# NixOS Configuration

Personal NixOS configuration with Hyprland, containerized services, and security hardening.

Note: Parts of this configuration were created with the assistance of AI tools.

## Quick Start

```bash
# Apply configuration
doas nixos-rebuild switch --flake ~/nixos#nixos

# Update flake inputs
nix flake update

# Test configuration without applying
doas nixos-rebuild dry-run --flake ~/nixos#nixos
```
## Using These Modules

Others can import individual modules from this flake:

```nix
{
  inputs.ashie-nixos.url = "github:ashisgreat22/nixos";

  outputs = { nixpkgs, ashie-nixos, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      modules = [
        ashie-nixos.nixosModules.security
        ashie-nixos.nixosModules.kernelHardening
        {
          myModules.security.enable = true;
          myModules.kernelHardening.enable = true;
        }
      ];
    };
  };
}
```
## Available Modules

| Module | Description |
|---|---|
| `nixosModules.security` | doas, audit logging, AppArmor |
| `nixosModules.kernelHardening` | Boot params, sysctl, ZRAM |
| `nixosModules.dnsOverTls` | DNSSEC + DNS-over-TLS |
| `nixosModules.cloudflareFirewall` | nftables Cloudflare-only rules |
| `nixosModules.caddyCloudflare` | Caddy with DNS-01 ACME |
| `nixosModules.podman` | Podman container runtime |
| `nixosModules.browserVpn` | VPN-isolated browsers |
| `homeManagerModules.hyprlandCatppuccin` | Themed Hyprland config |
| `homeManagerModules.gluetunUser` | Rootless VPN container |
| `homeManagerModules.qbittorrentVpn` | qBittorrent through VPN |
## Structure

```text
~/nixos/
├── configuration.nix           # Main config (enables modules via myModules.*)
├── flake.nix                   # Flake inputs, outputs, and module exports
├── hardware-configuration.nix
├── home.nix                    # Home Manager entry point
├── modules/                    # Reusable NixOS modules
│   ├── default.nix             # Imports all system modules
│   ├── system/                 # System-level modules
│   │   ├── security.nix        # doas, audit, AppArmor
│   │   ├── kernel-hardening.nix    # Boot params, sysctl, ZRAM
│   │   ├── dns-over-tls.nix    # DNSSEC + DoT
│   │   ├── cloudflare-firewall.nix # nftables rules
│   │   ├── caddy-cloudflare.nix    # Caddy + DNS-01
│   │   ├── podman.nix          # Container runtime
│   │   └── browser-vpn.nix     # VPN-isolated browsers
│   └── home/                   # Home Manager modules
│       ├── hyprland-catppuccin.nix
│       ├── gluetun-user.nix
│       ├── qbittorrent-vpn.nix
│       └── browser-container-update.nix
├── system/                     # Host-specific system config
│   ├── boot.nix                # Bootloader
│   ├── hardware.nix            # GPU, USBGuard, fonts
│   ├── networking.nix          # Hostname, ddclient
│   ├── packages.nix            # System packages
│   ├── services.nix            # Steam, Caddy vhosts
│   └── secrets.nix             # SOPS secrets
├── home/                       # Host-specific Home Manager config
│   ├── fastfetch.nix, kitty.nix, steam.nix, vscode.nix
├── containers/                 # Container Dockerfiles
│   ├── firefox-wayland/        # Isolated Firefox
│   ├── thorium-wayland/        # Isolated Thorium
│   └── tor-browser-wayland/
├── unified_router/             # API routing service
├── codex2api/                  # Codex API proxy
├── antigravity-src/            # Antigravity2API source
└── secrets/                    # SOPS-encrypted secrets
```
## Integrated Services

### API Ecosystem

A microservices architecture for managing LLM interactions:

- Unified Router (`unified_router/`)
- Codex2API (`codex2api/`)
- Antigravity2API (`antigravity-src/`)
- Data Generator (`scripts/data_generator/`): Tool for generating synthetic training data.

### Web Services (via Caddy)

| Service | URL | Port |
|---|---|---|
| Open WebUI | chat.ashisgreat.xyz | 3000 → 8080 |
| Unified Router | api.ashisgreat.xyz | 6767 |
| Antigravity2API | (Internal) | 8045 |

### Containers

```bash
# View running containers
podman ps

# View container logs
podman logs open-webui
podman logs antigravity2api
```
### Isolated Browsers (VPN)

Browsers running in containers routed through WireGuard VPN.

