Declarative NixOS + Home Manager flake for a single x86_64-linux workstation. Follows nixpkgs-unstable. Wayland-first (Hyprland), monochrome aesthetic.
```
flake.nix                        Flake entry point, dev shells, custom packages
modules/
  hardening.nix                  Reusable workstation hardening (importable via nixosModules.hardening)
hosts/p16s/
  configuration.nix              Boot, locale, GC, earlyoom, user account
  hardware-configuration.nix     Generated hardware scan (LUKS, AMD)
  hardware.nix                   GPU, bluetooth, TLP power management, SSD TRIM
  security.nix                   Host-specific PAM config, enables hardening module
  apparmor.nix                   Enforce profiles for thunar, mpv, imv
  usbguard.nix                   USB device whitelist (hash-pinned)
  networking.nix                 NetworkManager, firewall, WireGuard VPN, encrypted DNS
  desktop.nix                    Hyprland/UWSM, greetd, PipeWire, XDG portals
home/
  default.nix                    User env, GTK/cursor theme, core packages
  shell.nix                      Bash, direnv, zoxide, starship prompt
  cli.nix                        Eza, bat, btop, fastfetch
  hyprland.nix                   Compositor keybinds, monitors, input, appearance
  waybar.nix                     Top bar modules and styling
  kitty.nix                      Terminal emulator
  nvim.nix                       Neovim IDE (LSP, treesitter, direnv-aware)
  firefox.nix                    Privacy hardening, containers, extensions
  chromium.nix                   Chromium (Wayland, VA-API)
  git.nix                        SSH commit signing
  claude.nix                     Claude Code hooks and permissions
  taskwarrior.nix                Task manager
  hyprlock.nix                   Lock screen
  dunst.nix / wofi.nix / mpv.nix Notifications, launcher, media player
```
The security hardening is extracted into a standalone NixOS module that can be imported independently:
```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.nixos-scttpr.url = "github:scttpr/nixos";

  outputs = { nixpkgs, nixos-scttpr, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        nixos-scttpr.nixosModules.hardening
        { modules.hardening.enable = true; }
        ./configuration.nix   # your own host configuration
      ];
    };
  };
}
```

This enables: kernel module blacklist, sysctl hardening (network, memory and process), proc hidepid, tmpfs hardening, core dump disabling, and umask 077. See modules/hardening.nix for details. Privilege escalation is not part of the module: doas + FIDO2 is configured per host in auth.nix.
- Kernel: module blacklist (firewire, rare protocols/filesystems), ASLR hardening, ptrace/dmesg/kptr restrictions, BPF disabled for unprivileged, slab_nomerge
- Network: firewall with connection logging, ICMP/redirect hardening, TCP syncookies, encrypted DNS (Quad9 DoT via systemd-resolved), MAC randomization, IPv6 privacy extensions
- Boot: Secure Boot via lanzaboote (signed UKIs, sbctl-enrolled keys)
- Disk: LUKS root with TPM2 auto-unlock bound to PCR7; zram swap (no disk swap). PCR7 measures the Secure Boot policy and the certificates used to verify the boot chain, so the TPM stops releasing the key (and the LUKS passphrase is required) if Secure Boot is disabled or the enrolled keys change; it does not change for a different kernel or cmdline signed with the same keys, which is why it is paired with signed UKIs
- Auth: FIDO2-only PAM (Nitrokey, no password fallback, so enroll a second token as well or a lost key locks the account out); doas replaces sudo (5-min persist)
- AppArmor: enforce mode on file manager and media apps
- USBGuard: whitelist-only policy with hash-pinned devices
- Process isolation: hidepid=2, core dumps disabled, umask 077
- Browser: HTTPS-only, TLS 1.2+, OCSP, container isolation, no telemetry, speculative connections disabled
- Shell: auto-logout after 15 min idle, clipboard auto-clear
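A NixOS module of the shape the README describes, written here as an illustration (it is not the repository's modules/hardening.nix): it uses the same `modules.hardening.enable` option name and covers the kernel, sysctl, /proc, tmpfs, core-dump and umask items from the list above. The blacklist contents, the exact sysctl values, the exempt `proc` group and its gid 31337 are this example's choices, and "tmpfs hardening" is read here as /tmp on tmpfs, cleared at boot.

```nix
# Illustrative hardening module (not the project's own file). Import it
# from a host configuration and set `modules.hardening.enable = true;`.
{ config, lib, ... }:

let
  cfg = config.modules.hardening;
in
{
  options.modules.hardening.enable =
    lib.mkEnableOption "workstation kernel and process hardening";

  config = lib.mkIf cfg.enable {
    # Module blacklist: FireWire (DMA attack surface), rarely used network
    # protocols and filesystems that only add kernel parsing surface.
    boot.blacklistedKernelModules = [
      "firewire-core" "firewire-ohci" "firewire-sbp2"
      "dccp" "sctp" "rds" "tipc"
      "cramfs" "freevxfs" "jffs2" "hfs" "hfsplus" "udf"
    ];

    # slab_nomerge keeps slab caches separate, so an overflow in one object
    # type cannot land on objects of another type that share a merged cache.
    boot.kernelParams = [ "slab_nomerge" ];

    boot.kernel.sysctl = {
      # Memory/process: full ASLR, hide kernel pointers, restrict dmesg,
      # ptrace only from a direct ancestor (Yama), no unprivileged BPF.
      "kernel.randomize_va_space" = 2;
      "kernel.kptr_restrict" = 2;
      "kernel.dmesg_restrict" = 1;
      "kernel.yama.ptrace_scope" = 1;
      "kernel.unprivileged_bpf_disabled" = 1;
      "net.core.bpf_jit_harden" = 2;
      # setuid binaries never dump core
      "fs.suid_dumpable" = 0;

      # Network: syncookies, no ICMP redirects in or out, no source routing,
      # reverse-path filtering, IPv6 privacy extensions.
      "net.ipv4.tcp_syncookies" = 1;
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.send_redirects" = 0;
      "net.ipv4.conf.default.send_redirects" = 0;
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv4.conf.all.rp_filter" = 1;
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
      "net.ipv6.conf.all.use_tempaddr" = 2;
      "net.ipv6.conf.default.use_tempaddr" = 2;
    };

    # /proc with hidepid=2: users only see their own processes. The gid
    # option exempts one group; logind is put in it so session lookups keep
    # working. The options list is merged with NixOS's own nosuid/noexec/nodev.
    users.groups.proc.gid = 31337;
    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=31337" ];
    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];

    # Core dumps off: no systemd-coredump, and a hard core limit of 0 for
    # every login session.
    systemd.coredump.enable = false;
    security.pam.loginLimits = [
      { domain = "*"; type = "hard"; item = "core"; value = "0"; }
    ];

    # /tmp on tmpfs, wiped at every boot.
    boot.tmp.useTmpfs = true;
    boot.tmp.cleanOnBoot = true;

    # Default umask 077 for login sessions (files private by default).
    security.loginDefs.settings.UMASK = "077";
  };
}
```

After a rebuild, `ps -e` as the unprivileged user should list only that user's processes, `cat /proc/sys/kernel/unprivileged_bpf_disabled` should print 1, and `ulimit -Hc` in a fresh login shell should print 0; if a desktop component stops seeing sessions, it needs the same `SupplementaryGroups` treatment as logind.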
```sh
nix develop .#rust         # Rust toolchain (rustc, cargo, analyzer, clippy)
nix develop .#netsec       # Pentesting (nmap, metasploit, sqlmap, wireshark)
nix develop .#binanalysis  # Reverse engineering (radare2, gdb/gef, yara)
nix develop .#hamradio     # SDR and digital modes (sdrpp, wsjtx, gnuradio)
nix develop .#llm          # Local AI (ollama, aichat, python3, uv)
```

This config is designed for a single machine. To adapt it:

- Change `user` in `flake.nix` (single variable, propagated everywhere)
- Rename `hosts/p16s/` to your machine and update the `nixosConfigurations` key in `flake.nix`
- Replace `hardware-configuration.nix` with your own (`nixos-generate-config`)
- Replace USBGuard rules in `hosts/p16s/usbguard.nix` (`usbguard generate-policy`)
- Update WireGuard config in `hosts/p16s/networking.nix`
- Update monitor config in `home/hyprland.nix`
- Update git identity in `home/git.nix`
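Regenerating the USBGuard whitelist is the one step above whose output deserves a check before it is switched in: an `allow` rule that `usbguard generate-policy` emits without a `hash` attribute (or an accidental bare `allow`) matches on vendor/product id alone, which any device can present, whereas the hash covers the full set of descriptors the device exposes. The following is an added example, not code from the repository: a POSIX sh check that reads a generated policy on stdin and rejects any `allow` rule that is not hash-pinned. The sample rules, their ids and hashes are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of scttpr/nixos): refuse to install a USBGuard
# policy unless every `allow` rule is pinned to a device hash.
#
# Real usage, as root on the machine the policy is for:
#   usbguard generate-policy > usbguard-rules.conf
#   usbguard_unpinned_rules < usbguard-rules.conf && echo "all allow rules hash-pinned"

# Print every `allow` rule that carries no `hash "..."` attribute, with its
# line number, and return 1 if any were found. Rules are read from stdin.
# The leading space in the pattern keeps `parent-hash` from counting as a pin.
usbguard_unpinned_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
        $1 == "allow" && $0 !~ / hash "[A-Za-z0-9+\/=]+"/ {
            printf "line %d: allow rule is not hash-pinned: %s\n", NR, $0
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Number of `allow` rules in a policy read from stdin: a sanity check that
# the generated file is not empty before rebuilding with it.
usbguard_allow_count() {
    awk '$1 == "allow" { n++ } END { print n + 0 }'
}

# Constructed sample policies. Ids and hashes are made up, not real devices.
SAMPLE_PINNED='# generated on host p16s
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "usb1" with-interface 09:00:00
allow id 20a0:42b2 serial "" name "Nitrokey 3" hash "ZVnm4nc3TLe4Zq3QoI5Q1QDnr6XzsRTYyfoZ5kqmVPU=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 03:00:00 03:01:00 }'

# Second rule matches any device claiming that id; third rule allows everything.
SAMPLE_LOOSE='allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "usb1"
allow id 0781:5583 name "SanDisk Ultra Fit"
allow'

if printf '%s\n' "$SAMPLE_PINNED" | usbguard_unpinned_rules; then
    echo "sample 1: all $(printf '%s\n' "$SAMPLE_PINNED" | usbguard_allow_count) allow rules are hash-pinned"
fi
printf '%s\n' "$SAMPLE_LOOSE" | usbguard_unpinned_rules || echo "sample 2: refusing to install this policy"
```

Run the real policy through the check before pasting it into `services.usbguard.rules` (the NixOS option takes the rules as a string); the second sample's id-only flash drive rule is exactly what the "hash-pinned" requirement above forbids.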
```sh
sudo nixos-rebuild switch --flake .#p16s      # Apply configuration
sudo nixos-rebuild dry-build --flake .#p16s   # Verify without applying
nix flake check                               # Validate flake
nix fmt                                       # Format nix files
```

On a machine already running this configuration, use `doas` in place of `sudo` above, since sudo is replaced.

License: MIT