commit 1c60d751daf2510c8daf6a256ab7826390a0c600 Author: Damian Wessels Date: Mon Sep 15 22:39:41 2025 +0200 first commit diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..c4ac444 --- /dev/null +++ b/configuration.nix 
@@ -0,0 +1,161 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, + lib, + modulesPath, + pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + + ./hardware-configuration.nix + ./modules/firefox.nix + ./modules/bluetooth.nix + ./modules/wireshark.nix + ./modules/ollama.nix + ./modules/opensnitch.nix + ./modules/rust.nix + ./modules/steam.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Use latest kernel. + boot.kernelPackages = pkgs.linuxPackages_latest; + + + networking.hostName = "raidy"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Enable networking + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # Select internationalisation properties. + i18n.defaultLocale = "de_DE.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + # Enable the X11 windowing system. + # You can disable this if you're only using the Wayland session. + services.xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. 
+ services.displayManager.sddm.enable = true; + services.displayManager.sddm.autoNumlock = true; + services.desktopManager.plasma6.enable = true; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. + services.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.dwessels = { + isNormalUser = true; + description = "Damian Wessels"; + extraGroups = [ "networkmanager" "wheel" ]; + # packages = with pkgs; [ + # kdePackages.kate + # thunderbird + # ]; + }; + + home-manager.users.dwessels = import ./home.nix; + # Enable automatic login for the user. + services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = "dwessels"; + + # Install firefox. + #programs.firefox.enable = true; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + helix + home-manager + qmk + via + ]; + + services.pcscd.enable = true; + services.udev.packages = [ pkgs.yubikey-personalization pkgs.via ]; + + + hardware.keyboard.qmk.enable = true; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "25.05"; # Did you read the comment? + +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..8b71f31 --- /dev/null +++ b/hardware-configuration.nix 
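Review bot: `services.displayManager.autoLogin.enable = true` together with `autoLogin.user = "dwessels"` drops into a Plasma session for a user who is in `wheel`, so whoever is at the console gets a sudo-capable session with no password prompt; consider removing the two autoLogin lines, or keep them with a comment such as `# Auto-login: anyone with console access gets this wheel user's session` so the trade-off is explicit. Separately, `home-manager.users.dwessels = import ./home.nix;` relies on the home-manager NixOS module being imported, but the `imports` list in this hunk only pulls in the hardware scan and the local modules, and only the `home-manager` package is in `environment.systemPackages`; unless the module arrives via a channel path not visible in this commit, `home-manager.users` is an undefined option and evaluation fails, so adding `<home-manager/nixos>` (or the flake module) to `imports` would be the fix. Both points apply to the part of the file before this hunk's tail; the module itself is complete within the hunk.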
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/24cf3bad-f49c-416a-81b1-a2cef90e7d32"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/7C62-54E8"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/e9c95d55-b793-446b-9147-f6d0796517c5"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/home.nix b/home.nix new file mode 100644 index 0000000..a9dc09d --- /dev/null +++ b/home.nix 
@@ -0,0 +1,78 @@ +{ lib, pkgs, ... }: + +let + unstable_pkgs = import (pkgs.fetchgit { + name = "nixpkgs-unstable-aug-29-2025"; + url = "https://github.com/nixos/nixpkgs/"; + rev = "604f22e0304b679e96edd9f47cbbfc4d513a3751"; + hash = "sha256-9+O/hi9UjnF4yPjR3tcUbxhg/ga0OpFGgVLvSW5FfbE="; + }) { }; + +in +{ + home.username = "dwessels"; + home.homeDirectory = "/home/dwessels"; + home.stateVersion = "22.11"; + + home.packages = with pkgs; [ + kdePackages.kate + alacritty + dig + evince + gnupg + htop + jq + openssl + pciutils + ripgrep + meld + nixfmt-rfc-style + neovim + nmap + tokei + tree + trivy + usbutils + whois + vlc + zellij + ]; + + + programs.alacritty = { + enable = true; + settings = { + window = { + dynamic_padding = true; + }; + }; + }; + + programs.bash = { + enable = true; + # bashrcExtra = '' + # if [ "$TERM_PROGRAM" != "zed" ]; then + # eval "$(zellij setup --generate-auto-start bash)" + # fi + # # Needed to use yubkiey for SSH key + # export GPG_TTY="$(tty)" + # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + # ''; + }; + + programs.helix = { + enable = true; + }; + + programs.zellij = { + enable = true; + settings = { + show_startup_tips = false; + ui = { + pane_frames = { + hide_session_name = true; + }; + }; + }; + }; +} diff --git a/modules/bluetooth.nix b/modules/bluetooth.nix new file mode 100644 index 0000000..316d038 --- /dev/null +++ b/modules/bluetooth.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, ... }: + +{ + hardware.bluetooth.enable = true; + services.blueman.enable = true; +} diff --git a/modules/firefox.nix b/modules/firefox.nix new file mode 100644 index 0000000..08fde54 --- /dev/null +++ b/modules/firefox.nix 
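Review bot: `unstable_pkgs` in the `let` block of home.nix is never referenced, so the pinned `fetchgit` (rev plus sha256 hash) is dead code — Nix evaluates lazily, so nothing is fetched, but the pin will silently go stale while looking like it is in use. Either reference it from `home.packages` where an unstable package is wanted, or delete the binding; if it stays, a one-line comment such as `# Pinned nixpkgs-unstable; bump rev+hash together` would make the intended maintenance obvious. The pin itself is done correctly (explicit `rev` and `hash`), which is what keeps the fetch reproducible.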
@@ -0,0 +1,81 @@ +{ pkgs, lib, ... }: +let + managed-firefox = ( + pkgs.firefox.override { + extraPolicies = { + AutofillCreditCardEnabled = false; + DisableFirefoxAccounts = true; + DisableFirefoxScreenshots = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableTelemetry = true; + DontCheckDefaultBrowser = true; + EnableTrackingProtection = { + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + EmailTracking = true; + }; + ExtensionSettings = { + "*".installation_mode = "blocked"; # blocks all addons except the ones specified below + # 1Password: + "{d634138d-c276-4fc8-924b-40a0ea21d284}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi"; + installation_mode = "force_installed"; + }; + # Facebook container + "@contain-facebook" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi"; + installation_mode = "force_installed"; + }; + # Kagi search + "search@kagi.com" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/kagi-search-for-firefox/latest.xpi"; + installation_mode = "force_installed"; + }; + # ublock origin + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; + }; + # bitwarden + "" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + + FirefoxSuggest = { + WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + Locked = true; + }; + PasswordManagerEnabled = false; + PictureInPicture = { + Enabled = true; + Locked = true; + }; + }; + } + ); +in +{ + environment.systemPackages = [ managed-firefox ]; + + services.opensnitch.rules = { + rule-000-firefox = { + name = "Allow Firefox"; + enabled = true; + action = "allow"; + 
duration = "always"; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin managed-firefox}/lib/firefox/firefox"; + }; + }; + }; +} diff --git a/modules/ollama.nix b/modules/ollama.nix new file mode 100644 index 0000000..80db686 --- /dev/null +++ b/modules/ollama.nix @@ -0,0 +1,36 @@ +{ pkgs, lib, ... }: + + +{ + services.ollama = { + enable = true; + acceleration = "rocm"; + }; + + services.opensnitch.rules = { + rule-500-download-models = { + name = "Allow ollama to fetch models"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.ollama-rocm}/bin/.ollama-wrapped"; + } + { + type = "regexp"; + operand = "dest.host"; + sensitive = false; + data = "^(registry.ollama.ai)|(([a-z0-9|-]+\\.)*cloudflarestorage.com)$"; + } + ]; + }; + }; + }; +} diff --git a/modules/opensnitch.nix b/modules/opensnitch.nix new file mode 100644 index 0000000..7c4cf83 --- /dev/null +++ b/modules/opensnitch.nix 
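Review bot: The Bitwarden entry in `ExtensionSettings` is keyed by the empty string (`"" = { ... }`), which is not an extension ID; with `"*".installation_mode = "blocked"` in force, Bitwarden is never installed and Firefox may reject the malformed policy entry. Replace the key with the add-on's real ID, e.g. `"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {` (verify against the add-on's manifest before relying on it). The rest of the policy block is consistent, and forcing both 1Password and Bitwarden while `PasswordManagerEnabled = false` is presumably deliberate, so a short comment on that line saying which manager is primary would help the next reader.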
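Review bot: The `dest.host` regexp in `rule-500-download-models`, `^(registry.ollama.ai)|(([a-z0-9|-]+\\.)*cloudflarestorage.com)$`, has an unparenthesised alternation, so `^` only anchors the first branch and `$` only the second: any host that merely starts with `registry.ollama.ai` or merely ends with `cloudflarestorage.com` (including a longer label such as `notcloudflarestorage.com`) is allowed. The dots are also unescaped and the `|` inside `[a-z0-9|-]` is a literal pipe in the class, not an alternation. A single corrected line is `data = "^(registry\\.ollama\\.ai|([a-z0-9-]+\\.)*cloudflarestorage\\.com)$";`. The same anchoring mistake is in rust.nix (`rule-500-cargo`, dest.host) and in steam.nix (`steamRegex`); the stray `|` in the character class recurs in opensnitch.nix, rust.nix and steam.nix.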
@@ -0,0 +1,185 @@ +{ pkgs, lib, ... }: +{ + environment.systemPackages = [ pkgs.opensnitch-ui ]; + + # Set start up applications + # shitty version of this https://github.com/nix-community/home-manager/issues/3447#issuecomment-1328294558 + environment.etc."xdg/autostart/opensnitch_ui.desktop".source = ( + pkgs.opensnitch-ui + "/share/applications/opensnitch_ui.desktop" + ); + + # A list of general rules needed no matter how the system is configured + services.opensnitch = { + enable = true; + settings.DefaultAction = "deny"; + rules = { + rule-000-localhost = { + name = "Allow all localhost"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "regexp"; + operand = "dest.ip"; + sensitive = false; + data = "^(127\\.0\\.0\\.1|::1)$"; + list = [ ]; + }; + }; + rule-100-avahi-ipv4 = { + name = "Allow avahi daemon IPv4"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + operand = "process.path"; + sensitive = false; + data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon"; + } + { + type = "network"; + operand = "dest.network"; + data = "224.0.0.0/24"; + } + ]; + }; + }; + rule-100-avahi-ipv6 = { + name = "Allow avahi daemon IPv6"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + operand = "process.path"; + sensitive = false; + data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon"; + } + { + type = "simple"; + operand = "dest.ip"; + data = "ff02::fb"; + } + ]; + }; + }; + rule-100-ntp = { + name = "Allow NTP"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; + } + { + type = "simple"; + operand = "dest.port"; + sensitive = false; + data 
= "123"; + } + { + type = "simple"; + operand = "protocol"; + sensitive = false; + data = "udp"; + } + ]; + }; + }; + rule-100-nix-update = { + name = "Allow Nix"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "^.*/bin/nix$"; + } + { + type = "regexp"; + operand = "dest.host"; + sensitive = false; + data = "^(([a-z0-9|-]+\\.)*github\\.com|([a-z0-9|-]+\\.)*nixos\\.org)$"; + } + ]; + }; + }; + rule-100-NetworkManager = { + name = "Allow NetworkManager"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.networkmanager}/bin/NetworkManager"; + } + { + type = "simple"; + operand = "dest.port"; + sensitive = false; + data = "67"; + } + { + type = "simple"; + operand = "protocol"; + sensitive = false; + data = "udp"; + } + ]; + }; + }; + rule-500-ssh-github = { + name = "Allow SSH to github"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.openssh}/bin/ssh"; + } + { + type = "simple"; + operand = "dest.host"; + sensitive = false; + data = "github.com"; + } + ]; + }; + }; + }; + }; +} diff --git a/modules/rust.nix b/modules/rust.nix new file mode 100644 index 0000000..fe89c6b --- /dev/null +++ b/modules/rust.nix 
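Review bot: In `rule-100-nix-update` the process match `^.*/bin/nix$` accepts any executable named `nix` under any `bin/` directory, including user-writable locations, so the GitHub/nixos.org allow is effectively keyed on a file name rather than on the trusted binary; the other rules in this file use `lib.getBin` store paths, and this one should follow suit. Since opensnitch's `process.path` is the resolved executable path, a tighter pattern such as `data = "^/nix/store/[^/]+/bin/nix$";` should still match the system `nix` while excluding home-directory copies (presumably the wildcard was chosen because the store hash changes across upgrades). Minor: `rule-000-localhost` carries an empty `list = [ ];` on a `regexp` operator, and `[a-z0-9|-]` in the dest.host pattern contains a literal `|` that is probably unintended. The file's top-level set closes at the end of this hunk, so the review covers the whole module.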
@@ -0,0 +1,58 @@ +{ pkgs, lib, ... }: +{ + environment.systemPackages = with pkgs; [ + clang + rustup + ]; + + services.opensnitch.rules = { + rule-500-cargo = { + name = "Allow cargo to reach needed sites"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "^(/home/dwessels/\\.rustup/toolchains/(.*)/bin/cargo)|(${lib.getBin pkgs.cargo}/bin/cargo)$"; + } + { + type = "regexp"; + operand = "dest.host"; + sensitive = false; + data = "^(([a-z0-9|-]+\\.)*crates\\.io)|(([a-z0-9|-]+\\.)*github\\.com)$"; + } + ]; + }; + }; + rule-500-rustup = { + name = "Allow rustup to reach needed sites"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.rustup}/bin/.rustup-wrapped"; + } + { + type = "simple"; + operand = "dest.host"; + sensitive = false; + data = "static.rust-lang.org"; + } + ]; + }; + }; + }; +} diff --git a/modules/steam.nix b/modules/steam.nix new file mode 100644 index 0000000..da14388 --- /dev/null +++ b/modules/steam.nix 
@@ -0,0 +1,144 @@ +{ pkgs, lib, ... }: +let + steamRegex = "^/home/dwessels/\\.local/share/Steam/ubuntu12_32/steam|/home/dwessels/\\.local/share/Steam/ubuntu12_64/steamwebhelper$"; + +in +{ + environment.systemPackages = with pkgs; [ steam ]; + + # We need 32bit versions of all the OpenGL etc libraries for steam to run + hardware.graphics.enable32Bit = true; + + programs.steam = { + remotePlay.openFirewall = true; + }; + + services.opensnitch.rules = { + rule-600-steam-lan = { + name = "Allow Steam to reach out on LAN"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "/home/dwessels/.local/share/Steam/ubuntu12_32/steam"; + } + { + type = "network"; + operand = "dest.network"; + data = "192.168.1.0/24"; + } + { + type = "simple"; + operand = "dest.port"; + sensitive = false; + data = "27036"; + } + + ]; + }; + }; + rule-600-steam-akamaihd = { + name = "Allow Steam to reach akamaihd"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper"; + } + { + type = "simple"; + operand = "dest.host"; + sensitive = false; + data = "steamcommunity-a.akamaihd.net"; + } + ]; + }; + }; + rule-600-steam-to-steam-domain = { + name = "Allow Steam to reach steam domains"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = steamRegex; + } + { + type = "regexp"; + operand = "dest.host"; + sensitive = false; + data = "^([a-z0-9|-]+\\.)*(steampowered\\.com|steamcommunity\\.com|steamserver\\.net|steamstatic\\.com|steamcontent\\.com)$"; + } + ]; + }; + }; + 
rule-600-steam-webhelper-google = { + name = "Allow Steam web helper to reach google APIs"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper"; + } + { + type = "regexp"; + operand = "dest.host"; + sensitive = false; + data = "^(update|steamcloud-us-east1\\.storage\\.)\\.googleapis\\.com$"; + } + ]; + }; + }; + rule-600-steam-webhelper-youtube = { + name = "Allow Steam web helper to reach youtube"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper"; + } + { + type = "simple"; + operand = "dest.host"; + sensitive = false; + data = "www.youtube.com"; + } + ]; + }; + }; + }; +} diff --git a/modules/wireshark.nix b/modules/wireshark.nix new file mode 100644 index 0000000..ac3c7dc --- /dev/null +++ b/modules/wireshark.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: +{ + users.groups.wireshark = { }; + security.wrappers.dumpcap = { + source = "${pkgs.wireshark}/bin/dumpcap"; + permissions = "u+xs,g+x"; + owner = "root"; + group = "wireshark"; + }; + + users.users.dwessels.extraGroups = [ "wireshark" ]; + environment.systemPackages = [ pkgs.wireshark ]; +}
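Review bot: The `dest.host` regexp in `rule-600-steam-webhelper-google`, `^(update|steamcloud-us-east1\\.storage\\.)\\.googleapis\\.com$`, requires `storage..googleapis.com` (the second alternative ends in `\\.` and another `\\.` follows the group), so only `update.googleapis.com` can ever match and the cloud-save host is silently denied. Drop the trailing dot inside the group: `data = "^(update|steamcloud-us-east1\\.storage)\\.googleapis\\.com$";`. Also, `programs.steam.remotePlay.openFirewall = true;` is set without `programs.steam.enable = true;` — as far as I can tell the NixOS steam module gates its firewall config on `enable`, so either set `enable` (and then `environment.systemPackages = [ steam ]` becomes redundant) or remove the `remotePlay` line. All process rules here key on paths under `/home/dwessels`, which the user can rewrite; a comment such as `# Steam self-updates under $HOME, so these process.path rules trust the home directory` would record that limitation for whoever extends the rule set.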
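Review bot: `security.wrappers.dumpcap` is configured as a setuid-root binary (`permissions = "u+xs,g+x"`), which gives every `wireshark` group member a root-privileged capture helper; the wrapper only needs raw-socket access, so prefer a capability grant — `capabilities = "cap_net_raw,cap_net_admin+eip";` in place of the `s` bit — or simply `programs.wireshark.enable = true;`, which sets up the group and the capability-based wrapper for you. If the hand-rolled wrapper stays, a comment such as `# dumpcap needs raw sockets only; avoid full setuid` would keep the next editor from widening it further. The hunk holds the whole module, so nothing is cut off.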