chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

.

Browse source
This commit is contained in:
Chris Kruining 2024-07-23 17:46:03 +02:00
parent a22dfad11d
commit 6eade157b3
17 changed files with 306 additions and 289 deletions
Download patch file Download diff file Expand all files Collapse all files

4
default.nix
View file

@ -13,9 +13,9 @@ in
] ]
++ (mapModulesRec' (toString ./modules) import); ++ (mapModulesRec' (toString ./modules) import);
environments.variables = { environment.variables = {
KAAS = config.kaas.dir; KAAS = config.kaas.dir;
KAAS_BIN = config.kaasbinDir; KAAS_BIN = config.kaas.binDir;
NIXPKGS_ALLOW_UNFREE = "1"; NIXPKGS_ALLOW_UNFREE = "1";
}; };

2
hosts/chris-pc/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware.nix ];
modules = { modules = {
themes.active = "everforrest"; themes.active = "everforrest";

94
hosts/chris-pc/default.nix.back
View file

@ -1,94 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/system/boot.nix
../../modules/system/networking.nix
../../modules/system/audio.nix
../../modules/system/zsa_voyager.nix
../../modules/desktop/plasma.nix
../../modules/programs/security.nix
../../modules/programs/theme.nix
../../modules/programs/shell.nix
../../modules/programs/gaming.nix
../../modules/programs/harden.nix
../../modules/programs/communication.nix
../../modules/programs/office.nix
inputs.home-manager.nixosModules.default
];
nixpkgs.config = {
allowUnfree = true;
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Define a user account. Don't forget to set a password with passwd.
users.users.chris = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" ]; # Enable sudo for the user.
packages = with pkgs; [];
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = { inherit inputs; };
backupFileExtension = "backup";
users = {
chris.imports = [ ../../users/chris.nix ];
# root.imports = [ ../../users/root.nix ];
};
};
environment.systemPackages = with pkgs; [
neovim
wget
# chromium
thunderbird
zoxide
atuin
btop
dust
bat
tldr
eza
nextcloud-client
];
systemd.services.numLockOnTty = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = lib.mkForce (pkgs.writeShellScript "numLockOnTty" ''
for tty in /dev/tty{1..6}; do
${pkgs.kbd}/bin/setleds -D +num < "$tty";
done
'');
};
};
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment?
}

40
hosts/chris-pc/hardware-configuration.nix
View file

@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C842-316A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

47
hosts/chris-pc/hardware.nix Normal file
View file

@ -0,0 +1,47 @@
{ config, lib, pkgs, modulesPath, ... }:
let
inherit (lib.modules) mkDefault;
inherir (lib.attrsets) attrValues;
in
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/C842-316A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
];
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
kernelParams = [];
extraModulePackages = [ ];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
services = {
power-profiles-deamon-enable = false;
thermald.enable = false;
};
modules.hardware = {
pipewire.enable = true;
bluetooth.enable = false;
pointer.enable = true;
};
}

2
hosts/chris-server/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware.nix ];
modules = { modules = {
themes.active = "everforrest"; themes.active = "everforrest";

38
hosts/chris-server/hardware-configuration.nix
View file

@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0A56-EBFE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

41
hosts/chris-server/hardware.nix Normal file
View file

@ -0,0 +1,41 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0A56-EBFE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
kernelParams = [];
extraModulePackages = [ ];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
services = {
power-profiles-deamon-enable = false;
thermald.enable = false;
};
modules.hardware = {
pipewire.enable = true;
bluetooth.enable = false;
pointer.enable = true;
};
}

10
modules/_programs/harden.nix
View file

@ -1,10 +0,0 @@
{ config, user, sensitive, lib, ... }: {
networking.firewall.enable = true;
# security.sudo.execWheelOnly = true;
# security.auditd.enable = true;
# security.audit.enable = !config.boot.isContainer;
# PGP set up.
programs.gnupg.agent.enable = true;
}

12
modules/_programs/security.nix
View file

@ -1,12 +0,0 @@
{ pkgs, security, ... }:
{
environment.systemPackages = with pkgs; [
kdePackages.kwallet-pam
bitwarden
];
security.pam.services.kwallet = {
name = "kwallet";
enableKwallet = true;
};
}

