add grymforge

common/networking/zerotier.nix

@@ -8,12 +8,14 @@
 }: {
   services.zerotierone = {
     joinNetworks = [
-      "48d6023c46b60a94"
+      "ebe7fbd445359e9d"
     ];
     enable = true;
   };
 
   networking.extraHosts = ''
     192.168.194.241 nothing.zt
+    192.168.191.213 candlekeep.zt
+    192.168.191.168 grymforge.zt
   '';
 }

flake.nix

@@ -117,6 +117,16 @@
       };
     };
 
+    nixosConfigurations = {
+      grymforge = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit user inputs outputs;};
+        modules = [
+          # > Our main nixos configuration file <
+          ./hosts/grymforge/configuration.nix
+        ];
+      };
+    };
+
     # Standalone home-manager configuration entrypoint
     # Available through 'home-manager --flake .#your-username@your-hostname'
     homeConfigurations = {
@@ -131,6 +141,18 @@
       };
     };
 
+    homeConfigurations = {
+      "gwg313@grymforge" = home-manager.lib.homeManagerConfiguration {
+        pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+        extraSpecialArgs = {inherit inputs outputs;};
+        modules = [
+          # > Our main home-manager configuration file <
+          ./home-manager/machines/grymforge.nix
+          inputs.stylix.homeManagerModules.stylix
+        ];
+      };
+    };
+
     homeConfigurations = {
       "gwg313@dorino" = home-manager.lib.homeManagerConfiguration {
         pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance

home-manager/machines/grymforge.nix

@@ -0,0 +1,113 @@
+# This is your home-manager configuration file
+# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  # You can import other home-manager modules here
+  imports = [
+    # If you want to use modules your own flake exports (from modules/home-manager):
+    # outputs.homeManagerModules.example
+
+    # Or modules exported from other flakes (such as nix-colors):
+    # inputs.nix-colors.homeManagerModules.default
+
+    # You can also split up your configuration and import pieces of it here:
+    # ./nvim.nix
+    ../modules/common.nix
+    ../modules/hyprland.nix
+    ../modules/common-gui.nix
+    ../modules/linux-gui.nix
+    ../modules/devenv.nix
+  ];
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+      # Add overlays your own flake exports (from overlays and pkgs dir):
+      outputs.overlays.additions
+      outputs.overlays.modifications
+      outputs.overlays.unstable-packages
+
+      # You can also add overlays exported from other flakes:
+      # neovim-nightly-overlay.overlays.default
+      (final: prev: {
+        neovim = inputs.neovim-config.packages."x86_64-linux".default;
+      })
+      # Or define it inline, for example:
+      # (final: prev: {
+      #   hi = final.hello.overrideAttrs (oldAttrs: {
+      #     patches = [ ./change-hello-to-hi.patch ];
+      #   });
+      # })
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+      # Workaround for https://github.com/nix-community/home-manager/issues/2942
+      allowUnfreePredicate = _: true;
+    };
+  };
+
+  home = {
+    username = "gwg313";
+    homeDirectory = "/home/gwg313";
+  };
+
+  stylix = {
+    base16Scheme = "${pkgs.base16-schemes}/share/themes/tokyo-night-terminal-storm.yaml";
+    image = ./wallpaper.jpg;
+    autoEnable = true;
+
+    opacity.terminal = 1.0;
+    fonts.sizes.terminal = 20;
+
+    fonts = {
+      serif = {
+        package = pkgs.meslo-lgs-nf;
+        name = "MesloLGS NF";
+      };
+
+      sansSerif = {
+        package = pkgs.meslo-lgs-nf;
+        name = "MesloLGS NF";
+      };
+
+      monospace = {
+        package = pkgs.ibm-plex;
+        name = "IBM Plex Mono";
+      };
+
+      emoji = {
+        package = pkgs.noto-fonts-emoji;
+        name = "Noto Color Emoji";
+      };
+    };
+    cursor = {
+      package = pkgs.bibata-cursors;
+      name = "Bibata-Modern-Classic";
+      size = 20;
+    };
+  };
+
+  # Add stuff for your user as you see fit:
+  # programs.neovim.enable = true;
+  home.packages = with pkgs; [
+    openvpn
+  ];
+
+  # Enable home-manager and git
+  programs.home-manager.enable = true;
+  programs.git.enable = true;
+
+  # Nicely reload system units when changing configs
+  systemd.user.startServices = "sd-switch";
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  home.stateVersion = "23.05";
+}

hosts/grymforge/auditd.nix

@@ -0,0 +1,7 @@
+{...}: {
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve"
+  ];
+}

