diff --git a/config/Dpi.nix b/config/Dpi.nix
new file mode 100644
index 00000000..6eb3ffd4
--- /dev/null
+++ b/config/Dpi.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgsMaster,
+ ...
+}: let
+ cfg = config.module.dpi;
+in {
+ disabledModules = [ "services/networking/zapret.nix" ];
+ imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
+
+ config = lib.mkIf cfg.bypass.enable {
+ services.zapret = {
+ inherit (cfg.bypass) params;
+ enable = true;
+ package = pkgsMaster.zapret;
+ whitelist = [
+ "youtube.com"
+ "googlevideo.com"
+ "ytimg.com"
+ "youtu.be"
+ "rutracker.org"
+ "rutracker.cc"
+ "rutrk.org"
+ "t-ru.org"
+ "medium.com"
+ "dis.gd"
+ "discord.co"
+ "discord.com"
+ "discord.dev"
+ "discord.gg"
+ "discord.gift"
+ "discord.media"
+ "discord.new"
+ "discordapp.com"
+ "discordapp.net"
+ "discordcdn.com"
+ "discordstatus.com"
+ ];
+ };
+ };
+}
diff --git a/config/Kernel.nix b/config/Kernel.nix
index a63c3ec9..1a968e11 100644
--- a/config/Kernel.nix
+++ b/config/Kernel.nix
@@ -28,7 +28,7 @@ in {
 # Packet forwarding.
 "net.ipv4.ip_forward" = 0;
- "net.ipv6.conf.all.forwarding" = 1;
+ "net.ipv6.conf.all.forwarding" = 0;
 # MITM protection.
 "net.ipv4.conf.all.accept_redirects" = 0;
@@ -48,19 +48,6 @@ in {
 # Lynis config.
 "kernel.core_uses_pid" = 1;
 "kernel.kptr_restrict" = 2;
-
- # IP hardening.
- "net.ipv4.conf.all.log_martians" = 1;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_source_route" = 0;
- "net.ipv4.conf.default.log_martians" = 0;
- "net.ipv4.tcp_timestamps" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
-
- # Disable ipv6.
- "net.ipv6.conf.all.disable_ipv6" = 1;
- "net.ipv6.conf.default.disable_ipv6" = 1;
- "net.ipv6.conf.lo.disable_ipv6" = 1;
 };
 })
diff --git a/config/Package.nix b/config/Package.nix
index bf89a387..528d5311 100644
--- a/config/Package.nix
+++ b/config/Package.nix
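Review bot: `enable = true` combined with `inherit (cfg.bypass) params;` lets the service start with the option's default `[ ]` when a host sets `dpi.bypass.enable` but forgets `params`, so zapret would run with no desync parameters at all; an assertion inside the `mkIf` catches that at evaluation time, e.g. `assertions = [{ assertion = cfg.bypass.params != [ ]; message = "module.dpi.bypass.params must not be empty"; }];`. Separately, `disabledModules` and `imports` sit outside the `mkIf` and cannot be gated by it, so every host that includes this file replaces its zapret module with the one from `inputs.nixpkgsMaster` even when the bypass is disabled. A comment on the `imports` line stating why the master module is required would help the next reader, e.g. `# The zapret module is taken from nixpkgs master to match pkgsMaster.zapret; keep the two in sync.`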
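Review bot: The removed `net.ipv4.conf.default.*` and `net.ipv6.conf.default.accept_redirects` entries have no replacement anywhere in this diff, and only the `all.*` variants remain visible; `default.*` is what interfaces created after boot (container veths such as the one behind container/Frkn.nix, VPN tunnels, bridges) inherit, so those interfaces now fall back to the kernel defaults, and per the kernel ip-sysctl documentation an IPv4 interface with forwarding disabled honours redirects when either the `all` or the per-interface value is set. If the intent is only to stop disabling IPv6, keep the `default.*` lines and `log_martians` (useful for spotting spoofed sources in logs) and drop only the `disable_ipv6` block. The sysctl attribute set continues outside the hunk, so a surviving `net.ipv6.conf.all.accept_redirects = 0` (implied by the `mkForce` override in config/Purpose.nix) would not show here.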
@@ -10,7 +10,7 @@ in {
 config = lib.mkMerge [
 # Core apps.
- (lib.mkIf cfg.core.enable {
+ (lib.mkIf cfg.core {
 environment.systemPackages = package.core;
 programs = {
@@ -27,7 +27,7 @@ in {
 })
 # Common apps.
- (lib.mkIf cfg.common.enable {
+ (lib.mkIf cfg.common {
 environment.systemPackages = package.common;
 xdg.mime.defaultApplications = {
@@ -53,12 +53,12 @@ in {
 })
 # Desktop apps.
- (lib.mkIf cfg.desktop.enable {
+ (lib.mkIf cfg.desktop {
 environment.systemPackages = package.desktop;
 })
 # Gaming.
- (lib.mkIf cfg.gaming.enable {
+ (lib.mkIf cfg.gaming {
 programs.steam.enable = true;
 environment.systemPackages = package.gaming;
 hardware.graphics = let
@@ -74,18 +74,18 @@ in {
 };
 })
- # Creative.
- (lib.mkIf cfg.creative.enable {
+ # Creativity.
+ (lib.mkIf cfg.creativity {
 environment.systemPackages = package.creative;
 })
 # Development.
- (lib.mkIf cfg.dev.enable {
+ (lib.mkIf cfg.dev {
 environment.systemPackages = package.dev;
 })
 # Extras.
- (lib.mkIf cfg.extra.enable {
+ (lib.mkIf cfg.extra {
 environment.systemPackages = package.extra;
 })
 ];
diff --git a/config/Purpose.nix b/config/Purpose.nix
new file mode 100644
index 00000000..8f84c107
--- /dev/null
+++ b/config/Purpose.nix
@@ -0,0 +1,134 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.module.purpose;
+in {
+ config = lib.mkMerge [
+ (lib.mkIf cfg.creativity {
+ module = {
+ tablet.enable = true;
+ package.creativity = true;
+ };
+ })
+
+ (lib.mkIf cfg.desktop {
+ module = {
+ keyd.enable = true;
+ sway.enable = true;
+ kernel = {
+ enable = true;
+ latest = true;
+ };
+ package = {
+ common = true;
+ core = true;
+ desktop = true;
+ };
+ };
+ })
+
+ (lib.mkIf cfg.disown {
+ module = {
+ autoupdate.enable = true;
+ kernel = {
+ enable = true;
+ hardening = true;
+ };
+ };
+ })
+
+ (lib.mkIf cfg.gaming {
+ module.package.gaming = true;
+ })
+
+ (lib.mkIf cfg.laptop {
+ services.tlp.enable = true; # Automatic powersaving based on Pluged/AC states.
+ module = {
+ keyd.enable = true;
+ sway.enable = true;
+ kernel = {
+ enable = true;
+ hardening = true;
+ latest = true;
+ };
+ package = {
+ common = true;
+ core = true;
+ desktop = true;
+ };
+ };
+ })
+
+ (lib.mkIf cfg.phone {
+ })
+
+ (lib.mkIf cfg.router {
+ module = {
+ kernel = {
+ enable = true;
+ hardening = true;
+ };
+ package = {
+ common = true;
+ core = true;
+ };
+ };
+ # De-harden some stuff.
+ boot.kernel.sysctl = {
+ # Allow spoofing.
+ "net.ipv4.conf.all.rp_filter" = lib.mkForce 0;
+ "net.ipv4.conf.default.rp_filter" = lib.mkForce 0;
+
+ # Forward packets.
+ "net.ipv4.ip_forward" = lib.mkForce 1;
+ "net.ipv6.conf.all.forwarding" = lib.mkForce 1;
+ "net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
+
+ # Allow redirects.
+ "net.ipv4.conf.all.accept_redirects" = lib.mkForce 1;
+ "net.ipv6.conf.all.accept_redirects" = lib.mkForce 1;
+
+ # Send ICMP.
+ "net.ipv4.conf.all.send_redirects" = lib.mkForce 1;
+
+ # Accept IP source route packets.
+ "net.ipv4.conf.all.accept_source_route" = lib.mkForce 1;
+ "net.ipv6.conf.all.accept_source_route" = lib.mkForce 1;
+ };
+ })
+
+ (lib.mkIf cfg.server {
+ module = {
+ keyd.enable = true;
+ kernel = {
+ enable = true;
+ hardening = true;
+ };
+ package = {
+ common = true;
+ core = true;
+ };
+ };
+ })
+
+ (lib.mkIf cfg.work {
+ module = {
+ distrobox.enable = true;
+ ollama.enable = true;
+ package.dev = true;
+ virtmanager.enable = true;
+ docker = {
+ enable = true;
+ autostart = false;
+ rootless = false;
+ };
+ kernel = {
+ enable = true;
+ hardening = true;
+ };
+ };
+ })
+ ];
+}
diff --git a/container/Frkn.nix b/container/Frkn.nix
index 8d078f23..82974b7e 100644
--- a/container/Frkn.nix
+++ b/container/Frkn.nix
@@ -57,15 +57,10 @@ in {
 "net.ipv4.ip_forward" = 1;
 };
- # TODO: Single place.
 services.zapret = {
- enable = true;
+ inherit (config.services.zapret) params;
+ enable = true;
 package = pkgsMaster.zapret;
- params = [
- "--dpi-desync=fake,disorder2"
- "--dpi-desync-ttl=1"
- "--dpi-desync-autottl=2"
- ];
 };
 services = {
diff --git a/home/file/foot/default.nix b/home/file/foot/default.nix
index dccb86ce..56c6bc3d 100644
--- a/home/file/foot/default.nix
+++ b/home/file/foot/default.nix
@@ -4,7 +4,7 @@
 ...
 }: let
 borderSize = toString config.module.style.window.border;
- dpiAware = if config.module.dpi.aware then "yes" else "no";
+ dpiAware = if config.module.display.dpiAware then "yes" else "no";
 fontStep = 1;
 in {
 file = (pkgs.formats.iniWithGlobalSection { }).generate "FootConfig" {
diff --git a/home/file/fuzzel/default.nix b/home/file/fuzzel/default.nix
index 18594ad2..a31aaddf 100644
--- a/home/file/fuzzel/default.nix
+++ b/home/file/fuzzel/default.nix
@@ -3,7 +3,7 @@
 config,
 ...
 }: let
- dpiAware = if config.module.dpi.aware then "yes" else "no";
+ dpiAware = if config.module.display.dpiAware then "yes" else "no";
 in {
 file = (pkgs.formats.ini { }).generate "FuzzelConfig" {
 main = {
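Review bot: The `router` block forces `net.ipv4.conf.all.accept_redirects`, `net.ipv6.conf.all.accept_redirects`, `net.ipv4.conf.all.accept_source_route` and `net.ipv6.conf.all.accept_source_route` to 1, none of which is needed to forward packets: forwarding needs `ip_forward`/`forwarding` (plus `src_valid_mark`/`rp_filter` for policy-routed or tunnelled traffic), whereas accepting redirects and source-routed packets on a router lets any peer alter the router's routes or dictate the path of forwarded traffic. This also widens what host/x86_64-linux/home/default.nix gets, which previously forced only `src_valid_mark` and `ip_forward` (the block removed from host/x86_64-linux/home/Network.nix). Unless there is a concrete need, drop the four `accept_*` lines and let `kernel.hardening` keep its defaults; if `send_redirects` stays, make the comment say what it is for, e.g. `# Send ICMP redirects so LAN hosts learn direct routes.`, and state `# Allow spoofing.` as `# Disable reverse-path filtering (asymmetric / policy routing).`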
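Review bot: `inherit (config.services.zapret) params;` defines `services.zapret.params` in terms of the very option being defined, which evaluates to an infinite recursion if `config` here is the container's own configuration (as it is for a module under `containers.<name>.config`); it only works if `config` is the host's configuration handed in through `specialArgs`, and nothing in the hunk shows which one it is. If it is the host's, a comment should make that explicit, e.g. `# config here is the host system; reuse its DPI bypass parameters.`; otherwise the value has to be passed in as a separate argument. The enclosing module starts before the hunk.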
diff --git a/host/x86_64-linux/dasha/default.nix b/host/x86_64-linux/dasha/default.nix
index 07fd8a30..8100c60b 100644
--- a/host/x86_64-linux/dasha/default.nix
+++ b/host/x86_64-linux/dasha/default.nix
@@ -1,19 +1,22 @@
 { ... }: {
 home.nixos.enable = true;
 user = {
- dasha.enable = true;
- root.enable = true;
+ dasha = true;
+ root = true;
 };
 module = {
- amd.gpu.enable = true;
- autoupdate.enable = true;
 builder.client.enable = true;
- sway.enable = true;
- kernel.enable = true;
- keyd.enable = true;
- print.enable = true;
- tablet.enable = true;
+ amd.gpu.enable = true;
+ package.extra = true;
+ print.enable = true;
+ purpose = {
+ creativity = true;
+ desktop = true;
+ disown = true;
+ gaming = true;
+ work = true;
+ };
 hwmon = {
 file = "temp1_input";
 path = "/sys/devices/platform/coretemp.0/hwmon";
@@ -22,14 +25,5 @@
 enable = true;
 powersave = true;
 };
- package = {
- common.enable = true;
- core.enable = true;
- creative.enable = true;
- desktop.enable = true;
- dev.enable = true;
- extra.enable = true;
- gaming.enable = true;
- };
 };
 }
diff --git a/host/x86_64-linux/desktop/default.nix b/host/x86_64-linux/desktop/default.nix
index 76834a1a..e8351da8 100644
--- a/host/x86_64-linux/desktop/default.nix
+++ b/host/x86_64-linux/desktop/default.nix
@@ -1,17 +1,19 @@
 { ... }: {
 home.nixos.enable = true;
 user = {
- root.enable = true;
- voronind.enable = true;
+ root = true;
+ voronind = true;
 };
 module = {
 builder.client.enable = true;
- distrobox.enable = true;
- keyd.enable = true;
- ollama.enable = true;
- print.enable = true;
- virtmanager.enable = true;
+ package.extra = true;
+ print.enable = true;
+ purpose = {
+ desktop = true;
+ gaming = true;
+ work = true;
+ };
 amd = {
 compute.enable = true;
 gpu.enable = true;
@@ -20,35 +22,14 @@
 powersave = true;
 };
 };
- sway = {
- enable = true;
- extraConfig = ''
- output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165" mode 1920x1080@74.986Hz transform 180 pos 780,0
- output "Huawei Technologies Co., Inc. ZQE-CBA 0xC080F622" pos 0,1080
- workspace 1 output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165"
- '';
- };
- docker = {
- enable = true;
- autostart = false;
- rootless = false;
- };
+ sway.extraConfig = ''
+ output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165" mode 1920x1080@74.986Hz transform 180 pos 780,0
+ output "Huawei Technologies Co., Inc. ZQE-CBA 0xC080F622" pos 0,1080
+ workspace 1 output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165"
+ '';
 hwmon = {
 file = "temp1_input";
 path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
 };
- kernel = {
- enable = true;
- latest = true;
- };
- package = {
- common.enable = true;
- core.enable = true;
- creative.enable = true;
- desktop.enable = true;
- dev.enable = true;
- extra.enable = true;
- gaming.enable = true;
- };
 };
 }
diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix
index 5458413b..e8ba82c2 100644
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@@ -11,12 +11,6 @@
 lan = "br0"; # Lan interface.
 wan = "enp8s0"; # Wan interface.
 in {
- # Allow packet routing (we are a router).
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
- "net.ipv4.ip_forward" = lib.mkForce 1;
- };
-
 # Disable SSH access from everywhere, configure access bellow.
 services.openssh.openFirewall = false;
diff --git a/host/x86_64-linux/home/Zapret.nix b/host/x86_64-linux/home/Zapret.nix
deleted file mode 100644
index 6a6d7b0c..00000000
--- a/host/x86_64-linux/home/Zapret.nix
+++ /dev/null
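Review bot: With the sysctl block removed, nothing left in this file says that forwarding between `lan` and `wan` now depends on `module.purpose.router` (set in host/x86_64-linux/home/default.nix), so any NAT or firewall rule below that assumes `ip_forward = 1` silently stops working if that flag is ever dropped. A one-line comment next to the interface definitions keeps the dependency visible, e.g. `# Packet forwarding and the rp_filter relaxation are enabled by module.purpose.router (config/Purpose.nix).`. The `let` block and the module body continue outside the hunk.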
@@ -1,42 +0,0 @@
-{
- inputs,
- pkgsMaster,
- ...
-}: {
- disabledModules = [ "services/networking/zapret.nix" ];
- imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
-
- # TODO: Single place.
- services.zapret = {
- enable = true;
- package = pkgsMaster.zapret;
- params = [
- "--dpi-desync=fake,disorder2"
- "--dpi-desync-ttl=1"
- "--dpi-desync-autottl=2"
- ];
- whitelist = [
- "youtube.com"
- "googlevideo.com"
- "ytimg.com"
- "youtu.be"
- "rutracker.org"
- "rutracker.cc"
- "rutrk.org"
- "t-ru.org"
- "medium.com"
- "dis.gd"
- "discord.co"
- "discord.com"
- "discord.dev"
- "discord.gg"
- "discord.gift"
- "discord.media"
- "discord.new"
- "discordapp.com"
- "discordapp.net"
- "discordcdn.com"
- "discordstatus.com"
- ];
- };
-}
diff --git a/host/x86_64-linux/home/default.nix b/host/x86_64-linux/home/default.nix
index 7ea881d1..48d6d9fa 100644
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@@ -1,15 +1,25 @@
 { ... }: {
 home.nixos.enable = true;
 user = {
- root.enable = true;
- voronind.enable = true;
+ root = true;
+ voronind = true;
 };
 module = {
 builder.server.enable = true;
- sway.enable = true;
- kernel.enable = true;
- keyd.enable = true;
+ purpose = {
+ desktop = true;
+ router = true;
+ server = true;
+ };
+ dpi.bypass = {
+ enable = true;
+ params = [
+ "--dpi-desync=fake,disorder2"
+ "--dpi-desync-ttl=1"
+ "--dpi-desync-autottl=2"
+ ];
+ };
 amd = {
 cpu.enable = true;
 gpu.enable = true;
@@ -22,10 +32,5 @@
 file = "temp1_input";
 path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
 };
- package = {
- common.enable = true;
- core.enable = true;
- desktop.enable = true;
- };
 };
 }
diff --git a/host/x86_64-linux/laptop/default.nix b/host/x86_64-linux/laptop/default.nix
index aae65444..0ae82919 100644
--- a/host/x86_64-linux/laptop/default.nix
+++ b/host/x86_64-linux/laptop/default.nix
@@ -1,19 +1,21 @@
 { ... }: {
 home.nixos.enable = true;
 user = {
- dasha.enable = true;
- root.enable = true;
- voronind.enable = true;
+ dasha = true;
+ root = true;
+ voronind = true;
 };
 module = {
- autoupdate.enable = true;
 builder.client.enable = true;
- sway.enable = true;
- kernel.enable = true;
- keyd.enable = true;
- print.enable = true;
- tablet.enable = true;
+ print.enable = true;
+ purpose = {
+ creativity = true;
+ disown = true;
+ gaming = true;
+ laptop = true;
+ work = true;
+ };
 amd = {
 compute.enable = true;
 cpu = {
@@ -22,13 +24,5 @@
 };
 gpu.enable = true;
 };
- package = {
- common.enable = true;
- core.enable = true;
- desktop.enable = true;
- gaming.enable = true;
- creative.enable = true;
- dev.enable = true;
- };
 };
 }
diff --git a/host/x86_64-linux/live/default.nix b/host/x86_64-linux/live/default.nix
index 1122495c..5e13f770 100644
--- a/host/x86_64-linux/live/default.nix
+++ b/host/x86_64-linux/live/default.nix
@@ -18,5 +18,5 @@
 # Root user setup.
 home.nixos.enable = true;
- user.root.enable = true;
+ user.root = true;
 }
diff --git a/host/x86_64-linux/pocket/Tlp.nix b/host/x86_64-linux/pocket/Tlp.nix
deleted file mode 100644
index 1474255f..00000000
--- a/host/x86_64-linux/pocket/Tlp.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{ ... }: {
- services.tlp.enable = true;
-}
diff --git a/host/x86_64-linux/pocket/default.nix b/host/x86_64-linux/pocket/default.nix
index 3d90f80f..83c3ee02 100644
--- a/host/x86_64-linux/pocket/default.nix
+++ b/host/x86_64-linux/pocket/default.nix
@@ -1,25 +1,23 @@
 { ... }: {
 home.nixos.enable = true;
 user = {
- root.enable = true;
- voronind.enable = true;
+ root = true;
+ voronind = true;
 };
 module = {
 builder.client.enable = true;
- keyd.enable = true;
- print.enable = true;
- sway = {
- enable = true;
- extraConfig = ''
- output DSI-1 transform 90
- input * map_to_output DSI-1
- '';
- };
- kernel = {
- enable = true;
- latest = true;
+ package.extra = true;
+ print.enable = true;
+ purpose = {
+ creativity = true;
+ laptop = true;
+ work = true;
 };
+ sway.extraConfig = ''
+ output DSI-1 transform 90
+ input * map_to_output DSI-1
+ '';
 hwmon = {
 file = "temp1_input";
 path = "/sys/devices/platform/coretemp.0/hwmon";
@@ -28,14 +26,5 @@
 enable = true;
 powersave = true;
 };
- package = {
- common.enable = true;
- core.enable = true;
- creative.enable = true;
- desktop.enable = true;
- dev.enable = true;
- extra.enable = true;
- gaming.enable = true;
- };
 };
 }
diff --git a/host/x86_64-linux/work/default.nix b/host/x86_64-linux/work/default.nix
index 8182fce3..1871faa2 100644
--- a/host/x86_64-linux/work/default.nix
+++ b/host/x86_64-linux/work/default.nix
@@ -4,19 +4,23 @@
 home.nixos.enable = true;
 user = {
- root.enable = true;
- dasha.enable = true;
- voronind.enable = true;
+ dasha = true;
+ root = true;
+ voronind = true;
 };
 module = {
- autoupdate.enable = true;
 builder.client.enable = true;
- sway.enable = true;
- kernel.enable = true;
- keyd.enable = true;
+ package.extra = true;
 powerlimit.thinkpad.enable = true;
 print.enable = true;
+ purpose = {
+ creativity = true;
+ disown = true;
+ gaming = true;
+ laptop = true;
+ work = true;
+ };
 hwmon = {
 file = "temp1_input";
 path = "/sys/devices/platform/coretemp.0/hwmon";
@@ -25,13 +29,5 @@
 enable = true;
 powersave = true;
 };
- package = {
- common.enable = true;
- core.enable = true;
- desktop.enable = true;
- dev.enable = true;
- extra.enable = true;
- gaming.enable = true;
- };
 };
 }
diff --git a/option/Display.nix b/option/Display.nix
new file mode 100644
index 00000000..25e31a5e
--- /dev/null
+++ b/option/Display.nix
@@ -0,0 +1,10 @@
+# Screen configuration.
+{
+ lib,
+ ...
+}: {
+ options.module.display.dpiAware = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ };
+}
diff --git a/option/Dpi.nix b/option/Dpi.nix
index 37f50c5b..b0974dd7 100644
--- a/option/Dpi.nix
+++ b/option/Dpi.nix
@@ -1,10 +1,12 @@
-# Screen density configuration.
 {
 lib,
 ...
 }: {
- options.module.dpi.aware = lib.mkOption {
- default = false;
- type = lib.types.bool;
+ options.module.dpi.bypass = {
+ enable = lib.mkEnableOption "the DPI bypass.";
+ params = lib.mkOption {
+ default = [ ];
+ type = with lib.types; listOf str;
+ };
 };
 }
diff --git a/option/Package.nix b/option/Package.nix
index fd9dac89..d2b4ec41 100644
--- a/option/Package.nix
+++ b/option/Package.nix
@@ -3,12 +3,12 @@
 ...
 }: {
 options.module.package = {
- common.enable = lib.mkEnableOption "Common Apps.";
- core.enable = lib.mkEnableOption "Core apps.";
- creative.enable = lib.mkEnableOption "Creative Apps.";
- desktop.enable = lib.mkEnableOption "Desktop Apps.";
- dev.enable = lib.mkEnableOption "Dev Apps.";
- extra.enable = lib.mkEnableOption "Extra Apps.";
- gaming.enable = lib.mkEnableOption "Gaming Apps.";
+ common = lib.mkEnableOption "Common Apps.";
+ core = lib.mkEnableOption "Core apps.";
+ creativity = lib.mkEnableOption "Creative Apps.";
+ desktop = lib.mkEnableOption "Desktop Apps.";
+ dev = lib.mkEnableOption "Dev Apps.";
+ extra = lib.mkEnableOption "Extra Apps.";
+ gaming = lib.mkEnableOption "Gaming Apps.";
 };
 }
diff --git a/option/Purpose.nix b/option/Purpose.nix
new file mode 100644
index 00000000..885708a4
--- /dev/null
+++ b/option/Purpose.nix
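Review bot: `module.dpi` changes meaning in this hunk from screen density to deep-packet-inspection bypass while the old header comment is deleted and nothing replaces it, and `params` — a list of raw command-line arguments handed to a network service — carries no `description`, so a reader has only the option name to go on. Add a header `# DPI (deep packet inspection) bypass configuration.` and give `params` a description such as `description = "Command-line parameters passed to the zapret service.";`. The `mkEnableOption` text `"the DPI bypass."` also produces a double period in the generated "Whether to enable …" description, so the trailing dot should go; the same applies to the `"dasha."`, `"root."` and `"voronind."` strings in user/Dasha.nix, user/Root.nix and user/Voronind.nix further down in this diff.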
@@ -0,0 +1,16 @@
+{
+ lib,
+ ...
+}: {
+ options.module.purpose = {
+ creativity = lib.mkEnableOption "creativity modules";
+ desktop = lib.mkEnableOption "desktop modules.";
+ disown = lib.mkEnableOption "modules for machines not used by me.";
+ gaming = lib.mkEnableOption "gaming modules.";
+ laptop = lib.mkEnableOption "laptop modules.";
+ phone = lib.mkEnableOption "phone modules.";
+ router = lib.mkEnableOption "router modules.";
+ server = lib.mkEnableOption "server modules.";
+ work = lib.mkEnableOption "work modules.";
+ };
+}
diff --git a/user/Dasha.nix b/user/Dasha.nix
index 5f0156fc..14e01685 100644
--- a/user/Dasha.nix
+++ b/user/Dasha.nix
@@ -3,13 +3,11 @@
 config,
 ...
 }: let
- cfg = config.user.dasha;
+ cfg = config.user;
 in {
- options.user.dasha = {
- enable = lib.mkEnableOption "dasha";
- };
+ options.user.dasha = lib.mkEnableOption "dasha.";
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.dasha {
 home.nixos.users = [{
 homeDirectory = "/home/dasha";
 username = "dasha";
diff --git a/user/Root.nix b/user/Root.nix
index 821f0362..6467eea8 100644
--- a/user/Root.nix
+++ b/user/Root.nix
@@ -5,13 +5,11 @@
 util,
 ...
 }: let
- cfg = config.user.root;
+ cfg = config.user;
 in {
- options.user.root = {
- enable = lib.mkEnableOption "root";
- };
+ options.user.root = lib.mkEnableOption "root.";
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.root {
 users.users.root.hashedPassword = secret.hashedPassword;
 home.nixos.users = [{
 homeDirectory = "/root";
diff --git a/user/Voronind.nix b/user/Voronind.nix
index e394fb78..2f0125f8 100644
--- a/user/Voronind.nix
+++ b/user/Voronind.nix
@@ -4,13 +4,11 @@
 secret,
 ...
 }: let
- cfg = config.user.voronind;
+ cfg = config.user;
 in {
- options.user.voronind = {
- enable = lib.mkEnableOption "voronind";
- };
+ options.user.voronind = lib.mkEnableOption "voronind.";
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.voronind {
 home.nixos.users = [{
 homeDirectory = "/home/voronind";
 username = "voronind";