Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop

Browse source
This commit is contained in:
Grimmauld 2025-01-15 13:29:26 +01:00
commit 5efba3d0fe
70 changed files with 1811 additions and 530 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/default.nix
View file

@ -15,7 +15,7 @@ with lib;
./graphics
./gaming.nix
./firefox.nix
./cloudsync.nix
# ./cloudsync.nix
./hardware
./databases
];

4
common/firefox.nix
View file

@ -8,7 +8,6 @@ let
inherit (config.grimmShared)
enable
firefox
tooling
locale
sway
;
@ -28,9 +27,6 @@ in
programs.firefox = {
# package = pkgs.firefox-beta;
enable = true;
nativeMessagingHosts.packages =
[ ]
++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ];
languagePacks = optionals locale [
"de"
"en-US"

11
common/gaming.nix
View file

@ -47,15 +47,11 @@ in
GAMEMODERUNEXEC = "env DRI_PRIME=1";
};
environment.systemPackages =
with pkgs;
[
heroic
environment.systemPackages = with pkgs; [
# heroic
prismlauncher
mangohud
the-powder-toy
factorio
pactorio
(symlinkJoin {
name = "osu";
paths = [
@ -65,8 +61,7 @@ in
osu-lazer-bin
];
})
]
++ optional (!isNull factorio.passthru.updateScript) factorio;
];
};
options.grimmShared.gaming = mkEnableOption "enables steam, heroic, prism and gamemoded";

10
common/graphics/qt.nix
View file

@ -49,10 +49,10 @@ in
kdePackages.breeze-qt5
];
boot.plymouth = {
themePackages = with pkgs; [ catppuccin-plymouth ];
theme = "catppuccin-macchiato";
enable = true;
};
#boot.plymouth = {
# themePackages = with pkgs; [ catppuccin-plymouth ];
# theme = "catppuccin-macchiato";
# enable = true;
#};
};
}

4
common/hardware/laptop.nix
View file

@ -64,7 +64,7 @@ in
boot = {
kernelParams = [
"intel_iommu=on"
# "intel_iommu=on"
"nohibernate"
"pcie_aspm=off"
];
@ -83,7 +83,7 @@ in
kernelModules = [
# "ddcci_backlight"
# "i2c-dev"
"ec_sys"
# "ec_sys"
];
};
};

2
common/hardware/tlp.nix
View file

@ -80,7 +80,7 @@ in
};
powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
# powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
services.power-profiles-daemon.enable = false;
services.upower.enable = true;

10
common/network/bluetooth.nix
View file

@ -17,15 +17,5 @@ in
services.blueman.enable = lib.mkIf graphical true;
environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez;
systemd.user.services.mpris-proxy = lib.mkIf sound.enable {
description = "Mpris proxy";
after = [
"network.target"
"sound.target"
];
wantedBy = [ "default.target" ];
serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy";
};
};
}

4
common/network/default.nix
View file

@ -22,6 +22,8 @@ in
openconnect
];
users.users.nscd.uid = 997;
networking.firewall = {
enable = true;
allowPing = true;
@ -31,6 +33,8 @@ in
"1.1.1.1"
"9.9.9.9"
];
environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt;
};
imports = [ ./bluetooth.nix ];

BIN
common/network/telekom-root.crt Normal file
View file

Binary file not shown.

2
common/printing.nix
View file

@ -14,7 +14,7 @@ in
brgenml1cupswrapper
];
services.avahi = {
enable = true;
# enable = true;
nssmdns4 = true;
openFirewall = true;
};

2
common/sound/default.nix
View file

@ -9,7 +9,7 @@ let
in
{
config = lib.mkIf (enable && sound.enable) {
hardware.pulseaudio.enable = false;
services.pulseaudio.enable = false;
services.pipewire = {
enable = true;

3
common/sound/midi.nix
View file

@ -20,7 +20,8 @@ in
environment.pathsToLink = [ "/share/soundfonts" ];
environment.etc."timidity/timidity.cfg".text = "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2";
environment.etc."timidity/timidity.cfg".text =
"soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2";
};
options.grimmShared.sound.midi = lib.mkEnableOption "enable midi";

2
common/sound/spotify.nix
View file

@ -21,5 +21,5 @@ in
enable = lib.mkEnableOption "grimm-spotify";
};
imports = [ ./spotifyd.nix ];
# imports = [ ./spotifyd.nix ];
}

50
common/tooling/default.nix
View file

@ -17,18 +17,16 @@ in
imports = [
# ./lilypond.nix
./nix.nix
./security.nix
./python.nix
./rust.nix
./lsp.nix
./helix.nix
./git.nix
./wine.nix
# ./wine.nix
./c.nix
./java.nix
./opensnitch
./ranger.nix
./apparmor
./nix-index.nix
# ./defaultProtectHome.nix
];
config = mkIf (enable && tooling.enable) {
@ -69,29 +67,12 @@ in
]
++ optionals graphical [
wev
qdirstat
k4dirstat
libva-utils
gparted
bottles
];
environment.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
"l" = "eza -hla";
"vi" = "hx";
"bat" = "bat --theme=Dracula";
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
programs.fzf.fuzzyCompletion = true;
environment.sessionVariables = {
MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'";
MANROFFOPT = "-c";
@ -105,29 +86,6 @@ in
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
#programs.ssh = {
# # startAgent = true;
# enableAskPassword = graphical;
# askPassword = mkIf graphical (getExe pkgs.lxqt.lxqt-openssh-askpass);
#};
programs.thefuck.enable = true;
programs.starship = {
enable = true;
settings = {
format = "$all$directory$character";
nodejs.disabled = true;
cmake.symbol = "cmake ";
custom.shell = {
command = "basename $SHELL";
when = "test -v SHELL";
format = " in [$output]($style)";
# ignore_timeout = true;
};
# env_var.SHELL = {variable = "SHELL"; default = ""; };
};
};
};
options.grimmShared.tooling = {

