NixOS configuration file (scroll down to line 738 for where I presume the problem is):
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
let
home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/master.tar.gz";
plasma-manager = builtins.fetchTarball "https://github.com/nix-community/plasma-manager/archive/trunk.tar.gz";
in
{
config,
stdenv,
fetchurl,
lib,
pkgs,
...
}:
{
nixpkgs.overlays = [
(final: prev: {
# Always spoof user agent to fix the problem of curl having a hard time
# downloading certain files
final.fetchurl = prev.fetchurl.overrideAttrs(_: {
curlOptsList = [
"-HUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
"-L"
"-sSf"
];
mirrors.gnu = [
# This one used to redirect to a (supposedly) nearby
# and (supposedly) up-to-date mirror but no longer does
# "https://ftpmirror.gnu.org/"
"https://ftp.nluug.nl/pub/gnu/"
"https://mirrors.kernel.org/gnu/"
"https://mirror.ibcp.fr/pub/gnu/"
"https://mirror.dogado.de/gnu/"
"https://mirror.tochlab.net/pub/gnu/"
# This one is the master repository, and thus it's always up-to-date
"https://ftp.gnu.org/pub/gnu/"
"ftp://ftp.funet.fi/pub/mirrors/ftp.gnu.org/gnu/"
];
});
})
];
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# Needed for ensuring desktop layout reproducibility
(import "${home-manager}/nixos")
];
# Nix package manager settings
nix.settings = {
# Enable flakes permanently
experimental-features = [ "nix-command" "flakes" ];
# Some things just don't download if you don't push things
download-attempts = 1000000;
# Don't abort the entire system build because some obscure download failed
keep-going = true;
# Fetching from master Git branches is impossible otherwise
require-sigs = false;
};
# Nvidia drivers
hardware = {
nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = true;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.beta;
};
graphics = {
enable = true;
extraPackages = with pkgs; [
cudaPackages.cudatoolkit
vaapiVdpau
nvidia-vaapi-driver
];
# enable32bit = true; # Deprecated
};
};
# Git configuration
programs.git.config = {
user = {
name = "Kenny Strawn";
email = "kstrawn0@saddleback.edu";
};
http = {
postBuffer = 1048576000;
};
https = {
postBuffer = 1048576000;
};
};
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 0;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot";
# Clean /tmp on reboot
boot.tmp = {
cleanOnBoot = true;
useTmpfs = true;
tmpfsSize = "300%";
};
# Plymouth
boot.consoleLogLevel = 0;
boot.initrd = {
verbose = false;
availableKernelModules = [
"nvidia"
"nvme"
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
"kvm-intel"
];
};
boot.blacklistedKernelModules = [ "nouveau" ];
boot.plymouth.enable = true;
boot.kernelParams = [
"quiet"
"splash"
"boot.shell_on_fail"
"nvidia_drm.modeset=1"
"nvidia_drm.fbdev=1"
"loglevel=3"
"rd.systemd.show_status=false"
"rd.udev.log_level=3"
"udev.log_priority=3"
"sysrq_always_enabled=1"
"usbcore.autosuspend=\"-1\""
# Fix refresh rate
"video=HDMI-A-1:3840x2160@60"
];
boot.extraModulePackages = [ config.boot.kernelPackages.nvidiaPackages.beta ];
# What to do in case of OOM condition
systemd.oomd = {
enableRootSlice = true;
extraConfig = {
DefaultMemoryPressureDurationSec = "2s";
};
};
boot.supportedFilesystems = [
"btrfs"
"f2fs"
];
networking.hostName = "kennystrawnmusic-pwnaegisr2";
# NetworkManager already depends on wpa_supplicant, so no need to pull it in separately.
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Absolute newest kernel possible
boot.kernelPackages = pkgs.linuxPackages_testing;
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
# SDDM
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
settings = {
Autologin = {
User = "htb-ac-1424625";
Session = "plasma.desktop";
};
};
autoLogin.relogin = true;
};
# KDE Plasma
services.desktopManager.plasma6.enable = true;
# Configure keymap in X11
services.xserver.xkb = {
layout = "us";
variant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# SSH
services.openssh = {
enable = true;
settings = {
X11Forwarding = true;
PasswordAuthentication = true;
};
};
