unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

restructure

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-06-17 12:45:52 +03:00
parent 02a8c645e9
commit 0bdff5ef5b
37 changed files with 167 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
modules/shared/nixos/boot/default.nix Normal file
View File

@ -0,0 +1,19 @@
{
inputs,
pkgs,
...
}: {
imports = with inputs; [
chaotic.nixosModules.default
./loader.nix
./lanzaboote.nix
];
boot = {
plymouth.enable = true;
consoleLogLevel = 0;
kernelPackages = pkgs.linuxPackages_cachyos;
initrd = {
systemd.enable = true;
};
};
}

15
modules/shared/nixos/boot/lanzaboote.nix Normal file
View File

@ -0,0 +1,15 @@
{
config,
inputs,
...
}: {
imports = with inputs; [
lanzaboote.nixosModules.lanzaboote
];
boot = {
lanzaboote = {
enable = config.module.config.secureBoot;
pkiBundle = "/var/lib/sbctl";
};
};
}

14
modules/shared/nixos/boot/loader.nix Normal file
View File

@ -0,0 +1,14 @@
{
config,
lib,
...
}: {
boot.loader = {
timeout = 0;
efi.canTouchEfiVariables = true;
systemd-boot = {
consoleMode = "auto";
configurationLimit = lib.mkOverride 1337 10;
};
};
}

90
modules/shared/nixos/default.nix Normal file
View File

@ -0,0 +1,90 @@
{
config,
# inputs,
lib,
pkgs,
...
}: let
inherit (lib) mkDefault mkEnableOption mkIf;
cfg = config.module.config;
in {
imports = [
./boot
./hardware
./misc
./networking
./nix
./security
./programs.nix
./services.nix
./users.nix
./sops.nix
];
options = {
module.config = {
laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
powerSave = mkEnableOption "set to use various power saving daemons";
secureBoot = mkEnableOption "set if secure boot is configured";
tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
vaapi = lib.mkOption {
type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]);
default = null;
};
};
};
config = lib.mkMerge [
{
boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
}
(mkIf (cfg.laptop.homeRowMods) {
services.keyd = {
enable = true;
keyboards = {
internal = {
ids = ["0001:0001" "048d:c101"];
settings.main = let
idleTimeout = toString 220;
holdTimeout = toString 170;
in {
a = "lettermod(alt, a, ${idleTimeout}, ${holdTimeout})";
s = "lettermod(meta, s, ${idleTimeout}, ${holdTimeout})";
d = "lettermod(control, d, ${idleTimeout}, ${holdTimeout})";
f = "lettermod(shift, f, ${idleTimeout}, ${holdTimeout})";
j = "lettermod(shift, j, ${idleTimeout}, ${holdTimeout})";
k = "lettermod(control, k, ${idleTimeout}, ${holdTimeout})";
l = "lettermod(meta, l, ${idleTimeout}, ${holdTimeout})";
";" = "lettermod(alt, ;, ${idleTimeout}, ${holdTimeout})";
};
};
};
};
})
(mkIf (cfg.powerSave) {
powerManagement.enable = true;
powerManagement.powertop.enable = true;
services.power-profiles-daemon.enable = true;
services.thermald.enable = true;
services.upower.enable = true;
})
(mkIf cfg.useIwd {
networking = {
networkmanager.wifi.backend = "iwd";
wireless.iwd.enable = true;
};
})
(mkIf (cfg.vaapi == "intel-media-driver") {
hardware.graphics.extraPackages = with pkgs; [
intel-compute-runtime
intel-media-driver
vpl-gpu-rt
];
})
(mkIf (cfg.vaapi == "nvidia") {
hardware.graphics.extraPackages = with pkgs; [
nvidia-vaapi-driver
];
})
];
}

5
modules/shared/nixos/hardware/default.nix Normal file
View File

@ -0,0 +1,5 @@
{
imports = [
./facter.nix
];
}

14
modules/shared/nixos/hardware/facter.nix Normal file
View File

@ -0,0 +1,14 @@
{
config,
inputs,
...
}: let
inherit (inputs) mysecrets;
inherit (config.networking) hostName;
in {
imports = with inputs; [
nixos-facter-modules.nixosModules.facter
];
facter.reportPath = "${mysecrets}/facter/${hostName}.json";
systemd.network.wait-online.enable = false;
}