2
common/tooling/java.nix
View file

@ -21,7 +21,7 @@ in
pkgs.jdk17
pkgs.visualvm
pkgs.gradle_7
] ++ optionals graphical [ pkgs.jetbrains.idea-community ];
]; # ++ optionals graphical [ pkgs.jetbrains.idea-community ];
environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home;

76
common/tooling/nix-index.nix Normal file
View file

@ -0,0 +1,76 @@
{
pkgs,
lib,
config,
...
}:
let
db_path = "/var/nix-index/current";
mode = "755";
user = "nix-index";
in
{
users.users."${user}" = {
isSystemUser = true;
group = user;
};
users.groups."${user}" = { };
nix.settings.allowed-users = [ user ];
environment.systemPackages = with pkgs; [
nix-index
];
systemd.tmpfiles.rules = [
"d /var/nix-index 0${mode} ${user} ${user} 14d"
];
environment.sessionVariables.NIX_INDEX_DATABASE = db_path;
systemd.services.nix-index-update = {
description = "update nix-index database";
after = [
"network-online.target"
"nix-daemon.service"
];
wants = [
"network-online.target"
"nix-daemon.service"
];
serviceConfig = {
Type = "simple";
Nice = 19;
# UMask = mode;
# DynamicUser = true;
ReadWritePaths = "/var/nix-index/";
CacheDirectory = "index-cache";
User = user;
Group = user;
};
environment.NIX_PATH = lib.concatStringsSep ":" config.nix.nixPath;
script = ''
platform="$(uname -m | sed 's/^arm64$/aarch64/')-$(uname | tr "[:upper:]" "[:lower:]")"
path="/var/nix-index/index-$platform-$(date -I)"
mkdir -p "$path" -m ${mode}
XDG_CACHE_HOME=$CACHE_DIRECTORY ${lib.getExe' pkgs.nix-index "nix-index"} --show-trace -c 0 -s $platform --db "$path" || exit 1
rm -f ${db_path}
ln -s "$path" ${db_path}
# && chmod ${mode} ${db_path}
echo "link success"
'';
enable = true;
};
systemd.timers.nix-index-update = {
description = "regularly update nix-index database";
timerConfig.Persistent = true;
timerConfig.OnCalendar = "Mon *-*-* 00:00:00";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}

7
common/tooling/nix.nix
View file

@ -20,7 +20,7 @@
nvd
vulnix
nix-init
inputs.nixpkgs-update.packages."${system}".default
# inputs.nixpkgs-update.packages."${system}".default
];
environment.sessionVariables =
@ -45,8 +45,13 @@
experimental-features = [
"nix-command"
"flakes"
"pipe-operator"
];
warn-dirty = false;
allowed-users = [
"@wheel"
"grimmauld"
];
};
programs.nh = {

2
common/tooling/python.nix
View file

@ -31,7 +31,7 @@ in
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages = [
(pkgs.python3.withPackages pyLibs)
] ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]);
]; # ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]);
programs.xonsh = {
enable = true;

8
common/xdg/alacritty.toml
View file

@ -1,8 +0,0 @@
[font]
# Point size
size=16.0
normal = { family="Noto Sans Mono" }
[window]
opacity=0.85

13
common/xdg/default.nix
View file

@ -1,6 +1,17 @@
{
imports = [
./portals.nix
./mime.nix
# ./mime.nix
];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
}

