.

default.nix

@@ -13,9 +13,9 @@ in
     ]
     ++ (mapModulesRec' (toString ./modules) import);
 
-  environments.variables = {
+  environment.variables = {
     KAAS = config.kaas.dir;
-    KAAS_BIN = config.kaasbinDir;
+    KAAS_BIN = config.kaas.binDir;
     NIXPKGS_ALLOW_UNFREE = "1";
   };  
 

hosts/chris-pc/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [ ./hardware.nix ];
 
   modules = {
     themes.active = "everforrest";

hosts/chris-pc/default.nix.back

@@ -1,94 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../modules/system/boot.nix
-    ../../modules/system/networking.nix
-    ../../modules/system/audio.nix
-    ../../modules/system/zsa_voyager.nix
-    
-    ../../modules/desktop/plasma.nix
-
-
-
-   
-    ../../modules/programs/security.nix
-    ../../modules/programs/theme.nix
-    ../../modules/programs/shell.nix
-    ../../modules/programs/gaming.nix
-    ../../modules/programs/harden.nix
-    ../../modules/programs/communication.nix
-    ../../modules/programs/office.nix
-    inputs.home-manager.nixosModules.default
-  ];
-
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.chris = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "audio" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [];
-  };
-
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = { inherit inputs; };
-    backupFileExtension = "backup";
-    users = {
-      chris.imports = [ ../../users/chris.nix ];
-#      root.imports = [ ../../users/root.nix ];
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    neovim
-    wget
-#    chromium
-    thunderbird
-    zoxide
-    atuin
-    btop
-    dust
-    bat
-    tldr
-    eza
-    nextcloud-client
-  ];
-
-  systemd.services.numLockOnTty = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      ExecStart = lib.mkForce (pkgs.writeShellScript "numLockOnTty" ''
-        for tty in /dev/tty{1..6}; do
-          ${pkgs.kbd}/bin/setleds -D +num < "$tty";
-        done
-      '');
-    };
-  };
-
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "23.11"; # Did you read the comment?
-
-}
-

hosts/chris-pc/hardware-configuration.nix

@@ -1,40 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/C842-316A";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/chris-pc/hardware.nix

@@ -0,0 +1,47 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+  inherit (lib.modules) mkDefault;
+  inherir (lib.attrsets) attrValues;
+in
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C842-316A";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [];
+    extraModulePackages = [ ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services = {
+    power-profiles-deamon-enable = false;
+    thermald.enable = false;
+  };
+
+  modules.hardware = {
+    pipewire.enable = true;
+    bluetooth.enable = false;
+    pointer.enable = true;
+  };
+}

hosts/chris-server/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [ ./hardware.nix ];
 
   modules = {
     themes.active = "everforrest";

hosts/chris-server/hardware-configuration.nix

@@ -1,38 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0A56-EBFE";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/chris-server/hardware.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0A56-EBFE";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [];
+    extraModulePackages = [ ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services = {
+    power-profiles-deamon-enable = false;
+    thermald.enable = false;
+  };
+
+  modules.hardware = {
+    pipewire.enable = true;
+    bluetooth.enable = false;
+    pointer.enable = true;
+  };
+}

modules/_programs/harden.nix

@@ -1,10 +0,0 @@
-{ config, user, sensitive, lib, ... }: {
-  networking.firewall.enable = true;
-
-#  security.sudo.execWheelOnly = true;
-#  security.auditd.enable = true;
-#  security.audit.enable = !config.boot.isContainer;
-
-  # PGP set up.
-  programs.gnupg.agent.enable = true;
-}

modules/_programs/security.nix

@@ -1,12 +0,0 @@
-{ pkgs, security, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    kdePackages.kwallet-pam
-    bitwarden
-  ];
-
-  security.pam.services.kwallet = {
-    name = "kwallet";
-    enableKwallet = true;
-  };
-}

modules/develop/rust.nix

@@ -13,23 +13,21 @@ in
 
   config = mkMerge [
     (mkIf config.modules.develop.rust.enable {
-      nixpkgs.overlays = [ inputs.rust.overlays.default ];
-
       user.packages = attrValues {
         rust-package = pkgs.rust-bin.nightly.latest.default;
         inherit (pkgs) rust-analyser rust-script;
       };
 
-      environment.shellAlliases = {
+      environment.shellAliases = {
         rs = "rustc";
         ca = "cargo";
       };
     })
 
