initial commit

This commit is contained in:
gwg313 2026-04-15 18:26:05 -04:00
commit ebc1be5217
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
143 changed files with 7721 additions and 0 deletions


@ -0,0 +1,34 @@
{ ... }:
{
config.dendritic.features.containers-podman = {
nixosModules = [
(
{ pkgs, ... }:
{
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
environment.systemPackages = with pkgs; [
buildah # Tool for building OCI (Open Container Initiative) and Docker container images.
distrobox # Lightweight utility for running Linux distributions in containers.
dive # A tool for exploring a Docker image, allowing inspection of layer contents.
grype # A vulnerability scanner for container images and filesystems.
hadolint # Dockerfile linter to analyze and enforce best practices in containerization.
podman-compose # Podman plugin for managing multi-container applications.
podman-tui # Text-based user interface (TUI) for Podman, facilitating container management.
syft # Open-source tool for scanning and analyzing container images for software composition and vulnerabilities.
];
}
)
];
};
}


@ -0,0 +1,45 @@
{ ... }:
{
config.dendritic.features.audio = {
nixosModules = [
(
{ pkgs, ... }:
{
# Enable sound with pipewire.
services.pulseaudio.enable = false;
# hardware.alsa.enablePersistence = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
extraConfig.pipewire.adjust-sample-rate = {
"context.properties" = {
"default.clock.rate" = 192000;
#"defautlt.allowed-rates" = [ 192000 48000 44100 ];
"defautlt.allowed-rates" = [ 192000 ];
#"default.clock.quantum" = 32;
#"default.clock.min-quantum" = 32;
#"default.clock.max-quantum" = 32;
};
};
};
environment.systemPackages = with pkgs; [
pipewire
wireplumber
easyeffects
pavucontrol
];
}
)
];
};
}
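Review bot: The `"defautlt.allowed-rates"` key on the active line (and on the commented variant above it) is misspelled, so PipeWire never sees the allowed-rates restriction and only `default.clock.rate` takes effect; the property is `default.clock.allowed-rates`. Change the line to `"default.clock.allowed-rates" = [ 192000 ];` and fix the commented line the same way. Pinning a single 192 kHz rate also forces every other source to be resampled rather than followed, so confirm that is the intent before enabling it.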


@ -0,0 +1,22 @@
{ ... }:
{
config.dendritic.features.bluetooth = {
nixosModules = [
(
{ lib, ... }:
{
services.blueman.enable = true;
hardware.bluetooth = {
enable = lib.mkForce true;
powerOnBoot = true;
};
services.upower = {
enable = true;
};
}
)
];
};
}
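Review bot: `enable = lib.mkForce true` lets this feature module silently win over any host-level `hardware.bluetooth.enable = false`, so a host that opts out of Bluetooth to shrink its radio attack surface cannot actually do so. Unless a conflicting definition is known to exist, a plain `enable = true;` is sufficient; if the force is needed, add a comment naming what it overrides, e.g. `# mkForce: overrides the laptop profile's default of false`. `powerOnBoot = true` additionally turns the radio on before any user session exists; consider leaving it off and powering on from blueman on demand.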


@ -0,0 +1,148 @@
{ ... }:
{
config.dendritic.features.dolphin.homeModules = [
(
{ pkgs, config, ... }:
let
user = config.dendritic.current.primaryUser;
placesXbel = ''
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xbel>
<xbel version="1.0"
xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks">
<bookmark href="file:///home/${user}/Documents">
<title>Documents</title>
<info>
<metadata owner="http://freedesktop.org">
<bookmark:icon name="folder-documents"/>
<bookmark:isSystemItem>false</bookmark:isSystemItem>
</metadata>
</info>
</bookmark>
<bookmark href="file:///home/${user}/Downloads">
<title>Downloads</title>
<info>
<metadata owner="http://freedesktop.org">
<bookmark:icon name="folder-download"/>
<bookmark:isSystemItem>false</bookmark:isSystemItem>
</metadata>
</info>
</bookmark>
<bookmark href="file:///home/${user}/repos">
<title>Repositories</title>
<info>
<metadata owner="http://freedesktop.org">
<bookmark:icon name="folder-git"/>
<bookmark:isSystemItem>false</bookmark:isSystemItem>
</metadata>
</info>
</bookmark>
</xbel>
'';
in
{
home.packages = with pkgs; [
kdePackages.dolphin
kdePackages.kio
kdePackages.kio-extras
kdePackages.kio-fuse
kdePackages.ark
kdePackages.ffmpegthumbs
kdePackages.kdegraphics-thumbnailers
# whitesur-icon-theme
];
# Helps some non-KDE apps pick Dolphin for directory browsing.
xdg.mimeApps = {
enable = true;
defaultApplications = {
"inode/directory" = [ "org.kde.dolphin.desktop" ];
};
};
# Dolphin / KDE bookmarks ("Places" in the sidebar).
home.file.".local/share/user-places.xbel".text = placesXbel;
# Optional: keep GTK bookmarks too, for apps that still use them.
gtk.gtk3.bookmarks = [
"file:///home/${user}/Documents Documents"
"file:///home/${user}/Downloads Downloads"
"file:///home/${user}/repos Repositories"
];
# Basic KDE config so Dolphin behaves sanely outside Plasma.
xdg.configFile."kdeglobals".text = ''
[Icons]
Theme=WhiteSur
[KDE]
SingleClick=false
'';
# Dolphin settings.
xdg.configFile."dolphinrc".text = ''
[General]
BrowseThroughArchives=true
ShowFullPath=false
ShowSpaceInfo=true
ShowZoomSlider=true
[KFileDialog Settings]
Places Icons Auto-resize=false
Places Icons Static Size=22
[MainWindow]
MenuBar=Disabled
ToolBarsMovable=Disabled
[PreviewSettings]
Plugins=appimagethumbnail,audiothumbnail,blenderthumbnail,comicbookthumbnail,directorythumbnail,ebookthumbnail,exrthumbnail,fontthumbnail,gvsthumbnail,htmlthumbnail,imagethumbnail,jpegthumbnail,opendocumentthumbnail,postscriptthumbnail,rawthumbnail,svgthumbnail,windowsexethumbnail
[UiSettings]
ShowStatusBar=false
ShowZoomSlider=true
'';
# File dialog / view settings.
xdg.configFile."kiorc".text = ''
[Confirmations]
ConfirmDelete=true
ConfirmEmptyTrash=true
[Executable scripts]
behaviourOnLaunch=alwaysAsk
'';
# Optional: make Ark the preferred archive app in many cases.
xdg.desktopEntries.ark = {
name = "Ark";
exec = "ark %U";
terminal = false;
categories = [
"Qt"
"KDE"
"Utility"
"Archiving"
];
mimeType = [
"application/zip"
"application/x-tar"
"application/x-compressed-tar"
"application/x-bzip-compressed-tar"
"application/x-xz-compressed-tar"
"application/x-7z-compressed"
"application/x-rar"
];
};
home.sessionVariables = {
XDG_ICON_DIR = "${pkgs.whitesur-icon-theme}/share/icons/WhiteSur";
};
}
)
];
}
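Review bot: The `Plugins=` list under `[PreviewSettings]` in `dolphinrc` enables every available thumbnailer, including `windowsexethumbnail`, `appimagethumbnail` and `exrthumbnail`, and these run automatically on whatever lands in the bookmarked Downloads folder, so each one is file-parser attack surface fed by untrusted input. Trim the list to the formats that are actually previewed and drop the executable-format thumbnailers, with a comment such as `# Previews parse untrusted downloads; keep this list minimal`. Separately, `XDG_ICON_DIR` references `pkgs.whitesur-icon-theme` while the package is commented out of `home.packages`, so `Theme=WhiteSur` in `kdeglobals` may not resolve — confirm that is intended.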


@ -0,0 +1,29 @@
{ ... }:
{
config.dendritic.features.earlyoom = {
nixosModules = [
(
{ ... }:
{
services.earlyoom = {
enable = true;
freeMemThreshold = 15;
freeSwapThreshold = 10;
extraArgs = [
"-g"
"--sort-by-rss"
"--avoid"
"^(niri|ghostty|systemd|qemu-system.*)"
"--prefer"
"^(brave|electron|chromium|firefox|libreoffice|gimp|podman|conmon)"
];
};
}
)
];
};
}


@ -0,0 +1,21 @@
{ ... }:
{
config.dendritic.features.gnupg-agent = {
nixosModules = [
(
{ pkgs, ... }:
{
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-qt;
};
environment.sessionVariables = {
SSH_AUTH_SOCK = "/run/user/1000/gnupg/S.gpg-agent.ssh";
};
}
)
];
};
}
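Review bot: `SSH_AUTH_SOCK` is hard-coded to `/run/user/1000/gnupg/S.gpg-agent.ssh`, which is wrong for any account whose UID is not 1000 and, as far as the NixOS gnupg module goes, redundant with `enableSSHSupport = true`, which already exports the socket from `gpgconf --list-dirs agent-ssh-socket` when the variable is unset — the static value here defeats that check. Drop the `environment.sessionVariables` block; if an explicit value is really needed, derive it per user in a shell init hook, e.g. `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"`. Note also that `pinentry-qt` is a GUI pinentry, so the agent cannot prompt on a TTY or headless login without a fallback.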


@ -0,0 +1,90 @@
{ ... }:
{
config.dendritic.features.wm-niri = {
homeModules = [
(
{ pkgs, inputs, ... }:
{
imports = [
inputs.niri.homeModules.niri
../../home/programs/niri/settings.nix
../../home/programs/niri/keybinds.nix
../../home/programs/niri/rules.nix
../../home/programs/niri/autostart.nix
../../home/programs/niri/noctaliashell.nix
];
services.gnome-keyring.enable = true;
}
)
];
nixosModules = [
(
{ pkgs, lib, ... }:
{
imports = [
../../nixos/gui/xdg.nix
];
services.greetd =
let
niri-config = pkgs.writeText "niri-config" ''
hotkey-overlay {
skip-at-startup
}
environment {
GTK_USE_PORTAL "0"
GDK_DEBUG "no-portals"
}
// other settings
spawn-at-startup "sh" "-c" "${pkgs.greetd.regreet}/bin/regreet; pkill -f niri"
'';
in
{
enable = true;
settings = {
default_session = {
command = "niri -c ${niri-config}";
user = "greeter";
};
};
};
programs.regreet.enable = true;
# services.displayManager.enable = false;
# services.displayManager = {
# sddm = {
# package = pkgs.kdePackages.sddm;
# enable = true;
# wayland.enable = true;
# };
# };
# services.displayManager.gdm = {
# enable = false;
# wayland = true;
# };
services.displayManager.enable = lib.mkForce false;
services.xserver = {
enable = true;
xkb = {
variant = "";
layout = "us";
};
};
environment = {
variables = {
TERMINAL = "ghostty";
EDITOR = "nvim";
VISUAL = "nvim";
PAGER = "moar";
PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
};
};
}
)
];
};
}
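Review bot: The greeter session ends with `pkill -f niri`, which matches on the full command line and therefore kills every greeter-owned process whose argv contains the string `niri`, not just the compositor; the blast radius is limited because this runs as the `greeter` user, but it is still an imprecise shutdown. Prefer asking the compositor to exit through its own IPC, e.g. `spawn-at-startup "sh" "-c" "${pkgs.greetd.regreet}/bin/regreet; niri msg action quit --skip-confirmation"`, or at minimum `pkill -x niri`. The exact `niri msg` action name should be checked against the pinned niri input, since I cannot confirm it from here. `services.xserver.enable = true` also pulls a full X server stack into a Wayland-only login path; if it is only there for `xkb`, a comment saying so would help.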


@ -0,0 +1,36 @@
{ ... }:
{
config.dendritic.features = {
theme-home-stylix = {
includeInEmbeddedHomeManager = false;
homeModules = [
({ inputs, pkgs, ... }: {
imports = [
inputs.stylix.homeModules.stylix
];
stylix.enable = true;
stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-sulphurpool-light.yaml";
})
];
};
theme-system-stylix.nixosModules = [
({ inputs, pkgs, ... }: {
imports = [
inputs.stylix.nixosModules.stylix
];
stylix = {
enable = true;
base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-sulphurpool-light.yaml";
fonts = {
monospace = {
name = "JetBrainsMono Nerd Font";
};
};
};
})
];
};
}


@ -0,0 +1,36 @@
{ ... }:
{
config.dendritic.features.wayland = {
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wlr-randr
wl-clipboard
];
environment.sessionVariables = {
POLKIT_AUTH_AGENT = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
GSETTINGS_SCHEMA_DIR = "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas";
WLR_NO_HARDWARE_CURSORS = "1";
NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1";
SDL_VIDEODRIVER = "wayland";
_JAVA_AWT_WM_NONREPARENTING = "1";
CLUTTER_BACKEND = "wayland";
# WLR_RENDERER = "vulkan";
GTK_USE_PORTAL = "1";
#NIXOS_XDG_OPEN_USE_PORTAL = "1"; # Sets the desktop portal to use flatpak
WLR_NO_HARDWARE_CURSOR = "1";
GDK_BACKEND = "wayland";
QT_QPA_PLATFORM = "wayland;xcb";
QT_AUTO_SCREEN_SCALE_FACTOR = "1";
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
QT_QPA_PLATFORMTHEME = "qt5ct";
};
}
)
];
};
}
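Review bot: `WLR_NO_HARDWARE_CURSOR = "1"` near the end of the block is a misspelling of `WLR_NO_HARDWARE_CURSORS`, which is already set a few lines above; the singular form is not read by wlroots and only adds noise to every session environment. Remove the `WLR_NO_HARDWARE_CURSOR` line. `GTK_USE_PORTAL = "1"` is exported system-wide here while the greeter niri config in the wm-niri feature sets it to `0` for the greeter only; a comment such as `# the greetd session overrides this to 0, see wm-niri` would save the next reader a search.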


@ -0,0 +1,15 @@
{ ... }:
{
config.dendritic.features.developer-cli.nixosModules = [
(
{ pkgs, inputs, ... }:
{
imports = [ inputs.nix-index-database.nixosModules.default ];
environment.systemPackages = with pkgs; [ git ];
programs.command-not-found.enable = false;
programs.nix-index-database.comma.enable = true;
}
)
];
}


@ -0,0 +1,8 @@
{ ... }:
{
config.dendritic.features.editor-neovim.homeModules = [
({ pkgs, ... }: {
home.packages = with pkgs; [ neovim ];
})
];
}


@ -0,0 +1,18 @@
{ ... }:
{
config.dendritic.features.hardware-laptop = {
nixosModules = [
(
{ config, ... }:
{
networking.networkmanager.enable = true;
powerManagement.enable = true;
services.tlp.enable = true;
}
)
];
};
}

95
modules/features/nvim.nix Normal file

@ -0,0 +1,95 @@
{ inputs, ... }:
{
config.dendritic.features.editor-neovim.homeModules = [
({ pkgs, lib, ... }: {
imports = [
inputs.nvf.homeManagerModules.default
../home/programs/neovim/options.nix
../home/programs/neovim/languages.nix
../home/programs/neovim/picker.nix
../home/programs/neovim/snacks.nix
../home/programs/neovim/keymaps.nix
../home/programs/neovim/utils.nix
../home/programs/neovim/mini.nix
];
programs.nvf = {
enable = true;
settings.vim = {
startPlugins = with pkgs; [
vimPlugins.grug-far-nvim
vimPlugins.image-nvim
vimPlugins.vim-hoogle
vimPlugins.telescope_hoogle
vimPlugins.zk-nvim
vimPlugins.cyberdream-nvim
vimPlugins.octo-nvim
];
luaConfigRC.colorscheme = ''
vim.cmd.colorscheme("cyberdream-light")
'';
luaConfigRC.zk_nvim = ''
local ok, zk = pcall(require, "zk")
if not ok then return end
zk.setup({
picker = "select",
lsp = {
config = {
name = "zk",
cmd = { "zk", "lsp" },
filetypes = { "markdown" },
},
auto_attach = { enabled = true },
},
})
'';
};
settings.vim.augroups = [
{ name = "SwiftSetup"; }
];
settings.vim.autocmds = [
{
event = [ "FileType" ];
pattern = [ "swift" ];
group = "SwiftSetup";
desc = "Start sourcekit-lsp for Swift files";
callback = lib.generators.mkLuaInline ''
function()
local lspconfig = require("lspconfig")
for _, client in pairs(vim.lsp.get_active_clients()) do
if client.name == "sourcekit" then return end
end
lspconfig.sourcekit.setup({
cmd = { "sourcekit-lsp" },
filetypes = { "swift", "swiftpm" },
root_dir = lspconfig.util.root_pattern("Package.swift", ".git"),
})
end
'';
}
{
event = [ "BufWritePost" ];
pattern = [ "*.swift" ];
group = "SwiftSetup";
desc = "Format Swift files on save";
callback = lib.generators.mkLuaInline ''
function()
if vim.fn.executable("swift-format") == 1 then
vim.cmd("silent! noautocmd !swift-format -i %")
vim.cmd("checktime")
end
end
'';
}
];
};
})
];
}
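Review bot: `vim.cmd("silent! noautocmd !swift-format -i %")` in the BufWritePost callback hands the buffer name to a shell via `:!`, where `%` is expanded without quoting, so a path containing spaces, quotes or other shell metacharacters either fails to format or has those characters interpreted as shell syntax, and `silent!` hides the failure. Run the formatter without a shell instead: `vim.fn.system({ "swift-format", "-i", vim.fn.expand("%:p") })` followed by `vim.cmd("checktime")`, or at minimum use `%:S` so Vim shell-escapes the name. `vim.lsp.get_active_clients()` in the FileType callback is deprecated in recent Neovim in favour of `vim.lsp.get_clients()` — worth confirming against the neovim version nvf pins.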


@ -0,0 +1,23 @@
{ ... }:
{
config.dendritic.features.ops-k8s.homeModules = [ ];
config.dendritic.features.ops-k8s.nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
argocd # Declarative, GitOps continuous delivery tool for Kubernetes.
k3d # Lightweight utility to run Kubernetes clusters using Docker.
k9s # Kubernetes CLI to visually navigate and manage resources in clusters.
kind # Kubernetes IN Docker: Tool for running local Kubernetes clusters using Docker container nodes.
kubectl # Kubernetes command-line tool for interacting with clusters.
kubectx # Switch between Kubernetes contexts and namespaces with ease.
kubernetes-helm # Package manager for Kubernetes applications, simplifying deployment and management.
minikube # Local Kubernetes cluster for easy testing and development.
stern # Multi-container log tailing and streaming for Kubernetes.
];
}
)
];
}


@ -0,0 +1,59 @@
{ ... }:
{
config.dendritic.features.nh = {
homeModules = [
(
{ config, ... }:
let
NH_NO_CHECKS = "1";
configFor = flakePath: {
enable = true;
clean = {
enable = true;
extraArgs = "--keep 3 --keep-since 8d";
};
flake = flakePath;
};
in
{
home.sessionVariables = {
inherit NH_NO_CHECKS;
};
programs.nh = configFor "${config.home.homeDirectory}/nix-config";
}
)
];
nixosModules = [
(
{ config, ... }:
let
NH_NO_CHECKS = "1";
user = config.dendritic.current.primaryUser;
configFor = flakePath: {
enable = true;
clean = {
enable = true;
extraArgs = "--keep 3 --keep-since 8d";
};
flake = flakePath;
};
in
{
environment.variables = {
inherit NH_NO_CHECKS;
};
programs.nh = configFor "/home/${user}/nix-config";
}
)
];
};
}
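Review bot: `clean` with `--keep 3 --keep-since 8d` is enabled in both the home and the system module, so two timers prune overlapping targets, and the system-level one trims NixOS generations down to three, which caps how far a rollback can reach after a bad switch. Enable cleaning in one place — as far as I recall the NixOS module runs `nh clean all`, which already covers user profiles — and comment the retention trade-off, e.g. `# three generations ~ one week of rollback; raise before risky upgrades`. `NH_NO_CHECKS = "1"` disables nh's preflight checks in both modules without saying why; a one-line comment on what it suppresses would help the next reader decide whether it still applies.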


@ -0,0 +1,130 @@
{ ... }:
{
config.dendritic.features.browser-brave.homeModules = [
(
{ pkgs, ... }:
{
programs.brave = {
enable = true;
commandLineArgs = [
# Wayland Native
"--enable-features=UseOzonePlatform"
"--ozone-platform=wayland"
# Hardware Acceleration (NVIDIA optimized)
"--enable-accelerated-video-decode"
"--enable-gpu-rasterization"
"--enable-zero-copy"
"--ignore-gpu-blocklist"
# Performance
"--enable-features=VaapiVideoDecoder"
"--enable-features=VaapiVideoEncoder"
"--enable-features=CanvasOopRasterization"
"--disable-features=UseChromeOSDirectVideoDecoder"
# Privacy & Security
"--disable-features=MediaRouter" # Disable Chromecast
"--disable-features=OptimizationHints" # No Google suggestions
"--disable-features=AutofillSavePaymentMethods"
"--disable-background-networking" # No telemetry
"--disable-sync" # Manual sync control
# Wayland-specific fixes
"--disable-features=WaylandWpColorManagerV1" # Color management fix
# UI/UX
"--force-dark-mode" # Match Stylix theme
"--enable-features=WebUIDarkMode"
"--no-default-browser-check"
];
extensions = [
# let
# ids = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
"dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
"eimadpbcbfnmbkopoojfekhnkhdbieeh" # dark reader
"pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # privacy badger
"ghmbeldphafepmbegfdlkpapadhbakde" # proton pass
"mmjbdbjnoablegbkcklggeknkfcjkjia" # custom new tab page
];
# in
# map (id: { inherit id; }) ids;
};
xdg.configFile."BraveSoftware/Brave-Browser/Policies/managed/policy.json".text = builtins.toJSON {
BraveShieldsAdControl = 2;
BraveShieldsTrackersBlocked = 1;
BraveShieldsHttpsEverywhere = 1;
BraveRewardsDisabled = 1;
BraveWalletDisabled = 1;
BraveVPNDisabled = 1;
BraveAIChatEnabled = 0;
PasswordManagerEnabled = 0;
BravePlaylistEnabled = 0;
BraveWebDiscoveryEnabled = 0;
BraveStatsPingEnabled = 0;
DnsOverHttpsMode = "automatic";
BraveDarkMode = 1;
};
home.sessionVariables = {
DEFAULT_BROWSER = "${pkgs.brave}/bin/brave";
BROWSER = "${pkgs.brave}/bin/brave";
};
xdg.desktopEntries = {
brave-incognito = {
name = "Brave (Private window)";
genericName = "Navigateur Web";
exec = "brave --incognito";
icon = "brave-browser";
terminal = false;
categories = [
"Network"
"WebBrowser"
];
mimeType = [
"text/html"
"text/xml"
];
};
brave-tor = {
name = "Brave (Private window w/Tor)";
genericName = "Navigateur Web";
exec = "brave --tor";
icon = "brave-browser";
terminal = false;
categories = [
"Network"
"WebBrowser"
];
};
};
# =================================================================
# BRAVE SETTINGS (via brave://flags)
# =================================================================
# These need to be set manually in brave://flags on first launch:
# - Enable Tab Groups (UI)
# - Enable Parallel Downloading
# - Enable Reader Mode
# - GPU Rasterization: Enabled
# - Override software rendering list: Enabled
#
# Privacy settings (brave://settings/privacy):
# - Block trackers & ads: Aggressive
# - Block all fingerprinting
# - Upgrade connections to HTTPS
# - Block scripts: Off (breaks sites, use uBlock instead)
# - Block cookies: Only 3rd party
#
# Appearance (brave://settings/appearance):
# - Show home button: Off
# - Show bookmarks bar: Only on new tab
# - Use wide address bar: On
}
)
];
}
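Review bot: Chromium keeps only the last occurrence of a repeated switch, so the five `--enable-features=` and five `--disable-features=` entries in `commandLineArgs` collapse to `--enable-features=WebUIDarkMode` and `--disable-features=WaylandWpColorManagerV1`; every other toggle, including the privacy ones (`MediaRouter`, `OptimizationHints`, `AutofillSavePaymentMethods`), is silently dropped. Merge each into a single comma-separated switch: `"--enable-features=UseOzonePlatform,VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode"` and `"--disable-features=UseChromeOSDirectVideoDecoder,MediaRouter,OptimizationHints,AutofillSavePaymentMethods,WaylandWpColorManagerV1"`. Separately, as far as I know Brave on Linux reads managed policies only from `/etc/brave/policies/managed/`, not from the user's config directory, so the `policy.json` written under `~/.config/BraveSoftware/...` is probably never applied — check `brave://policy`, and if so move it to `environment.etc."brave/policies/managed/policy.json"` in a nixosModule. `DnsOverHttpsMode = "automatic"` also falls back to plaintext DNS on failure; `"secure"` is the hardened choice when the resolver is known.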


@ -0,0 +1,23 @@
{ ... }:
{
config.dendritic.features.cli-zoxide = {
homeModules = [
(
{ ... }:
{
programs.zoxide = {
enable = true;
enableZshIntegration = true;
};
programs.zsh = {
shellAliases = {
cd = "z";
};
};
}
)
];
};
}


@ -0,0 +1,150 @@
{ ... }:
{
config.dendritic.features.cli-zsh = {
homeModules = [
(
{ config, pkgs, ... }:
{
programs.zsh = {
enable = true;
enableCompletion = true;
autosuggestion.enable = true;
syntaxHighlighting.enable = true;
syntaxHighlighting.highlighters = [
"main"
"brackets"
"pattern"
"regexp"
"root"
"line"
];
historySubstringSearch.enable = true;
shellAliases = {
update = "sudo nixos-rebuild switch";
clean = "nix-collect-garbage -d";
repair = "nix-store --repair --verify --check-contents";
reload = "source ~/.zshrc";
"." = "cd ../";
".." = "cd ../../";
"..." = "cd ../../../";
"...." = "cd ../../../../";
ps = "procs";
grep = "rg";
cat = "bat --theme=base16 --color=always --paging=never --tabs=2 --wrap=never --plain";
vim = "nvim";
# Default flags
rm = "rm -i";
chmod = "chmod -R";
cp = "cp -R -i -v";
mv = "mv -i -v";
mkdir = "mkdir -p -v";
df = "df -h";
du = "du -h -s";
dd = "dd status=progress bs=4M conv=fdatasync ";
wgetpaste = "wgetpaste -Xx";
sudo = "sudo "; # Makes sudo work with es
ssh = "TERM=xterm ssh"; # Fixes some issues with ssh on some terminals
wget = "wget -c";
ping = "ping -c 5";
ftp = "ftp -p";
# Misc alieses I use often
ports = "ss -tulanp";
rmd = "rm -rf";
mine = "sudo chown -R $(whoami):users";
benchmark = "hyperfine --warmup 3 ";
c = "clear";
listen = "lsof -P -i -n";
octal = "stat -c '%a %n'";
f = "$(pay-respects zsh)";
};
history = {
size = 10000;
path = "${config.xdg.dataHome}/zsh/history";
};
initContent = ''
eval "$(pay-respects zsh --alias)"
# search history based on what's typed in the prompt
autoload -U history-search-end
zle -N history-beginning-search-backward-end history-search-end
zle -N history-beginning-search-forward-end history-search-end
bindkey "^[OA" history-beginning-search-backward-end
bindkey "^[OB" history-beginning-search-forward-end
# General completion behavior
zstyle ':completion:*' completer _extensions _complete _approximate
# Use cache
zstyle ':completion:*' use-cache on
zstyle ':completion:*' cache-path "$XDG_CACHE_HOME/zsh/.zcompcache"
# Complete the alias
zstyle ':completion:*' complete true
# Autocomplete options
zstyle ':completion:*' complete-options true
# Completion matching control
zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
zstyle ':completion:*' keep-prefix true
# Group matches and describe
zstyle ':completion:*' menu select
zstyle ':completion:*' list-grouped false
zstyle ':completion:*' list-separator '''
zstyle ':completion:*' group-name '''
zstyle ':completion:*' verbose yes
zstyle ':completion:*:matches' group 'yes'
zstyle ':completion:*:warnings' format '%F{red}%B-- No match for: %d --%b%f'
zstyle ':completion:*:messages' format '%d'
zstyle ':completion:*:corrections' format '%B%d (errors: %e)%b'
zstyle ':completion:*:descriptions' format '[%d]'
# Colors
zstyle ':completion:*' list-colors ''${(s.:.)LS_COLORS}
# case insensitive tab completion
zstyle ':completion:*:*:cd:*' tag-order local-directories directory-stack path-directories
zstyle ':completion:*:*:cd:*:directory-stack' menu yes select
zstyle ':completion:*:-tilde-:*' group-order 'named-directories' 'path-directories' 'users' 'expand'
zstyle ':completion:*:*:-command-:*:*' group-order aliases builtins functions commands
zstyle ':completion:*' special-dirs true
zstyle ':completion:*' squeeze-slashes true
# Sort
zstyle ':completion:*' sort false
zstyle ":completion:*:git-checkout:*" sort false
zstyle ':completion:*' file-sort modification
zstyle ':completion:*:eza' sort false
zstyle ':completion:complete:*:options' sort false
zstyle ':completion:files' sort false
autoload -U compinit && compinit
export CARAPACE_BRIDGES='zsh,fish,bash,inshellisense' # optional
zstyle ':completion:*' format $'\e[2;37mCompleting %d\e[m'
source <(carapace _carapace)
zstyle ':completion:*:git:*' group-order 'main commands' 'alias commands' 'external commands'
'';
};
home.packages = with pkgs; [
fastfetch
pay-respects
];
}
)
];
};
}
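Review bot: `chmod = "chmod -R"` makes every interactive `chmod` recursive, so `chmod 600 ~/.ssh` or `chmod 755 some_dir` silently rewrites the mode of everything underneath, and a mistyped path applied to `~` or `/` is not recoverable; `mine = "sudo chown -R $(whoami):users"` carries the same risk with root privileges. Drop the `chmod` alias (type `-R` when it is meant) or rename it to something explicit like `chmodr`, and add a comment on `mine` warning that it recurses. The `f = "$(pay-respects zsh)"` alias also appears redundant with `eval "$(pay-respects zsh --alias)"` in `initContent`, which defines the default alias itself, and the static alias will shadow whatever that eval produces.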


@ -0,0 +1,20 @@
{ ... }:
{
config.dendritic.features.dev-devenv = {
homeModules = [
(
{ pkgs, ... }:
{
home.packages = with pkgs; [
cachix
devenv
];
programs.direnv.enable = true;
programs.direnv.nix-direnv.enable = true;
}
)
];
};
}


@ -0,0 +1,136 @@
{ ... }:
{
config.dendritic.features.filemanager-yazi = {
homeModules = [
(
{ pkgs, lib, ... }:
{
programs.yazi = {
enable = true;
enableZshIntegration = true;
shellWrapperName = "y";
plugins = {
starship = pkgs.yaziPlugins.starship;
full-border = pkgs.yaziPlugins.full-border;
chmod = pkgs.yaziPlugins.chmod;
compress = pkgs.yaziPlugins.compress;
smart-paste = pkgs.yaziPlugins.smart-paste;
smart-enter = pkgs.yaziPlugins.smart-enter;
smart-filter = pkgs.yaziPlugins.smart-filter;
};
settings = {
yazi = {
ratio = [
1
4
3
];
sort_by = "natural";
sort_sensitive = true;
sort_reverse = false;
sort_dir_first = true;
linemode = "none";
show_hidden = true;
show_symlink = true;
};
preview = {
image_filter = "lanczos3";
image_quality = 90;
tab_size = 1;
max_width = 600;
max_height = 900;
cache_dir = "";
ueberzug_scale = 1;
ueberzug_offset = [
0
0
0
0
];
};
tasks = {
micro_workers = 5;
macro_workers = 10;
bizarre_retry = 5;
};
};
initLua = ''
require("starship"):setup()
require("full-border"):setup()
require("smart-enter"):setup {
open_multi = true,
}
'';
keymap = {
mgr.prepend_keymap = [
{
on = [
"c"
"a"
"a"
];
run = "plugin compress";
desc = "Archive selected files";
}
{
on = [
"c"
"a"
"p"
];
run = "plugin compress -p";
desc = "Archive selected files (password)";
}
{
on = [
"c"
"a"
"h"
];
run = "plugin compress -ph";
desc = "Archive selected files (password+header)";
}
{
on = [
"c"
"a"
"l"
];
run = "plugin compress -l";
desc = "Archive selected files (compression level)";
}
{
on = [
"c"
"a"
"u"
];
run = "plugin compress -phl";
desc = "Archive selected files (password+header+level)";
}
{
on = "p";
run = "plugin smart-paste";
desc = "Paste into the hovered directory or CWD";
}
{
on = "l";
run = "plugin smart-enter";
desc = "Enter the child directory, or open the file";
}
{
on = "F";
run = "plugin smart-filter";
desc = "Smart filter";
}
];
};
};
}
)
];
};
}


@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.git-lazygit = {
homeModules = [
(
{ config, lib, ... }:
let
accent = "#${config.lib.stylix.colors.base0D}";
muted = "#${config.lib.stylix.colors.base03}";
in
{
programs.lazygit = {
enable = true;
settings = lib.mkForce {
disableStartupPopups = true;
notARepository = "skip";
promptToReturnFromSubprocess = false;
update.method = "never";
git = {
commit.signOff = true;
overrideGpg = true;
};
gui = {
theme = {
activeBorderColor = [
accent
"bold"
];
inactiveBorderColor = [ muted ];
};
showListFooter = false;
showRandomTip = false;
showCommandLog = false;
showBottomLine = false;
nerdFontsVersion = "3";
};
};
};
}
)
];
};
}


@ -0,0 +1,38 @@
{ ... }:
{
config.dendritic.features.terminal-ghostty = {
homeModules = [
(
{ pkgs, lib, ... }:
{
programs.ghostty = {
enable = true;
enableZshIntegration = true;
installVimSyntax = true;
settings = {
window-padding-x = 10;
window-padding-y = 10;
auto-update = "off";
working-directory = "home";
window-inherit-working-directory = false; # avoid inheritance
keybinds = [ ];
# background-opacity = 0.8;
background-opacity = 1;
confirm-close-surface = false;
font-family = lib.mkForce "Comic Code Ligatures";
# font-family = lib.mkForce "Terminus";
font-size = 14;
gtk-titlebar = false;
# theme = "Teerb";
};
};
home.packages = with pkgs; [
ueberzugpp
terminus_font_ttf
];
}
)
];
};
}


@ -0,0 +1,27 @@
{ ... }:
{
config.dendritic.features.proton.homeModules = [
(
{ pkgs, ... }:
{
home.packages = with pkgs; [
proton-vpn
proton-pass
proton-authenticator
];
# Fix Proton Authenticator desktop entry
xdg.desktopEntries = {
"Proton Authenticator" = {
name = "Proton Authenticator";
exec = "env WEBKIT_DISABLE_COMPOSITING_MODE=1 ${pkgs.proton-authenticator}/bin/proton-authenticator";
icon = "proton-authenticator";
type = "Application";
categories = [ "Utility" ];
terminal = false;
};
};
}
)
];
}


@ -0,0 +1,34 @@
{ ... }:
{
config.dendritic.features = {
secrets-home-sops.homeModules = [
({ inputs, config, ... }: {
imports = [
inputs.sops-nix.homeModules.sops
];
sops.defaultSopsFile = ../../secrets/users/${config.dendritic.current.primaryUser}.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
sops.secrets."user/test" = {
path = ".config/secrets/test";
};
})
];
secrets-system-sops.nixosModules = [
({ inputs, config, ... }: {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = ../../secrets/hosts/${config.dendritic.current.hostName}.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/${config.dendritic.current.primaryUser}/.config/sops/age/keys.txt";
sops.secrets."system/example" = { };
})
];
};
}
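Review bot: The system-level `sops.age.keyFile` points into `/home/<primaryUser>/.config/sops/age/keys.txt`, so root decrypts host secrets at activation with a key owned by an unprivileged user: that user (or anything running as them) can read every host secret, deleting or rotating the file breaks `nixos-rebuild switch`, and activation fails outright if `/home` is encrypted or not mounted yet. Give the host its own identity instead, e.g. `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or a root-only `sops.age.keyFile = "/var/lib/sops-nix/key.txt";`, and encrypt the host yaml to that recipient. The home module's `path = ".config/secrets/test"` is a relative path; confirm what sops-nix resolves it against, since the NixOS module expects absolute paths.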


@ -0,0 +1,22 @@
{ ... }:
{
config.dendritic.features.security-auditd = {
nixosModules = [
(
{ ... }:
{
# start as early in the boot process as possible
boot.kernelParams = [ "audit=1" ];
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
# Log all program executions on 64-bit architecture
"-a exit,always -F arch=b64 -S execve"
];
}
)
];
};
}
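Review bot: The single rule `-a exit,always -F arch=b64 -S execve` misses 32-bit executions and `execveat`, so a process that runs a 32-bit binary or uses `execveat(2)` (what `fexecve` and some loaders call) leaves no exec record — a well-known audit gap. Add the matching rules: `"-a exit,always -F arch=b64 -S execve,execveat"` and `"-a exit,always -F arch=b32 -S execve,execveat"`. Consider documenting that the rule set is left unlocked (no `-e 2`) so that NixOS can reapply rules on every switch, since the flip side is that anything running as root can clear them with `auditctl -D`.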


@ -0,0 +1,17 @@
{ ... }:
{
config.dendritic.features.security-firewall = {
nixosModules = [
(
{ ... }:
{
networking.nftables.enable = true;
networking.firewall = {
enable = true;
};
}
)
];
};
}


@ -0,0 +1,102 @@
{ ... }:
{
config.dendritic.features.security-kernel-hardened = {
nixosModules = [
(
{ pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_hardened;
security = {
protectKernelImage = true;
lockKernelModules = false; # this breaks iptables, wireguard, and virtd
# force-enable the Page Table Isolation (PTI) Linux kernel feature
forcePageTableIsolation = true;
# User namespaces are required for sandboxing.
# this means you cannot set `"user.max_user_namespaces" = 0;` in sysctl
allowUserNamespaces = true;
# Disable unprivileged user namespaces, unless containers are enabled
# unprivilegedUsernsClone = true;
allowSimultaneousMultithreading = true;
};
boot.kernelParams = [
# make it harder to influence slab cache layout
"slab_nomerge"
# enables zeroing of memory during allocation and free time
# helps mitigate use-after-free vulnerabilaties
"init_on_alloc=1"
"init_on_free=1"
# randomizes page allocator freelist, improving security by
# making page allocations less predictable
"page_alloc.shuffel=1"
# enables Kernel Page Table Isolation, which mitigates Meltdown and
# prevents some KASLR bypasses
"pti=on"
# randomizes the kernel stack offset on each syscall
# making attacks that rely on a deterministic stack layout difficult
"randomize_kstack_offset=on"
# disables vsyscalls, they've been replaced with vDSO
"vsyscall=none"
# disables debugfs, which exposes sensitive info about the kernel
"debugfs=off"
# certain exploits cause an "oops", this makes the kernel panic if an "oops" occurs
"oops=panic"
# only alows kernel modules that have been signed with a valid key to be loaded
# making it harder to load malicious kernel modules
# can make VirtualBox or Nvidia drivers unusable
"module.sig_enforce=1"
# prevents user space code excalation
"lockdown=confidentiality"
# "rd.udev.log_level=3"
# "udev.log_priority=3"
];
boot.blacklistedKernelModules = [
# Obscure networking protocols
"dccp"
"sctp"
"rds"
"tipc"
"n-hdlc"
"ax25"
"netrom"
"x25"
"rose"
"decnet"
"econet"
"af_802154"
"ipx"
"appletalk"
"psnap"
"p8023"
"p8022"
"can"
"atm"
# Various rare filesystems
"cramfs"
"freevxfs"
"jffs2"
"hfs"
"hfsplus"
"udf"
# Not so rare filesystems
"squashfs"
"cifs"
"nfs"
"nfsv3"
"nfsv4"
"ksmbd"
"gfs2"
# vivid driver is only useful for testing purposes and has been the
# cause of privilege escalation vulnerabilities
"vivid"
];
}
)
];
};
}
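Review bot: `"page_alloc.shuffel=1"` is misspelled, so the kernel ignores it (it will appear under "Unknown kernel command line parameters" in dmesg) and page-allocator freelist randomization is never enabled; the parameter is `page_alloc.shuffle=1` (effective only if `CONFIG_SHUFFLE_PAGE_ALLOCATOR` is set, which should be confirmed for `linuxPackages_hardened`). Two comments also overstate what is configured: `lockdown=confidentiality` blocks userspace from reading kernel memory and forbids unsigned modules rather than "preventing user space code escalation", and `module.sig_enforce=1` only bites if the kernel has `CONFIG_MODULE_SIG` and the modules are actually signed — worth verifying on NixOS before relying on it, since unsigned modules plus enforcement would refuse every driver load. Note too that `boot.blacklistedKernelModules` only blocks alias-based autoloading; to stop an explicit `modprobe dccp` as well, pair it with `boot.extraModprobeConfig = "install dccp ${pkgs.coreutils}/bin/false";` per module.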


@ -0,0 +1,33 @@
{ ... }:
{
config.dendritic.features.security-malware-clamav = {
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
clamav
];
services.clamav = {
daemon.enable = true;
updater.enable = true;
updater.frequency = 12; # Number of database checks per day
scanner = {
enable = true;
# 4:00 AM
interval = "*-*-* 04:00:00";
scanDirectories = [
"/home"
"/var/lib"
"/tmp"
"/etc"
"/var/tmp"
];
};
};
}
)
];
};
}


@ -0,0 +1,87 @@
{ ... }:
{
config.dendritic.features.security-ssh-client = {
nixosModules = [
(
{ ... }:
{
programs.ssh = {
# disable unnecessary forwardings
forwardX11 = false;
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
];
macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
kexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
extraConfig = "
# disable unnecessary forwardings
ForwardAgent no
ForwardX11Trusted no
GatewayPorts no
Tunnel no
# disable unnecessary authentication methods
ChallengeResponseAuthentication no
HostbasedAuthentication no
# define authentication methods to be used
PasswordAuthentication yes
PubkeyAuthentication yes
PreferredAuthentications publickey,password
# disable pre-connection compression as it could cause security issues
Compression no
# in addition to checking a host's hostname, also check the host's IP address
# this provides extra safety against DNS spoofing attacks
CheckHostIP yes
# ask the user if the user wants to accept the new host's host key
StrictHostKeyChecking ask
# hash the entries in the known_hosts file to prevent disclosure
# of the file's content
HashKnownHosts yes
# send a keepalive message to the server when the session has been idle for 60 seconds
# this prevents/detects connection timeouts
ServerAliveInterval 60
# increase the number of password retries
NumberOfPasswordPrompts 5
# display an ASCII art of the server's host key
VisualHostKey yes
";
};
}
)
];
};
}
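Review bot: Under "disable unnecessary authentication methods" the `extraConfig` block still leaves `PasswordAuthentication yes` with `PreferredAuthentications publickey,password` and raises `NumberOfPasswordPrompts` to 5, so a client whose key is rejected by a host the user has wrongly accepted will type the password up to five times; the server module in this same commit disables password auth entirely, so the two sides disagree. If the fallback is wanted for specific hosts, set `PasswordAuthentication no` globally and re-enable it under a `Host` block. `ChallengeResponseAuthentication no` is a deprecated alias of `KbdInteractiveAuthentication` (OpenSSH 8.7+) and turning it off also breaks PAM/2FA prompts on servers that use keyboard-interactive — confirm that is intended. The comment about removing CTR modes for Terrapin is slightly off: Terrapin targets ChaCha20-Poly1305 and CBC-EtM, and with only GCM ciphers left the `macs` list is never consulted because GCM is AEAD.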


@ -0,0 +1,177 @@
{ ... }:
{
config.dendritic.features = {
security-ssh-server-hardening.nixosModules = [
(
{ config, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
# ignoreIP = [
# "172.16.0.0/12"
# "192.168.0.0/16"
# "2601:881:8100:8de0:31e6:ac52:b5be:462a"
# "matrix.org"
# "app.element.io" # don't ratelimit matrix users
# ];
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
# https://www.ssh-audit.com/hardening_guides.html
# https://github.com/jtesta/ssh-audit
services.openssh = {
enable = true;
settings = {
########## Features ##########
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding = false;
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding = true;
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding = false;
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding = false;
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts = "no";
# prevent tun device forwarding
PermitTunnel = false;
# suppress MOTD
PrintMotd = false;
# disable X11 forwarding since it is not necessary
X11Forwarding = false;
########## Authentication ##########
# AllowUsers = ["${user}"];
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
HostbasedAuthentication = false;
# enable pubkey authentication
PubkeyAuthentication = true;
# Forbid root login through SSH.
PermitRootLogin = "no";
# nix enables pam by default
# UsePAM = false;
# challenge-response authentication backend it not configured by default
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
ChallengeResponseAuthentication = false;
# set maximum authentication retries to prevent brute force attacks
MaxAuthTries = 3;
# disallow connecting using empty passwords
PermitEmptyPasswords = false;
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
Macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
KexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
# hostKeyAlgorithms = [
# "rsa-sha2-512"
# "rsa-sha2-256"
# "ssh-ed25519"
# ];
########## Connection Preferences ##########
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol = 2;
# number of client alive messages sent without client responding
ClientAliveCountMax = 2;
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval = 300;
# compression before encryption might cause security issues
Compression = false;
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts = true;
# log verbosely for addtional information
LogLevel = "VERBOSE";
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions = 2;
# let ClientAliveInterval handle keepalive
TCPKeepAlive = false;
# disable reverse DNS lookups
# UseDNS = false;
};
extraConfig = ''
########## Features ##########
# accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
########## Connection Preferences ##########
# disable reverse DNS lookups
UseDNS no
########## Disable GSS ##########
GSSAPIAuthentication no
'';
};
}
)
];
};
}
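Review bot: `AllowTcpForwarding = true;` in the Features block contradicts the comment directly above it, which says TCP forwarding is being prevented; either the value or the comment is wrong, and in a server-hardening module the value is the more likely slip (`AllowTcpForwarding = false;`, or rewrite the comment to say why it stays enabled). `Protocol = 2;` is harmless but obsolete — current OpenSSH releases have no SSHv1 and treat the keyword as deprecated — so the five-line justification could shrink to one line. `UseDNS no` and `GSSAPIAuthentication no` live in `extraConfig` while the same keys could sit in the typed `settings` attrset next to the commented-out `UseDNS`; since sshd honours the first occurrence of a keyword, keeping everything under `settings` avoids a later `settings.UseDns` definition silently winning over the extraConfig line.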


@ -0,0 +1,24 @@
{ ... }:
{
config.dendritic.features.security-sudo-rs = {
nixosModules = [
(
{ config, ... }:
let
user = config.dendritic.current.primaryUser;
in
{
security = {
sudo.enable = false;
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = true;
};
};
}
)
];
};
}
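Review bot: The `let user = config.dendritic.current.primaryUser; in` binding and the `config` module argument are unused here — nothing in the `security` attrset references `user`. Dropping both and using `{ ... }:` as the argument pattern, like the sibling sysctl modules, keeps the file honest about its inputs.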


@ -0,0 +1,50 @@
{ ... }:
{
config.dendritic.features.security-usbguard = {
nixosModules = [
(
{
config,
pkgs,
lib,
...
}:
let
user = config.dendritic.current.primaryUser;
in
{
services.usbguard = {
enable = true;
IPCAllowedUsers = [
"root"
user
];
# presentDevicePolicy refers to how to treat USB devices
# that are already connected when the daemon starts
presentDevicePolicy = "allow";
rules = lib.mkBefore ''
# allow `only` devices with mass storage interfaces (USB Mass Storage)
allow with-interface equals { 08:*:* }
# allow mice and keyboards
# allow with-interface equals { 03:*:* }
# Reject devices with suspicious combination of interfaces
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
'';
};
environment.systemPackages = with pkgs; [
usbguard
usbguard-notifier
];
}
)
];
};
}
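Review bot: `presentDevicePolicy = "allow"` authorises every device that is already attached when usbguardd starts, so the `reject with-interface all-of { 08:*:* ... }` rules below never apply to anything present at boot; `presentDevicePolicy = "apply-policy"` evaluates the same rule set against those devices. The trade-off is that a keyboard present at boot then needs a matching rule, and the `allow with-interface equals { 03:*:* }` line that would cover it is commented out, so whichever policy is chosen should be explained in the comment above `presentDevicePolicy`. `lib.mkBefore` places these rules ahead of any rules another module contributes, and usbguard applies the first matching rule, which is worth one comment at `rules =`.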


@ -0,0 +1,18 @@
# Breaks tracing and perf tools
{ ... }:
{
config.dendritic.features.security-sysctl-bpf = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
"net.core.bpf_jit_harden" = 2;
};
}
)
];
};
}


@ -0,0 +1,17 @@
# Restricts dmesg
{ ... }:
{
config.dendritic.features.security-sysctl-debug = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
};
}
)
];
};
}


@ -0,0 +1,29 @@
{ ... }:
{
config.dendritic.features.security-sysctl-kernel = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 4;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
};
}
)
];
};
}
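Review bot: The key `"dev.tty.ldisk_autoload"` is misspelled — the kernel tunable is `dev.tty.ldisc_autoload` — so the setting is never applied and systemd-sysctl will most likely log a failure for it at boot; change it to `"dev.tty.ldisc_autoload" = 0;`. The comment `# prevent pointer leaks` above it describes `kernel.kptr_restrict` (which lives in the sysctl-debug module), not the line-discipline key it precedes, and the following comment has a typo (`certian`); moving the pointer-leak comment next to the key it belongs to would stop it misleading a reader.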


@ -0,0 +1,54 @@
{ ... }:
{
config.dendritic.features.security-sysctl-network = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Disable TCP SACK
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
};
}
)
];
};
}
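Review bot: Several comments in this attrset have drifted away from the keys they describe: `# prevent man-in-the-middle attacks` sits above `net.ipv4.icmp_echo_ignore_all` while the redirect settings it refers to are further up, `# ignore ICMP request, helps avoid Smurf attacks` sits above `net.ipv4.conf.all.forwarding`, and `# Reverse path filtering causes the kernel to do source validation of` is an unfinished sentence above the IPv6 forwarding key although rp_filter is set near the top. Reordering the comments so each precedes its key would make the module reviewable. Two values deserve comments of their own: `net.ipv4.icmp_echo_ignore_all = 1` makes the host unreachable to ping (monitoring may depend on it), and `net.ipv4.tcp_fack` was, as far as I know, removed from the kernel several releases ago, so on a current kernel that line most likely only produces an error at boot.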


@ -0,0 +1,16 @@
# Breaks Debuggers
{ ... }:
{
config.dendritic.features.security-sysctl-ptrace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = 2;
};
}
)
];
};
}


@ -0,0 +1,12 @@
# Enable on server not dev machines
{ ... }:
{
config.dendritic.features.security-sysctl-strict = {
features = [
"security-sysctl-ptrace"
"security-sysctl-bpf"
"security-sysctl-debug"
"security-sysctl-userns"
];
};
}


@ -0,0 +1,16 @@
# Can break containers and flatpaks
{ ... }:
{
config.dendritic.features.security-sysctl-userns = {
nixosModules = [
(
{ lib, ... }:
{
boot.kernel.sysctl = lib.mkForce {
"kernel.unprivileged_userns_clone" = 0;
};
}
)
];
};
}
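Review bot: `lib.mkForce` is applied to the whole `boot.kernel.sysctl` attrset rather than to the single value, so when this feature is enabled every other `boot.kernel.sysctl` definition in the configuration — the kernel, network and userspace modules, and whatever NixOS itself sets — is discarded and only `kernel.unprivileged_userns_clone` survives. Moving the override onto the value, `"kernel.unprivileged_userns_clone" = lib.mkForce 0;`, keeps the merge with the sibling modules and still wins over the `= 1` set by the userspace module.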


@ -0,0 +1,35 @@
{ ... }:
{
config.dendritic.features.security-sysctl-userspace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# 0 breaks browsers
"kernel.unprivileged_userns_clone" = 1;
"vm.mmap_min_addr" = 65536;
"vm.swappiness" = 10;
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
};
}
)
];
};
}
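Review bot: `"kernel.exec-shield" = 1;` refers to a tunable that, to my knowledge, only exists in old Red Hat kernels carrying the Exec-Shield patch set and not in mainline Linux, so on NixOS this entry will fail to apply at boot; the protection it promises is already provided by `kernel.randomize_va_space = 2` and NX, so removing the line (or noting in its comment that it is a no-op on mainline kernels) avoids a misleading entry. `vm.swappiness = 10` is a performance tunable rather than hardening and would read better in a non-security module or with a comment explaining why it is here.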


@ -0,0 +1,21 @@
{ ... }:
{
config.dendritic.features.security-sysctl = {
features = [
"security-sysctl-kernel"
"security-sysctl-network"
"security-sysctl-userspace"
];
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.kernel-hardening-checker ];
}
)
];
};
}


@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-console = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-console.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}
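Review bot: This `serviceConfig` block is identical to the one in the `security-systemd-ask-password-wall` section that follows, so the two will drift apart the first time one is adjusted; a shared attrset — one feature that sets both `systemd.services.systemd-ask-password-console` and `...-wall` from a single `let hardening = { ... }; in` — would keep them in step. Both blocks also omit `SystemCallArchitectures = "native";`, which most sibling units set. For the console variant, `PrivateDevices = true` together with `DevicePolicy = "closed"` should be checked against the unit's need to write to `/dev/console`; I would confirm the prompt still appears on a real boot before enabling the feature by default.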


@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-wall = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-wall.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}


@ -0,0 +1,51 @@
{ ... }:
{
config.dendritic.features.security-systemd-auditd = {
nixosModules = [
(
{ ... }:
{
systemd.services.auditd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
ProtectClock = true;
PrivateTmp = true;
PrivateNetwork = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@clock"
"~@module"
"~@mount"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}


@ -0,0 +1,28 @@
{ ... }:
{
config.dendritic.features.security-systemd-bluetooth = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.bluetooth.serviceConfig = lib.mkForce {
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@swap"
"~@reboot"
"~@mount"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}
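Review bot: `lib.mkForce { ... }` wraps the entire `serviceConfig` attrset, so any `serviceConfig` keys the NixOS bluetooth module defines at normal priority (as far as I recall it overrides ExecStart and sets capability and path settings) are discarded rather than merged, leaving the unit with only these sandboxing keys. If the intent is to override specific conflicting keys, apply `lib.mkForce` to those values individually and let the rest merge. The feature is also absent from `security-systemd.features`, and that module sets `hardware.bluetooth.enable = false`, so this file is dead configuration until one of those changes; a header comment saying so would help.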


@ -0,0 +1,50 @@
{ ... }:
{
config.dendritic.features.security-systemd-dbus = {
nixosModules = [
(
{ ... }:
{
systemd.services.dbus.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
PrivateMounts = true;
PrivateDevices = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@resources"
"~@debug"
"~@mount"
"~@reboot"
"~@swap"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}
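Review bot: `ProtectSystem = "stric";` is a typo — systemd rejects the unknown value when parsing the unit and logs that it is ignoring it, so the one setting that makes `/usr`, `/etc` and `/boot` read-only silently does nothing; it should be `ProtectSystem = "strict";`. The same typo appears in the `security-systemd-getty` section. `UMask = 0077;` is a Nix decimal literal (Nix has no octal literals, so it is the integer 77) that serialises as `UMask=77`; systemd parses UMask as octal so this happens to yield 0o077, but `UMask = "0077";` states the intent without relying on that coincidence.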


@ -0,0 +1,49 @@
{ ... }:
{
config.dendritic.features.security-systemd-getty = {
nixosModules = [
(
{ ... }:
{
systemd.services."getty@".serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
PrivateMounts = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@clock"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
UMask = 0077;
};
}
)
];
};
}


@ -0,0 +1,18 @@
{ ... }:
{
config.dendritic.features.security-systemd-journald = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-journald.serviceConfig = {
NoNewPrivileges = true;
ProtectProc = "invisible";
ProtectHostname = true;
PrivateMounts = true;
};
}
)
];
};
}


@ -0,0 +1,33 @@
{ ... }:
{
config.dendritic.features.security-systemd-machined = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-machined.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateUsers = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [ "AF_UNIX" ];
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
};
}
)
];
};
}


@ -0,0 +1,38 @@
{ ... }:
{
config.dendritic.features.security-systemd-ncsd = {
nixosModules = [
(
{ ... }:
{
systemd.services.nscd.serviceConfig = {
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
RestrictRealtime = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@mount"
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}
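Review bot: The feature is named `security-systemd-ncsd` while the unit it hardens is `systemd.services.nscd`; the aggregator list in `security-systemd` repeats the misspelling, so it resolves, but renaming both to `security-systemd-nscd` saves the next reader a search. Recent NixOS releases, as far as I know, run the nsncd implementation under the same `nscd.service` name, so a comment stating which daemon this syscall filter and capability set were validated against is useful.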


@ -0,0 +1,47 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager-dispatcher = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager-dispatcher.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
}
)
];
};
}
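Review bot: `"ptrace"` in `SystemCallFilter` lacks the `~` prefix the other entries carry, so it does not join the deny list — NixOS emits one `SystemCallFilter=` line per list element, and as I read systemd's filter parsing a non-negated entry following a deny-list removes that call from the deny list rather than adding it, leaving ptrace allowed. It should be `"~ptrace"`, or `"~@debug"` if the whole group is meant. The same entry appears in the `security-systemd-networkmanager` section.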


@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager.serviceConfig = {
NoNewPrivileges = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
};
}
)
];
};
}


@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-nix-daemon = {
nixosModules = [
(
{ ... }:
{
systemd.services.nix-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateDevices = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [ "~cgroup" ];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET6"
"AF_INET"
];
CapabilityBoundingSet = [
"~CAP_SYS_CHROOT"
"~CAP_BPF"
"~CAP_AUDIT_WRITE"
"~CAP_AUDIT_CONTROL"
"~CAP_AUDIT_READ"
"~CAP_SYS_PTRACE"
"~CAP_SYS_NICE"
"~CAP_SYS_RESOURCE"
"~CAP_SYS_RAWIO"
"~CAP_SYS_TIME"
"~CAP_SYS_PACCT"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_WAKE_ALARM"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_LEASE"
"~CAP_BLOCK_SUSPEND"
"~CAP_MAC_ADMIN"
"~CAP_MAC_OVERRIDE"
];
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@resources"
"~@module"
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@cpu-emulation"
"~@clock"
"~@raw-io"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}
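Review bot: `~CAP_SYS_CHROOT` in `CapabilityBoundingSet` and `~@resources` in `SystemCallFilter` both touch code paths the Nix build sandbox uses — the sandbox is set up with chroot/pivot_root and the builder's resource limits are adjusted — so with `sandbox = true` this unit may fail builds in ways that only show up at build time. `PrivateDevices = true` together with `DevicePolicy = "closed"` also hides `/dev/kvm`, which builds that run VM tests need. I have not confirmed which of these nix-daemon requires in the current release, so this is a request to verify with a sandboxed build (and one that needs KVM) before enabling the feature by default, recording the outcome in a comment above `CapabilityBoundingSet`.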


@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-reload-vconsole = {
nixosModules = [
(
{ ... }:
{
systemd.services.reload-systemd-vconsole-setup.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}


@ -0,0 +1,48 @@
{ ... }:
{
config.dendritic.features.security-systemd-rescue = {
nixosModules = [
(
{ ... }:
{
systemd.services.rescue.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
"~@resources"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}
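Review bot: `ProtectSystem = "full"` and `PrivateNetwork = true` on `rescue.service` constrain the very shell meant for repairing the system: `/etc` and `/usr` become read-only and the rescue shell has no network, so editing a broken configuration or fetching a fix from that prompt will not work. If that is intended, a comment stating that the rescue shell is deliberately read-only and naming the intended recovery path should accompany these keys; otherwise drop those two and keep the syscall and capability restrictions.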


@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-rtkit = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.rtkit-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}


@ -0,0 +1,42 @@
{ ... }:
{
config.dendritic.features.security-systemd-sshd = {
nixosModules = [
(
{ ... }:
{
systemd.services.sshd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
DevicePolicy = "closed";
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}
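Review bot: Everything in this `serviceConfig` is inherited by the login sessions sshd forks, not only by the daemon: `ProtectSystem = "strict"` and `ProtectHome = "read-only"` give every SSH user a read-only filesystem including their home, `NoNewPrivileges = true` prevents `sudo`/`sudo-rs` from gaining privileges in those sessions, and `PrivateDevices` with `DevicePolicy = "closed"` hides `/dev/kvm` and similar from them. That effectively breaks interactive use of the server this configuration hardens elsewhere. Keep the daemon-only settings (`ProtectKernelTunables`, `ProtectKernelModules`, `SystemCallArchitectures`, ...) and drop the filesystem, device and `NoNewPrivileges` restrictions, or confirm with a test login and a `sudo` invocation that sessions still behave as expected.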


@ -0,0 +1,23 @@
{ ... }:
{
config.dendritic.features.security-systemd-udevd = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-udevd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
CapabilityBoundingSet = "~CAP_SYS_PTRACE ~CAP_SYS_PACCT";
};
}
)
];
};
}
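Review bot: `ProtectSystem = "strict"` makes the whole filesystem except `/dev`, `/proc` and `/sys` read-only for systemd-udevd, yet udevd keeps its device database and control socket under `/run/udev` as far as I know; without a matching `ReadWritePaths = [ "/run/udev" ];` (or a `RuntimeDirectory`) device event processing is likely to fail at boot. Upstream's unit hardens udevd without `ProtectSystem`, so either add the read-write path next to it or drop the key, and note the decision in a comment.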


@ -0,0 +1,41 @@
{ ... }:
{
config.dendritic.features.security-systemd-user = {
nixosModules = [
(
{ ... }:
{
systemd.services."user@".serviceConfig = {
ProtectSystem = "strict";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_BLUETOOTH"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@debug"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}
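Review bot: `user@.service` is the per-user service manager, so every key here applies to all user services and session processes it starts: `ProtectSystem = "strict"` gives every user session a read-only filesystem and `PrivateNetwork = true` removes networking from all user services, which presumably is why the aggregator leaves `security-systemd-user` commented out. A header comment stating that, and naming those two keys as the blockers, would stop someone enabling it without noticing.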


@ -0,0 +1,58 @@
{ ... }:
{
config.dendritic.features.security-systemd = {
features = [
"security-systemd-ask-password-console"
"security-systemd-ask-password-wall"
"security-systemd-auditd"
# "security-systemd-dbus" using dbus-broker
"security-systemd-display-manager"
# "security-systemd-getty"
"security-systemd-journald"
"security-systemd-machined"
"security-systemd-ncsd"
"security-systemd-networkmanager"
"security-systemd-networkmanager-dispatcher"
"security-systemd-nix-daemon"
"security-systemd-reload-vconsole"
"security-systemd-rescue"
"security-systemd-rtkit"
"security-systemd-sshd"
"security-systemd-udevd"
#"security-systemd-user"
];
nixosModules = [
(
{ lib, ... }:
{
services = {
# mDNS/DNS-SD
avahi.enable = false;
# Geoclue (location services)
geoclue2.enable = false;
# udisks2.enable = false;
# accounts-daemon.enable = lib.mkDefault false;
};
# Only needed for WWAN/3G/4G modems, otherwise it runs `mmcli` unnecessarily
networking.modemmanager.enable = false;
# Bluetooth has a long history of vulnerabilities
hardware.bluetooth.enable = false;
# Prefer manual upgrades on a hardened system
system.autoUpgrade.enable = false;
systemd.coredump.enable = false;
# ➡️ Sets the kernel's resource limit (ulimit -c 0)
security.pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
}
)
];
};
}
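Review bot: The `{ lib, ... }` argument is unused — the only reference to `lib` is inside the commented-out `accounts-daemon` line — so the pattern can be `{ ... }:` like the other modules. The feature list spells the nscd entry `security-systemd-ncsd`, matching the misspelled feature name; if that feature is renamed, this list must change with it. The trailing `# "security-systemd-dbus" using dbus-broker` and `#"security-systemd-user"` entries would be clearer with a short reason each, since the user@ one is disabled because of what it would do to sessions rather than because of a substitute implementation.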


@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-display-manager = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.display-manager.serviceConfig = {
ProtectSystem = "full";
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateIPC = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [
"~cgroup"
];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
];
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@clock"
"~@swap"
"~@module"
"~@reboot"
"~@raw-io"
"~@debug"
];
SystemCallArchitectures = "native";
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
CapabilityBoundingSet = [
"CAP_SYS_ADMIN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SETPCAP"
"CAP_KILL"
"CAP_SYS_TTY_CONFIG"
"CAP_DAC_OVERRIDE"
"CAP_DAC_READ_SEARCH"
"CAP_FOWNER"
"CAP_IPC_OWNER"
"CAP_FSETID"
"CAP_SETFCAP"
"CAP_CHOWN"
];
DeviceAllow = "/dev/tty7 rw";
DevicePolicy = "closed";
UMask = 0077;
LogLevelMax = "debug";
KeyringMode = lib.mkForce "private";
};
}
)
];
};
}
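Review bot: `LogLevelMax = "debug"` is the loosest possible setting — it caps logging at debug, i.e. allows everything through — and does not belong among hardening keys; it looks like a debugging leftover and should be removed or commented as deliberate. `DevicePolicy = "closed"` with only `DeviceAllow = "/dev/tty7 rw"` means the display manager itself cannot open DRM or input devices, which works only if the compositor or X server obtains them through logind's device handover; if that is how this setup runs, say so in a comment above `DeviceAllow`, because a display manager that opens the devices itself may fail here. `KeyringMode = lib.mkForce "private"` overrides some other definition; a comment naming what it conflicts with would help.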


@ -0,0 +1,41 @@
{ ... }:
{
config.dendritic.features.shell = {
features = [
"filemanager-yazi"
"cli-zoxide"
"git-lazygit"
"cli-zsh"
];
homeModules = [
(
{ pkgs, ... }:
{
programs.home-manager.enable = true;
programs.zsh.enable = true;
home.packages = with pkgs; [ ripgrep ];
}
)
../home/programs/starship.nix
../home/programs/eza.nix
../home/programs/bat.nix
../home/programs/carapace.nix
../home/programs/fzf.nix
../home/programs/btop.nix
../home/programs/atuin.nix
../home/programs/broot.nix
];
nixosModules = [
(
{ config, pkgs, ... }:
{
programs.zsh.enable = true;
users.users.${config.dendritic.current.primaryUser}.shell = pkgs.zsh;
}
)
];
};
}


@ -0,0 +1,16 @@
{ ... }:
{
config.dendritic.features.networkmanager = {
nixosModules = [
(
{ ... }:
{
networking.networkmanager = {
enable = true;
wifi.scanRandMacAddress = true;
};
}
)
];
};
}


@ -0,0 +1,45 @@
{ ... }:
{
config.dendritic.features.ntp-chrony = {
nixosModules = [
(
{ ... }:
{
services.chrony = {
enable = true;
enableNTS = true;
servers = [
"time.cloudflare.com iburst nts"
"ntppool1.time.nl iburst nts"
"nts.netnod.se iburst nts"
"ptbtime1.ptb.de iburst nts"
"time.dfm.dk iburst nts"
"time.cifelli.xyz iburst nts"
];
# havent worked out the kinks yet
# extraConfig = ''
# minsources 3
# authselectmode require
# # EF
# dscp 46
# driftfile /var/lib/chrony/drift
# dumpdir /var/lib/chrony
# ntsdumpdir /var/lib/chrony
# leapseclist /usr/share/zoneinfo/leap-seconds.list
# makestep 1.0 3
# rtconutc
# cmdport 0
# noclientlog
# '';
};
}
)
];
};
}


@ -0,0 +1,36 @@
{ ... }:
{
config.dendritic.features.system-nix = {
nixosModules = [
(
{ config, ... }:
let
user = config.dendritic.current.primaryUser;
in
{
nixpkgs.config.allowUnfree = true;
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
download-buffer-size = 262144000;
trusted-users = [ user ];
warn-dirty = false;
accept-flake-config = true;
};
services.fstrim.enable = true;
time.timeZone = "America/Toronto";
}
)
];
};
}
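Review bot: `trusted-users = [ user ];` hands the primary user full control over nix-daemon — a trusted user can disable the sandbox, add substituters and signing keys, or point at another store — which is root-equivalent on the machine; on a hardened configuration it is better removed, with any substituters that user needs declared system-wide in `trusted-substituters`/`trusted-public-keys`. `accept-flake-config = true;` compounds that: every flake evaluated with it silently applies the `nixConfig` it ships, including extra substituters and keys, without the interactive prompt, which is a supply-chain exposure. Both deserve at least a comment stating the accepted risk.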


@ -0,0 +1,41 @@
{ ... }:
{
config.dendritic.features.system-services = {
nixosModules = [
(
{ ... }:
{
users.groups.netdev = { };
services = {
dbus.implementation = "broker";
logrotate = {
enable = true;
settings = {
header = {
dateext = true;
};
"var/log/audit/audit.log" = {
frequency = "daily";
rotate = 3;
size = "100k";
};
};
};
journald = {
storage = "volatile"; # Store logs in memory
upload.enable = false; # Disable remote log upload (the default)
extraConfig = ''
SystemMaxUse=500M
SystemMaxFileSize=50M
'';
};
};
}
)
];
};
}
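Review bot: The logrotate entry key `"var/log/audit/audit.log"` is missing its leading `/`, so logrotate is handed a relative path and will never rotate the audit log; it should be `"/var/log/audit/audit.log"`. `journald.storage = "volatile"` keeps the journal in memory only, so each reboot erases the log history an incident investigation would rely on; if that is deliberate on a workstation, a comment saying so and pointing at auditd's log as the persistent record is worth adding, since the accompanying `SystemMaxUse`/`SystemMaxFileSize` limits suggest persistent storage was once intended.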


@ -0,0 +1,63 @@
{ ... }:
{
config.dendritic.features.virtualization-libvirt = {
nixosModules = [
(
{ config, pkgs, ... }:
let
user = config.dendritic.current.primaryUser;
in
{
networking.firewall.trustedInterfaces = [ "virbr0" ];
boot.kernelModules = [ "kvm-amd" ];
environment.systemPackages = with pkgs; [
virt-manager
virtiofsd
vagrant
];
users.users.${user} = {
extraGroups = [
"libvirtd"
"qemu-libvirtd"
"kvm"
];
};
# Allow VM to run as non-root without ulimit
security.pam.loginLimits = [
{
domain = "${user}";
type = "soft";
item = "memlock";
value = "20000000";
}
{
domain = "${user}";
type = "hard";
item = "memlock";
value = "20000000";
}
];
virtualisation.libvirtd = {
enable = true;
# qemu.ovmf.enable = true;
# qemu.runAsRoot = false;
onBoot = "ignore";
onShutdown = "shutdown";
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
};
};
users.extraGroups.libvirtd.members = [ "${user}" ];
}
)
];
};
}
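Review bot: `qemu.runAsRoot = true;` runs every guest's QEMU process as root, so a VM escape lands directly in root on the host; the commented-out `qemu.runAsRoot = false` above it is the safer setting and should be the live one unless a specific passthrough requires root, in which case a comment should name it. `networking.firewall.trustedInterfaces = [ "virbr0" ]` disables the host firewall for guests, which sits uneasily with running them as root and deserves a comment on why guests need unrestricted host access. The `libvirtd` group is granted twice — in `users.users.${user}.extraGroups` and again via `users.extraGroups.libvirtd.members` — so one of them can go, and `boot.kernelModules = [ "kvm-amd" ]` hard-codes the vendor, which a comment should flag as AMD-specific.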