diff --git a/.codex b/.codex
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/dunamis/configuration.nix b/hosts/dunamis/configuration.nix
index 98ad195..dd4871b 100644
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@@ -35,6 +35,7 @@ }; networking.firewall = rec {
+ allowedTCPPorts = [8080];
 allowedTCPPortRanges = [ { from = 1714;
diff --git a/hosts/dunamis/host.toml b/hosts/dunamis/host.toml
index 567a7cb..468fb60 100644
--- a/hosts/dunamis/host.toml
+++ b/hosts/dunamis/host.toml
@@ -4,9 +4,12 @@ id = "c7f6c4a1" type = "workstation" stateVersion = "24.11"
+[boot.secureBoot]
+enable = true
+
+[boot.tpmDiskUnlock]
+enable = true
+
 [config] locale = "uk_UA.UTF-8" timeZone = "Europe/Kyiv"
-secureBoot = true
-tpmDiskUnlock = true
-
diff --git a/hosts/kled/configuration.nix b/hosts/kled/configuration.nix
index 8ed7c1c..e306bc5 100644
--- a/hosts/kled/configuration.nix
+++ b/hosts/kled/configuration.nix
@@ -42,12 +42,15 @@ stateVersion = "25.11"; };
+ boot.secureBoot.enable = true;
+ hardware = {
+ graphics.vaapi = "intel-media-driver";
+ powerSave.enable = true;
+ };
+ input.homeRowMods.enable = true;
+ networking.iwd.enable = true;
+
 config = {
- laptop.homeRowMods = true;
- powerSave = true;
- secureBoot = true;
- useIwd = true;
- vaapi = "intel-media-driver";
 locale = "uk_UA.UTF-8"; timeZone = "Europe/Kyiv"; };
diff --git a/hosts/legion/host.toml b/hosts/legion/host.toml
index bf762e6..40391cb 100644
--- a/hosts/legion/host.toml
+++ b/hosts/legion/host.toml
@@ -4,11 +4,21 @@ id = "45b00123" type = "laptop" stateVersion = "25.11"
+[boot.secureBoot]
+enable = true
+
+[boot.tpmDiskUnlock]
+enable = true
+
+[hardware.graphics]
+vaapi = "nvidia"
+
+[hardware.powerSave]
+enable = true
+
+#[input.homeRowMods]
+#enable = true
+
 [config] locale = "uk_UA.UTF-8" timeZone = "Europe/Kyiv"
-secureBoot = true
-tpmDiskUnlock = true
-vaapi = "nvidia"
-# laptop.homeRowMods = true
-powerSave = true 
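Review bot: `allowedTCPPorts = [8080];` opens a new listening port on every interface, and nothing in the hunk says which service answers on it, unlike the 1714 range beside it whose purpose is recognisable. A one-line comment naming the service (`# 8080: <service — TODO name it>`) would make the exposure auditable, and if the service is only meant for the local network the port belongs under `networking.firewall.interfaces.<iface>.allowedTCPPorts` rather than the global list. The `networking.firewall = rec {` block continues past the end of the hunk.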
diff --git a/modules/home/desktop/dms/programs/niri.nix b/modules/home/desktop/dms/programs/niri.nix
index 27a2d16..054f4fc 100644
--- a/modules/home/desktop/dms/programs/niri.nix
+++ b/modules/home/desktop/dms/programs/niri.nix
@@ -56,11 +56,11 @@ in { layout = "us,ua"; variant = "colemak_dh"
- + (
- if osConfig.unexplrd.host.name == "dunamis"
- then "_ortho"
- else ""
- )
+ # + (
+ # if osConfig.unexplrd.host.name == "dunamis"
+ # then "_ortho"
+ # else ""
+ # )
 + ","; }; repeat-delay = 200;
diff --git a/modules/nixos/shared/boot/default.nix b/modules/nixos/shared/boot/default.nix
new file mode 100644
index 0000000..e95a31d
--- /dev/null
+++ b/modules/nixos/shared/boot/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./secure-boot.nix
+ ./tpm-disk-unlock.nix
+ ];
+}
diff --git a/modules/nixos/shared/boot/secure-boot.nix b/modules/nixos/shared/boot/secure-boot.nix
new file mode 100644
index 0000000..d2b6024
--- /dev/null
+++ b/modules/nixos/shared/boot/secure-boot.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkDefault mkEnableOption;
+ cfg = config.unexplrd.boot.secureBoot;
+in {
+ options.unexplrd.boot.secureBoot.enable =
+ mkEnableOption "secure boot support";
+
+ config = {
+ boot.loader.systemd-boot.enable = mkDefault (!cfg.enable);
+ };
+}
diff --git a/modules/nixos/shared/boot/tpm-disk-unlock.nix b/modules/nixos/shared/boot/tpm-disk-unlock.nix
new file mode 100644
index 0000000..1b6b625
--- /dev/null
+++ b/modules/nixos/shared/boot/tpm-disk-unlock.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkDefault mkEnableOption;
+ cfg = config.unexplrd.boot.tpmDiskUnlock;
+in {
+ options.unexplrd.boot.tpmDiskUnlock.enable =
+ mkEnableOption "TPM2 disk unlock support";
+
+ config = {
+ boot.initrd.systemd.tpm2.enable = mkDefault cfg.enable;
+ };
+}
diff --git a/modules/nixos/shared/default.nix b/modules/nixos/shared/default.nix
index e4d2295..8220fc2 100644
--- a/modules/nixos/shared/default.nix 
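Review bot: The `_ortho` variant selection is kept as a five-line comment instead of being removed, and commented-out code like this tends to rot; the condition it encodes (a host-name string compare against `"dunamis"`) is also exactly what the `unexplrd.*` option pattern introduced elsewhere in this commit is meant to replace. Either delete the block (history keeps it) or reintroduce the variant behind a host option so the keyboard layout does not depend on the hostname. The `layout` attribute set continues outside the hunk.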
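Review bot: The module's only effect is `boot.loader.systemd-boot.enable = mkDefault (!cfg.enable)`, but nothing in the file says which loader takes over when the option is on; that lives in module/lanzaboote.nix, which reads the same option. A comment above the line, `# lanzaboote (module/lanzaboote.nix) becomes the loader when secure boot is on`, and a description such as `mkEnableOption "secure boot via lanzaboote (replaces systemd-boot)"` would stop a reader from assuming the host is left without a loader. Because this is `mkDefault`, a host can still set systemd-boot back to true alongside lanzaboote; if that combination is never intended, an `assertions` entry here would catch it at evaluation time.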
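Review bot: `boot.initrd.systemd.tpm2.enable = mkDefault cfg.enable` only makes TPM2 support available inside the systemd initrd, so the name "disk unlock" promises more than the module delivers: the LUKS enrollment and the PCR policy it is bound to are not configured here, and `boot.initrd.systemd.enable` is not set by this file either. Suggest a description that states the contract, along the lines of `mkEnableOption "TPM2 support in the initrd for LUKS volumes enrolled out of band (enrollment and PCR policy are not managed here)"`. Whether the hosts that enable this actually run the systemd initrd is not visible in this diff.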
+++ b/modules/nixos/shared/default.nix
@@ -1,16 +1,15 @@
-{
- config,
- # inputs,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault mkOption mkEnableOption mkIf;
- cfg = config.unexplrd.config;
- cfgHost = config.unexplrd.host;
-in {
+{lib, ...}: {
 imports = [
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "laptop" "homeRowMods"] ["unexplrd" "input" "homeRowMods" "enable"])
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "powerSave"] ["unexplrd" "hardware" "powerSave" "enable"])
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "secureBoot"] ["unexplrd" "boot" "secureBoot" "enable"])
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "tpmDiskUnlock"] ["unexplrd" "boot" "tpmDiskUnlock" "enable"])
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "useIwd"] ["unexplrd" "networking" "iwd" "enable"])
+ (lib.mkRenamedOptionModule ["unexplrd" "config" "vaapi"] ["unexplrd" "hardware" "graphics" "vaapi"])
+ ./boot
 ./hardware
+ ./host.nix
+ ./input/home-row-mods.nix
 ./misc
 ./module/lanzaboote.nix
 ./module/locale.nix 
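Review bot: The import list mixes granularities: `./boot` and `./hardware` pull in a `default.nix`, while `./input/home-row-mods.nix` is imported as a single file and the new iwd module is reached through networking/default.nix. Adding an `input/default.nix` that imports `./home-row-mods.nix` and importing `./input` here would keep the pattern uniform and make the next input module a one-line change in one place. The six `mkRenamedOptionModule` shims are migration aids; a short comment above them stating when they can be removed (once every host uses the new option paths, which this commit already does for the hosts shown) would help later cleanup.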
@@ -24,79 +23,4 @@ in { ./sops.nix ./users.nix ]; - options = { - unexplrd.host = { - name = mkOption { - type = lib.types.str; - }; - id = mkOption { - type = lib.types.strMatching "[a-z0-9]{8}"; - }; - stateVersion = mkOption { - type = lib.types.strMatching ''[0-9]{2}\.[0-9]{2}''; - }; - type = mkOption { - type = lib.types.enum ["laptop" "server" "workstation"]; - }; - }; - unexplrd.config = { - laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;"; - powerSave = mkEnableOption "set to use various power saving daemons"; - secureBoot = mkEnableOption "set if secure boot is configured"; - tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2"; - useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant"; - vaapi = lib.mkOption { - type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]); - default = null; - }; - }; - }; - config = lib.mkMerge [ - { - system.stateVersion = cfgHost.stateVersion; - networking.hostName = cfgHost.name; - networking.hostId = cfgHost.id; - } - { - boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock; - boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot); - } - (mkIf (cfg.laptop.homeRowMods) - # lib.asserts.assertMsg (config.services.kanata.enable != config.services.keyd.enable) "Kanata and keyd create soft lock when both enabled" - { - services.kanata.enable = true; - services.kanata.keyboards.internal = { - extraDefCfg = '' - process-unmapped-keys no - ''; - configFile = ./kanata/internal.kbd; - }; - }) - (mkIf (cfg.powerSave) { - powerManagement.enable = true; - powerManagement.powertop.enable = true; - services.power-profiles-daemon.enable = true; - services.thermald.enable = true; - services.upower.enable = true; - hardware.bluetooth.settings.Policy.AutoEnable = false; - }) - (mkIf cfg.useIwd { - networking = { - networkmanager.wifi.backend = "iwd"; - wireless.iwd.enable = true; - }; - }) - (mkIf (cfg.vaapi == "intel-media-driver") { - hardware.graphics.extraPackages = 
with pkgs; [ - intel-compute-runtime - intel-media-driver - vpl-gpu-rt - ]; - }) - (mkIf (cfg.vaapi == "nvidia") { - hardware.graphics.extraPackages = with pkgs; [ - nvidia-vaapi-driver - ]; - }) - ]; }
diff --git a/modules/nixos/shared/hardware/default.nix b/modules/nixos/shared/hardware/default.nix
index b28fad6..33e6570 100644
--- a/modules/nixos/shared/hardware/default.nix
+++ b/modules/nixos/shared/hardware/default.nix
@@ -1,5 +1,7 @@ { imports = [ ./facter.nix
+ ./graphics/vaapi.nix
+ ./power-save.nix
 ]; }
diff --git a/modules/nixos/shared/hardware/graphics/vaapi.nix b/modules/nixos/shared/hardware/graphics/vaapi.nix
new file mode 100644
index 0000000..e30ce75
--- /dev/null
+++ b/modules/nixos/shared/hardware/graphics/vaapi.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkIf mkOption types;
+ cfg = config.unexplrd.hardware.graphics.vaapi;
+in {
+ options.unexplrd.hardware.graphics.vaapi = mkOption {
+ type = types.nullOr (types.enum ["intel-media-driver" "nvidia"]);
+ default = null;
+ };
+
+ config = lib.mkMerge [
+ (mkIf (cfg == "intel-media-driver") {
+ hardware.graphics.extraPackages = with pkgs; [
+ intel-compute-runtime
+ intel-media-driver
+ vpl-gpu-rt
+ ];
+ })
+ (mkIf (cfg == "nvidia") {
+ hardware.graphics.extraPackages = with pkgs; [
+ nvidia-vaapi-driver
+ ];
+ })
+ ];
+}
diff --git a/modules/nixos/shared/hardware/power-save.nix b/modules/nixos/shared/hardware/power-save.nix
new file mode 100644
index 0000000..1ecd215
--- /dev/null
+++ b/modules/nixos/shared/hardware/power-save.nix 
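Review bot: The `mkOption` for `unexplrd.hardware.graphics.vaapi` has a `type` and `default` but no `description`, whereas the sibling modules in this commit document their options through `mkEnableOption`. Suggest `description = "VA-API driver stack to add to hardware.graphics.extraPackages; null installs none.";`. The module only appends to `extraPackages`; whether `hardware.graphics.enable` is turned on elsewhere is not visible here, and the description is the right place to say that this module relies on it.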
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.unexplrd.hardware.powerSave;
+in {
+ options.unexplrd.hardware.powerSave.enable =
+ mkEnableOption "power saving defaults";
+
+ config = mkIf cfg.enable {
+ powerManagement.enable = true;
+ powerManagement.powertop.enable = true;
+ services.power-profiles-daemon.enable = true;
+ services.thermald.enable = true;
+ services.upower.enable = true;
+ hardware.bluetooth.settings.Policy.AutoEnable = false;
+ };
+}
diff --git a/modules/nixos/shared/host.nix b/modules/nixos/shared/host.nix
new file mode 100644
index 0000000..d3bca61
--- /dev/null
+++ b/modules/nixos/shared/host.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption types;
+ cfg = config.unexplrd.host;
+in {
+ options.unexplrd.host = {
+ name = mkOption {
+ type = types.str;
+ };
+ id = mkOption {
+ type = types.strMatching "[a-z0-9]{8}";
+ };
+ stateVersion = mkOption {
+ type = types.strMatching ''[0-9]{2}\.[0-9]{2}'';
+ };
+ type = mkOption {
+ type = types.enum ["laptop" "server" "workstation"];
+ };
+ };
+
+ config = {
+ system.stateVersion = cfg.stateVersion;
+ networking.hostName = cfg.name;
+ networking.hostId = cfg.id;
+ };
+}
diff --git a/modules/nixos/shared/input/home-row-mods.nix b/modules/nixos/shared/input/home-row-mods.nix
new file mode 100644
index 0000000..2900bb6
--- /dev/null
+++ b/modules/nixos/shared/input/home-row-mods.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.unexplrd.input.homeRowMods;
+in {
+ options.unexplrd.input.homeRowMods.enable =
+ mkEnableOption "home row mods for the internal keyboard";
+
+ config = mkIf cfg.enable {
+ services.kanata.enable = true;
+ services.kanata.keyboards.internal = {
+ extraDefCfg = ''
+ process-unmapped-keys no
+ '';
+ configFile = ../kanata/internal.kbd;
+ };
+ };
+} 
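Review bot: `types.strMatching "[a-z0-9]{8}"` for `id` accepts the letters g–z, but the value is fed straight into `networking.hostId`, which must be eight hexadecimal digits; a typo containing a `g` would pass this module's check and only fail later at the NixOS level, or mis-identify the host for consumers of hostId. Tighten it to `type = types.strMatching "[0-9a-f]{8}";` — both ids in this commit (`c7f6c4a1`, `45b00123`) already satisfy it. None of the four options carries a `description`; one line each, e.g. `description = "Eight-digit hex host id, used for networking.hostId";`, would make `unexplrd.host` self-documenting.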
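Review bot: The move drops the commented-out guard from shared/default.nix (`assertMsg (config.services.kanata.enable != config.services.keyd.enable) "Kanata and keyd create soft lock when both enabled"`) without turning it into a real check, so the soft lock it describes is still possible when another module enables keyd. Since this module is what turns kanata on, the natural place is an `assertions` entry inside the `mkIf cfg.enable` block, shown below. The relocated `configFile = ../kanata/internal.kbd` correctly resolves to the former shared/kanata location from the new input/ directory.
```nix
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = !config.services.keyd.enable;
        message = "Kanata and keyd create soft lock when both enabled";
      }
    ];
    # … unchanged: services.kanata.enable and services.kanata.keyboards.internal …
```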
diff --git a/modules/nixos/shared/misc/default.nix b/modules/nixos/shared/misc/default.nix
index 522d70e..b59aa42 100644
--- a/modules/nixos/shared/misc/default.nix
+++ b/modules/nixos/shared/misc/default.nix
@@ -57,7 +57,7 @@ ''; zramSwap = {
- enable = true;
+ enable = false;
 algorithm = "zstd"; memoryPercent = 25; priority = 5;
diff --git a/modules/nixos/shared/module/lanzaboote.nix b/modules/nixos/shared/module/lanzaboote.nix
index eefd959..4e69516 100644
--- a/modules/nixos/shared/module/lanzaboote.nix
+++ b/modules/nixos/shared/module/lanzaboote.nix
@@ -8,7 +8,7 @@ ]; boot = { lanzaboote = {
- enable = config.unexplrd.config.secureBoot;
+ enable = config.unexplrd.boot.secureBoot.enable;
 pkiBundle = "/var/lib/sbctl"; }; };
diff --git a/modules/nixos/shared/networking/default.nix b/modules/nixos/shared/networking/default.nix
index cd61f06..f3ce8b3 100644
--- a/modules/nixos/shared/networking/default.nix
+++ b/modules/nixos/shared/networking/default.nix
@@ -1,5 +1,8 @@ {
- imports = [./hosts.nix];
+ imports = [
+ ./hosts.nix
+ ./iwd.nix
+ ];
 networking.networkmanager = { ethernet.macAddress = "stable"; wifi.macAddress = "random";
diff --git a/modules/nixos/shared/networking/iwd.nix b/modules/nixos/shared/networking/iwd.nix
new file mode 100644
index 0000000..cac634d
--- /dev/null
+++ b/modules/nixos/shared/networking/iwd.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.unexplrd.networking.iwd;
+in {
+ options.unexplrd.networking.iwd.enable =
+ mkEnableOption "iwd as the NetworkManager Wi-Fi backend";
+
+ config = mkIf cfg.enable {
+ networking = {
+ networkmanager.wifi.backend = "iwd";
+ wireless.iwd.enable = true;
+ };
+ };
+}
diff --git a/modules/nixos/shared/security/ssh.nix b/modules/nixos/shared/security/ssh.nix
index 91a13eb..d3215ab 100644
--- a/modules/nixos/shared/security/ssh.nix
+++ b/modules/nixos/shared/security/ssh.nix 
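Review bot: `enable = false` leaves `algorithm`, `memoryPercent` and `priority` in place as inert settings, and nothing records why zram swap was turned off. Either drop the block or keep it with a one-line reason, e.g. `enable = false; # disabled: <reason — TODO>`, so the next reader knows whether this is temporary. The enclosing attribute set continues outside the hunk.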
@@ -4,7 +4,7 @@ settings = { PasswordAuthentication = false; PermitEmptyPasswords = false;
- PermitTunnel = false;
+ PermitTunnel = true;
 UseDns = false; KbdInteractiveAuthentication = false; X11Forwarding = config.services.xserver.enable;
@@ -14,7 +14,7 @@ ClientAliveCountMax = 0; # AllowUsers = ["user"]; TCPKeepAlive = false;
- AllowTcpForwarding = false;
+ AllowTcpForwarding = "yes";
 AllowAgentForwarding = false; LogLevel = "VERBOSE"; PermitRootLogin = "no";
diff --git a/modules/nixos/shared/services.nix b/modules/nixos/shared/services.nix
index f2bfa62..5e745ba 100644
--- a/modules/nixos/shared/services.nix
+++ b/modules/nixos/shared/services.nix
@@ -33,6 +33,6 @@ InterceptUnknown = true; ProcMonitorMethod = "ebpf"; };
- scx.scheduler = "scx_rustland";
+ # scx.scheduler = "scx_rustland";
 }; }
diff --git a/modules/users/user/services.nix b/modules/users/user/services.nix
index 766b48e..a7a1b4f 100644
--- a/modules/users/user/services.nix
+++ b/modules/users/user/services.nix
@@ -8,6 +8,8 @@ # services.pueue.enable = true; # process queue in rust services.ssh-agent.enable = true;
+ services.kdeconnect.enable = true;
+
 services.vicinae = { enable = true; systemd.enable = true;
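Review bot: `PermitTunnel = true` (first hunk) and `AllowTcpForwarding = "yes"` (second hunk) together let any authenticated key holder relay arbitrary TCP connections and layer-2/3 tunnels through this host, reversing two of the hardening defaults in this file while `AllowUsers` stays commented out, so the widening applies to every account rather than one. If only client-side forwarding is needed, `AllowTcpForwarding = "local";` is the narrower value, and `PermitTunnel` accepts `"point-to-point"` or `"ethernet"` instead of both; scoping either to a single user with a `Match User` block in `extraConfig` would keep the global defaults strict. Stylistically, `"yes"` is a string where every neighbouring setting uses a boolean (the NixOS module renders `true` as `yes`), and a comment stating what consumes the forwarding would document the exception. The `settings` attribute set continues outside both hunks.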