commit 3bff5623699c83a351d0af9ac8b5b8aa164983fb
parent 4330257cea5845da05a934b1e0de0427abefba0d
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 16 May 2025 20:23:35 +0200
parent 4330257cea5845da05a934b1e0de0427abefba0d
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 16 May 2025 20:23:35 +0200
refactor directory structure
112 files changed, 1164 insertions(+), 1154 deletions(-)
R
|
0
A
|
437
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R
|
0
R
|
0
A
|
144
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
99
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
85
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
96
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
|
54
------------------------------------------------------
D
|
144
-------------------------------------------------------------------------------
D
|
436
-------------------------------------------------------------------------------
D
|
85
-------------------------------------------------------------------------------
D
|
101
-------------------------------------------------------------------------------
D
|
95
-------------------------------------------------------------------------------
diff --git a/config/nixos/modules/boot/plymouth.nix b/config/nixos/modules/boot/plymouth.nix
@@ -0,0 +1,40 @@
+{
+ povSelf,
+ lib,
+ config,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ theme = {
+ type = types.str;
+ default = "bgrt";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot = {
+ consoleLogLevel = 0;
+ initrd.verbose = false;
+ kernelParams = [
+ "quiet"
+ "udev.log_level=3"
+ ];
+ plymouth = {
+ enable = true;
+ inherit (cfg) theme;
+ };
+ };
+ };
+
+}
diff --git a/config/nixos/modules/gnomeMinimal.nix b/config/nixos/modules/gnomeMinimal.nix 
@@ -0,0 +1,437 @@ +{ + inputs, + povSelf, + config, + lib, + pkgs, + utils, + ... +}: + +let + inherit (lib) types; + cfg = lib.getAttrFromPath povSelf config; + + settingsFormat = pkgs.formats.ini { }; + +in +{ + + options = { + enable = { + type = types.bool; + default = false; + }; + gdm = { + dconfSettings = { + type = lib.types.attrs; + default = { }; + }; + settings = { + type = settingsFormat.type; + default = { }; + }; + }; + }; + + config = lib.mkIf cfg.enable ( + let + configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings; + + nixos-background-info = pkgs.writeTextFile rec { + name = "nixos-background-info"; + destination = "/share/gnome-background-properties/nixos.xml"; + text = '' + <?xml version="1.0"?> + <!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd"> + <wallpapers> + <wallpaper deleted="false"> + <name>Blobs</name> + <filename>${pkgs.nixos-artwork.wallpapers.simple-blue.gnomeFilePath}</filename> + <filename-dark>${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}</filename-dark> + <options>zoom</options> + <shade_type>solid</shade_type> + <pcolor>#3a4ba0</pcolor> + <scolor>#2f302f</scolor> + </wallpaper> + </wallpapers> + ''; + }; + + in + { + + # patched to remove xorg and xwayland completely + nixpkgs.overlays = [ + (final: prev: { + # deactivate some backends + gnome-online-accounts = prev.gnome-online-accounts.overrideAttrs (prevAttrs: { + mesonFlags = prevAttrs.mesonFlags ++ [ + "-Dexchange=false" + "-Dgoogle=false" + "-Dkerberos=false" + "-Downcloud=false" + "-Dwindows_live=false" + "-Dms_graph=false" + ]; + }); + + mutter = prev.mutter.overrideAttrs (prevAttrs: { + mesonFlags = [ + "-Dinstalled_tests=false" + "-Dtests=disabled" + "-Ddocs=true" + "-Dx11=false" + "-Dxwayland=false" + "-Degl_device=true" + "-Dwayland_eglstream=true" + "-Dwayland=true" + "-Dprofiler=true" + "-Dsm=false" + ]; + buildInputs = + (utils.removePackagesByName prevAttrs.buildInputs [ + prev.xorg.libSM + prev.xwayland + prev.gtk4 + 
prev.xorg.libICE + prev.xorg.libX11 + prev.xorg.libXcomposite + prev.xorg.libXcursor + prev.xorg.libXdamage + prev.xorg.libXext + prev.xorg.libXfixes + prev.xorg.libXi + prev.xorg.libXtst + prev.xorg.libxkbfile + prev.xkeyboard_config + prev.xorg.libxcb + prev.xorg.libXrandr + prev.xorg.libXinerama + prev.xorg.libXau + ]) + ++ [ prev.libGL ]; + nativeBuildInputs = utils.removePackagesByName prevAttrs.nativeBuildInputs [ + prev.xorg.xorgserver + ]; + }); + + gdm = prev.gdm.overrideAttrs (prevAttrs: { + mesonFlags = prev.lib.lists.remove "--Dgdm-xsession=true" ( + prevAttrs.mesonFlags + ++ [ + "-Dgdm-xsession=false" + "-Dx11-support=false" + ] + ); + patches = [ + # GDM fails to find g-s with the following error in the journal. + # gdm-x-session[976]: dbus-run-session: failed to exec 'gnome-session': No such file or directory + # https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/92 + (prev.fetchpatch { + url = "https://gitlab.gnome.org/GNOME/gdm/-/commit/ccecd9c975d04da80db4cd547b67a1a94fa83292.patch"; + hash = "sha256-5hKS9wjjhuSAYwXct5vS0dPbmPRIINJoLC0Zm1naz6Q="; + revert = true; + }) + + inputs.self.resources.patches.gdm-fix-wayland + + # Change hardcoded paths to nix store paths. + (prev.substituteAll { + src = inputs.self.resources.patches.gdm-fix-paths; + coreutils = final.coreutils; + plymouth = final.plymouth; + dbus = final.dbus; + }) + ]; + postPatch = '' + # Reverts https://gitlab.gnome.org/GNOME/gdm/-/commit/b0f802e36ff948a415bfd2bccaa268b6990515b7 + # The gdm-auth-config tool is probably not too useful for NixOS, but we still want the dconf profile + # installed (mostly just because .passthru.tests can make use of it). 
+ substituteInPlace meson.build \ + --replace-fail "dconf_prefix = dconf_dep.get_variable(pkgconfig: 'prefix')" "dconf_prefix = gdm_prefix" + ''; + buildInputs = utils.removePackagesByName prevAttrs.buildInputs [ + prev.xorg.libX11 + prev.xorg.libXdmcp + prev.xorg.libxcb + ]; + }); + + gnome-session = prev.gnome-session.overrideAttrs (prevAttrs: { + mesonFlags = [ "-Dx11=false" ]; + buildInputs = utils.removePackagesByName prevAttrs.buildInputs [ + prev.xorg.libICE + prev.xorg.xtrans + ]; + }); + + }) + ]; + + users.groups.gdm.gid = config.ids.gids.gdm; + users.users.gdm = { + name = "gdm"; + uid = config.ids.uids.gdm; + group = "gdm"; + home = "/run/gdm"; + description = "GDM user"; + }; + + security.polkit.enable = true; + networking.networkmanager.enable = lib.mkDefault true; + + hardware = { + graphics.enable = true; + bluetooth.enable = lib.mkDefault true; + }; + + fonts.packages = with pkgs; [ + cantarell-fonts + dejavu_fonts + source-code-pro + source-sans + ]; + + environment = { + etc."gdm/custom.conf".source = configFile; + + systemPackages = with pkgs; [ + (lib.mkIf config.hardware.bluetooth.enable gnome-bluetooth) + (lib.mkIf config.services.colord.enable gnome-color-manager) + gnome-shell + gnome-control-center + ghostty + adwaita-icon-theme + sound-theme-freedesktop + nixos-icons + nixos-background-info + glib # for gsettings program + gnome-menus + gtk3.out # for gtk-launch program + xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ + xdg-user-dirs-gtk + ]; + + # Needed for themes and backgrounds + pathsToLink = [ + "/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173 + "/share/nautilus-python/extensions" + ]; + }; + + services = { + gnome.gnome-settings-daemon.enable = true; + gnome.glib-networking.enable = true; + udisks2.enable = true; + libinput.enable = true; + accounts-daemon.enable = true; + gnome.at-spi2-core.enable = lib.mkDefault true; + gnome.gnome-keyring.enable = lib.mkDefault 
true; + pipewire.enable = lib.mkDefault true; + hardware.bolt.enable = lib.mkDefault true; + colord.enable = lib.mkDefault true; + power-profiles-daemon.enable = lib.mkDefault true; + upower.enable = lib.mkDefault config.powerManagement.enable; + system-config-printer.enable = lib.mkDefault config.services.printing.enable; + + gvfs.enable = true; + gvfs.package = + (pkgs.gvfs.overrideAttrs (old: { + mesonFlags = (old.mesonFlags or [ ]) ++ [ + "-Dafp=false" + "-Dafc=false" + "-Dmtp=false" + "-Dgphoto2=false" + ]; + })).override + { + samba = null; + }; + + udev.packages = [ pkgs.mutter ]; + dbus.packages = [ pkgs.gdm ]; + + geoclue2.enable = lib.mkDefault true; + geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent + geoclue2.appConfig = + lib.genAttrs [ "gnome-datetime-panel" "gnome-color-panel" "org.gnome.Shell" ] + (name: { + isAllowed = true; + isSystem = true; + }); + }; + + programs = { + dconf.enable = true; + dconf.profiles.gdm.databases = [ + { settings = cfg.gdm.dconfSettings; } + "${pkgs.gdm}/share/gdm/greeter-dconf-defaults" + ]; + }; + + xdg = { + mime.enable = true; + icons.enable = true; + + portal.enable = true; + portal.configPackages = lib.mkDefault [ pkgs.gnome-session ]; + portal.extraPortals = with pkgs; [ + xdg-desktop-portal-gnome + xdg-desktop-portal-gtk + ]; + }; + + systemd = { + user.services.dbus.wantedBy = [ "default.target" ]; + + tmpfiles.rules = [ "d /run/gdm/.config 0711 gdm gdm" ]; + + packages = with pkgs; [ + gdm + gnome-session + gnome-shell + ]; + + # We dont use the upstream gdm service + # it has to be disabled since the gdm package has it + # https://github.com/NixOS/nixpkgs/issues/108672 + services.gdm.enable = false; + + services.display-manager = { + description = "Display Manager"; + + wants = [ + "systemd-machined.service" + "accounts-daemon.service" + ]; + conflicts = [ + "getty@${pkgs.gdm.initialVT}.service" + "plymouth-quit.service" + ]; + onFailure = [ "plymouth-quit.service" ]; + wantedBy = [ 
"multi-user.target" ]; + after = [ + "systemd-logind.service" + "systemd-user-sessions.service" + "systemd-machined.service" + "getty@${pkgs.gdm.initialVT}.service" + "acpid.service" + "plymouth-quit.service" + "plymouth-start.service" + ]; + + path = [ pkgs.gnome-session ]; + environment = { + XDG_DATA_DIRS = lib.makeSearchPath "share" ( + with pkgs; + [ + gdm + gnome-session.sessions + gnome-control-center # for accessibility icon + adwaita-icon-theme + hicolor-icon-theme + ] + ); + }; + + serviceConfig = { + KillMode = "mixed"; + IgnoreSIGPIPE = "no"; + BusName = "org.gnome.DisplayManager"; + StandardError = "inherit"; + ExecStart = "${pkgs.gdm}/bin/gdm"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; + KeyringMode = "shared"; + EnvironmentFile = "-/etc/locale.conf"; + Restart = "always"; + RestartSec = "200ms"; + SyslogIdentifier = "display-manager"; + }; + + restartIfChanged = false; + + # Stop restarting if the display manager stops (crashes) 2 times in one minute. + startLimitIntervalSec = 30; + startLimitBurst = 3; + }; + + # Prevent nixos-rebuild switch from bringing down the graphical + # session. (If multi-user.target wants plymouth-quit.service which + # conflicts display-manager.service, then when nixos-rebuild + # switch starts multi-user.target, display-manager.service is + # stopped so plymouth-quit.service can be started.) 
+ services.plymouth-quit = lib.mkIf config.boot.plymouth.enable { + wantedBy = lib.mkForce [ ]; + }; + }; + + # GDM LFS PAM modules, adapted somehow to NixOS + security.pam.services = { + gdm-launch-environment.text = '' + auth required pam_succeed_if.so audit quiet_success user = gdm + auth optional pam_permit.so + + account required pam_succeed_if.so audit quiet_success user = gdm + account sufficient pam_unix.so + + password required pam_deny.so + + session required pam_succeed_if.so audit quiet_success user = gdm + session required pam_env.so conffile=/etc/pam/environment readenv=0 + session optional ${config.systemd.package}/lib/security/pam_systemd.so + session optional pam_keyinit.so force revoke + session optional pam_permit.so + ''; + + gdm-password.text = '' + auth substack login + account include login + password substack login + session include login + ''; + + gdm-autologin.text = '' + auth requisite pam_nologin.so + auth required pam_succeed_if.so uid >= 1000 quiet + ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring '' + auth [success=ok default=1] ${pkgs.gdm}/lib/security/pam_gdm.so + auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so + ''} + auth required pam_permit.so + + account sufficient pam_unix.so + + password requisite pam_unix.so nullok yescrypt + + session optional pam_keyinit.so revoke + session include login + ''; + + # This would block password prompt when included by gdm-password. + # GDM will instead run gdm-fingerprint in parallel. 
+ login.fprintAuth = lib.mkIf config.services.fprintd.enable false; + + gdm-fingerprint.text = lib.mkIf config.services.fprintd.enable '' + auth required pam_shells.so + auth requisite pam_nologin.so + auth requisite pam_faillock.so preauth + auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so + auth required pam_env.so + ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring '' + auth [success=ok default=1] ${pkgs.gdm}/lib/security/pam_gdm.so + auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so + ''} + + account include login + + password required pam_deny.so + + session include login + ''; + }; + + } + ); + +}
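Review bot: In the gdm override, `prev.lib.lists.remove "--Dgdm-xsession=true"` looks for a flag with two leading dashes while every other meson flag in this hunk is written as `-D...`; if nixpkgs' gdm passes `-Dgdm-xsession=true`, the removal is a no-op and both that flag and the appended `-Dgdm-xsession=false` reach meson, so the outcome depends on last-wins handling rather than on this code. Changing it to `prev.lib.lists.remove "-Dgdm-xsession=true"` makes the intent explicit. The `gdm-autologin` PAM stack grants a session with no credential check once the `uid >= 1000` test passes; gdm only selects it for the automatic-login user from custom.conf, so the `gdm.settings` option is the place to document that any `AutomaticLogin` entry placed there bypasses the password stack entirely.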
diff --git a/config/nixos/modules/hardware/fprint.nix b/config/nixos/modules/hardware/fprint.nix
@@ -0,0 +1,54 @@
+{
+ povSelf,
+ hostConfig,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+ cfgRoot = lib.getAttrFromPath (lib.remove [ "hardware" "fpint" ] povSelf) config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ enableGoodixDriver = {
+ type = types.bool;
+ default = false;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ {
+ services.fprintd.enable = true;
+ }
+ (
+ lib.mkIf cfg.enableGoodixDriver {
+ assertions = [
+ {
+ assertion = cfg.enableGoodixDriver -> cfgRoot.modules.unfree.enable;
+ message = ''
+ The hardware.fprint.enableGoodixDriver option uses unfree software.
+ To use it you need to set modules.unfree.enable to true.
+ '';
+ }
+ ];
+
+ modules.unfree.list = [ "libfprint-2-tod1-goodix" ];
+
+ services.fprintd.tod = {
+ enable = lib.mkDefault true;
+ driver = lib.mkDefault pkgs.libfprint-2-tod1-goodix;
+ };
+ }
+ )
+ ]);
+
+}
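Review bot: `cfgRoot` is built with `lib.remove [ "hardware" "fpint" ] povSelf`, which removes a single element equal to that two-element list from `povSelf`; if `povSelf` is a list of path segments (as `lib.getAttrFromPath povSelf config` suggests) nothing ever matches, `fpint` is misspelt besides, and `cfgRoot` ends up equal to `cfg`, so `cfgRoot.modules.unfree.enable` fails to evaluate as soon as `enableGoodixDriver` is set. If the intent is to strip the module's own path suffix, `lib.subtractLists [ "hardware" "fprint" ] povSelf` does that. The same construction appears in config/nixos/modules/hardware/video/nvidia.nix as `lib.remove [ "hardware" "video" ] pov`. Inside `lib.mkIf cfg.enableGoodixDriver` the antecedent `cfg.enableGoodixDriver ->` is always true and can be dropped from the assertion.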
diff --git a/config/nixos/modules/hardware/video/nvidia.nix b/config/nixos/modules/hardware/video/nvidia.nix 
@@ -0,0 +1,144 @@ +{ + pov, + config, + lib, + ... +}: +let + inherit (lib) types; + cfg = lib.getAttrFromPath pov config; + cfgRoot = lib.getAttrFromPath (lib.remove [ "hardware" "video" ] pov) config; + +in +{ + + options = { + enable = { + type = types.bool; + default = false; + description = '' + Enable NVIDIA hardware support + ''; + }; + open = { + type = types.bool; + default = false; + }; + powerManagement = { + type = types.enum [ + "on" + "off" + "finegrained" + ]; + default = "on"; + description = '' + on/off: Whether to enable experimental power management through systemd. For more information, see the NVIDIA docs, + on Chapter 21. Configuring Power Management Support. + + finegrained: Whether to enable experimental power management of PRIME offload. For more information, see the NVIDIA docs, + on Chapter 22. PCI-Express Runtime D3 (RTD3) Power Management. + ''; + }; + integrated = { + enable = { + type = types.bool; + default = false; + description = '' + Enable support for integrated hardware + ''; + }; + integratedBus = { + type = types.str; + default = if config.hardware.cpu.vendor == "intel" then "PCI:0:2:0" else null; + description = '' + Bus ID of the integrated GPU. You can find it using lspci, either under 3D or VGA + ''; + }; + dedicatedBus = { + type = types.str; + default = "PCI:1:0:0"; + description = '' + Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA + ''; + }; + }; + }; + + config = lib.mkIf (cfg.enable && cfg.nvidia.enable) ( + lib.mkMerge [ + { + assertions = [ + { + assertion = !cfg.nvidia.open -> cfgRoot.modules.unfree.enable; + message = '' + The programs.nvidia module uses unfree software if open is set to false. 
+ To use it you need to + - set modules.unfree.enable to true + OR + - set.modules.video.nvidia.open to true + ''; + } + ]; + + boot = { + initrd.availableKernelModules = [ + "nvidia" + "nvidia_modeset" + "nvidia_drm" + "nvidia_uvm" + ]; + kernelParams = [ "nvidia.NVreg_UsePageAttributeTable=1" ]; + }; + + environment.sessionVariables = { + _JAVA_AWT_WM_NONREPARENTING = "1"; + GBM_BACKEND = "nvidia-drm"; + NIXOS_OZONE_WL = "1"; + SDL_VIDEODRIVER = "wayland"; # Can break some native games + WLR_NO_HARDWARE_CURSORS = "1"; + }; + + services.xserver.videoDrivers = [ + "fbdev" + "modesetting" + "nvidia" + ]; + + hardware = { + # NVIDIA + nvidia = { + inherit (cfg.nvidia) open; + + nvidiaSettings = false; + + # Kernel modesetting + modesetting.enable = true; + + package = config.boot.kernelPackages.nvidiaPackages.latest; + + # PowerManagement + powerManagement.enable = cfg.powerManagement == "on" || cfg.powerManagement == "finegrained"; + + powerManagement.finegrained = cfg.nvidia.powerManagement == "finegrained"; + + # Integrated GPU + prime = + if cfg.nvidia.integrated.enable then + { + offload.enable = true; + "${config.hardware.cpu.vendor}BusId" = cfg.nvidia.integrated.integratedBus; + nvidiaBusId = cfg.nvidia.integrated.dedicatedBus; + } + else + { }; + }; + }; + } + + (lib.mkIf (!cfg.nvidia.open) { + modules.unfree.list = [ "nvidia-x11" ]; + }) + ] + ); + +}
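Review bot: The two power-management lines read different option paths: `powerManagement.enable = cfg.powerManagement == "on" || cfg.powerManagement == "finegrained";` uses `cfg.powerManagement`, while the line after it and every other option read in this file use `cfg.nvidia.powerManagement`; one of the two resolves to a missing attribute at evaluation, and the `cfg.nvidia.` form is the one consistent with the hunk. `integratedBus` is declared `types.str` but its default is `null` whenever `config.hardware.cpu.vendor` is not `"intel"`, which the type check rejects on such hosts unless they set it explicitly — `types.nullOr types.str`, or no default, expresses that honestly. The assertion message also reads `set.modules.video.nvidia.open` where `set modules.video.nvidia.open` is meant.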
diff --git a/config/nixos/modules/presets/base.nix b/config/nixos/modules/presets/base.nix 
@@ -0,0 +1,99 @@ +{ + povSelf, + pkgs, + lib, + config, + hostConfig, + ... +}: +let + inherit (lib) types; + cfg = lib.getAttrFromPath povSelf config; + +in +{ + + options = { + enable = { + type = types.bool; + default = false; + }; + }; + + config = lib.mkIf cfg.enable { + environment.defaultPackages = lib.mkForce []; + + users.mutableUsers = lib.mkForce false; + + programs.command-not-found.enable = false; + + # Remove perl from activation + system.etc.overlay.enable = lib.mkDefault true; + services.userborn.enable = lib.mkDefault true; + + networking = { + hostId = builtins.substring 0 8 (builtins.hashString "sha256" hostConfig.hostName); + hostName = hostConfig.hostName; + domain = lib.mkDefault hostConfig.domain; + + useNetworkd = lib.mkDefault true; + useDHCP = lib.mkDefault false; + + nftables.enable = lib.mkDefault true; + firewall.enable = lib.mkDefault true; + }; + + hardware.enableRedistributableFirmware = true; + + modules = { + boot.enable = lib.mkDefault true; + boot.type = lib.mkDefault "uefi"; + + locale.enable = lib.mkDefault true; + unfree.enable = lib.mkDefault true; + nix.enable = lib.mkDefault true; + homeManager.enable = lib.mkDefault true; + sops.enable = lib.mkDefault true; + + security = { + enable = lib.mkDefault true; + kernel = lib.mkDefault true; + networking = lib.mkDefault true; + }; + + programs = { + shellUtilities.enable = lib.mkDefault true; + systemUtilities.enable = lib.mkDefault true; + networkUtilities.enable = lib.mkDefault true; + + fish.enable = lib.mkDefault true; + git.enable = lib.mkDefault true; + }; + }; + + services = { + fstrim.enable = lib.mkDefault true; + }; + + # thanks piegames (https://git.darmstadt.ccc.de/piegames/home-config/-/blob/master/modules/generic.nix#L84) + system.activationScripts = { + diff = { + supportsDryActivation = true; + text = '' + ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff "$(readlink /run/current-system)" "$systemConfig" + # Ignore "failures" because these 
tools have weird exit codes + ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ + -- "$(readlink /run/current-system)/activate" "$systemConfig/activate" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true + ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ + -x "os-release" -x "issue" \ + -- "$(readlink /run/current-system)/etc" "$systemConfig/etc" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true + ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ + -x "environment.d" \ + -x "hwdb.d" \ + -- "$(readlink /run/current-system)/systemd" "$systemConfig/systemd" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true + ''; + }; + }; + }; + +}
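Review bot: `system.etc.overlay.enable = lib.mkDefault true` is set without `boot.initrd.systemd.enable`; NixOS asserts that the etc overlay requires the systemd initrd, so unless the `modules.boot` module enables it elsewhere this preset fails to evaluate — a comment naming the dependency (`# requires boot.initrd.systemd.enable (expected from modules.boot)`) or setting it here alongside would make that visible. In the activation diff, `-I '\/nix\/store'` tells colordiff to ignore hunks whose changed lines all mention a store path, which also hides a changed `ExecStart=` or `/etc` symlink target when only the store hash differs; presumably intended to cut hash noise, but worth a comment such as `# -I hides hunks that differ only in store paths, including swapped ExecStart binaries` so nobody relies on this output to spot such changes.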
diff --git a/config/nixos/modules/presets/graphical/enable.nix b/config/nixos/modules/presets/graphical/enable.nix
@@ -0,0 +1,29 @@
+{
+ povSelf,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ option = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg {
+ modules = {
+ boot.secureboot = lib.mkDefault true;
+ boot.plymouth.enable = true;
+
+ font.enable = true;
+ audio.enable = true;
+ };
+ };
+
+}
diff --git a/config/nixos/modules/presets/graphical/typeGnomeMinimal.nix b/config/nixos/modules/presets/graphical/typeGnomeMinimal.nix
@@ -0,0 +1,30 @@
+{
+ inputs,
+ pov,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath pov config;
+
+in
+{
+
+ config = lib.mkIf (cfg.enable && (cfg.type == "gnomeMinimal")) {
+ nixpkgs.overlays = [
+ (final: prev: {
+ # patch gdm to automaticly select the first user
+ gnome-shell = prev.gnome-shell.overrideAttrs (prevAttrs: {
+ patches = prevAttrs.patches ++ [ inputs.self.resources.patches.gdm-autoselect-user ];
+ });
+ })
+ ];
+
+ modules.gnomeMinimal.enable = true;
+
+ networking.networkmanager.enable = true;
+ };
+
+}
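Review bot: `prevAttrs.patches ++ [ ... ]` in the gnome-shell override aborts with a missing-attribute error if the derivation has no `patches` attribute in the pinned nixpkgs; `patches = (prevAttrs.patches or [ ]) ++ [ inputs.self.resources.patches.gdm-autoselect-user ];` is the usual guard. `networking.networkmanager.enable = true` is a hard assignment here while gnomeMinimal.nix sets the same option with `lib.mkDefault`, so a host can no longer opt out once this preset type is selected; either drop the duplicate or use `lib.mkDefault` to keep the two consistent. The comment would read better as `# patch gnome-shell's greeter to automatically select the first user`, since it is gnome-shell, not gdm, that is being patched.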
diff --git a/config/nixos/modules/presets/katja/enable.nix b/config/nixos/modules/presets/katja/enable.nix
@@ -0,0 +1,36 @@
+{
+ povSelf,
+ pkgs,
+ lib,
+ config,
+ hostConfig,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ option = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg {
+ users.users.root.openssh.authorizedKeys.keys = [
+ (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc")
+ ];
+
+ modules = {
+ presets.katja = {
+ syncthing.enable = lib.mkDefault true;
+ };
+
+ services.keyd.enable = lib.mkDefault true;
+ hardware.smartcard.enable = lib.mkDefault config.modules.presets.graphical.enable;
+ };
+ };
+
+}
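Review bot: Root's `openssh.authorizedKeys.keys` is populated by reading `ssh_pubkey.asc` out of the `pkgs.ctucx-website` derivation, so the set of keys that may log in as root is whatever that package (and its source input) happens to ship, and a change there never shows up in a diff of this configuration; the same pattern is used for the `katja` user in config/nixos/modules/users/katja.nix. Keeping the key material in the configuration tree itself, for instance under the `resources` directory this commit wires into the flake, keeps the root trust anchor reviewable. At minimum a comment such as `# root login keys come from the ctucx-website package; review that package when it changes` belongs above the assignment. The `hostConfig` and `types` bindings are unused in this file.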
diff --git a/config/nixos/modules/security/kernel.nix b/config/nixos/modules/security/kernel.nix
@@ -0,0 +1,85 @@
+{
+ pov,
+ hostConfig,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath pov config;
+
+in
+{
+
+ option = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.kernel) {
+ environment = {
+ # memoryAllocator.provider = mkDefault "scudo"; # Breaks stuff
+ # variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; # Breaks stuff
+ };
+
+ boot = {
+ blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+ kernel.sysctl = {
+ "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+ "kernel.kptr_restrict" = lib.mkOverride 500 2;
+ "net.core.bpf_jit_enable" = lib.mkDefault false;
+ "kernel.ftrace_enabled" = lib.mkDefault false;
+ };
+ kernelParams = lib.mkMerge [
+ [
+ # Slab/slub sanity checks, redzoning, and poisoning
+ "slub_debug=FZP"
+
+ # Overwrite free'd memory
+ "page_poison=1"
+
+ # Enable page allocator randomization
+ "page_alloc.shuffle=1"
+ ]
+ # Disable hibernation (allows replacing the running kernel) unless requested
+ (lib.mkIf (!hostConfig.hardware.allowHibernation) [ "nohibernate" ])
+ ];
+ };
+
+ # Disable kernel module loading once the system is fully initialised.
+ # FIXME: Remove reverse dependencies
+ security.lockKernelModules = lib.mkDefault (!config.modules.presets.graphical.enable);
+ # Prevent replacing the running kernel image w/o reboot
+ boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;
+ };
+
+}
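Review bot: The comment `# Prevent replacing the running kernel image w/o reboot` above `kernel.kexec_load_disabled` only holds when hibernation is also off: a few lines earlier `nohibernate` is dropped whenever `hostConfig.hardware.allowHibernation` is set, and a resume image is the other path this sysctl does not close. Suggest wording it `# Prevent replacing the running kernel via kexec; resume-from-hibernation stays possible when hostConfig.hardware.allowHibernation is set`, and for hosts that do not need hibernation `security.protectKernelImage = true` covers both paths in one option. Since `net.core.bpf_jit_enable` is already turned off, `"kernel.unprivileged_bpf_disabled" = lib.mkDefault 1;` is the natural companion that this sysctl set omits. The `option` declared here is a bare bool while the module is addressed as `cfg.kernel`; a `description` on it would tell readers which switch this file is.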
diff --git a/config/nixos/modules/sops.nix b/config/nixos/modules/sops.nix
@@ -0,0 +1,29 @@
+{
+ inputs,
+ povSelf,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options.enable = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ defaultSopsFile = inputs.self.sopsSecrets.${config.networking.hostName};
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+ };
+
+}
diff --git a/config/nixos/modules/users/katja.nix b/config/nixos/modules/users/katja.nix @@ -0,0 +1,96 @@ +{ + inputs, + povSelf, + config, + lib, + pkgs, + homeManagerModules, + ... +}: +let + inherit (lib) types; + cfg = lib.getAttrFromPath povSelf config; + +in +{ + + options.enable = { + type = types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + sops.secrets.katjaPassword = { + neededForUsers = true; + sopsFile = inputs.self.sopsSecrets.common; + }; + + users.users.katja = { + uid = 1001; + description = "Katja"; + hashedPasswordFile = config.sops.secrets.katjaPassword.path; + isNormalUser = true; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc") + ]; + }; + + home-manager.users.katja.imports = lib.concatLists [ + [ + homeManagerModules.katja.common + ] + (lib.optionals config.modules.presets.graphical.enable ( + with homeManagerModules.katja; + [ + configure.xdg + + programs.ghostty + programs.ssh + programs.git + programs.gpg + + programs.yt-dlp + programs.phockup + programs.bitwarden-cli + + programs.nautilus + + programs.firefox + programs.thunderbird + + programs.fractal + programs.tuba + + programs.typst + programs.ocrmypdf + programs.papers + programs.pdfarranger + programs.libreoffice + programs.apostrophe + + programs.celluloid + + programs.javascript + ] + )) + (lib.optionals (config.modules.presets.graphical.type == "gnomeMinimal") ( + with homeManagerModules.katja; + [ + configure.gnome + + gnomeExtensions.dash-to-dock + gnomeExtensions.just-perfection + gnomeExtensions.space-bar + gnomeExtensions.search-light + gnomeExtensions.emoji-copy + gnomeExtensions.pip-on-top + gnomeExtensions.bluetoothBatteryMeter + ] + )) + ]; + }; + +}
diff --git a/config/nixosModules.nix b/config/nixosModules.nix @@ -0,0 +1,71 @@ +{ + inputs, + lib, + utils, + pkgs, + config, + hostConfig, + ... +}: + +let + modules = inputs.haumea.lib.load { + src = ./nixos; + transformer = [ + (inputs.haumea.lib.transformers.liftDefault) + ( + _: + lib.mapAttrs ( + name: value: + ( + if value ? option then + ( + (lib.removeAttrs value [ "option" ]) + // { + nixosOptions = lib.mkOption value.option; + } + ) + else if value ? options then + ( + (lib.removeAttrs value [ "options" ]) + // { + nixosOptions = ( + lib.mapAttrsRecursiveCond (element: !(element ? type)) ( + path: value: lib.mkOption value + ) value.options + ); + } + ) + else + (value) + ) + ) + ) + (inputs.haumea.lib.transformers.hoistAttrs "nixosOptions" "options") + ]; + inputs = { + inherit (inputs.self) homeManagerModules; + inherit + inputs + lib + utils + pkgs + config + hostConfig + ; + }; + }; + +in +{ + + options = modules.options; + + config = lib.mkMerge ( + modules + |> lib.filterAttrs (name: value: name != "options") + |> lib.collect (element: element ? config) + |> lib.map (element: element.config) + ); + +}
diff --git a/flake.nix b/flake.nix @@ -36,11 +36,19 @@ formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style); + resources = loadDir [ + (inputs.haumea.lib.matchers.always pathLoader) + ] ./resources; + + sopsSecrets = loadDir [ + (inputs.haumea.lib.matchers.always pathLoader) + ] ./secrets; + packages = forAllSystems (pkgs: (loadDir (pkgsLoader pkgs) ./packages)); - nixosModules.default = ./nixosModules.nix; + nixosModules.default = ./config/nixosModules.nix; - homeManagerModules = loadDir pathLoader ./homeManagerModules; + homeManagerModules = loadDir pathLoader ./config/home; lib = loadDir (path: path: import path inputs) ./lib;
diff --git a/hosts/huntii/default.nix b/hosts/huntii/default.nix @@ -13,14 +13,14 @@ }; configuration = - { ... }: + { pkgs, ... }: { imports = [ ./hardware-configuration.nix ]; - sapphicCfg = { + modules = { hardware = { video.intel.enable = true; cpu.updateMicrocode = true; @@ -38,6 +38,8 @@ users.katja.enable = true; }; + boot.kernelPackages = pkgs.linuxPackages_latest; + networking.useNetworkd = false; hardware.bluetooth.settings = {
diff --git a/nixosModules.nix b/nixosModules.nix @@ -1,71 +0,0 @@ -{ - inputs, - lib, - utils, - pkgs, - config, - hostConfig, - ... -}: - -let - modules = inputs.haumea.lib.load { - src = ./nixosModules; - transformer = [ - (inputs.haumea.lib.transformers.liftDefault) - ( - _: - lib.mapAttrs ( - name: value: - ( - if value ? option then - ( - (lib.removeAttrs value [ "option" ]) - // { - nixosOptions = lib.mkOption value.option; - } - ) - else if value ? options then - ( - (lib.removeAttrs value [ "options" ]) - // { - nixosOptions = ( - lib.mapAttrsRecursiveCond (element: !(element ? type)) ( - path: value: lib.mkOption value - ) value.options - ); - } - ) - else - (value) - ) - ) - ) - (inputs.haumea.lib.transformers.hoistAttrs "nixosOptions" "options") - ]; - inputs = { - inherit (inputs.self) homeManagerModules; - inherit - inputs - lib - utils - pkgs - config - hostConfig - ; - }; - }; - -in -{ - - options = modules.options; - - config = lib.mkMerge ( - modules - |> lib.filterAttrs (name: value: name != "options") - |> lib.collect (element: element ? config) - |> lib.map (element: element.config) - ); - -}
diff --git a/nixosModules/sapphicCfg/hardware/fprint.nix b/nixosModules/sapphicCfg/hardware/fprint.nix @@ -1,54 +0,0 @@ -{ - povSelf, - hostConfig, - config, - lib, - pkgs, - ... -}: -let - inherit (lib) types; - cfg = lib.getAttrFromPath povSelf config; - cfgRoot = lib.getAttrFromPath (lib.remove [ "hardware" "fpint" ] povSelf) config; - -in -{ - - options = { - enable = { - type = types.bool; - default = false; - }; - enableGoodixDriver = { - type = types.bool; - default = false; - }; - }; - - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - services.fprintd.enable = true; - } - ( - lib.mkIf cfg.enableGoodixDriver { - assertions = [ - { - assertion = cfg.enableGoodixDriver -> cfgRoot.modules.unfree.enable; - message = '' - The hardware.fprint.enableGoodixDriver option uses unfree software. - To use it you need to set modules.unfree.enable to true. - ''; - } - ]; - - sapphicCfg.modules.unfree.list = [ "libfprint-2-tod1-goodix" ]; - - services.fprintd.tod = { - enable = lib.mkDefault true; - driver = lib.mkDefault pkgs.libfprint-2-tod1-goodix; - }; - } - ) - ]); - -}
diff --git a/nixosModules/sapphicCfg/hardware/video/nvidia.nix b/nixosModules/sapphicCfg/hardware/video/nvidia.nix 
@@ -1,144 +0,0 @@ -{ - pov, - config, - lib, - ... -}: -let - inherit (lib) types; - cfg = lib.getAttrFromPath pov config; - cfgRoot = lib.getAttrFromPath (lib.remove [ "hardware" "video" ] pov) config; - -in -{ - - options = { - enable = { - type = types.bool; - default = false; - description = '' - Enable NVIDIA hardware support - ''; - }; - open = { - type = types.bool; - default = false; - }; - powerManagement = { - type = types.enum [ - "on" - "off" - "finegrained" - ]; - default = "on"; - description = '' - on/off: Whether to enable experimental power management through systemd. For more information, see the NVIDIA docs, - on Chapter 21. Configuring Power Management Support. - - finegrained: Whether to enable experimental power management of PRIME offload. For more information, see the NVIDIA docs, - on Chapter 22. PCI-Express Runtime D3 (RTD3) Power Management. - ''; - }; - integrated = { - enable = { - type = types.bool; - default = false; - description = '' - Enable support for integrated hardware - ''; - }; - integratedBus = { - type = types.str; - default = if config.hardware.cpu.vendor == "intel" then "PCI:0:2:0" else null; - description = '' - Bus ID of the integrated GPU. You can find it using lspci, either under 3D or VGA - ''; - }; - dedicatedBus = { - type = types.str; - default = "PCI:1:0:0"; - description = '' - Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA - ''; - }; - }; - }; - - config = lib.mkIf (cfg.enable && cfg.nvidia.enable) ( - lib.mkMerge [ - { - assertions = [ - { - assertion = !cfg.nvidia.open -> cfgRoot.modules.unfree.enable; - message = '' - The programs.nvidia module uses unfree software if open is set to false. 
- To use it you need to - - set modules.unfree.enable to true - OR - - set.modules.video.nvidia.open to true - ''; - } - ]; - - boot = { - initrd.availableKernelModules = [ - "nvidia" - "nvidia_modeset" - "nvidia_drm" - "nvidia_uvm" - ]; - kernelParams = [ "nvidia.NVreg_UsePageAttributeTable=1" ]; - }; - - environment.sessionVariables = { - _JAVA_AWT_WM_NONREPARENTING = "1"; - GBM_BACKEND = "nvidia-drm"; - NIXOS_OZONE_WL = "1"; - SDL_VIDEODRIVER = "wayland"; # Can break some native games - WLR_NO_HARDWARE_CURSORS = "1"; - }; - - services.xserver.videoDrivers = [ - "fbdev" - "modesetting" - "nvidia" - ]; - - hardware = { - # NVIDIA - nvidia = { - inherit (cfg.nvidia) open; - - nvidiaSettings = false; - - # Kernel modesetting - modesetting.enable = true; - - package = config.boot.kernelPackages.nvidiaPackages.latest; - - # PowerManagement - powerManagement.enable = cfg.powerManagement == "on" || cfg.powerManagement == "finegrained"; - - powerManagement.finegrained = cfg.nvidia.powerManagement == "finegrained"; - - # Integrated GPU - prime = - if cfg.nvidia.integrated.enable then - { - offload.enable = true; - "${config.hardware.cpu.vendor}BusId" = cfg.nvidia.integrated.integratedBus; - nvidiaBusId = cfg.nvidia.integrated.dedicatedBus; - } - else - { }; - }; - }; - } - - (lib.mkIf (!cfg.nvidia.open) { - sapphicCfg.modules.unfree.list = [ "nvidia-x11" ]; - }) - ] - ); - -}
diff --git a/nixosModules/sapphicCfg/modules/gnomeMinimal.nix b/nixosModules/sapphicCfg/modules/gnomeMinimal.nix 
@@ -1,436 +0,0 @@ -{ - povSelf, - config, - lib, - pkgs, - utils, - ... -}: - -let - inherit (lib) types; - cfg = lib.getAttrFromPath povSelf config; - - settingsFormat = pkgs.formats.ini { }; - -in -{ - - options = { - enable = { - type = types.bool; - default = false; - }; - gdm = { - dconfSettings = { - type = lib.types.attrs; - default = { }; - }; - settings = { - type = settingsFormat.type; - default = { }; - }; - }; - }; - - config = lib.mkIf cfg.enable ( - let - configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings; - - nixos-background-info = pkgs.writeTextFile rec { - name = "nixos-background-info"; - destination = "/share/gnome-background-properties/nixos.xml"; - text = '' - <?xml version="1.0"?> - <!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd"> - <wallpapers> - <wallpaper deleted="false"> - <name>Blobs</name> - <filename>${pkgs.nixos-artwork.wallpapers.simple-blue.gnomeFilePath}</filename> - <filename-dark>${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}</filename-dark> - <options>zoom</options> - <shade_type>solid</shade_type> - <pcolor>#3a4ba0</pcolor> - <scolor>#2f302f</scolor> - </wallpaper> - </wallpapers> - ''; - }; - - in - { - - # patched to remove xorg and xwayland completely - nixpkgs.overlays = [ - (final: prev: { - # deactivate some backends - gnome-online-accounts = prev.gnome-online-accounts.overrideAttrs (prevAttrs: { - mesonFlags = prevAttrs.mesonFlags ++ [ - "-Dexchange=false" - "-Dgoogle=false" - "-Dkerberos=false" - "-Downcloud=false" - "-Dwindows_live=false" - "-Dms_graph=false" - ]; - }); - - mutter = prev.mutter.overrideAttrs (prevAttrs: { - mesonFlags = [ - "-Dinstalled_tests=false" - "-Dtests=disabled" - "-Ddocs=true" - "-Dx11=false" - "-Dxwayland=false" - "-Degl_device=true" - "-Dwayland_eglstream=true" - "-Dwayland=true" - "-Dprofiler=true" - "-Dsm=false" - ]; - buildInputs = - (utils.removePackagesByName prevAttrs.buildInputs [ - prev.xorg.libSM - prev.xwayland - prev.gtk4 - prev.xorg.libICE - 
prev.xorg.libX11 - prev.xorg.libXcomposite - prev.xorg.libXcursor - prev.xorg.libXdamage - prev.xorg.libXext - prev.xorg.libXfixes - prev.xorg.libXi - prev.xorg.libXtst - prev.xorg.libxkbfile - prev.xkeyboard_config - prev.xorg.libxcb - prev.xorg.libXrandr - prev.xorg.libXinerama - prev.xorg.libXau - ]) - ++ [ prev.libGL ]; - nativeBuildInputs = utils.removePackagesByName prevAttrs.nativeBuildInputs [ - prev.xorg.xorgserver - ]; - }); - - gdm = prev.gdm.overrideAttrs (prevAttrs: { - mesonFlags = prev.lib.lists.remove "--Dgdm-xsession=true" ( - prevAttrs.mesonFlags - ++ [ - "-Dgdm-xsession=false" - "-Dx11-support=false" - ] - ); - patches = [ - # GDM fails to find g-s with the following error in the journal. - # gdm-x-session[976]: dbus-run-session: failed to exec 'gnome-session': No such file or directory - # https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/92 - (prev.fetchpatch { - url = "https://gitlab.gnome.org/GNOME/gdm/-/commit/ccecd9c975d04da80db4cd547b67a1a94fa83292.patch"; - hash = "sha256-5hKS9wjjhuSAYwXct5vS0dPbmPRIINJoLC0Zm1naz6Q="; - revert = true; - }) - - ../../../patches/gdm-fix-wayland.patch - - # Change hardcoded paths to nix store paths. - (prev.substituteAll { - src = ../../../patches/gdm-fix-paths.patch; - coreutils = final.coreutils; - plymouth = final.plymouth; - dbus = final.dbus; - }) - ]; - postPatch = '' - # Reverts https://gitlab.gnome.org/GNOME/gdm/-/commit/b0f802e36ff948a415bfd2bccaa268b6990515b7 - # The gdm-auth-config tool is probably not too useful for NixOS, but we still want the dconf profile - # installed (mostly just because .passthru.tests can make use of it). 
- substituteInPlace meson.build \ - --replace-fail "dconf_prefix = dconf_dep.get_variable(pkgconfig: 'prefix')" "dconf_prefix = gdm_prefix" - ''; - buildInputs = utils.removePackagesByName prevAttrs.buildInputs [ - prev.xorg.libX11 - prev.xorg.libXdmcp - prev.xorg.libxcb - ]; - }); - - gnome-session = prev.gnome-session.overrideAttrs (prevAttrs: { - mesonFlags = [ "-Dx11=false" ]; - buildInputs = utils.removePackagesByName prevAttrs.buildInputs [ - prev.xorg.libICE - prev.xorg.xtrans - ]; - }); - - }) - ]; - - users.groups.gdm.gid = config.ids.gids.gdm; - users.users.gdm = { - name = "gdm"; - uid = config.ids.uids.gdm; - group = "gdm"; - home = "/run/gdm"; - description = "GDM user"; - }; - - security.polkit.enable = true; - networking.networkmanager.enable = lib.mkDefault true; - - hardware = { - graphics.enable = true; - bluetooth.enable = lib.mkDefault true; - }; - - fonts.packages = with pkgs; [ - cantarell-fonts - dejavu_fonts - source-code-pro - source-sans - ]; - - environment = { - etc."gdm/custom.conf".source = configFile; - - systemPackages = with pkgs; [ - (lib.mkIf config.hardware.bluetooth.enable gnome-bluetooth) - (lib.mkIf config.services.colord.enable gnome-color-manager) - gnome-shell - gnome-control-center - ghostty - adwaita-icon-theme - sound-theme-freedesktop - nixos-icons - nixos-background-info - glib # for gsettings program - gnome-menus - gtk3.out # for gtk-launch program - xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - xdg-user-dirs-gtk - ]; - - # Needed for themes and backgrounds - pathsToLink = [ - "/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173 - "/share/nautilus-python/extensions" - ]; - }; - - services = { - gnome.gnome-settings-daemon.enable = true; - gnome.glib-networking.enable = true; - udisks2.enable = true; - libinput.enable = true; - accounts-daemon.enable = true; - gnome.at-spi2-core.enable = lib.mkDefault true; - gnome.gnome-keyring.enable = lib.mkDefault 
true; - pipewire.enable = lib.mkDefault true; - hardware.bolt.enable = lib.mkDefault true; - colord.enable = lib.mkDefault true; - power-profiles-daemon.enable = lib.mkDefault true; - upower.enable = lib.mkDefault config.powerManagement.enable; - system-config-printer.enable = lib.mkDefault config.services.printing.enable; - - gvfs.enable = true; - gvfs.package = - (pkgs.gvfs.overrideAttrs (old: { - mesonFlags = (old.mesonFlags or [ ]) ++ [ - "-Dafp=false" - "-Dafc=false" - "-Dmtp=false" - "-Dgphoto2=false" - ]; - })).override - { - samba = null; - }; - - udev.packages = [ pkgs.mutter ]; - dbus.packages = [ pkgs.gdm ]; - - geoclue2.enable = lib.mkDefault true; - geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent - geoclue2.appConfig = - lib.genAttrs [ "gnome-datetime-panel" "gnome-color-panel" "org.gnome.Shell" ] - (name: { - isAllowed = true; - isSystem = true; - }); - }; - - programs = { - dconf.enable = true; - dconf.profiles.gdm.databases = [ - { settings = cfg.gdm.dconfSettings; } - "${pkgs.gdm}/share/gdm/greeter-dconf-defaults" - ]; - }; - - xdg = { - mime.enable = true; - icons.enable = true; - - portal.enable = true; - portal.configPackages = lib.mkDefault [ pkgs.gnome-session ]; - portal.extraPortals = with pkgs; [ - xdg-desktop-portal-gnome - xdg-desktop-portal-gtk - ]; - }; - - systemd = { - user.services.dbus.wantedBy = [ "default.target" ]; - - tmpfiles.rules = [ "d /run/gdm/.config 0711 gdm gdm" ]; - - packages = with pkgs; [ - gdm - gnome-session - gnome-shell - ]; - - # We dont use the upstream gdm service - # it has to be disabled since the gdm package has it - # https://github.com/NixOS/nixpkgs/issues/108672 - services.gdm.enable = false; - - services.display-manager = { - description = "Display Manager"; - - wants = [ - "systemd-machined.service" - "accounts-daemon.service" - ]; - conflicts = [ - "getty@${pkgs.gdm.initialVT}.service" - "plymouth-quit.service" - ]; - onFailure = [ "plymouth-quit.service" ]; - wantedBy = [ 
"multi-user.target" ]; - after = [ - "systemd-logind.service" - "systemd-user-sessions.service" - "systemd-machined.service" - "getty@${pkgs.gdm.initialVT}.service" - "acpid.service" - "plymouth-quit.service" - "plymouth-start.service" - ]; - - path = [ pkgs.gnome-session ]; - environment = { - XDG_DATA_DIRS = lib.makeSearchPath "share" ( - with pkgs; - [ - gdm - gnome-session.sessions - gnome-control-center # for accessibility icon - adwaita-icon-theme - hicolor-icon-theme - ] - ); - }; - - serviceConfig = { - KillMode = "mixed"; - IgnoreSIGPIPE = "no"; - BusName = "org.gnome.DisplayManager"; - StandardError = "inherit"; - ExecStart = "${pkgs.gdm}/bin/gdm"; - ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; - KeyringMode = "shared"; - EnvironmentFile = "-/etc/locale.conf"; - Restart = "always"; - RestartSec = "200ms"; - SyslogIdentifier = "display-manager"; - }; - - restartIfChanged = false; - - # Stop restarting if the display manager stops (crashes) 2 times in one minute. - startLimitIntervalSec = 30; - startLimitBurst = 3; - }; - - # Prevent nixos-rebuild switch from bringing down the graphical - # session. (If multi-user.target wants plymouth-quit.service which - # conflicts display-manager.service, then when nixos-rebuild - # switch starts multi-user.target, display-manager.service is - # stopped so plymouth-quit.service can be started.) 
- services.plymouth-quit = lib.mkIf config.boot.plymouth.enable { - wantedBy = lib.mkForce [ ]; - }; - }; - - # GDM LFS PAM modules, adapted somehow to NixOS - security.pam.services = { - gdm-launch-environment.text = '' - auth required pam_succeed_if.so audit quiet_success user = gdm - auth optional pam_permit.so - - account required pam_succeed_if.so audit quiet_success user = gdm - account sufficient pam_unix.so - - password required pam_deny.so - - session required pam_succeed_if.so audit quiet_success user = gdm - session required pam_env.so conffile=/etc/pam/environment readenv=0 - session optional ${config.systemd.package}/lib/security/pam_systemd.so - session optional pam_keyinit.so force revoke - session optional pam_permit.so - ''; - - gdm-password.text = '' - auth substack login - account include login - password substack login - session include login - ''; - - gdm-autologin.text = '' - auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring '' - auth [success=ok default=1] ${pkgs.gdm}/lib/security/pam_gdm.so - auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so - ''} - auth required pam_permit.so - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok yescrypt - - session optional pam_keyinit.so revoke - session include login - ''; - - # This would block password prompt when included by gdm-password. - # GDM will instead run gdm-fingerprint in parallel. 
- login.fprintAuth = lib.mkIf config.services.fprintd.enable false; - - gdm-fingerprint.text = lib.mkIf config.services.fprintd.enable '' - auth required pam_shells.so - auth requisite pam_nologin.so - auth requisite pam_faillock.so preauth - auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so - auth required pam_env.so - ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring '' - auth [success=ok default=1] ${pkgs.gdm}/lib/security/pam_gdm.so - auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so - ''} - - account include login - - password required pam_deny.so - - session include login - ''; - }; - - } - ); - -}
diff --git a/nixosModules/sapphicCfg/modules/plymouth.nix b/nixosModules/sapphicCfg/modules/plymouth.nix
@@ -1,40 +0,0 @@
-{
- povSelf,
- lib,
- config,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath povSelf config;
-
-in
-{
-
- options = {
- enable = {
- type = types.bool;
- default = false;
- };
- theme = {
- type = types.str;
- default = "bgrt";
- };
- };
-
- config = lib.mkIf cfg.enable {
- boot = {
- consoleLogLevel = 3;
- initrd.verbose = false;
- kernelParams = [
- "quiet"
- "udev.log_level=3"
- ];
- plymouth = {
- enable = true;
- inherit (cfg) theme;
- };
- };
- };
-
-}
diff --git a/nixosModules/sapphicCfg/modules/security/kernel.nix b/nixosModules/sapphicCfg/modules/security/kernel.nix
@@ -1,85 +0,0 @@
-{
- pov,
- hostConfig,
- config,
- lib,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath pov config;
-
-in
-{
-
- option = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf (cfg.enable && cfg.kernel) {
- environment = {
- # memoryAllocator.provider = mkDefault "scudo"; # Breaks stuff
- # variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; # Breaks stuff
- };
-
- boot = {
- blacklistedKernelModules = [
- # Obscure network protocols
- "ax25"
- "netrom"
- "rose"
-
- # Old or rare or insufficiently audited filesystems
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
- ];
- kernel.sysctl = {
- "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
- "kernel.kptr_restrict" = lib.mkOverride 500 2;
- "net.core.bpf_jit_enable" = lib.mkDefault false;
- "kernel.ftrace_enabled" = lib.mkDefault false;
- };
- kernelParams = lib.mkMerge [
- [
- # Slab/slub sanity checks, redzoning, and poisoning
- "slub_debug=FZP"
-
- # Overwrite free'd memory
- "page_poison=1"
-
- # Enable page allocator randomization
- "page_alloc.shuffle=1"
- ]
- # Disable hibernation (allows replacing the running kernel) unless requested
- (lib.mkIf (!hostConfig.hardware.allowHibernation) [ "nohibernate" ])
- ];
- };
-
- # Disable kernel module loading once the system is fully initialised.
- # FIXME: Remove reverse dependencies
- security.lockKernelModules = lib.mkDefault (!config.sapphicCfg.presets.graphical.enable);
- # Prevent replacing the running kernel image w/o reboot
- boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;
- };
-
-}
diff --git a/nixosModules/sapphicCfg/modules/sops.nix b/nixosModules/sapphicCfg/modules/sops.nix
@@ -1,28 +0,0 @@
-{
- povSelf,
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath povSelf config;
-
-in
-{
-
- options.enable = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf cfg.enable {
- sops = {
- defaultSopsFile = ../../../secrets/${config.networking.hostName}.yaml;
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- };
- };
-
-}
diff --git a/nixosModules/sapphicCfg/presets/base.nix b/nixosModules/sapphicCfg/presets/base.nix 
@@ -1,101 +0,0 @@ -{ - povSelf, - pkgs, - lib, - config, - hostConfig, - ... -}: -let - inherit (lib) types; - cfg = lib.getAttrFromPath povSelf config; - -in -{ - - options = { - enable = { - type = types.bool; - default = false; - }; - }; - - config = lib.mkIf cfg.enable { - environment.defaultPackages = lib.mkForce []; - - users.mutableUsers = lib.mkForce false; - - programs.command-not-found.enable = false; - - # Remove perl from activation - system.etc.overlay.enable = lib.mkDefault true; - services.userborn.enable = lib.mkDefault true; - - networking = { - hostId = builtins.substring 0 8 (builtins.hashString "sha256" hostConfig.hostName); - hostName = hostConfig.hostName; - domain = lib.mkDefault hostConfig.domain; - - useNetworkd = lib.mkDefault true; - useDHCP = lib.mkDefault false; - - nftables.enable = lib.mkDefault true; - firewall.enable = lib.mkDefault true; - }; - - hardware.enableRedistributableFirmware = true; - - sapphicCfg = { - modules = { - boot.enable = lib.mkDefault true; - boot.type = lib.mkDefault "uefi"; - - locale.enable = lib.mkDefault true; - unfree.enable = lib.mkDefault true; - nix.enable = lib.mkDefault true; - homeManager.enable = lib.mkDefault true; - sops.enable = lib.mkDefault true; - - security = { - enable = lib.mkDefault true; - kernel = lib.mkDefault true; - networking = lib.mkDefault true; - }; - }; - - programs = { - shellUtilities.enable = lib.mkDefault true; - systemUtilities.enable = lib.mkDefault true; - networkUtilities.enable = lib.mkDefault true; - - fish.enable = lib.mkDefault true; - git.enable = lib.mkDefault true; - }; - }; - - services = { - fstrim.enable = lib.mkDefault true; - }; - - # thanks piegames (https://git.darmstadt.ccc.de/piegames/home-config/-/blob/master/modules/generic.nix#L84) - system.activationScripts = { - diff = { - supportsDryActivation = true; - text = '' - ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff "$(readlink /run/current-system)" "$systemConfig" - # Ignore 
"failures" because these tools have weird exit codes - ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ - -- "$(readlink /run/current-system)/activate" "$systemConfig/activate" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true - ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ - -x "os-release" -x "issue" \ - -- "$(readlink /run/current-system)/etc" "$systemConfig/etc" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true - ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \ - -x "environment.d" \ - -x "hwdb.d" \ - -- "$(readlink /run/current-system)/systemd" "$systemConfig/systemd" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true - ''; - }; - }; - }; - -}
diff --git a/nixosModules/sapphicCfg/presets/graphical/enable.nix b/nixosModules/sapphicCfg/presets/graphical/enable.nix
@@ -1,29 +0,0 @@
-{
- povSelf,
- config,
- lib,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath povSelf config;
-
-in
-{
-
- option = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf cfg {
- sapphicCfg.modules = {
- boot.secureboot = lib.mkDefault true;
- plymouth.enable = true;
-
- font.enable = true;
- audio.enable = true;
- };
- };
-
-}
diff --git a/nixosModules/sapphicCfg/presets/graphical/typeGnomeMinimal.nix b/nixosModules/sapphicCfg/presets/graphical/typeGnomeMinimal.nix
@@ -1,31 +0,0 @@
-{
- pov,
- config,
- lib,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath pov config;
-
-in
-{
-
- config = lib.mkIf (cfg.enable && (cfg.type == "gnomeMinimal")) {
- nixpkgs.overlays = [
- (final: prev: {
- # patch gdm to automaticly select the first user
- gnome-shell = prev.gnome-shell.overrideAttrs (prevAttrs: {
- patches = prevAttrs.patches ++ [ ../../../../patches/gdm-autoselect-user.patch ];
- });
- })
- ];
-
- sapphicCfg.modules = {
- gnomeMinimal.enable = true;
- };
-
- networking.networkmanager.enable = true;
- };
-
-}
diff --git a/nixosModules/sapphicCfg/presets/katja/enable.nix b/nixosModules/sapphicCfg/presets/katja/enable.nix
@@ -1,36 +0,0 @@
-{
- povSelf,
- pkgs,
- lib,
- config,
- hostConfig,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath povSelf config;
-
-in
-{
-
- option = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf cfg {
- users.users.root.openssh.authorizedKeys.keys = [
- (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc")
- ];
-
- sapphicCfg = {
- presets.katja = {
- syncthing.enable = lib.mkDefault true;
- };
-
- services.keyd.enable = lib.mkDefault true;
- hardware.smartcard.enable = lib.mkDefault config.sapphicCfg.presets.graphical.enable;
- };
- };
-
-}
diff --git a/nixosModules/sapphicCfg/users/katja.nix b/nixosModules/sapphicCfg/users/katja.nix
@@ -1,95 +0,0 @@
-{
- povSelf,
- config,
- lib,
- pkgs,
- homeManagerModules,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath povSelf config;
-
-in
-{
-
- options.enable = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf cfg.enable {
- sops.secrets.katjaPassword = {
- neededForUsers = true;
- sopsFile = ../../../secrets/common.yaml;
- };
-
- users.users.katja = {
- uid = 1001;
- description = "Katja";
- hashedPasswordFile = config.sops.secrets.katjaPassword.path;
- isNormalUser = true;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc")
- ];
- };
-
- home-manager.users.katja.imports = lib.concatLists [
- [
- homeManagerModules.katja.common
- ]
- (lib.optionals config.sapphicCfg.presets.graphical.enable (
- with homeManagerModules.katja;
- [
- configure.xdg
-
- programs.ghostty
- programs.ssh
- programs.git
- programs.gpg
-
- programs.yt-dlp
- programs.phockup
- programs.bitwarden-cli
-
- programs.nautilus
-
- programs.firefox
- programs.thunderbird
-
- programs.fractal
- programs.tuba
-
- programs.typst
- programs.ocrmypdf
- programs.papers
- programs.pdfarranger
- programs.libreoffice
- programs.apostrophe
-
- programs.celluloid
-
- programs.javascript
- ]
- ))
- (lib.optionals (config.sapphicCfg.presets.graphical.type == "gnomeMinimal") (
- with homeManagerModules.katja;
- [
- configure.gnome
-
- gnomeExtensions.dash-to-dock
- gnomeExtensions.just-perfection
- gnomeExtensions.space-bar
- gnomeExtensions.search-light
- gnomeExtensions.emoji-copy
- gnomeExtensions.pip-on-top
- gnomeExtensions.bluetoothBatteryMeter
- ]
- ))
- ];
- };
-
-}