4 changed files with 75 additions and 76 deletions
--- a/default.nix
+++ b/default.nix
@ -24,7 +24,7 @@ in {

  boot = {
    kernelPackages = mkDefault pkgs.linuxPackages_latest;
-    kernelParams = [ "pcie_aspm.policy=performance" ];
+    kernelParams = [ "pci_aspm.policy=performance" ];
  };

  # configure keymap in x11
--- a/hosts/flubber-machine/hardware.nix
+++ b/hosts/flubber-machine/hardware.nix
@ -3,6 +3,7 @@
 {
  imports =
    [
+      inputs.hardware.nixosModules.gigabyte-b550
      inputs.hardware.nixosModules.common-cpu-amd
      inputs.hardware.nixosModules.common-gpu-amd
      inputs.hardware.nixosModules.common-pc-ssd
--- a/hosts/flubber-machine/omen-30l-gt13-1xxx.nix
+++ b/hosts/flubber-machine/omen-30l-gt13-1xxx.nix
@ -11,8 +11,9 @@

  environment.systemPackages = with pkgs; [ amdgpu_top ];

-  # fix audio issues: https://forums.linuxmint.com/viewtopic.php?t=445461
-  boot.extraModprobeConfig = ''
-    options snd_hda_intel model=generic
-  '';
+  # fix audio issues
+  # Is this even needed. I'm losing my mindddddd
+  # https://forums.linuxmint.com/viewtopic.php?t=445461
+  # https://help.ubuntu.com/community/HdaIntelSoundHowto
+  boot.extraModprobeConfig = ''options snd_hda_intel model=generic'';
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@ -8,85 +8,82 @@ in {
    useDoas = mkEnableOption "use opendoas instead of sudo";
  };

-  config = mkMerge [
-    {
-      boot = {
-        tmp.useTmpfs = lib.mkDefault true;
-        tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+  config = mkIf cfg.enable {
+    boot = {
+      tmp.useTmpfs = lib.mkDefault true;
+      tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);

-        # disable kernel parameter editing on boot
-        loader.systemd-boot.editor = false;
+      # disable kernel parameter editing on boot
+      loader.systemd-boot.editor = false;

-        kernel.sysctl = {
-          # magic sysrq key, allows low-level commands through keyboard input
-          "kernel.sysrq" = 0;
+      kernel.sysctl = {
+        # magic sysrq key, allows low-level commands through keyboard input
+        "kernel.sysrq" = 0;

-          ## TCP hardening
-          # prevent bogus ICMP errors from filling up logs
-          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-          # do not accept IP source packets (we are not a router)
-          "net.ipv4.conf.all.accept_source_route" = 0;
-          "net.ipv6.conf.all.accept_source_route" = 0;
-          # don't send ICMP redirects (again, we're not a router)
-          "net.ipv4.conf.all.send_redirects" = 0;
-          "net.ipv4.conf.default.send_redirects" = 0;
-          # refuse ICMP redirects (MITM mitigations)
-          "net.ipv4.conf.all.accept_redirects" = 0;
-          "net.ipv4.conf.default.accept_redirects" = 0;
-          "net.ipv4.conf.all.secure_redirects" = 0;
-          "net.ipv4.conf.default.secure_redirects" = 0;
-          "net.ipv6.conf.all.accept_redirects" = 0;
-          "net.ipv6.conf.default.accept_redirects" = 0;
-          # protects against SYN flood attacks
-          "net.ipv4.tcp_syncookies" = 1;
-          # incomplete protection against TIME-WAIT assassination
-          "net.ipv4.tcp_rfc1337" = 1;
+        ## TCP hardening
+        # prevent bogus ICMP errors from filling up logs
+        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+        # do not accept IP source packets (we are not a router)
+        "net.ipv4.conf.all.accept_source_route" = 0;
+        "net.ipv6.conf.all.accept_source_route" = 0;
+        # don't send ICMP redirects (again, we're not a router)
+        "net.ipv4.conf.all.send_redirects" = 0;
+        "net.ipv4.conf.default.send_redirects" = 0;
+        # refuse ICMP redirects (MITM mitigations)
+        "net.ipv4.conf.all.accept_redirects" = 0;
+        "net.ipv4.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.secure_redirects" = 0;
+        "net.ipv4.conf.default.secure_redirects" = 0;
+        "net.ipv6.conf.all.accept_redirects" = 0;
+        "net.ipv6.conf.default.accept_redirects" = 0;
+        # protects against SYN flood attacks
+        "net.ipv4.tcp_syncookies" = 1;
+        # incomplete protection against TIME-WAIT assassination
+        "net.ipv4.tcp_rfc1337" = 1;

-          ## TCP optimization
-          # TCP fastopen
-          "net.ipv4.tcp_fastopen" = 3;
-          # bufferbloat mitigations + improvement in throughput and latency
-          "net.ipv4.tcp_congestion_control" = "bbr";
-          "net.core.default_qdisc" = "cake";
-        };
-        kernelModules = [ "tcp_bbr" ];
+        ## TCP optimization
+        # TCP fastopen
+        "net.ipv4.tcp_fastopen" = 3;
+        # bufferbloat mitigations + improvement in throughput and latency
+        "net.ipv4.tcp_conjestion_control" = "bbr";
+        "net.core.default_qdisc" = "cake";
      };
+      kernelModules = [ "tcp_bbr" ];
+    };

-      security = {
-        # prevents replacing the kernel without a reboot
-        protectKernelImage = true;
-        # rtkit allows unprivileged processes to use realtime scheduling
-        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
-        rtkit.enable = true;
-        polkit.enable = true;
-      };
+    security = {
+      # prevents replacing the kernel without a reboot
+      protectKernelImage = true;
+      # rtkit allows unprivileged processes to use realtime scheduling
+      # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+      rtkit.enable = true;
+      polkit.enable = true;
+    };

-      # personal computer? no firewall ty :3
-      networking.firewall.enable = false;
+    # personal computer? no firewall ty :3
+    networking.firewall.enable = false;

-      services.usbguard = {
-        IPCAllowedUsers = [ "root" "${env.mainUser}" ];
-        presentDevicePolicy = "allow";
-        rules = ''
-          allow with-interface equals { 08:*:* }
+    services.usbguard = {
+      IPCAllowedUsers = [ "root" "${env.mainUser}" ];
+      presentDevicePolicy = "allow";
+      rules = ''
+        allow with-interface equals { 08:*:* }

-          # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
-          reject with-interface all-of { 08:*:* 03:00:* }
-          reject with-interface all-of { 08:*:* 03:01:* }
-          reject with-interface all-of { 08:*:* e0:*:* }
-          reject with-interface all-of { 08:*:* 02:*:* }
-        '';
-      };
+        # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
+        reject with-interface all-of { 08:*:* 03:00:* }
+        reject with-interface all-of { 08:*:* 03:01:* }
+        reject with-interface all-of { 08:*:* e0:*:* }
+        reject with-interface all-of { 08:*:* 02:*:* }
+      '';
+    };

-      services.fwupd.enable = true;
-    }
-    (mkIf cfg.useDoas {
-      security.sudo.enable = false;
-      security.doas.enable = true;
-      security.doas.extraRules = [
-        { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
-      ];
-      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
-    })
-  ];
+    services.fwupd.enable = true;
+  } // (mkIf cfg.useDoas {
+    security.sudo.enable = false;
+    security.doas.enable = true;
+    security.doas.extraRules = [
+      { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
+    ];
+    environment.systemPackages = with pkgs; [ doas-sudo-shim ];
+  });
 }