Rethink configuration

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
This commit is contained in:
Ivan Bushchik 2023-08-19 11:06:28 +03:00
parent c10365ed35
commit 595cc4d833
No known key found for this signature in database
GPG key ID: 9F6DDABE11A2674D
13 changed files with 270 additions and 58 deletions

1
.gitignore vendored
View file

@ -1,2 +1 @@
asahi* asahi*
flake.lock

View file

@ -18,17 +18,25 @@
daemonIOSchedClass = "idle"; daemonIOSchedClass = "idle";
}; };
documentation = {
doc.enable = false;
info.enable = false;
man.enable = true;
nixos.enable = false;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
neovim
wget wget
git
curl curl
usbutils usbutils
pciutils pciutils
coreutils-full coreutils-full
killall killall
git
git-crypt git-crypt
neovim
python3Minimal python3Minimal
]; ];
boot.tmp.cleanOnBoot = true;
} }

View file

@ -6,8 +6,6 @@
lm_sensors lm_sensors
]; ];
boot.plymouth.enable = true;
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
services.blueman.enable = true; services.blueman.enable = true;

View file

@ -1,4 +1,4 @@
{ ... }: { pkgs, ... }:
{ {
networking.wireless.iwd.enable = true; networking.wireless.iwd.enable = true;
@ -28,4 +28,6 @@
services.timesyncd.enable = true; services.timesyncd.enable = true;
networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ]; networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ];
boot.kernelModules = [ "af_packet" ];
environment.systemPackages = with pkgs; [ mtr tcpdump traceroute ];
} }

48
common/security.nix Normal file
View file

@ -0,0 +1,48 @@
{ lib, ... }:
{
systemd.coredump.enable = false;
security = {
lockKernelModules = true;
protectKernelImage = true;
allowSimultaneousMultithreading = true;
forcePageTableIsolation = false;
virtualisation.flushL1DataCache = "always";
apparmor = {
enable = true;
killUnconfinedConfinables = true;
};
allowUserNamespaces = true;
};
boot.kernel.sysctl = {
"kernel.sysrq" = 0;
"net.ipv4.icmp_ignore_bogus_error_responces" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelModules = [ "tcp_bbr" ];
}

View file

@ -2,10 +2,12 @@
let let
secrets = import ../secrets.nix; secrets = import ../secrets.nix;
in { in rec {
users.mutableUsers = false;
users.users.ivabus = { users.users.ivabus = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "input" ]; extraGroups = [ "wheel" "input" "video" "audio" "disk" "libvirtd" "qemu-libvirtd"];
uid = 1000; uid = 1000;
packages = with pkgs; [ packages = with pkgs; [
tree tree
@ -29,6 +31,12 @@ in {
hashedPassword = secrets.hashed-password; hashedPassword = secrets.hashed-password;
}; };
users.users.root = {
hashedPassword = null;
openssh.authorizedKeys.keys = users.users.ivabus.openssh.authorizedKeys.keys;
};
programs.zsh = { programs.zsh = {
enable = true; enable = true;
}; };
@ -39,36 +47,6 @@ in {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users.ivabus = { home-manager.users.ivabus = {
gtk = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
cursorTheme = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
};
};
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
};
programs.git = { programs.git = {
enable = true; enable = true;
userName = "Ivan Bushchik"; userName = "Ivan Bushchik";

116
flake.lock Normal file
View file

@ -0,0 +1,116 @@
{
"nodes": {
"apple-silicon-support": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1692423274,
"narHash": "sha256-r84qq3YWbDtISIFh9tfNtmqVfBUYrhvIgE/Ivk+1F6Y=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "5e5a0933387f914f2ad7033f2afbc8a074b9480b",
"type": "github"
},
"original": {
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1692503956,
"narHash": "sha256-MOA6FKc1YgfGP3ESnjSYfsyJ1BXlwV5pGlY/u5XdJfY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "958c06303f43cf0625694326b7f7e5475b1a2d5c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1692264070,
"narHash": "sha256-WepAkIL2UcHOj7JJiaFS/vxrA9lklQHv8p+xGL+7oQ0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1692447944,
"narHash": "sha256-fkJGNjEmTPvqBs215EQU4r9ivecV5Qge5cF/QDLVn3U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d680ded26da5cf104dd2735a51e88d2d8f487b4d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"apple-silicon-support": "apple-silicon-support",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs_2"
}
},
"rust-overlay": {
"flake": false,
"locked": {
"lastModified": 1686795910,
"narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