154
common/xdg/mime.nix
View file

@ -1,154 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable portals graphical;
browsers = [
"firefox-beta.desktop"
"firefox.desktop"
];
text_editors = [
"nvim.desktop"
"geany.desktop"
"imhex.desktop"
];
image_viewers = [
"org.nomacs.ImageLounge.desktop"
"org.kde.krita.desktop"
"draw.desktop"
];
audio_players = [ "vlc.desktop" ];
video_viewers = [ "vlc.desktop" ];
document_viewers = [
"org.pwmt.zathura-pdf-mupdf.desktop"
"com.github.jeromerobert.pdfarranger.desktop"
] ++ browsers;
cad = [
"org.freecadweb.FreeCAD.desktop"
"PrusaSlicer.desktop"
"openscad.desktop"
"blender.desktop"
];
tex_editors = [ ] ++ text_editors;
alacritty_pkg = pkgs.symlinkJoin {
name = "alacritty";
paths = [ pkgs.alacritty ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/alacritty \
--add-flags "--config-file ${./alacritty.toml}"
'';
};
in
{
config = lib.mkIf (enable && portals && graphical) {
environment.systemPackages = with pkgs; [
deskwhich
zathura
gnome-console
alacritty_pkg
imhex
libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
geany
krita
weasis
# kicad
prusa-slicer
freecad
openscad
vlc
# blender
thunderbird
xdg-terminal-exec
xdg-utils
];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
xdg.mime.enable = true;
xdg.mime.addedAssociations = {
"application/java-vm" = [
"idea-community.desktop"
"imhex.desktop"
];
"application/json" = text_editors ++ [ "firefox-beta.desktop" ];
"application/mp4" = video_viewers;
"application/ogg" = audio_players;
"application/octet-stream" = "imhex.desktop";
"application/pdf" = document_viewers;
"application/rss+xml" = text_editors;
"application/x-chess-pgn" = [ ] ++ text_editors; # fixme
"application/x-krita" = "org.kde.krita.desktop";
"application/x-latex" = tex_editors;
"application/x-tex" = tex_editors;
"application/x-texinfo" = tex_editors;
"application/xml" = text_editors;
"image/svg+xml" = image_viewers ++ browsers ++ text_editors;
"image/*" = image_viewers;
"image/vnd.dwg" = cad;
"model/*" = cad;
"gcode" = [
"PrusaGcodeviewer.desktop"
"PrusaSlicer.desktop"
];
"audio/*" = audio_players;
"text/*" = text_editors;
"text/plain" = text_editors;
"text/markdown" = [ "obsidian.desktop" ] ++ text_editors;
"text/csv" = [ "calc.desktop" ] ++ text_editors;
"text/html" = browsers ++ text_editors;
"text/x-python" = [ "pycharm-community.desktop" ] ++ text_editors;
"text/x-c" = [ "clion.desktop" ] ++ text_editors;
"text/x-java-source" = [ "idea-community.desktop" ] ++ text_editors;
"video/*" = video_viewers;
"inode/directory" = [
"ranger.desktop"
"dolphin.desktop"
];
"x-scheme-handler/mailto" = "thunderbird.desktop";
"application/vnd.oasis.opendocument.chart" = "calc.desktop";
"application/vnd.oasis.opendocument.chart-template" = "calc.desktop";
"application/vnd.oasis.opendocument.database" = "base.desktop";
"application/vnd.oasis.opendocument.formula" = "math.desktop";
"application/vnd.oasis.opendocument.formula-template" = "math.desktop";
"application/vnd.oasis.opendocument.graphics" = "draw.desktop";
"application/vnd.oasis.opendocument.graphics-template" = "draw.desktop";
"application/vnd.oasis.opendocument.image" = "draw.desktop";
"application/vnd.oasis.opendocument.image-template" = "draw.desktop";
"application/vnd.oasis.opendocument.presentation" = "impress.desktop";
"application/vnd.oasis.opendocument.presentation-template" = "impress.desktop";
"application/vnd.oasis.opendocument.spreadsheet" = "calc.desktop";
"application/vnd.oasis.opendocument.spreadsheet-template" = "calc.desktop";
"application/vnd.oasis.opendocument.text" = "writer.desktop";
"application/vnd.oasis.opendocument.text-master" = "writer.desktop";
"application/vnd.oasis.opendocument.text-template" = "writer.desktop";
"application/vnd.oasis.opendocument.text-web" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.presentation" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slide" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slideshow" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.template" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.template" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.document" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.template" = "writer.desktop";
};
};
}

4
configuration.nix
View file

@ -1,4 +1,4 @@
{ lib, pkgs, ... }:
{ pkgs, ... }:
{
imports = [
./overlays
@ -13,8 +13,6 @@
# kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
};
services.logrotate.checkConfig = false; # fixme: actually needed?
nix.package = pkgs.lix;
nixpkgs.config.allowUnfree = true;

73
dual_monitor_otd.json Normal file
View file

@ -0,0 +1,73 @@
{
"Profiles": [
{
"Tablet": "Wacom PTH-660",
"OutputMode": {
"Path": "OpenTabletDriver.Desktop.Output.AbsoluteMode",
"Settings": [],
"Enable": true
},
"Filters": [],
"AbsoluteModeSettings": {
"Display": {
"Width": 3840.0,
"Height": 1080.0,
"X": 1920.0,
"Y": 540.0,
"Rotation": 0.0
},
"Tablet": {
"Width": 148.0,
"Height": 42.0,
"X": 112.0,
"Y": 74.0,
"Rotation": 90.0
},
"EnableClipping": true,
"EnableAreaLimiting": false,
"LockAspectRatio": false
},
"RelativeModeSettings": {
"XSensitivity": 10.0,
"YSensitivity": 10.0,
"RelativeRotation": 0.0,
"RelativeResetDelay": "00:00:00.1000000"
},
"Bindings": {
"TipActivationThreshold": 0.0,
"TipButton": {
"Path": "OpenTabletDriver.Desktop.Binding.MouseBinding",
"Settings": [
{
"Property": "Button",
"Value": "Left"
}
],
"Enable": true
},
"EraserActivationThreshold": 0.0,
"EraserButton": null,
"PenButtons": [
null,
null
],
"AuxButtons": [
null,
null,
null,
null,
null,
null,
null,
null
],
"MouseButtons": [],
"MouseScrollUp": null,
"MouseScrollDown": null
}
}
],
"LockUsableAreaDisplay": true,
"LockUsableAreaTablet": true,
"Tools": []
}

