treewide: cleanup

darwin/profiles/common/core/default.nix

@@ -14,7 +14,6 @@
 
     inputs.self.darwinModules.default
     inputs.home-manager.darwinModules.home-manager
-    inputs.nur.nixosModules.nur # doesn't sound very smart
   ];
 
   users = {

flake.lock

@@ -249,21 +249,6 @@
         "type": "github"
       }
     },
-    "nixos-sensible": {
-      "locked": {
-        "lastModified": 1711451092,
-        "narHash": "sha256-17X9t5IL4cerDvoympJPIkECVG/L/yaGr+Ic3kBBYdE=",
-        "owner": "Guanran928",
-        "repo": "nixos-sensible",
-        "rev": "23a6d9d6d5dfb2c2b89b413d900e9a4456d2c28f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Guanran928",
-        "repo": "nixos-sensible",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1722415718,
@@ -280,21 +265,6 @@
         "type": "github"
       }
     },
-    "nur": {
-      "locked": {
-        "lastModified": 1722465185,
-        "narHash": "sha256-vNu8ztiqTTAvgqYBatM/AuFn9qpJXfNuqGFYA95oVWk=",
-        "owner": "nix-community",
-        "repo": "NUR",
-        "rev": "9ba05057d90d2c8fda1f40685871c0d8dbf81402",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "NUR",
-        "type": "github"
-      }
-    },
     "pre-commit-hooks-nix": {
       "inputs": {
         "flake-compat": [
@@ -338,13 +308,10 @@
         "neovim": "neovim",
         "nix-darwin": "nix-darwin",
         "nixos-hardware": "nixos-hardware",
-        "nixos-sensible": "nixos-sensible",
         "nixpkgs": "nixpkgs",
-        "nur": "nur",
         "pre-commit-hooks-nix": "pre-commit-hooks-nix",
         "rust-overlay": "rust-overlay",
         "sops-nix": "sops-nix",
-        "srvos": "srvos",
         "systems": "systems",
         "treefmt-nix": "treefmt-nix"
       }
@@ -392,26 +359,6 @@
         "type": "github"
       }
     },
-    "srvos": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722473484,
-        "narHash": "sha256-gl0NnSdNwjuAgIHfmGSVx/2jKHNfN5ie8Ex6OTjfczY=",
-        "owner": "nix-community",
-        "repo": "srvos",
-        "rev": "46a59095dc9228a945bf1ee8160b397eb502ad6c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "srvos",
-        "type": "github"
-      }
-    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -47,21 +47,11 @@
     nixos-hardware = {
       url = "github:NixOS/nixos-hardware";
     };
-    nixos-sensible = {
-      url = "github:Guanran928/nixos-sensible";
-    };
-    nur = {
-      url = "github:nix-community/NUR";
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.nixpkgs-stable.follows = "nixpkgs";
     };
-    srvos = {
-      url = "github:nix-community/srvos";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     systems.url = "github:nix-systems/default";
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";

home/default.nix

@@ -1,5 +1,4 @@
 {
-  inputs,
   pkgs,
   config,
   lib,
@@ -28,8 +27,6 @@
 
   # Default applications
   imports = [
-    inputs.nur.hmModules.nur
-
     ./applications/atuin
     ./applications/bash
     ./applications/bat

hosts/blacksteel/anti-feature.nix

@@ -1,8 +1,5 @@
 {lib, ...}: {
   nixpkgs.config = {
-    # only needed on older version of nvidia
-    #nvidia.acceptLicense = true;
-
     allowNonSource = false;
     allowNonSourcePredicate = pkg:
       lib.elem (lib.getName pkg) [

hosts/blacksteel/default.nix

@@ -20,8 +20,6 @@
   time.timeZone = "Asia/Shanghai";
   system.stateVersion = "23.11";
 
-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-
   ######## Secrets
   sops = {
     secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {

hosts/blacksteel/hardware-configuration.nix

@@ -7,7 +7,6 @@
     inputs.nixpkgs.nixosModules.notDetected
     inputs.nixos-hardware.nixosModules.apple-macbook-pro
     inputs.nixos-hardware.nixosModules.common-cpu-intel
-    #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
     inputs.nixos-hardware.nixosModules.common-hidpi
     inputs.nixos-hardware.nixosModules.common-pc-laptop
     inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
@@ -19,9 +18,6 @@
   boot.kernelModules = ["kvm-intel" "wl"];
   boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
 
-  #hardware.nvidia.modesetting.enable = true;
-  #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-
   nixpkgs.hostPlatform = "x86_64-linux";
 
   # no disko because dual booting with macOS isnt very flexible

hosts/dust/default.nix

@@ -35,16 +35,11 @@
   programs.adb.enable = true;
   programs.localsend.enable = true;
   programs.seahorse.enable = true;
-  programs.kdeconnect = {
-    enable = true;
-    package = pkgs.valent;
-  };
 
   services.power-profiles-daemon.enable = true;
   services.gvfs.enable = true;
   services.gnome = {
     gnome-keyring.enable = true;
-    gnome-online-accounts.enable = true;
     sushi.enable = true;
   };
 
