added stuff

Charlie Root 2024-04-09 23:11:33 +02:00
commit 9d0ebdfbd0
907 changed files with 70990 additions and 0 deletions


@ -0,0 +1,7 @@
{
imports = [
./system
];
system.nixos.tags = ["workstation"];
}


@ -0,0 +1,9 @@
{
imports = [
./programs
./services
./security
./fonts.nix
];
}


@ -0,0 +1,80 @@
{pkgs, ...}: {
config = {
fonts = {
enableDefaultPackages = false;
fontconfig = {
defaultFonts = let
common = [
"Iosevka Nerd Font"
"Symbols Nerd Font"
"Noto Color Emoji"
];
in {
monospace =
[
"Source Code Pro Medium"
"Source Han Mono"
]
++ common;
sansSerif =
[
"Lexend"
]
++ common;
serif =
[
"Noto Serif"
]
++ common;
emoji = ["Noto Color Emoji"] ++ common;
};
};
fontDir = {
enable = true;
decompressFonts = true;
};
# font packages that should be installed
packages = with pkgs; [
# programming fonts
sarasa-gothic
# desktop fonts
corefonts # MS fonts
b612 # high legibility
material-icons
material-design-icons
roboto
work-sans
comic-neue
source-sans
inter
lato
lexend
dejavu_fonts
noto-fonts
noto-fonts-cjk
# emojis
noto-fonts-color-emoji
twemoji-color-font
openmoji-color
openmoji-black
# defaults worth keeping
dejavu_fonts
freefont_ttf
gyre-fonts
liberation_ttf
unifont
(nerdfonts.override {fonts = ["Iosevka" "JetBrainsMono" "NerdFontsSymbolsOnly"];})
];
};
};
}
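Review bot: `dejavu_fonts` appears twice in `fonts.packages`, once under "desktop fonts" right after `lexend` and again under "defaults worth keeping"; one of the two entries should go. Nix will collapse the duplicate store path, so this is a readability point rather than a functional one, but a reader scanning the list for what is installed should not have to wonder which entry is authoritative.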


@ -0,0 +1,21 @@
{lib, ...}: let
inherit (lib) mkForce;
in {
# Firefox cache on tmpfs
fileSystems."/home/notashelf/.cache/mozilla/firefox" = {
device = "tmpfs";
fsType = "tmpfs";
noCheck = true;
options = [
"noatime"
"nodev"
"nosuid"
"size=128M"
];
};
# enable the unified cgroup hierarchy (cgroupsv2)
# NOTE: we use mkForce ensure that we are making cgroupsv2 the default
# some services, i.e. lxd, tries to disable it
systemd.enableUnifiedCgroupHierarchy = mkForce true;
}
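Review bot: The tmpfs mounted at `/home/notashelf/.cache/mozilla/firefox` carries no `uid=`/`gid=`/`mode=` options, so the mount point comes up root-owned with tmpfs's default world-writable sticky mode (1777) instead of belonging to the user whose cache it is, and the usual per-user protection of `~/.cache` is lost for that directory. Since Firefox only reads and writes data there, I would also add `noexec` next to `nodev`/`nosuid`. Appending `"noexec" "mode=0700" "uid=notashelf" "gid=users"` to `options` fixes both; the group name is a guess and should match the user's primary group. Separately, `systemd.enableUnifiedCgroupHierarchy` has, if I remember correctly, been deprecated upstream now that cgroup v2 is the only mode, so the `mkForce` here may start warning on newer nixpkgs.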


@ -0,0 +1,48 @@
{
config,
lib,
...
}: {
programs.ccache = {
enable = true;
cacheDir = "/var/cache/sccache";
};
systemd.tmpfiles.rules = [
"z ${config.programs.ccache.cacheDir} 770 root nixbld - -"
];
nix.settings.extra-sandbox-paths = [
config.programs.ccache.cacheDir
];
nixpkgs.overlays = lib.mkIf (config.programs.ccache.enable && config.programs.ccache.packageNames == []) [
(_: super: {
ccacheWrapper = super.ccacheWrapper.override {
extraConfig = ''
export CCACHE_COMPRESS=1
export CCACHE_DIR="${config.programs.ccache.cacheDir}"
export CCACHE_UMASK=007
export CCACHE_SLOPPINESS=include_file_mtime,time_macros
export CCACHE_NODIRECT=1
if [ ! -d "$CCACHE_DIR" ]; then
echo "====="
echo "Directory '$CCACHE_DIR' does not exist"
echo "Please create it with:"
echo " sudo mkdir -m0770 '$CCACHE_DIR'"
echo " sudo chown root:nixbld '$CCACHE_DIR'"
echo "====="
exit 1
fi
if [ ! -w "$CCACHE_DIR" ]; then
echo "====="
echo "Directory '$CCACHE_DIR' is not accessible for user $(whoami)"
echo "Please verify its access permissions"
echo "====="
exit 1
fi
'';
};
})
];
}
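Review bot: Adding `config.programs.ccache.cacheDir` to `nix.settings.extra-sandbox-paths` exposes one shared, writable directory to every Nix build on this machine, so any derivation built here can read and overwrite cached objects that later builds reuse; the sandbox no longer isolates builds from each other for compiled output. That is the known trade-off of ccache under Nix, but it deserves an explicit comment, e.g. `# NOTE: the cache is shared by all sandboxed builds; a malicious or buggy build can poison objects reused by later builds, so only build trusted derivations on this host`. Two smaller points: the directory is named `/var/cache/sccache` although it serves ccache, not sccache, which will confuse anyone debugging it; and the tmpfiles rule uses `z`, which only adjusts an existing directory, so the first build still hits the `does not exist` branch of the wrapper script — `"d ${config.programs.ccache.cacheDir} 770 root nixbld - -"` would create it with the same ownership.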


@ -0,0 +1,12 @@
{
imports = [
./ccache.nix
./flatpak.nix
./java.nix
./misc.nix
./nh.nix
./thunar.nix
./wine.nix
./xdg-ninja.nix
];
}


@ -0,0 +1,6 @@
{
# enable flatpak, as well as xdgp to communicate with the host filesystems
services.flatpak.enable = false;
environment.sessionVariables.XDG_DATA_DIRS = ["/var/lib/flatpak/exports/share"];
}
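Review bot: The comment says "enable flatpak" but the line below sets `services.flatpak.enable = false`, and the `XDG_DATA_DIRS` entry for `/var/lib/flatpak/exports/share` is still exported for a service that is off. Either the comment should match the code, e.g. `# flatpak is currently disabled; XDG_DATA_DIRS keeps the exports path so desktop entries appear once it is re-enabled`, or the variable should be gated on the service being enabled so the session does not advertise a directory that will not exist.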


@ -0,0 +1,24 @@
{
pkgs,
lib,
...
}: {
# "saying java is good because it runs on all systems is like saying
# anal sex is good because it works on all species"
# - sun tzu
programs.java = {
# adds JAVA_HOME to the global environment
# by sourcing the jdks setup-hook on shell init
# slightly slows down the shell since the java path needs
# to be realised
enable = true;
# jdk package to use
package = pkgs.jre;
# whether to enable binfmt for executing
# java jars and classes. This can be a security
# exploit.
binfmt = lib.mkForce false;
};
}
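Review bot: The comment on `binfmt` ("This can be a security exploit") is too vague to tell a reader what is actually being avoided. A binfmt_misc registration makes any file matching the JAR/class magic directly executable by the kernel, so a downloaded jar with its exec bit set runs as soon as it is invoked, without an explicit `java -jar`; a comment such as `# keep binfmt off: it would let the kernel run any executable .jar/.class file directly through java, widening what a stray executable file can do` says that precisely. Separately, the option is described as "jdk package to use" but is set to `pkgs.jre`; that is fine if only a runtime is wanted, but the comment should say so.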


@ -0,0 +1,21 @@
{
programs = {
# allow users to mount fuse filesystems with allow_other
fuse.userAllowOther = true;
# show network usage
bandwhich.enable = true;
# registry for linux, thanks to gnome
dconf.enable = true;
# network inspection utility
wireshark.enable = true;
# gnome's keyring manager
seahorse.enable = true;
# networkmanager tray uility
nm-applet.enable = true;
};
}
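Review bot: `programs.fuse.userAllowOther = true` and `programs.wireshark.enable = true` both widen what an unprivileged local user can do, and neither line says why it is needed. `userAllowOther` lets a user mount a FUSE filesystem that root and other users will traverse, which removes the protection that keeps a hostile or broken user-space filesystem from affecting anyone but its owner; as far as I recall the wireshark module installs a capability wrapper for `dumpcap`, so members of the `wireshark` group can capture traffic on every interface. I would add a one-line justification to each, e.g. `# needed for sshfs/rclone mounts shared with other users` and `# members of the wireshark group can sniff all interfaces; keep that group small`, and confirm that only the intended accounts are in the `wireshark` group.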


@ -0,0 +1,23 @@
{
inputs,
pkgs,
...
}: {
imports = [inputs.nh.nixosModules.default];
config = {
nh = {
enable = true;
package = pkgs.nh;
# whether to let nh run gc on the store daily
# this is overall good for storage, but has negative
# implications on disk health and the performance
# of the nix daemon - which will be slowed during gc
clean = {
enable = true;
dates = "daily";
};
};
};
}
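Review bot: `clean.enable = true` with `dates = "daily"` and no retention arguments means the daily run keeps whatever `nh clean` keeps by default, and the comment only discusses disk wear and daemon load, not the fact that a deleted generation can no longer be rolled back to after a bad deploy. If the module exposes `clean.extraArgs` (I believe it does, but verify), pinning something like `extraArgs = "--keep 5 --keep-since 7d";` preserves a rollback window while still reclaiming space; at minimum the comment should state the intended retention.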


@ -0,0 +1,26 @@
{pkgs, ...}: {
# the thunar file manager
# we enable thunar here and add plugins instead of in systemPackages
# it is enabled unconditionally as a relatively lightweight fallback
# option for my system file manager. I still use dolphin most of the time
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-media-tags-plugin
];
};
environment = {
systemPackages = with pkgs; [
# packages necessery for thunar thumbnails
xfce.tumbler
libgsf # odf files
ffmpegthumbnailer
ark # GUI archiver for thunar archive plugin
];
};
# thumbnail support on thunar
services.tumbler.enable = true;
}
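Review bot: Enabling `services.tumbler` together with `ffmpegthumbnailer` and `libgsf` means every file that lands in a directory Thunar displays — including a freshly downloaded one — is parsed by those libraries automatically, before the user ever opens it. Media and OLE/ODF parsers have a long record of memory-safety bugs, so this is a real, if commonly accepted, attack surface on a workstation; a comment such as `# NOTE: thumbnailers parse untrusted files on sight (Downloads etc.) with the user's privileges` keeps that trade-off visible to whoever maintains this later.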


@ -0,0 +1,16 @@
{
config,
pkgs,
...
}: let
env = config.modules.usrEnv;
in {
# determine which version of wine to be used
# then add it to systemPackages
environment.systemPackages = with pkgs; let
winePackage =
if env.isWayland
then wineWowPackages.waylandFull
else wineWowPackages.stableFull;
in [winePackage];
}


@ -0,0 +1,9 @@
{lib, ...}: let
template = import lib.xdgTemplate "nixos";
in {
environment = {
variables = template.glEnv;
sessionVariables = template.sysEnv;
etc = {inherit (template) pythonrc npmrc;};
};
}


@ -0,0 +1,6 @@
{
imports = [
./firejail.nix
./tor.nix
];
}


@ -0,0 +1,39 @@
{
lib,
pkgs,
...
}: let
inherit (lib) getExe;
in {
programs.firejail = let
profiles = "${pkgs.firejail}/etc/firejail";
in {
enable = true;
wrappedBinaries = with pkgs; {
thunderbird = {
executable = getExe thunderbird;
profile = "${profiles}/thunderbird.profile";
};
spotify = {
executable = getExe spotify;
profile = "${profiles}/spotify.profile";
};
mpv = {
executable = getExe mpv;
profile = "${profiles}/mpv.profile";
};
imv = {
executable = pkgs.imv + /bin/imv;
profile = "${profiles}/imv.profile";
};
zathura = {
executable = getExe zathura;
profile = "${profiles}/zathura.profile";
};
};
};
}
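Review bot: `wrappedBinaries` only sandboxes the copy found on `PATH`; a `.desktop` launcher or anything that runs the package from its store path (a file-manager "open with" for `mpv` or `zathura`, say) starts the unwrapped binary, so the sandbox is easy to bypass by accident. If the module version in use has the per-binary `desktop` sub-option, setting it (e.g. `desktop = "${pkgs.thunderbird}/share/applications/thunderbird.desktop";`) routes the launcher through the wrapper too; I am not certain it is available here, so verify. Also `imv` uses `pkgs.imv + /bin/imv` where every other entry uses `getExe`; `executable = getExe imv;` would be consistent provided imv sets `meta.mainProgram`. Finally, firejail is itself a setuid-root binary with a history of privilege-escalation bugs, so a comment noting that it is a trade-off rather than pure hardening would be honest.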


@ -0,0 +1,52 @@
{
config,
pkgs,
lib,
...
}: let
inherit (lib) mkIf;
sys = config.modules.system;
in {
config = mkIf sys.security.tor.enable {
services = {
tor = {
enable = true;
torsocks.enable = true;
client = {
enable = true;
dns.enable = true;
};
};
networkd-dispatcher = {
enable = true;
rules."restart-tor" = {
onState = ["routable" "off"];
script = ''
#!${pkgs.runtimeShell}
if [[ $IFACE == "wlan0" && $AdministrativeState == "configured" ]]; then
echo "Restarting Tor ..."
systemctl restart tor
fi
exit 0
'';
};
};
};
programs.proxychains = {
enable = true;
quietMode = false;
proxyDNS = true;
package = pkgs.proxychains-ng;
proxies = {
tor = {
type = "socks5";
host = "127.0.0.1";
port = 9050;
};
};
};
};
}
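Review bot: The restart rule hardcodes `$IFACE == "wlan0"`, so on hosts with predictable interface names (`wlp2s0` and the like) the rule never fires and Tor keeps stale circuits after a network change; matching on a broader pattern or dropping the `IFACE` check would be more robust, and the choice should be documented either way. `onState` lists both `"routable"` and `"off"` but the body only tests `$AdministrativeState == "configured"`, so a link going down while still administratively configured also restarts Tor — presumably intended, but a comment would save the next reader from guessing. Note too that `client.dns.enable = true` only opens Tor's DNSPort; unless the system resolver is pointed at it elsewhere, applications not run through `torsocks`/`proxychains` still resolve names in the clear, which is worth a comment next to `dns.enable` so nobody assumes host-wide DNS goes over Tor.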


@ -0,0 +1,14 @@
{pkgs, ...}: {
programs.adb.enable = true;
services.udev = {
packages = [
pkgs.android-udev-rules
];
extraRules = ''
# add my android device to adbusers
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="adbusers"
'';
};
}
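Review bot: `MODE="0666"` on the udev rule makes the Samsung (`04e8`) device node readable and writable by every local account, which defeats the `GROUP="adbusers"` on the same line — the group only matters if others do not already have rw access. `MODE="0660"` (or `TAG+="uaccess"` for the logged-in seat user) keeps ADB access limited to `adbusers`, which is the group `programs.adb.enable` exists to manage: `SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0660", GROUP="adbusers"`. It is also possible that `android-udev-rules` already covers this vendor id, in which case the extra rule is redundant; check before keeping it.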


@ -0,0 +1,10 @@
{pkgs, ...}: {
services.dbus = {
enable = true;
packages = with pkgs; [dconf gcr udisks2];
# Use the faster dbus-broker instead of the classic dbus-daemon
# this setting is experimental, but after testing I've come to realise it broke nothing
implementation = "broker";
};
}


@ -0,0 +1,14 @@
{
imports = [
./adb.nix
./dbus.nix
./earlyoom.nix
./gnome.nix
./location.nix
./printing.nix
./misc.nix
./runners.nix
./systemd.nix
./zswap.nix
];
}


@ -0,0 +1,22 @@
{pkgs, ...}: {
# https://dataswamp.org/~solene/2022-09-28-earlyoom.html
# avoid the linux kernel locking itself when we're putting too much strain on the memory
# this helps avoid having to shut down forcefully when we OOM
services.earlyoom = {
enable = true;
enableNotifications = true; # annoying, but we want to know what's killed
freeSwapThreshold = 2;
freeMemThreshold = 2;
extraArgs = [
"-g" # kill all processes within a process group
"--avoid 'Hyprland|soffice|soffice.bin|firefox|thunderbird)$'" # things we want to not kill
"--prefer '^(electron|.*.exe)$'" # I wish we could kill electron permanently
];
# we should ideally write the logs into a designated log file; or even better, to the journal
# for now we can hope this echo sends the log to somewhere we can observe later
killHook = pkgs.writeShellScript "earlyoom-kill-hook" ''
echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed"
'';
};
}
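Review bot: The `--avoid` regex `'Hyprland|soffice|soffice.bin|firefox|thunderbird)$'` has an unbalanced `)` — there is no opening `(` — so it will either fail to compile (and earlyoom will refuse to start) or not anchor the way the `--prefer` pattern does. It should read `"--avoid '^(Hyprland|soffice|soffice\\.bin|firefox|thunderbird)$'"`, and for the same reason `--prefer` should escape the dot in `.*\\.exe`, since `.*.exe` also matches names like `foo-exe`. The `killHook` comment hopes the `echo` ends up somewhere observable; under systemd the hook's stdout should already land in the unit's journal, so a `journalctl -u earlyoom` note in the comment would replace the hope with a fact.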


@ -0,0 +1,26 @@
{
pkgs,
lib,
...
}: {
config = {
services = {
udev.packages = with pkgs; [
gnome.gnome-settings-daemon
];
gnome = {
glib-networking.enable = true;
evolution-data-server.enable = true;
# optional to use google/nextcloud calendar
gnome-online-accounts.enable = true;
# optional to use google/nextcloud calendar
gnome-keyring.enable = true;
gnome-remote-desktop.enable = lib.mkForce false;
};
};
};
}


@ -0,0 +1,14 @@
{config, ...}: {
location.provider = "geoclue2";
services.geoclue2 = {
# enable geoclue2 only if location.provider is geoclue2
enable = config.location.provider == "geoclue2";
# TODO: make gammastep fall back to local if geoclue2 is disabled
appConfig.gammastep = {
isAllowed = true;
isSystem = false;
};
};
}


@ -0,0 +1,20 @@
{
config,
pkgs,
lib,
...
}: {
config = {
services = {
# enable GVfs, a userspace virtual filesystem.
gvfs.enable = true;
# storage daemon required for udiskie auto-mount
udisks2.enable = !config.boot.isContainer;
# disable chrony in favor if systemd-timesyncd
timesyncd.enable = lib.mkDefault true;
chrony.enable = lib.mkDefault false;
};
};
}
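Review bot: `pkgs` is bound in the module arguments but never used in this file, and the comment reads "in favor if" where "in favor of" is meant. Both are cosmetic; dropping `pkgs` from the argument set and fixing the comment keeps the module tidy. The `udisks2.enable = !config.boot.isContainer` guard is a nice touch and worth a word of explanation, e.g. `# no block devices to manage inside a container`.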


@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf;
sys = config.modules.system;
in {
config = mkIf sys.printing.enable {
# enable cups and add some drivers for common printers
services = {
printing = {
enable = true;
drivers = with pkgs; [
gutenprint
hplip
];
};
# required for network discovery of printers
avahi = {
enable = true;
# resolve .local domains for printers
nssmdns4 = true;
# pass avahi port(s) to the firewall
openFirewall = true;
};
};
};
}
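Review bot: `avahi.openFirewall = true` opens mDNS (UDP 5353) on every interface, and `nssmdns4 = true` makes `.local` names resolvable system-wide through a protocol with no authentication — any peer on the same LAN (coffee-shop Wi-Fi included, on a workstation) can answer for a `.local` name. That is acceptable for printer discovery, but it should be stated, e.g. `# mDNS is unauthenticated: never rely on .local names for anything security-relevant`, and if the host has a trusted wired or VPN interface, `allowInterfaces = [ ... ]` on `services.avahi` narrows the exposure. The whole block is gated on `sys.printing.enable`, so it only matters on hosts that opt in.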


@ -0,0 +1,45 @@
{
pkgs,
lib,
...
}: {
config = {
environment.systemPackages = [pkgs.appimage-run];
# run appimages with appimage-run
boot.binfmt.registrations = lib.genAttrs ["appimage" "AppImage"] (_: {
wrapInterpreterInShell = false;
interpreter = "${pkgs.appimage-run}/bin/appimage-run";
recognitionType = "magic";
offset = 0;
mask = "\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff";
magicOrExtension = "\\x7fELF....AI\\x02";
});
# run unpatched linux binaries with nix-ld
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
stdenv.cc.cc
openssl
curl
glib
util-linux
glibc
icu
libunwind
libuuid
zlib
libsecret
# graphical
freetype
libglvnd
libnotify
SDL2
vulkan-loader
gdk-pixbuf
xorg.libX11
];
};
};
}
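Review bot: Registering the AppImage magic with binfmt makes any file that starts with `\x7fELF....AI\x02` and has its exec bit set run through `appimage-run` on invocation, system-wide; that is convenient but should be documented as a deliberate widening of what an executable download can do, e.g. `# any executable file with the AppImage magic now runs via appimage-run, no sandbox`. `lib.genAttrs ["appimage" "AppImage"]` also registers the same magic twice under two names; binfmt_misc matches on magic rather than name, so the second entry looks redundant — confirm and drop it, or comment why both exist. A short note on `programs.nix-ld` saying its library list is a convenience for unpatched binaries and not a containment boundary would round this out.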


@ -0,0 +1,21 @@
{
systemd = let
extraConfig = ''
DefaultTimeoutStartSec=15s
DefaultTimeoutStopSec=15s
DefaultTimeoutAbortSec=15s
DefaultDeviceTimeoutSec=15s
'';
in {
inherit extraConfig;
user = {inherit extraConfig;};
services = {
"getty@tty1".enable = false;
"autovt@tty1".enable = false;
"getty@tty7".enable = false;
"autovt@tty7".enable = false;
"kmsconvt@tty1".enable = false;
"kmsconvt@tty7".enable = false;
};
};
}
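Review bot: `DefaultTimeoutStopSec=15s` applies to every unit that does not set its own timeout, so a service that needs longer to flush state on shutdown (a database, a VM, a backup job) is SIGKILLed mid-work; that is a data-integrity risk the snippet does not mention. Keep it if fast shutdowns are the goal, but add `# NOTE: stateful services must set their own TimeoutStopSec, or they are killed at 15s` and override the limit on such units. The same `extraConfig` string is reused for the user manager; verify that every directive in it — `DefaultDeviceTimeoutSec` in particular — is accepted in `user.conf`, or split the two.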


@ -0,0 +1,24 @@
{
# compress memory and store in RAM before swapping to disk
boot.kernelParams = ["zswap.enabled=1"];
# use lz4 and z3fold for zswap
boot.kernelModules = [
"lz4"
"z3fold"
];
systemd.services.config-zswap = {
description = "";
after = ["systemd-modules-load.service"];
wantedBy = ["multi-user.target"];
serviceConfig.Type = "oneshot";
script = ''
echo lz4 > /sys/module/zswap/parameters/compressor
echo z3fold > /sys/module/zswap/parameters/zpool
'';
};
}
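Review bot: `config-zswap` has an empty `description` and its two `echo` writes carry no failure message, so if `z3fold` or `lz4` is unavailable on a given kernel the unit simply fails with a bare non-zero exit and nothing in the journal says why. A description such as `description = "select lz4/z3fold for zswap";` plus a guard like `test -e /sys/module/zswap/parameters/zpool || { echo "zswap not available" >&2; exit 1; }` makes the failure diagnosable. It is also worth a comment that zswap only compresses pages on their way to swap; pages still reach the backing swap device, so this does not remove the need for encrypted swap if that is a concern on this host.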