ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: complete rewrite

Browse source
This commit is contained in:
ooks-io 2024-10-23 23:46:25 +13:00
parent 19a4bbda3c
commit 8e81943cf9
399 changed files with 3396 additions and 8042 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/nixos/appearance/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./options.nix
];
}

74
modules/nixos/appearance/options.nix Normal file
View file

@ -0,0 +1,74 @@
{
config,
lib,
...
}: let
inherit (lib) isString hasPrefix removePrefix mkOption mkOptionType;
inherit (lib.types) enum str nullOr package path int attrsOf coercedTo;
hexColorType = mkOptionType {
name = "hex-color";
descriptionClass = "noun";
description = "RGB color in hex format";
check = x: isString x && !(hasPrefix "#" x);
};
mkFontOption = {
family = mkOption {
type = str;
default = "";
};
package = mkOption {
type = package;
default = null;
};
};
cfg = config.ooknet.appearance;
in {
# imports = [./palettes];
options.ooknet.appearance = {
fonts = {
monospace = mkFontOption;
regular = mkFontOption;
};
wallpaper = {
path = mkOption {
type = path;
default = null;
};
};
cursor = {
package = mkOption {
type = package;
default = null;
};
name = mkOption {
type = str;
default = "";
};
size = mkOption {
type = int;
default = 22;
};
};
# Credit to github:misterio77/nix-colors
colorscheme = {
name = mkOption {
type = enum ["gruvbox-material-medium"];
default = "gruvbox-material-medium";
};
variant = mkOption {
type = enum ["dark" "light"];
default = "dark";
};
slug = mkOption {
type = str;
default = "${toString cfg.colorscheme.name}-${toString cfg.colorscheme.variant}";
};
palette = mkOption {
type = attrsOf (coercedTo str (removePrefix "#") hexColorType);
default = (import ./palettes/${config.ooknet.appearance.colorscheme.slug}.nix).colorscheme.palette;
};
};
};
}

65
modules/nixos/appearance/palettes/gruvbox-material-medium-dark.nix Normal file
View file

@ -0,0 +1,65 @@
{
colorscheme = {
palette = {
crust = "#282828";
mantle = "#32302f";
base = "#3a3735";
surface-0 = "#45403d";
surface-1 = "#504945";
surface-2 = "#5A524C";
overlay-0 = "#696059";
overlay-1 = "#70665C";
overlay-2 = "#7C6F64";
subtext-0 = "#928374";
subtext-1 = "#A89984";
text = "#d4be98";
red = "#ea6962";
dull-red = "#D87974";
bright-red = "#F47771";
orange = "#e78a4e";
dull-orange = "#D39063";
bright-orange = "#F3995E";
yellow = "#d8a657";
dull-yellow = "#c2A16B";
bright-yellow = "#E5B361";
green = "#a9b665";
dull-green = "#989F7A";
bright-green = "#B8C86A";
cyan = "#89b482";
dull-cyan = "#93A790";
bright-cyan = "#92C78A";
blue = "#7daea3";
dull-blue = "#939A98";
bright-blue = "#85C1B4";
purple = "#d3869b";
dull-purple = "#C397A3";
bright-purple = "#E193A8";
base00 = "#282828";
base01 = "#32302f";
base02 = "#504945";
base03 = "#7C6F64";
base04 = "#A89984";
base05 = "#D4BE98";
base06 = "#DDc7a1";
base07 = "#FBF1C7";
base08 = "#EA6962";
base09 = "#E78A4E";
base0A = "#d8a657";
base0B = "#A9B665";
base0C = "#89B482";
base0D = "#7DAEA3";
base0E = "#D3869B";
base0F = "#E37B35";
base10 = "#141617";
base11 = "#050505";
base12 = "#F47771";
base13 = "#D8A657";
base14 = "#B7C86A";
base15 = "#92C78A";
base16 = "#85C1B4";
base17 = "#E193A8";
};
};
}

49
modules/nixos/base/admin.nix Normal file
View file

@ -0,0 +1,49 @@
{
lib,
config,
pkgs,
inputs,
inputs',
self',
self,
keys,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.host) role admin;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
config = {
users.users.${admin.name} = {
isNormalUser = true;
shell = pkgs.${admin.shell};
initialPassword = "password";
openssh.authorizedKeys.keys = [keys.users."${admin.name}"];
extraGroups =
[
"wheel"
"video"
"audio"
]
++ ifTheyExist [
"git"
"media"
"network"
"libvirtd"
"streamer"
"torrenter"
];
};
home-manager = mkIf (role == "workstation" || admin.homeManager) {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "hm.old";
verbose = true;
extraSpecialArgs = {inherit inputs inputs' self self';};
users.${admin.name} = {
imports = ["${self}/modules/home/base"];
};
};
};
}

31
modules/nixos/base/boot.nix Normal file
View file

@ -0,0 +1,31 @@
{lib, ...}: let
inherit (lib) mkDefault;
in {
boot = {
loader = {
systemd-boot = {
enable = mkDefault true;
consoleMode = "max";
editor = false;
configurationLimit = 5;
};
efi.canTouchEfiVariables = mkDefault true;
};
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [
"nvme"
"xhci_pci"
"btrfs"
"sd_mod"
];
};
};
}

14
modules/nixos/base/default.nix Normal file
View file

@ -0,0 +1,14 @@
{
imports = [
./nix.nix
./boot.nix
./admin.nix
./locale.nix
./options.nix
./secrets.nix
./openssh.nix
./tailscale.nix
./networking.nix
./security
];
}

9
modules/nixos/base/locale.nix Normal file
View file

@ -0,0 +1,9 @@
{
time.timeZone = "Pacific/Auckland";
location.provider = "geoclue2";
services.geoclue2.enable = true;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = ["en_US.UTF-8/UTF-8"];
};
}

