mikael/idiosyn
mikael/idiosyn
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial import

Browse source
This commit is contained in:
Mikael 2024-08-18 13:47:18 +02:00
commit 5543b7a3b7
Signed by: mikael
SSH key fingerprint: SHA256:21QyD2Meiot7jOUVitIR5YkGB/XuXdCvLW1hE6dsri0
52 changed files with 6168 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.gitignore vendored Normal file
View file

@ -0,0 +1,7 @@
# Hidden files
.*
!.git*
# Nix
/result
/result-*

643
flake.lock Normal file
View file

@ -0,0 +1,643 @@
{
"nodes": {
"base16": {
"inputs": {
"fromYaml": "fromYaml"
},
"locked": {
"lastModified": 1708890466,
"narHash": "sha256-LlrC09LoPi8OPYOGPXegD72v+//VapgAqhbOFS3i8sc=",
"owner": "SenchoPens",
"repo": "base16.nix",
"rev": "665b3c6748534eb766c777298721cece9453fdae",
"type": "github"
},
"original": {
"owner": "SenchoPens",
"repo": "base16.nix",
"type": "github"
}
},
"base16-fish": {
"flake": false,
"locked": {
"lastModified": 1622559957,
"narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
"owner": "tomyun",
"repo": "base16-fish",
"rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
"type": "github"
},
"original": {
"owner": "tomyun",
"repo": "base16-fish",
"type": "github"
}
},
"base16-foot": {
"flake": false,
"locked": {
"lastModified": 1696725948,
"narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
"owner": "tinted-theming",
"repo": "base16-foot",
"rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-foot",
"type": "github"
}
},
"base16-helix": {
"flake": false,
"locked": {
"lastModified": 1720809814,
"narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=",
"owner": "tinted-theming",
"repo": "base16-helix",
"rev": "34f41987bec14c0f3f6b2155c19787b1f6489625",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-helix",
"type": "github"
}
},
"base16-kitty": {
"flake": false,
"locked": {
"lastModified": 1665001328,
"narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=",
"owner": "kdrag0n",
"repo": "base16-kitty",
"rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805",
"type": "github"
},
"original": {
"owner": "kdrag0n",
"repo": "base16-kitty",
"type": "github"
}
},
"base16-tmux": {
"flake": false,
"locked": {
"lastModified": 1696725902,
"narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=",
"owner": "tinted-theming",
"repo": "base16-tmux",
"rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-tmux",
"type": "github"
}
},
"base16-vim": {
"flake": false,
"locked": {
"lastModified": 1716150083,
"narHash": "sha256-ZMhnNmw34ogE5rJZrjRv5MtG3WaqKd60ds2VXvT6hEc=",
"owner": "tinted-theming",
"repo": "base16-vim",
"rev": "6e955d704d046b0dc3e5c2d68a2a6eeffd2b5d3d",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-vim",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1711386353,
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721842668,
"narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
"owner": "ipetkov",
"repo": "crane",
"rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"fromYaml": {
"flake": false,
"locked": {
"lastModified": 1689549921,
"narHash": "sha256-iX0pk/uB019TdBGlaJEWvBCfydT6sRq+eDcGPifVsCM=",
"owner": "SenchoPens",
"repo": "fromYaml",
"rev": "11fbbbfb32e3289d3c631e0134a23854e7865c84",
"type": "github"
},
"original": {
"owner": "SenchoPens",
"repo": "fromYaml",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnome-shell": {
"flake": false,
"locked": {
"lastModified": 1713702291,
"narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=",
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934",
"type": "github"
},
"original": {
"owner": "GNOME",
"ref": "46.1",
"repo": "gnome-shell",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723986931,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1722329086,
"narHash": "sha256-e/fSi0WER06N8WCvpht62fkGtWfe5ckDxr6zNYkwkFw=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "f5a3a7dff44d131807fc1a89fbd8576cd870334a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz?rev=622a2253a071a1fb97a4d3c8103a91114acc1140"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723950649,
"narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "392828aafbed62a6ea6ccab13728df2e67481805",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-index-database",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1724067415,
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1724177844,
"narHash": "sha256-G7Mf9uN9m8FimeP3eMHu/dOC4QS8QAzo0h4ZIlDHcCA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d13fa5a45a34e7c8be33474f58003914430bdc5a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1724219095,
"narHash": "sha256-+HhSPWqM1VJlQTNwgJE2RmTVUMoF6FuCRKzzTgxjNcM=",
"owner": "nix-community",
"repo": "NUR",
"rev": "cb4a85f95c647cf5aa7ce75b77ff2c049137160a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"colmena": "colmena",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"lix-module": "lix-module",
"nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nur": "nur",
"rust-overlay": "rust-overlay_2",
"stylix": "stylix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722219664,
"narHash": "sha256-xMOJ+HW4yj6e69PvieohUJ3dBSdgCfvI0nnCEe6/yVc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a6fbda5d9a14fb5f7c69b8489d24afeb349c7bb4",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724206841,
"narHash": "sha256-L8dKaX4T3k+TR2fEHCfGbH4UXdspovz/pj87iai9qmc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "45e98fbd62c32e5927e952d2833fa1ba4fb35a61",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1696039360,
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",
"base16-fish": "base16-fish",
"base16-foot": "base16-foot",
"base16-helix": "base16-helix",
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_3",
"gnome-shell": "gnome-shell",
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724091143,
"narHash": "sha256-55CrA0BNqmnS4qB812D7JY9hNBB0r36sJlErepkfeTo=",
"owner": "danth",
"repo": "stylix",
"rev": "94d70292d0c687ebacb65d00bd516cbefa18d3ca",
"type": "github"
},
"original": {
"owner": "danth",
"repo": "stylix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

140
flake.nix Normal file
View file

@ -0,0 +1,140 @@
{
description = "I do not have to explain myself";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
nur.url = "github:nix-community/NUR";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
stylix = {
url = "github:danth/stylix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
rust-overlay = {
url = "github:oxalica/rust-overlay";
inputs.nixpkgs.follows = "nixpkgs";
};
};
nixConfig = {
allow-import-form-derivation = true;
extra-experimental-features = [ "pipe-operator" ];
extra-substituters = [
"https://colmena.cachix.org"
"https://nix-community.cachix.org"
"https://cache.kyouma.net"
];
extra-trusted-public-keys = [
"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg="
];
};
outputs = { self, nixpkgs, ... }@inputs:
let
inherit (nixpkgs) lib;
load = base: default: builtins.readDir base
|> lib.filterAttrs (name: type: builtins.match "(regular|directory)" type != null)
|> lib.mapAttrs' (name: type: {
name = if type == "regular" then lib.removeSuffix ".nix" name else name;
value =
let path = if type == "directory" then "${name}/${default}.nix" else name;
in import "${base}/${path}" inputs;
});
eachFlakeSystem = lib.genAttrs lib.systems.flakeExposed;
eachNixosSystem = lib.systems.flakeExposed
|> lib.systems.parse
|> builtins.filter (sys: sys.isLinux)
|> builtins.attrNames
|> lib.genAttrs;
in {
lib = load ./lib "lib" // {
inherit load;
};
overlays = load ./overlay "overlay";
legacyPackages = eachFlakeSystem (system:
import nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
});
packages = eachFlakeSystem (system: let pkgs = self.legacyPackages.${system};
in load ./package "package"
|> lib.mapAttrs (name: pkg: self.legacyPackages.${system}.callPackage pkg { }));
nixosModules = load ./nixos/module "module";
colmena = load ./nixos/config "configuration" // {
meta = {
nixpkgs = self.legacyPackages.x86_64-linux;
};
defaults = { name, config, ... }: {
deployment = {
allowLocalDeployment = true;
targetHost = config.networking.fqdnOrHostName;
targetUser = null;
};
};
};
nixosConfigurations =
let hive = inputs.colmena.lib.makeHive self.outputs.colmena;
in hive.nodes;
homeModules = load ./home/module "module";
homeConfigurations = load ./home/config "home";
devShells = eachFlakeSystem (system: load ./shell "shell"
|> lib.mapAttrs (name: shell: self.legacyPackages.${system}.callPackage shell { }));
checks = eachFlakeSystem (system: {
packages = self.packages.${system};
devShells = self.devShells.${system};
}) // (self.nixosConfigurations
|> lib.mapAttrsToList (name: host: {
${host.pkgs.system} = {
nixos = {
${name} = host.config.system.build.toplevel;
};
};
})
|> lib.mergeAttrsList);
hydraJobs = { inherit (self) checks; };
};
}

246
home/config/nil/firefox.nix Normal file
View file

@ -0,0 +1,246 @@
{ ... }: { config, lib, pkgs, ... }@args:
let
osConfig = args.osConfig or { };
firefox-csshacks = pkgs.fetchFromGitHub {
owner = "MrOtherGuy";
repo = "firefox-csshacks";
rev = "7eca4b1050c4065130a2cf696302b4ef5d88d932";
sparseCheckout = [ "!/*" "/chrome" "/content" ];
hash = "sha256-rk0jC5AMw41xt5yItY7CAxuYAFhoe5Jy2tvwgh59cPI=";
};
in lib.mkIf (osConfig.hardware.graphics.enable or false) {
programs.firefox = {
enable = true;
package = pkgs.firefox;
profiles = let
extensions = with config.nur.repos.rycee.firefox-addons; [
clearurls
consent-o-matic
decentraleyes
keepassxc-browser
multi-account-containers
ublock-origin
];
settings = {
# use OS locale
"intl.regional_prefs.use_os_locales" = true;
# localisation
"intl.accept_languages" = "en-gb,en,de,fr,es-es,es,pt,ja";
"intl.locale.requested" = "en-GB,en,de,fr,es-ES,es,pt,ja";
# use OS resolver
"network.trr.mode" = 5;
# force HTTPS
"dom.security.https_only_mode" = true;
"dom.security.https_only_mode_ever_enabled" = true;
# enable EME
"media.eme.enabled" = true;
# founts
"font.default.x-unicode" = "sans-serif";
"font.default.x-western" = "sans-serif";
"font.name.sans-serif.x-unicode" = "Lato";
"font.name.sans-serif.x-western" = "Lato";
"font.name.monospace.x-unicode" = "Fira Code";
"font.name.monospace.x-western" = "Fira Code";
# hardware acceleration
"gfx.webrender.all" = true;
"layers.acceleration.force-enabled" = true;
"media.ffmpeg.vaapi.enabled" = true;
# always ask for download location
"browser.download.useDownloadDir" = false;
# disable firefox tab
"browser.tabs.firefox-view" = false;
# disable firefox intro tab
"browser.startup.homepage_override.mstone" = "ignore";
# disable default browser check
"browser.shell.checkDefaultBrowser" = false;
# private containor for new tab page thumbnails
"privacy.usercontext.about_newtab_segregation.enabled" = true;
# disable Beacons API
"beacon.enabled" = false;
# disable pings
"browser.send_pings" = false;
# strip query parameters
"privacy.query_stripping" = true;
# disable access to device sensors
"device.sensors.enabled" = false;
"dom.battery.enabled" = false;
# disable media autoplay
"media.autoplay.enabled" = false;
# block thirdparty cookies
"network.cookie.cookieBehavior" = 1;
# spoof referrer header
"network.http.referer.spoofSource" = true;
# isolate all browser identifier sources
"privacy.firstparty.isolate" = true;
# resist fingerprinting
#"privacy.resistFingerprinting" = true;
# enable builtin tracking protection
"privacy.trackingprotection.enabled" = true;
"privacy.trackingprotection.emailtracking.enabled" = true;
"privacy.trackingprotection.socialtracking.enabled" = true;
# disable data sharing
"app.normandy.enabled" = false;
"app.shield.optoutstudies.enabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
# disable safebrowsing
"browser.safebrowsing.downloads.enabled" = false;
"browser.safebrowsing.malware.enabled" = false;
"browser.safebrowsing.phishing.enabled" = false;
# disable firefox account
"identity.fxaccounts.enabled" = false;
# disable sponsored items
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.enhanced" = false;
# disable Pocket
"extensions.pocket.enabled" = false;
# disable crash reporting
"browser.tabs.crashReporting.sendReport" = false;
"breakpad.reportURL" = "";
# disable accessibility services
"accessibility.force_disabled" = true;
# disable password autofill
"signon.autofillForms" = false;
# enable user profile customisation
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
};
userChrome = lib.concatMapStrings (css:
"@import url('${firefox-csshacks}/chrome/${css}.css');\n"
) [
"hide_tabs_with_one_tab"
"autohide_bookmarks_and_main_toolbars"
];
search = {
default = "Google Search";
force = true;
engines = {
"Google Search" = {
urls = [{ template = "https://www.google.com/search?q={searchTerms}"; }];
definedAliases = [ "g" ];
};
"Nix Packages" = {
urls = [{
template = "https://search.nixos.org/packages";
params = [
{ name = "channel"; value = "unstable"; }
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}];
definedAliases = [ "np" ];
};
"Gentoo Packages" = {
urls = [{ template = "https://packages.gentoo.org/packages/search?q={searchTerms}"; }];
definedAliases = [ "gp" ];
};
"Alpine Packages" = {
urls = [{ template = "https://pkgs.alpinelinux.org/packages?name={searchTerms}"; }];
definedAliases = [ "ap" ];
};
"NixOS Wiki" = {
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
definedAliases = [ "nw" ];
};
"Wikipedia (eng)" = {
urls = [{ template = "https://en.wikipedia.org/wiki/Special:Search?search={searchTerms}"; }];
definedAliases = [ "w" ];
};
"Wikipedia (deu)" = {
urls = [{ template = "https://de.wikipedia.org/wiki/Spezial:Suche?search={searchTerms}"; }];
definedAliases = [ "wd" ];
};
"Wiktionary (eng)" = {
urls = [{ template = "https://en.wiktionary.org/wiki/Special:Search?search={searchTerms}"; }];
definedAliases = [ "k" ];
};
"Wiktionary (deu)" = {
urls = [{ template = "https://de.wiktionary.org/wiki/Spezial:Suche?search={searchTerms}"; }];
definedAliases = [ "kd" ];
};
"Linguee (ende)" = {
urls = [{ template = "https://www.linguee.com/english-german/search?query={searchTerms}"; }];
definedAliases = [ "en" ];
};
"Linguee (enfr)" = {
urls = [{ template = "https://www.linguee.com/english-french/search?query={searchTerms}"; }];
definedAliases = [ "fr" ];
};
"Linguee (enes)" = {
urls = [{ template = "https://www.linguee.com/english-spanish/search?query={searchTerms}"; }];
definedAliases = [ "es" ];
};
"Linguee (enpt)" = {
urls = [{ template = "https://www.linguee.com/english-portuguese/search?query={searchTerms}"; }];
definedAliases = [ "pt" ];
};
"Jisho" = {
urls = [{ template = "https://jisho.org/search/{searchTerms}"; }];
definedAliases = [ "ja" ];
};
"DeepL" = {
urls = [{ template = "https://www.deepl.com/translator#en//{searchTerms}"; }];
definedAliases = [ "dpl" ];
};
};
};
in {
default = {
inherit extensions settings userChrome search;
isDefault = true;
};
sneaky = {
inherit extensions settings userChrome search;
id = 1;
};
vanilla = {
inherit userChrome search;
id = 2;
};
};
};
}

73
home/config/nil/greedy.xkb Normal file
View file

@ -0,0 +1,73 @@
xkb_symbols "greedy" {
name[Group1]= "Greedy";
// Modifier keys
include "ctrl(nocaps)"
include "altwin(alt_super_win)"
include "level3(ralt_switch)"
include "level5(rctrl_switch)"
include "compose(lwin-altgr)"
include "compose(102)"
include "nbsp(level3n)"
include "keypad(future)"
key <TAB> { [ Escape ] };
key <ESC> { [ Tab ] };
key <TLDE> { [ dollar, asciitilde, EuroSign, dead_tilde ] };
key <AE01> { [ ampersand, percent, dead_breve, dead_caron ] };
key <AE02> { [ bracketleft, 7, 0x100201E, 0x100201A ] };
key <AE03> { [ braceleft, 5, 0x100201C, 0x1002018 ] };
key <AE04> { [ braceright, 3, 0x100201D, 0x1002019 ] };
key <AE05> { [ parenleft, 1, 0x1002039, NoSymbol ] };
key <AE06> { [ equal, 9, 0x1002260, NoSymbol ] };
key <AE07> { [ asterisk, 0, 0x10022C5, NoSymbol ] };
key <AE08> { [ parenright, 2, 0x100203A, NoSymbol ] };
key <AE09> { [ plus, 4, plusminus, NoSymbol ] };
key <AE10> { [ bracketright, 6, endash, emdash ] };
key <AE11> { [ exclam, 8, exclamdown, infinity ] };
key <AE12> { [ numbersign, grave, numerosign, dead_grave ] };
key <AD01> { [ k, K, odiaeresis, Odiaeresis ] };
key <AD02> { [ comma, less, dead_cedilla, guillemotleft ] };
key <AD03> { [ u, U, oacute, Oacute ] };
key <AD04> { [ y, Y, udiaeresis, Udiaeresis ] };
key <AD05> { [ p, P, NoSymbol, NoSymbol ] };
key <AD06> { [ w, W, NoSymbol, NoSymbol ] };
key <AD07> { [ l, L, NoSymbol, NoSymbol ] };
key <AD08> { [ m, M, mu, NoSymbol ] };
key <AD09> { [ f, F, NoSymbol, NoSymbol ] };
key <AD10> { [ c, C, copyright, NoSymbol ] };
key <AD11> { [ slash, question, division, questiondown ] };
key <AD12> { [ at, asciicircum, 0x100203D, dead_circumflex ] };
key <AC01> { [ o, O, oacute, Oacute ] };
key <AC02> { [ a, A, aacute, Aacute ] };
key <AC03> { [ e, E, eacute, Eacute ] };
key <AC04> { [ i, I, iacute, Iacute ] };
key <AC05> { [ d, D, eth, ETH ] };
key <AC06> { [ r, R, NoSymbol, NoSymbol ] };
key <AC07> { [ n, N, ntilde, Ntilde ] };
key <AC08> { [ t, T, thorn, Thorn ] };
key <AC09> { [ h, H, NoSymbol, NoSymbol ] };
key <AC10> { [ s, S, ssharp, section ] };
key <AC11> { [ minus, underscore, 0x1002010, dead_macron ] };
key <BKSL> { [ backslash, bar, NoSymbol, NoSymbol ] };
key <AB01> { [ q, Q, adiaeresis, Adiaeresis ] };
key <AB02> { [ period, greater, ellipsis, guillemotright ] };
key <AB03> { [ apostrophe, quotedbl, dead_acute, dead_diaeresis ] };
key <AB04> { [ semicolon, colon, periodcentered, NoSymbol ] };
key <AB05> { [ z, Z, NoSymbol, NoSymbol ] };
key <AB06> { [ x, X, multiply, NoSymbol ] };
key <AB07> { [ v, V, NoSymbol, NoSymbol ] };
key <AB08> { [ g, G, NoSymbol, NoSymbol ] };
key <AB09> { [ b, B, NoSymbol, NoSymbol ] };
key <AB10> { [ j, J, NoSymbol, NoSymbol ] };
key <UP> { [ Up, NoSymbol, uparrow, 0x10021D1 ] };
key <LEFT> { [ Left, NoSymbol, leftarrow, 0x10021D0 ] };
key <DOWN> { [ Down, NoSymbol, downarrow, 0x10021D3 ] };
key <RGHT> { [ Right, NoSymbol, rightarrow, 0x10021D2 ] };
};

