diff --git a/README.md b/README.md index dc23726..4b53b37 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ - `hardware`: self-explenatory - `locales`: localization options - `packages`: services & packages with common configurations - - `default.nix`: The minimum configuration that a machine needs + - `base.nix`: The minimum configuration that a machine needs - `full-install.nix`: if this machine has a DE or is going to be used by a human - `tasia-packages.nix`: Collection of additional packages - `hosts`: Machine-specific configurations diff --git a/common/default.nix b/common/base.nix similarity index 60% rename from common/default.nix rename to common/base.nix index 0c218ed..5d9486d 100644 --- a/common/default.nix +++ b/common/base.nix @@ -9,10 +9,10 @@ imports = [ ./locales/paris.nix - ./packages/sshd.nix - ./packages/neovim.nix - ./packages/zsh.nix - ./packages/git.nix + ./services/sshd.nix + ./programs/neovim.nix + ./programs/zsh.nix + ./programs/git.nix ]; nixpkgs = { 
@@ -59,12 +59,48 @@ ]; boot.loader = { - systemd-boot.enable = true; + systemd-boot = { + enable = true; + editor = false; + }; + efi.canTouchEfiVariables = true; }; + # boot.initrd.enable = true; + # boot.initrd.systemd.enable = true; + # boot.plymouth = { + # enable = true; + # font = "${pkgs.jetbrains-mono}/share/fonts/truetype/JetBrainsMono-Regular.ttf"; + # themePackages = [ pkgs.catppuccin-plymouth ]; + # theme = "catppuccin-macchiato"; + # logo = pkgs.fetchurl { + # url = "https://nixos.org/logo/nixos-hires.png"; + # sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; + # }; + # }; + networking = { - networkmanager.enable = true; + networkmanager = { + enable = true; + wifi = { + powersave = true; + scanRandMacAddress = true; + # XXX https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1091 + #backend = "iwd"; + # Generate a random MAC for each WiFi and associate the two permanently. + macAddress = "stable"; + }; + # Randomize MAC for every ethernet connetion + ethernet.macAddress = "random"; + connectionConfig = { + # IPv6 Privacy Extensions + "ipv6.ip6-privacy" = 2; + + # unique DUID per connection + "ipv6.dhcp-duid" = "stable-uuid"; + }; + }; firewall = { enable = true; @@ -98,10 +134,16 @@ sysstat file ffmpeg + usbutils ]; services = { fwupd.enable = true; tailscale.enable = true; }; +# console = { +# earlySetup = true; +# }; + + # boot.blacklistedKernelModules = [ "nvidia_drm" ]; } diff --git a/common/de/greetd.nix b/common/de/greetd.nix new file mode 100644 index 0000000..a3abf47 --- /dev/null +++ b/common/de/greetd.nix @@ -0,0 +1,15 @@ +{pkgs, ...}: { + services.greetd = { + enable = true; + settings = { + default_session = { + command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --time-format '%I:%M %p | %a • %h | %F' --cmd Hyprland"; + user = "greeter"; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + greetd.tuigreet + ]; +} 
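Review bot: The comment above `macAddress = "stable";` in the new `networkmanager.wifi` block says a random MAC is generated per WiFi, but NetworkManager's `stable` mode derives the address from the connection's stable-id and the host's NetworkManager secret key, so it is reproducible rather than random and changes only if that key is regenerated; suggest `# "stable": per-connection MAC derived from the connection stable-id and NM's host secret key (same MAC per network, different across networks)`. The `# Randomize MAC for every ethernet connetion` line has a typo (`connection`). The commented-out Plymouth/initrd block earlier in this hunk and the commented `console`/`boot.blacklistedKernelModules` lines at the end of the `@@ -98` hunk are dead configuration in the shared base module with no note on why they are kept; either remove them or leave a one-line reason next to each.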
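Review bot: `--cmd Hyprland` in the new greetd.nix hard-codes the only session the greeter can start, while the one host that imports this file in this diff (`hosts/new-new-phoenix`) also imports `de/plasma6.nix`, whose SDDM block this commit removes, so Plasma ends up installed with no way to launch it from the login screen as far as the diff shows. tuigreet can offer a choice instead of a fixed command: replace `--cmd Hyprland` with `--sessions <dir-holding-the-session-desktop-files>` (path to be confirmed for this host) so both compositors are selectable. The separate `environment.systemPackages = with pkgs; [ greetd.tuigreet ];` is not needed for the greeter itself, since `command` already references the binary by store path; keep it only if tuigreet is wanted on the user PATH, and say so in a comment.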
diff --git a/common/de/hyprland.nix b/common/de/hyprland.nix index 1feb892..9ea6a49 100644 --- a/common/de/hyprland.nix +++ b/common/de/hyprland.nix @@ -1,4 +1,46 @@ -{ +{pkgs, ...}: { # Not working on phoenix for some reason programs.hyprland.enable = true; + + environment.sessionVariables.NIXOS_OZONE_WL = "1"; + environment.sessionVariables.WLR_NO_HARDWARE_CURSORS = "1"; + + environment.systemPackages = with pkgs; [ + pyprland + hyprpicker + hyprcursor + + wezterm + cool-retro-term + + starship + helix + + qutebrowser + zathura + mpv + imv + + neofetch + onefetch + ipfetch + cpufetch + ramfetch + starfetch + octofetch + htop + bottom + btop + zfxtop + kmon + + # vulkan-tools + # opencl-info + # clinfo + # vdpauinfo + # libva-utils + # nvtop + dig + speedtest-rs + ]; } diff --git a/common/de/plasma5.nix b/common/de/plasma5.nix index d128dff..4e4edad 100644 --- a/common/de/plasma5.nix +++ b/common/de/plasma5.nix @@ -17,6 +17,6 @@ }; programs.kdeconnect = { - enable = true; + enable = false; }; } diff --git a/common/de/plasma6.nix b/common/de/plasma6.nix index 885689f..a105358 100644 --- a/common/de/plasma6.nix +++ b/common/de/plasma6.nix @@ -3,16 +3,6 @@ ./plasma-packages.nix ]; - # Enable Wayland/Plasma6 - services.displayManager = { - sddm = { - enable = true; - wayland.enable = true; - }; - - defaultSession = "plasma"; - }; - services.desktopManager.plasma6.enable = true; # Use ksshaskpass to access stored secrets @@ -21,6 +11,6 @@ }; programs.kdeconnect = { - enable = true; + enable = false; }; } diff --git a/common/de/sddm.nix b/common/de/sddm.nix new file mode 100644 index 0000000..f545269 --- /dev/null +++ b/common/de/sddm.nix @@ -0,0 +1,10 @@ +{ + services.displayManager = { + sddm = { + enable = true; + wayland.enable = true; + }; + + defaultSession = "plasma"; + }; +} diff --git a/common/hardware/btrfs.nix b/common/hardware/btrfs.nix index ab931af..50f0093 100644 --- a/common/hardware/btrfs.nix +++ b/common/hardware/btrfs.nix 
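Review bot: The new `environment.systemPackages` list in hyprland.nix installs a terminal, an editor, a browser, media players, eight *fetch tools and network utilities (`dig`, `speedtest-rs`) system-wide on every host that enables Hyprland; these are user preferences rather than compositor requirements and belong in `tasia-packages.nix` (the README hunk describes it as the collection of additional packages), leaving only `pyprland`, `hyprpicker` and `hyprcursor` here. `WLR_NO_HARDWARE_CURSORS = "1"` is set unconditionally, but it is a cursor workaround that presumably only the NVIDIA host needs (TODO confirm); either move it next to `hardware/nvidia-gpu.nix` or add `# workaround: cursor rendering on the NVIDIA host, harmless elsewhere` so the next reader knows why it is global. The pre-existing `# Not working on phoenix for some reason` comment is the kind of note this list will multiply; one short reason per workaround line would help.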
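Review bot: Removing the SDDM block from plasma6.nix moves the display manager into the new `de/sddm.nix`, but no host in this diff imports `sddm.nix`: `hosts/phoenix` and `hosts/theseus` (later hunks) still import only `de/plasma6.nix`, so after this commit they have no display manager configured unless something outside the diff provides one — worth confirming before merging. Either add `../../common/de/sddm.nix` to those hosts' imports or have plasma6.nix keep `imports = [ ./plasma-packages.nix ./sddm.nix ];`. The new sddm.nix also hard-codes `defaultSession = "plasma";`, so it is less generic than its name suggests; a header comment such as `# SDDM login stack for Plasma hosts (defaults to the plasma session)` would avoid surprises.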
@@ -1,7 +1,32 @@
-{lib, ...}: {
+{
+ lib,
+ pkgs,
+ ...
+}: {
 services.btrfs.autoScrub = {
 enable = true;
- interval = "weekly";
+ interval = "monthly";
 fileSystems = lib.mkDefault ["/"];
 };
+
+ systemd.timers."btrfs-snapshot" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m";
+ OnCalendar = "weekly";
+ Persistent = true;
+ Unit = "btrfs-snapshot.service";
+ };
+ };
+
+ systemd.services."btrfs-snapshot" = {
+ script = ''
+ set -eu
+ ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot /home /snapshots/home/$(date +"%Y-M%m-%d_%H-%M-%S") -r
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
 }
diff --git a/common/hardware/nvidia-gpu.nix b/common/hardware/nvidia-gpu.nix
index 8650634..2d653ba 100644
--- a/common/hardware/nvidia-gpu.nix
+++ b/common/hardware/nvidia-gpu.nix
@@ -47,4 +47,9 @@
 environment.systemPackages = with pkgs; [
 glxinfo
 ];
+
+ # To run Steam with nvidia-offload: run:
+ # echo "export XDG_DATA_HOME="$HOME/.local/share""
+ # mkdir -p ~/.local/share/applications
+ # sed 's/^Exec=/&nvidia-offload /' /run/current-system/sw/share/applications/steam.desktop > ~/.local/share/applications/steam.desktop
 }
diff --git a/common/programs/neovim.nix b/common/programs/neovim.nix
index 5d39b4d..5637753 100644
--- a/common/programs/neovim.nix
+++ b/common/programs/neovim.nix
@@ -1,6 +1,6 @@
 {pkgs, ...}: {
 # NeoVIm config
- # Imported by default by ../default.nix
+ # Imported by default by ../base.nix
 
 programs.neovim = {
 enable = true;
diff --git a/common/packages/auditd.nix b/common/services/auditd.nix
similarity index 100%
rename from common/packages/auditd.nix
rename to common/services/auditd.nix
diff --git a/common/services/usbguard.nix b/common/services/usbguard.nix
new file mode 100644
index 0000000..2442bb5
--- /dev/null
+++ b/common/services/usbguard.nix
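Review bot: The snapshot script in `systemd.services."btrfs-snapshot"` has a typo in the date format — `%Y-M%m-%d` yields names like `2024-M05-12_…` with a literal `M` before the month — and it never creates `/snapshots/home`, so the first run fails under `set -eu` if that directory is absent. `btrfs subvolume snapshot` also requires the destination to be on the same btrfs filesystem as `/home`; the `hosts/new-new-phoenix/hardware-configuration.nix` hunk in this diff mounts `/home` from subvolume `@home` but declares no mount for `/snapshots`, so as far as the diff shows the snapshot would be attempted across filesystems — confirm where `/snapshots` lives. Nothing prunes old snapshots, so a weekly read-only copy of `/home` accumulates until the disk is full; a retention rule, or at least a comment that deletion is manual, should accompany the timer. Placing `-r` before the paths matches the documented `btrfs subvolume snapshot [-r] <source> <dest>` form.
```nix
    script = ''
      set -eu
      dest=/snapshots/home
      # Destination must live on the same btrfs filesystem as /home.
      mkdir -p "$dest"
      ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /home "$dest/$(date +%Y-%m-%d_%H-%M-%S)"
    '';
    # … unchanged: serviceConfig …
```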
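Review bot: The new how-to comment in nvidia-gpu.nix has broken quoting on its `echo` line: `echo "export XDG_DATA_HOME="$HOME/.local/share""` nests double quotes, so the shell sees `"export XDG_DATA_HOME="` followed by an unquoted `$HOME/.local/share` and an empty string, and the output is not written to any rc file in the first place. If the intent is a shell profile line, stating it directly as `# add to the shell rc: export XDG_DATA_HOME="$HOME/.local/share"` is clearer than the echo; the `mkdir` and `sed` lines are fine as written. Since the comment reads as copy-paste instructions, naming the file the export belongs in would complete it.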
@@ -0,0 +1,25 @@ +{ + services.usbguard = { + enable = true; + dbus.enable = true; + + IPCAllowedGroups = ["wheel"]; + + rules = '' + # new-new-phoenix + allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" + allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" + allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" hash "om34qyRbPxnt/bsdFrR3g2SWxDVsInxWWsiFkDIyEnY=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:06:50 with-connect-type "hotplug" + allow id 048d:ce00 serial "" name "ITE Device(8291)" hash "snB5qcpdMc66wcxBmMAn+LStZHfOTO/c5RtrU9nzyHc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-6" with-interface { 03:01:01 03:00:00 } with-connect-type "hardwired" + allow id 8087:0025 serial "" name "" hash "N/wLaNIwbl3mtRa9CDFbUH7EfSZDhv2X+d2xcrwsw8Q=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired" + + # USB Drives + + ## ISO USB + allow id 0951:1666 serial "D067E5161936F420A61181ED" name "DataTraveler 3.0" + + ## TAILS USB + allow id 346d:5678 serial "FC081FF86A47A" name "Disk 20" + ''; + }; +} diff --git a/hosts/enry/configuration.nix b/hosts/enry/configuration.nix index 46ae8cf..95a9609 100644 --- a/hosts/enry/configuration.nix +++ b/hosts/enry/configuration.nix @@ -7,7 +7,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/hardware/raspberry-pi.nix 
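Review bot: The two rules under `# USB Drives` match only `id`, `serial` and `name`, all of which are values the device reports about itself, so they admit any device presenting those strings rather than the specific sticks; narrowing them with the interface class, as the rules above already do, e.g. `allow id 0951:1666 serial "D067E5161936F420A61181ED" name "DataTraveler 3.0" with-interface 08:06:50`, limits them to a mass-storage function, and adding the `hash` pins the descriptor set. The rule set is explicitly for one machine (`# new-new-phoenix`: host-controller serials, hashes and `via-port` values are per-board), yet the file sits in `common/services/`; any other host importing it would, under USBGuard's implicit block policy (presumably the NixOS default — confirm), reject every device including its keyboard, so the allow-list belongs under `hosts/new-new-phoenix/` with the common module carrying only `enable`, `dbus.enable` and `IPCAllowedGroups`. `IPCAllowedGroups = ["wheel"]` lets any wheel member change policy at runtime over the IPC/D-Bus interface, which is reasonable for a single-user laptop but deserves a comment recording that choice.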
diff --git a/hosts/new-new-phoenix/configuration.nix b/hosts/new-new-phoenix/configuration.nix index c661264..c9d85f2 100644 --- a/hosts/new-new-phoenix/configuration.nix +++ b/hosts/new-new-phoenix/configuration.nix @@ -7,7 +7,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/full-install.nix ../../common/tasia-packages.nix @@ -21,15 +21,22 @@ in { ../../common/hardware/btrfs.nix ../../common/hardware/latest-kernel.nix - ../../common/de/plasma6.nix + ../../common/de/greetd.nix + ../../common/de/plasma6.nix ../../common/de/hyprland.nix - ../../common/packages/steam.nix - ../../common/packages/syncthing.nix + ../../common/programs/steam.nix + ../../common/services/syncthing.nix + ../../common/services/usbguard.nix ../../modules/nixos/vedirect-reader.nix ]; + boot.initrd.availableKernelModules = [ + # Btrfs CRC hardware acceleration + "crc32c-intel" + ]; + networking = { hostName = "new-new-phoenix"; @@ -53,7 +60,7 @@ in { users.users.tasia = { isNormalUser = true; description = "User"; - extraGroups = ["networkmanager" "wheel" "syncthing"]; + extraGroups = ["networkmanager" "wheel" "syncthing" "tss"]; initialPassword = "correcthorsebatterystaple"; openssh.authorizedKeys.keys = [ sshKeys.new-new-phoenix.tasia @@ -80,6 +87,15 @@ in { # ]; + security.tpm2.enable = true; + security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + + hardware.bluetooth.enable = true; + hardware.bluetooth.powerOnBoot = false; + + services.blueman.enable = true; + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "23.11"; } diff --git a/hosts/new-new-phoenix/hardware-configuration.nix b/hosts/new-new-phoenix/hardware-configuration.nix index 377088d..459503f 100644 --- a/hosts/new-new-phoenix/hardware-configuration.nix 
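Review bot: `"tss"` is appended to `users.users.tasia.extraGroups` and `security.tpm2.*` is enabled without any comment on what the group grants: on NixOS, `security.tpm2.enable` installs udev rules that hand the TPM device nodes to the tss group (confirm against the module), so this gives the interactive user direct TPM access, which is more than the PKCS#11 module strictly needs. Suggest annotating the group, e.g. `extraGroups = ["networkmanager" "wheel" "syncthing" "tss"]; # tss: TPM device access for the PKCS#11 module enabled under security.tpm2`, and stating next to `security.tpm2.enable = true;` what the TPM is used for on this host. If the goal is only PKCS#11, consider whether `security.tpm2.abrmd.enable` (resource manager over D-Bus) is preferable to direct device access — hedged, since the diff does not show how the token is used.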
+++ b/hosts/new-new-phoenix/hardware-configuration.nix @@ -12,7 +12,7 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "rtsx_usb_sdmmc"]; boot.initrd.kernelModules = []; boot.kernelModules = ["kvm-intel"]; boot.extraModulePackages = []; @@ -28,6 +28,13 @@ fileSystems."/boot" = { device = "/dev/disk/by-uuid/E290-4D47"; fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb"; + fsType = "btrfs"; + options = ["subvol=@home"]; }; swapDevices = []; @@ -37,7 +44,9 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; + # networking.interfaces.docker0.useDHCP = lib.mkDefault true; # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/hosts/new-phoenix/configuration.nix b/hosts/new-phoenix/configuration.nix index 88c617f..53b54b2 100644 --- a/hosts/new-phoenix/configuration.nix +++ b/hosts/new-phoenix/configuration.nix @@ -7,7 +7,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/locales/en.nix ../../common/locales/fr-keymap.nix @@ -16,8 +16,8 @@ in { ../../common/hardware/ssd.nix ../../common/hardware/btrfs.nix - ../../common/packages/adguardhome.nix - ../../common/packages/syncthing.nix + ../../common/services/adguardhome.nix + ../../common/services/syncthing.nix ]; networking = { 
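Review bot: `options = ["fmask=0022" "dmask=0022"];` on the `/boot` vfat ESP makes every kernel, initrd and bootloader file there — including the `loader/random-seed` that systemd-boot keeps on the ESP — readable by any local user; newer NixOS releases warn about a world-readable ESP under systemd-boot and the usual fix is `options = ["fmask=0077" "dmask=0077"];`. If the wider mode was chosen deliberately (for example a tool that reads /boot unprivileged), a comment saying so would keep the next reviewer from flipping it back. The new `fileSystems."/home"` entry with `subvol=@home` is consistent with the snapshot service added in `common/hardware/btrfs.nix`, but that service writes under `/snapshots`, for which no mount is declared here.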
diff --git a/hosts/phoenix/configuration.nix b/hosts/phoenix/configuration.nix index 832bf15..83106be 100644 --- a/hosts/phoenix/configuration.nix +++ b/hosts/phoenix/configuration.nix @@ -7,7 +7,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/full-install.nix ../../common/tasia-packages.nix @@ -22,9 +22,9 @@ in { ../../common/de/plasma6.nix - ../../common/packages/adguardhome.nix - ../../common/packages/steam.nix - ../../common/packages/syncthing.nix + ../../common/programs/steam.nix + ../../common/services/adguardhome.nix + ../../common/services/syncthing.nix ../../modules/nixos/vedirect-reader.nix ]; diff --git a/hosts/stuff/configuration.nix b/hosts/stuff/configuration.nix index ba35854..33848a3 100644 --- a/hosts/stuff/configuration.nix +++ b/hosts/stuff/configuration.nix @@ -3,7 +3,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/locales/fr.nix ../../common/locales/fr-keymap.nix @@ -14,7 +14,7 @@ in { ../../common/de/plasma5.nix - ../../common/packages/syncthing.nix + ../../common/services/syncthing.nix ]; networking.hostName = "stuff"; diff --git a/hosts/theseus/configuration.nix b/hosts/theseus/configuration.nix index d2f3749..e7917c4 100644 --- a/hosts/theseus/configuration.nix +++ b/hosts/theseus/configuration.nix @@ -7,7 +7,7 @@ in { imports = [ ./hardware-configuration.nix - ../../common/default.nix + ../../common/base.nix ../../common/full-install.nix ../../common/allow-unfree.nix @@ -23,9 +23,9 @@ in { ../../common/de/plasma6.nix # ../../common/de/hyprland.nix - ../../common/packages/syncthing.nix - ../../common/packages/adguardhome.nix - ../../common/packages/steam.nix + ../../common/services/syncthing.nix + ../../common/services/adguardhome.nix + ../../common/programs/steam.nix ]; networking = {