45
modules/nixos/base/networking.nix Normal file
View file

@ -0,0 +1,45 @@
{lib, ...}: let
inherit (lib) mkForce mkDefault;
in {
imports = [
./openssh.nix
./tailscale.nix
];
networking = {
enableIPv6 = true;
# disable global dhcp
useDHCP = mkForce false;
usePredictableInterfaceNames = mkDefault true;
nameservers = [
#quad9 IPv6
"2620:fe::fe"
"2620:fe::9"
#quad9 IPv4
"9.9.9.9"
"149.112.112.112"
];
networkmanager = {
enable = true;
dns = "systemd-resolved";
wifi = {
macAddress = "random";
scanRandMacAddress = true;
powersave = true;
};
unmanaged = ["interface-name:tailscale*"];
};
};
services = {
resolved = {
enable = true;
domains = ["~."];
fallbackDns = ["9.9.9.9"]; #quad9
#dnsovertls = "true";
};
};
systemd.services.NetworkManager-wait-online.enable = false;
}

69
modules/nixos/base/nix.nix Normal file
View file

@ -0,0 +1,69 @@
{
inputs,
pkgs,
lib,
config,
...
}: let
inherit (builtins) attrValues;
inherit (lib) mkIf mapAttrsToList;
inherit (config.ooknet.host) admin;
in {
environment = {
# disable default nix packages
# these packages are installed by default [ perl rsync strace ]
defaultPackages = [];
systemPackages = attrValues {
inherit (pkgs) git deadnix statix;
inherit (inputs.agenix.packages.${pkgs.system}) default;
};
};
nix = {
# package = pkgs.lix;
registry = {
nixpkgs.flake = inputs.nixpkgs;
default.flake = inputs.nixpkgs;
};
nixPath = mapAttrsToList (name: _: "${name}=${name}") config.nix.registry;
settings = {
trusted-users = ["@wheel" "root"];
experimental-features = ["nix-command" "flakes"];
accept-flake-config = true;
auto-optimise-store = true;
# cache
substituters = [
"https://cache.nixos.org?priority=10"
"https://nix-community.cachix.org"
"https://neovim-flake.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"neovim-flake.cachix.org-1:iyQ6lHFhnB5UkVpxhQqLJbneWBTzM8LBYOFPLNH4qZw="
];
# TODO: setup builders -- builders-use-substitutes = true;
};
};
nixpkgs = {
config.allowUnfree = true;
# why are we doing this
overlays = [
# zellij status bar plugin
(_final: prev: {
zjstatus = inputs.zjstatus.packages.${prev.system}.default;
})
];
};
# nix rebuild utililty
programs.nh = {
enable = true;
# sets an environment variable FLAKE that nh will refer to by default
flake = mkIf admin.homeManager "/home/${admin.name}/.config/ooknet";
# garbage collect
clean = {
enable = true;
extraArgs = "--keep 5 --keep-since 14d";
};
};
}

82
modules/nixos/base/openssh.nix Normal file
View file

@ -0,0 +1,82 @@
{
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [22];
settings = {
UseDns = true;
PubkeyAuthentication = "yes";
PermitRootLogin = "no";
PermitEmptyPasswords = "no";
PasswordAuthentication = false;
# disable support for .rhost files
IgnoreRhosts = "yes";
# by default openssh uses port 22
# restict key exchange, cipher, and MAC algorithms, as per <https://www.ssh-audit.com>
KexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group18-sha512"
"diffie-hellman-group-exchange-sha256"
"diffie-hellman-group16-sha512"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-gcm@openssh.com"
"aes128-ctr"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
/*
HostKeyAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com,ssh-ed25519"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
CASignatureAlgorithms = [
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
GSSAPIKexAlgorithms = [
"gss-curve25519-sha256-"
"gss-group16-sha512"
];
HostbasedAcceptedAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"rsa-sha2-256-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519,rsa-sha2-512"
"rsa-sha2-256"
];
PubkeyAcceptedAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"rsa-sha2-256-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
*/
};
};
}

48
modules/nixos/base/options.nix Normal file
View file

@ -0,0 +1,48 @@
{lib, ...}: let
inherit (lib) mkOption;
inherit (lib.types) str enum bool;
in {
options.ooknet.host = {
name = mkOption {
type = str;
default = "ooks-generic";
};
type = mkOption {
type = enum ["desktop" "laptop"];
};
role = mkOption {
type = enum ["workstation" "server"];
};
exitNode = mkOption {
type = bool;
default = false;
};
admin = {
name = mkOption {
type = str;
default = "ooks";
};
shell = mkOption {
type = enum ["bash" "zsh" "fish"];
default = "fish";
};
gitName = mkOption {
type = str;
default = "ooks-io";
};
gitEmail = mkOption {
type = str;
default = "ooks@protonmail.com";
};
homeManager = mkOption {
type = bool;
default = false;
description = ''
Home-manager is enabled if ooknet.host.role == "workstation".
If host is not a workstation and you would like to enable home-manager
enable this option.
'';
};
};
};
}

31
modules/nixos/base/secrets.nix Normal file
View file

@ -0,0 +1,31 @@
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet) host;
inherit (host) admin;
inherit (config.services) tailscale;
in {
age.identityPaths = [
"/home/${admin.name}/.ssh/id_ed25519"
];
age.secrets = {
tailscale-auth = mkIf tailscale.enable {
file = "${self}/secrets/tailscale-auth.age";
owner = "${admin.name}";
group = "users";
mode = "400";
};
github_key = mkIf admin.homeManager {
file = "${self}/secrets/github_key.age";
path = "/home/${admin.name}/.ssh/github_key";
owner = "${admin.name}";
group = "users";
};
};
}

68
modules/nixos/base/security/apparmor.nix Normal file
View file

@ -0,0 +1,68 @@
{
pkgs,
config,
lib,
...
}: let
inherit (builtins) attrValues;
inherit (lib) getExe;
in {
security = {
apparmor = {
enable = true;
# packages to include with apparmors path
packages = [pkgs.apparmor-profiles];
# kill any process that does not have a apparmor profile enabled
killUnconfinedConfinables = true;
# apparmor policies
# FIXME
policies = {
"default_deny" = {
enforce = false;
enable = false;
profile = ''
profile default_deny /** { }
'';
};
"nix" = {
enforce = false;
enable = false;
profile = ''
${getExe config.nix.package} {
unconfined,
}
'';
};
"sudo" = {
enforce = false;
enable = false;
profile = ''
${getExe pkgs.sudo} {
file /** rwlkUx,
}
'';
};
};
};
};
# enable apparmor mode for dbus
services.dbus.apparmor = "enabled";
# apparmor packages to add to path
environment.systemPackages = attrValues {
inherit
(pkgs)
apparmor-utils
apparmor-bin-utils
apparmor-kernel-patches
apparmor-parser
apparmor-profiles
apparmor-pam
libapparmor
;
};
}

