author | Preston Pan <ret2pop@gmail.com> | 2025-01-13 22:11:02 -0800 |
---|---|---|
committer | Preston Pan <ret2pop@gmail.com> | 2025-01-13 22:11:02 -0800 |
commit | dd461e48043dabee4694e2b200f4c1d9cfdbc3d9 (patch) | |
tree | bc6c481be908e92e52d7828caf17365d00f5e7b7 /nix | |
parent | d878a0353ba8cec87df4f79d59864c92b1ea4cea (diff) |
merge these two repos into one
Diffstat (limited to 'nix')
-rw-r--r-- | nix/.sops.yaml | 7 | ||||
-rw-r--r-- | nix/flake.lock | 425 | ||||
-rw-r--r-- | nix/flake.nix | 74 | ||||
-rw-r--r-- | nix/modules/default.nix | 6 | ||||
-rw-r--r-- | nix/modules/home/secrets.nix | 19 | ||||
-rw-r--r-- | nix/modules/secure-boot.nix | 20 | ||||
-rw-r--r-- | nix/modules/vars.nix | 48 | ||||
-rw-r--r-- | nix/secrets/secrets.yaml | 23 | ||||
-rw-r--r-- | nix/systems/desktop/configuration.nix | 399 | ||||
-rw-r--r-- | nix/systems/desktop/home.nix | 14 | ||||
-rw-r--r-- | nix/systems/desktop/sda-simple.nix | 39 | ||||
-rw-r--r-- | nix/systems/desktop/user.nix | 1395 | ||||
-rw-r--r-- | nix/systems/desktop/vars.nix | 54 | ||||
-rw-r--r-- | nix/systems/installer/commits.nix | 4 | ||||
-rw-r--r-- | nix/systems/installer/iso.nix | 181 |
15 files changed, 2708 insertions, 0 deletions
diff --git a/nix/.sops.yaml b/nix/.sops.yaml
new file mode 100644
index 0000000..9c91d66
--- /dev/null
+++ b/nix/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/nix/flake.lock b/nix/flake.lock
new file mode 100644
index 0000000..1bfaf27
--- /dev/null
+++ b/nix/flake.lock
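Review bot: The `creation_rules` entry for `secrets/secrets.yaml` names a single age recipient (`&primary`), so one private key is both the only way to decrypt every secret in that file and a single point of failure if it is lost. If that identity is a personal key rather than the host's, sops-nix on `continuity` will also be unable to decrypt at activation unless the same private key is copied onto the host; which kind of key it is cannot be told from the hunk. The usual layout is one key group listing the host key (derived from the host's SSH host key with `ssh-to-age`) next to the personal key, e.g. a second anchor under `keys:` and `- *host_continuity` beside `- *primary`, followed by `sops updatekeys secrets/secrets.yaml`.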
@@ -0,0 +1,425 @@ +{ + "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736437680, + "narHash": "sha256-9Sy17XguKdEU9M5peTrkWSlI/O5IAqjHzdzxbXnc30g=", + "owner": "nix-community", + "repo": "disko", + "rev": "4d5d07d37ff773338e40a92088f45f4f88e509c8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": 
"flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.1", + "repo": "lanzaboote", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 
1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1736344531, + "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1736483761, + "narHash": "sha256-4ebVuPVQ1J2NxDDzDjSAeu44B8qv8163l2K63cFYpS4=", + "owner": "nix-community", + "repo": "NUR", + "rev": "4f54273e0e23db6d8c65150de4b29bffa9b1b518", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + 
"nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "lanzaboote": "lanzaboote", + "nixpkgs": "nixpkgs", + "nur": "nur", + "scripts": "scripts", + "sops-nix": "sops-nix", + "wallpapers": "wallpapers" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "scripts": { + "locked": { + "lastModified": 1709958643, + "narHash": "sha256-+NHuHYUTUkjIOaCZlH7gICDwRu2dMgJ6smmU9DvgLT0=", + "owner": "ret2pop", + "repo": "scripts", + "rev": "8e230dcb118d5a25629c1980a4764ae071bfb2bf", + "type": "github" + }, + "original": { + "owner": "ret2pop", + "repo": "scripts", + "type": "github" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1736203741, + "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + 
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "wallpapers": { + "locked": { + "lastModified": 1710138216, + "narHash": "sha256-LcgB1Fkb9PZLF9BiV310mSWe3emK1+aJ2gxkeSsuOQ4=", + "owner": "ret2pop", + "repo": "wallpapers", + "rev": "18edf36b53936ee2eda766b7b29ee91b21e2d5cd", + "type": "github" + }, + "original": { + "owner": "ret2pop", + "repo": "wallpapers", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/flake.nix b/nix/flake.nix new file mode 100644 index 0000000..555a8c1 --- /dev/null +++ b/nix/flake.nix 
@@ -0,0 +1,74 @@
+{
+ description = "Emacs centric configurations for a complete networked system";
+
+ inputs = {
+ nixpkgs = {
+ url = "github:nixos/nixpkgs/nixos-24.11";
+ };
+
+ home-manager = {
+ url = "github:nix-community/home-manager/release-24.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.1";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nur.url = "github:nix-community/NUR";
+ sops-nix.url = "github:Mic92/sops-nix";
+ scripts.url = "github:ret2pop/scripts";
+ wallpapers.url = "github:ret2pop/wallpapers";
+ };
+
+ outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: {
+ nixosConfigurations = {
+ installer = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (
+ { pkgs, modulesPath, ... }:
+ {
+ imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ];
+ }
+ )
+ ./systems/installer/iso.nix
+ ];
+ };
+
+ continuity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [
+ { nixpkgs.overlays = [ nur.overlays.default ]; }
+ { home-manager.extraSpecialArgs = attrs; }
+ lanzaboote.nixosModules.lanzaboote
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
+ ./systems/desktop/configuration.nix
+ ./systems/desktop/sda-simple.nix
+ ./systems/desktop/home.nix
+ ];
+ };
+
+ spontaneity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [];
+ };
+
+ affinity = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [];
+ };
+ };
+ };
+}
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
new file mode 100644
index 0000000..b03d632
--- /dev/null
+++ b/nix/modules/default.nix
@@ -0,0 +1,6 @@
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ./home/secrets.nix
+ ];
+}
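Review bot: The `continuity` host installs `nur.overlays.default` into `nixpkgs.overlays` for the whole system, which exposes every package in the NUR tree (user-contributed, not reviewed by nixpkgs maintainers) to any attribute lookup, and `nur` is fetched from its default branch with no ref, so `flake.lock` is the only pin. `sops-nix` and `nur` also lack `inputs.nixpkgs.follows = "nixpkgs";`, which is why the lock carries two extra nixpkgs trees (`nixpkgs_2`, `nixpkgs_3`) and why the sops module's tooling is built from a different nixpkgs than the system it runs on. Replacing the one-liners with `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` (and the same shape for `nur`) removes the duplicate trees. Scoping the NUR overlay to the repos actually consumed would limit the supply-chain exposure, but those references live in `user.nix`, which is outside this diff.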
diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix
new file mode 100644
index 0000000..64eab73
--- /dev/null
+++ b/nix/modules/home/secrets.nix
@@ -0,0 +1,19 @@
+{ lib, config, pkgs, inputs, ... }:
+{
+ imports = [
+ ../vars.nix
+ ];
+
+ options = {
+ secrets.enable = lib.mkEnableOption "enables encrypted secrets on system";
+ };
+
+ config = lib.mkIf config.secrets.enable {
+ home-manager = {
+ sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+ users."${user.user}" = {};
+ };
+ };
+}
diff --git a/nix/modules/secure-boot.nix b/nix/modules/secure-boot.nix
new file mode 100644
index 0000000..0785835
--- /dev/null
+++ b/nix/modules/secure-boot.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, config, inputs, ... }:
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ options = {
+ secure-boot.enable = lib.mkEnableOption "Enables secure boot on system";
+ };
+
+ config = lib.mkIf config.secure-boot.enable {
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ };
+ };
+}
diff --git a/nix/modules/vars.nix b/nix/modules/vars.nix
new file mode 100644
index 0000000..43e45ad
--- /dev/null
+++ b/nix/modules/vars.nix
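Review bot: `users."${user.user}" = {};` refers to `user`, which is not bound anywhere in this module: the argument set is `{ lib, config, pkgs, inputs, ... }` and `../vars.nix` appears under `imports` (evaluated as a module) rather than being bound with `import`, so setting `secrets.enable = true` fails with an undefined variable before any secret is wired up. `inputs` has the same problem — `flake.nix` passes `specialArgs = attrs`, which exposes the flake inputs under their own names (`sops-nix`, `lanzaboote`, ...) and carries no `inputs` attribute. Binding the data explicitly, e.g. `let vars = import ../vars.nix {}; in` above the module body and `users."${vars.options.user.userName}" = {};`, and taking `sops-nix` as a module argument in place of `inputs`, would make the module evaluate; note that `vars.nix` defines `user.userName`, not `user.user`.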
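Review bot: `inputs.lanzaboote.nixosModules.lanzaboote` in the `imports` list depends on a module argument named `inputs` that `flake.nix` never supplies — `specialArgs = attrs` exposes the flake inputs as `lanzaboote`, `sops-nix` and so on — so importing this module anywhere fails at evaluation before `secure-boot.enable` is consulted. No visible hunk imports it yet, and `flake.nix` already adds `lanzaboote.nixosModules.lanzaboote` to `continuity` directly, so the `imports` block is redundant for that host. Either drop it, or change the header to `{ pkgs, lib, config, lanzaboote, ... }:` and import `lanzaboote.nixosModules.lanzaboote` so the module also works for hosts that do not add it themselves.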
@@ -0,0 +1,48 @@
+# Change the following variables
+{}:
+{
+ options = {
+ # set your host name.
+ hostName = "continuity";
+
+ user = {
+ userName = "preston";
+ fullName = "Preston Pan";
+ gpgKey = "AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1";
+ };
+
+ servers = {
+ # email used for `From` and also as your login email.
+ email = "ret2pop@gmail.com";
+ # IMAPS server. Must be encrypted.
+ imapsServer = "imap.gmail.com";
+ # SMTPS server. Must be encrypted.
+ smtpsServer = "smtp.gmail.com";
+
+ # Used for referencing the remote host in config. This mostly shouldn't matter if you are not
+ # using my website.
+ remoteHost = "nullring.xyz";
+ };
+
+ # Change to your timezone
+ timeZone = "America/Vancouver";
+
+ # After rebooting, use the command `hyprctl monitors` in order to check which monitor
+ # you are using. This is so that waybar knows which monitors to appear in.
+ monitors = [
+ "HDMI-A-1"
+ "eDP-1"
+ "DP-2"
+ "DP-3"
+ "LVDS-1"
+ ];
+
+ # enable video drivers based on your system.
+ # Example:
+ # videoDrivers = [
+ # "nvidia"
+ # "amdgpu"
+ # ]
+ videoDrivers = [];
+ };
+}
diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml
new file mode 100644
index 0000000..735ceed
--- /dev/null
+++ b/nix/secrets/secrets.yaml
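Review bot: The attribute set under `options` holds plain values (`hostName = "continuity";`, `user = { ... };`), but in the NixOS module system `options` is reserved for option declarations built with `lib.mkOption`/`mkEnableOption`; `modules/home/secrets.nix` lists this file under `imports`, so evaluating it as a module is expected to fail with an option-declaration type error rather than expose the values. `systems/desktop/configuration.nix` consumes its own vars file with `vars = import ./vars.nix;`, which is the pattern this file appears to want: drop the `{}:` function header and the `options = { ... };` wrapper, leaving a plain attribute set, and bind it with `import` from the modules that need it. The GPG fingerprint and e-mail address here are public data, so committing them is fine.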
@@ -0,0 +1,23 @@
+hello: ENC[AES256_GCM,data:SyGz4JsQGWYBSsn59/iy2jtF5LxcLqvuYlJa9Ng30TYHZLjGHLFnFLCN8H1JLg==,iv:DAtgeXT/nnNDGfayt7GrzDI527CawbF7sLAbw6A5bYs=,tag:zQyCdvFekQW3fhsqzV51Fw==,type:str]
+mail: ENC[AES256_GCM,data:IFJnuVbshByUh5S3HoSnX5AyOg==,iv:gF0JlnBGAMLduMIG/hZtssdkHVL9/RDmDwBw/WoMDwQ=,tag:adDgcz/VrAN6/kfYTKa5XA==,type:str]
+digikey: ENC[AES256_GCM,data:U1c2HYB/YjwlyHvD3XVTqWJdb9/8BeS6,iv:DNsBoaqgUPdfO9knQLCMeJVO8kctQ9XNvcY2xcpI0NM=,tag:kuJ9BYqVx0GeTBSW5EsItg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNHJDMllEZkJYQitsTlls
+ WTRkQUdJOWZxRDR1WkFXdWRDUllFVmFGUFZnCmh3Mi9KMGM2aTFxQksxT1cyVDJ1
+ bytaVGVIVnlyY1hacS9BVG1aSVVCOTQKLS0tIGdLTEFORTZsYmFkMGZHUWJ5akFQ
+ OFFNeEtOTk5FSm9RaDFad0UyeWZ2WDgKIwGoB4a5WAIkE93gzqdUzNlo5vgQ1zLy
+ yhEFrE1NbhyItnZIg/yRhqFG0dv7D3pEP3pq2Seew6pKJg/s9UTJ8Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-11T05:57:15Z"
+ mac: ENC[AES256_GCM,data:/2PFJp4LHH8CJu1VCt0kN6N0ntxCsJ9J5fGVUBRE43Y7tseNtI/ItGa9vGuMLR64Y2lysUShtdx+6E68W7L5NOqMHecomqdj1oT21k2DSVysAmJ7xc43uMw9Ck8flDssFu2CQx4uVk7bNdLfj6zfEJXiv3vi8UErqr5beMdcfA4=,iv:iIb9vNaiCyuQpusN0WlVEbDlVeE/eJ8T6Fx+NJTIXfs=,tag:BSjTynwKJpamVDw6gRahQQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/nix/systems/desktop/configuration.nix b/nix/systems/desktop/configuration.nix
new file mode 100644
index 0000000..8359d25
--- /dev/null
+++ b/nix/systems/desktop/configuration.nix
@@ -0,0 +1,399 @@
+{ pkgs, lib, ... }:
+let
+ vars = import ./vars.nix;
+in
+{
+ imports = [];
+
+ hardware.enableAllFirmware = true;
+
+ documentation = {
+ enable = true;
+ man.enable = true;
+ dev.enable = true;
+ };
+
+ environment = {
+ etc = {
+ securetty.text = ''
+ # /etc/securetty: list of terminals on which root is allowed to login.
+ # See securetty(5) and login(1).
+ '';
+ };
+ };
+
+ systemd = {
+ coredump.enable = false;
+ network.config.networkConfig.IPv6PrivacyExtensions = "kernel";
+ tmpfiles.settings = {
+ "restricthome"."/home/*".Z.mode = "~0700";
+
+ "restrictetcnixos"."/etc/nixos/*".Z = {
+ mode = "0000";
+ user = "root";
+ group = "root";
+ };
+ };
+ };
+
+
+ boot = {
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "nvme"
+ "sd_mod"
+ "ehci_pci"
+ "rtsx_pci_sdmmc"
+ "usbhid"
+ ];
+
+ kernelModules = [ ];
+ };
+
+ lanzaboote = {
+ enable = vars.secureBoot;
+ pkiBundle = "/etc/secureboot";
+ };
+
+ loader = {
+ systemd-boot.enable = lib.mkForce (! vars.secureBoot);
+ efi.canTouchEfiVariables = true;
+ };
+
+ kernelModules = [
+ "snd-seq"
+ "snd-rawmidi"
+ "xhci_hcd"
+ "kvm_intel"
+ ];
+
+ kernelParams = [
+ "debugfs=off"
+ "page_alloc.shuffle=1"
+ "slab_nomerge"
+ "page_poison=1"
+
+ # madaidan
+ "pti=on"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
+ "module.sig_enforce=1"
+ "lockdown=confidentiality"
+
+ # cpu
+ "spectre_v2=on"
+ "spec_store_bypass_disable=on"
+ "tsx=off"
+ "tsx_async_abort=full,nosmt"
+ "mds=full,nosmt"
+ "l1tf=full,force"
+ "nosmt=force"
+ "kvm.nx_huge_pages=force"
+
+ # hardened
+ "extra_latent_entropy"
+
+ # mineral
+ "init_on_alloc=1"
+ "random.trust_cpu=off"
+ "random.trust_bootloader=off"
+ "intel_iommu=on"
+ "amd_iommu=force_isolation"
+ "iommu=force"
+ "iommu.strict=1"
+ "init_on_free=1"
+ "quiet"
+ "loglevel=0"
+ ];
+
+ blacklistedKernelModules = [
+ "netrom"
+ "rose"
+
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+
+ kernel.sysctl = {
+ "kernel.ftrace_enabled" = false;
+ "net.core.bpf_jit_enable" = false;
+ "kernel.kptr_restrict" = 2;
+
+ # madaidan
+ "vm.swappiness" = 1;
+ "vm.unprivileged_userfaultfd" = 0;
+ "dev.tty.ldisc_autoload" = 0;
+ "kernel.kexec_load_disabled" = 1;
+ "kernel.sysrq" = 4;
+ "kernel.perf_event_paranoid" = 3;
+
+ # net
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ "net.ipv4.conf.all.accept_redirects" = false;
+ "net.ipv4.conf.all.secure_redirects" = false;
+ "net.ipv4.conf.default.accept_redirects" = false;
+ "net.ipv4.conf.default.secure_redirects" = false;
+ "net.ipv6.conf.all.accept_redirects" = false;
+ "net.ipv6.conf.default.accept_redirects" = false;
+ };
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault true;
+ hostName = vars.hostName;
+ networkmanager = {
+ enable = true;
+ # wifi.macAddress = "";
+ };
+ firewall = {
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+
+ graphics = {
+ enable = true;
+ };
+
+ pulseaudio.enable = false;
+ };
+
+ services = {
+ chrony = {
+ enable = true;
+ enableNTS = true;
+ servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
+ };
+
+ jitterentropy-rngd.enable = true;
+ resolved.dnssec = true;
+ # usbguard.enable = true;
+ usbguard.enable = false;
+ dbus = {
+ apparmor = "enabled";
+ };
+
+ tor = {
+ enable = true;
+ openFirewall = true;
+ client = {
+ enable = true;
+ socksListenAddress = {
+ IsolateDestAddr = true;
+ addr = "127.0.0.1";
+ port = 9050;
+ };
+ dns.enable = true;
+ };
+ torsocks = {
+ enable = true;
+ server = "127.0.0.1:9050";
+ };
+ };
+
+ xserver = {
+ displayManager = {
+ startx.enable = true;
+ };
+
+ windowManager = {
+ i3 = {
+ enable = true;
+ package = pkgs.i3-gaps;
+ };
+ };
+
+ desktopManager = {
+ runXdgAutostartIfNone = true;
+ };
+
+ xkb = {
+ layout = "us";
+ variant = "";
+ options = "caps:escape";
+ };
+
+ videoDrivers = vars.videoDrivers;
+ enable = true;
+ };
+
+ pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ jack.enable = true;
+ wireplumber.enable = true;
+ extraConfig.pipewire-pulse."92-low-latency" = {
+ "context.properties" = [
+ {
+ name = "libpipewire-module-protocol-pulse";
+ args = { };
+ }
+ ];
+ "pulse.properties" = {
+ "pulse.min.req" = "32/48000";
+ "pulse.default.req" = "32/48000";
+ "pulse.max.req" = "32/48000";
+ "pulse.min.quantum" = "32/48000";
+ "pulse.max.quantum" = "32/48000";
+ };
+ "stream.properties" = {
+ "node.latency" = "32/48000";
+ "resample.quality" = 1;
+ };
+ };
+ };
+
+ kanata = {
+ enable = true;
+ };
+
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = true;
+ AllowUsers = [ vars.userName ];
+ PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ # Misc.
+ udev = {
+ extraRules = '''';
+ packages = with pkgs; [
+ platformio-core
+ platformio-core.udev
+ openocd
+ ];
+ };
+
+ printing.enable = true;
+ udisks2.enable = true;
+ };
+
+ programs = {
+ nix-ld.enable = true;
+ zsh.enable = true;
+ light.enable = true;
+ ssh.enableAskPassword = false;
+ };
+
+ nixpkgs = {
+ hostPlatform = lib.mkDefault "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ cudaSupport = false;
+ };
+ };
+
+ security = {
+ apparmor = {
+ enable = true;
+ killUnconfinedConfinables = true;
+ };
+
+ pam.loginLimits = [
+ { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
+ { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
+ ];
+ rtkit.enable = true;
+
+ lockKernelModules = true;
+ protectKernelImage = true;
+ allowSimultaneousMultithreading = false;
+ forcePageTableIsolation = true;
+
+ tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+
+ auditd.enable = true;
+ audit.enable = true;
+ chromiumSuidSandbox.enable = true;
+ sudo.enable = true;
+ };
+
+ xdg.portal = {
+ enable = true;
+ wlr.enable = true;
+ extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal xdg-desktop-portal-hyprland ];
+ config.common.default = "*";
+ };
+
+ environment.systemPackages = with pkgs; [
+ cryptsetup
+ restic
+ sbctl
+ linux-manual
+ man-pages
+ man-pages-posix
+ tree
+ ];
+
+
+ users.users = {
+ root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch"
+ ];
+
+ "${vars.userName}" = {
+ initialPassword = "${vars.userName}";
+ isNormalUser = true;
+ description = vars.fullName;
+ extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
+ shell = pkgs.zsh;
+ packages = [];
+ };
+ };
+
+
+ nix.settings.experimental-features = "nix-command flakes";
+ time.timeZone = vars.timeZone;
+ i18n.defaultLocale = "en_CA.UTF-8";
+
+ system = {
+ stateVersion = "24.11";
+ nixos = {
+ tags = [ "continuity-2.0" ];
+ };
+ };
+}
diff --git a/nix/systems/desktop/home.nix b/nix/systems/desktop/home.nix
new file mode 100644
index 0000000..166bd16
--- /dev/null
+++ b/nix/systems/desktop/home.nix
@@ -0,0 +1,14 @@
+{ sops-nix, ... }:
+let
+ vars = import ./vars.nix;
+in
+{
+ home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users."${vars.userName}" = ./user.nix;
+ };
+}
diff --git a/nix/systems/desktop/sda-simple.nix b/nix/systems/desktop/sda-simple.nix
new file mode 100644
index 0000000..86263dd
--- /dev/null
+++ b/nix/systems/desktop/sda-simple.nix
@@ -0,0 +1,39 @@
+# This will install a simple system with a root and boot partition.
+# Make sure to change the entry device entry to the one that you
+# are installing the configuration to.
+{
+ disko.devices = {
+ disk = {
+ my-disk = {
+ # change this entry
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ priority = 1;
+ content = {
+ type = "filesystem";
+ fo |
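Review bot: `openssh.settings.PasswordAuthentication = true;` together with `initialPassword = "${vars.userName}"` means that, until the password is changed, the one account in `AllowUsers` is reachable over SSH with its username as the password, and `openssh.enable = true` opens port 22 in the firewall by default regardless of the empty `allowedTCPPorts` list. The `root.openssh.authorizedKeys.keys` entry is inert because `PermitRootLogin = "no"` is set a few lines above, so that key currently grants nothing. Set `PasswordAuthentication = false;` and move the `ssh-ed25519` key to `users.users."${vars.userName}".openssh.authorizedKeys.keys`; since `sops-nix.nixosModules.sops` is already loaded for this host, a sops-managed `hashedPasswordFile` (adding `config` to the module arguments) would also replace the guessable `initialPassword`. The `vars` consulted here come from `./vars.nix`, which is outside this diff.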