From 53795ecb66d3dabb4a096633c0a5d9c81b68afb0 Mon Sep 17 00:00:00 2001
From: Grimmauld <Grimmauld@grimmauld.de>
Date: Sun, 12 Jan 2025 23:00:12 +0100
Subject: [PATCH] tmpfile cleanup

---
 hardening/ssh-as-sudo.nix                     |  8 +++++
 hm/grimmauld/default.nix                      |  1 +
 .../hardware-configuration.nix                | 32 ++++++++++++++++---
 3 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/hardening/ssh-as-sudo.nix b/hardening/ssh-as-sudo.nix
index ee1b550..3743775 100644
--- a/hardening/ssh-as-sudo.nix
+++ b/hardening/ssh-as-sudo.nix
@@ -3,10 +3,18 @@
   services.openssh = {
     enable = true;
     settings.PasswordAuthentication = false;
+    settings.challengeResponseAuthentication = false;
     # settings.UsePAM = false;
     openFirewall = lib.mkDefault false;
     allowSFTP = lib.mkDefault false;
     # startWhenNeeded = true;
+    extraConfig = ''
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
   };
 
   users.users.root = {
diff --git a/hm/grimmauld/default.nix b/hm/grimmauld/default.nix
index 3854686..6268946 100644
--- a/hm/grimmauld/default.nix
+++ b/hm/grimmauld/default.nix
@@ -9,6 +9,7 @@ in
 
       file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
       file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
+      file.".cups/lpoptions".text = "Default pdf\n";
     };
   };
 }
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 4b743a9..ff1a0a7 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -179,12 +179,36 @@ in
   # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
 
   systemd.tmpfiles.rules = [
-    "D! ${nix_build} 0755 root root"
-    "D! /var/cache 0755 root root"
-    "D! /var/.Trash-0 0755 root root"
-    "D! /var/tmp 0755 root root"
+    "D! ${nix_build} 0755 root root 7d"
+    "D! /var/cache 0755 root root 7d"
+    "e! /var/.Trash-0 0755 root root 14d"
+    "D! /var/tmp 0755 root root 14d"
     # "D! /root 0700 root root"
   ];
+
+  systemd.user.tmpfiles.users =
+    let
+      forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
+    in
+    lib.mergeAttrsList (
+      forEachUser (name: user: {
+        "${name}".rules = [
+          # "d /home/${user}/Downloads - - - 14d"
+          "e ${user.home}/.vim/undodir - - - 7d"
+          "d ${user.home}/.cache - - - 7d"
+          "e ${user.home}/.java - - - 7d"
+          "e ${user.home}/.gradle - - - 7d"
+          "e ${user.home}/.cargo - - - 7d"
+          "e ${user.home}/.rustup - - - 7d"
+          "e ${user.home}/.templateengine - - - 7d"
+          "e ${user.home}/.sane - - - 7d"
+          "e ${user.home}/.dotnet - - - 7d"
+          "e ${user.home}/.nuget - - - 7d"
+          # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
+        ];
+      })
+    );
+
   systemd.services.nix-daemon.environment.TMPDIR = nix_build;
 
   fileSystems."/etc/nixos" = {