9
modules/nixos/base/security/auditing.nix Normal file
View file

@ -0,0 +1,9 @@
{pkgs, ...}: {
security = {
audit = {
enable = true;
rules = ["-a exit, always -F arch=b64 -s execve"];
};
};
environment.systemPackages = [pkgs.lynis];
}

10
modules/nixos/base/security/default.nix Normal file
View file

@ -0,0 +1,10 @@
{
imports = [
./tcp.nix
./sudo.nix
./kernel.nix
./firewall.nix
./auditing.nix
./apparmor.nix
];
}

8
modules/nixos/base/security/firewall.nix Normal file
View file

@ -0,0 +1,8 @@
{
networking.firewall = {
enable = true;
# dont respond to icmpv4 pings.
allowPing = false;
};
}

198
modules/nixos/base/security/kernel.nix Normal file
View file

@ -0,0 +1,198 @@
{
lib,
config,
...
}: let
inherit (lib) optionals mkForce concatLists;
inherit (builtins) elem;
inherit (config.ooknet.hardware) features;
in {
# see:
# <https://madaidans-insecurities.github.io/guides/linux-hardening.html>
# github:notashelf/nyx
security = {
# Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
protectKernelImage = true;
# page table isolation (PTI) is a kernel option designed to protect against
# side-channel attacks, including Meltdown & Spectre vunerabilities.
forcePageTableIsolation = true;
# locking kernel modules during runtime breaks certain services by stopping them from being
# loaded at runtime. we use some of these services, so we disable this kernel option.
lockKernelModules = false;
# we enable simultaneous multithreading (SMT) because while it increases our attack surface
# disabling it comes at a large perfomance loss.
allowSimultaneousMultithreading = true;
# slight increase in attack surface, but allows for sandboxing
allowUserNamespaces = true;
# we don't need unpivileged user namespaces unless we are messing with containers so we disable
unprivilegedUsernsClone = false;
};
boot = {
kernel = {
sysctl = {
# obfuscate kernel pointers to protect against attacks that rely on memory layout of the kernel
"kernel.kptr_restrict" = 2;
# we don't make use of sysrq so we disable it to protect ourselves against potential physical attacks
"kernel.sysrq" = mkForce 0;
# limits the exposer of the kernel memory address via dmesg
"kernel.dmesg_restrict" = 1;
# we are not a kernel developer so we disable this to prevent potential information leaks & attacks
"kernel.ftrace_enabled" = false;
# disables performance events for all non-root users, root can only acess events that are explicitly
# enabled.
"kernel.perf_event_paranoid" = 3;
# disables the use of berkeley packet filter (BPF) to unpriviliged users.
"kernel.unprivileged_bpf_disabled" = 1;
# prevents potentially leaking sensitive information from the boot console kernel log.
"kernel.printk" = "3 3 3 3";
# just-in-time (JIT) compiler for the berkeley packet filter (BPF). disable this as we dont make use
# of it and reduces potential security risks.
"net.core.bpf_jit_enable" = false;
# disables core dumps for SUID and SGID this reduces the risk of exposing sensitive information
# that might reside in the memory at the time of a crash
"fs.suid_dumpable" = 0;
# enforces strict access to files only allows the user or root to write regular files
"fs.protected_regular" = 2;
"fs.protected_fifos" = 2;
# disables the automatic loading of TTY line disciplines
"dev.tty.ldisc_autoload" = "0";
};
};
# https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
kernelParams = [
# kernel errors can trigger something known as an "oops", by settings oops=panic we add a fail-safe
# mechanism to ensure that in the advent of an oops the system reboots, preventing the system from running
# in a potentially compromised state.
"oops=panic"
# enforces signature checking on all kernel modules before they are loaded.
"module.sig_enforce=1"
# enables memory page poisoning, increasing the difficulty for attackers to exploit
# use-after-free vulnerabillities.
"page_poison=on"
# enables kernel adress space layout randomization (KASLR) which mitigates memory exploits
# & increases system entropy.
"page_alloc.shuffle=1"
# randomizes the kernel stack offset, mitigating stack-based attacks.
"randomize_kstack_offset=on"
# lockdown aims to restrict certain kernel functionality that could be exploited by an attacker with
# user space code.
"lockdown=confidentiality"
# disables a common interface that contains sensitive info on the kernel
"debugfs=off"
# prevent kernel from blanking plymouth out of the frame buffer console
"fbcon=nodefer"
# enables auditing of integrity measurement events
"integrity_audit=1"
# increases memory safety by modifying the state of the memory objects more closely & helps detecting
# & identifying bugs
"slub_debug=FZP"
# disables the legacy vyscall mechanism, reducing attack surface.
"vsyscall=none"
# reduce exposure to heap attacks by preventing different slab caches from being merged.
"slab_nomerge"
"rootflags=noatime"
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
];
blacklistedKernelModules = concatLists [
# Obscure network protocols
[
"dccp" # Datagram Congestion Control Protocol
"sctp" # Stream Control Transmission Protocol
"rds" # Reliable Datagram Sockets
"tipc" # Transparent Inter-Process Communication
"n-hdlc" # High-level Data Link Control
"netrom" # NetRom
"x25" # X.25
"ax25" # Amatuer X.25
"rose" # ROSE
"decnet" # DECnet
"econet" # Econet
"af_802154" # IEEE 802.15.4
"ipx" # Internetwork Packet Exchange
"appletalk" # Appletalk
"psnap" # SubnetworkAccess Protocol
"p8022" # IEEE 802.3
"p8023" # Novell raw IEEE 802.3
"can" # Controller Area Network
"atm" # ATM
]
# Old or rare or insufficiently audited filesystems
[
"adfs" # Active Directory Federation Services
"affs" # Amiga Fast File System
"befs" # "Be File System"
"bfs" # BFS, used by SCO UnixWare OS for the /stand slice
"cifs" # Common Internet File System
"cramfs" # compressed ROM/RAM file system
"efs" # Extent File System
"erofs" # Enhanced Read-Only File System
"exofs" # EXtended Object File System
"freevxfs" # Veritas filesystem driver
"f2fs" # Flash-Friendly File System
"vivid" # Virtual Video Test Driver (unnecessary, and a historical cause of escalation issues)
"gfs2" # Global File System 2
"hpfs" # High Performance File System (used by OS/2)
"hfs" # Hierarchical File System (Macintosh)
"hfsplus" # " same as above, but with extended attributes
"jffs2" # Journalling Flash File System (v2)
"jfs" # Journaled File System - only useful for VMWare sessions
"ksmbd" # SMB3 Kernel Server
"minix" # minix fs - used by the minix OS
"nfsv3" # " (v3)
"nfsv4" # Network File System (v4)
"nfs" # Network File System
"nilfs2" # New Implementation of a Log-structured File System
"omfs" # Optimized MPEG Filesystem
"qnx4" # extent-based file system used by the QNX4 and QNX6 OSes
"qnx6" # "
"squashfs" # compressed read-only file system (used by live CDs)
"sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
"udf" # https://docs.kernel.org/5.15/filesystems/udf.html
]
# Disable Thunderbolt and FireWire to prevent DMA attacks
[
"thunderbolt"
"firewire-core"
]
# if bluetooth is enabled, whitelist the module
# necessary for bluetooth dongles to work
(optionals (! (elem "bluetooth" features)) [
"bluetooth" # let bluetooth work
"btusb" # let bluetooth dongles work
])
];
};
}