# Enable sound with pipewire.
# sound.enable = true;
hardware.pulseaudio.enable = lib.mkForce false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
jack.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
services.libinput.enable = true;
# Use Docker to make it easy to combine multiple pentesting distros
# This way, if something isn't available in nixpkgs but is absolutely needed,
# no problem, just spin up a Parrot (or Kali) Docker container
virtualisation.docker = {
enable = true;
# storageDriver = "btrfs";
};
# Annoying ads begone!
services.adguardhome = {
enable = true;
allowDHCP = true;
openFirewall = true;
# Additional settings TBD
};
# Automatic login
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "htb-ac-1424625";
# Suppress annoying password prompts when running stuff that requires sudo
security.sudo.extraRules = [
{
users = [ "htb-ac-1424625" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" "SETENV" ];
}
];
}
];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
# Essentials
git
gcc
qemu
file
wget
google-chrome
# Force this package to not use the defunct ftpmirror.gnu.org download link
(libunistring.overrideAttrs(_: rec {
src = pkgs.fetchurl {
url = "https://ftp.gnu.org/gnu/libunistring/libunistring-1.2.tar.gz";
sha256 = "sha256-/W1WYvpwZIfEg0mnWLV7wUnOlOxsMGJOyf3Ec86rvI4=";
};
}))
# KDE profile doesn't pull in Discover either
# discover # Build failure
# https://github.com/kennystrawnmusic/cryptos
rustup
rust-analyzer
(vscode-with-extensions.override {
vscodeExtensions = with vscode-extensions; [
rust-lang.rust-analyzer
gruntfuggly.todo-tree
github.copilot
github.codespaces
tamasfe.even-better-toml
serayuzgur.crates
bbenoist.nix
]
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "remote-containers";
publisher = "ms-vscode-remote";
version = "0.327.0";
sha256 = "sha256-nx4g73fYTm5L/1s/IHMkiYBlt3v1PobAv6/0VUrlWis=";
}
{
name = "copilot-chat";
publisher = "GitHub";
version = "0.12.2024013003";
sha256 = "sha256-4ArWVFko2T6ze/i+HTdXAioWC7euWCycDsQxFTrEtUw=";
}
];
})
# System Administration
pv
kwallet-pam
kate
konsole
gwenview
okular
ark
khelpcenter
# Copy/paste from terminal
wl-clipboard
# For getting NixOS and Arch to play nicely together and vice versa
arch-install-scripts
# Development
eclipses.eclipse-cpp
gnumake
# Important personal stuff
openssl
nss.tools
pciutils
nvme-cli
hw-probe
usbutils
spotify
libreoffice-fresh
# Surprisingly not pulled in by default
kdePackages.plasma-browser-integration
# Reproducibility
nixos-install-tools
# Pentesting, Part 1: General
bat
ranger
discord-canary
wordlists
seclists
# Pentesting, Part 2: Exploitation
commix
crackle
exploitdb
metasploit
msfpc
# routersploit Build failure
social-engineer-toolkit
yersinia
# Pentesting, Part 3: Forensics
bulk_extractor
capstone
dc3dd
ddrescue
ext4magic
extundelete
ghidra-bin
git
p0f
pdf-parser
regripper
sleuthkit
# Pentesting, Part 4: Hardware
apktool
# Pentesting, Part 5: Reconnaisance
cloudbrute
dnsenum
adreaper
openldap
ldeep
linux-exploit-suggester
dnsrecon
enum4linux
hping
masscan
netcat
nmap
ntopng
sn0int
sslsplit
theharvester
wireshark
smbmap
# Pentesting, Part 6: Python
(python3.withPackages(pypkgs: [
pypkgs.binwalk-full
# pypkgs.distorm3 # NixOS/nixpkgs#328346
pypkgs.requests
pypkgs.beautifulsoup4
pypkgs.pygobject3
pypkgs.scapy
pypkgs.impacket
pypkgs.xsser
]))
# Pentesting, Part 7: Pivoting
httptunnel
