ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(flake-parts): initial flake-parts configuration

Browse source
This commit is contained in:
ooks-io 2024-05-13 22:50:56 +12:00
parent 8f67be9e68
commit 5603001d65
230 changed files with 380 additions and 717 deletions
Download patch file Download diff file Expand all files Collapse all files

5
inputs/system/modules/base/audio/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./pipewire
];
}

111
inputs/system/modules/base/audio/pipewire/default.nix Normal file
View file

@ -0,0 +1,111 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (lib.generators) toLua;
inherit (lib.lists) any elem optionals;
# inherit (builtins) elem;
hasBT = (elem "bluetooth" config.systemModules.host.hardware.features);
hasFunction = f: elem f config.systemModules.host.function;
in
{
config = mkIf (any hasFunction ["workstation" "gaming" "media-server"]) {
hardware.pulseaudio.enable = !config.services.pipewire.enable;
security.rtkit.enable = config.services.pipewire.enable;
services.pipewire =
let
quantum = 64;
rate = 48000;
qr = "${toString quantum}/${toString rate}";
in
{
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
# Low latency module provided by notashelf/nyx
extraConfig.pipewire."99-lowlatency" = {
context = {
properties.default.clock.min-quantum = quantum;
modules = [
{
name = "libpipewire-module-rtkit";
flags = ["ifexists" "nofail"];
args = {
nice.level = -15;
rt = {
prio = 88;
time.soft = 200000;
time.hard = 200000;
};
};
}
{
name = "libpipewire-module-protocol-pulse";
args = {
server.address = ["unix:native"];
pulse.min = {
req = qr;
quantum = qr;
frag = qr;
};
};
}
];
stream.properties = {
node.latency = qr;
resample.quality = 1;
};
};
};
wireplumber = {
enable = true;
configPackages = let
matches = toLua {
multiline = false;
indent = false;
} [[["node.name" "matches" "alsa_output.*"]]];
apply_properties = toLua {} {
"audio.format" = "S32LE";
"audio.rate" = rate * 2;
"api.alsa.period-size" = 2;
};
in
[
(pkgs.writeTextDir "share/lowlatency.lua.d/99-alsa-lowlatency.lua" ''
alsa_monitor.rules = {
{
matches = ${matches};
apply_properties = ${apply_properties};
}
}
'')
]
++ optionals hasBT [
(pkgs.writeTextDir "share/bluetooth.lua.d/51-bluez-config.lua" ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'')
];
};
};
systemd.user.services = {
pipewire.wantedBy = ["default.target"];
pipewire-pulse.wantedBy = ["default.target"];
};
};
}

16
inputs/system/modules/base/bootloader/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ lib, ... }:
{
imports = [ ./systemd ./plymouth ];
options.systemModules = {
bootloader = {
systemd = {
enable = lib.mkEnableOption "Enable systemd bootloader module";
};
};
plymouth = {
enable = lib.mkEnableOption "Enable plymouth bootscreen";
};
};
}

1
inputs/system/modules/base/bootloader/grub/default.nix Normal file
View file

@ -0,0 +1 @@
## to be implemented

15
inputs/system/modules/base/bootloader/plymouth/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, config, pkgs, ... }:
let
cfg = config.systemModules.plymouth;
in
{
config = lib.mkIf cfg.enable {
boot.plymouth = {
enable = true;
themePackages = [(pkgs.catppuccin-plymouth.override {variant = "mocha";})];
theme = "catppuccin-mocha";
};
};
}

18
inputs/system/modules/base/bootloader/systemd/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
boot.loader = {
systemd-boot = {
enable = true;
consoleMode = "max";
};
efi.canTouchEfiVariables = true;
};
};
}

27
inputs/system/modules/base/default.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, ... }:
{
imports = [
./gaming
./shell
./bootloader
./nix
./programs
./displayManager
./networking
./locale
./virtualization
./security
./services
./audio
./host
./video
];
options.systemModules = {
virtualisation = {
enable = lib.mkEnableOption "Enable virtualisation module";
};
};
}

5
inputs/system/modules/base/displayManager/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./tuigreet
];
}

30
inputs/system/modules/base/displayManager/tuigreet/default.nix Normal file
View file

@ -0,0 +1,30 @@
{ pkgs, lib, config, ... }:
let
inherit (lib) mkIf;
tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${tuigreet} --time --remember --cmd Hyprland"; # TODO: dont hardcode this
user = "greeter";
};
};
};
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal"; # Without this errors will spam on screen
# Without these bootlogs will spam on screen
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
};
}