15
modules/nixos/base/security/sudo.nix Normal file
View file

@ -0,0 +1,15 @@
{
security = {
sudo = {
# allow wheel user to execute sudo without a password
wheelNeedsPassword = false;
# only allow users in the wheel access to sudo
execWheelOnly = true;
extraConfig = ''
Defaults pwfeedback # password feedback
Defaults lecture = never # disable warning message
Defaults timestamp_timeout=10 # set sudo timeout to 10 minutes
'';
};
};
}

76
modules/nixos/base/security/tcp.nix Normal file
View file

@ -0,0 +1,76 @@
{
# this is a collection of tcp related sysctl commands that are floating around,
# unsure who the original author is
# see:
# <https://madaidans-insecurities.github.io/guides/linux-hardening.html>
# github:fort-nix/nix-bitcoin
# github:hlissner/dotfiles
# github:notashelf/nyx
boot = {
kernel.sysctl = {
# TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# And other stuff
"net.ipv4.conf.all.log_martians" = true;
"net.ipv4.conf.default.log_martians" = true;
"net.ipv4.icmp_echo_ignore_broadcasts" = true;
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv4.tcp_timestamps" = 0;
# TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
# Other stuff that I am too lazy to document
"net.core.optmem_max" = 65536;
"net.core.rmem_default" = 1048576;
"net.core.rmem_max" = 16777216;
"net.core.somaxconn" = 8192;
"net.core.wmem_default" = 1048576;
"net.core.wmem_max" = 16777216;
"net.ipv4.ip_local_port_range" = "16384 65535";
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 2000000;
"net.ipv4.tcp_mtu_probing" = 1;
"net.ipv4.tcp_rmem" = "4096 1048576 2097152";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
"net.ipv4.udp_rmem_min" = 8192;
"net.ipv4.udp_wmem_min" = 8192;
"net.netfilter.nf_conntrack_generic_timeout" = 60;
"net.netfilter.nf_conntrack_max" = 1048576;
"net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
"net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
};
};
}

50
modules/nixos/base/tailscale.nix Normal file
View file

@ -0,0 +1,50 @@
{
config,
lib,
...
}: let
inherit (lib.lists) concatLists optionals;
inherit (config.ooknet) host;
inherit (config.ooknet.host) admin;
inherit (config.services) tailscale;
in {
services.tailscale = {
enable = true;
# "client"/"both" - reverce path filtering will be set to loose instead of strict
# "server"/"both" - ip forwarding will be enabled
useRoutingFeatures = "both";
# user that can fetch tailscale tls certs
permitCertUid = "root";
# authentication key for auto connect service
authKeyFile = config.age.secrets.tailscale-auth.path;
# flags to pass to the auto-connect service
extraUpFlags = concatLists [
["--ssh"]
(optionals (admin.name != null) ["--opterator ${admin.name}"])
(optionals host.exitNode ["--advertise-exit-node"])
];
# opens relevant tailscale ports over UDP
openFirewall = true;
};
# trust tailscale default interface
networking.firewall.trustedInterfaces = ["${tailscale.interfaceName}"];
# credit github:notashelf/nyx
systemd = {
# ignore tailscale interface for wait-online service
network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
# only start tailscale daemon after network-online and systemd-resolved services
# are up
services.tailscaled = {
after = ["network-online.target" "systemd-resolved.service"];
wants = ["network-online.target" "systemd-resolved.service"];
};
};
}

19
modules/nixos/console/default.nix Normal file
View file

@ -0,0 +1,19 @@
{
lib,
config,
self,
...
}: let
inherit (config.ooknet.host) admin;
inherit (lib) mkIf;
in {
imports = [
./shell
./profile
./options.nix
];
home-manager.users.${admin.name} = mkIf admin.homeManager {
imports = ["${self}/modules/home/console"];
};
}

39
modules/nixos/console/options.nix Normal file
View file

@ -0,0 +1,39 @@
{lib, ...}: let
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) nullOr enum;
in {
options.ooknet.console = {
profile = mkOption {
type = nullOr (enum ["standard" "minimal"]);
default = "standard";
};
editor = mkOption {
type = enum ["nvim"];
default = "nvim";
};
multiplexer = mkOption {
type = enum ["zellij"];
default = "zellij";
};
shell = {
bash.enable = mkEnableOption "";
zsh.enable = mkEnableOption "";
fish.enable = mkEnableOption "";
};
tools = {
bat.enable = mkEnableOption "";
btop.enable = mkEnableOption "";
direnv.enable = mkEnableOption "";
eza.enable = mkEnableOption "";
ffmpeg.enable = mkEnableOption "";
fzf.enable = mkEnableOption "";
nixIndex.enable = mkEnableOption "";
starship.enable = mkEnableOption "";
utils.enable = mkEnableOption "";
git.enable = mkEnableOption "";
ssh.enable = mkEnableOption "";
zellij.enable = mkEnableOption "";
nvim.enable = mkEnableOption "";
};
};
}

