init

system/core/boot.nix

@@ -0,0 +1,34 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  boot = {
+    initrd = {
+      systemd.enable = true;
+      supportedFilesystems = ["ext4"];
+    };
+
+    ## use latest kernel
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    consoleLogLevel = 3;
+    kernelParams = [
+      "quiet"
+      "systemd.show_status=auto"
+      "rd.udev.log_level=3"
+    ];
+
+    loader = {
+      # systemd-boot on UEFI
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+
+    plymouth.enable = true;
+  };
+
+  environment.systemPackages = [
+    config.boot.kernelPackages.cpupower
+  ];
+}

system/core/default.nix

@@ -0,0 +1,25 @@
+{lib, ...}: {
+  imports = [
+    ./security.nix
+    ./users.nix
+    ./tools.nix
+    ./ssh.nix
+    ../nix
+    ../programs/zsh.nix
+  ];
+
+  documentation.dev.enable = true;
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [
+      "en_US.UTF-8/UTF-8"
+    ];
+  };
+  services.xserver.layout = "eu";
+
+  # don't touch this
+  system.stateVersion = lib.mkDefault "23.11";
+
+  time.timeZone = lib.mkDefault "Europe/Stockholm";
+}

system/core/security.nix

@@ -0,0 +1,59 @@
+# security tweaks borrowed from @hlissner
+{
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're not a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  boot.kernelModules = ["tcp_bbr"];
+
+  # Change me later!
+  #users.users.root.initialPassword = "nixos";
+
+  security = {
+    # allow wayland lockers to unlock the screen
+    pam.services.swaylock.text = "auth include login";
+
+    # userland niceness
+    rtkit.enable = true;
+
+    # don't ask for password for wheel group
+    sudo.wheelNeedsPassword = false;
+  };
+}

system/core/ssh.nix

@@ -0,0 +1,22 @@
+{lib, ...}: {
+  services.openssh = {
+    enable = lib.mkDefault true;
+    settings = {
+      # Use only public keys
+      PasswordAuthentication = lib.mkForce false;
+      KbdInteractiveAuthentication = lib.mkForce false;
+
+      # root login is never welcome, except for remote builders
+      PermitRootLogin = lib.mkForce "prohibit-password";
+    };
+
+    startWhenNeeded = lib.mkDefault true;
+    openFirewall = lib.mkDefault false;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+}

system/core/tools.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    htop
+  ];
+}

system/core/users.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  users.users.xun = {
+    isNormalUser = true;
+    initialPassword = "nixos";
+    shell = pkgs.zsh;
+    extraGroups = [
+      "video"
+      "wheel"
+    ];
+  };
+}

system/default.nix

@@ -0,0 +1,23 @@
+let
+  desktop = [
+    ./core
+    ./core/boot.nix
+
+    ./hardware/opengl.nix
+    ./hardware/bluetooth.nix
+
+    ./network/networkd.nix
+    ./network/avahi.nix
+    ./network/tailscale.nix
+
+    ./desktop
+    ./desktop/awesome.nix
+
+    ./programs
+
+    ./services
+    ./services/pipewire.nix
+  ];
+in {
+  inherit desktop;
+}

system/desktop/awesome.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./x11.nix
+  ];
+  services.xserver = {
+    enable = true;
+    windowManager.awesome.enable = true;
+  };
+}

system/desktop/default.nix

@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+  xdg = {
+    portal = {
+      enable = true;
+      config = {
+        common.default = ["gtk"];
+      };
+      extraPortals = with pkgs; [
+        xdg-desktop-portal-wlr
+        xdg-desktop-portal-gtk
+      ];
+    };
+  };
+}

system/desktop/x11.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    xclip
+  ];
+}

system/hardware/bluetooth.nix

@@ -0,0 +1,5 @@
+{
+  hardware.bluetooth = {
+    enable = true;
+  };
+}

system/hardware/opengl.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+}

system/hardware/specialisations.nix

@@ -0,0 +1,12 @@
+{
+  specialisation = {
+    light = {
+      inheritParentConfig = true;
+      configuration.programs.matugen.variant = "light";
+    };
+    dark = {
+      inheritParentConfig = true;
+      configuration.programs.matugen.variant = "dark";
+    };
+  };
+}

system/network/avahi.nix

@@ -0,0 +1,12 @@
+{
+  # network discovery, mDNS
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    publish = {
+      enable = true;
+      domain = true;
+      userServices = true;
+    };
+  };
+}

system/network/networkd.nix

@@ -0,0 +1,15 @@
+{
+  networking.useNetworkd = true;
+  systemd.network = {
+    enable = true;
+    networks."10-lan" = {
+      matchConfig.Name = "lan";
+      networkConfig.DHCP = "ipv4";
+    };
+  };
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = ["~."];
+  };
+}

system/network/tailscale.nix

@@ -0,0 +1,8 @@
+{config, ...}: {
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "client";
+    authKeyFile = config.sops.secrets.tailscale-auth.path;
+  };
+}

