stuff

2025-01-08 21:08:08 +01:00 · 2025-01-08 21:08:08 +01:00 · 25934a0e7c
commit 25934a0e7c
parent 82a40e6678
10 changed files with 37 additions and 6 deletions
--- a/base.nix
+++ b/base.nix
@ -54,7 +54,13 @@
  nixpkgs.config.allowUnfreePredicate = pkg: true;
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

+  # apply microcode to fix functional and security issues
  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
+  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;
+  
+  # enable kernel same-page merging for improved vm test performance
+  hardware.ksm.enable = true;

  boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyse can see what happened
  # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
@ -67,6 +73,7 @@
  #networking.nftables.enable = true; # wirewall backend, instead of iptables, breaks docker which uses iptables
  #networking.firewall.allowPing = false;
  #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
+  networking.firewall.logRefusedConnections = false; # too spammy, rotates dmesg too quickly

  #system.switch.enable = false;
  #system.switch.enableNg = true; # rewritten in rust
@ -85,8 +92,8 @@
    /* "pipe-operator" # not supported on lix 2.91 */
  ];
  #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
-  nix.settings.allowed-users = [ "root" "pbsds" "@wheel" ]; # default is [ "*" ]
-  nix.settings.trusted-users = [ "root" "pbsds" "@wheel" ];
+  nix.settings.allowed-users = [ "root" "@wheel" ]; # default is [ "*" ]
+  nix.settings.trusted-users = [ "root" "@wheel" ];
  nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  nix.settings.max-silent-time = 3600;
@ -99,6 +106,8 @@
  nix.settings.min-free =  3 * 1024 * 1024 * 1024; # starts cg
  nix.settings.max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free

+  security.sudo.execWheelOnly = true;
+
  services.thermald.enable = lib.all (x: x) [
    (config.nixpkgs.system == "x86_64-linux")
    (!config.boot.isContainer or false)
--- a/hosts/nixos/bjarte/configuration.nix
+++ b/hosts/nixos/bjarte/configuration.nix
@ -52,6 +52,10 @@
    ../../../profiles/known-hosts.nix
  ];

+  environment.systemPackages = with pkgs; [
+    krita
+  ];
+
  time.timeZone = null; # allows imperative configuring

  networking.firewall.allowedTCPPorts = [ 57621 ]; # spotify local discovery
--- a/hosts/nixos/bolle/configuration.nix
+++ b/hosts/nixos/bolle/configuration.nix
@ -29,6 +29,9 @@
  # Networking
  networking.networkmanager.enable = true;

+  # use memory more efficiently at the cost of some compute
+  zramSwap.enable = true;
+
  # TODO: remove? Move?
  programs.dconf.enable = true;
 }
--- a/hosts/nixos/garp/configuration.nix
+++ b/hosts/nixos/garp/configuration.nix
@ -43,6 +43,9 @@
  # Networking
  networking.networkmanager.enable = true;

+  # use memory more efficiently at the cost of some compute
+  zramSwap.enable = true;
+
  # TODO: remove? Move?
  programs.dconf.enable = true;
 }
--- a/hosts/nixos/sopp/configuration.nix
+++ b/hosts/nixos/sopp/configuration.nix
@ -68,6 +68,10 @@
    #../../../profiles/domeneshop-dyndns.nix # handled by noximilien
  ];

+  environment.systemPackages = with pkgs; [
+    krita
+  ];
+
  networking.firewall.allowedTCPPorts = [ 57621 ]; # spotify local discovery

  hardware.bluetooth.enable = true;
--- a/profiles/sshd.nix
+++ b/profiles/sshd.nix
@ -2,5 +2,6 @@
  services.openssh.enable = true;
  services.openssh.settings.X11Forwarding = true;
  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.KbdInteractiveAuthentication = false;
  services.fail2ban.enable = true;
 }
--- a/users/pbsds/home/profiles/desktop/default.nix
+++ b/users/pbsds/home/profiles/desktop/default.nix
@ -29,7 +29,7 @@

    discord
    element-desktop
-    signal-desktop
+    unstable.signal-desktop
    #element-desktop-wayland
    #nheko
    #fluffychat
@ -47,6 +47,8 @@

    (pkgs.zxtune or unstable.zxtune or null)

+    vlc
+
    f3d
    firefox
    zotero
--- a/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix
+++ b/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix
@ -61,6 +61,8 @@ with lib.hm.gvariant;

    "org/gnome/desktop/privacy" = {
      disable-microphone = false;
+      old-files-age = mkUint32 30;
+      recent-files-max-age = -1;
    };

  };
--- a/users/pbsds/home/profiles/desktop/mime.nix
+++ b/users/pbsds/home/profiles/desktop/mime.nix
@ -101,9 +101,8 @@ let

  # Applications
  app-map = {
-    /* image = ["org.gnome.eog.desktop"]; */
-    image = ["org.gnome.Loupe.desktop"];
-    audio = ["mpv.desktop"];
+    image = ["org.gnome.Loupe.desktop" "org.gnome.eog.desktop"];
+    audio = ["mpv.desktop" "vlc.desktop" "ZXTune.desktop"];
    video = ["mpv.desktop"];
    fonts = ["org.gnome.font-viewer.desktop"];
    docs = ["org.gnome.Papers.desktop" "org.gnome.Evince.desktop"];
--- a/users/pbsds/home/profiles/gtk.nix
+++ b/users/pbsds/home/profiles/gtk.nix
@ -7,4 +7,8 @@
  gtk.theme.package = pkgs.colloid-gtk-theme;
  gtk.iconTheme.name = "Flat-Remix-Blue-Dark";
  gtk.iconTheme.package = pkgs.flat-remix-icon-theme;
+
+  # the themes are stored here, the files gets replaced by gnome-tweaks
+  xdg.configFile."gtk-3.0/settings.ini".force = true;
+  xdg.configFile."gtk-4.0/settings.ini".force = true;
 }