5
modules/nixos/console/profile/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./standard.nix
];
}

28
modules/nixos/console/profile/standard.nix Normal file
View file

@ -0,0 +1,28 @@
{
lib,
config,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.console) profile;
in {
config = mkIf (profile == "standard") {
ooknet.console = {
editor = "nvim";
multiplexer = "zellij";
tools = {
bat.enable = true;
btop.enable = true;
direnv.enable = true;
eza.enable = true;
ffmpeg.enable = true;
fzf.enable = true;
git.enable = true;
nixIndex.enable = true;
starship.enable = true;
utils.enable = true;
ssh.enable = true;
};
};
};
}

5
modules/nixos/console/shell/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./fish.nix
];
}

22
modules/nixos/console/shell/fish.nix Normal file
View file

@ -0,0 +1,22 @@
{
lib,
config,
...
}: let
inherit (lib) mkIf mkEnableOption;
adminShell = config.ooknet.host.admin.shell;
cfg = config.ooknet.shell.fish;
in {
options.ooknet.shell.fish.enable = mkEnableOption "Enable fish module";
config = mkIf (adminShell == "fish" || cfg.enable) {
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
};
}

6
modules/nixos/hardware/common.nix Normal file
View file

@ -0,0 +1,6 @@
{
hardware = {
enableRedistributableFirmware = true;
enableAllFirmware = true;
};
}

40
modules/nixos/hardware/cpu/amd.nix Normal file
View file

@ -0,0 +1,40 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkMerge mkIf versionAtLeast versionOlder;
inherit (config.ooknet.hardware) cpu;
cfg = cpu.amd;
kernelVersion = config.boot.kernelPackages.kernel.version;
kernelVersionAtLeast = versionAtLeast kernelVersion;
kernelVersionOlder = versionOlder kernelVersion;
in {
config = mkIf (cpu.type == "amd") {
environment.systemPackages = [pkgs.amdctl];
hardware.cpu.amd.updateMicrocode = true;
boot = mkMerge [
{
kernelModules = [
"amd-pstate"
"amd-kvm" # virtulization
"msr" # required for amdctl
];
}
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "5.27") && (kernelVersionOlder "6.1")) {
kernelParams = ["initcall_blacklist-acpi_cpufreq_init"];
kernelModules = ["amd-pstate"];
})
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.1") && (kernelVersionOlder "6.3")) {
kernelParams = ["amd_pstate=passive"];
})
(mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.3")) {
kernelParams = ["amd_pstate=active"];
})
];
};
}

6
modules/nixos/hardware/cpu/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./amd.nix
./intel.nix
];
}

18
modules/nixos/hardware/cpu/intel.nix Normal file
View file

@ -0,0 +1,18 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.hardware) cpu;
in {
config = mkIf (cpu.type == "intel") {
boot = {
kernelModules = ["kvm-intel"];
kernelParams = ["i915.fastboot=1" "enable_gvt=1"];
};
hardware.cpu.intel.updateMicrocode = true;
environment.systemPackages = [pkgs.intel-gpu-tools];
};
}

9
modules/nixos/hardware/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./cpu
./gpu
./features
./common.nix
./options.nix
];
}

70
modules/nixos/hardware/features/audio.nix Normal file
View file

@ -0,0 +1,70 @@
{
lib,
config,
...
}: let
inherit (builtins) elem;
inherit (lib) mkIf;
inherit (config.ooknet.hardware) features;
in {
# generic audio configuration
config = mkIf (elem "audio" features) {
hardware.pulseaudio.enable = false;
services = {
pipewire = {
enable = true;
audio.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
# realtime audio
udev.extraRules = ''
KERNEL=="cpu_dma_latency", GROUP="audio"
KERNEL=="rtc0", GROUP="audio"
KERNEL=="hpet", GROUP="audio"
'';
};
security = {
rtkit.enable = true;
pam.loginLimits = [
{
domain = "@audio";
item = "nofile";
type = "soft";
value = "99999";
}
{
domain = "@audio";
item = "nofile";
type = "hard";
value = "99999";
}
{
domain = "@audio";
item = "rtprio";
type = "-";
value = "99";
}
{
domain = "@audio";
item = "memlock";
type = "-";
value = "unlimited";
}
{
domain = "@audio";
type = "-";
item = "nice";
value = -11;
}
];
};
};
}

13
modules/nixos/hardware/features/backlight.nix Normal file
View file

@ -0,0 +1,13 @@
{
lib,
config,
...
}: let
inherit (config.ooknet.hardware) features;
inherit (lib) mkIf;
inherit (builtins) elem;
in {
config = mkIf (elem "backlight" features) {
hardware.brillo.enable = true;
};
}

44
modules/nixos/hardware/features/battery.nix Normal file
View file

@ -0,0 +1,44 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf;
inherit (builtins) elem attrValues;
inherit (config.ooknet.hardware) features;
in {
config = mkIf (elem "battery" features) {
services = {
# cpu power usage optimizer
auto-cpufreq = {enable = true;};
# application interface for power management
upower = {
enable = true;
percentageLow = 25;
percentageCritical = 5;
percentageAction = 3;
criticalPowerAction = "Hibernate";
};
# daemon for monitoring and controlling temperature
thermald = {enable = true;};
# put this here because if we are enabling the battery modules
# we are most likely using a laptop
# lidSwitch defines the action to perform when the laptop lid is
# closed
logind = {lidSwitch = "suspend";};
};
boot = {
kernelModules = ["acpi_call"];
extraModulePackages = attrValues {
inherit (config.boot.kernelPackages) acpi_call cpupower;
};
};
environment.systemPackages = attrValues {
inherit (pkgs) acpi powertop;
};
};
}

26
modules/nixos/hardware/features/bluetooth.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
pkgs,
self,
...
}: let
inherit (lib) mkIf;
inherit (builtins) elem attrValues;
inherit (config.ooknet.hardware) features;
in {
config = mkIf (elem "bluetooth" features) {
hardware.bluetooth = {
enable = true;
package = pkgs.bluez5-experimental;
};
environment.systemPackages = attrValues {
#inherit (self.packages.${pkgs.system}) live-buds-cli;
inherit (pkgs) bluetuith;
};
# https://github.com/NixOS/nixpkgs/issues/114222
systemd.user.services.telephony_client.enable = false;
};
}

