diff --git a/darwin/profiles/common/core/default.nix b/darwin/profiles/common/core/default.nix
index 5b30ab0..ad5d2bc 100644
--- a/darwin/profiles/common/core/default.nix
+++ b/darwin/profiles/common/core/default.nix
@@ -14,7 +14,6 @@
 inputs.self.darwinModules.default
 inputs.home-manager.darwinModules.home-manager
- inputs.nur.nixosModules.nur # doesn't sound very smart
 ];
 users = {
diff --git a/flake.lock b/flake.lock
index 276cc42..83301c5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -249,21 +249,6 @@
 "type": "github"
 }
 },
- "nixos-sensible": {
- "locked": {
- "lastModified": 1711451092,
- "narHash": "sha256-17X9t5IL4cerDvoympJPIkECVG/L/yaGr+Ic3kBBYdE=",
- "owner": "Guanran928",
- "repo": "nixos-sensible",
- "rev": "23a6d9d6d5dfb2c2b89b413d900e9a4456d2c28f",
- "type": "github"
- },
- "original": {
- "owner": "Guanran928",
- "repo": "nixos-sensible",
- "type": "github"
- }
- },
 "nixpkgs": {
 "locked": {
 "lastModified": 1722415718,
@@ -280,21 +265,6 @@
 "type": "github"
 }
 },
- "nur": {
- "locked": {
- "lastModified": 1722465185,
- "narHash": "sha256-vNu8ztiqTTAvgqYBatM/AuFn9qpJXfNuqGFYA95oVWk=",
- "owner": "nix-community",
- "repo": "NUR",
- "rev": "9ba05057d90d2c8fda1f40685871c0d8dbf81402",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "NUR",
- "type": "github"
- }
- },
 "pre-commit-hooks-nix": {
 "inputs": {
 "flake-compat": [
@@ -338,13 +308,10 @@
 "neovim": "neovim",
 "nix-darwin": "nix-darwin",
 "nixos-hardware": "nixos-hardware",
- "nixos-sensible": "nixos-sensible",
 "nixpkgs": "nixpkgs",
- "nur": "nur",
 "pre-commit-hooks-nix": "pre-commit-hooks-nix",
 "rust-overlay": "rust-overlay",
 "sops-nix": "sops-nix",
- "srvos": "srvos",
 "systems": "systems",
 "treefmt-nix": "treefmt-nix"
 }
@@ -392,26 +359,6 @@
 "type": "github"
 }
 },
- "srvos": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1722473484,
- "narHash": "sha256-gl0NnSdNwjuAgIHfmGSVx/2jKHNfN5ie8Ex6OTjfczY=",
- "owner": "nix-community",
- "repo": "srvos",
- "rev": "46a59095dc9228a945bf1ee8160b397eb502ad6c",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "srvos",
- "type": "github"
- }
- },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 8d44309..757ff5b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,21 +47,11 @@
 nixos-hardware = {
 url = "github:NixOS/nixos-hardware";
 };
- nixos-sensible = {
- url = "github:Guanran928/nixos-sensible";
- };
- nur = {
- url = "github:nix-community/NUR";
- };
 sops-nix = {
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.nixpkgs-stable.follows = "nixpkgs";
 };
- srvos = {
- url = "github:nix-community/srvos";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 systems.url = "github:nix-systems/default";
 treefmt-nix = {
 url = "github:numtide/treefmt-nix";
diff --git a/home/default.nix b/home/default.nix
index 40a480f..ca3fa79 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,5 +1,4 @@
 {
- inputs,
 pkgs,
 config,
 lib,
@@ -28,8 +27,6 @@
 # Default applications
 imports = [
- inputs.nur.hmModules.nur
-
 ./applications/atuin
 ./applications/bash
 ./applications/bat
diff --git a/hosts/blacksteel/anti-feature.nix b/hosts/blacksteel/anti-feature.nix
index e0211a2..f8e20ef 100644
--- a/hosts/blacksteel/anti-feature.nix
+++ b/hosts/blacksteel/anti-feature.nix
@@ -1,8 +1,5 @@
 {lib, ...}: {
 nixpkgs.config = {
- # only needed on older version of nvidia
- #nvidia.acceptLicense = true;
-
 allowNonSource = false;
 allowNonSourcePredicate = pkg:
 lib.elem (lib.getName pkg) [
diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix
index e43a24b..2651782 100644
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@@ -20,8 +20,6 @@
 time.timeZone = "Asia/Shanghai";
 system.stateVersion = "23.11";
- services.openssh.settings.PermitRootLogin = "prohibit-password";
-
 ######## Secrets
 sops = {
 secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
diff --git a/hosts/blacksteel/hardware-configuration.nix b/hosts/blacksteel/hardware-configuration.nix
index d8a143c..05041ce 100644
--- a/hosts/blacksteel/hardware-configuration.nix
+++ b/hosts/blacksteel/hardware-configuration.nix
@@ -7,7 +7,6 @@
 inputs.nixpkgs.nixosModules.notDetected
 inputs.nixos-hardware.nixosModules.apple-macbook-pro
 inputs.nixos-hardware.nixosModules.common-cpu-intel
- #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
 inputs.nixos-hardware.nixosModules.common-hidpi
 inputs.nixos-hardware.nixosModules.common-pc-laptop
 inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
@@ -19,9 +18,6 @@
 boot.kernelModules = ["kvm-intel" "wl"];
 boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
- #hardware.nvidia.modesetting.enable = true;
- #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-
 nixpkgs.hostPlatform = "x86_64-linux";
 # no disko because dual booting with macOS isnt very flexible
diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix
index dfa3307..48f7fc2 100644
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@@ -35,16 +35,11 @@
 programs.adb.enable = true;
 programs.localsend.enable = true;
 programs.seahorse.enable = true;
- programs.kdeconnect = {
- enable = true;
- package = pkgs.valent;
- };
 services.power-profiles-daemon.enable = true;
 services.gvfs.enable = true;
 services.gnome = {
 gnome-keyring.enable = true;
- gnome-online-accounts.enable = true;
 sushi.enable = true;
 };
@@ -121,10 +116,15 @@
 services.greetd = {
 enable = true;
- settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd sway";
+ settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd ${pkgs.writeShellScript "sway" ''
+ while read -r l; do
+ eval export $l
+ done < <(/run/current-system/systemd/lib/systemd/user-environment-generators/30-systemd-environment-d-generator)
+
+ exec systemd-cat --identifier=sway sway
+ ''}";
 };
- # polkit
 security.polkit.enable = true;
 systemd.user.services.polkit-gnome-authentication-agent-1 = {
 description = "polkit-gnome-authentication-agent-1";
@@ -143,7 +143,6 @@
 security.pam.services.swaylock = {};
 xdg.portal = {
 enable = true;
- xdgOpenUsePortal = true;
 wlr.enable = true;
 extraPortals = [pkgs.xdg-desktop-portal-gtk];
 # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
diff --git a/nixos/profiles/core/default.nix b/nixos/profiles/core/default.nix
index b846d04..6f0fcbb 100644
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@@ -10,16 +10,13 @@
 ./hardening.nix
 ./networking.nix
 ./nix.nix
- "${inputs.srvos}/nixos/common/well-known-hosts.nix"
+ ./zram.nix
 ]
 ++ (with inputs; [
 disko.nixosModules.disko
 home-manager.nixosModules.home-manager
 impermanence.nixosModules.impermanence
 lanzaboote.nixosModules.lanzaboote
- nixos-sensible.nixosModules.default
- nixos-sensible.nixosModules.zram
- nur.nixosModules.nur
 self.nixosModules.default
 sops-nix.nixosModules.sops
 ]);
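Review bot: `eval export $l` in the added greetd wrapper script re-parses every line the environment generator emits as shell, so a value containing spaces, globs or `$(…)` is word-split, expanded or executed instead of being exported verbatim; PATH-like entries with spaces are the realistic failure. Assuming the generator prints plain `KEY=value` lines, `export "$l"` sets the same variable without a second parse, and `[ -n "$l" ] || continue` ahead of it skips an empty line that would otherwise turn `export` into a dump of the environment. The script runs as the logged-in user, so this is about robustness and not re-interpreting configuration text as code rather than a privilege boundary.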
@@ -32,13 +29,11 @@
 users.guanranwang = import ../../../home;
 useGlobalPkgs = true;
 useUserPackages = true;
- extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
+ extraSpecialArgs = {inherit inputs;};
 };
 boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
- ### Default Programs
- # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
 environment.systemPackages = with pkgs; [
 unzip
 wget
@@ -55,12 +50,7 @@
 usbutils
 ];
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
- settings.PasswordAuthentication = false;
- };
-
+ users.mutableUsers = false;
 users.users = rec {
 "guanranwang" = {
 isNormalUser = true;
@@ -72,7 +62,6 @@
 "nix-access-tokens"
 ];
 openssh.authorizedKeys.keys = [
- # same as git signing
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
 ];
 };
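Review bot: `users.mutableUsers = false;` is added without any note on its consequence: once it is set, a user whose definition carries no `hashedPassword`, `hashedPasswordFile` or `password` ends up with a locked password, and anything set interactively with `passwd` is discarded at the next switch. The `guanranwang` definition that follows shows only group membership and an authorized key inside this hunk, and the rest of it is outside the hunk, so I can't confirm a password source is declared; worth checking before this lands on a host where console login matters. A comment on the line, `# passwords come only from the declared hashedPassword*/password options; passwd changes do not survive a rebuild`, would keep that visible.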
@@ -82,10 +71,43 @@
 };
 };
+ boot.initrd.systemd.enable = true;
+ environment.stub-ld.enable = false;
+
+ programs.command-not-found.enable = false;
 programs.dconf.enable = true;
 programs.fish.enable = true;
- programs.command-not-found.enable = false;
- environment.stub-ld.enable = false;
+ programs.nano.enable = false;
+ programs.vim = {
+ enable = true;
+ defaultEditor = true;
+ };
+
+ # Avoid TOFU MITM with github by providing their public key here.
+ programs.ssh.knownHosts = {
+ "github.com".hostNames = ["github.com"];
+ "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+ "gitlab.com".hostNames = ["gitlab.com"];
+ "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+ "git.sr.ht".hostNames = ["git.sr.ht"];
+ "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+ };
+
+ # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
+ services.dbus.implementation = lib.mkDefault "broker";
+
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
+ settings.PasswordAuthentication = false;
+ };
+
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = ''
+ Defaults lecture = never
+ '';
 documentation = {
 doc.enable = false;
diff --git a/nixos/profiles/core/hardening.nix b/nixos/profiles/core/hardening.nix
index 4d67ba4..80008e3 100644
--- a/nixos/profiles/core/hardening.nix
+++ b/nixos/profiles/core/hardening.nix
@@ -1,7 +1,5 @@
 {
 environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
- security.sudo.execWheelOnly = true;
-
 boot.blacklistedKernelModules = [
 # Obscure network protocols
 "ax25"
diff --git a/nixos/profiles/core/nix.nix b/nixos/profiles/core/nix.nix
index 573d7c1..7124ebf 100644
--- a/nixos/profiles/core/nix.nix
+++ b/nixos/profiles/core/nix.nix
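Review bot: the three pinned host keys under `programs.ssh.knownHosts` carry no provenance, so a later reader cannot tell where they were copied from or re-check them after a provider rotates keys without re-establishing trust from scratch; I can't verify the key material from here. The existing `# Avoid TOFU MITM …` comment explains the why but not the source; a short comment above each entry naming the provider's published fingerprint page and the date it was checked closes that gap, e.g. `# github.com ed25519 key, copied from GitHub's published SSH fingerprints page on <date>`. The `hostNames` lines repeat the attribute name, which as far as I recall is already the option's default, so they are redundant and can be dropped or kept purely for readability.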
@@ -26,7 +26,7 @@
 "no-url-literals"
 ];
 flake-registry = "";
- trusted-users = ["@wheel"];
+ trusted-users = ["root" "@wheel"];
 allow-import-from-derivation = false;
 auto-allocate-uids = true;
 auto-optimise-store = true;
diff --git a/nixos/profiles/core/zram.nix b/nixos/profiles/core/zram.nix
new file mode 100644
index 0000000..ad5ca34
--- /dev/null
+++ b/nixos/profiles/core/zram.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ services.zram-generator = {
+ enable = true;
+ settings.zram0 = {
+ compression-algorithm = lib.mkDefault "zstd";
+ zram-size = lib.mkDefault "ram";
+ };
+ };
+
+ # https://wiki.archlinux.org/title/Zram#Optimizing_swap_on_zram
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 180;
+ "vm.watermark_boost_factor" = 0;
+ "vm.watermark_scale_factor" = 125;
+ "vm.page-cluster" = 0;
+ };
+}
diff --git a/nixos/profiles/server/default.nix b/nixos/profiles/server/default.nix
index 2e3f8d4..28a54de 100644
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@@ -1,5 +1,12 @@
-{inputs, ...}: {
- imports = [
- inputs.srvos.nixosModules.mixins-terminfo
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ alacritty.terminfo
+ kitty.terminfo
+ foot.terminfo
+ tmux.terminfo
+ wezterm.terminfo
 ];
+
+ # TODO: colmena
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
 }
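Review bot: `trusted-users = ["root" "@wheel"];` adds root without saying why; as far as I recall, assigning this NixOS option replaces its `["root"]` default rather than merging with it, so the explicit entry is what keeps root trusted and a later cleanup could drop it as redundant. A trailing comment, `# root is the option's default and is lost once the list is set explicitly`, records that. Unchanged by this commit but worth keeping in view: `@wheel` lets every wheel member override daemon settings such as substituters, which the Nix manual treats as effectively root-equivalent, and the `execWheelOnly` sudo setting added elsewhere in this commit does not narrow that.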
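Review bot: `# TODO: colmena` above `services.openssh.settings.PermitRootLogin = "prohibit-password";` explains neither what is pending nor why root login is opened here, and the plain assignment overrides the `lib.mkDefault "no"` in the core profile for every host that imports the server profile. If the intent is key-only root access for colmena deploys, say so and name the dependency: `# colmena deploys as root over SSH: allow root with keys only; PasswordAuthentication stays off via the core profile`. If the TODO means the line is temporary, a note on what is meant to replace it (a dedicated deploy user with sudo, for instance) belongs here as well.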