
2026-01-24 22:57:18 +02:00
parent fa32ae5510
commit 84020b1572
94 changed files with 1428 additions and 1024 deletions
+100
@@ -0,0 +1,100 @@
{
config,
# inputs,
lib,
pkgs,
...
}: let
inherit (lib) mkDefault mkOption mkEnableOption mkIf;
cfg = config.unexplrd.config;
cfgHost = config.unexplrd.host;
in {
imports = [
./hardware
./misc
./module/lanzaboote.nix
./module/locale.nix
./networking
./nix
./security
./stylix
./programs.nix
./services.nix
./sops.nix
./users.nix
];
options = {
unexplrd.host = {
name = mkOption {
type = lib.types.str;
};
id = mkOption {
type = lib.types.strMatching "[a-z0-9]{8}";
};
stateVersion = mkOption {
type = lib.types.strMatching ''[0-9]{2}\.[0-9]{2}'';
};
type = mkOption {
type = lib.types.enum ["laptop" "server" "workstation"];
};
};
unexplrd.config = {
laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
powerSave = mkEnableOption "set to use various power saving daemons";
secureBoot = mkEnableOption "set if secure boot is configured";
tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
vaapi = lib.mkOption {
type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]);
default = null;
};
};
};
config = lib.mkMerge [
{
system.stateVersion = cfgHost.stateVersion;
networking.hostName = cfgHost.name;
networking.hostId = cfgHost.id;
}
{
boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
}
(mkIf (cfg.laptop.homeRowMods)
# lib.asserts.assertMsg (config.services.kanata.enable != config.services.keyd.enable) "Kanata and keyd create soft lock when both enabled"
{
services.kanata.enable = true;
services.kanata.keyboards.internal = {
extraDefCfg = ''
process-unmapped-keys no
'';
configFile = ./kanata/internal.kbd;
};
})
(mkIf (cfg.powerSave) {
powerManagement.enable = true;
powerManagement.powertop.enable = true;
services.power-profiles-daemon.enable = true;
services.thermald.enable = true;
services.upower.enable = true;
})
(mkIf cfg.useIwd {
networking = {
networkmanager.wifi.backend = "iwd";
wireless.iwd.enable = true;
};
})
(mkIf (cfg.vaapi == "intel-media-driver") {
hardware.graphics.extraPackages = with pkgs; [
intel-compute-runtime
intel-media-driver
vpl-gpu-rt
];
})
(mkIf (cfg.vaapi == "nvidia") {
hardware.graphics.extraPackages = with pkgs; [
nvidia-vaapi-driver
];
})
];
}
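Review bot: `boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock` only ships the TPM2 tooling in the initrd; whether an attacker who boots a different kernel or command line can still unseal the LUKS key is decided by the PCR policy chosen at `systemd-cryptenroll` time, and nothing in this module records that. A comment on that line such as `# only enables initrd TPM2 support; the unseal policy (PCR 7 with Secure Boot, plus whatever measured-boot PCRs are used) is fixed at enrollment` would keep `secureBoot` + `tpmDiskUnlock` from being read as a complete boot-integrity story. Separately, `id` accepts `[a-z0-9]{8}` while `networking.hostId` is documented as eight hexadecimal characters, so `type = lib.types.strMatching "[0-9a-f]{8}";` would reject a typo at evaluation rather than later. The commented assertion above the kanata branch could become a real entry, `assertions = [ { assertion = !(config.services.kanata.enable && config.services.keyd.enable); message = "kanata and keyd soft-lock the keyboard when both are enabled"; } ];`, instead of a note nobody enforces.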
@@ -0,0 +1,5 @@
{
imports = [
./facter.nix
];
}
+17
@@ -0,0 +1,17 @@
{
config,
lib,
inputs,
...
}: let
inherit (inputs) mysecrets;
inherit (config.networking) hostName;
in {
# imports = with inputs; [
# nixos-facter-modules.nixosModules.facter
# ];
hardware.facter.reportPath = "${mysecrets}/facter/${hostName}.json";
systemd.network.wait-online.enable = false;
networking.dhcpcd.enable = lib.mkForce false;
networking.networkmanager.dhcp = "internal";
}
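Review bot: `hardware.facter.reportPath` is set while the only import of the facter module (`nixos-facter-modules.nixosModules.facter`) is commented out, so this file evaluates only if that module is imported somewhere not visible here; otherwise the option is undefined and the build fails. If it is imported elsewhere, a one-line comment such as `# facter module is imported from the flake outputs; this file only supplies the per-host report` would record the dependency. `networking.dhcpcd.enable = lib.mkForce false` and `wait-online.enable = false` are presumably there because NetworkManager owns DHCP; a short comment saying so would stop someone re-enabling dhcpcd on a server host.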
+100
@@ -0,0 +1,100 @@
;; Kanata Configuration File for Graphite Anglemod Layout
;; Define the source keys Kanata will intercept.
(defsrc
grv 1 2 3 4 5 6 7 8 9 0 - = bspc
tab q w e r t y u i o p [ ] \
caps a s d f g h j k l ; ' ret
lsft z x c v b n m , . / rsft
lctl lmet lalt spc ralt rmet rctl
)
(defvar
tap-time 150
hold-time 200
)
(defalias
escctrl (tap-hold 100 100 esc lctl)
a (multi f24 (tap-hold $tap-time $hold-time a lalt))
s (multi f24 (tap-hold $tap-time $hold-time s lmet))
d (multi f24 (tap-hold $tap-time $hold-time d lctl))
f (multi f24 (tap-hold $tap-time $hold-time f lsft))
x (multi f24 (tap-hold $tap-time $hold-time x ralt))
j (multi f24 (tap-hold $tap-time $hold-time j lsft))
k (multi f24 (tap-hold $tap-time $hold-time k lctl))
l (multi f24 (tap-hold $tap-time $hold-time l lmet))
; (multi f24 (tap-hold $tap-time $hold-time ; lalt))
. (multi f24 (tap-hold $tap-time $hold-time . ralt))
)
;; Default QWERTY Layout
(deflayer qwerty
@grl 1 2 3 4 5 6 7 8 9 0 - = bspc
tab q w e r t y u i o p [ ] \
caps @a @s @d @f g h @j @k @l @; ' ret
lsft z @x c v b n m , @. / rsft
lctl lmet lalt spc ralt rmet rctl
)
(defalias
ca (multi f24 (tap-hold $tap-time $hold-time a lalt))
cr (multi f24 (tap-hold $tap-time $hold-time r lmet))
cs (multi f24 (tap-hold $tap-time $hold-time s lctl))
ct (multi f24 (tap-hold $tap-time $hold-time t lsft))
cc (multi f24 (tap-hold $tap-time $hold-time c ralt))
cn (multi f24 (tap-hold $tap-time $hold-time n lsft))
ce (multi f24 (tap-hold $tap-time $hold-time e lctl))
ci (multi f24 (tap-hold $tap-time $hold-time i lmet))
co (multi f24 (tap-hold $tap-time $hold-time o lalt))
)
;; Colemak-DH + home row mods
(deflayer colemak-dh
@grl 1 2 3 4 5 6 7 8 9 0 - = bspc
tab q w f p b j l u y ; [ ] \
caps @ca @cr @cs @ct g m @cn @ce @ci @co ' ret
lsft x @cc d v z k h , @. / rsft
lctl lmet lalt spc ralt rmet _
)
(defalias
quote (fork ' S-- (lsft rsft)) ;; ' -> _
comma (fork , S-/ (lsft rsft)) ;; , -> ?
hyphen (fork - S-' (lsft rsft)) ;; - -> "
slash (fork / S-, (lsft rsft)) ;; / -> <
)
;; Graphite Anglemod Layout
(deflayer graphite-anglemod
@grl 1 2 3 4 5 6 7 8 9 0 [ ] bspc
tab b l d w z @quote f o u j ; = \
@cap n r t s g y h a e i @comma ret
lsft x m c v q p k . @hyphen @slash rsft
lctl lmet lalt spc ralt rmet rctl
)
;; Define layer-switching aliases for clean deflayer declarations
(defalias
;; Tap: backtick (grave), Hold: toggles 'layers' for layer switching.
grl (tap-hold 200 200 grv (layer-toggle layers))
;; Layer-switch aliases
gar (layer-switch graphite-anglemod)
cdh (layer-switch colemak-dh)
qwr (layer-switch qwerty)
;; Tap for Caps Lock, Hold for Ctrl
cap (tap-hold 200 200 caps lctl)
)
;; Layer-Switching Layer
;; Keys 1 and 2 switch between QWERTY and Graphite Anglemod layouts
;; The _ (underscore) indicates transparent behavior (passes through base layer).
(deflayer layers
_ @qwr @cdh @gar _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _
)
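Review bot: The comment above the `layers` layer says "Keys 1 and 2 switch between QWERTY and Graphite Anglemod", but the layer maps `@qwr`, `@cdh` and `@gar` to keys 1, 2 and 3, so it should read `;; Keys 1, 2 and 3 switch to QWERTY, Colemak-DH and Graphite Anglemod respectively`. `graphite-anglemod` uses `@cap` (caps tap / ctrl hold) while the other two base layers keep a plain `caps`, and `@grl` and `@cap` are referenced before the `defalias` that defines them; both are presumably fine if kanata resolves aliases after reading the whole file, but a comment would stop a reader from taking the asymmetry for a mistake. In `colemak-dh` the bottom row ends in `_` where the other layers have `rctl`; on a base layer that presumably falls through to the `defsrc` key, which is the same result, so either write `rctl` for consistency or comment why it differs.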
+60
@@ -0,0 +1,60 @@
{
lib,
pkgs,
# inputs,
...
}: {
imports = [
# inputs.chaotic.nixosModules.default
./slim.nix
./uutils.nix
];
boot = {
consoleLogLevel = 0;
kernel.sysctl."vm.swappiness" = 10;
plymouth.enable = true;
initrd = {
systemd.enable = true;
};
kernelPackages = pkgs.linuxPackages_latest;
# kernelPackages = pkgs.linuxPackages_cachyos;
loader = {
timeout = 0;
efi.canTouchEfiVariables = true;
systemd-boot = {
consoleMode = "auto";
configurationLimit = lib.mkOverride 1337 10;
};
};
tmp.cleanOnBoot = lib.mkDefault true;
};
console.font = "${pkgs.spleen}/share/consolefonts/spleen-16x32.psfu";
environment = {
ldso32 = null;
# memoryAllocator.provider = "mimalloc"; # weird memory consumption stuff
variables = {
LESS = "-R --mouse";
};
};
networking.networkmanager.enable = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
'';
systemd.coredump.extraConfig = ''
Storage=none
ProcessSizeMax=0
'';
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 25;
priority = 5;
};
}
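Review bot: `boot.loader.systemd-boot` is configured (`consoleMode`, `configurationLimit`) but `editor` is left at its default of `true`, so anyone at the console can open the boot menu and edit the kernel command line, discarding the hardening in `boot.kernelParams` or adding `init=/bin/sh`; `timeout = 0` only hides the menu, it does not prevent opening it. Add `editor = false;` to the `systemd-boot` block. `systemd.coredump.extraConfig` sets `Storage=none`/`ProcessSizeMax=0` while the coredump file in this commit disables `systemd.coredump` entirely; the extra config is harmless, but keeping one place for the decision avoids the two drifting apart.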
+20
@@ -0,0 +1,20 @@
{
# taken from https://github.com/NuschtOS/nixos-modules/blob/main/modules/slim.nix
documentation = {
# html docs and info are not required, man pages are enough
doc.enable = false;
info.enable = false;
};
# environment.defaultPackages = lib.mkForce [];
# programs.thunderbird.package = pkgs.thunderbird.override {cfg.speechSynthesisSupport = false;};
# during testing only 550K-650K of the tmpfs where used
security.wrapperDirSize = "10M";
services = {
orca.enable = false; # requires speechd
speechd.enable = false; # voice files are big and fat
};
}
+63
@@ -0,0 +1,63 @@
{pkgs, ...}: let
coreutils-full-name =
"coreuutils-full"
+ builtins.concatStringsSep ""
(builtins.genList (_: "_") (builtins.stringLength pkgs.coreutils-full.version));
coreutils-name =
"coreuutils"
+ builtins.concatStringsSep ""
(builtins.genList (_: "_") (builtins.stringLength pkgs.coreutils.version));
findutils-name =
"finduutils"
+ builtins.concatStringsSep ""
(builtins.genList (_: "_") (builtins.stringLength pkgs.findutils.version));
diffutils-name =
"diffuutils"
+ builtins.concatStringsSep ""
(builtins.genList (_: "_") (builtins.stringLength pkgs.diffutils.version));
in {
system.replaceDependencies.replacements = [
# coreutils
{
# system
oldDependency = pkgs.coreutils-full;
newDependency = pkgs.symlinkJoin {
# Make the name length match so it builds
name = coreutils-full-name;
paths = [pkgs.uutils-coreutils-noprefix];
};
}
{
# applications
oldDependency = pkgs.coreutils;
newDependency = pkgs.symlinkJoin {
# Make the name length match so it builds
name = coreutils-name;
paths = [pkgs.uutils-coreutils-noprefix];
};
}
# findutils
# {
# # applications
# oldDependency = pkgs.findutils;
# newDependency = pkgs.symlinkJoin {
# # Make the name length match so it builds
# name = findutils-name;
# paths = [pkgs.uutils-findutils];
# };
# }
# diffutils
# {
# # applications
# oldDependency = pkgs.diffutils;
# newDependency = pkgs.symlinkJoin {
# # Make the name length match so it builds
# name = diffutils-name;
# paths = [pkgs.uutils-diffutils];
# };
# }
];
}
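Review bot: `system.replaceDependencies` rewrites the store references of every derivation in the system closure that points at `coreutils` or `coreutils-full`, so not only interactive shells but every activation script and unit in the closure (secrets install, user creation, `switch-to-configuration` helpers) runs against uutils, and any flag uutils lacks fails at activation rather than in a shell. A comment stating that scope, `# NOTE: replaces coreutils in the whole closure, activation scripts included — test a switch before deploying`, would warn the next maintainer. The `findutils-name` and `diffutils-name` bindings are unused while their replacement entries are commented out; drop them or comment them out together. The `symlinkJoin` provides only what `uutils-coreutils-noprefix` ships, so anything else that was in `coreutils-full`'s output is gone after the rewrite — worth verifying once rather than assuming.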
@@ -0,0 +1,15 @@
{
config,
inputs,
...
}: {
imports = with inputs; [
lanzaboote.nixosModules.lanzaboote
];
boot = {
lanzaboote = {
enable = config.unexplrd.config.secureBoot;
pkiBundle = "/var/lib/sbctl";
};
};
}
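Review bot: `pkiBundle = "/var/lib/sbctl"` is where the Secure Boot signing keys live and lanzaboote signs every generation with them at rebuild time, so that directory's root-only permissions and its exclusion from any backup or sync deserve a comment, e.g. `# Secure Boot db/KEK signing keys (root-only); never copy into the secrets repo`. `enable` is tied to the hand-set `unexplrd.config.secureBoot` flag, so nothing checks that the firmware actually enforces signatures; a note pointing at `sbctl status` / `bootctl status` as the verification step would help. If the systemd-boot `configurationLimit` set elsewhere in this commit is meant to bound generations, lanzaboote has its own limit option (if present in the pinned version) that would need the same value.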
+44
@@ -0,0 +1,44 @@
{
config,
lib,
...
}: let
inherit (lib) types mkOption;
cfg = config.unexplrd.config;
in {
options = {
unexplrd.config = {
locale = mkOption {
type = types.strMatching "[a-z]{2}_[A-Z]{2}\\.UTF-8";
default = "en_US.UTF-8";
description = "set locale";
};
timeZone = mkOption {
type = types.str;
default = "Europe/Kyiv";
};
};
};
config = {
time.timeZone = cfg.timeZone;
i18n = let
inherit (cfg) locale;
in {
defaultLocale = locale;
extraLocaleSettings = {
LC_ADDRESS = locale;
LC_COLLATE = "en_US.UTF-8";
LC_CTYPE = locale;
LC_IDENTIFICATION = locale;
LC_MEASUREMENT = locale;
LC_MESSAGES = locale;
LC_MONETARY = locale;
LC_NAME = locale;
LC_NUMERIC = locale;
LC_PAPER = locale;
LC_TELEPHONE = locale;
LC_TIME = locale;
};
};
};
}
@@ -0,0 +1,11 @@
{
networking.networkmanager = {
ethernet.macAddress = "stable";
wifi.macAddress = "random";
wifi.scanRandMacAddress = true;
};
networking.wireless.iwd = {
settings.General.AddressRandomization = "network";
settings.Settings.AlwaysRandomizeAddress = true;
};
}
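Review bot: `settings.Settings.AlwaysRandomizeAddress = true` lands in iwd's `main.conf`, but `AlwaysRandomizeAddress` is documented as a per-network key in the `[Settings]` section of `iwd.network(5)` profile files rather than a `main.conf` option, so iwd will most likely ignore it and keep the per-SSID stable MAC that `AddressRandomization = "network"` selects — verify against the iwd version in use. If per-connection randomization is the goal, set it in the network profiles; if per-SSID stable addresses are the goal, drop the line and document it with `# per-SSID stable random MAC; not re-randomized per connection`. `wifi.macAddress = "random"` and `wifi.scanRandMacAddress` are NetworkManager-side settings that govern the wpa_supplicant path; once `useIwd` switches the backend to iwd, address handling is iwd's, so the two blocks are alternatives rather than layers and a comment should say which applies on which host.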
@@ -0,0 +1,5 @@
{
networking.hosts = {
"192.168.1.42" = ["dunamis"];
};
}
+49
@@ -0,0 +1,49 @@
{
pkgs,
# inputs,
# config,
lib,
...
}: {
# imports = with inputs; [lix.nixosModules.default];
nix = {
package = pkgs.lixPackageSets.git.lix;
# package = pkgs.lixPackageSets.latest.lix;
channel.enable = false;
daemonCPUSchedPolicy = "idle";
optimise = {
automatic = true;
dates = ["weekly"];
};
};
nix.settings = {
auto-optimise-store = true;
experimental-features = [
"nix-command"
"flakes"
# for container in builds support
"auto-allocate-uids"
"cgroups"
# Enable the use of the fetchClosure built-in function in the Nix language.
# "fetch-closure"
# Allow derivation builders to call Nix, and thus build derivations recursively.
# "recursive-nix"
# Allow the use of the impure-env setting.
# "configurable-impure-env"
];
# no longer need to pre-allocate build users for everything
auto-allocate-uids = lib.mkDefault true;
# Needs a patch in Nix to work properly: https://github.com/NixOS/nix/pull/13135
use-cgroups = true;
# for container in builds support
system-features = ["uid-range"];
use-xdg-base-directories = true;
};
}
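Review bot: `system-features = ["uid-range"]` replaces the NixOS default list (which carries `kvm`, `nixos-test`, `big-parallel` and `benchmark`) rather than extending it, since a definition overrides an option default, so derivations that require `kvm` — every NixOS VM test — will no longer be scheduled on this machine. Write the full list explicitly, `system-features = ["uid-range" "kvm" "nixos-test" "big-parallel" "benchmark"];`, with a comment that `uid-range` is the addition. Pinning `nix.package` to `lixPackageSets.git.lix` puts a development snapshot of the daemon on a hardened host; that may be deliberate, but a comment on why `latest` is not sufficient would help, and the `use-cgroups` comment cites a CppNix pull request that may not describe Lix's behaviour.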
+6
@@ -0,0 +1,6 @@
{
imports = [
./common.nix
./substituters.nix
];
}
+18
@@ -0,0 +1,18 @@
{
nix.settings = {
substituters = [
"https://cache.nixos.org/"
"https://chaotic-nyx.cachix.org/"
"https://cosmic.cachix.org/"
"https://nix-community.cachix.org/"
"https://vicinae.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"vicinae.cachix.org-1:1kDrfienkGHPYbkpNj1mWTr7Fm1+zcenzgTizIcI3oc="
];
};
}
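Review bot: Each `trusted-public-keys` entry lets that cache serve a substitute for any store path the daemon asks for, not only the project's own packages, so the four third-party cachix caches listed here are each a full binary-supply-chain trust anchor for the host. That is a normal trade-off, but a one-line comment per key stating what it is needed for (`# chaotic-nyx: cachyos kernel / scx builds`, and so on) makes later pruning possible, and the keys should be re-checked against the projects' published values when they are next touched. Substituters are consulted roughly in list order, so keeping `cache.nixos.org` first keeps the others from being asked for paths it already has.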
+21
@@ -0,0 +1,21 @@
{
pkgs,
lib,
...
}: {
programs = {
fish.enable = true;
mosh.enable = true;
nix-ld.enable = true;
nh = {
enable = true;
flake = "/etc/nixos";
};
};
environment.systemPackages = with pkgs; [
(lib.hiPrio uutils-coreutils-noprefix)
git
helix
nushell
];
}
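Review bot: `programs.mosh.enable = true` also takes `programs.mosh.openFirewall` at its default of `true`, opening UDP 60000–61000 on every host type including servers, and `programs.nix-ld.enable` makes arbitrary downloaded dynamically linked binaries runnable; both widen the surface of a host whose other modules restrict nearly everything. Neither is wrong, but gate them on host type (`mosh.openFirewall = config.unexplrd.host.type != "server";`, which needs `config` added to this file's arguments) or add a comment stating the intent. `(lib.hiPrio uutils-coreutils-noprefix)` overlaps with the closure-wide coreutils replacement done elsewhere in this commit; one of the two mechanisms is enough, and keeping both hides which one actually wins on `PATH`.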
+190
@@ -0,0 +1,190 @@
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
"kernel.kptr_restrict" = 2;
# restrict kernel log to CAP_SYSLOG capability
"kernel.dmesg_restrict" = 1;
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict eBPF to the CAP_BPF capability
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
# "net.core.bpf_jit_harden" = 2;
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 0;
# disable unprivileged user namespaces, Note: Docker, NH, and other apps may need this
# "kernel.unprivileged_userns_clone" = 0; # Set to 1 because it makes NH and other programs fail
# This should be set to 0 if you don't rely on flatpak, NH, Docker, etc.
"kernel.unprivileged_userns_clone" = 1;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
# Network
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Userspace
# restrict usage of ptrace
# "kernel.yama.ptrace_scope" = 2; # breaks anti-cheat
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelParams = [
# "systemd.unified_cgroup_hierarchy=1"
# "cgroup_no_v1=all"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=integrity" # confidentiality
"kvm_amd.sev=1"
"kvm_amd.sev_es=1"
"kvm_amd.sev_snp=1"
# "mitigations=auto,nosmt"
"module.sig_enforce=1"
"page_alloc.shuffle=1"
"randomize_kstack_offset=on"
"vsyscall=none"
];
boot.blacklistedKernelModules =
[
# Obscure networking protocols
"dccp" # Datagram Congestion Control Protocol
"sctp" # Stream Control Transmission Protocol
"rds" # Reliable Datagram Sockets
"tipc" # Transparent Inter-Process Communication
"n-hdlc" # High-level Data Link Control
"ax25" # Amateur X.25
"netrom" # NetRom
"x25" # X.25
"rose"
"decnet"
"econet"
"af_802154" # IEEE 802.15.4
"ipx" # Internetwork Packet Exchange
"appletalk"
"psnap" # SubnetworkAccess Protocol
"p8023" # Novell raw IEE 802.3
"p8022" # IEE 802.3
"can" # Controller Area Network
"atm"
# Various rare filesystems
"cramfs"
"freevxfs"
"jffs2"
"hfs"
"hfsplus"
"udf"
# "squashfs" # compressed read-only file system used for Live CDs
# "cifs" # cmb (Common Internet File System)
# "nfs" # Network File System
# "nfsv3"
# "nfsv4"
# "ksmbd" # SMB3 Kernel Server
# "gfs2" # Global File System 2
# vivid driver is only useful for testing purposes and has been the
# cause of privilege escalation vulnerabilities
# "vivid"
]
++ [
# Various framebuffer drivers
# "aty128fb"
# "atyfb"
# "radeonfb"
# "cirrusfb"
"cyber2000fb"
"cyblafb"
"gx1fb"
"hgafb"
# "i810fb"
# "intelfb"
# "kyrofb"
"lxfb"
"matroxfb_base"
"neofb"
# "nvidiafb"
"pm2fb"
# "rivafb"
"s1d13xxxfb"
# "savagefb"
"sisfb"
# "sstfb"
# "tdfxfb"
# "tridentfb"
"vesafb"
"vfb"
# "viafb"
"vt8623fb"
"udlfb"
];
}
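Review bot: Several sysctl keys here do not exist on a mainline kernel and are therefore never applied: `dev.tty.ldisk_autoload` is a typo for `dev.tty.ldisc_autoload`, `kernel.exec-shield` was a Red Hat-only knob that mainline never had, and `kernel.unprivileged_userns_clone` exists only on Debian/linux-hardened patched kernels (the mainline lever is `user.max_user_namespaces`). Because NixOS writes these through systemd-sysctl, an unknown key only produces a boot-time log line, so the intended restriction is silently lost; fix the typo and drop or replace the other two. The comments around `icmp_echo_ignore_all` and `forwarding` are shifted by one entry (`# prevent man-in-the-middle attacks` sits on the ICMP-echo line, `# ignore ICMP request` on `forwarding`) and should be realigned. `boot.blacklistedKernelModules` only stops autoloading — root can still `modprobe` any of them — and `module.sig_enforce=1` only bites if the kernel package actually signs its modules, which is worth confirming; for a hard disable, `boot.extraModprobeConfig` with `install <mod> /run/current-system/sw/bin/false` lines is the usual form.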
@@ -0,0 +1,11 @@
{
security.pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
systemd.coredump.enable = false;
}
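Review bot: The `security.pam.loginLimits` `core 0` entry only applies to PAM sessions, so services started by systemd (which never pass through PAM) keep `DefaultLimitCORE`, and with `systemd.coredump.enable = false` NixOS sets `kernel.core_pattern` to a plain `core`, so a crashing service can still drop a core file into its working directory. Add `systemd.settings.Manager.DefaultLimitCORE = "0";` (or `systemd.extraConfig = "DefaultLimitCORE=0";` on releases without `systemd.settings`) next to the PAM limit so both paths are covered. `fs.suid_dumpable = 0` in the sysctl file only covers setuid processes, so it complements rather than duplicates this.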
+75
@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf;
in {
imports = [
./boot.nix
./coredump.nix
./services.nix
./ssh.nix
];
networking.modemmanager.enable = false;
nix.settings.allowed-users = ["@users"];
nix.settings.trusted-users = ["@wheel"];
environment.systemPackages = with pkgs; [
(mkIf config.security.doas.enable doas-sudo-shim)
];
security =
lib.attrsets.recursiveUpdate {
# doas.enable = true;
polkit.enable = true;
sudo-rs.enable = false;
sudo.enable = false;
wrappers = {
newgrp.enable = false;
pkexec.enable = false;
sg.enable = false;
su.enable = false;
};
} {
sudo-rs.execWheelOnly = true;
# pam.sshAgentAuth.enable = true;
polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
&& (
action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions"
)
)
{
return polkit.Result.YES;
}
});
'';
};
services.dbus.implementation = "broker";
services.chrony = {
enable = true;
enableRTCTrimming = false;
enableNTS = true;
extraConfig = "rtcsync";
extraFlags = ["-r" "-s"];
servers = [
"time.cloudflare.com iburst nts"
"ntppool1.time.nl iburst nts"
"nts.netnod.se iburst nts"
"ptbtime1.ptb.de iburst nts"
"time.dfm.dk iburst nts"
"time.cifelli.xyz iburst nts"
];
};
}
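Review bot: `nix.settings.trusted-users = ["@wheel"]` makes every wheel member effectively root on the Nix daemon (trusted users may add substituters and keys and import unsigned paths into the shared store), which undoes most of what disabling `sudo`, `su`, `pkexec`, `newgrp` and `sg` on the same host achieves. If the intent is a non-escalating `user` plus a separate `admin`, restrict it to `trusted-users = ["admin"];` and add a comment stating that membership is root-equivalent through Nix. `sudo-rs.execWheelOnly = true` is set while `sudo-rs.enable = false`, so it is dead configuration, and with `doas.enable` commented out the `doas-sudo-shim` `mkIf` never fires — document how root is reached on these hosts, because the file currently reads as if there is no path at all.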
@@ -0,0 +1,29 @@
{
# config,
lib,
# pkgs,
...
}: let
systemd-services-hardened = fetchGit {
url = "https://github.com/wallago/nix-system-services-hardened.git";
ref = "main";
rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
};
fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
in {
imports = fromHardened [
"accounts-daemon"
"getty"
# "nix-daemon" # TODO: breaks cgroups, ...
"nscd"
"rescue"
"sshd"
"systemd-machined"
"systemd-rfkill"
"systemd-udevd"
];
systemd.services = {
nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce [];
sshd.serviceConfig.ProtectHome = lib.mkForce "no";
};
}
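Review bot: The hardened unit drop-ins are pulled with `fetchGit` at evaluation time, pinned to a `rev` but outside `flake.lock`, so updates to that third-party repository are neither tracked nor reviewable alongside the other inputs; since the rest of this commit uses flake inputs (`inputs.lanzaboote`, `inputs.sops-nix`), the cleanest fix is a `flake = false` input and `fromHardened` built from `inputs.nix-system-services-hardened`. `sshd.serviceConfig.ProtectHome = lib.mkForce "no"` is presumably required because sessions spawned by sshd and its `authorized_keys` lookups need `/home`, but it also partly defeats the imported `sshd` profile; a comment such as `# sessions forked by sshd must see /home; upstream profile sets ProtectHome=yes` would keep someone from "fixing" it back. `nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce []` targets a restriction that only the commented-out `nix-daemon` import would set, so today it is a no-op against the stock unit and should be commented out with it.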
+59
@@ -0,0 +1,59 @@
{config, ...}: {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = config.services.xserver.enable;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
# AllowUsers = ["user"];
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
PermitRootLogin = "no";
KexAlgorithms = [
# Post-Quantum: https://www.openssh.org/pq.html
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"curve25519-sha256@libssh.org"
"ecdh-sha2-nistp521"
"ecdh-sha2-nistp384"
"ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
# stream cipher alternative to aes256, proven to be resilient
# Very fast on basically anything
"chacha20-poly1305@openssh.com"
# industry standard, fast if you have AES-NI hardware
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
# Combines the SHA-512 hash func with a secret key to create a MAC
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}
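Review bot: `ClientAliveCountMax = 0` does not mean "drop at the first missed probe": since OpenSSH 8.2 a value of 0 disables connection termination entirely, so together with `ClientAliveInterval = 300` there is no idle timeout at all. Use `ClientAliveCountMax = 1;` (disconnect after one unanswered 300 s probe) or whatever budget is intended, and comment it. The `KexAlgorithms` list keeps the three NIST `ecdh-sha2-nistp*` curves and `diffie-hellman-group-exchange-sha256` behind the PQ hybrids; they are not broken, but if the list is meant as a hardening allowlist, note which clients still need them or trim to the first three. `X11Forwarding = config.services.xserver.enable` turns forwarding on for any host with an X server, which sits oddly next to `AllowTcpForwarding = false` and `AllowAgentForwarding = false`; defaulting it to `false` and enabling per host is the safer shape.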
+38
@@ -0,0 +1,38 @@
{lib, ...}: {
services =
lib.attrsets.recursiveUpdate {
# hardware.openrgb.enable = true;
avahi.enable = true;
# dnscrypt-proxy.enable = true;
flatpak.enable = true;
fstrim.enable = true;
fwupd.enable = true;
kmscon.enable = true;
opensnitch.enable = false;
openssh.enable = true;
scx.enable = true;
userborn.enable = true;
} {
dnscrypt-proxy.settings = {
bootstrap_resolvers = ["9.9.9.11:53" "9.9.9.9:53"];
require_dnssec = true;
server_names = ["mullvad-doh"];
};
fstrim.interval = "daily";
kmscon = {
hwRender = true;
extraOptions = "--drm";
};
logind.settings.Login = {
HandleLidSwitch = "ignore";
HandlePowerKey = "suspend";
};
opensnitch.settings = {
DefaultAaction = "deny";
Firewall = "iptables";
InterceptUnknown = true;
ProcMonitorMethod = "ebpf";
};
scx.scheduler = "scx_rustland";
};
}
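Review bot: `opensnitch.settings.DefaultAaction = "deny"` is misspelled — OpenSnitch's key is `DefaultAction` — so when the service is enabled the daemon keeps its built-in default of allowing unmatched connections, the opposite of what the line intends; correct it to `DefaultAction = "deny";`. OpenSnitch is `enable = false` right now, so nothing breaks today, which is exactly why the typo would go unnoticed until the day it is switched on. `dnscrypt-proxy.settings` are defined while its `enable` is commented out, and `avahi.enable = true` opens UDP 5353 through its default `openFirewall`; a comment on each stating whether hosts are meant to answer mDNS, and that DNS currently comes from NetworkManager rather than the DoH block, keeps the intent visible.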
+61
@@ -0,0 +1,61 @@
{
config,
inputs,
...
}: let
inherit (inputs) mysecrets;
inherit (config.networking) hostName;
dotSsh = name: "/home/user/.ssh/" + name;
sopsFile = mysecrets + "/hosts/${hostName}.yaml";
sshKey = {
mode = "0400";
owner = "user";
};
in {
imports = with inputs; [
sops-nix.nixosModules.sops
];
sops = {
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
defaultSopsFile = mysecrets + "/common.yaml";
secrets = {
"user-password-hashed".neededForUsers = true;
"ssh-config" = {
path = dotSsh "config";
mode = "0400";
owner = "user";
};
"ssh-${hostName}-user" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519";
};
"ssh-${hostName}-user.pub" = {
inherit sopsFile;
inherit (sshKey) mode owner;
path = dotSsh "id_ed25519.pub";
};
"ssh-unexplrd" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519";
};
"ssh-unexplrd.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_unexplrd_ed25519.pub";
};
"ssh-uni" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519";
};
"ssh-uni.pub" = {
inherit (sshKey) mode owner;
path = dotSsh "id_uni_ed25519.pub";
};
};
};
}
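Review bot: `age.sshKeyPaths` points at `/etc/ssh/ssh_host_ed25519_key` and `user-password-hashed` is `neededForUsers`, which sops-nix decrypts in early activation before `sshd`'s start-up generates host keys; on a fresh install the host key does not exist yet, `generateKey = true` then creates an unrelated age key at `/var/lib/sops-nix/key.txt` that is not a recipient in the encrypted files, and the login most likely ends up without a usable password. Document the provisioning requirement, `# the host key must exist before first activation (copy it in at install time); otherwise generateKey produces an unrelated age key`, or drop `generateKey` so the failure is loud. `dotSsh` hardcodes `/home/user`, and the `.pub` entries are stored as secrets even though the same public keys are read in plain text from `${mysecrets}/ssh/user/` by the users module — the public halves can be plain files, which also avoids secrets-managed `0400` files in `~/.ssh` that ssh would normally expect at `0644`.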
+421
@@ -0,0 +1,421 @@
{
config,
inputs,
lib,
pkgs,
...
}: let
inherit (lib) mkEnableOption mkOption mkIf;
inherit (lib) optionalAttrs;
inherit (lib.types) bool str;
cfg = config.unexplrd.stylix;
fromBase16Schemes = f: "${pkgs.base16-schemes}/share/themes/${f}.yaml";
interPackage = pkgs.inter;
iosevkaPackage = pkgs.nerd-fonts.iosevka;
iosevkaTermPackage = pkgs.nerd-fonts.iosevka-term;
mesloLgPackage = pkgs.nerd-fonts.meslo-lg;
# jetBrainsMonoPackage = pkgs.nerd-fonts.jetbrains-mono;
geistMonoPackage = pkgs.nerd-fonts.geist-mono;
geistPackage = pkgs.geist-font;
wallpapers = import ./wallpapers.nix;
interIosevka = {
serif = {
package = interPackage;
name = "Inter";
};
monospace = {
package = iosevkaTermPackage;
name = "IosevkaTerm Nerd Font Mono";
};
};
themes = {
dark = {
tomorrow = {
polarity = "dark";
base16Scheme = fromBase16Schemes "tomorrow-night";
# image = wallpapers.abstract.lambda;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
ashes = {
polarity = "dark";
base16Scheme = fromBase16Schemes "classic-dark";
image = wallpapers.abstract.lambda;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
rose-pine-moon = {
polarity = "dark";
base16Scheme = fromBase16Schemes "rose-pine-moon";
image = wallpapers.cyber-dawn;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.nordzy-cursor-theme;
name = "Nordzy-cursors";
size = 24;
};
};
rose-pine = {
polarity = "dark";
base16Scheme = fromBase16Schemes "rose-pine";
image = wallpapers.cyber-dawn;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
kanagawa = {
polarity = "dark";
base16Scheme = fromBase16Schemes "kanagawa";
image = wallpapers.cyber-dawn;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
sandcastle = {
polarity = "dark";
base16Scheme = fromBase16Schemes "sandcastle";
image = wallpapers.abstract.waves;
serif = {
package = geistPackage;
name = "Geist";
};
monospace = {
package = geistMonoPackage;
name = "GeistMono NFM";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
gruvbox-dark-pale = {
polarity = "dark";
base16Scheme = fromBase16Schemes "gruvbox-dark-pale";
image = wallpapers.mountains-sepia;
serif = {
package = geistPackage;
name = "Geist";
};
monospace = {
package = geistMonoPackage;
name = "GeistMono Nerd Font";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
nord = {
polarity = "dark";
base16Scheme = fromBase16Schemes "nord";
image = builtins.fetchurl {
url = "https://w.wallhaven.cc/full/l8/wallhaven-l8l9gq.png";
name = "wallhaven-l8l9gq.png";
sha256 = "0ypr44sg0fn55m1b52dgr1nnscpi2p6rfkjsm7vvrdqw7bafbx2z";
};
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.nordzy-cursor-theme;
name = "Nordzy-cursors";
size = 32;
};
};
helios = {
polarity = "dark";
base16Scheme = fromBase16Schemes "helios";
image = builtins.fetchurl {
url = "https://w.wallhaven.cc/full/lq/wallhaven-lqorw2.png";
name = "wallhaven-lqorw2.png";
sha256 = "sha256:1rjchjq4pc2jyq8dvpa17mmscv9qcm0h0zv468lsf8s51anpid6p";
};
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
sulphurpool = {
polarity = "dark";
base16Scheme = fromBase16Schemes "atelier-sulphurpool";
image = builtins.fetchurl {
url = "https://w.wallhaven.cc/full/rd/wallhaven-rd5q3m.jpg";
name = "wallhaven-rd5q3m.jpg";
sha256 = "sha256:1sa2739vwwv1xafzjvxlg3kvq26xmcxg6hrwq29q40j617r63sy6";
};
serif = {
package = interPackage;
name = "Inter Nerd Font";
};
monospace = {
package = iosevkaTermPackage;
name = "IosevkaTerm Nerd Font Mono";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
vesper = {
polarity = "dark";
base16Scheme = fromBase16Schemes "vesper";
image = wallpapers.abstract.squares;
serif = {
package = geistPackage;
name = "Geist";
};
monospace = {
package = geistMonoPackage;
name = "GeistMono Nerd Font";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 24;
};
};
};
light = {
tomorrow = {
polarity = "light";
base16Scheme = fromBase16Schemes "tomorrow";
# image = wallpapers.abstract.lambda;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 24;
};
};
selenized = {
polarity = "light";
base16Scheme = fromBase16Schemes "selenized-white";
# image = wallpapers.abstract.lambda;
inherit (interIosevka) serif monospace;
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 24;
};
};
rose-pine-dawn = {
polarity = "light";
base16Scheme = fromBase16Schemes "rose-pine-dawn";
image = wallpapers.cyber-dawn;
serif = {
package = iosevkaPackage;
name = "Iosevka Nerd Font Propo";
};
monospace = {
package = iosevkaTermPackage;
name = "IosevkaTerm Nerd Font Mono";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 24;
};
nord-light = {
polarity = "light";
base16Scheme = fromBase16Schemes "nord-light";
image = builtins.fetchurl {
url = "https://w.wallhaven.cc/full/l8/wallhaven-l8l9gq.png";
name = "wallhaven-l8l9gq.png";
sha256 = "0ypr44sg0fn55m1b52dgr1nnscpi2p6rfkjsm7vvrdqw7bafbx2z";
};
serif = {
package = iosevkaPackage;
name = "Iosevka Nerd Font Propo";
};
monospace = {
package = iosevkaTermPackage;
name = "IosevkaTerm Nerd Font Mono";
};
cursor = {
package = pkgs.nordzy-cursor-theme;
name = "Nordzy-cursors-white";
size = 32;
};
};
};
himalaya = {
# lightly pink like himalayan salt
polarity = "light";
base16Scheme = fromBase16Schemes "atelier-plateau-light";
image = wallpapers.mountains-pink;
serif = {
package = interPackage;
name = "Inter Nerd Font";
};
monospace = {
package = mesloLgPackage;
name = "MesloLGM Nerd Font Mono";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 24;
};
};
github = {
polarity = "light";
base16Scheme = fromBase16Schemes "github";
image = wallpapers.abstract.squares;
serif = {
package = geistPackage;
name = "Geist Light";
};
monospace = {
package = geistMonoPackage;
name = "GeistMono Nerd Font";
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 24;
};
};
};
};
in {
imports = with inputs; [
stylix.nixosModules.stylix
];
options = {
unexplrd.stylix = {
enable = mkEnableOption "enable stylix";
useCursor = mkOption {
type = bool;
default = true;
description = "enable cursor settings";
};
theme = mkOption {
type = str;
default = "nord";
};
polarity = mkOption {
type = lib.types.enum ["dark" "light"];
default = "dark";
};
};
};
config = mkIf cfg.enable {
fonts.packages = [pkgs.nerd-fonts.symbols-only];
stylix = let
theme = themes.${cfg.polarity}.${cfg.theme};
in
{
autoEnable = true;
enable = true;
# TODO: disable when stylix updates
enableReleaseChecks = false;
inherit (cfg) polarity;
inherit
(theme)
# image
base16Scheme
;
image = null;
targets.gtksourceview.enable = false;
opacity = {
applications = 1.0;
terminal = 1.0;
popups = 1.0;
desktop = 1.0;
};
fonts = {
sizes = {
applications = 13;
terminal = 13;
popups = 14;
desktop = 13;
};
inherit (theme) serif monospace;
sansSerif = config.stylix.fonts.serif;
emoji = config.stylix.fonts.serif;
};
}
// optionalAttrs cfg.useCursor {
cursor = {
inherit (theme.cursor) package name size;
};
};
};
}
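Review bot: In `themes.light`, the `rose-pine-dawn` attribute set is never closed before `nord-light = {` begins — the `};` after `nord-light`'s cursor block closes `nord-light` and the following `};` closes `rose-pine-dawn` — so `nord-light` is nested inside `rose-pine-dawn` and `unexplrd.stylix.theme = "nord-light"` with `polarity = "light"` fails with a missing-attribute error. Insert a `};` after the `rose-pine-dawn` cursor block so the two themes are siblings. Because `theme` is a plain `str`, such mistakes only surface as an attribute error deep in evaluation; `type = lib.types.enum (lib.attrNames themes.dark ++ lib.attrNames themes.light);` would list the valid names in the message instead. Every `image = builtins.fetchurl …` in the theme table is dead while `image = null;` is forced and `inherit (theme) image` is commented out, so the wallhaven fetches never run; a comment there saying why images are disabled would save the next reader from chasing it.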
@@ -0,0 +1,20 @@
let
fetchPaper = url: name: sha256: builtins.fetchurl {inherit url name sha256;};
in {
abstract = {
circle = fetchPaper "https://w.wallhaven.cc/full/ml/wallhaven-mlly8k.png" "wallhaven-mlly8k.png" "e5ZxRxZdCf0/fJ9RNurGdhRmMCthK9guJZ1Uf1IbG8E=";
squares = fetchPaper "https://w.wallhaven.cc/full/p9/wallhaven-p91dym.jpg" "wallhaven-p91dym.jpg" "wnsAhh0Soxm+lxahh+Xc/+CAw/abWgPIkeoOlzNGaDo=";
waves = fetchPaper "https://w.wallhaven.cc/full/5y/wallhaven-5ydl93.png" "wallhaven-5ydl93.png" "fTE2cyn2mkx05+Zn6qcs4+Rb7AYD0uyi6CNznuZYOjw=";
lambda = fetchPaper "https://w.wallhaven.cc/full/vp/wallhaven-vpp5m3.png" "wallhaven-vpp5m3.png" "7YBfNjZjE8K9QUF4sUlUp3ao2DD6clXtzxgze7LtJ4Q=";
};
green-red-knight = fetchPaper "https://w.wallhaven.cc/full/po/wallhaven-poo7gj.jpg" "wallhaven-poo7gj.jpg" "fUe4VsYUF0DmgSKWJao2Ag2Y6kbHunYMM5Q28XMEhDI=";
fern-outline = fetchPaper "https://w.wallhaven.cc/full/p9/wallhaven-p9m7ve.png" "wallhaven-p9m7ve.png" "0r7dl4fjwv2p5q5ggr4sjsl2h5m0s98k9qhiwkvmwi010lyffkx7";
mountains-pink = fetchPaper "https://w.wallhaven.cc/full/yq/wallhaven-yq7gox.jpg" "wallhaven-yq7gox.jpg" "09s31spp9mq71fgkl1w80nzdc1458p1gjfyi3y6fy14wj2dza0pj";
mountains-black = fetchPaper "https://w.wallhaven.cc/full/9d/wallhaven-9djzww.jpg" "wallhaven-9djzww.jpg" "1p2si922i9qs09h8c74lrvx0f284g0xvm7lh85gk1x7lqhn611zm";
cyber-dawn = fetchPaper "https://w.wallhaven.cc/full/ym/wallhaven-ymo2y7.png" "wallhaven-ymo2y7.png" "1b3j0hxxy8m25scq42lxsxc99xvr15pha1j4wplgz761asrvxly3";
retro-deck = fetchPaper "https://w.wallhaven.cc/full/1q/wallhaven-1q83qg.jpg" "wallhaven-1q83qg.jpg" "QPmG4QTRvubuX6Fy5rmMwYKw4aQdBiH/zGL/PMmUZOk=";
nixos-rainbow = fetchPaper "https://w.wallhaven.cc/full/p9/wallhaven-p9pd23.png" "wallhaven-p9pd23.png" "7CMuETntiVUCKhUIdJzX+sf3F47GvuX2a61o4xbEzww=";
mountains-sepia = fetchPaper "https://w.wallhaven.cc/full/k8/wallhaven-k89k81.jpg" "wallhaven-k89k81.jpg" "C0lvJ0ff0mCC3i9mmeHZsj/n6Ehkp3jaslVr7VDUB3k=";
jcurry-cloud = fetchPaper "https://w.wallhaven.cc/full/7j/wallhaven-7j6wpy.jpg" "wallhaven-je8rwq.jpg" "xsuCYc0mCDkrJZ+BUmEEclAfF17g1n39JHeubtZHP78=";
vapor-moon = fetchPaper "https://w.wallhaven.cc/full/lm/wallhaven-lm6d2r.png" "wallhaven-lm6d2r.png" "V07kj2zwFHDwzIN8QE8IFrJMXxDOBoK9C11sQGgTjyQ=";
}
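Review bot: The `jcurry-cloud` entry fetches `wallhaven-7j6wpy.jpg` but stores it under `name = "wallhaven-je8rwq.jpg"`, so the store path name does not match the URL; the content hash pins whatever the URL returns, so this is cosmetic, but aligning the name (`"wallhaven-7j6wpy.jpg"`) avoids a misleading store entry. The hashes mix base64 and base32 forms, which `builtins.fetchurl` accepts, but normalising to one format makes them easier to check against the files. These are evaluation-time network fetches pinned by content hash, which is the right shape for third-party assets — a one-line header, `# eval-time fetches pinned by content hash; update the hash when swapping an image`, states that intent.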
+43
@@ -0,0 +1,43 @@
{
inputs,
config,
pkgs,
...
}: let
inherit (config.sops) secrets;
inherit (inputs) mysecrets;
sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
in {
users = {
mutableUsers = false;
# groups.admin = {};
users.admin = {
isNormalUser = true;
description = "System administrator";
extraGroups = ["wheel"]; # wheel = sudo
hashedPasswordFile = secrets."user-password-hashed".path;
openssh.authorizedKeys.keyFiles = map sshKeys [
"dunamis"
"eldrid"
"legion"
"morphius"
"sarien"
];
};
users.user = {
extraGroups = ["video" "libvirtd" "dialout"];
hashedPasswordFile = secrets."user-password-hashed".path;
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = map sshKeys [
"dunamis"
"eldrid"
"legion"
"morphius"
"sarien"
];
};
};
}
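Review bot: `admin` (wheel) and `user` share the same `hashedPasswordFile` and the same `authorizedKeys.keyFiles`, so the split between an administrative and a daily account gives no separation: anyone holding the `user` password or any of the five listed SSH keys is also `admin`, and through `trusted-users = ["@wheel"]` in the Nix settings effectively root. Give `admin` its own secret (`admin-password-hashed`, also `neededForUsers`) and a narrower key list, and comment the intended trust boundary. `user`'s `extraGroups` include `libvirtd`, which grants control of the system libvirt socket and is commonly treated as root-equivalent (VM definitions can map host block devices), and `dialout` gives raw serial-port access; if that is deliberate for a workstation, say so in a comment, otherwise prefer the user-session libvirt URI.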