343
home/config/nil/home.nix Normal file
View file

@ -0,0 +1,343 @@
{ self, nur, stylix, nix-index-database, ... }: { config, lib, pkgs, ... }@args:
let
osConfig = args.osConfig or { };
in {
imports = [
nur.hmModules.nur
self.homeModules.locale-en_EU
nix-index-database.hmModules.nix-index
stylix.homeManagerModules.stylix
] ++ self.lib.mods [
./firefox.nix
./wayland.nix
];
home.stateVersion = "24.11";
home.enableNixpkgsReleaseCheck = false;
home.activation = {
fish = lib.hm.dag.entryAfter ["writeBoundary"] ''
run ${lib.getExe config.programs.fish.package} -c 'set -U fish_greeting'
'';
};
home.packages = with pkgs; [
# Terminfo
kitty.terminfo
# Core utilities
(lib.meta.setPrio 0 uutils-coreutils-noprefix)
# Text manipulation
#delta
sd
skim
# Networking
dogdns
whois
xh
# Filesystem
file
#xcp
# Development
pijul
# Calculator
fend
];
home.sessionVariables = {
TMPDIR = "$XDG_RUNTIME_DIR/tmp";
};
editorconfig = {
enable = true;
settings = {
"*" = {
indent_style = "tab";
tab_width = 4;
end_of_line = "lf";
charset = "utf-8";
trim_trailing_whitespace = true;
insert_final_newline = true;
};
"*.nix" = {
indent_style = "space";
indent_size = 2;
};
};
};
home.shellAliases = {
icat = "kitten icat";
};
home.preferXdgDirectories = true;
programs.aria2 = {
enable = true;
settings = {
max-concurrent-downloads = 4;
max-connection-per-server = 2;
min-split-size = "16M";
remote-time = true;
split = 4;
http-accept-gzip = true;
max-overall-upload-limit = "256K";
dscp = 8;
enable-mmap = true;
file-allocation = "falloc";
};
};
programs.bat.enable = true;
programs.bottom = {
enable = true;
settings.flags = {
group = true;
battery = true;
color = "gruvbox";
mem_as_value = true;
network_use_binary_prefix = true;
network_use_bytes = true;
};
};
programs.eza = {
enable = true;
icons = true;
git = true;
extraOptions = [
"--binary"
"--colour=automatic"
"--colour-scale=all"
"--colour-scale-mode=gradient"
"--group-directories-first"
];
};
programs.fd.enable = true;
programs.fish = {
enable = true;
functions = {
fish_prompt = ''
set -l user_colour 'green'
if fish_is_root_user
set user_colour 'red'
end
echo -n -s (set_color $user_colour --bold) $USER@ (prompt_hostname) \
(set_color blue --bold) ' ' (prompt_pwd) ' ' (set_color normal)
'';
fish_right_prompt = ''
set -l st $status
if test $st -ne 0
set_color red --bold
printf "%s " (sysexit $st)
set_color normal
end
'';
fish_title = "prompt_pwd";
sysexit = builtins.readFile ./sysexit.fish;
};
interactiveShellInit = ''
if type -q tabs
tabs -4
end
'';
};
programs.git = {
enable = true;
#delta.enable = true;
userName = "Mikael Voss";
userEmail = "mvs@nyantec.com";
extraConfig = {
core = {
eol = "lf";
fsync = "committed";
};
user.signingKey = "key::sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICczPHRwY9MAwDGlcB0QgMOJjcpLJhVU3covrW9RBS62AAAABHNzaDo= primary";
init.defaultBranch = "main";
pull.rebase = true;
push.autoSetupRemote = true;
rebase.autoStash = true;
gpg.format = "ssh";
gpg.ssh.allowedSignersFile = toString (pkgs.writeText "allowed-signers" ''
${config.programs.git.userEmail} AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICczPHRwY9MAwDGlcB0QgMOJjcpLJhVU3covrW9RBS62AAAABHNzaDo=
'');
commit.gpgSign = true;
tag.gpgSign = true;
};
};
programs.helix = {
enable = true;
defaultEditor = true;
settings = {
editor.auto-pairs = {
"" = "";
"" = "";
"" = "";
"" = "";
};
editor.whitespace.render = {
nbsp = "all";
nnbsp = "all";
tab = "all";
};
editor.whitespace.characters = {
nbsp = "";
nnbsp = "";
tab = "»";
tabpad = "·";
};
keys.normal = {
minus = "command_mode";
r = "move_char_left";
n = "move_visual_line_down";
t = "move_visual_line_up";
h = "move_char_right";
};
};
};
programs.jq.enable = true;
programs.man.generateCaches =
osConfig.documentation.man.generateCaches or false;
programs.ripgrep.enable = true;
programs.ssh = {
enable = true;
compression = true;
controlMaster = "auto";
controlPath = "\${XDG_RUNTIME_DIR}/ssh/%r@%n:%p";
controlPersist = "1m";
matchBlocks = {
"*.nyantec.com".user = "mvs";
"solitary.social" = {
user = "nil";
forwardAgent = true;
};
};
serverAliveInterval = 10;
serverAliveCountMax = 60;
};
programs.vim = {
enable = true;
settings = {
background = "dark";
expandtab = false;
number = true;
shiftwidth = 4;
tabstop = 4;
};
extraConfig = ''
" no Vi compatibility
set nocompatible
" Unicode support
set encoding=utf-8
" special characters
set list
set listchars=tab:»·,trail:·,extends:
set ruler
" movement
noremap r h
noremap R H
noremap n j
noremap t k
noremap h l
noremap H L
" beginning of previous word
noremap p b
" end of word
noremap l e
noremap L E
" change one char
noremap X s
" repeat search
noremap ; n
noremap : N
" paste
noremap s p
noremap S P
" join lines
noremap N J
" change
noremap e c
noremap E C
" replace
noremap z r
noremap Z R
" inclusive jump
noremap m f
noremap M F
" exlusive jump
noremap f t
noremap F T
" command mode
noremap - :
'';
};
services.ssh-agent.enable = true;
systemd.user.tmpfiles.rules = [
"d %t/ssh 700"
"d %t/tmp 700 - - 24h"
];
xdg.userDirs =
let
home = config.home.homeDirectory;
in {
enable = true;
desktop = "${home}/tmp";
documents = "${home}/var";
download = "${home}/tmp";
pictures = "${home}/img";
music = "${home}/msc";
publicShare = null;
templates = null;
videos = null;
};
}

104
home/config/nil/sysexit.fish Normal file
View file

@ -0,0 +1,104 @@
if status is-interactive
function sysexit
switch $argv[1]
case 0
echo OK
case 64
echo USAGE
case 65
echo DATAERR
case 66
echo NOINPUT
case 67
echo NOUSER
case 68
echo NOHOST
case 69
echo UNAVAILABLE
case 70
echo SOFTWARE
case 71
echo OSERR
case 72
echo OSFILE
case 73
echo CANTCREAT
case 74
echo IOERR
case 75
echo TEMPFAIL
case 76
echo PROTOCOL
case 77
echo NOPERM
case 78
echo CONFIG
case 127
echo NOTFOUND
case 129
echo SIGHUP
case 130
echo SIGINT
case 131
echo SIGQUIT
case 132
echo SIGILL
case 133
echo SIGTRAP
case 134
echo SIGABRT
case 135
echo SIGBUS
case 136
echo SIGFPE
case 137
echo SIGKILL
case 138
echo SIGUSR1
case 139
echo SIGSEGV
case 140
echo SIGUSR2
case 141
echo SIGPIPE
case 142
echo SIGALRM
case 143
echo SIGTERM
case 144
echo SIGSTKFLT
case 145
echo SIGCHLD
case 146
echo SIGCONT
case 147
echo SIGSTOP
case 148
echo SIGTSTP
case 149
echo SIGTTIN
case 150
echo SIGTTOU
case 151
echo SIGURG
case 152
echo SIGXCPU
case 153
echo SIGXFSZ
case 154
echo SIGVTALRM
case 155
echo SIGPROF
case 156
echo SIGWINCH
case 157
echo SIGIO
case 158
echo SIGPWR
case 159
echo SIGSYS
case '*'
echo $argv[1]
end
end
end

BIN
home/config/nil/wallpaper.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.5 MiB

665
home/config/nil/wayland.nix Normal file
View file

@ -0,0 +1,665 @@
{ ... }: { config, lib, pkgs, ... }@args:
let
osConfig = args.osConfig or { };
fira-code-features = [
"cv01"
"cv06"
"onum"
"ss01"
"ss03"
"ss06"
"ss07"
"ss08"
"zero"
];
cmd = {
brightnessctl = "${pkgs.brightnessctl}/bin/brightnessctl";
fish = "${osConfig.programs.fish.package}/bin/fish";
grim = "${pkgs.grim}/bin/grim -l 9";
jq = "${config.programs.jq.package}/bin/jq";
keepassxc = "${pkgs.keepassxc}/bin/keepassxc";
kill = "${pkgs.procps}/bin/kill";
kitty = ''${config.programs.kitty.package}/bin/kitty --single-instance --instance-group "$XDG_SESSION_ID"'';
loginctl = "${osConfig.systemd.package}/bin/loginctl";
mdless = "${pkgs.mdcat}/bin/mdless";
mpv = "${config.programs.mpv.package}/bin/mpv";
pidof = "${pkgs.procps}/bin/pidof";
playerctl = "${pkgs.playerctl}/bin/playerctl";
pwvucontrol = "${pkgs.pwvucontrol}/bin/pwvucontrol";
slurp = "${pkgs.slurp}/bin/slurp";
swaylock = "${config.programs.swaylock.package}/bin/swaylock";
swaymsg = "${config.wayland.windowManager.sway.package}/bin/swaymsg";
swayrbar = "${pkgs.swayrbar.override { withPulseaudio = true; }}/bin/swayrbar";
tofi-drun = "${config.programs.tofi.package}/bin/tofi-drun";
wl-copy = "${pkgs.wl-clipboard}/bin/wl-copy";
wpctl = "${osConfig.services.pipewire.wireplumber.package}/bin/wpctl";
xargs = "${pkgs.findutils}/bin/xargs";
xdg-open = "${pkgs.xdg-utils}/bin/xdg-open";
};
in lib.mkIf (osConfig.hardware.graphics.enable or false) {
fonts.fontconfig = {
enable = true;
defaultFonts = {
sansSerif = [
"Lato"
"M PLUS 1"
"Noto Sans"
"Symbols Nerd Font"
"Unifont"
"Unifont Upper"
];
serif = [ "Noto Serif"];
monospace = [
"Fira Code"
"M PLUS 1 Code"
"Noto Sans Mono"
"Symbols Nerd Font Mono"
];
emoji = [ "Noto Color Emoji" ];
};
};
home.file.".xkb/symbols/greedy".source = ./greedy.xkb;
home.keyboard = {
layout = "greedy";
options = [ "ctrl:nocaps" ];
};
home.packages = with pkgs; [
# Founts
lato
fira-code
mplus-outline-fonts.githubRelease
(nerdfonts.override { fonts = [ "NerdFontsSymbolsOnly" ]; })
noto-fonts
noto-fonts-color-emoji
unifont
# Image processing
oxipng
# Documentation
linux-manual
man-pages
man-pages-posix
# System operations
restic
# Cryptography
rage
# Messaging
fractal
signal-desktop
# Audio control
pwvucontrol
evince
inkscape
obsidian
kicad
calibre
keepassxc
# Multimedia
jellyfin-mpv-shim
libreoffice
];
programs.beets = {
enable = true;
settings = {
directory = "~/msc";
import.reflink = "auto";
plugins = [
"chroma"
"spotify"
"fromfilename"
"fetchart"
"lyrics"
"replaygain"
"duplicates"
"hook"
];
hook.hooks = [
{
event = "import";
command = "systemctl --user start mopidy-scan.service";
}
];
};
};
programs.eza.extraOptions = lib.mkAfter [ "--hyperlink" ];
programs.imv.enable = true;
programs.kitty = {
enable = true;
theme = "Catppuccin-Mocha";
settings = {
disable_ligatures = "cursor";
cursor_blink_interval = 0;
scrollback_lines = 65536;
scrollback_fill_enlarged_window = true;
enable_audio_bell = false;
close_on_child_death = true;
clear_all_shortcuts = true;
# Mouse
click_interval = "0.2";
};
keybindings = {
"ctrl+shift+c" = "copy_to_clipboard";
"ctrl+shift+v" = "paste_from_clipboard";
"ctrl+shift+s" = "paste_from_selection";
"shift+insert" = "paste_from_selection";
"ctrl+up" = "scroll_line_up";
"ctrl+down" = "scroll_line_down";
"ctrl+page_up" = "scroll_page_up";
"ctrl+page_down" = "scroll_page_down";
"shift+page_up" = "scroll_page_up";
"shift+page_down" = "scroll_page_down";
"ctrl+home" = "scroll_home";
"ctrl+end" = "scroll_end";
"ctrl+print_screen" = "show_scrollback";
"ctrl+equal" = "change_font_size all 0";
"ctrl+plus" = "change_font_size all +1";
"ctrl+minus" = "change_font_size all -1";
"ctrl+shift+u" = "kitten unicode_input";
};
extraConfig = let
mouse = {
"left click ungrabbed" = "mouse_handle_click selection prompt";
"ctrl+left click ungrabbed" = "mouse_handle_click link";
"left press ungrabbed" = "mouse_selection normal";
"shift+left press ungrabbed" = "mouse_selection line";
"ctrl+left press ungrabbed" = "mouse_selection rectangle";
"left doublepress ungrabbed" = "mouse_selection word";
"left triplepress ungrabbed" = " mouse_selection line";
} |> lib.mapAttrsToList (n: v: "mouse_map ${n} ${v}\n")
|> lib.concatStrings;
in ''
clear_all_mouse_actions yes
${mouse}
'';
};
programs.mpv = {
enable = true;
defaultProfiles = [ "high-quality" ];
config = {
#access-references = false;
# Video output
vo = "gpu";
#gpu-api = "vulkan";
hwdec = "vulkan,vaapi,auto-safe";
vd-lavc-dr = true;
scale = "ewa_lanczos4sharpest";
cscale = "spline64";
dscale = "mitchell";
tscale = "oversample";
# A/V sync
video-sync = "display-resample";
interpolation = true;
# Audio
volume = 100;
volume-max = 100;
# Subtitles
sub-auto = "fuzzy";
# Screenshots
screenshot-format = "avif";
# Cache
demuxer-max-bytes = "768MiB";
demuxer-max-back-bytes = "256MiB";
};
profiles = {
highres = {
scale = "spline64";
};
};
scripts = with pkgs.mpvScripts; [
mpris
autocrop
autodeint
];
scriptOpts = {
autocrop.auto = false;
};
};
programs.swaylock = {
enable = true;
package = pkgs.swaylock-effects;
settings = {
screenshots = true;
effect-blur = "5x3";
grace = 2;
};
};
programs.texlive = {
enable = true;
extraPackages = tpkgs: {
inherit (tpkgs)
texlive-scripts
xelatex-dev
fontspec
polyglossia
hyphen-english
hyphen-french
hyphen-german
hyphen-portuguese
hyphen-spanish
koma-script
amsmath
bookmark
booktabs
csquotes
hyperref
multirow
paralist
preprint
realscripts
textpos
unicode-math
units
xecjk
xecolor
xltxtra
xtab
;
};
};
programs.thunderbird = {
enable = true;
package = pkgs.thunderbird;
profiles = { };
};
programs.tofi = {
enable = true;
settings = {
history = true;
fuzzy-match = true;
num-results = 8;
font = pkgs.runCommand "fount-path" {
preferLocal = true;
nativeBuildInputs = with pkgs; [ fontconfig fira-code ];
} ''
fc-match -f "%{file}" "Fira Code" >"$out"
'' |> builtins.readFile |> lib.mkForce;
font-size = lib.mkForce 14;
font-features = fira-code-features |> lib.concatStringsSep ",";
font-variations = "wght 450";
font-hint = true;
anchor = "top";
horizontal = true;
width = "100%";
height = 30;
min-input-width = 120;
result-spacing = 20;
border-width = 0;
outline-width = 0;
padding-top = 4;
padding-bottom = 4;
padding-left = 12;
padding-right = 12;
};
};
programs.yt-dlp.enable = true;
services.gammastep = lib.optionalAttrs (osConfig ? location) (
let inherit (osConfig) location; in {
inherit (location) provider;
enable = true;
settings = {
general.adjustment-method = "wayland";
};
} // lib.optionalAttrs (location.provider == "manual") {
#inherit (location) latitude longitude;
});
services.mako = {
enable = true;
defaultTimeout = 5000;
};
services.mopidy = {
enable = true;
extensionPackages = with pkgs; [
mopidy-iris
mopidy-local
mopidy-mpd
mopidy-mpris
];
settings = {
core = {
cache_dir = "$XDG_CACHE_DIR/mopidy";
config_dir = "$XDG_CONFIG_DIR/mopidy";
data_dir = "$XDG_DATA_DIR/mopidy";
};
audio.mixer = "none";
file.media_dirs = [ "$XDG_MUSIC_DIR" ];
local.media_dir = "$XDG_MUSIC_DIR";
mpd.hostname = "localhost";
http = {
hostname = "localhost";
port = 6680;
default_app = "iris";
};
};
};
services.swayidle = {
enable = true;
events = with cmd; [
{ event = "lock"; command = "${swaylock} -f"; }
{ event = "before-sleep"; command = "${loginctl} lock-session"; }
];
timeouts = with cmd; [
{
timeout = 210;
command = "${brightnessctl} --save -e set 20%-";
resumeCommand = "${brightnessctl} --restore";
}
{
timeout = 240;
command = "${loginctl} lock-session";
}
{
timeout = 270;
command = "${swaymsg} output '* dpms off'";
resumeCommand = "${swaymsg} output '* dpms on'";
}
];
};
services.syncthing = {
enable = true;
tray.enable = true;
};
services.udiskie = {
enable = true;
automount = false;
};
stylix = {
enable = true;
image = ./wallpaper.png;
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-macchiato.yaml";
polarity = "dark";
opacity = {
applications = 0.98;
desktop = 0.98;
popups = 0.99;
terminal = 0.98;
};
fonts = {
sansSerif = {
package = pkgs.lato;
name = "sans-serif";
};
serif = {
package = pkgs.noto-fonts;
name = "serif";
};
monospace = {
package = pkgs.fira-code;
name = "monospace";
};
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "emoji";
};
sizes = {
terminal = 11;
};
};
};
systemd.user.services = lib.genAttrs [ "syncthing" ] (service: {
Unit = {
ConditionACPower = true;
StopPropagatedFrom = [ "power-external.target" ];
};
});
wayland.windowManager.sway = {
enable = true;
checkConfig = false;
xwayland = false;
wrapperFeatures = {
base = true;
gtk = true;
};
systemd.variables = lib.mkAfter [ "PATH" ];
extraSessionCommands = let
env = {
WLR_RENDERER = "vulkan";
NIXOS_OZONE_WL = 1;
};
in env
|> lib.mapAttrsToList (n: v: "export ${lib.toShellVar n v}\n")
|> lib.concatStrings;
config = with cmd; {
input."*" = {
xkb_layout = "us,${config.home.keyboard.layout}";
xkb_options = lib.concatStringsSep ","
config.home.keyboard.options;
xkb_switch_layout = "1";
};
output = {
"*" = {
scale = "1";
background = "${./wallpaper.png} fill";
adaptive_sync = "on";
};
"Lenovo Group Limited P40w-20 V9084N0R" = {
resolution = "5120x2160";
position = "0 0";
subpixel = "rgb";
};
"LG Display 0x06AA Unknown" = {
position = "0 2160";
subpixel = "rgb";
};
};
bars = [
{
fonts = lib.mkForce {
names = [ "monospace" ];
size = 11.0;
};
statusCommand = swayrbar;
}
];
gaps = {
inner = 4;
outer = 4;
};
window.titlebar = false;
bindkeysToCode = true;
modifier = "Mod4";
terminal = kitty;
menu = "${tofi-drun} | ${xargs} ${swaymsg} exec --";
keybindings = let
mod = config.wayland.windowManager.sway.config.modifier;
in lib.mkOptionDefault {
# Workspaces
"${mod}+Grave" = "workspace number 0";
"${mod}+Shift+Grave" = "move container to workspace number 0";
"${mod}+Shift+Return" = "exec ${kitty} ${fish} --private";
# Function keys
XF86MonBrightnessUp = "exec ${brightnessctl} -e set +5%";
XF86MonBrightnessDown = "exec ${brightnessctl} -e set 5%-";
XF86AudioRaiseVolume = "exec ${wpctl} set-volume @DEFAULT_AUDIO_SINK@ +2dB";
XF86AudioLowerVolume = "exec ${wpctl} set-volume @DEFAULT_AUDIO_SINK@ -2dB";
XF86AudioMute = "exec set-mute @DEFAULT_AUDIO_SINK@ toggle";
XF86AudioMicMute = "exec set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
XF86AudioNext = "exec ${playerctl} next";
XF86AudioPrev = "exec ${playerctl} previous";
XF86AudioPlay = "exec ${playerctl} play";
XF86AudioStop = "exec ${playerctl} pause";
XF86Explorer = "exec ${xdg-open} https:";
# Screenshots
"${mod}+Print" = "exec ${grim} -g - - | ${wl-copy}";
"${mod}+Shift+Print" = "exec ${slurp} | ${grim} -g - - | ${wl-copy}";
"${mod}+Ctrl+Print" = ''
exec ${swaymsg} -t get_tree \
| ${jq} -r '.. | select(.focused?) | .rect | "\(.x),\(.y) \(.width)x\(.height)"' \
| ${grim} -g - - \
| ${wl-copy}
'';
};
startup = [
{ command = "${swaymsg} input '*' xkb_switch_layout 1"; always = true; }
{ command = "${keepassxc}"; }
];
};
};
xdg.configFile."fontconfig/conf.d/80-fira-code.conf".text = ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'>
<fontconfig>
<match target="font">
<test name="family" compare="eq" ignore-blanks="true">
<string>Fira Code</string>
</test>
<edit name="fontfeatures" mode="append">
${fira-code-features
|> map (tag: "<string>${lib.escapeXML tag}</string>")
|> lib.concatStrings}
</edit>
</match>
</fontconfig>
'';
xdg.configFile."kitty/open-actions.conf".text = with cmd; ''
protocol file
mime image/*
action launch --type overlay kitten icat --hold -- "$FILE_PATH"
protocol file
mime text/markdown
action launch --type overlay ${mdless} -- "$FILE_PATH"
protocol file
mime text/*
action launch --type overlay $EDITOR -- "$FILE_PATH"
protocol file
mime video/*
action launch --type background ${mpv} -- "$FILE_PATH"
protocol file
mime audio/*
action launch --type overlay ${mpv} -- "$FILE_PATH"
protocol
action launch --type background ${xdg-open} "$FILE_PATH"
'';
xdg.desktopEntries = {
kitty = {
name = "kitty";
exec = builtins.replaceStrings [ "$" ] [ ''\\$'' ] cmd.kitty;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"default-web-browser" = [ "firefox.desktop" ];
"application/pdf" = [ "org.gnome.Evince.desktop" ];
};
};
xdg.portal = {
enable = true;
config.common.default = [ "wlr" "gtk" ];
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
(xdg-desktop-portal-gtk.override { buildPortalsInGnome = false; })
];
};
}

