Diffstat (limited to 'nixos/configurations/alpha.nix')
-rw-r--r--nixos/configurations/alpha.nix60
1 files changed, 53 insertions, 7 deletions
diff --git a/nixos/configurations/alpha.nix b/nixos/configurations/alpha.nix
index 1e84872..67a8416 100644
--- a/nixos/configurations/alpha.nix
+++ b/nixos/configurations/alpha.nix
@@ -3,16 +3,46 @@
 {
   imports = [];
 
-  security.chromiumSuidSandbox.enable = true;
+  security = {
+    acme.acceptTerms = true;
+    protectKernelImage = true;
+    rtkit.enable = true;
+    chromiumSuidSandbox.enable = true;
+    sudo.wheelNeedsPassword = false;
+  };
 
   boot.kernelPackages = pkgs.linuxPackages_xanmod;
+  boot.kernelParams = [
+    "nmi_watchdog=0"
+    "systemd.watchdog-device/dev/watchdog"
+  ];
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.default.log_martians" = 1;
+    "net.ipv4.conf.all.log_martians" = 1;
+    "net.ipv4.tcp_mtu_probing" = 1;
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_congestion_control" = "bbr2";
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv4.tcp_rfc1337" = 1;
+  };
   # GRUB bootloader
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.grub = {
     enable = true;
     version = 2;
 
-    efiSupport = true;  
+    efiSupport = true; 
     configurationLimit = 10;
     device = "nodev";
     useOSProber = true;
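Review bot: `sudo.wheelNeedsPassword = false;` in the new `security` block lets every wheel member become root without re-authenticating, and since `services.openssh.enable = true` is set further down in this file, one compromised wheel session or SSH key is then equivalent to root. If this is deliberate, a comment such as `# single-user workstation: passwordless sudo for wheel is intentional` would record that; otherwise drop the line so the default (password required) applies. Separately, the kernel parameter `"systemd.watchdog-device/dev/watchdog"` appears to be missing its `=` and would presumably not take effect as written; `"systemd.watchdog-device=/dev/watchdog"` looks like what was intended. The sysctl list also sets `accept_source_route = 0` only for `all` and not for `default`, unlike the redirect settings, which cover both.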
@@ -27,8 +57,6 @@
     '';
   };
 
-  boot.plymouth.enable = true;
-
   networking.networkmanager.enable = true;
   networking.useDHCP = false;
   networking.firewall.enable = true;
@@ -46,9 +74,11 @@
   services.openssh.enable = true;
 
   sound.enable = true;
-  hardware.pulseaudio = {
+  services.pipewire = {
     enable = true;
-    package = pkgs.pulseaudioFull;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
   };
 
   hardware.bluetooth.enable = true;
@@ -56,9 +86,16 @@
   services.greetd = {
     enable = true;
 
-    settings.default_session.command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+    settings.default_session.command = "${pkgs.greetd.tuigreet}/bin/tuigreet -t -c sway";
   };
 
+  # https://github.com/apognu/tuigreet/issues/17
+  systemd.services.greetd.unitConfig.After = lib.mkOverride 0 [ "multi-user.target" ];
+
+  services.journald.extraConfig = lib.mkForce "";
+
+  systemd.extraConfig =  "RebootWatchdogSec=5";
+
   programs = {
     sway = {
       enable = true;
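Review bot: `services.journald.extraConfig = lib.mkForce "";` has no comment explaining it, unlike the greetd ordering override just above, which links its issue. Forcing the option to an empty string discards whatever other modules contribute to journald's `extraConfig`, which can silently change log settings that someone later relies on when investigating the host. If the goal is to undo one particular setting, a comment naming it would help, e.g. `# clear journald extraConfig added by <module>: <reason>`. The same applies to `systemd.extraConfig = "RebootWatchdogSec=5"`, where a short note on why 5 seconds was chosen would show that the value is deliberate.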
@@ -90,6 +127,15 @@
   hardware.opengl.driSupport32Bit = true;
   hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
 
+  xdg.portal = {
+    enable = true;
+    gtkUsePortal = true;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk
+      xdg-desktop-portal-wlr
+    ];
+  };
+
   virtualisation.libvirtd.enable = true;
 
   users.users = {