278
flake.lock
View file

@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1732741943,
"narHash": "sha256-ZPGI3RjfDqajlIlEO6xL9dQhtyXQMhlFMPnYoKNtPRI=",
"lastModified": 1736590503,
"narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "cb4dd424befe24976ecbbc09505efa0c5477d9c6",
"rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93",
"type": "github"
},
"original": {
@ -31,11 +31,11 @@
]
},
"locked": {
"lastModified": 1732889580,
"narHash": "sha256-67MC0DhkRPTPy/g76sm/jzMqcmUBIlX5qoSH5B27Twk=",
"lastModified": 1736877444,
"narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "5b6ceba740feaf260ec205e41e3dde8af510a547",
"rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
"type": "github"
},
"original": {
@ -92,6 +92,28 @@
"type": "github"
}
},
"apparmor-dev": {
"inputs": {
"flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1734881868,
"narHash": "sha256-ONpu806E6j/23ZCgvfAR7bNusDjC5bVThTOjNkUMIqQ=",
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"rev": "032cb3469176411d5bda5642049abc468073e18a",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@ -118,11 +140,11 @@
]
},
"locked": {
"lastModified": 1733072746,
"narHash": "sha256-Rds19CCMsbT+eo5HoJahl2N/wLrvGZ0Nw6Vlu+hvfmE=",
"lastModified": 1736848948,
"narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "36d157737c1682d31721f68c812353225956471b",
"rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65",
"type": "github"
},
"original": {
@ -189,11 +211,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
@ -250,6 +272,24 @@
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
@ -302,11 +342,11 @@
]
},
"locked": {
"lastModified": 1732884235,
"narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
"lastModified": 1736508663,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "819f682269f4e002884702b87e445c82840c68f2",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github"
},
"original": {
@ -315,20 +355,39 @@
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"dirtyRev": "0d7908bd09165db6699908b7e3970f137327cbf0-dirty",
"dirtyShortRev": "0d7908bd-dirty",
"lastModified": 1736013363,
"narHash": "sha256-1UN8758BA6XDgte9AfHu5fZ35zqVPPq3GGuca3JJOZU=",
"type": "git",
"url": "file:///home/grimmauld/coding/home-manager"
},
"original": {
"type": "git",
"url": "file:///home/grimmauld/coding/home-manager"
}
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions_2",
"nix-github-actions": "nix-github-actions_3",
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1732739177,
"narHash": "sha256-iL32+TA/8geCzcL1r3uthrH/GPvbUak5QE++WJUkaiI=",
"lastModified": 1736580596,
"narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "8d7b2149e618696d5100c2683af1ffa893f02a75",
"rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083",
"type": "github"
},
"original": {
@ -337,28 +396,6 @@
"type": "github"
}
},
"mmdoc": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
],
"systems": "systems_3"
},
"locked": {
"lastModified": 1710694589,
"narHash": "sha256-5wa+Jzxr+LygoxSZuZg0YU81jgdnx2IY/CqDIJMOgec=",
"owner": "ryantm",
"repo": "mmdoc",
"rev": "b6ddf748b1d1c01ca582bb1b3dafd6bc3a4c83a6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "mmdoc",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@ -381,6 +418,27 @@
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"apparmor-dev",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_3": {
"inputs": {
"nixpkgs": [
"chaotic",
@ -410,14 +468,14 @@
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_05": "nixpkgs-24_05"
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1722877200,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"lastModified": 1735230346,
"narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
"type": "gitlab"
},
"original": {
@ -434,11 +492,11 @@
]
},
"locked": {
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github"
},
"original": {
@ -449,11 +507,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1733015953,
"narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=",
"lastModified": 1736798957,
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff",
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
"type": "github"
},
"original": {
@ -463,69 +521,18 @@
"type": "github"
}
},
"nixpkgs-24_05": {
"nixpkgs-24_11": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"lastModified": 1734083684,
"narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-update": {
"inputs": {
"mmdoc": "mmdoc",
"nixpkgs": "nixpkgs_2",
"runtimeDeps": "runtimeDeps",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1732958734,
"narHash": "sha256-DY1Aq+pAU/n0loBjCRfeSbEG/ji2M+mrEkcEnsN/AHk=",
"owner": "nix-community",
"repo": "nixpkgs-update",
"rev": "dffb2930904b08ca8d226594b543cbae150b5f67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs-update",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1672428209,
"narHash": "sha256-eejhqkDz2cb2vc5VeaWphJz8UXNuoNoM8/Op8eWv2tQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "293a28df6d7ff3dec1e61e37cc4ee6e6c0fb0847",
"rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.11",
"type": "indirect"
}
},
@ -536,15 +543,14 @@
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1732021966,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
@ -558,27 +564,12 @@
"aa-alias-manager": "aa-alias-manager",
"aagl-gtk-on-nix": "aagl-gtk-on-nix",
"agenix": "agenix",
"apparmor-dev": "apparmor-dev",
"chaotic": "chaotic",
"home-manager": "home-manager_3",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs",
"nixpkgs-update": "nixpkgs-update"
}
},
"runtimeDeps": {
"locked": {
"lastModified": 1714247354,
"narHash": "sha256-6dFKqP/aCKIdpOgqgIQUrRT0NOfVc14ftNcdELa4Pu4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c8d7c8a78fb516c0842cc65346506a565c88014d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {
@ -589,11 +580,11 @@
]
},
"locked": {
"lastModified": 1732674798,
"narHash": "sha256-oM1gjCv9R4zxDFO3as9wqQ4FI3+pDA9MKZ72L7tTIII=",
"lastModified": 1736572187,
"narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "1d569430326b0a7807ccffdb2a188b814091976c",
"rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b",
"type": "github"
},
"original": {
@ -667,27 +658,6 @@
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-update",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