-    (mkIf config.modules.develop.cdg.enable {
-      env = {
-        CARGO_HOME = "$XDG_DATA_HOME/cargo";
-        PATH = [ "$CARGO_HOME/bin" ];
+    (mkIf config.modules.develop.xdg.enable {
+      home = {
+        sessionVariables.CARGO_HOME = "$XDG_DATA_HOME/cargo";
+        sessionPath = ["$CARGO_HOME/bin"];
       };
     })
   ];

modules/options.nix

@@ -20,15 +20,44 @@ in
         "${config.user.home}/Workspace/public/kaas"
         "/etc/kaas"
       ]);
-      hostDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}";
+      homeDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}";
       binDir = mkOpt path "${config.kaas.dir}/bin";
       configDir = mkOpt path "${config.kaas.dir}/config";
       modulesDir = mkOpt path "${config.kaas.dir}/modules";
       themesDir = mkOpt path "${config.kaas.modulesDir}/themes";
     };
+  };
+
+  config = {
+    user = let
+      user = builtins.getEnv "USER";
+      name =
+        if builtins.elem user [ "" "root" ] then "chris"
+        else user;
+    in
+    {
+      inherit name;
+      description = "Primary user account";
+      extraGroups = [ "wheel" ];
+      isNormalUser = true;
+      home = "/home/${name}";
+      group = "users";
+      uid = 1000;
+    };
+
+    home-manager.useUserPackages = true;
 
     home = {
-      # HIER BEN IK GEBLEVEN!!!
+      stateVersion = config.system.stateVersion;
+      sessionPath = [ "$KAAS_BIN" "$XDG_BIN_HOME" "$PATH" ];
+    };
+
+    users.users.${config.user.name} = mkAliasDefinitions options.user;
+
+    nix.settings = let users = [ "" config.user.name ]; in
+    {
+      trusted-users = users;
+      allowed-users = users;
     };
   };
 }

modules/shell/toolset/git.nix

@@ -21,95 +21,97 @@ in
     # Prevent x11 askPass prompt on git push:
     programs.ssh.askPassword = "";
 
-    hm.programs.zsh.initExtra = ''
-      # -------===[ Helpful Git Fn's ]===------- #
-      gitignore() {
-        curl -s -o .gitignore https://gitignore.io/api/$1
-      }
-    '';
+    home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";
 
-    hm.programs.fish.functions = {
-      gitignore = "curl -sL https://www.gitignore.io/api/$argv";
-    };
+    hm.programs = {
+      zsh.initExtra = ''
+        # -------===[ Helpful Git Fn's ]===------- #
+        gitignore() {
+          curl -s -o .gitignore https://gitignore.io/api/$1
+        }
+      '';
 
-    env = {GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";};
-
-    hm.programs.git = {
-      enable = true;
-      package = pkgs.gitFull;
-      difftastic = {
-        enable = true;
-        background = "dark";
-        color = "always";
-        display = "inline";
+      fish.functions = {
+        gitignore = "curl -sL https://www.gitignore.io/api/$argv";
       };
 
-      ignores = [
-        # General:
-        "*.bloop"
-        "*.bsp"
-        "*.metals"
-        "*.metals.sbt"
-        "*metals.sbt"
-        "*.direnv"
-        "*.envrc"
-        "*hie.yaml"
-        "*.mill-version"
-        "*.jvmopts"
-
-        # OS-related:
-        ".DS_Store?"
-        ".DS_Store"
-        ".CFUserTextEncoding"
-        ".Trash"
-        ".Xauthority"
-        "thumbs.db"
-        "Thumbs.db"
-        "Icon?"
-
-        # Compiled residues:
-        "*.class"
-        "*.exe"
-        "*.o"
-        "*.pyc"
-        "*.elc"
-      ];
-
-      extraConfig = {
-        init.defaultBranch = "main";
-        core = {
-          editor = "nvim";
-          whitespace = "trailing-space,space-before-tab";
-        };
-        credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
-
-        user = {
-          name = "Chris Kruining";
-          email = "chris@kruining.eu";
-          signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
+      git = {
+        enable = true;
+        package = pkgs.gitFull;
+        difftastic = {
+          enable = true;
+          background = "dark";
+          color = "always";
+          display = "inline";
         };
 
-        gpg.format = "ssh";
-        commit.gpgSign = true;
-        tag.gpgSign = true;
+        ignores = [
+          # General:
+          "*.bloop"
+          "*.bsp"
+          "*.metals"
+          "*.metals.sbt"
+          "*metals.sbt"
+          "*.direnv"
+          "*.envrc"
+          "*hie.yaml"
+          "*.mill-version"
+          "*.jvmopts"
 
-        push = {
-          default = "current";
-          gpgSign = "if-asked";
-          autoSquash = true;
-        };
-        pull.rebase = true;
+          # OS-related:
+          ".DS_Store?"
+          ".DS_Store"
+          ".CFUserTextEncoding"
+          ".Trash"
+          ".Xauthority"
+          "thumbs.db"
+          "Thumbs.db"
+          "Icon?"
 
