[Init]

2023-04-12 20:32:07 +02:00
parent 10fbbc2654
commit a7ef5cf996
96 changed files with 5857 additions and 4 deletions
--- a/modules/battery_monitor.nix
+++ b/modules/battery_monitor.nix
@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+
+let conf = config.modules.battery_monitor;
+
+in {
+  options.modules.battery_monitor = with lib; {
+    enable = mkEnableOption "battery_monitor";
+  };
+
+  config = lib.mkIf conf.enable {
+    # Regularly check battery status
+    systemd.user.services.battery_monitor = {
+      wants = [ "display-manager.service" ];
+      wantedBy = [ "graphical-session.target" ];
+      script = ''
+        prev_val=100
+        check () { [[ $1 -ge $val ]] && [[ $1 -lt $prev_val ]]; }
+        notify () {
+          ${pkgs.libnotify}/bin/notify-send -a Battery "$@" \
+            -h "int:value:$val" "Discharging" "$val%, $remaining"
+        }
+        while true; do
+          IFS=: read _ bat0 < <(${pkgs.acpi}/bin/acpi -b)
+          IFS=\ , read status val remaining <<<"$bat0"
+          val=''${val%\%}
+          if [[ $status = Discharging ]]; then
+            echo "$val%, $remaining"
+            if check 30 || check 25 || check 20; then notify
+            elif check 15 || [[ $val -le 10 ]]; then notify -u critical
+            fi
+          fi
+          prev_val=$val
+          # Sleep longer when battery is high to save CPU
+          if [[ $val -gt 30 ]]; then sleep 10m; elif [[ $val -ge 20 ]]; then sleep 5m; else sleep 1m; fi
+        done
+      '';
+    };
+
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,13 @@
+{
+  ...
+}: {
+  imports = [
+    ./secret.nix
+    ./security.nix
+    ./udevd.nix
+    ./networking.nix
+    ./fonts.nix
+
+    ./battery_monitor.nix
+  ];
+}
--- a/modules/devshell.nix
+++ b/modules/devshell.nix
@ -0,0 +1,34 @@
+{ 
+    pkgs,
+    ...
+}:
+pkgs.mkShell {
+    buildInputs = with pkgs; [
+        #LANG & COMPILER
+        gcc (with llvmPackages; [ libcxxClang ])
+        gnumake cmake
+        go gotools
+        jdk gradle maven
+        kotlin
+        nodejs yarn-berry
+        crystal shards
+        python311Full virtualenv (with python311Packages; [ pip ]) pipenv
+        scala sbt
+
+        #LIBS
+        openssl pcre pcre2
+        ncurses patchelf zlib
+
+        #DBG & TOOLS
+        gdbgui valgrind
+        sox
+        docker-compose
+
+        #CUSTOM (custom...)
+    ];
+    shellHook = ''
+        export DEVSH="DEV"
+        export HTTP_PORT=8080
+        export HTTP_ADDR="0.0.0.0"
+    '';
+}
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@ -0,0 +1,34 @@
+{
+  pkgs,
+  ...
+}: {
+  
+  fonts = {
+    enableDefaultPackages = false;
+    fontDir.enable = true;
+    #fonts = with pkgs; [
+    packages = with pkgs; [
+      ibm-plex
+      lmmath
+      openmoji-color
+      material-design-icons
+
+      noto-fonts
+      unifont
+    ];
+
+    fontconfig = {
+      enable = true;
+      allowBitmaps = true;
+      defaultFonts = {
+        monospace = [ "IBM Plex Mono" "Openmoji" "Material Design Icons"];
+        serif = [ "IBM Plex Sans" "Openmoji" "Material Design Icons"];
+        sansSerif = [ "IBM Plex Sans" "Openmoji" "Material Design Icons"];
+        emoji = [ "Openmoji" ];
+      };
+      
+      hinting.style = "medium"; 
+    #  hinting.style = "hintfull";
+    };
+  };
+}
--- a/modules/greetd.nix
+++ b/modules/greetd.nix
@ -0,0 +1,16 @@
+{
+  ...
