Refactor.

This commit is contained in:
Dmitry Voronin 2024-11-16 06:38:48 +03:00
parent a54f8699a4
commit 77f294fc37
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
24 changed files with 314 additions and 225 deletions

43
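--- a/config/Dpi.nix
+++ b/config/Dpi.nix
@@ -0,0 +1,43 @@
+{
+config,
+inputs,
+lib,
+pkgsMaster,
+...
+}: let
+cfg = config.module.dpi;
+in {
+disabledModules = [ "services/networking/zapret.nix" ];
+imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
+config = lib.mkIf cfg.bypass.enable {
+services.zapret = {
+inherit (cfg.bypass) params;
+enable = true;
+package = pkgsMaster.zapret;
+whitelist = [
+"youtube.com"
+"googlevideo.com"
+"ytimg.com"
+"youtu.be"
+"rutracker.org"
+"rutracker.cc"
+"rutrk.org"
+"t-ru.org"
+"medium.com"
+"dis.gd"
+"discord.co"
+"discord.com"
+"discord.dev"
+"discord.gg"
+"discord.gift"
+"discord.media"
+"discord.new"
+"discordapp.com"
+"discordapp.net"
+"discordcdn.com"
+"discordstatus.com"
+];
+};
+};
+}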
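Review bot: Enabling `module.dpi.bypass` with the option's default `params = [ ]` (option/Dpi.nix in this commit) starts zapret with no desync strategy at all, because `inherit (cfg.bypass) params` passes the list through verbatim; the router host happens to set it, but nothing in the module enforces that. Add `assertions = [ { assertion = cfg.bypass.params != [ ]; message = "module.dpi.bypass.params must list at least one zapret option"; } ];` inside the `mkIf` so a misconfigured host fails at evaluation rather than silently running a no-op daemon. The whitelist is fixed in the module while the parameters are a host option; exposing it as `cfg.bypass.whitelist` with this list as the default keeps both halves of the zapret config in one place and lets other hosts diverge without editing the module. Also note the service comes from `pkgsMaster`/`nixpkgsMaster` rather than the stable input, so a root-level nfqueue daemon is only as pinned as that input's lock entry — worth a comment stating why master is required.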


@ -28,7 +28,7 @@ in {
# Packet forwarding. # Packet forwarding.
"net.ipv4.ip_forward" = 0; "net.ipv4.ip_forward" = 0;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 0;
# MITM protection. # MITM protection.
"net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.all.accept_redirects" = 0;
@ -48,19 +48,6 @@ in {
# Lynis config. # Lynis config.
"kernel.core_uses_pid" = 1; "kernel.core_uses_pid" = 1;
"kernel.kptr_restrict" = 2; "kernel.kptr_restrict" = 2;
# IP hardening.
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.default.log_martians" = 0;
"net.ipv4.tcp_timestamps" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Disable ipv6.
"net.ipv6.conf.all.disable_ipv6" = 1;
"net.ipv6.conf.default.disable_ipv6" = 1;
"net.ipv6.conf.lo.disable_ipv6" = 1;
}; };
}) })
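Review bot: Dropping `net.ipv4.conf.default.accept_redirects = 0` and `net.ipv6.conf.default.accept_redirects = 0` in the second hunk undercuts the `# MITM protection.` block the first hunk keeps: for IPv4 with forwarding off the kernel accepts a redirect when either `all.` or the per-interface value is set, and interfaces inherit `default.` (kernel value 1) at creation, so `all.accept_redirects = 0` alone no longer blocks them; for IPv6 the `all.` key is, as far as I recall, not applied per interface at all, so only the `default.`/per-interface keys matter. Because the same hunk also stops setting `disable_ipv6`, the IPv6 stack is now live on these hosts with redirects accepted. I would keep `"net.ipv4.conf.default.accept_redirects" = 0;`, `"net.ipv6.conf.default.accept_redirects" = 0;` and `"net.ipv4.conf.default.accept_source_route" = 0;` (and `log_martians` if the logs are read); if they were removed so that `purpose.router` can override them, that block already uses `lib.mkForce`, so `lib.mkDefault` here is sufficient. The sysctl attrset starts and ends outside both hunks.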


@ -10,7 +10,7 @@
in { in {
config = lib.mkMerge [ config = lib.mkMerge [
# Core apps. # Core apps.
(lib.mkIf cfg.core.enable { (lib.mkIf cfg.core {
environment.systemPackages = package.core; environment.systemPackages = package.core;
programs = { programs = {
@ -27,7 +27,7 @@ in {
}) })
# Common apps. # Common apps.
(lib.mkIf cfg.common.enable { (lib.mkIf cfg.common {
environment.systemPackages = package.common; environment.systemPackages = package.common;
xdg.mime.defaultApplications = { xdg.mime.defaultApplications = {
@ -53,12 +53,12 @@ in {
}) })
# Desktop apps. # Desktop apps.
(lib.mkIf cfg.desktop.enable { (lib.mkIf cfg.desktop {
environment.systemPackages = package.desktop; environment.systemPackages = package.desktop;
}) })
# Gaming. # Gaming.
(lib.mkIf cfg.gaming.enable { (lib.mkIf cfg.gaming {
programs.steam.enable = true; programs.steam.enable = true;
environment.systemPackages = package.gaming; environment.systemPackages = package.gaming;
hardware.graphics = let hardware.graphics = let
@ -74,18 +74,18 @@ in {
}; };
}) })
# Creative. # Creativity.
(lib.mkIf cfg.creative.enable { (lib.mkIf cfg.creativity {
environment.systemPackages = package.creative; environment.systemPackages = package.creative;
}) })
# Development. # Development.
(lib.mkIf cfg.dev.enable { (lib.mkIf cfg.dev {
environment.systemPackages = package.dev; environment.systemPackages = package.dev;
}) })
# Extras. # Extras.
(lib.mkIf cfg.extra.enable { (lib.mkIf cfg.extra {
environment.systemPackages = package.extra; environment.systemPackages = package.extra;
}) })
]; ];

134
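--- a/config/Purpose.nix
+++ b/config/Purpose.nix
@@ -0,0 +1,134 @@
+{
+config,
+lib,
+...
+}: let
+cfg = config.module.purpose;
+in {
+config = lib.mkMerge [
+(lib.mkIf cfg.creativity {
+module = {
+tablet.enable = true;
+package.creativity = true;
+};
+})
+(lib.mkIf cfg.desktop {
+module = {
+keyd.enable = true;
+sway.enable = true;
+kernel = {
+enable = true;
+latest = true;
+};
+package = {
+common = true;
+core = true;
+desktop = true;
+};
+};
+})
+(lib.mkIf cfg.disown {
+module = {
+autoupdate.enable = true;
+kernel = {
+enable = true;
+hardening = true;
+};
+};
+})
+(lib.mkIf cfg.gaming {
+module.package.gaming = true;
+})
+(lib.mkIf cfg.laptop {
+services.tlp.enable = true; # Automatic powersaving based on Pluged/AC states.
+module = {
+keyd.enable = true;
+sway.enable = true;
+kernel = {
+enable = true;
+hardening = true;
+latest = true;
+};
+package = {
+common = true;
+core = true;
+desktop = true;
+};
+};
+})
+(lib.mkIf cfg.phone {
+})
+(lib.mkIf cfg.router {
+module = {
+kernel = {
+enable = true;
+hardening = true;
+};
+package = {
+common = true;
+core = true;
+};
+};
+# De-harden some stuff.
+boot.kernel.sysctl = {
+# Allow spoofing.
+"net.ipv4.conf.all.rp_filter" = lib.mkForce 0;
+"net.ipv4.conf.default.rp_filter" = lib.mkForce 0;
+# Forward packets.
+"net.ipv4.ip_forward" = lib.mkForce 1;
+"net.ipv6.conf.all.forwarding" = lib.mkForce 1;
+"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
+# Allow redirects.
+"net.ipv4.conf.all.accept_redirects" = lib.mkForce 1;
+"net.ipv6.conf.all.accept_redirects" = lib.mkForce 1;
+# Send ICMP.
+"net.ipv4.conf.all.send_redirects" = lib.mkForce 1;
+# Accept IP source route packets.
+"net.ipv4.conf.all.accept_source_route" = lib.mkForce 1;
+"net.ipv6.conf.all.accept_source_route" = lib.mkForce 1;
+};
+})
+(lib.mkIf cfg.server {
+module = {
+keyd.enable = true;
+kernel = {
+enable = true;
+hardening = true;
+};
+package = {
+common = true;
+core = true;
+};
+};
+})
+(lib.mkIf cfg.work {
+module = {
+distrobox.enable = true;
+ollama.enable = true;
+package.dev = true;
+virtmanager.enable = true;
+docker = {
+enable = true;
+autostart = false;
+rootless = false;
+};
+kernel = {
+enable = true;
+hardening = true;
+};
+};
+})
+];
+}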
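Review bot: The `router` block re-enables things a gateway does not need to forward traffic: `net.ipv4.conf.all.accept_redirects`/`net.ipv6.conf.all.accept_redirects = 1` and `net.ipv4.conf.all.accept_source_route`/`net.ipv6.conf.all.accept_source_route = 1` make the router itself honour ICMP redirects and source-routed packets arriving on its WAN side, which is exactly the surface the hardened sysctl profile it requests two lines earlier (`kernel.hardening = true`) closes. `rp_filter = 0`, commented `Allow spoofing`, removes reverse-path filtering entirely; if this is for asymmetric or VPN routes, loose mode `"net.ipv4.conf.all.rp_filter" = lib.mkForce 2;` keeps the anti-spoofing check while permitting them. I would keep only `ip_forward`, `forwarding`, `src_valid_mark` and `send_redirects` here and drop the four `accept_*` overrides, or scope them to the LAN interface with per-interface keys if something on that side genuinely relies on them, with a comment saying what. Minor: the tlp comment reads `Pluged`, presumably `Plugged`.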


@ -57,15 +57,10 @@ in {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
}; };
# TODO: Single place.
services.zapret = { services.zapret = {
enable = true; inherit (config.services.zapret) params;
enable = true;
package = pkgsMaster.zapret; package = pkgsMaster.zapret;
params = [
"--dpi-desync=fake,disorder2"
"--dpi-desync-ttl=1"
"--dpi-desync-autottl=2"
];
}; };
services = { services = {
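Review bot: `inherit (config.services.zapret) params;` inside `services.zapret = { … }` defines `services.zapret.params` as its own merged value, which the module system should reject as infinite recursion the moment `params` is evaluated; the value you want is `config.module.dpi.bypass.params`, but config/Dpi.nix in this commit already wires that up, so the whole `services.zapret` block here can go and the `TODO: Single place.` is then actually resolved. Leaving `enable`/`package` duplicated here and in Dpi.nix is harmless today but means a host that sets `purpose.router` without `dpi.bypass.enable` still runs zapret with neither params nor whitelist. The enclosing attrset starts and ends outside this hunk.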


@ -4,7 +4,7 @@
... ...
}: let }: let
borderSize = toString config.module.style.window.border; borderSize = toString config.module.style.window.border;
dpiAware = if config.module.dpi.aware then "yes" else "no"; dpiAware = if config.module.display.dpiAware then "yes" else "no";
fontStep = 1; fontStep = 1;
in { in {
file = (pkgs.formats.iniWithGlobalSection { }).generate "FootConfig" { file = (pkgs.formats.iniWithGlobalSection { }).generate "FootConfig" {


@ -3,7 +3,7 @@
config, config,
... ...
}: let }: let
dpiAware = if config.module.dpi.aware then "yes" else "no"; dpiAware = if config.module.display.dpiAware then "yes" else "no";
in { in {
file = (pkgs.formats.ini { }).generate "FuzzelConfig" { file = (pkgs.formats.ini { }).generate "FuzzelConfig" {
main = { main = {


@ -1,19 +1,22 @@
{ ... }: { { ... }: {
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
dasha.enable = true; dasha = true;
root.enable = true; root = true;
}; };
module = { module = {
amd.gpu.enable = true;
autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
sway.enable = true; amd.gpu.enable = true;
kernel.enable = true; package.extra = true;
keyd.enable = true; print.enable = true;
print.enable = true; purpose = {
tablet.enable = true; creativity = true;
desktop = true;
disown = true;
gaming = true;
work = true;
};
hwmon = { hwmon = {
file = "temp1_input"; file = "temp1_input";
path = "/sys/devices/platform/coretemp.0/hwmon"; path = "/sys/devices/platform/coretemp.0/hwmon";
@ -22,14 +25,5 @@
enable = true; enable = true;
powersave = true; powersave = true;
}; };
package = {
common.enable = true;
core.enable = true;
creative.enable = true;
desktop.enable = true;
dev.enable = true;
extra.enable = true;
gaming.enable = true;
};
}; };
} }


@ -1,17 +1,19 @@
{ ... }: { { ... }: {
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
root.enable = true; root = true;
voronind.enable = true; voronind = true;
}; };
module = { module = {
builder.client.enable = true; builder.client.enable = true;
distrobox.enable = true; package.extra = true;
keyd.enable = true; print.enable = true;
ollama.enable = true; purpose = {
print.enable = true; desktop = true;
virtmanager.enable = true; gaming = true;
work = true;
};
amd = { amd = {
compute.enable = true; compute.enable = true;
gpu.enable = true; gpu.enable = true;
@ -20,35 +22,14 @@
powersave = true; powersave = true;
}; };
}; };
sway = { sway.extraConfig = ''
enable = true; output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165" mode 1920x1080@74.986Hz transform 180 pos 780,0
extraConfig = '' output "Huawei Technologies Co., Inc. ZQE-CBA 0xC080F622" pos 0,1080
output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165" mode 1920x1080@74.986Hz transform 180 pos 780,0 workspace 1 output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165"
output "Huawei Technologies Co., Inc. ZQE-CBA 0xC080F622" pos 0,1080 '';
workspace 1 output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165"
'';
};
docker = {
enable = true;
autostart = false;
rootless = false;
};
hwmon = { hwmon = {
file = "temp1_input"; file = "temp1_input";
path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon"; path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
}; };
kernel = {
enable = true;
latest = true;
};
package = {
common.enable = true;
core.enable = true;
creative.enable = true;
desktop.enable = true;
dev.enable = true;
extra.enable = true;
gaming.enable = true;
};
}; };
} }


@ -11,12 +11,6 @@
lan = "br0"; # Lan interface. lan = "br0"; # Lan interface.
wan = "enp8s0"; # Wan interface. wan = "enp8s0"; # Wan interface.
in { in {
# Allow packet routing (we are a router).
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
"net.ipv4.ip_forward" = lib.mkForce 1;
};
# Disable SSH access from everywhere, configure access bellow. # Disable SSH access from everywhere, configure access bellow.
services.openssh.openFirewall = false; services.openssh.openFirewall = false;
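Review bot: With the `ip_forward`/`src_valid_mark` sysctls removed from this file, the bridge/WAN setup that follows only routes if the host also sets `module.purpose.router` (config/Purpose.nix in this commit); enabling this module alone now yields a box that fails closed but silently. An `assertions = [ { assertion = config.module.purpose.router; message = "the router module requires module.purpose.router"; } ];` next to the `openFirewall = false` line makes the dependency explicit, or a one-line comment `# Forwarding sysctls live in module.purpose.router.` if the coupling is intended. The file continues outside this hunk.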


@ -1,42 +0,0 @@
{
inputs,
pkgsMaster,
...
}: {
disabledModules = [ "services/networking/zapret.nix" ];
imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
# TODO: Single place.
services.zapret = {
enable = true;
package = pkgsMaster.zapret;
params = [
"--dpi-desync=fake,disorder2"
"--dpi-desync-ttl=1"
"--dpi-desync-autottl=2"
];
whitelist = [
"youtube.com"
"googlevideo.com"
"ytimg.com"
"youtu.be"
"rutracker.org"
"rutracker.cc"
"rutrk.org"
"t-ru.org"
"medium.com"
"dis.gd"
"discord.co"
"discord.com"
"discord.dev"
"discord.gg"
"discord.gift"
"discord.media"
"discord.new"
"discordapp.com"
"discordapp.net"
"discordcdn.com"
"discordstatus.com"
];
};
}


@ -1,15 +1,25 @@
{ ... }: { { ... }: {
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
root.enable = true; root = true;
voronind.enable = true; voronind = true;
}; };
module = { module = {
builder.server.enable = true; builder.server.enable = true;
sway.enable = true; purpose = {
kernel.enable = true; desktop = true;
keyd.enable = true; router = true;
server = true;
};
dpi.bypass = {
enable = true;
params = [
"--dpi-desync=fake,disorder2"
"--dpi-desync-ttl=1"
"--dpi-desync-autottl=2"
];
};
amd = { amd = {
cpu.enable = true; cpu.enable = true;
gpu.enable = true; gpu.enable = true;
@ -22,10 +32,5 @@
file = "temp1_input"; file = "temp1_input";
path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon"; path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
}; };
package = {
common.enable = true;
core.enable = true;
desktop.enable = true;
};
}; };
} }
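Review bot: `purpose.desktop` on the gateway pulls in `sway`, `keyd`, `package.desktop` and `kernel.latest = true` (config/Purpose.nix in this commit) while `router`/`server` ask for `kernel.hardening = true`; whether a latest-plus-hardened kernel composes depends on the kernel module, which is not in this diff, and a graphical session on the host that terminates WAN traffic is attack surface the old config did not have in this form. If the desktop bits are only for occasional console use, drop `desktop = true;` here or add a leaner purpose that gives the router just `package.core`/`common`. The `dpi.bypass.params` block is now the single place the zapret strategy lives, so a comment such as `# TTL values tuned for this uplink; see config/Dpi.nix for the whitelist.` would help the next person who touches it.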


@ -1,19 +1,21 @@
{ ... }: { { ... }: {
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
dasha.enable = true; dasha = true;
root.enable = true; root = true;
voronind.enable = true; voronind = true;
}; };
module = { module = {
autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
sway.enable = true; print.enable = true;
kernel.enable = true; purpose = {
keyd.enable = true; creativity = true;
print.enable = true; disown = true;
tablet.enable = true; gaming = true;
laptop = true;
work = true;
};
amd = { amd = {
compute.enable = true; compute.enable = true;
cpu = { cpu = {
@ -22,13 +24,5 @@
}; };
gpu.enable = true; gpu.enable = true;
}; };
package = {
common.enable = true;
core.enable = true;
desktop.enable = true;
gaming.enable = true;
creative.enable = true;
dev.enable = true;
};
}; };
} }


@ -18,5 +18,5 @@
# Root user setup. # Root user setup.
home.nixos.enable = true; home.nixos.enable = true;
user.root.enable = true; user.root = true;
} }


@ -1,3 +0,0 @@
{ ... }: {
services.tlp.enable = true;
}


@ -1,25 +1,23 @@
{ ... }: { { ... }: {
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
root.enable = true; root = true;
voronind.enable = true; voronind = true;
}; };
module = { module = {
builder.client.enable = true; builder.client.enable = true;
keyd.enable = true; package.extra = true;
print.enable = true; print.enable = true;
sway = { purpose = {
enable = true; creativity = true;
extraConfig = '' laptop = true;
output DSI-1 transform 90 work = true;
input * map_to_output DSI-1
'';
};
kernel = {
enable = true;
latest = true;
}; };
sway.extraConfig = ''
output DSI-1 transform 90
input * map_to_output DSI-1
'';
hwmon = { hwmon = {
file = "temp1_input"; file = "temp1_input";
path = "/sys/devices/platform/coretemp.0/hwmon"; path = "/sys/devices/platform/coretemp.0/hwmon";
@ -28,14 +26,5 @@
enable = true; enable = true;
powersave = true; powersave = true;
}; };
package = {
common.enable = true;
core.enable = true;
creative.enable = true;
desktop.enable = true;
dev.enable = true;
extra.enable = true;
gaming.enable = true;
};
}; };
} }


@ -4,19 +4,23 @@
home.nixos.enable = true; home.nixos.enable = true;
user = { user = {
root.enable = true; dasha = true;
dasha.enable = true; root = true;
voronind.enable = true; voronind = true;
}; };
module = { module = {
autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
sway.enable = true; package.extra = true;
kernel.enable = true;
keyd.enable = true;
powerlimit.thinkpad.enable = true; powerlimit.thinkpad.enable = true;
print.enable = true; print.enable = true;
purpose = {
creativity = true;
disown = true;
gaming = true;
laptop = true;
work = true;
};
hwmon = { hwmon = {
file = "temp1_input"; file = "temp1_input";
path = "/sys/devices/platform/coretemp.0/hwmon"; path = "/sys/devices/platform/coretemp.0/hwmon";
@ -25,13 +29,5 @@
enable = true; enable = true;
powersave = true; powersave = true;
}; };
package = {
common.enable = true;
core.enable = true;
desktop.enable = true;
dev.enable = true;
extra.enable = true;
gaming.enable = true;
};
}; };
} }

10
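--- a/option/Display.nix
+++ b/option/Display.nix
@@ -0,0 +1,10 @@
+# Screen configuration.
+{
+lib,
+...
+}: {
+options.module.display.dpiAware = lib.mkOption {
+default = false;
+type = lib.types.bool;
+};
+}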
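Review bot: `module.display.dpiAware` has no `description`, so it renders blank in the generated options documentation. The foot and fuzzel configs in this commit read it as a yes/no value, so something like `description = "Whether terminal and launcher configs are told to scale with output DPI (foot/fuzzel dpi-aware).";` documents it without guessing at anything else. A sentence in the header comment noting that `module.dpi` now means deep-packet inspection, not screen density, would stop the two being confused.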


@ -1,10 +1,12 @@
# Screen density configuration.
{ {
lib, lib,
... ...
}: { }: {
options.module.dpi.aware = lib.mkOption { options.module.dpi.bypass = {
default = false; enable = lib.mkEnableOption "the DPI bypass.";
type = lib.types.bool; params = lib.mkOption {
default = [ ];
type = with lib.types; listOf str;
};
}; };
} }
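Review bot: `lib.mkEnableOption "the DPI bypass."` renders as "Whether to enable the DPI bypass.." because `mkEnableOption` appends its own full stop; drop the trailing period. `params` has no `description` although its strings are passed verbatim as zapret command-line flags (config/Dpi.nix), so add `description = "Extra command-line options passed unchanged to zapret.";` and `example = [ "--dpi-desync=fake,disorder2" ];`. The old `# Screen density configuration.` header was removed but nothing replaced it, and `module.dpi` now sits beside `module.display.dpiAware`; a one-line `# Deep-packet-inspection bypass (zapret).` header makes the new meaning explicit.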


@ -3,12 +3,12 @@
... ...
}: { }: {
options.module.package = { options.module.package = {
common.enable = lib.mkEnableOption "Common Apps."; common = lib.mkEnableOption "Common Apps.";
core.enable = lib.mkEnableOption "Core apps."; core = lib.mkEnableOption "Core apps.";
creative.enable = lib.mkEnableOption "Creative Apps."; creativity = lib.mkEnableOption "Creative Apps.";
desktop.enable = lib.mkEnableOption "Desktop Apps."; desktop = lib.mkEnableOption "Desktop Apps.";
dev.enable = lib.mkEnableOption "Dev Apps."; dev = lib.mkEnableOption "Dev Apps.";
extra.enable = lib.mkEnableOption "Extra Apps."; extra = lib.mkEnableOption "Extra Apps.";
gaming.enable = lib.mkEnableOption "Gaming Apps."; gaming = lib.mkEnableOption "Gaming Apps.";
}; };
} }

16
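--- a/option/Purpose.nix
+++ b/option/Purpose.nix
@@ -0,0 +1,16 @@
+{
+lib,
+...
+}: {
+options.module.purpose = {
+creativity = lib.mkEnableOption "creativity modules";
+desktop = lib.mkEnableOption "desktop modules.";
+disown = lib.mkEnableOption "modules for machines not used by me.";
+gaming = lib.mkEnableOption "gaming modules.";
+laptop = lib.mkEnableOption "laptop modules.";
+phone = lib.mkEnableOption "phone modules.";
+router = lib.mkEnableOption "router modules.";
+server = lib.mkEnableOption "server modules.";
+work = lib.mkEnableOption "work modules.";
+};
+}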


@ -3,13 +3,11 @@
config, config,
... ...
}: let }: let
cfg = config.user.dasha; cfg = config.user;
in { in {
options.user.dasha = { options.user.dasha = lib.mkEnableOption "dasha.";
enable = lib.mkEnableOption "dasha";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.dasha {
home.nixos.users = [{ home.nixos.users = [{
homeDirectory = "/home/dasha"; homeDirectory = "/home/dasha";
username = "dasha"; username = "dasha";


@ -5,13 +5,11 @@
util, util,
... ...
}: let }: let
cfg = config.user.root; cfg = config.user;
in { in {
options.user.root = { options.user.root = lib.mkEnableOption "root.";
enable = lib.mkEnableOption "root";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.root {
users.users.root.hashedPassword = secret.hashedPassword; users.users.root.hashedPassword = secret.hashedPassword;
home.nixos.users = [{ home.nixos.users = [{
homeDirectory = "/root"; homeDirectory = "/root";


@ -4,13 +4,11 @@
secret, secret,
... ...
}: let }: let
cfg = config.user.voronind; cfg = config.user;
in { in {
options.user.voronind = { options.user.voronind = lib.mkEnableOption "voronind.";
enable = lib.mkEnableOption "voronind";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.voronind {
home.nixos.users = [{ home.nixos.users = [{
homeDirectory = "/home/voronind"; homeDirectory = "/home/voronind";
username = "voronind"; username = "voronind";