init

README.md

@@ -0,0 +1,320 @@
+# NixOS Configuration
+
+Personal NixOS configuration with Hyprland, containerized services, and security hardening.
+
+> **Note:** Parts of this configuration were created with the assistance of AI tools.
+
+## Quick Start
+
+```bash
+# Apply configuration
+doas nixos-rebuild switch --flake ~/nixos#nixos
+
+# Update flake inputs
+nix flake update
+
+# Test configuration without applying
+doas nixos-rebuild dry-run --flake ~/nixos#nixos
+```
+
+## Using These Modules
+
+Others can import individual modules from this flake:
+
+```nix
+{
+  inputs.ashie-nixos.url = "github:ashisgreat22/nixos";
+
+  outputs = { nixpkgs, ashie-nixos, ... }: {
+    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
+      modules = [
+        ashie-nixos.nixosModules.security
+        ashie-nixos.nixosModules.kernelHardening
+        {
+          myModules.security.enable = true;
+          myModules.kernelHardening.enable = true;
+        }
+      ];
+    };
+  };
+}
+```
+
+### Available Modules
+
+| Module                                  | Description                    |
+| --------------------------------------- | ------------------------------ |
+| `nixosModules.security`                 | doas, audit logging, AppArmor  |
+| `nixosModules.kernelHardening`          | Boot params, sysctl, ZRAM      |
+| `nixosModules.dnsOverTls`               | DNSSEC + DNS-over-TLS          |
+| `nixosModules.cloudflareFirewall`       | nftables Cloudflare-only rules |
+| `nixosModules.caddyCloudflare`          | Caddy with DNS-01 ACME         |
+| `nixosModules.podman`                   | Podman container runtime       |
+| `nixosModules.browserVpn`               | VPN-isolated browsers          |
+| `homeManagerModules.hyprlandCatppuccin` | Themed Hyprland config         |
+| `homeManagerModules.gluetunUser`        | Rootless VPN container         |
+| `homeManagerModules.qbittorrentVpn`     | qBittorrent through VPN        |
+
+## Structure
+
+```
+~/nixos/
+├── configuration.nix      # Main config (enables modules via myModules.*)
+├── flake.nix              # Flake inputs, outputs, and module exports
+├── hardware-configuration.nix
+├── home.nix               # Home Manager entry point
+├── modules/               # Reusable NixOS modules
+│   ├── default.nix        # Imports all system modules
+│   ├── system/            # System-level modules
+│   │   ├── security.nix          # doas, audit, AppArmor
+│   │   ├── kernel-hardening.nix  # Boot params, sysctl, ZRAM
+│   │   ├── dns-over-tls.nix      # DNSSEC + DoT
+│   │   ├── cloudflare-firewall.nix  # nftables rules
+│   │   ├── caddy-cloudflare.nix  # Caddy + DNS-01
+│   │   ├── podman.nix            # Container runtime
+│   │   └── browser-vpn.nix       # VPN-isolated browsers
+│   └── home/              # Home Manager modules
+│       ├── hyprland-catppuccin.nix
+│       ├── gluetun-user.nix
+│       ├── qbittorrent-vpn.nix
+│       └── browser-container-update.nix
+├── system/                # Host-specific system config
+│   ├── boot.nix           # Bootloader
+│   ├── hardware.nix       # GPU, USBGuard, fonts
+│   ├── networking.nix     # Hostname, ddclient
+│   ├── packages.nix       # System packages
+│   ├── services.nix       # Steam, Caddy vhosts
+│   └── secrets.nix        # SOPS secrets
+├── home/                  # Host-specific Home Manager config
+│   ├── fastfetch.nix, kitty.nix, steam.nix, vscode.nix
+├── containers/            # Container Dockerfiles
+│   ├── firefox-wayland/   # Isolated Firefox
+│   ├── thorium-wayland/   # Isolated Thorium
+│   └── tor-browser-wayland/
+├── unified_router/        # API routing service
+├── codex2api/             # Codex API proxy
+├── antigravity-src/       # Antigravity2API source
+└── secrets/               # SOPS-encrypted secrets
+```
+
+## Integrated Services
+
+### API Ecosystem
+
+A microservices architecture for managing LLM interactions:
+
+- **Unified Router** (`unified_router/`)
+- **Codex2API** (`codex2api/`)
+- **Antigravity2API** (`antigravity-src/`)
+- **Data Generator** (`scripts/data_generator/`): Tool for generating synthetic training data.
+
+### Web Services (via Caddy)
+
+| Service         | URL                   | Port        |
+| --------------- | --------------------- | ----------- |
+| Open WebUI      | `chat.ashisgreat.xyz` | 3000 → 8080 |
+| Unified Router  | `api.ashisgreat.xyz`  | 6767        |
+| Antigravity2API | (Internal)            | 8045        |
+
+### Containers
+
+```bash
+# View running containers
+podman ps
+
+# View container logs
+podman logs open-webui
+podman logs antigravity2api
+```
+
+## Isolated Browsers (VPN)
+
+Browsers running in containers routed through WireGuard VPN.
