dotfiles-old/hosts/shared/nixos/shared_config.nix
Seven Of Aces fc1fada503 modified: assets/.bashrc
modified:   assets/avatar.png
	modified:   home.nix
	modified:   hosts/blackstar/nixos/configuration.nix
	modified:   hosts/shared/nixos/shared_config.nix
	modified:   modules/desktop/apps/art.nix
	modified:   modules/desktop/apps/cad.nix
	modified:   modules/desktop/apps/cam.nix
	modified:   modules/desktop/apps/chat.nix
	modified:   modules/desktop/apps/code.nix
	modified:   modules/desktop/apps/godot.nix
	modified:   modules/desktop/apps/minecraft.nix
	modified:   modules/desktop/apps/xiv.nix
	modified:   modules/system/audio.nix
    new file:   modules/system/boot/.grub.nix.swp
	modified:   modules/system/boot/grub.nix
	modified:   pkgs/default.nix
    new file:   pkgs/wallpaper-engine.nix
2024-08-25 08:40:03 -07:00



# Shared NixOS host configuration: desktop package set, Bluetooth audio,
# and a set of kernel/network/SSH hardening defaults. Most hardening values
# are set with lib.mkDefault so a host-specific module can override them.
{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  ...
}:
let
  # Package groups, concatenated below in this exact order (the order of
  # environment.systemPackages is preserved from the original flat list).
  gamingPkgs = with pkgs; [
    steam
    wallpaper_engine
  ];

  # code
  codePkgs = with pkgs; [
    cargo
    rustc # Rust
    jetbrains.pycharm-professional
    vim
    python311
    python311Packages.pip
    lua
    git
    # A VS Code build with a pinned extension set; disabled in favour of the
    # FHS wrapper (vscode.fhs) below. Kept for reference.
    # (vscode-with-extensions.override {
    #   vscodeExtensions = with vscode-extensions; [
    #     dracula-theme.theme-dracula
    #     yzhang.markdown-all-in-one
    #     rust-lang.rust-analyzer
    #     # dependi
    #     jscearcy.rust-doc-viewer
    #     swellaby.vscode-rust-test-adapter
    #     tamasfe.even-better-toml
    #     ms-vsliveshare.vsliveshare
    #     aaron-bond.better-comments
    #     bbenoist.nix
    #     vue.volar
    #   ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
    #     {
    #       name = "remote-ssh-edit";
    #       publisher = "ms-vscode-remote";
    #       version = "0.47.2";
    #       sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g";
    #     }
    #   ];
    # })
    vscode.fhs
    blockbench
    wine
    bottles
  ];

  # other
  miscPkgs = with pkgs; [
    discord
    nodejs_22
  ];

  # sys utils
  sysUtilPkgs = with pkgs; [
    gnupg
    ffmpeg
    unzip
    mpv
    gparted
    libappindicator-gtk3
    pavucontrol
    hyfetch
  ];
in
{
  environment.systemPackages = gamingPkgs ++ codePkgs ++ miscPkgs ++ sysUtilPkgs;

  # Bluetooth: adapter on at boot, blueman applet for management.
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };
  services.blueman.enable = true;

  # PipeWire session manager with extra BlueZ codec/role settings.
  services.pipewire.wireplumber = {
    enable = true;
    extraConfig.bluetoothEnhancements = {
      "monitor.bluez.properties" = {
        "bluez5.enable-sbc-xq" = true;
        "bluez5.enable-msbc" = true;
        "bluez5.enable-hw-volume" = true;
        "bluez5.roles" = [ "hsp_hs" "hsp_ag" "hfp_hf" "hfp_ag" ];
      };
    };
  };

  # nix-ld provides a loader so dynamically linked binaries that were not
  # built for NixOS can run; note this widens what arbitrary downloaded
  # binaries can execute on the host.
  programs.nix-ld.enable = true;
  programs.firefox.enable = true;

  ## System security tweaks

  # sets hidepid=2 on /proc (make process info visible only to owning user)
  # NOTE Was removed on nixpkgs-unstable because it doesn't do anything
  # security.hideProcessInformation = true;

  boot.tmp = {
    # tmpfs = /tmp is mounted in ram. Doing so makes temp file management
    # speedy on ssd systems and more secure (and volatile)! Because it's
    # wiped on reboot.
    useTmpfs = lib.mkDefault true;
    # If not using tmpfs, which is naturally purged on reboot, we must clean
    # /tmp ourselves. /tmp should be volatile storage!
    cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
  };

  # Fix a security hole in place for backwards compatibility. See desc in
  # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
  # NOTE(review): this option only takes effect when systemd-boot is the
  # active loader; hosts booting via GRUB get nothing from it.
  boot.loader.systemd-boot.editor = lib.mkDefault false;

  boot.kernel.sysctl = {
    # The Magic SysRq key is a key combo that allows users connected to the
    # system console of a Linux kernel to perform some low-level commands.
    # Disable it, since we don't need it, and is a potential security concern.
    "kernel.sysrq" = 0;

    ## TCP hardening
    # Prevent bogus ICMP errors from filling up logs.
    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
    # Reverse path filtering causes the kernel to do source validation of
    # packets received from all interfaces. This can mitigate IP spoofing.
    "net.ipv4.conf.default.rp_filter" = 1;
    "net.ipv4.conf.all.rp_filter" = 1;
    # Do not accept IP source route packets (we're not a router)
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    # Don't send ICMP redirects (again, we're not a router)
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Refuse ICMP redirects (MITM mitigations)
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    # Protects against SYN flood attacks
    "net.ipv4.tcp_syncookies" = 1;
    # Incomplete protection against TIME-WAIT assassination
    "net.ipv4.tcp_rfc1337" = 1;

    ## TCP optimization
    # TCP Fast Open is a TCP extension that reduces network latency by packing
    # data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
    # both incoming and outgoing connections (bit 1 is the server side, so it
    # is only relevant to services listening on this host):
    "net.ipv4.tcp_fastopen" = 3;
    # Bufferbloat mitigations + slight improvement in throughput & latency
    "net.ipv4.tcp_congestion_control" = "bbr";
    "net.core.default_qdisc" = "cake";
  };
  # The bbr congestion control module must be loaded for the sysctl above.
  boot.kernelModules = [ "tcp_bbr" ];

  # Harden SSH client
  programs.ssh = {
    # Known vulnerability in the experimental connection-roaming client
    # code. See
    # https://security.stackexchange.com/questions/110639/how-exploitable-is-the-recent-useroaming-ssh-vulnerability
    # NOTE(review): the roaming code was removed in OpenSSH 7.1p2 (2016)
    # and UseRoaming has been an accepted but ignored option since, so this
    # is harmless but provides no protection on a current client.
    extraConfig = ''
      Host *
      UseRoaming no
    '';
  };
}