From 595cc4d833f7dffd305f557da84e303f8b7cb148 Mon Sep 17 00:00:00 2001 From: Ivan Bushchik Date: Sat, 19 Aug 2023 11:06:28 +0300 Subject: [PATCH] Rethink configuration Signed-off-by: Ivan Bushchik --- .gitignore | 1 - common/base.nix | 12 +++- common/laptop.nix | 2 - common/networking.nix | 4 +- common/security.nix | 48 ++++++++++++++++ common/user.nix | 42 ++++---------- flake.lock | 116 +++++++++++++++++++++++++++++++++++++++ flake.nix | 17 ++++-- roles/design.nix | 9 +++ roles/devel.nix | 32 +++++++---- roles/graphical.nix | 36 +++++++++++- roles/virtualisation.nix | 5 ++ shells/crossShell.nix | 4 +- 13 files changed, 270 insertions(+), 58 deletions(-) create mode 100644 common/security.nix create mode 100644 flake.lock create mode 100644 roles/design.nix create mode 100644 roles/virtualisation.nix diff --git a/.gitignore b/.gitignore index 3405f13..25e28f3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ asahi* -flake.lock diff --git a/common/base.nix b/common/base.nix index fbae0fa..f19cf81 100644 --- a/common/base.nix +++ b/common/base.nix @@ -18,17 +18,25 @@ daemonIOSchedClass = "idle"; }; + documentation = { + doc.enable = false; + info.enable = false; + man.enable = true; + nixos.enable = false; + }; + environment.systemPackages = with pkgs; [ - neovim wget - git curl usbutils pciutils coreutils-full killall + git git-crypt + neovim python3Minimal ]; + boot.tmp.cleanOnBoot = true; } \ No newline at end of file diff --git a/common/laptop.nix b/common/laptop.nix index 7abf22b..02b915f 100644 --- a/common/laptop.nix +++ b/common/laptop.nix @@ -6,8 +6,6 @@ lm_sensors ]; - boot.plymouth.enable = true; - hardware.bluetooth.enable = true; services.blueman.enable = true; diff --git a/common/networking.nix b/common/networking.nix index f48008a..3f6daf5 100644 --- a/common/networking.nix +++ b/common/networking.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { networking.wireless.iwd.enable = true; 
@@ -28,4 +28,6 @@ services.timesyncd.enable = true; networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ]; + boot.kernelModules = [ "af_packet" ]; + environment.systemPackages = with pkgs; [ mtr tcpdump traceroute ]; } diff --git a/common/security.nix b/common/security.nix new file mode 100644 index 0000000..db32a1c --- /dev/null +++ b/common/security.nix @@ -0,0 +1,48 @@ +{ lib, ... }: + +{ + systemd.coredump.enable = false; + + security = { + lockKernelModules = true; + protectKernelImage = true; + allowSimultaneousMultithreading = true; + forcePageTableIsolation = false; + virtualisation.flushL1DataCache = "always"; + apparmor = { + enable = true; + killUnconfinedConfinables = true; + }; + + allowUserNamespaces = true; + + }; + + boot.kernel.sysctl = { + "kernel.sysrq" = 0; + "net.ipv4.icmp_ignore_bogus_error_responces" = 1; + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + + "net.ipv4.tcp_syncookies" = 1; + "net.ipv4.tcp_rfc1337" = 1; + + "net.ipv4.tcp_fastopen" = 3; + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + + boot.kernelModules = [ "tcp_bbr" ]; +} diff --git a/common/user.nix b/common/user.nix index 0c6827e..e6ccb48 100644 --- a/common/user.nix +++ b/common/user.nix 
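Review bot: The new `boot.kernelModules = [ "af_packet" ];` line carries no explanation of why a module that is normally autoloaded has to be pinned at boot; the reason appears to be `security.lockKernelModules = true` in common/security.nix from this same commit, which refuses module loading once the system is up, so a later cleanup could drop the line as redundant and quietly break tcpdump. Add `# preloaded: security.lockKernelModules blocks on-demand loading after boot` above it. The same comment belongs on `boot.kernelModules = [ "tcp_bbr" ];` in common/security.nix.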
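Review bot: The sysctl key `"net.ipv4.icmp_ignore_bogus_error_responces"` is misspelled (`responces`), so no such kernel parameter exists; systemd-sysctl logs an error for that entry and ignores it, and the setting is never applied even though the file reads as hardened. Change it to `"net.ipv4.icmp_ignore_bogus_error_responses" = 1;`. Separately, `lockKernelModules = true` disables module loading after boot while this commit also enables libvirtd in roles/virtualisation.nix; anything libvirt or the firewall loads lazily (kvm, vhost, netfilter helpers) will be refused unless it is built in or listed in `boot.kernelModules`, so please verify on a machine with that role or document the expectation next to the option. A short comment that `forcePageTableIsolation = false` and `allowSimultaneousMultithreading = true` deliberately keep the defaults would also help, since the block otherwise reads as a hardening choice.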
@@ -2,10 +2,12 @@ let secrets = import ../secrets.nix; -in { +in rec { + users.mutableUsers = false; + users.users.ivabus = { isNormalUser = true; - extraGroups = [ "wheel" "input" ]; + extraGroups = [ "wheel" "input" "video" "audio" "disk" "libvirtd" "qemu-libvirtd"]; uid = 1000; packages = with pkgs; [ tree @@ -29,6 +31,12 @@ in { hashedPassword = secrets.hashed-password; }; + + users.users.root = { + hashedPassword = null; + openssh.authorizedKeys.keys = users.users.ivabus.openssh.authorizedKeys.keys; + }; + programs.zsh = { enable = true; }; @@ -39,36 +47,6 @@ in { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; home-manager.users.ivabus = { - gtk = { - enable = true; - theme = { - name = "Catppuccin-Macchiato-Standard-Blue-dark"; - package = pkgs.catppuccin-gtk.override { - accents = [ "blue" ]; - tweaks = [ "rimless" ]; - size = "standard"; - variant = "macchiato"; - }; - }; - iconTheme = { - name = "Mint-Y-Blue"; - package = pkgs.cinnamon.mint-y-icons; - }; - cursorTheme = { - name = "Catppuccin-Macchiato-Dark-Cursors"; - package = pkgs.catppuccin-cursors.macchiatoDark; - }; - font = { - name = "Ubuntu"; - size = 9; - package = pkgs.ubuntu_font_family; - }; - }; - home.pointerCursor = { - name = "Catppuccin-Macchiato-Dark-Cursors"; - package = pkgs.catppuccin-cursors.macchiatoDark; - x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors"; - }; programs.git = { enable = true; userName = "Ivan Bushchik"; diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..9d78871 --- /dev/null +++ b/flake.lock 
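Review bot: `extraGroups` now includes `"disk"`, which grants read/write access to raw block devices and is therefore root-equivalent for everything stored on the machine, and with `users.mutableUsers = false` it is a permanent part of the configuration rather than a one-off. If it was added for libvirt, the `libvirtd` group is normally sufficient for managing VMs through the system daemon; otherwise keep the entry but mark it, `"disk" # raw block-device access, root-equivalent`, so the grant is visibly deliberate. The `users.users.ivabus` attribute set continues past the end of this hunk.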
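Review bot: The new `users.users.root` block copies ivabus's SSH keys into root's authorized keys, so the holder of that key can log in as root directly; whether sshd permits it depends on `PermitRootLogin` in common/remote-access.nix, which is outside this diff, and the NixOS default allows key-based root login. If direct root login is intended, say so in a comment; if it is only a recovery path, set `services.openssh.settings.PermitRootLogin = "no";` there or drop the key copy and rely on `wheel`. Reaching `users.users.ivabus.openssh.authorizedKeys.keys` through `rec` on the module's top-level set only works because both definitions live in this file; `config.users.users.ivabus.openssh.authorizedKeys.keys` is the usual form if `config` is among the module's arguments (the header is outside the hunk).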
@@ -0,0 +1,116 @@ +{ + "nodes": { + "apple-silicon-support": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1692423274, + "narHash": "sha256-r84qq3YWbDtISIFh9tfNtmqVfBUYrhvIgE/Ivk+1F6Y=", + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "rev": "5e5a0933387f914f2ad7033f2afbc8a074b9480b", + "type": "github" + }, + "original": { + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1692503956, + "narHash": "sha256-MOA6FKc1YgfGP3ESnjSYfsyJ1BXlwV5pGlY/u5XdJfY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "958c06303f43cf0625694326b7f7e5475b1a2d5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1692264070, + "narHash": "sha256-WepAkIL2UcHOj7JJiaFS/vxrA9lklQHv8p+xGL+7oQ0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1692447944, + "narHash": "sha256-fkJGNjEmTPvqBs215EQU4r9ivecV5Qge5cF/QDLVn3U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d680ded26da5cf104dd2735a51e88d2d8f487b4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": 
"nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "apple-silicon-support": "apple-silicon-support", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs_2" + } + }, + "rust-overlay": { + "flake": false, + "locked": { + "lastModified": 1686795910, + "narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 3500126..51075b3 100644 --- a/flake.nix +++ b/flake.nix @@ -19,15 +19,18 @@ modules = [ home-manager.nixosModules.home-manager ./common/base.nix - ./common/user.nix ./common/laptop.nix - ./common/networking.nix ./common/locale.nix + ./common/networking.nix ./common/remote-access.nix + ./common/security.nix + ./common/user.nix + ./roles/design.nix + ./roles/devel.nix + ./roles/gaming.nix ./roles/graphical.nix ./roles/latex.nix - ./roles/gaming.nix - ./roles/devel.nix + ./roles/virtualisation.nix ./roles/yggdrasil-client.nix ./machines/stella/configuration.nix ./machines/stella/hardware.nix @@ -40,15 +43,17 @@ modules = [ home-manager.nixosModules.home-manager ./common/base.nix - ./common/user.nix ./common/laptop.nix - ./common/networking.nix ./common/locale.nix + ./common/networking.nix ./common/remote-access.nix + ./common/security.nix + ./common/user.nix ./roles/graphical.nix ./roles/latex.nix ./roles/gaming.nix ./roles/devel.nix + ./roles/virtualisation.nix ./roles/yggdrasil-client.nix ./machines/vetus/configuration.nix ./machines/vetus/hardware.nix diff --git a/roles/design.nix b/roles/design.nix new file mode 100644 index 0000000..4d8487c --- /dev/null +++ b/roles/design.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + inkscape + gimp + imagemagick + ]; +} 
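Review bot: The stella and vetus `modules` lists are maintained by hand in two places and already drift (the vetus hunk lacks `./roles/design.nix` and keeps the old ordering), so every new shared module — `./common/security.nix` here — has to be remembered twice; the module system merges definitions regardless of list order, so the reordering itself is cosmetic. Hoisting the shared entries into one binding and appending only the per-machine ones removes that risk. Where the `let` sits depends on the `outputs` structure outside these hunks.
```nix
# … unchanged: flake inputs and the outputs function header …
let
  commonModules = [
    home-manager.nixosModules.home-manager
    ./common/base.nix
    ./common/laptop.nix
    ./common/locale.nix
    ./common/networking.nix
    ./common/remote-access.nix
    ./common/security.nix
    ./common/user.nix
    ./roles/devel.nix
    ./roles/gaming.nix
    ./roles/graphical.nix
    ./roles/latex.nix
    ./roles/virtualisation.nix
    ./roles/yggdrasil-client.nix
  ];
in
# … unchanged: nixosSystem call for stella …
      modules = commonModules ++ [
        ./roles/design.nix
        ./machines/stella/configuration.nix
        ./machines/stella/hardware.nix
      ];
# … unchanged: nixosSystem call for vetus, with commonModules ++ its machine files …
```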
diff --git a/roles/devel.nix b/roles/devel.nix index e395fe4..75c6b32 100644 --- a/roles/devel.nix +++ b/roles/devel.nix @@ -1,15 +1,25 @@ { config, pkgs, lib, ... }: { - nixpkgs.config.allowUnfree = true; - environment.systemPackages = with pkgs; [ - rustc - cargo - rustup - vscode - clang - llvm - lld - python3Full + config = lib.mkMerge [{ + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ + rustc + cargo + rustup + vscode + clang + llvm + lld + python3Full + automake + autoconf + meson + ninja + ]; + } + + (lib.mkIf (!pkgs.stdenv.isAarch64) {boot.binfmt.emulatedSystems = [ "aarch64-linux" ];}) + (lib.mkIf (!pkgs.stdenv.isx86_64) {boot.binfmt.emulatedSystems = [ "x86_64-linux" ];}) ]; -} +} \ No newline at end of file diff --git a/roles/graphical.nix b/roles/graphical.nix index 10832c1..476b344 100644 --- a/roles/graphical.nix +++ b/roles/graphical.nix @@ -40,7 +40,6 @@ kanshi libsForQt5.qt5ct mako - pulseaudio brightnessctl wdisplays ]; @@ -70,6 +69,8 @@ fonts.packages = with pkgs; [ noto-fonts noto-fonts-cjk + noto-fonts-cjk-sans + noto-fonts-cjk-serif noto-fonts-emoji jetbrains-mono font-awesome @@ -80,4 +81,37 @@ roboto-mono kochi-substitute ]; + + home-manager.users.ivabus = { + gtk = { + enable = true; + theme = { + name = "Catppuccin-Macchiato-Standard-Blue-dark"; + package = pkgs.catppuccin-gtk.override { + accents = [ "blue" ]; + tweaks = [ "rimless" ]; + size = "standard"; + variant = "macchiato"; + }; + }; + iconTheme = { + name = "Mint-Y-Blue"; + package = pkgs.cinnamon.mint-y-icons; + }; + cursorTheme = { + name = "Catppuccin-Macchiato-Dark-Cursors"; + package = pkgs.catppuccin-cursors.macchiatoDark; + }; + font = { + name = "Ubuntu"; + size = 9; + package = pkgs.ubuntu_font_family; + }; + }; + home.pointerCursor = { + name = "Catppuccin-Macchiato-Dark-Cursors"; + package = pkgs.catppuccin-cursors.macchiatoDark; + x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors"; + }; + }; } \ No newline at end of file 
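Review bot: The two `lib.mkIf` entries at the end of the `mkMerge` list express one list-valued option as two conditional modules, which reads as if they were mutually exclusive although on a third architecture both apply; a single definition inside the first attribute set is clearer: `boot.binfmt.emulatedSystems = lib.optional (!pkgs.stdenv.isAarch64) "aarch64-linux" ++ lib.optional (!pkgs.stdenv.isx86_64) "x86_64-linux";`, after which the `config = lib.mkMerge [ … ]` wrapper is no longer needed. `pkgs.stdenv.hostPlatform.isAarch64` / `.isx86_64` is the more explicit spelling of the `stdenv.isAarch64` aliases. The file also loses its trailing newline in this hunk (`\ No newline at end of file`).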
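Review bot: `noto-fonts-cjk` is kept in `fonts.packages` while `noto-fonts-cjk-sans` and `noto-fonts-cjk-serif` are added; as far as I know `noto-fonts-cjk` is an alias of `noto-fonts-cjk-sans` in nixpkgs, so the list would now name the same package twice. Drop the `noto-fonts-cjk` line if that holds on the pinned nixpkgs revision. The `fonts.packages` list continues outside this hunk on both sides.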
diff --git a/roles/virtualisation.nix b/roles/virtualisation.nix
new file mode 100644
index 0000000..2353af5
--- /dev/null
+++ b/roles/virtualisation.nix
@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+
+{
+ virtualisation.libvirtd.enable = true;
+}
\ No newline at end of file
diff --git a/shells/crossShell.nix b/shells/crossShell.nix
index 7bd7a2a..068c568 100644
--- a/shells/crossShell.nix
+++ b/shells/crossShell.nix
@@ -9,10 +9,10 @@ in
 pkgs.pkgsStatic.callPackage (
 {mkShell, pkg-config, zlib, file}:
 mkShell {
- nativeBuildInputs = [ pkg-config file];
+ nativeBuildInputs = [ pkg-config file ];
 buildInputs = [ zlib ];
 env = {
- CROSS = crossSystem;
+ CROSS_COMPILE = crossSystem;
 };
 }
 ) {}
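Review bot: The module header `{ pkgs, ... }:` declares `pkgs` but the body never uses it; `{ ... }:` is enough for this single-option module. The file is also created without a trailing newline (`\ No newline at end of file`), which most editors and linters will flag on the next touch.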
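Review bot: Renaming the variable to `CROSS_COMPILE` gives it the meaning the kernel build and most Makefile/autotools setups attach to that name — a toolchain prefix such as `aarch64-unknown-linux-musl-` — but `crossSystem` is bound above the hunk and, judging by its name, holds a system description rather than a prefix; if so, any build that honors `CROSS_COMPILE` will look for a tool named `<system>gcc` and fail. Either document the intended meaning, `CROSS_COMPILE = crossSystem; # NOTE: system string, not a tool prefix`, or derive a real prefix (for a plain string value, `CROSS_COMPILE = "${crossSystem}-";`) after checking what `crossSystem` actually holds. The `let` binding that defines it is outside this hunk.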