Add dotfiles

modules/core/blocker.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  ...
+}:
+# this should block *most* junk sites
+# make sure to ALWAYS lock commit hash to avoid fed honeypots
+# three letter agencies go fuck yourself
+{
+  networking.extraHosts =
+    builtins.readFile (pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/StevenBlack/hosts/e1bb5f08e6f9f4daef93cc327580a95f83959f38/alternates/fakenews-gambling/hosts";
+      sha256 = "LZt3/AvsbYuW+TWsnGnRQNXhvGYO0tMc7uHY/A19bUc=";
+      # blocks fakenews, gambling and coomer sites
+    })
+    + builtins.readFile (pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/shreyasminocha/shady-hosts/fc9cc4020e80b3f87024c96178cba0f766b95e7a/hosts";
+      sha256 = "jbsEiIcOjoglqLeptHhwWhvL/p0PI3DVMdGCzSXFgNA=";
+      # blocks some shady fed sites
+    })
+    + builtins.readFile (pkgs.fetchurl {
+      # blocks crypto phishing scams
+      url = "https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/3be0b9594f0bc6e3e699ee30cb2e809618539597/src/hosts.txt";
+      sha256 = "b3HvaLxnUJZOANUL/p+XPNvu9Aod9YLHYYtCZT5Lan0=";
+    })
+    + builtins.readFile (pkgs.fetchurl {
+      # generic ads
+      url = "https://raw.githubusercontent.com/AdAway/adaway.github.io/04f783e1d9f48bd9ac156610791d7f55d0f7d943/hosts.txt";
+      sha256 = "mp0ka7T0H53rJ3f7yAep3ExXmY6ftpHpAcwWrRWzWYI=";
+    });
+}

modules/core/bootloader.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    tmp.cleanOnBoot = true;
+    bootspec.enable = true;
+    consoleLogLevel = 0;
+
+    kernelParams = [
+      "cgroup_no_v1=all"
+      "systemd.unified_cgroup_hierarchy=yes"
+    ];
+    initrd.verbose = false;
+
+    loader = {
+      systemd-boot.enable = true;
+      systemd-boot.editor = false;
+      efi.canTouchEfiVariables = true;
+      timeout = 1;
+    };
+  };
+}

modules/core/default.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./system.nix
+    ./nix.nix
+    ./users.nix
+    ./xdg.nix
+
+    ./schizo.nix
+    ./network.nix
+    ./blocker.nix
+
+    ./display.nix
+  ];
+}

modules/core/display.nix

@@ -0,0 +1,111 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
+  # Display manager
+  services.xserver.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.displayManager.autoLogin.enable = true;
+  services.xserver.displayManager.autoLogin.user = "muon";
+
+  # Window manager
+  #services.xserver.windowManager.leftwm.enable = true;
+  #services.xserver.windowManager.herbstluftwm.enable = true;
+
+  services.xserver.windowManager.xmonad = {
+    enable = true;
+    enableContribAndExtras = true;
+  };
+  systemd.user.services.xmobar = {
+    script = "${lib.getExe pkgs.xmobar}";
+    wantedBy = [ "graphical-session.target" ];
+    partOf = [ "graphical-session.target" ];
+  };
+
+  # system.activationScripts = {
+  #   screenlayout.text = ''
+  #     ${lib.getExe pkgs.xrandr} --output DVI-D-0 --off --output HDMI-0 --off --output HDMI-1 --mode 1920x1080 --pos 2560x0 --rotate right --output DP-0 --off --output DP-1 --off --output DP-2 --primary --mode 2560x1440 --pos 0x480 --rotate normal --output DP-3 --off
+  #   '';
+  # };
+  systemd.services.screensetter = {
+    enable = true;
+    description = "sets correct screen resolution";
+    wantedBy = [ "graphical-session.target"];
+    # Add this line in your nixos configuration (E.G. the "configuration.nix" file or a module imported into it)
+    # this allows you to use `xrandr` inside of scripts called by this service
+    # https://www.reddit.com/r/NixOS/comments/w4fj6p/comment/ih1oa5e/?utm_source=reddit&utm_medium=web2x&context=3
+    path = [ pkgs.xorg.xrandr ];
+
+    unitConfig = {
+      type = "simple";
+    };
+
+    serviceConfig = {
+      # ExecStart = "/home/<this_user>/.screenlayout/nixos-screenlayout.sh";
+      ExecStart = "${config.users.users.muon.home}/.screenlayout/main.sh";
+    };
+  };
+
+  # systemd.user.services.screenlayout = {
+  #   script = "${config.users.users.muon.home}/.screenlayout/main.sh";
+  #   wantedBy = [ "graphical-session.target" ];
+  #   partOf = [ "graphical-session.target" ];
+  # };
+
+  # Wayland
+  # services.xserver.displayManager.gdm.wayland = true;
+  # programs.hyprland.package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
+  # programs.hyprland.enable = true;
+
+  # environment.variables = {
+  #   GDK_SCALE="2";
+  #   XCURSOR_SIZE="24";
+  # };
+
+  # hardware = {
+  #   opengl = {
+  #     enable = true;
+  #     driSupport = true;
+  #     driSupport32Bit = true;
+  #     extraPackages = with pkgs; [
+  #       vaapiVdpau
+  #       libvdpau-va-gl
+  #     ];
+  #   };
+  #   pulseaudio.support32Bit = true;
+  # };
+
+  # xdg.portal = {
+  #   enable = true;
+  #   wlr.enable = false;
+  #   extraPortals = [
+  #     pkgs.xdg-desktop-portal-gtk
+  #   ];
+  # };
+
+  # sound = {
+  #   enable = true;
+  #   mediaKeys.enable = true;
+  # };
+
+  # Hide cursor
+  services.xbanish.enable = true;
+
+  # Install fonts
+  fonts = {
+      fonts = with pkgs; [
+          mononoki
+          openmoji-color
+          (nerdfonts.override { fonts = [ "Mononoki" ]; })
+      ];
+      fontconfig = {
+          hinting.autohint = true;
+          defaultFonts = {
+            emoji = [ "OpenMoji Color" ];
+          };
+      };
+  };
+}

