Refactor.

2024-11-16 06:38:48 +03:00 · 2024-11-16 06:38:48 +03:00 · 77f294fc37
parent a54f8699a4
commit 77f294fc37
24 changed files with 314 additions and 225 deletions
--- a/config/Dpi.nix
+++ b/config/Dpi.nix
@ -0,0 +1,43 @@
+{
+	config,
+	inputs,
+	lib,
+	pkgsMaster,
+	...
+}: let
+	cfg = config.module.dpi;
+in {
+	disabledModules = [ "services/networking/zapret.nix" ];
+	imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
+
+	config = lib.mkIf cfg.bypass.enable {
+		services.zapret = {
+			inherit (cfg.bypass) params;
+			enable  = true;
+			package = pkgsMaster.zapret;
+			whitelist = [
+				"youtube.com"
+				"googlevideo.com"
+				"ytimg.com"
+				"youtu.be"
+				"rutracker.org"
+				"rutracker.cc"
+				"rutrk.org"
+				"t-ru.org"
+				"medium.com"
+				"dis.gd"
+				"discord.co"
+				"discord.com"
+				"discord.dev"
+				"discord.gg"
+				"discord.gift"
+				"discord.media"
+				"discord.new"
+				"discordapp.com"
+				"discordapp.net"
+				"discordcdn.com"
+				"discordstatus.com"
+			];
+		};
+	};
+}
--- a/config/Kernel.nix
+++ b/config/Kernel.nix
@ -28,7 +28,7 @@ in {

 				# Packet forwarding.
 				"net.ipv4.ip_forward"          = 0;
-				"net.ipv6.conf.all.forwarding" = 1;
+				"net.ipv6.conf.all.forwarding" = 0;

 				# MITM protection.
 				"net.ipv4.conf.all.accept_redirects" = 0;
@ -48,19 +48,6 @@ in {
 				# Lynis config.
 				"kernel.core_uses_pid" = 1;
 				"kernel.kptr_restrict" = 2;
-
-				# IP hardening.
-				"net.ipv4.conf.all.log_martians"            = 1;
-				"net.ipv4.conf.default.accept_redirects"    = 0;
-				"net.ipv4.conf.default.accept_source_route" = 0;
-				"net.ipv4.conf.default.log_martians"        = 0;
-				"net.ipv4.tcp_timestamps"                   = 0;
-				"net.ipv6.conf.default.accept_redirects"    = 0;
-
-				# Disable ipv6.
-				"net.ipv6.conf.all.disable_ipv6"     = 1;
-				"net.ipv6.conf.default.disable_ipv6" = 1;
-				"net.ipv6.conf.lo.disable_ipv6"      = 1;
 			};
 		})

--- a/config/Package.nix
+++ b/config/Package.nix
@ -10,7 +10,7 @@
 in {
 	config = lib.mkMerge [
 		# Core apps.
-		(lib.mkIf cfg.core.enable {
+		(lib.mkIf cfg.core {
 			environment.systemPackages = package.core;

 			programs = {
@ -27,7 +27,7 @@ in {
 		})

 		# Common apps.
-		(lib.mkIf cfg.common.enable {
+		(lib.mkIf cfg.common {
 			environment.systemPackages = package.common;

 			xdg.mime.defaultApplications = {
@ -53,12 +53,12 @@ in {
 		})

 		# Desktop apps.
-		(lib.mkIf cfg.desktop.enable {
+		(lib.mkIf cfg.desktop {
 			environment.systemPackages = package.desktop;
 		})

 		# Gaming.
-		(lib.mkIf cfg.gaming.enable {
+		(lib.mkIf cfg.gaming {
 			programs.steam.enable = true;
 			environment.systemPackages = package.gaming;
 			hardware.graphics = let
@ -74,18 +74,18 @@ in {
 			};
 		})

-		# Creative.
-		(lib.mkIf cfg.creative.enable {
+		# Creativity.
+		(lib.mkIf cfg.creativity {
 			environment.systemPackages = package.creative;
 		})