+}: {
+  services.greetd = {
+    enable = true;
+    settings = rec {
+      initial_session = {
+        command = "zsh";
+        user = "sora";
+      };
+      default_session = initial_session;
+    };
+  };
+}
+
+
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -0,0 +1,67 @@
+{
+  config,
+  ...
+}:
+{
+  networking = {
+
+    hostName = config.hostcfg.hostname;
+    useDHCP = true;
+    nameservers = [ "1.1.1.1" "9.9.9.9" ];
+    supplicant = {
+      "${config.hostcfg.wlp_if}" = {
+        configFile.path = config.sops.secrets.wifi.path;
+        extraConf = ''
+          network={
+            ssid="test"
+            psk="12345678"
+          }
+          network={
+            ssid="WIFIonICE"
+          }
+          network={
+            ssid="JR-EAST_FREE_Wi-Fi"
+          }
+          network={
+            ssid="JR-WEST_FREE_Wi-Fi"
+          }
+          network={
+            ssid="tabinohotel"
+            psk="tabinohotel"
+          }
+          network={
+            ssid="comforthotel" 
+            psk="comforthotel"
+          }
+          network={
+            ssid="sotetsu-hotels" 
+            psk="sotetsux"
+          }
+        '';
+      };
+    };
+
+    firewall = {
+      enable = true;
+    };
+
+    wireguard = {
+      enable = true;
+      interfaces = {
+        wg0 = {
+          ips = [ config.hostcfg.wg_ip4 config.hostcfg.wg_ip6 ];
+          privateKeyFile = config.hostcfg.wg_pk;
+          listenPort = 1515;
+          peers = [{
+            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+            endpoint = "vpn.helcel.net:1515";
+            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+            persistentKeepalive = 30;
+          }];
+        };
+      };
+    };
+
+  };
+
+}
--- a/modules/secret.nix
+++ b/modules/secret.nix
@ -0,0 +1,24 @@
+{
+  config,
+  ...
+}:{
+  sops.defaultSopsFile = ../secrets/common.yaml;
+  sops.age.keyFile = "/var/lib/sops-nix/age-key.txt"; #opt/nixflake/secrets/age-key.txt;
+  sops.age.generateKey = true;
+
+  sops.secrets.wifi = {};
+  
+  sops.secrets."${config.hostcfg.hostname}_ssh_priv" = {
+    mode = "0400";
+    owner = config.users.users.sora.name;
+    group = config.users.users.sora.group;
+  };
+  sops.secrets."${config.hostcfg.hostname}_ssh_pub" = {
+    mode = "0400";
+    owner = config.users.users.sora.name;
+    group = config.users.users.sora.group;
+  };
+  sops.secrets."${config.hostcfg.hostname}_wg_priv" = {};
+  sops.secrets."${config.hostcfg.hostname}_wg_pub" = {};
+
+}
--- a/modules/security.nix
+++ b/modules/security.nix
@ -0,0 +1,50 @@
+# security tweaks borrowed from @hlissner
+{
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're on a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+  boot.kernelModules = ["tcp_bbr"];
+
+  # So we don't have to do this later...
+  security.acme = {
+    acceptTerms = true;
+  };
+}
+
--- a/modules/tlp.nix
+++ b/modules/tlp.nix
@ -0,0 +1,11 @@
+{...}:{
+    services.tlp = {
+        enable = true;
+        settings = {
+            START_CHARGE_THRESH_BAT0 = 75;
+            STOP_CHARGE_THRESH_BAT0 = 90;
+            CPU_SCALING_GOVERNOR_ON_AC = "performance";
+            CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+        };
+    };
+}
--- a/modules/udevd.nix
+++ b/modules/udevd.nix
@ -0,0 +1,15 @@
+{
+  ...
+}: {
+  systemd.services.systemd-udevd.restartIfChanged = false;
+
+  services.udev.extraRules = ''
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0106", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0128", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="010a", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0102", GROUP="plugdev", TAG+="uaccess"
+  SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0313", GROUP="plugdev", TAG+="uaccess"
+  '';
+}