modules/core/network.nix

@@ -0,0 +1,80 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking = {
+    interfaces.enp0s31f6.mtu = 1200;
+    networkmanager = {
+      enable = true;
+      wifi.macAddress = "random";
+    };
+    firewall = {
+      enable = true;
+      # if your minecraft server is not worky
+      # this is probably why
+      # Steam Remote UDP ports 27031 and 27036 and TCP ports 27036 and 27037
+      allowedTCPPorts = [443 80 22 7000 8080 5432 27036 27037 9122];
+      allowedUDPPorts = [443 80 44857 8080 27031 51820];
+      allowPing = true;
+      logReversePathDrops = true;
+    };
+    # nameservers = ["10.8.0.1"];
+  };
+  environment.etc = {
+    "resolv.conf".text = ''
+      options timeout:1
+      nameserver 192.168.1.1
+    '';
+  };
+
+  # slows down boot time
+  systemd.services.NetworkManager-wait-online.enable = false;
+
+  # services.openvpn.servers = {
+  #   remote = { config = ''config ${config.users.users.muon.home}/documents/openvpn/muon.ovpn''; };
+  # };
+
+  # services.openssh = {
+  #   enable = true;
+  #   ports = [9122];
+  # };
+
+  # # Enable WireGuard
+  # networking.wireguard.interfaces = {
+  #   # "wg0" is the network interface name. You can name the interface arbitrarily.
+  #   wg0 = {
+  #     # Determines the IP address and subnet of the client's end of the tunnel interface.
+  #     ips = [ "10.10.10.2/24" ];
+  #     listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+  #     # Path to the private key file.
+  #     #
+  #     # Note: The private key can also be included inline via the privateKey option,
+  #     # but this makes the private key world-readable; thus, using privateKeyFile is
+  #     # recommended.
+  #     privateKeyFile = ''${config.users.users.muon.home}/documents/wireguard/vpn-client-private.key'';
+
+  #     peers = [
+  #       # For a client configuration, one peer entry for the server will suffice.
+
+  #       {
+  #         # Public key of the server (not a file path).
+  #         publicKey = "iBuHEKkNftQHXHJbj1wJS2D/PwXHkldvkdQQCPsCRH0=";
+
+  #         # Forward all the traffic via VPN.
+  #         allowedIPs = [ "0.0.0.0/0" ];
+  #         # Or forward only particular subnets
+  #         #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
+
+  #         # Set this to the server IP and port.
+  #         endpoint = "93.95.230.11:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+  #         # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+  #         persistentKeepalive = 25;
+  #       }
+  #     ];
+  #   };
+  # };
+}