4
home/module/locale-en_EU.nix Normal file
View file

@ -0,0 +1,4 @@
{ self, ... }: { lib, pkgs, ... }: {
home.language.base = lib.mkDefault "en_EU.UTF-8";
i18n.glibcLocales = self.packages.${pkgs.system}.locale-en_EU;
}

58
lib/kernel.nix Normal file
View file

@ -0,0 +1,58 @@
{ nixpkgs, ... }:
let
inherit (builtins)
isAttrs
isInt
length
match
toString;
inherit (nixpkgs.lib.asserts)
assertMsg;
inherit (nixpkgs.lib.attrsets)
isDerivation
mapAttrsToList
mergeAttrsList;
inherit (nixpkgs.lib.lists)
flatten;
inherit (nixpkgs.lib.strings)
concatStrings
concatStringsSep
escape;
isKey = str: match "[0-9A-Z][0-9A-Zx_]*" str != null;
isNum = str: match "(0x[0-9A-Fa-f]+|[1-9][0-9]*)" str != null;
mkValueString = v: let
v' = toString v;
in if v == true then "y"
else if isInt v || isNum v' then v'
else "\"${escape [ "\"" ] v'}\"";
in rec {
flattenAttrs = let
compose = p: n: if isKey n then p ++ [ n ] else p;
recurse = p: v:
if isValue v then { ${concatStringsSep "_" p} = v; }
else mapAttrsToList (n: v: recurse (compose p n) v) v;
in attrs: recurse [ ] attrs |> flatten |> mergeAttrsList;
option = v: { _option = v; };
isValue = x: isAttrs x -> !isDerivation x -> x ? _option;
isOptional = x: isAttrs x && !isDerivation x && x ? _option;
getValue = x: if isOptional x then x._option else x;
mkKey = n: assert isKey n; "CONFIG_${n}";
mkKeyValue = n: v: let
v' = getValue v;
in if (v' == false || v' == null)
then "# ${mkKey n} is not set"
else "${mkKey n}=${mkValueString v'}";
mkConfig = attrs: mapAttrsToList (k: v: mkKeyValue k v + "\n") attrs
|> concatStrings;
}

1
lib/mods.nix Normal file
View file

@ -0,0 +1 @@
{ ... }@inputs: map (mod: import mod inputs)

308
nixos/config/muon.nix Normal file
View file

@ -0,0 +1,308 @@
{ self, nixos-hardware, ... }: { lib, config, pkgs, ... }: {
imports = [
nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme-gen4
] ++ (with self.nixosModules; [
default
physical
portable
graphical
wireless
]);
boot.initrd = {
luks.devices."luks-2fb93d4f-a0fe-4a49-9e40-3ac38ffe4d75".device = "/dev/disk/by-uuid/2fb93d4f-a0fe-4a49-9e40-3ac38ffe4d75";
luks.devices."luks-ea77e674-847f-41b8-9e1d-8b6dd08710e6".device = "/dev/disk/by-uuid/ea77e674-847f-41b8-9e1d-8b6dd08710e6";
};
boot.kernelParams = [
"intel_iommu=on"
"nouveau.config=NvGspRm=1"
];
boot.kernelPackages = let
inherit (self.packages.x86_64-linux) linux-hardened;
in pkgs.linuxPackagesFor (linux-hardened.override {
instSetArch = "alderlake";
extraFirmware = [
"i915/adlp_dmc.bin"
"i915/adlp_dmc_ver2_16.bin"
"i915/adlp_guc_70.bin"
"i915/tgl_huc.bin"
"intel/ibt-0040-0041.sfi"
"intel/ibt-0040-0041.ddc"
"intel/sof/sof-adl.ri"
"intel/sof-tplg/sof-hda-generic-2ch.tplg"
"iwlwifi-so-a0-gf-a0-89.ucode"
"iwlwifi-so-a0-gf-a0.pnvm"
"nvidia/ga107/acr/ucode_unload.bin"
"nvidia/ga107/acr/ucode_asb.bin"
"nvidia/ga107/acr/ucode_ahesasc.bin"
"nvidia/ga107/gr/fecs_bl.bin"
"nvidia/ga107/gr/fecs_sig.bin"
"nvidia/ga107/gr/gpccs_bl.bin"
"nvidia/ga107/gr/gpccs_sig.bin"
"nvidia/ga107/gr/NET_img.bin"
"nvidia/ga107/sec2/desc.bin"
"nvidia/ga107/sec2/image.bin"
"nvidia/ga107/sec2/sig.bin"
"nvidia/ga107/sec2/hs_bl_sig.bin"
"nvidia/ga107/nvdec/scrubber.bin"
"nvidia/ga107/gsp/booter_load-535.113.01.bin"
"nvidia/ga107/gsp/booter_unload-535.113.01.bin"
"nvidia/ga107/gsp/bootloader-535.113.01.bin"
"nvidia/ga107/gsp/gsp-535.113.01.bin"
"regulatory.db"
"regulatory.db.p7s"
"rtl_nic/rtl8153b-2.fw"
];
extraConfig =
(with linux-hardened.profile; physical // portable // dm-crypt // wireless // audio)
// (with self.lib.kernel; {
X86_INTEL_LPSS = true;
CPU_SUP_INTEL = true;
CPU_SUP_AMD = false;
NR_CPUS = 20;
X86_MCE_INTEL = true;
ACPI_DPTF = true;
DPTF_POWER = true;
DPTF_PCH_FIVR = true;
INTEL_IDLE = true;
VIRTUALIZATION = true;
KVM = true;
KVM_INTEL = true;
KVM_SMM = true;
IP_MULTICAST = true;
IPV6_ROUTER_PREF = true;
IPV6_ROUTE_INFO = true;
IPV6_OPTIMISTIC_DAD = true;
BT_INTEL = true;
BT_HCIBTUSB = true;
EISA = true;
EISA_PCI_EISA = true;
EISA_VIRTUAL_ROOT = false;
EISA_NAMES = true;
NVME_CORE = true;
BLK_DEV_NVME = true;
NVME_VERBOSE_ERRORS = true;
NVME_HWMON = true;
MISC_RTSX = true;
INTEL_MEI = true;
MISC_RTSX_PCI = true;
ETHERNET = true;
AQTION = true;
WLAN = true;
IWLWIFI = true;
IWLMVM = true;
INPUT_MOUSEDEV = true;
INPUT_JOYDEV = true;
KEYBOARD_ATKBD = true;
INPUT_MOUSE = true;
MOUSE_PS2 = true;
MOUSE_PS2_TRACKPOINT = true;
INPUT_JOYSTICK = true;
INTEL_PCH_THERMAL = true;
MFD_CORE = true;
MFD_INTEL_LPSS_PCI = true;
I2C = true;
I2C_I801 = true;
SPI = true;
SPI_MEM = true;
SPI_INTEL_PCI = true;
INT340X_THERMAL = true;
VIDEO = true;
VGA_SWITCHEROO = true;
DRM = true;
DRM_FBDEV_EMULATION = true;
DRM_NOUVEAU = true;
DRM_NOUVEAU_SVM = true;
DRM_NOUVEAU_GSP_DEFAULT = true;
DRM_I915 = true;
BACKLIGHT_CLASS_DEVICE = true;
HDMI = true;
SND_HDA_INTEL = true;
SND_HDA_HWDEP = true;
SND_HDA_CODEC_REALTEK = true;
SND_HDA_CODEC_HDMI = true;
SND_HDA_POWER_SAVE_DEFAULT = 2;
SND_SOC = true;
SND_SOC_SOF_TOPLEVEL = true;
SND_SOC_SOF_PCI = true;
SND_SOC_SOF_INTEL_TOPLEVEL = true;
SND_SOC_SOF_TIGERLAKE = true;
SND_SOC_SOF_HDA_LINK = true;
SND_SOC_SOF_HDA_AUDIO_CODEC = true;
SND_SOC_DMIC = true;
HID_LENOVO = true;
HID_LOGITECH = true;
USB_ACM = true;
USB_SERIAL = true;
USB_SERIAL_PL2303 = true;
EDAC_IGEN6 = true;
ACPI_WMI = true;
MXM_WMI = true;
THINKPAD_ACPI = true;
THINKPAD_ACPI_ALSA_SUPPORT = true;
THINKPAD_ACPI_VIDEO = true;
INTEL_TURBO_MAX_3 = true;
INTEL_VSEC = true;
INTEL_IOMMU = true;
INTEL_IOMMU_DEFAULT_ON = true;
SOUNDWIRE = true;
SOUNDWIRE_INTEL = true;
INTEL_IDMA64 = true;
INTEL_RAPL = true;
EXT4_FS = true;
EXT4_USE_FOR_EXT2 = true;
EXT4_FS_POSIX_ACL = true;
BTRFS_FS = true;
BTRFS_FS_POSIX_ACL = true;
FUSE_FS = true;
EXFAT_FS = true;
});
});
hardware.cpu.clusters.performance = lib.range 0 11;
hardware.cpu.clusters.efficiency = lib.range 12 19;
hardware.cpu.intel.updateMicrocode = true;
hardware.glasgow.enable = true;
hardware.graphics.extraPackages = with pkgs; [
intel-media-driver
];
hardware.keyboard.qmk.enable = true;
hardware.nitrokey.enable = true;
hardware.sane = {
enable = true;
extraBackends = [ pkgs.utsushi ];
};
hardware.trackpoint = {
enable = true;
sensitivity = 255;
speed = 64;
};
hardware.uinput.enable = true;
ephemeral.enable = true;
ephemeral.device = "UUID=039aa386-a39d-4329-bcf0-48936b938db1";
ephemeral.boot.device = "PARTUUID=61c6f04c-0923-437e-860e-e88452b8e39e";
ephemeral.boot.fsType = "vfat";
ephemeral.subvolumes."/home" = {
options = [ "nodev" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
networking.firewall.extraInputRules = ''
ip6 daddr { ff02::1:3, ff02::fb } udp dport 5353 accept
ip daddr { 224.0.0.251, 224.0.0.252 } udp dport 5353 accept
ip6 daddr ff12::8384 udp dport 21027 accept
ip daddr 255.255.255.255 udp dport 21027 accept
udp dport 4992 accept
'';
networking.hosts = {
"172.16.0.1" = [ "airlink.local" ];
"192.168.178.1" = [ "fritz.box" ];
};
networking.firewall.allowedTCPPorts = [ 5000 22000 ];
networking.firewall.allowedUDPPorts = [ 4992 22000 ];
networking.firewall.allowedUDPPortRanges = [
{ from = 6001; to = 6011; }
];
programs.ssh.knownHosts."zh1830.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
services.beesd.filesystems.root = {
spec = "UUID=039aa386-a39d-4329-bcf0-48936b938db1";
hashTableSizeMB = 1024;
verbosity = "crit";
};
services.fprintd.enable = true;
services.printing.enable = true;
services.printing.drivers = with pkgs; [
brlaser
];
services.udev.packages = with pkgs; [ utsushi ];
systemd.services."beesd@root" = {
bindsTo = [ "power-external.target" ];
serviceConfig = {
IOSchedulingClass = "idle";
CPUWeight = lib.mkForce "idle";
};
};
users.users.nil.hashedPasswordFile = "/etc/keys/users/nil";
users.users.nil.extraGroups = [
"audio" "input" "uinput" "plugdev" "video" "render" "scanner" "nitrokey"
];
nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "build-worker-03.nyantec.com";
maxJobs = 16;
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVHcVRZNzRjNWcxNURTTlBOTTJXZHI1akF3UzdCRmdYMVhSbmh0R09uSmMgcm9vdEBidWlsZC13b3JrZXItMDMK";
sshKey = "/etc/keys/nix-ssh";
sshUser = "nix-ssh";
supportedFeatures = [ "kvm" "nixos-test" "benchmark" "big-parallel" "gccarch-x86-64-v3" ];
system = "x86_64-linux";
}
{
hostName = "build-worker-04.nyantec.com";
maxJobs = 16;
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUNPcSs1SStubEFOMmxKb090b1hyWUVEdVovVE1QTWE0M3BJbGFibFlpZ0sgcm9vdEBidWlsZC13b3JrZXItMDQK";
sshKey = "/etc/keys/nix-ssh";
sshUser = "nix-ssh";
supportedFeatures = [ "kvm" "nixos-test" "benchmark" "big-parallel" "gccarch-x86-64-v3" ];
system = "x86_64-linux";
}
];
}

