diff --git a/configuration.nix b/configuration.nix
index 8741fab..412e98b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,12 +14,11 @@
./modules/packages.nix
./modules/hardware.nix
./modules/services.nix
- ./modules/security.nix
./modules/aliases.nix
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
- xdg.portal.config.common.default = [ "gnome" ];
+ # xdg.portal.config.common.default = [ "gnome" ];
system.stateVersion = "25.11";
}
diff --git a/modules/desktop.nix b/modules/desktop.nix
index e60c88d..d8efe17 100644
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -1,8 +1,11 @@
{ config, pkgs, ... }:
{
- services.displayManager.gdm.enable = true;
- services.desktopManager.gnome.enable = true;
+ # Enable the COSMIC login manager
+ services.displayManager.cosmic-greeter.enable = true;
+
+ # Enable the COSMIC desktop environment
+ services.desktopManager.cosmic.enable = true;
services.printing.enable = true;
}
diff --git a/modules/networking.nix b/modules/networking.nix
index 45dac04..3187843 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
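Review bot: Dropping `./modules/security.nix` from the imports list removes every hardening setting that file carried — `security.sudo.execWheelOnly`, `nix.settings.allowed-users = [ "@wheel" ]`, AppArmor, fail2ban, the core-dump limit, the kernel parameters and sysctls, and `system.autoUpgrade` — and nothing elsewhere in the commit reinstates any of it. If the desktop switch only needed the GNOME portal default gone, keeping the import and deleting the one conflicting option would preserve the rest; at minimum `security.sudo.execWheelOnly = true;` and `services.fail2ban.enable = true;` are cheap to carry here or in a retained module, and the reason for dropping the hardening should be recorded. The `xdg.portal.config.common.default` line below is commented out rather than deleted, which leaves dead configuration for the next reader to wonder about. The imports list this hunk edits opens outside the hunk.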
@@ -13,35 +13,16 @@ in
networking.firewall = {
enable = true;
-
+ # Allowed ports
- allowedTCPPorts = [
+ allowedTCPPorts = [ # Sunshine
- 47984 47989 48010
+ 47984 47989 48010
];
- allowedUDPPorts = [
+ allowedUDPPorts = [ # Sunshine
- 47998 47999 48000 48010
+ 47998 47999 48000 48010
];
-
- # Firewall
- logReversePathDrops = true;
- logRefusedConnections = true;
-
- # Connection tracking
- connectionTrackingModules = [];
- autoLoadConntrackHelpers = false;
-
- extraCommands = ''
- iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
- '';
- extraStopCommands = ''
- iptables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
- iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 2>/dev/null || true
- iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
- '';
};
networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
diff --git a/modules/packages.nix b/modules/packages.nix
index fd358a6..972e386 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -27,6 +27,7 @@
# Browsers and comms
discord
signal-desktop
+ librewolf
# Development tools
git
@@ -40,6 +41,7 @@
openssh
nodePackages."pnpm"
openssl
+ killall
ffmpeg
zed-editor
usbutils
@@ -61,9 +63,6 @@
streamcontroller
easyeffects
onlyoffice-desktopeditors
-
- # GNOME extensions
- gnomeExtensions.appindicator
];
# Programs with extra configuration
@@ -74,6 +73,8 @@
localNetworkGameTransfers.openFirewall = true;
};
- programs.thunderbird.enable = true;
+ programs.java.enable = true;
+ programs.steam.extraPackages = [ pkgs.jdk ];
+ programs.obs-studio.enable = true;
}
diff --git a/modules/security.nix b/modules/security.nix
deleted file mode 100644
index cd5f8be..0000000
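Review bot: The removed `extraCommands` block was the only rate limit on new connections to port 22, and with `services.fail2ban` gone in the deleted modules/security.nix the rebuilt firewall block leaves SSH with no brute-force protection at all; port 22 is not in `allowedTCPPorts` here, so whether sshd is reachable depends on `services.openssh.openFirewall` being set elsewhere, which is not visible. If it is, `services.openssh.settings.PasswordAuthentication = false;` plus re-enabling fail2ban would restore the protection at lower complexity than the iptables rules. `logReversePathDrops = true;` is also dropped, which silently reverts to the NixOS default of not logging rp_filter drops, whereas `logRefusedConnections`, `connectionTrackingModules = []` and `autoLoadConntrackHelpers = false` only restated defaults and are safe to lose. If the iptables-based hooks were removed because the host moved to the nftables backend, `networking.firewall.extraInputRules` is the place for an equivalent rule.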
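Review bot: `programs.java.enable = true;` and `programs.steam.extraPackages = [ pkgs.jdk ];` in the last hunk both bring in `pkgs.jdk` without saying why each is needed; the first puts the JDK on every user's PATH and exports JAVA_HOME host-wide, while the second only affects Steam's FHS environment. If the JDK is only for games launched through Steam, the system-wide option is the broader exposure of the two and could be dropped; otherwise a comment such as `# JDK for Steam titles; programs.java also exposes it on the host PATH` would record the intent. `killall` in the second hunk is added under the "Development tools" heading, where a process-management utility is easy to miss; it probably belongs with the system utilities. The attribute set these hunks edit opens outside the hunk and closes with the final `}` shown.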
--- a/modules/security.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- security.sudo = {
- execWheelOnly = true;
- extraConfig = ''
- # Reduce sudo timeout to 5 minutes
- Defaults timestamp_timeout=5
- # Require password for sudo even in same terminal session after timeout
- Defaults timestamp_type=global
- # Show asterisks when typing password
- Defaults pwfeedback
- '';
- };
-
- nix.settings.allowed-users = [ "@wheel" ];
-
- security.apparmor = {
- enable = true;
- };
-
- services.fail2ban = {
- enable = true;
- maxretry = 5;
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h"; # 1 week max ban
- factor = "4";
- };
- };
-
- security.pam.loginLimits = [
- { domain = "*"; type = "hard"; item = "core"; value = "0"; }
- ];
-
- boot.kernelParams = [
- "slab_nomerge"
- "init_on_alloc=1"
- "init_on_free=1"
- "page_alloc.shuffle=1"
- "randomize_kstack_offset=on"
- "vsyscall=none"
- "mitigations=auto"
- ];
-
- boot.kernel.sysctl = {
- "kernel.dmesg_restrict" = 1;
- "kernel.kptr_restrict" = 2;
- "kernel.perf_event_paranoid" = 3;
- "kernel.yama.ptrace_scope" = 1;
- "kernel.sysrq" = 0;
- "kernel.randomize_va_space" = 2;
- "kernel.kexec_load_disabled" = 1;
-
- "net.ipv4.conf.all.log_martians" = 1;
- "net.ipv4.conf.default.log_martians" = 1;
- "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv4.conf.default.accept_source_route" = 0;
- "net.ipv4.conf.all.rp_filter" = 1;
- "net.ipv4.conf.default.rp_filter" = 1;
- "net.ipv4.tcp_syncookies" = 1;
- "net.ipv4.tcp_rfc1337" = 1;
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.default.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_ra" = 0;
- "net.ipv6.conf.default.accept_ra" = 0;
-
- "net.core.rmem_max" = 16777216;
- "net.core.wmem_max" = 16777216;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.core.default_qdisc" = "fq";
-
- "vm.swappiness" = 10;
- "vm.vfs_cache_pressure" = 50;
- "vm.dirty_ratio" = 10;
- "vm.dirty_background_ratio" = 5;
-
- "fs.protected_hardlinks" = 1;
- "fs.protected_symlinks" = 1;
- "fs.protected_fifos" = 2;
- "fs.protected_regular" = 2;
- "fs.suid_dumpable" = 0;
- };
-
- system.autoUpgrade = {
- enable = true;
- allowReboot = false;
- dates = "04:00";
- };
-}
diff --git a/modules/services.nix b/modules/services.nix
index 07257cf..4c4c3b7 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -58,5 +58,5 @@
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
- services.gnome.gnome-remote-desktop.enable = true;
+ services.system76-scheduler.enable = true;
}
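Review bot: `services.system76-scheduler.enable = true;` in the services.nix hunk is written as a one-for-one replacement of the `gnome-remote-desktop` line, but the two are unrelated, so the hunk reads as a swap when it is really a removal plus a new service; a short comment such as `# Process-priority tuning used with the COSMIC desktop` above the new line would make the intent readable without the diff. Removing the GNOME RDP service is consistent with the desktop switch, but the Sunshine TCP/UDP ports kept open in modules/networking.nix mean remote access now rests entirely on Sunshine — worth confirming that service is still enabled somewhere, since otherwise those ports are open for nothing. The module's attribute set opens outside the hunk and closes with the `}` shown.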