# NixOS Configuration

Personal NixOS configuration with Hyprland, containerized services, and security hardening.

> **Note:** Parts of this configuration were created with the assistance of AI tools.

## Quick Start

```bash
# Apply configuration
doas nixos-rebuild switch --flake ~/nixos#nixos

# Update flake inputs
nix flake update

# Test configuration without applying
doas nixos-rebuild dry-run --flake ~/nixos#nixos
```

## Using These Modules

Others can import individual modules from this flake:

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; # any nixpkgs branch works
  inputs.ashie-nixos.url = "github:ashisgreat22/nixos";

  outputs = { nixpkgs, ashie-nixos, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux"; # or set nixpkgs.hostPlatform in a module
      modules = [
        # Import the modules, then switch them on via their myModules.* options
        ashie-nixos.nixosModules.security
        ashie-nixos.nixosModules.kernelHardening
        {
          myModules.security.enable = true;
          myModules.kernelHardening.enable = true;
        }
      ];
    };
  };
}
```

### Available Modules

| Module                                  | Description                    |
| --------------------------------------- | ------------------------------ |
| `nixosModules.security`                 | doas, audit logging, AppArmor  |
| `nixosModules.kernelHardening`          | Boot params, sysctl, ZRAM      |
| `nixosModules.dnsOverTls`               | DNSSEC + DNS-over-TLS          |
| `nixosModules.cloudflareFirewall`       | nftables Cloudflare-only rules |
| `nixosModules.caddyCloudflare`          | Caddy with DNS-01 ACME         |
| `nixosModules.podman`                   | Podman container runtime       |
| `nixosModules.browserVpn`               | VPN-isolated browsers          |
| `homeManagerModules.hyprlandCatppuccin` | Themed Hyprland config         |
| `homeManagerModules.gluetunUser`        | Rootless VPN container         |
| `homeManagerModules.qbittorrentVpn`     | qBittorrent through VPN        |

## Structure

```
~/nixos/
├── configuration.nix            # Main config (enables modules via myModules.*)
├── flake.nix                    # Flake inputs, outputs, and module exports
├── hardware-configuration.nix
├── home.nix                     # Home Manager entry point
├── modules/                     # Reusable NixOS modules
│   ├── default.nix              # Imports all system modules
│   ├── system/                  # System-level modules
│   │   ├── security.nix             # doas, audit, AppArmor
│   │   ├── kernel-hardening.nix     # Boot params, sysctl, ZRAM
│   │   ├── dns-over-tls.nix         # DNSSEC + DoT
│   │   ├── cloudflare-firewall.nix  # nftables rules
│   │   ├── caddy-cloudflare.nix     # Caddy + DNS-01
│   │   ├── podman.nix               # Container runtime
│   │   └── browser-vpn.nix          # VPN-isolated browsers
│   └── home/                    # Home Manager modules
│       ├── hyprland-catppuccin.nix
│       ├── gluetun-user.nix
│       ├── qbittorrent-vpn.nix
│       └── browser-container-update.nix
├── system/                      # Host-specific system config
│   ├── boot.nix                 # Bootloader
│   ├── hardware.nix             # GPU, USBGuard, fonts
│   ├── networking.nix           # Hostname, ddclient
│   ├── packages.nix             # System packages
│   ├── services.nix             # Steam, Caddy vhosts
│   └── secrets.nix              # SOPS secrets
├── home/                        # Host-specific Home Manager config
│   └── fastfetch.nix, kitty.nix, steam.nix, vscode.nix
├── containers/                  # Container Dockerfiles
│   ├── firefox-wayland/         # Isolated Firefox
│   ├── thorium-wayland/         # Isolated Thorium
│   └── tor-browser-wayland/
├── unified_router/              # API routing service
├── codex2api/                   # Codex API proxy
├── antigravity-src/             # Antigravity2API source
└── secrets/                     # SOPS-encrypted secrets
```

## Integrated Services

### API Ecosystem

A microservices architecture for managing LLM interactions:

- **Unified Router** (`unified_router/`)
- **Codex2API** (`codex2api/`)
- **Antigravity2API** (`antigravity-src/`)
- **Data Generator** (`scripts/data_generator/`): Tool for generating synthetic training data.

### Web Services (via Caddy)

| Service         | URL                   | Port        |
| --------------- | --------------------- | ----------- |
| Open WebUI      | `chat.ashisgreat.xyz` | 3000 → 8080 |
| Unified Router  | `api.ashisgreat.xyz`  | 6767        |
| Antigravity2API | (Internal)            | 8045        |

### Containers

```bash
# View running containers
podman ps

# View container logs
podman logs open-webui
podman logs antigravity2api
```

## Isolated Browsers (VPN)

Browsers run in Podman containers whose traffic is routed through a WireGuard VPN (the gluetun container), so browser traffic never leaves with the host's own address.
### Firefox

```bash
# Launch isolated Firefox
firefox-vpn-podman

# Or use commands directly
firefox-vpn-podman run      # Start Firefox
firefox-vpn-podman stop     # Stop containers
firefox-vpn-podman status   # Check status
firefox-vpn-podman build    # Rebuild container image
```

### Tor Browser

```bash
# Launch isolated Tor Browser
tor-browser-vpn-podman

# Or use commands directly
tor-browser-vpn-podman run      # Start Tor Browser
tor-browser-vpn-podman stop     # Stop containers
tor-browser-vpn-podman status   # Check status
tor-browser-vpn-podman build    # Rebuild container image
```

> **Note:** Tor Browser traffic goes through the VPN first and then through the Tor network: the VPN provider sees only connections to Tor guards, and the Tor guard sees the VPN endpoint rather than the home IP.

### Thorium Browser

```bash
# Launch isolated Thorium Browser
thorium-vpn-podman

# Or use commands directly
thorium-vpn-podman run      # Start Thorium
thorium-vpn-podman stop     # Stop containers
thorium-vpn-podman status   # Check status
thorium-vpn-podman build    # Rebuild container image
```

### Auto-Updates

Browser container images are rebuilt weekly by a user-level systemd timer (`browser-container-update.nix`), so the browsers pick up upstream security fixes without a manual rebuild.

```bash
# Check timer status
systemctl --user status browser-containers-update.timer

# Manually trigger update
systemctl --user start browser-containers-update

# View update logs
journalctl --user -u browser-containers-update -n 50
```

## qBittorrent (VPN)

User-level systemd service whose traffic is routed through the gluetun VPN container.

```bash
# Start/stop
systemctl --user start qbittorrent
systemctl --user stop qbittorrent

# View status
systemctl --user status gluetun
systemctl --user status qbittorrent

# Access WebUI (port published by the VPN container)
# http://127.0.0.1:8080
```

## Secrets Management (SOPS)

Secrets are encrypted with age keys via SOPS and decrypted at system activation time.
```bash
# Edit secrets (decrypts into $EDITOR, re-encrypts on save)
sops secrets/secrets.yaml

# Re-encrypt the data key for the recipients listed in .sops.yaml
# (needed after adding or rotating an age key, not for adding a secret)
sops updatekeys secrets/secrets.yaml
```

To add a new secret, put it in `secrets/secrets.yaml` with `sops secrets/secrets.yaml`, then declare it in `system/secrets.nix` so it is decrypted at activation.

## Security Features & Hardening

### Kernel Hardening

**Boot Parameters** (kernel command line):

- `slab_nomerge` - Prevents slab cache merging, so an overflow in one cache cannot land on objects of another
- `init_on_alloc=1 init_on_free=1` - Zeros memory on allocation and on free (mitigates uninitialized-memory leaks and blunts some use-after-free exploitation)
- `page_alloc.shuffle=1` - Randomizes the page allocator's free lists
- `randomize_kstack_offset=on` - Randomizes the kernel stack offset on each syscall
- `vsyscall=none` - Disables the legacy vsyscall page (a fixed-address ROP target)
- `oops=panic` - Panics on a kernel oops instead of continuing in a possibly corrupted state

**Sysctl Settings**:

- `kernel.kptr_restrict=2` - Hides kernel pointers in `/proc` and logs, even from root
- `kernel.dmesg_restrict=1` - Restricts reading the kernel log to processes with `CAP_SYSLOG`
- `kernel.yama.ptrace_scope=1` - A process may only be ptraced by its ancestors (no attaching to arbitrary processes of the same user)
- `kernel.unprivileged_bpf_disabled=1` - Disables the `bpf()` syscall for unprivileged users

```bash
# Verify boot params after reboot
cat /proc/cmdline
```

### Network Security

- **DNS-over-TLS (DoT)**: Enabled via `systemd-resolved` together with DNSSEC validation. All DNS queries go encrypted to Quad9 and Cloudflare, so the ISP sees neither the queries nor the answers.
- **Firewall**: `nftables` allows ports 80/443 only from Cloudflare's IP ranges, so the origin cannot be reached directly. This holds only while the address set stays current with Cloudflare's published ranges and the origin IP is not exposed elsewhere (e.g. in DNS history).
- **Caddy**: Obtains TLS certificates with the DNS-01 ACME challenge via the Cloudflare API, which works even though port 80 is not reachable from the CA's validators. Configured with security headers (HSTS, CSP, etc.).

### Audit Logging

```bash
# View audit logs
doas ausearch -ts today      # Today's events
doas ausearch -k sudoers     # Events tagged with the sudoers audit key
doas aureport --summary      # Summary report
```

### Automatic Updates

- Runs daily at 4 AM
- Downloads updates but does not reboot automatically
- Apply manually: `doas nixos-rebuild switch --flake ~/nixos#nixos`

### Known Security Considerations

- **Secrets**: `cloudflare.key` is currently stored as a plaintext file rather than under SOPS, so it is not protected at rest and must be kept out of version control.
- **Containers**: Custom service containers may run as root inside the container, which widens the blast radius if one of them is compromised.
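As an added example (not code from this repository), the following script turns the `cat /proc/cmdline` check above into a pass/fail test covering both the boot parameters and the sysctl settings from the Kernel Hardening section. The expected values are copied from this README; the `CHECK_ONLY_DEFINE` variable and the wording of the output are assumptions of the example. Anything reported as missing or mismatched usually means the new generation has not been booted yet, or the `kernelHardening` module is not enabled on this host.

```bash
#!/usr/bin/env bash
# Post-rebuild check for the kernel hardening listed in this README: are the
# boot parameters on the running kernel's command line, and do the sysctls
# hold the expected values? Added example, not part of the repository.
# Set CHECK_ONLY_DEFINE=1 to load the functions without running the check.

EXPECTED_PARAMS="slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 randomize_kstack_offset=on vsyscall=none oops=panic"

# key=value pairs; the key maps onto /proc/sys with dots as path separators
EXPECTED_SYSCTLS="kernel.kptr_restrict=2 kernel.dmesg_restrict=1 kernel.yama.ptrace_scope=1 kernel.unprivileged_bpf_disabled=1"

# missing_cmdline_params CMDLINE: prints each expected parameter that is absent.
# Matching is on whole tokens, so init_on_alloc=0 does not satisfy init_on_alloc=1.
missing_cmdline_params() {
    local cmdline=" $1 " param
    for param in $EXPECTED_PARAMS; do
        case "$cmdline" in
            *" $param "*) ;;
            *) printf '%s\n' "$param" ;;
        esac
    done
}

# wrong_sysctls ROOT: prints key=actual for each mismatch under ROOT (normally
# /proc/sys); "missing" means the file does not exist, e.g. no Yama LSM built in.
wrong_sysctls() {
    local root=$1 entry key want path got
    for entry in $EXPECTED_SYSCTLS; do
        key=${entry%%=*}
        want=${entry#*=}
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ -r "$path" ]; then got=$(cat "$path"); else got=missing; fi
        [ "$got" = "$want" ] || printf '%s=%s\n' "$key" "$got"
    done
}

main() {
    local rc=0 out
    out=$(missing_cmdline_params "$(cat /proc/cmdline)")
    if [ -n "$out" ]; then
        echo "Boot parameters missing from /proc/cmdline (new generation not booted yet?):"
        echo "$out"; rc=1
    fi
    out=$(wrong_sysctls /proc/sys)
    if [ -n "$out" ]; then
        echo "Sysctl mismatches (key=actual):"
        echo "$out"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "All expected hardening settings are active."
    return "$rc"
}

[ -n "${CHECK_ONLY_DEFINE:-}" ] || main
```

Run it once after `doas nixos-rebuild switch` and again after the reboot: the sysctls apply at activation, but the boot parameters only take effect on the next boot, so the first run is expected to report them as missing.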
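The Cloudflare-only rule in the Network Security section is only as good as the address set behind it: if Cloudflare adds a range, legitimate edge traffic from it is dropped; if a range is retired but stays in the set, whoever is later assigned it can reach the origin directly. The following script, added here as an example and not part of the repository, compares the `cloudflare_ipv4` set (queried as in Useful Commands) with Cloudflare's published IPv4 list. The table and set names follow this README; the published-list URL, the `--live` flag and the embedded sample data are assumptions/constructed so that the default run works offline.

```bash
#!/usr/bin/env bash
# Drift check for the Cloudflare-only nftables rule: compares the live
# `cloudflare_ipv4` set with Cloudflare's published IPv4 ranges.
# Added example, not part of the repository. Table and set names follow the
# README; PUBLISHED_URL and the sample data below are assumptions/constructed.

PUBLISHED_URL="https://www.cloudflare.com/ips-v4"

# Constructed sample data for an offline run: a published list that has gained
# one range, and nft output for a set that still carries a retired range.
SAMPLE_PUBLISHED='173.245.48.0/20
103.21.244.0/22
104.16.0.0/13'
SAMPLE_NFT_OUTPUT='table inet cloudflare {
    set cloudflare_ipv4 {
        type ipv4_addr
        flags interval
        elements = { 173.245.48.0/20, 103.21.244.0/22,
                     198.41.128.0/17 }
    }
}'

# cidrs_in TEXT: IPv4 CIDRs found in TEXT (nft output or a plain list),
# one per line, sorted and de-duplicated
cidrs_in() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | sort -u
}

# set_drift PUBLISHED LIVE: prints "missing <cidr>" for published ranges the set
# lacks (Cloudflare edges in that range are blocked, so the site breaks for
# them) and "stale <cidr>" for set entries Cloudflare no longer lists (anyone
# holding that range can bypass Cloudflare). Returns 1 if anything drifted.
set_drift() {
    local published live rc=0 c
    published=$(cidrs_in "$1")
    live=$(cidrs_in "$2")
    for c in $published; do
        printf '%s\n' "$live" | grep -qxF "$c" || { echo "missing $c"; rc=1; }
    done
    for c in $live; do
        printf '%s\n' "$published" | grep -qxF "$c" || { echo "stale $c"; rc=1; }
    done
    return $rc
}

main() {
    local published live
    if [ "${1:-}" = "--live" ]; then
        published=$(curl -fsS "$PUBLISHED_URL") || { echo "fetch failed" >&2; return 2; }
        live=$(doas nft list set inet cloudflare cloudflare_ipv4) || return 2
    else
        echo "(offline demo on constructed sample data; pass --live on the host)"
        published=$SAMPLE_PUBLISHED
        live=$SAMPLE_NFT_OUTPUT
    fi
    set_drift "$published" "$live" && echo "Cloudflare set matches the published list."
}

[ -n "${DRIFT_CHECK_LIB:-}" ] || main "$@"
```

Run it with `--live` from a timer or before each `nixos-rebuild`; a non-zero exit means the set in `cloudflare-firewall.nix` needs updating. The README only names an IPv4 set; if the ruleset also has an IPv6 set, the same comparison applies against Cloudflare's IPv6 list.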
## Useful Commands

```bash
# System
doas nixos-rebuild switch --flake ~/nixos#nixos   # Apply config
doas nixos-rebuild boot --flake ~/nixos#nixos     # Apply on next boot
nix flake update                                  # Update all inputs
nix-collect-garbage -d                            # Clean old generations

# Containers
podman system prune -a                            # Clean unused images
podman volume ls                                  # List volumes

# Firewall
doas nft list ruleset                                     # View nftables
doas nft list set inet cloudflare cloudflare_ipv4         # View Cloudflare IPs

# Logs
journalctl -u caddy -f                            # Caddy logs
journalctl --user -u gluetun -f                   # VPN logs
```

## Troubleshooting

### Container network issues

```bash
# Recreate podman network
podman network rm antigravity-net
doas systemctl restart podman-network-antigravity-net
```

### Firefox VPN not starting

```bash
# Check gluetun status first
systemctl --user status gluetun
journalctl --user -u gluetun -n 50

# Rebuild image if needed
firefox-vpn-podman build
```

### Secrets not decrypting

```bash
# Check SOPS key
ls -la ~/.config/sops/age/keys.txt
sops -d secrets/secrets.yaml   # Test decryption
```
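Related to the `cloudflare.key` item under Known Security Considerations and the "Secrets not decrypting" case above, this added example (not part of the repository) lists files under `secrets/` that are not actually SOPS-encrypted. It relies on the `sops:` metadata block and its `mac: ENC[...]` line that sops writes into every encrypted file (YAML and JSON forms). The `SOPS_CHECK_LIB` variable and the file names used in its test data are constructed for the example.

```bash
#!/usr/bin/env bash
# Find plaintext files in the secrets directory, i.e. anything sops did not
# encrypt. Added example, not part of the repository.
# Set SOPS_CHECK_LIB=1 to load the functions without running the check.

# is_sops_encrypted FILE: true if FILE carries sops metadata and a MAC.
# YAML form:  sops:\n    mac: ENC[AES256_GCM,...]
# JSON form:  "sops": { "mac": "ENC[AES256_GCM,...]" }  (binary secrets
# encrypted with --input-type binary end up in this JSON form)
is_sops_encrypted() {
    local f=$1
    grep -qE '^[[:space:]]*"?sops"?:' "$f" && grep -qE '"?mac"?: *"?ENC\[' "$f"
}

# plaintext_secrets DIR: prints every regular file under DIR that fails the check
plaintext_secrets() {
    local dir=$1 f
    find "$dir" -type f | sort | while IFS= read -r f; do
        is_sops_encrypted "$f" || printf '%s\n' "$f"
    done
}

main() {
    local dir=${1:-secrets} out
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    out=$(plaintext_secrets "$dir")
    if [ -n "$out" ]; then
        echo "Not sops-encrypted (plaintext on disk, and in git history if ever committed):"
        echo "$out"
        return 1
    fi
    echo "All files under $dir are sops-encrypted."
}

[ -n "${SOPS_CHECK_LIB:-}" ] || main "$@"
```

Run it from `~/nixos` (optionally with another directory as the argument). To bring a plaintext file under SOPS, encrypt it as a binary-type secret, for example `sops --encrypt --input-type binary --output-type json cloudflare.key > secrets/cloudflare.key.json`, reference the new file from `system/secrets.nix`, and delete the plaintext copy (purging it from git history if it was ever committed).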