Merge remote-tracking branch 'refs/remotes/origin/nixos' into nixos

2023-09-29 20:10:17 +02:00 · 2023-09-29 20:10:17 +02:00 · 99c3cbb12e
commit 99c3cbb12e
parent 184243d945 b6684e1c31
20 changed files with 666 additions and 588 deletions
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -6,21 +6,6 @@

 with lib;
 let
-  nom-system = pkgs.writeFishApplication {
-    name = "nom-system";
-    runtimeInputs = with pkgs; [ nix-output-monitor ];
-    text = /* fish */ ''
-      nom build --no-link "/home/moritz/.dotfiles#nixosConfigurations.$(hostname).config.system.build.toplevel" $argv
-    '';
-  };
-  nom-system-command = name: command: pkgs.writeFishApplication {
-    inherit name;
-    runtimeInputs = with pkgs; [ nom-system nix ];
-    text = /* fish */ ''
-      nom-system $argv && ${command}
-    '';
-  };
-
  f = pkgs.writeFishApplication {
    name = "f";
    runtimeInputs = with pkgs; [ fzf bat ];
@ -158,9 +143,6 @@ in
    bottom

    # nix
-    (nom-system-command "nixos-boot" "sudo nixos-rebuild boot --flake ~/.dotfiles")
-    (nom-system-command "nixos-switch" "sudo nixos-rebuild switch --flake ~/.dotfiles")
-    (nom-system-command "nixos-test" "sudo nixos-rebuild test --flake ~/.dotfiles")
    nix-output-monitor
    nixpkgs-fmt
    which-nix
--- a/modules/programs/hyprland/default.nix
+++ b/modules/programs/hyprland/default.nix
@ -54,88 +54,94 @@ in
      services.wallpaper.enable = true;
    };

-    # enable home-manager module
    home-manager.users.moritz = {
+
      # import home-manager module
      imports = [ inputs.hyprland.homeManagerModules.default ];

+      # enable home-manager module
      wayland.windowManager.hyprland = {
        enable = true;
        package = hyprland;
        recommendedEnvironment = true;
        extraConfig = import ./_config.nix args;
      };
-    };

-
-    # add waybar as a status bar
-    home-manager.users.moritz.programs.waybar = {
-      enable = true;
-
-      # start using systemd service
-      systemd = {
+      # add waybar as a status bar
+      programs.waybar = {
        enable = true;
-        target = "graphical-session.target";
-      };

-      settings = {
-        mainBar = {
-          start_hidden = true;
-          layer = "top";
-          position = "top";
-          height = 20;
-          modules-left = [ "hyprland/workspaces" ];
-          modules-center = [ "hyprland/window" ];
-          modules-right = [ "hyprland/language" "network" "memory" "cpu" "battery" "clock" ];
+        # start using systemd service
+        systemd = {
+          enable = true;
+          target = "graphical-session.target";
+        };
+
+        settings = {
+          mainBar = {
+            start_hidden = true;
+            layer = "top";
+            position = "top";
+            height = 20;
+            modules-left = [ "hyprland/workspaces" ];
+            modules-center = [ "hyprland/window" ];
+            modules-right = [ "hyprland/language" "network" "memory" "cpu" "battery" "clock" ];
+          };
        };
      };
-    };

-    # lock screen after timeout
-    home-manager.users.moritz.programs.swaylock = {
-      enable = true;
-      settings = {
-        color = "000000";
+      # lock screen after timeout
+      programs.swaylock = {
+        enable = true;
+        settings = {
+          color = "000000";
+        };
+      };
+      services.swayidle = {
+        enable = true;
+        events = [
+          {
+            event = "before-sleep";
+            command = "${getExe pkgs.swaylock} -fF";
+          }
+          {
+            event = "lock";
+            command = "${getExe pkgs.swaylock} -fF";
+          }
+        ];
+        timeouts =
+          let
+            lockTimeout = 10;
+          in
+          [
+            {
+              timeout = lockTimeout * 60 - 10;
+              command = "${pkgs.libnotify}/bin/notify-send 'Locking screen!'";
+            }
+            {
+              timeout = lockTimeout * 60;
+              command = "${hyprland}/bin/hyprctl dispatch dpms off";
+              resumeCommand = "${hyprland}/bin/hyprctl dispatch dpms on";
+            }
+            {
+              timeout = lockTimeout * 60 + 10;
+              command = "${pkgs.systemd}/bin/loginctl lock-session";
+            }
+          ] ++ optional
+            (!cfg.nvidiaSupport) # TODO https://github.com/hyprwm/Hyprland/issues/1728
+            {
+              timeout = 30 * 60;
+              command = "${pkgs.systemd}/bin/systemctl suspend-and-hibernate";
+            };
+        systemdTarget = "hyprland-session.target";
+      };
+
+      systemd.user.services.nextcloud-client.Service = {
+        RestartSec = "500ms";
+        Restart = "on-failure";
      };
    };
-    home-manager.users.moritz.services.swayidle = {
-      enable = true;
-      events = [
-        {
-          event = "before-sleep";
-          command = "${getExe pkgs.swaylock} -fF";
-        }
-        {
-          event = "lock";
-          command = "${getExe pkgs.swaylock} -fF";
-        }
-      ];
-      timeouts =
-        let
-          lockTimeout = 10;
-        in
-        [
-          {
-            timeout = lockTimeout * 60 - 10;
-            command = "${pkgs.libnotify}/bin/notify-send 'Locking screen!'";
-          }
-          {
-            timeout = lockTimeout * 60;
-            command = "${hyprland}/bin/hyprctl dispatch dpms off";
-            resumeCommand = "${hyprland}/bin/hyprctl dispatch dpms on";
-          }
-          {
-            timeout = lockTimeout * 60 + 10;
-            command = "${pkgs.systemd}/bin/loginctl lock-session";
-          }
-        ] ++ optional
-          (!cfg.nvidiaSupport) # TODO https://github.com/hyprwm/Hyprland/issues/1728
-          {
-            timeout = 30 * 60;
-            command = "${pkgs.systemd}/bin/systemctl suspend-and-hibernate";
-          };
-      systemdTarget = "hyprland-session.target";
-    };
+

