "kernel.sysrq" = 0;
-
- ## TCP hardening
- # Prevent bogus ICMP errors from filling up logs.
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
- # Reverse path filtering causes the kernel to do source validation of
- # packets received from all interfaces. This can mitigate IP spoofing.
- "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - - ## TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; - }; - }; - - # Security - security = { - protectKernelImage = true; - acme.acceptTerms = true; - sudo.extraConfig = ''Defaults timestamp_timeout=30''; - rtkit.enable = true; - pam.loginLimits = [ - { - domain = "@audio"; - item = "memlock"; - type = "-"; - value = "unlimited"; - } - { - domain = "@audio"; - item = "rtprio"; - type = "-"; - value = "99"; - } - { - domain = "@audio"; - item = "nofile"; - type = "soft"; - value = "99999"; - } - { - domain = "@audio"; - item = "nofile"; - type = "hard"; - value = "99999"; - } - { - domain = "*"; - item = "nofile"; - type = "-"; - value = "524288"; - } - { - domain = "*"; - item = "memlock"; - type = "-"; - value = "524288"; - } - ]; - polkit.enable = true; }; users.users.root.initialPassword = "nixos"; # Filesystem 
fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=root" "compress=zstd"]; - }; - - "/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - }; - - "/nix" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=nix" "compress=zstd" "noatime"]; - }; - - "/home" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=home" "compress=zstd"]; - }; - - "/swap" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=swap" "noatime"]; - }; - "/media/steam-library" = { device = "/dev/disk/by-label/siegward"; fsType = "btrfs"; @@ -156,16 +26,10 @@ }; }; - swapDevices = [ - {device = "/swap/swapfile";} - ]; - services.fstrim.enable = true; # Hardware etc hardware = { - enableRedistributableFirmware = true; - cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; nvidia.nvidiaSettings = true; 
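Review bot: Hunk `@@ -5,144` deletes this host's entire `boot.loader`, `security` (protectKernelImage, sudo timeout, rtkit, pam limits, polkit) and `kernel.sysctl` configuration, hunk `@@ -156,16` drops `enableRedistributableFirmware` and the AMD microcode update, and hunk `@@ -181,56` drops `networking.firewall` (with the `ve-+` trusted interfaces and the MASQUERADE rules), `networking.nat`, the static `wlo1` address, `hostName`, time zone and locale; of all that, only the sysctl block is visibly present elsewhere, in the lib/preconfiguredModules/nixos/common.nix hunk of this commit. If the rest was moved to a shared module in an earlier commit this is fine but undocumented; if not, the host loses its loader declaration (the grub default presumably trips its devices assertion at evaluation), its CPU microcode updates and its container NAT, while `networking.firewall` falls back to NixOS defaults. Either way a comment at the top of `boot = {` such as `# loader, sysctl hardening, security and networking are provided by preconfiguredModules/nixos/common.nix` would let a reader verify the split, and the commit message should name the replacement module.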
@@ -181,56 +45,9 @@
 };
 
 networking = {
- networkmanager.enable = true;
- networkmanager.unmanaged = ["interface-name:ve-*"];
- useDHCP = lib.mkDefault true;
- hostName = "astora";
- extraHosts = '''';
-
- firewall = {
+ networkmanager = {
 enable = true;
- allowedTCPPorts = [80 443];
- trustedInterfaces = ["ve-+"];
- extraCommands = ''
- iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
- '';
- extraStopCommands = ''
- iptables -t nat -D POSTROUTING -o wlo1 -j MASQUERADE
- '';
- };
-
- nat = {
- enable = true;
- externalInterface = "wlo1";
- internalInterfaces = ["ve-+"];
- };
-
- interfaces.wlo1.ipv4.addresses = [
- {
- address = "192.168.156.101";
- prefixLength = 24;
- }
- ];
-
- defaultGateway = "192.168.156.1";
- nameservers = ["192.168.156.1" "8.8.8.8"];
- };
-
- # Common
- time.timeZone = "Asia/Yekaterinburg";
-
- i18n = {
- defaultLocale = "en_US.UTF-8";
- extraLocaleSettings = {
- LC_ADDRESS = "en_US.UTF-8";
- LC_IDENTIFICATION = "en_US.UTF-8";
- LC_MEASUREMENT = "en_US.UTF-8";
- LC_MONETARY = "en_US.UTF-8";
- LC_NAME = "en_US.UTF-8";
- LC_NUMERIC = "en_US.UTF-8";
- LC_PAPER = "en_US.UTF-8";
- LC_TELEPHONE = "en_US.UTF-8";
- LC_TIME = "en_US.UTF-8";
+ enableStrongSwan = true;
 };
 };
 }
diff --git a/nixosConfigurations/astora/users.nix b/nixosConfigurations/astora/users.nix
index d47052c..362fdaa 100644
--- a/nixosConfigurations/astora/users.nix
+++ b/nixosConfigurations/astora/users.nix
@@ -36,7 +36,7 @@ in {
 })
 inputs.catppuccin.homeManagerModules.catppuccin
 inputs.ags.homeManagerModules.default
- bonLib.preconfiguredModules.homeManager.hyprland
+ #bonLib.preconfiguredModules.homeManager.hyprland
 ];
 
 home.packages = with pkgs; [
@@ -96,8 +96,8 @@ in {
 
 steamtinkerlaunch
 
- dunst
- libnotify
+ #dunst
+ #libnotify
 # btop
 lua
 # bat
@@ -112,11 +112,25 @@ in { mpc-cli kdePackages.kmail + kdePackages.kmail-account-wizard flacon picard + + podman-desktop + virtiofsd ]; + xdg.portal = { + enable = true; + configPackages = with pkgs; [ + kdePackages.xdg-desktop-portal-kde + ]; + extraPortals = with pkgs; [ + xdg-desktop-portal-gtk + ]; + }; + # Theme catppuccin = { # global, for all enabled programs @@ -125,22 +139,6 @@ in { accent = "green"; }; - gtk = { - enable = true; - # TODO: fix catppuccin deprecation. Provide Paper icons to gtk and gnomeShell manually. (+ regreet) - catppuccin = { - enable = true; - accent = "green"; - flavor = "macchiato"; - gnomeShellTheme = true; - icon = { - enable = true; - accent = "green"; - flavor = "macchiato"; - }; - }; - }; - programs = { # General fish = { @@ -222,6 +220,9 @@ in { homedir = "${hmConfig.xdg.configHome}/gnupg"; mutableKeys = true; mutableTrust = true; + settings = { + default-key = "B0B3 DFDB B842 BE9C 7468 B511 86F1 EA98 B48F FB19"; + }; # TODO: replace existing ssh key with gpg provided }; @@ -249,7 +250,7 @@ in { # Graphical wezterm = { - enable = true; + enable = false; package = inputs.wezterm.packages.x86_64-linux.default; extraConfig = '' return { @@ -272,7 +273,7 @@ in { }; rofi = { - enable = true; + enable = false; package = pkgs.rofi-wayland; terminal = "${lib.getExe hmConfig.programs.wezterm.package}"; cycle = true; @@ -317,7 +318,7 @@ in { defaultCacheTtl = 3600; defaultCacheTtlSsh = 3600; enableSshSupport = true; - pinentryPackage = pkgs.pinentry-gtk2; + pinentryPackage = pkgs.pinentry-qt; enableFishIntegration = true; enableBashIntegration = true; }; 
@@ -383,28 +384,28 @@ in {
 };
 
 # Services
- services.spoofdpi.enable = true;
+ #services.spoofdpi.enable = true;
 
- services.zapret = {
- enable = true;
- mode = "nfqws";
- firewallType = "iptables";
- disableIpv6 = true;
- settings = ''
- MODE_HTTP=1
- MODE_HTTP_KEEPALIVE=0
- MODE_HTTPS=1
- MODE_QUIC=1
- MODE_FILTER=ipset
- TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
- NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=5"
- NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
- NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
- NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-ttl=5"
- INIT_APPLY_FW=1
- '';
- filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
- };
+ #services.zapret = {
+ # enable = true;
+ # mode = "nfqws";
+ # firewallType = "iptables";
+ # disableIpv6 = true;
+ # settings = ''
+ # MODE_HTTP=1
+ # MODE_HTTP_KEEPALIVE=0
+ # MODE_HTTPS=1
+ # MODE_QUIC=1
+ # MODE_FILTER=ipset
+ # TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
+ # NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=5"
+ # NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
+ # NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
+ # NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-ttl=5"
+ # INIT_APPLY_FW=1
+ # '';
+ # filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
+ #};
 
 # TODO: remember who use gvfs
 services.gvfs.enable = true;
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index 7651421..fa3efac 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -10,7 +10,8 @@
 ./services/papermc.nix
 ./services/qbittorrent-nox.nix
 ./services/spoofdpi.nix
- ./services/zapret.nix
+ # ISSUE: collision with nixos module zapret
+ #./services/zapret.nix
 ./services/conduit.nix
 ];
 
diff --git a/packages/default.nix b/packages/default.nix
index bf17958..64fa60b 100644
--- a/packages/default.nix
+++ b/packages/default.nix
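Review bot: The reason `services.zapret` and `services.spoofdpi.enable` are switched off is not recorded here; it only appears in the nixosModules/default.nix hunk of this commit (`# ISSUE: collision with nixos module zapret`), so a reader of users.nix cannot tell whether the block is parked or dead. Put the rationale next to it, e.g. `# disabled: local zapret module collides with the nixpkgs one, see nixosModules/default.nix` above `#services.zapret = {`, and a similar one-liner for spoofdpi if its disabling is related. Since the local module is no longer imported, re-enabling this block later would target the nixpkgs `services.zapret` options, which presumably do not share this option set (`mode`, `firewallType`, `settings`, `filterAddressesSource`); keeping 20 commented lines instead of relying on git history makes that mismatch easy to miss.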
@@ -83,11 +83,12 @@ in
 
 # Pass for cache
 
- wezterm = {
- source = ./wezterm;
- platforms = ["x86_64-linux"];
- builder = {...}: import;
- };
+ # ISSUE: attribute 'targetPlatforms' missing
+ #wezterm = {
+ # source = ./wezterm;
+ # platforms = ["x86_64-linux"];
+ # builder = {...}: import;
+ #};
 
 # Container images
 