46
flake.nix
View file

@ -32,9 +32,21 @@
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-update = {
url = "github:nix-community/nixpkgs-update";
# inputs.nixpkgs.follows = "nixpkgs";
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
# https://github.com/nix-community/home-manager/issues/3415
# https://github.com/nix-community/home-manager/pull/2548
# url = "github:nix-community/home-manager";
url = "git+file:///home/grimmauld/coding/home-manager";
# url = "github:pasqui23/home-manager/nixos-late-start";
inputs.nixpkgs.follows = "nixpkgs";
};
};
@ -48,15 +60,13 @@
nixos-mailserver,
nixos-matrix-modules,
aa-alias-manager,
nixpkgs-update,
# nixpkgs-update,
apparmor-dev,
home-manager,
...
}:
let
patches = [
{
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY=";
}
];
customNixosSystem =
@ -68,7 +78,8 @@
src = inputs.nixpkgs;
patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
};
nixosSystem = import (patched + "/nixos/lib/eval-config.nix");
nixosSystem =
if patches == [ ] then nixpkgs.lib.nixosSystem else import (patched + "/nixos/lib/eval-config.nix");
in
nixosSystem (
{
@ -104,12 +115,27 @@
grimm-nixos-ssd = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
chaotic.nixosModules.default
# chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
aa-alias-manager.nixosModules.default
# apparmor-dev.nixosModules.default
./perlless.nix
./specific/grimm-nixos-ssd/configuration.nix
(
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/profiles/hardened.nix"
# "${modulesPath}/profiles/perlless.nix"
];
}
)
home-manager.nixosModules.home-manager
./hm
./hardening
];
};
grimmauld-nixos-server = customNixosSystem "x86_64-linux" {

0
common/tooling/apparmor/apparmor-d-module.nix → hardening/apparmor/apparmor-d-module.nix
View file

9
common/tooling/apparmor/apparmor-d-package.nix → hardening/apparmor/apparmor-d-package.nix
View file

@ -1,27 +1,24 @@
{
buildGoModule,
fetchFromGitHub,
git,
lib,
unstableGitUpdater,
}:
buildGoModule {
pname = "apparmor-d";
version = "unstable-2024-10-12";
version = "unstable-2025-01-13";
src = fetchFromGitHub {
rev = "db6c94ba5ad97112bc577cb66c2e1fa66df83a29";
rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac";
owner = "roddhjav";
repo = "apparmor.d";
hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U=";
hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM=";
};
vendorHash = null;
doCheck = false;
nativeBuildInputs = [ git ];
patches = [
./apparmor-d-prebuild.patch
];

0
common/tooling/apparmor/apparmor-d-prebuild.patch → hardening/apparmor/apparmor-d-prebuild.patch
View file

25
hardening/apparmor/bare.nix Normal file
View file

@ -0,0 +1,25 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
in
{
config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.enableCache = true;
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512;
};
}

8
common/tooling/apparmor/default.nix → hardening/apparmor/default.nix
View file

@ -16,15 +16,18 @@ in
security.auditd.enable = true;
security.apparmor.enableCache = true;
security.apparmor.killUnconfinedConfinables = false;
security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> @{nix_store}/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
'';
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512;
security.audit.backlogLimit = 8192;
security.apparmor_d = {
enable = true;
@ -36,7 +39,7 @@ in
pass = "enforce";
spotify = "enforce";
"thunderbird.apparmor.d" = "enforce";
xdg-open = "enforce";
# xdg-open = "enforce";
child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
@ -115,6 +118,7 @@ in
"local/xdg-open" = ''
@{bin}/grep rix,
/** r,
'';
"local/child-open" = ''

26
hardening/default.nix Normal file
View file

@ -0,0 +1,26 @@
{
lib,
pkgs,
config,
...
}:
{
imports = [
./systemd
./ssh-as-sudo.nix
./apparmor
./opensnitch
./security.nix
];
specialisation.unhardened.configuration = { };
# services.opensnitch.enable = lib.mkForce false;
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false;
# services.resolved.enable = false;
security.unprivilegedUsernsClone = true;
environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano ];
}

0
common/tooling/opensnitch/block_lists.nix → hardening/opensnitch/block_lists.nix
View file

116
common/tooling/opensnitch/default.nix → hardening/opensnitch/default.nix
View file

@ -43,13 +43,20 @@ in
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = "iptables";
LogLevel = 1;
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
rules = {
@ -95,6 +102,34 @@ in
};
};
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
@ -126,12 +161,76 @@ in
{
type = "simple";
operand = "user.id";
data = "998";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nix;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
localhost = {
name = "localhost";
enabled = true;
@ -337,13 +436,13 @@ in
};
};
vesktop_daemon_allow_udp = mkIf (graphical) {
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
# inherit created;
inherit created;
operator = {
type = "list";
operand = "list";
@ -470,9 +569,9 @@ in
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "simple";
type = "regexp";
operand = "dest.port";
data = "547";
data = "547|67";
}
# {
# type ="simple";
@ -549,7 +648,8 @@ in
};
};
nextcloud = mkIf (config.grimmShared.cloudSync.enable) {
nextcloud = mkIf (false) {
# config.grimmShared.cloudSync.enable
name = "nextcloud";
enabled = true;
action = "allow";

0
common/tooling/opensnitch/discord_hosts/hosts.list → hardening/opensnitch/discord_hosts/hosts.list
View file

0
common/tooling/opensnitch/spotify_hosts/hosts.list → hardening/opensnitch/spotify_hosts/hosts.list
View file

