initial

2025-02-06 00:33:06 +02:00
commit 2e6e28ef32
254 changed files with 28562 additions and 0 deletions
--- a/hosts/sarien/system/main.nix
+++ b/hosts/sarien/system/main.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./misc/main.nix
+    ./security/main.nix
+    ./virtual/main.nix
+    ./wireless/main.nix
+    ./stylix.nix
+  ];
+}
--- a/hosts/sarien/system/misc/locale.nix
+++ b/hosts/sarien/system/misc/locale.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    locale.ukrainian.enable =
+      lib.mkEnableOption "enables ukrainian locale";
+  };
+  config = lib.mkIf config.locale.ukrainian.enable {
+    i18n = {
+      defaultLocale = "uk_UA.UTF-8";
+      extraLocaleSettings = {
+        LC_CTYPE = "uk_UA.UTF-8";
+        LC_NUMERIC = "uk_UA.UTF-8";
+        LC_TIME = "uk_UA.UTF-8";
+        LC_COLLATE = "en_US.UTF-8";
+        LC_MONETARY = "uk_UA.UTF-8";
+        LC_MESSAGES = "uk_UA.UTF-8";
+        LC_PAPER = "uk_UA.UTF-8";
+        LC_NAME = "uk_UA.UTF-8";
+        LC_ADDRESS = "uk_UA.UTF-8";
+        LC_TELEPHONE = "uk_UA.UTF-8";
+        LC_MEASUREMENT = "uk_UA.UTF-8";
+        LC_IDENTIFICATION = "uk_UA.UTF-8";
+      };
+    };
+  };
+}
--- a/hosts/sarien/system/misc/main.nix
+++ b/hosts/sarien/system/misc/main.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./opentabletdriver.nix
+    ./qmk-vial.nix
+    ./locale.nix
+  ];
+}
--- a/hosts/sarien/system/misc/mullvad-vpn.nix
+++ b/hosts/sarien/system/misc/mullvad-vpn.nix
@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  services.mullvad-vpn = {
+    enable = true;
+    package = pkgs.mullvad-vpn;
+  };
+}
--- a/hosts/sarien/system/misc/opentabletdriver.nix
+++ b/hosts/sarien/system/misc/opentabletdriver.nix
@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    opentabletdriver.enable =
+      lib.mkEnableOption "enables opentabletdriver";
+  };
+  config = lib.mkIf config.opentabletdriver.enable {
+    hardware.opentabletdriver = {
+      enable = true;
+      daemon.enable = true;
+      blacklistedKernelModules = [
+        "hid-uclogic"
+        "wacom"
+      ];
+    };
+  };
+}
--- a/hosts/sarien/system/misc/qmk-vial.nix
+++ b/hosts/sarien/system/misc/qmk-vial.nix
@ -0,0 +1,17 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  options = {
+    qmk-vial.enable =
+      lib.mkEnableOption "adds a udev rule for vial keyboards";
+  };
+  config = lib.mkIf config.qmk-vial.enable {
+    services.udev.extraRules = ''
+      #vial rule
+      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+    '';
+  };
+}
--- a/hosts/sarien/system/security/basic.nix
+++ b/hosts/sarien/system/security/basic.nix
@ -0,0 +1,90 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.security.basic;
+in {
+  options = {
+    security.basic.enable =
+      lib.mkEnableOption "enable basic security";
+  };
+  config = lib.mkIf cfg.enable {
+    security = {
+      sudo.enable = false;
+      # doas.enable = true;
+      sudo-rs = {
+        enable = true;
+        execWheelOnly = true;
+      };
+      polkit.enable = true;
+      polkit.extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if (
+            subject.isInGroup("users")
+              && (
+                action.id == "org.freedesktop.login1.reboot" ||
+                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+                action.id == "org.freedesktop.login1.power-off" ||
+                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+              )
+            )
+          {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+      apparmor.enable = lib.mkDefault true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      (mkIf (config.security.doas.enable == true) doas-sudo-shim) # if doas install doas sudo shim
+    ];
+
+    services.dbus = {
+      apparmor = "enabled";
+      implementation = "broker";
+    };
+    services.ntpd-rs = {
+      enable = true;
+      #settings = {
+      #  server = {
+      #    require-nts = true;
+      #  };
+      #};
+    };
+
+    boot.blacklistedKernelModules = [
+      # Obscure network protocols
+      "ax25"
+      "netrom"
+      "rose"
+      # Old or rare or insufficiently audited filesystems
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "ntfs"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
+    ];
+
+    nix.settings.allowed-users = lib.mkDefault ["@users"];
+  };
+}
--- a/hosts/sarien/system/security/dnscrypt-proxy.nix
+++ b/hosts/sarien/system/security/dnscrypt-proxy.nix
@ -0,0 +1,49 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  options = {
+    security.dnscrypt-proxy.enable =
+      mkEnableOption "enable dnscrypt-proxy";
+  };
+  config = mkIf config.security.dnscrypt-proxy.enable {
+    networking = {
+      nameservers = ["127.0.0.1" "::1"];
+      # If using dhcpcd:
+      dhcpcd.extraConfig = "nohook resolv.conf";
+      # If using NetworkManager:
+      networkmanager.dns = "none";
+    };
+
+    # Make sure you don't have services.resolved.enable on.