738
nixos/config/solitary.nix Normal file
View file

@ -0,0 +1,738 @@
{ self, ... }: { lib, config, pkgs, ... }:
with lib; let
ports = {
acme = 1360;
nginx = 8080;
synapse = 8008;
syncv3 = 8009;
unbound = 8484;
};
security-txt = pkgs.writeText "security.txt" ''
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Canonical: https://solitary.social/.well-known/security.txt
Contact: mailto:mvs@nya.yt
Encryption: openpgp4fpr:950623eb2f52402e0cf56ccbee49e25700058dd6
Preferred-Languages: en, de
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRbjUmg6ccaTk940M7ZkbGDPEZ7AwUCYz2XrwAKCRDZkbGDPEZ7
A4w5AQD3Mzb5Bi8CERe3j3NjQhgeEkMVBcfM3RumuWdjs6i+LgD9HHuY3Bp6ljtR
LnLJRZt4Q8CYKoPaYkSO0vBaYKmUnwY=
=iQpI
-----END PGP SIGNATURE-----
'';
in {
imports = with self.nixosModules; [
default
headless
acme-ocsp
];
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
boot.kernelPackages = let
inherit (self.packages.x86_64-linux) linux-hardened;
in pkgs.linuxPackagesFor (linux-hardened.override {
instSetArch = "x86-64-v3";
extraConfig = linux-hardened.profile.paravirt;
});
environment.etc."machine-id".text = "1c97ae368741530de77aad42b5a6ae42";
ephemeral.device = "UUID=07a91cc3-4dd4-48e6-81d7-eb5d31fcf720";
ephemeral.boot.device = "UUID=24c72e0c-b467-4def-a641-ae09100465f0";
ephemeral.boot.fsType = "ext4";
i18n.supportedLocales = [ "C.UTF-8/UTF-8" "en_EU.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8" ];
networking = {
hostName = "solitary";
domain = "social";
firewall.allowedTCPPorts = [ 22 80 443 853 ];
firewall.allowedUDPPorts = [ 443 ];
};
security.acme = {
certs.${config.networking.fqdn} = {
email = "mvs@nya.yt";
listenHTTP = "127.0.0.1:${toString ports.acme}";
reloadServices = [ "haproxy.service" "unbound.service" ];
extraDomainNames = [
"cache.solitary.social"
"matrix.solitary.social"
"media.solitary.social"
"resolve.solitary.social"
"syncv3.solitary.social"
];
};
};
services.akkoma.enable = true;
services.akkoma.extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
services.akkoma.extraStatic."static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''
<h2>Commitments</h2>
<p>This is currently a singleuser instance and therefore I decided to formulate what would be <em>Terms of Service</em> for a multiuser user instance as commitments. These are still incomplete and subject to expansion in the future.</p>
<ul>
<li>I shall observe and respect your boundaries.</li>
<li>I shall respect your right to disengage, and support you if you wish to disengage from others.</li>
<li>I shall accept that you may not want to be confronted with certain content and tag my posts appropriately.</li>
</ul>
'';
services.akkoma.extraStatic."favicon.png" = let
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
in pkgs.stdenvNoCC.mkDerivation {
name = "favicon.png";
src = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
};
nativeBuildInputs = with pkgs; [ librsvg ];
dontUnpack = true;
installPhase = ''
rsvg-convert -o $out -w 96 -h 96 $src
'';
};
services.akkoma.config = let
elixir = pkgs.formats.elixirConf { };
in with elixir.lib; {
":pleroma" = {
":instance" = {
name = "solitary.social";
email = "mvs+solitary.social@nya.yt";
notify_email = "akkoma@solitary.social";
description = "Singleuser fediverse instance";
instance_thumbnail = "/instance/thumbnail.avif";
limit = 5120;
description_limit = 5120;
remote_limit = 131072;
upload_limit = 160 * 1024 * 1024;
avatar_upload_limit = 2097152;
background_upload_limit = 4194304;
banner_upload_limit = 4194304;
registrations_open = false;
account_approval_required = true;
remote_post_retention_days = 180;
user_bio_length = 5120;
user_name_length = 64;
max_account_fields = 8;
cleanup_attachments = true;
};
"Pleroma.Web.Endpoint" = {
secret_key_base._secret = "/var/lib/secrets/akkoma/key-base";
signing_salt._secret = "/var/lib/secrets/akkoma/signing-salt";
live_view.signing_salt._secret = "/var/lib/secrets/akkoma/liveview-salt";
};
"Pleroma.Emails.Mailer" = {
enabled = true;
adapter = mkRaw "Swoosh.Adapters.SMTP";
relay = "localhost";
dkim = {
a = "ed25519-sha256";
s = "akkoma";
d = config.networking.fqdn;
private_key = mkTuple [
(mkAtom ":pem_plain")
(mkRaw ''File.read!("/var/lib/akkoma/dkim.pem")'')
];
};
};
":database".rum_enabled = true;
":media_proxy" = {
enabled = true;
base_url = "https://cache.solitary.social";
proxy_opts.redirect_on_failure = true;
proxy_opts.max_body_length = 64 * 1024 * 1024;
};
":media_preview_proxy" = {
enabled = false;
thumbnail_max_width = 1920;
thumbnail_max_height = 1080;
min_content_length = 128 * 1024;
};
"Pleroma.Upload".base_url = "https://media.solitary.social";
"Pleroma.Upload".filters = map mkRaw [
"Pleroma.Upload.Filter.Exiftool.ReadDescription"
"Pleroma.Upload.Filter.Exiftool.StripMetadata"
"Pleroma.Upload.Filter.Dedupe"
"Pleroma.Upload.Filter.AnonymizeFilename"
];
":mrf".policies = map mkRaw [
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
];
":mrf_simple" = {
reject = mkMap {
"bae.st" = "harassment";
"brighteon.social" = "incompatible";
"detroitriotcity.com" = "incompatible";
"freeatlantis.com" = "incompatible";
"freespeechextremist.com" = "incompatible";
"gab.com" = "incompatible";
"gleasonator.com" = "incompatible";
"kitsunemimi.club" = "incompatible";
"poa.st" = "incompatible";
"seal.cafe" = "harassment";
"social.quodverum.com" = "incompatible";
"spinster.xyz" = "incompatible";
"truthsocial.co.in" = "incompatible";
"varishangout.net" = "incompatible";
"activitypub-troll.cf" = "security";
"misskey-forkbomb.cf" = "security";
"repl.co" = "security";
};
followers_only = mkMap {
"bitcoinhackers.org" = "annoying";
};
};
":mrf_object_age".threshold = 90 * 24 * 3600;
":frontend_configurations" = {
pleroma_fe = mkMap {
collapseMessageWithSubject = true;
hideSiteFavicon = true;
streaming = true;
webPushNotifications = true;
useStreamingApi = true;
scopeCopy = true;
showFeaturesPanel = false;
subjectLineBehavior = "masto";
alwaysShowSubjectInput = true;
postContentType = "text/markdown";
modalOnRepeat = true;
minimalScopesMode = true;
redirectRootNoLogin = "/mkl";
translationLanguage = "EN";
};
};
":restrict_unauthenticated" = {
timelines = mkMap {
local = false;
federated = true;
};
};
":translator" = {
enabled = true;
module = mkRaw "Pleroma.Akkoma.Translators.DeepL";
};
":deepl" = {
tier = mkAtom ":free";
api_key._secret = "/var/lib/secrets/akkoma/deepl";
};
};
":web_push_encryption".":vapid_details" = {
subject = "mailto:mvs+solitary.social@nya.yt";
public_key = "BPwdJZjBeZw_ZkWU_RQ48RdPI2pHIhMAYaNJc6xut4nQRi2YSaKnfP_kLrXzRjETQh5VJsDI-azYCeEhtk-C33s";
private_key._secret = "/var/lib/secrets/akkoma/vapid";
};
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
};
services.haproxy.enable = true;
services.haproxy.config =
let
ciphers = "ECDHE+CHACHA20:ECDHE+AESGCM";
cipherSuites = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
options = "ssl-min-ver TLSv1.2 no-tls-tickets";
acmeDir = config.security.acme.certs.${config.networking.fqdn}.directory;
compTypes = [
"application/javascript"
"application/json"
"image/svg+xml"
"text/css"
"text/html"
"text/javascript"
"text/plain"
];
in ''
global
expose-experimental-directives
log stderr format short alert notice
maxconn 9216
nbthread 2
cpu-map auto:1/all 0-63
ssl-default-bind-ciphers ${ciphers}
ssl-default-bind-ciphersuites ${cipherSuites}
ssl-default-bind-options prefer-client-ciphers ${options}
ssl-default-server-ciphers ${ciphers}
ssl-default-server-ciphersuites ${cipherSuites}
ssl-default-server-options ${options}
defaults
log global
mode http
option abortonclose
option checkcache
option forwardfor
option http-keep-alive
option http-restrict-req-hdr-names reject
option httpchk
option splice-auto
option tcp-smart-connect
timeout connect 5s
timeout client 30s
timeout http-request 5s
timeout client-fin 5s
timeout tunnel 1h
timeout server 30s
timeout check 5s
cache default
total-max-size 16
max-age 240
frontend http
bind :::443 v4v6 defer-accept tfo ssl crt ${acmeDir}/full.pem allow-0rtt alpn h2,http/1.1
bind quic6@:443 v4v6 ssl crt ${acmeDir}/full.pem allow-0rtt alpn h3
bind :::80 v4v6 defer-accept tfo
acl replay-safe method GET HEAD OPTIONS req.body_size eq 0
acl host-solitary hdr(host),host_only solitary.social
acl host-cache hdr(host),host_only cache.solitary.social
acl host-media hdr(host),host_only media.solitary.social
acl host-matrix hdr(host),host_only matrix.solitary.social
acl host-syncv3 hdr(host),host_only syncv3.solitary.social
acl host-resolve hdr(host),host_only resolve.solitary.social
acl path-acme path_dir /.well-known/acme-challenge
acl path-security.txt path /.well-known/security.txt
acl path-matrix-well-known path_dir /.well-known/matrix
acl path-proxy path_dir /proxy
acl path-media path_dir /media
#http-request normalize-uri fragment-strip
#http-request normalize-uri path-strip-dot
#http-request normalize-uri path-strip-dotdot full
#http-request normalize-uri path-merge-slashes
#http-request normalize-uri percent-decode-unreserved strict
#http-request normalize-uri percent-to-uppercase strict
#http-request normalize-uri query-sort-by-name
http-request redirect scheme https code 301 unless { ssl_fc } or path-acme
http-request wait-for-handshake unless replay-safe
http-response set-tos 20 if path-acme # AF22 (lowlatency, med drop)
http-response set-tos 20 if host-resolve # AF22 (lowlatency, med drop)
http-response set-tos 10 if host-matrix # AF11 (highthroughput, low drop)
http-response set-tos 10 if host-syncv3 # AF11 (highthroughput, low drop)
http-response set-tos 12 if host-solitary # AF12 (highthroughput, med drop)
http-response set-tos 14 if host-media # AF13 (highthroughput, high drop)
http-response set-tos 14 if host-cache # AF13 (highthroughput, high drop)
http-request cache-use default
http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]
acl no-coep res.hdr(Cross-Origin-Embedder-Policy) -m len 0
acl no-coop res.hdr(Cross-Origin-Opener-Policy) -m len 0
acl no-corp res.hdr(Cross-Origin-Resource-Policy) -m len 0
acl no-csp res.hdr(Content-Security-Policy) -m len 0
acl no-rp res.hdr(Referrer-Policy) -m len 0
http-response set-header Alt-Svc "h3=\":443\""
http-response set-header Cross-Origin-Embedder-Policy require-corp if no-coep
http-response set-header Cross-Origin-Opener-Policy same-origin if no-coop
http-response set-header Cross-Origin-Resource-Policy same-origin if no-corp
http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" if no-csp
http-response set-header Referrer-Policy same-origin if no-rp
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
http-response set-header X-Frame-Options DENY
http-response set-header X-Content-Type-Options nosniff
http-response set-header X-XSS-Protection "1; mode=block"
compression algo gzip
compression type ${concatStringsSep " " compTypes}
http-response cache-store default
http-request redirect code 308 location https://media.solitary.social%[capture.req.uri,regsub("^/media","")] if host-solitary path-media
http-request redirect code 308 location https://media.solitary.social%[capture.req.uri,regsub("^/media","")] if host-media path-media
http-request redirect code 308 location https://cache.solitary.social%[capture.req.uri] if host-solitary path-proxy
http-request set-path "/media%[path]" if host-media !path-media
use_backend acme if path-acme
use_backend security.txt if path-security.txt
use_backend unbound if host-resolve
use_backend synapse if host-matrix
use_backend syncv3 if host-syncv3
use_backend wellknown-matrix if host-solitary path-matrix-well-known
use_backend nginx if host-cache
use_backend akkoma if host-solitary
use_backend akkoma if host-media
default_backend notfound
backend acme
server acme 127.0.0.1:${toString ports.acme}
retry-on all-retryable-errors
backend akkoma
server akkoma /run/akkoma/socket
backend nginx
server nginx [::1]:${toString ports.nginx} tfo proto h2
retry-on conn-failure empty-response response-timeout
backend synapse
server synapse [::1]:${toString ports.synapse}
backend syncv3
server syncv3 [::1]:${toString ports.syncv3}
backend unbound
server unbound [::1]:${toString ports.unbound} tfo ssl ssl-min-ver TLSv1.3 alpn h2 allow-0rtt ca-file ${acmeDir}/chain.pem
retry-on conn-failure empty-response response-timeout 0rtt-rejected
backend security.txt
http-request return status 200 content-type text/plain file ${security-txt} if { path /.well-known/security.txt }
backend wellknown-matrix
http-request return status 200 content-type application/json file ${pkgs.writeText "client.json" (builtins.toJSON {
"m.homeserver".base_url = config.services.matrix-synapse.settings.public_baseurl;
"m.identity_server".base_url = "https://vector.im";
"org.matrix.msc3575.proxy".url = "https://syncv3.solitary.social";
})} if { path /.well-known/matrix/client }
http-request return status 200 content-type application/json file ${pkgs.writeText "server.json" (builtins.toJSON {
"m.server" = "matrix.solitary.social:443";
})} if { path /.well-known/matrix/server }
backend notfound
http-request return status 404
'';
services.matrix-synapse.enable = true;
services.matrix-synapse.settings = {
database_type = "psycopg2";
server_name = "solitary.social";
public_baseurl = "https://matrix.solitary.social/";
default_identity_server = "https://vector.im";
enable_registration = false;
listeners = [ {
bind_addresses = [ "::1" ];
port = ports.synapse;
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
} ];
log_config = ./log_config.yaml;
};
services.nginx = {
enable = true;
package = pkgs.tengine;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
commonHttpConfig = ''
charset utf-8;
proxy_cache_path /var/cache/nginx/cache/akkoma_media_cache
levels= keys_zone=akkoma_media_cache:16m max_size=16g
inactive=1y use_temp_path=off;
access_log off;
set_real_ip_from ::1;
real_ip_header X-Forwarded-For;
'';
};
services.matrix-sliding-sync = {
enable = true;
environmentFile = "/etc/keys/sliding-sync.env";
settings = {
SYNCV3_BINDADDR = "[::1]:${toString ports.syncv3}";
SYNCV3_LOG_LEVEL = "warn";
SYNCV3_SERVER = "https://matrix.solitary.social";
};
};
services.nginx.virtualHosts."cache.solitary.social" = {
listen = [ {
addr = "[::1]";
port = ports.nginx;
extraParameters = [ "http2" "fastopen=512" ];
} ];
locations."/" = {
proxyPass = "http://unix:/run/akkoma/socket";
extraConfig = ''
proxy_cache akkoma_media_cache;
slice 1m;
proxy_cache_key $host$uri$is_args$args$slice_range;
proxy_set_header Range $slice_range;
proxy_buffering on;
proxy_cache_lock on;
proxy_ignore_client_abort on;
proxy_cache_valid 200 1y;
proxy_cache_valid 206 301 304 1h;
proxy_cache_use_stale error timeout invalid_header updating;
'';
};
};
services.postfix = {
enable = true;
destination = [ ];
localRecipients = [ ];
networks = [ "localhost" ];
hostname = config.networking.fqdn;
masterConfig.smtp_inet.name = mkForce "localhost:smtp";
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
extraPlugins = with pkgs.postgresql_14.pkgs; [
rum
];
initialScript = pkgs.writeText "init.psql" ''
CREATE ROLE "matrix-synapse";
CREATE DATABASE "matrix-synapse" OWNER "matrix-synapse"
TEMPLATE template0
ENCODING 'utf8'
LOCALE 'C';
'';
};
services.unbound = {
enable = true;
package = pkgs.unbound-with-systemd.override {
withDoH = true;
withTFO = true;
};
enableRootTrustAnchor = true;
};
services.unbound.settings = {
server = let
acmeDir = config.security.acme.certs.${config.networking.fqdn}.directory;
num-threads = 2;
in {
inherit num-threads;
interface = [
"::1@53"
"127.0.0.1@53"
"::1@${toString ports.unbound}"
"::@853"
"0.0.0.0@853"
];
so-reuseport = true;
ip-dscp = 20;
outgoing-range = 8192;
edns-buffer-size = 1472;
udp-upstream-without-downstream = true;
num-queries-per-thread = 4096;
incoming-num-tcp = 1024;
outgoing-num-tcp = 16;
stream-wait-size = "64m";
msg-cache-size = "128m";
msg-cache-slabs = num-threads;
rrset-cache-size = "256m";
rrset-cache-slabs = num-threads;
infra-cache-slabs = num-threads;
key-cache-slabs = num-threads;
cache-min-ttl = 60;
cache-max-negative-ttl = 360;
prefer-ip6 = true;
tls-service-pem = "${acmeDir}/fullchain.pem";
tls-service-key = "${acmeDir}/key.pem";
https-port = ports.unbound;
http-query-buffer-size = "64m";
http-response-buffer-size = "64m";
access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
harden-dnssec-stripped = true;
hide-identity = true;
hide-version = true;
prefetch = true;
prefetch-key = true;
serve-expired-client-timeout = 1800;
};
};
systemd = let
backendServices = [
"akkoma.service"
"matrix-synapse.service"
"nginx.service"
"unbound.service"
];
in {
services.akkoma.confinement.enable = false;
services.akkoma.serviceConfig.BindReadOnlyPaths = [ "/var/lib/akkoma:/var/lib/akkoma:norbind" ];
services.haproxy = {
confinement.enable = false;
wants = [ "acme-finished-${config.networking.fqdn}.service" ]
++ backendServices;
after = [ "acme-selfsigned-${config.networking.fqdn}.service" ]
++ backendServices;
before = [ "acme-${config.networking.fqdn}.service" ];
reloadTriggers = [ "${config.security.acme.certs.${config.networking.fqdn}.directory}/cert.ocsp" ];
serviceConfig = {
BindReadOnlyPaths = [
"/etc/haproxy.cfg"
"/etc/hosts"
"/etc/resolv.conf"
"/run/akkoma"
config.security.acme.certs."solitary.social".directory
security-txt
];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
SocketBindAllow = [ "tcp:80" "tcp:443" "udp:443" ];
SocketBindDeny = "any";
};
};
services.matrix-sliding-sync = {
after = [ "matrix-synapse.service" ];
serviceConfig.ReadOnlyPaths = [
"/run/postgres"
];
};
services.nginx = {
confinement.enable = true;
after = [ "akkoma.service" ];
serviceConfig = {
BindReadOnlyPaths = [
"/etc/hosts"
"/etc/resolv.conf"
"/run"
];
BindPaths = [
"/var/cache/nginx"
];
ProtectSystem = mkForce false;
SocketBindAllow = [ "tcp:${toString ports.nginx}" ];
SocketBindDeny = "any";
RestrictNetworkInterfaces = [ "lo" ];
};
};
services.unbound = {
wants = [ "acme-finished-${config.networking.fqdn}.service" ];
after = [ "acme-selfsigned-${config.networking.fqdn}.service" ];
};
services.synapse-compress-state = {
confinement.enable = true;
after = [ "postgresql.service" ];
description = "Compress Synapse state tables";
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.matrix-synapse-tools.rust-synapse-compress-state}/bin/synapse_auto_compressor \
-p "host=/run/postgresql \
user=${config.services.matrix-synapse.settings.database.args.database} \
dbname=${config.services.matrix-synapse.settings.database.args.database}" \
-c 512 -n 128
'';
User = "matrix-synapse";
WorkingDirectory = "/tmp";
BindReadOnlyPaths = [
"/run/postgresql"
];
ProtectProc = "noaccess";
ProcSubset = "pid";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" ];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
CapabilityBoundingSet = null;
NoNewPrivileges = true;
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
SystemCallArchitectures = "native";
UMask = "0077";
};
};
timers.synapse-compress-state = {
enable = true;
description = "Compress Synapse state tables daily";
timerConfig = {
OnCalendar = "04:00";
};
wantedBy = [ "timers.target" ];
};
};
users.users.${config.services.haproxy.user}.extraGroups = [ config.security.acme.certs.${config.networking.fqdn}.group ];
users.users.${config.services.unbound.user}.extraGroups = [ config.security.acme.certs.${config.networking.fqdn}.group ];
}