 		# Development.
-		(lib.mkIf cfg.dev.enable {
+		(lib.mkIf cfg.dev {
 			environment.systemPackages = package.dev;
 		})

 		# Extras.
-		(lib.mkIf cfg.extra.enable {
+		(lib.mkIf cfg.extra {
 			environment.systemPackages = package.extra;
 		})
 	];
--- a/config/Purpose.nix
+++ b/config/Purpose.nix
@ -0,0 +1,134 @@
+{
+	config,
+	lib,
+	...
+}: let
+	cfg = config.module.purpose;
+in {
+	config = lib.mkMerge [
+		(lib.mkIf cfg.creativity {
+			module = {
+				tablet.enable = true;
+				package.creativity = true;
+			};
+		})
+
+		(lib.mkIf cfg.desktop {
+			module = {
+				keyd.enable = true;
+				sway.enable = true;
+				kernel = {
+					enable = true;
+					latest = true;
+				};
+				package = {
+					common  = true;
+					core    = true;
+					desktop = true;
+				};
+			};
+		})
+
+		(lib.mkIf cfg.disown {
+			module = {
+				autoupdate.enable = true;
+				kernel = {
+					enable    = true;
+					hardening = true;
+				};
+			};
+		})
+
+		(lib.mkIf cfg.gaming {
+			module.package.gaming = true;
+		})
+
+		(lib.mkIf cfg.laptop {
+			services.tlp.enable = true; # Automatic powersaving based on Pluged/AC states.
+			module = {
+				keyd.enable = true;
+				sway.enable = true;
+				kernel = {
+					enable    = true;
+					hardening = true;
+					latest    = true;
+				};
+				package = {
+					common  = true;
+					core    = true;
+					desktop = true;
+				};
+			};
+		})
+
+		(lib.mkIf cfg.phone {
+		})
+
+		(lib.mkIf cfg.router {
+			module = {
+				kernel = {
+					enable    = true;
+					hardening = true;
+				};
+				package = {
+					common = true;
+					core   = true;
+				};
+			};
+			# De-harden some stuff.
+			boot.kernel.sysctl = {
+				# Allow spoofing.
+				"net.ipv4.conf.all.rp_filter"     = lib.mkForce 0;
+				"net.ipv4.conf.default.rp_filter" = lib.mkForce 0;
+
+				# Forward packets.
+				"net.ipv4.ip_forward"              = lib.mkForce 1;
+				"net.ipv6.conf.all.forwarding"     = lib.mkForce 1;
+				"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
+
+				# Allow redirects.
+				"net.ipv4.conf.all.accept_redirects" = lib.mkForce 1;
+				"net.ipv6.conf.all.accept_redirects" = lib.mkForce 1;
+
+				# Send ICMP.
+				"net.ipv4.conf.all.send_redirects" = lib.mkForce 1;
+
+				# Accept IP source route packets.
+				"net.ipv4.conf.all.accept_source_route" = lib.mkForce 1;
+				"net.ipv6.conf.all.accept_source_route" = lib.mkForce 1;
+			};
+		})
+
+		(lib.mkIf cfg.server {
+			module = {
+				keyd.enable = true;
+				kernel = {
+					enable    = true;
+					hardening = true;
+				};
+				package = {
+					common = true;
+					core   = true;
+				};
+			};
+		})
+
+		(lib.mkIf cfg.work {
+			module = {
+				distrobox.enable   = true;
+				ollama.enable      = true;
+				package.dev        = true;
+				virtmanager.enable = true;
+				docker = {
+					enable    = true;
+					autostart = false;
+					rootless  = false;
+				};
+				kernel = {
+					enable    = true;
+					hardening = true;
+				};
+			};
+		})
+	];
+}
--- a/container/Frkn.nix
+++ b/container/Frkn.nix
@ -57,15 +57,10 @@ in {
 					"net.ipv4.ip_forward" = 1;
 				};