hosts/grymforge/configuration.nix

@@ -0,0 +1,131 @@
+# This is your system's configuration file.
+# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  user,
+  ...
+}: {
+  # You can import other NixOS modules here
+  imports = [
+    # If you want to use modules your own flake exports (from modules/nixos):
+    # outputs.nixosModules.example
+    ../../common/nixos/common.nix
+    ../../common/networking/zerotier.nix
+    ../../common/nixos/bluetooth.nix
+    ../../common/nixos/restic.nix
+    ../../common/nixos/ssh.nix
+    ../../common/gui/hyprland.nix
+    ../../common/gui/thunar.nix
+    ../../common/style/stylix.nix
+    ../../common/virtualization/podman.nix
+    ../../common/virtualization/kubernetes.nix
+    ../../common/virtualization/libvirt.nix
+
+    ./auditd.nix
+    ./kernel.nix
+    ./sysctl.nix
+    ./earlyoom.nix
+
+    # Or modules from other flakes (such as nixos-hardware):
+    # inputs.hardware.nixosModules.common-cpu-amd
+    # inputs.hardware.nixosModules.common-ssd
+    inputs.nix-index-database.nixosModules.nix-index
+    inputs.stylix.nixosModules.stylix
+    inputs.sops-nix.nixosModules.sops
+    # You can also split up your configuration and import pieces of it here:
+    # ./users.nix
+
+    # Import your generated (nixos-generate-config) hardware configuration
+    ./hardware-configuration.nix
+  ];
+
+  # Bootloader.
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.luks.devices."luks-276bd2e3-9d6d-4df6-9155-3684907b48f0".device = "/dev/disk/by-uuid/276bd2e3-9d6d-4df6-9155-3684907b48f0";
+  };
+
+  # sops
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
+  };
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+      # Add overlays your own flake exports (from overlays and pkgs dir):
+      outputs.overlays.additions
+      outputs.overlays.modifications
+      outputs.overlays.unstable-packages
+
+      # You can also add overlays exported from other flakes:
+      # neovim-nightly-overlay.overlays.default
+
+      # Or define it inline, for example:
+      # (final: prev: {
+      #   hi = final.hello.overrideAttrs (oldAttrs: {
+      #     patches = [ ./change-hello-to-hi.patch ];
+      #   });
+      # })
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+    };
+  };
+
+  # This will add each flake input as a registry
+  # To make nix3 commands consistent with your flake
+  nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
+
+  # This will additionally add your inputs to the system's legacy channels
+  # Making legacy nix commands consistent as well, awesome!
+  nix.nixPath = ["/etc/nix/path"];
+  environment.etc =
+    lib.mapAttrs'
+    (name: value: {
+      name = "nix/path/${name}";
+      value.source = value.flake;
+    })
+    config.nix.registry;
+
+  networking.hostName = "grymforge";
+  networking.networkmanager.enable = true;
+
+  users.users = {
+    gwg313 = {
+      initialPassword = "correcthorsebatterystaple";
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
+      ];
+      extraGroups = ["wheel"];
+    };
+  };
+
+  environment = {
+    loginShellInit = ''
+      if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
+        exec Hyprland
+      fi
+    ''; # Will automatically open Hyprland when logged into tty1
+    variables = {
+      TERMINAL = "alacritty";
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+      PAGER = "moar";
+    };
+  };
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  system.stateVersion = "23.05";
+}

hosts/grymforge/earlyoom.nix

@@ -0,0 +1,12 @@
+{
+  services.earlyoom = {
+    enable = true;
+    freeSwapThreshold = 2;
+    freeMemThreshold = 2;
+    extraArgs = [
+      "-g"
+      "--avoid '^(.Hyrpland-wrapp|alacritty|zerotier-one|.waybar-wrapped)$'"
+      "--prefer '^(electron|libreoffice|gimp|Isolated Web Co)$'"
+    ];
+  };
+}

hosts/grymforge/hardware-configuration.nix

@@ -0,0 +1,47 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ../../common/nixos/nfs.nix
+  ];
+
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/c4c90d75-9f16-45a2-94f8-dd0ba0fecc43";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-35f61924-e22a-458a-841c-9cc8dc3e35e4".device = "/dev/disk/by-uuid/35f61924-e22a-458a-841c-9cc8dc3e35e4";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2ECE-9C7E";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/04f457e4-1bd2-417f-bcb7-f8b770e71c21";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/grymforge/kernel.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  stdenv,
+  ...
+}: {
+  boot.kernelPackages = pkgs.linuxPackages_hardened;
+  boot.kernelParams = [
+    # Disable slab merging to prevent heap exploitation
+    "slab_nomerge"
+    # Enable zeroing memory during allocation and free time
+    "init_on_alloc=1"
+    "init_on_free=1"
+    # Randomize page allocator freelists
+    "page_alloc.shuffle=1"
+    # Mitigations
+    "pti=on"
+
+    "vsyscall=none"
+    "debugfs=off"
+    "oops=panic"
+
+    # Enable lockdown LSM
+    "lockdown=confidentiality"
+  ];
+}

hosts/grymforge/sysctl.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # Restrict kernel pointers
+    "kernel.kptr_restrict" = 2;
+
+    "kernel.dmesg_restrict" = 1;
+
+    # Restrict eBPF
+    "kernel.unprivileged_bpf_disabled" = 1;
+
+    # Harden JIT
+    "net.core.bpf_jit_harden" = 2;
+
+    "dev.tty.ldisc_autoload" = 0;
+    "vm.unprivileged_userfaultfd" = 0;
+
+    # Disable loading other kernels at runtime
+    "kernel.kexec_load_disabled" = 1;
+
+    # Disable SysRq key for non-users (can be used in remote exploits)
+    "kernel.sysrq" = 4;
+
+    "kernel.perf_event_paranoid" = 3;
+    "kernel.unprivileged_userns_clone" = 1;
+
+    ## NETWORK
+
+    # SYN flood attack prevention
+    "net.ipv4.tcp_syncookies" = 1;
+
+    # Prevent IP spoofing
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+
+    # MITM attack prevention (disable redirect acceptance)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+
+    # Clock fingerprinting prevention (disabled ICMP requests)
+    "net.ipv4.icmp_echo_ignore_all" = 1;
+
+    # Restrict ptrace usage
+    "kernel.yama.ptrace_scope" = 2;
+
+    # ASLR exploit mitigation
+    "vm.mmap_rnd_bits" = 32;
+    "vm.mmap_rnd_compat_bits" = 16;
+
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+  };
+}