commit then think

This commit is contained in:
unexplrd
2025-02-06 22:14:22 +02:00
parent c7576dc1ee
commit 7ec6392e68
46 changed files with 129 additions and 488 deletions


@ -9,9 +9,10 @@
./users.nix
./programs.nix
./system/main.nix
./stylix.nix
chaotic.nixosModules.default
stylix.nixosModules.stylix
self.nixosModules.desktop
self.nixosModules.system
];
desktop = {
hyprland.enable = true;


@ -1,4 +1,11 @@
{pkgs, ...}: {
{
pkgs,
inputs,
...
}: {
imports = [
inputs.stylix.nixosModules.stylix
];
environment.systemPackages = with pkgs; [
nerd-fonts.iosevka
];
@ -11,7 +18,7 @@
name = "Bibata-Modern-Ice";
size = 32;
};
image = ../../../wallpapers/wallhaven-p966oj.jpg;
image = ../../wallpapers/wallhaven-p966oj.jpg;
opacity.terminal = 0.9;
fonts = {
sizes = {


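--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,9 +0,0 @@
-{
-imports = [
-./misc/main.nix
-./security/main.nix
-./virtual/main.nix
-./wireless/main.nix
-./stylix.nix
-];
-}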


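--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-config,
-lib,
-...
-}: {
-options = {
-locale.ukrainian.enable =
-lib.mkEnableOption "enables ukrainian locale";
-};
-config = lib.mkIf config.locale.ukrainian.enable {
-i18n = {
-defaultLocale = "uk_UA.UTF-8";
-extraLocaleSettings = {
-LC_CTYPE = "uk_UA.UTF-8";
-LC_NUMERIC = "uk_UA.UTF-8";
-LC_TIME = "uk_UA.UTF-8";
-LC_COLLATE = "en_US.UTF-8";
-LC_MONETARY = "uk_UA.UTF-8";
-LC_MESSAGES = "uk_UA.UTF-8";
-LC_PAPER = "uk_UA.UTF-8";
-LC_NAME = "uk_UA.UTF-8";
-LC_ADDRESS = "uk_UA.UTF-8";
-LC_TELEPHONE = "uk_UA.UTF-8";
-LC_MEASUREMENT = "uk_UA.UTF-8";
-LC_IDENTIFICATION = "uk_UA.UTF-8";
-};
-};
-};
-}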


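--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-imports = [
-./opentabletdriver.nix
-./qmk-vial.nix
-./locale.nix
-];
-}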


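--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,6 +0,0 @@
-{pkgs, ...}: {
-services.mullvad-vpn = {
-enable = true;
-package = pkgs.mullvad-vpn;
-};
-}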


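--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-config,
-lib,
-...
-}: {
-options = {
-opentabletdriver.enable =
-lib.mkEnableOption "enables opentabletdriver";
-};
-config = lib.mkIf config.opentabletdriver.enable {
-hardware.opentabletdriver = {
-enable = true;
-daemon.enable = true;
-blacklistedKernelModules = [
-"hid-uclogic"
-"wacom"
-];
-};
-};
-}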


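--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-pkgs,
-lib,
-config,
-...
-}: {
-options = {
-qmk-vial.enable =
-lib.mkEnableOption "adds a udev rule for vial keyboards";
-};
-config = lib.mkIf config.qmk-vial.enable {
-services.udev.extraRules = ''
-#vial rule
-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
-'';
-};
-}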


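--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
-{
-config,
-lib,
-pkgs,
-...
-}:
-with lib; let
-cfg = config.security.basic;
-in {
-options = {
-security.basic.enable =
-lib.mkEnableOption "enable basic security";
-};
-config = lib.mkIf cfg.enable {
-security = {
-sudo.enable = false;
-# doas.enable = true;
-sudo-rs = {
-enable = true;
-execWheelOnly = true;
-};
-polkit.enable = true;
-polkit.extraConfig = ''
-polkit.addRule(function(action, subject) {
-if (
-subject.isInGroup("users")
-&& (
-action.id == "org.freedesktop.login1.reboot" ||
-action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
-action.id == "org.freedesktop.login1.power-off" ||
-action.id == "org.freedesktop.login1.power-off-multiple-sessions"
-)
-)
-{
-return polkit.Result.YES;
-}
-});
-'';
-apparmor.enable = lib.mkDefault true;
-};
-environment.systemPackages = with pkgs; [
-(mkIf (config.security.doas.enable == true) doas-sudo-shim) # if doas install doas sudo shim
-];
-services.dbus = {
-apparmor = "enabled";
-implementation = "broker";
-};
-services.ntpd-rs = {
-enable = true;
-#settings = {
-# server = {
-# require-nts = true;
-# };
-#};
-};
-boot.blacklistedKernelModules = [
-# Obscure network protocols
-"ax25"
-"netrom"
-"rose"
-# Old or rare or insufficiently audited filesystems
-"adfs"
-"affs"
-"bfs"
-"befs"
-"cramfs"
-"efs"
-"erofs"
-"exofs"
-"freevxfs"
-"f2fs"
-"hfs"
-"hpfs"
-"jfs"
-"minix"
-"nilfs2"
-"ntfs"
-"omfs"
-"qnx4"
-"qnx6"
-"sysv"
-"ufs"
-];
-nix.settings.allowed-users = lib.mkDefault ["@users"];
-};
-}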


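--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
-{
-pkgs,
-config,
-lib,
-...
-}:
-with lib; {
-options = {
-security.dnscrypt-proxy.enable =
-mkEnableOption "enable dnscrypt-proxy";
-};
-config = mkIf config.security.dnscrypt-proxy.enable {
-networking = {
-nameservers = ["127.0.0.1" "::1"];
-# If using dhcpcd:
-dhcpcd.extraConfig = "nohook resolv.conf";
-# If using NetworkManager:
-networkmanager.dns = "none";
-};
-# Make sure you don't have services.resolved.enable on.
-services.dnscrypt-proxy2 = {
-enable = true;
-settings = {
-ipv6_servers = false;
-require_dnssec = true;
-sources.public-resolvers = {
-urls = [
-"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-];
-cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
-};
-# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-server_names = [
-#"quad9-dnscrypt-ip4-filter-pri"
-"cloudflare"
-];
-};
-};
-systemd.services.dnscrypt-proxy2.serviceConfig = {
-StateDirectory = "dnscrypt-proxy";
-};
-};
-}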


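--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
-{
-pkgs,
-config,
-lib,
-...
-}:
-with lib; let
-cfg = config.security.extensive;
-in {
-options = {
-security.extensive.enable =
-mkEnableOption "enable extensive security";
-};
-config = mkIf cfg.enable {
-security.basic.enable = true;
-environment.memoryAllocator.provider = mkDefault "scudo";
-environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-security = {
-lockKernelModules = mkDefault false;
-protectKernelImage = mkDefault true;
-# allowSimultaneousMultithreading = mkDefault false;
-forcePageTableIsolation = mkDefault true;
-unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-virtualisation.flushL1DataCache = mkDefault "always";
-apparmor.enable = mkDefault true;
-apparmor.killUnconfinedConfinables = mkDefault true;
-};
-boot.kernel.sysctl = {
-# Hide kptrs even for processes with CAP_SYSLOG
-"kernel.kptr_restrict" = mkOverride 500 2;
-# Disable bpf() JIT (to eliminate spray attacks)
-"net.core.bpf_jit_enable" = mkDefault false;
-# Disable ftrace debugging
-"kernel.ftrace_enabled" = mkDefault false;
-};
-boot.kernel.sysctl = {
-# Enable strict reverse path filtering (that is, do not attempt to route
-# packets that "obviously" do not belong to the iface's network; dropped
-# packets are logged as martians).
-"net.ipv4.conf.all.log_martians" = mkDefault true;
-"net.ipv4.conf.all.rp_filter" = mkDefault "1";
-"net.ipv4.conf.default.log_martians" = mkDefault true;
-"net.ipv4.conf.default.rp_filter" = mkDefault "1";
-# Ignore broadcast ICMP (mitigate SMURF)
-"net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-# Ignore incoming ICMP redirects (note: default is needed to ensure that the
-# setting is applied to interfaces added after the sysctls are set)
-"net.ipv4.conf.all.accept_redirects" = mkDefault false;
-"net.ipv4.conf.all.secure_redirects" = mkDefault false;
-"net.ipv4.conf.default.accept_redirects" = mkDefault false;
-"net.ipv4.conf.default.secure_redirects" = mkDefault false;
-"net.ipv6.conf.all.accept_redirects" = mkDefault false;
-"net.ipv6.conf.default.accept_redirects" = mkDefault false;
-# Ignore outgoing ICMP redirects (this is ipv4 only)
-"net.ipv4.conf.all.send_redirects" = mkDefault false;
-"net.ipv4.conf.default.send_redirects" = mkDefault false;
-};
-};
-}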


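--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-imports = [
-./basic.nix
-./extensive.nix
-./dnscrypt-proxy.nix
-];
-}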


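--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-# pkgs,
-config,
-lib,
-...
-}:
-with lib; let
-cfg = config.virtual.docker;
-in {
-options = {
-virtual.docker.enable =
-mkEnableOption "enable docker";
-};
-config = mkIf cfg.enable {
-virtualisation.docker = {
-enable = true;
-rootless = {
-enable = true;
-setSocketVariable = true;
-};
-storageDriver = "btrfs";
-autoPrune.enable = true;
-#defaultNetwork.settings = {
-# dns_enabled = true;
-#};
-};
-virtualisation.oci-containers.backend = "docker";
-};
-}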


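--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,35 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-with lib; let
-cfg = config.virtual.libvirt;
-in {
-options = {
-virtual.libvirt.enable =
-mkEnableOption "enables virtualisation";
-};
-config = mkIf cfg.enable {
-virtualisation.libvirtd = {
-enable = true;
-qemu = {
-package = pkgs.qemu_kvm;
-runAsRoot = false;
-swtpm.enable = true;
-vhostUserPackages = [pkgs.virtiofsd];
-ovmf = {
-enable = true;
-packages = [
-(pkgs.OVMF.override {
-secureBoot = true;
-tpmSupport = true;
-})
-.fd
-];
-};
-};
-};
-};
-}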


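--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-imports = [
-./libvirt.nix
-./podman.nix
-./docker.nix
-];
-}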


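--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-with lib; let
-cfg = config.virtual.podman;
-in {
-options = {
-virtual.podman.enable =
-mkEnableOption "enables podman";
-};
-config = mkIf cfg.enable {
-virtualisation = {
-containers.enable = true;
-podman = {
-enable = true;
-dockerCompat = true;
-defaultNetwork.settings.dns_enabled = true;
-};
-};
-environment.systemPackages = with pkgs; [
-podman-tui
-podman-compose
-];
-};
-}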


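--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-# pkgs,
-lib,
-config,
-...
-}:
-with lib; let
-cfg = config.wireless.bluetooth;
-in {
-options = {
-wireless.bluetooth = {
-enable = mkEnableOption "enable bluetooth";
-enableBlueman = mkEnableOption "enable bluetooth manager";
-};
-};
-config = mkIf cfg.enable {
-hardware.bluetooth.enable = true;
-hardware.bluetooth.powerOnBoot = true;
-services.blueman.enable = cfg.enableBlueman;
-};
-}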


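--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-imports = [
-./bluetooth.nix
-./wifi.nix
-];
-}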


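--- a/<PATH NOT SHOWN ON PAGE>
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-lib,
-config,
-...
-}:
-with lib; let
-cfg = config.wireless.wifi;
-in {
-options = {
-wireless.wifi.enable =
-mkEnableOption "enables wifi with iwd and MAC address randomisation";
-};
-config = mkIf cfg.enable {
-networking = {
-networkmanager.wifi.backend = "iwd";
-wireless.iwd = {
-enable = true;
-settings = {
-General = {
-AddressRandomization = "network";
-};
-Settings = {
-AlwaysRandomizeAddress = true;
-};
-};
-};
-};
-};
-}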


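--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
+{
+services.flatpak = {
+enable = true;
+remotes = [
+{
+name = "flathub";
+location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
+}
+{
+name = "hero-persson";
+location = "https://hero-persson.github.io/unmojang-flatpak/index.flatpakrepo";
+}
+];
+packages = [
+# misc
+"io.github.zen_browser.zen"
+"net.mullvad.MullvadBrowser"
+"com.obsproject.Studio"
+"com.bitwarden.desktop"
+"com.github.tchx84.Flatseal"
+"org.qbittorrent.qBittorrent"
+# "com.transmissionbt.Transmission"
+"com.usebottles.bottles"
+"com.logseq.Logseq"
+"io.github.martchus.syncthingtray"
+# chatting
+"org.signal.Signal"
+"im.riot.Riot"
+"org.telegram.desktop"
+"io.github.spacingbat3.webcord"
+"org.mozilla.Thunderbird"
+# media
+"org.atheme.audacious"
+"io.freetubeapp.FreeTube"
+#"io.github.celluloid_player.Celluloid"
+# "io.mpv.Mpv"
+# gaming
+#"com.github._0negal.Viper"
+"net.lutris.Lutris"
+"com.heroicgameslauncher.hgl"
+{
+appId = "org.unmojang.FjordLauncher";
+origin = "hero-persson";
+}
+"org.freedesktop.Platform.VulkanLayer.MangoHud//24.08"
+"org.freedesktop.Platform.VulkanLayer.gamescope//24.08"
+];
+overrides = {
+"global" = {
+# Force Wayland by default
+Context = {
+sockets = ["wayland" "!x11" "!fallback-x11"];
+filesystems = [
+"xdg-run/pipewire-0"
+"xdg-config/gtk-3.0:ro"
+"xdg-config/gtk-4.0:ro"
+# "~/.local/share/fonts:ro"
+"~/.local/share/icons:ro"
+# "~/.nix-profile/share/icons:ro"
+# "~/.nix-profile/share/fonts:ro"
+"/nix/store:ro"
+];
+};
+Environment = {
+XCURSOR_PATH = "/run/host/user-share/icons:/run/host/share/icons";
+ELECTRON_OZONE_PLATFORM_HINT = "wayland";
+#GTK_THEME = "adw-gtk3";
+};
+};
+"io.github.martchus.syncthingtray".Context.filesystems = ["/storage/games/heroic/Factorio/game/saves"];
+"org.octave.Octave".Context.sockets = ["x11"];
+"org.octave.Octave".Environment = {QT_QPA_PLATFORM = "xcb";};
+"com.valvesoftware.Steam" = {
+Context = {
+sockets = ["x11" "wayland"];
+filesystems = ["/storage/games/steam"];
+};
+Environment = {
+STEAM_FORCE_DESKTOPUI_SCALING = "1.3";
+};
+};
+"org.signal.Signal" = {
+Environment = {
+SIGNAL_PASSWORD_STORE = "gnome-libsecret";
+};
+};
+"net.lutris.Lutris".Context = {
+sockets = ["x11" "wayland"];
+filesystems = ["/storage/games/lutris" "~/games/lutris"];
+};
+"com.heroicgameslauncher.hgl".Context = {
+sockets = ["x11" "wayland"];
+filesystems = ["/storage/games/heroic" "~/games/heroic"];
+};
+"com.usebottles.Bottles" = {
+Context = {
+sockets = ["x11" "wayland"];
+filesystems = ["/home/user/docs/nure/tex-template/assets/BridgeKSG"];
+};
+};
+};
+};
+}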
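Review bot: The override key `"com.usebottles.Bottles"` near the end of the `overrides` set does not match the app ID actually installed under `packages`, `"com.usebottles.bottles"`; Flatpak app IDs are case-sensitive, so the per-app socket and filesystem grants for Bottles would never take effect and the app would keep the global `!x11` policy. Change the key to `"com.usebottles.bottles" = {`. The `org.octave.Octave` and `com.valvesoftware.Steam` overrides refer to apps that are not in `packages`, which is presumably intentional if they are installed some other way, but a short comment saying so would help the next reader. The per-app `sockets = ["x11" "wayland"]` entries re-open the X11 socket that the global override deliberately closes, and since X11 clients are not isolated from each other this noticeably widens those sandboxes; a comment such as `# x11 re-enabled here: weakens the sandbox, keep this list minimal` would record that this is a conscious trade-off.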


@ -6,6 +6,7 @@
self.homeModules.desktop
self.homeModules.programs
./programs.nix
./flatpak.nix
];
home = {
stateVersion = "25.05";