system/nix/default.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  inputs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./nixpkgs.nix
+    ./substituters.nix
+  ];
+
+  # git is needed for flakes
+  environment.systemPackages = [pkgs.git];
+
+  nix = {
+    # pin the registry to avoid downloading and evaling a new nixpkgs version every time
+    registry = lib.mapAttrs (_: v: {flake = v;}) inputs;
+
+    # set the path for channels compat
+    nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
+
+    settings = {
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      experimental-features = ["flakes" "nix-command"];
+
+      # for direnv GC roots
+      keep-outputs = true;
+      keep-derivations = true;
+
+      trusted-users = ["root" "@wheel"];
+    };
+  };
+}

system/nix/nixpkgs.nix

@@ -0,0 +1,6 @@
+{self, ...}: {
+  nixpkgs = {
+    config.allowUnfree = true;
+    config.permittedInsecurePackages = [];
+  };
+}

system/nix/substituters.nix

@@ -0,0 +1,16 @@
+{
+  nix.settings = {
+    substituters = [
+      # high priority since it's almost always used
+      "https://cache.nixos.org?priority=10"
+      "https://nix-community.cachix.org"
+      "https://nix-gaming.cachix.org"
+    ];
+
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+    ];
+  };
+}

system/programs/adb.nix

@@ -0,0 +1,3 @@
+{
+  programs.adb.enable = true;
+}

system/programs/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./fonts.nix
+    ./home-manager.nix
+    ./qt.nix
+    ./adb.nix
+  ];
+
+  programs = {
+    # make HM-managed GTK stuff work
+    dconf.enable = true;
+  };
+}

system/programs/fonts.nix

@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  fonts = {
+    packages = with pkgs; [
+      powerline-fonts
+      dejavu_fonts
+      font-awesome
+      noto-fonts
+      noto-fonts-emoji
+      source-code-pro
+      iosevka
+
+      # nerdfonts
+      nerdfonts
+      #(nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
+    ];
+
+    # causes more issues than it solves
+    enableDefaultPackages = false;
+
+    # user defined fonts
+    # the reason there's Noto Color Emoji everywhere is to override DejaVu's
+    # B&W emojis that would sometimes show instead of some Color emojis
+    fontconfig.defaultFonts = {
+      monospace = ["DejaVu Sans Mono for Powerline"];
+      sansSerif = ["DejaVu Sans"];
+    };
+  };
+}

system/programs/gamemode.nix

@@ -0,0 +1,5 @@
+{
+  programs.gamemode = {
+    enable = true;
+  };
+}

system/programs/home-manager.nix

@@ -0,0 +1,9 @@
+{inputs, ...}: {
+  imports = [
+    inputs.home-manager.nixosModules.default
+  ];
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+  };
+}

system/programs/qt.nix

@@ -0,0 +1,7 @@
+{
+  qt = {
+    enable = true;
+    platformTheme = "gtk2";
+    style = "gtk2";
+  };
+}

system/programs/zsh.nix

@@ -0,0 +1,17 @@
+{
+  # enable zsh autocompletion for system packages (systemd, etc)
+  environment.pathsToLink = ["/share/zsh"];
+
+  programs = {
+    less.enable = true;
+
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      syntaxHighlighting = {
+        enable = true;
+        highlighters = ["main" "brackets" "pattern"];
+      };
+    };
+  };
+}

system/services/default.nix

@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  services = {
+    dbus.implementation = "broker";
+
+    psd = {
+      enable = true;
+      resyncTimer = "10m";
+    };
+  };
+}

system/services/gnome-services.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+  services = {
+    dbus.packages = with pkgs; [
+      gcr
+      gnome.gnome-settings-daemon
+    ];
+
+    gnome.gnome-keyring.enable = true;
+
+    gvfs.enable = true;
+  };
+}

system/services/pipewire.nix

@@ -0,0 +1,11 @@
+{lib, ...}: {
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    jack.enable = true;
+    pulse.enable = true;
+  };
+
+  hardware.pulseaudio.enable = lib.mkForce false;
+}

system/services/syncthing.nix

@@ -0,0 +1,42 @@
+{
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    user = "xun";
+    group = "users";
+    dataDir = "/home/xun/.local/share/syncthing";
+    configDir = "/home/xun/.config/syncthing";
+
+    overrideDevices = true;
+    settings = {
+      devices = {
+        "nixdesk" = {
+          id = "2WCEQPF-2J4U7IK-XRT25FV-NFT2JEM-AVOMDEK-FIJNZ24-7WCBZC2-57CX2AP";
+          autoAcceptFolders = true;
+        };
+        "redmi-note-10-pro" = {
+          id = "U6YYTHR-2ZXIEXQ-RNDERSF-CTVSP67-W24VK4Y-5EQRIV5-T7JJW2N-33L7XQV";
+          autoAcceptFolders = true;
+        };
+        "hopper" = {
+          id = "DK3RPET-ACMULD2-TLQS6YM-XWUMS3N-JRNDNME-YTM3H4X-P7QVUKB-N3PL5QF";
+          autoAcceptFolders = true;
+        };
+      };
+      folders = {
+        "~/secrets" = {
+          devices = [
+            "nixdesk"
+            "redmi-note-10-pro"
+            "hopper"
+          ];
+          id = "sfw9y-yusup";
+        };
+      };
+    };
+
+    settings.options.urAccepted = -1; # disable usage reporting
+    settings.gui.insecureSkipHostcheck = true;
+    settings.gui.insecureAdminAccess = true;
+  };
+}