85
nixos/module/acme-ocsp.nix Normal file
View file

@ -0,0 +1,85 @@
{ ... }: { config, pkgs, lib, ...}:
let
cfg = config.security.acme;
script = pkgs.writeShellApplication {
name = "ocsp-query";
runtimeInputs = with pkgs; [ openssl ];
text = ''
cd "$1"
tmp="$(mktemp ocsp.der.XXXXXXXXXX)"
trap 'rm -f "$tmp"' EXIT TERM
url="$(openssl x509 -in cert.pem -noout -ocsp_uri)"
openssl ocsp -issuer chain.pem -cert cert.pem -url "$url" -respout "$tmp"
chown "$(id -u):$(id -g)" "$tmp"
chmod 644 "$tmp"
mv "$tmp" ocsp.der
ln -s -f ocsp.der full.ocsp
'';
};
in {
options.security.acme.ocspTimer = lib.mkOption {
type = with lib.types; nullOr nonEmptyStr;
default = "daily";
description = "Realtime (wall clock) timer for regular OCSP queries.";
};
config = lib.mkIf (cfg.ocspTimer != null) {
systemd.services = lib.mapAttrs' (cert: conf: lib.nameValuePair "ocsp-${cert}" {
description = "Query OCSP endpoint for ${cert}";
after = [ "network.target" "network-online.target" "acme-${cert}.service" ];
wants = [ "network.target" "network-online.target" "acme-${cert}.service" ];
confinement.enable = true;
confinement.packages = with pkgs; [ openssl ];
serviceConfig = {
Type = "oneshot";
User = "acme";
Group = conf.group;
UMask = "0022";
BindPaths = [ conf.directory ];
ExecStart = "${script}/bin/ocsp-query ${lib.escapeShellArg conf.directory}";
ProtectProc = "noaccess";
ProcSubset = "pid";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
CapabilityBoundingSet = null;
NoNewPrivileges = true;
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
SystemCallArchitectures = "native";
DeviceAllow = null;
DevicePolicy = "closed";
SocketBindDeny = "any";
};
}) cfg.certs;
systemd.timers = lib.mapAttrs' (cert: conf: lib.nameValuePair "ocsp-${cert}" {
description = "Query OCSP endpoint for ${cert} regularly";
timerConfig.OnCalendar = cfg.ocspTimer;
}) cfg.certs;
};
}

7
nixos/module/broken.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }: { config, lib, ... }: {
nixpkgs.config = {
permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
];
};
}

66
nixos/module/btrfs.nix Normal file
View file

@ -0,0 +1,66 @@
{ self, ... }: { config, lib, pkgs, ... }: let
monthly = {
OnCalendar = "monthly";
RandomizedDelaySec = "1w";
};
timers = {
"btrfs-scrub@nix" = monthly;
"btrfs-scrub@home" = monthly;
"btrfs-scrub@var" = monthly;
"btrfs-balance@nix" = monthly;
};
in {
imports = with self.nixosModules; [
powersupply
];
systemd = {
services =
let
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
service = serviceConfig: {
unitConfig = {
ConditionPathIsMountPoint = "%f";
RequiresMountsFor = "%f";
Requisite = [ "power-external.target" ];
StopPropagatedFrom = [ "power-external.target" ];
};
serviceConfig = {
Type = "exec";
KillSignal = "SIGINT";
CPUSchedulingPolicy = "batch";
IOSchedulingClass = "idle";
CPUWeight = "idle";
} // serviceConfig;
};
in {
"btrfs-scrub@" = service {
ExecStart = "${btrfs} scrub start -B %f";
BindPaths = [ "%f:%f:norbind" ];
};
"btrfs-balance@" = service {
ExecStart = "${btrfs} balance start -dusage=10 -musage=5 %f";
};
} // lib.mapAttrs (name: _: {
overrideStrategy = "asDropin";
}) timers;
timers = lib.mapAttrs (name: timerConfig: {
bindsTo = [ "power-external.target" ];
unitConfig = {
ConditionPathIsMountPoint = "%f";
RequiresMountsFor = "%f";
};
timerConfig = timerConfig // {
Persistent = true;
};
}) timers;
};
}

46
nixos/module/clusters.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }: { config, lib, ... }:
let
cfg = config.hardware.cpu.clusters;
concat = lib.concatMapStringsSep "," toString;
performance = concat cfg.performance;
efficiency = concat cfg.efficiency;
in {
options = {
hardware.cpu.clusters = {
performance = lib.mkOption {
type = with lib.types; listOf ints.unsigned;
default = [ ];
description = "List of performance CPUs";
};
efficiency = lib.mkOption {
type = with lib.types; listOf ints.unsigned;
default = [ ];
description = "List of efficiency CPUs";
};
};
};
config = lib.mkIf (cfg.performance != [ ] && cfg.efficiency != [ ]) {
boot.kernelParams = [
"irqaffinity=${efficiency}"
"nohz_full=${performance}"
"rcu_nocbs=all"
];
systemd.slices = lib.genAttrs [ "system" ] (slice: {
sliceConfig.AllowedCPUs = efficiency;
});
systemd.user.slices = lib.genAttrs [ "session" "app" ] (slice: {
sliceConfig.AllowedCPUs = efficiency;
});
assertions = lib.singleton {
assertion = lib.mutuallyExclusive cfg.performance cfg.efficiency;
message = "Performance and efficiency clusters must not overlap";
};
};
}

15
nixos/module/datacow.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }: { config, lib, pkgs, ... }:
let
cfg = config.services;
noDataCow = dir: ''
mkdir -p ${lib.escapeShellArg dir}
${pkgs.e2fsprogs}/bin/chattr +C ${lib.escapeShellArg dir}
'';
in {
systemd.services.mysql.preStart = lib.mkIf cfg.mysql.enable
(lib.mkBefore (noDataCow cfg.mysql.dataDir));
systemd.services.postgresql.preStart = lib.mkIf cfg.postgresql.enable
(lib.mkBefore (noDataCow cfg.postgresql.dataDir));
}

82
nixos/module/default.nix Normal file
View file

@ -0,0 +1,82 @@
{ self, ... }: { config, lib, pkgs, ... }: {
imports = with self.nixosModules; [
broken
btrfs
clusters
datacow
email
ephemeral
iosched
kernel
locale-en_EU
network
nix
openssh
powersupply
security
users
zram
];
#boot.initrd.systemd.enable = true;
boot.tmp.useTmpfs = true;
documentation = {
dev.enable = true;
doc.enable = false;
info.enable = false;
man.generateCaches = false;
};
environment = {
binsh = "${pkgs.dash}${pkgs.dash.shellPath}";
shellAliases = builtins.mapAttrs (name: lib.mkOverride 999) {
ls = null;
ll = null;
l = null;
};
systemPackages = with pkgs; [
# Terminfo
kitty.terminfo
# Utilities
(lib.meta.setPrio 0 uutils-coreutils-noprefix)
# Hardware info
pciutils
usbutils
];
};
hardware.block = {
defaultScheduler = "kyber";
defaultSchedulerRotational = "bfq";
scheduler = {
"mmcblk*" = "bfq";
};
};
hardware.enableRedistributableFirmware = false;
hardware.firmware = with pkgs; [
linux-firmware
#alsa-firmware
sof-firmware
];
ephemeral.enable = lib.mkDefault true;
location.provider = lib.mkIf config.hardware.graphics.enable "geoclue2";
services.dbus.implementation = "broker";
services.lvm.enable = lib.mkDefault false;
#system.etc.overlay.enable = true;
system.stateVersion = "24.11";
time.timeZone = lib.mkDefault "CET";
users.mutableUsers = false;
}

5
nixos/module/email.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }: { lib, ... }: {
services.postfix.config = lib.mkDefault {
smtpd_tls_security_level = "may";
};
}

237
nixos/module/ephemeral.nix Normal file
View file

@ -0,0 +1,237 @@
{ ... }: { config, lib, ...}:
let
cfg = config.ephemeral;
device = lib.mkOption {
type = lib.types.nonEmptyStr;
description = "Device to mount.";
};
options = lib.mkOption {
type = with lib.types; listOf nonEmptyStr;
readOnly = true;
description = "Options used to mount the file system.";
};
extraOptions = lib.mkOption {
type = with lib.types; listOf nonEmptyStr;
default = [ ];
description = "Additional options used to mount the file system.";
};
filesystem = {
options = {
inherit device options extraOptions;
fsType = lib.mkOption {
type = lib.types.nonEmptyStr;
description = "Type of the file system.";
};
};
};
tmpfs = {
options = {
inherit options extraOptions;
name = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "none";
description = "Name of the file system.";
};
size = lib.mkOption {
type = with lib.types; either nonEmptyStr ints.positive;
description = "Size of the file system.";
};
mode = lib.mkOption {
type = lib.types.nonEmptyStr;
description = "Initial permissions of the root directory.";
};
uid = lib.mkOption {
type = with lib.types; either nonEmptyStr ints.unsigned;
default = 0;
description = "Initial user ID of the root directory";
};
gid = lib.mkOption {
type = with lib.types; either nonEmptyStr ints.unsigned;
default = 0;
description = "Initial group ID of the root directory";
};
};
};
subvol = {
options = {
inherit options extraOptions;
subvolume = lib.mkOption {
type = with lib.types; nullOr nonEmptyStr;
default = null;
description = "Source path of the subvolume.";
};
};
};
ephemeralDefaults = {
"/" = {
size = "64m";
mode = "755";
uid = 0;
gid = 0;
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ ];
};
"/run/nix" = {
size = "80%";
mode = "1775";
uid = 0;
gid = "nixbld";
options = [ "nodev" "nosuid" ];
extraOptions = [ ];
};
"/tmp" = {
size = "256m";
mode = "1777";
uid = 0;
gid = 0;
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ ];
};
};
subvolumeDefaults = {
"/etc/keys" = {
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
"/etc/credstore" = {
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
"/etc/credstore.encrypted" = {
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ "noatime" ];
};
"/nix" = {
options = [ "nodev" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
"/var" = {
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
};
in {
options = {
ephemeral = {
enable = lib.mkEnableOption "ephemeral filesystem";
device = lib.mkOption {
type = lib.types.nonEmptyStr;
description = "Persistent btrfs device.";
};
boot = {
inherit device;
fsType = lib.mkOption {
type = lib.types.nonEmptyStr;
};
options = lib.mkOption {
inherit (options) type readOnly description;
default = [ "nodev" "noexec" "nosuid" ]
++ lib.optionals (cfg.boot.fsType == "vfat") [ "fmask=0137" "dmask=022" ]
++ lib.optionals (builtins.match "ext[34]" cfg.boot.fsType != null) [ "data=journal" ];
};
extraOptions = lib.mkOption {
inherit (extraOptions) type description;
default = [ "noatime" ];
};
};
ephemeral = lib.mkOption {
type = with lib.types; attrsOf (submodule tmpfs);
description = "Ephemeral filesystems.";
default = ephemeralDefaults;
};
subvolumes = lib.mkOption {
type = with lib.types; attrsOf (submodule subvol);
description = "Persistent subvolumes.";
default = subvolumeDefaults;
example = {
"/home" = {
options = [ "nodev" "noexec" "nosuid" ];
extraOptions = [ "noatime" "compress=zstd" ];
};
};
};
};
};
config = lib.mkIf cfg.enable {
boot.initrd.availableKernelModules = [ "zstd" ];
boot.supportedFilesystems = [ "btrfs" ];
environment.etc.machine-id.source = lib.mkDefault "/etc/keys/machine-id";
environment.etc.secureboot.source = lib.mkDefault "/etc/keys/secureboot";
fileSystems = {
"/boot" = {
device = cfg.boot.device;
fsType = cfg.boot.fsType;
options = cfg.boot.options ++ cfg.boot.extraOptions;
};
} //
(builtins.mapAttrs (key: val: {
fsType = "tmpfs";
options = val.options ++ val.extraOptions
++ [
"strictatime"
"size=${toString val.size}"
"mode=${val.mode}"
"uid=${toString val.uid}"
"gid=${toString val.gid}"
"huge=within_size"
];
}) (ephemeralDefaults // cfg.ephemeral)) //
(builtins.mapAttrs (key: val: {
device = cfg.device;
fsType = "btrfs";
options = val.options ++ val.extraOptions
++ [ "subvol=${if (val ? subvolume && val.subvolume != null) then val.subvolume else key}" ];
neededForBoot = true;
}) (subvolumeDefaults // cfg.subvolumes));
nix.settings.build-dir = lib.mkDefault "/run/nix";
systemd.services.nix-daemon.environment.TMPDIR = lib.mkDefault "/run/nix";
systemd.tmpfiles.settings.ephemeral = {
"/etc/keys".z = {
mode = "0751";
user = "root";
group = "root";
};
"/etc/credentials".z = {
mode = "0750";
user = "root";
group = "root";
};
"/etc/credentials.encrypted".z = {
mode = "0750";
user = "root";
group = "root";
};
"/run/nix".D = {
mode = "1775";
user = "root";
group = "nixbld";
age = "1d";
};
};
};
}

21
nixos/module/graphical.nix Normal file
View file

@ -0,0 +1,21 @@
{ ... }: { config, lib, pkgs, ... }: {
boot.kernel.sysctl = {
"kernel.sysrq" = lib.mkDefault "0x1f4";
"kernel.unprivileged_userns_clone" = lib.mkDefault 1;
};
environment.pathsToLink = [
"/share/applications"
"/share/xdg-desktop-portal"
];
hardware.graphics.enable = true;
security.polkit.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
pulse.enable = true;
};
}

31
nixos/module/headless.nix Normal file
View file

@ -0,0 +1,31 @@
{ self, ... }: { config, lib, pkgs, ... }: {
imports = with self.nixosModules; [
mimalloc
];
boot.kernelParams = [ "panic=-1" ];
boot.initrd.network = {
enable = false;
ssh.enable = true;
ssh.authorizedKeys = lib.flatten (lib.mapAttrsToList (_: user: user.openssh.authorizedKeys.keys) (lib.filterAttrs (_: user: lib.any (group: group == "wheel") user.extraGroups) config.users.users));
};
hardware.graphics.enable = false;
security.lockKernelModules = true;
security.pam.sshAgentAuth.enable = true;
security.protectKernelImage = true;
services.openssh.enable = true;
services.openssh.openFirewall = true;
systemd.network.networks."97-ethernet-default-dhcp-static.network" = {
matchConfig.Type = "ether";
matchConfig.Name = "en*";
networkConfig.DHCP = "yes";
dhcpV4Config.UseDNS = false;
dhcpV6Config.UseDNS = false;
ipv6AcceptRAConfig.Token = lib.mkDefault "static:::1";
};
}

118
nixos/module/iosched.nix Normal file
View file

@ -0,0 +1,118 @@
{ ... }: { config, lib, pkgs, ... }:
let
cfg = config.hardware.block;
escape = lib.strings.escape [ ''"'' ];
inherit (lib)
mkIf
mkOption
types
concatStrings
mapAttrsToList
optionalString;
in {
options.hardware.block = {
defaultScheduler = mkOption {
type = with types; nullOr nonEmptyStr;
default = null;
description = ''
Default block I/O scheduler.
Unless `null`, the value is assigned through a udev rule matching all
block devices.
'';
example = "kyber";
};
defaultSchedulerRotational = mkOption {
type = with types; nullOr nonEmptyStr;
default = null;
description = ''
Default block I/O scheduler for rotational drives (e.g. hard disks).
Unless `null`, the value is assigned through a udev rule matching all
rotational block devices.
This option takes precedence over
{option}`config.hardware.block.defaultScheduler`.
'';
example = "bfq";
};
scheduler = mkOption {
type = with types; attrsOf nonEmptyStr;
default = { };
description = ''
Assign block I/O scheduler by device name pattern.
Names are matched using the {manpage}`udev(7)` pattern syntax:
`*`
: Matches zero or more characters.
`?`
: Matches any single character.
`[]`
: Matches any single character specified in the brackets. Ranges are
supported via the `-` character.
`|`
: Separates alternative patterns.
Please note that overlapping patterns may produce unexpected results.
More complex configurations requiring these should instead be specified
directly through custom udev rules, for example via
[{option}`config.services.udev.extraRules`](#opt-services.udev.extraRules),
to ensure correct ordering.
Available schedulers depend on the kernel configuration but modern
Linux systems typically support:
`none`
: Nooperation scheduler with no reordering of requests. Suitable
for devices with fast random I/O such as NVMe SSDs.
[`mq-deadline`](https://www.kernel.org/doc/html/latest/block/deadline-iosched.html)
: Simple latencyoriented generalpurpose scheduler.
[`kyber`](https://www.kernel.org/doc/html/latest/block/kyber-iosched.html)
: Simple latencyoriented scheduler for fast multiqueue devices
like NVMe SSDs.
[`bfq`](https://www.kernel.org/doc/html/latest/block/bfq-iosched.html)
: Complex fairnessoriented scheduler. Higher processing overhead,
but good interactive response, especially with slower devices.
Schedulers assigned through this option take precedence over
{option}`config.hardware.block.defaultScheduler` and
{option}`config.hardware.block.defaultSchedulerRotational` but may be
overridden by other udev rules.
'';
example = {
"mmcblk[0-9]*" = "bfq";
"nvme[0-9]*" = "kyber";
};
};
};
config = mkIf (cfg.defaultScheduler != null ||
cfg.defaultSchedulerRotational != null || cfg.scheduler != { }) {
services.udev.packages = [
(pkgs.writeTextDir "etc/udev/rules.d/98-block-io-scheduler.rules"
(optionalString (cfg.defaultScheduler != null) ''
SUBSYSTEM=="block", ACTION=="add|change", TEST=="queue/scheduler", ATTR{queue/scheduler}="${escape cfg.defaultScheduler}"
'' + optionalString (cfg.defaultSchedulerRotational != null) ''
SUBSYSTEM=="block", ACTION=="add|change", ATTR{queue/rotational}=="1", TEST=="queue/scheduler", ATTR{queue/scheduler}="${escape cfg.defaultSchedulerRotational}"
'' + concatStrings (mapAttrsToList (name: sched: ''
SUBSYSTEM=="block", ACTION=="add|change", KERNEL=="${escape name}", ATTR{queue/scheduler}="${escape sched}"
'') cfg.scheduler)))
];
};
meta.maintainers = with lib.maintainers; [ mvs ];
}

