add ttyonly and restructure project to be more modular
authorPreston Pan <ret2pop@gmail.com>
Tue, 4 Feb 2025 03:05:47 +0000 (19:05 -0800)
committerPreston Pan <ret2pop@gmail.com>
Tue, 4 Feb 2025 03:05:47 +0000 (19:05 -0800)
config/nix.org

index 3139a310f93d813f5bfa1dd30a1bc0291214b475..59d768b8d7af7c7709496c0d73c6cba2a93b2d78 100644 (file)
@@ -202,36 +202,37 @@ under ~default.nix~ in the ~systems~ folder.
 
     options = {
       monorepo = {
-       profiles = {
-               cuda.enable = lib.mkEnableOption "Enables CUDA support";
-               documentation.enable = lib.mkEnableOption "Enables documentation on system.";
-               secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl.";
-               pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup";
-               tor.enable = lib.mkEnableOption "Enables tor along with torsocks";
-               home.enable = lib.mkEnableOption "Enables home user";
-               server.enable = lib.mkEnableOption "Enables server services";
-       };
+           profiles = {
+                   cuda.enable = lib.mkEnableOption "Enables CUDA support";
+                   documentation.enable = lib.mkEnableOption "Enables documentation on system.";
+                   secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl.";
+                   pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup";
+                   tor.enable = lib.mkEnableOption "Enables tor along with torsocks";
+                   home.enable = lib.mkEnableOption "Enables home user";
+                   server.enable = lib.mkEnableOption "Enables server services";
+          ttyonly.enable = lib.mkEnableOption "TTY only, no xserver";
+           };
       };
     };
 
     config = {
       home-manager.users."${config.monorepo.vars.userName}" = {
-       programs.home-manager.enable = config.monorepo.profiles.home.enable;
+           programs.home-manager.enable = config.monorepo.profiles.home.enable;
       };
 
       environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [
-       linux-manual
-       man-pages
-       man-pages-posix
+           linux-manual
+           man-pages
+           man-pages-posix
       ]);
 
       monorepo = {
-       profiles = {
-               documentation.enable = lib.mkDefault true;
-               pipewire.enable = lib.mkDefault true;
-               tor.enable = lib.mkDefault true;
-               home.enable = lib.mkDefault true;
-       };
+           profiles = {
+                   documentation.enable = lib.mkDefault true;
+                   pipewire.enable = lib.mkDefault true;
+                   tor.enable = lib.mkDefault true;
+                   home.enable = lib.mkDefault true;
+           };
       };
     };
   }
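Review bot: The new `ttyonly.enable` line is indented to a different column than its siblings (about 10 columns versus 19 for `server.enable` directly above it), and it is the one substantive line in an otherwise whitespace-only hunk, so it stands out. Since the whole hunk is a re-indent anyway, pick one width and run the tangled Nix through a formatter so the next diff is not mostly whitespace. `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the description reads better as `ttyonly.enable = lib.mkEnableOption "TTY-only mode (no X server or window manager)";`, and the surrounding "Enables …" strings have the same double-verb problem. From the hunks visible in this commit only `windowManager.i3.enable` and `hardware.graphics.enable` are gated on this option, so "no xserver" is currently a description rather than something the option enforces.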
@@ -246,24 +247,24 @@ Still, it is suitable for using Krita.
     services.xserver = {
       enable = lib.mkDefault true;
       displayManager = {
-       startx.enable = true;
+        startx.enable = true;
       };
 
       windowManager = {
-       i3 = {
-         enable = true;
-         package = pkgs.i3-gaps;
-       };
+           i3 = {
+             enable = ! config.monorepo.profiles.ttyonly.enable;
+             package = pkgs.i3-gaps;
+           };
       };
 
       desktopManager = {
-       runXdgAutostartIfNone = true;
+           runXdgAutostartIfNone = true;
       };
 
       xkb = {
-       layout = "us";
-       variant = "";
-       options = "caps:escape";
+           layout = "us";
+           variant = "";
+           options = "caps:escape";
       };
 
       videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []);
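Review bot: `services.xserver.enable = lib.mkDefault true` on the first line of the hunk is left unconditional, so with `ttyonly.enable` set the X server, `startx` and the xdg autostart hook are still part of the closure and only `windowManager.i3.enable` is switched off, which contradicts the option's "no xserver" description. Gate the server itself with `enable = lib.mkDefault (! config.monorepo.profiles.ttyonly.enable);` and `startx.enable = ! config.monorepo.profiles.ttyonly.enable;`, keeping the existing i3 guard so the i3 package is not pulled into `systemPackages` either. The module this `services.xserver` block belongs to opens and closes outside the hunk.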
@@ -319,7 +320,7 @@ My SSH daemon configuration.
     settings = {
       PasswordAuthentication = true;
       AllowUsers = [ config.monorepo.vars.userName ];
-      PermitRootLogin = "no";
+      PermitRootLogin = "prohibit-password";
       KbdInteractiveAuthentication = false;
     };
   };
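Review bot: Changing `PermitRootLogin` from `"no"` to `"prohibit-password"` loosens the policy to permit key-based root login; with `AllowUsers` restricted to the single configured user it is inert today, but it will silently become effective the moment `AllowUsers` is widened or removed, so either keep `"no"` or add a comment stating why root key login is wanted. Separately, `PasswordAuthentication = true` stays in place while port 22 is opened in the firewall elsewhere in this commit and the user account is created with `initialPassword` equal to its username, which on the VPS profile is a brute-force exposure until that password is changed. Prefer `PasswordAuthentication = false;` (keys only), or at minimum gate it off for hosts with the `server` profile. The `services.openssh` block opens outside this hunk.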
@@ -407,7 +408,7 @@ Use postfix as an smtps server.
   { config, lib, ... }:
   {
     services.postfix = {
-      enable = true;
+      enable = lib.mkDefault config.monorepo.profiles.server.enable;
       config = {
       };
     };
@@ -480,21 +481,22 @@ Use postfix as an smtps server.
   { config, lib, pkgs, ... }:
   {
     hardware = {
-      graphics.extraPackages = with pkgs; [
-       vaapiVdpau
-       libvdpau-va-gl
-       nvidia-vaapi-driver
-      ];
+      graphics.extraPackages = (if config.monorepo.profiles.cuda.enable
+                                then with pkgs; [
+                                  vaapiVdpau
+                                  libvdpau-va-gl
+                                  nvidia-vaapi-driver
+                                ] else []);
 
       nvidia = {
-       modesetting.enable = true;
-       powerManagement = {
-               enable = true;
-               finegrained = false;
-       };
-       nvidiaSettings = true;
-       open = false;
-       package = config.boot.kernelPackages.nvidiaPackages.stable;
+           modesetting.enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
+           powerManagement = {
+                   enable = lib.mkDefault config.monorepo.profiles.cuda.enable;
+                   finegrained = false;
+           };
+           nvidiaSettings = lib.mkDefault config.monorepo.profiles.cuda.enable;
+           open = lib.mkDefault false;
+           package = config.boot.kernelPackages.nvidiaPackages.stable;
       };
     };
   }
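Review bot: The `(if … then with pkgs; [ … ] else [])` construction for `graphics.extraPackages` is the long way to write a conditional list in Nix; the idiomatic form is `graphics.extraPackages = lib.optionals config.monorepo.profiles.cuda.enable (with pkgs; [ vaapiVdpau libvdpau-va-gl nvidia-vaapi-driver ]);`, which also drops the outer parentheses. `package = config.boot.kernelPackages.nvidiaPackages.stable` and `open = lib.mkDefault false` remain ungated while the neighbouring keys are tied to `cuda.enable`; as far as I recall the `hardware.nvidia` module only acts when "nvidia" is in `videoDrivers` (set from the same flag in the xserver hunk), so this is harmless, but a one-line comment such as `# hardware.nvidia is only active when videoDrivers contains "nvidia"` would spare the next reader the question. The module is complete within the hunk.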
@@ -503,12 +505,12 @@ Use postfix as an smtps server.
 #+begin_src nix :tangle ../nix/modules/cuda.nix
   { config, lib, pkgs, ... }:
   {
-    environment.systemPackages = with pkgs; [
-       cudatoolkit
-       cudaPackages.cudnn
-       cudaPackages.libcublas
-       linuxPackages.nvidia_x11
-    ];
+    environment.systemPackages = (if config.monorepo.profiles.cuda.enable then with pkgs; [
+       cudatoolkit
+       cudaPackages.cudnn
+       cudaPackages.libcublas
+       linuxPackages.nvidia_x11
+    ] else []);
   }
 #+end_src
 ** Main Configuration
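Review bot: Same pattern as the graphics hunk: `environment.systemPackages = lib.optionals config.monorepo.profiles.cuda.enable (with pkgs; [ cudatoolkit cudaPackages.cudnn cudaPackages.libcublas linuxPackages.nvidia_x11 ]);` expresses the conditional list without the `if/else []`. More importantly, `linuxPackages.nvidia_x11` comes from nixpkgs' default kernel package set, whereas the driver selected in `hardware.nvidia.package` comes from `config.boot.kernelPackages`; if `boot.kernelPackages` is ever set to a non-default kernel the two will diverge. Use `config.boot.kernelPackages.nvidia_x11` here so both modules follow the same kernel, or drop the entry if the nvidia module already provides the userspace you need (verify). The `#+begin_src` block is complete within the hunk.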
@@ -541,7 +543,7 @@ because they enhance security.
 
     environment = {
       etc = {
-       securetty.text = ''
+           securetty.text = ''
            # /etc/securetty: list of terminals on which root is allowed to login.
            # See securetty(5) and login(1).
            '';
@@ -552,13 +554,13 @@ because they enhance security.
       coredump.enable = false;
       network.config.networkConfig.IPv6PrivacyExtensions = "kernel";
       tmpfiles.settings = {
-       "restricthome"."/home/*".Z.mode = "~0700";
+           "restricthome"."/home/*".Z.mode = "~0700";
 
-       "restrictetcnixos"."/etc/nixos/*".Z = {
-         mode = "0000";
-         user = "root";
-         group = "root";
-       };
+           "restrictetcnixos"."/etc/nixos/*".Z = {
+             mode = "0000";
+             user = "root";
+             group = "root";
+           };
       };
     };
 
@@ -567,126 +569,126 @@ because they enhance security.
       extraModulePackages = [ ];
 
       initrd = {
-       availableKernelModules = [
-         "xhci_pci"
-         "ahci"
-         "usb_storage"
-         "sd_mod"
-         "nvme"
-         "sd_mod"
-         "ehci_pci"
-         "rtsx_pci_sdmmc"
-         "usbhid"
-       ];
+           availableKernelModules = [
+             "xhci_pci"
+             "ahci"
+             "usb_storage"
+             "sd_mod"
+             "nvme"
+             "sd_mod"
+             "ehci_pci"
+             "rtsx_pci_sdmmc"
+             "usbhid"
+           ];
 
-       kernelModules = [ ];
+           kernelModules = [ ];
       };
 
       lanzaboote = {
-       enable = config.monorepo.profiles.secureBoot.enable;
-       pkiBundle = "/etc/secureboot";
+           enable = config.monorepo.profiles.secureBoot.enable;
+           pkiBundle = "/etc/secureboot";
       };
 
       loader = {
-       systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable);
-       efi.canTouchEfiVariables = true;
+           systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable);
+           efi.canTouchEfiVariables = true;
       };
 
       kernelModules = [
-       "snd-seq"
-       "snd-rawmidi"
-       "xhci_hcd"
-       "kvm_intel"
+           "snd-seq"
+           "snd-rawmidi"
+           "xhci_hcd"
+           "kvm_intel"
       ];
 
       kernelParams = [
-       "debugfs=off"
-       "page_alloc.shuffle=1"
-       "slab_nomerge"
-       "page_poison=1"
-
-       # madaidan
-       "pti=on"
-       "randomize_kstack_offset=on"
-       "vsyscall=none"
-       "module.sig_enforce=1"
-       "lockdown=confidentiality"
-
-       # cpu
-       "spectre_v2=on"
-       "spec_store_bypass_disable=on"
-       "tsx=off"
-       "tsx_async_abort=full,nosmt"
-       "mds=full,nosmt"
-       "l1tf=full,force"
-       "nosmt=force"
-       "kvm.nx_huge_pages=force"
-
-       # hardened
-       "extra_latent_entropy"
-
-       # mineral
-       "init_on_alloc=1"
-       "random.trust_cpu=off"
-       "random.trust_bootloader=off"
-       "intel_iommu=on"
-       "amd_iommu=force_isolation"
-       "iommu=force"
-       "iommu.strict=1"
-       "init_on_free=1"
-       "quiet"
-       "loglevel=0"
+           "debugfs=off"
+           "page_alloc.shuffle=1"
+           "slab_nomerge"
+           "page_poison=1"
+
+           # madaidan
+           "pti=on"
+           "randomize_kstack_offset=on"
+           "vsyscall=none"
+           "module.sig_enforce=1"
+           "lockdown=confidentiality"
+
+           # cpu
+           "spectre_v2=on"
+           "spec_store_bypass_disable=on"
+           "tsx=off"
+           "tsx_async_abort=full,nosmt"
+           "mds=full,nosmt"
+           "l1tf=full,force"
+           "nosmt=force"
+           "kvm.nx_huge_pages=force"
+
+           # hardened
+           "extra_latent_entropy"
+
+           # mineral
+           "init_on_alloc=1"
+           "random.trust_cpu=off"
+           "random.trust_bootloader=off"
+           "intel_iommu=on"
+           "amd_iommu=force_isolation"
+           "iommu=force"
+           "iommu.strict=1"
+           "init_on_free=1"
+           "quiet"
+           "loglevel=0"
       ];
 
       blacklistedKernelModules = [
-       "netrom"
-       "rose"
-
-       "adfs"
-       "affs"
-       "bfs"
-       "befs"
-       "cramfs"
-       "efs"
-       "erofs"
-       "exofs"
-       "freevxfs"
-       "f2fs"
-       "hfs"
-       "hpfs"
-       "jfs"
-       "minix"
-       "nilfs2"
-       "ntfs"
-       "omfs"
-       "qnx4"
-       "qnx6"
-       "sysv"
-       "ufs"
+           "netrom"
+           "rose"
+
+           "adfs"
+           "affs"
+           "bfs"
+           "befs"
+           "cramfs"
+           "efs"
+           "erofs"
+           "exofs"
+           "freevxfs"
+           "f2fs"
+           "hfs"
+           "hpfs"
+           "jfs"
+           "minix"
+           "nilfs2"
+           "ntfs"
+           "omfs"
+           "qnx4"
+           "qnx6"
+           "sysv"
+           "ufs"
       ];
 
       kernel.sysctl = {
-       "kernel.ftrace_enabled" = false;
-       "net.core.bpf_jit_enable" = false;
-       "kernel.kptr_restrict" = 2;
-
-       # madaidan
-       "vm.swappiness" = 1;
-       "vm.unprivileged_userfaultfd" = 0;
-       "dev.tty.ldisc_autoload" = 0;
-       "kernel.kexec_load_disabled" = 1;
-       "kernel.sysrq" = 4;
-       "kernel.perf_event_paranoid" = 3;
-
-       # net
-       "net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
-       "net.ipv4.conf.all.accept_redirects" = false;
-       "net.ipv4.conf.all.secure_redirects" = false;
-       "net.ipv4.conf.default.accept_redirects" = false;
-       "net.ipv4.conf.default.secure_redirects" = false;
-       "net.ipv6.conf.all.accept_redirects" = false;
-       "net.ipv6.conf.default.accept_redirects" = false;
+           "kernel.ftrace_enabled" = false;
+           "net.core.bpf_jit_enable" = false;
+           "kernel.kptr_restrict" = 2;
+
+           # madaidan
+           "vm.swappiness" = 1;
+           "vm.unprivileged_userfaultfd" = 0;
+           "dev.tty.ldisc_autoload" = 0;
+           "kernel.kexec_load_disabled" = 1;
+           "kernel.sysrq" = 4;
+           "kernel.perf_event_paranoid" = 3;
+
+           # net
+           "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+           "net.ipv4.conf.all.accept_redirects" = false;
+           "net.ipv4.conf.all.secure_redirects" = false;
+           "net.ipv4.conf.default.accept_redirects" = false;
+           "net.ipv4.conf.default.secure_redirects" = false;
+           "net.ipv6.conf.all.accept_redirects" = false;
+           "net.ipv6.conf.default.accept_redirects" = false;
       };
     };
 
@@ -694,32 +696,31 @@ because they enhance security.
       useDHCP = lib.mkDefault true;
       hostName = config.monorepo.vars.hostName;
       networkmanager = {
-       enable = true;
-       # wifi.macAddress = "";
+           enable = true;
       };
       firewall = {
-       allowedTCPPorts = [ 22 11434 ];
-       allowedUDPPorts = [ ];
+           allowedTCPPorts = [ 22 11434 ];
+           allowedUDPPorts = [ ];
       };
     };
 
     hardware = {
       enableAllFirmware = true;
       cpu.intel.updateMicrocode = true;
-      graphics.enable = true;
+      graphics.enable = ! config.monorepo.profiles.ttyonly.enable;
       pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable;
 
       bluetooth = {
-       enable = true;
-       powerOnBoot = true;
+           enable = true;
+           powerOnBoot = true;
       };
     };
 
     services = {
       chrony = {
-       enable = true;
-       enableNTS = true;
-       servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
+           enable = true;
+           enableNTS = true;
+           servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
       };
 
       jitterentropy-rngd.enable = true;
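Review bot: `hardware.graphics.enable = ! …ttyonly.enable` is the only profile gate in this hunk, while `bluetooth.enable`/`powerOnBoot = true` and `allowedTCPPorts = [ 22 11434 ]` stay unconditional on every host, including the VPS that this commit switches to `ttyonly`. If 11434 is the local LLM API port it appears to be (confirm) and nothing authenticates in front of it, opening it on a public server is the larger concern; gate it on the profile that needs it, e.g. `allowedTCPPorts = [ 22 ] ++ lib.optional (! config.monorepo.profiles.ttyonly.enable) 11434;`, and likewise `bluetooth.enable = ! config.monorepo.profiles.ttyonly.enable;`. Dropping the commented-out `wifi.macAddress` line is fine. The `networking`, `hardware` and `services` sets all continue past the end of the hunk.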
@@ -732,12 +733,12 @@ because they enhance security.
 
       # Misc.
       udev = {
-       extraRules = '''';
-       packages = with pkgs; [ 
-         platformio-core
-         platformio-core.udev
-         openocd
-       ];
+           extraRules = '''';
+           packages = with pkgs; [ 
+             platformio-core
+             platformio-core.udev
+             openocd
+           ];
       };
 
       printing.enable = true;
@@ -754,20 +755,20 @@ because they enhance security.
     nixpkgs = {
       hostPlatform = lib.mkDefault "x86_64-linux";
       config = {
-       allowUnfree = true;
-       cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable;
+           allowUnfree = true;
+           cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable;
       };
     };
 
     security = {
       apparmor = {
-       enable = true;
-       killUnconfinedConfinables = true;
+           enable = true;
+           killUnconfinedConfinables = true;
       };
 
       pam.loginLimits = [
-       { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
-       { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
+           { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
+           { domain = "*"; item = "memlock"; type = "-"; value = "32768"; }
       ];
       rtkit.enable = true;
 
@@ -777,9 +778,9 @@ because they enhance security.
       forcePageTableIsolation = true;
 
       tpm2 = {
-       enable = true;
-       pkcs11.enable = true;
-       tctiEnvironment.enable = true;
+           enable = true;
+           pkcs11.enable = true;
+           tctiEnvironment.enable = true;
       };
 
       auditd.enable = true;
@@ -792,9 +793,9 @@ because they enhance security.
       enable = true;
       wlr.enable = true;
       extraPortals = with pkgs; [
-       xdg-desktop-portal-gtk
-       xdg-desktop-portal
-       xdg-desktop-portal-hyprland
+           xdg-desktop-portal-gtk
+           xdg-desktop-portal
+           xdg-desktop-portal-hyprland
       ];
       config.common.default = "*";
     };
@@ -813,17 +814,17 @@ because they enhance security.
       ];
 
       git = {
-       isSystemUser = true;
-       home = "/srv/git";
-       shell = "${pkgs.git}/bin/git-shell";
+           isSystemUser = true;
+           home = "/srv/git";
+           shell = "${pkgs.git}/bin/git-shell";
       };
       "${config.monorepo.vars.userName}" = {
-       initialPassword = "${config.monorepo.vars.userName}";
-       isNormalUser = true;
-       description = config.monorepo.vars.fullName;
-       extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
-       shell = pkgs.zsh;
-       packages = [];
+           initialPassword = "${config.monorepo.vars.userName}";
+           isNormalUser = true;
+           description = config.monorepo.vars.fullName;
+           extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ];
+           shell = pkgs.zsh;
+           packages = [];
       };
     };
 
@@ -2542,6 +2543,7 @@ for these configurations.
       packages = with pkgs; [
         # wikipedia
         kiwix kiwix-tools
+
         # passwords
         age sops
 
@@ -2580,6 +2582,7 @@ for these configurations.
         acpilight
         pfetch
         libnotify
+        htop
       ];
     };
 
@@ -2652,6 +2655,7 @@ Spontaneity is my VPS instance.
     config.monorepo = {
       profiles = {
         server.enable = true;
+        ttyonly.enable = true;
         home.enable = false;
       };
       vars.hostName = "spontaneity";
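Review bot: Enabling `ttyonly` on the spontaneity VPS only switches off i3 and `hardware.graphics` in the hunks visible in this commit, while `pipewire.enable` still defaults to `true` in the profile module, so the headless host keeps the audio stack. Simply adding `pipewire.enable = false;` here is not enough, because the main configuration sets `hardware.pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable` and would turn PulseAudio on instead; the audio gate should account for `ttyonly` as well, e.g. `pulseaudio.enable = !(config.monorepo.profiles.pipewire.enable || config.monorepo.profiles.ttyonly.enable);` together with `pipewire.enable = false;` in this profile. Only the `config.monorepo` set of this host module is in view; its opening is outside the hunk.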