-        filter = {
-          required = true;
-          smudge = "git-lfs smudge -- %f";
-          process = "git-lfs filter-process";
-          clean = "git-lfs clean -- %f";
-        };
+          # Compiled residues:
+          "*.class"
+          "*.exe"
+          "*.o"
+          "*.pyc"
+          "*.elc"
+        ];
 
-        url = {
-          "https://github.com/".insteadOf = "gh:";
-          "git@github.com:".insteadOf = "ssh+gh:";
+        extraConfig = {
+          init.defaultBranch = "main";
+          core = {
+            editor = "nvim";
+            whitespace = "trailing-space,space-before-tab";
+          };
+          credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
+
+          user = {
+            name = "Chris Kruining";
+            email = "chris@kruining.eu";
+            signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
+          };
+
+          gpg.format = "ssh";
+          commit.gpgSign = true;
+          tag.gpgSign = true;
+
+          push = {
+            default = "current";
+            gpgSign = "if-asked";
+            autoSquash = true;
+          };
+          pull.rebase = true;
+
+          filter = {
+            required = true;
+            smudge = "git-lfs smudge -- %f";
+            process = "git-lfs filter-process";
+            clean = "git-lfs clean -- %f";
+          };
+
+          url = {
+            "https://github.com/".insteadOf = "gh:";
+            "git@github.com:".insteadOf = "ssh+gh:";
+          };
         };
       };
     };

modules/system/audio.nix

@@ -32,7 +32,7 @@ in
       };
     };
 
-    home.configFile = mkIf config.module.hardware.bluetooth.enable {
+    home.configFile = mkIf config.modules.hardware.bluetooth.enable {
       wireplumber-bluetooth = {
         target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua";
         text = ''

modules/system/boot.nix

@@ -1,6 +1,6 @@
 { config, options, lib, pkgs, ... }:
 {
-  boot.loader.systemd-boot-enable = true;
+  boot.loader.systemd-boot.enable = true;
 
   time.timeZone = "Europe/Amsterdam";
   

modules/system/security.nix

@@ -0,0 +1,62 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    kdePackages.kwallet-pam
+    bitwarden
+  ];
+
+  security = {
+    sudo.execWheelOnly = true;
+    acme.acceptTerms = true;
+    polkit.enable = true;
+    pam.services.kwallet = {
+      name = "kwallet";
+      enableKwallet = true;
+    };
+  };
+
+  networking.firewall.enable = true;
+  programs.gnupg.agent.enable = true;
+
+  boot = {
+    loader.systemd-boot = {
+      editor = false;
+      configurationLimit = 50;
+    };
+
+    kernalModules = [ "tcp_bbr" ];
+    kernal.sysctl = {
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+
+      ## TCP optimization
+      # Enable TCP Fast Open for incoming and outgoing connections
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+  };
+}

modules/xgd.nix

@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+  hm.xdg.enable = true;
+
+  environment = {
+    sessionVariables = {
+      XDG_CACHE_HOME = "$HOME/.cache";
+      XDG_CONFIG_HOME = "$HOME/.config";
+      XDG_DATA_HOME = "$HOME/.local/share";
+      XDG_BIN_HOME = "$HOME/.local/bin";
+    };
+
+    variables = {
+      __GL_SHADER_DISK_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+      ASPELL_CONF = ''
+        per-conf $XDG_CONFIG_HOME/aspell/aspell.conf;
+        personal $XDG_CONFIG_HOME/aspell/en_US.pws;
+        repl $XDG_CONFIG_HOME/aspell/en.prepl;
+      '';
+      CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+      HISTFILE = "$XDG_DATA_HOME/bash/history";
+      INPUTRC = "$XDG_CONFIG_HOME/readline/inputrc";
+      LESSHISTFILE = "$XDG_CACHE_HOME/lesshst";
+      WGETRC = "$XDG_CONFIG_HOME/wgetrc";
+    };
+
+    extraInit = ''
+      export XAUTHORITY=/tmp/Xauthority
+      [ -e ~/.Xauthority ] && mv -f ~/.Xauthority "$XAUTHORITY"
+    '';
+  };
+}