-				# TODO: Single place.
 				services.zapret = {
+					inherit (config.services.zapret) params;
 					enable  = true;
 					package = pkgsMaster.zapret;
-					params = [
-						"--dpi-desync=fake,disorder2"
-						"--dpi-desync-ttl=1"
-						"--dpi-desync-autottl=2"
-					];
 				};

 				services = {
--- a/home/file/foot/default.nix
+++ b/home/file/foot/default.nix
@ -4,7 +4,7 @@
 	...
 }: let
 	borderSize = toString config.module.style.window.border;
-	dpiAware   = if config.module.dpi.aware then "yes" else "no";
+	dpiAware   = if config.module.display.dpiAware then "yes" else "no";
 	fontStep   = 1;
 in {
 	file = (pkgs.formats.iniWithGlobalSection { }).generate "FootConfig" {
--- a/home/file/fuzzel/default.nix
+++ b/home/file/fuzzel/default.nix
@ -3,7 +3,7 @@
 	config,
 	...
 }: let
-	dpiAware = if config.module.dpi.aware then "yes" else "no";
+	dpiAware = if config.module.display.dpiAware then "yes" else "no";
 in {
 	file = (pkgs.formats.ini { }).generate "FuzzelConfig" {
 		main = {
--- a/host/x86_64-linux/dasha/default.nix
+++ b/host/x86_64-linux/dasha/default.nix
@ -1,19 +1,22 @@
 { ... }: {
 	home.nixos.enable = true;
 	user = {
-		dasha.enable = true;
-		root.enable  = true;
+		dasha = true;
+		root  = true;
 	};

 	module = {
-		amd.gpu.enable        = true;
-		autoupdate.enable     = true;
 		builder.client.enable = true;
-		sway.enable           = true;
-		kernel.enable         = true;
-		keyd.enable           = true;
+		amd.gpu.enable = true;
+		package.extra  = true;
 		print.enable   = true;
-		tablet.enable         = true;
+		purpose = {
+			creativity = true;
+			desktop    = true;
+			disown     = true;
+			gaming     = true;
+			work       = true;
+		};
 		hwmon = {
 			file = "temp1_input";
 			path = "/sys/devices/platform/coretemp.0/hwmon";
@ -22,14 +25,5 @@
 			enable    = true;
 			powersave = true;
 		};
-		package = {
-			common.enable   = true;
-			core.enable     = true;
-			creative.enable = true;
-			desktop.enable  = true;
-			dev.enable      = true;
-			extra.enable    = true;
-			gaming.enable   = true;
-		};
 	};
 }
--- a/host/x86_64-linux/desktop/default.nix
+++ b/host/x86_64-linux/desktop/default.nix
@ -1,17 +1,19 @@
 { ... }: {
 	home.nixos.enable = true;
 	user = {
-		root.enable     = true;
-		voronind.enable = true;
+		root     = true;
+		voronind = true;
 	};

 	module = {
 		builder.client.enable = true;
-		distrobox.enable      = true;
-		keyd.enable           = true;
-		ollama.enable         = true;
+		package.extra = true;
 		print.enable  = true;
-		virtmanager.enable    = true;
+		purpose = {
+			desktop = true;
+			gaming  = true;
+			work    = true;
+		};
 		amd = {
 			compute.enable = true;
 			gpu.enable     = true;
@ -20,35 +22,14 @@
 				powersave = true;
 			};
 		};
-		sway = {
-			enable = true;
-			extraConfig = ''
+		sway.extraConfig = ''
 			output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165" mode 1920x1080@74.986Hz transform 180 pos 780,0
 			output "Huawei Technologies Co., Inc. ZQE-CBA 0xC080F622" pos 0,1080
 			workspace 1 output "ASUSTek COMPUTER INC ASUS VA24E R2LMTF127165"
 		'';
-		};
-		docker = {
-			enable    = true;
-			autostart = false;
-			rootless  = false;
-		};
 		hwmon = {
 			file = "temp1_input";
 			path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
 		};
-		kernel = {
-			enable = true;
-			latest = true;
-		};
-		package = {
-			common.enable   = true;
-			core.enable     = true;
-			creative.enable = true;
-			desktop.enable  = true;
-			dev.enable      = true;
-			extra.enable    = true;
-			gaming.enable   = true;
-		};
 	};
 }
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@ -11,12 +11,6 @@
 	lan = "br0";    # Lan interface.
 	wan = "enp8s0"; # Wan interface.
 in {
-	# Allow packet routing (we are a router).
-	boot.kernel.sysctl = {
-		"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
-		"net.ipv4.ip_forward"              = lib.mkForce 1;
-	};
-
 	# Disable SSH access from everywhere, configure access bellow.
 	services.openssh.openFirewall = false;

