add: system modules and options

2024-01-15 23:58:37 +13:00 · 2024-01-15 23:58:37 +13:00 · 47eb3e0691
commit 47eb3e0691
parent 9bfc70318d
21 changed files with 269 additions and 158 deletions
--- a/system/base/fish.nix
+++ b/system/base/fish.nix
@ -1,10 +0,0 @@
-{
-  programs.fish = {
-    enable = true;
-    vendor = {
-      completions.enable = true;
-      config.enable = true;
-      functions.enable = true;
-    };
-  };
-}
--- a/system/base/security.nix
+++ b/system/base/security.nix
@ -1,58 +0,0 @@
-
-
-
-
-{ config, pkgs, ... }:
-
-
-{
-
-  environment.systemPackages = with pkgs; [
-    polkit_gnome
-];
-
-  programs = {
-    gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-    };
-    _1password = {
-      enable = true;
-    };
-    _1password-gui = {
-      enable = true;
-      polkitPolicyOwners = [ "ooks" ];
-    };
-  };
-  security = {
-    polkit = {
-      enable = true;
-    };
-    pam.services = { swaylock = { }; };
-    sudo = {
-      enable = true;
-      extraConfig = ''
-        ooks ALL=(ALL) NOPASSWD:ALL
-        '';
-    };
-  };
-  
-  systemd = {
-    user.services.polkit-gnome-authentication-agent-1 = {
-      description = "polkit-gnome-authentication-agent-1";
-      wantedBy = [ "graphical-session.target" ];
-      wants = [ "graphical-session.target" ];
-      after = [ "graphical-session.target" ];
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-        Restart = "on-failure";
-        RestartSec = 1;
-        TimeoutStopSec = 10;
-
-      };
-    };
-  };
-
-
-}
--- a/system/base/systemdboot.nix
+++ b/system/base/systemdboot.nix
@ -1,9 +0,0 @@
-{
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      consoleMode = "max";
-    };
-    efi.canTouchEfiVariables = true;
-  };
-}
--- a/system/modules/bootloader/default.nix
+++ b/system/modules/bootloader/default.nix
@ -0,0 +1,17 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemModules.bootloader;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    boot.loader = {
+      systemd-boot = {
+        enable = true;
+        consoleMode = "max";
+      };
+      efi.canTouchEfiVariables = true;
+    };
+  };
+}
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -1,3 +1,5 @@
+{ lib, ... }:
+
 {
  imports = [
    ./hardware
@ -6,4 +8,17 @@
    ./programs
    ./user
  ];
+
+
+  options.systemModules = {
+    security = {
+      enable = lib.mkEnableOption "Enable security module";
+    };
+    bootloader = {
+      enable = lib.mkEnableOption "Enable systemd bootloader module";
+    };
+    pipewire = {
+      enable = lib.mkEnableOption "Enable pipewire module";
+    };
+  };
 }
--- a/system/modules/displayManager/greetd/default.nix
+++ b/system/modules/displayManager/greetd/default.nix
@ -0,0 +1,26 @@
+{ pkgs, ... }:
+let
+  tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
+in
+{
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${tuigreet} --time --remember --cmd Hyprland";
+        user = "greeter";
+      };
+    };
+  };
+
+  systemd.services.greetd.serviceConfig = {
+    Type = "idle";
+    StandardInput = "tty";
+    StandardOutput = "tty";
+    StandardError = "journal"; # Without this errors will spam on screen
+    # Without these bootlogs will spam on screen
+    TTYReset = true;
+    TTYVHangup = true;
+    TTYVTDisallocate = true;
+  };
+}
--- a/system/modules/bootloader/systemd/default.nix
+++ b/system/modules/bootloader/systemd/default.nix
--- a/system/modules/locale/default.nix
+++ b/system/modules/locale/default.nix
@ -8,3 +8,4 @@
  time.timeZone = lib.mkDefault "Pacific/Auckland";
  services.geoclue2.enable = true;
 }
+
--- a/system/modules/nix/default.nix
+++ b/system/modules/nix/default.nix
@ -1,3 +1,5 @@
+{ lib, ... }:
+
 {
  imports = [
    ./nh.nix
@ -5,4 +7,8 @@
    ./nixpkgs
    ./subs.nix
  ];
+
+  options.systemModules.nixOptions = {
+    enable = lib.mkEnableOption "Enable nix related configuration modules";
+  };
 }
--- a/system/modules/nix/nh.nix
+++ b/system/modules/nix/nh.nix
@ -1,16 +1,23 @@
-{ inputs, ... }: {
+{ inputs, lib, config, ... }: 

