diff --git a/README.md b/README.md
index 5b48597..ffd0bdb 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,146 @@ -# Felix's NixOS Config +# Felix's NixOS Configuration -## +A modular, flake-based NixOS configuration supporting multiple hosts with shared and host-specific configurations. -Note: `hardware-configuration.nix` is hardware-specific. Generate your own with: `sudo nixos-generate-config` +## 🏗️ Structure Overview + +``` +nixos/ +├── flake.nix # Main flake definition with inputs and outputs +├── hosts/ # Host-specific configurations +│ ├── wildfire/ # Desktop workstation (AMD GPU) +│ └── hurricane/ # Laptop/secondary system +├── modules/ # Shared configuration modules +│ ├── common.nix # Base system configuration +│ ├── programs.nix # System-wide packages and programs +│ ├── home/ # Home Manager configurations +│ └── desktops/ # Desktop environment configurations +└── rebuild-nix-system.sh # Helper script for system rebuilds +``` + +## 🖥️ Hosts + +### Wildfire (Desktop Workstation) + +- **GPU**: AMD with `lact` daemon for GPU control +- **Features**: Gaming setup with Steam, DaVinci Resolve, Ardour +- **Special**: LUKS encryption, dedicated GPU configuration + +### Hurricane (Laptop/Secondary) + +- **Type**: Portable system +- **Features**: Basic desktop setup with power management +- **Special**: Touchpad support, power profiles + +Both hosts use: + +- **Desktop**: Hyprland (Wayland compositor) +- **Display Manager**: regreet (lightweight Wayland greeter) +- **Audio**: PipeWire with ALSA and PulseAudio compatibility +- **Security**: Firejail sandboxing for browsers, Yubikey support + +## 🧩 Modules + +### `modules/common.nix` + +Base system configuration shared across all hosts: + +- **User Management**: Main user `schulze` with shell and groups +- **Boot**: systemd-boot with latest kernel +- **Networking**: NetworkManager with firewall +- **Localization**: Swedish locale with English UI +- **Security**: Core dump disabled, firewall enabled, ClamAV antivirus +- **Home Manager**: Integration and user-specific imports +- **System**: Auto-upgrades, 
fonts, and core settings + +### `modules/programs.nix` + +System-wide packages and program configurations: + +- **Development**: VS Code (Cursor), Git, Python, Node.js, etc. +- **CLI Tools**: Modern alternatives (zoxide, starship, fish) +- **Security**: GPG, OpenSSL, Yubikey tools +- **Applications**: Firefox, Thunderbird, LibreOffice, media tools +- **Virtualization**: Docker, libvirt/QEMU with virt-manager + +### `modules/desktops/hyprland-desktop.nix` + +Hyprland desktop environment setup: + +- **Compositor**: Hyprland with UWSM session management +- **Portal**: XDG desktop portal for Wayland +- **Workflow**: Waybar, Rofi, Mako notifications +- **Theming**: Gruvbox theme with consistent fonts +- **Tools**: Screenshot tools, clipboard manager, file manager + +### `modules/home/` + +Home Manager configurations: + +- **`hyprland.nix`**: User-specific Hyprland configuration +- **`home-manager.nix`**: Base Home Manager settings + +## 🚀 Usage + +### Building and Switching + +```bash +# Build and switch to new configuration +sudo nixos-rebuild switch --flake .#hostname + +# Or use the helper script +./rebuild-nix-system.sh +``` + +### Updating the System + +```bash +# Update flake inputs +nix flake update + +# Update and rebuild +./update-nix-system.sh +``` + +## 🔒 Security Features + +- **Sandboxing**: Browsers run in Firejail containers +- **Firewall**: Enabled by default, minimal open ports +- **Antivirus**: ClamAV with automatic signature updates +- **Authentication**: Yubikey U2F support +- **Encryption**: LUKS disk encryption (wildfire) +- **Updates**: Automatic security updates at 02:00 + +## 🎨 Theming and UI + +- **Theme**: Gruvbox Dark +- **Icons**: Flat-Remix-Red-Dark +- **Fonts**: Intel One Mono, Noto Sans +- **Terminal**: Ghostty with Fish shell +- **Launcher**: Rofi (Wayland) +- **Notifications**: Mako + +## 📦 Package Management + +### System Packages + +- Defined in `modules/programs.nix` +- Available system-wide for all users + +### Host-Specific 
Packages + +- Added in individual host `configuration.nix` files +- Only installed on that specific host + +### User Packages + +- Managed through Home Manager +- Per-user configurations in `modules/home/` + +## 🔄 Development Workflow + +### Code Style + +- Use `alejandra` for Nix code formatting +- Comment complex configurations +- Group related settings together diff --git a/modules/common.nix b/modules/common.nix index b68eb45..5418295 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -1,25 +1,37 @@ +# Common system configuration shared across all hosts +# This module contains the base settings that every system should have { pkgs, inputs, ... }: { imports = [ + # Import Home Manager as a NixOS module for user-specific configurations inputs.home-manager.nixosModules.home-manager ]; - # Home Manager configuration + # ================================ + # HOME MANAGER INTEGRATION + # ================================ + # Configure Home Manager to manage user-specific dotfiles and applications home-manager = { + # Create backup files when Home Manager would overwrite existing files backupFileExtension = "backupHM"; + # Use system packages instead of separate user packages (saves space) useGlobalPkgs = true; useUserPackages = true; + # User-specific Home Manager configurations users.schulze.imports = [ - ./home/hyprland.nix - ./home/home-manager.nix + ./home/hyprland.nix # Hyprland window manager user config + ./home/home-manager.nix # Base user environment ]; }; - # Define the main user account + # ================================ + # USER MANAGEMENT + # ================================ users = { + # Define the main user account users.schulze = { isNormalUser = true; description = "Felix Schulze"; 
@@ -29,33 +41,47 @@ groups.libvirtd.members = ["schulze"]; }; - # Bootloader. + # ================================ + # BOOT CONFIGURATION + # ================================ boot = { + # Use systemd-boot (modern UEFI bootloader) loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; + # Always use the latest kernel for best hardware support kernelPackages = pkgs.linuxPackages_latest; }; + # ================================ + # NETWORKING + # ================================ networking = { - # Enable networking + # Enable NetworkManager for easy network configuration networkmanager.enable = true; - # Network security - # enable firewall and block all ports + # Security: Enable firewall and block all ports by default + # Host-specific ports are opened in individual host configurations firewall.enable = true; }; - # disable coredump that could be exploited later - # and also slow down the system when something crash + # ================================ + # SECURITY HARDENING + # ================================ + # Disable core dumps to prevent potential security exploits + # and improve system performance during crashes systemd.coredump.enable = false; - # Set your time zone. + # ================================ + # LOCALIZATION + # ================================ + # Set timezone to Swedish time time.timeZone = "Europe/Stockholm"; - # Select internationalisation properties. + # Internationalization: English UI with Swedish regional settings i18n = { - defaultLocale = "en_GB.UTF-8"; + defaultLocale = "en_GB.UTF-8"; # British English for UI extraLocaleSettings = { + # Swedish locale for regional formats (dates, currency, etc.) LC_ADDRESS = "sv_SE.UTF-8"; LC_IDENTIFICATION = "sv_SE.UTF-8"; LC_MEASUREMENT = "sv_SE.UTF-8"; 
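Review bot: The comment added above `useGlobalPkgs = true;` ("Use system packages instead of separate user packages (saves space)") describes neither option it sits on: `useGlobalPkgs` makes Home Manager reuse the system's nixpkgs instance, so the `nixpkgs.config.allowUnfree` set later in this module also applies to user configuration, and `useUserPackages` installs user packages into the per-user system profile instead of `~/.nix-profile`. Suggest `# Reuse the system nixpkgs instance (config, overlays) for Home Manager` above `useGlobalPkgs` and `# Install user packages via the per-user system profile rather than ~/.nix-profile` above `useUserPackages`. The comment on `backupFileExtension = "backupHM"` could add that the renamed files stay in the home directory; as far as I know nothing removes them afterwards. The `users` attribute set continues past the end of the hunk.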
@@ -68,79 +94,99 @@ }; }; - # Configure console keymap + # Configure console to use Swedish keyboard layout console.keyMap = "sv-latin1"; + # ================================ + # SYSTEM SERVICES + # ================================ services = { - # Enable CUPS to print documents. + # Disable CUPS printing (enable per-host if needed) printing.enable = false; - # Enable sound with pipewire. - pulseaudio.enable = false; + # Modern audio stack: PipeWire replaces PulseAudio + pulseaudio.enable = false; # Disable old PulseAudio pipewire = { enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; + alsa.enable = true; # ALSA compatibility + alsa.support32Bit = true; # 32-bit app support + pulse.enable = true; # PulseAudio compatibility + wireplumber.enable = true; # Session manager }; - # enable antivirus clamav and keep the signatures' database updated + # Antivirus protection with automatic updates clamav = { - daemon.enable = true; - updater.enable = true; + daemon.enable = true; # Background virus scanning + updater.enable = true; # Automatic signature updates }; }; - # Realtime scheduling priority for audio + # ================================ + # SECURITY & PERMISSIONS + # ================================ + # Enable real-time scheduling for audio applications (low-latency audio) security.rtkit.enable = true; - # Polkit agent (authentication dialogs) + # Enable Polkit for GUI authentication dialogs (password prompts) security.polkit.enable = true; - # Allow unfree packages + # ================================ + # NIX CONFIGURATION + # ================================ + # Allow installation of proprietary/unfree software nixpkgs.config.allowUnfree = true; - # Enable Flakes + # Enable modern Nix features (flakes and new CLI) nix.settings.experimental-features = ["nix-command" "flakes"]; - # Automatic system upgrades + # ================================ + # AUTOMATIC MAINTENANCE + # 
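Review bot: The rationale written on `systemd.coredump.enable = false;` ("prevent potential security exploits") is the wrong one: the risk with core dumps is that a crashed process's memory, which may hold passwords, keys or session tokens, is written to disk where it can be read later, not that the dump itself gets exploited. Suggest `# Disable core dumps: a dump copies process memory (possibly secrets) to disk`. The new comment on `firewall.enable = true;` states that host-specific ports are opened in the individual host configurations, which nothing in this diff shows; either hedge it or name the files that do so. The `i18n.extraLocaleSettings` set continues past the end of the hunk.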
================================ + # Configure automatic system updates for security system.autoUpgrade = { enable = true; - flake = inputs.self.outPath; + flake = inputs.self.outPath; # Use this flake for updates flags = [ "--update-input" - "nixpkgs" - "-L" # print build logs + "nixpkgs" # Update nixpkgs input + "-L" # Print build logs for transparency ]; - dates = "02:00"; - randomizedDelaySec = "45min"; + dates = "02:00"; # Run at 2 AM + randomizedDelaySec = "45min"; # Random delay to avoid server load }; - # Fonts + # ================================ + # FONTS + # ================================ + # System-wide fonts for consistent typography fonts.packages = with pkgs; [ - intel-one-mono - noto-fonts - noto-fonts-emoji + intel-one-mono # Monospace font for coding + noto-fonts # Comprehensive Unicode support + noto-fonts-emoji # Emoji support ]; - # This improves touchscreen support and enables additional touchpad gestures. It also enables smooth scrolling as opposed to the stepped scrolling that Firefox has by default + # ================================ + # BROWSER OPTIMIZATIONS + # ================================ + # Improve touchscreen and scrolling support in Firefox environment.sessionVariables = { MOZ_USE_XINPUT2 = "1"; }; - # create system-wide executables firefox and chromium - # that will wrap the real binaries so everything work out of the box. 
- # enable firejail + # ================================ + # SANDBOXED APPLICATIONS + # ================================ + # Enable Firejail for application sandboxing (security) programs.firejail = { enable = true; + # Create sandboxed wrappers for browsers wrappedBinaries = { firefox = { executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox"; profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; extraArgs = [ - # Required for U2F USB stick + # Required for U2F USB security keys "--ignore=private-dev" - # Enable system notifications + # Enable desktop notifications "--dbus-user.talk=org.freedesktop.Notifications" ]; }; @@ -150,7 +196,12 @@ }; }; }; - # Yubikey Settings + + # ================================ + # HARDWARE SECURITY (YUBIKEY) + # ================================ + # Enable Yubikey support for SSH and GPG services.yubikey-agent.enable = true; + # Enable U2F authentication for login security.pam.u2f.enable = true; } diff --git a/modules/desktops/hyprland-desktop.nix b/modules/desktops/hyprland-desktop.nix index 62378d6..c99f8b8 100644 --- a/modules/desktops/hyprland-desktop.nix +++ b/modules/desktops/hyprland-desktop.nix 
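Review bot: The comment on `"--ignore=private-dev"` should say what is traded away: it drops the `private-dev` line from `firefox.profile`, so the sandboxed browser sees the host's entire `/dev`, not only the hidraw nodes a U2F key needs. Suggest `# Required for U2F keys; note this exposes the whole host /dev to the sandbox, not only hidraw`. Two other new comments in this hunk overstate their option: `daemon.enable = true; # Background virus scanning` only starts clamd, which scans when a client such as clamdscan or an on-access scanner asks it to, and `# Configure automatic system updates for security` on `system.autoUpgrade` follows the whole nixpkgs input, and as far as I can tell, because the flake is read from `inputs.self.outPath` in the store, the refreshed lock is not written back to the repository, so the deployed system can drift from the committed flake.lock. The `programs.firejail.wrappedBinaries` set continues past the end of the hunk.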
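Review bot: `services.yubikey-agent.enable = true;` is commented as "Enable Yubikey support for SSH and GPG", but yubikey-agent is an SSH agent backed by the key's PIV applet and provides no GPG functionality; suggest `# yubikey-agent: SSH agent backed by the YubiKey PIV applet (SSH only)`. The comment on `security.pam.u2f.enable = true;` leaves open whether the key is a second factor or a password replacement; that is decided by `security.pam.u2f.control` (`required` for a second factor, `sufficient` to log in with the key alone), which is not set here, so the module default applies. The intended mode is worth stating in the comment and, if a second factor is meant, setting explicitly.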
@@ -1,35 +1,55 @@ +# Hyprland Desktop Environment Configuration +# Complete setup for Hyprland Wayland compositor with modern desktop tools { inputs, pkgs, ... }: { + # ================================ + # DISPLAY SERVER CONFIGURATION + # ================================ services = { + # X11 server configuration (for compatibility) xserver = { enable = true; - displayManager.gdm.enable = false; + displayManager.gdm.enable = false; # Disable GDM in favor of regreet }; - # Greetd is lightweight and Wayland-native + + # Lightweight Wayland-native display manager greetd.enable = true; - upower.enable = true; - power-profiles-daemon.enable = true; + # Power management services for laptops and desktops + upower.enable = true; # Battery and power device monitoring + power-profiles-daemon.enable = true; # CPU frequency scaling }; + # ================================ + # HYPRLAND BINARY CACHE + # ================================ + # Configure Cachix for faster Hyprland installations nix.settings = { substituters = ["https://hyprland.cachix.org"]; trusted-substituters = ["https://hyprland.cachix.org"]; trusted-public-keys = ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="]; }; + # ================================ + # HYPRLAND & SESSION MANAGEMENT + # ================================ programs = { + # Main Hyprland configuration hyprland = { enable = true; - withUWSM = true; - # Only enable the flake packages after Cachix has already been enabled + withUWSM = true; # Enable Universal Wayland Session Manager + # Use cutting-edge Hyprland from flake input (latest features) package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland; portalPackage = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland; }; + + # regreet: Modern, customizable greeter for greetd regreet.enable = true; + + # UWSM: Universal Wayland Session Manager uwsm = { enable = true; waylandCompositors.hyprland = { 
@@ -38,62 +58,96 @@ binPath = "/run/current-system/sw/bin/Hyprland"; }; }; + + # ================================ + # GTK THEMING CONFIGURATION + # ================================ + # dconf: Configure GTK applications and GNOME settings dconf = { enable = true; profiles.user.databases = [ { settings."org/gnome/desktop/interface" = { - gtk-theme = "Gruvbox-Dark-B"; - icon-theme = "Flat-Remix-Red-Dark"; - font-name = "Noto Sans Medium 11"; - document-font-name = "Noto Sans Medium 11"; - monospace-font-name = "Intel One Mono Medium 11"; + gtk-theme = "Gruvbox-Dark-B"; # Dark theme for GTK apps + icon-theme = "Flat-Remix-Red-Dark"; # Icon theme + font-name = "Noto Sans Medium 11"; # UI font + document-font-name = "Noto Sans Medium 11"; # Document font + monospace-font-name = "Intel One Mono Medium 11"; # Terminal/code font }; } ]; }; }; + # ================================ + # XDG & DESKTOP INTEGRATION + # ================================ xdg = { + # Set default applications for file types mime.defaultApplications = { "default-web-browser" = ["firefox.desktop"]; }; + + # XDG Desktop Portal for Wayland integration portal = { enable = true; - xdgOpenUsePortal = true; + xdgOpenUsePortal = true; # Use portal for opening files/URLs }; }; + # ================================ + # ENVIRONMENT VARIABLES + # ================================ environment.sessionVariables = { + # Set Firefox as default browser BROWSER = "${pkgs.lib.getBin pkgs.firefox}"; + # Enable Wayland support for Electron apps (VS Code, Discord, etc.) 
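Review bot: The comment replaced on `package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;` drops the one operational fact the removed line carried: the flake package only avoids a local Hyprland build when the `nix.settings` cache block above is already active on the system, so a first rebuild on a fresh host compiles it. Suggest `# Hyprland from the flake input; needs the hyprland.cachix.org substituter above to be active already, otherwise this builds locally`. The "HYPRLAND BINARY CACHE" header could also state what `trusted-public-keys` implies: any store path signed by that key is accepted as-is, so the cache operator is trusted for the compositor that runs the whole session. The `programs.uwsm.waylandCompositors.hyprland` set continues past the end of the hunk.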
NIXOS_OZONE_WL = "1"; }; + # ================================ + # HYPRLAND DESKTOP PACKAGES + # ================================ + # Essential tools for a functional Hyprland desktop environment.systemPackages = with pkgs; [ - # Core Hyprland workflow tools - waybar # Panel - rofi-wayland # Launcher + # ---- CORE HYPRLAND WORKFLOW ---- + waybar # Status bar/panel + rofi-wayland # Application launcher and dmenu replacement mako # Notification daemon hyprpaper # Wallpaper daemon - hyprlock # Lock screen - wl-clipboard # Clipboard utils - cliphist # Clipboard manager - pavucontrol # GUI audio mixer - blueman # Bluetooth tray - networkmanagerapplet # System tray for network - brightnessctl # Brightness (for laptops) - wlsunset # Night light/gamma adjustment - grim - slurp - swappy - wf-recorder # Screenshots & screenrecording - libsForQt5.qt5ct # For QT application appearance - nautilus # File manager + hyprlock # Screen lock utility + + # ---- CLIPBOARD & INPUT ---- + wl-clipboard # Clipboard utilities for Wayland + cliphist # Clipboard history manager + + # ---- SYSTEM CONTROL ---- + pavucontrol # GUI audio mixer and control + blueman # Bluetooth manager with system tray + networkmanagerapplet # Network management system tray + brightnessctl # Screen brightness control (laptops) + wlsunset # Blue light filter/night mode + + # ---- SCREENSHOT & RECORDING ---- + grim # Screenshot tool for Wayland + slurp # Screen area selection for screenshots + swappy # Screenshot editing and annotation + wf-recorder # Screen recording for Wayland + + # ---- APPLICATION INTEGRATION ---- + libsForQt5.qt5ct # Qt5 application theming control + nautilus # GNOME file manager (GTK) ]; + # ================================ + # FILE MANAGER INTEGRATION + # ================================ + # Configure Nautilus to work seamlessly with the desktop programs.nautilus-open-any-terminal = { enable = true; - terminal = "ghostty"; + terminal = "ghostty"; # Use Ghostty as default terminal in file 
manager }; + + # Enable GNOME Sushi for file preview in Nautilus services.gnome.sushi.enable = true; }
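Review bot: `BROWSER = "${pkgs.lib.getBin pkgs.firefox}";` under `environment.sessionVariables` expands to the store directory of the firefox package, not an executable, and even with `/bin/firefox` appended it would name the unwrapped binary, bypassing the Firejail wrapper that `modules/common.nix` creates for `firefox`. The new comment "Set Firefox as default browser" documents over this without noticing it; suggest `BROWSER = "firefox";` so the name resolves through PATH to the wrapper, and say so in the comment. Whether `"default-web-browser" = ["firefox.desktop"]` launches the wrapped or the unwrapped binary depends on which desktop file ends up in the profile, which this diff does not show. The `programs.dconf` block at the top of the hunk begins outside it.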