diff --git a/nixos/profiles/core/default.nix b/nixos/profiles/core/default.nix
index 4da299e..45c1b0c 100644
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@@ -5,9 +5,9 @@ ... }: { imports = [ + ./hardening ./nix ./packages - ./sysctl.nix # Flake modules inputs.self.nixosModules.default
@@ -18,124 +18,65 @@ inputs.sops-nix.nixosModules.sops ]; - # Flake overlays - nixpkgs.overlays = [ - inputs.berberman.overlays.default - ]; - - boot.initrd.systemd.enable = true; - boot.loader = { - efi.canTouchEfiVariables = true; - systemd-boot = { - enable = lib.mkDefault true; # mkDefault for Lanzaboote - editor = false; # Disabled for security - ### Utilities - #netbootxyz.enable = true; - #memtest86.enable = true; - }; - }; - users.mutableUsers = false; - - # Programs - environment.defaultPackages = []; - programs = { - dconf.enable = true; - nano.enable = false; # make sure to add another editor and set the $EDITOR variable, in this case I am using neovim - neovim = { - enable = true; - viAlias = true; - vimAlias = true; - defaultEditor = true; - }; - }; - - # WORKAROUND: Revert to NVIDIA version 470.223.02 due to performance issues in version 545.29.06, - # this shouldn't affect non-nvidia machines. - nixpkgs.config.nvidia.acceptLicense = true; - hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; - - # Services - services = { - getty.greetingLine = let - inherit (config.system) nixos; - in '' - NixOS ${nixos.label} ${nixos.codeName} (\m) - \l - ${lib.strings.optionalString (builtins.elem "nvidia" config.services.xserver.videoDrivers) - "--my-next-gpu-wont-be-nvidia"} - ${lib.strings.optionalString (builtins.elem "amdgpu" config.boot.initrd.kernelModules) - "[ 5.996722] amdgpu 0000:67:00.0: Fatal error during GPU init"} - ''; - - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - }; - - #cron.enable = true; - #dbus.enable = true; - - # BTRFS De-Dupe - # bruh how to make it not a background job - # i want to run it manually - #beesd.filesystems = { - # root = { - # spec = "UUID=3e10ff73-e1f7-4b39-88f5-7f31dcc8f38c"; - # hashTableSizeMB = 2048; - # verbosity = "crit"; - # #extraOptions = [ "--loadavg-target" "5.0" ]; - # }; - #}; - }; - home-manager = { useGlobalPkgs = 
true; useUserPackages = true; extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ??? }; - ### Basic hardening - # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix - # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html - # - # also see: ./sysctl.nix - - environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id - security = { - apparmor.enable = true; - sudo.execWheelOnly = true; + ### Boot + boot.initrd.systemd.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.systemd-boot = { + enable = lib.mkDefault true; # mkDefault for Lanzaboote + editor = false; # Disabled for security + ### Utilities + #netbootxyz.enable = true; + #memtest86.enable = true; }; - boot.blacklistedKernelModules = [ - # Obscure network protocols - "ax25" - "netrom" - "rose" + ### Default Programs + environment.defaultPackages = []; + programs.dconf.enable = true; + programs.nano.enable = false; # make sure to add another editor and set the $EDITOR variable + programs.neovim = { + enable = true; + viAlias = true; + vimAlias = true; + defaultEditor = true; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + settings.PasswordAuthentication = false; + }; + services.getty.greetingLine = let + inherit (config.system) nixos; + in '' + NixOS ${nixos.label} ${nixos.codeName} (\m) - \l + ${lib.strings.optionalString (builtins.elem "nvidia" config.services.xserver.videoDrivers) + "--my-next-gpu-wont-be-nvidia"} + ${lib.strings.optionalString (builtins.elem "amdgpu" config.boot.initrd.kernelModules) + "[ 5.996722] amdgpu 0000:67:00.0: Fatal error during GPU init"} + ''; - # Old or rare or insufficiently audited filesystems - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" - ]; + ### WORKAROUND: 
Revert to NVIDIA version 470.223.02 due to performance issues in version 545.29.06,
+ # this shouldn't affect non-nvidia machines.
+ nixpkgs.config.nvidia.acceptLicense = true;
+ hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+
+ ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
+ boot.kernelModules = ["tcp_bbr"];
+ boot.kernel.sysctl = {
+ "net.ipv4.tcp_fastopen" = "3";
+
+ "net.ipv4.tcp_keepalive_time" = "80";
+ "net.ipv4.tcp_keepalive_intvl" = "10";
+ "net.ipv4.tcp_keepalive_probes" = "6";
+ "net.ipv4.tcp_mtu_probing" = "1";
+
+ "net.core.default_qdisc" = "cake";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
 }
diff --git a/nixos/profiles/core/hardening/default.nix b/nixos/profiles/core/hardening/default.nix
new file mode 100644
index 0000000..6c8b30f
--- /dev/null
+++ b/nixos/profiles/core/hardening/default.nix
@@ -0,0 +1,39 @@
+_: {
+ ### Basic hardening
+ # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+ # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
+
+ environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
+ security.apparmor.enable = true;
+ security.sudo.execWheelOnly = true;
+
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+}
diff --git a/nixos/profiles/core/sysctl.nix b/nixos/profiles/core/hardening/sysctl.nix
similarity index 82%
rename from nixos/profiles/core/sysctl.nix
rename to nixos/profiles/core/hardening/sysctl.nix
index 7725401..28dda70 100644
--- a/nixos/profiles/core/sysctl.nix
+++ b/nixos/profiles/core/hardening/sysctl.nix
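Review bot: `users.mutableUsers = false;` is removed in this hunk and re-added nowhere in the diff, neither in the restructured core module nor in the new hardening module, so the host falls back to the NixOS default of mutable users and any account or password changed imperatively will persist and drift from the declarative config. If the setting now lives in a module outside this diff, a one-line comment next to the `### Boot` section saying where would save the next reader the search; otherwise restore it alongside the other hardening lines, e.g. `users.mutableUsers = false;` under `security.sudo.execWheelOnly` in `hardening/default.nix`. The `nixpkgs.overlays` removal is consistent with the fcitx5 hunk switching to `inputs.berberman.packages` directly, so that part needs no follow-up.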
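Review bot: The new `hardening/default.nix` does not import `./sysctl.nix`, while `core/default.nix` replaces its `./sysctl.nix` import with `./hardening`, so the renamed `hardening/sysctl.nix` (the kernel self-protection and `fs.protected_*` sysctls in the third file's two hunks) is no longer evaluated by any module and those settings silently drop out of the built system. Unless a module loader outside this diff picks the file up automatically, add `imports = [./sysctl.nix];` directly after `_: {` here. The removed `# also see: ./sysctl.nix` cross-reference is also gone; a pointer such as `# see ./sysctl.nix for the kernel/network sysctl hardening` above the `### Basic hardening` refs would keep that navigation aid.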
@@ -1,5 +1,4 @@
 _: {
- boot.kernelModules = ["tcp_bbr"];
 boot.kernel.sysctl = {
 ### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
 # Kernel self-protection
@@ -47,16 +46,5 @@ _: {
 "fs.protected_hardlinks" = "1";
 "fs.protected_fifos" = "2";
 "fs.protected_regular" = "2";
-
- ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
- "net.ipv4.tcp_fastopen" = "3";
-
- "net.ipv4.tcp_keepalive_time" = "80";
- "net.ipv4.tcp_keepalive_intvl" = "10";
- "net.ipv4.tcp_keepalive_probes" = "6";
- "net.ipv4.tcp_mtu_probing" = "1";
-
- "net.core.default_qdisc" = "cake";
- "net.ipv4.tcp_congestion_control" = "bbr";
 };
 }
diff --git a/users/guanranwang/home-manager/applications/fcitx5/default.nix b/users/guanranwang/home-manager/applications/fcitx5/default.nix
index 61164b7..7e93015 100644
--- a/users/guanranwang/home-manager/applications/fcitx5/default.nix
+++ b/users/guanranwang/home-manager/applications/fcitx5/default.nix
@@ -1,13 +1,19 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ inputs,
+ ...
+}: {
 i18n.inputMethod = {
 enabled = "fcitx5";
- fcitx5.addons = with pkgs; [
- fcitx5-chinese-addons
- fcitx5-pinyin-moegirl # Using Berberman's Flake overlay
- fcitx5-pinyin-zhwiki
-
- #fcitx5-rime
- ];
+ fcitx5.addons =
+ (with pkgs; [
+ fcitx5-chinese-addons
+ #fcitx5-rime
+ ])
+ ++ (with inputs.berberman.packages.${pkgs.system}; [
+ fcitx5-pinyin-moegirl
+ fcitx5-pinyin-zhwiki
+ ]);
 };
 home.sessionVariables = {