3
modules/shared/nixos/misc/default.nix Normal file
View File

@ -0,0 +1,3 @@
{
imports = [./slim.nix ./zram.nix];
}

20
modules/shared/nixos/misc/slim.nix Normal file
View File

@ -0,0 +1,20 @@
{
# taken from https://github.com/NuschtOS/nixos-modules/blob/main/modules/slim.nix
documentation = {
# html docs and info are not required, man pages are enough
doc.enable = false;
info.enable = false;
};
# environment.defaultPackages = lib.mkForce [];
# programs.thunderbird.package = pkgs.thunderbird.override {cfg.speechSynthesisSupport = false;};
# during testing only 550K-650K of the tmpfs where used
security.wrapperDirSize = "10M";
services = {
orca.enable = false; # requires speechd
speechd.enable = false; # voice files are big and fat
};
}

8
modules/shared/nixos/misc/zram.nix Normal file
View File

@ -0,0 +1,8 @@
{
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 25;
priority = 5;
};
}

18
modules/shared/nixos/networking/default.nix Normal file
View File

@ -0,0 +1,18 @@
{
networking = {
hosts = import ./hosts.nix;
networkmanager = {
ethernet.macAddress = "stable";
wifi = {
macAddress = "random";
scanRandMacAddress = true;
};
};
wireless.iwd = {
settings = {
General.AddressRandomization = "network";
Settings.AlwaysRandomizeAddress = true;
};
};
};
}

3
modules/shared/nixos/networking/hosts.nix Normal file
View File

@ -0,0 +1,3 @@
{
"192.168.1.42" = ["dunamis"];
}

41
modules/shared/nixos/nix/common.nix Normal file
View File

@ -0,0 +1,41 @@
{
pkgs,
lib,
...
}: {
nix = {
package = pkgs.lixPackageSets.latest.lix;
channel.enable = false;
daemonCPUSchedPolicy = "idle";
optimise = {
automatic = true;
dates = ["weekly"];
};
settings = {
auto-optimise-store = true;
experimental-features = [
"nix-command"
"flakes"
# for container in builds support
"auto-allocate-uids"
"cgroups"
# Enable the use of the fetchClosure built-in function in the Nix language.
"fetch-closure"
# Allow derivation builders to call Nix, and thus build derivations recursively.
# "recursive-nix"
# Allow the use of the impure-env setting.
# "configurable-impure-env"
];
};
};
# no longer need to pre-allocate build users for everything
nix.settings.auto-allocate-uids = lib.mkDefault true;
# Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
nix.settings.use-cgroups = true;
# for container in builds support
nix.settings.system-features = ["uid-range"];
}

7
modules/shared/nixos/nix/default.nix Normal file
View File

@ -0,0 +1,7 @@
{
imports = [
./common.nix
./distibuted-build.nix
./substituters.nix
];
}

49
modules/shared/nixos/nix/distibuted-build.nix Normal file
View File

@ -0,0 +1,49 @@
{
config,
inputs,
lib,
...
}: let
isBuildHost = config.networking.hostName == "dunamis";
in {
config = lib.mkMerge [
(lib.mkIf isBuildHost {
nix = let
inherit (builtins) readFile;
inherit (config.users.users) user;
in {
sshServe = {
enable = true;
keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
protocol = "ssh-ng";
trusted = true;
write = true;
};
};
})
(lib.mkIf (!isBuildHost) {
nix = let
inherit (builtins) readFile;
inherit (config.networking) hostName;
inherit (config.sops) secrets;
inherit (inputs) mysecrets;
pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
in {
distributedBuilds = true;
buildMachines = [
{
hostName = "dunamis";
maxJobs = 3;
protocol = "ssh-ng";
publicHostKey = pubHost;
speedFactor = 2;
sshKey = secrets."ssh-${hostName}-user".path;
sshUser = "nix-ssh";
supportedFeatures = ["benchmark" "big-parallel" "kvm" "nixos-test"];
system = "x86_64-linux";
}
];
};
})
];
}

16
modules/shared/nixos/nix/substituters.nix Normal file
View File

@ -0,0 +1,16 @@
{
nix.settings = {
substituters = [
"https://cache.nixos.org/"
"https://chaotic-nyx.cachix.org/"
"https://cosmic.cachix.org/"
"https://nix-community.cachix.org/"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
}

