new: nixosConfigurations.vinheim

This commit is contained in:
L-Nafaryus 2024-11-28 09:50:53 +05:00
parent 2096fd85e8
commit aa5ac516dd
Signed by: L-Nafaryus
GPG Key ID: 553C97999B363D38
4 changed files with 540 additions and 0 deletions


@ -31,4 +31,18 @@
];
specialArgs = {bonPkgs = self.packages.x86_64-linux;};
};
vinheim = lib.nixosSystem {
system = "x86_64-linux";
modules = with inputs; [
home-manager.nixosModules.home-manager
./vinheim
];
specialArgs = {
inherit inputs bonLib;
bonPkgs = self.packages.x86_64-linux;
};
};
}


@ -0,0 +1,135 @@
{
pkgs,
lib,
config,
bonLib,
...
}: {
system.stateVersion = "23.11";
imports = [
./hardware.nix
./users.nix
];
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
trusted-users = ["l-nafaryus"];
allowed-users = ["l-nafaryus"];
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
};
# Nix packages
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config.allowUnfree = true;
config.cudaSupport = false;
};
services.desktopManager.plasma6.enable = true;
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
};
services.dbus = {
enable = true;
packages = with pkgs; [networkmanager];
};
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
services.openssh = {
enable = true;
startWhenNeeded = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
programs.ssh.extraConfig = ''
Host catarina
HostName 77.242.105.50
Port 22
User l-nafaryus
'';
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
libvirtd.enable = true;
};
# Base packages
environment.systemPackages = with pkgs; [
wget
parted
ntfs3g
sshfs
exfat
btrfs-progs
btrbk
lm_sensors
btop
git
git-lfs
lazygit
nnn
fzf
ripgrep
fd
unzip
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
grc
gnupg
pass
bat
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
}
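Review bot: `services.openssh.enable = true` on what looks like a workstation (Plasma, pipewire, a `wlo1` Wi-Fi interface referenced in the accompanying hardware file) exposes sshd on every network the machine joins, and the NixOS module opens port 22 in the firewall by default as far as I recall; consider `openFirewall = false` with explicit `listenAddresses`, or at least add `settings.PermitRootLogin = "no"` next to the key-only settings already present. The `Host catarina` client block pins an IP but not a host key, so the first connection is trust-on-first-use; a declarative `programs.ssh.knownHosts.catarina = { hostNames = [ "77.242.105.50" ]; publicKey = "…"; }` entry would pin it. `trusted-users = ["l-nafaryus"]` is effectively root for the Nix daemon (a trusted user can supply extra substituters and keys per build), which is acceptable on a single-owner box but deserves a one-line comment so the setting is not copied to shared hosts.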


@ -0,0 +1,121 @@
{
config,
lib,
pkgs,
...
}: {
# Boot
boot = {
loader.grub = {
enable = true;
device = "/dev/nvme0n1";
useOSProber = true;
};
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
kernelModules = [];
};
kernelModules = ["kvm-intel" "tcp_bbr" "coretemp" "nct6775"];
kernelParams = ["threadirqs"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets
"net.ipv4.conf.all.accept_source_route" = 1;
"net.ipv4.conf.wlo1.accept_source_route" = 1;
"net.ipv6.conf.all.accept_source_route" = 1;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
swapDevices = [];
services.fstrim.enable = true;
security = {
protectKernelImage = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true;
polkit.enable = true;
};
# Hardware etc
hardware = {
cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
graphics.enable = true;
graphics.enable32Bit = true;
bluetooth.enable = true;
pulseaudio.enable = false;
};
networking = {
networkmanager = {
enable = true;
enableStrongSwan = true;
packages = with pkgs; [
networkmanager-l2tp
];
};
hostName = "nixos";
extraHosts = ''192.168.130.211 gitlab'';
};
time.timeZone = "Asia/Yekaterinburg";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
};
}
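Review bot: The three `accept_source_route` sysctls are set to `1`, which accepts source-routed packets, while the comment directly above says "Do not accept IP source route packets"; the value that matches the intent (and the rest of the hardening block) is `0`: `"net.ipv4.conf.all.accept_source_route" = 0;`, `"net.ipv4.conf.default.accept_source_route" = 0;`, `"net.ipv6.conf.all.accept_source_route" = 0;`. The per-interface key `net.ipv4.conf.wlo1.accept_source_route` also only exists once that interface is up, so applying it at boot can fail or be silently skipped; the `default` key above covers interfaces created later without naming one. Unrelated to sysctls, `networking.hostName = "nixos"` does not match the `vinheim` configuration name introduced by this commit, which will make logs and SSH prompts harder to attribute if several hosts share the default.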


@ -0,0 +1,270 @@
{
config,
pkgs,
lib,
bonPkgs,
bonLib,
inputs,
...
}: let
user = "l-nafaryus";
in {
# Users
users.users.l-nafaryus = {
isNormalUser = true;
description = "L-Nafaryus";
extraGroups = ["networkmanager" "wheel" "audio" "libvirtd" "input" "video" "disk" "wireshark" "podman"];
group = "users";
uid = 1000;
initialPassword = "nixos";
shell = pkgs.fish;
};
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.backupFileExtension = "hmbackup";
home-manager.users.${user} = {pkgs, ...}: let
hmConfig = config.home-manager.users.${user};
in {
home.stateVersion = "23.11";
home.username = "l-nafaryus";
home.homeDirectory = "/home/l-nafaryus";
imports = [
(bonLib.injectArgs {
inherit hmConfig;
})
inputs.catppuccin.homeManagerModules.catppuccin
inputs.ags.homeManagerModules.default
];
home.packages = with pkgs; [
taskwarrior3
gparted
firefox
thunderbird
qpwgraph
lutris
wine
winetricks
gamemode
inkscape
imagemagick
yt-dlp
ffmpeg
qbittorrent
telegram-desktop
onlyoffice-bin
# btop
lua
# bat
tree
bonPkgs.bonvim
kdePackages.kmail
kdePackages.kmail-account-wizard
lazydocker
docker-compose
podman-compose
dive
ksshaskpass
];
xdg.portal = {
enable = true;
configPackages = with pkgs; [
kdePackages.xdg-desktop-portal-kde
];
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
];
};
# Theme
catppuccin = {
# global, for all enabled programs
enable = true;
flavor = "macchiato";
accent = "green";
};
programs = {
# General
fish = {
enable = true;
interactiveShellInit = ''
set fish_greeting
'';
plugins = with pkgs.fishPlugins;
map (p: {
name = p.pname;
src = p.src;
}) [
fzf-fish
tide
grc
hydro
];
functions = {
fish-theme-configure = ''
tide configure \
--auto \
--style=Lean \
--prompt_colors='True color' \
--show_time='12-hour format' \
--lean_prompt_height='Two lines' \
--prompt_connection=Disconnected \
--prompt_spacing=Compact \
--icons='Many icons' \
--transient=No
'';
};
};
git = {
enable = true;
lfs.enable = true;
userName = "L-Nafaryus";
userEmail = "l.nafaryus@gmail.com";
signing = {
key = "86F1EA98B48FFB19";
signByDefault = true;
};
extraConfig = {
# ignore trends
init.defaultBranch = "master";
core = {
quotePath = false;
commitGraph = true;
whitespace = "trailing-space";
};
receive.advertisePushOptions = true;
gc.writeCommitGraph = true;
diff.submodule = "log";
};
aliases = {
plog = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
};
bat.enable = true;
btop = {
enable = true;
settings = {
cpu_bottom = true;
proc_tree = true;
};
};
fzf.enable = true;
lazygit.enable = true;
gpg = {
enable = true;
homedir = "${hmConfig.xdg.configHome}/gnupg";
mutableKeys = true;
mutableTrust = true;
settings = {
default-key = "B0B3 DFDB B842 BE9C 7468 B511 86F1 EA98 B48F FB19";
};
# TODO: replace existing ssh key with gpg provided
};
nnn = {
enable = true;
package = pkgs.nnn.override {withNerdIcons = true;};
bookmarks = {
d = "~/Downloads";
p = "~/projects";
i = "~/Pictures";
m = "~/Music";
v = "~/Videos";
};
plugins = {
src = "${hmConfig.programs.nnn.finalPackage}/share/plugins";
mappings = {
# TODO: add used programs for previews with FIFO support
p = "preview-tui";
};
};
};
ncmpcpp.enable = true;
# Graphical
obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-vkcapture
input-overlay
obs-pipewire-audio-capture
wlrobs
inputs.obs-image-reaction.packages.${pkgs.system}.default
];
};
mpv = {
enable = true;
};
};
services = {
# General
gpg-agent = {
enable = true;
defaultCacheTtl = 3600;
defaultCacheTtlSsh = 3600;
enableSshSupport = true;
pinentryPackage = pkgs.pinentry-qt;
enableFishIntegration = true;
enableBashIntegration = true;
};
ssh-agent.enable = true;
};
# XDG
xdg = {
enable = true;
mime.enable = true;
userDirs.enable = true;
};
# dconf
dconf.settings = {
"org/virt-manager/virt-manager/connections" = {
autoconnect = ["qemu:///system"];
uris = ["qemu:///system"];
};
};
};
environment.sessionVariables = {
# hint electron applications to use wayland
NIXOS_OZONE_WL = "1";
DOCKER_HOST = "unix:///run/user/${toString config.users.users.l-nafaryus.uid}/podman/podman.sock";
};
systemd.user.extraConfig = "DefaultLimitNOFILE=524288";
programs.virt-manager.enable = true;
programs.wireshark = {
enable = true;
package = pkgs.wireshark;
};
fonts.packages = with pkgs; [nerdfonts liberation_ttf];
}
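Review bot: `initialPassword = "nixos"` gives the `wheel` (sudo-capable) account a publicly known password that persists until someone changes it, and nothing in this hunk (no `users.mutableUsers`, no password policy) forces that change; prefer `hashedPasswordFile` pointing at a root-owned secret, or at least `hashedPassword` with a real hash, since sshd's key-only policy in the sibling file only protects the remote path. The `extraGroups` list also grants `disk` (raw block-device access, which is root-equivalent for data on the box) and `input` (raw events from every input device, i.e. keystrokes) to the interactive user; drop them unless something visible needs them, as `gparted` and `virt-manager` typically elevate through polkit and `qemu:///system` rather than group membership. Separately, `services.gpg-agent.enableSshSupport = true` and `services.ssh-agent.enable = true` both try to own `SSH_AUTH_SOCK` in the session, so keep only one — the TODO on the `gpg` block suggests gpg-agent is the intended winner.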