+
+### Firefox
+
+```bash
+# Launch isolated Firefox
+firefox-vpn-podman
+
+# Or use commands directly
+firefox-vpn-podman run      # Start Firefox
+firefox-vpn-podman stop     # Stop containers
+firefox-vpn-podman status   # Check status
+firefox-vpn-podman build    # Rebuild container image
+```
+
+### Tor Browser
+
+```bash
+# Launch isolated Tor Browser
+tor-browser-vpn-podman
+
+# Or use commands directly
+tor-browser-vpn-podman run      # Start Tor Browser
+tor-browser-vpn-podman stop     # Stop containers
+tor-browser-vpn-podman status   # Check status
+tor-browser-vpn-podman build    # Rebuild container image
+```
+
+> **Note:** Traffic flows through both the VPN and Tor network for double isolation.
+
+### Thorium Browser
+
+```bash
+# Launch isolated Thorium Browser
+thorium-vpn-podman
+
+# Or use commands directly
+thorium-vpn-podman run      # Start Thorium
+thorium-vpn-podman stop     # Stop containers
+thorium-vpn-podman status   # Check status
+thorium-vpn-podman build    # Rebuild container image
+```
+
+### Auto-Updates
+
+Browser containers are automatically rebuilt weekly via systemd timer.
+
+```bash
+# Check timer status
+systemctl --user status browser-containers-update.timer
+
+# Manually trigger update
+systemctl --user start browser-containers-update
+
+# View update logs
+journalctl --user -u browser-containers-update -n 50
+```
+
+## qBittorrent (VPN)
+
+User service running through gluetun VPN container.
+
+```bash
+# Start/stop
+systemctl --user start qbittorrent
+systemctl --user stop qbittorrent
+
+# View status
+systemctl --user status gluetun
+systemctl --user status qbittorrent
+
+# Access WebUI (through VPN container)
+# http://127.0.0.1:8080
+```
+
+## Secrets Management (SOPS)
+
+Secrets are encrypted with AGE and decrypted at activation time.
+
+```bash
+# Edit secrets
+sops secrets/secrets.yaml
+
+# Add new secret to secrets.nix, then re-encrypt
+sops updatekeys secrets/secrets.yaml
+```
+
+## Security Features & Hardening
+
+### Kernel Hardening
+
+**Boot Parameters** (runtime protection):
+
+- `slab_nomerge` - Prevents slab cache merging
+- `init_on_alloc/free=1` - Zeros memory (use-after-free mitigation)
+- `page_alloc.shuffle=1` - Randomizes page allocator
+- `randomize_kstack_offset=on` - Randomizes kernel stack
+- `vsyscall=none` - Disables legacy vsyscall
+- `debugfs=off` - Disables kernel debug interface
+- `oops=panic` - Panics on kernel oops
+
+**Sysctl Settings**:
+
+- `kptr_restrict=2` - Hide kernel pointers
+- `dmesg_restrict=1` - Restrict kernel logs
+- `ptrace_scope=1` - Restrict debugging
+- `unprivileged_bpf_disabled=1` - Disable BPF for users
+
+```bash
+# Verify boot params after reboot
+cat /proc/cmdline
+```
+
+### Network Security
+
+- **DNS-over-TLS (DoT)**: Enabled via `systemd-resolved`. Encrypts all DNS queries to Quad9 and Cloudflare.
+- **Firewall**: `nftables` with Cloudflare-only access on ports 80/443. Direct connections are blocked.
+- **Caddy**: Uses DNS-01 ACME challenge (via Cloudflare API) for SSL certs. Configured with security headers (HSTS, CSP, etc.).
+
+### Audit Logging
+
+```bash
+# View audit logs
+sudo ausearch -ts today          # Today's events
+sudo ausearch -k sudoers         # Sudoers changes
+sudo aureport --summary          # Summary report
+```
+
+### Automatic Updates
+
+- Runs daily at 4 AM
+- Downloads updates but doesn't auto-reboot
+- Apply manually: `sudo nixos-rebuild switch --flake ~/nixos#nixos`
+
+### Known Security Considerations
+
+- **Secrets**: `cloudflare.key` is currently a raw file, not managed by SOPS.
+- **Containers**: Custom service containers may run as root internally.
+
+## Useful Commands
+
+```bash
+# System
+sudo nixos-rebuild switch --flake ~/nixos#nixos   # Apply config
+sudo nixos-rebuild boot --flake ~/nixos#nixos     # Apply on next boot
+nix flake update                                   # Update all inputs
+nix-collect-garbage -d                            # Clean old generations
+
+# Containers
+podman system prune -a                            # Clean unused images
+podman volume ls                                  # List volumes
+
+# Firewall
+sudo nft list ruleset                             # View nftables
+sudo nft list set inet cloudflare cloudflare_ipv4 # View Cloudflare IPs
+
+# Logs
+journalctl -u caddy -f                            # Caddy logs
+journalctl --user -u gluetun -f                   # VPN logs
+```
+
+## Troubleshooting
+
+### Container network issues
+
+```bash
+# Recreate podman network
+podman network rm antigravity-net
+sudo systemctl restart podman-network-antigravity-net
+```
+
+### Firefox VPN not starting
+
+```bash
+# Check gluetun status first
+systemctl --user status gluetun
+journalctl --user -u gluetun -n 50
+
+# Rebuild image if needed
+firefox-vpn-podman build
+```
+
+### Secrets not decrypting
+
+```bash
+# Check SOPS key
+ls -la ~/.config/sops/age/keys.txt
+sops -d secrets/secrets.yaml  # Test decryption
+```