    # adds pam module for swaylock
    security.pam.services.swaylock = { };
@ -152,11 +158,6 @@ in
      requiredBy = [ "xdg-desktop-portal.service" ];
    };

-    home-manager.users.moritz.systemd.user.services.nextcloud-client.Service = {
-      RestartSec = "500ms";
-      Restart = "on-failure";
-    };
-
    # add user packages for wayland and hyprland in particular
    users.users.moritz.packages = with pkgs; [
      brightnessctl # control brightness
--- a/modules/programs/nvim/default.nix
+++ b/modules/programs/nvim/default.nix
@ -33,7 +33,7 @@ in
            deadnix
            isort
            jq
-            nil
+            nixd
            nixpkgs-fmt
            nodePackages.bash-language-server
            rustfmt
--- a/modules/programs/nvim/plugins/coding.nix
+++ b/modules/programs/nvim/plugins/coding.nix
@ -313,5 +313,9 @@ with builtins;
      ];
      opts = { };
    }
+    {
+      plugin = nvim-puppeteer;
+      lazy = false; # NOTE: plugin lazy-loads itself.
+    }
  ];
 }
--- a/modules/programs/nvim/plugins/lua/nvim-lspconfig.lua
+++ b/modules/programs/nvim/plugins/lua/nvim-lspconfig.lua
@ -134,7 +134,7 @@ end

 local servers = {
  "bashls",
-  "nil_ls",
+  "nixd",
  "pylsp",
  "ruff_lsp",
  "typst_lsp",
--- a/modules/security/default.nix
+++ b/modules/security/default.nix
@ -5,62 +5,64 @@
  ## System security tweaks
  # Prevent replacing the running kernel w/o reboot
  # security.protectKernelImage = lib.mkDefault true; # NOTE disabled for now to enable hibernate
+  boot = {

-  # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
-  # on ssd systems, and volatile! Because it's wiped on reboot.
-  boot.tmp.useTmpfs = lib.mkDefault true;
-  # If not using tmpfs, which is naturally purged on reboot, we must clean it
-  # /tmp ourselves. /tmp should be volatile storage!
-  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+    # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
+    # on ssd systems, and volatile! Because it's wiped on reboot.
+    tmp.useTmpfs = lib.mkDefault true;
+    # If not using tmpfs, which is naturally purged on reboot, we must clean it
+    # /tmp ourselves. /tmp should be volatile storage!
+    tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);

-  # Fix a security hole in place for backwards compatibility. See desc in
-  # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
-  boot.loader.systemd-boot.editor = false;
+    # Fix a security hole in place for backwards compatibility. See desc in
+    # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+    loader.systemd-boot.editor = false;

-  boot.kernel.sysctl = {
-    # The Magic SysRq key is a key combo that allows users connected to the
-    # system console of a Linux kernel to perform some low-level commands.
-    # Disable it, since we don't need it, and is a potential security concern.
-    "kernel.sysrq" = 0;
+    kernel.sysctl = {
+      # The Magic SysRq key is a key combo that allows users connected to the
+      # system console of a Linux kernel to perform some low-level commands.
+      # Disable it, since we don't need it, and is a potential security concern.
+      "kernel.sysrq" = 0;

-    ## TCP hardening
-    # Prevent bogus ICMP errors from filling up logs.
-    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-    # Reverse path filtering causes the kernel to do source validation of
-    # packets received from all interfaces. This can mitigate IP spoofing.
-    "net.ipv4.conf.default.rp_filter" = 1;
-    "net.ipv4.conf.all.rp_filter" = 1;
-    # Do not accept IP source route packets (we're not a router)
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    # Don't send ICMP redirects (again, we're on a router)
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    # Refuse ICMP redirects (MITM mitigations)
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    # Protects against SYN flood attacks
-    "net.ipv4.tcp_syncookies" = 1;
-    # Incomplete protection again TIME-WAIT assassination
-    "net.ipv4.tcp_rfc1337" = 1;
-    # Log martian packages
-    "net.ipv4.conf.all.log_martians" = 1;
-    "net.ipv4.conf.default.log_martians" = 1;
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+      # Log martian packages
+      "net.ipv4.conf.all.log_martians" = 1;
+      "net.ipv4.conf.default.log_martians" = 1;

-    ## TCP optimization
-    # TCP Fast Open is a TCP extension that reduces network latency by packing
-    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
-    # both incoming and outgoing connections:
-    "net.ipv4.tcp_fastopen" = 3;
-    # Bufferbloat mitigations + slight improvement in throughput & latency
-    "net.ipv4.tcp_congestion_control" = "bbr";
-    "net.core.default_qdisc" = "cake";
+      ## TCP optimization
+      # TCP Fast Open is a TCP extension that reduces network latency by packing
+      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+      # both incoming and outgoing connections:
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+    kernelModules = [ "tcp_bbr" ];
  };
-  boot.kernelModules = [ "tcp_bbr" ];

  # So we don't have to do this later...
  security.acme.acceptTerms = true;