68
inputs/system/modules/base/gaming/default.nix Normal file
View file

@ -0,0 +1,68 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
steamFix = pkgs.steam.override {
extraPkgs = pkgs: with pkgs; [
xorg.libXcursor
xorg.libXi
xorg.libXinerama
xorg.libXScrnSaver
libpng
libpulseaudio
libvorbis
stdenv.cc.cc.lib
libkrb5
keyutils
mangohud
winetricks
protontricks
gtk3
gtk3-x11
];
};
host = config.systemModules.host;
in
{
config = mkIf (elem "gaming" host.function) {
hardware.opengl.extraPackages = [ pkgs.gamescope ];
programs = {
steam = {
enable = true;
package = steamFix;
extraCompatPackages = [ pkgs.proton-ge-bin.steamcompattool ];
};
gamescope = {
enable = true;
capSysNice = true;
};
gamemode = {
enable = true;
settings = {
general = {
renice = 15;
softrealtime = "auto";
};
custom = {
start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
};
};
};
};
networking.firewall = {
allowedTCPPorts = [ 3074 ];
allowedUDPPorts = [
88
500
3074
2075
3544
4500
];
};
};
}

65
inputs/system/modules/base/host/admin/default.nix Normal file
View file

@ -0,0 +1,65 @@
{ lib, config, pkgs, inputs, outputs, self, ... }:
let
cfg = config.systemModules.host.admin;
host = config.systemModules.host;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
inherit (lib) mkIf types mkOption;
in
{
options.systemModules.host.admin = {
name = mkOption {
type = types.str;
default = "ooks";
description = "Name of the primary user";
};
shell = mkOption {
type = types.enum ["fish" "bash" "zsh"];
default = "zsh";
description = "The login shell of the primary user";
};
sshKey = mkOption {
type = types.str;
default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
description = "The ssh key for the admin user";
};
homeManager = mkOption {
type = types.bool;
default = false;
description = "Enables home manager module for the admin user";
};
};
config = {
users.users.${cfg.name} = {
isNormalUser = true;
shell = pkgs.${cfg.shell};
initialPassword = "password";
openssh.authorizedKeys.keys = [ "${cfg.sshKey}" ];
extraGroups = [
"wheel"
"video"
"audio"
] ++ ifTheyExist [
"git"
"media"
"network"
"libvirtd"
"deluge"
"streamer"
"torrenter"
];
};
home-manager = mkIf cfg.homeManager {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "hm.old";
verbose = true;
extraSpecialArgs = { inherit inputs outputs self; };
users.${cfg.name} = {
imports = [ "${self}/inputs/home/user/${cfg.name}/${host.name}" ];
};
};
};
}

9
inputs/system/modules/base/host/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./admin
./name
./type
./function
./hardware
];
}

13
inputs/system/modules/base/host/function/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ... }:
let
inherit (lib) types mkOption;
in
{
options.systemModules.host.function = mkOption {
type = with types; listOf (enum ["gaming" "workstation" "media-server"]);
default = [];
description = "Host's primary function/s";
};
}

29
inputs/system/modules/base/host/function/workstation/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
function = config.systemModules.host.function;
in
{
config = mkIf (elem "workstation" function) {
systemModules = {
audio.enable = true;
video.enable = true;
programs = {
dconf.enable = true;
wireshark.enable = true;
bandwhich.enable = true;
kdeconnect.enable = true;
};
services = {
}
}
}
}

15
inputs/system/modules/base/host/hardware/common/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
hardware = {
enableRedistributableFirmware = true;
enableAllFirmware = true;
};
};
}

42
inputs/system/modules/base/host/hardware/cpu/amd/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkMerge mkEnableOption mkIf versionAtLeast versionOlder;
inherit (builtins) elem;
cpu = config.systemModules.host.hardware.cpu;
cfg = cpu.amd;
kernelVersion = config.boot.kernelPackages.kernel.version;
kernelVersionAtLeast = versionAtLeast kernelVersion;
kernelVersionOlder= versionOlder kernelVersion;
in
{
options.systemModules.host.hardware.cpu.amd.pstate.enable = mkEnableOption "Enable amd pstate module";
config = mkIf (elem cpu.type ["amd"]) {
environment.systemPackages = [pkgs.amdctl];
hardware.cpu.amd.updateMicrocode = true;
boot = mkMerge [
{
kernelModules = [
"amd-pstate"
"amd-kvm" # virtulization
"msr" # required for amdctl
];
}
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "5.27") && (kernelVersionOlder "6.1")) {
kernelParams = ["initcall_blacklist-acpi_cpufreq_init"];
kernelModules = ["amd-pstate"];
})
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.1") && (kernelVersionOlder "6.3")) {
kernelParams = ["amd_pstate=passive"];
})
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.3")) {
kernelParams = ["amd_pstate=active"];
})
];
};
}

18
inputs/system/modules/base/host/hardware/cpu/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, ... }:
let
inherit (lib) types mkOption;
in
{
imports = [
./amd
./intel
];
options.systemModules.host.hardware.cpu.type = mkOption {
type = with types; nullOr (enum ["intel" "amd"]);
default = null;
description = "Type of cpu system module to use";
};
}

20
inputs/system/modules/base/host/hardware/cpu/intel/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
hardware = config.systemModules.host.hardware.cpu;
in
{
# TODO: put kvm/gvt behind virtualization module flag
config = mkIf (elem hardware.type ["intel"]) {
boot = {
kernelModules = ["kvm-intel"];
kernelParams = ["i915.fastboot=1" "enable_gvt=1"];
};
hardware.cpu.intel.updateMicrocode = true;
environment.systemPackages = [pkgs.intel-gpu-tools];
};
}