View file

@ -19,15 +19,18 @@
modules = [ modules = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
./common/base.nix ./common/base.nix
./common/user.nix
./common/laptop.nix ./common/laptop.nix
./common/networking.nix
./common/locale.nix ./common/locale.nix
./common/networking.nix
./common/remote-access.nix ./common/remote-access.nix
./common/security.nix
./common/user.nix
./roles/design.nix
./roles/devel.nix
./roles/gaming.nix
./roles/graphical.nix ./roles/graphical.nix
./roles/latex.nix ./roles/latex.nix
./roles/gaming.nix ./roles/virtualisation.nix
./roles/devel.nix
./roles/yggdrasil-client.nix ./roles/yggdrasil-client.nix
./machines/stella/configuration.nix ./machines/stella/configuration.nix
./machines/stella/hardware.nix ./machines/stella/hardware.nix
@ -40,15 +43,17 @@
modules = [ modules = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
./common/base.nix ./common/base.nix
./common/user.nix
./common/laptop.nix ./common/laptop.nix
./common/networking.nix
./common/locale.nix ./common/locale.nix
./common/networking.nix
./common/remote-access.nix ./common/remote-access.nix
./common/security.nix
./common/user.nix
./roles/graphical.nix ./roles/graphical.nix
./roles/latex.nix ./roles/latex.nix
./roles/gaming.nix ./roles/gaming.nix
./roles/devel.nix ./roles/devel.nix
./roles/virtualisation.nix
./roles/yggdrasil-client.nix ./roles/yggdrasil-client.nix
./machines/vetus/configuration.nix ./machines/vetus/configuration.nix
./machines/vetus/hardware.nix ./machines/vetus/hardware.nix

9
roles/design.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
inkscape
gimp
imagemagick
];
}

View file

@ -1,15 +1,25 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
nixpkgs.config.allowUnfree = true; config = lib.mkMerge [{
environment.systemPackages = with pkgs; [ nixpkgs.config.allowUnfree = true;
rustc environment.systemPackages = with pkgs; [
cargo rustc
rustup cargo
vscode rustup
clang vscode
llvm clang
lld llvm
python3Full lld
python3Full
automake
autoconf
meson
ninja
];
}
(lib.mkIf (!pkgs.stdenv.isAarch64) {boot.binfmt.emulatedSystems = [ "aarch64-linux" ];})
(lib.mkIf (!pkgs.stdenv.isx86_64) {boot.binfmt.emulatedSystems = [ "x86_64-linux" ];})
]; ];
} }

View file

@ -40,7 +40,6 @@
kanshi kanshi
libsForQt5.qt5ct libsForQt5.qt5ct
mako mako
pulseaudio
brightnessctl brightnessctl
wdisplays wdisplays
]; ];
@ -70,6 +69,8 @@
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
noto-fonts noto-fonts
noto-fonts-cjk noto-fonts-cjk
noto-fonts-cjk-sans
noto-fonts-cjk-serif
noto-fonts-emoji noto-fonts-emoji
jetbrains-mono jetbrains-mono
font-awesome font-awesome
@ -80,4 +81,37 @@
roboto-mono roboto-mono
kochi-substitute kochi-substitute
]; ];
home-manager.users.ivabus = {
gtk = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
cursorTheme = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
};
};
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
};
};
} }

5
roles/virtualisation.nix Normal file
View file

@ -0,0 +1,5 @@
{ pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
}

View file

@ -9,10 +9,10 @@ in
pkgs.pkgsStatic.callPackage ( pkgs.pkgsStatic.callPackage (
{mkShell, pkg-config, zlib, file}: {mkShell, pkg-config, zlib, file}:
mkShell { mkShell {
nativeBuildInputs = [ pkg-config file]; nativeBuildInputs = [ pkg-config file ];
buildInputs = [ zlib ]; buildInputs = [ zlib ];
env = { env = {
CROSS = crossSystem; CROSS_COMPILE = crossSystem;
}; };
} }
) {} ) {}