Diffstat (limited to '')
| -rw-r--r-- | system/default.nix | 10 | ||||
| -rw-r--r-- | system/desktop.nix | 13 | ||||
| -rw-r--r-- | system/fingerprint.nix | 5 | ||||
| -rw-r--r-- | system/hardened.nix | 58 |
4 files changed, 12 insertions, 74 deletions
diff --git a/system/default.nix b/system/default.nix index 17b3f99..e912856 100644 --- a/system/default.nix +++ b/system/default.nix @@ -15,7 +15,6 @@ ./bluetooth.nix ./desktop.nix ./fingerprint.nix - ./hardened.nix ./hardware.nix ./networking.nix ./sshd.nix @@ -32,6 +31,9 @@ auto-optimise-store = true; experimental-features = ["nix-command" "flakes"]; use-xdg-base-directories = true; + trusted-users = ["root" "@wheel"]; + max-jobs = config.cores / 4; + cores = (config.cores - 2) / config.nix.settings.max-jobs; }; }; @@ -39,6 +41,11 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.unfreePackages; + # load overlays + nixpkgs.overlays = [ + (final: _: import ../pkgs {pkgs = final;}) + ]; + # set state version system.stateVersion = config.stateVersion; @@ -112,6 +119,7 @@ }; # use the latest kernel + boot.kernelPackages = pkgs.linuxPackages_latest; # sysrq diff --git a/system/desktop.nix b/system/desktop.nix index 162fe94..853296b 100644 --- a/system/desktop.nix +++ b/system/desktop.nix @@ -8,10 +8,6 @@ }: let inherit (lib) mkIf; in { - imports = [ - inputs.preload-ng.nixosModules.default - ]; - config = mkIf config.desktops.enable { # nix-ld programs.nix-ld.enable = true; @@ -50,8 +46,7 @@ in { enable = true; drivers = with pkgs; [ brlaser - # FIXME: failes to compile - # cnijfilter2 + cnijfilter2 gutenprint ]; }; @@ -62,12 +57,6 @@ in { }; users.groups.lp.members = [config.user]; - # preload-ng - services.preload-ng = { - enable = true; - package = inputs.preload-ng.packages.${system}.preload-ng-src; - }; - # secrets services.gnome.gnome-keyring.enable = true; diff --git a/system/fingerprint.nix b/system/fingerprint.nix index 02b0e75..35737f5 100644 --- a/system/fingerprint.nix +++ b/system/fingerprint.nix @@ -1,8 +1,7 @@ { lib, config, - inputs, - system, + pkgs, ... }: let inherit (lib) mkIf; 
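Review bot: `trusted-users = ["root" "@wheel"];` in the nix settings hunk of system/default.nix makes every wheel member a trusted Nix user, which the Nix manual describes as essentially equivalent to root access, because such users can override substituters and import unsigned store paths through the daemon without a sudo prompt. If the goal is only to allow extra binary caches, listing them under `trusted-substituters` with their `trusted-public-keys` grants that without trusting the whole group; otherwise a comment such as `# wheel is root-equivalent to the nix daemon; needed for <reason>` should record the decision. The two added job settings use integer division, so if `config.cores` can be below 4, `max-jobs` evaluates to 0 and the `cores` expression then divides by zero; `max-jobs = lib.max 1 (config.cores / 4);` avoids that. The same commit deletes system/hardened.nix, so nothing in the visible changes offsets the wider daemon trust.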
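Review bot: The overlay added under `# load overlays` merges everything from ../pkgs into `pkgs`, so any attribute there that shares a name with a nixpkgs package replaces it for every consumer, and an attribute missing from ../pkgs would fall back to a same-named nixpkgs package without an error. That affects the consumers changed in this commit, `cnijfilter2` in system/desktop.nix and `pkgs.libfprint-2-tod1-vfs0090` in system/fingerprint.nix (the latter feeds fingerprint authentication), because the use site no longer shows which derivation is built. The comment could say so, for example `# overlay: local ../pkgs shadow same-named nixpkgs attributes (cnijfilter2, libfprint-2-tod1-vfs0090)`, assuming those are the packages ../pkgs defines. Passing `pkgs = final` is fine for new packages but can recurse if a local package overrides a name it also depends on; taking those inputs from the overlay's second argument avoids it.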
@@ -11,7 +10,7 @@ in { services.fprintd = { enable = true; tod.enable = true; - tod.driver = inputs.self.packages.${system}.libfprint-2-tod1-vfs0090; + tod.driver = pkgs.libfprint-2-tod1-vfs0090; }; }; } diff --git a/system/hardened.nix b/system/hardened.nix deleted file mode 100644 index 223b358..0000000 --- a/system/hardened.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ - lib, - config, - inputs, - ... -}: let - inherit (lib) mkIf; -in { - imports = [ - inputs.nix-mineral.nixosModules.nix-mineral - ]; - - config = mkIf config.hardened { - nix-mineral = { - enable = true; - settings = { - debug = { - coredump = true; - zram = false; - }; - network = { - icmp = { - cast = true; - ignore-all = false; - }; - }; - kernel = { - cpu-mitigations = "smt-on"; - io-uring = true; - lockdown = true; - only-signed-modules = true; - pti = true; - sysrq = "none"; - }; - system = { - yama = "relaxed"; - }; - }; - extras = { - kernel = { - intelme-kmodules = false; - }; - system = { - secure-chrony = true; - unprivileged-userns = false; - }; - }; - filesystems = { - normal = { - # let me run shell scripts - # please and thank you - "/home".options.noexec = lib.mkForce false; - "/etc".options.noexec = lib.mkForce true; - }; - }; - }; - }; -} |