.
This commit is contained in:
		
							parent
							
								
									a22dfad11d
								
							
						
					
					
						commit
						6eade157b3
					
				
					 17 changed files with 306 additions and 289 deletions
				
			
		|  | @ -13,9 +13,9 @@ in | ||||||
|     ] |     ] | ||||||
|     ++ (mapModulesRec' (toString ./modules) import); |     ++ (mapModulesRec' (toString ./modules) import); | ||||||
| 
 | 
 | ||||||
|   environments.variables = { |   environment.variables = { | ||||||
|     KAAS = config.kaas.dir; |     KAAS = config.kaas.dir; | ||||||
|     KAAS_BIN = config.kaasbinDir; |     KAAS_BIN = config.kaas.binDir; | ||||||
|     NIXPKGS_ALLOW_UNFREE = "1"; |     NIXPKGS_ALLOW_UNFREE = "1"; | ||||||
|   };   |   };   | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,6 +1,6 @@ | ||||||
| { config, lib, pkgs, ... }: | { config, lib, pkgs, ... }: | ||||||
| { | { | ||||||
|   imports = [ ./hardware-configuration.nix ]; |   imports = [ ./hardware.nix ]; | ||||||
| 
 | 
 | ||||||
|   modules = { |   modules = { | ||||||
|     themes.active = "everforrest"; |     themes.active = "everforrest"; | ||||||
|  |  | ||||||
|  | @ -1,94 +0,0 @@ | ||||||
| { config, lib, pkgs, inputs, ... }: |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|     ./hardware-configuration.nix |  | ||||||
|     ../../modules/system/boot.nix |  | ||||||
|     ../../modules/system/networking.nix |  | ||||||
|     ../../modules/system/audio.nix |  | ||||||
|     ../../modules/system/zsa_voyager.nix |  | ||||||
|      |  | ||||||
|     ../../modules/desktop/plasma.nix |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|     |  | ||||||
|     ../../modules/programs/security.nix |  | ||||||
|     ../../modules/programs/theme.nix |  | ||||||
|     ../../modules/programs/shell.nix |  | ||||||
|     ../../modules/programs/gaming.nix |  | ||||||
|     ../../modules/programs/harden.nix |  | ||||||
|     ../../modules/programs/communication.nix |  | ||||||
|     ../../modules/programs/office.nix |  | ||||||
|     inputs.home-manager.nixosModules.default |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   nixpkgs.config = { |  | ||||||
|     allowUnfree = true; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   nix.settings.experimental-features = [ "nix-command" "flakes" ]; |  | ||||||
| 
 |  | ||||||
|   # Define a user account. Don't forget to set a password with ‘passwd’. |  | ||||||
|   users.users.chris = { |  | ||||||
|     isNormalUser = true; |  | ||||||
|     extraGroups = [ "wheel" "audio" ]; # Enable ‘sudo’ for the user. |  | ||||||
|     packages = with pkgs; []; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   home-manager = { |  | ||||||
|     useGlobalPkgs = true; |  | ||||||
|     useUserPackages = true; |  | ||||||
|     extraSpecialArgs = { inherit inputs; }; |  | ||||||
|     backupFileExtension = "backup"; |  | ||||||
|     users = { |  | ||||||
|       chris.imports = [ ../../users/chris.nix ]; |  | ||||||
| #      root.imports = [ ../../users/root.nix ]; |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   environment.systemPackages = with pkgs; [ |  | ||||||
|     neovim |  | ||||||
|     wget |  | ||||||
| #    chromium |  | ||||||
|     thunderbird |  | ||||||
|     zoxide |  | ||||||
|     atuin |  | ||||||
|     btop |  | ||||||
|     dust |  | ||||||
|     bat |  | ||||||
|     tldr |  | ||||||
|     eza |  | ||||||
|     nextcloud-client |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   systemd.services.numLockOnTty = { |  | ||||||
|     wantedBy = [ "multi-user.target" ]; |  | ||||||
|     serviceConfig = { |  | ||||||
|       ExecStart = lib.mkForce (pkgs.writeShellScript "numLockOnTty" '' |  | ||||||
|         for tty in /dev/tty{1..6}; do |  | ||||||
|           ${pkgs.kbd}/bin/setleds -D +num < "$tty"; |  | ||||||
|         done |  | ||||||
|       ''); |  | ||||||
|     }; |  | ||||||
|   }; |  | ||||||
| 
 |  | ||||||
|   # This option defines the first version of NixOS you have installed on this particular machine, |  | ||||||
|   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. |  | ||||||
|   # |  | ||||||
|   # Most users should NEVER change this value after the initial install, for any reason, |  | ||||||
|   # even if you've upgraded your system to a new NixOS release. |  | ||||||
|   # |  | ||||||
|   # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, |  | ||||||
|   # so changing it will NOT upgrade your system. |  | ||||||
|   # |  | ||||||
|   # This value being lower than the current NixOS release does NOT mean your system is |  | ||||||
|   # out of date, out of support, or vulnerable. |  | ||||||
|   # |  | ||||||
|   # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, |  | ||||||
|   # and migrated your data accordingly. |  | ||||||
|   # |  | ||||||
|   # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . |  | ||||||
|   system.stateVersion = "23.11"; # Did you read the comment? |  | ||||||
| 
 |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
|  | @ -1,40 +0,0 @@ | ||||||
| # Do not modify this file!  It was generated by ‘nixos-generate-config’ |  | ||||||
| # and may be overwritten by future invocations.  Please make changes |  | ||||||
| # to /etc/nixos/configuration.nix instead. |  | ||||||
| { config, lib, pkgs, modulesPath, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = |  | ||||||
|     [ (modulesPath + "/installer/scan/not-detected.nix") |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; |  | ||||||
|   boot.initrd.kernelModules = [ ]; |  | ||||||
|   boot.kernelModules = [ "kvm-intel" ]; |  | ||||||
|   boot.extraModulePackages = [ ]; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/" = |  | ||||||
|     { device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985"; |  | ||||||
|       fsType = "ext4"; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/boot" = |  | ||||||
|     { device = "/dev/disk/by-uuid/C842-316A"; |  | ||||||
|       fsType = "vfat"; |  | ||||||
|       options = [ "fmask=0022" "dmask=0022" ]; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|   swapDevices = |  | ||||||
|     [ { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; } |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking |  | ||||||
|   # (the default) this is the recommended approach. When using systemd-networkd it's |  | ||||||
|   # still possible to use this option, but it's recommended to use it in conjunction |  | ||||||
|   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. |  | ||||||
|   networking.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; |  | ||||||
| 
 |  | ||||||
|   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; |  | ||||||
|   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; |  | ||||||
| } |  | ||||||
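--- /dev/null
+++ b/hosts/chris-pc/hardware.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+  inherit (lib.modules) mkDefault;
+  inherir (lib.attrsets) attrValues;
+in
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8c4eaf57-fdb2-4c4c-bcc0-74e85a1c7985";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C842-316A";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [];
+    extraModulePackages = [ ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services = {
+    power-profiles-deamon-enable = false;
+    thermald.enable = false;
+  };
+
+  modules.hardware = {
+    pipewire.enable = true;
+    bluetooth.enable = false;
+    pointer.enable = true;
+  };
+}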
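Review bot: `inherir (lib.attrsets) attrValues;` in the let block is a typo for `inherit` and is not a valid let binding, and `services.power-profiles-deamon-enable = false;` defines an option that does not exist (it should be `services.power-profiles-daemon.enable = false;`), so this host does not evaluate as committed. Neither `attrValues` nor the inherited `mkDefault` is used afterwards (the file calls `lib.mkDefault`), so the whole let block can go. Note also that `hardware.cpu.intel.updateMicrocode` only does something if `hardware.enableRedistributableFirmware` is set to true elsewhere, which this page does not show; without it the CPU runs without microcode-level mitigations, which is worth confirming given that the new `modules/system/security.nix` otherwise hardens this machine.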
|  | @ -1,6 +1,6 @@ | ||||||
| { config, lib, pkgs, ... }: | { config, lib, pkgs, ... }: | ||||||
| { | { | ||||||
|   imports = [ ./hardware-configuration.nix ]; |   imports = [ ./hardware.nix ]; | ||||||
| 
 | 
 | ||||||
|   modules = { |   modules = { | ||||||
|     themes.active = "everforrest"; |     themes.active = "everforrest"; | ||||||
|  |  | ||||||
|  | @ -1,38 +0,0 @@ | ||||||
| # Do not modify this file!  It was generated by ‘nixos-generate-config’ |  | ||||||
| # and may be overwritten by future invocations.  Please make changes |  | ||||||
| # to /etc/nixos/configuration.nix instead. |  | ||||||
| { config, lib, pkgs, modulesPath, ... }: |  | ||||||
| 
 |  | ||||||
| { |  | ||||||
|   imports = |  | ||||||
|     [ (modulesPath + "/installer/scan/not-detected.nix") |  | ||||||
|     ]; |  | ||||||
| 
 |  | ||||||
|   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; |  | ||||||
|   boot.initrd.kernelModules = [ ]; |  | ||||||
|   boot.kernelModules = [ "kvm-intel" ]; |  | ||||||
|   boot.extraModulePackages = [ ]; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/" = |  | ||||||
|     { device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa"; |  | ||||||
|       fsType = "ext4"; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|   fileSystems."/boot" = |  | ||||||
|     { device = "/dev/disk/by-uuid/0A56-EBFE"; |  | ||||||
|       fsType = "vfat"; |  | ||||||
|       options = [ "fmask=0022" "dmask=0022" ]; |  | ||||||
|     }; |  | ||||||
| 
 |  | ||||||
|   swapDevices = [ ]; |  | ||||||
| 
 |  | ||||||
|   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking |  | ||||||
|   # (the default) this is the recommended approach. When using systemd-networkd it's |  | ||||||
|   # still possible to use this option, but it's recommended to use it in conjunction |  | ||||||
|   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. |  | ||||||
|   networking.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; |  | ||||||
| 
 |  | ||||||
|   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; |  | ||||||
|   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; |  | ||||||
| } |  | ||||||
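--- /dev/null
+++ b/hosts/chris-server/hardware.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/dd518f17-61c9-4831-b1bd-e1cc2af292aa";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0A56-EBFE";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [];
+    extraModulePackages = [ ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services = {
+    power-profiles-deamon-enable = false;
+    thermald.enable = false;
+  };
+
+  modules.hardware = {
+    pipewire.enable = true;
+    bluetooth.enable = false;
+    pointer.enable = true;
+  };
+}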
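Review bot: `services.power-profiles-deamon-enable = false;` is a misspelled, non-existent option and makes the build fail with an undefined-option error; it should be `services.power-profiles-daemon.enable = false;`. The `modules.hardware` block enabling pipewire and a pointer device looks copied from the desktop host; on a server that is unneeded attack surface and presumably should be `pipewire.enable = false;` and `pointer.enable = false;`, though whether the box actually has audio or input hardware is not visible here. As on the desktop, `updateMicrocode` is gated on `hardware.enableRedistributableFirmware`, which should be confirmed to be set somewhere.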
|  | @ -1,10 +0,0 @@ | ||||||
| { config, user, sensitive, lib, ... }: { |  | ||||||
|   networking.firewall.enable = true; |  | ||||||
| 
 |  | ||||||
| #  security.sudo.execWheelOnly = true; |  | ||||||
| #  security.auditd.enable = true; |  | ||||||
| #  security.audit.enable = !config.boot.isContainer; |  | ||||||
| 
 |  | ||||||
|   # PGP set up. |  | ||||||
|   programs.gnupg.agent.enable = true; |  | ||||||
| } |  | ||||||
|  | @ -1,12 +0,0 @@ | ||||||
| { pkgs, security, ... }: |  | ||||||
| { |  | ||||||
|   environment.systemPackages = with pkgs; [ |  | ||||||
|     kdePackages.kwallet-pam |  | ||||||
|     bitwarden |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   security.pam.services.kwallet = { |  | ||||||
|     name = "kwallet"; |  | ||||||
|     enableKwallet = true; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
|  | @ -13,23 +13,21 @@ in | ||||||
| 
 | 
 | ||||||
|   config = mkMerge [ |   config = mkMerge [ | ||||||
|     (mkIf config.modules.develop.rust.enable { |     (mkIf config.modules.develop.rust.enable { | ||||||
|       nixpkgs.overlays = [ inputs.rust.overlays.default ]; |  | ||||||
| 
 |  | ||||||
|       user.packages = attrValues { |       user.packages = attrValues { | ||||||
|         rust-package = pkgs.rust-bin.nightly.latest.default; |         rust-package = pkgs.rust-bin.nightly.latest.default; | ||||||
|         inherit (pkgs) rust-analyser rust-script; |         inherit (pkgs) rust-analyser rust-script; | ||||||
|       }; |       }; | ||||||
| 
 | 
 | ||||||
|       environment.shellAlliases = { |       environment.shellAliases = { | ||||||
|         rs = "rustc"; |         rs = "rustc"; | ||||||
|         ca = "cargo"; |         ca = "cargo"; | ||||||
|       }; |       }; | ||||||
|     }) |     }) | ||||||
| 
 | 
 | ||||||
|     (mkIf config.modules.develop.cdg.enable { |     (mkIf config.modules.develop.xdg.enable { | ||||||
|       env = { |       home = { | ||||||
|         CARGO_HOME = "$XDG_DATA_HOME/cargo"; |         sessionVariables.CARGO_HOME = "$XDG_DATA_HOME/cargo"; | ||||||
|         PATH = [ "$CARGO_HOME/bin" ]; |         sessionPath = ["$CARGO_HOME/bin"]; | ||||||
|       }; |       }; | ||||||
|     }) |     }) | ||||||
|   ]; |   ]; | ||||||
|  |  | ||||||
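Review bot: The hunk drops `nixpkgs.overlays = [ inputs.rust.overlays.default ];` but keeps `pkgs.rust-bin.nightly.latest.default`, and `rust-bin` only exists when that overlay is applied; unless the overlay is now added somewhere else (not visible here) this module stops evaluating. `rust-analyser` in the `inherit (pkgs)` line is also a typo for `rust-analyzer`. Separately, `nightly.latest` floats to whatever the locked overlay input happens to resolve to, so pinning a dated nightly (`pkgs.rust-bin.nightly."YYYY-MM-DD".default`) would make the toolchain reproducible and reviewable. The enclosing `config = mkMerge [ … ]` starts before the hunk.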
|  | @ -20,15 +20,44 @@ in | ||||||
|         "${config.user.home}/Workspace/public/kaas" |         "${config.user.home}/Workspace/public/kaas" | ||||||
|         "/etc/kaas" |         "/etc/kaas" | ||||||
|       ]); |       ]); | ||||||
|       hostDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}"; |       homeDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}"; | ||||||
|       binDir = mkOpt path "${config.kaas.dir}/bin"; |       binDir = mkOpt path "${config.kaas.dir}/bin"; | ||||||
|       configDir = mkOpt path "${config.kaas.dir}/config"; |       configDir = mkOpt path "${config.kaas.dir}/config"; | ||||||
|       modulesDir = mkOpt path "${config.kaas.dir}/modules"; |       modulesDir = mkOpt path "${config.kaas.dir}/modules"; | ||||||
|       themesDir = mkOpt path "${config.kaas.modulesDir}/themes"; |       themesDir = mkOpt path "${config.kaas.modulesDir}/themes"; | ||||||
|     }; |     }; | ||||||
|  |   }; | ||||||
|  | 
 | ||||||
|  |   config = { | ||||||
|  |     user = let | ||||||
|  |       user = builtins.getEnv "USER"; | ||||||
|  |       name = | ||||||
|  |         if builtins.elem user [ "" "root" ] then "chris" | ||||||
|  |         else user; | ||||||
|  |     in | ||||||
|  |     { | ||||||
|  |       inherit name; | ||||||
|  |       description = "Primary user account"; | ||||||
|  |       extraGroups = [ "wheel" ]; | ||||||
|  |       isNormalUser = true; | ||||||
|  |       home = "/home/${name}"; | ||||||
|  |       group = "users"; | ||||||
|  |       uid = 1000; | ||||||
|  |     }; | ||||||
|  | 
 | ||||||
|  |     home-manager.useUserPackages = true; | ||||||
| 
 | 
 | ||||||
|     home = { |     home = { | ||||||
|       # HIER BEN IK GEBLEVEN!!! |       stateVersion = config.system.stateVersion; | ||||||
|  |       sessionPath = [ "$KAAS_BIN" "$XDG_BIN_HOME" "$PATH" ]; | ||||||
|  |     }; | ||||||
|  | 
 | ||||||
|  |     users.users.${config.user.name} = mkAliasDefinitions options.user; | ||||||
|  | 
 | ||||||
|  |     nix.settings = let users = [ "" config.user.name ]; in | ||||||
|  |     { | ||||||
|  |       trusted-users = users; | ||||||
|  |       allowed-users = users; | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
|  |  | ||||||
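Review bot: `nix.settings.trusted-users` lets the listed user override substituters, sandboxing and other daemon settings, which the Nix manual documents as equivalent to root; adding `config.user.name` there is defensible only because that account is already in `wheel`, and that trade-off deserves a comment above `trusted-users = users;`. The `""` entry in the same list matches no real account and only obscures intent; `[ config.user.name ]` is enough, since root is always trusted. Deriving the account name from `builtins.getEnv "USER"` makes the primary user depend on who runs the evaluation and returns `""` under pure flake evaluation, so the `"chris"` fallback is effectively the only value that can ever be produced; an explicit option would be clearer and reproducible. The `config = { … }` set closes here but the option declarations it belongs to start before the hunk.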
|  | @ -21,95 +21,97 @@ in | ||||||
|     # Prevent x11 askPass prompt on git push: |     # Prevent x11 askPass prompt on git push: | ||||||
|     programs.ssh.askPassword = ""; |     programs.ssh.askPassword = ""; | ||||||
| 
 | 
 | ||||||
|     hm.programs.zsh.initExtra = '' |     home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)"; | ||||||
|       # -------===[ Helpful Git Fn's ]===------- # |  | ||||||
|       gitignore() { |  | ||||||
|         curl -s -o .gitignore https://gitignore.io/api/$1 |  | ||||||
|       } |  | ||||||
|     ''; |  | ||||||
| 
 | 
 | ||||||
|     hm.programs.fish.functions = { |     hm.programs = { | ||||||
|       gitignore = "curl -sL https://www.gitignore.io/api/$argv"; |       zsh.initExtra = '' | ||||||
|     }; |         # -------===[ Helpful Git Fn's ]===------- # | ||||||
|  |         gitignore() { | ||||||
|  |           curl -s -o .gitignore https://gitignore.io/api/$1 | ||||||
|  |         } | ||||||
|  |       ''; | ||||||
| 
 | 
 | ||||||
|     env = {GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";}; |       fish.functions = { | ||||||
| 
 |         gitignore = "curl -sL https://www.gitignore.io/api/$argv"; | ||||||
|     hm.programs.git = { |  | ||||||
|       enable = true; |  | ||||||
|       package = pkgs.gitFull; |  | ||||||
|       difftastic = { |  | ||||||
|         enable = true; |  | ||||||
|         background = "dark"; |  | ||||||
|         color = "always"; |  | ||||||
|         display = "inline"; |  | ||||||
|       }; |       }; | ||||||
| 
 | 
 | ||||||
|       ignores = [ |       git = { | ||||||
|         # General: |         enable = true; | ||||||
|         "*.bloop" |         package = pkgs.gitFull; | ||||||
|         "*.bsp" |         difftastic = { | ||||||
|         "*.metals" |           enable = true; | ||||||
|         "*.metals.sbt" |           background = "dark"; | ||||||
|         "*metals.sbt" |           color = "always"; | ||||||
|         "*.direnv" |           display = "inline"; | ||||||
|         "*.envrc" |  | ||||||
|         "*hie.yaml" |  | ||||||
|         "*.mill-version" |  | ||||||
|         "*.jvmopts" |  | ||||||
| 
 |  | ||||||
|         # OS-related: |  | ||||||
|         ".DS_Store?" |  | ||||||
|         ".DS_Store" |  | ||||||
|         ".CFUserTextEncoding" |  | ||||||
|         ".Trash" |  | ||||||
|         ".Xauthority" |  | ||||||
|         "thumbs.db" |  | ||||||
|         "Thumbs.db" |  | ||||||
|         "Icon?" |  | ||||||
| 
 |  | ||||||
|         # Compiled residues: |  | ||||||
|         "*.class" |  | ||||||
|         "*.exe" |  | ||||||
|         "*.o" |  | ||||||
|         "*.pyc" |  | ||||||
|         "*.elc" |  | ||||||
|       ]; |  | ||||||
| 
 |  | ||||||
|       extraConfig = { |  | ||||||
|         init.defaultBranch = "main"; |  | ||||||
|         core = { |  | ||||||
|           editor = "nvim"; |  | ||||||
|           whitespace = "trailing-space,space-before-tab"; |  | ||||||
|         }; |  | ||||||
|         credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret"; |  | ||||||
| 
 |  | ||||||
|         user = { |  | ||||||
|           name = "Chris Kruining"; |  | ||||||
|           email = "chris@kruining.eu"; |  | ||||||
|           signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub"; |  | ||||||
|         }; |         }; | ||||||
| 
 | 
 | ||||||
|         gpg.format = "ssh"; |         ignores = [ | ||||||
|         commit.gpgSign = true; |           # General: | ||||||
|         tag.gpgSign = true; |           "*.bloop" | ||||||
|  |           "*.bsp" | ||||||
|  |           "*.metals" | ||||||
|  |           "*.metals.sbt" | ||||||
|  |           "*metals.sbt" | ||||||
|  |           "*.direnv" | ||||||
|  |           "*.envrc" | ||||||
|  |           "*hie.yaml" | ||||||
|  |           "*.mill-version" | ||||||
|  |           "*.jvmopts" | ||||||
| 
 | 
 | ||||||
|         push = { |           # OS-related: | ||||||
|           default = "current"; |           ".DS_Store?" | ||||||
|           gpgSign = "if-asked"; |           ".DS_Store" | ||||||
|           autoSquash = true; |           ".CFUserTextEncoding" | ||||||
|         }; |           ".Trash" | ||||||
|         pull.rebase = true; |           ".Xauthority" | ||||||
|  |           "thumbs.db" | ||||||
|  |           "Thumbs.db" | ||||||
|  |           "Icon?" | ||||||
| 
 | 
 | ||||||
|         filter = { |           # Compiled residues: | ||||||
|           required = true; |           "*.class" | ||||||
|           smudge = "git-lfs smudge -- %f"; |           "*.exe" | ||||||
|           process = "git-lfs filter-process"; |           "*.o" | ||||||
|           clean = "git-lfs clean -- %f"; |           "*.pyc" | ||||||
|         }; |           "*.elc" | ||||||
|  |         ]; | ||||||
| 
 | 
 | ||||||
|         url = { |         extraConfig = { | ||||||
|           "https://github.com/".insteadOf = "gh:"; |           init.defaultBranch = "main"; | ||||||
|           "git@github.com:".insteadOf = "ssh+gh:"; |           core = { | ||||||
|  |             editor = "nvim"; | ||||||
|  |             whitespace = "trailing-space,space-before-tab"; | ||||||
|  |           }; | ||||||
|  |           credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret"; | ||||||
|  | 
 | ||||||
|  |           user = { | ||||||
|  |             name = "Chris Kruining"; | ||||||
|  |             email = "chris@kruining.eu"; | ||||||
|  |             signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub"; | ||||||
|  |           }; | ||||||
|  | 
 | ||||||
|  |           gpg.format = "ssh"; | ||||||
|  |           commit.gpgSign = true; | ||||||
|  |           tag.gpgSign = true; | ||||||
|  | 
 | ||||||
|  |           push = { | ||||||
|  |             default = "current"; | ||||||
|  |             gpgSign = "if-asked"; | ||||||
|  |             autoSquash = true; | ||||||
|  |           }; | ||||||
|  |           pull.rebase = true; | ||||||
|  | 
 | ||||||
|  |           filter = { | ||||||
|  |             required = true; | ||||||
|  |             smudge = "git-lfs smudge -- %f"; | ||||||
|  |             process = "git-lfs filter-process"; | ||||||
|  |             clean = "git-lfs clean -- %f"; | ||||||
|  |           }; | ||||||
|  | 
 | ||||||
|  |           url = { | ||||||
|  |             "https://github.com/".insteadOf = "gh:"; | ||||||
|  |             "git@github.com:".insteadOf = "ssh+gh:"; | ||||||
|  |           }; | ||||||
|         }; |         }; | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
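Review bot: `home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";` exports the secret into every process of the login session, where it is readable through `/proc/<pid>/environ` by any process running as that user, inherited by arbitrary build scripts, and liable to end up in crash dumps and logs; whether home-manager even expands `$(…)` in its generated session-vars file should also be verified rather than assumed. Since `credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret"` is already configured a few lines down, git itself does not need the variable; for tools that do, a wrapper that reads the file on demand, e.g. `gh() { GITHUB_TOKEN="$(cat /run/agenix/tokenGH)" command gh "$@"; }`, keeps the token out of the ambient environment. The `gitignore` helper passes `$1` / `$argv` unquoted and without `curl -f`, so a bad template name writes the error page into `.gitignore`; `curl -sf -o .gitignore "https://gitignore.io/api/$1"` is safer.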
|  | @ -32,7 +32,7 @@ in | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|     home.configFile = mkIf config.module.hardware.bluetooth.enable { |     home.configFile = mkIf config.modules.hardware.bluetooth.enable { | ||||||
|       wireplumber-bluetooth = { |       wireplumber-bluetooth = { | ||||||
|         target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua"; |         target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua"; | ||||||
|         text = '' |         text = '' | ||||||
|  |  | ||||||
|  | @ -1,6 +1,6 @@ | ||||||
| { config, options, lib, pkgs, ... }: | { config, options, lib, pkgs, ... }: | ||||||
| { | { | ||||||
|   boot.loader.systemd-boot-enable = true; |   boot.loader.systemd-boot.enable = true; | ||||||
| 
 | 
 | ||||||
|   time.timeZone = "Europe/Amsterdam"; |   time.timeZone = "Europe/Amsterdam"; | ||||||
|    |    | ||||||
|  |  | ||||||
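--- /dev/null
+++ b/modules/system/security.nix
@@ -0,0 +1,62 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    kdePackages.kwallet-pam
+    bitwarden
+  ];
+
+  security = {
+    sudo.execWheelOnly = true;
+    acme.acceptTerms = true;
+    polkit.enable = true;
+    pam.services.kwallet = {
+      name = "kwallet";
+      enableKwallet = true;
+    };
+  };
+
+  networking.firewall.enable = true;
+  programs.gnupg.agent.enable = true;
+
+  boot = {
+    loader.systemd-boot = {
+      editor = false;
+      configurationLimit = 50;
+    };
+
+    kernalModules = [ "tcp_bbr" ];
+    kernal.sysctl = {
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+
+      ## TCP optimization
+      # Enable TCP Fast Open for incoming and outgoing connections
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+  };
+}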
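Review bot: `boot.kernalModules` and `boot.kernal.sysctl` are misspellings of `boot.kernelModules` / `boot.kernel.sysctl`, so as committed the entire sysctl hardening block is an undefined-option error rather than an applied setting. Once renamed, two entries deserve a second look: `net.ipv4.tcp_fastopen = 3` also enables server-side TFO, which is an odd default for a hardening module (`1` is client-only), and the comment above `send_redirects` should read "again, we're not a router". The old harden module's commented-out `security.auditd.enable` / `security.audit.enable` are not carried over, so there is still no audit trail, and common companions such as `kernel.kptr_restrict = 2` and `kernel.dmesg_restrict = 1` are absent; if that is deliberate a one-line comment saying so would help the next reader. `acme.acceptTerms = true` has nothing to do with hardening and belongs with whatever module actually configures ACME.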
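--- /dev/null
+++ b/modules/xgd.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+  hm.xdg.enable = true;
+
+  environment = {
+    sessionVariables = {
+      XDG_CACHE_HOME = "$HOME/.cache";
+      XDG_CONFIG_HOME = "$HOME/.config";
+      XDG_DATA_HOME = "$HOME/.local/share";
+      XDG_BIN_HOME = "$HOME/.local/bin";
+    };
+
+    variables = {
+      __GL_SHADER_DISK_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+      ASPELL_CONF = ''
+        per-conf $XDG_CONFIG_HOME/aspell/aspell.conf;
+        personal $XDG_CONFIG_HOME/aspell/en_US.pws;
+        repl $XDG_CONFIG_HOME/aspell/en.prepl;
+      '';
+      CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+      HISTFILE = "$XDG_DATA_HOME/bash/history";
+      INPUTRC = "$XDG_CONFIG_HOME/readline/inputrc";
+      LESSHISTFILE = "$XDG_CACHE_HOME/lesshst";
+      WGETRC = "$XDG_CONFIG_HOME/wgetrc";
+    };
+
+    extraInit = ''
+      export XAUTHORITY=/tmp/Xauthority
+      [ -e ~/.Xauthority ] && mv -f ~/.Xauthority "$XAUTHORITY"
+    '';
+  };
+}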
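Review bot: `export XAUTHORITY=/tmp/Xauthority` in `environment.extraInit` puts the X authority cookie at a fixed, predictable path in world-writable `/tmp` that is shared by every user on the host, root included, so another local user can pre-create that file to read the cookie or block the login, and two concurrent sessions clobber each other's cookies. The per-user runtime directory is the right place: `export XAUTHORITY="$XDG_RUNTIME_DIR/Xauthority"`, which is private (mode 0700) and removed at logout. The `mv -f` should then be guarded so it does not run where `XDG_RUNTIME_DIR` is unset, e.g. `[ -n "$XDG_RUNTIME_DIR" ] && [ -e ~/.Xauthority ] && mv -f ~/.Xauthority "$XAUTHORITY"`. The file name `xgd.nix` also looks like a typo for `xdg.nix`, which would matter if anything imports it by name rather than through the directory scan.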