+    services.dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        ipv6_servers = false;
+        require_dnssec = true;
+
+        sources.public-resolvers = {
+          urls = [
+            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          ];
+          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+        };
+
+        # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+        server_names = [
+          #"quad9-dnscrypt-ip4-filter-pri"
+          "cloudflare"
+        ];
+      };
+    };
+
+    systemd.services.dnscrypt-proxy2.serviceConfig = {
+      StateDirectory = "dnscrypt-proxy";
+    };
+  };
+}
--- a/hosts/sarien/system/security/extensive.nix
+++ b/hosts/sarien/system/security/extensive.nix
@ -0,0 +1,66 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.security.extensive;
+in {
+  options = {
+    security.extensive.enable =
+      mkEnableOption "enable extensive security";
+  };
+  config = mkIf cfg.enable {
+    security.basic.enable = true;
+
+    environment.memoryAllocator.provider = mkDefault "scudo";
+    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+    security = {
+      lockKernelModules = mkDefault false;
+      protectKernelImage = mkDefault true;
+      # allowSimultaneousMultithreading = mkDefault false;
+      forcePageTableIsolation = mkDefault true;
+      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+      virtualisation.flushL1DataCache = mkDefault "always";
+      apparmor.enable = mkDefault true;
+      apparmor.killUnconfinedConfinables = mkDefault true;
+    };
+
+    boot.kernel.sysctl = {
+      # Hide kptrs even for processes with CAP_SYSLOG
+      "kernel.kptr_restrict" = mkOverride 500 2;
+      # Disable bpf() JIT (to eliminate spray attacks)
+      "net.core.bpf_jit_enable" = mkDefault false;
+      # Disable ftrace debugging
+      "kernel.ftrace_enabled" = mkDefault false;
+    };
+
+    boot.kernel.sysctl = {
+      # Enable strict reverse path filtering (that is, do not attempt to route
+      # packets that "obviously" do not belong to the iface's network; dropped
+      # packets are logged as martians).
+      "net.ipv4.conf.all.log_martians" = mkDefault true;
+      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
+      "net.ipv4.conf.default.log_martians" = mkDefault true;
+      "net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+      # Ignore broadcast ICMP (mitigate SMURF)
+      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+
+      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+      # setting is applied to interfaces added after the sysctls are set)
+      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
+      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
+      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
+      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
+      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
+      "net.ipv6.conf.default.accept_redirects" = mkDefault false;
+
+      # Ignore outgoing ICMP redirects (this is ipv4 only)
+      "net.ipv4.conf.all.send_redirects" = mkDefault false;
+      "net.ipv4.conf.default.send_redirects" = mkDefault false;
+    };
+  };
+}
--- a/hosts/sarien/system/security/main.nix
+++ b/hosts/sarien/system/security/main.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./basic.nix
+    ./extensive.nix
+    ./dnscrypt-proxy.nix
+  ];
+}
--- a/hosts/sarien/system/stylix.nix
+++ b/hosts/sarien/system/stylix.nix
@ -0,0 +1,41 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    nerd-fonts.iosevka
+  ];
+  stylix = {
+    enable = true;
+    base16Scheme = "${pkgs.base16-schemes}/share/themes/ayu-light.yaml";
+    polarity = "light";
+    cursor = {
+      package = pkgs.bibata-cursors;
+      name = "Bibata-Modern-Ice";
+      size = 32;
+    };
+    image = ../../../wallpapers/wallhaven-yxpv2k.png;
+    opacity.terminal = 0.9;
+    fonts = {
+      sizes = {
+        applications = 14;
+        desktop = 14;
+        popups = 13;
+        terminal = 15;
+      };
+      serif = {