52
common/tooling/security.nix → hardening/security.nix
View file

@ -7,22 +7,18 @@
...
}:
let
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optional
optionals
filterAttrs
mkForce
mkIf
mkDefault
attrNames
mkEnableOption
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = mkIf enable {
security.polkit.enable = true;
config = {
security.polkit.enable = mkDefault true;
security.rtkit.enable = true;
security.pam.yubico = {
@ -34,7 +30,8 @@ in
};
# security.doas.enable = true;
security.sudo.enable = true;
security.sudo.enable = mkDefault true;
security.sudo.execWheelOnly = true;
security.doas.extraRules = [
{
@ -59,12 +56,13 @@ in
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = graphical;
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
services.yubikey-agent.enable = true;
environment.systemPackages =
(with pkgs; [
mkpasswd
gnupg
# gnupg
libsecret
vulnix
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
@ -72,30 +70,28 @@ in
yubikey-manager
yubico-pam
yubikey-personalization
pkgs.pass
])
++ age_plugins
++ (optionals (tooling.enable && tooling.pass) [
pkgs.pass
(pkgs.writeShellScriptBin "passw" "pass $@")
])
++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
++ (optional graphical pkgs.lxqt.lxqt-policykit);
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
services.passSecretService.enable = true;
services.openssh.settings.LoginGraceTime = 0;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
enable = true;
enableSSHSupport = true;
};
grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
# programs.gnupg.agent = {
# settings = {
# # default-cache-ttl = 6000;
# };
# pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
# enable = true;
# enableSSHSupport = true;
# };
grimmShared.firefox.plugins = {
"passff@invicem.pro" = "passff";
};
};
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
};
}

33
hardening/ssh-as-sudo.nix Normal file
View file

@ -0,0 +1,33 @@
{ pkgs, lib, ... }:
{
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.challengeResponseAuthentication = false;
# settings.UsePAM = false;
openFirewall = lib.mkDefault false;
allowSFTP = lib.mkDefault false;
# startWhenNeeded = true;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
users.users.root = {
# isSystemUser = true;
# isNormalUser = true;
uid = 0;
openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
# home = "/root";
hashedPassword = null;
createHome = lib.mkForce true;
};
programs.ssh.startAgent = true;
# security.sudo.enable = false;
# services.yubikey-agent.enable = true;
}

61
hardening/systemd/NetworkManager.nix Normal file
View file

@ -0,0 +1,61 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
NetworkManager-dispatcher.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0700";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

26
hardening/systemd/acpid.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
acpid.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = true;
PrivateUsers = true;
PrivateNetwork = true;
RestrictRealtime = true;
IPAddressAllow = [ ];
RestrictAddressFamilies = "AF_NETLINK AF_UNIX";
};
};
}

41
hardening/systemd/ask-password.nix Normal file
View file

@ -0,0 +1,41 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
systemd-ask-password-console.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
systemd-ask-password-wall.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

23
hardening/systemd/auditd.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
auditd.serviceConfig = {
# CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = true;
# PrivateUsers=true;
# PrivateNetwork=true;
RestrictRealtime = true;
IPAddressAllow = [ ];
RestrictAddressFamilies = "AF_NETLINK";
};
};
}

42
hardening/systemd/bluetooth.nix Normal file
View file

@ -0,0 +1,42 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
bluetooth.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
blueman-mechanism.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

30
hardening/systemd/cups.nix Normal file
View file

@ -0,0 +1,30 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
cups.serviceConfig = {
CapabilityBoundingSet = [
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN"
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service @privileged";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ReadWritePaths = "/var/run/cups";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

104
hardening/systemd/default.nix Normal file
View file

@ -0,0 +1,104 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
eq = a: b: a == b;
noPred =
preds: x:
if preds == [ ] then
true
else if (lib.head preds) x then
false
else
noPred (lib.tail preds) x;
in
{
imports = [
./NetworkManager.nix
./wpa_supplicant.nix
./auditd.nix
./acpid.nix
./cups.nix
./bluetooth.nix
./tty.nix
./ask-password.nix
./nix-daemon.nix
./nscd.nix
./rtkit.nix
./sshd.nix
./global
];
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig =
let
shouldMakeIntrusive = (
noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
);
in
mkIf (osConfig.specialisation != { }) (
{
ProtectHome = mkDefault true;
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
}
// (lib.optionalAttrs shouldMakeIntrusive {
# PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
opensnitchd.serviceConfig = {
ProtectHome = false;
PrivateTmp = false;
ProtectKernelLogs = false;
};
"user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false;
systemd-homed.serviceConfig.ProtectHome = false;
systemd-homed-activate.serviceConfig.ProtectHome = false;
sshd.serviceConfig.ProtectHome = false;
display-manager.serviceConfig.ProtectHome = "read-only";
dbus-broker.serviceConfig.ProtectHome = "read-only";
systemd-logind.serviceConfig.ProtectHome = false;
nix-daemon.serviceConfig.ProtectHome = false;
zfs-mount.serviceConfig.PrivateTmp = false;
kmod-static-nodes.serviceConfig.PrivateTmp = false;
mount-pstore.serviceConfig.PrivateTmp = false;
# todo: tpm things
#polkit.serviceConfig.NoNewPrivileges = false;
#"getty@".serviceConfig.NoNewPrivileges = false;
#"user@".serviceConfig.NoNewPrivileges = false;
# todo: dbus?
auditd.serviceConfig.ProtectKernelLogs = false;
audit.serviceConfig.ProtectKernelLogs = false;
"getty@".serviceConfig.SystemCallFilter = "";
display-manager.serviceConfig.SystemCallFilter = "";
sshd.serviceConfig.SystemCallFilter = "";
rtkit-daemon.serviceConfig.SystemCallFilter = "";
};
};
}

37
hardening/systemd/global/clock.nix Normal file
View file

@ -0,0 +1,37 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectClock = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-timesyncd.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
save-hwclock.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
};
};
}

7
hardening/systemd/global/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./hostname.nix
./clock.nix
./realtime.nix
];
}

