From 364e8a98ad25127f2a51696ec03729e3a783044f Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sat, 25 May 2024 22:16:47 +0300 Subject: 2024-05-25 --- modules/common/documentation.nix | 2 +- modules/common/home-manager.nix | 1 + modules/common/networking.nix | 16 +-- modules/common/nix.nix | 230 ++++++++++++++++++++------------------- modules/common/security.nix | 12 +- modules/common/stylix.nix | 2 + modules/common/systemd.nix | 3 +- modules/common/xdg.nix | 5 +- modules/default.nix | 10 +- modules/firefox/userContent.css | 7 ++ modules/nginx.nix | 18 ++- modules/openssh.nix | 1 - modules/postgresql.nix | 2 +- modules/profiles/default.nix | 11 +- modules/profiles/dev/default.nix | 3 + modules/profiles/headful.nix | 2 + modules/profiles/headless.nix | 14 +-- modules/qutebrowser.nix | 5 +- modules/shadowsocks.nix | 3 +- modules/soju.nix | 4 +- modules/sound.nix | 27 +++-- 21 files changed, 202 insertions(+), 176 deletions(-) (limited to 'modules') diff --git a/modules/common/documentation.nix b/modules/common/documentation.nix index 20856cb..33e767c 100644 --- a/modules/common/documentation.nix +++ b/modules/common/documentation.nix @@ -32,7 +32,7 @@ with lib; (_: _: { __contentAddressed = true; }); }; - environment.sessionVariables = { + environment.variables = { MANOPT = "--no-hyphenation"; MANPAGER = "${getExe pkgs.less} -+F"; }; diff --git a/modules/common/home-manager.nix b/modules/common/home-manager.nix index 9c4cbeb..f2fc8a8 100644 --- a/modules/common/home-manager.nix +++ b/modules/common/home-manager.nix @@ -19,6 +19,7 @@ with lib; news.display = "silent"; home = { inherit (config.system) stateVersion; + enableNixpkgsReleaseCheck = false; }; }; diff --git a/modules/common/networking.nix b/modules/common/networking.nix index 727def4..e891e58 100644 --- a/modules/common/networking.nix +++ b/modules/common/networking.nix 
@@ -18,7 +18,6 @@ in optional networkmanager.enable "/etc/NetworkManager/system-connections" ++ optional wireless.iwd.enable "/var/lib/iwd"; - # TODO Switch to systemd-networkd. networking = mkMerge [ { domain = my.domain.shire; @@ -29,12 +28,11 @@ in # Remove default hostname mappings. This is required at least by the # current implementation of the monitoring module. hosts = { - "127.0.0.2" = mkForce [ ]; + "127.0.0.1" = mkForce [ ]; "::1" = mkForce [ ]; }; nameservers = mkDefault dns.const.quad9.default; - resolvconf.enable = true; useDHCP = false; @@ -84,13 +82,17 @@ in } ) (mkIf this.isHeadful { - interfaces = { - eth0.useDHCP = mkDefault true; - wlan0.useDHCP = mkDefault true; - }; + interfaces.eth0.useDHCP = mkDefault true; networkmanager = { enable = mkDefault true; + unmanaged = [ + "bridge" + "ethernet" + "loopback" + "wireguard" + ]; + plugins = mkForce [ ]; wifi.backend = "iwd"; }; diff --git a/modules/common/nix.nix b/modules/common/nix.nix index c03c1b1..6c5bd18 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -3,7 +3,6 @@ inputs, lib, pkgs, - pkgsPr, this, ... }: 
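Review bot: The `hosts` block in the `@@ -29,12` hunk now force-clears `127.0.0.1` instead of `127.0.0.2`, yet the comment above it still says the block removes the default hostname mappings; as far as I recall NixOS maps `hostname.domain hostname` on `127.0.0.2` and emits the `localhost` lines for `127.0.0.1`/`::1` outside `networking.hosts`, so the new entry would clear nothing while the hostname mapping the monitoring module dislikes comes back. If `127.0.0.1` is really intended, the comment should say why; otherwise restore `"127.0.0.2" = mkForce [ ];`. The same hunk drops `resolvconf.enable = true;` with no replacement visible in this patch, so it is worth confirming that headless hosts (which do not get NetworkManager) still end up with a usable resolver.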
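Review bot: The new `networkmanager.unmanaged` entries `"bridge"`, `"ethernet"`, `"loopback"` and `"wireguard"` read as device types, but NetworkManager.conf(5)'s device-list format spells type matches as `type:ethernet`; a bare token is, as far as I recall, matched against the interface name, so these would only unmanage an interface literally named `ethernet` and so on. If the goal is to leave wired, bridge and WireGuard links to the scripted `interfaces.eth0.useDHCP` configuration, write `unmanaged = [ "type:bridge" "type:ethernet" "type:loopback" "type:wireguard" ];` and check `nmcli device` shows them as unmanaged; otherwise NetworkManager and dhcpcd presumably both try to configure eth0. `plugins = mkForce [ ]` is fine but deserves a one-line comment naming which default plugin it is meant to keep out.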
@@ -12,142 +11,149 @@ let cfg = config.nixfiles.modules.common.nix; in { + imports = with inputs.srvos.nixosModules; [ + mixins-nix-experimental + mixins-trusted-nix-caches + ]; + options.nixfiles.modules.common.nix.allowedUnfreePackages = mkOption { description = "A list of allowed unfree packages."; type = with types; listOf str; default = [ ]; }; - config = { - _module.args = - let - importNixpkgs = - nixpkgs: - import nixpkgs { - inherit (config.nixpkgs) config; - inherit (this) system; - }; - in - rec { - pkgsLocal = importNixpkgs "${config.my.home}/src/nixpkgs"; # Impure! - pkgsMaster = importNixpkgs inputs.nixpkgs-master; - pkgsStable = importNixpkgs inputs.nixpkgs-stable; - pkgsRev = - rev: hash: - importNixpkgs ( - pkgs.fetchFromGitHub { - owner = "NixOS"; - repo = "nixpkgs"; - inherit rev hash; - } - ); - pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head"; + config = + let + useNixpkgs = + nixpkgs: + import nixpkgs { + inherit (config.nixpkgs) config; + inherit (this) system; + }; + + pkgsLocal = useNixpkgs "${config.my.home}/src/nixpkgs"; # Impure! + pkgsMaster = useNixpkgs inputs.nixpkgs-master; + pkgsStable = useNixpkgs inputs.nixpkgs-stable; + pkgsRev = + rev: hash: + useNixpkgs ( + pkgs.fetchFromGitHub { + owner = "NixOS"; + repo = "nixpkgs"; + inherit rev hash; + } + ); + pkgsPr = pr: pkgsRev "refs/pull/${toString pr}/head"; + in + { + _module.args = { + inherit + pkgsLocal + pkgsMaster + pkgsStable + pkgsRev + pkgsPr + ; + }; + + hm = { + # Used primarily in conjunction with the "nixfiles" script. 
+ home.file.".nix-defexpr/default.nix".text = + let + hostname = strings.escapeNixIdentifier this.hostname; + in + optionalString this.isHeadful '' + let + self = builtins.getFlake "nixfiles"; + configurations = self.nixosConfigurations; + local = configurations.${hostname}; + in rec { + inherit self; + inherit (self) inputs lib; + inherit (lib) my; + this = my.configurations.${hostname}; + inherit (local) config; + inherit (local.config.system.build) toplevel vm vmWithBootLoader manual; + pretty = expr: lib.trace (lib.generators.toPretty {} expr) {}; + } // configurations // local._module.args + ''; + + programs.bash.shellAliases.nix = "nix --verbose --print-build-logs"; }; - hm = { - # Used primarily in conjunction with the "nixfiles" script. - home.file.".nix-defexpr/default.nix".text = + nix = let - hostname = strings.escapeNixIdentifier this.hostname; + notSelfInputs = filterAttrs (n: _: n != "self") inputs; in - optionalString this.isHeadful '' - let - self = builtins.getFlake "nixfiles"; - configurations = self.nixosConfigurations; - local = configurations.${hostname}; - in rec { - inherit self; - inherit (self) inputs lib; - inherit (lib) my; - this = my.configurations.${hostname}; - inherit (local) config; - inherit (local.config.system.build) toplevel vm vmWithBootLoader manual; - pretty = expr: lib.trace (lib.generators.toPretty {} expr) {}; - } // configurations // local._module.args - ''; - - programs.bash.shellAliases.nix = "nix --verbose --print-build-logs"; - }; + { + daemonCPUSchedPolicy = "idle"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; - nix = - let - notSelfInputs = filterAttrs (n: _: n != "self") inputs; - in - { - daemonCPUSchedPolicy = "idle"; - daemonIOSchedClass = "idle"; - daemonIOSchedPriority = 7; - - settings = { - # https://nixos.org/manual/nix/unstable/contributing/experimental-features.html#currently-available-experimental-features - # https://github.com/NixOS/nix/blob/master/src/libutil/experimental-features.cc - 
experimental-features = concatStringsSep " " [ - "flakes" - "nix-command" - "recursive-nix" - "repl-flake" - ]; + settings = { + keep-derivations = if this.isHeadful then "true" else "false"; + keep-outputs = if this.isHeadful then "true" else "false"; - keep-derivations = if this.isHeadful then "true" else "false"; - keep-outputs = if this.isHeadful then "true" else "false"; + warn-dirty = false; - flake-registry = "${inputs.flake-registry}/flake-registry.json"; + keep-going = true; - warn-dirty = false; + substituters = [ + "https://azahi.cachix.org" + "https://nix-community.cachix.org" + ]; - keep-going = true; + trusted-substituters = [ "https://azahi.cachix.org" ]; + trusted-public-keys = [ "azahi.cachix.org-1:2bayb+iWYMAVw3ZdEpVg+NPOHCXncw7WMQ0ElX1GO3s=" ]; - substituters = [ - "https://azahi.cachix.org" - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "azahi.cachix.org-1:2bayb+iWYMAVw3ZdEpVg+NPOHCXncw7WMQ0ElX1GO3s=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; + trusted-users = [ + "root" + my.username + ]; + }; - trusted-users = [ - "root" - my.username + nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ + "nixfiles=${config.my.home}/src/nixfiles" ]; + + registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { + nixfiles.flake = inputs.self; + }; }; - nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ - "nixfiles=${config.my.home}/src/nixfiles" + nixpkgs = { + config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages; + + overlays = with inputs; [ + self.overlays.default + (_: _: { + # Global PR package overrides go here. 
Example: + # ``` + # inherit (pkgsPr 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go; + # ``` + }) ]; + }; - registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { - nixfiles.flake = inputs.self; + environment = { + localBinInPath = true; + defaultPackages = [ ]; + systemPackages = + with pkgs; + optionals this.isHeadful [ + nix-top + nix-tree + nixfiles + ]; + variables = { + NIXFILES = "${config.my.home}/src/nixfiles"; + NIX_SHELL_PRESERVE_PROMPT = "1"; }; }; - nixpkgs = { - config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages; - - overlays = with inputs; [ - self.overlays.default - (_: _super: { - inherit (pkgsPr 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go; - }) - ]; - }; - - environment = { - localBinInPath = true; - defaultPackages = mkForce [ ]; - systemPackages = - with pkgs; - optionals this.isHeadful [ - nix-top - nix-tree - nixfiles - ]; - sessionVariables = { - NIXFILES = "${config.my.home}/src/nixfiles"; - NIX_SHELL_PRESERVE_PROMPT = "1"; + system = { + # HACK This lets `nix flake check` to pass. + stateVersion = if hasAttr "stateVersion" this then this.stateVersion else trivial.release; }; }; - - system.stateVersion = with builtins; head (split "\n" (readFile "${inputs.nixpkgs}/.version")); - }; } diff --git a/modules/common/security.nix b/modules/common/security.nix index c635cdc..acfc9cc 100644 --- a/modules/common/security.nix +++ b/modules/common/security.nix @@ -1,13 +1,6 @@ _: { security = { - sudo = { - enable = true; - execWheelOnly = true; - wheelNeedsPassword = false; - extraConfig = '' - Defaults lecture=never - ''; - }; + sudo.wheelNeedsPassword = false; polkit = { enable = true; @@ -24,8 +17,5 @@ _: { }); ''; }; - - # Pretty much used only for PipeWire. - rtkit.enable = true; }; } diff --git a/modules/common/stylix.nix b/modules/common/stylix.nix index 9a360ad..314aa4c 100644 --- a/modules/common/stylix.nix +++ b/modules/common/stylix.nix 
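Review bot: `settings.substituters` in the rewritten `nix` block still lists `https://nix-community.cachix.org`, but that cache's key was dropped from `trusted-public-keys`, so its paths are only accepted if the newly imported srvos `mixins-trusted-nix-caches` supplies the key — worth confirming rather than assuming, because a substitute signed by an unknown key is typically skipped with a warning and the derivation is rebuilt locally, which is easy to miss. Separately, `trusted-users = [ "root" my.username ]` lets that account override substituters and add unsigned store paths, which is root-equivalent on the host; a comment such as `# trusted-users is root-equivalent; needed for the pkgsLocal/pkgsPr overrides.` would record that this is deliberate. The `pkgsLocal = useNixpkgs "${config.my.home}/src/nixpkgs"; # Impure!` binding is carried over unchanged.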
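Review bot: Collapsing the `sudo` block to `sudo.wheelNeedsPassword = false;` drops `execWheelOnly = true`, which restricted execute permission on the sudo binary to the wheel group; with passwordless wheel sudo kept, that was the remaining defence-in-depth keeping any future sudo bug out of reach of unprivileged service and user accounts. Unless the restriction was causing a concrete problem, keep it: `sudo = { wheelNeedsPassword = false; execWheelOnly = true; };`. Dropping the explicit `enable = true` and `Defaults lecture=never` is harmless.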
@@ -37,6 +37,8 @@ with lib; # [1]: https://github.com/tinted-theming/base24/blob/master/styling.md config = { stylix = { + autoEnable = this.isHeadful; + image = pkgs.fetchurl { url = "https://upload.wikimedia.org/wikipedia/commons/a/a5/Bonaparte_ante_la_Esfinge%2C_por_Jean-Léon_Gérôme.jpg"; sha256 = "sha256-qWv52oT8cF9K4ZoeawmR3jgoGB2ARfjbKKc12IljUcM="; diff --git a/modules/common/systemd.nix b/modules/common/systemd.nix index b393d9f..aac1647 100644 --- a/modules/common/systemd.nix +++ b/modules/common/systemd.nix @@ -13,7 +13,6 @@ enable = true; network = { inherit (config.systemd.network) enable; - wait-online.enable = false; }; }; @@ -35,7 +34,7 @@ }; }; - environment.sessionVariables = { + environment.variables = { SYSTEMD_PAGERSECURE = "1"; SYSTEMD_PAGER = "${pkgs.less}/bin/less"; SYSTEMD_LESS = "FRSXMK"; diff --git a/modules/common/xdg.nix b/modules/common/xdg.nix index c581369..0b807b7 100644 --- a/modules/common/xdg.nix +++ b/modules/common/xdg.nix @@ -84,7 +84,10 @@ in }; config = { - xdg.portal = mkIf this.isHeadful { enable = true; }; + xdg = { + portal.enable = this.isHeadful; + sounds.enable = this.isHeadful; + }; hm.xdg = mkMerge [ (with cfg; { diff --git a/modules/default.nix b/modules/default.nix index e41e09b..63b3aa7 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,9 +1 @@ -{ lib, ... }: -with lib; -{ - nixfiles = - { ... }: - { - imports = attrValues (modulesIn ./.); - }; -} +{ lib, ... }: with lib; { nixfiles = _: { imports = attrValues (modulesIn ./.); }; } diff --git a/modules/firefox/userContent.css b/modules/firefox/userContent.css index cf7b659..df0124a 100644 --- a/modules/firefox/userContent.css +++ b/modules/firefox/userContent.css @@ -397,3 +397,10 @@ display: none !important; } } + +@-moz-document regexp("https?://app\.slack\.com\.*") +{ + .p-client__banners.p-ia__workspace_banner { + display: none !important; + } +} diff --git a/modules/nginx.nix b/modules/nginx.nix index ed34237..b912e22 100644 
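Review bot: In the new `@-moz-document regexp("https?://app\.slack\.com\.*")` rule the backslashes are consumed by the CSS string tokenizer before the regex is compiled (`\.` inside a CSS string is just `.`), so the pattern Firefox evaluates is `https?://app.slack.com.*`; it matches the intended pages only because the unescaped dots match anything, and the trailing `\.*` never worked as the literal-dot-then-anything it looks like. To match the dots literally and then the rest of the URL, write `regexp("https?://app\\.slack\\.com/.*")`.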
--- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -55,13 +55,16 @@ in serverTokens = false; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; + recommendedBrotliSettings = lib.mkDefault true; + recommendedGzipSettings = lib.mkDefault true; + recommendedOptimisation = lib.mkDefault true; + recommendedProxySettings = lib.mkDefault true; + recommendedTlsSettings = lib.mkDefault true; + recommendedZstdSettings = lib.mkDefault true; commonHttpConfig = concatStrings [ '' + access_log syslog:server=unix:/dev/log; add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"; '' (optionalString (hasAttr "wireguard" this) ( @@ -100,6 +103,8 @@ in ] ) cfg.virtualHosts )); + + sslDhparam = config.security.dhparams.params.nginx.path; }; fail2ban.jails = { @@ -114,6 +119,11 @@ in }; }; + security.dhparams = { + enable = true; + params.nginx = { }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/modules/openssh.nix b/modules/openssh.nix index 5504521..470b6c9 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -99,7 +99,6 @@ in ClientAliveCountMax = 3; ClientAliveInterval = 60; KbdInteractiveAuthentication = false; - LogLevel = if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "ERROR"; MaxAuthTries = 3; PasswordAuthentication = false; PermitRootLogin = mkForce "no"; diff --git a/modules/postgresql.nix b/modules/postgresql.nix index f9ea64f..f88831b 100644 --- a/modules/postgresql.nix +++ b/modules/postgresql.nix @@ -79,7 +79,7 @@ in cfg.extraPostStart != [ ] ) concatLines cfg.extraPostStart; - environment.sessionVariables.PSQLRC = toString ( + environment.variables.PSQLRC = toString ( pkgs.writeText "psqlrc" '' \set QUIET 1 diff --git a/modules/profiles/default.nix b/modules/profiles/default.nix index 5edfd7a..6967cb7 100644 --- a/modules/profiles/default.nix +++ b/modules/profiles/default.nix 
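Review bot: `sslDhparam = config.security.dhparams.params.nginx.path;` together with the `security.dhparams` block added in the `@@ -114,6` hunk only affects DHE cipher suites, and the `recommendedTlsSettings` kept above pins, as far as I recall, an ECDHE-only `ssl_ciphers` list plus TLS 1.2/1.3 — so the generated parameters are probably never negotiated, while the generation still runs at activation at the module's `defaultBitSize` (2048 bits as far as I recall) because `params.nginx = { }` sets nothing. If DHE suites are wanted, set `params.nginx.bits` explicitly and add the suites to `sslCiphers`; otherwise both additions can go. The new `access_log syslog:server=unix:/dev/log;` line in `commonHttpConfig` routes client addresses and request lines for every virtual host to the journal, which the fail2ban jails further down presumably depend on — a one-line comment saying so would explain why it sits in the shared block.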
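Review bot: Removing `LogLevel = if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "ERROR";` leaves sshd on its default `INFO`, which is an improvement for hosts that were on `ERROR` (they logged neither accepted logins nor failed attempts), but fail2ban hosts lose `VERBOSE`, the level at which sshd also records the public-key fingerprint of each accepted login and which the `aggressive` mode of fail2ban's sshd filter expects. If the jail uses the default mode, `INFO` is enough and a comment such as `# LogLevel left at sshd's default (INFO); fail2ban's sshd filter matches at that level.` would record the decision; if it uses `mode=aggressive`, keep `LogLevel = "VERBOSE";`. The enclosing `settings` block starts before this hunk.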
@@ -36,12 +36,15 @@ in eza.enable = true; htop.enable = true; tmux.enable = true; - vim.enable = true; }; - programs.less = { - enable = true; - envVariables.LESSHISTFILE = "-"; + programs = { + less = { + enable = true; + envVariables.LESSHISTFILE = "-"; + }; + + nano.enable = false; }; time.timeZone = "Europe/Moscow"; diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index eab447c..3ee2ff5 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -58,6 +58,7 @@ in packages = with pkgs; [ age + google-cloud-sdk htmlq httpie hydra-check @@ -65,7 +66,9 @@ in logcli nix-update nixpkgs-review + scaleway-cli sops + vultr-cli yq ]; diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix index 7060e49..83b3e4a 100644 --- a/modules/profiles/headful.nix +++ b/modules/profiles/headful.nix @@ -93,6 +93,8 @@ in configurationLimit = 10; }; }; + + consoleLogLevel = 3; }; hardware.opengl = { diff --git a/modules/profiles/headless.nix b/modules/profiles/headless.nix index 7733f3e..f739206 100644 --- a/modules/profiles/headless.nix +++ b/modules/profiles/headless.nix @@ -30,11 +30,13 @@ in ".bash_history".source = config.hm.lib.file.mkOutOfStoreSymlink "/dev/null"; }; - # Pin version to prevent any surprises. Try keeping this up-to-date[1] with - # the latest LTS release + hardened patches (just in case). - # - # [1]: https://kernel.org - boot.kernelPackages = pkgs.linuxPackages_6_6_hardened; + boot = { + # Pin version to prevent any surprises. Try keeping this up-to-date[1] + # with the latest LTS release + hardened patches (just in case). + # + # [1]: https://kernel.org + kernelPackages = pkgs.linuxPackages_6_6_hardened; # EOL Dec, 2026 + }; nix = { gc = { @@ -55,7 +57,5 @@ in ]; services.udisks2.enable = false; - - xdg.sounds.enable = false; }; } diff --git a/modules/qutebrowser.nix b/modules/qutebrowser.nix index 8fdcf48..36a71e7 100644 --- a/modules/qutebrowser.nix +++ b/modules/qutebrowser.nix 
@@ -12,10 +12,7 @@ in options.nixfiles.modules.qutebrowser.enable = mkEnableOption "Qutebrowser"; config = mkIf cfg.enable { - nixfiles.modules = { - mpv.enable = true; - vim.enable = true; - }; + nixfiles.modules.mpv.enable = true; hm = { programs.qutebrowser = with config.nixfiles.modules; { diff --git a/modules/shadowsocks.nix b/modules/shadowsocks.nix index 1d55cf5..a70e2d1 100644 --- a/modules/shadowsocks.nix +++ b/modules/shadowsocks.nix @@ -127,8 +127,7 @@ in "net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17); "net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26); "net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26); - "net.ipv4.tcp_mtu_probing" = 1; - "net.ipv4.tcp_congestion_control" = "hybla"; + "net.ipv4.tcp_mtu_probing" = mkOverride 100 1; }; topology = with cfg; { diff --git a/modules/soju.nix b/modules/soju.nix index f8212b5..c64b89e 100644 --- a/modules/soju.nix +++ b/modules/soju.nix @@ -89,14 +89,14 @@ in listen ircs://${cfg.address}:${toString cfg.port} tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"} ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"} - db postgres ${ + db postgres "${ concatStringsSep " " [ "host=/run/postgresql" "user=${db}" "dbname=${db}" "sslmode=disable" ] - } + }" hostname ${cfg.domain} title ${cfg.domain} ''; diff --git a/modules/sound.nix b/modules/sound.nix index ff90dfc..49ca5bc 100644 --- a/modules/sound.nix +++ b/modules/sound.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + this, + ... +}: with lib; let cfg = config.nixfiles.modules.sound; 
@@ -6,13 +11,19 @@ in { options.nixfiles.modules.sound.enable = mkEnableOption "sound support"; - config = mkIf cfg.enable { - services.pipewire = { - enable = true; + config = + mkIf cfg.enable { + services.pipewire = { + enable = true; + + alsa.enable = true; + jack.enable = true; + pulse.enable = true; + }; - alsa.enable = true; - jack.enable = true; - pulse.enable = true; + security.rtkit.enable = true; + } + // { + sound.enable = this.isHeadful; }; - }; } -- cgit 1.4.1
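Review bot: `sound.enable = this.isHeadful;` is attached with `//` to the value returned by `mkIf cfg.enable { … }`, and as far as I can tell the module system only reads the `content` of an `_type = "if"` value when it pushes the condition down, so the extra `sound` attribute is silently discarded and this module never sets `sound.enable`. Merge the two pieces with `mkMerge` instead: `config = mkMerge [ (mkIf cfg.enable { services.pipewire = { … }; security.rtkit.enable = true; }) { sound.enable = this.isHeadful; } ];`. Moving `security.rtkit.enable = true` under `cfg.enable` (it was unconditional in security.nix) is reasonable, since the removed comment there said it existed only for PipeWire.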