pwnat
ligolo-ng
# Pentesting, Part 8: Brute Force
brutespray
cewl
chntpw
# crowbar # Build failure
crunch
hashcat
hashcat-utils
hash-identifier
hcxtools
john
phrasendrescher
thc-hydra
netexec
medusa
kerbrute
responder
# Pentesting, Part 9: Disassemblers
binutils
elfutils
bytecode-viewer
patchelf
radare2
# cutter Build failure
retdec
snowman
valgrind
yara
# Pentesting, Part 10: Packet Sniffers
bettercap
dsniff
mitmproxy
rshijack
sipp
sniffglue
sslstrip
# Pentesting, Part 11: Vulnerability Analyzers
grype
lynis
sqlmap
vulnix
whatweb
# Pentesting, Part 12: Web Attack Tools
wafw00f
dirb
gobuster
urlhunter
python311Packages.wfuzz
zap
burpsuite
ffuf
whatweb
wpscan
nikto
# Pentesting, Part 13: Wi-Fi
aircrack-ng
asleap
bully
cowpatty
gqrx
kalibrate-hackrf
kalibrate-rtl
killerbee
kismet
mfcuk
mfoc
multimon-ng
redfang
wifite2
# Custom packages, Part 1: PwnXSS
(pkgs.stdenv.mkDerivation rec {
pname = "pwnxss";
version = "0.5.0";
format = "pyproject";
src = builtins.fetchGit {
url = "https://github.com/Pwn0Sec/PwnXSS";
ref = "master";
};
propagatedBuildInputs = [
(python311.withPackages(pypkgs: [
pypkgs.wrapPython
pypkgs.beautifulsoup4
pypkgs.requests
]))
];
buildInputs = propagatedBuildInputs;
nativeBuildInputs = propagatedBuildInputs;
pythonPath = with python3Packages; [ beautifulsoup4 requests ];
pwnxssExecutable = placeholder "out" + "/bin/pwnxss";
installPhase = ''
# Base directories
install -dm755 $out/share/pwnxss
install -dm755 $out/bin
# Copy files
cp -a --no-preserve=ownership * "$out/share/pwnxss"
# Use wrapper script to allow execution from anywhere
cat > $out/bin/pwnxss << EOF
#!${pkgs.bash}/bin/bash
cd $out/share/pwnxss
python pwnxss.py \$@
EOF
chmod a+x $out/bin/pwnxss
'';
})
# Custom packages, Part 2: CUPP
(pkgs.stdenv.mkDerivation rec {
pname = "cupp";
version = "3.2.0-alpha";
src = builtins.fetchGit {
url = "https://github.com/Mebus/cupp";
ref = "master";
};
installPhase = ''
# Base directories
install -dm755 $out/share/cupp
install -dm755 $out/bin
# Copy files
cp -a --no-preserve=ownership * "$out/share/cupp"
# Use wrapper script to allow execution from anywhere
cat > $out/bin/cupp << EOF
#!${pkgs.bash}/bin/bash
cd $out/share/cupp
python cupp.py \$@
EOF
chmod a+x $out/bin/cupp
'';
})
];
# PAM configuration
security.pam = {
# KWallet auto-unlock
services.sddm.enableKwallet = true;
};
# Flatpak
services.flatpak.enable = true;
# Get as close to Arch as possible with rolling updates
nix.nixPath = lib.mkOverride 0 [
"nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
"nixos=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
"nixos-config=/etc/nixos/configuration.nix"
];
# Keep system up-to-date without intervention
system.autoUpgrade = {
enable = true;
channel = "nixos";
dates = "03:00";
rebootWindow.lower = "01:00";
rebootWindow.upper = "05:00";
persistent = true;
};
# Memory compression
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 300;
};
# System-wide shell config
environment.etc.bashrc.text = ''
# Create /opt if it doesn't already exist and set proper permissions on it
if [ ! -d /opt ]; then
if [ $UID -eq 0 ]; then
mkdir /opt
chmod -R a+rw /opt
else
sudo mkdir /opt
sudo chmod -R a+rw /opt
fi
fi
# Ensure that Rust is installed in the correct (sysmtem-wide) location
export CARGO_BUILD_JOBS=$(nproc)
export RUSTUP_HOME=/opt/rust
export CARGO_HOME=/opt/rust