modules/core/nix.nix

@@ -0,0 +1,98 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
+  environment = {
+    # set channels (backwards compatibility)
+    etc = {
+      "nix/flake-channels/nixpkgs".source = inputs.nixpkgs;
+      "nix/flake-channels/home-manager".source = inputs.home-manager;
+    };
+
+    systemPackages = with pkgs; [git deadnix alejandra statix];
+    defaultPackages = [];
+  };
+
+  nixpkgs = {
+    config = {
+      allowUnfree = false;
+      allowBroken = true;
+    };
+  };
+
+  # faster rebuilding
+  documentation = {
+    enable = true;
+    doc.enable = false;
+    man.enable = true;
+    dev.enable = false;
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "daily";
+      options = "--delete-older-than 3d";
+    };
+    package = pkgs.nixUnstable;
+
+    # Make builds run with low priority so my system stays responsive
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedClass = "idle";
+
+    # pin the registry to avoid downloading and evaling a new nixpkgs version every time
+    registry = lib.mapAttrs (_: v: {flake = v;}) inputs;
+
+    # This will additionally add your inputs to the system's legacy channels
+    # Making legacy nix commands consistent as well, awesome!
+    nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
+
+    # Free up to 1GiB whenever there is less than 100MiB left.
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      keep-outputs = true
+      warn-dirty = false
+      keep-derivations = true
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+      use-xdg-base-directories = true
+    '';
+    settings = {
+      auto-optimise-store = true;
+      # use binary cache, its not gentoo
+      builders-use-substitutes = true;
+      # allow sudo users to mark the following values as trusted
+      allowed-users = ["@wheel"];
+      # only allow sudo users to manage the nix store
+      trusted-users = ["@wheel"];
+      sandbox = true;
+      max-jobs = "auto";
+      # continue building derivations if one fails
+      keep-going = true;
+      log-lines = 20;
+      extra-experimental-features = ["flakes" "nix-command" "recursive-nix" "ca-derivations"];
+
+      # use binary cache, its not gentoo
+      substituters = [
+        "https://cache.nixos.org"
+        "https://nix-community.cachix.org"
+        "https://nixpkgs-unfree.cachix.org"
+        "https://oxalica.cachix.org"
+        "https://hyprland.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+        "oxalica.cachix.org-1:h0iRBw6tQD8+51ZvnNEBPbwLR58UD7klauDBWzBdugQ="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      ];
+    };
+  };
+  system.autoUpgrade.enable = false;
+  system.stateVersion = "23.05"; # DONT TOUCH THIS
+}

modules/core/schizo.nix

@@ -0,0 +1,152 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  services.tor = {
+    enable = true;
+    client.enable = true;
+    torsocks.enable = true;
+  };
+  environment.systemPackages = with pkgs; [
+    (writeScriptBin "sudo" ''exec doas "$@"'')
+  ];
+  security = {
+    protectKernelImage = true;
+    lockKernelModules = false;
+    rtkit.enable = true;
+    apparmor = {
+      enable = true;
+      killUnconfinedConfinables = true;
+      packages = [pkgs.apparmor-profiles];
+    };
+    pam = {
+      loginLimits = [
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "soft";
+          value = "524288";
+        }
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "hard";
+          value = "1048576";
+        }
+      ];
+      services = {
+        login.enableGnomeKeyring = true;
+      };
+    };
+
+
+    doas = {
+      enable = true;
+      extraRules = [
+        {
+          groups = ["wheel"];
+          persist = true;
+          keepEnv = false;
+        }
+        {
+          groups = ["power"];
+          noPass = true;
+          cmd = "${pkgs.systemd}/bin/poweroff";
+        }
+        {
+          groups = ["power"];
+          noPass = true;
+          cmd = "${pkgs.systemd}/bin/reboot";
+        }
+        {
+          groups = ["nix"];
+          cmd = "nix-collect-garbage";
+          noPass = true;
+        }
+        {
+          groups = ["nix"];
+          cmd = "nixos-rebuild";
+          keepEnv = true;
+        }
+      ];
+    };
+    sudo.enable = false;
+  };
+
+  boot.kernel.sysctl = {
+    "kernel.yama.ptrace_scope" = 2;
+    "kernel.kptr_restrict" = 2;
+    "kernel.sysrq" = 0;
+    "net.core.bpf_jit_enable" = false;
+    "kernel.ftrace_enabled" = false;
+    "net.ipv4.conf.all.log_martians" = true;
+    "net.ipv4.conf.all.rp_filter" = "1";
+    "net.ipv4.conf.default.log_martians" = true;
+    "net.ipv4.conf.default.rp_filter" = "1";
+    "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+    "net.ipv4.conf.all.accept_redirects" = false;
+    "net.ipv4.conf.all.secure_redirects" = false;
+    "net.ipv4.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.default.secure_redirects" = false;
+    "net.ipv6.conf.all.accept_redirects" = false;
+    "net.ipv6.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.all.send_redirects" = false;
+    "net.ipv4.conf.default.send_redirects" = false;
+    "net.ipv6.conf.default.accept_ra" = 0;
+    "net.ipv6.conf.all.accept_ra" = 0;
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_timestamps" = 0;
+    "net.ipv4.tcp_rfc1337" = 1;
+    "net.ipv4.tcp_fastopen" = 3;
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  # Security
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "vivid"
+    "gfs2"
+    "ksmbd"
+    "nfsv4"
+    "nfsv3"
+    "cifs"
+    "nfs"
+    "cramfs"
+    "freevxfs"
+    "jffs2"
+    "hfs"
+    "hfsplus"
+    "squashfs"
+    "udf"
+    "bluetooth"
+    "btusb"
+    # "uvcvideo" # thats why your webcam not worky
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "omfs"
+    # "uvcvideo"
+    "qnx4"
+    "qnx6"
+    "sysv"
+  ];
+}

