# NixOS Configuration

A modular, security-hardened NixOS flake featuring multiple desktop environments (Niri, Cosmic), application sandboxing via `nix-bwrapper`, and a containerized service ecosystem.

## 🛡️ Core Pillars

- **Security Hardening**: Aggressive kernel parameters, DNS-over-TLS, AppArmor, and an `nftables` firewall with Cloudflare-specific rules.
- **Application Sandboxing**: Granular isolation for browsers, games, and proprietary apps using `bubblewrap` via a custom `nix-bwrapper` framework.
- **Modular Architecture**: A clean `myModules` namespace that decouples configuration logic from host-specific implementation.
- **Modern Desktop**: Support for **Niri** (scrollable tiling) and **Cosmic** (Epoch), with **Noctalia** shell integration.

---

## 🚀 Quick Start

```bash
# Apply system configuration
doas nixos-rebuild switch --flake .#nixos

# Update all flake inputs
nix flake update

# Check active security parameters (doas is the privilege tool this flake uses)
cat /proc/cmdline
doas nft list ruleset
```

---

## 🏗️ Repository Structure

```text
/home/ashie/nixos/
├── flake.nix              # Entry point & input management
├── hosts/nixos/           # Host-specific configurations
│   ├── configuration.nix  # System entry point
│   ├── default.nix        # Enabled system modules (myModules.*)
│   ├── home-modules.nix   # Enabled HM modules (myModules.*)
│   └── home.nix           # Home Manager entry point
├── modules/               # Reusable logic
│   ├── nixos/             # System modules (Hardening, Podman, etc.)
│   └── home-manager/      # User modules (DEs, Tools, Services)
├── containers/            # Dockerfiles for isolated environments
└── secrets/               # SOPS-encrypted secrets (AGE)
```

---

## 📦 Modular System (`myModules`)

This flake uses a unified module system. Features are toggled in `hosts/nixos/default.nix` (system) and `hosts/nixos/home-modules.nix` (user).
### Key System Modules

| Module | Description | Status |
| :--- | :--- | :--- |
| `security` | AppArmor, doas, and system audit | Enabled |
| `kernelHardening` | Sysctl & boot-time mitigations | Enabled |
| `dnsOverTls` | Encrypted DNS via systemd-resolved | Enabled |
| `cloudflareFirewall` | nftables rules restricted to Cloudflare IPs | Enabled |
| `podman` | OCI container runtime | Enabled |
| `ollamaRocm` | Local LLM acceleration for AMD GPUs | Enabled |

### Key User Modules

| Module | Description | Status |
| :--- | :--- | :--- |
| `niri` | Scrollable tiling window manager | **Active** |
| `cosmic` | System76's modern desktop environment | Available |
| `noctalia` | Custom shell and UI components | Enabled |
| `protonCachyos` | Auto-updating gaming runtime | Enabled |

---

## 🔒 Application Sandboxing

Applications are wrapped in `bubblewrap` namespaces using the `mkSandboxedApp` utility (see `modules/nixos/sandbox-utils.nix`). Each sandboxed app gets:

- **No Home Access**: The app sees only the specific directories it needs, not the rest of `$HOME`.
- **D-Bus Isolation**: Access to the system and session buses is filtered through `xdg-dbus-proxy`, so only the bus names the app needs are reachable.
- **Isolated Kernel Interfaces**: Private `/proc`, `/dev`, and `/sys` views inside the sandbox rather than the host's.

The isolation is only as strong as the bind list: every socket or device node bound into the namespace (Wayland, PipeWire, GPU nodes) is a deliberate hole, so review the per-app binds before adding an application.

### Sandboxed Applications

- **Browsers**: Firefox, Brave, Tor Browser, Thorium.
- **Gaming**: Steam, Prism Launcher, Lutris.
- **Social**: Vesktop (Discord), Spotify, Tutanota.

---

## 🛠️ Integrated Services

- **SearXNG**: Privacy-focused search engine at `search.ashisgreat.xyz`.
- **Antigravity2API**: LLM API proxy.
- **Ollama**: Local AI inference backend with ROCm support.
- **Redlib**: Privacy-friendly Reddit front-end.
- **OpenClaw**: Modern AI agent.

---

## 🔐 Secrets Management

Secrets are managed via **SOPS** and encrypted with **AGE**.

- **Edit secrets**: `sops secrets/secrets.yaml`
- **Key location**: `~/.config/sops/age/keys.txt`

Only the encrypted `secrets/secrets.yaml` belongs in the repository. The age private key in `keys.txt` is the decryption root: keep it out of version control and back it up separately, because losing it means losing every secret encrypted to it.

---

## 🧹 Maintenance

```bash
# Clean old system generations (this also removes them as rollback targets)
nix-collect-garbage -d

# Optimize the nix store
nix store optimise

# View container status
podman ps -a
```
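## Worked Example: Verifying the Security Modules

The Quick Start's `cat /proc/cmdline` and `doas nft list ruleset` show raw output; the script below, an added example that is not part of this flake, turns that output plus `resolvectl status` into pass/fail checks for the `kernelHardening`, `dnsOverTls`, and `cloudflareFirewall` modules. Every check is a pure function over text, so it runs against captured output as well as the live host. The specific kernel parameters it requires and all sample output are illustrative assumptions, not values taken from this configuration.

```shell
#!/usr/bin/env bash
# Added example, not part of the flake: pass/fail checks for the security modules.
# The required kernel parameters are assumptions; substitute the ones the
# kernelHardening module really sets.
set -eu

# Kernel: print every required boot parameter that is absent from the cmdline.
#   $1 = contents of /proc/cmdline, $2.. = required tokens (key or key=value)
missing_cmdline_params() {
  local cmdline=" $1 " p; shift
  for p in "$@"; do
    case "$cmdline" in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done
}

# DNS: resolved prints the effective flags on each "Protocols:" line (Global and
# every Link, since links inherit the global mode unless overridden). "+DNSOverTLS"
# is strict mode; opportunistic mode prints as "DNSOverTLS=opportunistic" and is
# downgradable by an on-path attacker, so only strict counts, on every section.
#   $1 = output of `resolvectl status`; returns 0 when strict DoT is on everywhere
dot_enforced() {
  printf '%s\n' "$1" | awk '
    /Protocols:/ { n++; if ($0 ~ /[+]DNSOverTLS/) ok++ }
    END { exit (n > 0 && ok == n) ? 0 : 1 }'
}

# Firewall: a chain hooked on input must have a default drop policy; nft prints
# hook and policy on one line ("type filter hook input priority filter; policy drop;").
#   $1 = output of `nft list ruleset`; returns 0 when such a chain exists
input_policy_drop() {
  printf '%s\n' "$1" | awk '
    /type filter hook input/ && /policy drop/ { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Run all three checks; prints one line each and returns the number of failures.
#   $1 cmdline text, $2 resolvectl text, $3 nft text
report() {
  local fails=0 missing
  missing=$(missing_cmdline_params "$1" init_on_alloc=1 init_on_free=1 \
                                        slab_nomerge lockdown=confidentiality)
  if [ -z "$missing" ]; then echo "kernel:   ok"
  else echo "kernel:   missing $missing"; fails=$((fails + 1)); fi
  if dot_enforced "$2"; then echo "dns:      ok"
  else echo "dns:      DNS-over-TLS not strict on every link"; fails=$((fails + 1)); fi
  if input_policy_drop "$3"; then echo "firewall: ok"
  else echo "firewall: no input chain with policy drop"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed sample output (not captured from a real host), for offline use.
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/kernel init=/nix/store/abc-nixos-system/init init_on_alloc=1 init_on_free=1 slab_nomerge lockdown=confidentiality loglevel=4'
SAMPLE_RESOLVED='Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 1.1.1.1#cloudflare-dns.com

Link 2 (enp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported'
SAMPLE_RESOLVED_WEAK='Global
         Protocols: -LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported

Link 2 (enp3s0)
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported'
SAMPLE_NFT='table inet filter {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { 103.21.244.0/22, 104.16.0.0/13 }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr @cloudflare_v4 tcp dport { 80, 443 } accept
    }
}'
SAMPLE_NFT_OPEN='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
}'

# On the host itself, feed the live output instead of the samples:
# report "$(cat /proc/cmdline)" "$(resolvectl status)" "$(doas nft list ruleset)"
```

Run it after every `nixos-rebuild switch`; a non-zero exit means one of the enabled security modules did not take effect as intended.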
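## Worked Example: What a Sandboxed App Actually Sees

The Application Sandboxing section lists three properties (no home access, a filtered D-Bus, private `/proc`, `/dev`, and `/sys`). The script below is an added example, not the flake's own `mkSandboxedApp` from `modules/nixos/sandbox-utils.nix`, that spells those properties out in plain `bubblewrap` and `xdg-dbus-proxy` arguments so the bind list can be reviewed before launch. The app name, bound paths, state directory layout, and D-Bus names are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the flake's own mkSandboxedApp: bubblewrap + xdg-dbus-proxy
# argument lists that give one app no home access, a filtered bus, and private
# /proc, /dev and /sys. App name, paths and D-Bus names are illustrative.
set -eu

# Print the bubblewrap arguments for one app, one per line.
#   $1 app name (its persistent state lives under ~/.local/share/sandbox/<app>)
#   $2 program to execute inside the sandbox
#   $3.. extra host directories the app may read and write (e.g. a Downloads dir)
sandbox_args() {
  local app="$1" prog="$2"; shift 2
  local home="${HOME:-/home/user}"
  local runtime="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
  local state="$home/.local/share/sandbox/$app"
  local dir

  # Namespaces: unshare everything, then re-share only the network.
  # --new-session blocks TIOCSTI keystroke injection into the parent terminal.
  printf '%s\n' --unshare-all --share-net --die-with-parent --new-session
  # The root is an empty tmpfs: whatever is not bound here does not exist inside.
  # That is how /sys (and the rest of /etc, /run, /var) stay invisible.
  printf '%s\n' --ro-bind /nix/store /nix/store \
                --ro-bind /run/current-system /run/current-system \
                --ro-bind /etc/resolv.conf /etc/resolv.conf \
                --ro-bind /etc/ssl /etc/ssl
  # Fresh /proc and /dev for the sandbox's pid namespace instead of the host's.
  printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
  # "No home access": $HOME is an empty tmpfs; only the app's own state and the
  # explicitly listed directories are bound back in.
  printf '%s\n' --tmpfs "$home" --bind "$state" "$home/.local/share/$app"
  for dir in "$@"; do printf '%s\n' --bind "$dir" "$dir"; done
  # D-Bus: the app finds the proxy socket at the standard path, never the real bus.
  printf '%s\n' --bind "$runtime/$app-bus" "$runtime/bus" \
                --setenv DBUS_SESSION_BUS_ADDRESS "unix:path=$runtime/bus"
  printf '%s\n' -- "$prog"
}

# Print the xdg-dbus-proxy arguments: real bus address, proxy socket path, then a
# filter that only lets the app call the listed well-known names.
#   $1 app name; $2.. names the app may talk to
dbus_proxy_args() {
  local app="$1"; shift
  local runtime="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
  local name
  printf '%s\n' "${DBUS_SESSION_BUS_ADDRESS:-unix:path=$runtime/bus}" \
                "$runtime/$app-bus" --filter
  for name in "$@"; do printf '%s\n' "--talk=$name"; done
}

# Review helper: read an argument list on stdin and print every sandbox-side path
# that a --bind/--ro-bind exposes (the destination is two lines after the flag).
exposed_paths() {
  awk '{ if (p2 == "--bind" || p2 == "--ro-bind") print; p2 = p1; p1 = $0 }'
}

# Launch: start the proxy, wait for its socket, then exec bwrap. With IFS set to
# a newline and globbing off, the printed lines become argv words verbatim.
run_sandboxed() {
  local app="$1" prog="$2"; shift 2
  local runtime="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
  mkdir -p "${HOME:-/home/user}/.local/share/sandbox/$app"
  (
    IFS='
'
    set -f
    xdg-dbus-proxy $(dbus_proxy_args "$app" org.freedesktop.Notifications org.freedesktop.portal.Desktop) &
    while [ ! -S "$runtime/$app-bus" ]; do sleep 0.1; done
    exec bwrap $(sandbox_args "$app" "$prog" "$@")
  )
}

# Usage on a host with bwrap and xdg-dbus-proxy installed:
# run_sandboxed firefox /run/current-system/sw/bin/firefox "$HOME/Downloads"
# Review before launching:
# sandbox_args firefox /run/current-system/sw/bin/firefox "$HOME/Downloads" | exposed_paths
```

`exposed_paths` is the review step the caveat above asks for: every path it prints is a hole in the sandbox, and `~/.ssh`, `~/.gnupg`, or the real `$XDG_RUNTIME_DIR/bus` should never appear in it.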