8
inputs/system/modules/base/host/hardware/default.nix Normal file
View file

@ -0,0 +1,8 @@
{
imports = [
./cpu
./gpu
./features
./common
];
}

13
inputs/system/modules/base/host/hardware/features/backlight/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
let
features = config.systemModules.host.hardware.features;
inherit (lib) mkIf;
inherit (builtins) elem;
in
{
config = mkIf (elem "backlight" features) {
hardware.brillo.enable = true;
};
}

94
inputs/system/modules/base/host/hardware/features/battery/default.nix Normal file
View file

@ -0,0 +1,94 @@
{ lib, config, pkgs, ... }:
let
features = config.systemModules.host.hardware.features;
cfg = config.systemModules.host.hardware.battery;
inherit (lib) mkIf mkDefault mkOption types;
inherit (builtins) elem;
MHz = x: x * 1000;
in
{
options.systemModules.host.hardware.battery = {
powersave = {
minFreq = mkOption {
type = types.int;
default = 800;
description = "Minimum frequency for powersave mode in MHz";
};
maxFreq = mkOption {
type = types.int;
default = 1100;
description = "Maximum frequency for powersave mode in MHz";
};
};
performance = {
minFreq = mkOption {
type = types.int;
default = 1500;
description = "Minimum frequency for performance mode in MHz";
};
maxFreq = mkOption {
type = types.int;
default = 2600;
description = "Maximum frequency for performance mode in MHz";
};
};
};
config = mkIf (elem "battery" features) {
boot = {
kernelModules = ["acpi_call"];
extraModulePackages = with config.boot.kernelPackages; [
acpi_call
cpupower
];
};
services = {
auto-cpufreq = {
enable = true;
settings = {
battery = {
governor = "powersave";
scaling_min_freq = mkDefault (MHz cfg.powersave.minFreq);
scaling_max_freq = mkDefault (MHz cfg.powersave.maxFreq);
turbo = "never";
};
charger = {
governor = "performance";
scaling_min_freq = mkDefault (MHz cfg.performance.minFreq);
scaling_max_freq = mkDefault (MHz cfg.performance.maxFreq);
turbo = "auto";
};
};
};
upower = {
enable = true;
percentageLow = 25;
percentageCritical = 5;
percentageAction = 3;
criticalPowerAction = "Hibernate";
};
undervolt = {
enable = true;
tempBat = 65;
};
thermald.enable = true;
power-profiles-daemon.enable = true;
logind = {
lidSwitch = "suspend";
};
};
environment.systemPackages = with pkgs; [
acpi
powertop
];
};
}

24
inputs/system/modules/base/host/hardware/features/bluetooth/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
let
features = config.systemModules.host.hardware.features;
inherit (lib) mkIf;
inherit (builtins) elem;
in
{
config = mkIf (elem "bluetooth" features) {
hardware.bluetooth = {
enable = true;
package = pkgs.bluez5-experimental;
};
environment.systemPackages = with pkgs; [
live-buds-cli
bluetuith
];
# https://github.com/NixOS/nixpkgs/issues/114222
systemd.user.services.telephony_client.enable = false;
};
}

20
inputs/system/modules/base/host/hardware/features/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ lib, config, ... }:
let
inherit (lib) types mkOption;
in
{
imports = [
./bluetooth
./backlight
./battery
./ssd
];
options.systemModules.host.hardware.features = mkOption {
type = with types; listOf (enum ["bluetooth" "backlight" "battery" "ssd"]);
default = [];
description = "What extra hardware feature system modules to use";
};
}

23
inputs/system/modules/base/host/hardware/features/ssd/default.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, config, ... }:
let
features = config.systemModules.host.hardware.features;
inherit (lib) mkIf;
inherit (builtins) elem;
in
{
config = mkIf (elem "ssd" features) {
services.fstrim = {
enable = true;
};
# only run fstrim while connected on AC
systemd.services.fstrim = {
unitConfig.ConditionACPower = true;
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
};
};
};
}

29
inputs/system/modules/base/host/hardware/gpu/amd/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
gpu = config.systemModules.host.hardware.gpu;
inherit (lib) mkIf mkDefault;
inherit (builtins) elem;
in
{
config = mkIf (elem gpu.type ["amd"]) {
hardware.opengl = {
extraPackages = with pkgs; [
vulkan-tools
vulkan-loader
vulkan-extension-layer
vulkan-validation-layers
# amdvlk
mesa
];
extraPackages32 = [ pkgs.driversi686Linux.amdvlk ];
};
boot = {
initrd.kernelModules = ["amdgpu"];
kernelModules = ["amdgpu"];
};
environment.systemPackages = [ pkgs.nvtopPackages.amd ];
services.xserver.videoDrivers = mkDefault ["modesetting" "amdgpu"];
};
}

19
inputs/system/modules/base/host/hardware/gpu/default.nix Normal file
View file