modules/core/system.nix

@@ -0,0 +1,258 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  xdg,
+  ...
+}: {
+  # compress half of the ram to use as swap
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+  };
+
+  # TODO Move?
+  environment.variables = {
+    EDITOR = "nvim";
+    BROWSER = "chromium";
+  };
+
+  nixpkgs.overlays = [ inputs.rust-overlay.overlays.default ];
+  environment.systemPackages = with pkgs; [
+    git
+    clang
+    llvmPackages_16.bintools
+    rust-bin.nightly.latest.default
+    # support both 32- and 64-bit applications
+    wineWowPackages.stable
+    # winetricks (all versions)
+    winetricks
+    texlive.combined.scheme-small
+  ];
+
+  virtualisation.virtualbox.host.enable = true;
+  users.extraGroups.vboxusers.members = [ "muon" ];
+
+  # Set your time zone.
+  time.timeZone = "Atlantic/Reykjavik";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_DK.UTF-8";
+    LC_IDENTIFICATION = "en_DK.UTF-8";
+    LC_MEASUREMENT = "en_DK.UTF-8";
+    LC_MONETARY = "en_DK.UTF-8";
+    LC_NAME = "en_DK.UTF-8";
+    LC_NUMERIC = "en_DK.UTF-8";
+    LC_PAPER = "en_DK.UTF-8";
+    LC_TELEPHONE = "en_DK.UTF-8";
+    LC_TIME = "en_DK.UTF-8";
+  };
+
+  # Configure keymap in X11
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "";
+    xkbOptions = "caps:escape";
+  };
+
+  # Use keymap in console
+  console.useXkbConfig = true;
+
+  programs.thunar.enable = true;
+  services.gvfs.enable = true; # Mount, trash, and other functionalities
+  services.tumbler.enable = true; # Thumbnail support for images
+
+  # Sound
+  sound = {
+    enable = true;
+  };
+
+  hardware.pulseaudio.enable = true;
+  security.rtkit.enable = true;
+
+  services.pipewire = {
+    enable = false;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  virtualisation.docker.enable = true;
+
+  services.syncthing = with config.users.users.muon; {
+    enable = true;
+    user = "muon";
+    dataDir = "${config.xdg.userDirs.documents}";
+    configDir = "${home}/.config/syncthing";
+
+    overrideDevices = true;
+    overrideFolders = true;
+
+    devices = {
+      "syncthing" = { 
+        id = "SDFDQ4N-UPPGKQH-JWVII4O-FT4XTH3-FT2RPMZ-EQC57PQ-VXL7BBD-4LLPTA4";
+      };
+    };
+
+    folders = {
+      "documents" = {
+        path = "${home}/documents";
+        devices = ["syncthing"];
+      };
+      "librewolf" = {
+        path = "${home}/.librewolf";
+        devices = ["syncthing"];
+      };
+      "logseq" = {
+        path = "${home}/.logseq";
+        devices = ["syncthing"];
+      };
+      "zotero" = {
+        path = "${home}/Zotero";
+        devices = ["syncthing"];
+      };
+      "zotero-conf" = {
+        path = "${home}/.zotero";
+        devices = ["syncthing"];
+      };
+    };
+  };
+
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      stdenv.cc.cc
+      openssl
+      curl
+      glib
+      util-linux
+      glibc
+      icu
+      libunwind
+      libuuid
+      zlib
+      libsecret
+      # graphical
+      freetype
+      libglvnd
+      libnotify
+      SDL2
+      vulkan-loader
+      gdk-pixbuf
+      xorg.libX11
+    ];
+  };
+
+  systemd = let
+    extraConfig = ''
+      DefaultTimeoutStopSec=15s
+    '';
+  in {
+    inherit extraConfig;
+    user = {inherit extraConfig;};
+    services."getty@tty1".enable = false;
+    services."autovt@tty1".enable = false;
+    services."getty@tty7".enable = false;
+    services."autovt@tty7".enable = false;
+    # Systemd OOMd
+    # Fedora enables these options by default. See the 10-oomd-* files here:
+    # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
+    oomd = {
+      enableRootSlice = true;
+      enableUserServices = true;
+    };
+  };
+
+  services.udev.extraRules = ''
+# Atmel DFU
+### ATmega16U2
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2fef", TAG+="uaccess"
+### ATmega32U2
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff0", TAG+="uaccess"
+### ATmega16U4
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff3", TAG+="uaccess"
+### ATmega32U4
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff4", TAG+="uaccess"
+### AT90USB64
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ff9", TAG+="uaccess"
+### AT90USB162
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ffa", TAG+="uaccess"
+### AT90USB128
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2ffb", TAG+="uaccess"
+
+# Input Club
