reorganization

modules/core/default.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.modules.core;
+in {
+  options.modules.core = {
+    laptop = mkEnableOption "Enable laptop specific tweaks";
+  };
+
+  config = {
+    # TODO: add something here loooool
+  };
+}

modules/core/fs/fstrim.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+with lib;
+{
+  # if lvm is enabled, then tell it to issue discards
+  # (this is good for SSDs and has almost no downsides on HDDs, so
+  # it's a good idea to enable it unconditionally)
+  environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
+    devices {
+      issue_discards = 1
+    }
+  '';
+
+  # discard blocks that are not in use by the filesystem, good for SSDs
+  services.fstrim = {
+    # we may enable this unconditionally across all systems becuase it's performance
+    # impact is negligible on systems without a SSD - which means it's a no-op with
+    # almost no downsides aside from the service firing once per week
+    enable = true;
+
+    # the default value, good enough for average-load systems
+    interval = "weekly";
+  };
+
+  # tweak fstrim service to run only when on AC power
+  # and to be nice to other processes
+  # (this is a good idea for any service that runs periodically)
+  systemd.services.fstrim = {
+    unitConfig.ConditionACPower = true;
+
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "idle";
+    };
+  };
+}

modules/core/fs/lvm.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+
+with lib;
+{
+  # i don't use lvm, can be disabled
+  services.lvm.enable = mkDefault false;
+}

modules/core/fs/scrub.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+let
+  supportedFilesystems = builtins.map (builtins.getAttr "fsType") (builtins.attrValues config.fileSystems);
+  mkScrubConfig = fsType: {
+    enable = builtins.elem fsType supportedFilesystems;
+    interval = "weekly";
+  };
+in {
+  services.btrfs.autoScrub = mkScrubConfig "btrfs";
+  services.zfs.autoScrub = mkScrubConfig "zfs";
+
+  # bcachefs exists but it was "ejected from the kernel" for "repeated violations of kernel dev. guidelines"
+  # linus "tech tips" torvalds said himself "nobody sane uses bcachefs and expects it to be stable" (https://en.wikipedia.org/wiki/Bcachefs#Stability)
+}

modules/core/kernel.nix

@@ -0,0 +1,27 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.modules.core.kernel;
+in {
+  options.modules.core.kernel = {
+    zswap = mkEnableOption "Enable zswap, a compressed RAM cache for swap pages";
+    v4l2 = mkEnableOption "Enable support for v4l2 loopback devices";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.zswap {
+      boot.kernelParams = [
+        "zswap.enabled=1"
+        "zswap.shrinker_enabled=1"
+        "zswap.max_pool_percent=20"
+        "zswap.compressor=zstd"
+        "zswap.zpool=zsmalloc"
+      ];
+    })
+    (mkIf cfg.v4l2 {
+      boot.kernelModules = ["v4l2loopback"];
+      boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+    })
+  ];
+}

modules/core/locale.nix

@@ -0,0 +1,13 @@
+{ lib, pkgs, inputs, config, ... }:
+
+with lib;
+{
+  i18n.defaultLocale = mkDefault "en_US.UTF-8";
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "qwerty";
+  };
+  console = {
+    useXkbConfig = mkDefault true;
+  };
+}

modules/core/nix.nix

@@ -0,0 +1,61 @@
+{ lib, pkgs, inputs, config, ... }:
+let
+  gcConfig = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 14d";
+  };
+in {
+  environment.variables = {
+    NIXPKGS_ALLOW_UNFREE = "1";
+  };
+
+  nixpkgs.flake.setNixPath = true;
+  nixpkgs.flake.setFlakeRegistry = true;
+
+  nix = {
+    package = pkgs.nixVersions.latest;
+
+    settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+
+      auto-optimise-store = true;
+
+      keep-outputs = true;
+      keep-derivations = true;
+
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://nixpkgs-wayland.cachix.org"
+        "https://wezterm.cachix.org"
+        "https://niri.cachix.org"
+        "https://vicinae.cachix.org"
+        "https://cache.garnix.io"
+        # "https://cache.soopy.moe"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+        "wezterm.cachix.org-1:kAbhjYUC9qvblTE+s7S+kl5XM1zVa4skO+E/1IDWdH0="
+        "niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964="
+        "vicinae.cachix.org-1:1kDrfienkGHPYbkpNj1mWTr7Fm1+zcenzgTizIcI3oc="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        # "cache.soopy.moe-1:0RZVsQeR+GOh0VQI9rvnHz55nVXkFardDqfm4+afjPo="
+      ];
+    };
+  };
+
+  nix.optimise.automatic = true; # likely not needed w/ auto-optimise-store, comfy to keep though
+  nix.gc = gcConfig;
+  hm.nix.gc = gcConfig;
+
+  programs.command-not-found.enable = false;
+  programs.nix-index.enable = true;
+
+  # compat w/ non-nix programs
+  programs.nix-ld.enable = true;
+  programs.appimage = {
+    enable = true;
+    binfmt = true;
+  };
+}