--- a/host/x86_64-linux/home/Zapret.nix
+++ b/host/x86_64-linux/home/Zapret.nix
@ -1,42 +0,0 @@
-{
-	inputs,
-	pkgsMaster,
-	...
-}: {
-	disabledModules = [ "services/networking/zapret.nix" ];
-	imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
-
-	# TODO: Single place.
-	services.zapret = {
-		enable  = true;
-		package = pkgsMaster.zapret;
-		params = [
-			"--dpi-desync=fake,disorder2"
-			"--dpi-desync-ttl=1"
-			"--dpi-desync-autottl=2"
-		];
-		whitelist = [
-			"youtube.com"
-			"googlevideo.com"
-			"ytimg.com"
-			"youtu.be"
-			"rutracker.org"
-			"rutracker.cc"
-			"rutrk.org"
-			"t-ru.org"
-			"medium.com"
-			"dis.gd"
-			"discord.co"
-			"discord.com"
-			"discord.dev"
-			"discord.gg"
-			"discord.gift"
-			"discord.media"
-			"discord.new"
-			"discordapp.com"
-			"discordapp.net"
-			"discordcdn.com"
-			"discordstatus.com"
-		];
-	};
-}
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@ -1,15 +1,25 @@
 { ... }: {
 	home.nixos.enable = true;
 	user = {
-		root.enable     = true;
-		voronind.enable = true;
+		root     = true;
+		voronind = true;
 	};

 	module = {
 		builder.server.enable = true;
-		sway.enable           = true;
-		kernel.enable         = true;
-		keyd.enable           = true;
+		purpose = {
+			desktop = true;
+			router  = true;
+			server  = true;
+		};
+		dpi.bypass = {
+			enable = true;
+			params = [
+				"--dpi-desync=fake,disorder2"
+				"--dpi-desync-ttl=1"
+				"--dpi-desync-autottl=2"
+			];
+		};
 		amd = {
 			cpu.enable = true;
 			gpu.enable = true;
@ -22,10 +32,5 @@
 			file = "temp1_input";
 			path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon";
 		};
-		package = {
-			common.enable  = true;
-			core.enable    = true;
-			desktop.enable = true;
-		};
 	};
 }
--- a/host/x86_64-linux/laptop/default.nix
+++ b/host/x86_64-linux/laptop/default.nix
@ -1,19 +1,21 @@
 { ... }: {
 	home.nixos.enable = true;
 	user = {
-		dasha.enable    = true;
-		root.enable     = true;
-		voronind.enable = true;
+		dasha    = true;
+		root     = true;
+		voronind = true;
 	};

 	module = {
-		autoupdate.enable     = true;
 		builder.client.enable = true;
-		sway.enable           = true;
-		kernel.enable         = true;
-		keyd.enable           = true;
 		print.enable = true;
-		tablet.enable         = true;
+		purpose = {
+			creativity = true;
+			disown     = true;
+			gaming     = true;
+			laptop     = true;
+			work       = true;
+		};
 		amd = {
 			compute.enable = true;
 			cpu = {
@ -22,13 +24,5 @@
 			};
 			gpu.enable = true;
 		};
-		package = {
-			common.enable   = true;
-			core.enable     = true;
-			desktop.enable  = true;
-			gaming.enable   = true;
-			creative.enable = true;
-			dev.enable      = true;
-		};
 	};
 }
--- a/host/x86_64-linux/live/default.nix
+++ b/host/x86_64-linux/live/default.nix
@ -18,5 +18,5 @@