12
modules/develop/rust.nix
View file

@ -13,23 +13,21 @@ in
config = mkMerge [ config = mkMerge [
(mkIf config.modules.develop.rust.enable { (mkIf config.modules.develop.rust.enable {
nixpkgs.overlays = [ inputs.rust.overlays.default ];
user.packages = attrValues { user.packages = attrValues {
rust-package = pkgs.rust-bin.nightly.latest.default; rust-package = pkgs.rust-bin.nightly.latest.default;
inherit (pkgs) rust-analyser rust-script; inherit (pkgs) rust-analyser rust-script;
}; };
environment.shellAlliases = { environment.shellAliases = {
rs = "rustc"; rs = "rustc";
ca = "cargo"; ca = "cargo";
}; };
}) })
(mkIf config.modules.develop.cdg.enable { (mkIf config.modules.develop.xdg.enable {
env = { home = {
CARGO_HOME = "$XDG_DATA_HOME/cargo"; sessionVariables.CARGO_HOME = "$XDG_DATA_HOME/cargo";
PATH = [ "$CARGO_HOME/bin" ]; sessionPath = ["$CARGO_HOME/bin"];
}; };
}) })
]; ];

33
modules/options.nix
View file

@ -20,15 +20,44 @@ in
"${config.user.home}/Workspace/public/kaas" "${config.user.home}/Workspace/public/kaas"
"/etc/kaas" "/etc/kaas"
]); ]);
hostDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}"; homeDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}";
binDir = mkOpt path "${config.kaas.dir}/bin"; binDir = mkOpt path "${config.kaas.dir}/bin";
configDir = mkOpt path "${config.kaas.dir}/config"; configDir = mkOpt path "${config.kaas.dir}/config";
modulesDir = mkOpt path "${config.kaas.dir}/modules"; modulesDir = mkOpt path "${config.kaas.dir}/modules";
themesDir = mkOpt path "${config.kaas.modulesDir}/themes"; themesDir = mkOpt path "${config.kaas.modulesDir}/themes";
}; };
};
config = {
user = let
user = builtins.getEnv "USER";
name =
if builtins.elem user [ "" "root" ] then "chris"
else user;
in
{
inherit name;
description = "Primary user account";
extraGroups = [ "wheel" ];
isNormalUser = true;
home = "/home/${name}";
group = "users";
uid = 1000;
};
home-manager.useUserPackages = true;
home = { home = {
# HIER BEN IK GEBLEVEN!!! stateVersion = config.system.stateVersion;
sessionPath = [ "$KAAS_BIN" "$XDG_BIN_HOME" "$PATH" ];
};
users.users.${config.user.name} = mkAliasDefinitions options.user;
nix.settings = let users = [ "" config.user.name ]; in
{
trusted-users = users;
allowed-users = users;
}; };
}; };
} }