11
modules/nixos/hardware/features/default.nix Normal file
View file

@ -0,0 +1,11 @@
{
imports = [
./video.nix
./printing.nix
./audio.nix
./battery.nix
./backlight.nix
./ssd.nix
# ./bluetooth.nix
];
}

24
modules/nixos/hardware/features/printing.nix Normal file
View file

@ -0,0 +1,24 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf;
inherit (builtins) elem;
inherit (config.ooknet.hardware) features;
in {
config = mkIf (elem "printing" features) {
services = {
printing = {
enable = true;
drivers = [pkgs.hplip];
};
avahi = {
enable = true;
openFirewall = true;
nssmdns4 = true;
};
};
};
}

23
modules/nixos/hardware/features/ssd.nix Normal file
View file

@ -0,0 +1,23 @@
{
lib,
config,
...
}: let
inherit (lib) mkIf;
inherit (builtins) elem;
inherit (config.ooknet.hardware) features;
in {
config = mkIf (elem "ssd" features) {
services.fstrim = {
enable = true;
};
# only run fstrim while connected on AC
systemd.services.fstrim = {
unitConfig.ConditionACPower = true;
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
};
};
};
}

19
modules/nixos/hardware/features/video.nix Normal file
View file

@ -0,0 +1,19 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf;
inherit (builtins) elem;
inherit (config.ooknet.hardware) features;
in {
config = mkIf (elem "video" features) {
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
};
};
}

32
modules/nixos/hardware/gpu/amd.nix Normal file
View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}: let
inherit (config.ooknet.hardware) gpu;
inherit (lib) mkIf mkDefault;
inherit (builtins) attrValues;
in {
config = mkIf (gpu.type == "amd") {
hardware.graphics = {
extraPackages = attrValues {
inherit
(pkgs)
vulkan-tools
vulkan-loader
vulkan-extension-layer
vulkan-validation-layers
mesa
;
};
extraPackages32 = [pkgs.driversi686Linux.amdvlk];
};
boot = {
initrd.kernelModules = ["amdgpu"];
kernelModules = ["amdgpu"];
};
environment.systemPackages = [pkgs.nvtopPackages.amd];
services.xserver.videoDrivers = mkDefault ["modesetting" "amdgpu"];
};
}

7
modules/nixos/hardware/gpu/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./amd.nix
./intel.nix
./nvidia.nix
];
}

39
modules/nixos/hardware/gpu/intel.nix Normal file
View file

@ -0,0 +1,39 @@
{
config,
lib,
pkgs,
...
}: let
inherit (config.ooknet.hardware) gpu;
inherit (lib) mkIf;
inherit (builtins) attrValues;
in {
config = mkIf (gpu.type == "intel") {
services.xserver.videoDrivers = ["modesetting"];
hardware.graphics = {
extraPackages = attrValues {
inherit
(pkgs)
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
intel-media-driver
;
};
extraPackages32 = attrValues {
inherit
(pkgs.pkgsi686Linux)
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-media-driver
;
};
};
boot.initrd.kernelModules = ["i915"];
environment.variables = mkIf config.hardware.graphics.enable {
VDPAU_DRIVER = "va_gl";
};
};
}

64
modules/nixos/hardware/gpu/nvidia.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
lib,
pkgs,
...
}: let
inherit (config.ooknet.hardware) gpu;
inherit (lib) mkIf mkDefault;
inherit (builtins) attrValues;
# production = config.boot.kernelPackages.nvidiaPackages.production;
inherit (config.boot.kernelPackages.nvidiaPackages) beta;
in {
config = mkIf (gpu.type == "nvidia") {
# need this even if using wayland
services.xserver.videoDrivers = ["nvidia"];
hardware = {
nvidia = {
open = false;
package = beta;
forceFullCompositionPipeline = true;
nvidiaSettings = false;
nvidiaPersistenced = true;
modesetting.enable = true;
powerManagement = {
enable = mkDefault false;
finegrained = mkDefault false;
};
};
graphics = {
extraPackages = [pkgs.nvidia-vaapi-driver];
extraPackages32 = [pkgs.pkgsi686Linux.nvidia-vaapi-driver];
};
};
environment.systemPackages = attrValues {
inherit
(pkgs)
libva
libva-utils
vulkan-loader
vulkan-validation-layers
vulkan-tools
vulkan-extension-layer
mesa
;
inherit (pkgs.nvtopPackages) nvidia;
};
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "nvidia";
NVD_BACKEND = "direct";
};
# https://github.com/ventureoo/nvidia-tweaks
services.udev.extraRules = ''
ACTION=="bind", SUBSYSTEM=="pci", DRIVERS=="nvidia", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="unbind", SUBSYSTEM=="pci", DRIVERS=="nvidia", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", TEST=="power/control", ATTR{power/control}="on"
'';
boot.kernelParams = [
"nvidia.NVreg_UsePageAttributeTable=1"
"nvidia.NVreg_InitializeSystemMemoryAllocations=0"
"nvidia.NVreg_EnableStreamMemOPs=1"
"nvidia.NVreg_RegistryDwords=__REGISTRYDWORDS"
];
};
}

101
modules/nixos/hardware/options.nix Normal file
View file

@ -0,0 +1,101 @@
{
lib,
config,
...
}: let
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) nullOr enum bool submodule listOf int str;
inherit (config.ooknet) hardware;
in {
options.ooknet.hardware = {
gpu = {
type = mkOption {
type = nullOr (enum ["intel" "amd" "nvidia"]);
default = null;
};
};
cpu = {
type = mkOption {
type = nullOr (enum ["intel" "amd"]);
default = null;
};
amd.pstate.enable = mkEnableOption "";
};
features = mkOption {
type = listOf (enum [
"audio"
"video"
"bluetooth"
"backlight"
"battery"
"ssd"
"printing"
"fingerprint"
]);
default = ["ssd"];
};
# monitor module inspired by misterio77
# includes the addition of transform option
monitors = mkOption {
type = listOf (submodule {
options = {
name = mkOption {
type = str;
example = "DP-1";
};
primary = mkOption {
type = bool;
default = false;
};
width = mkOption {
type = int;
example = 1920;
};
height = mkOption {
type = int;
example = 1080;
};
refreshRate = mkOption {
type = int;
default = 60;
};
x = mkOption {
type = int;
default = 0;
};
y = mkOption {
type = int;
default = 0;
};
transform = mkOption {
type = int;
default = 0;
};
enabled = mkOption {
type = bool;
default = true;
};
workspace = mkOption {
type = nullOr str;
default = null;
};
};
});
default = [];
};
};
config = {
assertions = [
{
assertion =
((lib.length hardware.monitors) != 0)
-> ((lib.length (lib.filter (m: m.primary) hardware.monitors)) == 1);
message = "At least 1 primary monitor is required";
}
];
};
}

