From 339dc535d76be886235f59304e56fd01450abf45 Mon Sep 17 00:00:00 2001 From: xmm Date: Tue, 10 Dec 2024 20:27:46 -0300 Subject: [PATCH] Users, Networking, Firewall and whatnot --- hosts/micronix/default.nix | 48 ++++- hosts/micronix/test.nix | 405 +++++++++++++++++++++++++++++++++++++ 2 files changed, 452 insertions(+), 1 deletion(-) create mode 100644 hosts/micronix/test.nix diff --git a/hosts/micronix/default.nix b/hosts/micronix/default.nix index 085fb4a..643b4a2 100644 --- a/hosts/micronix/default.nix +++ b/hosts/micronix/default.nix @@ -29,9 +29,55 @@ enable32Bit = false; }; - networking.networkmanager.enable = true; + networking.networkmanager = { + enable = true; + dns = "systemd-resolved"; + ethernet = { + macAddress = "random"; + }; + wifi = { + backend = "iwd"; + macAddress = "random"; + }; + }; + + networking.nameservers = [ + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" + "2606:4700:4700::1111#one.one.one.one" + "2606:4700:4700::1001#one.one.one.one" + ]; + + services.resolved = { + enable = true; + dnssec = "true"; + domains = ["~."]; + fallbackDns = [ + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" + "2606:4700:4700::1111#one.one.one.one" + "2606:4700:4700::1001#one.one.one.one" + ]; + dnsovertls = "true"; + llmnr = "false"; + }; + + networking.firewall.enable = true; + time.timeZone = "America/Montevideo"; i18n.defaultLocale = "en_US.UTF-8"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + system.stateVersion = "24.11"; }; } diff --git a/hosts/micronix/test.nix b/hosts/micronix/test.nix new file mode 100644 index 0000000..d3ab5fe --- /dev/null +++ b/hosts/micronix/test.nix 
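Review bot: `dnssec = "true"` combined with `dnsovertls = "true"` in the new `services.resolved` block makes name resolution fail closed rather than degrade, and the hunk does not document that this is intended: on a network whose resolver is unreachable on port 853 or that serves broken DNSSEC (captive portals are the common case) lookups simply fail until the setting is changed, and `domains = ["~."]` routes every query to these servers regardless of what NetworkManager learned from DHCP. A comment above `dnssec = "true";` such as `# Strict DNSSEC + DNS-over-TLS: fails closed on captive portals and broken resolvers; "allow-downgrade" / "opportunistic" are the lenient variants.` records the trade-off. `fallbackDns` repeats the same four servers as `networking.nameservers`; resolved consults fallbacks only when no DNS servers are configured at all, so the copy adds nothing and can drift from the primary list. `networking.firewall.enable = true` is already the NixOS default, so either drop the line or comment that it is set explicitly.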
@@ -0,0 +1,405 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware.nix
+ ];
+
+ programs.nix-ld = {
+ enable = true;
+ };
+
+ boot.initrd.systemd = {
+ enable = true;
+ tpm2 = {enable = true;};
+ dbus = {enable = true;};
+ };
+
+ boot.kernelPackages = pkgs.linuxPackages_cachyos;
+
+ boot.kernelParams = [
+ "default_hugepagesz=1G"
+ "hugepagesz=1G"
+ ];
+
+ boot.kernel.sysctl = {
+ "vm.nr_hugepages" = 512;
+ "vm.swappiness" = 200;
+ "net.core.netdev_max_backlog" = 32768;
+ "net.core.somaxconn" = 16384;
+ "net.core.rmem_default" = 1048576;
+ "net.core.rmem_max" = 16777216;
+ "net.core.wmem_default" = 1048576;
+ "net.core.wmem_max" = 16777216;
+ "net.core.optmem_max" = 65536;
+ "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+ "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+ "net.ipv4.udp_rmem_min" = 8192;
+ "net.ipv4.udp_wmem_min" = 8192;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.core.default_qdisc" = "cake";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "vm.dirty_ratio" = 20;
+ "vm.dirty_background_ratio" = 10;
+ "vm.vfs_cache_pressure" = 25;
+ "vm.hugetlb_optimize_vmemmap" = 1;
+ };
+
+ services.scx = {
+ enable = true;
+ scheduler = "scx_lavd";
+ extraArgs = ["--performance"];
+ };
+
+ boot.runSize = "100%";
+ boot.devSize = "100%";
+ boot.devShmSize = "100%";
+ boot.tmp.useTmpfs = true;
+ boot.tmp.tmpfsSize = "100%";
+ boot.tmp.cleanOnBoot = true;
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/11a954cd-1e6b-40e5-9322-e4b5349076fd";
+ fsType = "btrfs";
+ options = ["compress=zstd:6" "discard" "flushoncommit" "subvol=@"];
+ };
+
+ services.btrfs.autoScrub = {
+ fileSystems = ["/"]; # Assuming root is formatted with Btrfs.
+ interval = "daily";
+ enable = true;
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/disk/by-uuid/4d101e1e-8f76-472e-8282-62bb23d122e4";
+ priority = 50;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ priority = 100;
+ memoryPercent = 100;
+ };
+
+ nix.gc = {
+ automatic = true;
+ options = "-d";
+ };
+
+ nix.optimise.automatic = true;
+
+ nix.settings = {
+ experimental-features = "cgroups dynamic-derivations flakes nix-command recursive-nix";
+ auto-optimise-store = true;
+ http-connections = 0;
+ download-buffer-size = 671088640;
+ max-jobs = "auto";
+ sync-before-registering = true;
+ use-cgroups = true;
+ };
+
+ boot.initrd.kernelModules = ["amdgpu"];
+
+ # Processor settings for AMD
+ hardware.cpu.amd = {
+ sev.enable = true;
+ updateMicrocode = true;
+ };
+
+ # Bootloader.
+ boot.loader.systemd-boot = {
+ enable = true;
+ edk2-uefi-shell = {enable = true;};
+ memtest86 = {enable = true;};
+ configurationLimit = 3;
+ };
+
+ boot.plymouth = {
+ enable = true;
+ };
+
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "zirconium"; # Hostname.
+
+ networking.networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ ethernet = {
+ macAddress = "random";
+ };
+ wifi = {
+ backend = "iwd";
+ macAddress = "random";
+ };
+ };
+
+ networking.tempAddresses = "default";
+
+ # Set your time zone.
+ time.timeZone = "America/Montevideo";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # Load AMD GPU drivers early
+ hardware.amdgpu.initrd = {
+ enable = true;
+ };
+
+ hardware.amdgpu.opencl = {
+ enable = true;
+ };
+
+ # Graphics
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ services.xserver.videoDrivers = ["amdgpu"];
+ services.xserver.updateDbusEnvironment = true;
+ services.xserver.enableTearFree = true;
+
+ qt = {
+ platformTheme = "kde";
+ };
+
+ # TLP
+ services.power-profiles-daemon.enable = false; # We disable this because it sucks
+ services.tlp.enable = true;
+ services.tlp.settings = {
+ CPU_DRIVER_OPMODE_ON_AC = "active";
+ CPU_DRIVER_OPMODE_ON_BAT = "active";
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
+ CPU_BOOST_ON_AC = 1;
+ CPU_BOOST_ON_BAT = 0;
+ PLATFORM_PROFILE_ON_AC = "performance";
+ PLATFORM_PROFILE_ON_BAT = "low-power";
+ DISK_IOSCHED = "kyber";
+ RADEON_DPM_PERF_LEVEL_ON_AC = "high";
+ WIFI_PWR_ON_AC = "off";
+ WIFI_PWR_ON_BAT = "off";
+ };
+
+ # Configure keymap in X11
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ # Enable sound with pipewire.
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ services.libinput.enable = true;
+
+ users.defaultUserShell = pkgs.zsh;
+ environment.shells = with pkgs; [zsh];
+
+ programs.zsh = {
+ enable = true;
+ enableCompletion = true;
+ autosuggestions = {
+ enable = true;
+ strategy = ["completion"];
+ };
+
+ zsh-autoenv = {
+ enable = true;
+ };
+
+ syntaxHighlighting = {
+ enable = true;
+ highlighters = ["main" "brackets" "pattern" "cursor" "regexp" "root" "line"];
+ };
+
+ shellAliases = {
+ ll = "ls -l";
+ update = "sudo nixos-rebuild switch --upgrade";
+ };
+
+ ohMyZsh = {
+ enable = true;
+ plugins = ["git" "direnv" "fzf"];
+ theme = "half-life";
+ };
+ };
+
+ # DirEnv support
+ programs.direnv = {
+ enable = true;
+ enableZshIntegration = true;
+ nix-direnv = {
+ enable = true;
+ };
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.xmm = {
+ isNormalUser = true;
+ description = "xmm";
+ extraGroups = ["wheel"];
+ packages = with pkgs; [
+ (wrapOBS {
+ plugins = with pkgs.obs-studio-plugins; [
+ obs-backgroundremoval
+ obs-pipewire-audio-capture
+ ];
+ })
+ vesktop
+ vscode-fhs
+ jetbrains-toolbox
+ spotify
+ alacritty
+ halloy
+ alacritty-theme
+ ];
+ };
+
+ services.displayManager.sddm.enable = true;
+ services.desktopManager.plasma6.enable = true;
+ services.displayManager.defaultSession = "plasma";
+ services.displayManager.sddm.wayland.enable = true;
+
+ programs.dconf.enable = true;
+
+ xdg.portal.enable = true;
+ xdg.portal.xdgOpenUsePortal = true;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ environment.plasma6.excludePackages = with pkgs.kdePackages; [
+ konsole
+ oxygen
+ libqaccessibilityclient
+ ];
+
+ environment.systemPackages = with pkgs; [
+ ripgrep
+ simp1e-cursors
+ alejandra
+ pre-commit
+ unzip
+ neovim
+ fuzzel
+ fzf
+ firefox_nightly
+ wget2
+ git
+ btop-rocm
+ llvmPackages_19.clangUseLLVM
+ llvmPackages_19.clang-tools
+ llvmPackages_19.libllvm
+ scx_git.rustscheds
+ hyfetch
+ fastfetch
+ ffmpeg-full
+ gnumake
+ cmake
+ python3
+ meson
+ ninja
+ nodePackages_latest.nodejs
+ pnpm
+ vulkanPackages_latest.vulkan-extension-layer
+ vulkanPackages_latest.vulkan-loader
+ vulkanPackages_latest.vulkan-validation-layers
+ luajitPackages.luarocks
+ ];
+
+ fonts.packages = with pkgs; [
+ noto-fonts
+ noto-fonts-cjk-sans
+ noto-fonts-cjk-serif
+ noto-fonts-lgc-plus
+ noto-fonts-color-emoji
+ cozette
+ ];
+
+ # Improve font quality
+ fonts.fontconfig = {
+ defaultFonts = {
+ serif = ["Liberation Serif"];
+ sansSerif = ["Liberation Sans"];
+ monospace = ["Liberation Mono"];
+ emoji = ["Noto Color Emoji"];
+ };
+ cache32Bit = true;
+ };
+
+ services.dbus = {
+ implementation = "broker";
+ };
+
+ # SECURITY
+ security = {
+ tpm2 = {
+ enable = true;
+ }; # Having TPM2 is nice.
+ polkit = {
+ enable = true;
+ };
+ protectKernelImage = true;
+ forcePageTableIsolation = true;
+ };
+
+ systemd.tpm2.enable = true;
+
+ networking.nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ ];
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = ["~."];
+ fallbackDns = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ ];
+ dnsovertls = "true";
+ llmnr = "false";
+ };
+
+ networking.firewall.enable = true;
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
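Review bot: The `boot.loader.systemd-boot` block adds an EDK2 UEFI shell and a memtest86 entry to the boot menu but leaves the menu's command-line editor at its NixOS default (enabled), so anyone at the console can alter the kernel command line before boot and the shell entry lets them run arbitrary EFI binaries outside the OS; nothing in this file declares an encrypted root (`fileSystems."/"` is a plain by-uuid btrfs device, though `./hardware.nix` is not visible), so that amounts to unauthenticated root on the machine. Add `editor = false;` next to `configurationLimit = 3;`, and consider whether the EFI shell entry is needed on a laptop that leaves the house. Second, `boot.runSize`, `boot.devShmSize` and `boot.tmp.tmpfsSize` are all `"100%"`, which lets any unprivileged process fill /tmp or /dev/shm until all of RAM (and then the zram and disk swap) is consumed; the NixOS defaults are 25%, 50% and 50%, and a bound well below total memory is the usual choice. Finally, `system.stateVersion = "24.05"` here disagrees with the `"24.11"` in hosts/micronix/default.nix in the same commit, and the NetworkManager/resolved/nameservers block is a verbatim copy of the one added there; if both files describe the same host, factoring the shared block into a module keeps them from drifting.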