 	# Root user setup.
 	home.nixos.enable = true;
-	user.root.enable  = true;
+	user.root = true;
 }
--- a/host/x86_64-linux/pocket/Tlp.nix
+++ b/host/x86_64-linux/pocket/Tlp.nix
@ -1,3 +0,0 @@
-{ ... }: {
-	services.tlp.enable = true;
-}
--- a/host/x86_64-linux/pocket/default.nix
+++ b/host/x86_64-linux/pocket/default.nix
@ -1,25 +1,23 @@
 { ... }: {
 	home.nixos.enable = true;
 	user = {
-		root.enable     = true;
-		voronind.enable = true;
+		root     = true;
+		voronind = true;
 	};

 	module = {
 		builder.client.enable = true;
-		keyd.enable           = true;
+		package.extra = true;
 		print.enable  = true;
-		sway = {
-			enable = true;
-			extraConfig = ''
+		purpose = {
+			creativity = true;
+			laptop     = true;
+			work       = true;
+		};
+		sway.extraConfig = ''
 			output DSI-1 transform 90
 			input * map_to_output DSI-1
 		'';
-		};
-		kernel = {
-			enable = true;
-			latest = true;
-		};
 		hwmon = {
 			file = "temp1_input";
 			path = "/sys/devices/platform/coretemp.0/hwmon";
@ -28,14 +26,5 @@
 			enable    = true;
 			powersave = true;
 		};
-		package = {
-			common.enable   = true;
-			core.enable     = true;
-			creative.enable = true;
-			desktop.enable  = true;
-			dev.enable      = true;
-			extra.enable    = true;
-			gaming.enable   = true;
-		};
 	};
 }
--- a/host/x86_64-linux/work/default.nix
+++ b/host/x86_64-linux/work/default.nix
@ -4,19 +4,23 @@

 	home.nixos.enable = true;
 	user = {
-		root.enable     = true;
-		dasha.enable    = true;
-		voronind.enable = true;
+		dasha    = true;
+		root     = true;
+		voronind = true;
 	};