@ -0,0 +1,19 @@
{ lib, ... }:
let
inherit (lib) types mkOption;
in
{
imports = [
./amd
./intel
./nvidia
];
options.systemModules.host.hardware.gpu.type = mkOption {
type = with types; nullOr (enum ["intel" "amd" "nvidia"]);
default = null;
description = "Type of gpu system module to use";
};
}

37
inputs/system/modules/base/host/hardware/gpu/intel/default.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
let
gpu = config.systemModules.host.hardware.gpu;
inherit (lib) mkIf;
inherit (builtins) elem;
# vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
in
{
config = mkIf (elem gpu.type ["intel"]) {
services.xserver.videoDrivers = ["modesetting"];
hardware.opengl = {
extraPackages = with pkgs; [
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
intel-media-driver
];
extraPackages32 = with pkgs.pkgsi686Linux; [
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-media-driver
];
};
boot.initrd.kernelModules = ["i915"];
environment.variables = mkIf config.hardware.opengl.enable {
VDPAU_DRIVER = "va_gl";
};
};
}

51
inputs/system/modules/base/host/hardware/gpu/nvidia/default.nix Normal file
View file

@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }:
let
gpu = config.systemModules.host.hardware.gpu;
inherit (lib) mkIf mkDefault;
inherit (builtins) elem;
production = config.boot.kernelPackages.nvidiaPackages.production;
# beta = config.boot.kernelPackages.nvidiaPackages.beta;
in
{
# TODO: make option to choose nvidia package
config = mkIf (elem gpu.type ["nvidia"]) {
hardware = {
nvidia = {
open = mkDefault true;
package = production;
forceFullCompositionPipeline = true;
nvidiaSettings = false;
nvidiaPersistenced = true;
modesetting.enable = true;
powerManagement = {
enable = mkDefault true;
finegrained = mkDefault false;
};
};
opengl = {
extraPackages = with pkgs; [ nvidia-vaapi-driver ];
extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ];
};
};
environment.systemPackages = with pkgs; [
libva
libva-utils
vulkan-loader
vulkan-validation-layers
vulkan-tools
vulkan-extension-layer
mesa
nvtopPackages.nvidia
];
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "nvidia";
NVD_BACKEND = "direct";
};
};
}

21
inputs/system/modules/base/host/name/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ lib, config, ... }:
let
inherit (lib) types mkOption;
cfg = config.systemModules.host;
in
{
options.systemModules.host = {
name = mkOption {
type = types.str;
default = "ooksgeneric";
description = "Name of host machine";
};
};
config = {
networking.hostName = cfg.name;
environment.sessionVariables.HN = cfg.name;
};
}

13
inputs/system/modules/base/host/type/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ... }:
let
inherit (lib) mkOption types;
in
{
options.systemModules.host.type = mkOption {
type = types.enum ["desktop" "laptop" "mixed" "server" "phone" "laptop" "micro" "vm"];
default = "";
description = "Declare what type of device the host is";
};
}

17
inputs/system/modules/base/locale/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ lib, ... }:
let
inherit (lib) mkDefault;
in
{
i18n = {
defaultLocale = mkDefault "en_US.UTF-8";
supportedLocales = mkDefault [
"en_US.UTF-8/UTF-8"
];
};
time.timeZone = mkDefault "Pacific/Auckland";
location.provider = "geoclue2";
services.geoclue2.enable = true;
}

29
inputs/system/modules/base/networking/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
imports = [
./firewall
./tools
./ssh
./tcp
./resolved
./tailscale
];
config = mkIf (host.type != "phone") {
networking.networkmanager = {
enable = true;
dns = "systemd-resolved";
};
systemd = {
network.wait-online.enable = false;
services.NetworkManager-wait-online.enable = false;
};
};
}

18
inputs/system/modules/base/networking/firewall/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
networking.firewall = {
enable = true;
allowedTCPPorts = [
443 # https
57621 # spotify
];
};
};
}

19
inputs/system/modules/base/networking/resolved/default.nix Normal file
View file

@ -0,0 +1,19 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
services.resolved = {
enable = true;
fallbackDns = ["9.9.9.9"];
# allow-downgrade is vulnerable to downgrade attacks
extraConfig = ''
DNSOverTLS=yes # or allow-downgrade
'';
};
};
}

39
inputs/system/modules/base/networking/ssh/default.nix Normal file
View file

@ -0,0 +1,39 @@
{ lib, config, ... }:
let
inherit (lib) mkIf mkDefault;
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
phoneKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINredx07UAk2l1wUPujYnmJci1+XEmcUuSX0DIYg6Vzz";
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
environment.sessionVariables.SSH_AUTH_SOCK = "~/.1password/agent.sock";
services.openssh = {
enable = true;
settings = {
UseDns = false;
PasswordAuthentication = false;
AuthenticationMethods = "publickey";
UsePAM = false;
PermitRootLogin = "no";
StreamLocalBindUnlink = "yes";
KbdInteractiveAuthentication = mkDefault false;
};
};
programs = {
ssh = {
knownHosts = {
"192.168.1.36".publicKey = phoneKey;
};
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
};
}