#### Firefox

```bash
# Launch isolated Firefox
firefox-vpn-podman

# Or use commands directly
firefox-vpn-podman run      # Start Firefox
firefox-vpn-podman stop     # Stop containers
firefox-vpn-podman status   # Check status
firefox-vpn-podman build    # Rebuild container image
```

#### Tor Browser

```bash
# Launch isolated Tor Browser
tor-browser-vpn-podman

# Or use commands directly
tor-browser-vpn-podman run      # Start Tor Browser
tor-browser-vpn-podman stop     # Stop containers
tor-browser-vpn-podman status   # Check status
tor-browser-vpn-podman build    # Rebuild container image
```

Note: Traffic flows through both the VPN and Tor network for double isolation.

#### Thorium Browser

```bash
# Launch isolated Thorium Browser
thorium-vpn-podman

# Or use commands directly
thorium-vpn-podman run      # Start Thorium
thorium-vpn-podman stop     # Stop containers
thorium-vpn-podman status   # Check status
thorium-vpn-podman build    # Rebuild container image
```

#### Auto-Updates

Browser containers are automatically rebuilt weekly via a systemd timer.

```bash
# Check timer status
systemctl --user status browser-containers-update.timer

# Manually trigger update
systemctl --user start browser-containers-update

# View update logs
journalctl --user -u browser-containers-update -n 50
```

### qBittorrent (VPN)

User service running through the gluetun VPN container.

```bash
# Start/stop
systemctl --user start qbittorrent
systemctl --user stop qbittorrent

# View status
systemctl --user status gluetun
systemctl --user status qbittorrent

# Access WebUI (through VPN container)
# http://127.0.0.1:8080
```
## Secrets Management (SOPS)

Secrets are encrypted with AGE and decrypted at activation time.

```bash
# Edit secrets
sops secrets/secrets.yaml

# Add new secret to secrets.nix, then re-encrypt
sops updatekeys secrets/secrets.yaml
```
## Security Features & Hardening

### Kernel Hardening

Boot Parameters (runtime protection):

- `slab_nomerge` - Prevents slab cache merging
- `init_on_alloc/free=1` - Zeros memory (use-after-free mitigation)
- `page_alloc.shuffle=1` - Randomizes page allocator
- `randomize_kstack_offset=on` - Randomizes kernel stack
- `vsyscall=none` - Disables legacy vsyscall
- `debugfs=off` - Disables kernel debug interface
- `oops=panic` - Panics on kernel oops

Sysctl Settings:

- `kptr_restrict=2` - Hide kernel pointers
- `dmesg_restrict=1` - Restrict kernel logs
- `ptrace_scope=1` - Restrict debugging
- `unprivileged_bpf_disabled=1` - Disable BPF for users

```bash
# Verify boot params after reboot
cat /proc/cmdline
```
### Network Security

- DNS-over-TLS (DoT): Enabled via `systemd-resolved`. Encrypts all DNS queries to Quad9 and Cloudflare.
- Firewall: `nftables` with Cloudflare-only access on ports 80/443. Direct connections are blocked.
- Caddy: Uses DNS-01 ACME challenge (via Cloudflare API) for SSL certs. Configured with security headers (HSTS, CSP, etc.).

### Audit Logging

```bash
# View audit logs
sudo ausearch -ts today     # Today's events
sudo ausearch -k sudoers    # Sudoers changes
sudo aureport --summary     # Summary report
```

### Automatic Updates

- Runs daily at 4 AM
- Downloads updates but doesn't auto-reboot
- Apply manually: `sudo nixos-rebuild switch --flake ~/nixos#nixos`

### Known Security Considerations

- Secrets: `cloudflare.key` is currently a raw file, not managed by SOPS.
- Containers: Custom service containers may run as root internally.
## Useful Commands

```bash
# System
sudo nixos-rebuild switch --flake ~/nixos#nixos   # Apply config
sudo nixos-rebuild boot --flake ~/nixos#nixos     # Apply on next boot
nix flake update                                  # Update all inputs
nix-collect-garbage -d                            # Clean old generations

# Containers
podman system prune -a    # Clean unused images
podman volume ls          # List volumes

# Firewall
sudo nft list ruleset                                # View nftables
sudo nft list set inet cloudflare cloudflare_ipv4    # View Cloudflare IPs

# Logs
journalctl -u caddy -f            # Caddy logs
journalctl --user -u gluetun -f   # VPN logs
```

## Troubleshooting

### Container network issues

```bash
# Recreate podman network
podman network rm antigravity-net
sudo systemctl restart podman-network-antigravity-net
```

### Firefox VPN not starting

```bash
# Check gluetun status first
systemctl --user status gluetun
journalctl --user -u gluetun -n 50

# Rebuild image if needed
firefox-vpn-podman build
```

### Secrets not decrypting

```bash
# Check SOPS key
ls -la ~/.config/sops/age/keys.txt
sops -d secrets/secrets.yaml   # Test decryption
```