Aughhthghhhgh

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>

README.md

@@ -24,6 +24,22 @@ Apple Silicon hosts require additional `--impure` flag for firmware installation
 - vetus (iMac 27" 2017)
 - celerrime (MacBook Air M2)
 
+## Modules
+
+Module example:
+```nix
+{ config, lib, ... }:
+
+let
+    cfg = config.my.MODULE;
+in {
+  options.my.MODULE.enable = lib.mkEnableOption "Enable MODULE";
+  config = lib.mkIf (cfg.enable) {
+    MODULE_CONFIGURATION
+  };
+}
+```
+
 ## Shells
 
 I "made" some shell in [shells/](./shells).
@@ -35,3 +51,9 @@ I install my dotfiles with prepared script
 ```shell
 curl https://iva.bz/nix | sh
 ```
+
+## TODO
+
+- Setup services (which I host)
+- Setup "secret" roles (I need them)
+- Setup router

common/networking.nix

@@ -2,6 +2,7 @@
 
 {
   networking.firewall.allowPing = true;
+
   networking.useNetworkd = lib.mkDefault true;
   systemd.network.wait-online.enable = lib.mkDefault false;
 

common/remote-access.nix

@@ -5,7 +5,7 @@
     enable = true;
     settings.PasswordAuthentication = false;
     
-    # Cute banner, right?
+    # Cute banner, r-right?
     banner = ''
 
 Authorized access only!
@@ -14,7 +14,4 @@ If you are not authorized to access or use this system, disconnect now!
 
     '';
   };
-
-  # TODO: I don't use it
-  programs.mosh.enable = true;
 }

common/security.nix

@@ -19,6 +19,8 @@
   boot.kernel.sysctl = {
     "kernel.sysrq" = 0;
 
+    # Picked from https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack
+
     "net.ipv4.icmp_ignore_bogus_error_responces" = 1;
     "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
     "net.ipv4.conf.default.rp_filter" = 1;

common/user.nix

@@ -5,16 +5,17 @@ let
 in rec {
   users.mutableUsers = false;
 
+  users.groups.ivabus = { gid = 1000; };
   users.users.ivabus = {
     isNormalUser = true;
-    # Figure out groups I need
-    extraGroups = [ "wheel" "input" "video" "audio" "disk" "libvirtd" "qemu-libvirtd"];
+    group = "ivabus";
+    extraGroups = [ "users" "wheel" ];
     uid = 1000;
     packages = with pkgs; [
       tree
       cargo
       rustc
-      neofetch
+      neofetch # I use NixOS BTW
       htop
     ];
     shell = pkgs.zsh;

default.nix

@@ -2,7 +2,7 @@ rec {
   common = import ./common;
   roles = import ./roles;
 
-  modules = { pkgs, ... }: rec {
+  modules = { pkgs, ... }: {
     imports = [
       common
       roles

machines/stella/default.nix

@@ -20,7 +20,7 @@ in {
     devel.enable = true;
     gaming.enable = true;
     graphical.enable = true;
-    latex.enable = true;
+    latex.enable = false;
     virtualisation.enable = true;
     yggdrasil-client.enable = true;
   };
@@ -37,4 +37,3 @@ in {
 
   system.stateVersion = "23.05";
 }
-

roles/devel.nix

@@ -14,6 +14,7 @@ in {
         llvm
         lld
         python3Full
+        gnumake
         automake
         autoconf
         meson

roles/latex.nix

@@ -7,7 +7,7 @@ in {
   config = lib.mkIf (cfg.enable){
     environment.systemPackages = with pkgs; [
       # Maybe I don't need to use -full variant of texlive
-      # I should find distribution I actually need
+      # TODO: I should find distribution I actually need
       texlive.combined.scheme-full
     ];
   };

roles/virtualisation.nix

@@ -5,6 +5,7 @@ let
 in {
   options.my.roles.virtualisation.enable = lib.mkEnableOption "Enable tools for virtualisation";
   config = lib.mkIf (cfg.enable) {
+    # TODO: Think if I ever need virtualisation
     virtualisation.libvirtd.enable = true;
     environment.systemPackages = with pkgs; [
       qemu_full

roles/yggdrasil-client.nix

@@ -10,7 +10,7 @@ in {
       persistentKeys = true;
       settings = {
         Peers = [
-          # Maybe add more peers, not only mine
+          # TODO: Maybe add more peers, not only mine. But for now it's ok
           "tls://ygg.iva.bz:50002"
         ];
       };