treewide: cleanup

2024-08-02 06:17:30 +08:00 · 2024-08-02 06:17:30 +08:00 · 814a5863a8
commit 814a5863a8
parent 8d6491129b
13 changed files with 73 additions and 106 deletions
--- a/darwin/profiles/common/core/default.nix
+++ b/darwin/profiles/common/core/default.nix
@ -14,7 +14,6 @@

    inputs.self.darwinModules.default
    inputs.home-manager.darwinModules.home-manager
-    inputs.nur.nixosModules.nur # doesn't sound very smart
  ];

  users = {
--- a/flake.lock
+++ b/flake.lock
@ -249,21 +249,6 @@
        "type": "github"
      }
    },
-    "nixos-sensible": {
-      "locked": {
-        "lastModified": 1711451092,
-        "narHash": "sha256-17X9t5IL4cerDvoympJPIkECVG/L/yaGr+Ic3kBBYdE=",
-        "owner": "Guanran928",
-        "repo": "nixos-sensible",
-        "rev": "23a6d9d6d5dfb2c2b89b413d900e9a4456d2c28f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Guanran928",
-        "repo": "nixos-sensible",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1722415718,
@ -280,21 +265,6 @@
        "type": "github"
      }
    },
-    "nur": {
-      "locked": {
-        "lastModified": 1722465185,
-        "narHash": "sha256-vNu8ztiqTTAvgqYBatM/AuFn9qpJXfNuqGFYA95oVWk=",
-        "owner": "nix-community",
-        "repo": "NUR",
-        "rev": "9ba05057d90d2c8fda1f40685871c0d8dbf81402",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "NUR",
-        "type": "github"
-      }
-    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -338,13 +308,10 @@
        "neovim": "neovim",
        "nix-darwin": "nix-darwin",
        "nixos-hardware": "nixos-hardware",
-        "nixos-sensible": "nixos-sensible",
        "nixpkgs": "nixpkgs",
-        "nur": "nur",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "rust-overlay": "rust-overlay",
        "sops-nix": "sops-nix",
-        "srvos": "srvos",
        "systems": "systems",
        "treefmt-nix": "treefmt-nix"
      }
@ -392,26 +359,6 @@
        "type": "github"
      }
    },
-    "srvos": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722473484,
-        "narHash": "sha256-gl0NnSdNwjuAgIHfmGSVx/2jKHNfN5ie8Ex6OTjfczY=",
-        "owner": "nix-community",
-        "repo": "srvos",
-        "rev": "46a59095dc9228a945bf1ee8160b397eb502ad6c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "srvos",
-        "type": "github"
-      }
-    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -47,21 +47,11 @@
    nixos-hardware = {
      url = "github:NixOS/nixos-hardware";
    };
-    nixos-sensible = {
-      url = "github:Guanran928/nixos-sensible";
-    };
-    nur = {
-      url = "github:nix-community/NUR";
-    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs-stable.follows = "nixpkgs";
    };
-    srvos = {
-      url = "github:nix-community/srvos";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
    systems.url = "github:nix-systems/default";
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
--- a/home/default.nix
+++ b/home/default.nix
@ -1,5 +1,4 @@
 {
-  inputs,
  pkgs,
  config,
  lib,
@ -28,8 +27,6 @@

  # Default applications
  imports = [
-    inputs.nur.hmModules.nur
-
    ./applications/atuin
    ./applications/bash
    ./applications/bat
--- a/hosts/blacksteel/anti-feature.nix
+++ b/hosts/blacksteel/anti-feature.nix
@ -1,8 +1,5 @@
 {lib, ...}: {
  nixpkgs.config = {
-    # only needed on older version of nvidia
-    #nvidia.acceptLicense = true;
-
    allowNonSource = false;
    allowNonSourcePredicate = pkg:
      lib.elem (lib.getName pkg) [
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -20,8 +20,6 @@
  time.timeZone = "Asia/Shanghai";
  system.stateVersion = "23.11";

-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-
  ######## Secrets
  sops = {
    secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
--- a/hosts/blacksteel/hardware-configuration.nix
+++ b/hosts/blacksteel/hardware-configuration.nix
@ -7,7 +7,6 @@
    inputs.nixpkgs.nixosModules.notDetected
    inputs.nixos-hardware.nixosModules.apple-macbook-pro
    inputs.nixos-hardware.nixosModules.common-cpu-intel
-    #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
    inputs.nixos-hardware.nixosModules.common-hidpi
    inputs.nixos-hardware.nixosModules.common-pc-laptop
    inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
@ -19,9 +18,6 @@
  boot.kernelModules = ["kvm-intel" "wl"];
  boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];

-  #hardware.nvidia.modesetting.enable = true;
-  #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-
  nixpkgs.hostPlatform = "x86_64-linux";

  # no disko because dual booting with macOS isnt very flexible
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@ -35,16 +35,11 @@
  programs.adb.enable = true;
  programs.localsend.enable = true;
  programs.seahorse.enable = true;
-  programs.kdeconnect = {
-    enable = true;
-    package = pkgs.valent;
-  };

  services.power-profiles-daemon.enable = true;
  services.gvfs.enable = true;
  services.gnome = {
    gnome-keyring.enable = true;
-    gnome-online-accounts.enable = true;
    sushi.enable = true;
  };

