some reorganizing

sys/profiles/core/boot.nix

@@ -0,0 +1,22 @@
+{config, ...}: {
+  boot = {
+    initrd = {
+      systemd.enable = true;
+    };
+
+    consoleLogLevel = 3;
+    kernelParams = [
+      "quiet"
+      "systemd.show_status=auto"
+      "rd.udev.log_level=3"
+    ];
+
+    loader = {
+      # systemd-boot on UEFI
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+
+    plymouth.enable = true;
+  };
+}

sys/profiles/core/compat.nix

@@ -0,0 +1,65 @@
+{pkgs, ...}: let
+  list-of-libraries = with pkgs; [
+    alsa-lib
+    at-spi2-atk
+    at-spi2-core
+    atk
+    cairo
+    cups
+    curl
+    dbus
+    expat
+    fontconfig
+    freetype
+    fuse3
+    gdk-pixbuf
+    glib
+    gtk3
+    icu
+    libGL
+    libappindicator-gtk3
+    libdrm
+    libglvnd
+    libnotify
+    libpulseaudio
+    libunwind
+    libusb1
+    libuuid
+    libxkbcommon
+    libxml2
+    mesa
+    nspr
+    nss
+    openssl
+    pango
+    pipewire
+    stdenv.cc.cc
+    systemd
+    vulkan-loader
+    xorg.libX11
+    xorg.libXScrnSaver
+    xorg.libXcomposite
+    xorg.libXcursor
+    xorg.libXdamage
+    xorg.libXext
+    xorg.libXfixes
+    xorg.libXi
+    xorg.libXrandr
+    xorg.libXrender
+    xorg.libXtst
+    xorg.libxcb
+    xorg.libxkbfile
+    xorg.libxshmfence
+    zlib
+  ];
+in {
+  programs.appimage = {
+    enable = true;
+    package = pkgs.appimage-run.override {
+      extraPkgs = p: list-of-libraries;
+    };
+  };
+
+  programs.nix-ld.enable = true;
+  programs.nix-ld.libraries = list-of-libraries;
+}

sys/profiles/core/deploy.nix

@@ -0,0 +1,25 @@
+{
+  lib,
+  self,
+  ...
+}: {
+  nix.settings.trusted-users = ["deploy"]; # trust closures created by our user
+
+  users.groups.deploy = {};
+  users.users.deploy = {
+    isSystemUser = false;
+    isNormalUser = true; # i want a home directory for some things
+    useDefaultShell = true;
+    group = "deploy";
+    extraGroups = ["wheel"];
+
+    hashedPassword = lib.mkForce null;
+    hashedPasswordFile = lib.mkForce null;
+    password = lib.mkForce null;
+    passwordFile = lib.mkForce null;
+
+    openssh.authorizedKeys.keyFiles = [
+      (self + /sshKeys/xun_nixdesk)
+    ];
+  };
+}

sys/profiles/core/docs.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  documentation = {
+    dev.enable = true;
+    # man.generateCaches = true; # this does slow down builds by quite a lot
+  };
+  environment.systemPackages = with pkgs; [
+    linux-manual
+    man-pages
+    man-pages-posix
+  ];
+}

sys/profiles/core/gvfs.nix

@@ -0,0 +1,3 @@
+{
+  services.gvfs.enable = true;
+}

sys/profiles/core/locale.nix

@@ -0,0 +1,11 @@
+{lib, ...}: {
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [
+      "en_US.UTF-8/UTF-8"
+    ];
+  };
+  services.xserver.xkb.layout = "eu";
+
+  time.timeZone = lib.mkDefault "Europe/Berlin";
+}

sys/profiles/core/security.nix

@@ -0,0 +1,65 @@
+# security tweaks borrowed from @hlissner
+{
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're not a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  boot.kernelModules = ["tcp_bbr"];
+
+  # Change me later!
+  #users.users.root.initialPassword = "nixos";
+
+  security = {
+    # allow wayland lockers to unlock the screen
+    pam.services.swaylock.text = "auth include login";
+
+    # userland niceness
+    rtkit.enable = true;
+
+    # don't ask for password for wheel group
+    sudo.wheelNeedsPassword = false;
+
+    # allow running as any id without them being listed in /etc/passwd
+    # this might be a security problem but whatever
+    sudo.extraConfig = ''
+      Defaults runas_allow_unknown_id
+    '';
+  };
+}

sys/profiles/core/ssh.nix

@@ -0,0 +1,22 @@
+{lib, ...}: {
+  services.openssh = {
+    enable = lib.mkDefault true;
+    settings = {
+      # Use only public keys
+      PasswordAuthentication = lib.mkForce false;
+      KbdInteractiveAuthentication = lib.mkForce false;
+
+      # root login is never welcome, except for remote builders
+      PermitRootLogin = lib.mkForce "prohibit-password";
+    };
+
+    startWhenNeeded = lib.mkDefault true;
+    openFirewall = lib.mkDefault true;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+}

sys/profiles/core/tools.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    htop
+    btop
+    vim
+  ];
+}

sys/profiles/core/users.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  users.users.xun = {
+    isNormalUser = true;
+    initialPassword = "nixos";
+    shell = pkgs.zsh;
+    extraGroups = [
+      "wheel"
+      "input"
+      "kvm"
+      "libvirt"
+      "video"
+      "render"
+      "audio"
+    ];
+  };
+}