29
hardening/systemd/global/hostname.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectHostname = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-hostnamed.serviceConfig.ProtectHostname = false;
nix-daemon.serviceConfig.ProtectHostname = false;
};
};
}

27
hardening/systemd/global/realtime.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictRealtime = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
rtkit-daemon.serviceConfig.RestrictRealtime = false;
};
};
}

76
hardening/systemd/nix-daemon.nix Normal file
View file

@ -0,0 +1,76 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK" # needed for some checks
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
"net"
"uts"
"mnt"
"ipc"
"pid"
]; # namespaces needed for sandboxing
SystemCallFilter = [
"@system-service"
"@cpu-emulation"
"@mount"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true; # todo: does kvm need a modprobe here?
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
# PrivateTmp = true; # breaks --keep-failed
ProtectSystem = "strict";
ReadWritePaths = [
"/nix"
"/tmp"
];
# Scheduling: only do as much as resources are available
LimitNICE = 1;
Nice = 19;
RestrictRealtime = true;
# devices
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [
"CAP_FOWNER"
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SYS_ADMIN"
"CAP_DAC_OVERRIDE"
];
# ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD
# ProtectHome = "read-only"; # BAD
# ProtectHostname = true; # BAD!
# PrivateNetwork = true; # BAD!
};
};
}

55
hardening/systemd/nscd.nix Normal file
View file

@ -0,0 +1,55 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nscd.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = true;
PrivateUsers = true;
PrivateDevices = true;
CapabilityBoundingSet = [
"CAP_SETGID"
"CAP_SETUID"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
};
};
}

56
hardening/systemd/rtkit.nix Normal file
View file

@ -0,0 +1,56 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
rtkit-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_UNIX";
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@chroot"
"@mount"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectClock = true;
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = false; # important
PrivateDevices = true;
ProcSubset = "pid";
CapabilityBoundingSet = [
"CAP_SYS_NICE"
"CAP_DAC_READ_SEARCH"
"CAP_SYS_CHROOT"
"CAP_SETGID"
"CAP_SETUID"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHome = true;
ProtectHostname = true;
PrivateNetwork = true;
};
};
}

62
hardening/systemd/sshd.nix Normal file
View file

@ -0,0 +1,62 @@
{
lib,
config,
...
}:
{
config.systemd.services = {
sshd.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
ProtectHostname = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
ReadWritePaths = "/etc/ssh";
RestrictRealtime = true;
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
PrivateUsers = false; # important
ProtectHome = false; # important
NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
PrivateNetwork = false; # important
};
};
}

47
hardening/systemd/tty.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
"getty@".serviceConfig = {
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_FOWNER"
"CAP_FSETID"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_NICE"
"CAP_SYS_RESOURCE"
"CAP_SYS_TTY_CONFIG"
];
# NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
ProtectHome = false;
# ProtectClock = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
# RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.mkForce "@system-service";
LockPersonality = true;
ProtectProc = "invisible";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

29
hardening/systemd/wpa_supplicant.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
wpa_supplicant.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
"cap_net_broadcast"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

165
hm/common/default.nix Normal file
View file

@ -0,0 +1,165 @@
{
pkgs,
config,
osConfig,
lib,
...
}:
let
getIfHas =
path: attrs:
if path == [ ] then
attrs
else if builtins.hasAttr (builtins.head path) attrs then
getIfHas (builtins.tail path) (builtins.getAttr (builtins.head path) attrs)
else
null;
osConfigGetIfHasOrFalse = path: lib.defaultTo false (getIfHas (lib.splitString "." path) osConfig);
user = config.home.username;
homedir = config.home.homeDirectory;
graphical = osConfigGetIfHasOrFalse "grimmShared.graphical";
in
{
home.preferXdgDirectories = true;
home.packages =
with pkgs;
[
deskwhich
]
++ lib.optionals graphical [
# imhex
# libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
krita
# weasis
# kicad
prusa-slicer
freecad
openscad
vlc
# blender
];
home.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
"l" = "eza -hla";
"vi" = "hx";
"bat" = "bat --theme=Dracula";
};
programs.thunderbird = {
enable = graphical;
profiles.default = {
isDefault = true;
};
};
programs.zathura.enable = graphical;
programs.bash = {
enable = true;
enableCompletion = true;
};
services.mpris-proxy.enable = true;
# services.ssh-agent.enable = true;
programs.alacritty = {
enable = graphical;
settings = {
font.size = 16;
font.normal = {
family = "Noto Sans Mono";
};
window.opacity = 0.85;
};
};
programs.starship = {
enable = true;
enableBashIntegration = true;
settings = {
format = "$all$directory$character";
nodejs.disabled = true;
cmake.symbol = "cmake ";
custom.shell = {
command = "basename $SHELL";
when = "test -v SHELL";
format = " in [$output]($style)";
# ignore_timeout = true;
};
# env_var.SHELL = {variable = "SHELL"; default = ""; };
};
};
programs.fzf.enable = true;
programs.fzf.tmux.enableShellIntegration = true;
programs.thefuck = {
enable = true;
enableBashIntegration = true;
};
programs.helix = {
enable = true;
defaultEditor = true;
settings = {
editor.cursor-shape.insert = "bar";
theme = "base16_transparent";
};
extraPackages = with pkgs; [
marksman
nixd
];
};
programs.tmux = {
enable = true;
clock24 = true;
historyLimit = 50000;
newSession = true;
};
systemd.user.enable = true;
systemd.user.tmpfiles.rules = lib.optional (osConfigGetIfHasOrFalse "services.printing.cups-pdf.enable") "L ${homedir}/PDF - - - - /var/spool/cups-pdf-pdf/users/${user}";
xdg.userDirs = {
enable = true;
createDirectories = true;
};
programs.gradle = {
enable = true;
settings = {
"org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
"org.gradle.java.installations.auto-detect" = false;
};
};
programs.gpg = {
enable = true;
mutableKeys = true;
publicKeys = [
{
source = ./grimmauld.gpg;
trust = 5;
}
];
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty;
};
xdg.mimeApps.enable = true;
}