141
nixos/module/kernel.nix Normal file
View file

@ -0,0 +1,141 @@
{ self, ... }: { lib, pkgs, ... }: {
boot.consoleLogLevel = lib.mkDefault 3;
boot.initrd = {
includeDefaultModules = lib.mkDefault false;
luks.cryptoModules = lib.mkDefault [ ];
verbose = lib.mkDefault false;
};
boot.kernelPackages = lib.mkDefault
(pkgs.linuxPackagesFor self.packages.${pkgs.system}.linux-hardened);
boot.modprobeConfig.enable = lib.mkDefault false;
boot.kernelParams = [
# Disable kernel messages on the console
"quiet"
# Zerofill page and slab allocations on free
"init_on_free=1"
# Disable I/O delay
"io_delay=none"
# Enable page allocator free list randomisation
"page_alloc.shuffle=1"
# Disable slab merging
"slab_nomerge"
# Disable vsyscall mechanism
"vsyscall=none"
# Enable transparent hugepages
"transparent_hugepage=always"
];
boot.kernel.sysctl = {
# Mitigate some TOCTOU vulnerabilities
"fs.protected_fifos" = 2;
"fs.protected_hardlinks" = 1;
"fs.protected_regular" = 2;
"fs.protected_symlinks" = 1;
# Disable automatic loading of TTY line disciplines
"dev.tty.ldisc_autoload" = 0;
# Disable first 64KiB of virtual memory for allocation
"vm.mmap_min_addr" = 65536;
# Increase ASLR randomisation
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# Restrict ptrace()
"kernel.yama.ptrace_scope" = 1;
# Hide kernel memory addresses
"kernel.kptr_restrict" = 2;
# Restrict kernel log access
"kernel.dmesg_restrict" = 1;
# Enable hardened eBPF JIT
"kernel.unprivileged_bpf_disabled" = 1;
"net.core.bpf_jit_enable" = 1;
"net.core.bpf_jit_harden" = 2;
# Ignore ICMP redirects
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
# Set default Qdisc
"net.core.default_qdisc" = "fq";
# Increase minimum PMTU
"net.ipv4.route.min_pmtu" = 1280;
# Set default TCP congestion control algorithm
"net.ipv4.tcp_congestion_control" = "bbr";
# Enable ECN
"net.ipv4.tcp_ecn" = 1;
# Enable TCP fast open
"net.ipv4.tcp_fastopen" = 3;
# Disable TCP slow start after idling
"net.ipv4.tcp_slow_start_after_idle" = 0;
# Allow reuse of TCP ports during TIME-WAIT
"net.ipv4.tcp_tw_reuse" = 1;
# Enable TCP MTU probing
"net.ipv4.tcp_mtu_probing" = 1;
"net.ipv4.tcp_mtu_probe_floor" = 1220;
# Increase socket buffer space
# default of 16MiB should be sufficient to saturate 1GE
# maximum for 54MiB sufficient for 10GE
"net.core.rmem_default" = 16777216;
"net.core.rmem_max" = 56623104;
"net.core.wmem_default" = 16777216;
"net.core.wmem_max" = 56623104;
"net.core.optmem_max" = 65536;
"net.ipv4.tcp_rmem" = "4096 1048576 56623104";
"net.ipv4.tcp_wmem" = "4096 65536 56623104";
"net.ipv4.tcp_notsent_lowat" = 16384;
"net.ipv4.udp_rmem_min" = 9216;
"net.ipv4.udp_wmem_min" = 9216;
# Reduce TCP keepalive timeout to 2 minutes
"net.ipv4.tcp_keepalive_time" = 60;
"net.ipv4.tcp_keepalive_probes" = 6;
"net.ipv4.tcp_keepalive_intvl" = 10;
# Widen local port range
"net.ipv4.ip_local_port_range" = "16384 65535";
# Increase default MTU
"net.ipv6.conf.default.mtu" = 1452;
"net.ipv6.conf.all.mtu" = 1452;
# Set traffic class for NDP to CS6 (network control)
"net.ipv6.conf.default.ndisc_tclass" = 192;
"net.ipv6.conf.all.ndisc_tclass" = 192;
# Dirty page cache ratio
"vm.dirty_background_ratio" = 3;
"vm.dirty_ratio" = 6;
};
# Work around initrd generation bug
environment.etc."modprobe.d/nixos.conf".text = "";
systemd.tmpfiles.rules = [
"w- /sys/kernel/mm/transparent_hugepage/enabled - - - - always"
"w- /sys/kernel/mm/transparent_hugepage/defrag - - - - defer+madvise"
];
}

7
nixos/module/locale-en_EU.nix Normal file
View file

@ -0,0 +1,7 @@
{ self, ... }: { config, lib, pkgs, ... }: {
i18n.defaultLocale = lib.mkDefault "en_EU.UTF-8";
i18n.glibcLocales = self.packages.${pkgs.system}.locale-en_EU.override {
allLocales = builtins.any (x: x == "all") config.i18n.supportedLocales;
locales = config.i18n.supportedLocales;
};
}

4
nixos/module/mimalloc.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }: { config, lib, pkgs, ... }: {
environment.memoryAllocator.provider = "mimalloc";
environment.variables.MIMALLOC_LARGE_OS_PAGES = 1;
}

49
nixos/module/network.nix Normal file
View file

@ -0,0 +1,49 @@
{ ... }: { lib, name, ... }: {
networking.nameservers = [
"[2a05:f480:1800:d2e::1]:853#resolve.solitary.social"
"80.240.30.163:853#resolve.solitary.social"
"[2a01:4f8:1c0c:6c89::1]:853#resolve.nyantec.com"
"116.203.220.161:853#resolve.nyantec.com"
];
networking.hostName = lib.mkDefault name;
networking.nftables.enable = true;
networking.useNetworkd = true;
services.resolved = {
enable = true;
dnsovertls = "true";
dnssec = "true";
};
systemd.network.networks."98-ethernet-default-dhcp" = {
matchConfig.Type = "ether";
matchConfig.Name = "en*";
DHCP = lib.mkDefault "yes";
dhcpV4Config.UseDNS = false;
dhcpV6Config.UseDNS = false;
ipv6AcceptRAConfig.Token = "prefixstable";
fairQueueingConfig.Pacing = true;
};
systemd.network.networks."98-wireless-client-dhcp" = {
matchConfig.Type = "wlan";
matchConfig.WLANInterfaceType = "station";
DHCP = lib.mkDefault "yes";
dhcpV4Config.UseDNS = false;
dhcpV4Config.RouteMetric = 1025;
dhcpV6Config.UseDNS = false;
ipv6AcceptRAConfig.Token = "prefixstable";
ipv6AcceptRAConfig.RouteMetric = 1025;
cakeConfig = {
Bandwidth = lib.mkDefault "100M";
AutoRateIngress = true;
UseRawPacketSize = false;
PriorityQueueingPreset = "diffserv4";
};
};
}

23
nixos/module/nitrokey-random.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }: { config, lib, pkgs, ... }:
lib.mkIf config.hardware.nitrokey.enable {
services.udev.packages = [
(pkgs.writeTextDir "etc/udev/rules.d/98-nitrokey-random-seed.rules" ''
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1|42b2", TAG+="systemd", ENV{SYSTEMD_WANTS}+="nitrokey-random-seed@%k.service"
'')
];
systemd.services."nitrokey-random-seed@" = {
description = "Feed kernel from Nitrokey TRNG";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.pynitrokey}/bin/nitropy fido2 rng feedkernel";
DynamicUser = true;
SupplementaryGroups = [ "plugdev" ];
AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
DeviceAllow = [ "/dev/%i rw" ];
DevicePolicy = "closed";
};
};
}

67
nixos/module/nix.nix Normal file
View file

@ -0,0 +1,67 @@
{ self, ... }: { lib, pkgs, ... }:
let
inherit (pkgs.stdenv) hostPlatform;
# inherit (inputs.idiosyn.lib.platforms.${hostPlatform.system}.gcc) arch;
in {
imports = with self.nixosModules; [
powersupply
];
nix = {
package = pkgs.lix;
channel.enable = false;
daemonCPUSchedPolicy = "batch";
daemonIOSchedClass = "best-effort";
daemonIOSchedPriority = 7;
gc = {
automatic = true;
dates = "weekly";
randomizedDelaySec = "24h";
options = "--delete-older-than 10d";
};
settings = {
experimental-features = [
"cgroups"
"flakes"
"nix-command"
"repl-flake"
"pipe-operator"
];
allowed-users = [ "@users" ];
trusted-users = [ "@wheel" ];
builders-use-substitutes = true;
download-attempts = 8;
http-connections = 128;
max-substitution-jobs = 128;
preallocate-contents = true;
use-cgroups = true;
use-xdg-base-directories = true;
/* system-features = lib.mkOptionDefault
(map (arch: "gccarch-${arch}") ([ arch ] ++ lib.systems.architectures.inferiors.${arch} or [ ]));*/
};
registry = {
nixpkgs.to = {
type = "path";
path = pkgs.path;
narHash = lib.trim (builtins.readFile
(pkgs.runCommandLocal "get-nixpkgs-hash"
{ nativeBuildInputs = [ pkgs.nix ]; }
"nix-hash --type sha256 --sri ${pkgs.path} > $out"));
};
};
};
systemd = {
services.nix-daemon.serviceConfig.Slice = "nix-build.slice";
slices.nix-build = { };
timers.nix-gc.bindsTo = [ "power-external.target" ];
};
}

64
nixos/module/openssh.nix Normal file
View file

@ -0,0 +1,64 @@
{ ... }: { lib, ...}:
let
ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
sigAlgorithms = [
"ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519"
"sk-ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
];
kexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
];
macs = [
"umac-128-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
];
in {
programs.ssh = {
inherit ciphers kexAlgorithms macs;
hostKeyAlgorithms = sigAlgorithms;
pubkeyAcceptedKeyTypes = sigAlgorithms;
setXAuthLocation = false;
};
services.openssh = {
hostKeys = lib.mkDefault [
{
path = "/etc/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
AuthenticationMethods = "publickey";
Ciphers = ciphers;
Macs = macs;
KexAlgorithms = kexAlgorithms;
HostKeyAlgorithms = lib.concatStringsSep "," sigAlgorithms;
PubkeyAcceptedAlgorithms = lib.concatStringsSep "," sigAlgorithms;
# Remove stale Unix sockets when forwarding
StreamLocalBindUnlink = true;
ClientAliveInterval = 900;
};
};
}

19
nixos/module/physical.nix Normal file
View file

@ -0,0 +1,19 @@
{ self, lanzaboote, ... }: { config, lib, pkgs, ... }: {
imports = [
lanzaboote.nixosModules.lanzaboote
] ++ (with self.nixosModules; [
nitrokey-random
]);
boot = {
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
pkiBundle = lib.mkDefault "/etc/keys/secureboot";
};
};
security.tpm2.enable = true;
services.fwupd.enable = true;
}

34
nixos/module/portable.nix Normal file
View file

@ -0,0 +1,34 @@
{ ... }: { lib, config, pkgs, ... }: {
# Work around TTLbased rate limiting in mobile networks
boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
powerManagement.scsiLinkPolicy = lib.mkDefault "med_power_with_dipm";
services.auto-cpufreq = {
enable = true;
settings = {
battery = {
governor = "powersave";
turbo = "never";
};
charger = {
governor = "powersave";
turbo = "auto";
};
};
};
services.thermald.enable = lib.mkDefault true;
services.tlp.enable = false;
services.udev.packages = [
(pkgs.writeTextDir "/etc/udev/rules.d/98-power-supply-portable.rules" ''
SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", SYSCTL{vm/dirty_writeback_centisecs}="6000"
SUBSYSTEM=="power_supply", ATTR{status}!="Discharging", SYSCTL{vm/dirty_writeback_centisecs}="1500"
SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[3-5]", RUN+="${config.systemd.package}/bin/systemctl suspend"
SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-2]", RUN+="${config.systemd.package}/bin/systemctl poweroff"
'')
];
}

27
nixos/module/powersupply.nix Normal file
View file

@ -0,0 +1,27 @@
{ ... }: { config, lib, pkgs, ... }: {
services.udev.packages = [
(pkgs.writeTextDir "/etc/udev/rules.d/98-power-supply.rules" ''
SUBSYSTEM=="power_supply", KERNEL=="AC", TAG+="systemd", ENV{SYSTEMD_WANTS}+="power-internal.target power-external.target"
'')
];
systemd.targets.power-internal = {
description = "On internal power supply";
conflicts = [ "power-external.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
ConditionACPower = false;
DefaultDependencies = false;
};
};
systemd.targets.power-external = {
description = "On external power supply";
conflicts = [ "power-internal.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
ConditionACPower = true;
DefaultDependencies = false;
};
};
}

21
nixos/module/security.nix Normal file
View file

@ -0,0 +1,21 @@
{ ... }: { lib, config, ... }: {
boot.loader.systemd-boot.editor = false;
security.acme.acceptTerms = true;
security.pam.services.swaylock.fprintAuth = false;
security.pam.services.login.fprintAuth = false;
security.pam.services.sudo-rs = {
fprintAuth = config.services.fprintd.enable;
sshAgentAuth = config.security.pam.sshAgentAuth.enable;
};
security.sudo.enable = false;
security.sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = config.security.pam.services.sudo-rs.fprintAuth
|| config.security.pam.services.sudo-rs.sshAgentAuth;
};
services.logind.killUserProcesses = true;
}

59
nixos/module/users.nix Normal file
View file

@ -0,0 +1,59 @@
{ self, home-manager, ...}: { config, lib, pkgs, ... }:
let
graphical = config.hardware.graphics.enable;
in {
imports = [ home-manager.nixosModules.home-manager ];
home-manager = {
useUserPackages = lib.mkDefault true;
useGlobalPkgs = lib.mkDefault true;
users = { inherit (self.homeConfigurations) nil; };
};
nixpkgs.config.allowUnfreePredicate = lib.mkIf graphical
(pkg: builtins.elem (lib.getName pkg) [ "obsidian" ]);
programs.dconf.enable = lib.mkIf graphical true;
programs.fish.enable = true;
services.udev.packages = [
(pkgs.writeTextDir "/etc/udev/rules.d/98-user-power-supply.rules" ''
SUBSYSTEM=="power_supply", KERNEL=="AC", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}+="power-internal.target power-external.target"
'')
];
systemd.user = {
targets = {
power-internal = {
description = "On internal power supply";
conflicts = [ "power-external.target" ];
wantedBy = [ "default.target" ];
unitConfig = {
ConditionACPower = false;
DefaultDependencies = false;
};
};
power-external = {
description = "On external power supply";
conflicts = [ "power-internal.target" ];
wantedBy = [ "default.target" ];
unitConfig = {
ConditionACPower = true;
DefaultDependencies = false;
};
};
};
};
users.users.nil = {
isNormalUser = true;
shell = config.programs.fish.package;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICczPHRwY9MAwDGlcB0QgMOJjcpLJhVU3covrW9RBS62AAAABHNzaDo= primary"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAgnEAwe59/yY/U55y7WxGa/QI20/XMQEsQvs1/6LitRAAAABHNzaDo= backup"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOTvXiNHTXq9wkcxdVOblHVyvcAaCfxmJp/CXI4rzMj legacy"
];
};
}

16
nixos/module/wireless.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }: { config, ...}: {
hardware.bluetooth.enable = true;
hardware.wirelessRegulatoryDatabase = true;
networking.wireless.iwd = {
enable = true;
settings = {
General = {
AddressRandomization = "network";
};
Rank = {
BandModifier2_4GHz = 0.8;
};
};
};
}

82
nixos/module/zram.nix Normal file
View file

@ -0,0 +1,82 @@
{ ... }: { lib, pkgs, ... }: {
boot.kernelParams = [
"zswap.zpool=zsmalloc"
"zram.num_devices=0"
];
boot.kernel.sysctl = {
"vm.page-cluster" = lib.mkDefault 0;
"vm.swappiness" = lib.mkDefault 180;
"vm.watermark_boost_factor" = lib.mkDefault 0;
"vm.watermark_scale_factor" = lib.mkDefault 125;
};
systemd.services.zram-swap =
let
writeShell = { name, text, runtimeInputs ? [ ] }:
pkgs.writeShellApplication { inherit name text runtimeInputs; } + "/bin/${name}";
in {
description = "Compressed in-memory swap space";
wantedBy = [ "swap.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
RuntimeDirectory = "zram-swap";
CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_SYS_ADMIN" ];
SystemCallFilter = [ "@system-service" "@swap" ];
ExecStartPre = writeShell {
name = "zram-swap-start-pre";
runtimeInputs = with pkgs; [ coreutils getconf util-linux ];
text = ''
pages="$(getconf _PHYS_PAGES)"
pagesize="$(getconf PAGESIZE)"
dev="$(cat /sys/class/zram-control/hot_add)"
echo "$dev" >"$RUNTIME_DIRECTORY/device"
echo zstd >"/sys/block/zram$dev/comp_algorithm"
echo "$((pages * pagesize * 3 / 2))" >"/sys/block/zram$dev/disksize"
echo "$((pages * pagesize * 3 / 4))" >"/sys/block/zram$dev/mem_limit"
mkswap "/dev/zram$dev"
'';
};
ExecStart = writeShell {
name = "zram-swap-start";
runtimeInputs = with pkgs; [ util-linux ];
text = ''
swapon --discard --priority 32767 "/dev/zram$(<"$RUNTIME_DIRECTORY/device")"
'';
};
ExecStop = writeShell {
name = "zram-swap-stop";
runtimeInputs = with pkgs; [ util-linux ];
text = ''
swapoff "/dev/zram$(<"$RUNTIME_DIRECTORY/device")"
'';
};
ExecStopPost = writeShell {
name = "zram-swap-stop-post";
runtimeInputs = with pkgs; [ coreutils ];
text = ''
test -s "$RUNTIME_DIRECTORY/device" || exit 0
dev="$(<"$RUNTIME_DIRECTORY/device")"
echo 1 >"/sys/block/zram$dev/reset"
echo "$dev" >/sys/class/zram-control/hot_remove
rm -f -- "$RUNTIME_DIRECTORY/device"
'';
};
};
};
}

13
overlay/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ self, nixpkgs, lix-module, colmena, rust-overlay, ... }:
final: prev:
nixpkgs.lib.composeManyExtensions [
lix-module.overlays.default
colmena.overlays.default
rust-overlay.overlays.default
# self.overlays.no-x
# self.overlays.no-alsa
# self.overlays.no-jemalloc
# self.overlays.modern-minimal
] final prev

69
overlay/modern-minimal.nix Normal file
View file

@ -0,0 +1,69 @@
{ nixpkgs, ... }: final: prev: {
curl = prev.curl.override {
gssSupport = false;
scpSupport = false;
zstdSupport = true;
};
ffmpeg = prev.ffmpeg.override {
ffmpegVariant = "headless";
withAlsa = false;
withSsh = false;
};
firefox-unwrapped = prev.firefox-unwrapped.override {
alsaSupport = false;
gssSupport = false;
jemallocSupport = false;
sndioSupport = false;
};
firefox = final.wrapFirefox final.firefox-unwrapped { };
imv = prev.imv.override {
withWindowSystem = "wayland";
};
mesa = prev.mesa.override {
galliumDrivers = [
"iris"
"kmsro"
"nouveau"
"radeonsi"
"swrast"
"zink"
];
vulkanDrivers = [
"amd"
"intel"
"nouveau"
"swrast"
];
eglPlatforms = [ "wayland" ];
};
mpv-unwrapped = prev.mpv-unwrapped.override {
alsaSupport = false;
cacaSupport = false;
openalSupport = false;
sdl2Support = false;
vdpauSupport = false;
x11Support = false;
xineramaSupport = false;
xvSupport = false;
};
mpv = final.mpv-unwrapped.wrapper {
mpv = final.mpv-unwrapped;
};
systemd = prev.systemd.override {
withApparmor = false;
withHomed = false;
withIptables = false;
};
foo = null;
}

20
overlay/no-alsa.nix Normal file
View file

@ -0,0 +1,20 @@
{ nixpkgs, ... }: final: prev:
let
inherit (nixpkgs.lib.attrsets) genAttrs;
in genAttrs [
"SDL2"
"firefox-unwrapped"
"mpv-unwrapped"
] (pkg: prev.${pkg}.override { alsaSupport = false; })
// genAttrs [
"ffmpeg"
"libcanberra"
] (pkg: prev.${pkg}.override { withAlsa = false; })
// {
firefox = final.wrapFirefox final.firefox-unwrapped { };
mpv = final.mpv-unwrapped.wrapper {
mpv = final.mpv-unwrapped;
};
}

10
overlay/no-jemalloc.nix Normal file
View file

@ -0,0 +1,10 @@
{ nixpkgs, ... }: final: prev:
let
inherit (nixpkgs.lib.attrsets) genAttrs;
in genAttrs [
"firefox-unwrapped"
] (pkg: prev.${pkg}.override { jemallocSupport = false; })
// {
firefox = final.wrapFirefox final.firefox-unwrapped { };
}

