first commit

This commit is contained in:
Damian Wessels
2025-09-15 22:39:41 +02:00
commit 1c60d751da
10 changed files with 803 additions and 0 deletions

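--- a/configuration.nix
+++ b/configuration.nix
@@ -0,0 +1,161 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running nixos-help).
+{ config,
+lib,
+modulesPath,
+pkgs, ... }:
+{
+imports =
+[ # Include the results of the hardware scan.
+<home-manager/nixos>
+./hardware-configuration.nix
+./modules/firefox.nix
+./modules/bluetooth.nix
+./modules/wireshark.nix
+./modules/ollama.nix
+./modules/opensnitch.nix
+./modules/rust.nix
+./modules/steam.nix
+];
+# Bootloader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+# Use latest kernel.
+boot.kernelPackages = pkgs.linuxPackages_latest;
+networking.hostName = "raidy"; # Define your hostname.
+# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+# Configure network proxy if necessary
+# networking.proxy.default = "http://user:password@proxy:port/";
+# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+# Enable networking
+networking.networkmanager.enable = true;
+# Set your time zone.
+time.timeZone = "Europe/Berlin";
+# Select internationalisation properties.
+i18n.defaultLocale = "de_DE.UTF-8";
+i18n.extraLocaleSettings = {
+LC_ADDRESS = "de_DE.UTF-8";
+LC_IDENTIFICATION = "de_DE.UTF-8";
+LC_MEASUREMENT = "de_DE.UTF-8";
+LC_MONETARY = "de_DE.UTF-8";
+LC_NAME = "de_DE.UTF-8";
+LC_NUMERIC = "de_DE.UTF-8";
+LC_PAPER = "de_DE.UTF-8";
+LC_TELEPHONE = "de_DE.UTF-8";
+LC_TIME = "de_DE.UTF-8";
+};
+# Enable the X11 windowing system.
+# You can disable this if you're only using the Wayland session.
+services.xserver.enable = true;
+# Enable the KDE Plasma Desktop Environment.
+services.displayManager.sddm.enable = true;
+services.displayManager.sddm.autoNumlock = true;
+services.desktopManager.plasma6.enable = true;
+# Configure keymap in X11
+services.xserver.xkb = {
+layout = "us";
+variant = "";
+};
+# Enable CUPS to print documents.
+services.printing.enable = true;
+# Enable sound with pipewire.
+services.pulseaudio.enable = false;
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+# If you want to use JACK applications, uncomment this
+#jack.enable = true;
+# use the example session manager (no others are packaged yet so this is enabled by default,
+# no need to redefine it in your config for now)
+#media-session.enable = true;
+};
+# Enable touchpad support (enabled default in most desktopManager).
+# services.xserver.libinput.enable = true;
+# Define a user account. Don't forget to set a password with passwd.
+users.users.dwessels = {
+isNormalUser = true;
+description = "Damian Wessels";
+extraGroups = [ "networkmanager" "wheel" ];
+# packages = with pkgs; [
+# kdePackages.kate
+# thunderbird
+# ];
+};
+home-manager.users.dwessels = import ./home.nix;
+# Enable automatic login for the user.
+services.displayManager.autoLogin.enable = true;
+services.displayManager.autoLogin.user = "dwessels";
+# Install firefox.
+#programs.firefox.enable = true;
+# Allow unfree packages
+nixpkgs.config.allowUnfree = true;
+# List packages installed in system profile. To search, run:
+# $ nix search wget
+environment.systemPackages = with pkgs; [
+helix
+home-manager
+qmk
+via
+];
+services.pcscd.enable = true;
+services.udev.packages = [ pkgs.yubikey-personalization pkgs.via ];
+hardware.keyboard.qmk.enable = true;
+# Some programs need SUID wrappers, can be configured further or are
+# started in user sessions.
+# programs.mtr.enable = true;
+# programs.gnupg.agent = {
+# enable = true;
+# enableSSHSupport = true;
+# };
+# List services that you want to enable:
+# Enable the OpenSSH daemon.
+# services.openssh.enable = true;
+# Open ports in the firewall.
+# networking.firewall.allowedTCPPorts = [ ... ];
+# networking.firewall.allowedUDPPorts = [ ... ];
+# Or disable the firewall altogether.
+# networking.firewall.enable = false;
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. Its perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "25.05"; # Did you read the comment?
+}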
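Review bot: `services.displayManager.autoLogin.enable = true` combined with `extraGroups = [ "networkmanager" "wheel" ]` means powering on the machine drops straight into a Plasma session for a sudo-capable user with no password prompt, so physical access is separated from root only by whatever disk-encryption setup exists outside this file (none is visible here). If auto-login is wanted for convenience, consider pairing it with a non-wheel account, or set `services.displayManager.autoLogin.enable = false;`. Separately, `<home-manager/nixos>` is resolved through NIX_PATH rather than pinned, which is inconsistent with the rev+hash pin used for nixpkgs in home.nix; the channel version that built this system is not captured by the repository.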


@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/24cf3bad-f49c-416a-81b1-a2cef90e7d32";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7C62-54E8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e9c95d55-b793-446b-9147-f6d0796517c5"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

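--- a/home.nix
+++ b/home.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, ... }:
+let
+unstable_pkgs = import (pkgs.fetchgit {
+name = "nixpkgs-unstable-aug-29-2025";
+url = "https://github.com/nixos/nixpkgs/";
+rev = "604f22e0304b679e96edd9f47cbbfc4d513a3751";
+hash = "sha256-9+O/hi9UjnF4yPjR3tcUbxhg/ga0OpFGgVLvSW5FfbE=";
+}) { };
+in
+{
+home.username = "dwessels";
+home.homeDirectory = "/home/dwessels";
+home.stateVersion = "22.11";
+home.packages = with pkgs; [
+kdePackages.kate
+alacritty
+dig
+evince
+gnupg
+htop
+jq
+openssl
+pciutils
+ripgrep
+meld
+nixfmt-rfc-style
+neovim
+nmap
+tokei
+tree
+trivy
+usbutils
+whois
+vlc
+zellij
+];
+programs.alacritty = {
+enable = true;
+settings = {
+window = {
+dynamic_padding = true;
+};
+};
+};
+programs.bash = {
+enable = true;
+# bashrcExtra = ''
+# if [ "$TERM_PROGRAM" != "zed" ]; then
+# eval "$(zellij setup --generate-auto-start bash)"
+# fi
+# # Needed to use yubkiey for SSH key
+# export GPG_TTY="$(tty)"
+# export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+# '';
+};
+programs.helix = {
+enable = true;
+};
+programs.zellij = {
+enable = true;
+settings = {
+show_startup_tips = false;
+ui = {
+pane_frames = {
+hide_session_name = true;
+};
+};
+};
+};
+}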
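Review bot: `unstable_pkgs` is bound in the `let` but never referenced in the attribute set below, so the pinned `fetchgit` of nixpkgs is dead code (Nix evaluates lazily, so nothing is fetched either). Either pull the packages that need unstable from it or drop the binding; if it stays, the `rev` + `hash` pin is the right shape and should be kept rather than replaced by a branch name. `home.stateVersion = "22.11"` while the system is on `"25.05"` is legal, but presumably it is the value of the first home-manager generation on this host; a one-line comment such as `# first home-manager generation on this host; changing it alters stateful defaults` would stop a future reader from "fixing" it.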

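--- a/modules/bluetooth.nix
+++ b/modules/bluetooth.nix
@@ -0,0 +1,6 @@
+{ pkgs, lib, ... }:
+{
+hardware.bluetooth.enable = true;
+services.blueman.enable = true;
+}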

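--- a/modules/firefox.nix
+++ b/modules/firefox.nix
@@ -0,0 +1,81 @@
+{ pkgs, lib, ... }:
+let
+managed-firefox = (
+pkgs.firefox.override {
+extraPolicies = {
+AutofillCreditCardEnabled = false;
+DisableFirefoxAccounts = true;
+DisableFirefoxScreenshots = true;
+DisableFirefoxStudies = true;
+DisablePocket = true;
+DisableTelemetry = true;
+DontCheckDefaultBrowser = true;
+EnableTrackingProtection = {
+Value = true;
+Locked = true;
+Cryptomining = true;
+Fingerprinting = true;
+EmailTracking = true;
+};
+ExtensionSettings = {
+"*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+# 1Password:
+"{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+installation_mode = "force_installed";
+};
+# Facebook container
+"@contain-facebook" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi";
+installation_mode = "force_installed";
+};
+# Kagi search
+"search@kagi.com" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/kagi-search-for-firefox/latest.xpi";
+installation_mode = "force_installed";
+};
+# ublock origin
+"uBlock0@raymondhill.net" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+installation_mode = "force_installed";
+};
+# bitwarden
+"" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
+installation_mode = "force_installed";
+};
+};
+FirefoxSuggest = {
+WebSuggestions = false;
+SponsoredSuggestions = false;
+ImproveSuggest = false;
+Locked = true;
+};
+PasswordManagerEnabled = false;
+PictureInPicture = {
+Enabled = true;
+Locked = true;
+};
+};
+}
+);
+in
+{
+environment.systemPackages = [ managed-firefox ];
+services.opensnitch.rules = {
+rule-000-firefox = {
+name = "Allow Firefox";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin managed-firefox}/lib/firefox/firefox";
+};
+};
+};
+}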
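Review bot: The Bitwarden entry under `ExtensionSettings` uses the empty string `""` as its key, so the `force_installed` policy is attached to no extension ID and Bitwarden is never installed — and because `"*".installation_mode = "blocked"` it cannot be added by hand either, which makes the failure silent. The key has to be the add-on's real extension ID (as declared in its manifest / shown on its AMO listing), in the same form as the 1Password entry above it. Two password managers are force-installed while `PasswordManagerEnabled = false`; if only one is actually in use, dropping the other removes a privileged extension that can read every page. A short comment on `"*".installation_mode = "blocked"` noting that any ID typo here silently loses the add-on would save the next person this hunt.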

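--- a/modules/ollama.nix
+++ b/modules/ollama.nix
@@ -0,0 +1,36 @@
+{ pkgs, lib, ... }:
+{
+services.ollama = {
+enable = true;
+acceleration = "rocm";
+};
+services.opensnitch.rules = {
+rule-500-download-models = {
+name = "Allow ollama to fetch models";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.ollama-rocm}/bin/.ollama-wrapped";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(registry.ollama.ai)|(([a-z0-9|-]+\\.)*cloudflarestorage.com)$";
+}
+];
+};
+};
+};
+}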
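Review bot: The `dest.host` regexp in `rule-500-download-models` is mis-anchored: in `^(registry.ollama.ai)|(([a-z0-9|-]+\\.)*cloudflarestorage.com)$` the top-level `|` splits the whole pattern, so `^` binds only to the left alternative and `$` only to the right one; with an unanchored regexp search (which is what opensnitch's regexp operator appears to do) a host like `registry.ollama.ai.example` satisfies the left side and any host that merely ends in `cloudflarestorage.com` (no dot required before it) satisfies the right, and the unescaped dots widen both further. Wrap the alternation and escape the dots: `data = "^(registry\\.ollama\\.ai|([a-z0-9-]+\\.)*cloudflarestorage\\.com)$";`. The `|` inside `[a-z0-9|-]` is a literal pipe character, not alternation, and can go. The same top-level-alternation mistake appears in modules/rust.nix (both the `process.path` and `dest.host` patterns of `rule-500-cargo`) and in `steamRegex` in modules/steam.nix; the nix-update rule in modules/opensnitch.nix and the steam-domain rule in steam.nix have the grouping right and can serve as the template.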

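--- a/modules/opensnitch.nix
+++ b/modules/opensnitch.nix
@@ -0,0 +1,185 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = [ pkgs.opensnitch-ui ];
+# Set start up applications
+# shitty version of this https://github.com/nix-community/home-manager/issues/3447#issuecomment-1328294558
+environment.etc."xdg/autostart/opensnitch_ui.desktop".source = (
+pkgs.opensnitch-ui + "/share/applications/opensnitch_ui.desktop"
+);
+# A list of general rules needed no matter how the system is configured
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+rules = {
+rule-000-localhost = {
+name = "Allow all localhost";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "regexp";
+operand = "dest.ip";
+sensitive = false;
+data = "^(127\\.0\\.0\\.1|::1)$";
+list = [ ];
+};
+};
+rule-100-avahi-ipv4 = {
+name = "Allow avahi daemon IPv4";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+operand = "process.path";
+sensitive = false;
+data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon";
+}
+{
+type = "network";
+operand = "dest.network";
+data = "224.0.0.0/24";
+}
+];
+};
+};
+rule-100-avahi-ipv6 = {
+name = "Allow avahi daemon IPv6";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+operand = "process.path";
+sensitive = false;
+data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon";
+}
+{
+type = "simple";
+operand = "dest.ip";
+data = "ff02::fb";
+}
+];
+};
+};
+rule-100-ntp = {
+name = "Allow NTP";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "123";
+}
+{
+type = "simple";
+operand = "protocol";
+sensitive = false;
+data = "udp";
+}
+];
+};
+};
+rule-100-nix-update = {
+name = "Allow Nix";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = "^.*/bin/nix$";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(([a-z0-9|-]+\\.)*github\\.com|([a-z0-9|-]+\\.)*nixos\\.org)$";
+}
+];
+};
+};
+rule-100-NetworkManager = {
+name = "Allow NetworkManager";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.networkmanager}/bin/NetworkManager";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "67";
+}
+{
+type = "simple";
+operand = "protocol";
+sensitive = false;
+data = "udp";
+}
+];
+};
+};
+rule-500-ssh-github = {
+name = "Allow SSH to github";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.openssh}/bin/ssh";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "github.com";
+}
+];
+};
+};
+};
+};
+}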
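Review bot: `rule-100-nix-update` keys on `process.path` with `^.*/bin/nix$`, which accepts an executable named `nix` under any directory at all, including user-writable ones, so the allow to github.com/nixos.org is not really tied to the system's Nix. Since Nix only ever runs from the store, anchor it there: `data = "^/nix/store/[^/]+/bin/nix$";` (or use `type = "simple"` with a store path the way the avahi/NTP/ssh rules do). The same caveat applies, more weakly, to the rules in rust.nix and steam.nix that match paths under `/home/dwessels`; that is inherent to how rustup and Steam install themselves, but worth a comment there so nobody mistakes those rules for a strong identity check. The `list = [ ];` inside the regexp operator of `rule-000-localhost` is harmless but unused and can be dropped for consistency with the other single operators.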

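--- a/modules/rust.nix
+++ b/modules/rust.nix
@@ -0,0 +1,58 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = with pkgs; [
+clang
+rustup
+];
+services.opensnitch.rules = {
+rule-500-cargo = {
+name = "Allow cargo to reach needed sites";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = "^(/home/dwessels/\\.rustup/toolchains/(.*)/bin/cargo)|(${lib.getBin pkgs.cargo}/bin/cargo)$";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(([a-z0-9|-]+\\.)*crates\\.io)|(([a-z0-9|-]+\\.)*github\\.com)$";
+}
+];
+};
+};
+rule-500-rustup = {
+name = "Allow rustup to reach needed sites";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.rustup}/bin/.rustup-wrapped";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "static.rust-lang.org";
+}
+];
+};
+};
+};
+}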
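Review bot: Besides the top-level-alternation anchoring problem already raised on modules/ollama.nix, the `process.path` pattern of `rule-500-cargo` uses `(.*)` for the toolchain directory, which crosses `/` and therefore matches any depth under `~/.rustup/toolchains/`, not one toolchain name. `[^/]+` expresses the intent and keeps the match tight: `data = "^(/home/dwessels/\\.rustup/toolchains/[^/]+/bin/cargo|${lib.getBin pkgs.cargo}/bin/cargo)$";`. The `${lib.getBin pkgs.cargo}` store path is interpolated unescaped into a regexp; that is fine today because store paths contain only `[a-z0-9+-_.]` and `.` only as a wildcard, but a comment noting the assumption would help.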

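--- a/modules/steam.nix
+++ b/modules/steam.nix
@@ -0,0 +1,144 @@
+{ pkgs, lib, ... }:
+let
+steamRegex = "^/home/dwessels/\\.local/share/Steam/ubuntu12_32/steam|/home/dwessels/\\.local/share/Steam/ubuntu12_64/steamwebhelper$";
+in
+{
+environment.systemPackages = with pkgs; [ steam ];
+# We need 32bit versions of all the OpenGL etc libraries for steam to run
+hardware.graphics.enable32Bit = true;
+programs.steam = {
+remotePlay.openFirewall = true;
+};
+services.opensnitch.rules = {
+rule-600-steam-lan = {
+name = "Allow Steam to reach out on LAN";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_32/steam";
+}
+{
+type = "network";
+operand = "dest.network";
+data = "192.168.1.0/24";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "27036";
+}
+];
+};
+};
+rule-600-steam-akamaihd = {
+name = "Allow Steam to reach akamaihd";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "steamcommunity-a.akamaihd.net";
+}
+];
+};
+};
+rule-600-steam-to-steam-domain = {
+name = "Allow Steam to reach steam domains";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = steamRegex;
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^([a-z0-9|-]+\\.)*(steampowered\\.com|steamcommunity\\.com|steamserver\\.net|steamstatic\\.com|steamcontent\\.com)$";
+}
+];
+};
+};
+rule-600-steam-webhelper-google = {
+name = "Allow Steam web helper to reach google APIs";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(update|steamcloud-us-east1\\.storage\\.)\\.googleapis\\.com$";
+}
+];
+};
+};
+rule-600-steam-webhelper-youtube = {
+name = "Allow Steam web helper to reach youtube";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "www.youtube.com";
+}
+];
+};
+};
+};
+}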
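Review bot: In `rule-600-steam-webhelper-google` the host pattern `^(update|steamcloud-us-east1\\.storage\\.)\\.googleapis\\.com$` ends the second alternative with `\\.` and then requires another `\\.googleapis`, so that branch only matches the impossible `storage..googleapis.com`; steamcloud traffic therefore never hits this allow and falls through to the default deny / UI prompt. Drop the trailing dot inside the group: `data = "^(update|steamcloud-us-east1\\.storage)\\.googleapis\\.com$";`. `steamRegex` at the top has the top-level-alternation anchoring issue already raised on modules/ollama.nix and should be grouped as `^(…/steam|…/steamwebhelper)$`. Note also that `programs.steam.remotePlay.openFirewall = true` opens the Remote Play ports in the NixOS firewall globally, not scoped to the `192.168.1.0/24` that `rule-600-steam-lan` assumes; fine on a home LAN, but a comment saying so would keep the two in sync.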

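--- a/modules/wireshark.nix
+++ b/modules/wireshark.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+users.groups.wireshark = { };
+security.wrappers.dumpcap = {
+source = "${pkgs.wireshark}/bin/dumpcap";
+permissions = "u+xs,g+x";
+owner = "root";
+group = "wireshark";
+};
+users.users.dwessels.extraGroups = [ "wireshark" ];
+environment.systemPackages = [ pkgs.wireshark ];
+}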
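Review bot: `security.wrappers.dumpcap` is installed setuid root via `permissions = "u+xs,g+x"` with no `capabilities` set, so every member of `wireshark` runs a fully privileged dumpcap although it only needs raw-socket access. Replace the setuid bit with a capability wrapper, `permissions = "u+rx,g+x"; capabilities = "cap_net_raw,cap_net_admin+eip";`, or simply set `programs.wireshark.enable = true;`, which creates the `wireshark` group and exactly such a capability-based dumpcap wrapper for you. Group membership for dwessels is now split between this module and `extraGroups` in configuration.nix; the two lists merge, but keeping all of a user's groups in one place is easier to audit.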