add: system modules and options

ooks-io 2024-01-15 23:58:37 +13:00
parent 9bfc70318d
commit 47eb3e0691
21 changed files with 269 additions and 158 deletions


@ -1,10 +0,0 @@
{
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
}


@ -1,58 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
polkit_gnome
];
programs = {
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
_1password = {
enable = true;
};
_1password-gui = {
enable = true;
polkitPolicyOwners = [ "ooks" ];
};
};
security = {
polkit = {
enable = true;
};
pam.services = { swaylock = { }; };
sudo = {
enable = true;
extraConfig = ''
ooks ALL=(ALL) NOPASSWD:ALL
'';
};
};
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
}


@ -1,9 +0,0 @@
{
boot.loader = {
systemd-boot = {
enable = true;
consoleMode = "max";
};
efi.canTouchEfiVariables = true;
};
}


@ -0,0 +1,17 @@
{ lib, config, ... }:
let
cfg = config.systemModules.bootloader;
in
{
config = lib.mkIf cfg.enable {
boot.loader = {
systemd-boot = {
enable = true;
consoleMode = "max";
};
efi.canTouchEfiVariables = true;
};
};
}


@ -1,3 +1,5 @@
{ lib, ... }:
{
imports = [
./hardware
@ -6,4 +8,17 @@
./programs
./user
];
options.systemModules = {
security = {
enable = lib.mkEnableOption "Enable security module";
};
bootloader = {
enable = lib.mkEnableOption "Enable systemd bootloader module";
};
pipewire = {
enable = lib.mkEnableOption "Enable pipewire module";
};
};
}
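Review bot: The strings given to `lib.mkEnableOption` on lines 118, 121 and 124 render as "Whether to enable Enable security module." in the generated option docs, because mkEnableOption already prefixes "Whether to enable" to the name it receives. Pass a noun phrase instead: `enable = lib.mkEnableOption "the security module";`, and likewise "the systemd-boot bootloader module" and "the pipewire module". The enclosing module attrset and its `imports` list start before this hunk.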


@ -0,0 +1,26 @@
{ pkgs, ... }:
let
tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
in
{
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${tuigreet} --time --remember --cmd Hyprland";
user = "greeter";
};
};
};
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal"; # Without this errors will spam on screen
# Without these bootlogs will spam on screen
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
}
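Review bot: Unlike the other modules introduced in this commit, greetd is enabled unconditionally on line 138 with no `systemModules.*.enable` gate, and the explanatory comment and link that the replaced file carried were dropped, so the `systemd.services.greetd.serviceConfig` overrides on lines 146-155 now have no rationale beyond the two inline remarks. Add a short comment above line 146 stating that these settings keep kernel boot messages and service stderr off the greeter's TTY, and consider a `systemModules.greetd.enable` option for consistency with the siblings. Note also that `--remember` makes tuigreet persist the last username on disk (in its cache directory, as far as I recall); harmless on a single-user machine but worth a one-line comment so it is a conscious choice.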


@ -8,3 +8,4 @@
time.timeZone = lib.mkDefault "Pacific/Auckland";
services.geoclue2.enable = true;
}
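Review bot: `services.geoclue2.enable = true` on line 162 starts a location service whose NixOS default provider, in nixpkgs of this era, is a remote geolocation API (confirm against the geoclue2 module), so nearby Wi-Fi/IP data is sent to a third party with nothing here saying why. A comment naming the consumer would help, e.g. `services.geoclue2.enable = true; # location for <consumer>; uses the remote provider configured in geoProviderUrl`. If only a specific client needs it, `services.geoclue2.appConfig` can restrict which applications may query the service. The enclosing attrset starts before this hunk.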


@ -1,3 +1,5 @@
{ lib, ... }:
{
imports = [
./nh.nix
@ -5,4 +7,8 @@
./nixpkgs
./subs.nix
];
options.systemModules.nixOptions = {
enable = lib.mkEnableOption "Enable nix related configuration modules";
};
}
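Review bot: `systemModules.nixOptions` is declared here (apparently the nix subdirectory's default.nix, judging by the `./nh.nix` and `./subs.nix` imports) while the sibling `security`, `bootloader` and `pipewire` options are declared in the top-level modules default.nix, so the option set is split across two files; consider moving this declaration next to the others. The mkEnableOption text has the same doubled-verb problem as the other declarations, since mkEnableOption prepends "Whether to enable": `enable = lib.mkEnableOption "the nix-related configuration modules";`. The `imports` list starts before this hunk.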


@ -1,16 +1,23 @@
{ inputs, ... }: {
{ inputs, lib, config, ... }:
let
cfg = config.systemModules.nixOptions;
in
{
imports = [
inputs.nh.nixosModules.default
];
config = lib.mkIf cfg.enable {
environment.variables.FLAKE = "/home/ooks/Coding/nix/ooks-io/nix";
environment.variables.FLAKE = "/home/ooks/Coding/nix/ooks-io/nix";
nh = {
enable = true;
clean = {
nh = {
enable = true;
extraArgs = "--keep-since 30d";
clean = {
enable = true;
extraArgs = "--keep-since 30d";
};
};
};
}
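Review bot: `environment.variables.FLAKE` (line 195) bakes the absolute path of one user's home directory into a system-wide environment variable, so every account including root gets nh pointed at `/home/ooks/...`, and the path silently diverges if that user's home ever moves. Deriving it from the user definition keeps it tied to the account the module is written for: `environment.variables.FLAKE = "${config.users.users.ooks.home}/Coding/nix/ooks-io/nix";` (`config` is already a module argument on line 185). Keeping `imports` outside the `lib.mkIf` block is correct, since imports cannot be conditional.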


@ -1,15 +1,22 @@
{ config, lib, pkgs, inputs, ... }: {
{ config, lib, pkgs, inputs, ... }:
nix = {
settings = {
trusted-users = [ "root" "@wheel" ];
auto-optimise-store = lib.mkDefault true;
experimental-features = [ "nix-command" "flakes" "repl-flake" ];
warn-dirty = false;
system-features = [ "kvm" "big-parallel" "nixos-test" ];
flake-registry = "";
};
registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
nixPath = [ "nixpkgs=${inputs.nixpkgs.outPath}" ];
};
let
cfg = config.systemModules.nixOptions;
in
{
config = lib.mkIf cfg.enable {
nix = {
settings = {
trusted-users = [ "root" "@wheel" ];
auto-optimise-store = lib.mkDefault true;
experimental-features = [ "nix-command" "flakes" "repl-flake" ];
warn-dirty = false;
system-features = [ "kvm" "big-parallel" "nixos-test" ];
flake-registry = "";
};
registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
nixPath = [ "nixpkgs=${inputs.nixpkgs.outPath}" ];
};
};
}
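Review bot: `trusted-users = [ "root" "@wheel" ]` on line 234 deserves a comment, because a trusted user can pass arbitrary settings to the daemon (extra substituters and trusted keys, `sandbox = false`, and so on), which on a NixOS machine is effectively root; it is a reasonable trade-off for a single-user workstation but that is not visible from the line. Suggest `# NOTE: trusted users can reconfigure the daemon and escalate to root; keep wheel small.` above it. `flake-registry = ""` disabling the global registry is a good default and worth a one-line comment too.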


@ -1,13 +1,20 @@
{ outputs, ... }: {
{ outputs, lib, config, ... }:
nixpkgs = {
overlays = builtins.attrValues outputs.overlays;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssl-1.1.1u"
"electron-25.9.0"
];
let
cfg = config.systemModules.nixOptions;
in
{
config = lib.mkIf cfg.enable {
nixpkgs = {
overlays = builtins.attrValues outputs.overlays;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssl-1.1.1u"
"electron-25.9.0"
];
};
};
};
}
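Review bot: `permittedInsecurePackages` on lines 269-272 allow-lists openssl 1.1.1u and electron 25.9.0, which nixpkgs flags because they are end-of-life with unpatched CVEs, but nothing records which package pulls them in or when the exception can be removed. Add a comment per entry naming the dependent, e.g. `"openssl-1.1.1u" # pulled in by <package>; re-check on every update`, so the exception does not outlive its reason. Since this module is now shared behind `systemModules.nixOptions.enable`, consider keeping the list in the host configuration that actually needs it rather than applying it to every machine.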


@ -1,18 +1,26 @@
{
nix.settings = {
substituters = [
"https://cache.nixos.org?priority=10"
"https://fufexan.cachix.org"
"https://helix.cachix.org"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
];
{ lib, config, ... }:
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
let
cfg = config.systemModules.nixOptions;
in
{
config = lib.mkIf cfg.enable {
nix.settings = {
substituters = [
"https://cache.nixos.org?priority=10"
"https://fufexan.cachix.org"
"https://helix.cachix.org"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
};
}
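Review bot: `https://fufexan.cachix.org` is listed in `substituters` (line 305) but has no matching entry in `trusted-public-keys` (lines 310-315), so paths that only this cache provides will be refused as lacking a valid signature rather than used; every other substituter does have its key, which suggests an oversight. Either add that cache's public key next to the others or drop the substituter. A comment such as `# every substituter below must have its key in trusted-public-keys or its paths are rejected` would prevent the same drift later.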


@ -0,0 +1,19 @@
{ config, lib, ... }:
let
cfg = config.systemModules.pipewire;
in
{
config = lib.mkIf cfg.enable {
hardware.pulseaudio.enable = lib.mkForce false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
};
}
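Review bot: The module enables `services.pipewire` (lines 330-336) but not `security.rtkit.enable`, which PipeWire relies on to obtain realtime scheduling; that setting is set in the separate security module instead, so disabling the security module silently degrades audio. Move it here, inside the `lib.mkIf cfg.enable` block: `security.rtkit.enable = true;`. A one-line comment on the `hardware.pulseaudio.enable = lib.mkForce false;` line explaining that PipeWire's pulse server replaces it would also help a reader.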


@ -1,36 +0,0 @@
{ pkgs, ... }:
let
tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
in
{
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${tuigreet} --time --remember --cmd Hyprland";
user = "greeter";
};
};
};
# this is a life saver.
# literally no documentation about this anywhere.
# might be good to write about this...
# https://www.reddit.com/r/NixOS/comments/u0cdpi/tuigreet_with_xmonad_how/
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal"; # Without this errors will spam on screen
# Without these bootlogs will spam on screen
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
#environment.etc."greetd/environments".text = ''
# Hyprland
# fish
# bash
#'';
}


@ -0,0 +1,100 @@
{ lib, config, pkgs, ... }:
let
cfg = config.systemModules.security;
in
{
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
polkit_gnome
];
programs = {
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
_1password = {
enable = true;
};
_1password-gui = {
enable = true;
polkitPolicyOwners = [ "ooks" ];
};
};
security = {
polkit = {
enable = true;
};
pam.services = { swaylock = { }; };
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
rtkit.enable = true;
# security tweaks borrowed from @hlissner
boot.kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're not a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelModules = ["tcp_bbr"];
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
};
}
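Review bot: `rtkit.enable = true;` on line 413 sits after the `};` on line 412 that closes the `security = { ... }` attrset, so it defines a top-level `rtkit` option that does not exist and evaluation of this module will fail with "The option `rtkit' does not exist"; write it as `security.rtkit.enable = true;` or move it up beside `polkit`. Separately, `wheelNeedsPassword = false` (line 410) widens the old `ooks ALL=(ALL) NOPASSWD:ALL` rule to every member of wheel; probably intended on a single-user host, but it should carry a comment such as `# passwordless sudo for the whole wheel group: every wheel member is effectively root`. The sysctl block is well commented; `kernel.sysrq = 0` does disable the emergency sync/reboot keys as well, which is worth a word for anyone who expects them during a hang.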


@ -0,0 +1,12 @@
{ pkgs, ... }:
{
users.users.ooks.shell = pkgs.fish;
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
}
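Review bot: `users.users.ooks.shell = pkgs.fish;` on line 477 hard-codes a username inside the fish program module, so the module can no longer be reused for another account and the shell choice is now separated from the user definition where it sat before. If the aim is to keep shell selection with the shell module, `users.defaultUserShell = pkgs.fish;` expresses that without naming a user; otherwise the line is better left in the user's own definition.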


@ -4,7 +4,6 @@ in
{
users.users.ooks = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = [
"wheel"
"video"