@ -121,10 +116,15 @@

  services.greetd = {
    enable = true;
-    settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd sway";
+    settings.default_session.command = "${lib.getExe pkgs.greetd.tuigreet} --cmd ${pkgs.writeShellScript "sway" ''
+      while read -r l; do
+        eval export $l
+      done < <(/run/current-system/systemd/lib/systemd/user-environment-generators/30-systemd-environment-d-generator)
+
+      exec systemd-cat --identifier=sway sway
+    ''}";
  };

-  # polkit
  security.polkit.enable = true;
  systemd.user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
@ -143,7 +143,6 @@
  security.pam.services.swaylock = {};
  xdg.portal = {
    enable = true;
-    xdgOpenUsePortal = true;
    wlr.enable = true;
    extraPortals = [pkgs.xdg-desktop-portal-gtk];
    # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@ -10,16 +10,13 @@
      ./hardening.nix
      ./networking.nix
      ./nix.nix
-      "${inputs.srvos}/nixos/common/well-known-hosts.nix"
+      ./zram.nix
    ]
    ++ (with inputs; [
      disko.nixosModules.disko
      home-manager.nixosModules.home-manager
      impermanence.nixosModules.impermanence
      lanzaboote.nixosModules.lanzaboote
-      nixos-sensible.nixosModules.default
-      nixos-sensible.nixosModules.zram
-      nur.nixosModules.nur
      self.nixosModules.default
      sops-nix.nixosModules.sops
    ]);
@ -32,13 +29,11 @@
    users.guanranwang = import ../../../home;
    useGlobalPkgs = true;
    useUserPackages = true;
-    extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
+    extraSpecialArgs = {inherit inputs;};
  };

  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;

-  ### Default Programs
-  # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
  environment.systemPackages = with pkgs; [
    unzip
    wget
@ -55,12 +50,7 @@
    usbutils
  ];

-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
-    settings.PasswordAuthentication = false;
-  };
-
+  users.mutableUsers = false;
  users.users = rec {
    "guanranwang" = {
      isNormalUser = true;
@ -72,7 +62,6 @@
        "nix-access-tokens"
      ];
      openssh.authorizedKeys.keys = [
-        # same as git signing
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
      ];
    };
@ -82,10 +71,43 @@
    };
  };

+  boot.initrd.systemd.enable = true;
+  environment.stub-ld.enable = false;
+
+  programs.command-not-found.enable = false;
  programs.dconf.enable = true;
  programs.fish.enable = true;
-  programs.command-not-found.enable = false;
-  environment.stub-ld.enable = false;
+  programs.nano.enable = false;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  # Avoid TOFU MITM with github by providing their public key here.
+  programs.ssh.knownHosts = {
+    "github.com".hostNames = ["github.com"];
+    "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+    "gitlab.com".hostNames = ["gitlab.com"];
+    "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+    "git.sr.ht".hostNames = ["git.sr.ht"];
+    "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+  };
+
+  # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
+  services.dbus.implementation = lib.mkDefault "broker";
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
+    settings.PasswordAuthentication = false;
+  };
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';

  documentation = {
    doc.enable = false;
--- a/nixos/profiles/core/hardening.nix
+++ b/nixos/profiles/core/hardening.nix
@ -1,7 +1,5 @@
 {
  environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
-  security.sudo.execWheelOnly = true;
-
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
--- a/nixos/profiles/core/nix.nix
+++ b/nixos/profiles/core/nix.nix
@ -26,7 +26,7 @@
      "no-url-literals"
    ];
    flake-registry = "";
-    trusted-users = ["@wheel"];
+    trusted-users = ["root" "@wheel"];
    allow-import-from-derivation = false;
    auto-allocate-uids = true;
    auto-optimise-store = true;
--- a/nixos/profiles/core/zram.nix
+++ b/nixos/profiles/core/zram.nix
@ -0,0 +1,17 @@
+{lib, ...}: {
+  services.zram-generator = {
+    enable = true;
+    settings.zram0 = {
+      compression-algorithm = lib.mkDefault "zstd";
+      zram-size = lib.mkDefault "ram";
+    };
+  };
+
+  # https://wiki.archlinux.org/title/Zram#Optimizing_swap_on_zram
+  boot.kernel.sysctl = {
+    "vm.swappiness" = 180;
+    "vm.watermark_boost_factor" = 0;
+    "vm.watermark_scale_factor" = 125;
+    "vm.page-cluster" = 0;
+  };
+}
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@ -1,5 +1,12 @@
-{inputs, ...}: {
-  imports = [
-    inputs.srvos.nixosModules.mixins-terminfo
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    alacritty.terminfo
+    kitty.terminfo
+    foot.terminfo
+    tmux.terminfo
+    wezterm.terminfo
  ];
+
+  # TODO: colmena
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
 }