diff --git a/nixosConfigurations/default.nix b/nixosConfigurations/default.nix
index ec92b84..741761e 100644
--- a/nixosConfigurations/default.nix
+++ b/nixosConfigurations/default.nix
@@ -31,4 +31,18 @@
 ];
 specialArgs = {bonPkgs = self.packages.x86_64-linux;};
 };
+
+ vinheim = lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = with inputs; [
+ home-manager.nixosModules.home-manager
+ ./vinheim
+ ];
+ specialArgs = {
+ inherit inputs bonLib;
+ bonPkgs = self.packages.x86_64-linux;
+ };
+ };
+
+
 }
diff --git a/nixosConfigurations/vinheim/default.nix b/nixosConfigurations/vinheim/default.nix
new file mode 100644
index 0000000..b6e9933
--- /dev/null
+++ b/nixosConfigurations/vinheim/default.nix
@@ -0,0 +1,135 @@
+{
+ pkgs,
+ lib,
+ config,
+ bonLib,
+ ...
+}: {
+ system.stateVersion = "23.11";
+
+ imports = [
+ ./hardware.nix
+ ./users.nix
+ ];
+
+ nix = {
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ substituters = [
+ "https://cache.elnafo.ru"
+ "https://bonfire.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
+ "bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ auto-optimise-store = true;
+ trusted-users = ["l-nafaryus"];
+ allowed-users = ["l-nafaryus"];
+ };
+ gc = {
+ automatic = lib.mkDefault true;
+ dates = lib.mkDefault "weekly";
+ options = lib.mkDefault "--delete-older-than 7d";
+ };
+ };
+
+ # Nix packages
+ nixpkgs = {
+ hostPlatform = lib.mkDefault "x86_64-linux";
+ config.allowUnfree = true;
+ config.cudaSupport = false;
+ };
+
+ services.desktopManager.plasma6.enable = true;
+
+ services.displayManager.sddm = {
+ enable = true;
+ wayland.enable = true;
+ };
+
+ services.dbus = {
+ enable = true;
+ packages = with pkgs; [networkmanager];
+ };
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
+
+ programs.ssh.extraConfig = ''
+ Host catarina
+ HostName 77.242.105.50
+ Port 22
+ User l-nafaryus
+ '';
+
+ virtualisation = {
+ containers.enable = true;
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ libvirtd.enable = true;
+ };
+
+ # Base packages
+ environment.systemPackages = with pkgs; [
+ wget
+
+ parted
+ ntfs3g
+ sshfs
+ exfat
+ btrfs-progs
+ btrbk
+
+ lm_sensors
+ btop
+
+ git
+ git-lfs
+ lazygit
+
+ nnn
+ fzf
+ ripgrep
+ fd
+
+ unzip
+
+ fishPlugins.fzf-fish
+ fishPlugins.tide
+ fishPlugins.grc
+ fishPlugins.hydro
+ grc
+
+ gnupg
+ pass
+
+ bat
+ ];
+
+ programs = {
+ fish.enable = true;
+
+ neovim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ };
+}
diff --git a/nixosConfigurations/vinheim/hardware.nix b/nixosConfigurations/vinheim/hardware.nix
new file mode 100644
index 0000000..adec540
--- /dev/null
+++ b/nixosConfigurations/vinheim/hardware.nix
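Review bot: `trusted-users = ["l-nafaryus"]` in `nix.settings` lets that account hand the daemon arbitrary substituters, trusted public keys and sandbox overrides, which on a NixOS host is effectively root; the substituters and keys the user needs are already declared statically in the same block, so the line can most likely be dropped, or a comment should state why trusted status is required. The `Host catarina` entry in `programs.ssh.extraConfig` pins a host name, address and user but no host key, so the first connection is trust-on-first-use; adding `programs.ssh.knownHosts.catarina.publicKey = "<catarina host public key>";` alongside it makes the host identity part of the declarative config.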
@@ -0,0 +1,121 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ # Boot
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/nvme0n1";
+ useOSProber = true;
+ };
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+ kernelModules = [];
+ };
+ kernelModules = ["kvm-intel" "tcp_bbr" "coretemp" "nct6775"];
+ kernelParams = ["threadirqs"];
+ extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
+
+ kernel.sysctl = {
+ # The Magic SysRq key is a key combo that allows users connected to the
+ # system console of a Linux kernel to perform some low-level commands.
+ # Disable it, since we don't need it, and is a potential security concern.
+ "kernel.sysrq" = 0;
+
+ ## TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets
+ "net.ipv4.conf.all.accept_source_route" = 1;
+ "net.ipv4.conf.wlo1.accept_source_route" = 1;
+ "net.ipv6.conf.all.accept_source_route" = 1;
+ # Don't send ICMP redirects
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+
+ ## TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+ };
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+
+ services.fstrim.enable = true;
+
+ security = {
+ protectKernelImage = true;
+ sudo.extraConfig = ''Defaults timestamp_timeout=30'';
+ rtkit.enable = true;
+ polkit.enable = true;
+ };
+
+ # Hardware etc
+ hardware = {
+ cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ graphics.enable = true;
+ graphics.enable32Bit = true;
+
+ bluetooth.enable = true;
+
+ pulseaudio.enable = false;
+ };
+
+ networking = {
+ networkmanager = {
+ enable = true;
+ enableStrongSwan = true;
+ packages = with pkgs; [
+ networkmanager-l2tp
+ ];
+ };
+ hostName = "nixos";
+ extraHosts = ''192.168.130.211 gitlab'';
+ };
+
+ time.timeZone = "Asia/Yekaterinburg";
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+ };
+}
diff --git a/nixosConfigurations/vinheim/users.nix b/nixosConfigurations/vinheim/users.nix
new file mode 100644
index 0000000..2239f8e
--- /dev/null
+++ b/nixosConfigurations/vinheim/users.nix
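Review bot: The comment `# Do not accept IP source route packets` is contradicted by the three sysctl values under it, which set `accept_source_route = 1` and therefore enable acceptance of source-routed packets, the opposite of the stated hardening intent. They should read `"net.ipv4.conf.all.accept_source_route" = 0;`, `"net.ipv4.conf.wlo1.accept_source_route" = 0;` and `"net.ipv6.conf.all.accept_source_route" = 0;`, and adding a `net.ipv4.conf.default.accept_source_route` entry would cover interfaces created after boot, as the `rp_filter` and redirect keys in the same block already do. The `wlo1` key is tied to one interface name and silently does nothing if that name changes, so it is worth either dropping in favour of `all`/`default` or annotating with the reason it is needed.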
@@ -0,0 +1,270 @@
+{
+ config,
+ pkgs,
+ lib,
+ bonPkgs,
+ bonLib,
+ inputs,
+ ...
+}: let
+ user = "l-nafaryus";
+in {
+ # Users
+ users.users.l-nafaryus = {
+ isNormalUser = true;
+ description = "L-Nafaryus";
+ extraGroups = ["networkmanager" "wheel" "audio" "libvirtd" "input" "video" "disk" "wireshark" "podman"];
+ group = "users";
+ uid = 1000;
+ initialPassword = "nixos";
+ shell = pkgs.fish;
+ };
+
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.backupFileExtension = "hmbackup";
+
+ home-manager.users.${user} = {pkgs, ...}: let
+ hmConfig = config.home-manager.users.${user};
+ in {
+ home.stateVersion = "23.11";
+ home.username = "l-nafaryus";
+ home.homeDirectory = "/home/l-nafaryus";
+ imports = [
+ (bonLib.injectArgs {
+ inherit hmConfig;
+ })
+ inputs.catppuccin.homeManagerModules.catppuccin
+ inputs.ags.homeManagerModules.default
+ ];
+
+ home.packages = with pkgs; [
+ taskwarrior3
+
+ gparted
+
+ firefox
+ thunderbird
+
+ qpwgraph
+
+ lutris
+ wine
+ winetricks
+ gamemode
+
+ inkscape
+ imagemagick
+ yt-dlp
+ ffmpeg
+
+ qbittorrent
+ telegram-desktop
+
+ onlyoffice-bin
+
+ # btop
+ lua
+ # bat
+ tree
+ bonPkgs.bonvim
+
+ kdePackages.kmail
+ kdePackages.kmail-account-wizard
+
+ lazydocker
+ docker-compose
+ podman-compose
+ dive
+
+ ksshaskpass
+ ];
+
+ xdg.portal = {
+ enable = true;
+ configPackages = with pkgs; [
+ kdePackages.xdg-desktop-portal-kde
+ ];
+ extraPortals = with pkgs; [
+ xdg-desktop-portal-gtk
+ ];
+ };
+
+ # Theme
+ catppuccin = {
+ # global, for all enabled programs
+ enable = true;
+ flavor = "macchiato";
+ accent = "green";
+ };
+
+ programs = {
+ # General
+ fish = {
+ enable = true;
+ interactiveShellInit = ''
+ set fish_greeting
+ '';
+ plugins = with pkgs.fishPlugins;
+ map (p: {
+ name = p.pname;
+ src = p.src;
+ }) [
+ fzf-fish
+ tide
+ grc
+ hydro
+ ];
+ functions = {
+ fish-theme-configure = ''
+ tide configure \
+ --auto \
+ --style=Lean \
+ --prompt_colors='True color' \
+ --show_time='12-hour format' \
+ --lean_prompt_height='Two lines' \
+ --prompt_connection=Disconnected \
+ --prompt_spacing=Compact \
+ --icons='Many icons' \
+ --transient=No
+ '';
+ };
+ };
+
+ git = {
+ enable = true;
+ lfs.enable = true;
+ userName = "L-Nafaryus";
+ userEmail = "l.nafaryus@gmail.com";
+ signing = {
+ key = "86F1EA98B48FFB19";
+ signByDefault = true;
+ };
+ extraConfig = {
+ # ignore trends
+ init.defaultBranch = "master";
+ core = {
+ quotePath = false;
+ commitGraph = true;
+ whitespace = "trailing-space";
+ };
+ receive.advertisePushOptions = true;
+ gc.writeCommitGraph = true;
+ diff.submodule = "log";
+ };
+ aliases = {
+ plog = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
+ };
+ };
+
+ bat.enable = true;
+
+ btop = {
+ enable = true;
+ settings = {
+ cpu_bottom = true;
+ proc_tree = true;
+ };
+ };
+
+ fzf.enable = true;
+
+ lazygit.enable = true;
+
+ gpg = {
+ enable = true;
+ homedir = "${hmConfig.xdg.configHome}/gnupg";
+ mutableKeys = true;
+ mutableTrust = true;
+ settings = {
+ default-key = "B0B3 DFDB B842 BE9C 7468 B511 86F1 EA98 B48F FB19";
+ };
+ # TODO: replace existing ssh key with gpg provided
+ };
+
+ nnn = {
+ enable = true;
+ package = pkgs.nnn.override {withNerdIcons = true;};
+ bookmarks = {
+ d = "~/Downloads";
+ p = "~/projects";
+ i = "~/Pictures";
+ m = "~/Music";
+ v = "~/Videos";
+ };
+ plugins = {
+ src = "${hmConfig.programs.nnn.finalPackage}/share/plugins";
+ mappings = {
+ # TODO: add used programs for previews with FIFO support
+ p = "preview-tui";
+ };
+ };
+ };
+
+ ncmpcpp.enable = true;
+
+ # Graphical
+ obs-studio = {
+ enable = true;
+ plugins = with pkgs.obs-studio-plugins; [
+ obs-vkcapture
+ input-overlay
+ obs-pipewire-audio-capture
+ wlrobs
+ inputs.obs-image-reaction.packages.${pkgs.system}.default
+ ];
+ };
+
+ mpv = {
+ enable = true;
+ };
+ };
+
+ services = {
+ # General
+ gpg-agent = {
+ enable = true;
+ defaultCacheTtl = 3600;
+ defaultCacheTtlSsh = 3600;
+ enableSshSupport = true;
+ pinentryPackage = pkgs.pinentry-qt;
+ enableFishIntegration = true;
+ enableBashIntegration = true;
+ };
+
+ ssh-agent.enable = true;
+ };
+
+ # XDG
+ xdg = {
+ enable = true;
+ mime.enable = true;
+ userDirs.enable = true;
+ };
+
+ # dconf
+ dconf.settings = {
+ "org/virt-manager/virt-manager/connections" = {
+ autoconnect = ["qemu:///system"];
+ uris = ["qemu:///system"];
+ };
+ };
+ };
+
+ environment.sessionVariables = {
+ # hint electron applications to use wayland
+ NIXOS_OZONE_WL = "1";
+ DOCKER_HOST = "unix:///run/user/${toString config.users.users.l-nafaryus.uid}/podman/podman.sock";
+ };
+
+ systemd.user.extraConfig = "DefaultLimitNOFILE=524288";
+
+ programs.virt-manager.enable = true;
+
+ programs.wireshark = {
+ enable = true;
+ package = pkgs.wireshark;
+ };
+
+ fonts.packages = with pkgs; [nerdfonts liberation_ttf];
+}
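Review bot: `initialPassword = "nixos"` puts a well-known credential on an account that is in `wheel`, `disk`, `libvirtd` and `podman`, i.e. an account with a direct path to root; `initialPassword` is applied only when the user is first created and is meant for throwaway installs, so on a persistent host it should be `hashedPasswordFile = "<path to hash stored outside the repo>";` or a `hashedPassword` produced with `mkpasswd`, so the default never exists on disk. Disabling SSH password authentication in default.nix limits remote exposure but does nothing for console, SDDM or `sudo` logins, which all accept this password until it is changed by hand. If keeping `initialPassword` is deliberate for first boot, a comment next to it saying that it must be rotated after install would at least make the expectation explicit.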