Diffstat (limited to '')
-rw-r--r--system/battery.nix19
-rw-r--r--system/default.nix21
-rw-r--r--system/desktop.nix13
-rw-r--r--system/desktops/hyprland.nix6
-rw-r--r--system/desktops/sway.nix6
-rw-r--r--system/desktops/wayland.nix6
-rw-r--r--system/hardened.nix58
-rw-r--r--system/virt/qemu.nix4
8 files changed, 110 insertions, 23 deletions
diff --git a/system/battery.nix b/system/battery.nix
index 42ee269..a904051 100644
--- a/system/battery.nix
+++ b/system/battery.nix
@@ -9,7 +9,7 @@ in {
config = mkIf config.battery {
# power monterting
services.upower = {
- enable = !config.minimal;
+ enable = true;
percentageLow = 20;
percentageCritical = 10;
percentageAction = 4;
@@ -17,21 +17,8 @@ in {
};
# power profiles
- services.tlp = {
- enable = !config.minimal;
- settings = {
- CPU_SCALING_GOVERNOR_ON_AC = "performance";
- CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
-
- CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
- CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
-
- CPU_MIN_PERF_ON_AC = 0;
- CPU_MAX_PERF_ON_AC = 100;
- CPU_MIN_PERF_ON_BAT = 0;
- CPU_MAX_PERF_ON_BAT = 20;
- };
- };
+ services.power-profiles-daemon.enable = true;
+ #services.tlp.enable = true;
# packages
environment.systemPackages = with pkgs; [
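Review bot: The commented-out `#services.tlp.enable = true;` reads as a quick toggle, but tlp and power-profiles-daemon are mutually exclusive (as far as I recall the NixOS modules assert against enabling both), so uncommenting it next to `services.power-profiles-daemon.enable = true` would fail evaluation rather than switch tools. Either drop the dead line or turn it into a comment that records the decision, e.g. `# power-profiles-daemon instead of tlp; the two conflict, disable one before enabling the other`. The `!config.minimal` gate the old tlp block carried is also gone, so minimal hosts now run the daemon too — fine if intended, but worth a word in the `# power profiles` comment. The enclosing `config = mkIf config.battery` block starts before this hunk.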
diff --git a/system/default.nix b/system/default.nix
index 9e8ab90..17b3f99 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
./bluetooth.nix
./desktop.nix
./fingerprint.nix
+ ./hardened.nix
./hardware.nix
./networking.nix
./sshd.nix
@@ -22,8 +23,17 @@
];
# allow flakes
- nix.settings.experimental-features = ["nix-command" "flakes"];
- nix.settings.use-xdg-base-directories = true;
+ nix = {
+ channel.enable = false;
+ extraOptions = ''
+ warn-dirty = false
+ '';
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ use-xdg-base-directories = true;
+ };
+ };
# allow defined unfree packages
nixpkgs.config.allowUnfreePredicate = pkg:
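Review bot: `warn-dirty = false` is written as a raw string in `nix.extraOptions` while the neighbouring knobs use the typed `nix.settings` attribute set; `nix.settings` is freeform, so `settings.warn-dirty = false;` should work and keeps every nix.conf option in one checked place. That warning is also what tells you a flake was built from an uncommitted tree, so silencing it gives up a small provenance signal; a comment such as `# silence 'Git tree is dirty' while iterating on the flake` would make the trade-off explicit. The `# allow flakes` comment now heads a block that does more than enable flakes and should be widened accordingly.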
@@ -38,6 +48,8 @@
tmpfsSize = "50%";
};
+ services.seatd.enable = true;
+
# use system packages in home manager
home-manager.useGlobalPkgs = true;
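Review bot: `services.seatd.enable = true` is added without a comment between unrelated tmpfs and home-manager settings, and unlike the desktop services in desktop.nix it is not gated on any option, so every host built from this module runs seatd. Seat access is handed out to whatever group the seatd module serves (`services.seatd.group`), which is not set here and whose membership for the login user is not visible in this diff; confirm the user is in it, otherwise the compositor cannot open the seat. If the reason is the wlroots compositors configured in desktops/, say so: `# seat management for sway/hyprland (libseat backend)`.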
@@ -113,8 +125,11 @@
# docs
documentation = {
- info.enable = false;
+ enable = true;
+ doc.enable = false;
+ man.enable = true;
dev.enable = false;
+ info.enable = false;
nixos.enable = false;
};
diff --git a/system/desktop.nix b/system/desktop.nix
index 410f144..8a37148 100644
--- a/system/desktop.nix
+++ b/system/desktop.nix
@@ -28,6 +28,9 @@ in {
# services
services.libinput.enable = true;
+ # gtk portal?
+ programs.dconf.enable = true;
+
# audio / video
services.pipewire = {
enable = true;
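Review bot: The `# gtk portal?` comment records a guess rather than a reason for `programs.dconf.enable = true`. dconf is the settings backend that GTK applications and xdg-desktop-portal-gtk read, and this repo routes FileChooser and OpenURI to the gtk backend, so the dependency is plausible — but the comment should state it, e.g. `# dconf: settings backend used by GTK apps and xdg-desktop-portal-gtk`. If the actual trigger was a home-manager gtk assertion, name that instead so the next reader knows what breaks without it.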
@@ -43,7 +46,14 @@ in {
security.rtkit.enable = true;
# printing
- services.printing.enable = true;
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [
+ brlaser
+ cnijfilter2
+ gutenprint
+ ];
+ };
services.avahi = {
enable = true;
nssmdns4 = true;
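Review bot: The new `drivers` list pulls three filter packages into cupsd, including cnijfilter2, a proprietary binary driver (the same commit whitelists it as unfree), and nothing says which printer each one is for; a comment per entry (`brlaser # Brother HL-xxxx`, and so on) lets the next person drop the ones no longer needed, since every driver is attack surface inside a daemon that sits on the LAN next to avahi. With mDNS enabled alongside cups, also confirm `services.printing.browsing` and cups-browsed stay off unless network printer discovery is really wanted; that setting is not in this hunk, so I cannot see its value.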
@@ -69,6 +79,7 @@ in {
unfreePackages = [
"corefonts"
"vista-fonts"
+ "cnijfilter2"
];
};
}
diff --git a/system/desktops/hyprland.nix b/system/desktops/hyprland.nix
index 26fa283..b0281a3 100644
--- a/system/desktops/hyprland.nix
+++ b/system/desktops/hyprland.nix
@@ -16,14 +16,18 @@ in {
inputs.hyprland.packages.${system}.xdg-desktop-portal-hyprland
];
config.hyprland = {
- default = ["hyprland" "gtk"];
+ default = lib.mkForce ["gtk"];
+ "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
"org.freedesktop.impl.portal.FileChooser" = ["gtk"];
"org.freedesktop.impl.portal.OpenURI" = ["gtk"];
+ "org.freedesktop.impl.portal.Screencast" = ["hyprland"];
+ "org.freedesktop.impl.portal.Screenshot" = ["hyprland"];
};
};
programs.hyprland = {
enable = true;
+ withUWSM = true;
package = inputs.hyprland.packages.${system}.hyprland;
portalPackage = inputs.hyprland.packages.${system}.xdg-desktop-portal-hyprland;
};
diff --git a/system/desktops/sway.nix b/system/desktops/sway.nix
index 501ee41..6c36c12 100644
--- a/system/desktops/sway.nix
+++ b/system/desktops/sway.nix
@@ -17,7 +17,10 @@ in {
xdg-desktop-portal-wlr
];
config.sway = {
- default = lib.mkForce ["gtk" "wlr"];
+ default = lib.mkForce ["gtk"];
+ "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+ "org.freedesktop.impl.portal.FileChooser" = ["gtk"];
+ "org.freedesktop.impl.portal.OpenURI" = ["gtk"];
"org.freedesktop.impl.portal.Screenshot" = ["wlr"];
"org.freedesktop.impl.portal.ScreenCast" = ["wlr"];
};
@@ -30,6 +33,7 @@ in {
base = false;
gtk = false;
};
+ extraPackages = [];
};
};
}
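Review bot: `extraPackages = [];` clears the NixOS sway module's default package list, which in recent nixpkgs includes the screen locker and idle daemon among others, with no note on where those now come from. If they are installed through home-manager, say so: `# sway helpers (swaylock, swayidle, ...) come from home-manager`. If they are not, the locker has just been removed, which is a regression worth catching before it ships.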
diff --git a/system/desktops/wayland.nix b/system/desktops/wayland.nix
index e11eca8..2f43fb3 100644
--- a/system/desktops/wayland.nix
+++ b/system/desktops/wayland.nix
@@ -10,12 +10,16 @@ in {
config = mkIf cfg.enable {
xdg.portal = {
enable = true;
+ xdgOpenUsePortal = true;
extraPortals = with pkgs; [
+ xdg-desktop-portal
xdg-desktop-portal-gtk
];
config.common = {
- default = ["gtk"];
+ default = lib.mkForce ["gtk"];
"org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+ "org.freedesktop.impl.portal.FileChooser" = ["gtk"];
+ "org.freedesktop.impl.portal.OpenURI" = ["gtk"];
};
};
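Review bot: `xdg-desktop-portal` is listed in `extraPortals`, but it is the portal frontend that `xdg.portal.enable = true` already installs, not a backend, so the entry is redundant and misleading next to the real backend `xdg-desktop-portal-gtk`. `default = lib.mkForce ["gtk"]` in this shared base module also means any later `config.common.default` set by a host file is silently overridden; if nothing else sets it, drop the mkForce, and if something does, a comment naming what is being overridden belongs on that line. The `Secret = ["gnome-keyring"]` route assumes gnome-keyring is enabled elsewhere, which this file does not show.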
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..223b358
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,58 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkIf;
+in {
+ imports = [
+ inputs.nix-mineral.nixosModules.nix-mineral
+ ];
+
+ config = mkIf config.hardened {
+ nix-mineral = {
+ enable = true;
+ settings = {
+ debug = {
+ coredump = true;
+ zram = false;
+ };
+ network = {
+ icmp = {
+ cast = true;
+ ignore-all = false;
+ };
+ };
+ kernel = {
+ cpu-mitigations = "smt-on";
+ io-uring = true;
+ lockdown = true;
+ only-signed-modules = true;
+ pti = true;
+ sysrq = "none";
+ };
+ system = {
+ yama = "relaxed";
+ };
+ };
+ extras = {
+ kernel = {
+ intelme-kmodules = false;
+ };
+ system = {
+ secure-chrony = true;
+ unprivileged-userns = false;
+ };
+ };
+ filesystems = {
+ normal = {
+ # let me run shell scripts
+ # please and thank you
+ "/home".options.noexec = lib.mkForce false;
+ "/etc".options.noexec = lib.mkForce true;
+ };
+ };
+ };
+ };
+}
diff --git a/system/virt/qemu.nix b/system/virt/qemu.nix
index 6c068e4..64ad8c6 100644
--- a/system/virt/qemu.nix
+++ b/system/virt/qemu.nix
@@ -17,5 +17,9 @@ in {
environment.systemPackages = with pkgs; [
qemu
];
+
+ networking.firewall.trustedInterfaces = [
+ "virbr0"
+ ];
};
}
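Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ]` switches the host firewall off for everything arriving from the libvirt NAT bridge, so any guest — including one used to run untrusted software — can reach every listening host service (sshd.nix is imported in default.nix, and anything bound to 0.0.0.0 is exposed too). If the goal is only to let libvirt's dnsmasq serve DHCP and DNS to guests, a per-interface allow-list is enough and keeps the rest of the host closed: `networking.firewall.interfaces."virbr0" = { allowedUDPPorts = [ 53 67 ]; allowedTCPPorts = [ 53 ]; };`. Whether virbr0 is actually created by this configuration is not visible (this file only installs qemu and the libvirtd settings live elsewhere), so confirm which host ports guests genuinely need before narrowing. The enclosing attribute set starts outside the hunk.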