102
overlay/no-x.nix Normal file
View file

@ -0,0 +1,102 @@
{ nixpkgs, ... }: final: prev:
let
inherit (nixpkgs.lib.attrsets) genAttrs;
inherit (nixpkgs.lib.lists) remove toList;
inherit (nixpkgs.lib.strings) mesonBool mesonEnable;
in genAttrs [
"SDL2"
"cairo"
"dbus"
"ghostscript"
"gobject-introspection"
"gtk3"
"gtk4"
"imlib2"
"libcaca"
"pango"
"pipewire"
] (pkg: prev.${pkg}.override { x11Support = false; })
// genAttrs [
"intel-media-driver"
"mupdf"
] (pkg: prev.${pkg}.override { enableX11 = false; })
// genAttrs [
"hyprland"
"sway"
"sway-unwrapped"
"swayfx"
"swayfx-unwrapped"
"wlroots"
] (pkg: prev.${pkg}.override { enableXWayland = false; })
// {
beam = prev.beam_nox;
graphviz = prev.graphviz-nox;
gammastep = prev.gammastep.override {
withRandr = false;
};
gd = prev.gd.override { withXorg = false; };
gst_all_1 = prev.gst_all_1 // genAttrs [
"gst-plugins-base"
"gst-plugins-good"
] (pkg: prev.gst_all_1.${pkg}.override { enableX11 = false; });
imagemagick = prev.imagemagick.override {
libX11Support = false;
libXtSupport = false;
};
libepoxy = (prev.libepoxy.overrideAttrs (prevAttrs: {
buildInputs = prevAttrs.buildInputs or [ ]
++ [ final.libGL ];
mesonFlags = prevAttrs.mesonFlags or [ ]
|> map (flag: if flag == "-Degl=no" then "-Degl=yes" else flag);
})).override {
x11Support = false;
};
libgnomekbd = prev.libgnomekbd.overrideAttrs (prevAttrs: {
mesonFlags = prevAttrs.mesonFlags or [ ]
++ [ (mesonBool "tests" false) ];
});
mesa = (prev.mesa.overrideAttrs (prevAttrs: {
mesonFlags = prevAttrs.mesonFlags or [ ] ++ [
(mesonEnable "xlib-lease" false)
(mesonEnable "glx" false)
(mesonEnable "gallium-vdpau" false)
];
})).override {
eglPlatforms = [ "wayland" ];
};
mpv-unwrapped = prev.mpv-unwrapped.override {
x11Support = false;
xineramaSupport = false;
xvSupport = false;
};
mpv = final.mpv-unwrapped.wrapper {
mpv = final.mpv-unwrapped;
};
w3m = prev.w3m.override {
x11Support = false;
imlib2 = final.imlib2;
};
utsushi = prev.utsushi.overrideAttrs (prevAttrs: {
buildInputs = remove prev.gtkmm2.dev prevAttrs.buildInputs;
});
wayland = prev.wayland.override {
# broken
withDocumentation = false;
};
}

14
overlay/pkgconf.nix Normal file
View file

@ -0,0 +1,14 @@
{ ... }:
final: prev: {
pkg-config = prev.pkg-config.override {
pkg-config = final.libpkgconf.overrideAttrs (prevAttrs: {
postInstall = let
ext = final.hostPlatform.extensions.executable;
in prevAttrs.postInstall or "" + ''
ln -s pkgconf${ext} "$out/bin/pkg-config${ext}"
ln -s pkgconf.1 "$man/share/man/man1/pkg-config.1"
'';
});
};
}

29
package/libslz.nix Normal file
View file

@ -0,0 +1,29 @@
{ ... }: { lib, stdenv, fetchFromGitHub }:
stdenv.mkDerivation (finalAttrs: {
pname = "libslz";
version = "1.2.1";
src = fetchFromGitHub {
owner = "wtarreau";
repo = finalAttrs.pname;
rev = "v${finalAttrs.version}";
hash = "sha256-+3e0yTk6l8miQs/zBYSiPuj/gRWICR3QYTkV3OAHAtI=";
};
makeFlags = [
"TOPDIR=$(src)"
"PREFIX=$(out)"
];
buildFlags = [
"CROSS_COMPILE=${stdenv.cc.targetPrefix}"
"CC=cc"
];
meta = {
homepage = "http://www.libslz.org/";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ mvs ];
};
})

633
package/linux-hardened/config.nix Normal file
View file

@ -0,0 +1,633 @@
{ kernel, lib, hostPlatform, systemd }: with kernel; {
meta = {
EXPERT = true;
STAGING = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
PROCESSOR_SELECT = true;
};
build = {
COMPILE_TEST = false;
WERROR = true;
STANDALONE = true;
PREVENT_FIRMWARE_BUILD = true;
JUMP_LABEL = true;
LTO_CLANG_FULL = true;
};
boot = {
KERNEL_ZSTD = true;
BLK_DEV_INITRD = true;
RD_GZIP = false;
RD_BZIP2 = false;
RD_LZMA = false;
RD_XZ = false;
RD_LZO = false;
RD_LZ4 = false;
RD_ZSTD = true;
BOOT_CONFIG = true;
EFI = true;
EFI_STUB = true;
DEVTMPFS = true;
DEVTMPFS_MOUNT = true;
DEVTMPFS_SAFE = true;
FW_LOADER = true;
FW_LOADER_COMPRESS = true;
FW_LOADER_COMPRESS_XZ = false;
FW_LOADER_COMPRESS_ZSTD = true;
FW_CACHE = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
EFI_HANDOVER_PROTOCOL = false;
};
debug = {
KALLSYMS = true;
KALLSYMS_ALL = false;
SYMBOLIC_ERRNAME = true;
DEBUG_BUGVERBOSE = true;
DEBUG_INFO_DWARF5 = true;
DEBUG_INFO_SPLIT = true;
STRIP_ASM_SYMS = true;
MAGIC_SYSRQ = true;
MAGIC_SYSRQ_DEFAULT_ENABLE = "0x1f4";
SLUB_DEBUG = false;
DEBUG_WX = true;
WARN_ALL_UNSEEDED_RANDOM = true;
RCU_TRACE = false;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_VERBOSE_BOOTUP = false;
EARLY_PRINTK = false;
X86_DEBUG_FPU = false;
UNWINDER_ORC = true;
};
firmware = {
EFI_DXE_MEM_ATTRIBUTES = true;
EFI_BOOTLOADER_CONTROL = true;
RESET_ATTACK_MITIGATION = true;
EFI_DISABLE_PCI_DMA = true;
EFIVAR_FS = true;
# pstore
PSTORE = true;
PSTORE_COMPRESS = true;
EFI_VARS_PSTORE = true;
};
platform = {
"64BIT" = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_MPPARSE = false;
X86_FRED = true;
X86_EXTENDED_PLATFORM = false;
CPU_SUP_HYGON = false;
CPU_SUP_CENTAUR = false;
CPU_SUP_ZHAOXIN = false;
} // lib.optionalAttrs hostPlatform.isAarch64 {
ARM64_VA_BITS_48 = true;
ARM64_PAN = true;
ARM64_USE_LSE_ATOMICS = true;
ARM64_CNP = true;
ARM64_PTR_AUTH = true;
ARM64_EPAN = true;
} // lib.optionalAttrs hostPlatform.isRiscV64 {
ARCH_RV64I = true;
COMPAT = false;
};
security = {
SECCOMP = true;
# Kernel memory base
RELOCATABLE = true;
RANDOMIZE_BASE = true;
RANDOMIZE_MEMORY = true;
# Stack protection
STACKPROTECTOR = true;
STACKPROTECTOR_STRONG = true;
VMAP_STACK = true;
RANDOMIZE_KSTACK_OFFSET = true;
RANDOMIZE_KSTACK_OFFSET_DEFAULT = true;
INIT_STACK_ALL_ZERO = true;
STRICT_KERNEL_RWX = true;
CFI_CLANG = true;
# Slab allocator
SLAB_MERGE_DEFAULT = false;
SLAB_FREELIST_RANDOM = true;
SLAB_FREELIST_HARDENED = true;
SLAB_CANARY = true;
SLUB_CPU_PARTIAL = true;
RANDOM_KMALLOC_CACHES = true;
# Page allocator
SHUFFLE_PAGE_ALLOCATOR = true;
COMPAT_BRK = false;
INIT_ON_FREE_DEFAULT_ON = true;
# False positives in combination with panic on BUG()
PAGE_SANITIZE_VERIFY = false;
SLAB_SANITIZE_VERIFY = false;
MODULES = false;
LDISC_AUTOLOAD = false;
DEVMEM = false;
DEVPORT = false;
DEBUG_FS = false;
# Bounds checking
# False positives in iwlwifi
#UBSAN = true;
#UBSAN_BOUNDS = true;
#UBSAN_SIGNED_WRAP = false;
#UBSAN_BOOL = false;
#UBSAN_ENUM = false;
# Memory safety error detection
KFENCE = true;
KFENCE_DEFERRABLE = true;
KFENCE_BUG_ON_DATA_CORRUPTION = true;
PANIC_ON_OOPS = true;
PANIC_TIMEOUT = (-1);
HARDENED_USERCOPY = true;
FORTIFY_SOURCE = true;
SECURITY_DMESG_RESTRICT = true;
SECURITY_PERF_EVENTS_RESTRICT = true;
SECURITY_TIOCSTI_RESTRICT = true;
SECURITY = true;
SECURITY_NETWORK = true;
SECURITY_SELINUX = false;
SECURITY_YAMA = true;
SECURITY_LOCKDOWN_LSM = true;
SECURITY_LOCKDOWN_LSM_EARLY = true;
LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = true;
SECURITY_LANDLOCK = true;
LIST_HARDENED = true;
BUG_ON_DATA_CORRUPTION = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_UMIP = true;
X86_USER_SHADOW_STACK = true;
STRICT_SIGALTSTACK_SIZE = true;
};
timer = {
NO_HZ_FULL = true;
HIGH_RES_TIMERS = true;
HZ_1000 = true;
RTC_CLASS = true;
RTC_HCTOSYS = true;
RTC_SYSTOHC = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_PM_TIMER = true;
RTC_DRV_CMOS = true;
};
interfaces = {
SYSVIPC = true;
USELIB = false;
UID16 = false;
SGETMASK_SYSCALL = false;
SYSFS_SYSCALL = false;
POSIX_TIMERS = true;
PCSPKR_PLATFORM = false;
FUTEX = true;
EPOLL = true;
AIO = false;
IO_URING = true;
ADVISE_SYSCALLS = true;
COMPAT_VDSO = false;
COMPAT_32BIT_TIME = false;
DNOTIFY = false;
bpf = {
BPF_SYSCALL = true;
BPF_JIT = true;
BPF_JIT_ALWAYS_ON = true;
BPF_UNPRIV_DEFAULT_OFF = true;
BPF_LSM = true;
};
namespaces = {
NAMESPACES = true;
UTS_NS = true;
TIME_NS = true;
USER_NS = true;
USER_NS_UNPRIVILEGED = false;
PID_NS = true;
NET_NS = true;
};
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_VSYSCALL_EMULATION = false;
X86_IOPL_IOPERM = false;
LEGACY_VSYSCALL_NONE = true;
MODIFY_LDT_SYSCALL = false;
IA32_EMULATION = false;
};
scheduler = {
SMP = true;
PREEMPT_DYNAMIC = false;
SCHED_CORE = true;
SCHED_CLUSTER = true;
SCHED_MC = true;
SCHED_AUTOGROUP = true;
RCU_NOCB_CPU_DEFAULT_ALL = true;
RCU_LAZY = true;
CGROUPS = true;
BLK_CGROUP = true;
CGROUP_SCHED = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
SCHED_OMIT_FRAME_POINTER = true;
SCHED_MC_PRIO = true;
};
memory = {
NUMA = true;
NUMA_BALANCING = true;
NUMA_BALANCING_DEFAULT_ENABLED = true;
SPARSEMEM_VMEMMAP = true;
MEMORY_HOTPLUG = true;
MEMORY_HOTREMOVE = true;
COMPACTION = true;
MIGRATION = true;
KSM = true;
TRANSPARENT_HUGEPAGE = true;
TRANSPARENT_HUGEPAGE_ALWAYS = true;
READ_ONLY_THP_FOR_FS = true;
HUGETLBFS = true;
HUGETLB_PAGE_OPTIMIZE_VMEMMAP = true;
HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = true;
DEFERRED_STRUCT_PAGE_INIT = true;
ZONE_DEVICE = true;
DEVICE_PRIVATE = true;
LRU_GEN = true;
LRU_GEN_ENABLED = true;
DMADEVICES = true;
ASYNC_TX_DMA = option true;
zram = {
SWAP = true;
ZSMALLOC = true;
ZRAM = true;
ZRAM_DEF_COMP_ZSTD = true;
ZRAM_WRITEBACK = true;
CRYPTO_ZSTD = true;
};
} // lib.optionalAttrs hostPlatform.isx86_64 {
AMD_NUMA = option false;
X86_64_ACPI_NUMA = true;
X86_INTEL_TSX_MODE_AUTO = true;
ADDRESS_MASKING = false;
};
block = {
BLOCK = true;
BLOCK_LEGACY_AUTOLOAD = false;
BLK_DEV = true;
BLK_DEV_WRITE_MOUNTED = true;
BLK_WBT = true;
BLK_WBT_MQ = true;
PARTITION_ADVANCED = true;
MSDOS_PARTITION = false;
EFI_PARTITION = true;
MQ_IOSCHED_DEADLINE = true;
MQ_IOSCHED_KYBER = true;
IOSCHED_BFQ = true;
BFQ_GROUP_IOSCHED = true;
BLK_DEV_LOOP = true;
BLK_DEV_LOOP_MIN_COUNT = 0;
};
binfmt = {
BINFMT_ELF = true;
CORE_DUMP_DEFAULT_ELF_HEADERS = true;
BINFMT_SCRIPT = true;
BINFMT_MISC = true;
COREDUMP = true;
};
io = {
IOMMU_SUPPORT = true;
IOMMU_DEFAULT_DMA_STRICT = true;
IRQ_REMAP = true;
SWIOTLB_DYNAMIC = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_X2APIC = true;
AMD_IOMMU = option true;
INTEL_IOMMU = option true;
INTEL_IOMMU_SVM = option true;
INTEL_IOMMU_DEFAULT_ON = option true;
INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON = option true;
IO_DELAY_NONE = true;
} // lib.optionalAttrs hostPlatform.isAarch64 {
ARM_SMMU_V3 = true;
};
bus = {
PCI = true;
PCIEPORTBUS = true;
PCI_MSI = true;
PCIE_BUS_PERFORMANCE = true;
HID_SUPPORT = true;
HID = true;
HIDRAW = true;
UHID = true;
HID_GENERIC = true;
USB_HID = true;
USB_HIDDEV = true;
USB_SUPPORT = true;
USB = true;
USB_PCI = true;
USB_ANNOUNCE_NEW_DEVICES = true;
USB_DEFAULT_PERSIST = true;
USB_DYNAMIC_MINORS = true;
USB_XHCI_HCD = true;
USB_XHCI_PCI = true;
};
power = {
PM = true;
ENERGY_MODEL = true;
ACPI = true;
ACPI_APEI = true;
ACPI_NUMA = true;
CPU_FREQ = true;
CPU_FREQ_STAT = true;
CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = true;
CPU_FREQ_GOV_SCHEDUTIL = true;
CPU_IDLE = true;
CPU_IDLE_GOV_MENU = false;
CPU_IDLE_GOV_TEO = true;
PCIEASPM = true;
PCIEASPM_POWER_SUPERSAVE = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
X86_ACPI_CPUFREQ = true;
X86_ACPI_CPUFREQ_CPB = false;
} // lib.optionalAttrs (hostPlatform.isAarch64 || hostPlatform.isRiscV64) {
ACPI_CPPC_CPUFREQ = true;
};
framebuffer = {
DRM_SIMPLE_DRM = option true;
FB = true;
FB_EFI = true;
FB_SIMPLE = option true;
FB_DEVICE = false;
VGA_CONSOLE = false;
FRAMEBUFFER_CONSOLE = true;
FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = true;
SYSFB_SIMPLEFB = true;
};
network = {
NET = true;
PACKET = true;
PACKET_DIAG = true;
UNIX = true;
UNIX_DIAG = true;
XDP_SOCKETS = true;
XDP_SOCKETS_DIAG = true;
INET = true;
SYN_COOKIES = true;
INET_DIAG = true;
INET_UDP_DIAG = true;
INET_RAW_DIAG = true;
TCP_CONG_ADVANCED = true;
TCP_CONG_BIC = false;
TCP_CONG_CUBIC = false;
TCP_CONG_WESTWOOD = false;
TCP_CONG_HTCP = false;
TCP_CONG_BBR = true;
DEFAULT_BBR = true;
IPV6 = true;
NETFILTER = true;
NETFILTER_ADVANCED = true;
NETFILTER_INGRESS = true;
NETFILTER_EGRESS = true;
NETFILTER_NETLINK_LOG = true;
NF_LOG_SYSLOG = true;
NF_CONNTRACK = true;
NF_TABLES = true;
NF_TABLES_INET = true;
NFT_CT = true;
NFT_CONNLIMIT = true;
NFT_LIMIT = true;
NFT_LOG = true;
NFT_REJECT = true;
NFT_FIB_INET = true;
NF_TABLES_IPV4 = true;
NFT_FIB_IPV4 = true;
NF_TABLES_IPV6 = true;
NFT_FIB_IPV6 = true;
NET_SCH_CAKE = true;
NET_SCH_FQ = true;
NET_SCH_DEFAULT = true;
DEFAULT_FQ = true;
DEFAULT_NET_SCH = "fq";
NETLINK_DIAG = true;
ETHTOOL_NETLINK = true;
NETDEVICES = true;
ETHERNET = true;
};
chardev = {
TTY = true;
VT = true;
CONSOLE_TRANSLATIONS = true;
VT_CONSOLE = true;
UNIX98_PTYS = true;
SERIAL_DEV_BUS = true;
SERIAL_DEV_CTRL_TTYPORT = true;
HW_RANDOM = true;
HW_RANDOM_INTEL = false;
HW_RANDOM_AMD = false;
HW_RANDOM_VIA = false;
TCG_TPM = true;
TCG_TPM2_HMAC = true;
HW_RANDOM_TPM = true;
TCG_TIS = true;
TCG_CRB = true;
};
input = {
INPUT = true;
INPUT_SPARSEKMAP = true;
INPUT_EVDEV = true;
INPUT_KEYBOARD = true;
};
filesystem = {
OVERLAY_FS = true;
OVERLAY_FS_REDIRECT_DIR = true;
OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW = false;
OVERLAY_FS_XINO_AUTO = true;
OVERLAY_FS_METACOPY = true;
MSDOS_FS = true;
VFAT_FS = true;
FAT_DEFAULT_UTF8 = true;
PROC_FS = true;
PROC_KCORE = false;
PROC_SYSCTL = true;
PROC_PAGE_MONITOR = true;
SYSFS = true;
TMPFS = true;
TMPFS_POSIX_ACL = true;
EFIVAR_FS = true;
EROFS_FS = true;
EROFS_FS_XATTR = true;
EROFS_FS_POSIX_ACL = true;
EROFS_FS_SECURITY = false;
EROFS_FS_ZIP = true;
EROFS_FS_ZIP_ZSTD = true;
NLS = true;
NLS_CODEPAGE_437 = true;
NLS_ISO8859_1 = true;
UNICODE = true;
};
fonts = {
FONTS = true;
FONT_TER16x32 = true;
};
systemd = lib.optionalAttrs (lib.meta.availableOn hostPlatform systemd) {
# Base requirements
DEVTMPFS = true;
CGROUPS = true;
INOTIFY_USER = true;
SIGNALFD = true;
TIMERFD = true;
EPOLL = true;
UNIX = true;
PROC_FS = true;
FHANDLE = true;
# Legacy interfaces
UEVENT_HELPER = false;
FW_LOADER_USER_HELPER = false;
# udev & virtualisation
DMIID = true;
# SCSI device serial number retrieval
BLK_DEV_BSG = option true;
# PrivateNetwork
NET_NS = true;
# PrivateUser
USER_NS = true;
# Optional but recommended
IPV6 = true;
AUTOFS_FS = true;
TMPFS_XATTR = true;
TMPFS_POSIX_ACL = true;
SECCOMP = true;
SECCOMP_FILTER = true;
KCMP = true;
NET_SCHED = true;
# CPUShares
CGROUP_SCHED = true;
FAIR_GROUP_SCHED = true;
# CPUQuota
CFS_BANDWIDTH = true;
# IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces
BPF = true;
BPF_SYSCALL = true;
BPF_JIT = true;
CGROUP_BPF = true;
# EFI
EFIVAR_FS = true;
EFI_PARTITION = true;
# SMBIOS credentials
DMI = true;
DMI_SYSFS = true;
# Realtime scheduling
RT_GROUP_SCHED = false;
# systemd-oomd
PSI = true;
MEMCG = true;
AUDIT = false;
};
}