7
modules/nixos/server/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./options
./profiles
./services
];
}

5
modules/nixos/server/options/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./server.nix
];
}

22
modules/nixos/server/options/server.nix Normal file
View file

@ -0,0 +1,22 @@
{lib, ...}: let
inherit (lib) mkOption;
inherit (lib.types) nullOr listOf enum bool;
in {
options.ooknet.server = {
exitNode = mkOption {
type = bool;
default = false;
description = "Whether the server will act as a tailscale exit node or not";
};
profile = mkOption {
type = nullOr (enum ["linode"]);
default = null;
description = "The server profile the host will use as a base";
};
services = mkOption {
type = listOf (enum []);
default = [];
description = "List of services the server will host";
};
};
}

5
modules/nixos/server/profiles/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./linode.nix
];
}

59
modules/nixos/server/profiles/linode.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
lib,
pkgs,
...
}: let
inherit (builtins) attrValues;
inherit (lib) mkForce mkIf;
inherit (config.ooknet.server) profile;
in {
config = mkIf (profile == "linode") {
networking = {
tempAddresses = "disabled";
usePredictableInterfaceNames = mkForce false;
interfaces.eth0 = {
tempAddress = "disabled";
useDHCP = true;
};
};
boot = {
kernelModules = [];
# LISH console support
kernelParams = ["console=ttys0,19200n8"];
extraModulePackages = [];
initrd = {
availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"];
kernelModules = [];
};
loader = {
grub = {
enable = true;
device = "/dev/sda";
forceInstall = true;
copyKernels = true;
fsIdentifier = "provided";
extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
};
# disable base settings
efi.canTouchEfiVariables = mkForce false;
systemd-boot.enable = mkForce false;
};
};
environment.systemPackages = attrValues {
inherit
(pkgs)
inetutils
mtr
sysstat
linode-cli
;
};
};
}

2
modules/nixos/server/services/default.nix Normal file
View file

@ -0,0 +1,2 @@
{
}

22
modules/nixos/workstation/default.nix Normal file
View file

@ -0,0 +1,22 @@
{
config,
self,
lib,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.host) admin;
in {
imports = [
./options.nix
./themes
./services
./programs
./gaming
./environment
];
home-manager.users.${admin.name} = mkIf admin.homeManager {
imports = ["${self}/modules/home/workstation"];
};
}

3
modules/nixos/workstation/environment/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
imports = [./hyprland];
}

67
modules/nixos/workstation/environment/hyprland/default.nix Normal file
View file

@ -0,0 +1,67 @@
{
inputs',
config,
lib,
pkgs,
...
}: let
inherit (lib) concatStringsSep getExe mkIf;
inherit (config.ooknet.workstation) environment;
inherit (inputs'.hyprland.packages) xdg-desktop-portal-hyprland hyprland;
in {
config = mkIf (environment == "hyprland") {
programs.hyprland = {
enable = true;
package = hyprland;
portalPackage = xdg-desktop-portal-hyprland;
};
xdg.portal = {
enable = true;
extraPortals = [
pkgs.xdg-desktop-portal-gtk
xdg-desktop-portal-hyprland
];
config.common = {
default = ["gtk"];
"org.freedesktop.impl.portal.Screencast" = "hyprland";
"org.freedesktop.impl.portal.Screenshot" = "hyprland";
};
};
# required for wayland screen lockers to work
security.pam.services.hyprlock.text = "auth include login";
services.greetd = {
enable = true;
vt = 2;
settings = {
default_session = {
command = concatStringsSep " " [
(getExe pkgs.greetd.tuigreet)
"--time"
"--remember"
"--cmd"
(getExe hyprland)
];
};
};
};
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal"; # Without this errors will spam on screen
# Without these bootlogs will spam on screen
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
nix.settings = {
substituters = ["https://hyprland.cachix.org"];
trusted-public-keys = ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
};
};
}

6
modules/nixos/workstation/gaming/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./steam.nix
./gamemode.nix
];
}

50
modules/nixos/workstation/gaming/gamemode.nix Normal file
View file

@ -0,0 +1,50 @@
{
lib,
config,
pkgs,
inputs',
...
}: let
inherit (lib) optionalString elem getExe getExe' mkIf;
inherit (config.ooknet.workstation) profiles environment;
hyprctl = "${getExe' inputs'.hyprland.packages.hyprland "hyprctl"} -i 0";
notify-send = getExe pkgs.libnotify;
powerprofilectl = getExe pkgs.power-profiles-daemon;
optimizeScriptStart = pkgs.writeShellScript "gamemode-start" ''
${optionalString (environment == "hyprland") ''
${hyprctl} -i 0 --batch "\
keyword misc:vfr false; \
keyword render:direct_scanout true; \
keyword general:allow_tearing true" \
''}
${powerprofilectl} set performance
${notify-send} 'Gamemode Started'
'';
optimizeScriptStop = pkgs.writeShellScript "gamemode-end" ''
${optionalString (environment == "hyprland") ''
${hyprctl} -i 0 reload
''}
${powerprofilectl} set balanced
${notify-send} 'Gamemode Stopped'
'';
in {
config = mkIf (elem "gaming" profiles) {
environment.systemPackages = [pkgs.power-profiles-daemon];
programs.gamemode = {
enable = true;
settings = {
general = {
renice = 15;
softrealtime = "auto";
};
custom = {
start = optimizeScriptStart.outPath;
end = optimizeScriptStop.outPath;
};
};
};
};
}

17
modules/nixos/workstation/gaming/steam.nix Normal file
View file

@ -0,0 +1,17 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf elem;
inherit (config.ooknet.workstation) profiles;
in {
config = mkIf (elem "gaming" profiles) {
programs.steam = {
enable = true;
package = pkgs.steam-small;
extraCompatPackages = [pkgs.proton-ge-bin];
};
};
}

