- Tailnet - Tailscale, WireGuard, ...
- Icons - Icon fonts (gtk/qt) are not dynamic. Try to use base16 colors.
- Qemu - Virtualization with GPU passthrough (Done but not tested)
- Hardened Systemd
- Modularize - Anyrun, qt.nix, ...
- Refactor - Remove dead code, unused files, ...

One profile a day keeps the hacker away

- Chrome - google-chrome, chromium.
```
├── homes        # Common home-manager configuration for all hosts.
├── hosts        # Host-specific configurations.
├── modules      # Contains the common modules used across all hosts.
│   ├── exclusive # Modules that need to be enabled exclusively.
│   ├── roles     # Roles that can be assigned to a host.
│   └── shared    # Modules that are shared across multiple hosts.
├── flake-parts  # flake.parts.
│   ├── default    # Custom packages that are available to all hosts.
│   ├── git-hooks  # Git hooks.
│   ├── lib        # Common functions and variables.
│   ├── npins      # Nix packages that are pinned.
│   ├── shell      # Direnv shell for this project.
│   ├── templates  # Flake templates for different languages.
│   ├── keys       # Public keys for the hosts.
│   ├── live-media # Live media available for build.
│   └── treefmt    # Treefmt configuration.
├── options      # Custom options for the hosts.
├── secrets      # Agenix secrets.
└── themes       # Custom base16 themes.
```
Measures

- Firewall - nftables
- DNS - adguard
- VPN - wireguard
- Secrets - agenix
- Encryption - LUKS
- Sandboxing - firejail
- Security Profiles - apparmor, selinux
- Physical Security - yubikey
- Ban IPs - fail2ban
- Malware scanner - clamav
- Software auditing - lynis, vulnix, auditd
- Hardened Firefox - Schizofox
- Stateless System - Impermanence
- Kernel Hardening
The following hosts are available:

Host | Type |
---|---|
milkyway | Laptop |
triangulum | Server |
andromeda | Desktop |
messier | ISO |
Here are the tools I am using:
Tool | Milkyway/Andromeda | Messier |
---|---|---|
Window Manager | Hyprland | River |
Display Manager | swaylock | swaylock |
Bar | AGS | Waybar |
Launcher | Anyrun, Rofi | Rofi |
GTK Theme | adw-gtk3-dark | adw-gtk3-dark |
Terminal | Foot | Foot |
Notifications | Dunst, AGS | Mako |
> [!NOTE]
> Triangulum is a headless server, so no graphical stuff there.
Element | Color Name | Hex Code |
---|---|---|
Background Color | base00 | #1e1e1e |
Secondary Background Color | base02 | #313244 |
Text Color | base05 | #cdd6f4 |
Secondary Text Color | base00 | #1e1e1e |
Accent Color (Button focused, Border color, Button active) | base0E | #cba6f7 |
Overlay Color (Button hover, Button disabled) | base03 | #45475a |
Scheme | Variants |
---|---|
cappuccino | mocha, frappe |
dracula | - |
gruvbox | light, dark, medium, hard |
henna | - |
helios | - |
horizon | dark |
nord | - |
monokai | - |
selenized | dark, light |
solarized | dark, light |
tomorrow-night | - |
twilight | - |
ubuntu | - |
uwunicorn | - |
windows-95 | - |
doom-one | - |
alph | - |
ashes | - |
atelier | cave, dune, estuary, forest, heath, lakeside, meadow, plateu, savanna, seaside, studio, sulphurpool |
ayu-dark | - |
bespin | - |
caret | - |
darkmoss | - |
ember | - |
emil | - |
eris | - |
eva | - |
everforest | - |
fairy-floss | - |
gigavolt | - |
io | - |
isotope | - |
manegarm | - |
material-vivid | - |
miramare | - |
monokai | - |
oceanic-next | - |
old-hope | - |
outrun-dark | - |
spaceduck | - |
stella | - |
summerfruit-dark | - |
woodland | - |
xcode-dusk | - |
Here is what our disk partitioning will look like:
```
+-----------------------+------------------------+-----------------------+
| Boot partition        | Swap partition         | LUKS encrypted root   |
|                       |                        | partition             |
|                       |                        |                       |
| /boot                 | [SWAP]                 | /                     |
|                       |                        |                       |
|                       |                        | /dev/mapper/crypted   |
|                       |                        |                       |
| /dev/sda1             | /dev/sda2              | /dev/sda3             |
|                       |                        |                       |
| 1GB                   | 8GB                    | Remaining space       |
+-----------------------+------------------------+-----------------------+
```
Option 1 - Partition and mount the drives using disko

```bash
# Change the disk id according to your system
DISK='/dev/disk/by-id/ata-Samsung_SSD_870_EVO_250GB_S6PENL0T902873K'
curl https://raw.githubusercontent.com/sukhmancs/nixos-configs/main/disko/luks-btrfs-subvolumes/default.nix \
  -o /tmp/disko.nix
# Substitute the placeholder in the disko layout with the real disk id
sed -i "s|to-be-filled-during-installation|$DISK|" /tmp/disko.nix
nix --experimental-features "nix-command flakes" run github:nix-community/disko \
  -- --mode disko /tmp/disko.nix
```
Option 2 - Manual Partitioning

Create Partitions

```bash
# Create boot, swap, and root partitions
DISK=/dev/sda
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1GiB
parted "$DISK" -- set 1 boot on
parted "$DISK" -- mkpart Swap linux-swap 1GiB 9GiB
parted "$DISK" -- mkpart primary 9GiB 100%
```

Setup Swap Partition

```bash
# "$DISK"2 expands to /dev/sda2; NVMe disks name partitions /dev/nvme0n1p2 instead
mkswap -L SWAP "$DISK"2
swapon "$DISK"2
```

Btrfs with LUKS (Root Partition)

```bash
cryptsetup --verify-passphrase -v luksFormat "$DISK"3 # /dev/sda3
cryptsetup open "$DISK"3 crypted
mkfs.btrfs -L NIXOS /dev/mapper/crypted
mount -t btrfs /dev/mapper/crypted /mnt
# Set up subvolumes
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/nix
btrfs subvolume create /mnt/persist
btrfs subvolume create /mnt/log
btrfs subvolume create /mnt/snapshots
# Blank snapshot of the root subvolume
btrfs subvolume snapshot -r /mnt/root /mnt/root-blank
# Unmount the root partition
umount /mnt
# Create mount points
mkdir /mnt/home
mkdir /mnt/nix
mkdir /mnt/persist
mkdir -p /mnt/var/log
mkdir /mnt/snapshots
# Mount the subvolumes
mount -o subvol=root,compress=zstd,noatime /dev/mapper/crypted /mnt
mount -o subvol=home,compress=zstd,noatime /dev/mapper/crypted /mnt/home
mount -o subvol=nix,compress=zstd,noatime /dev/mapper/crypted /mnt/nix
mount -o subvol=persist,compress=zstd,noatime /dev/mapper/crypted /mnt/persist
mount -o subvol=log,compress=zstd,noatime /dev/mapper/crypted /mnt/var/log
mount -o subvol=snapshots,compress=zstd,noatime /dev/mapper/crypted /mnt/snapshots
```

Setup Boot Partition

```bash
mkfs.vfat -n BOOT "$DISK"1
mount --mkdir "$DISK"1 /mnt/boot
# Generate the configuration
nixos-generate-config --root /mnt
```
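Before installing, it is worth confirming that what is mounted under /mnt really matches the layout above (right device, right subvolume, compression and noatime on every subvolume, vfat on /boot). The check below is an added example, not part of this repository; it reads one mount per line in the format of `findmnt -rno TARGET,SOURCE,FSTYPE,OPTIONS -R /mnt` and is run here against a constructed sample.

```bash
# check_layout FILE -> 0 when the mounts under /mnt match the layout created
# above: each subvolume from /dev/mapper/crypted (btrfs) with the expected
# subvol=, compress=zstd and noatime options, and /boot a vfat ESP.
EXPECTED='/mnt root
/mnt/home home
/mnt/nix nix
/mnt/persist persist
/mnt/var/log log
/mnt/snapshots snapshots'   # target and subvolume pairs, as mounted above

check_layout() {
  file=$1; fail=0
  while read -r target subvol; do
    # Fields of the matching findmnt line: target source fstype options
    set -- $(awk -v t="$target" '$1 == t' "$file")
    src=${2:-}; fstype=${3:-}; opts=${4:-}
    [ -n "$src" ] || { echo "$target: not mounted"; fail=1; continue; }
    [ "$src|$fstype" = "/dev/mapper/crypted|btrfs" ] ||
      { echo "$target: expected /dev/mapper/crypted (btrfs), got $src ($fstype)"; fail=1; }
    # The kernel reports subvol with a leading slash and zstd with its level (zstd:3)
    for opt in "subvol=/$subvol" compress=zstd noatime; do
      case ",$opts," in
        *",$opt,"* | *",$opt:"*) ;;
        *) echo "$target: missing mount option $opt"; fail=1 ;;
      esac
    done
  done <<EOF
$EXPECTED
EOF
  set -- $(awk '$1 == "/mnt/boot"' "$file")
  [ "${3:-}" = vfat ] || { echo "/mnt/boot: expected the vfat ESP, got ${2:-nothing}"; fail=1; }
  return "$fail"
}

# Constructed sample (not captured from a real machine) showing a correct layout.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
/mnt /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=256,subvol=/root
/mnt/home /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=257,subvol=/home
/mnt/nix /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=258,subvol=/nix
/mnt/persist /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=259,subvol=/persist
/mnt/var/log /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=260,subvol=/log
/mnt/snapshots /dev/mapper/crypted btrfs rw,noatime,compress=zstd:3,subvolid=261,subvol=/snapshots
/mnt/boot /dev/sda1 vfat rw,relatime,fmask=0022,dmask=0022
EOF
check_layout "$SAMPLE" && echo "layout matches"
```

On the installer, feed it real data with `findmnt -rno TARGET,SOURCE,FSTYPE,OPTIONS -R /mnt > mounts.txt; check_layout mounts.txt`; any reported line is a mount to fix before `nixos-install`.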
Run `nixos-install` to install NixOS.
```bash
git clone https://github.com/sukhmancs/nixos-configs/ ~/.config/nixos-configs
cd ~/.config/nixos-configs
```
> [!CAUTION]
> If Impermanence is enabled, we need to add `neededForBoot = true` to some of the mounted subvolumes in `hardware-configuration.nix`. It will look something like this:

```nix
fileSystems."/persist" = {
  device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
  fsType = "btrfs";
  options = ["subvol=persist"];
  neededForBoot = true; # <- add this
};
fileSystems."/var/log" = {
  device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
  fsType = "btrfs";
  options = ["subvol=log"];
  neededForBoot = true; # <- add this
};
fileSystems."/snapshots" = {
  device = "/dev/disk/by-uuid/b79d3c8b-d511-4d66-a5e0-641a75440ada";
  fsType = "btrfs";
  options = ["subvol=snapshots"];
  neededForBoot = true; # <- add this
};
```

Also, ensure that the password files are located on a volume marked with `neededForBoot = true`, otherwise the user will not be able to log in.
```bash
# Create the directory that holds the hashed password files; the files
# themselves are written by mkpasswd below (creating them as directories
# would make the redirections fail).
mkdir -p /persist/passwords
mkpasswd -m sha-512 > /persist/passwords/<user>
mkpasswd -m sha-512 > /persist/passwords/root
```
```bash
nixos-rebuild switch --flake .#<host>
```
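A missing `neededForBoot = true` only shows up as a failed login after the rebuild, so it pays to check the generated file first. The function below is an added example, not part of this repository: it scans a `hardware-configuration.nix` for the flat `fileSystems."<mountpoint>" = { ... };` blocks `nixos-generate-config` writes and reports every requested mount point that lacks the flag; the sample file is constructed.

```bash
# check_needed_for_boot FILE MOUNTPOINT... -> 0 when every listed mount point has a
# fileSystems."<mountpoint>" = { ... }; block in FILE that sets neededForBoot = true.
# It only understands the flat block shape nixos-generate-config writes (as shown
# above); it is a pre-rebuild sanity check, not a Nix parser.
check_needed_for_boot() {
  file=$1; shift
  awk -v want="$*" '
    BEGIN { bad = 0; n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 0 }
    # Opening line of a block: remember which mount point it configures
    /^[ \t]*fileSystems\."[^"]+"[ \t]*=[ \t]*[{]/ {
      match($0, /"[^"]+"/); cur = substr($0, RSTART + 1, RLENGTH - 2); next
    }
    cur != "" && /neededForBoot[ \t]*=[ \t]*true/ { if (cur in need) need[cur] = 1 }
    /^[ \t]*[}];/ { cur = "" }
    END {
      for (m in need) if (!need[m]) { print "missing neededForBoot = true for " m; bad = 1 }
      exit bad
    }' "$file"
}

# Constructed sample in the shape of hardware-configuration.nix (not a real file):
# the /var/log block lacks the flag and /snapshots has no block at all.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
  fileSystems."/persist" = {
    device = "/dev/disk/by-uuid/PLACEHOLDER-UUID";
    fsType = "btrfs";
    options = [ "subvol=persist" ];
    neededForBoot = true;
  };

  fileSystems."/var/log" = {
    device = "/dev/disk/by-uuid/PLACEHOLDER-UUID";
    fsType = "btrfs";
    options = [ "subvol=log" ];
  };
EOF
check_needed_for_boot "$SAMPLE" /persist /var/log /snapshots ||
  echo "fix hardware-configuration.nix before running nixos-rebuild"
```

Run it as `check_needed_for_boot /etc/nixos/hardware-configuration.nix /persist /var/log /snapshots` (plus whatever volume holds the password files) before the `nixos-rebuild switch` above.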
- MatthiasBenaets
- raf
- end-4
- aylur
- will add more
I’m totally cool with you borrowing my code — no need to give me a shout-out. Just make sure to tip your hat to the original authors whose code I’ve borrowed for this project. They deserve the applause!