Address PR review feedback: security, documentation, and configuration improvements

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
copilot-swe-agent[bot]
2026-02-01 19:50:18 +00:00
parent 41de438583
commit df02e01ce8
6 changed files with 84 additions and 42 deletions


@@ -45,6 +45,9 @@ nixos-config/
git clone <this-repo> ~/nixos-config
cd ~/nixos-config
# Create the host directory (replace <hostname> with your actual hostname)
mkdir -p hosts/<hostname>
# Replace the placeholder hardware-configuration.nix with your actual one
cp /etc/nixos/hardware-configuration.nix hosts/<hostname>/
```
@@ -60,10 +63,12 @@ Edit the following files and replace these placeholders:
| `<timezone>` | `America/New_York` | `modules/common.nix` |
| `<locale>` | `en_US.UTF-8` | `modules/common.nix` |
Also rename `hosts/hostname/` to match your actual hostname.
Also rename the `hosts/hostname/` directory to match your actual hostname, and ensure the same hostname is used for all `<hostname>` placeholders (including in `flake.nix`).
### 3. Stage Files in Git
**IMPORTANT:** Flakes require all files to be tracked by git before building.
```bash
cd ~/nixos-config
git add .
@@ -78,11 +83,16 @@ nix flake show
### 5. Build and Switch
**IMPORTANT:** Ensure all files are staged in git (step 3) before building.
```bash
# Build and switch to dev config as main system profile
sudo nixos-rebuild switch --flake .#dev
# Build gaming config as separate boot profile
# (Optional) Test gaming config without committing it as a boot option
sudo nixos-rebuild test --flake .#gaming
# Build gaming config as separate boot profile (available after next reboot)
sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
```
@@ -94,20 +104,22 @@ Boot menu should show:
## Updating
**IMPORTANT:** Always update both profiles together to avoid kernel/Mesa version drift:
**IMPORTANT:** Always update both profiles together to avoid kernel/Mesa version drift.
### After Configuration Changes
```bash
cd ~/nixos-config
git add .
git add . # Stage your configuration changes
sudo nixos-rebuild switch --flake .#dev
sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
```
To update flake inputs:
### Updating Flake Inputs Only
```bash
nix flake update
git add flake.lock
git add flake.lock # Only stage the lock file, not other changes
sudo nixos-rebuild switch --flake .#dev
sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
```
@@ -124,19 +136,24 @@ sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
### Change Password
Generate a password hash and update `modules/common.nix`:
```bash
passwd
mkpasswd -m sha-512
# Copy the output and replace <replace-with-password-hash> in common.nix
```
### Setup MangoWC
MangoWC is configured to auto-start via greetd. To customize it:
```bash
mkdir -p ~/.config/mango
cp /etc/mango/config.conf ~/.config/mango/config.conf
# Create autostart script
# Create autostart script for Noctalia shell
cat > ~/.config/mango/autostart.sh << 'EOF'
#!/bin/bash
# Ensure quickshell is in PATH (it should be as a user package)
qs -c noctalia-shell &
EOF
chmod +x ~/.config/mango/autostart.sh
@@ -147,9 +164,13 @@ Add to `~/.config/mango/config.conf`:
exec-once="~/.config/mango/autostart.sh"
```
### Auto-start MangoWC from TTY
### Dev Profile: Docker Access
Add to `~/.bash_profile` or `~/.zprofile`:
After switching to the dev profile for the first time, you must log out and log back in (or reboot) for Docker group membership to take effect.
### Auto-start MangoWC from TTY (Alternative)
If not using greetd, add to `~/.bash_profile` or `~/.zprofile`:
```bash
if [[ -z $WAYLAND_DISPLAY ]] && [[ $(tty) == /dev/tty1 ]]; then
exec mango


@@ -1,6 +1,9 @@
{
description = "NixOS - Isolated Gaming & Dev configurations";
# SECURITY NOTE: After first build, commit flake.lock to pin inputs to specific
# commits. Update via `nix flake update` only from trusted sources.
# This protects against supply-chain attacks from upstream changes.
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
@@ -24,13 +27,18 @@
outputs = { self, nixpkgs, mango, quickshell, noctalia, ... }@inputs:
let
system = "x86_64-linux";
lib = nixpkgs.lib;
specialArgs = { inherit inputs system; };
# Verify mango flake exports the expected module
mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;
mango.nixosModules.mango;
# IMPORTANT: Replace <hostname> with actual hostname
commonModules = [
./hosts/<hostname>/hardware-configuration.nix
./modules/common.nix
mango.nixosModules.mango
mangoModule
];
in {
nixosConfigurations = {
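Review bot: The new `mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;` binding fails with Nix's bare "assertion failed" message, which gives no hint that the `mango` input changed shape rather than something in this flake; wrapping it in `lib.assertMsg` names the cause: `mangoModule = assert lib.assertMsg (lib.hasAttrByPath [ "nixosModules" "mango" ] mango) "mango input does not export nixosModules.mango (check its revision in flake.lock)"; mango.nixosModules.mango;`. The SECURITY NOTE comment in the first hunk would be more useful if it said what the lock actually pins (each input's revision and narHash), since pinning only helps when a `nix flake update` diff to those fields is reviewed before being committed. The `outputs` function continues past the end of the hunk.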


@@ -7,7 +7,8 @@
# To generate a new hardware configuration, run:
# sudo nixos-generate-config --show-hardware-config > hardware-configuration.nix
#
# This placeholder will NOT work for actual system builds.
# This placeholder will NOT work for actual system builds - the UUIDs below
# are placeholders that must be replaced with your actual disk UUIDs.
{ config, lib, pkgs, modulesPath, ... }:
@@ -22,20 +23,21 @@
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Example filesystem configuration (replace with your actual mounts)
# fileSystems."/" = {
# device = "/dev/disk/by-uuid/YOUR-ROOT-UUID";
# fsType = "ext4";
# };
#
# fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/YOUR-BOOT-UUID";
# fsType = "vfat";
# };
#
# swapDevices = [
# { device = "/dev/disk/by-uuid/YOUR-SWAP-UUID"; }
# ];
# IMPORTANT: Replace these UUIDs with your actual disk UUIDs
# Find your UUIDs with: lsblk -f
fileSystems."/" = {
device = "/dev/disk/by-uuid/REPLACE-WITH-YOUR-ROOT-UUID";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/REPLACE-WITH-YOUR-BOOT-UUID";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/REPLACE-WITH-YOUR-SWAP-UUID"; }
];
# CPU microcode updates for AMD
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
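Review bot: Turning the commented-out example into live `fileSystems` and `swapDevices` entries with `REPLACE-WITH-YOUR-*-UUID` devices means an unedited copy of this file now evaluates and builds cleanly, and `nixos-rebuild boot`/`switch` will happily write a generation whose root device does not exist; the old commented form at least failed to build. A module assertion on the root device makes the placeholder state a hard evaluation error instead, and also catches the case where the README's `cp /etc/nixos/hardware-configuration.nix` step was skipped (it only checks `/`, which is enough to stop the build). The enclosing attribute set starts before the hunk.
```nix
  # Refuse to evaluate while the placeholder UUIDs are still present, so an
  # unedited copy of this file cannot produce an unbootable generation.
  assertions = [
    {
      assertion = !(lib.hasInfix "REPLACE-WITH-YOUR" config.fileSystems."/".device);
      message = "hosts/<hostname>/hardware-configuration.nix still contains placeholder UUIDs; regenerate it with nixos-generate-config.";
    }
  ];
  # … unchanged: fileSystems, swapDevices, microcode …
```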


@@ -21,8 +21,8 @@
# AMD GPU - RDNA 4 (RX 9060 XT) + Zen 3 CPU (5700G)
# --------------------------------------------------------------------------
# CRITICAL: RDNA 4 requires navi44 firmware blobs
hardware.enableAllFirmware = true;
# RDNA 4 requires navi44 firmware blobs (included in redistributable firmware)
hardware.enableRedistributableFirmware = true;
# Use the modern amdgpu NixOS module (cleaner than manual initrd config)
hardware.amdgpu.initrd.enable = true;
@@ -69,6 +69,16 @@
# Enable seatd for session management
services.seatd.enable = true;
# Use greetd to automatically start a MangoWC session on login
services.greetd = {
enable = true;
settings.default_session = {
command = "mango";
# IMPORTANT: Replace <username> with actual username
user = "<username>";
};
};
# --------------------------------------------------------------------------
# USER ACCOUNT
# --------------------------------------------------------------------------
@@ -76,8 +86,9 @@
users.users.<username> = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "video" "seat" ];
# Set initial password or use hashedPassword
initialPassword = "changeme";
# IMPORTANT: Generate a password hash with: mkpasswd -m sha-512
# Then replace the placeholder below with the generated hash
hashedPassword = "<replace-with-password-hash>";
packages = with pkgs; [
# -- Noctalia Shell --
inputs.quickshell.packages.${system}.default
@@ -121,9 +132,9 @@
# FONTS
# --------------------------------------------------------------------------
fonts.packages = with pkgs; [
# Nerd fonts - syntax changed in nixpkgs after 24.05
# If using older nixpkgs: (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
# Current nixpkgs-unstable uses individual packages:
# Nerd fonts: current syntax for nixos-unstable and NixOS >= 24.05
# For older nixpkgs (before this change), use:
# (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
nerd-fonts.jetbrains-mono
# Other fonts
@@ -166,5 +177,5 @@
# IMPORTANT: Set to the NixOS version of your install media
# Check with: nixos-version
# Do NOT change this after initial install
system.stateVersion = "25.05";
system.stateVersion = "24.11";
}
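Review bot: The greetd block added in the `@@ -69,6 +69,16 @@` hunk sets `default_session.command = "mango"` with a fixed `user`, which makes greetd launch the compositor directly as that account with no greeter and no authentication, so the console auto-logs into the session at boot regardless of the password hash the later hunk configures; the comment `# Use greetd to automatically start a MangoWC session on login` should state this, e.g. `# Auto-login: greetd starts mango as <username> without prompting for a password — anyone at the console gets this session; put a greeter in default_session if authentication is wanted.`. Separately, in the `@@ -76,8 +86,9 @@` hunk, a literal `hashedPassword` value ends up in the world-readable Nix store and in this repository's git history; `users.users.<username>.hashedPasswordFile` pointing at a root-only file outside the repo avoids both, and the README's `mkpasswd -m sha-512` step could write to that file instead. The user block continues past the end of its hunk.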


@@ -23,6 +23,8 @@
};
# IMPORTANT: Replace <username> with actual username
# NOTE: After first enabling/applying this dev profile, you must log out and
# log back in (or reboot) for the docker group membership to take effect.
users.users.<username>.extraGroups = [ "docker" ];
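Review bot: The new NOTE above `users.users.<username>.extraGroups = [ "docker" ];` explains the re-login step but not what the membership grants: access to the root-owned daemon socket, which is effectively root on the host. Extend the comment so the reader weighs that before copying it, e.g. `# SECURITY: the docker group is root-equivalent (the daemon runs as root and will bind-mount any host path); grant it only to the primary admin account, or use rootless Docker (virtualisation.docker.rootless) instead.`. The enclosing module starts before the hunk.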
# --------------------------------------------------------------------------


@@ -27,7 +27,7 @@
enableRenice = true;
settings = {
general = {
renice = 10;
renice = -10; # Negative value = higher priority for games
};
gpu = {
apply_gpu_optimisations = "accept-responsibility";
@@ -48,6 +48,11 @@
};
};
# NOTE: Profile-specific group membership
# The user must be in the "corectrl" and "gamemode" groups for these
# programs to function correctly. These groups are only added when using
# the gaming profile. If you need consistent group membership across
# both profiles, add these groups to common.nix instead.
# IMPORTANT: Replace <username> with actual username
users.users.<username>.extraGroups = [ "corectrl" "gamemode" ];
@@ -91,11 +96,4 @@
# may crash without this setting due to high mmap requirements.
"vm.max_map_count" = 2147483642;
};
# Additional kernel params for gaming (appends to common.nix params)
boot.kernelParams = [
"amd_pstate=active" # Inherited from common, but explicit for clarity
"mitigations=off" # Optional: Disable CPU mitigations for ~5% perf gain
# Remove this line if security is a concern
];
}
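Review bot: The `renice = -10;` change in the first hunk appears to invert the setting: gamemode's example configuration documents `renice` as a value from 0 to 20 that the daemon negates before applying it as the nice value, so the original `renice = 10;` already meant games run at nice -10, and a negative value falls outside the documented range (I have not checked how the packaged gamemoded version treats out-of-range values, so confirm in its log). Suggested: `renice = 10; # gamemode negates this (0-20) and runs games at nice -10`. The new comment in the second hunk about profile-specific group membership is accurate and needs no change.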