modules/core/security.nix

@@ -0,0 +1,77 @@
+{ config, lib, options, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.modules.core.security;
+in {
+  options.modules.core.security = {
+    useDoas = mkEnableOption "use opendoas instead of sudo";
+  };
+
+  config = mkMerge [
+    {
+      boot = {
+        tmp.useTmpfs = lib.mkDefault true;
+        tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+        # disable kernel parameter editing on boot
+        loader.systemd-boot.editor = false;
+
+        kernel.sysctl = {
+          # magic sysrq key, allows low-level commands through keyboard input
+          "kernel.sysrq" = 0;
+
+          ## TCP hardening
+          # prevent bogus ICMP errors from filling up logs
+          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+          # do not accept IP source packets (we are not a router)
+          "net.ipv4.conf.all.accept_source_route" = 0;
+          "net.ipv6.conf.all.accept_source_route" = 0;
+          # don't send ICMP redirects (again, we're not a router)
+          "net.ipv4.conf.all.send_redirects" = 0;
+          "net.ipv4.conf.default.send_redirects" = 0;
+          # refuse ICMP redirects (MITM mitigations)
+          "net.ipv4.conf.all.accept_redirects" = 0;
+          "net.ipv4.conf.default.accept_redirects" = 0;
+          "net.ipv4.conf.all.secure_redirects" = 0;
+          "net.ipv4.conf.default.secure_redirects" = 0;
+          "net.ipv6.conf.all.accept_redirects" = 0;
+          "net.ipv6.conf.default.accept_redirects" = 0;
+          # protects against SYN flood attacks
+          "net.ipv4.tcp_syncookies" = 1;
+          # incomplete protection against TIME-WAIT assassination
+          "net.ipv4.tcp_rfc1337" = 1;
+
+          ## TCP optimization
+          # TCP fastopen
+          "net.ipv4.tcp_fastopen" = 3;
+          # bufferbloat mitigations + improvement in throughput and latency
+          "net.ipv4.tcp_congestion_control" = "bbr";
+          "net.core.default_qdisc" = "cake";
+        };
+        kernelModules = [ "tcp_bbr" ];
+      };
+
+      security = {
+        # prevents replacing the kernel without a reboot
+        protectKernelImage = true;
+        # rtkit allows unprivileged processes to use realtime scheduling
+        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+        rtkit.enable = true;
+        polkit.enable = true;
+      };
+
+      # personal computer? no firewall ty :3
+      networking.firewall.enable = false;
+
+      # stay up to date on firmware
+      services.fwupd.enable = true;
+    }
+    (mkIf cfg.useDoas {
+      security.sudo.enable = false;
+      security.doas.enable = true;
+      security.doas.extraRules = [ { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; } ];
+      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
+    })
+  ];
+}

modules/core/user.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, options, ... }:
+
+with lib;
+with lib.my;
+{
+  options =  {
+    user = mkOpt types.attrs {};
+  };
+
+  config = {
+    user = rec {
+      name = "reidlab";
+      description = "reid";
+      extraGroups = ["wheel" "input" "audio" "video" "storage"];
+      isNormalUser = true;
+      home = "/home/${name}";
+      group = name;
+      uid = 1000;
+    };
+    users.groups.${config.user.group} = {};
+
+    users.users.${config.user.name} = mkAliasDefinitions options.user;
+
+    home-manager.useUserPackages = true;
+    home-manager.useGlobalPkgs = true;
+
+    hm.home.username = config.user.name;
+    hm.home.homeDirectory = lib.mkForce config.user.home;
+
+    nix.settings = let
+      users = ["root" config.user.name];
+    in {
+      trusted-users = users;
+      allowed-users = users;
+    };
+
+    users.users.root = {
+      packages = [ pkgs.shadow ];
+      shell = pkgs.shadow;
+      hashedPassword = "!";
+    };
+  };
+}

modules/core/xdg.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  config = {
+    hm.xdg.enable = true;
+    hm.xdg.userDirs = rec {
+      enable = true;
+      createDirectories = true;
+      setSessionVariables = true;
+
+      desktop = "$HOME/desktop";
+      documents = "$HOME/documents";
+      download = "$HOME/downloads";
+      music = "$HOME/music";
+      pictures = "$HOME/pictures";
+      publicShare = "$HOME/public";
+      templates = "$HOME/templates";
+      videos = "$HOME/videos";
+
+      extraConfig = {
+        recordings = "${videos}/recordings";
+        screenshots = "${pictures}/screenshots";
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      xdg-utils
+    ];
+  };
+}