 	module = {
-		autoupdate.enable          = true;
 		builder.client.enable      = true;
-		sway.enable                = true;
-		kernel.enable              = true;
-		keyd.enable                = true;
+		package.extra              = true;
 		powerlimit.thinkpad.enable = true;
 		print.enable               = true;
+		purpose = {
+			creativity = true;
+			disown     = true;
+			gaming     = true;
+			laptop     = true;
+			work       = true;
+		};
 		hwmon = {
 			file = "temp1_input";
 			path = "/sys/devices/platform/coretemp.0/hwmon";
@ -25,13 +29,5 @@
 			enable    = true;
 			powersave = true;
 		};
-		package = {
-			common.enable  = true;
-			core.enable    = true;
-			desktop.enable = true;
-			dev.enable     = true;
-			extra.enable   = true;
-			gaming.enable  = true;
-		};
 	};
 }
--- a/option/Display.nix
+++ b/option/Display.nix
@ -0,0 +1,10 @@
+# Screen configuration.
+{
+	lib,
+	...
+}: {
+	options.module.display.dpiAware = lib.mkOption {
+		default = false;
+		type    = lib.types.bool;
+	};
+}
--- a/option/Dpi.nix
+++ b/option/Dpi.nix
@ -1,10 +1,12 @@
-# Screen density configuration.
 {
 	lib,
 	...
 }: {
-	options.module.dpi.aware = lib.mkOption {
-		default = false;
-		type    = lib.types.bool;
+	options.module.dpi.bypass = {
+		enable = lib.mkEnableOption "the DPI bypass.";
+		params = lib.mkOption {
+			default = [ ];
+			type    = with lib.types; listOf str;
+		};
 	};
 }
--- a/option/Package.nix
+++ b/option/Package.nix
@ -3,12 +3,12 @@
 	...
 }: {
 	options.module.package = {
-		common.enable   = lib.mkEnableOption "Common Apps.";
-		core.enable     = lib.mkEnableOption "Core apps.";
-		creative.enable = lib.mkEnableOption "Creative Apps.";
-		desktop.enable  = lib.mkEnableOption "Desktop Apps.";
-		dev.enable      = lib.mkEnableOption "Dev Apps.";
-		extra.enable    = lib.mkEnableOption "Extra Apps.";
-		gaming.enable   = lib.mkEnableOption "Gaming Apps.";
+		common     = lib.mkEnableOption "Common Apps.";
+		core       = lib.mkEnableOption "Core apps.";
+		creativity = lib.mkEnableOption "Creative Apps.";
+		desktop    = lib.mkEnableOption "Desktop Apps.";
+		dev        = lib.mkEnableOption "Dev Apps.";
+		extra      = lib.mkEnableOption "Extra Apps.";
+		gaming     = lib.mkEnableOption "Gaming Apps.";
 	};
 }
--- a/option/Purpose.nix
+++ b/option/Purpose.nix
@ -0,0 +1,16 @@
+{
+	lib,
+	...
+}: {
+	options.module.purpose = {
+		creativity = lib.mkEnableOption "creativity modules";
+		desktop    = lib.mkEnableOption "desktop modules.";
+		disown     = lib.mkEnableOption "modules for machines not used by me.";
+		gaming     = lib.mkEnableOption "gaming modules.";
+		laptop     = lib.mkEnableOption "laptop modules.";
+		phone      = lib.mkEnableOption "phone modules.";
+		router     = lib.mkEnableOption "router modules.";
+		server     = lib.mkEnableOption "server modules.";
+		work       = lib.mkEnableOption "work modules.";
+	};
+}
--- a/user/Dasha.nix
+++ b/user/Dasha.nix
@ -3,13 +3,11 @@
 	config,
 	...
 }: let
-	cfg = config.user.dasha;
+	cfg = config.user;
 in {
-	options.user.dasha = {
-		enable = lib.mkEnableOption "dasha";
-	};
+	options.user.dasha = lib.mkEnableOption "dasha.";

-	config = lib.mkIf cfg.enable {
+	config = lib.mkIf cfg.dasha {
 		home.nixos.users = [{
 			homeDirectory = "/home/dasha";
 			username      = "dasha";
--- a/user/Root.nix
+++ b/user/Root.nix
@ -5,13 +5,11 @@
 	util,
 	...
 }: let
-	cfg = config.user.root;
+	cfg = config.user;
 in {
-	options.user.root = {
-		enable = lib.mkEnableOption "root";
-	};
+	options.user.root = lib.mkEnableOption "root.";

-	config = lib.mkIf cfg.enable {
+	config = lib.mkIf cfg.root {
 		users.users.root.hashedPassword = secret.hashedPassword;
 		home.nixos.users = [{
 			homeDirectory = "/root";
--- a/user/Voronind.nix
+++ b/user/Voronind.nix
@ -4,13 +4,11 @@
 	secret,
 	...
 }: let
-	cfg = config.user.voronind;
+	cfg = config.user;
 in {
-	options.user.voronind = {
-		enable = lib.mkEnableOption "voronind";
-	};
+	options.user.voronind = lib.mkEnableOption "voronind.";

-	config = lib.mkIf cfg.enable {
+	config = lib.mkIf cfg.voronind {
 		home.nixos.users = [{
 			homeDirectory = "/home/voronind";
 			username      = "voronind";