62
inputs/system/modules/base/networking/tailscale/default.nix Normal file
View file

@ -0,0 +1,62 @@
{ lib, config, pkgs, ... }:
let
cfg = config.systemModules.networking.tailscale;
inherit (config.services) tailscale;
inherit (lib.lists) optionals;
inherit (lib.types) bool listOf str;
inherit (lib.strings) concatStringsSep;
inherit (lib) mkIf mkEnableOption mkOption mkDefault;
in
{
options.systemModules.networking.tailscale = {
enable = mkEnableOption "Enable tailscale system module";
server = mkOption {
type = bool;
default = false;
description = "Define if the host is a server";
};
client = mkOption {
type = bool;
default = cfg.enable;
description = "Define if the host is a client";
};
tag = mkOption {
type = listOf str;
default =
if cfg.client then ["tag:client"]
else if cfg.server then ["tag:server"]
else [];
description = "Sets host tag depending on if server/client";
};
operator = mkOption {
type = str;
default = "ooks";
description = "Name of the tailscale operator";
};
};
config = mkIf cfg.enable {
services.tailscale = {
enable = true;
useRoutingFeatures = mkDefault "both";
# permitCertUid = "root";
extraUpFlags =
[ "--ssh" "--operator=$USER" ]
++ optionals cfg.server [ "--advertise-exit-node" ]
++ optionals (cfg.tags != []) ["--advertise-tags" (concatStringsSep "," cfg.tags)];
};
networking.firewall = {
allowedUDPPorts = [tailscale.port];
trustedInterfaces = ["${tailscale.interfaceName}"];
checkReversePath = "loose";
};
systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
environment.systemPackages = [ pkgs.tailscale ];
};
}

79
inputs/system/modules/base/networking/tcp/default.nix Normal file
View file

@ -0,0 +1,79 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
# nyx module
config = mkIf (host.type != "phone") {
boot = {
kernelModules = ["tls" "tcp_bbr"];
kernel.sysctl = {
# TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# And other stuff
"net.ipv4.conf.all.log_martians" = true;
"net.ipv4.conf.default.log_martians" = true;
"net.ipv4.icmp_echo_ignore_broadcasts" = true;
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv4.tcp_timestamps" = 0;
# TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
# Other stuff that I am too lazy to document
"net.core.optmem_max" = 65536;
"net.core.rmem_default" = 1048576;
"net.core.rmem_max" = 16777216;
"net.core.somaxconn" = 8192;
"net.core.wmem_default" = 1048576;
"net.core.wmem_max" = 16777216;
"net.ipv4.ip_local_port_range" = "16384 65535";
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 2000000;
"net.ipv4.tcp_mtu_probing" = 1;
"net.ipv4.tcp_rmem" = "4096 1048576 2097152";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
"net.ipv4.udp_rmem_min" = 8192;
"net.ipv4.udp_wmem_min" = 8192;
"net.netfilter.nf_conntrack_generic_timeout" = 60;
"net.netfilter.nf_conntrack_max" = 1048576;
"net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
"net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
};
};
};
}

9
inputs/system/modules/base/networking/tools/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
traceroute
mtr
tcpdump
];
}

10
inputs/system/modules/base/nix/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ lib, ... }:
{
imports = [
./nh
./nix
./nixpkgs
./subs
];
}

22
inputs/system/modules/base/nix/nh/default.nix Normal file
View file

@ -0,0 +1,22 @@
{ pkgs, lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
# TODO: i dont't want to hardcode this.
environment.variables.FLAKE = "/home/ooks/.config/ooknix/";
programs.nh = {
enable = true;
package = pkgs.nh;
clean = {
enable = true;
extraArgs = "--keep-since 30d";
};
};
};
}

23
inputs/system/modules/base/nix/nix/default.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, inputs, ... }:
let
inherit (lib) mkIf mapAttrs mkDefault;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
nix = {
settings = {
trusted-users = [ "root" "@wheel" ];
auto-optimise-store = mkDefault true;
experimental-features = [ "nix-command" "flakes" "repl-flake" ];
warn-dirty = false;
system-features = [ "kvm" "big-parallel" "nixos-test" ];
flake-registry = "";
};
registry = mapAttrs (_: value: { flake = value; }) inputs;
nixPath = [ "nixpkgs=${inputs.nixpkgs.outPath}" ];
};
};
}

26
inputs/system/modules/base/nix/nixpkgs/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib, config, inputs, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
nixpkgs = {
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssl-1.1.1u"
"electron-25.9.0"
];
};
overlays = [
(final: prev: {
waybar = inputs.nixpkgs-wayland.packages.${prev.system}.waybar;
zjstatus = inputs.zjstatus.packages.${prev.system}.default;
})
];
};
};
}

33
inputs/system/modules/base/nix/subs/default.nix Normal file
View file

@ -0,0 +1,33 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
nix.settings = {
substituters = [
"https://cache.nixos.org?priority=10"
"https://fufexan.cachix.org"
"https://helix.cachix.org"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
"https://nix-gaming.cachix.org"
"https://anyrun.cachix.org"
"https://nixpkgs-wayland.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
"anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
];
};
};
}