+        package = pkgs.nerd-fonts.iosevka;
+        name = "Iosevka Nerd Font Propo";
+      };
+      sansSerif = {
+        package = pkgs.nerd-fonts.iosevka;
+        name = "Iosevka Nerd Font Propo";
+      };
+      monospace = {
+        package = pkgs.nerd-fonts.iosevka;
+        name = "Iosevka Nerd Font Mono";
+      };
+      emoji = {
+        package = pkgs.noto-fonts-emoji;
+        name = "Noto Color Emoji";
+      };
+    };
+  };
+}
--- a/hosts/sarien/system/virtual/docker.nix
+++ b/hosts/sarien/system/virtual/docker.nix
@ -0,0 +1,29 @@
+{
+  # pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.virtual.docker;
+in {
+  options = {
+    virtual.docker.enable =
+      mkEnableOption "enable docker";
+  };
+  config = mkIf cfg.enable {
+    virtualisation.docker = {
+      enable = true;
+      rootless = {
+        enable = true;
+        setSocketVariable = true;
+      };
+      storageDriver = "btrfs";
+      autoPrune.enable = true;
+      #defaultNetwork.settings = {
+      #  dns_enabled = true;
+      #};
+    };
+    virtualisation.oci-containers.backend = "docker";
+  };
+}
--- a/hosts/sarien/system/virtual/libvirt.nix
+++ b/hosts/sarien/system/virtual/libvirt.nix
@ -0,0 +1,35 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.virtual.libvirt;
+in {
+  options = {
+    virtual.libvirt.enable =
+      mkEnableOption "enables virtualisation";
+  };
+  config = mkIf cfg.enable {
+    virtualisation.libvirtd = {
+      enable = true;
+      qemu = {
+        package = pkgs.qemu_kvm;
+        runAsRoot = false;
+        swtpm.enable = true;
+        vhostUserPackages = [pkgs.virtiofsd];
+        ovmf = {
+          enable = true;
+          packages = [
+            (pkgs.OVMF.override {
+              secureBoot = true;
+              tpmSupport = true;
+            })
+            .fd
+          ];
+        };
+      };
+    };
+  };
+}
--- a/hosts/sarien/system/virtual/main.nix
+++ b/hosts/sarien/system/virtual/main.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./libvirt.nix
+    ./podman.nix
+    ./docker.nix
+  ];
+}
--- a/hosts/sarien/system/virtual/podman.nix
+++ b/hosts/sarien/system/virtual/podman.nix
@ -0,0 +1,28 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.virtual.podman;
+in {
+  options = {
+    virtual.podman.enable =
+      mkEnableOption "enables podman";
+  };
+  config = mkIf cfg.enable {
+    virtualisation = {
+      containers.enable = true;
+      podman = {
+        enable = true;
+        dockerCompat = true;
+        defaultNetwork.settings.dns_enabled = true;
+      };
+    };
+    environment.systemPackages = with pkgs; [
+      podman-tui
+      podman-compose
+    ];
+  };
+}
--- a/hosts/sarien/system/wireless/bluetooth.nix
+++ b/hosts/sarien/system/wireless/bluetooth.nix
@ -0,0 +1,21 @@
+{
+  # pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.wireless.bluetooth;
+in {
+  options = {
+    wireless.bluetooth = {
+      enable = mkEnableOption "enable bluetooth";
+      enableBlueman = mkEnableOption "enable bluetooth manager";
+    };
+  };
+  config = mkIf cfg.enable {
+    hardware.bluetooth.enable = true;
+    hardware.bluetooth.powerOnBoot = true;
+    services.blueman.enable = cfg.enableBlueman;
+  };
+}
--- a/hosts/sarien/system/wireless/main.nix
+++ b/hosts/sarien/system/wireless/main.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./bluetooth.nix
+    ./wifi.nix
+  ];
+}
--- a/hosts/sarien/system/wireless/wifi.nix
+++ b/hosts/sarien/system/wireless/wifi.nix
@ -0,0 +1,29 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.wireless.wifi;
+in {
+  options = {
+    wireless.wifi.enable =
+      mkEnableOption "enables wifi with iwd and MAC address randomisation";
+  };
+  config = mkIf cfg.enable {
+    networking = {
+      networkmanager.wifi.backend = "iwd";
+      wireless.iwd = {
+        enable = true;
+        settings = {
+          General = {
+            AddressRandomization = "network";
+          };
+          Settings = {
+            AlwaysRandomizeAddress = true;
+          };
+        };
+      };
+    };
+  };
+}