progress in multi user config

2025-03-18 16:43:07 +01:00 · 2025-03-18 16:43:07 +01:00 · 3a2f52f45e
commit 3a2f52f45e
parent f7891e1f30
68 changed files with 384 additions and 663 deletions
--- a/modules/system/system/audio.nix
+++ b/modules/system/system/audio.nix
@ -0,0 +1,35 @@
+{ config, options, lib, pkgs, ... }:
+let
+  inherit (lib.attrsets) attrValues;
+  inherit (lib.modules) mkIf;
+
+  cfg = config.modules.system.audio;
+in
+{
+  options.modules.system.audio = let
+    inherit (lib.options) mkEnableOption;
+  in
+  {
+    enable = mkEnableOption "modern audio support";
+  };
+
+  config = mkIf cfg.enable {
+    user.packages = attrValues {
+      inherit (pkgs) easyeffects;
+    };
+
+    security.rtkit.enable = true;
+
+    services.pipewire = {
+      enable = true;
+      wireplumber.enable = true;
+      pulse.enable = true;
+#       jack.enable = true;
+
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+    };
+  };
+}
--- a/modules/system/system/boot.nix
+++ b/modules/system/system/boot.nix
@ -0,0 +1,25 @@
+{ config, options, lib, pkgs, ... }:
+{
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+
+    # grub = {
+    #   enable = true;
+    #   efiSupport = cfg.mode == "uefi";
+    #   devices = [ "nodev" ];
+    #   configurationLimit = 1;
+    # };
+
+    systemd-boot.enable = true;
+
+    timeout = 0;
+  };
+
+  # nixos-boot = {
+  #   enable = true;
+
+  #   bgColor = { red = 17; green = 17; blue = 27; };
+  # };
+
+  time.timeZone = "Europe/Amsterdam";
+}
--- a/modules/system/system/graphics.nix
+++ b/modules/system/system/graphics.nix
@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+{
+  services.xserver.videoDrivers = [ "nvidia" ];
+
+  hardware = {
+    graphics = {
+      enable = true;
+      enable32Bit = true;
+    };
+
+    nvidia = {
+      modesetting.enable = true;
+      open = false;
+      nvidiaSettings = true;
+
+      powerManagement = {
+        enable = true;
+        finegrained = false;
+      };
+
+#       package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
+
+      # package = let
+      #   rcu_patch = pkgs.fetchpatch {
+      #     url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
+      #     hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
+      #   };
+      # in config.boot.kernelPackages.nvidiaPackages.mkDriver {
+      #   version = "550.40.07";
+      #   sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0=";
+      #   sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4=";
+      #   openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I=";
+      #   settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs=";
+      #   persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870=";
+
+      #   patches = [ rcu_patch ];
+      # };
+    };
+  };
+}
--- a/modules/system/system/networking.nix
+++ b/modules/system/system/networking.nix
@ -0,0 +1,3 @@
+{ pkgs, ... }:
+{
+}
--- a/modules/system/system/security.nix
+++ b/modules/system/system/security.nix
@ -0,0 +1,70 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    kdePackages.kwallet-pam
+    bitwarden
+    sops
+  ];
+
+  security = {
+    sudo.execWheelOnly = true;
+    acme.acceptTerms = true;
+    polkit.enable = true;
+    pam = {
+      u2f = {
+        enable = true;
+        settings.cue = true;
+      };
+
+      services.kwallet = {
+        name = "kwallet";
+        enableKwallet = true;
+      };
+    };
+  };
+
+  networking.firewall.enable = true;
+  programs.gnupg.agent.enable = true;
+
+  boot = {
+    loader.systemd-boot = {
+      editor = false;
+      configurationLimit = 50;
+    };
+
+    kernelModules = [ "tcp_bbr" ];
+    kernel.sysctl = {
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+
+      ## TCP optimization
+      # Enable TCP Fast Open for incoming and outgoing connections
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+  };
+}
--- a/modules/system/system/zsa_voyager.nix
+++ b/modules/system/system/zsa_voyager.nix
@ -0,0 +1,35 @@
+{ config, pkgs, options, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    keymapp
+  ];
+
+  hardware.keyboard.zsa.enable = true;
+
+  services.udev.extraRules = ''
+    # Rules for Oryx web flashing and live training
+    KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
+    KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
+
+    # Legacy rules for live training over webusb (Not needed for firmware v21+)
+    # Rule for all ZSA keyboards
+    SUBSYSTEM=="usb", ATTR{idVendor}=="3297", GROUP="plugdev"
+    # Rule for the Moonlander
+    SUBSYSTEM=="usb", ATTR{idVendor}=="3297", ATTR{idProduct}=="1969", GROUP="plugdev"
+    # Rule for the Ergodox EZ
+    SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="1307", GROUP="plugdev"
+    # Rule for the Planck EZ
+    SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="6060", GROUP="plugdev"
+
+    # Wally Flashing rules for the Ergodox EZ
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+
+    # Keymapp / Wally Flashing rules for the Moonlander and Planck EZ
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
+    # Keymapp Flashing rules for the Voyager
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu"
+  '';
+}