13
inputs/system/modules/base/programs/bandwhich/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
host = config.systemModules.host;
in
{
config = mkIf (elem "workstation" host.function) {
programs.bandwhich.enable = true;
};
}

13
inputs/system/modules/base/programs/dconf/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
host = config.systemModules.host;
in
{
config = mkIf (elem "workstation" host.function){
programs.dconf.enable = true;
};
}

9
inputs/system/modules/base/programs/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./dconf
./kdeconnect
./seahorse
./wireshark
./bandwhich
];
}

7
inputs/system/modules/base/programs/kdeconnect/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
programs.kdeconnect = {
enable = true;
};
}

13
inputs/system/modules/base/programs/seahorse/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
host = config.systemModules.host;
in
{
config = mkIf (elem "workstation" host.function) {
programs.seahorse.enable = true;
};
}

13
inputs/system/modules/base/programs/wireshark/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
host = config.systemModules.host;
in
{
config = mkIf (elem "workstation" host.function) {
programs.wireshark.enable = true;
};
}

18
inputs/system/modules/base/security/1password/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
programs = {
_1password.enable = true;
_1password-gui = {
enable = true;
polkitPolicyOwners = [ "${host.admin.name}" ];
};
};
};
}

9
inputs/system/modules/base/security/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./1password
./kernel
./pam
./polkit
./sudo
];
}

195
inputs/system/modules/base/security/kernel/default.nix Normal file
View file

@ -0,0 +1,195 @@
{ lib, config, ... }:
let
inherit (lib) optionals mkForce concatLists;
inherit (builtins) elem;
features = config.systemModules.host.hardware.features;
in
{
security = {
# Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
protectKernelImage = true;
# page table isolation (PTI) is a kernel option designed to protect against
# side-channel attacks, including Meltdown & Spectre vunerabilities.
forcePageTableIsolation = true;
# locking kernel modules during runtime breaks certain services by stopping them from being
# loaded at runtime. we use some of these services, so we disable this kernel option.
lockKernelModules = false;
# we enable simultaneous multithreading (SMT) because while it increases our attack surface
# disabling it comes at a large perfomance loss.
allowSimultaneousMultithreading = true;
# slight increase in attack surface, but allows for sandboxing
allowUserNamespaces = true;
# we don't need unpivileged user namespaces unless we are messing with containers so we disable
unprivilegedUsernsClone = false;
};
boot = {
kernel = {
sysctl = {
# obfuscate kernel pointers to protect against attacks that rely on memory layout of the kernel
"kernel.kptr_restrict" = 2;
# we don't make use of sysrq so we disable it to protect ourselves against potential physical attacks
"kernel.sysrq" = mkForce 0;
# limits the exposer of the kernel memory address via dmesg
"kernel.dmesg_restrict" = 1;
# we are not a kernel developer so we disable this to prevent potential information leaks & attacks
"kernel.ftrace_enabled" = false;
# disables performance events for all non-root users, root can only acess events that are explicitly
# enabled.
"kernel.perf_event_paranoid" = 3;
# disables the use of berkeley packet filter (BPF) to unpriviliged users.
"kernel.unprivileged_bpf_disabled" = 1;
# prevents potentially leaking sensitive information from the boot console kernel log.
"kernel.printk" = "3 3 3 3";
# just-in-time (JIT) compiler for the berkeley packet filter (BPF). disable this as we dont make use
# of it and reduces potential security risks.
"net.core.bpf_jit_enable" = false;
# disables core dumps for SUID and SGID this reduces the risk of exposing sensitive information
# that might reside in the memory at the time of a crash
"fs.suid_dumpable" = 0;
# enforces strict access to files only allows the user or root to write regular files
"fs.protected_regular" = 2;
"fs.protected_fifos" = 2;
# disables the automatic loading of TTY line disciplines
"dev.tty.ldisc_autoload" = "0";
};
};
# https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
kernelParams = [
# kernel errors can trigger something known as an "oops", by settings oops=panic we add a fail-safe
# mechanism to ensure that in the advent of an oops the system reboots, preventing the system from running
# in a potentially compromised state.
"oops=panic"
# enforces signature checking on all kernel modules before they are loaded.
"module.sig_enforce=1"
# enables memory page poisoning, increasing the difficulty for attackers to exploit
# use-after-free vulnerabillities.
"page_poison=on"
# enables kernel adress space layout randomization (KASLR) which mitigates memory exploits
# & increases system entropy.
"page_alloc.shuffle=1"
# randomizes the kernel stack offset, mitigating stack-based attacks.
"randomize_kstack_offset=on"
# lockdown aims to restrict certain kernel functionality that could be exploited by an attacker with
# user space code.
"lockdown=confidentiality"
# disables a common interface that contains sensitive info on the kernel
"debugfs=off"
# prevent kernel from blanking plymouth out of the frame buffer console
"fbcon=nodefer"
# enables auditing of integrity measurement events
"integrity_audit=1"
# increases memory safety by modifying the state of the memory objects more closely & helps detecting
# & identifying bugs
"slub_debug=FZP"
# disables the legacy vyscall mechanism, reducing attack surface.
"vsyscall=none"
# reduce exposure to heap attacks by preventing different slab caches from being merged.
"slab_nomerge"
"rootflags=noatime"
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
];
blacklistedKernelModules = concatLists [
# Obscure network protocols
[
"dccp" # Datagram Congestion Control Protocol
"sctp" # Stream Control Transmission Protocol
"rds" # Reliable Datagram Sockets
"tipc" # Transparent Inter-Process Communication
"n-hdlc" # High-level Data Link Control
"netrom" # NetRom
"x25" # X.25
"ax25" # Amatuer X.25
"rose" # ROSE
"decnet" # DECnet
"econet" # Econet
"af_802154" # IEEE 802.15.4
"ipx" # Internetwork Packet Exchange
"appletalk" # Appletalk
"psnap" # SubnetworkAccess Protocol
"p8022" # IEEE 802.3
"p8023" # Novell raw IEEE 802.3
"can" # Controller Area Network
"atm" # ATM
]
# Old or rare or insufficiently audited filesystems
[
"adfs" # Active Directory Federation Services
"affs" # Amiga Fast File System
"befs" # "Be File System"
"bfs" # BFS, used by SCO UnixWare OS for the /stand slice
"cifs" # Common Internet File System
"cramfs" # compressed ROM/RAM file system
"efs" # Extent File System
"erofs" # Enhanced Read-Only File System
"exofs" # EXtended Object File System
"freevxfs" # Veritas filesystem driver
"f2fs" # Flash-Friendly File System
"vivid" # Virtual Video Test Driver (unnecessary, and a historical cause of escalation issues)
"gfs2" # Global File System 2
"hpfs" # High Performance File System (used by OS/2)
"hfs" # Hierarchical File System (Macintosh)
"hfsplus" # " same as above, but with extended attributes
"jffs2" # Journalling Flash File System (v2)
"jfs" # Journaled File System - only useful for VMWare sessions
"ksmbd" # SMB3 Kernel Server
"minix" # minix fs - used by the minix OS
"nfsv3" # " (v3)
"nfsv4" # Network File System (v4)
"nfs" # Network File System
"nilfs2" # New Implementation of a Log-structured File System
"omfs" # Optimized MPEG Filesystem
"qnx4" # extent-based file system used by the QNX4 and QNX6 OSes
"qnx6" # "
"squashfs" # compressed read-only file system (used by live CDs)
"sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
"udf" # https://docs.kernel.org/5.15/filesystems/udf.html
]
# Disable Thunderbolt and FireWire to prevent DMA attacks
[
"thunderbolt"
"firewire-core"
]
# if bluetooth is enabled, whitelist the module
# necessary for bluetooth dongles to work
(optionals (! (elem "bluetooth" features)) [
"bluetooth" # let bluetooth work
"btusb" # let bluetooth dongles work
])
];
};
}

