Diffstat (limited to 'nix')
-rw-r--r-- | nix/flake.nix | 2 | ||||
-rw-r--r-- | nix/modules/configuration.nix | 291 | ||||
-rw-r--r-- | nix/modules/cuda.nix | 4 | ||||
-rw-r--r-- | nix/modules/default.nix | 41 | ||||
-rw-r--r-- | nix/modules/home/user.nix | 2 | ||||
-rw-r--r-- | nix/modules/nvidia.nix | 27 | ||||
-rw-r--r-- | nix/modules/postfix.nix | 2 | ||||
-rw-r--r-- | nix/modules/ssh.nix | 2 | ||||
-rw-r--r-- | nix/modules/xserver.nix | 18 | ||||
-rw-r--r-- | nix/systems/affinity/default.nix | 15 | ||||
-rw-r--r-- | nix/systems/affinity/home.nix | 9 | ||||
-rw-r--r-- | nix/systems/continuity/default.nix | 2 | ||||
-rw-r--r-- | nix/systems/continuity/home.nix | 6 | ||||
-rw-r--r-- | nix/systems/home.nix | 11 | ||||
-rw-r--r-- | nix/systems/spontaneity/default.nix | 4 | ||||
-rw-r--r-- | nix/systems/spontaneity/home.nix | 6 |
16 files changed, 237 insertions, 205 deletions
diff --git a/nix/flake.nix b/nix/flake.nix index 950e86a..39606b4 100644 --- a/nix/flake.nix +++ b/nix/flake.nix @@ -51,7 +51,6 @@ sops-nix.nixosModules.sops { nixpkgs.overlays = [ nur.overlays.default ]; } { home-manager.extraSpecialArgs = attrs; } - ./systems/continuity/default.nix ]; }; @@ -66,7 +65,6 @@ sops-nix.nixosModules.sops { nixpkgs.overlays = [ nur.overlays.default ]; } { home-manager.extraSpecialArgs = attrs; } - ./systems/affinity/default.nix ]; }; diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 97b8764..62b02f6 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -24,7 +24,7 @@ environment = { etc = { - securetty.text = '' + securetty.text = '' # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). ''; @@ -35,13 +35,13 @@ coredump.enable = false; network.config.networkConfig.IPv6PrivacyExtensions = "kernel"; tmpfiles.settings = { - "restricthome"."/home/*".Z.mode = "~0700"; + "restricthome"."/home/*".Z.mode = "~0700"; - "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; - }; + "restrictetcnixos"."/etc/nixos/*".Z = { + mode = "0000"; + user = "root"; + group = "root"; + }; }; }; 
@@ -50,126 +50,126 @@ extraModulePackages = [ ]; initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" - ]; - - kernelModules = [ ]; + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" + ]; + + kernelModules = [ ]; }; lanzaboote = { - enable = config.monorepo.profiles.secureBoot.enable; - pkiBundle = "/etc/secureboot"; + enable = config.monorepo.profiles.secureBoot.enable; + pkiBundle = "/etc/secureboot"; }; loader = { - systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); - efi.canTouchEfiVariables = true; + systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); + efi.canTouchEfiVariables = true; }; kernelModules = [ - "snd-seq" - "snd-rawmidi" - "xhci_hcd" - "kvm_intel" + "snd-seq" + "snd-rawmidi" + "xhci_hcd" + "kvm_intel" ]; kernelParams = [ - "debugfs=off" - "page_alloc.shuffle=1" - "slab_nomerge" - "page_poison=1" - - # madaidan - "pti=on" - "randomize_kstack_offset=on" - "vsyscall=none" - "module.sig_enforce=1" - "lockdown=confidentiality" - - # cpu - "spectre_v2=on" - "spec_store_bypass_disable=on" - "tsx=off" - "tsx_async_abort=full,nosmt" - "mds=full,nosmt" - "l1tf=full,force" - "nosmt=force" - "kvm.nx_huge_pages=force" - - # hardened - "extra_latent_entropy" - - # mineral - "init_on_alloc=1" - "random.trust_cpu=off" - "random.trust_bootloader=off" - "intel_iommu=on" - "amd_iommu=force_isolation" - "iommu=force" - "iommu.strict=1" - "init_on_free=1" - "quiet" - "loglevel=0" + "debugfs=off" + "page_alloc.shuffle=1" + "slab_nomerge" + "page_poison=1" + + # madaidan + "pti=on" + "randomize_kstack_offset=on" + "vsyscall=none" + "module.sig_enforce=1" + "lockdown=confidentiality" + + # cpu + "spectre_v2=on" + "spec_store_bypass_disable=on" + "tsx=off" + "tsx_async_abort=full,nosmt" + "mds=full,nosmt" + "l1tf=full,force" + 
"nosmt=force" + "kvm.nx_huge_pages=force" + + # hardened + "extra_latent_entropy" + + # mineral + "init_on_alloc=1" + "random.trust_cpu=off" + "random.trust_bootloader=off" + "intel_iommu=on" + "amd_iommu=force_isolation" + "iommu=force" + "iommu.strict=1" + "init_on_free=1" + "quiet" + "loglevel=0" ]; blacklistedKernelModules = [ - "netrom" - "rose" - - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" + "netrom" + "rose" + + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "ntfs" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; kernel.sysctl = { - "kernel.ftrace_enabled" = false; - "net.core.bpf_jit_enable" = false; - "kernel.kptr_restrict" = 2; - - # madaidan - "vm.swappiness" = 1; - "vm.unprivileged_userfaultfd" = 0; - "dev.tty.ldisc_autoload" = 0; - "kernel.kexec_load_disabled" = 1; - "kernel.sysrq" = 4; - "kernel.perf_event_paranoid" = 3; - - # net - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + "kernel.ftrace_enabled" = false; + "net.core.bpf_jit_enable" = false; + "kernel.kptr_restrict" = 2; + + # madaidan + "vm.swappiness" = 1; + "vm.unprivileged_userfaultfd" = 0; + "dev.tty.ldisc_autoload" = 0; + "kernel.kexec_load_disabled" = 1; + "kernel.sysrq" = 4; + "kernel.perf_event_paranoid" = 3; + + # net + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + + "net.ipv4.conf.all.accept_redirects" = false; + "net.ipv4.conf.all.secure_redirects" = false; + "net.ipv4.conf.default.accept_redirects" = false; + 
"net.ipv4.conf.default.secure_redirects" = false; + "net.ipv6.conf.all.accept_redirects" = false; + "net.ipv6.conf.default.accept_redirects" = false; }; }; @@ -177,32 +177,31 @@ useDHCP = lib.mkDefault true; hostName = config.monorepo.vars.hostName; networkmanager = { - enable = true; - # wifi.macAddress = ""; + enable = true; }; firewall = { - allowedTCPPorts = [ 22 11434 ]; - allowedUDPPorts = [ ]; + allowedTCPPorts = [ 22 11434 ]; + allowedUDPPorts = [ ]; }; }; hardware = { enableAllFirmware = true; cpu.intel.updateMicrocode = true; - graphics.enable = true; + graphics.enable = ! config.monorepo.profiles.ttyonly.enable; pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable; bluetooth = { - enable = true; - powerOnBoot = true; + enable = true; + powerOnBoot = true; }; }; services = { chrony = { - enable = true; - enableNTS = true; - servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; + enable = true; + enableNTS = true; + servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; }; jitterentropy-rngd.enable = true; @@ -215,12 +214,12 @@ # Misc. udev = { - extraRules = ''''; - packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd - ]; + extraRules = ''''; + packages = with pkgs; [ + platformio-core + platformio-core.udev + openocd + ]; }; printing.enable = true; 
@@ -237,20 +236,20 @@ nixpkgs = { hostPlatform = lib.mkDefault "x86_64-linux"; config = { - allowUnfree = true; - cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; + allowUnfree = true; + cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; }; }; security = { apparmor = { - enable = true; - killUnconfinedConfinables = true; + enable = true; + killUnconfinedConfinables = true; }; pam.loginLimits = [ - { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } - { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } + { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } + { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } ]; rtkit.enable = true; @@ -260,9 +259,9 @@ forcePageTableIsolation = true; tpm2 = { - enable = true; - pkcs11.enable = true; - tctiEnvironment.enable = true; + enable = true; + pkcs11.enable = true; + tctiEnvironment.enable = true; }; auditd.enable = true; @@ -275,9 +274,9 @@ enable = true; wlr.enable = true; extraPortals = with pkgs; [ - xdg-desktop-portal-gtk - xdg-desktop-portal - xdg-desktop-portal-hyprland + xdg-desktop-portal-gtk + xdg-desktop-portal + xdg-desktop-portal-hyprland ]; config.common.default = "*"; }; @@ -296,17 +295,17 @@ ]; git = { - isSystemUser = true; - home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; }; "${config.monorepo.vars.userName}" = { - initialPassword = "${config.monorepo.vars.userName}"; - isNormalUser = true; - description = config.monorepo.vars.fullName; - extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; - shell = pkgs.zsh; - packages = []; + initialPassword = "${config.monorepo.vars.userName}"; + isNormalUser = true; + description = config.monorepo.vars.fullName; + extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; + shell = pkgs.zsh; + packages = []; }; }; 
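Review bot: `initialPassword = "${config.monorepo.vars.userName}";` in the users hunk gives the wheel user a password equal to its login name, and that same user is the only entry in sshd's `AllowUsers` while `PasswordAuthentication = true` remains (ssh.nix hunk below), so a freshly built host accepts a guessable password over the network until someone changes it interactively. Since the flake already wires in sops-nix, `hashedPasswordFile = config.sops.secrets.<name>.path;` (or at least `initialHashedPassword`) would keep the credential out of the store and out of the config. The `extraGroups` line also grants `docker`, which is effectively root on the host; a comment such as `# docker group is root-equivalent; keep in sync with the hardening intent above` makes that trade-off visible next to the apparmor/lockdown settings. The enclosing `users.users` attrset starts before this hunk.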
diff --git a/nix/modules/cuda.nix b/nix/modules/cuda.nix
index dd5846b..d5d9b7c 100644
--- a/nix/modules/cuda.nix
+++ b/nix/modules/cuda.nix
@@ -1,9 +1,9 @@
 { config, lib, pkgs, ... }:
 {
- environment.systemPackages = with pkgs; [
+ environment.systemPackages = (if config.monorepo.profiles.cuda.enable then with pkgs; [
 cudatoolkit
 cudaPackages.cudnn
 cudaPackages.libcublas
 linuxPackages.nvidia_x11
- ];
+ ] else []);
 }
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index ad4ccd3..f520d3b 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
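Review bot: `linuxPackages.nvidia_x11` inside the new `with pkgs;` list resolves against the default kernel package set, whereas nvidia.nix further down takes the driver from `config.boot.kernelPackages.nvidiaPackages.stable`; if a host ever selects a non-default kernel the two can end up built against different kernels. Using `config.boot.kernelPackages.nvidia_x11` here keeps the two modules in agreement. The `(if ... then with pkgs; [ ... ] else [])` wrapper can also be expressed as `lib.optionals config.monorepo.profiles.cuda.enable (with pkgs; [ ... ])`, which reads closer to the `lib.mkIf` form already used for the documentation packages in default.nix.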
@@ -7,36 +7,33 @@ options = { monorepo = { - profiles = { - cuda.enable = lib.mkEnableOption "Enables CUDA support"; - documentation.enable = lib.mkEnableOption "Enables documentation on system."; - secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; - pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; - tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; - home.enable = lib.mkEnableOption "Enables home user"; - server.enable = lib.mkEnableOption "Enables server services"; - }; + profiles = { + cuda.enable = lib.mkEnableOption "Enables CUDA support"; + documentation.enable = lib.mkEnableOption "Enables documentation on system."; + secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; + pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; + tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; + home.enable = lib.mkEnableOption "Enables home user"; + server.enable = lib.mkEnableOption "Enables server services"; + ttyonly.enable = lib.mkEnableOption "TTY only, no xserver"; + }; }; }; config = { - home-manager.users."${config.monorepo.vars.userName}" = { - programs.home-manager.enable = config.monorepo.profiles.home.enable; - }; - environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [ - linux-manual - man-pages - man-pages-posix + linux-manual + man-pages + man-pages-posix ]); monorepo = { - profiles = { - documentation.enable = lib.mkDefault true; - pipewire.enable = lib.mkDefault true; - tor.enable = lib.mkDefault true; - home.enable = lib.mkDefault true; - }; + profiles = { + documentation.enable = lib.mkDefault true; + pipewire.enable = lib.mkDefault true; + tor.enable = lib.mkDefault true; + home.enable = lib.mkDefault true; + }; }; }; } diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index 20a5749..7c470aa 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix 
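Review bot: After this hunk removes the `home-manager.users.<user>.programs.home-manager.enable = config.monorepo.profiles.home.enable;` wiring, the `home.enable` option keeps its `lib.mkDefault true` but no consumer of it is visible anywhere in this diff, so it appears to have become a no-op option; either drop it or document what still reads it. The new `ttyonly.enable` description, `"TTY only, no xserver"`, is the only one in the list that renders correctly after mkEnableOption's "Whether to enable ..." prefix; the existing "Enables ..." descriptions would read better in the same form, e.g. `cuda.enable = lib.mkEnableOption "CUDA support";`, but that is a pre-existing wording issue.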
@@ -26,6 +26,7 @@ packages = with pkgs; [ # wikipedia kiwix kiwix-tools + # passwords age sops @@ -64,6 +65,7 @@ acpilight pfetch libnotify + htop ]; }; diff --git a/nix/modules/nvidia.nix b/nix/modules/nvidia.nix index a1dc840..2973386 100644 --- a/nix/modules/nvidia.nix +++ b/nix/modules/nvidia.nix @@ -1,21 +1,22 @@ { config, lib, pkgs, ... }: { hardware = { - graphics.extraPackages = with pkgs; [ - vaapiVdpau - libvdpau-va-gl - nvidia-vaapi-driver - ]; + graphics.extraPackages = (if config.monorepo.profiles.cuda.enable + then with pkgs; [ + vaapiVdpau + libvdpau-va-gl + nvidia-vaapi-driver + ] else []); nvidia = { - modesetting.enable = true; - powerManagement = { - enable = true; - finegrained = false; - }; - nvidiaSettings = true; - open = false; - package = config.boot.kernelPackages.nvidiaPackages.stable; + modesetting.enable = lib.mkDefault config.monorepo.profiles.cuda.enable; + powerManagement = { + enable = lib.mkDefault config.monorepo.profiles.cuda.enable; + finegrained = false; + }; + nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable; + open = lib.mkDefault false; + package = config.boot.kernelPackages.nvidiaPackages.stable; }; }; } diff --git a/nix/modules/postfix.nix b/nix/modules/postfix.nix index 90eb253..35c9e21 100644 --- a/nix/modules/postfix.nix +++ b/nix/modules/postfix.nix @@ -1,7 +1,7 @@ { config, lib, ... }: { services.postfix = { - enable = true; + enable = lib.mkDefault config.monorepo.profiles.server.enable; config = { }; }; diff --git a/nix/modules/ssh.nix b/nix/modules/ssh.nix index 55dc2fb..5c705c9 100644 --- a/nix/modules/ssh.nix +++ b/nix/modules/ssh.nix @@ -5,7 +5,7 @@ settings = { PasswordAuthentication = true; AllowUsers = [ config.monorepo.vars.userName ]; - PermitRootLogin = "no"; + PermitRootLogin = "prohibit-password"; KbdInteractiveAuthentication = false; }; }; diff --git a/nix/modules/xserver.nix b/nix/modules/xserver.nix index 0298f12..aab138d 100644 --- a/nix/modules/xserver.nix 
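Review bot: `PermitRootLogin = "prohibit-password";` in the ssh.nix hunk relaxes the previous `"no"`; root still cannot log in today only because `AllowUsers = [ config.monorepo.vars.userName ];` lists a single non-root account, so the protection now rests on a second setting instead of being explicit, and any later edit to AllowUsers silently re-opens root key login. If root-over-SSH is intended for deployment, add root to `AllowUsers` deliberately with a comment stating why; otherwise keep `PermitRootLogin = "no";`. With `PasswordAuthentication = true` still in effect in the same settings block, the weakening is more significant than it would be on a key-only host.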
+++ b/nix/modules/xserver.nix @@ -3,24 +3,24 @@ services.xserver = { enable = lib.mkDefault true; displayManager = { - startx.enable = true; + startx.enable = true; }; windowManager = { - i3 = { - enable = true; - package = pkgs.i3-gaps; - }; + i3 = { + enable = ! config.monorepo.profiles.ttyonly.enable; + package = pkgs.i3-gaps; + }; }; desktopManager = { - runXdgAutostartIfNone = true; + runXdgAutostartIfNone = true; }; xkb = { - layout = "us"; - variant = ""; - options = "caps:escape"; + layout = "us"; + variant = ""; + options = "caps:escape"; }; videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []); diff --git a/nix/systems/affinity/default.nix b/nix/systems/affinity/default.nix index 4423440..606d934 100644 --- a/nix/systems/affinity/default.nix +++ b/nix/systems/affinity/default.nix @@ -2,15 +2,16 @@ { imports = [ ../../modules/default.nix - ../../modules/home/home.nix ../../modules/nvme-simple.nix + ../home.nix ]; - config.monorepo = { - profiles = { - server.enable = true; - cuda.enable = true; + config = { + monorepo = { + profiles = { + server.enable = true; + cuda.enable = true; + }; + vars.hostName = "affinity"; }; - vars.hostName = "affinity"; }; - config.home-manager.users."${config.monorepo.vars.userName}".monorepo.profiles.cuda.enable = true; } diff --git a/nix/systems/affinity/home.nix b/nix/systems/affinity/home.nix new file mode 100644 index 0000000..7b08138 --- /dev/null +++ b/nix/systems/affinity/home.nix @@ -0,0 +1,9 @@ +{ lib, config, pkgs, ... }: +{ + imports = [ + ../../modules/home/default.nix + ]; + config.monorepo = { + profiles.cuda.enable = true; + }; +} diff --git a/nix/systems/continuity/default.nix b/nix/systems/continuity/default.nix index 1bff83c..d067581 100644 --- a/nix/systems/continuity/default.nix +++ b/nix/systems/continuity/default.nix @@ -2,7 +2,7 @@ { imports = [ ../../modules/default.nix - ../../modules/home/home.nix ../../modules/sda-simple.nix + ../home.nix ]; } 
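Review bot: `enable = ! config.monorepo.profiles.ttyonly.enable;` on `i3` turns off the window manager, but `services.xserver.enable = lib.mkDefault true;` two lines above is untouched, so a ttyonly host (spontaneity sets the profile in this same diff) still evaluates with X enabled while configuration.nix sets `hardware.graphics.enable` to false for it. Applying the profile at the top, `enable = lib.mkDefault (! config.monorepo.profiles.ttyonly.enable);`, would make the option mean what its description says and leave the i3 line as a plain `enable = true;`. The `startx`, `desktopManager` and `xkb` re-indents in the hunk carry no behaviour change.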
diff --git a/nix/systems/continuity/home.nix b/nix/systems/continuity/home.nix
new file mode 100644
index 0000000..276ba52
--- /dev/null
+++ b/nix/systems/continuity/home.nix
@@ -0,0 +1,6 @@
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../../modules/home/default.nix
+ ];
+}
diff --git a/nix/systems/home.nix b/nix/systems/home.nix
new file mode 100644
index 0000000..af4aa68
--- /dev/null
+++ b/nix/systems/home.nix
@@ -0,0 +1,11 @@
+{ config, sops-nix, ... }:
+{
+ home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users."${config.monorepo.vars.userName}" = import (./. + "/${config.monorepo.vars.hostName}/home.nix");
+ };
+}
diff --git a/nix/systems/spontaneity/default.nix b/nix/systems/spontaneity/default.nix
index bc7ba81..5f79855 100644
--- a/nix/systems/spontaneity/default.nix
+++ b/nix/systems/spontaneity/default.nix
@@ -3,11 +3,13 @@
 imports = [
 ../../modules/default.nix
 ../../modules/vda-simple.nix
+ ../home.nix
 ];
+
 config.monorepo = {
 profiles = {
 server.enable = true;
- home.enable = false;
+ ttyonly.enable = true;
 };
 vars.hostName = "spontaneity";
 };
diff --git a/nix/systems/spontaneity/home.nix b/nix/systems/spontaneity/home.nix
new file mode 100644
index 0000000..276ba52
--- /dev/null
+++ b/nix/systems/spontaneity/home.nix
@@ -0,0 +1,6 @@
+{ lib, config, pkgs, ... }:
+{
+ imports = [
+ ../../modules/home/default.nix
+ ];
+}
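Review bot: `users."${config.monorepo.vars.userName}" = import (./. + "/${config.monorepo.vars.hostName}/home.nix");` in the new nix/systems/home.nix makes every host's evaluation depend on a `home.nix` sitting next to its `default.nix`, and a host that forgets the file fails with a path-not-found error far from the cause. Either state the convention in a comment, `# each nix/systems/<hostName>/ directory must provide a home.nix; it is selected by monorepo.vars.hostName`, or guard it with `lib.mkIf (builtins.pathExists hostHome)` after binding `hostHome` in a `let`. `sops-nix` is taken from the NixOS module arguments here, which presumably relies on the specialArgs plumbing kept in flake.nix rather than on `home-manager.extraSpecialArgs`; worth confirming, since a missing argument surfaces as an opaque "function called without required argument" error. The three per-host home.nix files declare `{ lib, config, pkgs, ... }` but use none of those names; `{ ... }:` would be sufficient.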