@@ -121,10 +116,15 @@
 
   services.greetd = {
     enable = true;
-    settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd sway";
+    settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd ${pkgs.writeShellScript "sway" ''
+      while read -r l; do
+        eval export $l
+      done < <(/run/current-system/systemd/lib/systemd/user-environment-generators/30-systemd-environment-d-generator)
+
+      exec systemd-cat --identifier=sway sway
+    ''}";
   };
 
-  # polkit
   security.polkit.enable = true;
   systemd.user.services.polkit-gnome-authentication-agent-1 = {
     description = "polkit-gnome-authentication-agent-1";
@@ -143,7 +143,6 @@
   security.pam.services.swaylock = {};
   xdg.portal = {
     enable = true;
-    xdgOpenUsePortal = true;
     wlr.enable = true;
     extraPortals = [pkgs.xdg-desktop-portal-gtk];
     # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf

nixos/profiles/core/default.nix

@@ -10,16 +10,13 @@
       ./hardening.nix
       ./networking.nix
       ./nix.nix
-      "${inputs.srvos}/nixos/common/well-known-hosts.nix"
+      ./zram.nix
     ]
     ++ (with inputs; [
       disko.nixosModules.disko
       home-manager.nixosModules.home-manager
       impermanence.nixosModules.impermanence
       lanzaboote.nixosModules.lanzaboote
-      nixos-sensible.nixosModules.default
-      nixos-sensible.nixosModules.zram
-      nur.nixosModules.nur
       self.nixosModules.default
       sops-nix.nixosModules.sops
     ]);
@@ -32,13 +29,11 @@
     users.guanranwang = import ../../../home;
     useGlobalPkgs = true;
     useUserPackages = true;
-    extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
+    extraSpecialArgs = {inherit inputs;};
   };
 
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
-  ### Default Programs
-  # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
   environment.systemPackages = with pkgs; [
     unzip
     wget
@@ -55,12 +50,7 @@
     usbutils
   ];
 
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
-    settings.PasswordAuthentication = false;
-  };
-
+  users.mutableUsers = false;
   users.users = rec {
     "guanranwang" = {
       isNormalUser = true;
@@ -72,7 +62,6 @@
         "nix-access-tokens"
       ];
       openssh.authorizedKeys.keys = [
-        # same as git signing
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
       ];
     };
@@ -82,10 +71,43 @@
     };
   };
 
+  boot.initrd.systemd.enable = true;
+  environment.stub-ld.enable = false;
+
+  programs.command-not-found.enable = false;
   programs.dconf.enable = true;
   programs.fish.enable = true;
-  programs.command-not-found.enable = false;
-  environment.stub-ld.enable = false;
+  programs.nano.enable = false;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  # Avoid TOFU MITM with github by providing their public key here.
+  programs.ssh.knownHosts = {
+    "github.com".hostNames = ["github.com"];
+    "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+    "gitlab.com".hostNames = ["gitlab.com"];
+    "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+    "git.sr.ht".hostNames = ["git.sr.ht"];
+    "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+  };
+
+  # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
+  services.dbus.implementation = lib.mkDefault "broker";
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
+    settings.PasswordAuthentication = false;
+  };
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
 
   documentation = {
     doc.enable = false;

nixos/profiles/core/hardening.nix

@@ -1,7 +1,5 @@
 {
   environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
-  security.sudo.execWheelOnly = true;
-
   boot.blacklistedKernelModules = [
     # Obscure network protocols
     "ax25"

nixos/profiles/core/nix.nix

@@ -26,7 +26,7 @@
       "no-url-literals"
     ];
     flake-registry = "";
-    trusted-users = ["@wheel"];
+    trusted-users = ["root" "@wheel"];
     allow-import-from-derivation = false;
     auto-allocate-uids = true;
     auto-optimise-store = true;

nixos/profiles/core/zram.nix

@@ -0,0 +1,17 @@
+{lib, ...}: {
+  services.zram-generator = {
+    enable = true;
+    settings.zram0 = {
+      compression-algorithm = lib.mkDefault "zstd";
+      zram-size = lib.mkDefault "ram";
+    };
+  };
+
+  # https://wiki.archlinux.org/title/Zram#Optimizing_swap_on_zram
+  boot.kernel.sysctl = {
+    "vm.swappiness" = 180;
+    "vm.watermark_boost_factor" = 0;
+    "vm.watermark_scale_factor" = 125;
+    "vm.page-cluster" = 0;
+  };
+}

nixos/profiles/server/default.nix

@@ -1,5 +1,12 @@
-{inputs, ...}: {
-  imports = [
-    inputs.srvos.nixosModules.mixins-terminfo
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    alacritty.terminfo
+    kitty.terminfo
+    foot.terminfo
+    tmux.terminfo
+    wezterm.terminfo
   ];
+
+  # TODO: colmena
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
 }