Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

tmpfile cleanup

Browse source
This commit is contained in:
Grimmauld 2025-01-12 23:00:12 +01:00
parent c76eaacb28
commit 53795ecb66
No known key found for this signature in database
3 changed files with 37 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
hardening/ssh-as-sudo.nix
View file

@ -3,10 +3,18 @@
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.challengeResponseAuthentication = false;
# settings.UsePAM = false;
openFirewall = lib.mkDefault false;
allowSFTP = lib.mkDefault false;
# startWhenNeeded = true;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
users.users.root = {

1
hm/grimmauld/default.nix
View file

@ -9,6 +9,7 @@ in
file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
file.".cups/lpoptions".text = "Default pdf\n";
};
};
}

32
specific/grimm-nixos-ssd/hardware-configuration.nix
View file

@ -179,12 +179,36 @@ in
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
systemd.tmpfiles.rules = [
"D! ${nix_build} 0755 root root"
"D! /var/cache 0755 root root"
"D! /var/.Trash-0 0755 root root"
"D! /var/tmp 0755 root root"
"D! ${nix_build} 0755 root root 7d"
"D! /var/cache 0755 root root 7d"
"e! /var/.Trash-0 0755 root root 14d"
"D! /var/tmp 0755 root root 14d"
# "D! /root 0700 root root"
];
systemd.user.tmpfiles.users =
let
forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
in
lib.mergeAttrsList (
forEachUser (name: user: {
"${name}".rules = [
# "d /home/${user}/Downloads - - - 14d"
"e ${user.home}/.vim/undodir - - - 7d"
"d ${user.home}/.cache - - - 7d"
"e ${user.home}/.java - - - 7d"
"e ${user.home}/.gradle - - - 7d"
"e ${user.home}/.cargo - - - 7d"
"e ${user.home}/.rustup - - - 7d"
"e ${user.home}/.templateengine - - - 7d"
"e ${user.home}/.sane - - - 7d"
"e ${user.home}/.dotnet - - - 7d"
"e ${user.home}/.nuget - - - 7d"
# "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
];
})
);
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
fileSystems."/etc/nixos" = {