+let
+  cfg = config.systemModules.nixOptions;
+in
+
+{
  imports = [
    inputs.nh.nixosModules.default
  ];
  
-  environment.variables.FLAKE = "/home/ooks/Coding/nix/ooks-io/nix";
+  config = lib.mkIf cfg.enable {
+    environment.variables.FLAKE = "/home/ooks/Coding/nix/ooks-io/nix";

-  nh = {
-    enable = true;
-    clean = {
+    nh = {
      enable = true;
-      extraArgs = "--keep-since 30d";
+      clean = {
+        enable = true;
+        extraArgs = "--keep-since 30d";
+      };
    };
  };
 }
--- a/system/modules/nix/nix.nix
+++ b/system/modules/nix/nix.nix
@ -1,15 +1,22 @@
-{ config, lib, pkgs, inputs, ... }: {
+{ config, lib, pkgs, inputs, ... }: 

-  nix = {
-    settings = {
-      trusted-users = [ "root" "@wheel" ];
-      auto-optimise-store = lib.mkDefault true;
-      experimental-features = [ "nix-command" "flakes" "repl-flake" ];
-      warn-dirty = false;
-      system-features = [ "kvm" "big-parallel" "nixos-test" ];
-      flake-registry = "";
+let
+  cfg = config.systemModules.nixOptions;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    nix = {
+      settings = {
+        trusted-users = [ "root" "@wheel" ];
+        auto-optimise-store = lib.mkDefault true;
+        experimental-features = [ "nix-command" "flakes" "repl-flake" ];
+        warn-dirty = false;
+        system-features = [ "kvm" "big-parallel" "nixos-test" ];
+        flake-registry = "";
+      };
+      registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
+      nixPath = [ "nixpkgs=${inputs.nixpkgs.outPath}" ];
    }; 
-    registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
-    nixPath = [ "nixpkgs=${inputs.nixpkgs.outPath}" ];
  };
 }
--- a/system/modules/nix/nixpkgs.nix
+++ b/system/modules/nix/nixpkgs.nix
@ -1,13 +1,20 @@
-{ outputs, ... }: {
+{ outputs, lib, config, ... }:

-  nixpkgs = {
-    overlays = builtins.attrValues outputs.overlays;
-    config = {
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "openssl-1.1.1u"
-        "electron-25.9.0"
-      ];
+let
+  cfg = config.systemModules.nixOptions;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    nixpkgs = {
+      overlays = builtins.attrValues outputs.overlays;
+      config = {
+        allowUnfree = true;
+        permittedInsecurePackages = [
+          "openssl-1.1.1u"
+          "electron-25.9.0"
+        ];
+      };
    };
  };
 }
--- a/system/modules/nix/subs.nix
+++ b/system/modules/nix/subs.nix
@ -1,18 +1,26 @@
-{
-  nix.settings = {
-    substituters = [
-      "https://cache.nixos.org?priority=10"
-      "https://fufexan.cachix.org"
-      "https://helix.cachix.org"
-      "https://hyprland.cachix.org"
-      "https://nix-community.cachix.org"
-    ];
+{ lib, config, ... }:

