From 23c382bb8ef283471cf9d027fe635cd5a65d2cfc Mon Sep 17 00:00:00 2001
From: cnst
Date: Mon, 14 Jul 2025 18:38:23 +0200
Subject: [PATCH] some sobotka changes and pkgs refactor
---
 hosts/bunk/modules.nix | 3 ++
 hosts/kima/modules.nix | 3 ++
 hosts/sobotka/modules.nix | 14 +++---
 hosts/toothpc/modules.nix | 3 ++
 modules/nixos/boot/kernel/default.nix | 4 ++
 modules/nixos/boot/kernel/security.nix | 56 +++++++++++++++++++++
 modules/nixos/hardware/graphics/default.nix | 1 +
 modules/nixos/programs/pkgs/default.nix | 32 ++++++++----
 modules/nixos/services/pipewire/default.nix | 1 -
 9 files changed, 97 insertions(+), 20 deletions(-)
 create mode 100644 modules/nixos/boot/kernel/security.nix
diff --git a/hosts/bunk/modules.nix b/hosts/bunk/modules.nix
index 5117fa8b..e8c1f60f 100644
--- a/hosts/bunk/modules.nix
+++ b/hosts/bunk/modules.nix
@@ -82,6 +82,9 @@
 };
 pkgs = {
 enable = true;
+ common = {
+ enable = true;
+ };
 desktop = {
 enable = false;
 };
diff --git a/hosts/kima/modules.nix b/hosts/kima/modules.nix
index 2aed1670..01bde471 100644
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -89,6 +89,9 @@
 desktop = {
 enable = true;
 };
+ common = {
+ enable = true;
+ };
 laptop = {
 enable = false;
 };
diff --git a/hosts/sobotka/modules.nix b/hosts/sobotka/modules.nix
index 106d4820..f1c3759f 100644
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -3,13 +3,8 @@
 boot = {
 kernel = {
 variant = "latest";
- hardware = ["intel"];
- extraKernelParams = [
- "fbcon=rotate:1"
- "efi=keep_bootcon"
- "amd_iommu=on"
- "iommu=pt"
- ];
+ hardware = ["amd"];
+ extraKernelParams = [];
 };
 loader = {
 default = {
@@ -87,10 +82,13 @@
 enable = true;
 };
 pkgs = {
- enable = false;
+ enable = true;
 desktop = {
 enable = false;
 };
+ common = {
+ enable = false;
+ };
 laptop = {
 enable = false;
 };
diff --git a/hosts/toothpc/modules.nix b/hosts/toothpc/modules.nix
index 79ba3709..4bc6239b 100644
--- a/hosts/toothpc/modules.nix
+++ b/hosts/toothpc/modules.nix
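Review bot: In the first sobotka hunk `amd_iommu=on` and `iommu=pt` disappear together with the rest of `extraKernelParams`, and nothing in the diff shows what the host relied on them for. Dropping `iommu=pt` is a net gain for DMA isolation (host devices go back to full translation instead of identity mapping), but if this machine uses VFIO passthrough the change is behavioural, not cosmetic, so it is worth confirming after the first boot that the IOMMU is still active (`dmesg | grep -i -e AMD-Vi -e iommu`) and that any passthrough groups still come up. A one-line comment on the now-empty list, e.g. `extraKernelParams = []; # IOMMU left at kernel/firmware defaults`, would record that this was deliberate. I cannot tell from the hunk whether the `hardware = ["intel"]` → `["amd"]` flip reflects a real platform change or a correction of a stale value.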
@@ -85,6 +85,9 @@ }; pkgs = { enable = true; + common = { + enable = true; + }; desktop = { enable = true; }; diff --git a/modules/nixos/boot/kernel/default.nix b/modules/nixos/boot/kernel/default.nix index 061c0223..1925fd18 100644 --- a/modules/nixos/boot/kernel/default.nix +++ b/modules/nixos/boot/kernel/default.nix @@ -9,6 +9,10 @@ hasHardware = hw: builtins.elem hw cfg.hardware; in { + imports = [ + ./security.nix + ]; + options = { nixos.boot.kernel = { variant = mkOption { diff --git a/modules/nixos/boot/kernel/security.nix b/modules/nixos/boot/kernel/security.nix new file mode 100644 index 00000000..dbd3118f --- /dev/null +++ b/modules/nixos/boot/kernel/security.nix 
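Review bot: The new `imports = [ ./security.nix ];` in `modules/nixos/boot/kernel/default.nix` is unconditional, so `security.nix` (which, per this patch, sets `security.sudo.wheelNeedsPassword = false`, a hyprlock PAM rule and rtkit alongside the sysctls) is now applied to every host that evaluates this kernel module, with no per-host opt-out and without consulting any of the module's own options (`variant`, `hardware`, ...). Sudo and PAM policy are a different concern from kernel selection and should not ride along with it silently; either gate the imported file's `config` behind an option in the same `nixos.boot.kernel` namespace, or move the `security = { ... }` attrset out of this file into the host modules and keep only the sysctl/kernelModules part here. At minimum a comment on the import such as `# NOTE: security.nix is applied unconditionally; it also sets sudo/PAM policy` would make the coupling visible to whoever adds the next host. The surrounding `options`/`config` structure of this module continues outside the hunk.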
@@ -0,0 +1,56 @@
+# From https://github.com/hlissner/dotfiles/@hlissner
+{
+ boot.kernel.sysctl = {
+ # The Magic SysRq key is a key combo that allows users connected to the
+ # system console of a Linux kernel to perform some low-level commands.
+ # Disable it, since we don't need it, and is a potential security concern.
+ "kernel.sysrq" = 0;
+
+ ## TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets (we're not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're not a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+
+ ## TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN.
Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + + boot.kernelModules = ["tcp_bbr"]; + + security = { + # allow wayland lockers to unlock the screen + pam.services.hyprlock.text = "auth include login"; + + # userland niceness + rtkit.enable = true; + + # don't ask for password for wheel group + sudo.wheelNeedsPassword = false; + }; +} diff --git a/modules/nixos/hardware/graphics/default.nix b/modules/nixos/hardware/graphics/default.nix index be2b64a2..1ca817bc 100644 --- a/modules/nixos/hardware/graphics/default.nix +++ b/modules/nixos/hardware/graphics/default.nix @@ -92,6 +92,7 @@ in { commonPackages ++ mesaVulkanPackages ++ (with pkgs; [ + vpl-gpu-rt intel-media-driver intel-compute-runtime ]); diff --git a/modules/nixos/programs/pkgs/default.nix b/modules/nixos/programs/pkgs/default.nix index 6f408bf3..6766ea43 100644 --- a/modules/nixos/programs/pkgs/default.nix +++ b/modules/nixos/programs/pkgs/default.nix @@ -15,6 +15,12 @@ in { default = true; description = "Whether to install default core packages."; }; + common.enable = mkOption { + type = types.bool; + default = false; + description = "Whether to install common packages."; + }; + desktop.enable = mkOption { type = types.bool; default = false; 
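Review bot: `sudo.wheelNeedsPassword = false;` at the bottom of the new `security.nix` removes the re-authentication step for every wheel user on every host that imports this file, which is the opposite of what a file named "security" under `boot/kernel` leads a reader to expect; passwordless sudo is a per-host convenience decision and belongs in the host module, or at least should be `sudo.wheelNeedsPassword = lib.mkDefault false;` so a host can override it without a `mkForce` fight (that needs `lib` in the module arguments, which this file currently does not take). The sysctl block also stops short of the kernel-side settings that usually accompany a hardening preset — `"kernel.kptr_restrict" = 2;`, `"kernel.dmesg_restrict" = 1;`, `"kernel.yama.ptrace_scope" = 1;` — and sets `accept_source_route` only for `all`, not `default`, unlike the other IPv4 knobs in the same list. Note that `rp_filter = 1` is strict mode and will drop legitimate traffic on multi-homed or asymmetrically routed hosts; `2` (loose) is the safer default for a laptop that roams between interfaces. TCP Fast Open `= 3` is listed under "optimization" and is fine as such, but it is worth a comment that TFO cookies are a passive tracking vector and that most servers never complete the handshake optimisation, so the setting is of marginal benefit on a client.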
@@ -37,35 +43,39 @@ in { environment.systemPackages = with pkgs; mkMerge [ [ + pciutils ddcutil app2unit cava lm_sensors - qt6.full - swappy - wayfreeze socat - fuzzel - imagemagick - wl-screenrec jq fd - libqalculate resources git stow tree traceroute - gnome-disk-utility - networkmanagerapplet progress - wf-recorder - inotify-tools git-crypt gparted ntfs3g ] + (mkIf cfg.common.enable [ + qt6.full + swappy + wayfreeze + imagemagick + wl-screenrec + libqalculate + fuzzel + gnome-disk-utility + networkmanagerapplet + inotify-tools + wf-recorder + ]) + (mkIf cfg.desktop.enable [ protonup winetricks diff --git a/modules/nixos/services/pipewire/default.nix b/modules/nixos/services/pipewire/default.nix index 1c0640dd..ecb1399b 100644 --- a/modules/nixos/services/pipewire/default.nix +++ b/modules/nixos/services/pipewire/default.nix @@ -10,7 +10,6 @@ in { nixos.services.pipewire.enable = mkEnableOption "Enables pipewire"; }; config = mkIf cfg.enable { - security.rtkit.enable = true; services = { pulseaudio.enable = false; pipewire = {
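Review bot: Removing `security.rtkit.enable = true;` from the pipewire module makes PipeWire's realtime scheduling depend on `modules/nixos/boot/kernel/security.nix` being imported, which is an unrelated module that nothing in `services/pipewire` references; if that import is later gated or a host stops using this kernel module, audio silently loses RT priorities with no evaluation error. NixOS merges boolean options, so keeping `security.rtkit.enable = true;` here alongside the one in security.nix costs nothing and keeps each module self-contained; if the intent was to centralise it, a comment `# rtkit is enabled by boot/kernel/security.nix` on the pipewire side would at least record the dependency. The `config = mkIf cfg.enable { ... }` body continues past the end of the hunk.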