20
modules/shared/nixos/programs.nix Normal file
View File

@ -0,0 +1,20 @@
{
pkgs,
lib,
...
}: {
programs = {
fish.enable = true;
mosh.enable = true;
nix-ld.enable = true;
nh = {
enable = true;
flake = "/home/user/.config/nixos";
};
};
environment.systemPackages = with pkgs; [
(lib.hiPrio uutils-coreutils-noprefix)
helix
nushell
];
}

123
modules/shared/nixos/security/default.nix Normal file
View File

@ -0,0 +1,123 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf mkDefault;
in {
security = {
sudo.enable = false;
# doas.enable = true;
sudo-rs = {
enable = true;
execWheelOnly = true;
};
polkit = {
enable = true;
extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
&& (
action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions"
)
)
{
return polkit.Result.YES;
}
});
'';
};
apparmor.enable = mkDefault true;
pam.sshAgentAuth.enable = true;
};
environment.systemPackages = with pkgs; [
(mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
];
services = {
dbus = {
apparmor = "enabled";
implementation = "broker";
};
ntpd-rs = {
enable = true;
#settings = {
# server = {
# require-nts = true;
# };
#};
};
};
boot = {
kernel.sysctl = {
"dev.tty.ldisc_autoload" = 0;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.suid_dumpable" = 0;
"kernel.kptr_restrict" = 2;
"kernel_kexec_load_disabled" = 1;
# "kernel.modules_disabled" = 1;
"kernel.sysrq" = 0;
"kernel.unprivileged_bpf_disabled" = 1;
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
};
kernelParams = [
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
"page_alloc.shuffle=1"
"vsyscall=none"
# "ia32_emulation=0"
# "lockdown=confidentiality"
# "module.sig_enforce=1"
];
blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
};
nix.settings.allowed-users = mkDefault ["@users"];
}

38
modules/shared/nixos/services.nix Normal file
View File

@ -0,0 +1,38 @@
{
services = {
# hardware.openrgb.enable = true;
avahi.enable = true;
dnscrypt-proxy2 = {
enable = true;
settings = {
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
require_dnssec = true;
server_names = ["mullvad-doh"];
};
};
flatpak.enable = true;
fstrim = {
enable = true;
interval = "daily";
};
fwupd.enable = true;
logind = {
lidSwitch = "ignore";
powerKey = "suspend";
};
opensnitch = {
enable = false;
settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
};
openssh.enable = true;
scx.enable = true;
scx.scheduler = "scx_flash";
syncthing.openDefaultPorts = true;
userborn.enable = true;
};
}

61
modules/shared/nixos/sops.nix Normal file
View File

@ -0,0 +1,61 @@
{
config,
inputs,
...
}: let
inherit (inputs) mysecrets;
inherit (config.networking) hostName;
dotSsh = name: "/home/user/.ssh/" + name;
sopsFile = mysecrets + "/hosts/${hostName}.yaml";
sshKey = {
mode = "0400";
owner = "user";
};
in {
imports = with inputs; [
sops-nix.nixosModules.sops
];
sops = {
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
defaultSopsFile = mysecrets + "/common.yaml";
secrets = {
"user-password-hashed".neededForUsers = true;
"ssh-config" = {
path = dotSsh "config";
mode = "0400";
owner = "user";
};
"ssh-${hostName}-user" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519";
};
"ssh-${hostName}-user.pub" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519.pub";
};
"ssh-unexplrd" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519";
};
"ssh-unexplrd.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519.pub";
};
"ssh-uni" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519";
};
"ssh-uni.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519.pub";
};
};
};
}

33
modules/shared/nixos/users.nix Normal file
View File

@ -0,0 +1,33 @@
{
inputs,
config,
pkgs,
lib,
...
}: let
inherit (config.networking) hostName;
inherit (config.sops) secrets;
inherit (inputs) mysecrets;
sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
in {
nix.settings.trusted-users = ["user"];
users.mutableUsers = false;
users.users = {
user = {
hashedPasswordFile = secrets."user-password-hashed".path;
extraGroups =
["wheel" "video" "libvirtd" "dialout"]
# for lisgd
++ lib.optional (hostName == "morphius" && config.desktop.niri.enable) "input";
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = map sshKeys [
"dunamis"
"eldrid"
"legion"
"morphius"
"sarien"
];
};
};
}