-    trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
+let
+  cfg = config.systemModules.nixOptions;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    nix.settings = {
+      substituters = [
+        "https://cache.nixos.org?priority=10"
+        "https://fufexan.cachix.org"
+        "https://helix.cachix.org"
+        "https://hyprland.cachix.org"
+        "https://nix-community.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
  };
 }
--- a/system/modules/pipewire/default.nix
+++ b/system/modules/pipewire/default.nix
@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.systemModules.pipewire;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    hardware.pulseaudio.enable = lib.mkForce false;
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
+  };
+}
+
--- a/system/modules/programs/greetd.nix
+++ b/system/modules/programs/greetd.nix
@ -1,36 +0,0 @@
-{ pkgs, ... }:
-let
-  tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
-in
-{
-  services.greetd = {
-    enable = true;
-    settings = {
-      default_session = {
-        command = "${tuigreet} --time --remember --cmd Hyprland";
-        user = "greeter";
-      };
-    };
-  };
-
-  # this is a life saver.
-  # literally no documentation about this anywhere.
-  # might be good to write about this...
-  # https://www.reddit.com/r/NixOS/comments/u0cdpi/tuigreet_with_xmonad_how/
-  systemd.services.greetd.serviceConfig = {
-    Type = "idle";
-    StandardInput = "tty";
-    StandardOutput = "tty";
-    StandardError = "journal"; # Without this errors will spam on screen
-    # Without these bootlogs will spam on screen
-    TTYReset = true;
-    TTYVHangup = true;
-    TTYVTDisallocate = true;
-  };
-
-  #environment.etc."greetd/environments".text = ''
-  #  Hyprland
-  #  fish
-  #  bash
-  #'';
-}
--- a/system/modules/security/default.nix
+++ b/system/modules/security/default.nix
@ -0,0 +1,100 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.systemModules.security;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+
+    environment.systemPackages = with pkgs; [
+      polkit_gnome
+    ];
+
+    programs = {
+      gnupg.agent = {
+        enable = true;
+        enableSSHSupport = true;
+      };
+      _1password = {
+        enable = true;
+      };
+      _1password-gui = {
+        enable = true;
+        polkitPolicyOwners = [ "ooks" ];
+      };
+    };
+    security = {
+      polkit = {
+        enable = true;
+      };
+      pam.services = { swaylock = { }; };
+      sudo = {
+        enable = true;
+        wheelNeedsPassword = false;
+      };
+    };
+    rtkit.enable = true;
+
+    # security tweaks borrowed from @hlissner
+    boot.kernel.sysctl = {
+      # The Magic SysRq key is a key combo that allows users connected to the
+      # system console of a Linux kernel to perform some low-level commands.
+      # Disable it, since we don't need it, and is a potential security concern.
+      "kernel.sysrq" = 0;
+
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're not a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+
+      ## TCP optimization
+      # TCP Fast Open is a TCP extension that reduces network latency by packing
+      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+      # both incoming and outgoing connections:
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+
+    boot.kernelModules = ["tcp_bbr"];  
+
+    systemd = {
+      user.services.polkit-gnome-authentication-agent-1 = {
+        description = "polkit-gnome-authentication-agent-1";
+        wantedBy = [ "graphical-session.target" ];
+        wants = [ "graphical-session.target" ];
+        after = [ "graphical-session.target" ];
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+          Restart = "on-failure";
+          RestartSec = 1;
+          TimeoutStopSec = 10;
+
+        };
+      };
+    };
+  };
+}
--- a/system/modules/security/polkit/default.nix
+++ b/system/modules/security/polkit/default.nix
--- a/system/modules/security/sudo/default.nix
+++ b/system/modules/security/sudo/default.nix
--- a/system/modules/userShell/fish/default.nix
+++ b/system/modules/userShell/fish/default.nix
@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  users.users.ooks.shell = pkgs.fish;
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}
--- a/system/modules/virtulization/default.nix
+++ b/system/modules/virtulization/default.nix
--- a/system/user/ooks/default.nix
+++ b/system/user/ooks/default.nix
@ -4,7 +4,6 @@ in
 {
  users.users.ooks = {
    isNormalUser = true;
-    shell = pkgs.fish;
    extraGroups = [
    "wheel"
    "video"