23
inputs/system/modules/base/security/pam/default.nix Normal file
View file

@ -0,0 +1,23 @@
{
security = {
pam = {
loginLimits = [
{
domain = "@wheel";
item = "nofile";
type = "soft";
value = "524288";
}
{
domain = "@wheel";
item = "nofile";
type = "hard";
value = "1048576";
}
];
services = {
hyprlock = {};
};
};
};
}

19
inputs/system/modules/base/security/polkit/default.nix Normal file
View file

@ -0,0 +1,19 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault mkIf;
in
{
security.polkit = {
enable = true;
debug = mkDefault true;
extraConfig = mkIf config.security.polkit.debug ''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
'';
};
}

60
inputs/system/modules/base/security/sudo/default.nix Normal file
View file

@ -0,0 +1,60 @@
{ lib, ... }:
let
inherit (lib) mkDefault mkForce;
in
{
# nyx module
security = {
sudo-rs.enable = mkForce false; # we don't want the rust sudo fork
sudo = {
enable = true;
wheelNeedsPassword = mkDefault false; # only use false here if the extraRules below are enabled
execWheelOnly = mkForce true; # only allow wheel to execute sudo
extraConfig = /* shell */ ''
Defaults lecture = never # disable sudo lecture
Defaults pwfeedback # password feedback
Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
'';
extraRules = [
{
# allow wheel group to run nixos-rebuild without password
groups = ["wheel"];
commands = let
currentSystem = "/run/current-system/";
storePath = "/nix/store/";
in [
{
command = "${storePath}/*/bin/switch-to-configuration";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nix-store";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nix-env";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nixos-rebuild";
options = ["NOPASSWD"];
}
{
# let wheel group collect garbage without password
command = "${currentSystem}/sw/bin/nix-collect-garbage";
options = ["SETENV" "NOPASSWD"];
}
{
# let wheel group interact with systemd without password
command = "${currentSystem}/sw/bin/systemctl";
options = ["NOPASSWD"];
}
];
}
];
};
};
}

