diff --git a/common/default.nix b/common/default.nix index 4f4c620..e868bc1 100644 --- a/common/default.nix +++ b/common/default.nix @@ -15,7 +15,7 @@ with lib; ./graphics ./gaming.nix ./firefox.nix - ./cloudsync.nix + # ./cloudsync.nix ./hardware ./databases ]; diff --git a/common/firefox.nix b/common/firefox.nix index 85ffd41..632f05d 100644 --- a/common/firefox.nix +++ b/common/firefox.nix @@ -8,7 +8,6 @@ let inherit (config.grimmShared) enable firefox - tooling locale sway ; @@ -28,9 +27,6 @@ in programs.firefox = { # package = pkgs.firefox-beta; enable = true; - nativeMessagingHosts.packages = - [ ] - ++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ]; languagePacks = optionals locale [ "de" "en-US" diff --git a/common/gaming.nix b/common/gaming.nix index 9184308..29517dc 100644 --- a/common/gaming.nix +++ b/common/gaming.nix @@ -47,26 +47,21 @@ in GAMEMODERUNEXEC = "env DRI_PRIME=1"; }; - environment.systemPackages = - with pkgs; - [ - heroic - prismlauncher - mangohud - the-powder-toy - factorio - pactorio - (symlinkJoin { - name = "osu"; - paths = [ - (writeShellScriptBin "osu!" '' - exec gamemoderun ${getExe osu-lazer-bin} - '') - osu-lazer-bin - ]; - }) - ] - ++ optional (!isNull factorio.passthru.updateScript) factorio; + environment.systemPackages = with pkgs; [ + # heroic + prismlauncher + mangohud + the-powder-toy + (symlinkJoin { + name = "osu"; + paths = [ + (writeShellScriptBin "osu!" '' + exec gamemoderun ${getExe osu-lazer-bin} + '') + osu-lazer-bin + ]; + }) + ]; }; options.grimmShared.gaming = mkEnableOption "enables steam, heroic, prism and gamemoded"; diff --git a/common/graphics/qt.nix b/common/graphics/qt.nix index cda30b7..2f638fc 100644 --- a/common/graphics/qt.nix +++ b/common/graphics/qt.nix 
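Review bot: In the gaming.nix hunk the option description on the trailing context line still reads `mkEnableOption "enables steam, heroic, prism and gamemoded"`, while the new package list comments `heroic` out, so the documentation now promises more than the option delivers. Either shorten the description to match or leave a `# heroic: disabled because <reason placeholder>` comment next to the commented entry so the two stay in sync. The `factorio`/`pactorio` entries and the `updateScript` guard are dropped outright rather than commented, which is fine but is not explained anywhere visible.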
@@ -49,10 +49,10 @@ in kdePackages.breeze-qt5 ]; - boot.plymouth = { - themePackages = with pkgs; [ catppuccin-plymouth ]; - theme = "catppuccin-macchiato"; - enable = true; - }; + #boot.plymouth = { + # themePackages = with pkgs; [ catppuccin-plymouth ]; + # theme = "catppuccin-macchiato"; + # enable = true; + #}; }; } diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index dc4f3a7..c82b244 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -64,7 +64,7 @@ in boot = { kernelParams = [ - "intel_iommu=on" + # "intel_iommu=on" "nohibernate" "pcie_aspm=off" ]; @@ -83,7 +83,7 @@ in kernelModules = [ # "ddcci_backlight" # "i2c-dev" - "ec_sys" + # "ec_sys" ]; }; }; diff --git a/common/hardware/tlp.nix b/common/hardware/tlp.nix index 0a01d25..4ac0123 100644 --- a/common/hardware/tlp.nix +++ b/common/hardware/tlp.nix @@ -80,7 +80,7 @@ in }; powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power"; - powerManagement.cpuFreqGovernor = lib.mkDefault "normal"; + # powerManagement.cpuFreqGovernor = lib.mkDefault "normal"; services.power-profiles-daemon.enable = false; services.upower.enable = true; diff --git a/common/network/bluetooth.nix b/common/network/bluetooth.nix index ad3c7d1..42f2753 100644 --- a/common/network/bluetooth.nix +++ b/common/network/bluetooth.nix @@ -17,15 +17,5 @@ in services.blueman.enable = lib.mkIf graphical true; environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez; - - systemd.user.services.mpris-proxy = lib.mkIf sound.enable { - description = "Mpris proxy"; - after = [ - "network.target" - "sound.target" - ]; - wantedBy = [ "default.target" ]; - serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy"; - }; }; } diff --git a/common/network/default.nix b/common/network/default.nix index cd1e238..d4c19eb 100644 --- a/common/network/default.nix +++ b/common/network/default.nix 
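Review bot: Commenting out `"intel_iommu=on"` in `boot.kernelParams` (laptop.nix, first hunk) switches off the IOMMU, which is what provides DMA isolation for PCIe and Thunderbolt devices on an Intel laptop, and the hunk gives no reason for the regression. If it was disabled to work around a specific device or performance problem, record that inline, e.g. `# "intel_iommu=on" # disabled: <reason/issue placeholder>`, so the next hardening pass can decide whether to restore it. The same one-line why-comment would help for the `"ec_sys"` module removed in the second hunk. The enclosing `boot = {` block starts outside the hunk.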
@@ -22,6 +22,8 @@ in openconnect ]; + users.users.nscd.uid = 997; + networking.firewall = { enable = true; allowPing = true; @@ -31,6 +33,8 @@ in "1.1.1.1" "9.9.9.9" ]; + + environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt; }; imports = [ ./bluetooth.nix ]; diff --git a/common/network/telekom-root.crt b/common/network/telekom-root.crt new file mode 100644 index 0000000..0911a56 Binary files /dev/null and b/common/network/telekom-root.crt differ diff --git a/common/printing.nix b/common/printing.nix index 916614e..1e804ec 100644 --- a/common/printing.nix +++ b/common/printing.nix @@ -14,7 +14,7 @@ in brgenml1cupswrapper ]; services.avahi = { - enable = true; + # enable = true; nssmdns4 = true; openFirewall = true; }; diff --git a/common/sound/default.nix b/common/sound/default.nix index 04fe73e..2db7db1 100644 --- a/common/sound/default.nix +++ b/common/sound/default.nix @@ -9,7 +9,7 @@ let in { config = lib.mkIf (enable && sound.enable) { - hardware.pulseaudio.enable = false; + services.pulseaudio.enable = false; services.pipewire = { enable = true; diff --git a/common/sound/midi.nix b/common/sound/midi.nix index 839b518..b4ac719 100644 --- a/common/sound/midi.nix +++ b/common/sound/midi.nix @@ -20,7 +20,8 @@ in environment.pathsToLink = [ "/share/soundfonts" ]; - environment.etc."timidity/timidity.cfg".text = "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2"; + environment.etc."timidity/timidity.cfg".text = + "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2"; }; options.grimmShared.sound.midi = lib.mkEnableOption "enable midi"; diff --git a/common/sound/spotify.nix b/common/sound/spotify.nix index afe53e0..9e65e5f 100644 --- a/common/sound/spotify.nix +++ b/common/sound/spotify.nix @@ -21,5 +21,5 @@ in enable = lib.mkEnableOption "grimm-spotify"; }; - imports = [ ./spotifyd.nix ]; + # imports = [ ./spotifyd.nix ]; } 
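Review bot: The new `environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt;` line installs a CA certificate that this commit adds as an opaque binary, with nothing recording where the file came from, its subject or fingerprint, or which connection profile relies on it, so a later reader cannot tell whether it is still the right trust anchor. Add a comment above the line such as `# Telekom root CA for the <profile placeholder> EAP/VPN profile; fetched from <URL placeholder>, SHA-256 fingerprint <fingerprint placeholder>` and prefer committing it PEM-encoded so future updates show up as a readable diff. The hard-coded `users.users.nscd.uid = 997;` in the first hunk also deserves a why-comment, since a fixed uid in the dynamic system-user range can collide with an id already allocated on an existing machine. Both insertions sit in a block whose opening line is outside the hunk and which is closed by the `};` after the certificate line.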
diff --git a/common/tooling/default.nix b/common/tooling/default.nix index c44b079..04ed1f9 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -17,18 +17,16 @@ in imports = [ # ./lilypond.nix ./nix.nix - ./security.nix ./python.nix ./rust.nix ./lsp.nix - ./helix.nix ./git.nix - ./wine.nix + # ./wine.nix ./c.nix ./java.nix - ./opensnitch ./ranger.nix - ./apparmor + ./nix-index.nix + # ./defaultProtectHome.nix ]; config = mkIf (enable && tooling.enable) { @@ -69,29 +67,12 @@ in ] ++ optionals graphical [ wev - qdirstat + k4dirstat libva-utils gparted bottles ]; - environment.shellAliases = { - ":q" = "exit"; - "ls" = "eza"; - "lix" = "nix"; - "l" = "eza -hla"; - "vi" = "hx"; - "bat" = "bat --theme=Dracula"; - }; - - programs.tmux = { - enable = true; - historyLimit = 42000; - #keyMode = "vi"; - }; - - programs.fzf.fuzzyCompletion = true; - environment.sessionVariables = { MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'"; MANROFFOPT = "-c"; @@ -105,29 +86,6 @@ in boot.tmp.cleanOnBoot = true; zramSwap.enable = false; - - #programs.ssh = { - # # startAgent = true; - # enableAskPassword = graphical; - # askPassword = mkIf graphical (getExe pkgs.lxqt.lxqt-openssh-askpass); - #}; - programs.thefuck.enable = true; - - programs.starship = { - enable = true; - settings = { - format = "$all$directory$character"; - nodejs.disabled = true; - cmake.symbol = "cmake "; - custom.shell = { - command = "basename $SHELL"; - when = "test -v SHELL"; - format = " in [$output]($style)"; - # ignore_timeout = true; - }; - # env_var.SHELL = {variable = "SHELL"; default = ""; }; - }; - }; }; options.grimmShared.tooling = { diff --git a/common/tooling/java.nix b/common/tooling/java.nix index b9aa770..473de3e 100644 --- a/common/tooling/java.nix +++ b/common/tooling/java.nix 
@@ -21,7 +21,7 @@ in pkgs.jdk17 pkgs.visualvm pkgs.gradle_7 - ] ++ optionals graphical [ pkgs.jetbrains.idea-community ]; + ]; # ++ optionals graphical [ pkgs.jetbrains.idea-community ]; environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home; diff --git a/common/tooling/nix-index.nix b/common/tooling/nix-index.nix new file mode 100644 index 0000000..3416036 --- /dev/null +++ b/common/tooling/nix-index.nix 
@@ -0,0 +1,76 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ db_path = "/var/nix-index/current";
+ mode = "755";
+ user = "nix-index";
+in
+{
+ users.users."${user}" = {
+ isSystemUser = true;
+ group = user;
+ };
+ users.groups."${user}" = { };
+
+ nix.settings.allowed-users = [ user ];
+
+ environment.systemPackages = with pkgs; [
+ nix-index
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /var/nix-index 0${mode} ${user} ${user} 14d"
+ ];
+
+ environment.sessionVariables.NIX_INDEX_DATABASE = db_path;
+
+ systemd.services.nix-index-update = {
+ description = "update nix-index database";
+ after = [
+ "network-online.target"
+ "nix-daemon.service"
+ ];
+ wants = [
+ "network-online.target"
+ "nix-daemon.service"
+ ];
+ serviceConfig = {
+ Type = "simple";
+ Nice = 19;
+ # UMask = mode;
+ # DynamicUser = true;
+ ReadWritePaths = "/var/nix-index/";
+ CacheDirectory = "index-cache";
+
+ User = user;
+ Group = user;
+ };
+ environment.NIX_PATH = lib.concatStringsSep ":" config.nix.nixPath;
+ script = ''
+ platform="$(uname -m | sed 's/^arm64$/aarch64/')-$(uname | tr "[:upper:]" "[:lower:]")"
+ path="/var/nix-index/index-$platform-$(date -I)"
+ mkdir -p "$path" -m ${mode}
+ XDG_CACHE_HOME=$CACHE_DIRECTORY ${lib.getExe' pkgs.nix-index "nix-index"} --show-trace -c 0 -s $platform --db "$path" || exit 1
+ rm -f ${db_path}
+ ln -s "$path" ${db_path}
+ # && chmod ${mode} ${db_path}
+ echo "link success"
+ '';
+ enable = true;
+ };
+
+ systemd.timers.nix-index-update = {
+ description = "regularly update nix-index database";
+ timerConfig.Persistent = true;
+ timerConfig.OnCalendar = "Mon *-*-* 00:00:00";
+ wantedBy = [
+ "multi-user.target"
+ "timers.target"
+ ];
+ enable = true;
+ };
+}
diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix
index f46a15d..fde7643 100644
--- a/common/tooling/nix.nix
+++ b/common/tooling/nix.nix
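Review bot: `ReadWritePaths = "/var/nix-index/"` in `serviceConfig` has no effect on its own, because systemd only consults it once `ProtectSystem=strict` (or `ReadOnlyPaths`) is in effect, so the weekly update service currently runs with an unrestricted filesystem view and no namespace sandboxing despite the dedicated user. Since the script only writes below `/var/nix-index` and the `CacheDirectory` (which systemd adds to the writable set automatically), the usual hardening set should be safe to enable; verify once on a host, as nix-index also needs the daemon socket and the network. The `rm -f`/`ln -s` pair in the script additionally leaves a window in which `current` does not exist, so create the link under a temporary name and `mv -T` it into place. The module is listed unconditionally in `imports` of `common/tooling/default.nix` and has no `mkIf` guard of its own, so the user, service and timer land on every host that pulls in the tooling module — presumably intended, but a header comment saying so would help.
```nix
    serviceConfig = {
      Type = "simple";
      Nice = 19;
      # ReadWritePaths only restricts anything once ProtectSystem=strict is in effect
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      ReadWritePaths = "/var/nix-index/";
      CacheDirectory = "index-cache";
      # … unchanged: User/Group …
    };
    # … unchanged: environment.NIX_PATH …
    script = ''
      # … unchanged: platform/path/mkdir and the nix-index invocation …
      ln -sfn "$path" ${db_path}.new
      mv -T ${db_path}.new ${db_path}
      echo "link success"
    '';
```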
@@ -20,7 +20,7 @@ nvd vulnix nix-init - inputs.nixpkgs-update.packages."${system}".default + # inputs.nixpkgs-update.packages."${system}".default ]; environment.sessionVariables = @@ -45,8 +45,13 @@ experimental-features = [ "nix-command" "flakes" + "pipe-operator" ]; warn-dirty = false; + allowed-users = [ + "@wheel" + "grimmauld" + ]; }; programs.nh = { diff --git a/common/tooling/python.nix b/common/tooling/python.nix index 67d18fd..6dbe274 100644 --- a/common/tooling/python.nix +++ b/common/tooling/python.nix @@ -31,7 +31,7 @@ in config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) { environment.systemPackages = [ (pkgs.python3.withPackages pyLibs) - ] ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]); + ]; # ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]); programs.xonsh = { enable = true; diff --git a/common/xdg/alacritty.toml b/common/xdg/alacritty.toml deleted file mode 100644 index 7a6a20a..0000000 --- a/common/xdg/alacritty.toml +++ /dev/null @@ -1,8 +0,0 @@ -[font] - # Point size - size=16.0 - normal = { family="Noto Sans Mono" } - -[window] - opacity=0.85 - diff --git a/common/xdg/default.nix b/common/xdg/default.nix index 23d1b5d..c02c6f9 100644 --- a/common/xdg/default.nix +++ b/common/xdg/default.nix @@ -1,6 +1,17 @@ { imports = [ ./portals.nix - ./mime.nix + # ./mime.nix ]; + + xdg.terminal-exec = { + enable = true; + settings = { + default = [ + "Alacritty.desktop" + "kitty.desktop" + ]; + }; + }; + } diff --git a/common/xdg/mime.nix b/common/xdg/mime.nix deleted file mode 100644 index d4be56c..0000000 --- a/common/xdg/mime.nix +++ /dev/null 
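Review bot: In the xdg/default.nix hunk, `xdg.terminal-exec.settings.default` lists `"Alacritty.desktop"` first, but the module that installed alacritty (the deleted `common/xdg/mime.nix`, together with its `alacritty_pkg` wrapper and `alacritty.toml`) is now commented out of `imports`, so unless alacritty is provided elsewhere the preferred entry resolves to nothing and `kitty.desktop` silently becomes the effective default. Either install the package here (the file is a plain attrset, so it would need `{ pkgs, ... }:` and `environment.systemPackages = [ pkgs.alacritty ];`) or drop the entry. A `# mime.nix: disabled because <reason placeholder>` comment next to the commented import would also explain why the whole `xdg.mime.addedAssociations` table and the viewer/editor package list went away.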
@@ -1,154 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: -let - inherit (config.grimmShared) enable portals graphical; - browsers = [ - "firefox-beta.desktop" - "firefox.desktop" - ]; - text_editors = [ - "nvim.desktop" - "geany.desktop" - "imhex.desktop" - ]; - image_viewers = [ - "org.nomacs.ImageLounge.desktop" - "org.kde.krita.desktop" - "draw.desktop" - ]; - audio_players = [ "vlc.desktop" ]; - video_viewers = [ "vlc.desktop" ]; - document_viewers = [ - "org.pwmt.zathura-pdf-mupdf.desktop" - "com.github.jeromerobert.pdfarranger.desktop" - ] ++ browsers; - cad = [ - "org.freecadweb.FreeCAD.desktop" - "PrusaSlicer.desktop" - "openscad.desktop" - "blender.desktop" - ]; - tex_editors = [ ] ++ text_editors; - - alacritty_pkg = pkgs.symlinkJoin { - name = "alacritty"; - paths = [ pkgs.alacritty ]; - buildInputs = [ pkgs.makeWrapper ]; - postBuild = '' - wrapProgram $out/bin/alacritty \ - --add-flags "--config-file ${./alacritty.toml}" - ''; - }; -in -{ - config = lib.mkIf (enable && portals && graphical) { - environment.systemPackages = with pkgs; [ - deskwhich - - zathura - gnome-console - alacritty_pkg - imhex - libreoffice-qt - filezilla - obsidian - nomacs - pdfarranger - geany - krita - weasis - # kicad - prusa-slicer - freecad - openscad - vlc - # blender - thunderbird - xdg-terminal-exec - xdg-utils - ]; - - xdg.terminal-exec = { - enable = true; - settings = { - default = [ - "Alacritty.desktop" - "kitty.desktop" - ]; - }; - }; - - xdg.mime.enable = true; - xdg.mime.addedAssociations = { - "application/java-vm" = [ - "idea-community.desktop" - "imhex.desktop" - ]; - "application/json" = text_editors ++ [ "firefox-beta.desktop" ]; - "application/mp4" = video_viewers; - "application/ogg" = audio_players; - "application/octet-stream" = "imhex.desktop"; - "application/pdf" = document_viewers; - "application/rss+xml" = text_editors; - "application/x-chess-pgn" = [ ] ++ text_editors; # fixme - "application/x-krita" = "org.kde.krita.desktop"; - "application/x-latex" 
= tex_editors; - "application/x-tex" = tex_editors; - "application/x-texinfo" = tex_editors; - "application/xml" = text_editors; - "image/svg+xml" = image_viewers ++ browsers ++ text_editors; - "image/*" = image_viewers; - "image/vnd.dwg" = cad; - "model/*" = cad; - "gcode" = [ - "PrusaGcodeviewer.desktop" - "PrusaSlicer.desktop" - ]; - "audio/*" = audio_players; - "text/*" = text_editors; - "text/plain" = text_editors; - "text/markdown" = [ "obsidian.desktop" ] ++ text_editors; - "text/csv" = [ "calc.desktop" ] ++ text_editors; - "text/html" = browsers ++ text_editors; - "text/x-python" = [ "pycharm-community.desktop" ] ++ text_editors; - "text/x-c" = [ "clion.desktop" ] ++ text_editors; - "text/x-java-source" = [ "idea-community.desktop" ] ++ text_editors; - "video/*" = video_viewers; - "inode/directory" = [ - "ranger.desktop" - "dolphin.desktop" - ]; - "x-scheme-handler/mailto" = "thunderbird.desktop"; - - "application/vnd.oasis.opendocument.chart" = "calc.desktop"; - "application/vnd.oasis.opendocument.chart-template" = "calc.desktop"; - "application/vnd.oasis.opendocument.database" = "base.desktop"; - "application/vnd.oasis.opendocument.formula" = "math.desktop"; - "application/vnd.oasis.opendocument.formula-template" = "math.desktop"; - "application/vnd.oasis.opendocument.graphics" = "draw.desktop"; - "application/vnd.oasis.opendocument.graphics-template" = "draw.desktop"; - "application/vnd.oasis.opendocument.image" = "draw.desktop"; - "application/vnd.oasis.opendocument.image-template" = "draw.desktop"; - "application/vnd.oasis.opendocument.presentation" = "impress.desktop"; - "application/vnd.oasis.opendocument.presentation-template" = "impress.desktop"; - "application/vnd.oasis.opendocument.spreadsheet" = "calc.desktop"; - "application/vnd.oasis.opendocument.spreadsheet-template" = "calc.desktop"; - "application/vnd.oasis.opendocument.text" = "writer.desktop"; - "application/vnd.oasis.opendocument.text-master" = "writer.desktop"; - 
"application/vnd.oasis.opendocument.text-template" = "writer.desktop"; - "application/vnd.oasis.opendocument.text-web" = "writer.desktop"; - "application/vnd.openxmlformats-officedocument.presentationml.presentation" = "impress.desktop"; - "application/vnd.openxmlformats-officedocument.presentationml.slide" = "impress.desktop"; - "application/vnd.openxmlformats-officedocument.presentationml.slideshow" = "impress.desktop"; - "application/vnd.openxmlformats-officedocument.presentationml.template" = "impress.desktop"; - "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" = "calc.desktop"; - "application/vnd.openxmlformats-officedocument.spreadsheetml.template" = "calc.desktop"; - "application/vnd.openxmlformats-officedocument.wordprocessingml.document" = "writer.desktop"; - "application/vnd.openxmlformats-officedocument.wordprocessingml.template" = "writer.desktop"; - }; - }; -} diff --git a/configuration.nix b/configuration.nix index 531bcea..ae3eb8a 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ pkgs, ... }: { imports = [ ./overlays @@ -13,8 +13,6 @@ # kernelPackages = lib.mkDefault pkgs.linuxPackages_zen; }; - services.logrotate.checkConfig = false; # fixme: actually needed? - nix.package = pkgs.lix; nixpkgs.config.allowUnfree = true; diff --git a/dual_monitor_otd.json b/dual_monitor_otd.json new file mode 100644 index 0000000..41a9793 --- /dev/null +++ b/dual_monitor_otd.json 
@@ -0,0 +1,73 @@ +{ + "Profiles": [ + { + "Tablet": "Wacom PTH-660", + "OutputMode": { + "Path": "OpenTabletDriver.Desktop.Output.AbsoluteMode", + "Settings": [], + "Enable": true + }, + "Filters": [], + "AbsoluteModeSettings": { + "Display": { + "Width": 3840.0, + "Height": 1080.0, + "X": 1920.0, + "Y": 540.0, + "Rotation": 0.0 + }, + "Tablet": { + "Width": 148.0, + "Height": 42.0, + "X": 112.0, + "Y": 74.0, + "Rotation": 90.0 + }, + "EnableClipping": true, + "EnableAreaLimiting": false, + "LockAspectRatio": false + }, + "RelativeModeSettings": { + "XSensitivity": 10.0, + "YSensitivity": 10.0, + "RelativeRotation": 0.0, + "RelativeResetDelay": "00:00:00.1000000" + }, + "Bindings": { + "TipActivationThreshold": 0.0, + "TipButton": { + "Path": "OpenTabletDriver.Desktop.Binding.MouseBinding", + "Settings": [ + { + "Property": "Button", + "Value": "Left" + } + ], + "Enable": true + }, + "EraserActivationThreshold": 0.0, + "EraserButton": null, + "PenButtons": [ + null, + null + ], + "AuxButtons": [ + null, + null, + null, + null, + null, + null, + null, + null + ], + "MouseButtons": [], + "MouseScrollUp": null, + "MouseScrollDown": null + } + } + ], + "LockUsableAreaDisplay": true, + "LockUsableAreaTablet": true, + "Tools": [] +} \ No newline at end of file diff --git a/flake.lock b/flake.lock index 9c98f7a..19461fe 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1732741943, - "narHash": "sha256-ZPGI3RjfDqajlIlEO6xL9dQhtyXQMhlFMPnYoKNtPRI=", + "lastModified": 1736590503, + "narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "cb4dd424befe24976ecbbc09505efa0c5477d9c6", + "rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93", "type": "github" }, "original": { 
@@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1732889580, - "narHash": "sha256-67MC0DhkRPTPy/g76sm/jzMqcmUBIlX5qoSH5B27Twk=", + "lastModified": 1736877444, + "narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "5b6ceba740feaf260ec205e41e3dde8af510a547", + "rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98", "type": "github" }, "original": { @@ -92,6 +92,28 @@ "type": "github" } }, + "apparmor-dev": { + "inputs": { + "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734881868, + "narHash": "sha256-ONpu806E6j/23ZCgvfAR7bNusDjC5bVThTOjNkUMIqQ=", + "owner": "LordGrimmauld", + "repo": "apparmor-dev", + "rev": "032cb3469176411d5bda5642049abc468073e18a", + "type": "github" + }, + "original": { + "owner": "LordGrimmauld", + "repo": "apparmor-dev", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -118,11 +140,11 @@ ] }, "locked": { - "lastModified": 1733072746, - "narHash": "sha256-Rds19CCMsbT+eo5HoJahl2N/wLrvGZ0Nw6Vlu+hvfmE=", + "lastModified": 1736848948, + "narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "36d157737c1682d31721f68c812353225956471b", + "rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65", "type": "github" }, "original": { @@ -189,11 +211,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { 
@@ -250,6 +272,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -302,11 +342,11 @@ ] }, "locked": { - "lastModified": 1732884235, - "narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=", + "lastModified": 1736508663, + "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=", "owner": "nix-community", "repo": "home-manager", - "rev": "819f682269f4e002884702b87e445c82840c68f2", + "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc", "type": "github" }, "original": { @@ -315,20 +355,39 @@ "type": "github" } }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dirtyRev": "0d7908bd09165db6699908b7e3970f137327cbf0-dirty", + "dirtyShortRev": "0d7908bd-dirty", + "lastModified": 1736013363, + "narHash": "sha256-1UN8758BA6XDgte9AfHu5fZ35zqVPPq3GGuca3JJOZU=", + "type": "git", + "url": "file:///home/grimmauld/coding/home-manager" + }, + "original": { + "type": "git", + "url": "file:///home/grimmauld/coding/home-manager" + } + }, "jovian": { "inputs": { - "nix-github-actions": "nix-github-actions_2", + "nix-github-actions": "nix-github-actions_3", "nixpkgs": [ "chaotic", "nixpkgs" ] }, "locked": { - "lastModified": 1732739177, - "narHash": "sha256-iL32+TA/8geCzcL1r3uthrH/GPvbUak5QE++WJUkaiI=", + "lastModified": 1736580596, + "narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d7b2149e618696d5100c2683af1ffa893f02a75", + "rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083", "type": "github" }, "original": { 
@@ -337,28 +396,6 @@ "type": "github" } }, - "mmdoc": { - "inputs": { - "nixpkgs": [ - "nixpkgs-update", - "nixpkgs" - ], - "systems": "systems_3" - }, - "locked": { - "lastModified": 1710694589, - "narHash": "sha256-5wa+Jzxr+LygoxSZuZg0YU81jgdnx2IY/CqDIJMOgec=", - "owner": "ryantm", - "repo": "mmdoc", - "rev": "b6ddf748b1d1c01ca582bb1b3dafd6bc3a4c83a6", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "mmdoc", - "type": "github" - } - }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -381,6 +418,27 @@ } }, "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "apparmor-dev", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731952509, + "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_3": { "inputs": { "nixpkgs": [ "chaotic", @@ -410,14 +468,14 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-24_05": "nixpkgs-24_05" + "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1722877200, - "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", + "lastModified": 1735230346, + "narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", + "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b", "type": "gitlab" }, "original": { 
@@ -434,11 +492,11 @@ ] }, "locked": { - "lastModified": 1727410897, - "narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=", + "lastModified": 1735857245, + "narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c", + "rev": "da9dc0479ffe22362793c87dc089035facf6ec4d", "type": "github" }, "original": { @@ -449,11 +507,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733015953, - "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "lastModified": 1736798957, + "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3", "type": "github" }, "original": { 
@@ -463,69 +521,18 @@ "type": "github" } }, - "nixpkgs-24_05": { + "nixpkgs-24_11": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1734083684, + "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-update": { - "inputs": { - "mmdoc": "mmdoc", - "nixpkgs": "nixpkgs_2", - "runtimeDeps": "runtimeDeps", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1732958734, - "narHash": "sha256-DY1Aq+pAU/n0loBjCRfeSbEG/ji2M+mrEkcEnsN/AHk=", - "owner": "nix-community", - "repo": "nixpkgs-update", - "rev": "dffb2930904b08ca8d226594b543cbae150b5f67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-update", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1672428209, - "narHash": "sha256-eejhqkDz2cb2vc5VeaWphJz8UXNuoNoM8/Op8eWv2tQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "293a28df6d7ff3dec1e61e37cc4ee6e6c0fb0847", + "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-24.11", "type": "indirect" } }, 
@@ -536,15 +543,14 @@ "nixpkgs": [ "aa-alias-manager", "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "lastModified": 1735882644, + "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", "type": "github" }, "original": { @@ -558,27 +564,12 @@ "aa-alias-manager": "aa-alias-manager", "aagl-gtk-on-nix": "aagl-gtk-on-nix", "agenix": "agenix", + "apparmor-dev": "apparmor-dev", "chaotic": "chaotic", + "home-manager": "home-manager_3", "nixos-mailserver": "nixos-mailserver", "nixos-matrix-modules": "nixos-matrix-modules", - "nixpkgs": "nixpkgs", - "nixpkgs-update": "nixpkgs-update" - } - }, - "runtimeDeps": { - "locked": { - "lastModified": 1714247354, - "narHash": "sha256-6dFKqP/aCKIdpOgqgIQUrRT0NOfVc14ftNcdELa4Pu4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c8d7c8a78fb516c0842cc65346506a565c88014d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" + "nixpkgs": "nixpkgs" } }, "rust-overlay": { @@ -589,11 +580,11 @@ ] }, "locked": { - "lastModified": 1732674798, - "narHash": "sha256-oM1gjCv9R4zxDFO3as9wqQ4FI3+pDA9MKZ72L7tTIII=", + "lastModified": 1736572187, + "narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1d569430326b0a7807ccffdb2a188b814091976c", + "rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b", "type": "github" }, "original": { 
@@ -667,27 +658,6 @@ "repo": "default", "type": "github" } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-update", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1711963903, - "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 5a703ba..5fe6211 100644 --- a/flake.nix +++ b/flake.nix @@ -32,9 +32,21 @@ url = "github:LordGrimmauld/aa-alias-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs-update = { - url = "github:nix-community/nixpkgs-update"; - # inputs.nixpkgs.follows = "nixpkgs"; + # nixpkgs-update = { + # url = "github:nix-community/nixpkgs-update"; + # # inputs.nixpkgs.follows = "nixpkgs"; + # }; + apparmor-dev = { + url = "github:LordGrimmauld/apparmor-dev"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { + # https://github.com/nix-community/home-manager/issues/3415 + # https://github.com/nix-community/home-manager/pull/2548 + # url = "github:nix-community/home-manager"; + url = "git+file:///home/grimmauld/coding/home-manager"; + # url = "github:pasqui23/home-manager/nixos-late-start"; + inputs.nixpkgs.follows = "nixpkgs"; }; }; @@ -48,15 +60,13 @@ nixos-mailserver, nixos-matrix-modules, aa-alias-manager, - nixpkgs-update, + # nixpkgs-update, + apparmor-dev, + home-manager, ... }: let patches = [ - { - url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch"; - hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY="; - } ]; customNixosSystem = 
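Review bot: The new `home-manager` input in flake.nix points at `git+file:///home/grimmauld/coding/home-manager`, an absolute path on one workstation, and the matching `home-manager_3` entry in flake.lock records a `dirtyRev`/`dirtyShortRev`, so the flake no longer evaluates for anyone else and the locked state is not tied to any commit that exists in a shared repository — the build is neither reproducible nor auditable. Until the upstream issue and PR linked in the comments are merged, pin a fork by revision instead (the commented `github:pasqui23/home-manager/nixos-late-start` line already shows the shape: `url = "github:<owner placeholder>/home-manager/<rev placeholder>";`) and commit a clean lock. Dropping the hard-coded nixpkgs pull-request patch from `patches` is a welcome simplification, and the `if patches == [ ] then nixpkgs.lib.nixosSystem else …` fallback in the next hunk avoids an unnecessary nixpkgs rebuild when the list is empty.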
@@ -68,7 +78,8 @@ src = inputs.nixpkgs; patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches; }; - nixosSystem = import (patched + "/nixos/lib/eval-config.nix"); + nixosSystem = + if patches == [ ] then nixpkgs.lib.nixosSystem else import (patched + "/nixos/lib/eval-config.nix"); in nixosSystem ( { @@ -104,12 +115,27 @@ grimm-nixos-ssd = customNixosSystem "x86_64-linux" { modules = [ agenix.nixosModules.default - chaotic.nixosModules.default + # chaotic.nixosModules.default aagl-gtk-on-nix.nixosModules.default ./configuration.nix aa-alias-manager.nixosModules.default + # apparmor-dev.nixosModules.default + ./perlless.nix ./specific/grimm-nixos-ssd/configuration.nix + ( + { modulesPath, ... }: + { + imports = [ + "${modulesPath}/profiles/hardened.nix" + # "${modulesPath}/profiles/perlless.nix" + ]; + } + ) + + home-manager.nixosModules.home-manager + ./hm + ./hardening ]; }; grimmauld-nixos-server = customNixosSystem "x86_64-linux" { diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/hardening/apparmor/apparmor-d-module.nix similarity index 100% rename from common/tooling/apparmor/apparmor-d-module.nix rename to hardening/apparmor/apparmor-d-module.nix diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix similarity index 82% rename from common/tooling/apparmor/apparmor-d-package.nix rename to hardening/apparmor/apparmor-d-package.nix index e9555de..6632b6b 100644 --- a/common/tooling/apparmor/apparmor-d-package.nix +++ b/hardening/apparmor/apparmor-d-package.nix 
@@ -1,27 +1,24 @@ { buildGoModule, fetchFromGitHub, - git, lib, unstableGitUpdater, }: buildGoModule { pname = "apparmor-d"; - version = "unstable-2024-10-12"; + version = "unstable-2025-01-13"; src = fetchFromGitHub { - rev = "db6c94ba5ad97112bc577cb66c2e1fa66df83a29"; + rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac"; owner = "roddhjav"; repo = "apparmor.d"; - hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U="; + hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM="; }; vendorHash = null; doCheck = false; - nativeBuildInputs = [ git ]; - patches = [ ./apparmor-d-prebuild.patch ]; diff --git a/common/tooling/apparmor/apparmor-d-prebuild.patch b/hardening/apparmor/apparmor-d-prebuild.patch similarity index 100% rename from common/tooling/apparmor/apparmor-d-prebuild.patch rename to hardening/apparmor/apparmor-d-prebuild.patch diff --git a/hardening/apparmor/bare.nix b/hardening/apparmor/bare.nix new file mode 100644 index 0000000..4ebac2c --- /dev/null +++ b/hardening/apparmor/bare.nix @@ -0,0 +1,25 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) enable tooling; + inherit (lib) mkIf; +in +{ + config = mkIf (enable && tooling.enable && config.security.apparmor.enable) { + services.dbus.apparmor = "enabled"; + security.auditd.enable = true; + + security.apparmor.enableCache = true; + + environment.systemPackages = with pkgs; [ apparmor-parser ]; + + # security.apparmor.aa-alias-manager.enable = false; + + security.audit.backlogLimit = 512; + + }; +} diff --git a/common/tooling/apparmor/default.nix b/hardening/apparmor/default.nix similarity index 97% rename from common/tooling/apparmor/default.nix rename to hardening/apparmor/default.nix index 1f72afd..03d77aa 100644 --- a/common/tooling/apparmor/default.nix +++ b/hardening/apparmor/default.nix 
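Review bot: `hardening/apparmor/bare.nix` is added but nothing visible in this commit imports it — `hardening/default.nix` imports `./apparmor`, which resolves to `apparmor/default.nix`, and that file's hunk does not reference `./bare.nix` — so the module appears to be dead code, and its settings (auditd, `enableCache`, `apparmor-parser`, `backlogLimit = 512`) duplicate what `apparmor/default.nix` already sets. If it is meant as a lighter alternative to the full apparmor.d setup, say so in a header comment and make it selectable from a host config, and note that importing both would make `security.audit.backlogLimit` conflict (512 here versus 8192 there) unless one side uses `lib.mkDefault`. The `mkIf` condition reads `config.security.apparmor.enable` without setting it, so the module is inert unless a host enables AppArmor elsewhere, which is fine but worth stating.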
@@ -16,15 +16,18 @@ in security.auditd.enable = true; security.apparmor.enableCache = true; + security.apparmor.killUnconfinedConfinables = false; security.apparmor.includes."tunables/alias.d/programs" = '' # alias / -> @{nix_store}/, alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, ''; + environment.systemPackages = with pkgs; [ apparmor-parser ]; + # security.apparmor.aa-alias-manager.enable = false; - security.audit.backlogLimit = 512; + security.audit.backlogLimit = 8192; security.apparmor_d = { enable = true; @@ -36,7 +39,7 @@ in pass = "enforce"; spotify = "enforce"; "thunderbird.apparmor.d" = "enforce"; - xdg-open = "enforce"; + # xdg-open = "enforce"; child-open-any = "enforce"; child-open = "enforce"; firefox-glxtest = "enforce"; @@ -115,6 +118,7 @@ in "local/xdg-open" = '' @{bin}/grep rix, + /** r, ''; "local/child-open" = '' diff --git a/hardening/default.nix b/hardening/default.nix new file mode 100644 index 0000000..79af69b --- /dev/null +++ b/hardening/default.nix @@ -0,0 +1,26 @@ +{ + lib, + pkgs, + config, + ... +}: +{ + imports = [ + ./systemd + ./ssh-as-sudo.nix + ./apparmor + ./opensnitch + ./security.nix + ]; + + specialisation.unhardened.configuration = { }; + # services.opensnitch.enable = lib.mkForce false; + + systemd.tpm2.enable = false; + systemd.enableEmergencyMode = false; + virtualisation.vswitch.enable = false; + # services.resolved.enable = false; + security.unprivilegedUsernsClone = true; + environment.defaultPackages = lib.mkForce [ ]; + environment.systemPackages = with pkgs; [ nano ]; +} diff --git a/common/tooling/opensnitch/block_lists.nix b/hardening/opensnitch/block_lists.nix similarity index 100% rename from common/tooling/opensnitch/block_lists.nix rename to hardening/opensnitch/block_lists.nix 
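Review bot: `security.apparmor.killUnconfinedConfinables = false;` reverses the `mkDefault true` that `profiles/hardened.nix` (imported in flake.nix in this same commit) sets, and the reason is not recorded. A why-comment is warranted, e.g. `# hardened.nix defaults this to true; left off so processes started before their profile loaded keep running instead of being killed at activation`. The raised `backlogLimit = 8192` likewise deserves a line saying what was overflowing the audit backlog (presumably the `ProcMonitorMethod = "audit"` experiment visible in hardening/opensnitch/default.nix — please confirm).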
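Review bot: `/** r,` in `local/xdg-open` grants read access to every file on the system to a profile whose job is opening arbitrary user-supplied targets, and it lands in the same commit that drops the explicit `xdg-open = "enforce"` (the `# xdg-open = "enforce";` line in the hunk above). If the rule is a stop-gap for denials seen in the audit log, narrow it to the paths actually reported and leave a comment naming the denial it papers over (`# TODO narrow: blanket read added for <denied path from audit log>`); a blanket `/** r` in a local override is easy to forget once the profile goes back into enforce mode.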
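Review bot: `specialisation.unhardened.configuration = { };` only undoes the parts of the tree that gate on `config.specialisation != { }`, which in this commit is the `./systemd` sandboxing; `./apparmor`, `./opensnitch`, `./ssh-as-sudo.nix`, `./security.nix` and the `profiles/hardened.nix` import in flake.nix apply to the specialisation too, so the boot entry is less "unhardened" than its name suggests. A comment spelling that out, such as `# "unhardened" only drops the systemd service sandboxes (modules gated on specialisation != {}); AppArmor, opensnitch and sshd settings stay`, prevents someone relying on it as a full fallback. `security.unprivilegedUsernsClone = true;` also deserves a note that it intentionally overrides the hardened profile's default (I assume Nix sandboxing and user-namespace based tooling need it — please confirm).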
diff --git a/common/tooling/opensnitch/default.nix b/hardening/opensnitch/default.nix similarity index 84% rename from common/tooling/opensnitch/default.nix rename to hardening/opensnitch/default.nix index ba6381b..201384d 100644 --- a/common/tooling/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix @@ -43,13 +43,20 @@ in config = mkIf (enable && tooling.enable && network) { environment.systemPackages = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; + networking.nftables.enable = true; + + # security.audit.enable = true; + systemd.services.opensnitchd.path = lib.optional ( + config.services.opensnitch.settings.ProcMonitorMethod == "audit" + ) pkgs.audit.bin; services.opensnitch = { enable = true; settings = { DefaultAction = "deny"; - Firewall = "iptables"; - LogLevel = 1; + Firewall = if config.networking.nftables.enable then "nftables" else "iptables"; + ProcMonitorMethod = "ftrace"; + # ProcMonitorMethod = "audit"; }; rules = { @@ -95,6 +102,34 @@ in }; }; + git = { + name = "git-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.git.outPath}/.*"; + }; + }; + + ssh = { + name = "ssh-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; + }; + }; + nsncd = mkIf (config.services.nscd.enableNsncd) { name = "nsncd-dns"; enabled = true; 
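Review bot: The new `git` and `ssh` rules allow any destination on any port for anything executed from the `git` and `openssh` store paths (`${lib.escapeRegex ...}/.*` covers helpers like `git-remote-http`, `scp` and `sftp` as well), which is the broadest shape a rule can take under `DefaultAction = "deny"`. The `nix`/`nix-index` rules in the next hunk already show the tighter pattern — a `list` operator with a `dest.port` entry — so an anchored `^(22|443)$`-style port entry (constructed example) would fit here without losing normal git-over-ssh/https use. Also note the path regexp is tied to `pkgs.git`/`pkgs.openssh` specifically; if a host actually runs `gitFull` or a home-manager `programs.git.package`, the store path differs and the rule never matches, which is worth a comment so a silent deny is not mistaken for an opensnitch bug.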
@@ -126,12 +161,76 @@ in { type = "simple"; operand = "user.id"; - data = "998"; + data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid); } ]; }; }; + nix-index = { + name = "nix-index"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.nix-index-unwrapped "nix-index"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "simple"; + sensitive = false; + operand = "dest.host"; + data = "cache.nixos.org"; + } + + ]; + }; + }; + + nix = { + name = "nix"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe pkgs.nix; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = "(channels|cache)\\.nixos\\.org"; + } + + ]; + }; + }; + localhost = { name = "localhost"; enabled = true; @@ -337,13 +436,13 @@ in }; }; - vesktop_daemon_allow_udp = mkIf (graphical) { + vesktop_daemon_allow_udp = mkIf graphical { name = "vesktop-allow-udp"; enabled = true; action = "allow"; precedence = true; duration = "always"; - # inherit created; + inherit created; operator = { type = "list"; operand = "list"; @@ -470,9 +569,9 @@ in data = getExe' pkgs.networkmanager "networkmanager"; } { - type = "simple"; + type = "regexp"; operand = "dest.port"; - data = "547"; + data = "547|67"; } # { # type ="simple"; @@ -549,7 +648,8 @@ in }; }; - nextcloud = mkIf (config.grimmShared.cloudSync.enable) { + nextcloud = mkIf (false) { + # config.grimmShared.cloudSync.enable name = "nextcloud"; enabled = true; action = "allow"; 
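Review bot: The `dest.port` regexps `"53|443"` in the new `nix-index` and `nix` rules (and `"547|67"` in the NetworkManager rule further down in this file) are unanchored, so they also match 5353, 8443, 6767 and so on; the same applies to `"(channels|cache)\\.nixos\\.org"` for `dest.host`, which matches any longer name containing that string. Anchor them: `data = "^(53|443)$";`, `data = "^(547|67)$";`, `data = "^(channels|cache)\\.nixos\\.org$";`. Since the `list` operator ANDs its entries, a port-53 connection in the `nix` rule is only allowed when `dest.host` also matches one of those names, which is unlikely to be true for the resolver itself — if DNS from `nix` is expected to work, it probably needs its own entry, and if not, `53` can simply be dropped from the port list.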
diff --git a/common/tooling/opensnitch/discord_hosts/hosts.list b/hardening/opensnitch/discord_hosts/hosts.list similarity index 100% rename from common/tooling/opensnitch/discord_hosts/hosts.list rename to hardening/opensnitch/discord_hosts/hosts.list diff --git a/common/tooling/opensnitch/spotify_hosts/hosts.list b/hardening/opensnitch/spotify_hosts/hosts.list similarity index 100% rename from common/tooling/opensnitch/spotify_hosts/hosts.list rename to hardening/opensnitch/spotify_hosts/hosts.list diff --git a/common/tooling/security.nix b/hardening/security.nix similarity index 61% rename from common/tooling/security.nix rename to hardening/security.nix index 596c533..848a14c 100644 --- a/common/tooling/security.nix +++ b/hardening/security.nix @@ -7,22 +7,18 @@ ... }: let - inherit (config.grimmShared) enable tooling graphical; inherit (lib) optional - optionals filterAttrs - mkForce - mkIf + mkDefault attrNames - mkEnableOption ; age_plugins = with pkgs; [ age-plugin-yubikey ]; in { - config = mkIf enable { - security.polkit.enable = true; + config = { + security.polkit.enable = mkDefault true; security.rtkit.enable = true; security.pam.yubico = { @@ -34,7 +30,8 @@ in }; # security.doas.enable = true; - security.sudo.enable = true; + security.sudo.enable = mkDefault true; + security.sudo.execWheelOnly = true; security.doas.extraRules = [ { @@ -59,12 +56,13 @@ in in lib.getExe' rage_wrapped "rage"; - programs.yubikey-touch-detector.enable = graphical; + programs.yubikey-touch-detector.enable = config.programs.sway.enable; + services.yubikey-agent.enable = true; environment.systemPackages = (with pkgs; [ mkpasswd - gnupg + # gnupg libsecret vulnix (inputs.agenix.packages."${system}".default.override { plugins = age_plugins; }) 
@@ -72,30 +70,28 @@ in yubikey-manager yubico-pam yubikey-personalization + pkgs.pass ]) ++ age_plugins - ++ (optionals (tooling.enable && tooling.pass) [ - pkgs.pass - (pkgs.writeShellScriptBin "passw" "pass $@") - ]) - ++ (optional config.security.doas.enable pkgs.sudo-doas-shim) - ++ (optional graphical pkgs.lxqt.lxqt-policykit); + ++ (optional config.security.doas.enable pkgs.sudo-doas-shim); + # ++ (optional graphical pkgs.lxqt.lxqt-policykit); - services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true; + services.passSecretService.enable = true; services.openssh.settings.LoginGraceTime = 0; - programs.gnupg.agent = { - settings = { - # default-cache-ttl = 6000; - }; - pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty); - enable = true; - enableSSHSupport = true; - }; - grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { + # programs.gnupg.agent = { + # settings = { + # # default-cache-ttl = 6000; + # }; + # pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty); + # enable = true; + # enableSSHSupport = true; + # }; + + grimmShared.firefox.plugins = { "passff@invicem.pro" = "passff"; }; - }; - options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling"; + programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ]; + }; } diff --git a/hardening/ssh-as-sudo.nix b/hardening/ssh-as-sudo.nix new file mode 100644 index 0000000..3743775 --- /dev/null +++ b/hardening/ssh-as-sudo.nix 
@@ -0,0 +1,33 @@ +{ pkgs, lib, ... }: +{ + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.challengeResponseAuthentication = false; + # settings.UsePAM = false; + openFirewall = lib.mkDefault false; + allowSFTP = lib.mkDefault false; + # startWhenNeeded = true; + extraConfig = '' + AllowTcpForwarding yes + X11Forwarding no + AllowAgentForwarding no + AllowStreamLocalForwarding no + AuthenticationMethods publickey + ''; + }; + + users.users.root = { + # isSystemUser = true; + # isNormalUser = true; + uid = 0; + openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ]; + # home = "/root"; + hashedPassword = null; + createHome = lib.mkForce true; + }; + + programs.ssh.startAgent = true; + # security.sudo.enable = false; + # services.yubikey-agent.enable = true; +} diff --git a/hardening/systemd/NetworkManager.nix b/hardening/systemd/NetworkManager.nix new file mode 100644 index 0000000..a1b4c45 --- /dev/null +++ b/hardening/systemd/NetworkManager.nix 
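Review bot: `services.openssh` here is configured as a local root-elevation path (root key from `../ssh/id_ed25519_sk.pub`, `PermitRootLogin` left at the NixOS default of `prohibit-password`) yet it listens on every interface and relies solely on `openFirewall = mkDefault false` to stay local; if the intent is "ssh as sudo", bind it explicitly, e.g. `listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "::1"; port = 22; } ];`, and reconsider `AllowTcpForwarding yes` for a root-only daemon. Separately, `programs.ssh.startAgent = true;` here and `services.yubikey-agent.enable = true;` in hardening/security.nix both export `SSH_AUTH_SOCK` only when it is unset, so which agent a login shell gets depends on the order in which the two `environment.extraInit` snippets are concatenated — pick one. `settings.challengeResponseAuthentication` is also not the declared option; `settings.KbdInteractiveAuthentication = false;` is, and the lowercase spelling only works because sshd keywords are case-insensitive.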
@@ -0,0 +1,61 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + NetworkManager.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + ]) + ]; + NoNewPrivileges = true; + RestrictNamespaces = "net uts"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + + PrivateDevices = true; + LockPersonality = true; + # PrivateUsers = true; # BAD + # ProtectKernelTunables = true; # BAD + + ProcSubset = "pid"; + ProtectSystem = true; + }; + + NetworkManager-dispatcher.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + ]) + ]; + UMask = "0700"; + NoNewPrivileges = true; + RestrictNamespaces = "net uts"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + + PrivateDevices = true; + LockPersonality = true; + # PrivateUsers = true; # BAD + # ProtectKernelTunables = true; # BAD + + ProcSubset = "pid"; + ProtectSystem = true; + }; + }; +} diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix new file mode 100644 index 0000000..bc5ca16 --- /dev/null +++ b/hardening/systemd/acpid.nix 
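Review bot: `RestrictNamespaces = "net uts";` is an allow-list — it permits creating net and uts namespaces and forbids the other types — which is probably the opposite of what a hardening file intends; the same allow-list form appears as `"pid"` in acpid.nix, ask-password.nix, auditd.nix, bluetooth.nix and cups.nix and as `"net"` in wpa_supplicant.nix, whereas nscd.nix, rtkit.nix, sshd.nix and tty.nix use the `~` deny form. If no namespace creation is intended, `RestrictNamespaces = true;` says so directly; if the listed types really must stay allowed, a comment naming the code path that needs them would help. The `NetworkManager` and `NetworkManager-dispatcher` blocks are otherwise identical except for `UMask`, so a shared binding keeps them from drifting apart and gives the `# BAD` exclusions (which should say what broke) a single home.
```nix
{ lib, config, ... }:
let
  netSandbox = {
    CapabilityBoundingSet = [
      ""
      (lib.concatStringsSep " " [
        "cap_net_bind_service"
        "cap_net_admin"
        "cap_net_raw"
      ])
    ];
    # … unchanged: NoNewPrivileges … ProtectSystem, as in the NetworkManager block …
  };
in
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    NetworkManager.serviceConfig = netSandbox;
    NetworkManager-dispatcher.serviceConfig = netSandbox // { UMask = "0700"; };
  };
}
```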
@@ -0,0 +1,26 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + acpid.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + ProtectSystem = true; + PrivateUsers = true; + PrivateNetwork = true; + RestrictRealtime = true; + IPAddressAllow = [ ]; + RestrictAddressFamilies = "AF_NETLINK AF_UNIX"; + }; + }; +} diff --git a/hardening/systemd/ask-password.nix b/hardening/systemd/ask-password.nix new file mode 100644 index 0000000..249c1dc --- /dev/null +++ b/hardening/systemd/ask-password.nix @@ -0,0 +1,41 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + systemd-ask-password-console.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + systemd-ask-password-wall.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + }; +} 
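Review bot: `IPAddressAllow = [ ];` in `acpid.serviceConfig` (and again in auditd.nix) does nothing on its own — an empty assignment merely resets the allow-list, and without an `IPAddressDeny=` there is no filter to allow against; for acpid `PrivateNetwork = true` already makes it moot. Either drop the line or make it a real policy with `IPAddressDeny = "any";` beside it. For ask-password.nix on the same physical line: `PrivateUsers = true` on `systemd-ask-password-console` is exactly the kind of setting the global hardening/systemd/default.nix deliberately skips for `systemd-*` units, so a comment recording that the console prompt (LUKS/boot password entry) was verified to still work would be reassuring.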
diff --git a/hardening/systemd/auditd.nix b/hardening/systemd/auditd.nix new file mode 100644 index 0000000..2228b67 --- /dev/null +++ b/hardening/systemd/auditd.nix @@ -0,0 +1,23 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + auditd.serviceConfig = { + # CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + ProtectSystem = true; + # PrivateUsers=true; + # PrivateNetwork=true; + RestrictRealtime = true; + IPAddressAllow = [ ]; + RestrictAddressFamilies = "AF_NETLINK"; + }; + }; +} diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix new file mode 100644 index 0000000..8832dc2 --- /dev/null +++ b/hardening/systemd/bluetooth.nix 
@@ -0,0 +1,42 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + bluetooth.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + + blueman-mechanism.serviceConfig = { + CapabilityBoundingSet = [ + "" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + PrivateUsers = true; + }; + }; +} diff --git a/hardening/systemd/cups.nix b/hardening/systemd/cups.nix new file mode 100644 index 0000000..961cf9a --- /dev/null +++ b/hardening/systemd/cups.nix 
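Review bot: `CapabilityBoundingSet = [ "" ];` on `bluetooth` clears the `CAP_NET_ADMIN CAP_NET_BIND_SERVICE` set that the upstream bluez unit ships with (as far as I recall), and `PrivateUsers = true` drops host capabilities regardless; bluetoothd normally needs `CAP_NET_ADMIN` for its HCI management socket, so if an adapter has been verified working under this profile a comment saying so (`# verified: adapter works without caps on <host placeholder>`) will stop the next reader from reverting it, and if it has not, this is the first thing to test. The same empty bounding set on `blueman-mechanism` is less risky since it only talks to bluez over D-Bus.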
@@ -0,0 +1,30 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + cups.serviceConfig = { + + CapabilityBoundingSet = [ + "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN" + ]; + NoNewPrivileges = true; + RestrictNamespaces = "pid"; + + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service @privileged"; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + ReadWritePaths = "/var/run/cups"; + + # PrivateUsers=true; + PrivateNetwork = true; + RestrictAddressFamilies = "AF_UNIX"; + # ProtectSystem=true; + }; + }; +} diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix new file mode 100644 index 0000000..7f20815 --- /dev/null +++ b/hardening/systemd/default.nix 
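Review bot: `PrivateNetwork = true` together with `RestrictAddressFamilies = "AF_UNIX"` turns cupsd into a local-socket-only daemon — no IPP over TCP, no network printer discovery or driver traffic — which fits the cups-pdf-only setup in specific/grimm-nixos-ssd/configuration.nix but will surprise anyone enabling a network printer later. A comment such as `# local socket only: this box prints to cups-pdf; drop PrivateNetwork/AF_UNIX-only for network printers` states the trade-off. `ReadWritePaths = "/var/run/cups"` also only changes what is writable when `ProtectSystem` (commented out right below) or a `ReadOnlyPaths` makes something read-only in the first place, so either enable the former or drop the line.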
@@ -0,0 +1,104 @@ +{ lib, config, ... }: +let + inherit (lib) mkDefault types mkIf; + eq = a: b: a == b; + noPred = + preds: x: + if preds == [ ] then + true + else if (lib.head preds) x then + false + else + noPred (lib.tail preds) x; +in +{ + imports = [ + ./NetworkManager.nix + ./wpa_supplicant.nix + ./auditd.nix + ./acpid.nix + ./cups.nix + ./bluetooth.nix + ./tty.nix + ./ask-password.nix + ./nix-daemon.nix + ./nscd.nix + ./rtkit.nix + ./sshd.nix + + ./global + ]; + + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule ( + { config, name, ... }: + { + config.serviceConfig = + let + shouldMakeIntrusive = ( + noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name + ); + in + mkIf (osConfig.specialisation != { }) ( + { + ProtectHome = mkDefault true; + # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! + } + // (lib.optionalAttrs shouldMakeIntrusive { + # PrivateTmp = mkDefault true; + # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical + # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); + # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); + SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); + }) + ); + } + ) + ); + }; + + config = mkIf (config.specialisation != { }) { + + systemd.services = { + opensnitchd.serviceConfig = { + ProtectHome = false; + PrivateTmp = false; + ProtectKernelLogs = false; + }; + "user-runtime-dir@".serviceConfig.ProtectHome = false; + "user@".serviceConfig.ProtectHome = false; + systemd-homed.serviceConfig.ProtectHome = false; + systemd-homed-activate.serviceConfig.ProtectHome = false; + sshd.serviceConfig.ProtectHome = false; + display-manager.serviceConfig.ProtectHome = "read-only"; + dbus-broker.serviceConfig.ProtectHome = "read-only"; + systemd-logind.serviceConfig.ProtectHome 
= false; + + nix-daemon.serviceConfig.ProtectHome = false; + + zfs-mount.serviceConfig.PrivateTmp = false; + kmod-static-nodes.serviceConfig.PrivateTmp = false; + mount-pstore.serviceConfig.PrivateTmp = false; + # todo: tpm things + + #polkit.serviceConfig.NoNewPrivileges = false; + #"getty@".serviceConfig.NoNewPrivileges = false; + #"user@".serviceConfig.NoNewPrivileges = false; + + # todo: dbus? + + auditd.serviceConfig.ProtectKernelLogs = false; + audit.serviceConfig.ProtectKernelLogs = false; + + "getty@".serviceConfig.SystemCallFilter = ""; + display-manager.serviceConfig.SystemCallFilter = ""; + sshd.serviceConfig.SystemCallFilter = ""; + rtkit-daemon.serviceConfig.SystemCallFilter = ""; + }; + }; +} diff --git a/hardening/systemd/global/clock.nix b/hardening/systemd/global/clock.nix new file mode 100644 index 0000000..6ffcb2e --- /dev/null +++ b/hardening/systemd/global/clock.nix @@ -0,0 +1,37 @@ +{ lib, config, ... }: +let + inherit (lib) mkDefault types mkIf; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule ( + { config, name, ... }: + { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + ProtectClock = mkDefault true; + }; + } + ) + ); + }; + + config = mkIf (config.specialisation != { }) { + + systemd.services = { + systemd-timesyncd.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + + save-hwclock.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + }; + }; +} diff --git a/hardening/systemd/global/default.nix b/hardening/systemd/global/default.nix new file mode 100644 index 0000000..65572f2 --- /dev/null +++ b/hardening/systemd/global/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./hostname.nix + ./clock.nix + ./realtime.nix + ]; +} diff --git a/hardening/systemd/global/hostname.nix b/hardening/systemd/global/hostname.nix new file mode 100644 index 0000000..6ef5e25 
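Review bot: The `sshd.serviceConfig.SystemCallFilter = ""` and `rtkit-daemon.serviceConfig.SystemCallFilter = ""` entries in the `config` block collide with the lists that sshd.nix and rtkit.nix (same commit) assign to the same option: NixOS merges unit options by concatenation once any definition is a list, so the generated unit carries a resetting `SystemCallFilter=` line next to the allow-list, and whether the reset lands before or after the list depends on module evaluation order. They look like leftovers from the now-commented global `SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service")`; with that default gone, the `""` overrides (including `getty@` and `display-manager`) can be deleted — tty.nix already has to `mkForce` its way past one of them. Style-wise `noPred` is `!lib.any`, so `shouldMakeIntrusive = !lib.any (p: p name) [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ];` reads more clearly, and the `mkIf shouldMakeIntrusive` inside `lib.optionalAttrs shouldMakeIntrusive { ... }` is redundant.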
--- /dev/null +++ b/hardening/systemd/global/hostname.nix @@ -0,0 +1,29 @@ +{ lib, config, ... }: +let + inherit (lib) types mkIf mkDefault; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule ( + { config, name, ... }: + { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + ProtectHostname = mkDefault true; + }; + } + ) + ); + }; + + config = mkIf (config.specialisation != { }) { + systemd.services = { + systemd-hostnamed.serviceConfig.ProtectHostname = false; + nix-daemon.serviceConfig.ProtectHostname = false; + }; + }; +} diff --git a/hardening/systemd/global/realtime.nix b/hardening/systemd/global/realtime.nix new file mode 100644 index 0000000..53aaea9 --- /dev/null +++ b/hardening/systemd/global/realtime.nix @@ -0,0 +1,27 @@ +{ lib, config, ... }: +let + inherit (lib) mkDefault types mkIf; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + RestrictRealtime = mkDefault true; + }; + } + + ); + }; + + config = mkIf (config.specialisation != { }) { + + systemd.services = { + rtkit-daemon.serviceConfig.RestrictRealtime = false; + }; + }; +} diff --git a/hardening/systemd/nix-daemon.nix b/hardening/systemd/nix-daemon.nix new file mode 100644 index 0000000..09c1dee --- /dev/null +++ b/hardening/systemd/nix-daemon.nix 
@@ -0,0 +1,76 @@ +{ + lib, + config, + ... +}: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + nix-daemon.serviceConfig = { + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; # good, somehow??? + + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + "AF_NETLINK" # needed for some checks + ]; # needed to download sources and caches + RestrictNamespaces = [ + "user" + "net" + "uts" + "mnt" + "ipc" + "pid" + ]; # namespaces needed for sandboxing + SystemCallFilter = [ + "@system-service" + "@cpu-emulation" + "@mount" + "@privileged" + ]; + + LockPersonality = true; + ProtectControlGroups = true; + ProtectKernelModules = true; # todo: does kvm need a modprobe here? + PrivateMounts = true; + ProtectProc = "invisible"; + ProtectClock = true; + + # file system + # PrivateTmp = true; # breaks --keep-failed + ProtectSystem = "strict"; + ReadWritePaths = [ + "/nix" + "/tmp" + ]; + + # Scheduling: only do as much as resources are available + LimitNICE = 1; + Nice = 19; + RestrictRealtime = true; + + # devices + DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices + DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests + + CapabilityBoundingSet = [ + "CAP_FOWNER" + "CAP_CHOWN" + "CAP_SETUID" + "CAP_SETGID" + "CAP_SYS_ADMIN" + "CAP_DAC_OVERRIDE" + ]; + + # ProtectKernelLogs=true; # BAD + # ProtectKernelTunables = true; # BAD + # PrivateUsers=true; BAD + # ProtectHome = "read-only"; # BAD + # ProtectHostname = true; # BAD! + # PrivateNetwork = true; # BAD! + }; + }; +} diff --git a/hardening/systemd/nscd.nix b/hardening/systemd/nscd.nix new file mode 100644 index 0000000..1079d21 --- /dev/null +++ b/hardening/systemd/nscd.nix 
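Review bot: The seccomp-based settings on `nix-daemon` — `MemoryDenyWriteExecute`, `SystemCallArchitectures = "native"`, `SystemCallFilter`, `LockPersonality`, `RestrictAddressFamilies` — are inherited by every builder the daemon forks, since seccomp filters survive fork/exec and cannot be dropped by the child; the `@cpu-emulation @mount @privileged` additions already hint at that. Concretely, `SystemCallArchitectures = "native"` rejects the 32-bit syscalls of any locally built `pkgsi686Linux` derivation (gaming.nix enables Steam, which pulls such packages), and `MemoryDenyWriteExecute` breaks any build that JITs (a JVM in a Gradle build, LuaJIT, QEMU user emulation). These only bite when something is built locally rather than substituted, so they can go unnoticed for a while — a comment above the block (`# NOTE: the seccomp settings here apply to every builder, not just the daemon`) and an explicit decision on whether MDWE is worth that would help. `RestrictSUIDSGID = true; # good, somehow???` can get its answer: the store never keeps setuid/setgid bits (Nix canonicalises modes when registering outputs), so builders have no legitimate reason to create them.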
@@ -0,0 +1,55 @@ +{ + lib, + config, + ... +}: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + nscd.serviceConfig = { + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = [ + "~pid" + "~user" + "~net" + "~uts" + "~mnt" + "~cgroup" + "~ipc" + ]; + SystemCallFilter = "@system-service"; + + LockPersonality = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + PrivateMounts = true; + ProtectProc = "invisible"; + ProtectClock = true; + + # file system + PrivateTmp = true; + ProtectSystem = "strict"; + RestrictRealtime = true; + + PrivateUsers = true; + PrivateDevices = true; + + CapabilityBoundingSet = [ + "CAP_SETGID" + "CAP_SETUID" + "cap_dac_override" + ]; + + ProtectKernelLogs = true; + ProtectKernelTunables = true; + ProtectHostname = true; + }; + }; +} diff --git a/hardening/systemd/rtkit.nix b/hardening/systemd/rtkit.nix new file mode 100644 index 0000000..7a3aa6c --- /dev/null +++ b/hardening/systemd/rtkit.nix 
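Review bot: `RestrictNamespaces = [ "~pid" "~user" "~net" "~uts" "~mnt" "~cgroup" "~ipc" ];` enumerates all seven namespace types documented in systemd.exec(5) as a deny-list, which is `RestrictNamespaces = true;` spelled the long way — and unlike `true` it silently stops covering any namespace type systemd adds later. The same list is repeated in rtkit.nix, sshd.nix and tty.nix; either collapse all four to `true` or keep the list in one shared binding. Minor: `"cap_dac_override"` is lowercase next to `"CAP_SETGID"`/`"CAP_SETUID"` (here and in sshd.nix); systemd accepts both, but one spelling per file reads better.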
@@ -0,0 +1,56 @@ +{ + lib, + config, + ... +}: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + rtkit-daemon.serviceConfig = { + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; + RestrictAddressFamilies = "AF_UNIX"; + RestrictNamespaces = [ + "~pid" + "~user" + "~net" + "~uts" + "~mnt" + "~cgroup" + "~ipc" + ]; + SystemCallFilter = [ + "@system-service" + "@chroot" + "@mount" + ]; + + LockPersonality = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + PrivateMounts = true; + ProtectClock = true; + + PrivateTmp = true; + ProtectSystem = "strict"; + RestrictRealtime = false; # important + PrivateDevices = true; + ProcSubset = "pid"; + + CapabilityBoundingSet = [ + "CAP_SYS_NICE" + "CAP_DAC_READ_SEARCH" + "CAP_SYS_CHROOT" + "CAP_SETGID" + "CAP_SETUID" + ]; + + ProtectKernelLogs = true; + ProtectKernelTunables = true; + ProtectHome = true; + ProtectHostname = true; + PrivateNetwork = true; + }; + }; +} diff --git a/hardening/systemd/sshd.nix b/hardening/systemd/sshd.nix new file mode 100644 index 0000000..ce3d2e9 --- /dev/null +++ b/hardening/systemd/sshd.nix 
@@ -0,0 +1,62 @@ +{ + lib, + config, + ... +}: +{ + config.systemd.services = { + sshd.serviceConfig = { + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = [ + "~pid" + "~user" + "~net" + "~uts" + "~mnt" + "~cgroup" + "~ipc" + ]; + SystemCallFilter = [ + "@system-service" + "@privileged" + ]; + + LockPersonality = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + PrivateMounts = true; + ProtectProc = "invisible"; + ProtectClock = true; + ProtectHostname = true; + + # file system + PrivateTmp = true; + ProtectSystem = "strict"; + ReadWritePaths = "/etc/ssh"; + RestrictRealtime = true; + DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices + + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_SETGID" + "CAP_SETUID" + "CAP_SYS_CHROOT" + "cap_dac_override" + ]; + + ProtectKernelLogs = true; + ProtectKernelTunables = true; + PrivateUsers = false; # important + ProtectHome = false; # important + NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells + PrivateNetwork = false; # important + }; + }; +} diff --git a/hardening/systemd/tty.nix b/hardening/systemd/tty.nix new file mode 100644 index 0000000..0dd1476 --- /dev/null +++ b/hardening/systemd/tty.nix 
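Review bot: `sshd.serviceConfig` is the only block under `hardening/systemd/` not wrapped in `lib.mkIf (config.specialisation != { })`, so the `unhardened` specialisation keeps it; if that is intentional for the ssh-as-sudo path a comment should say so, otherwise add the guard like the sibling files. More importantly, a root session over this sshd (and every TTY login under the `getty@` block in tty.nix) inherits the unit's mount namespace, seccomp state and capability bounding set: `ProtectSystem = "strict"` plus `ReadWritePaths = "/etc/ssh"` leaves `/nix`, `/etc`, `/var`, `/home` and `/run` read-only for that shell, `PrivateTmp` gives it a detached `/tmp`, `MemoryDenyWriteExecute`/`SystemCallFilter` forbid JITs and filtered syscalls in anything it runs, and the bounding set strips `CAP_SYS_ADMIN`, `CAP_CHOWN` and `CAP_FOWNER` from "root" — hard to square with a shell meant to replace `sudo` for `nixos-rebuild`. tty.nix additionally gives `getty@` `PrivateNetwork = true` and `RestrictAddressFamilies = "AF_UNIX"`, i.e. console logins with no network, which is precisely the recovery path one wants when sshd or opensnitch misbehaves. For these two units either keep only restrictions that are acceptable for the login shell too, or none; either way please document the choice at the top of each file, e.g. `# NOTE: everything below is inherited by the login shells this unit spawns`.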
@@ -0,0 +1,47 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + "getty@".serviceConfig = { + + CapabilityBoundingSet = [ + "CAP_CHOWN" + "CAP_FOWNER" + "CAP_FSETID" + "CAP_SETGID" + "CAP_SETUID" + "CAP_SYS_NICE" + "CAP_SYS_RESOURCE" + "CAP_SYS_TTY_CONFIG" + ]; + + # NoNewPrivileges = true; + + RestrictNamespaces = [ + "~pid" + "~user" + "~net" + "~uts" + "~mnt" + "~cgroup" + "~ipc" + ]; + + ProtectControlGroups = true; + ProtectHome = false; + # ProtectClock = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + MemoryDenyWriteExecute = true; + # RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = lib.mkForce "@system-service"; + LockPersonality = true; + ProtectProc = "invisible"; + + # PrivateUsers=true; + PrivateNetwork = true; + RestrictAddressFamilies = "AF_UNIX"; + # ProtectSystem=true; + }; + }; +} diff --git a/hardening/systemd/wpa_supplicant.nix b/hardening/systemd/wpa_supplicant.nix new file mode 100644 index 0000000..008fadd --- /dev/null +++ b/hardening/systemd/wpa_supplicant.nix @@ -0,0 +1,29 @@ +{ lib, config, ... }: +{ + config.systemd.services = lib.mkIf (config.specialisation != { }) { + wpa_supplicant.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + "cap_net_broadcast" + ]) + ]; + NoNewPrivileges = true; + RestrictNamespaces = "net"; + ProtectControlGroups = true; + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + LockPersonality = true; + + ProcSubset = "pid"; + ProtectSystem = true; + }; + }; +} diff --git a/hm/common/default.nix b/hm/common/default.nix new file mode 100644 index 0000000..eac188b --- /dev/null +++ b/hm/common/default.nix 
@@ -0,0 +1,165 @@ +{ + pkgs, + config, + osConfig, + lib, + ... +}: +let + getIfHas = + path: attrs: + if path == [ ] then + attrs + else if builtins.hasAttr (builtins.head path) attrs then + getIfHas (builtins.tail path) (builtins.getAttr (builtins.head path) attrs) + else + null; + + osConfigGetIfHasOrFalse = path: lib.defaultTo false (getIfHas (lib.splitString "." path) osConfig); + + user = config.home.username; + homedir = config.home.homeDirectory; + graphical = osConfigGetIfHasOrFalse "grimmShared.graphical"; +in +{ + home.preferXdgDirectories = true; + + home.packages = + with pkgs; + [ + deskwhich + ] + ++ lib.optionals graphical [ + # imhex + # libreoffice-qt + filezilla + obsidian + nomacs + pdfarranger + krita + # weasis + + # kicad + prusa-slicer + freecad + openscad + + vlc + # blender + ]; + + home.shellAliases = { + ":q" = "exit"; + "ls" = "eza"; + "lix" = "nix"; + "l" = "eza -hla"; + "vi" = "hx"; + "bat" = "bat --theme=Dracula"; + }; + programs.thunderbird = { + enable = graphical; + profiles.default = { + isDefault = true; + }; + }; + + programs.zathura.enable = graphical; + programs.bash = { + enable = true; + enableCompletion = true; + }; + + services.mpris-proxy.enable = true; + # services.ssh-agent.enable = true; + + programs.alacritty = { + enable = graphical; + settings = { + font.size = 16; + font.normal = { + family = "Noto Sans Mono"; + }; + window.opacity = 0.85; + }; + }; + + programs.starship = { + enable = true; + enableBashIntegration = true; + settings = { + format = "$all$directory$character"; + nodejs.disabled = true; + cmake.symbol = "cmake "; + custom.shell = { + command = "basename $SHELL"; + when = "test -v SHELL"; + format = " in [$output]($style)"; + # ignore_timeout = true; + }; + # env_var.SHELL = {variable = "SHELL"; default = ""; }; + }; + }; + + programs.fzf.enable = true; + programs.fzf.tmux.enableShellIntegration = true; + + programs.thefuck = { + enable = true; + enableBashIntegration = true; + }; + + programs.helix 
= { + enable = true; + defaultEditor = true; + settings = { + editor.cursor-shape.insert = "bar"; + theme = "base16_transparent"; + }; + extraPackages = with pkgs; [ + marksman + nixd + ]; + }; + + programs.tmux = { + enable = true; + clock24 = true; + historyLimit = 50000; + newSession = true; + }; + + systemd.user.enable = true; + systemd.user.tmpfiles.rules = lib.optional (osConfigGetIfHasOrFalse "services.printing.cups-pdf.enable") "L ${homedir}/PDF - - - - /var/spool/cups-pdf-pdf/users/${user}"; + + xdg.userDirs = { + enable = true; + createDirectories = true; + }; + + programs.gradle = { + enable = true; + settings = { + "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk"; + "org.gradle.java.installations.auto-detect" = false; + }; + }; + + programs.gpg = { + enable = true; + mutableKeys = true; + publicKeys = [ + { + source = ./grimmauld.gpg; + trust = 5; + } + ]; + }; + + services.gpg-agent = { + enable = true; + enableBashIntegration = true; + pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty; + }; + + xdg.mimeApps.enable = true; +} diff --git a/hm/common/grimmauld.gpg b/hm/common/grimmauld.gpg new file mode 100644 index 0000000..6608f8c --- /dev/null +++ b/hm/common/grimmauld.gpg @@ -0,0 +1,13 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEZeWqmhYJKwYBBAHaRw8BAQdACKQ7AccQjQMiMDY6+nphi8oSUohhxZj7RsIM +njgO4Y+0ImdyaW1tYXVsZCA8Z3JpbW1hdWxkQGdyaW1tYXVsZC5kZT6IkwQTFgoA +OwIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBEG7Bl4dtk7UdboqKcKU +Zmh2n5H7BQJl5auwAAoJEMKUZmh2n5H72YUBAJ3zrSkZcDG2v0ukGNKpnJVNua97 +fahtqNyP4v7k9RJsAP46aa/bvBaI5SnW1r77HJhDVCVQiVmd7OwDBpJt2pbsDbg4 +BGXlqpoSCisGAQQBl1UBBQEBB0CAWlTea3qf9fYaCFWSRVrwze1KsLgxzwhTpXu1 +VPuwYQMBCAeIeAQYFgoAIAIbDBYhBEG7Bl4dtk7UdboqKcKUZmh2n5H7BQJl5awq +AAoJEMKUZmh2n5H7VeIA/25BgwoLifMQBhcGwqC+9LVmi7RMDZn1exOH/6QFFmUf +AQCwC1kQCg1IXozYp666CmUAWy7L/5v14N6v8iOGlQUlAQ== +=JIcg +-----END PGP PUBLIC KEY BLOCK----- 
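Review bot: `getIfHas` plus `lib.defaultTo` reimplement `lib.attrByPath`: `osConfigGetIfHasOrFalse = path: lib.attrByPath (lib.splitString "." path) false osConfig;` covers the missing-path case in one line (the only difference is that the current version also maps an existing `null` value to `false`; keep `lib.defaultTo false` around it if that matters). `programs.gpg.publicKeys` imports the bundled `grimmauld.gpg` with `trust = 5`, i.e. ultimate trust; a comment that this is the user's own key (`# own key, hence ultimate trust`) makes that obviously deliberate rather than a copy of an example.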
diff --git a/hm/default.nix b/hm/default.nix new file mode 100644 index 0000000..a107340 --- /dev/null +++ b/hm/default.nix @@ -0,0 +1,13 @@ +{ + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + useUserService = true; + + sharedModules = [ + { home.stateVersion = "24.11"; } + ./common + ]; + }; + imports = [ ./grimmauld ]; +} diff --git a/hm/gradle.properties b/hm/gradle.properties new file mode 100644 index 0000000..49d538f --- /dev/null +++ b/hm/gradle.properties @@ -0,0 +1,2 @@ +org.gradle.java.home=/nix/store/1fylwjqscywqb5xxsi258h0ka3pz4ax6-openjdk-17.0.11+9/lib/openjdk +org.gradle.java.installations.auto-detect=false diff --git a/hm/grimmauld/default.nix b/hm/grimmauld/default.nix new file mode 100644 index 0000000..6268946 --- /dev/null +++ b/hm/grimmauld/default.nix @@ -0,0 +1,15 @@ +let + username = "grimmauld"; +in +{ + home-manager.users."${username}" = { + home = { + inherit username; + homeDirectory = "/home/${username}"; + + file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk; + file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub; + file.".cups/lpoptions".text = "Default pdf\n"; + }; + }; +} diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 85f169d..b96d4cc 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
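Review bot: `hm/gradle.properties` hard-codes `/nix/store/1fylwjqscywqb5xxsi258h0ka3pz4ax6-openjdk-17.0.11+9/lib/openjdk`, a path nothing in this configuration references or GC-roots, while `programs.gradle.settings` in hm/common/default.nix already generates the same two keys from `${pkgs.openjdk}`; the file looks like a stale artefact and can be dropped. In hm/grimmauld/default.nix, `home.file.".ssh/id_ed25519_sk".source` copies the FIDO key handle into the world-readable Nix store — it cannot sign without the physical token, so it is not a credential leak by itself, but it is still a per-user secret file that every local account can read; if that trade-off is accepted, say so next to the line (`# sk key handle: useless without the token; store copy is world-readable by design`), otherwise provision it outside the store.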
@@ -35,13 +35,14 @@ in
 port = ports.redis_nextcloud_port.port;
 };
- systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
- #!${pkgs.runtimeShell}
- nextcloud-occ config:system:set redis 'host' --value '::1' --type string
- nextcloud-occ config:system:set redis '${builtins.toString config.services.redis.servers.nextcloud.port}' --value 6379 --type integer
- nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
- nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
- '';
+ systemd.services.nextcloud-setup.serviceConfig.ExecStartPost =
+ pkgs.writeScript "nextcloud-redis.sh" ''
+ #!${pkgs.runtimeShell}
+ nextcloud-occ config:system:set redis 'host' --value '::1' --type string
+ nextcloud-occ config:system:set redis '${builtins.toString config.services.redis.servers.nextcloud.port}' --value 6379 --type integer
+ nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
+ nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
+ '';
 services.nextcloud = {
 enable = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index d6c64f1..bebf9bf 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -38,7 +38,8 @@
 ./ooye.nix
 ./factorio.nix
 ./ranger.nix
- ./ncspot.nix
- ./grpcio-tools.nix
+ ./opensnitch-ui.nix
+ # ./ncspot.nix
+ # ./grpcio-tools.nix
 ];
 }
diff --git a/overlays/opensnitch-ui.nix b/overlays/opensnitch-ui.nix
new file mode 100644
index 0000000..9b8d440
--- /dev/null
+++ b/overlays/opensnitch-ui.nix
@@ -0,0 +1,6 @@
+{ final, prev, ... }:
+{
+ opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
+ propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
+ });
+}
diff --git a/perlless.nix b/perlless.nix
new file mode 100644
index 0000000..b469e38
--- /dev/null
+++ b/perlless.nix
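Review bot: The second `nextcloud-occ` line in the reindented script has its key and value swapped: `config:system:set redis '${builtins.toString config.services.redis.servers.nextcloud.port}' --value 6379 --type integer` creates a Redis setting named after the port number and sets it to 6379, so the real `port` key is never written and Nextcloud keeps contacting 6379 while the server listens on `ports.redis_nextcloud_port.port`. It should read `nextcloud-occ config:system:set redis 'port' --value '${builtins.toString config.services.redis.servers.nextcloud.port}' --type integer`. The commit only reindents this block, so the defect predates it, but the new side is the version that will keep running.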
@@ -0,0 +1,27 @@
+{ lib, pkgs, ... }:
+
+{
+
+ # Remove perl from activation
+ boot.initrd.systemd.enable = lib.mkDefault true;
+ system.etc.overlay.enable = lib.mkDefault true;
+ services.userborn.enable = lib.mkDefault true;
+
+ # Random perl remnants
+ system.disableInstallerTools = lib.mkDefault true;
+ programs.less.lessopen = lib.mkDefault null;
+ programs.command-not-found.enable = lib.mkDefault false;
+ boot.enableContainers = lib.mkDefault false;
+ boot.loader.grub.enable = lib.mkDefault false;
+ environment.defaultPackages = lib.mkDefault [ ];
+ documentation.info.enable = lib.mkDefault false;
+
+ # Check that the system does not contain a Nix store path that contains the
+ # string "perl".
+ # system.forbiddenDependenciesRegexes = [ "perl" ];
+
+ # Re-add nixos-rebuild to the systemPackages that was removed by the
+ # `system.disableInstallerTools` option.
+ environment.systemPackages = [ pkgs.nixos-rebuild ];
+
+}
diff --git a/result-man b/result-man
new file mode 120000
index 0000000..5b1e78b
--- /dev/null
+++ b/result-man
@@ -0,0 +1 @@
+/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man
\ No newline at end of file
diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix
index bb39fbe..f2617a1 100644
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 ...
 }:
 {
@@ -15,6 +16,8 @@
 services.zfs.trim.enable = true;
 boot.supportedFilesystems.zfs = true;
+ # systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
+ # security.pam.yubico.control = "required";
 services.printing.cups-pdf.enable = true; # implies printing enable
@@ -26,7 +29,8 @@
 grimmShared = {
 tooling = {
- pass = true;
+ enable = true;
+ # pass = true;
 };
 gaming = true;
 portals = true;
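Review bot: `result-man` is a `nix build` output symlink (mode 120000, pointing at `/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man`) that was committed by accident; it carries nothing reproducible and the target will not exist on any other machine or after the next garbage collection. Remove it from the tree and add `result*` to `.gitignore` so later builds cannot reintroduce it.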
@@ -49,20 +53,20 @@
 "shinigamieyes@shinigamieyes" = "shinigami-eyes";
 };
 };
- cloudSync = {
- enable = true;
- username = "Grimmauld";
- server = "cloud.grimmauld.de";
- passwordFile = config.age.secrets.nextcloud_pass.path;
- };
+ # cloudSync = {
+ # enable = true;
+ # username = "Grimmauld";
+ # server = "cloud.grimmauld.de";
+ # passwordFile = config.age.secrets.nextcloud_pass.path;
+ # };
 spotify.enable = true;
 };
- age.secrets.nextcloud_pass = {
- file = ./../../secrets/nextcloud_pass.age;
- mode = "777";
- };
+ # age.secrets.nextcloud_pass = {
+ # file = ./../../secrets/nextcloud_pass.age;
+ # mode = "777";
+ # };
 networking.hostName = "grimm-nixos-ssd";
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 98fb981..fe7d6fa 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -1,6 +1,3 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
 config,
 lib,
@@ -9,6 +6,12 @@
 ...
 }:
+let
+ nix_build = "/nix/build-sandbox";
+ persist = "/nix/persist";
+ tmp-exec = "/tmp-exec";
+in
+
 {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
@@ -21,7 +24,7 @@
 "usbhid"
 "uas"
 "sd_mod"
- "kvm-intel"
+ # "kvm-intel"
 ];
 boot.initrd.kernelModules = [
 "zfs"
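Review bot: The commented-out `age.secrets.nextcloud_pass` block keeps `# mode = "777";`, so the day it is uncommented the decrypted secret becomes world-readable and world-writable again. If it comes back, bind it to the user that runs the sync instead, e.g. `owner = "grimmauld"; mode = "0400";` (agenix exposes `owner`, `group` and `mode`), and leave `passwordFile` pointing at `config.age.secrets.nextcloud_pass.path` as before; a one-line comment saying why it was disabled would also spare the next reader from guessing.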
@@ -31,51 +34,196 @@
 "usb_storage"
 "nvme"
 ];
+
+ boot.kernelModules = [
+ "iwlwifi"
+ "iwlmvm"
+ "mac80211"
+ "bluetooth"
+ "cfg80211"
+ "kvm-intel"
+ ];
+ boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ boot.kernelParams = [ "nosgx" ];
+
+ security.lockKernelModules = false; # PAIN on an intended-portable setup
+ # security.protectKernelImage = false;
+
+ boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
+ boot.loader.systemd-boot.consoleMode = "auto";
+
+ systemd.tmpfiles.settings."mount"."/mnt".d = {
+ group = "root";
+ mode = "755";
+ user = "root";
+ };
+
 boot.zfs = {
 forceImportRoot = false;
 requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
- # [
- # "zpool/home"
- # "zpool/root"
- # "zpool/nix"
- # "zpool/var"
- # ];
 };
- boot.kernelModules = [ "kvm-intel" ];
+ boot.supportedFilesystems.zfs = true;
 networking.hostId = "40fa5ea8";
 # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- boot.kernelPackages = pkgs.linuxPackages_6_6;
+ boot.kernelPackages = pkgs.linuxPackages_6_12;
 boot.extraModulePackages = [ ];
- boot.kernelParams = [ "mds=full,nosmt" ];
 services.homed.enable = true;
 fileSystems."/" = {
- device = "zpool/root";
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=2G"
+ "mode=755"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+
+ fileSystems."${persist}" = {
+ device = "zpool/persistent";
 fsType = "zfs";
+ options = [
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+
+ environment.etc =
+ lib.genAttrs
+ [
+ "machine-id"
+ "ssh/ssh_host_ed25519_key"
+ "ssh/ssh_host_ed25519_key.pub"
+ "ssh/ssh_host_rsa_key"
+ "ssh/ssh_host_rsa_key.pub"
+ ]
+ (n: {
+ source = "${persist}/etc/${n}";
+ });
+
+ environment.memoryAllocator.provider = "libc";
+
+ fileSystems."/nix/var" = {
+ device = "/nix/var";
+ options = [
+ "bind"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+
+ fileSystems."/etc/NetworkManager/system-connections" = {
+ device = "${persist}/etc/NetworkManager/system-connections";
+ options = [
+ "bind"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
 };
 fileSystems."/nix" = {
 device = "zpool/nix";
 fsType = "zfs";
+ options = [
+ "exec"
+ "suid"
+ "nodev"
+ ];
 };
 fileSystems."/var" = {
 device = "zpool/var";
 fsType = "zfs";
+ options = [
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
 };
+ fileSystems."${nix_build}" = {
+ # can execute
+ device = "zpool/nix-build";
+ fsType = "zfs";
+ options = [
+ "exec"
+ "nosuid"
+ "nodev"
+ ];
+ };
+
+ fileSystems."${tmp-exec}" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=2G"
+ "exec"
+ "nosuid"
+ "nodev"
+ "mode=1777"
+ ];
+ };
+
+ # environment.sessionVariables."java.io.tmpdir" = tmp-exec;
+
+ # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
+
+ systemd.tmpfiles.rules = [
+ "D! ${nix_build} 0755 root root 7d"
+ "D! /var/cache 0755 root root 7d"
+ "e! /var/.Trash-0 0755 root root 14d"
+ "D! /var/tmp 0755 root root 14d"
+ # "D!
/root 0700 root root"
+ ];
+
+ systemd.user.tmpfiles.users =
+ let
+ forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
+ in
+ lib.mergeAttrsList (
+ forEachUser (
+ name: user: {
+ "${name}".rules = [
+ # "d /home/${user}/Downloads - - - 14d"
+ "e ${user.home}/.vim/undodir - - - 7d"
+ "d ${user.home}/.cache - - - 7d"
+ "e ${user.home}/.java - - - 7d"
+ "e ${user.home}/.gradle - - - 7d"
+ "e ${user.home}/.cargo - - - 7d"
+ "e ${user.home}/.rustup - - - 7d"
+ "e ${user.home}/.templateengine - - - 7d"
+ "e ${user.home}/.sane - - - 7d"
+ "e ${user.home}/.dotnet - - - 7d"
+ "e ${user.home}/.nuget - - - 7d"
+ # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
+ ];
+ }
+ )
+ );
+
+ systemd.services.nix-daemon.environment.TMPDIR = nix_build;
+
 fileSystems."/etc/nixos" = {
 device = "zpool/nix_conf";
 fsType = "zfs";
- options = [ "noacl" ];
+ options = [
+ "noacl"
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
 };
- # fileSystems."/home" =
- # { device = "zpool/home";
- # fsType = "zfs";
- # };
-
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/12CE-A600";
 fsType = "vfat";
@@ -83,7 +231,12 @@
 "fmask=0022"
 "dmask=0022"
 "umask=077"
+ "noexec"
+ "nosuid"
+ "nodev"
 ];
+ # noCheck = true;
+ # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
 };
 grimmShared = {
@@ -110,11 +263,6 @@
 # options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
 # };
- # fileSystems."/home/grimmauld" =
- # { device = "zpool/home/grimmauld";
- # fsType = "zfs";
- # };
-
 security.pam = {
 zfs = {
 enable = true;
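Review bot: `fileSystems."/nix"` is the only mount in this hunk that carries `"suid"` (next to `"exec"`), and the flag buys nothing: Nix clears setuid/setgid bits when it canonicalises store paths and NixOS serves its setuid helpers from `/run/wrappers`, so `"nosuid"` fits there as well and the layout keeps a single deliberate writable-and-executable exception, `/tmp-exec` (tmpfs, `mode=1777`), which deserves a comment naming that trade-off against the `noexec` on `/`, `/var` and `/nix/var`. The `/dev/shm` line still reads `# TODO: does this work?`; as far as I can tell `boot.specialFileSystems.<name>.options` is a list option that merges with the module's own `nosuid`/`nodev` defaults, so `noexec` should be appended rather than replace them, which `findmnt /dev/shm` on the deployed host would confirm before the TODO is dropped. The `environment.etc` entries for the host keys use string paths, so they stay symlinks into `${persist}` rather than store copies, which is the right choice and worth a comment so nobody "fixes" them into `./`-style paths later.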
@@ -122,7 +270,11 @@
 };
 };
+ boot.initrd.systemd.enable = false; # breaks with luks
+ system.etc.overlay.enable = false; # requires systemd initrd1
+ boot.initrd.luks.yubikeySupport = true; # enable yubikey support
+ boot.initrd.luks.reusePassphrases = false;
 boot.initrd.luks.devices."root" = {
 device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
diff --git a/ssh/id_ed25519_sk b/ssh/id_ed25519_sk
old mode 100644
new mode 100755
index 5a69d12..7c11587
--- a/ssh/id_ed25519_sk
+++ b/ssh/id_ed25519_sk
@@ -1,8 +1,9 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW
-JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
-AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV
-LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU
-xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH
-26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA==
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC74ZK+2l
+Hxn0SSjHwUqW/+AAAAGAAAAAEAAABRAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
+AAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFsAA
+AAsDn6O66Anaiqld0n6TanhawcxAnkGgunRTDvzzTC1y/3Fb6cJAKkw05HuvyCosqqHlUv
+4k4I3ppv6pH85xe0nDXDw28IC9Y9OvfkwyHc/MrgnJ0kZz1gX/SIL9BdEQZ0Ne9SeIcvqK
+DEDn20CLPU8QT7RbCmku4Aj7nJgOxVxu4ICXPIz5ufBU6IM5eGEbqzonWBX/M19ElKz6NN
+Nmn5jc+z5aMw4O8mBMQ/5EYaSSbo
 -----END OPENSSH PRIVATE KEY-----
diff --git a/ssh/id_ed25519_sk.pub b/ssh/id_ed25519_sk.pub
index 6a70669..7d030a5 100644
--- a/ssh/id_ed25519_sk.pub
+++ b/ssh/id_ed25519_sk.pub
@@ -1 +1 @@
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd
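Review bot: `boot.initrd.systemd.enable = false;` and `system.etc.overlay.enable = false;` are plain assignments and therefore override the `lib.mkDefault true` values that `perlless.nix` in this same commit sets, so the perl-free activation that module is after is silently not in effect on this host; the comments should record that, e.g. `# overrides perlless.nix: the LUKS + YubiKey unlock below still needs the scripted initrd`. `# requires systemd initrd1` reads like a typo for `initrd`. The `boot.initrd.luks.devices."root"` block that opens here continues past the end of the hunk, so I could not check whether a `yubikey` section accompanies `yubikeySupport = true`.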
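Review bot: The `old mode 100644` → `new mode 100755` change on `ssh/id_ed25519_sk` is noise: an executable bit on a private key serves no purpose, and a 0755 key file would be refused outright by OpenSSH's permission check (it rejects any group/other bits) if it were ever used in place, so revert it with `git update-index --chmod=-x ssh/id_ed25519_sk`. Beyond the mode, a private key handle tracked in the configuration repo is readable by anyone with repo or store access; the sk- handle cannot sign without the paired hardware token, which bounds the damage, but keeping only `id_ed25519_sk.pub` in git and provisioning the handle out of band would remove the exposure and the need to rotate it again on the next leak.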
diff --git a/sway/default.nix b/sway/default.nix
index f6cedea..244c1bc 100644
--- a/sway/default.nix
+++ b/sway/default.nix
@@ -65,7 +65,8 @@
 "$mod+Return" = "exec ${getExe xdg-terminal-exec}";
 "$mod+Shift+q" = "kill";
 "$mod+Shift+c" = "reload";
- "$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
+ "$mod+Shift+e" =
+ "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
 # Move your focus around
 "$mod+$left" = "focus left";
@@ -193,7 +194,7 @@
 (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")
 ''${getExe' pkgs.coreutils-full "sleep"} 3 && ${getExe' pkgs.blueman "blueman-applet"}''
 (getExe' pkgs.lxqt.lxqt-policykit "lxqt-policykit-agent")
- (getExe' config.hardware.opentabletdriver.package "otd-daemon")
+ # (getExe' config.hardware.opentabletdriver.package "otd-daemon")
 pkgs.swaynotificationcenter
 pkgs.networkmanagerapplet
 aw-bundle
diff --git a/users.nix b/users.nix
index 010cf19..941441e 100644
--- a/users.nix
+++ b/users.nix
@@ -5,6 +5,8 @@
 ...
 }:
 {
+ users.mutableUsers = false;
+
 users.users.grimmauld = {
 isNormalUser = true;
 # shell = pkgs.xonsh;
@@ -25,15 +27,18 @@
 "libvirtd"
 "pipewire"
 "gamemode"
+ "systemd-journal"
 "i2c"
 ]; # only add to groups that actually exist on this system
- syncPaths = [
- { remote = "3d"; }
- { remote = "Pictures"; }
- { remote = "Documents"; }
- { remote = "Videos"; }
- ];
+ # syncPaths = [
+ # { remote = "3d"; }
+ # { remote = "Pictures"; }
+ # { remote = "Documents"; }
+ # { remote = "Videos"; }
+ # ];
+
+ hashedPassword = "$y$j9T$HmVEEG6w96IUWynzJsLjT/$MCNKOTOUkku4ybBJiXPIHasXEkNVe6Ouu5gRTl2ab00";
 packages = lib.optionals config.grimmShared.graphical ( with pkgs;
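Review bot: With `users.mutableUsers = false;` every account's password comes solely from the configuration, so the `hashedPassword` added further down in this file (in the next hunk, which runs past this view) becomes the only credential for `grimmauld`, and it is committed as a yescrypt hash that anyone holding the repo can crack offline at leisure. Prefer `hashedPasswordFile = config.age.secrets.<secret-name>.path;` backed by an age secret, which this repo already uses for other secrets, and keep the hash out of git. A short comment next to `mutableUsers` noting that `passwd` changes on the host are discarded on the next rebuild would also save the next person a lockout surprise.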