# Add Rust to $PATH if installed
if [ -f /opt/rust/env ]; then
source /opt/rust/env
elif [ -d /opt/rust/bin ]; then
export PATH=/opt/rust/bin:$PATH
fi
# Allow editing of files as root
alias pkexec="pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY KDE_SESSION_VERSION=6 KDE_FULL_SESSION=true"
#PwnBox-style shell prompt
PS1="\[\033[1;32m\]\342\224\214\342\224\200\$([[ \$(/etc/htb/vpnbash.sh) == *\"10.\"* ]] && echo \"[\[\033[1;34m\]\$(/etc/htb/vpnserver.sh)\[\033[1;32m\]]\342\224\200[\[\033[1;37m\]\$(/etc/htb/vpnbash.sh)\[\033[1;32m\]]\342\224\200\")[\[\033[1;37m\]\u\[\033[01;32m\]@\[\033[01;34m\]\h\[\033[1;32m\]]\342\224\200[\[\033[1;37m\]\w\[\033[1;32m\]]\n\[\033[1;32m\]\342\224\224\342\224\200\342\224\200\342\225\274 [\[\e[01;33m\]★\[\e[01;32m\]]\\$ \[\e[0m\]"
'';
# VPN connection name
environment.etc."htb/vpnserver.sh".text = ''
#!${pkgs.bash}/bin/bash
device=$(ip address | grep tun | grep 10.10 | sed 's/^[ \(\s|\t\)+ ]*//' | cut -d' ' -f5)
nmcli d show $device | head -n6 | tail -n1 | sed 's/[ \(\s|\t\)+ ]*//g' | cut -d\: -f2
'';
# VPN IP address
environment.etc."htb/vpnbash.sh".text = ''
#!${pkgs.bash}/bin/bash
htbip=$(ip addr | grep tun | grep inet | grep -E "(10\.10|10\.129)" | tr -s " " | cut -d " " -f 3 | cut -d "/" -f 1)
if [[ $htbip == *"10."* ]]
then
echo "$htbip"
else
echo "No VPN"
fi
'';
environment.etc."htb/vpnserver.sh".mode = "0755";
environment.etc."htb/vpnbash.sh".mode = "0755";
# Keep USB mice and keyboards awake at all times
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="on"
ACTION=="add", SUBSYSTEM=="usb", TEST=="power/autosuspend", ATTR{power/autosuspend}="0"
ACTION=="add", SUBSYSTEM=="usb", TEST=="power/autosuspend_delay_ms", ATTR{power/autosuspend_delay_ms}="0"
'';
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# Open ports in the firewall.
networking = {
firewall = {
enable = true;
allowPing = false;
allowedUDPPorts = [ 80 443 4822 57621 ];
allowedTCPPorts = [ 22 80 443 4822 5353 ];
};
extraHosts = ''
# Suspicious TLDs
0.0.0.0 (^|\.)(cn|ir|zip|mov)$
'';
nftables.enable = true;
};
users = {
# Personal user account
users.htb-ac-1424625 = {
isNormalUser = true;
description = "Kenny Strawn";
extraGroups = [ "networkmanager" "wheel" "docker" ];
createHome = true;
};
};
# User-level config
home-manager = {
backupFileExtension = "old";
users.htb-ac-1424625 = { stdenv, fetchurl, lib, pkgs, ... }: {
home.stateVersion = config.system.stateVersion;
imports = [
(import "${plasma-manager}/modules")
];
services.home-manager.autoUpgrade.enable = config.system.autoUpgrade.enable;
services.home-manager.autoUpgrade.frequency = config.system.autoUpgrade.dates;
programs.plasma = {
enable = true;
#
# Some high-level settings:
#
workspace = {
lookAndFeel = "org.kde.breezedark.desktop";
wallpaper = builtins.fetchurl "https://raw.githubusercontent.com/ParrotSec/parrot-wallpapers/refs/heads/master/backgrounds/hackthebox.jpg";
};
hotkeys.commands."launch-konsole" = {
name = "Launch Konsole";
key = "Ctrl+Alt+T";
command = "konsole";
};
panels = [
# Bottom panel: MacOS-like dock
{
location = "bottom";
floating = true;
alignment = "center";
widgets = [
#
{
iconTasks = {
launchers = [
"applications:org.kde.discover.desktop"
"applications:org.kde.dolphin.desktop"
"applications:org.kde.konsole.desktop"
# "applications:com.google.Chrome.desktop"
"applications:org.kde.kate.desktop"
