From e2a0172e2d78e900103063fce15bb313bdb3713a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 27 Sep 2023 12:38:41 +0200 Subject: [PATCH] feat(flake): use flake-parts --- flake.lock | 222 +++++++++++----- flake.nix | 251 +++++++++--------- hosts/nixos-desktop/default.nix | 57 ++-- .../nixos-desktop/hardware-configuration.nix | 75 +++--- hosts/nixos-desktop/system.nix | 1 - hosts/nixos-laptop/default.nix | 86 +++--- hosts/nixos-laptop/hardware-configuration.nix | 12 +- hosts/nixos-laptop/system.nix | 1 - hosts/scadspc25/default.nix | 17 +- hosts/scadspc25/hardware-configuration.nix | 83 +++--- hosts/scadspc25/system.nix | 1 - modules/profiles/base.nix | 18 -- modules/programs/hyprland/default.nix | 139 +++++----- modules/security/default.nix | 102 +++---- 14 files changed, 576 insertions(+), 489 deletions(-) delete mode 100644 hosts/nixos-desktop/system.nix delete mode 100644 hosts/nixos-laptop/system.nix delete mode 100644 hosts/scadspc25/system.nix diff --git a/flake.lock b/flake.lock index 0168879..159b808 100644 --- a/flake.lock +++ b/flake.lock @@ -93,9 +93,28 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "disko": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1695380190, 
@@ -160,6 +179,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", @@ -180,9 +217,9 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1688466019, @@ -197,7 +234,7 @@ "type": "indirect" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", @@ -222,7 +259,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1694529238, @@ -240,7 +277,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1685518550, @@ -258,7 +295,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1685518550, @@ -313,9 +350,9 @@ }, "hercules-ci-agent": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "haskell-flake": "haskell-flake", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1688568579, @@ -332,7 +369,7 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "hercules-ci-agent": "hercules-ci-agent", "nixpkgs": [ "neovim-nightly-overlay", @@ -412,7 +449,7 @@ }, "hypr-contrib": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1695455081, 
@@ -431,8 +468,8 @@ "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", - "nixpkgs": "nixpkgs_3", - "systems": "systems_2", + "nixpkgs": "nixpkgs_4", + "systems": "systems_3", "wlroots": "wlroots", "xdph": "xdph" }, @@ -477,7 +514,7 @@ }, "hyprpaper": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1694600309, @@ -588,10 +625,10 @@ "neovim-nightly-overlay": { "inputs": { "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "hercules-ci-effects": "hercules-ci-effects", "neovim-flake": "neovim-flake", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1695513850, @@ -671,11 +708,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694948089, - "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", + "lastModified": 1677383253, + "narHash": "sha256-UfpzWfSxkfXHnb4boXZNaKsAcUrZT9Hw+tao1oZxd08=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db", + "rev": "9952d6bc395f5841262b006fbace8dd7e143b634", "type": "github" }, "original": { @@ -686,6 +723,24 @@ } }, "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1693471703, + "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "dir": "lib", "lastModified": 1688049487, 
@@ -735,7 +790,39 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1692934111, + "narHash": "sha256-9EEE59v/esKNMR5zKbLRV9NoRPYvERw5jHQOnfr47bk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1e44a037bbf4fcaba041436e65e87be88f3f495b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { + "locked": { + "lastModified": 1694948089, + "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1658161305, "narHash": "sha256-X/nhnMCa1Wx4YapsspyAs6QYz6T/85FofrI6NpdPDHg=", @@ -751,7 +838,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1694767346, "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=", @@ -767,7 +854,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1683014792, "narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=", @@ -783,7 +870,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1688322751, "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=", 
@@ -799,33 +886,17 @@ "type": "github" } }, - "nixpkgs_6": { - "locked": { - "lastModified": 1695318763, - "narHash": "sha256-FHVPDRP2AfvsxAdc+AsgFJevMz5VBmnZglFUMlxBkcY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e12483116b3b51a185a33a272bf351e357ba9a99", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_7": { "locked": { "lastModified": 1695318763, "narHash": "sha256-FHVPDRP2AfvsxAdc+AsgFJevMz5VBmnZglFUMlxBkcY=", - "owner": "nixos", + "owner": "NixOS", "repo": "nixpkgs", "rev": "e12483116b3b51a185a33a272bf351e357ba9a99", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" @@ -833,15 +904,15 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1689261696, - "narHash": "sha256-LzfUtFs9MQRvIoQ3MfgSuipBVMXslMPH/vZ+nM40LkA=", - "owner": "NixOS", + "lastModified": 1695318763, + "narHash": "sha256-FHVPDRP2AfvsxAdc+AsgFJevMz5VBmnZglFUMlxBkcY=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "df1eee2aa65052a18121ed4971081576b25d6b5c", + "rev": "e12483116b3b51a185a33a272bf351e357ba9a99", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" @@ -849,11 +920,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1692934111, - "narHash": "sha256-9EEE59v/esKNMR5zKbLRV9NoRPYvERw5jHQOnfr47bk=", + "lastModified": 1689261696, + "narHash": "sha256-LzfUtFs9MQRvIoQ3MfgSuipBVMXslMPH/vZ+nM40LkA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e44a037bbf4fcaba041436e65e87be88f3f495b", + "rev": "df1eee2aa65052a18121ed4971081576b25d6b5c", "type": "github" }, "original": { @@ -901,7 +972,7 @@ "flake-compat": "flake-compat_3", "flake-utils": "flake-utils_3", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { 
@@ -941,7 +1012,9 @@ "agenix": "agenix", "arkenfox-userjs": "arkenfox-userjs", "asus-touchpad-numpad-driver": "asus-touchpad-numpad-driver", + "devshell": "devshell", "disko": "disko", + "flake-parts": "flake-parts", "flake-utils": "flake-utils", "hmts-nvim": "hmts-nvim", "home-manager": "home-manager_2", @@ -954,7 +1027,7 @@ "nil": "nil", "nix-lazy-nvim": "nix-lazy-nvim", "nix-super": "nix-super", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nvim-puppeteer": "nvim-puppeteer", "nvim-treesitter": "nvim-treesitter", "pre-commit-hooks": "pre-commit-hooks", @@ -1039,21 +1112,6 @@ } }, "systems_2": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -1068,6 +1126,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, "systems_4": { "locked": { "lastModified": 1681028828, @@ -1098,6 +1171,21 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "telekasten-nvim": { "flake": false, "locked": { 
@@ -1133,7 +1221,7 @@ "timers": { "inputs": { "naersk": "naersk", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "utils": "utils" }, "locked": { @@ -1152,7 +1240,7 @@ }, "utils": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1692799911, diff --git a/flake.nix b/flake.nix index 475d0cd..4fab135 100644 --- a/flake.nix +++ b/flake.nix @@ -1,11 +1,6 @@ { description = "My awesome system config"; - /* - ╔══════════════════════════════════════════════════════════╗ - ║ Inputs ║ - ╚══════════════════════════════════════════════════════════╝ - */ inputs = { # Nix master.url = "github:nixos/nixpkgs"; @@ -13,6 +8,8 @@ stable.url = "github:nixos/nixpkgs/nixos-23.05"; flake-utils.url = "github:numtide/flake-utils"; + flake-parts.url = "github:hercules-ci/flake-parts"; + devshell.url = "github:numtide/devshell"; agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; @@ -20,9 +17,11 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; - nil.inputs.flake-utils.follows = "flake-utils"; - nil.inputs.nixpkgs.follows = "nixpkgs"; - nil.url = "github:oxalica/nil"; + nil = { + inputs.flake-utils.follows = "flake-utils"; + inputs.nixpkgs.follows = "nixpkgs"; + url = "github:oxalica/nil"; + }; pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; 
@@ -77,147 +76,141 @@ timers.url = "git+https://gitea.moritzboeh.me/moritz/timers.git"; }; - /* - ╔══════════════════════════════════════════════════════════╗ - ║ Outputs ║ - ╚══════════════════════════════════════════════════════════╝ - */ - outputs = inputs@{ self, nixpkgs, ... }: + outputs = inputs@{ self, flake-parts, ... }: let - systems = [ "x86_64-linux" "aarch64-linux" ]; - - forEachSystem = lib.genAttrs systems; - - lib = nixpkgs.lib.extend - (self: _: { my = import ./lib { lib = self; }; }); - - overlay = import ./overlays { - inherit inputs; - inherit (self) lib; - }; - - config.allowUnfree = true; - - overlays = [ + defaultOverlays = [ inputs.hypr-contrib.overlays.default inputs.neovim-nightly-overlay.overlay - overlay + self.overlay ]; - - pkgsFor = system: import nixpkgs { - inherit system config; - overlays = overlays ++ [ + finalOverlays = + defaultOverlays ++ [ ( _: prev: { master = import inputs.master { inherit (prev) system; - inherit overlays config; + overlays = defaultOverlays; }; stable = import inputs.stable { inherit (prev) system; - inherit overlays config; + overlays = defaultOverlays; }; } ) - overlay ]; - }; - - defaultModules = [ - { nixpkgs = { inherit config; }; } - ./modules - inputs.home-manager.nixosModule - { - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { inherit inputs self; }; - sharedModules = [ inputs.nix-lazy-nvim.homeManagerModules.default ]; - }; - } - inputs.agenix.nixosModules.age - inputs.disko.nixosModules.default - inputs.impermanence.nixosModules.impermanence + in + flake-parts.lib.mkFlake { inherit inputs; } { + imports = [ + inputs.flake-parts.flakeModules.easyOverlay + inputs.pre-commit-hooks.flakeModule + inputs.devshell.flakeModule ]; - hosts = self.lib.my.mapModules - (path: - let - system = import "${path}/system.nix"; - pkgs = pkgsFor system; - in - lib.nixosSystem { - inherit pkgs system lib; - specialArgs = { - inherit inputs self; - }; - modules = 
defaultModules ++ [ path ]; - }) - ./hosts; + systems = [ "x86_64-linux" ]; + perSystem = { config, self', inputs', pkgs, system, ... }: { + _module.args.pkgs = + import inputs.nixpkgs { + inherit system; + overlays = finalOverlays; + }; - pre-commit-check = system: inputs.pre-commit-hooks.lib."${system}".run { - src = ./.; - hooks = { - nixpkgs-fmt.enable = true; - statix.enable = true; - shellcheck.enable = true; - stylua.enable = true; - }; - }; - in - with lib; { - inherit lib; - - # ╔══════════════════════════════════════════════════════════╗ - # ║ NixOS Configurations ║ - # ╚══════════════════════════════════════════════════════════╝ - - nixosConfigurations = hosts; - - # ╔══════════════════════════════════════════════════════════╗ - # ║ Other Outputs ║ - # ╚══════════════════════════════════════════════════════════╝ - - devShells = forEachSystem (system: - let - pkgs = pkgsFor system; - in - { - default = pkgs.mkShell + devshells.default = { + devshell.startup.pre-commit-hook.text = config.pre-commit.installationScript; + commands = [ { - inherit (pre-commit-check system) shellHook; - name = "dotfiles"; - packages = with pkgs; [ - # Secrets - agenix - # cachix - cachix - ]; - }; - }); - - checks = forEachSystem (system: { - pre-commit-check = pre-commit-check system; - }); - - legacyPackages = forEachSystem pkgsFor; - - packages = forEachSystem (system: - let - pkgs = pkgsFor system; - in - filterAttrs (_: isDerivation) - (overlay pkgs pkgs) - ); - - overlays = - let - overlayNames = attrNames (overlay null null); - mkOverlay = name: final: prev: (overlay final prev).${name}; - in - (genAttrs overlayNames mkOverlay) // { - default = overlay; + name = "agenix"; + help = "wrapper around agenix"; + command = '' + sudo EDITOR="${pkgs.lib.getExe pkgs.vim}" ${pkgs.lib.getExe' inputs'.agenix.packages.default "agenix"} --identity /etc/ssh/ssh_host_ed25519_key "$@" + ''; + } + { + name = "nixos-build"; + help = "use nom to build system"; + command = + '' + nom build 
--no-link ".#nixosConfigurations.$(hostname).config.system.build.toplevel" $@ + ''; + } + { + name = "nixos-switch"; + help = "wrapper for nixos-rebuild switch"; + command = "sudo nixos-rebuild switch --flake . $@"; + } + { + name = "nixos-test"; + help = "wrapper for nixos-rebuild switch"; + command = "sudo nixos-rebuild test --flake . $@"; + } + { + name = "nixos-boot"; + help = "wrapper for nixos-rebuild switch"; + command = "sudo nixos-rebuild boot --flake . $@"; + } + ]; }; + + pre-commit = { + check.enable = true; + settings = { + hooks = { + nixpkgs-fmt.enable = true; + statix.enable = true; + shellcheck.enable = true; + stylua.enable = true; + }; + }; + }; + + legacyPackages = pkgs; + + packages = + self.lib.filterAttrs (_: self.lib.isDerivation) + (self.overlay pkgs pkgs); + }; + + flake = { + lib = inputs.nixpkgs.lib.extend + (self: _: { my = import ./lib { lib = self; }; }); + + overlay = import ./overlays { + inherit inputs; + inherit (self) lib; + }; + + nixosConfigurations = self.lib.my.mapModules + (path: + self.lib.nixosSystem { + inherit (self) lib; + specialArgs = { + inherit inputs self; + }; + modules = + [ + ./modules + { + nixpkgs = { + overlays = finalOverlays; + config.allowUnfree = true; + }; + } + inputs.home-manager.nixosModule + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs self; }; + sharedModules = [ inputs.nix-lazy-nvim.homeManagerModules.default ]; + }; + } + inputs.agenix.nixosModules.age + inputs.disko.nixosModules.default + inputs.impermanence.nixosModules.impermanence + ] + ++ [ path ]; + }) + ./hosts; + }; }; nixConfig = { diff --git a/hosts/nixos-desktop/default.nix b/hosts/nixos-desktop/default.nix index 7fbb0ce..79984e0 100644 --- a/hosts/nixos-desktop/default.nix +++ b/hosts/nixos-desktop/default.nix 
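Review bot: `allowUnfree` no longer reaches the per-system package set or the `master`/`stable` imports: the removed `pkgsFor` passed `config` (with `allowUnfree = true`) to `import nixpkgs` and to both `import inputs.master` / `import inputs.stable`, whereas the new `_module.args.pkgs = import inputs.nixpkgs { inherit system; overlays = finalOverlays; }` and the `overlays = defaultOverlays;` branches pass overlays only, so an unfree package reached through `legacyPackages`, `packages`, `pkgs.master.*` or `pkgs.stable.*` would now fail to evaluate (the `nixpkgs.config.allowUnfree = true` set in the NixOS module does not flow into those nested imports). Adding `config.allowUnfree = true;` to those three `import` calls, or hoisting the old `config` binding back into the `let`, restores the previous behaviour. Two smaller points in the same hunk: the `help` strings of `nixos-test` and `nixos-boot` are copy-pasted from `nixos-switch` (`help = "wrapper for nixos-rebuild test";` / `help = "wrapper for nixos-rebuild boot";`), and the four `nixos-*` commands forward an unquoted `$@` while `agenix` uses `"$@"`, so arguments containing spaces are word-split only in the former. `systems` also shrinks from `[ "x86_64-linux" "aarch64-linux" ]` to `[ "x86_64-linux" ]`, dropping the aarch64 devShell and check outputs, which is fine if intentional but is not mentioned in the commit message.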
@@ -31,14 +31,27 @@ home-manager.users.moritz.home.packages = with pkgs; [ jetbrains.idea-community ]; + hardware = { + keyboard.qmk.enable = true; + nvidia.modesetting.enable = true; + opengl = { + enable = true; + driSupport32Bit = true; + driSupport = true; + }; - hardware.keyboard.qmk.enable = true; + # sensors + enableAllFirmware = true; - # KERNEL - boot.kernelPackages = pkgs.linuxPackages_latest; + bluetooth.enable = true; + }; - # BOOT boot = { + # KERNEL + kernelPackages = pkgs.linuxPackages_latest; + + # BOOT + supportedFilesystems = [ "btrfs" "ntfs" ]; loader = { grub = { @@ -49,6 +62,8 @@ }; efi.canTouchEfiVariables = true; }; + + kernelModules = [ "lm92" "drivetemp" ]; }; # NETWORKING @@ -73,33 +88,23 @@ }; networkmanager.enable = true; }; - hardware.nvidia.modesetting.enable = true; - services.xserver.videoDrivers = [ "nvidia" ]; - hardware.opengl = { - enable = true; - driSupport32Bit = true; - driSupport = true; + services = { + xserver.videoDrivers = [ "nvidia" ]; + xserver.xrandrHeads = [ + { output = "HDMI-1"; } + { + output = "HDMI-0"; + primary = true; + } + ]; + + # Powersaving + tlp.enable = true; }; - services.xserver.xrandrHeads = [ - { output = "HDMI-1"; } - { - output = "HDMI-0"; - primary = true; - } - ]; console.keyMap = "de"; - - # Powersaving - services.tlp.enable = true; powerManagement.enable = true; - - # sensors - hardware.enableAllFirmware = true; environment.systemPackages = with pkgs; [ lm_sensors ]; - boot.kernelModules = [ "lm92" "drivetemp" ]; - - hardware.bluetooth.enable = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/nixos-desktop/hardware-configuration.nix b/hosts/nixos-desktop/hardware-configuration.nix index 6ecf64c..75c7ac5 100644 --- a/hosts/nixos-desktop/hardware-configuration.nix +++ b/hosts/nixos-desktop/hardware-configuration.nix 
@@ -7,51 +7,56 @@ , ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=root" "compress=zstd" ]; + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + luks.devices."enc".device = "/dev/disk/by-uuid/30025a9f-44cf-4074-8ae2-d4925efd67dd"; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; }; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; + }; - boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/30025a9f-44cf-4074-8ae2-d4925efd67dd"; + "/home" = { + device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" ]; + }; - fileSystems."/home" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=home" "compress=zstd" ]; - }; + "/nix" = { + device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" ]; + }; - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=nix" "compress=zstd" ]; - }; + "/var/log" = { + device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" ]; + neededForBoot = true; + }; - fileSystems."/var/log" = { - device = "/dev/disk/by-uuid/668a49b3-d169-461f-861d-0c3e6a1642d1"; - fsType = "btrfs"; - options = [ "subvol=log" 
"compress=zstd" ]; - neededForBoot = true; - }; + "/boot" = { + device = "/dev/disk/by-uuid/297B-C04C"; + fsType = "vfat"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/297B-C04C"; - fsType = "vfat"; - }; - - fileSystems."/media/games" = { - device = "/dev/disk/by-uuid/8f92ff36-a685-4a67-a3d4-55136dc5f286"; - fsType = "ext4"; + "/media/games" = { + device = "/dev/disk/by-uuid/8f92ff36-a685-4a67-a3d4-55136dc5f286"; + fsType = "ext4"; + }; }; swapDevices = [{ device = "/dev/disk/by-uuid/00ad6f74-f23e-4ac0-abfb-89bdfe5ab8ae"; }]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/nixos-desktop/system.nix b/hosts/nixos-desktop/system.nix deleted file mode 100644 index 132026a..0000000 --- a/hosts/nixos-desktop/system.nix +++ /dev/null @@ -1 +0,0 @@ -"x86_64-linux" diff --git a/hosts/nixos-laptop/default.nix b/hosts/nixos-laptop/default.nix index da26953..350e1f8 100644 --- a/hosts/nixos-laptop/default.nix +++ b/hosts/nixos-laptop/default.nix 
@@ -74,54 +74,56 @@ services.tlp.enable = true; powerManagement.enable = true; - # Hibernare on low battery - systemd.timers.hibernate-on-low-battery = { - wantedBy = [ "multi-user.target" ]; - timerConfig = { - OnUnitActiveSec = "120"; - OnBootSec = "120"; + systemd = { + # Hibernare on low battery + timers.hibernate-on-low-battery = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { + OnUnitActiveSec = "120"; + OnBootSec = "120"; + }; + }; + services.hibernate-on-low-battery = + let + batteryLevelSufficient = + let + batteryPath = "/sys/class/power_supply/BATT"; + in + pkgs.writeShellScriptBin "battery-level-sufficient" '' + test "$(cat ${batteryPath}/status)" != Discharging \ + || test "$(cat ${batteryPath}/capacity)" -ge 5 + ''; + in + { + serviceConfig.Type = "oneshot"; + onFailure = [ "hibernate.target" ]; + script = "${batteryLevelSufficient}/bin/battery-level-sufficient"; + }; + services.asus-touchpad-numpad = { + description = "Activate Numpad inside the touchpad with top right corner switch"; + documentation = [ "https://github.com/mohamed-badaoui/asus-touchpad-numpad-driver" ]; + path = [ pkgs.i2c-tools ]; + script = '' + cd ${inputs.asus-touchpad-numpad-driver} + # In the last argument here you choose your layout. + ${ + pkgs.python3.withPackages (ps: [ps.libevdev]) + }/bin/python asus_touchpad.py m433ia + ''; + # Probably needed because it fails on boot seemingly because the driver + # is not ready yet. Alternativly, you can use `sleep 3` or similar in the + # `script`. 
+ serviceConfig = { + RestartSec = "1s"; + Restart = "on-failure"; + }; + wantedBy = [ "multi-user.target" ]; }; }; - systemd.services.hibernate-on-low-battery = - let - batteryLevelSufficient = - let - batteryPath = "/sys/class/power_supply/BATT"; - in - pkgs.writeShellScriptBin "battery-level-sufficient" '' - test "$(cat ${batteryPath}/status)" != Discharging \ - || test "$(cat ${batteryPath}/capacity)" -ge 5 - ''; - in - { - serviceConfig.Type = "oneshot"; - onFailure = [ "hibernate.target" ]; - script = "${batteryLevelSufficient}/bin/battery-level-sufficient"; - }; # Trackpad # i2c for https://github.com/mohamed-badaoui/asus-touchpad-numpad-driver hardware.i2c.enable = true; - systemd.services.asus-touchpad-numpad = { - description = "Activate Numpad inside the touchpad with top right corner switch"; - documentation = [ "https://github.com/mohamed-badaoui/asus-touchpad-numpad-driver" ]; - path = [ pkgs.i2c-tools ]; - script = '' - cd ${inputs.asus-touchpad-numpad-driver} - # In the last argument here you choose your layout. - ${ - pkgs.python3.withPackages (ps: [ps.libevdev]) - }/bin/python asus_touchpad.py m433ia - ''; - # Probably needed because it fails on boot seemingly because the driver - # is not ready yet. Alternativly, you can use `sleep 3` or similar in the - # `script`. - serviceConfig = { - RestartSec = "1s"; - Restart = "on-failure"; - }; - wantedBy = [ "multi-user.target" ]; - }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/nixos-laptop/hardware-configuration.nix b/hosts/nixos-laptop/hardware-configuration.nix index 25d25d4..1475b88 100644 --- a/hosts/nixos-laptop/hardware-configuration.nix +++ b/hosts/nixos-laptop/hardware-configuration.nix 
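Review bot: The moved `timers.hibernate-on-low-battery` comment still reads `# Hibernare on low battery` and the `asus-touchpad-numpad` comment still says `Alternativly`; since both lines are rewritten on the new side of this hunk, it is the moment to make them `# Hibernate on low battery` and `Alternatively`. The `services.asus-touchpad-numpad` unit now lives inside the `systemd = { … }` set, but its explanatory `# Trackpad` / `# i2c for https://github.com/mohamed-badaoui/asus-touchpad-numpad-driver` comment stays with `hardware.i2c.enable = true;` further down, so a one-line `# driver for the touchpad numpad; needs hardware.i2c.enable below` above `services.asus-touchpad-numpad` (or moving that comment block) would keep the two halves linked. The enclosing module attribute set starts before this hunk.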
@@ -2,12 +2,16 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { modulesPath +, lib , ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + boot = { + initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "rtsx_pci_sdmmc" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "rtsx_pci_sdmmc" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/nixos-laptop/system.nix b/hosts/nixos-laptop/system.nix deleted file mode 100644 index 132026a..0000000 --- a/hosts/nixos-laptop/system.nix +++ /dev/null @@ -1 +0,0 @@ -"x86_64-linux" diff --git a/hosts/scadspc25/default.nix b/hosts/scadspc25/default.nix index 6e1633d..c57511a 100644 --- a/hosts/scadspc25/default.nix +++ b/hosts/scadspc25/default.nix @@ -21,12 +21,18 @@ services.synology-drive.enable = true; programs.hyprland.keyboardLayouts = [ "us" "de" ]; }; + boot = { + loader = { + grub = { - # Use the systemd-boot EFI boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.device = "nodev"; - boot.loader.grub.efiSupport = true; - boot.loader.efi.canTouchEfiVariables = true; + # Use the systemd-boot EFI boot loader. + enable = true; + device = "nodev"; + efiSupport = true; + }; + efi.canTouchEfiVariables = true; + }; + }; networking.hostName = "scadspc25"; # Define your hostname. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. @@ -53,4 +59,3 @@ system.stateVersion = "23.05"; # Did you read the comment? } - diff --git a/hosts/scadspc25/hardware-configuration.nix b/hosts/scadspc25/hardware-configuration.nix index d4d8fdb..7e0391f 100644 --- a/hosts/scadspc25/hardware-configuration.nix +++ b/hosts/scadspc25/hardware-configuration.nix 
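Review bot: In the `hosts/scadspc25/default.nix` hunk the comment `# Use the systemd-boot EFI boot loader.` is carried onto the new side and now sits inside `grub = { enable = true; device = "nodev"; efiSupport = true; }`, which configures GRUB, not systemd-boot; `# Use GRUB as the EFI boot loader.` matches the code it now annotates. The `boot` set introduced there is otherwise a straight re-nesting of the four removed `boot.loader.*` lines.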
@@ -8,52 +8,55 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; + boot = { - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; + fileSystems = { + "/" = + { + device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" "noatime" ]; + }; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; - fsType = "btrfs"; - options = [ "subvol=root" "compress=zstd" "noatime" ]; - }; + "/home" = + { + device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" "noatime" ]; + }; - fileSystems."/home" = - { - device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; - fsType = "btrfs"; - options = [ "subvol=home" "compress=zstd" "noatime" ]; - }; + "/nix" = + { + device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; - fileSystems."/nix" = - { - device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; - fsType = "btrfs"; - options = [ "subvol=nix" "compress=zstd" "noatime" ]; - }; + "/var/log" = + { + device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" "noatime" ]; + }; - fileSystems."/var/log" = - { - device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; - fsType = "btrfs"; - options = [ "subvol=log" "compress=zstd" "noatime" ]; - }; + "/snapshots" = + { + device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; + 
fsType = "btrfs"; + options = [ "subvol=snapshots" "compress=zstd" "noatime" ]; + }; - fileSystems."/snapshots" = - { - device = "/dev/disk/by-uuid/cfc2d232-f833-4ecf-8098-fe805afd390d"; - fsType = "btrfs"; - options = [ "subvol=snapshots" "compress=zstd" "noatime" ]; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/3B2B-63DB"; - fsType = "vfat"; - }; + "/boot" = + { + device = "/dev/disk/by-uuid/3B2B-63DB"; + fsType = "vfat"; + }; + }; swapDevices = [{ device = "/dev/disk/by-uuid/c08ff6b6-d6e2-4620-95fc-6c20b04c7363"; }]; diff --git a/hosts/scadspc25/system.nix b/hosts/scadspc25/system.nix deleted file mode 100644 index 132026a..0000000 --- a/hosts/scadspc25/system.nix +++ /dev/null @@ -1 +0,0 @@ -"x86_64-linux" diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix index bab1dd9..b0396ca 100644 --- a/modules/profiles/base.nix +++ b/modules/profiles/base.nix @@ -6,21 +6,6 @@ with lib; let - nom-system = pkgs.writeFishApplication { - name = "nom-system"; - runtimeInputs = with pkgs; [ nix-output-monitor ]; - text = /* fish */ '' - nom build --no-link "/home/moritz/.dotfiles#nixosConfigurations.$(hostname).config.system.build.toplevel" $argv - ''; - }; - nom-system-command = name: command: pkgs.writeFishApplication { - inherit name; - runtimeInputs = with pkgs; [ nom-system nix ]; - text = /* fish */ '' - nom-system $argv && ${command} - ''; - }; - f = pkgs.writeFishApplication { name = "f"; runtimeInputs = with pkgs; [ fzf bat ]; @@ -158,9 +143,6 @@ in bottom # nix - (nom-system-command "nixos-boot" "sudo nixos-rebuild boot --flake ~/.dotfiles") - (nom-system-command "nixos-switch" "sudo nixos-rebuild switch --flake ~/.dotfiles") - (nom-system-command "nixos-test" "sudo nixos-rebuild test --flake ~/.dotfiles") nix-output-monitor nixpkgs-fmt which-nix diff --git a/modules/programs/hyprland/default.nix b/modules/programs/hyprland/default.nix index 6bbeff6..d363fac 100644 --- a/modules/programs/hyprland/default.nix 
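Review bot: Unlike the `nixos-desktop` and `nixos-laptop` hardware-configuration hunks, this `hosts/scadspc25/hardware-configuration.nix` hunk does not add `nixpkgs.hostPlatform`, yet `hosts/scadspc25/system.nix` is deleted in the same commit and `flake.nix` now calls `self.lib.nixosSystem` without `system`; unless this file or `hosts/scadspc25/default.nix` already sets `nixpkgs.hostPlatform` outside the visible lines, the host has no platform and evaluation fails. Adding `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` after `swapDevices` would align it with the other two hosts; the function header (and whether `lib` is among its parameters) is above this hunk and not visible.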
+++ b/modules/programs/hyprland/default.nix 
@@ -53,88 +53,94 @@ in services.dunst.enable = true; }; - # enable home-manager module home-manager.users.moritz = { + # import home-manager module imports = [ inputs.hyprland.homeManagerModules.default ]; + # enable home-manager module wayland.windowManager.hyprland = { enable = true; package = hyprland; recommendedEnvironment = true; extraConfig = import ./_config.nix args; }; - }; - - # add waybar as a status bar - home-manager.users.moritz.programs.waybar = { - enable = true; - - # start using systemd service - systemd = { + # add waybar as a status bar + programs.waybar = { enable = true; - target = "graphical-session.target"; - }; - settings = { - mainBar = { - start_hidden = true; - layer = "top"; - position = "top"; - height = 20; - modules-left = [ "hyprland/workspaces" ]; - modules-center = [ "hyprland/window" ]; - modules-right = [ "hyprland/language" "network" "memory" "cpu" "battery" "clock" ]; + # start using systemd service + systemd = { + enable = true; + target = "graphical-session.target"; + }; + + settings = { + mainBar = { + start_hidden = true; + layer = "top"; + position = "top"; + height = 20; + modules-left = [ "hyprland/workspaces" ]; + modules-center = [ "hyprland/window" ]; + modules-right = [ "hyprland/language" "network" "memory" "cpu" "battery" "clock" ]; + }; }; }; - }; - # lock screen after timeout - home-manager.users.moritz.programs.swaylock = { - enable = true; - settings = { - color = "000000"; + # lock screen after timeout + programs.swaylock = { + enable = true; + settings = { + color = "000000"; + }; + }; + services.swayidle = { + enable = true; + events = [ + { + event = "before-sleep"; + command = "${getExe pkgs.swaylock} -fF"; + } + { + event = "lock"; + command = "${getExe pkgs.swaylock} -fF"; + } + ]; + timeouts = + let + lockTimeout = 10; + in + [ + { + timeout = lockTimeout * 60 - 10; + command = "${pkgs.libnotify}/bin/notify-send 'Locking screen!'"; + } + { + timeout = lockTimeout * 60; + command = 
"${hyprland}/bin/hyprctl dispatch dpms off"; + resumeCommand = "${hyprland}/bin/hyprctl dispatch dpms on"; + } + { + timeout = lockTimeout * 60 + 10; + command = "${pkgs.systemd}/bin/loginctl lock-session"; + } + ] ++ optional + (!cfg.nvidiaSupport) # TODO https://github.com/hyprwm/Hyprland/issues/1728 + { + timeout = 30 * 60; + command = "${pkgs.systemd}/bin/systemctl suspend-and-hibernate"; + }; + systemdTarget = "hyprland-session.target"; + }; + + systemd.user.services.nextcloud-client.Service = { + RestartSec = "500ms"; + Restart = "on-failure"; }; }; - home-manager.users.moritz.services.swayidle = { - enable = true; - events = [ - { - event = "before-sleep"; - command = "${getExe pkgs.swaylock} -fF"; - } - { - event = "lock"; - command = "${getExe pkgs.swaylock} -fF"; - } - ]; - timeouts = - let - lockTimeout = 10; - in - [ - { - timeout = lockTimeout * 60 - 10; - command = "${pkgs.libnotify}/bin/notify-send 'Locking screen!'"; - } - { - timeout = lockTimeout * 60; - command = "${hyprland}/bin/hyprctl dispatch dpms off"; - resumeCommand = "${hyprland}/bin/hyprctl dispatch dpms on"; - } - { - timeout = lockTimeout * 60 + 10; - command = "${pkgs.systemd}/bin/loginctl lock-session"; - } - ] ++ optional - (!cfg.nvidiaSupport) # TODO https://github.com/hyprwm/Hyprland/issues/1728 - { - timeout = 30 * 60; - command = "${pkgs.systemd}/bin/systemctl suspend-and-hibernate"; - }; - systemdTarget = "hyprland-session.target"; - }; + # adds pam module for swaylock security.pam.services.swaylock = { }; @@ -151,11 +157,6 @@ in requiredBy = [ "xdg-desktop-portal.service" ]; }; - home-manager.users.moritz.systemd.user.services.nextcloud-client.Service = { - RestartSec = "500ms"; - Restart = "on-failure"; - }; - # add user packages for wayland and hyprland in particular users.users.moritz.packages = with pkgs; [ brightnessctl # control brightness diff --git a/modules/security/default.nix b/modules/security/default.nix index 1e67492..3fcd4fb 100644 
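Review bot: In the new `services.swayidle.timeouts` list the display is blanked at `lockTimeout * 60` (`hyprctl dispatch dpms off`) but `loginctl lock-session` only fires at `lockTimeout * 60 + 10`, so a wake-up in that 10 s window (the `resumeCommand` turns DPMS back on) shows the still-unlocked session; the safer order is to lock first and blank afterwards, i.e. `timeout = lockTimeout * 60; command = "${pkgs.systemd}/bin/loginctl lock-session";` followed by `timeout = lockTimeout * 60 + 10; command = "${hyprland}/bin/hyprctl dispatch dpms off";` with the same `resumeCommand`. The identical `${getExe pkgs.swaylock} -fF` string in the `before-sleep` and `lock` events would read better as one `let lockCmd = …; in` binding so both paths cannot drift. The `suspend-and-hibernate` entry relies on the `before-sleep` event to lock, which is fine as long as that event stays in the list; a short comment saying so would help the next editor. The enclosing `in { … }` attribute set of this module starts before the hunk.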
--- a/modules/security/default.nix
+++ b/modules/security/default.nix
@@ -5,62 +5,64 @@ ## System security tweaks # Prevent replacing the running kernel w/o reboot # security.protectKernelImage = lib.mkDefault true; # NOTE disabled for now to enable hibernate + boot = { - # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy - # on ssd systems, and volatile! Because it's wiped on reboot. - boot.tmp.useTmpfs = lib.mkDefault true; - # If not using tmpfs, which is naturally purged on reboot, we must clean it - # /tmp ourselves. /tmp should be volatile storage! - boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); + # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy + # on ssd systems, and volatile! Because it's wiped on reboot. + tmp.useTmpfs = lib.mkDefault true; + # If not using tmpfs, which is naturally purged on reboot, we must clean it + # /tmp ourselves. /tmp should be volatile storage! + tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); - # Fix a security hole in place for backwards compatibility. See desc in - # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix - boot.loader.systemd-boot.editor = false; + # Fix a security hole in place for backwards compatibility. See desc in + # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix + loader.systemd-boot.editor = false; - boot.kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = 0; + kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = 0; - ## TCP hardening - # Prevent bogus ICMP errors from filling up logs. 
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # Reverse path filtering causes the kernel to do source validation of - # packets received from all interfaces. This can mitigate IP spoofing. - "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets (we're not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're on a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - # Log martian packages - "net.ipv4.conf.all.log_martians" = 1; - "net.ipv4.conf.default.log_martians" = 1; + ## TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. 
+ "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + # Log martian packages + "net.ipv4.conf.all.log_martians" = 1; + "net.ipv4.conf.default.log_martians" = 1; - ## TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; + ## TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + kernelModules = [ "tcp_bbr" ]; }; - boot.kernelModules = [ "tcp_bbr" ]; # So we don't have to do this later... security.acme.acceptTerms = true;
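Review bot: The re-nested `kernel.sysctl` block sets `accept_source_route` only on `all` (`net.ipv4.conf.all.accept_source_route`, `net.ipv6.conf.all.accept_source_route`) while every other per-interface key in the same list is set on both `all` and `default`; for consistency, and so interfaces created after boot (VPN tunnels, container bridges) are covered — if I read the kernel semantics right, the IPv6 `all` entry does not propagate to later interfaces — add `"net.ipv4.conf.default.accept_source_route" = 0;` and `"net.ipv6.conf.default.accept_source_route" = 0;`. The comment `# Don't send ICMP redirects (again, we're on a router)` contradicts the `(we're not a router)` two lines above and looks like a typo for `we're not a router`. `"net.ipv4.tcp_fastopen" = 3` also enables the server side of TCP Fast Open, which is harmless on a client-only host but worth saying in the comment since this file is presented as security tweaks. The enclosing module attribute set starts before the hunk.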