251
package/linux-hardened/package.nix Normal file
View file

@ -0,0 +1,251 @@
{ self, ... }: {
lib,
stdenv,
buildPackages,
llvmPackages_19,
hostPlatform,
fetchFromGitHub,
buildEnv,
callPackage,
linux-firmware,
sof-firmware,
wireless-regdb,
systemd,
jq,
python3,
perl,
flex,
bison,
bc,
openssl,
zstd,
elfutils,
kmod,
...
}@args:
lib.makeOverridable ({
llvmPackages ? llvmPackages_19,
instSetArch ? hostPlatform.gccarch or null,
extraConfig ? { },
firmwarePackages ? [
linux-firmware
sof-firmware
wireless-regdb
],
extraFirmware ? [ ],
...
}:
let
inherit (self.lib) kernel;
inherit (lib.attrsets)
filterAttrs
mapAttrsToList
mergeAttrsList;
inherit (lib.strings)
concatStringsSep;
firmwareEnv = buildEnv {
name = "linux-firmware";
pathsToLink = [ "/lib/firmware" ];
paths = firmwarePackages;
} + "/lib/firmware";
config = lib.mergeAttrsList (map kernel.flattenAttrs [
(import ./config.nix { inherit kernel lib hostPlatform systemd; })
extraConfig
{
EXTRA_FIRMWARE = extraFirmware;
EXTRA_FIRMWARE_DIR = kernel.option firmwareEnv;
}
]);
in stdenv.mkDerivation (finalAttrs: {
__structuredAttrs = true;
pname = "linux-hardened";
version = "6.10.4-hardened1";
modDirVersion = lib.versions.pad 3 finalAttrs.version;
src = fetchFromGitHub {
owner = "anthraxx";
repo = finalAttrs.pname;
rev = "v${finalAttrs.version}";
hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";
};
depsBuildBuild = [
jq
flex
bison
bc
python3
perl
openssl
zstd
];
nativeBuildInputs = [
elfutils
kmod
];
makeFlags = [
"ARCH:=${hostPlatform.linuxArch}"
"HOSTCC:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
"HOSTCXX:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++"
"HOSTLD:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ld"
"HOSTAR:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ar"
"CC:=${llvmPackages.clang-unwrapped}/bin/clang"
"LD:=${llvmPackages.lld}/bin/ld.lld"
"AR:=${llvmPackages.llvm}/bin/llvm-ar"
"NM:=${llvmPackages.llvm}/bin/llvm-nm"
"OBJCOPY:=${llvmPackages.llvm}/bin/llvm-objcopy"
"OBJDUMP:=${llvmPackages.llvm}/bin/llvm-objdump"
"READELF:=${llvmPackages.llvm}/bin/llvm-readelf"
"STRIP:=${llvmPackages.llvm}/bin/llvm-strip"
];
configfile = config |> kernel.mkConfig;
requiredPresent = config
|> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v != false)
|> mapAttrsToList kernel.mkKeyValue;
optionalPresent = config
|> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v != false)
|> mapAttrsToList kernel.mkKeyValue;
requiredAbsent = config
|> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v == false)
|> mapAttrsToList (n: v: kernel.mkKey n);
optionalAbsent = config
|> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v == false)
|> mapAttrsToList (n: v: kernel.mkKey n);
postPatch = ''
patchShebangs scripts/
'';
preConfigure = ''
mkdir build
export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$SOURCE_DATE_EPOCH)"
export KBUILD_OUTPUT="$(pwd)/build"
makeFlags+=( "-j $NIX_BUILD_CORES" )
'' + lib.optionalString (hostPlatform ? linux-kernel.target) ''
export KBUILD_IMAGE=${lib.escapeShellArg hostPlatform.linux-kernel.target}
'' + lib.optionalString (instSetArch != null) ''
export KCFLAGS="-march=${lib.escapeShellArg instSetArch}"
'';
configurePhase = ''
runHook preConfigure
cat >build/.config <<<"$configfile"
make "''${makeFlags[@]}" olddefconfig
runHook postConfigure
'';
postConfigure = ''
# Verify configuration
for keyValue in "''${requiredPresent[@]}"; do
if ! grep -F -x -q "$keyValue" build/.config; then
printf 'Required: %s\nActual: %s\n\n' "$keyValue" \
"$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2
exit 1
fi
done
for key in "''${requiredAbsent[@]}"; do
if grep -E -q "^$key=" build/.config; then
printf 'Required: %s unset or absent.\n Actual: %s\n\n' "$key" \
"$(grep -E -q "^key=" build/.config)" >&2
exit 1
fi
done
for keyValue in "''${optionalPresent[@]}"; do
if ! grep -F -x -q "$keyValue" build/.config; then
printf 'Suggested: %s\nActual: %s\n\n' "$keyValue" \
"$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2
fi
done
for key in "''${optionalAbsent[@]}"; do
if grep -E -q "^$key=" build/.config; then
printf 'Suggested: %s unset or absent.\nActual: %s\n\n' "$key" \
"$(grep -E "^$key=" build/.config)" >&2
fi
done
'';
preInstall = let
installkernel = buildPackages.writeShellScriptBin "installkernel" ''
cp "$2" "$4"
cp "$3" "$4"
'';
in ''
export HOME=${installkernel}
'';
installFlags = [
"INSTALL_PATH=$(out)"
"INSTALL_MOD_PATH=$(out)"
];
installTargets = [
"install"
"modules_install"
];
postInstall = ''
depmod -b "$out" ${finalAttrs.modDirVersion}
touch "$out/lib/modules/${finalAttrs.modDirVersion}/modules.order"
'';
passthru = {
profile = import ./profile.nix { inherit kernel lib hostPlatform; };
config = with kernel; {
isYes = option: getValue config.${option} or false == true;
isNo = option: getValue config.${option} or false == false;
isModule = option: false;
isEnabled = option: getValue config.${option} or false == true;
isDisabled = option: getValue config.${option} or false == false;
};
isHardened = true;
isLibre = false;
isZen = false;
features = {
efiBootStub = true;
};
kernelOlder = lib.versionOlder finalAttrs.version;
kernelAtLeast = lib.versionAtLeast finalAttrs.version;
};
meta = {
homepage = "https://github.com/anthraxx/linux-hardened";
license = lib.licenses.gpl2Only;
maintainers = with lib.maintainers; [ mvs ];
platforms = [ "x86_64-linux" "aarch64-linux" "riscv64-linux" ];
};
})) args

231
package/linux-hardened/profile.nix Normal file
View file

@ -0,0 +1,231 @@
{ kernel, lib, hostPlatform }: with kernel; {
paravirt = {
HYPERVISOR_GUEST = true;
PARAVIRT = true;
PARAVIRT_SPINLOCKS = true;
KVM_GUEST = true;
ARCH_CPUIDLE_HALTPOLL = true;
PARAVIRT_CLOCK = true;
HALTPOLL_CPUIDLE = true;
FW_CFG_SYSFS = true;
BLK_MQ_VIRTIO = true;
VIRTIO_BLK = true;
VIRTIO_NET = true;
VIRTIO_CONSOLE = true;
HW_RANDOM_VIRTIO = true;
DRM = true;
DRM_FBDEV_EMULATION = true;
DRM_VIRTIO_GPU = true;
DRM_VIRTIO_GPU_KMS = true;
DRM_BOCHS = true;
DRM_SIMPLEDRM = true;
VIRT_DRIVERS = true;
VMGENID = true;
VIRTIO_MENU = true;
VIRTIO = true;
VIRTIO_PCI = true;
VIRTIO_PCI_LEGACY = false;
VIRTIO_BALLOON = true;
VIRTIO_INPUT = true;
VIRTIO_IOMMU = true;
FUSE_FS = true;
VIRTIO_FS = true;
};
physical = {
ACPI_BUTTON = true;
ACPI_VIDEO = true;
ACPI_FAN = true;
ACPI_TAD = true;
ACPI_PROCESSOR_AGGREGATOR = true;
ACPI_THERMAL = true;
ACPI_PCI_SLOT = true;
SCSI = true;
BLK_DEV_SD = true;
CHR_DEV_SG = true;
SCSI_CONSTANTS = true;
SCSI_SCAN_ASYNC = true;
USB_STORAGE = true;
USB_UAS = true;
LEDS_CLASS = true;
LEDS_TRIGGERS = true;
LEDS_TRIGGER_PANIC = true;
LEDS_TRIGGER_NETDEV = true;
EDAC = true;
THERMAL = true;
THERMAL_NETLINK = true;
THERMAL_DEFAULT_GOV_FAIR_SHARE = true;
THERMAL_GOV_FAIR_SHARE = true;
POWERCAP = true;
RAS = true;
};
portable = {
PREEMPT_VOLUNTARY = true;
SUSPEND = true;
WQ_POWER_EFFICIENT_DEFAULT = true;
ACPI_BATTERY = true;
HOTPLUG_PCI_PCIE = true;
HOTPLUG_PCI = true;
MEDIA_SUPPORT = true;
MEDIA_SUPPORT_FILTER = true;
MEDIA_SUBDRV_AUTOSELECT = true;
MEDIA_CAMERA_SUPPORT = true;
MEDIA_USB_SUPPORT = true;
USB_VIDEO_CLASS = true;
USB_VIDEO_CLASS_INPUT_EVDEV = true;
HID_BATTERY_STRENGTH = true;
USB_NET_DRIVERS = true;
USB_RTL8152 = true;
USB_USBNET = true;
USB_NET_AX88179_178A = true;
USB_NET_CDCETHER = true;
USB_NET_CDC_SUBSET = true;
BACKLIGHT_CLASS_DEVICE = true;
TYPEC = true;
TYPEC_TCPM = true;
TYPEC_TCPCI = true;
TYPEC_UCSI = true;
UCSI_ACPI = true;
TYPEC_DP_ALTMODE = true;
MMC = true;
MMC_BLOCK = true;
USB4 = true;
KFENCE_SAMPLE_INTERVAL = "500";
};
dm-crypt = {
MD = true;
MD_BITMAP_FILE = false;
BLK_DEV_DM = true;
DM_CRYPT = true;
DM_UEVENT = true;
DM_INTEGRITY = true;
CRYPTO_AES = true;
CRYPTO_XTS = true;
CRYPTO_AEGIS128 = true;
CRYPTO_SHA256 = true;
CRYPTO_USER_API_HASH = true;
CRYPTO_USER_API_SKCIPHER = true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = true;
CRYPTO_AEGIS128_AESNI_SSE2 = true;
CRYPTO_SHA256_SSSE3 = true;
} // lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = true;
CRYPTO_SHA256_RISCV64 = true;
} // lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64 = true;
CRYPTO_AES_ARM64_CE = true;
CRYPTO_AES_ARM64_CE_BLK = true;
CRYPTO_AES_ARM64_NEON_BLK = true;
CRYPTO_AES_ARM64_BS = true;
CRYPTO_AEGIS128_SIMD = true;
CRYPTO_SHA256_ARM64 = true;
};
wireless = {
WIRELESS = true;
CFG80211 = true;
CFG80211_DEFAULT_PS = true;
CFG80211_CRDA_SUPPORT = true;
MAC80211 = true;
MAC80211_RC_MINSTREL = true;
MAC80211_RC_DEFAULT_MINSTREL = true;
MAC80211_LEDS = true;
BT = true;
BT_BREDR = true;
BT_RFCOMM = true;
BT_HIDP = true;
BT_LE = true;
BT_LEDS = true;
BT_HCIBTUSB_AUTOSUSPEND = option true;
BT_HCIBTUSB_BCM = option false;
BT_HCIBTUSB_RTL = option false;
RFKILL = true;
RFKILL_INPUT = true;
# iwd
KEYS = true;
CRYPTO_USER_API_SKCIPHER = true;
CRYPTO_USER_API_HASH = true;
CRYPTO_HMAC = true;
CRYPTO_CMAC = true;
CRYPTO_MD4 = true;
CRYPTO_MD5 = true;
CRYPTO_SHA1 = true;
CRYPTO_SHA256 = true;
CRYPTO_SHA512 = true;
CRYPTO_AES = true;
CRYPTO_ECB = true;
CRYPTO_DES = true;
CRYPTO_CBC = true;
ASYMMETRIC_KEY_TYPE = option true;
ASYMMETRIC_PUBLIC_KEY_SUBTYPE = option true;
X509_CERTIFICATE_PARSER = option true;
PKCS7_MESSAGE_PARSER = option true;
PKCS8_PRIVATE_KEY_PARSER = option true;
} // lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = option true;
CRYPTO_DES3_EDE_X86_64 = option true;
CRYPTO_SHA1_SSSE3 = option true;
CRYPTO_SHA256_SSSE3 = option true;
CRYPTO_SHA512_SSSE3 = option true;
} // lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = option true;
CRYPTO_SHA256_RISCV64 = option true;
CRYPTO_SHA512_RISCV64 = option true;
} // lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64_CE = option true;
CRYPTO_AES_ARM64_CE_BLK = option true;
CRYPTO_SHA1_ARM64_CE = option true;
CRYPTO_SHA256_ARM64 = option true;
CRYPTO_SHA2_ARM64_CE = option true;
CRYPTO_SHA512_ARM64 = option true;
CRYPTO_SHA512_ARM64_CE = option true;
};
audio = {
SOUND = true;
SND = true;
SND_PCM_TIMER = true;
SND_DYNAMIC_MINORS = true;
SND_SUPPORT_OLD_API = false;
SND_PCI = true;
SND_USB = true;
SND_USB_AUDIO = true;
};
}

120
package/locale-en_EU/en_EU Normal file
View file

@ -0,0 +1,120 @@
comment_char %
escape_char /
LC_IDENTIFICATION
title "Custom locale"
source ""
address ""
contact "Mikael Voss"
email ""
language "en"
territory "EU"
revision "0"
date "2022-10-12"
category "i18n:2012";LC_IDENTIFICATION
category "i18n:2012";LC_CTYPE
category "i18n:2012";LC_COLLATE
category "i18n:2012";LC_MONETARY
category "i18n:2012";LC_NUMERIC
category "i18n:2012";LC_TIME
category "i18n:2012";LC_MESSAGES
category "i18n:2012";LC_PAPER
category "i18n:2012";LC_NAME
category "i18n:2012";LC_ADDRESS
category "i18n:2012";LC_TELEPHONE
category "i18n:2012";LC_MEASUREMENT
END LC_IDENTIFICATION
LC_CTYPE
copy "i18n_ctype"
translit_start
include "translit_neutral";""
translit_end
translit_start
include "translit_combining";""
translit_end
END LC_CTYPE
LC_COLLATE
copy "iso14651_t1"
END LC_COLLATE
LC_NUMERIC
decimal_point "."
thousands_sep "<U202F>"
grouping 3;3
END LC_NUMERIC
LC_MONETARY
int_curr_symbol "EUR "
currency_symbol "<U20AC>"
mon_decimal_point "."
mon_thousands_sep "<U202F>"
mon_grouping 3;3
positive_sign ""
negative_sign "-"
int_frac_digits 2
frac_digits 2
p_cs_precedes 0
p_sep_by_space 1
n_cs_precedes 0
n_sep_by_space 1
p_sign_posn 1
n_sign_posn 1
END LC_MONETARY
LC_TIME
abday "Sun";"Mon";"Tue";"Wed";"Thu";"Fri";"Sat"
day "Sunday";"Monday";"Tuesday";"Wednesday";"Thursday";"Friday";"Saturday"
abmon "Jan";"Feb";"Mar";"Apr";"May";"Jun";"Jul";"Aug";"Sep";"Oct";"Nov";"Dec"
mon "January";"February";"March";"April";"May";"June";/
"July";"August";"September";"October";"November";"December"
week 7;19971201;4
d_t_fmt "%F %T %Z"
date_fmt "%F %T %Z"
d_fmt "%F"
t_fmt "%T"
t_fmt_ampm ""
am_pm "";""
END LC_TIME
LC_MESSAGES
yesexpr "^[+1Tty]"
noexpr "^[-0Ffn]"
END LC_MESSAGES
LC_PAPER
% ISO A4
height 297
width 210
END LC_PAPER
LC_NAME
name_fmt "%p%t%g%m%t%f"
% profession + primary + additionals + family
END LC_NAME
LC_ADDRESS
postal_fmt "%n%N%a%N%d%N%f%N%b%t%e%t%r%N%s%t%h%N%z%t%T%S%N%c%N"
% persons name
% c/o person
% department
% firm
% building + floor + room
% street + number
% postal code + town
% state or provice
% country
END LC_ADDRESS
LC_TELEPHONE
tel_int_fmt "+%c %a%t%l"
END LC_TELEPHONE
LC_MEASUREMENT
% metric
measurement 1
END LC_MEASUREMENT

15
package/locale-en_EU/package.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }: { pkgs, lib, callPackage, allLocales ? false, locales ? [ "en_EU.UTF-8/UTF-8" ] }:
let glibcLocales = callPackage
(pkgs.path + "/pkgs/development/libraries/glibc/locales.nix")
{ inherit allLocales locales; };
in glibcLocales.overrideAttrs (prevAttrs: {
postPatch = prevAttrs.postPatch + ''
cp ${./en_EU} localedata/locales/en_EU
echo 'en_EU.UTF-8/UTF-8 \' >>localedata/SUPPORTED
'';
meta = prevAttrs.meta // {
maintainers = with lib.maintainers; [ mvs ];
};
})

5
shell/default.nix Normal file
View file

@ -0,0 +1,5 @@
{ colmena, ... }: { mkShell, system }:
mkShell {
packages = [ colmena.packages.${system}.colmena ];
}