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1c11", ATTRS{idProduct}=="b007", TAG+="uaccess"
+
+# STM32duino
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1eaf", ATTRS{idProduct}=="0003", TAG+="uaccess"
+# STM32 DFU
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", TAG+="uaccess"
+
+# BootloadHID
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="05df", TAG+="uaccess"
+
+# USBAspLoader
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="05dc", TAG+="uaccess"
+
+# USBtinyISP
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1782", ATTRS{idProduct}=="0c9f", TAG+="uaccess"
+
+# ModemManager should ignore the following devices
+# Atmel SAM-BA (Massdrop)
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="6124", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+
+# Caterina (Pro Micro)
+## pid.codes shared PID
+### Keyboardio Atreus 2 Bootloader
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="2302", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+## Spark Fun Electronics
+### Pro Micro 3V3/8MHz
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1b4f", ATTRS{idProduct}=="9203", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### Pro Micro 5V/16MHz
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1b4f", ATTRS{idProduct}=="9205", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### LilyPad 3V3/8MHz (and some Pro Micro clones)
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1b4f", ATTRS{idProduct}=="9207", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+## Pololu Electronics
+### A-Star 32U4
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1ffb", ATTRS{idProduct}=="0101", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+## Arduino SA
+### Leonardo
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", ATTRS{idProduct}=="0036", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### Micro
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", ATTRS{idProduct}=="0037", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+## Adafruit Industries LLC
+### Feather 32U4
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="239a", ATTRS{idProduct}=="000c", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### ItsyBitsy 32U4 3V3/8MHz
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="239a", ATTRS{idProduct}=="000d", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### ItsyBitsy 32U4 5V/16MHz
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="239a", ATTRS{idProduct}=="000e", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+## dog hunter AG
+### Leonardo
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="2a03", ATTRS{idProduct}=="0036", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+### Micro
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="2a03", ATTRS{idProduct}=="0037", TAG+="uaccess", ENV{ID_MM_DEVICE_IGNORE}="1"
+
+# hid_listen
+KERNEL=="hidraw*", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
+
+# hid bootloaders
+## QMK HID
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2067", TAG+="uaccess"
+## PJRC's HalfKay
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="0478", TAG+="uaccess"
+
+# APM32 DFU
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="314b", ATTRS{idProduct}=="0106", TAG+="uaccess"
+
+# GD32V DFU
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="28e9", ATTRS{idProduct}=="0189", TAG+="uaccess"
+
+# WB32 DFU
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="dfa0", TAG+="uaccess"
+  '';
+}

modules/core/users.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  users.users.root.initialPassword = "changeme";
+  programs.zsh.enable = true;
+  programs.adb.enable = true;
+  users.users.muon = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "systemd-journal"
+      "vboxusers"
+      "audio"
+      "plugdev"
+      "wireshark"
+      "video"
+      "input"
+      "lp"
+      "networkmanager"
+      "power"
+      "nix"
+      "docker"
+      "adbusers"
+    ];
+    uid = 1000;
+    shell = pkgs.zsh;
+    initialPassword = "changeme";
+  };
+}

modules/core/xdg.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
+  environment.variables = with config.users.users.muon; {
+    WINIT_X11_SCALE_FACTOR="1";
+
+    # XDG Base
+    XDG_CONFIG_HOME="${home}/.config";
+    XDG_CACHE_HOME="${home}/.cache";
+    XDG_DATA_HOME="${home}/.local/share";
+    XDG_STATE_HOME="${home}/.local/state";
+  };
+}