17
inputs/system/modules/base/services/dbus/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (lib.lists) any elem;
hasFunction = f: elem f config.systemModules.host.function;
in
{
config = mkIf (any hasFunction ["workstation" "gaming"]) {
services.dbus = {
enable = true;
packages = with pkgs; [ dconf gcr udisks2 ];
implementation = "broker";
};
};
}

18
inputs/system/modules/base/services/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, ... }:
{
imports = [
./mediaServer
./system76Scheduler
./dbus
./gnome
./gvfs
];
options.systemModules.services = {
mediaServer = {
enable = lib.mkEnableOption "Enable mediaserver service module";
};
};
}

18
inputs/system/modules/base/services/gnome/default.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone" && host.type != "server") {
services = {
gnome = {
glib-networking.enable = true;
gnome-keyring.enable = true;
};
udev.packages = [ pkgs.gnome.gnome-settings-daemon ];
};
};
}

12
inputs/system/modules/base/services/gvfs/default.nix Normal file
View file

@ -0,0 +1,12 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf ( host.type != "phone") {
services.gvfs.enable = true;
};
}

51
inputs/system/modules/base/services/mediaServer/default.nix Normal file
View file

@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }:
let
cfg = config.systemModules.services.mediaServer;
in
{
config = lib.mkIf cfg.enable {
users.groups.media = { };
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
services = {
jellyfin = {
group = "media";
enable = true;
openFirewall = true;
};
deluge = {
group = "media";
enable = true;
web.enable = true;
};
radarr = {
group = "media";
enable = true;
openFirewall = true;
};
sonarr = {
group = "media";
enable = true;
openFirewall = true;
};
prowlarr.enable = true;
};
systemd.tmpfiles.rules = [
"d /jellyfin 0770 - media - -"
];
fileSystems."/jellyfin" = {
device = "/dev/disk/by-label/jellyfin";
fsType = "btrfs";
};
};
}

20
inputs/system/modules/base/services/system76Scheduler/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ lib, config, ... }:
let
inherit (lib) mkIf;
host = config.systemModules.host;
in
{
config = mkIf (host.type != "phone") {
services.system76-scheduler = {
enable = true;
};
# fix suspend issues
powerManagement = {
powerDownCommands = "systemctl stop system76-scheduler";
resumeCommands = "systemctl start system76-scheduler";
};
};
}

17
inputs/system/modules/base/shell/bash/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkIf;
adminShell = config.systemModules.host.admin.shell;
cfg = config.systemModules.shell.zsh;
in
{
config = mkIf (adminShell == "bash" || cfg.enable) {
programs.bash = {
enable = true;
};
environment.pathsToLink = ["/share/bash-completion"];
};
}

7
inputs/system/modules/base/shell/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./fish
./bash
./zsh
];
}

22
inputs/system/modules/base/shell/fish/default.nix Normal file
View file

@ -0,0 +1,22 @@
{ lib, config, ... }:
let
inherit (lib) mkIf mkEnableOption;
adminShell = config.systemModules.host.admin.shell;
cfg = config.systemModules.shell.fish;
in
{
options.systemModules.shell.fish.enable = mkEnableOption "Enable fish module";
config = mkIf (adminShell == "fish" || cfg.enable) {
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
};
}

25
inputs/system/modules/base/shell/zsh/default.nix Normal file
View file

@ -0,0 +1,25 @@
{ lib, config, ... }:
let
inherit (lib) mkIf mkEnableOption;
adminShell = config.systemModules.host.admin.shell;
cfg = config.systemModules.shell.zsh;
in
{
options.systemModules.shell.zsh.enable = mkEnableOption "Enable zsh module";
config = mkIf (adminShell == "zsh" || cfg.enable) {
programs.zsh = {
enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
autosuggestions = {
enable = true;
async = true;
};
};
environment.pathsToLink = ["/share/zsh"];
};
}

21
inputs/system/modules/base/video/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ lib, config, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (builtins) elem;
isx86Linux = pkgs: with pkgs.stdenv; hostPlatform.isLinux && hostPlatform.isx86;
host = config.systemModules.host;
validFunction = ["workstation" "gaming" "media-server"];
in
{
config = mkIf (elem host.function validFunction) {
hardware = {
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = isx86Linux pkgs;
};
};
};
}

33
inputs/system/modules/base/virtualization/default.nix Normal file
View file

@ -0,0 +1,33 @@
{ lib, config, pkgs, ... }:
let
cfg = config.systemModules.virtualisation;
in
{
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
virt-manager
virt-viewer
spice
spice-gtk
spice-protocol
win-virtio
win-spice
gnome.adwaita-icon-theme
];
virtualisation = {
libvirtd = {
enable = true;
qemu = {
swtpm.enable = true;
ovmf.enable = true;
ovmf.packages = [ pkgs.OVMFFull.fd ];
};
};
spiceUSBRedirection.enable = true;
};
services.spice-vdagentd.enable = true;
};
}