# "applications:com.visualstudio.code.desktop"
# "applications:eclipse-cpp.desktop"
"applications:discord-canary.desktop"
"applications:burpsuite.desktop"
# TODO: ZAP
];
};
}
];
hiding = "none";
}
# Top panel: Kickoff, app name, global menu, system tray
{
location = "top";
height = 32;
widgets = [
{
name = "org.kde.plasma.kickoff";
config = {
General = {
icon = builtins.fetchurl "https://gist.githubusercontent.com/kennystrawnmusic/42cef9444b40220482a62724c98618d2/raw/ecd569bea9f1598073d602b70d44007d18e9b232/start-here.svg";
alphaSort = true;
};
};
}
{
applicationTitleBar = {
behavior = {
activeTaskSource = "activeTask";
};
layout = {
elements = [ "windowTitle" ];
horizontalAlignment = "left";
showDisabledElements = "deactivated";
verticalAlignment = "center";
};
overrideForMaximized.enable = false;
titleReplacements = [
{
type = "regexp";
originalTitle = "^Brave Web Browser$";
newTitle = "Brave";
}
{
type = "regexp";
originalTitle = ''\\bDolphin\\b'';
newTitle = "File manager";
}
];
windowTitle = {
font = {
bold = true;
fit = "fixedSize";
size = 12;
};
hideEmptyTitle = true;
margins = {
bottom = 0;
left = 10;
right = 5;
top = 0;
};
source = "appName";
};
};
}
"org.kde.plasma.appmenu"
"org.kde.plasma.panelspacer"
{
digitalClock = {
date.enable = true;
calendar.firstDayOfWeek = "sunday";
time = {
format = "24h";
showSeconds = "always";
};
};
}
"org.kde.plasma.panelspacer"
{
systemTray.items = {
shown = [
"org.kde.plasma.battery"
"org.kde.plasma.bluetooth"
"org.kde.plasma.networkmanagement"
"org.kde.plasma.volume"
];
};
}
];
}
];
powerdevil = {
AC = {
powerButtonAction = "shutDown";
autoSuspend = {
action = "nothing";
idleTimeout = null;
};
turnOffDisplay = {
idleTimeout = "never";
};
};
battery = {
powerButtonAction = "sleep";
whenSleepingEnter = "standbyThenHibernate";
};
lowBattery = {
whenLaptopLidClosed = "hibernate";
};
};
kscreenlocker = {
autoLock = false;
lockOnResume = false;
lockOnStartup = false;
timeout = null;
};
#
# Some mid-level settings:
#
shortcuts = {
ksmserver = {
"Lock Session" = [
"Screensaver"
"Meta+Ctrl+Alt+L"
];
};
kwin = {
"Expose" = "Meta+,";
"Switch Window Down" = "Meta+J";
"Switch Window Left" = "Meta+H";
"Switch Window Right" = "Meta+L";
"Switch Window Up" = "Meta+K";
};
};
# configfile = {
# baloofilerc."basic settings"."indexing-enabled" = false;
# kwinrc."org.kde.kdecoration2".buttonsonleft = "sf";
# kwinrc.desktops.number = {
# value = 8;
# # forces kde to not change this value (even through the settings app).
# immutable = true;
# };
# kscreenlockerrc = {
# greeter.wallpaperplugin = "org.kde.potd";
# # to use nested groups use / as a separator. in the below example,
# # provider will be added to [greeter][wallpaper][org.kde.potd][general].
# "greeter/wallpaper/org.kde.potd/general".provider = "bing";
# };
# };
};
};
};
system.stateVersion = "24.11";
}
This is doing everything right, including replicating a custom desktop layout and properly fetching wallpapers from remote sources, except performing usably. New windows, including terminal windows, take 10-30 seconds to open, there’s a 10-second delay between when I move the mouse and when the cursor moves, and when I open top, kwin is using up an off-the-charts percentage of CPU and RAM. All this despite the fact that I’m running on hardware this powerful, which I had to probe on a non-NixOS SSD (the one running Parrot HTB edition, namely) due to this performance issue. Why?