FINALLY, it was stylix that was breaking the desktop!!!

2025-03-23 16:12:22 +01:00 · 2025-03-23 16:12:22 +01:00 · 32f2213e88
commit 32f2213e88
parent ec7429d384
10 changed files with 317 additions and 234 deletions
--- a/modules/system/options.nix
+++ b/modules/system/options.nix
@ -14,6 +14,10 @@ in
  };

  config = {
+    environment.variables = {
+      NIXPKGS_ALLOW_UNFREE = "1";
+    };
+
    nix.settings = let
      inherit (lib) elem attrNames filterAttrs;

@ -22,6 +26,7 @@ in
      {
        trusted-users = users;
        allowed-users = users;
+        experimental-features = [ "nix-command" "flakes" ];
      };
  };
 }
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -1,70 +1,77 @@
-{ pkgs, ... }:
+{ inputs, pkgs, ... }:
 {
-  environment.systemPackages = with pkgs; [
-    kdePackages.kwallet-pam
-    bitwarden
-    sops
-  ];
+  imports = [
+      inputs.sops-nix.nixosModules.sops
+    ];

-  security = {
-    sudo.execWheelOnly = true;
-    acme.acceptTerms = true;
-    polkit.enable = true;
-    pam = {
-      u2f = {
-        enable = true;
-        settings.cue = true;
-      };
+  config = {
+    environment.systemPackages = with pkgs; [
+      bitwarden
+      sops
+    ];

-      services.kwallet = {
-        name = "kwallet";
-        enableKwallet = true;
-      };
-    };
-  };
+    sops = {
+      defaultSopsFile = ./secrets/secrets.yml;
+      defaultSopsFormat = "yml";

-  networking.firewall.enable = true;
-  programs.gnupg.agent.enable = true;
-
-  boot = {
-    loader.systemd-boot = {
-      editor = false;
-      configurationLimit = 50;
+      age.keyFile = "/home/";
    };

-    kernelModules = [ "tcp_bbr" ];
-    kernel.sysctl = {
-      ## TCP hardening
-      # Prevent bogus ICMP errors from filling up logs.
-      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-      # Reverse path filtering causes the kernel to do source validation of
-      # packets received from all interfaces. This can mitigate IP spoofing.
-      "net.ipv4.conf.default.rp_filter" = 1;
-      "net.ipv4.conf.all.rp_filter" = 1;
-      # Do not accept IP source route packets (we're not a router)
-      "net.ipv4.conf.all.accept_source_route" = 0;
-      "net.ipv6.conf.all.accept_source_route" = 0;
-      # Don't send ICMP redirects (again, we're on a router)
-      "net.ipv4.conf.all.send_redirects" = 0;
-      "net.ipv4.conf.default.send_redirects" = 0;
-      # Refuse ICMP redirects (MITM mitigations)
-      "net.ipv4.conf.all.accept_redirects" = 0;
-      "net.ipv4.conf.default.accept_redirects" = 0;
-      "net.ipv4.conf.all.secure_redirects" = 0;
-      "net.ipv4.conf.default.secure_redirects" = 0;
-      "net.ipv6.conf.all.accept_redirects" = 0;
-      "net.ipv6.conf.default.accept_redirects" = 0;
-      # Protects against SYN flood attacks
-      "net.ipv4.tcp_syncookies" = 1;
-      # Incomplete protection again TIME-WAIT assassination
-      "net.ipv4.tcp_rfc1337" = 1;
+    security = {
+      sudo.execWheelOnly = true;
+      acme.acceptTerms = true;
+      polkit.enable = true;
+      pam = {
+        u2f = {
+          enable = true;
+          settings.cue = true;
+        };
+      };
+    };

-      ## TCP optimization
-      # Enable TCP Fast Open for incoming and outgoing connections
-      "net.ipv4.tcp_fastopen" = 3;
-      # Bufferbloat mitigations + slight improvement in throughput & latency
-      "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.core.default_qdisc" = "cake";
+    networking.firewall.enable = true;
+    programs.gnupg.agent.enable = true;
+
+    boot = {
+      loader.systemd-boot = {
+        editor = false;
+        configurationLimit = 50;
+      };
+
+      kernelModules = [ "tcp_bbr" ];
+      kernel.sysctl = {
+        ## TCP hardening
+        # Prevent bogus ICMP errors from filling up logs.
+        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+        # Reverse path filtering causes the kernel to do source validation of
+        # packets received from all interfaces. This can mitigate IP spoofing.
+        "net.ipv4.conf.default.rp_filter" = 1;
+        "net.ipv4.conf.all.rp_filter" = 1;
+        # Do not accept IP source route packets (we're not a router)
+        "net.ipv4.conf.all.accept_source_route" = 0;
+        "net.ipv6.conf.all.accept_source_route" = 0;
+        # Don't send ICMP redirects (again, we're on a router)
+        "net.ipv4.conf.all.send_redirects" = 0;
+        "net.ipv4.conf.default.send_redirects" = 0;
+        # Refuse ICMP redirects (MITM mitigations)
+        "net.ipv4.conf.all.accept_redirects" = 0;
+        "net.ipv4.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.secure_redirects" = 0;
+        "net.ipv4.conf.default.secure_redirects" = 0;
+        "net.ipv6.conf.all.accept_redirects" = 0;
+        "net.ipv6.conf.default.accept_redirects" = 0;
+        # Protects against SYN flood attacks
+        "net.ipv4.tcp_syncookies" = 1;
+        # Incomplete protection again TIME-WAIT assassination
+        "net.ipv4.tcp_rfc1337" = 1;
+
+        ## TCP optimization
+        # Enable TCP Fast Open for incoming and outgoing connections
+        "net.ipv4.tcp_fastopen" = 3;
+        # Bufferbloat mitigations + slight improvement in throughput & latency
+        "net.ipv4.tcp_congestion_control" = "bbr";
+        "net.core.default_qdisc" = "cake";
+      };
    };
  };
 }
--- a/modules/system/theming.nix
+++ b/modules/system/theming.nix
@ -1,18 +1,16 @@
-{ inputs, config, options, lib, pkgs, ... }:
+{ inputs, config, lib, ... }:
 let
  inherit (lib) mkIf;
+  inherit (lib.options) mkEnableOption;

  cfg = config.modules.theming;
 in
 {
  imports = [
-      inputs.stylix.nixosModules.stylix
-    ];
+    inputs.stylix.nixosModules.stylix
+  ];

-  options.modules.theming = let
-    inherit (lib.options) mkEnableOption;
-  in
-  {
+  options.modules.theming = {
    enable = mkEnableOption "enable theming";
  };