Skip to content

sukhmancs/nixos-configs

Repository files navigation

built with nix Linux Top Language NeoVim Commit Activity Commit Since Repo Size


Firefox, Neovim, pfetch, yazi ISO Preview

More Catppuccin Previews Rofi Preview Anyrun Preview Neovim Preview VSCode Preview Discord Preview
Gruvbox-light-hard gruvbox-light-hard Theme gruvbox-light-hard-common Theme gruvbox-light-hard-discord Theme
Alph Alph Theme
Ashes Ashes Theme
Gruvbox-dark-hard gruvbox-dark-hard Theme
Catppuccin-frappe Catppuccin-frappe Theme
ember ember Theme
emil emil Theme emil Theme
fairy-floss fairy-floss Theme fairy-floss Theme

Todo

  • Tailnet - TailScale, WireGuard, ...
  • Icons - Icon fonts (gtk/qt) are not dynamic. Try to use base16 colors.
  • Qemu - Virtualization with GPU passthrough (Done but not tested)
  • Hardened Systemd
  • Modularize - Anyrun, qt.nix, ...
  • Refactor - Remove dead code, unused files, ...

AppArmor

One profile a day keeps the hacker away

  • Chrome - google-chrome, chromium

Structure

.
β”œβ”€β”€ homes 🏠          # Common home-manager configuration for all hosts.
β”œβ”€β”€ hosts πŸ’»          # Host-specific configurations.
β”œβ”€β”€ modules πŸ”§        # Contains the common modules used across all hosts.
β”‚   β”œβ”€β”€ exclusive πŸšͺ  # Modules that need to be enabled exclusively.
β”‚   β”œβ”€β”€ roles 🎭      # Roles that can be assigned to a host.
β”‚   └── shared 🀝     # Modules that are shared across multiple hosts.
β”œβ”€β”€ flake-parts ❄️    # flake.parts.
β”‚   β”œβ”€β”€ default πŸ“¦    # Custom packages that are available to all hosts.
β”‚   β”œβ”€β”€ git-hooks πŸ”—  # Git hooks.
β”‚   β”œβ”€β”€ lib πŸ“š        # Common functions and variables.
β”‚   β”œβ”€β”€ npins πŸ“Œ      # Nix packages that are pinned.
β”‚   β”œβ”€β”€ shell 🐚      # Direnv shell for this project.
β”‚   β”œβ”€β”€ templates πŸ“‘  # Flake templates for different languages.
β”‚   β”œβ”€β”€ keys πŸ”‘       # Public keys for the hosts.
β”‚   β”œβ”€β”€ live-media πŸ“€ # Live media available for build.
β”‚   └── treefmt 🌳    # Treefmt configuration.
β”œβ”€β”€ options βš™οΈ        # Custom options for the hosts.
β”œβ”€β”€ secrets πŸ”’        # Agenix secrets.
└── themes 🎨         # Custom base16 themes.

Privacy and Security

πŸ›‘οΈ Measures
  • Firewall - nftables
  • DNS - adguard
  • VPN - wireguard
  • Secrets - agenix
  • Encryption - LUKS
  • Sandboxing - firejail
  • Security Profiles - apparmor, selinux
  • Physical Security - yubikey
  • Ban IPs - fail2ban
  • Malware scanner - clamav
  • USB Device Control - usbguard
  • Software auditing - lynis vulnix auditd
  • Hardened Firefox - Schizofox
  • Stateless System - Impermanence
  • Kernel Hardening

Host

Following hosts are available:

Host Type
milkyway Laptop
triangulum Server
andromeda Desktop
messier ISO

Tools

Here are the tools I am using:

Tool Milkyway/Andromeda Messier
πŸͺŸ Window Manager Hyprland River
πŸ–₯️ Display Manager swaylock swaylock
πŸ“Š Bar AGS Waybar
πŸš€ Launcher Anyrun, Rofi Rofi
🎨 GTK Theme adw-gtk3-dark adw-gtk3-dark
πŸ–₯️ Terminal Foot Foot
πŸ”” Notifications Dunst, AGS Mako

Note

Triangulum is a headless server, so no graphical stuff there.

Color Scheme

Default Color Scheme: cappuccino-mocha

Element Color Name Hex Code
Background Color base00 #1e1e1e
Secondary Background Color base02 #313244
Text Color base05 #cdd6f4
Secondary Text Color base00 #1e1e1e
Accent Color (Button focused, Border color, Button active) base0E #cba6f7
Overlay Color (Button hover, Button disabled) base03 #45475a

Available Color Schemes

Scheme Variants
cappuccino mocha, frappe
dracula -
gruvbox light, dark, medium, hard
henna -
helios -
horizon dark
nord -
monokai -
selenized dark, light
solarized dark, light
tomorrow-night -
twilight -
ubuntu -
uwunicorn -
windows-95 -
doom-one -
alph -
ashes -
atelier cave, dune, estuary, forest, heath, lakeside, meadow, plateu, savanna, seaside, studio, sulphurpool
ayu-dark -
bespin -
caret -
darkmoss -
ember -
emil -
eris -
eva -
everforest -
fairy-floss -
gigavolt -
io -
isotope -
manegarm -
material-vivid -
miramare -
monokai -
oceanic-next -
old-hope -
outrun-dark -
spaceduck -
stella -
summerfruit-dark -
woodland -
xcode-dusk -