162
modules/shell/toolset/git.nix
View file

@ -21,95 +21,97 @@ in
# Prevent x11 askPass prompt on git push: # Prevent x11 askPass prompt on git push:
programs.ssh.askPassword = ""; programs.ssh.askPassword = "";
hm.programs.zsh.initExtra = '' home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";
# -------===[ Helpful Git Fn's ]===------- #
gitignore() {
curl -s -o .gitignore https://gitignore.io/api/$1
}
'';
hm.programs.fish.functions = { hm.programs = {
gitignore = "curl -sL https://www.gitignore.io/api/$argv"; zsh.initExtra = ''
}; # -------===[ Helpful Git Fn's ]===------- #
gitignore() {
curl -s -o .gitignore https://gitignore.io/api/$1
}
'';
env = {GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";}; fish.functions = {
gitignore = "curl -sL https://www.gitignore.io/api/$argv";
hm.programs.git = {
enable = true;
package = pkgs.gitFull;
difftastic = {
enable = true;
background = "dark";
color = "always";
display = "inline";
}; };
ignores = [ git = {
# General: enable = true;
"*.bloop" package = pkgs.gitFull;
"*.bsp" difftastic = {
"*.metals" enable = true;
"*.metals.sbt" background = "dark";
"*metals.sbt" color = "always";
"*.direnv" display = "inline";
"*.envrc"
"*hie.yaml"
"*.mill-version"
"*.jvmopts"
# OS-related:
".DS_Store?"
".DS_Store"
".CFUserTextEncoding"
".Trash"
".Xauthority"
"thumbs.db"
"Thumbs.db"
"Icon?"
# Compiled residues:
"*.class"
"*.exe"
"*.o"
"*.pyc"
"*.elc"
];
extraConfig = {
init.defaultBranch = "main";
core = {
editor = "nvim";
whitespace = "trailing-space,space-before-tab";
};
credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
user = {
name = "Chris Kruining";
email = "chris@kruining.eu";
signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
}; };
gpg.format = "ssh"; ignores = [
commit.gpgSign = true; # General:
tag.gpgSign = true; "*.bloop"
"*.bsp"
"*.metals"
"*.metals.sbt"
"*metals.sbt"
"*.direnv"
"*.envrc"
"*hie.yaml"
"*.mill-version"
"*.jvmopts"
push = { # OS-related:
default = "current"; ".DS_Store?"
gpgSign = "if-asked"; ".DS_Store"
autoSquash = true; ".CFUserTextEncoding"
}; ".Trash"
pull.rebase = true; ".Xauthority"
"thumbs.db"
"Thumbs.db"
"Icon?"
filter = { # Compiled residues:
required = true; "*.class"
smudge = "git-lfs smudge -- %f"; "*.exe"
process = "git-lfs filter-process"; "*.o"
clean = "git-lfs clean -- %f"; "*.pyc"
}; "*.elc"
];
url = { extraConfig = {
"https://github.com/".insteadOf = "gh:"; init.defaultBranch = "main";
"git@github.com:".insteadOf = "ssh+gh:"; core = {
editor = "nvim";
whitespace = "trailing-space,space-before-tab";
};
credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
user = {
name = "Chris Kruining";
email = "chris@kruining.eu";
signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
};
gpg.format = "ssh";
commit.gpgSign = true;
tag.gpgSign = true;
push = {
default = "current";
gpgSign = "if-asked";
autoSquash = true;
};
pull.rebase = true;
filter = {
required = true;
smudge = "git-lfs smudge -- %f";
process = "git-lfs filter-process";
clean = "git-lfs clean -- %f";
};
url = {
"https://github.com/".insteadOf = "gh:";
"git@github.com:".insteadOf = "ssh+gh:";
};
}; };
}; };
}; };

2
modules/system/audio.nix
View file

@ -32,7 +32,7 @@ in
}; };
}; };
home.configFile = mkIf config.module.hardware.bluetooth.enable { home.configFile = mkIf config.modules.hardware.bluetooth.enable {
wireplumber-bluetooth = { wireplumber-bluetooth = {
target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua"; target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua";
text = '' text = ''

2
modules/system/boot.nix
View file

@ -1,6 +1,6 @@
{ config, options, lib, pkgs, ... }: { config, options, lib, pkgs, ... }:
{ {
boot.loader.systemd-boot-enable = true; boot.loader.systemd-boot.enable = true;
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";

62
modules/system/security.nix Normal file
View file

@ -0,0 +1,62 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
kdePackages.kwallet-pam
bitwarden
];
security = {
sudo.execWheelOnly = true;
acme.acceptTerms = true;
polkit.enable = true;
pam.services.kwallet = {
name = "kwallet";
enableKwallet = true;
};
};
networking.firewall.enable = true;
programs.gnupg.agent.enable = true;
boot = {
loader.systemd-boot = {
editor = false;
configurationLimit = 50;
};
kernalModules = [ "tcp_bbr" ];
kernal.sysctl = {
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# Enable TCP Fast Open for incoming and outgoing connections
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
}

32
modules/xgd.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, ... }:
{
hm.xdg.enable = true;
environment = {
sessionVariables = {
XDG_CACHE_HOME = "$HOME/.cache";
XDG_CONFIG_HOME = "$HOME/.config";
XDG_DATA_HOME = "$HOME/.local/share";
XDG_BIN_HOME = "$HOME/.local/bin";
};
variables = {
__GL_SHADER_DISK_CACHE_PATH = "$XDG_CACHE_HOME/nv";
ASPELL_CONF = ''
per-conf $XDG_CONFIG_HOME/aspell/aspell.conf;
personal $XDG_CONFIG_HOME/aspell/en_US.pws;
repl $XDG_CONFIG_HOME/aspell/en.prepl;
'';
CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
HISTFILE = "$XDG_DATA_HOME/bash/history";
INPUTRC = "$XDG_CONFIG_HOME/readline/inputrc";
LESSHISTFILE = "$XDG_CACHE_HOME/lesshst";
WGETRC = "$XDG_CONFIG_HOME/wgetrc";
};
extraInit = ''
export XAUTHORITY=/tmp/Xauthority
[ -e ~/.Xauthority ] && mv -f ~/.Xauthority "$XAUTHORITY"
'';
};
}