mirror of https://github.com/RGBCube/ncc synced 2025-07-27 18:17:44 +00:00

Start refactor

RGBCube 2025-01-11 15:51:21 +03:00
parent 99b7ccfadb
commit 06cce18e72
155 changed files with 2139 additions and 3738 deletions

7
modules/linux/crash.nix Normal file

@ -0,0 +1,7 @@
{ config, lib, pkgs, ... }: let
inherit (lib) getExe;
in {
environment.sessionVariables.SHELLS = getExe config.environment.sessionVariables.SHELL;
users.defaultUserShell = pkgs.crash;
}


@ -0,0 +1,12 @@
{ lib, ... }: let
inherit (lib) enabled disabled;
in {
documentation = {
doc = disabled;
info = disabled;
man = enabled {
generateCaches = true;
};
};
}


@ -0,0 +1,9 @@
{ config, lib, ... }: let
inherit (lib) remove;
in {
boot.binfmt.emulatedSystems = remove config.nixpkgs.hostPlatform.system [
"aarch64-linux"
"riscv64-linux"
"x86_64-linux"
];
}


@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }: let
inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
fakeSSHPort = 22;
in merge <| mkIf config.isServer {
config.services.prometheus.exporters.endlessh-go = enabled {
listenAddress = "[::]";
};
# `services.endlessh-go.openFirewall` exposes both the Prometheus
# exporters port and the SSH port, and we don't want the metrics
# to leak, so we manually expose this like so.
config.networking.firewall.allowedTCPPorts = [ fakeSSHPort ];
config.services.endlessh-go = enabled {
listenAddress = "[::]";
port = fakeSSHPort;
extraOptions = [
"-alsologtostderr"
"-geoip_supplier max-mind-db"
"-max_mind_db ${pkgs.clash-geoip}/etc/clash/Country.mmdb"
];
prometheus = config.services.prometheus.exporters.endlessh-go;
};
# And yes, I've tried lib.mkAliasOptionModule.
# It doesn't work for a mysterious reason,
# says it can't find `services.prometheus.exporters.endlessh-go`.
#
# This works, however.
#
# TODO: I may be stupid, because the above note says that I tried
# to alias to a nonexistent option, rather than the other way around.
# Let's try mkAliasOptionModule again later.
options.services.prometheus.exporters.endlessh-go = {
enable = mkEnableOption "Prometheus integration";
listenAddress = mkOption {
type = types.str;
default = "0.0.0.0";
};
port = mkOption {
type = types.port;
default = 2112;
};
};
}
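Review bot: The exporter's `listenAddress = "[::]"` binds the endlessh-go metrics endpoint on every interface, so the "we don't want the metrics to leak" goal stated in the comment above `allowedTCPPorts` holds only as long as the firewall stays closed for the metrics port (default `2112` here). If the scraper reaches this host over a single interface, binding the exporter to that address would make the intent independent of firewall state; otherwise a comment such as `# metrics listen on all interfaces; reachability is limited by the firewall only` would record the dependency. The node exporter section later in this commit uses the same `listenAddress = "[::]"` and the same consideration applies there.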

28
modules/linux/firefox.nix Normal file

@ -0,0 +1,28 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
home-manager.sharedModules = [{
programs.firefox = enabled {
profiles.default = {
settings = with config.theme.font; {
"general.autoScroll" = true;
"privacy.donottrackheader.enabled" = true;
"browser.fixup.domainsuffixwhitelist.idk" = true;
"font.name.serif.x-western" = sans.name;
"font.size.variable.x-western" = builtins.ceil (1.3 * size.normal);
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
};
userChrome = ''
#TabsToolbar {
visibility: collapse;
}
'';
};
};
}];
}

25
modules/linux/fonts.nix Normal file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }: let
inherit (lib) disabled merge mkIf;
in merge
(mkIf config.isDesktop {
console = {
earlySetup = true;
font = "Lat2-Terminus16";
packages = [ pkgs.terminus_font ];
};
fonts.packages = [
config.theme.font.sans.package
config.theme.font.mono.package
pkgs.noto-fonts
pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-lgc-plus
pkgs.noto-fonts-emoji
];
})
(mkIf config.isServer {
fonts.fontconfig = disabled;
})

26
modules/linux/gtk.nix Normal file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }: let
inherit (lib) enabled mkIf merge;
in merge <| mkIf config.isDesktop {
programs.dconf = enabled;
home-manager.sharedModules = [{
gtk = enabled {
gtk3.extraCss = config.theme.adwaitaGtkCss;
gtk4.extraCss = config.theme.adwaitaGtkCss;
font = with config.theme.font; {
inherit (sans) name package;
size = size.normal;
};
iconTheme = config.theme.icons;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
}];
}


@ -0,0 +1,50 @@
{ config, lib, ... }: let
inherit (lib) merge mkIf;
in merge <| mkIf config.isDesktop {
home-manager.sharedModules = [{
services.dunst = with config.theme.withHashtag; enabled {
iconTheme = icons;
settings.global = {
width = "(300, 900)";
dmenu = "fuzzel --dmenu";
corner_radius = cornerRadius;
gap_size = margin;
horizontal_padding = padding;
padding = padding;
frame_color = base0A;
frame_width = borderWidth;
separator_color = "frame";
background = base00;
foreground = base05;
alignment = "center";
font = "${font.sans.name} ${toString font.size.normal}";
min_icon_size = 64;
offset = "0x${toString margin}";
origin = "top-center";
};
settings.urgency_low = {
frame_color = base0A;
timeout = 5;
};
settings.urgency_normal = {
frame_color = base09;
timeout = 10;
};
settings.urgency_critical = {
frame_color = base08;
timeout = 15;
};
};
}];
}
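Review bot: `enabled` is used in `services.dunst = with config.theme.withHashtag; enabled {`, but the `inherit (lib)` line of this file brings in only `merge` and `mkIf`. Unless `config.theme.withHashtag` happens to expose an `enabled` attribute, this is an undefined variable at evaluation time. The sibling modules use `inherit (lib) enabled merge mkIf;`, which would fix it here as well.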

File diff suppressed because it is too large Load diff


@ -0,0 +1,61 @@
{ config, lib, ... }: let
inherit (lib) enabled mapAttrs merge mkIf replaceStrings;
in merge <| mkIf config.isDesktop {
home-manager.sharedNodules = [{
wayland.windowManager.hyprland.settings = {
bindl = [(replaceStrings [ "\n;" "\n" ] [ ";" "" ] ''
, XF86PowerOff, exec,
pkill fuzzel;
echo -en "Suspend\0icon\x1fsystem-suspend\nHibernate\0icon\x1fsystem-suspend-hibernate-alt2\nPower Off\0icon\x1fsystem-shutdown\nReboot\0icon\x1fsystem-reboot"
| fuzzel --dmenu
| tr --delete " "
| tr '[:upper:]' '[:lower:]'
| ifne xargs systemctl
'')];
bind = [
"SUPER , SPACE, exec, pkill fuzzel; fuzzel"
"SUPER , E , exec, pkill fuzzel; cat ${./emojis.txt} | fuzzel --no-fuzzy --dmenu | cut -d ' ' -f 1 | tr -d '\\n' | wl-copy"
"SUPER+ALT, E , exec, pkill fuzzel; cat ${./emojis.txt} | fuzzel --no-fuzzy --dmenu | cut -d ' ' -f 1 | tr -d '\\n' | wtype -"
"SUPER , V , exec, pkill fuzzel; cliphist list | fuzzel --dmenu | cliphist decode | wl-copy"
];
};
services.cliphist = enabled {
extraOptions = [ "-max-items" "1000" ];
};
programs.fuzzel = with config.theme; enabled {
settings.main = {
dpi-aware = false;
font = "${font.sans.name}:size=${toString font.size.big}";
icon-theme = icons.name;
layer = "overlay";
prompt = ''" "'';
terminal = "ghostty -e";
tabs = 4;
horizontal-pad = padding;
vertical-pad = padding;
inner-pad = padding;
};
settings.colors = mapAttrs (_: color: color + "FF") {
background = base00;
text = base05;
match = base0A;
selection = base05;
selection-text = base00;
border = base0A;
};
settings.border = {
radius = cornerRadius;
width = borderWidth;
};
};
}];
}
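Review bot: `home-manager.sharedNodules` looks like a typo for `home-manager.sharedModules`, the spelling every other module in this commit uses. As written, the fuzzel, cliphist and keybinding settings are assigned to an option that presumably does not exist, so they would either fail evaluation or never reach the user configuration. The line should read `home-manager.sharedModules = [{`.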


@ -0,0 +1,16 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
services.geoclue2 = enabled {
appConfig.gammstep = {
isAllowed = true;
isSystem = false;
};
};
home-manager.sharedModules = [{
services.gammastep = enabled {
provider = "geoclue2";
};
}];
}
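Review bot: `appConfig.gammstep` is missing an `a`, while the service enabled just below is `services.gammastep`. The geoclue per-application entry is presumably matched against the application's name, so the `isAllowed = true` grant would not apply to gammastep and its location requests would fall under whatever the default policy is. Suggested: `appConfig.gammastep = {`.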


@ -0,0 +1,243 @@
{ config, lib, pkgs, ... }: let
inherit (lib) enabled merge mkIf flatten range;
in merge <| mkIf config.isDesktop {
hardware.graphics = enabled;
services.logind.powerKey = "ignore";
xdg.portal = enabled {
config.common.default = "*";
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];
configPackages = with pkgs; [
hyprland
];
};
programs.xwayland = enabled;
environment.systemPackages = [
pkgs.brightnessctl
pkgs.grim
# pkgs.hyprpicker
pkgs.slurp
pkgs.swappy
pkgs.swaybg
pkgs.wl-clipboard
pkgs.wtype
pkgs.xdg-utils
pkgs.xwaylandvideobridge
];
home-manager.sharedModules = [{
xdg.configFile."xkb/symbols/tr-swapped-i".text = ''
default partial
xkb_symbols "basic" {
include "tr(basic)"
name[Group1]="Turkish (i and ı swapped)";
key <AC11> { type[group1] = "FOUR_LEVEL_SEMIALPHABETIC", [ idotless, Iabovedot, paragraph , none ]};
key <AD08> { type[group1] = "FOUR_LEVEL_SEMIALPHABETIC", [ i , I , apostrophe, dead_caron ]};
};
'';
wayland.windowManager.hyprland = enabled {
systemd = enabled {
enableXdgAutostart = true;
};
# plugins = with pkgs; [ hyprcursors ];
# settings.plugin.dynamic-cursors = {
# mode = "rotate";
# shake = {
# threshold = 3;
# effects = true;
# nearest = false;
# };
# };
settings = {
monitor = [ ", preferred, auto, 1.5" ];
windowrule = [ "noinitialfocus" ];
windowrulev2 = [ "workspace special silent, initialclass:^(xwaylandvideobridge)$" ];
exec = [ "pkill swaybg; swaybg --image ${./wallpaper.png}" ];
bindle = [
", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+ --limit 1.5"
", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
", XF86MonBrightnessUp , exec, brightnessctl set 5%+"
", XF86MonBrightnessDown, exec, brightnessctl set --min-value=0 5%-"
"SUPER, Prior, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+ --limit 1.5"
"SUPER, Next , exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
"SUPER, Home, exec, brightnessctl set 5%+"
"SUPER, End , exec, brightnessctl set --min-value=0 5%-"
];
bindl = [
", XF86AudioMute , exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
", XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
"SUPER+ALT, Insert, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
"SUPER+ALT, Delete, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
];
bindm = [
"SUPER, mouse:272, movewindow"
"SUPER, mouse:274, movewindow"
"SUPER, mouse:273, resizewindow"
];
binde = [
"SUPER, left , movefocus, l"
"SUPER, down , movefocus, d"
"SUPER, up , movefocus, u"
"SUPER, right, movefocus, r"
"SUPER, h, movefocus, l"
"SUPER, j, movefocus, d"
"SUPER, k, movefocus, u"
"SUPER, l, movefocus, r"
"SUPER+CTRL, left , resizeactive, -100 0"
"SUPER+CTRL, down , resizeactive, 0 100"
"SUPER+CTRL, up , resizeactive, 0 -100"
"SUPER+CTRL, right, resizeactive, 100 0"
"SUPER+CTRL, h, resizeactive, -100 0"
"SUPER+CTRL, j, resizeactive, 0 100"
"SUPER+CTRL, k, resizeactive, 0 -100"
"SUPER+CTRL, l, resizeactive, 100 0"
];
bind = flatten [
"SUPER , TAB, workspace, e+1"
"SUPER+ALT, TAB, workspace, e-1"
"SUPER, mouse_up, workspace, e+1"
"SUPER, mouse_down, workspace, e-1"
(map (n: [
"SUPER , ${toString n}, workspace , ${toString n}"
"SUPER+ALT, ${toString n}, movetoworkspacesilent, ${toString n}"
]) <| range 1 9)
"SUPER , 0, workspace , 10"
"SUPER+ALT, 0, movetoworkspacesilent, 10"
"SUPER+ALT, left , movewindow, l"
"SUPER+ALT, down , movewindow, d"
"SUPER+ALT, up , movewindow, u"
"SUPER+ALT, right, movewindow, r"
"SUPER+ALT, h, movewindow, l"
"SUPER+ALT, j, movewindow, d"
"SUPER+ALT, k, movewindow, u"
"SUPER+ALT, l, movewindow, r"
"SUPER , Q, killactive"
"SUPER , F, fullscreen"
"SUPER+ALT, F, togglefloating"
"SUPER+ALT, RETURN, exec, kitty"
"SUPER , RETURN, exec, ghostty --gtk-single-instance=true"
"SUPER , W , exec, firefox"
"SUPER , D , exec, discord"
"SUPER , Z , exec, zulip"
"SUPER , M , exec, thunderbird"
"SUPER , T , exec, thunar"
# "SUPER , C , exec, hyprpicker --autocopy"
" , PRINT, exec, pkill grim; grim -g \"$(slurp -w 0)\" - | swappy -f - -o - | wl-copy --type image/png"
"ALT, PRINT, exec, pkill grim; grim - | swappy -f - -o - | wl-copy --type image/png"
];
general = with config.theme; {
gaps_in = margin / 2;
gaps_out = margin;
border_size = borderWidth;
"col.active_border" = "0xFF${base0A}";
"col.nogroup_border_active" = "0xFF${base0A}";
"col.inactive_border" = "0xFF${base01}";
"col.nogroup_border" = "0xFF${base01}";
resize_on_border = true;
};
decoration = {
drop_shadow = false;
rounding = config.theme.cornerRadius;
blur.enabled = false;
};
input = {
follow_mouse = 1;
kb_layout = "tr-swapped-i";
repeat_delay = 400;
repeat_rate = 100;
touchpad = {
clickfinger_behavior = true;
drag_lock = true;
natural_scroll = true;
scroll_factor = 0.7;
};
};
gestures.workspace_swipe = true;
animations = {
bezier = [ "material_decelerate, 0.05, 0.7, 0.1, 1" ];
animation = [
"border , 1, 2, material_decelerate"
"fade , 1, 2, material_decelerate"
"layers , 1, 2, material_decelerate"
"windows , 1, 2, material_decelerate, popin 80%"
"workspaces, 1, 2, material_decelerate"
];
};
misc = {
animate_manual_resizes = true;
background_color = config.theme.with0x.base00;
disable_hyprland_logo = true;
disable_splash_rendering = true;
key_press_enables_dpms = true;
mouse_move_enables_dpms = true;
};
cursor = {
hide_on_key_press = true;
inactive_timeout = 10;
no_warps = true;
};
dwindle = {
preserve_split = true;
smart_resizing = false;
};
debug.error_position = 1;
};
};
}];
}


@ -0,0 +1,144 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
home-manager.sharedModules = [{
wayland.windowManager.hyprland.settings = {
exec = [ "pkill --signal SIGUSR2 waybar" ];
bind = [ "SUPER, B, exec, pkill --signal SIGUSR1 waybar" ];
};
programs.waybar = with config.theme.withHashtag; enabled {
systemd = enabled;
settings = [{
layer = "top";
height = 2 * cornerRadius;
margin-right = margin;
margin-left = margin;
margin-top = margin;
modules-left = [ "hyprland/workspaces" ];
"hyprland/workspaces" = {
format = "{icon}";
format-icons.default = "";
format-icons.active = "";
persistent-workspaces."*" = 10;
};
modules-center = [
"hyprland/window"
];
"hyprland/window" = {
separate-outputs = true;
rewrite."(.*) - Discord" = "󰙯$1";
rewrite."(.*) Mozilla Firefox" = "󰖟$1";
rewrite."(.*) nu" = "$1";
};
modules-right = [ "tray" "pulseaudio" "backlight" "cpu" "memory" "network" "battery" "clock" ];
tray = {
reverse-direction = true;
spacing = 5;
};
pulseaudio = {
format = "{format_source} {icon}{volume}%";
format-muted = "{format_source} 󰸈";
format-bluetooth = "{format_source} 󰋋󰂯{volume}%";
format-bluetooth-muted = "{format_source} 󰟎󰂯";
format-source = "󰍬";
format-source-muted = "󰍭";
format-icons.default = [ "󰕿" "󰖀" "󰕾" ];
};
backlight = {
format = "{icon}{percent}%";
format-icons = [ "" "" "" "" "" "" "" "" "" ];
};
cpu.format = "{usage}%";
memory.format = "󰽘{}%";
network = {
format-disconnected = "󰤮";
format-ethernet = "󰈀{ipaddr}/{cidr}";
format-linked = "{ifname} (No IP)";
format-wifi = "{signalStrength}%";
};
battery = {
format = "{icon}{capacity}%";
format-charging = "󰂄{capacity}%";
format-plugged = "󰂄{capacity}%";
format-icons = [ "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
states.warning = 30;
states.critical = 15;
};
clock.tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
}];
style = ''
* {
border: none;
border-radius: ${toString cornerRadius}px;
font-family: "${font.sans.name}";
}
.modules-right {
margin-right: ${toString padding}px;
}
#waybar {
background: ${base00};
color: ${base05};
}
#workspaces button:nth-child(1) { color: ${base08}; }
#workspaces button:nth-child(2) { color: ${base09}; }
#workspaces button:nth-child(3) { color: ${base0A}; }
#workspaces button:nth-child(4) { color: ${base0B}; }
#workspaces button:nth-child(5) { color: ${base0C}; }
#workspaces button:nth-child(6) { color: ${base0D}; }
#workspaces button:nth-child(7) { color: ${base0E}; }
#workspaces button:nth-child(8) { color: ${base0F}; }
#workspaces button:nth-child(9) { color: ${base04}; }
#workspaces button:nth-child(10) { color: ${base06}; }
#workspaces button.empty {
color: ${base02};
}
#tray, #pulseaudio, #backlight, #cpu, #memory, #network, #battery, #clock {
margin-left: 20px;
}
@keyframes blink {
to {
color: ${base05};
}
}
#battery.critical:not(.charging) {
animation-direction: alternate;
animation-duration: 0.5s;
animation-iteration-count: infinite;
animation-name: blink;
animation-timing-function: linear;
color: ${base08};
}
'';
};
}];
}

136
modules/linux/kernel.nix Normal file

@ -0,0 +1,136 @@
{ pkgs, ... }: {
boot.kernelPackages = pkgs.linuxPackages_latest;
# Credits:
# - https://github.com/NotAShelf/nyx/blob/main/modules/core/common/system/security/kernel.nix
# - "hsslister" user - raf (NotAShelf) - "I actually forgot the dudes GitHub"
boot.kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
# Hide kptrs even for processes with CAP_SYSLOG.
# Also prevents printing kernel pointers.
"kernel.kptr_restrict" = 2;
# Disable bpf() JIT (to eliminate spray attacks).
"net.core.bpf_jit_enable" = false;
# Disable ftrace debugging.
"kernel.ftrace_enabled" = false;
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
"kernel.dmesg_restrict" = 1;
# Prevent unintentional fifo writes.
"fs.protected_fifos" = 2;
# Prevent unintended writes to already-created files.
"fs.protected_regular" = 2;
# Disable SUID binary dump.
"fs.suid_dumpable" = 0;
# Disallow profiling at all levels without CAP_SYS_ADMIN.
"kernel.perf_event_paranoid" = 3;
# Require CAP_BPF to use bpf.
"kernel.unprvileged_bpf_disabled" = 1;
};
# https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
boot.kernelParams = [
# Make stack-based attacks on the kernel harder.
"randomize_kstack_offset=on"
# Controls the behavior of vsyscalls. This has been defaulted to none back in 2016 - break really old binaries for security.
"vsyscall=none"
# Reduce most of the exposure of a heap attack to a single cache.
"slab_nomerge"
# Only allow signed modules.
"module.sig_enforce=1"
# Blocks access to all kernel memory, even preventing administrators from being able to inspect and probe the kernel.
"lockdown=confidentiality"
# Enable buddy allocator free poisoning.
"page_poison=1"
# Performance improvement for direct-mapped memory-side-cache utilization, reduces the predictability of page allocations.
"page_alloc.shuffle=1"
# Disable sysrq keys. sysrq is seful for debugging, but also insecure.
"sysrq_always_enabled=0"
# Ignore access time (atime) updates on files, except when they coincide with updates to the ctime or mtime.
"rootflags=noatime"
# Linux security modules.
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
# Prevent the kernel from blanking plymouth out of the fb.
"fbcon=nodefer"
];
boot.blacklistedKernelModules = [
# Obscure network protocols.
"af_802154" # IEEE 802.15.4
"appletalk" # Appletalk
"atm" # ATM
"ax25" # Amatuer X.25
"can" # Controller Area Network
"dccp" # Datagram Congestion Control Protocol
"decnet" # DECnet
"econet" # Econet
"ipx" # Internetwork Packet Exchange
"n-hdlc" # High-level Data Link Control
"netrom" # NetRom
"p8022" # IEEE 802.3
"p8023" # Novell raw IEEE 802.3
"psnap" # SubnetworkAccess Protocol
"rds" # Reliable Datagram Sockets
"rose" # ROSE
"sctp" # Stream Control Transmission Protocol
"tipc" # Transparent Inter-Process Communication
"x25" # X.25
# Old or rare or insufficiently audited filesystems.
"adfs" # Active Directory Federation Services
"affs" # Amiga Fast File System
"befs" # "Be File System"
"bfs" # BFS, used by SCO UnixWare OS for the /stand slice
"cifs" # Common Internet File System
"cramfs" # compressed ROM/RAM file system
"efs" # Extent File System
"erofs" # Enhanced Read-Only File System
"exofs" # EXtended Object File System
"f2fs" # Flash-Friendly File System
"freevxfs" # Veritas filesystem driver
"gfs2" # Global File System 2
"hfs" # Hierarchical File System (Macintosh)
"hfsplus" # Same as above, but with extended attributes.
"hpfs" # High Performance File System (used by OS/2)
"jffs2" # Journalling Flash File System (v2)
"jfs" # Journaled File System - only useful for VMWare sessions
"ksmbd" # SMB3 Kernel Server
"minix" # minix fs - used by the minix OS
"nfs" # Network File System
"nfsv3" # Network File System (v3)
"nfsv4" # Network File System (v4)
"nilfs2" # New Implementation of a Log-structured File System
"omfs" # Optimized MPEG Filesystem
"qnx4" # Extent-based file system used by the QNX4 OS.
"qnx6" # Extent-based file system used by the QNX6 OS.
"squashfs" # compressed read-only file system (used by live CDs)
"sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
"udf" # https://docs.kernel.org/5.15/filesystems/udf.html
"vivid" # Virtual Video Test Driver (unnecessary)
# Disable Thunderbolt and FireWire to prevent DMA attacks
"firewire-core"
"thunderbolt"
];
}
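Review bot: Two of the hardening entries likely do not do what their comments say. The sysctl key `"kernel.unprvileged_bpf_disabled"` is misspelled, so the restriction on unprivileged bpf() is never applied; it should be `"kernel.unprivileged_bpf_disabled" = 1;`. The boot parameter `"sysrq_always_enabled=0"` is, as far as I know, a presence flag whose handler ignores the value, so listing it forces SysRq on and overrides `"kernel.sysrq" = 0` above; dropping the parameter is the fix. Separately, the comment on `"adfs"` names Active Directory Federation Services, but that module is the Acorn Disc Filing System.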


@ -0,0 +1,9 @@
{ lib, ... }: let
inherit (lib) enabled;
in {
programs.seahorse = enabled;
security.pam.services.login.enableGnomeKeyring = true;
services.gnome.gnome-keyring = enabled;
}

76
modules/linux/kitty.nix Normal file

@ -0,0 +1,76 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
home-manager.sharedModules = [{
programs.kitty = with config.theme.withHashtag; enabled {
font = with font; {
inherit (mono) name package;
size = size.normal;
};
settings = {
allow_remote_control = true;
confirm_os_window_close = 0;
focus_follows_mouse = true;
mouse_hide_wait = 0;
window_padding_width = padding;
scrollback_lines = 100000;
scrollback_pager = "bat --chop-long-lines";
cursor = base05;
cursor_text_color = base00;
cursor_shape = "beam";
url_color = base0D;
strip_trailing_spaces = "always";
enable_audio_bell = false;
active_border_color = base0A;
inactive_border_color = base01;
window_border_width = "0pt";
background = base00;
foreground = base05;
selection_background = base02;
selection_foreground = base00;
tab_bar_edge = "top";
tab_bar_style = "powerline";
active_tab_background = base00;
active_tab_foreground = base05;
inactive_tab_background = base01;
inactive_tab_foreground = base05;
color0 = base00;
color1 = base08;
color2 = base0B;
color3 = base0A;
color4 = base0D;
color5 = base0E;
color6 = base0C;
color7 = base05;
color8 = base03;
color9 = base08;
color10 = base0B;
color11 = base0A;
color12 = base0D;
color13 = base0E;
color14 = base0C;
color15 = base07;
color16 = base09;
color17 = base0F;
color18 = base01;
color19 = base02;
color20 = base04;
color21 = base06;
};
};
}];
}
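Review bot: `allow_remote_control = true` accepts kitty's remote-control protocol from anything that can write to a kitty window, which covers programs running in the terminal and, through them, content they relay. If remote control is only needed for scripted use, `allow_remote_control = "socket-only";` together with a `listen_on` socket, or `"password"`, narrows it to callers that hold the socket or the password; if it is not needed at all, the default `no` is the safer value. A short comment saying why it is enabled would help the next reader either way.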


@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }: let
inherit (lib) const genAttrs merge mkIf;
in merge {
console.keyMap = pkgs.writeText "trq-swapped-i.map" ''
include "${pkgs.kbd}/share/keymaps/i386/qwerty/trq.map"
keycode 23 = i
altgr keycode 23 = +icircumflex
altgr shift keycode 23 = +Icircumflex
keycode 40 = +dotlessi +Idotabove
'';
i18n.defaultLocale = "C.UTF-8";
} <| mkIf config.isDesktop {
i18n.extraLocaleSettings = genAttrs [
"LC_ADDRESS"
"LC_IDENTIFICATION"
"LC_MEASUREMENT"
"LC_MONETARY"
"LC_NAME"
"LC_NUMERIC"
"LC_PAPER"
"LC_TELEPHONE"
"LC_TIME"
] <| const "tr_TR.UTF-8";
}

7
modules/linux/nano.nix Normal file

@ -0,0 +1,7 @@
{ lib, ... }: let
inherit (lib) disabled;
in {
environment.defaultPackages = [];
programs.nano = disabled; # Garbage.
}


@ -0,0 +1,12 @@
{ config, lib, ... }: let
inherit (lib) attrNames const enabled filterAttrs getAttr;
in {
networking.networkmanager = enabled;
users.extraGroups.networkmanager.members = config.users.users
|> filterAttrs (const <| getAttr "isNormalUser")
|> attrNames;
environment.shellAliases.wifi = "nmcli dev wifi show-password";
}

5
modules/linux/nix-ld.nix Normal file

@ -0,0 +1,5 @@
{ lib, ... }: let
inherit (lib) enabled;
in {
programs.nix-ld = enabled;
}


@ -0,0 +1,9 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isServer {
services.prometheus.exporters.node = enabled {
enabledCollectors = [ "processes" "systemd" ];
listenAddress = "[::]";
};
}


@ -0,0 +1,11 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
security.rtkit = enabled;
services.pipewire = enabled {
alsa = enabled { support32Bit = true; };
pulse = enabled;
};
}

10
modules/linux/qt.nix Normal file

@ -0,0 +1,10 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
home-manager.sharedModules = [{
qt = enabled {
platformTheme.name = "adwaita";
style.name = "adwaita";
};
}];
}


@ -0,0 +1,14 @@
{ config, lib, ... }: let
inherit (lib) enabled concatStringsSep map;
in {
services.resolved = enabled {
dnssec = "true";
dnsovertls = "true";
extraConfig = config.dnsServers
|> map (server: "DNS=${server}")
|> concatStringsSep "\n";
fallbackDns = config.fallbackDnsServers;
};
}


@ -0,0 +1,20 @@
{ config, lib, ... }: let
inherit (lib) genAttrs merge mkConst mkIf remove;
in merge <| mkIf config.isServer {
options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
config.secrets.resticPassword.file = ./password.age;
config.services.restic.backups = genAttrs config.resticHosts (host: {
repository = "sftp:backup@${host}:${config.networking.hostName}-backup";
passwordFile = config.secrets.resticPassword.path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 12"
];
});
}


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 06oZk46oR6ELo5J27k6yawjranT3zRItKK+rl0P9bgk
Zl9FaZ0zz7X+NNa8YZ7mF+I3NM6uIQ4OyOxHCC7tG0s
-> ssh-ed25519 spFFQA lNlbKPxx4NolZih3OdSW+Om6LfLzQGPcOateTm7PmjE
faPPdpWeJytmEGMCfNiup4hE/wjwAp9hdFBRR9PJ7JE
-> ssh-ed25519 dASlBQ 0hpF2NYQrE8k0yQWjecxaEmxPswUfqjr/isjwcuRbio
zy5tvK0/6WaxzOOzmhRdMIdWeMyE0YYvRI+UAx4sW1c
-> ssh-ed25519 CzqbPQ VuaclNfcFIo7wIFauMBcy4amv4QDMUwmWevaCaMICxg
JpO3lbn95Hfhqi7x2SRUSzVHQ7tS/Ay9Gn+mFhQpKbE
--- iuP1ypvDk453T8/jiyTnWRnVpKZ89yLdWbrMJubNwq8
nßÞâæ ìQš)pÕº1 Cbn)Tœ™<C593>íÿa±öO^VLš­ßç}„4@QÓ

18
modules/linux/sshd.nix Normal file

@ -0,0 +1,18 @@
{ lib, ...}: let
inherit (lib) enabled;
port = 2222;
in {
programs.mosh = enabled {
openFirewall = true;
};
services.openssh = enabled {
ports = [ port ];
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
AcceptEnv = "SHELLS COLORTERM";
};
};
}
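Review bot: `settings` disables password and keyboard-interactive logins but leaves `PermitRootLogin` at the module default, which in NixOS is, as far as I recall, `prohibit-password`, so root may still log in with a key. Whether root has any authorized keys is not visible in this file. If direct root login is not required, adding `PermitRootLogin = "no";` next to `PasswordAuthentication = false;` makes that explicit rather than dependent on key provisioning elsewhere.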

8
modules/linux/steam.nix Normal file

@ -0,0 +1,8 @@
{ pkgs, ... }: {
# Steam uses 32-bit drivers for some unholy fucking reason.
hardware.graphics.enable32Bit = true;
environment.systemPackages = [
pkgs.steam
];
}

66
modules/linux/sudo.nix Normal file

@ -0,0 +1,66 @@
{ config, lib, ... }: let
inherit (lib) enabled merge mkIf optionalString;
in merge {
security.sudo = enabled {
execWheelOnly = true;
extraConfig = ''
Defaults lecture = never
Defaults pwfeedback
Defaults env_keep += "DISPLAY EDITOR PATH"
${optionalString config.isServer ''
Defaults timestamp_timeout = 0
''}
'';
extraRules = [{
groups = [ "wheel" ];
commands = let
system = "/run/current-system";
store = "/nix/store";
in [
{
command = "${store}/*/bin/switch-to-configuration";
options = [ "SETENV" "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix system activate";
options = [ "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix system apply";
options = [ "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix system boot";
options = [ "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix system build";
options = [ "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix-collect-garbage";
options = [ "SETENV" "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix-env";
options = [ "SETENV" "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nix-store";
options = [ "SETENV" "NOPASSWD" ];
}
{
command = "${system}/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
{
command = "${system}/sw/bin/systemctl";
options = [ "NOPASSWD" ];
}
];
}];
};
} <| mkIf config.isDesktop {
security.sudo.wheelNeedsPassword = false;
}
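Review bot: The `NOPASSWD` rules for `wheel` amount to passwordless root on every host, including servers, where `timestamp_timeout = 0` suggests a password was meant to be required each time. `nixos-rebuild`, `nix-env`, `nix-store` and `systemctl` can all run arbitrary code as root by design, `${store}/*/bin/switch-to-configuration` matches any store path that carries a file of that name, and `SETENV` together with `env_keep += "DISPLAY EDITOR PATH"` lets the caller shape the environment those commands run in. If the convenience is intended for desktops only, the `extraRules` list could move into the `mkIf config.isDesktop` half, which already sets `wheelNeedsPassword = false`. Otherwise a comment stating that wheel membership equals root without a password would make the trade-off explicit.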

21
modules/linux/systemd.nix Normal file

@ -0,0 +1,21 @@
{
environment.shellAliases = {
sc = "systemctl";
scd = "systemctl stop";
scr = "systemctl restart";
scs = "systemctl status";
scu = "systemctl start";
suc = "systemctl --user";
sucd = "systemctl --user stop";
sucr = "systemctl --user restart";
sucs = "systemctl --user status";
sucu = "systemctl --user start";
jc = "journalctl";
jcf = "journalctl --follow --unit";
jcr = "journalctl --reverse --unit";
juc = "journalctl --user";
jucf = "journalctl --user --follow --unit";
jucr = "journalctl --user --reverse --unit";
};
}


@ -0,0 +1,17 @@
{ lib, ... }: let
inherit (lib) enabled;
# Shorter is better for networking interfaces IMO.
interface = "ts0";
in {
# This doesn't work with dig but works with curl, Firefox
# and all other tools. Skill issue.
services.resolved.domains = [ "warthog-major.ts.net" ];
services.tailscale = enabled {
interfaceName = interface;
useRoutingFeatures = "both";
};
networking.firewall.trustedInterfaces = [ interface ];
}
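Review bot: `networking.firewall.trustedInterfaces = [ interface ]` exempts everything arriving on `ts0` from the host firewall, so every listening service, including the exporters bound to `[::]` elsewhere in this commit, is reachable from any tailnet peer. Access control then rests entirely on the tailnet ACLs, which are not visible in this repository view. A comment such as `# all ports are open to the tailnet; restrict with Tailscale ACLs` would document that, or the trusted interface could be replaced by explicit `networking.firewall.interfaces.${interface}.allowedTCPPorts` entries for the ports that are meant to be reachable.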

18
modules/linux/thunar.nix Normal file

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }: let
inherit (lib) enabled merge mkIf;
in merge <| mkIf config.isDesktop {
programs.thunar = enabled {
plugins = [
pkgs.xfce.thunar-archive-plugin
pkgs.xfce.thunar-media-tags-plugin
pkgs.xfce.thunar-volman
];
};
environment.systemPackages = [
pkgs.ark
pkgs.ffmpegthumbnailer
pkgs.libgsf
pkgs.xfce.tumbler
];
}

3
modules/linux/tmp.nix Normal file

@ -0,0 +1,3 @@
{
boot.tmp.cleanOnBoot = true;
}

3
modules/linux/users.nix Normal file

@ -0,0 +1,3 @@
{
users.mutableUsers = false;
}