Installation

Disk Partitioning

Here is what our disk partitioning will look like:

+-----------------------+------------------------+-----------------------+
| Boot partition        | Swap partition         | LUKS encrypted root   |
|                       |                        | partition             |
|                       |                        |                       |
| /boot                 | [SWAP]                 | /                     |
|                       |                        |                       |
|                       |                        | /dev/mapper/crypted   |
|                       |                        |                       |
| /dev/sda1             | /dev/sda2              | /dev/sda3             |
|                       |                        |                       |
| 1GB                   | 8GB                    | Remaining space       |
+-----------------------+------------------------+-----------------------+
Option 1 - Partition and mount the drives using disko
# Change the disk id according to your system
DISK='/dev/disk/by-id/ata-Samsung_SSD_870_EVO_250GB_S6PENL0T902873K'

curl https://raw.githubusercontent.com/sukhmancs/nixos-configs/main/disko/luks-btrfs-subvolumes/default.nix \
-o /tmp/disko.nix
sed -i "s|to-be-filled-during-installation|$DISK|" /tmp/disko.nix
nix --experimental-features "nix-command flakes" run github:nix-community/disko\
-- --mode disko /tmp/disko.nix
Option 2 - Manual Partitioning

Create Partitions

# Create boot, swap, and root partitions
DISK=/dev/sda

parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1GiB
parted "$DISK" -- set 1 boot on

parted "$DISK" -- mkpart Swap linux-swap 1GiB 9GiB

parted "$DISK" -- mkpart primary 9GiB 100%

Setup Swap Partition

mkswap -L SWAP "$DISK"2
swapon "$DISK"2

Btrfs with LUKS (Root Partition)

cryptsetup --verify-passphrase -v luksFormat "$DISK"3 # /dev/sda3
cryptsetup open "$DISK"3 crypted

mkfs.btrfs -L NIXOS /dev/mapper/crypted

mount -t btrfs /dev/mapper/crypted /mnt

# Setups subvolumes
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/nix
btrfs subvolume create /mnt/persist
btrfs subvolume create /mnt/log
btrfs subvolume create /mnt/snapshots

# Blank snapshot of the root subvolume
btrfs subvolume snapshot -r /mnt/root /mnt/root-blank

# Unmount the root partition
umount /mnt

# Create mount points
mkdir /mnt/home
mkdir /mnt/nix
mkdir /mnt/persist
mkdir -p /mnt/var/log
mkdir /mnt/snapshots

# Mount the subvolumes
mount -o subvol=root,compress=zstd,noatime /dev/mapper/crypted /mnt
mount -o subvol=home,compress=zstd,noatime /dev/mapper/crypted /mnt/home
mount -o subvol=nix,compress=zstd,noatime /dev/mapper/crypted /mnt/nix
mount -o subvol=persist,compress=zstd,noatime /dev/mapper/crypted /mnt/persist
mount -o subvol=log,compress=zstd,noatime /dev/mapper/crypted /mnt/var/log
mount -o subvol=snapshots,compress=zstd,noatime /dev/mapper/crypted /mnt/snapshots

Setup Boot Partition

mkfs.vfat -n BOOT "$DISK"1
mount --mkdir "$DISK"1 /mnt/boot

Install NixOS

# Generate the configuration
nixos-generate-config --root /mnt

Run nixos-install to install NixOS.

Install the dotfiles

git clone https://github.com/sukhmancs/nixos-configs/ ~/.config/nixos-configs
cd ~/.config/nixos-configs

Caution

If Impermanence is enabled, we need to add the neededForBoot = true to some mounted subvolumes in hardware-configuration.nix. It will look something like this:

fileSystems."/persist" = {
   device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
   fsType = "btrfs";
   options = ["subvol=persist"];
   neededForBoot = true; # <- add this
 };

 fileSystems."/var/log" = {
   device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
   fsType = "btrfs";
   options = ["subvol=log"];
   neededForBoot = true; # <- add this
 };

 fileSystems."/snapshots" = {
   device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
   fsType = "btrfs";
   options = ["subvol=snapshots"];
   neededForBoot = true; # <- add this
 };

Also, ensure that the password files are located in a volume marked with neededForBoot = true otherwise the user will not be able to login.

mkdir -p /persist/passwords/root /persist/passwords/<user>
mkpasswd -m sha-512 > /persist/passwords/<user>
mkpasswd -m sha-512 > /persist/passwords/root
nixos-rebuild switch --flake .#<host>

Thanks to these amazing people

Credit and Attribution

I’m totally cool with you borrowing my codeβ€”no need to give me a shout-out. Just make sure to tip your hat to the original authors whose code I’ve borrowed for this project. They deserve the applause!