modified: assets/avatar.png modified: home.nix modified: hosts/blackstar/nixos/configuration.nix modified: hosts/shared/nixos/shared_config.nix modified: modules/desktop/apps/art.nix modified: modules/desktop/apps/cad.nix modified: modules/desktop/apps/cam.nix modified: modules/desktop/apps/chat.nix modified: modules/desktop/apps/code.nix modified: modules/desktop/apps/godot.nix modified: modules/desktop/apps/minecraft.nix modified: modules/desktop/apps/xiv.nix modified: modules/system/audio.nix new file: modules/system/boot/.grub.nix.swp modified: modules/system/boot/grub.nix modified: pkgs/default.nix new file: pkgs/wallpaper-engine.nix
144 lines
No EOL
5.1 KiB
Nix
144 lines
No EOL
5.1 KiB
Nix
{
|
||
inputs,
|
||
outputs,
|
||
lib,
|
||
config,
|
||
pkgs,
|
||
...
|
||
}: {
|
||
environment.systemPackages = with pkgs; [
|
||
steam
|
||
wallpaper_engine
|
||
# code
|
||
cargo rustc # Rust
|
||
jetbrains.pycharm-professional
|
||
vim
|
||
python311
|
||
python311Packages.pip
|
||
lua
|
||
git
|
||
# (vscode-with-extensions.override {
|
||
# vscodeExtensions = with vscode-extensions; [
|
||
# dracula-theme.theme-dracula
|
||
# yzhang.markdown-all-in-one
|
||
# rust-lang.rust-analyzer
|
||
# # dependi
|
||
# jscearcy.rust-doc-viewer
|
||
# swellaby.vscode-rust-test-adapter
|
||
# tamasfe.even-better-toml
|
||
# ms-vsliveshare.vsliveshare
|
||
# aaron-bond.better-comments
|
||
# bbenoist.nix
|
||
# vue.volar
|
||
# ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
|
||
# {
|
||
# name = "remote-ssh-edit";
|
||
# publisher = "ms-vscode-remote";
|
||
# version = "0.47.2";
|
||
# sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g";
|
||
# }
|
||
# ];
|
||
#})
|
||
vscode.fhs
|
||
blockbench
|
||
wine
|
||
bottles
|
||
|
||
# other
|
||
discord
|
||
nodejs_22
|
||
|
||
# sys utils
|
||
gnupg ffmpeg unzip
|
||
mpv gparted
|
||
libappindicator-gtk3
|
||
pavucontrol
|
||
hyfetch
|
||
];
|
||
|
||
hardware.bluetooth.enable = true;
|
||
hardware.bluetooth.powerOnBoot = true;
|
||
services.blueman.enable = true;
|
||
|
||
services.pipewire.wireplumber.enable = true;
|
||
services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
|
||
"monitor.bluez.properties" = {
|
||
"bluez5.enable-sbc-xq" = true;
|
||
"bluez5.enable-msbc" = true;
|
||
"bluez5.enable-hw-volume" = true;
|
||
"bluez5.roles" = [ "hsp_hs" "hsp_ag" "hfp_hf" "hfp_ag" ];
|
||
};
|
||
};
|
||
|
||
|
||
programs.nix-ld.enable = true;
|
||
programs.firefox.enable = true;
|
||
|
||
## System security tweaks
|
||
# sets hidepid=2 on /proc (make process info visible only to owning user)
|
||
# NOTE Was removed on nixpkgs-unstable because it doesn't do anything
|
||
# security.hideProcessInformation = true;
|
||
|
||
# tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
|
||
# on ssd systems and more secure (and volatile)! Because it's wiped on reboot.
|
||
boot.tmp.useTmpfs = lib.mkDefault true;
|
||
# If not using tmpfs, which is naturally purged on reboot, we must clean it
|
||
# /tmp ourselves. /tmp should be volatile storage!
|
||
boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
||
|
||
# Fix a security hole in place for backwards compatibility. See desc in
|
||
# nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
|
||
boot.loader.systemd-boot.editor = lib.mkDefault false;
|
||
|
||
boot.kernel.sysctl = {
|
||
# The Magic SysRq key is a key combo that allows users connected to the
|
||
# system console of a Linux kernel to perform some low-level commands.
|
||
# Disable it, since we don't need it, and is a potential security concern.
|
||
"kernel.sysrq" = 0;
|
||
|
||
## TCP hardening
|
||
# Prevent bogus ICMP errors from filling up logs.
|
||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||
# Reverse path filtering causes the kernel to do source validation of
|
||
# packets received from all interfaces. This can mitigate IP spoofing.
|
||
"net.ipv4.conf.default.rp_filter" = 1;
|
||
"net.ipv4.conf.all.rp_filter" = 1;
|
||
# Do not accept IP source route packets (we're not a router)
|
||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||
# Don't send ICMP redirects (again, we're not a router)
|
||
"net.ipv4.conf.all.send_redirects" = 0;
|
||
"net.ipv4.conf.default.send_redirects" = 0;
|
||
# Refuse ICMP redirects (MITM mitigations)
|
||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||
# Protects against SYN flood attacks
|
||
"net.ipv4.tcp_syncookies" = 1;
|
||
# Incomplete protection again TIME-WAIT assassination
|
||
"net.ipv4.tcp_rfc1337" = 1;
|
||
|
||
## TCP optimization
|
||
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
||
# data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
|
||
# both incoming and outgoing connections:
|
||
"net.ipv4.tcp_fastopen" = 3;
|
||
# Bufferbloat mitigations + slight improvement in throughput & latency
|
||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||
"net.core.default_qdisc" = "cake";
|
||
};
|
||
boot.kernelModules = [ "tcp_bbr" ];
|
||
|
||
# Harden SSH client
|
||
programs.ssh = {
|
||
# Known vulnerability. See
|
||
# https://security.stackexchange.com/questions/110639/how-exploitable-is-the-recent-useroaming-ssh-vulnerability
|
||
extraConfig = ''
|
||
Host *
|
||
UseRoaming no
|
||
'';
|
||
};
|
||
} |