33
modules/nixos/workstation/options.nix Normal file
View file

@ -0,0 +1,33 @@
{lib, ...}: let
inherit (lib) mkEnableOption mkOption;
inherit (lib.types) nullOr enum listOf;
in {
options.ooknet.workstation = {
theme = mkOption {
type = nullOr (enum ["minimal"]);
default = null;
};
profiles = mkOption {
type = listOf (enum ["gaming" "communication" "productivity" "creative" "media"]);
default = [];
};
environment = mkOption {
type = nullOr (enum ["hyprland"]);
default = "hyprland";
};
default = {
browser = mkOption {
type = nullOr (enum ["firefox"]);
default = "firefox";
};
terminal = mkOption {
type = enum ["foot"];
default = "foot";
};
};
programs = {
firefox.enable = mkEnableOption "";
foot.enable = mkEnableOption "";
};
};
}

11
modules/nixos/workstation/programs/1password.nix Normal file
View file

@ -0,0 +1,11 @@
{config, ...}: let
inherit (config.ooknet.host) admin;
in {
programs = {
_1password.enable = true;
_1password-gui = {
enable = true;
polkitPolicyOwners = ["${admin.name}"];
};
};
}

3
modules/nixos/workstation/programs/dconf.nix Normal file
View file

@ -0,0 +1,3 @@
{
programs.dconf = {enable = true;};
}

7
modules/nixos/workstation/programs/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./1password.nix
./dconf.nix
./kdeconnect.nix
];
}

3
modules/nixos/workstation/programs/kdeconnect.nix Normal file
View file

@ -0,0 +1,3 @@
{
programs.kdeconnect = {enable = true;};
}

11
modules/nixos/workstation/services/dbus.nix Normal file
View file

@ -0,0 +1,11 @@
{pkgs, ...}: let
inherit (builtins) attrValues;
in {
services.dbus = {
enable = true;
packages = attrValues {
inherit (pkgs) dconf gcr udisks2;
};
implementation = "broker";
};
}

6
modules/nixos/workstation/services/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./dbus.nix
./gnome-services.nix
];
}

10
modules/nixos/workstation/services/gnome-services.nix Normal file
View file

@ -0,0 +1,10 @@
{
services = {
# gnome services that I depend on
gvfs.enable = true;
gnome = {
glib-networking.enable = true;
gnome-keyring.enable = true;
};
};
}

5
modules/nixos/workstation/themes/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./minimal.nix
];
}

50
modules/nixos/workstation/themes/generated-wallpaper.nix Normal file
View file

@ -0,0 +1,50 @@
# Credit to github:misterio77/nix-colors
{
pkgs,
config,
}: let
inherit (config.ooknet.hardware) monitors;
inherit (config.ooknet.appearance) colorscheme;
largest = f: xs: builtins.head (builtins.sort (a: b: a > b) (map f xs));
largestWidth = largest (x: x.width) monitors;
largestHeight = largest (x: x.height) monitors;
in
{
width ? largestWidth,
height ? largestHeight,
logoScale ? 4,
backgroundColor ? colorscheme.palette.mantle,
logoColor1 ? colorscheme.palette.yellow,
logoColor2 ? colorscheme.palette.green,
}:
pkgs.stdenv.mkDerivation {
name = "generated-nix-wallpaper-${colorscheme.slug}.png";
src = pkgs.writeTextFile {
name = "template.svg";
text = ''
<svg width="${toString width}" height="${
toString height
}" version="1.1" xmlns="http://www.w3.org/2000/svg">
<rect width="${toString width}" height="${
toString height
}" fill="#${backgroundColor}"/>
<svg x="${toString (width / 2 - (logoScale * 50))}" y="${
toString (height / 2 - (logoScale * 50))
}" version="1.1" xmlns="http://www.w3.org/2000/svg">
<g transform="scale(${toString logoScale})">
<g transform="matrix(.19936 0 0 .19936 80.161 27.828)">
<path d="m-53.275 105.84-122.2-211.68 56.157-0.5268 32.624 56.869 32.856-56.565 27.902 0.011 14.291 24.69-46.81 80.49 33.229 57.826zm-142.26 92.748 244.42 0.012-27.622 48.897-65.562-0.1813 32.559 56.737-13.961 24.158-28.528 0.031-46.301-80.784-66.693-0.1359zm-9.3752-169.2-122.22 211.67-28.535-48.37 32.938-56.688-65.415-0.1717-13.942-24.169 14.237-24.721 93.111 0.2937 33.464-57.69z" fill="#${logoColor1}"/>
<path d="m-97.659 193.01 122.22-211.67 28.535 48.37-32.938 56.688 65.415 0.1716 13.941 24.169-14.237 24.721-93.111-0.2937-33.464 57.69zm-9.5985-169.65-244.42-0.012 27.622-48.897 65.562 0.1813-32.559-56.737 13.961-24.158 28.528-0.031 46.301 80.784 66.693 0.1359zm-141.76 93.224 122.2 211.68-56.157 0.5268-32.624-56.869-32.856 56.565-27.902-0.011-14.291-24.69 46.81-80.49-33.229-57.826z" fill="#${logoColor2}" style="isolation:auto;mix-blend-mode:normal"/>
</g>
</g>
</svg>
</svg>
'';
};
buildInputs = [pkgs.inkscape];
unpackPhase = "true";
buildPhase = ''
inkscape --export-type="png" $src -w ${toString width} -h ${toString height} -o wallpaper.png
'';
installPhase = "install -Dm0644 wallpaper.png $out";
}

40
modules/nixos/workstation/themes/minimal.nix Normal file
View file

@ -0,0 +1,40 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.workstation) theme;
generatedWallpaper = import ./generated-wallpaper.nix {inherit config pkgs;} {};
in {
config = mkIf (theme == "minimal") {
ooknet.appearance = {
fonts = {
monospace = {
family = "JetBrainsMono Nerd Font";
package = pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];};
};
regular = {
family = "Fira Sans";
package = pkgs.fira;
};
};
cursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 22;
};
wallpaper = {
path = "${generatedWallpaper}";
};
colorscheme = {
name = "gruvbox-material-medium";
variant = "dark";
};
};
};
}