initial commit

2025-05-04 02:47:36 +02:00
commit d5e06f3f49
91 changed files with 9063 additions and 0 deletions

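--- a/modules/amdgpu.nix
+++ b/modules/amdgpu.nix
@@ -0,0 +1,17 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.amdgpu;
+in {
+options.modules.amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
+config = mkIf cfg.enable {
+systemd.tmpfiles.rules = [
+"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
+];
+hardware.graphics.extraPackages = with pkgs; [rocmPackages.clr.icd];
+};
+}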
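Review bot: `options.modules.amdgpu.enable` here is the first of three independent AMD GPU switches in this commit — boot.nix declares `modules.boot.amdgpu.enable` and xserver.nix declares `modules.xserver.amdgpu.enable` for the same purpose — and system.nix wires only the first two from `system.amdgpu`, so unless it is set elsewhere `videoDrivers` in xserver.nix stays unset even when the GPU is enabled. Having boot.nix and xserver.nix read this option directly, e.g. `initrd.kernelModules = lists.optional config.modules.amdgpu.enable "amdgpu";`, and dropping the duplicate declarations keeps the three files from drifting apart.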

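--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -0,0 +1,88 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.modules.boot;
+in {
+options.modules.boot = {
+amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
+kernel = {
+package = mkOption {
+type = types.raw;
+default = pkgs.linuxPackages_zen;
+};
+modules = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+cpuVendor = mkOption {
+description = "Intel or AMD?";
+type = types.enum ["intel" "amd"];
+default = "amd";
+};
+v4l2loopback = mkOption {
+description = "Enables v4l2loopback";
+type = types.bool;
+default = true;
+};
+hardened = mkEnableOption "Enables hardened Linux kernel";
+};
+zfs = {
+enable = mkEnableOption "Enables ZFS";
+pools = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+};
+};
+config.boot = {
+initrd.kernelModules = lists.optional cfg.amdgpu.enable "amdgpu";
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
+zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;
+kernelPackages =
+if cfg.kernel.hardened
+then pkgs.linuxPackages_hardened
+else cfg.kernel.package;
+kernelModules =
+cfg.kernel.modules
+++ ["kvm-${cfg.kernel.cpuVendor}"]
+++ lists.optional cfg.kernel.v4l2loopback "v4l2loopback"
+++ lists.optional cfg.kernel.hardened "tcp_bbr";
+kernel.sysctl = mkIf cfg.kernel.hardened {
+"kernel.sysrq" = 0; # Disable magic SysRq key
+# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+# Ignore bad ICMP errors
+"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+# SYN flood protection
+"net.ipv4.tcp_syncookies" = 1;
+# Do not accept ICMP redirects (prevent MITM attacks)
+"net.ipv4.conf.all.accept_redirects" = 0;
+"net.ipv4.conf.default_accept_redirects" = 0;
+"net.ipv4.conf.all.secure_redirects" = 0;
+"net.ipv4.conf.default.secure_redirects" = 0;
+"net.ipv6.conf.all.accept_redirects" = 0;
+"net.ipv6.conf.default.accept_redirects" = 0;
+# Do not send ICMP redirects (we are not a router)
+"net.ipv4.conf.all.send_redirects" = 0;
+# Do not accept IP source route packets (we are not a router)
+"net.ipv4.conf.all.accept_source_route" = 0;
+"net.ipv6.conf.all.accept_source_route" = 0;
+# Protect against tcp time-wait assassination hazards
+"net.ipv4.tcp_rfc1337" = 1;
+# Latency reduction
+"net.ipv4.tcp_fastopen" = 3;
+# Bufferfloat mitigations
+"net.ipv4.tcp_congestion_control" = "bbr";
+"net.core.default_qdisc" = "cake";
+};
+};
+}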
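Review bot: The key `net.ipv4.conf.default_accept_redirects` in the hardened sysctl set is misspelled — the kernel knob is `net.ipv4.conf.default.accept_redirects` — so that entry is never applied, sysctl will most likely log an unknown-key error at activation, and interfaces created after boot keep the kernel's default of accepting redirects. Fix: `"net.ipv4.conf.default.accept_redirects" = 0;`. For the same reason the `send_redirects` line only covers `all`; adding `"net.ipv4.conf.default.send_redirects" = 0;` closes the matching gap. The `tcp_fastopen`, `bbr` and `cake` entries are performance tuning rather than hardening and would be clearer outside the `mkIf cfg.kernel.hardened` block, where they currently disappear whenever the hardened kernel is off.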

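--- a/modules/dev/docker.nix
+++ b/modules/dev/docker.nix
@@ -0,0 +1,32 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.docker;
+in {
+options.modules.docker = {
+enable = mkEnableOption "Enable Docker";
+podman.enable = mkEnableOption "Enable Podman rather than Docker";
+nvidia.enable = mkEnableOption "Activate Nvidia support";
+autoprune.enable = mkEnableOption "Enable autoprune";
+};
+config = {
+virtualisation = {
+docker = mkIf (cfg.enable && !cfg.podman.enable) {
+enable = true;
+enableNvidia = cfg.nvidia.enable;
+autoPrune.enable = cfg.autoprune.enable;
+};
+podman = mkIf cfg.podman.enable {
+enable = true;
+dockerCompat = cfg.enable;
+enableNvidia = cfg.nvidia.enable;
+dockerSocket.enable = cfg.enable;
+autoPrune.enable = cfg.autoprune.enable;
+};
+};
+};
+}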
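Review bot: `podman.enable` is described as "Enable Podman rather than Docker", but the `mkIf cfg.podman.enable` block activates Podman on its own while `dockerCompat` and `dockerSocket.enable` are taken from `cfg.enable`, so setting only `podman.enable = true` yields Podman without the Docker socket and CLI shim, and both options must be set to get what the description promises. Either say so in the description, e.g. `podman.enable = mkEnableOption "Use Podman instead of Docker (Docker compatibility is provided only when enable is also set)";`, or make the compatibility attributes unconditional. `virtualisation.docker.enableNvidia` has been deprecated in recent nixpkgs in favour of `hardware.nvidia-container-toolkit.enable`; worth checking against the pinned nixpkgs before this setting stops having an effect.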

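--- a/modules/endlessh.nix
+++ b/modules/endlessh.nix
@@ -0,0 +1,21 @@
+{
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.modules.endlessh;
+in {
+options.modules.endlessh = {
+enable = mkEnableOption "Enables endlessh.";
+port = mkOption {
+type = types.port;
+default = 2222;
+example = 22;
+};
+};
+config.services.endlessh-go = mkIf cfg.enable {
+inherit (cfg) enable port;
+openFirewall = true;
+};
+}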
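Review bot: `openFirewall = true` is hard-coded and `example = 22` invites putting the tarpit on the real SSH port, yet nothing stops `cfg.port` from colliding with `services.openssh.ports` when the ssh module is enabled on the same host, in which case sshd or endlessh fails to bind at boot rather than at evaluation. An assertion in the config block turns that into an evaluation error, and exposing `openFirewall` as an option lets hosts behind a separate filter keep the port closed:
```nix
config = mkIf cfg.enable {
  assertions = [
    {
      assertion = !config.services.openssh.enable || !(builtins.elem cfg.port config.services.openssh.ports);
      message = "modules.endlessh.port must not be one of services.openssh.ports";
    }
  ];
  services.endlessh-go = {
    inherit (cfg) enable port;
    openFirewall = true;
  };
};
```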


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPhP4p9KGk6jSOxJzBu+RzJPHI6baT0o+xrgPeNRwfq lucien@phundrak.com


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw9oiK8tZ5Vpz82RaRLpITU8qeJrT2hjvudGEDQu2QW lucien@phundrak.com

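--- a/modules/keys/id_opn4.pub
+++ b/modules/keys/id_opn4.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVzXgt8Md+PgOMM3qcBIR/a8uf5s6dnxGbFlG9yD+Gx lucien@phundrak.com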

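--- a/modules/keys/id_tilo.pub
+++ b/modules/keys/id_tilo.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7GXp4OfK2j1+7TMjVBL29Ol/6nsEMbfE2wRGkjk3Ya lucien@phundrak.com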

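--- a/modules/locale.nix
+++ b/modules/locale.nix
@@ -0,0 +1,16 @@
+{
+i18n = {
+defaultLocale = "en_DK.UTF-8";
+extraLocaleSettings = {
+LC_ADDRESS = "fr_FR.UTF-8";
+LC_IDENTIFICATION = "fr_FR.UTF-8";
+LC_MEASUREMENT = "fr_FR.UTF-8";
+LC_MONETARY = "fr_FR.UTF-8";
+LC_NAME = "fr_FR.UTF-8";
+LC_NUMERIC = "fr_FR.UTF-8";
+LC_PAPER = "fr_FR.UTF-8";
+LC_TELEPHONE = "fr_FR.UTF-8";
+LC_TIME = "fr_FR.UTF-8";
+};
+};
+}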

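--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -0,0 +1,65 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.networking;
+in {
+options.modules.networking = {
+hostname = mkOption {
+type = types.str;
+example = "gampo";
+};
+id = mkOption {
+type = types.str;
+example = "deadb33f";
+};
+hostFiles = mkOption {
+type = types.listOf types.path;
+example = [/path/to/hostFile];
+default = [];
+};
+firewall = {
+openPorts = mkOption {
+type = types.listOf types.int;
+example = [22 80 443];
+default = [];
+};
+openPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.port);
+default = [];
+example = [
+{
+from = 8080;
+to = 8082;
+}
+];
+description = ''
+A range of TCP and UDP ports on which incoming connections are
+accepted.
+'';
+};
+extraCommands = mkOption {
+type = types.nullOr types.lines;
+example = "iptables -A INPUTS -p icmp -j ACCEPT";
+default = null;
+};
+};
+};
+config.networking = {
+hostName = cfg.hostname; # Define your hostname.
+hostId = cfg.id;
+networkmanager.enable = true;
+inherit (cfg) hostFiles;
+firewall = {
+enable = true;
+allowedTCPPorts = cfg.firewall.openPorts;
+allowedUDPPorts = cfg.firewall.openPorts;
+allowedTCPPortRanges = cfg.firewall.openPortRanges;
+allowedUDPPortRanges = cfg.firewall.openPortRanges;
+extraCommands = (mkIf (cfg.firewall.extraCommands != null)) cfg.firewall.extraCommands;
+};
+};
+}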
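Review bot: `openPorts` is typed `types.listOf types.int` while `openPortRanges` already uses `types.port`, so a negative or out-of-range value passes evaluation and only fails when the firewall rules are generated; `type = types.listOf types.port;` catches it up front. The same list feeds both `allowedTCPPorts` and `allowedUDPPorts` (and the ranges likewise), which opens every listed port on a protocol the service may not even speak — separate `openTCPPorts`/`openUDPPorts` options, or at minimum a `description` stating that both protocols are opened, would make the exposure explicit. `hostId` is a plain `types.str` although NixOS requires exactly eight hex digits; `types.strMatching "[0-9a-f]{8}"` rejects the typo at evaluation time.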

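--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -0,0 +1,38 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.nix;
+in {
+options.modules.nix = {
+disableSandbox = mkEnableOption "Disables Nix sandbox";
+gc = {
+automatic = mkOption {
+type = types.bool;
+default = true;
+};
+dates = mkOption {
+type = types.str;
+default = "Monday 01:00 UTC";
+};
+options = mkOption {
+type = types.str;
+default = "--delete-older-than 30d";
+};
+};
+};
+config = {
+nix = {
+settings = {
+sandbox = cfg.disableSandbox;
+experimental-features = ["nix-command" "flakes"];
+auto-optimise-store = true;
+};
+inherit (cfg) gc;
+};
+nixpkgs.config.allowUnfree = true;
+};
+}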
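Review bot: `sandbox = cfg.disableSandbox;` inverts the option: with the default `disableSandbox = false` the build sandbox is switched off on every host that imports this module, and setting the option to `true` turns the sandbox back on. The sandbox is what keeps builds from reading the host filesystem and network, so this default silently weakens every machine using the module. Fix: `sandbox = !cfg.disableSandbox;`, and a short description on the option noting that the NixOS default is sandboxed would make the intent obvious to the next reader.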

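--- a/modules/opentablet.nix
+++ b/modules/opentablet.nix
@@ -0,0 +1,6 @@
+{
+hardware.opentabletdriver = {
+enable = true;
+daemon.enable = true;
+};
+}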

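--- a/modules/plymouth.nix
+++ b/modules/plymouth.nix
@@ -0,0 +1,33 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.boot.plymouth;
+in {
+options.modules.boot.plymouth.enable = mkEnableOption "Enables Plymouth at system boot";
+config.boot = mkIf cfg.enable {
+plymouth = {
+inherit (cfg) enable;
+theme = "circle_hud";
+themePackages = with pkgs; [
+(adi1090x-plymouth-themes.override {
+selected_themes = ["circle_hud"];
+})
+];
+};
+consoleLogLevel = 3;
+initrd.verbose = false;
+kernelParams = [
+"quiet"
+"splash"
+"boot.shell_on_fail"
+"udev.log_priority=3"
+"rd.systemd.show_status=auto"
+];
+# Loader appears only if a key is pressed
+loader.timeout = 0;
+};
+}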
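Review bot: `"boot.shell_on_fail"` in `kernelParams` drops to an unauthenticated root shell inside the initrd whenever stage 1 fails; that is a deliberate recovery aid, but it sits in a module that is otherwise cosmetic and is enabled only as a side effect of turning Plymouth on, so it deserves a comment on the line: `"boot.shell_on_fail" # unauthenticated root shell in stage 1 on failure; only for hosts whose console is trusted`. Tying a recovery-shell policy to the splash-screen toggle is also surprising; a separate option (or moving the parameter to boot.nix) would keep the two decisions independent.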

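--- a/modules/sops.nix
+++ b/modules/sops.nix
@@ -0,0 +1,17 @@
+{
+sops = {
+defaultSopsFile = ../secrets/secrets.yaml;
+defaultSopsFormat = "yaml";
+age = {
+# automatically import user SSH keys as age keys
+sshKeyPaths = [
+"/home/phundrak/.ssh/id_ed25519"
+"/etc/ssh/ssh_host_ed25519_key"
+];
+# this will use an age key that is expected to already be in the filesystem
+keyFile = "/var/lib/sops-nix/key.txt";
+# generate a new key if the key specified above does not exist
+generateKey = true;
+};
+};
+}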
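Review bot: `sshKeyPaths` lists `/home/phundrak/.ssh/id_ed25519`, a user's personal SSH key, next to the host key; sops-nix reads these as root during activation, so the host's secrets become decryptable by whoever holds that user's key, and the hard-coded home path breaks on any host where users.nix does not create that user. Keeping only `/etc/ssh/ssh_host_ed25519_key` (plus the generated `keyFile`) in `sshKeyPaths` and adding the user's age recipient to the sops file's encryption recipients keeps the user key on the encryption side only; if the current setup is intentional, the existing "automatically import user SSH keys" comment should state the trade-off. `defaultSopsFile = ../secrets/secrets.yaml` is referenced relative to this module; I cannot see from this page whether that file is part of the commit.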

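--- a/modules/sound.nix
+++ b/modules/sound.nix
@@ -0,0 +1,40 @@
+{
+lib,
+config,
+pkgs,
+...
+}:
+with lib; let
+cfg = config.modules.sound;
+in {
+options.modules.sound = {
+enable = mkEnableOption "Whether to enable sounds with Pipewire";
+alsa = mkOption {
+type = types.bool;
+example = true;
+default = true;
+description = "Whether to enable ALSA support with Pipewire";
+};
+jack = mkOption {
+type = types.bool;
+example = true;
+default = false;
+description = "Whether to enable JACK support with Pipewire";
+};
+package = mkOption {
+type = types.package;
+example = pkgs.pulseaudio;
+default = pkgs.pulseaudioFull;
+description = "Which base package to use for PulseAudio";
+};
+};
+config.services.pipewire = mkIf cfg.enable {
+enable = true;
+alsa = mkIf cfg.alsa {
+enable = mkDefault true;
+support32Bit = mkDefault true;
+};
+jack.enable = mkDefault cfg.jack;
+};
+}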
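Review bot: The `package` option (default `pkgs.pulseaudioFull`, "Which base package to use for PulseAudio") is declared but never read in `config.services.pipewire`, so setting it has no effect and the default pulls a package reference into every evaluation for nothing; either use it where it was intended or drop the option. Relatedly, the module never sets `services.pipewire.pulse.enable`, so PulseAudio clients are not served by Pipewire despite the option's wording; if that is deliberate, a line such as `pulse.enable = mkDefault true;` or a note in the `enable` description would remove the ambiguity.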

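--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -0,0 +1,30 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.modules.ssh;
+in {
+options.modules.ssh = {
+enable = mkEnableOption "Enables OpenSSH";
+allowedUsers = mkOption {
+type = types.listOf types.str;
+example = ["alice" "bob"];
+default = ["phundrak"];
+};
+passwordAuthentication = mkOption {
+type = types.bool;
+example = true;
+default = false;
+};
+};
+config.services.openssh = mkIf cfg.enable {
+enable = true;
+settings = {
+AllowUsers = cfg.allowedUsers;
+PermitRootLogin = "no";
+PasswordAuthentication = cfg.passwordAuthentication;
+};
+};
+}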
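Review bot: `PasswordAuthentication = cfg.passwordAuthentication;` on its own does not turn off password logins, because NixOS leaves `KbdInteractiveAuthentication` enabled by default and sshd's keyboard-interactive method still prompts for the account password through PAM. Drive both settings from the same option: `KbdInteractiveAuthentication = cfg.passwordAuthentication;`. `allowedUsers` defaults to `["phundrak"]`, which couples this module to the user declared in users.nix; a `description` on the option saying so would help the next host that does not create that user.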

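--- a/modules/sunshine.nix
+++ b/modules/sunshine.nix
@@ -0,0 +1,22 @@
+{
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.modules.sunshine;
+in {
+options.modules.sunshine = {
+enable = mkEnableOption "Enables moonlight";
+autostart = mkEnableOption "Enables autostart";
+};
+config.services.sunshine = mkIf cfg.enable {
+enable = true;
+autoStart = cfg.autostart;
+capSysAdmin = true;
+openFirewall = true;
+settings = {
+sunshine_name = "marpa";
+};
+};
+}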
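Review bot: `sunshine_name = "marpa"` hard-codes one machine's name into a reusable module, so every host that enables it advertises the same stream name; take it from the networking module when it is in the same module set, `sunshine_name = config.modules.networking.hostname;`, or add an option with that default. `capSysAdmin = true` and `openFirewall = true` are likewise unconditional — granting CAP_SYS_ADMIN to the sunshine binary is a large privilege grant and should carry a comment explaining why it is needed (KMS capture) and an option to turn it off on hosts that capture another way. The `enable` description says "Enables moonlight", which is the client; "Enables Sunshine" names the service actually configured.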

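--- a/modules/system.nix
+++ b/modules/system.nix
@@ -0,0 +1,171 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system;
+in {
+imports = [
+./amdgpu.nix
+./boot.nix
+./locale.nix
+./networking.nix
+./nix.nix
+./plymouth.nix
+./sound.nix
+./users.nix
+./dev/docker.nix
+];
+options.system = {
+amdgpu.enable = mkEnableOption "Enables AMD GPU support";
+boot = {
+kernel = {
+package = mkOption {
+type = types.raw;
+default = pkgs.linuxPackages_zen;
+};
+modules = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+cpuVendor = mkOption {
+description = "Intel or AMD?";
+type = types.enum ["intel" "amd"];
+default = "amd";
+};
+v4l2loopback = mkOption {
+description = "Enables v4l2loopback";
+type = types.bool;
+default = true;
+};
+hardened = mkEnableOption "Enables hardened Linux kernel";
+};
+plymouth.enable = mkEnableOption "Enables Plymouth";
+zfs = {
+enable = mkEnableOption "Enables ZFS";
+pools = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+};
+};
+docker = {
+enable = mkEnableOption "Enable Docker";
+podman.enable = mkEnableOption "Enable Podman rather than Docker";
+nvidia.enable = mkEnableOption "Activate Nvidia support";
+autoprune.enable = mkEnableOption "Enable autoprune";
+};
+networking = {
+hostname = mkOption {
+type = types.str;
+example = "gampo";
+};
+id = mkOption {
+type = types.str;
+example = "deadb33f";
+};
+hostFiles = mkOption {
+type = types.listOf types.path;
+example = [/path/to/hostFile];
+default = [];
+};
+firewall = {
+openPorts = mkOption {
+type = types.listOf types.int;
+example = [22 80 443];
+default = [];
+};
+openPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.port);
+default = [];
+example = [
+{
+from = 8080;
+to = 8082;
+}
+];
+description = ''
+A range of TCP and UDP ports on which incoming connections are
+accepted.
+'';
+};
+extraCommands = mkOption {
+type = types.nullOr types.lines;
+example = "iptables -A INPUTS -p icmp -j ACCEPT";
+default = null;
+};
+};
+};
+nix = {
+disableSandbox = mkOption {
+type = types.bool;
+default = false;
+};
+gc = {
+automatic = mkOption {
+type = types.bool;
+default = true;
+};
+dates = mkOption {
+type = types.str;
+default = "Monday 01:00 UTC";
+};
+options = mkOption {
+type = types.str;
+default = "--delete-older-than 30d";
+};
+};
+};
+sound = {
+enable = mkEnableOption "Whether to enable sounds with Pipewire";
+alsa = mkOption {
+type = types.bool;
+example = true;
+default = true;
+description = "Whether to enable ALSA support with Pipewire";
+};
+jack = mkOption {
+type = types.bool;
+example = true;
+default = false;
+description = "Whether to enable JACK support with Pipewire";
+};
+package = mkOption {
+type = types.package;
+example = pkgs.pulseaudio;
+default = pkgs.pulseaudioFull;
+description = "Which base package to use for PulseAudio";
+};
+};
+users = {
+root.disablePassword = mkEnableOption "Disables root password";
+phundrak = mkOption {
+type = types.bool;
+default = true;
+};
+};
+timezone = mkOption {
+type = types.str;
+default = "Europe/Paris";
+};
+console.keyMap = mkOption {
+type = types.str;
+default = "fr";
+};
+};
+config = {
+time.timeZone = cfg.timezone;
+console.keyMap = cfg.console.keyMap;
+modules = {
+boot = {
+inherit (cfg) amdgpu;
+inherit (cfg.boot) kernel plymouth zfs;
+};
+inherit (cfg) sound users networking docker amdgpu;
+};
+};
+}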
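Review bot: `options.system.nix` declares `disableSandbox` and `gc`, but the `config.modules` block wires only `boot`, `sound`, `users`, `networking`, `docker` and `amdgpu`, so anything set under `system.nix` is accepted at evaluation and silently ignored while nix.nix keeps its own defaults; add it to the inherit: `inherit (cfg) sound users networking docker amdgpu nix;`. The `imports` list also leaves out ssh.nix, endlessh.nix, sunshine.nix, sops.nix, xserver.nix and opentablet.nix, so unless they are imported elsewhere their `modules.*` options do not exist in this module set. Separately, re-declaring every option under the NixOS `system` namespace means each default now lives in two files and can drift (here `nix.disableSandbox` is an `mkOption` with `default = false`, in nix.nix an `mkEnableOption`); `lib.mkAliasOptionModule` or simply exposing the `modules.*` options directly would remove the duplication and keep `system.*` for NixOS's own options.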

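--- a/modules/users.nix
+++ b/modules/users.nix
@@ -0,0 +1,39 @@
+{
+lib,
+config,
+pkgs,
+...
+}:
+with lib; let
+cfg = config.modules.users;
+in {
+options.modules.users = {
+root.disablePassword = mkEnableOption "Disables root password";
+phundrak = mkOption {
+type = types.bool;
+default = true;
+};
+};
+config = {
+users.users = {
+root = {
+hashedPassword = mkIf cfg.root.disablePassword "*";
+shell = pkgs.zsh;
+};
+phundrak = {
+isNormalUser = true;
+description = "Lucien Cartier-Tilet";
+extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
+shell = pkgs.zsh;
+openssh.authorizedKeys.keyFiles = [
+./keys/id_gampo.pub
+./keys/id_marpa.pub
+./keys/id_tilo.pub
+./keys/id_opn4.pub
+];
+};
+};
+programs.zsh.enable = true;
+};
+}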
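Review bot: The `phundrak` option (bool, default `true`) is declared but `users.users.phundrak` is defined unconditionally, so `modules.users.phundrak = false` still creates the account with its authorized keys and `wheel` membership; wrap the definition: `phundrak = mkIf cfg.phundrak { ... };`. `extraGroups` includes `docker` and `podman`, and membership in `docker` is equivalent to root because the daemon socket permits arbitrary bind mounts — redundant next to `wheel` here, but a comment on that line would stop the list being copied to a non-admin account later. The `root.disablePassword` option only locks root when set; a description stating that the default leaves root's password unmanaged would make the choice visible.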

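--- a/modules/xserver.nix
+++ b/modules/xserver.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.modules.xserver;
+in {
+options.modules.xserver = {
+amdgpu.enable = mkEnableOption "Enables AMD GPU support";
+de = mkOption {
+type = types.enum ["gnome" "kde"];
+default = "gnome";
+example = "kde";
+description = "Which DE to enable";
+};
+};
+config.services = {
+displayManager.sddm.enable = mkIf (cfg.de == "kde") true;
+desktopManager.plasma6.enable = mkIf (cfg.de == "kde") true;
+gnome = mkIf (cfg.de == "gnome") {
+gnome-browser-connector.enable = true;
+games.enable = false;
+gnome-remote-desktop.enable = true;
+gnome-online-accounts.enable = true;
+sushi.enable = true;
+};
+xserver = {
+enable = true;
+displayManager.gdm.enable = mkIf (cfg.de == "gnome") true;
+desktopManager.gnome.enable = mkIf (cfg.de == "gnome") true;
+videoDrivers = lists.optional cfg.amdgpu.enable "amdgpu";
+xkb = {
+layout = "fr";
+variant = "bepo_afnor";
+};
+};
+};
+}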
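Review bot: `gnome-remote-desktop.enable = true` is set unconditionally whenever `de == "gnome"`, which installs and enables a remote-access service on every GNOME host built from this module even where nobody intends to use it; gate it behind its own switch, e.g. `gnome-remote-desktop.enable = cfg.remoteDesktop.enable;` with a matching `remoteDesktop.enable = mkEnableOption "Enables GNOME Remote Desktop";`. `xkb.layout`/`variant` are hard-coded to `fr`/`bepo_afnor` in a module that otherwise parameterises the desktop; an option with those as defaults would be consistent with `de`. Note that recent nixpkgs has been moving `services.xserver.displayManager.gdm` and `services.xserver.desktopManager.gnome` to `services.displayManager.gdm` / `services.desktopManager.gnome`, so these paths may warn or stop working depending on the pinned channel.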