13
hm/common/grimmauld.gpg Normal file
View file

@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZeWqmhYJKwYBBAHaRw8BAQdACKQ7AccQjQMiMDY6+nphi8oSUohhxZj7RsIM
njgO4Y+0ImdyaW1tYXVsZCA8Z3JpbW1hdWxkQGdyaW1tYXVsZC5kZT6IkwQTFgoA
OwIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBEG7Bl4dtk7UdboqKcKU
Zmh2n5H7BQJl5auwAAoJEMKUZmh2n5H72YUBAJ3zrSkZcDG2v0ukGNKpnJVNua97
fahtqNyP4v7k9RJsAP46aa/bvBaI5SnW1r77HJhDVCVQiVmd7OwDBpJt2pbsDbg4
BGXlqpoSCisGAQQBl1UBBQEBB0CAWlTea3qf9fYaCFWSRVrwze1KsLgxzwhTpXu1
VPuwYQMBCAeIeAQYFgoAIAIbDBYhBEG7Bl4dtk7UdboqKcKUZmh2n5H7BQJl5awq
AAoJEMKUZmh2n5H7VeIA/25BgwoLifMQBhcGwqC+9LVmi7RMDZn1exOH/6QFFmUf
AQCwC1kQCg1IXozYp666CmUAWy7L/5v14N6v8iOGlQUlAQ==
=JIcg
-----END PGP PUBLIC KEY BLOCK-----

13
hm/default.nix Normal file
View file

@ -0,0 +1,13 @@
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
useUserService = true;
sharedModules = [
{ home.stateVersion = "24.11"; }
./common
];
};
imports = [ ./grimmauld ];
}

2
hm/gradle.properties Normal file
View file

@ -0,0 +1,2 @@
org.gradle.java.home=/nix/store/1fylwjqscywqb5xxsi258h0ka3pz4ax6-openjdk-17.0.11+9/lib/openjdk
org.gradle.java.installations.auto-detect=false

15
hm/grimmauld/default.nix Normal file
View file

@ -0,0 +1,15 @@
let
username = "grimmauld";
in
{
home-manager.users."${username}" = {
home = {
inherit username;
homeDirectory = "/home/${username}";
file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
file.".cups/lpoptions".text = "Default pdf\n";
};
};
}

3
modules/nextcloud.nix
View file

@ -35,7 +35,8 @@ in
port = ports.redis_nextcloud_port.port;
};
systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
systemd.services.nextcloud-setup.serviceConfig.ExecStartPost =
pkgs.writeScript "nextcloud-redis.sh" ''
#!${pkgs.runtimeShell}
nextcloud-occ config:system:set redis 'host' --value '::1' --type string
nextcloud-occ config:system:set redis '${builtins.toString config.services.redis.servers.nextcloud.port}' --value 6379 --type integer

5
overlays/default.nix
View file

@ -38,7 +38,8 @@
./ooye.nix
./factorio.nix
./ranger.nix
./ncspot.nix
./grpcio-tools.nix
./opensnitch-ui.nix
# ./ncspot.nix
# ./grpcio-tools.nix
];
}

6
overlays/opensnitch-ui.nix Normal file
View file

@ -0,0 +1,6 @@
{ final, prev, ... }:
{
opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
});
}

27
perlless.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, pkgs, ... }:
{
# Remove perl from activation
boot.initrd.systemd.enable = lib.mkDefault true;
system.etc.overlay.enable = lib.mkDefault true;
services.userborn.enable = lib.mkDefault true;
# Random perl remnants
system.disableInstallerTools = lib.mkDefault true;
programs.less.lessopen = lib.mkDefault null;
programs.command-not-found.enable = lib.mkDefault false;
boot.enableContainers = lib.mkDefault false;
boot.loader.grub.enable = lib.mkDefault false;
environment.defaultPackages = lib.mkDefault [ ];
documentation.info.enable = lib.mkDefault false;
# Check that the system does not contain a Nix store path that contains the
# string "perl".
# system.forbiddenDependenciesRegexes = [ "perl" ];
# Re-add nixos-rebuild to the systemPackages that was removed by the
# `system.disableInstallerTools` option.
environment.systemPackages = [ pkgs.nixos-rebuild ];
}

1
result-man Symbolic link
View file

@ -0,0 +1 @@
/nix/store/vb62k4zn31h6angn81biw3avkscjva9s-perl-5.40.0-man

26
specific/grimm-nixos-ssd/configuration.nix
View file

@ -1,5 +1,6 @@
{
config,
lib,
...
}:
{
@ -15,6 +16,8 @@
services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true;
# systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
# security.pam.yubico.control = "required";
services.printing.cups-pdf.enable = true; # implies printing enable
@ -26,7 +29,8 @@
grimmShared = {
tooling = {
pass = true;
enable = true;
# pass = true;
};
gaming = true;
portals = true;
@ -49,20 +53,20 @@
"shinigamieyes@shinigamieyes" = "shinigami-eyes";
};
};
cloudSync = {
enable = true;
username = "Grimmauld";
server = "cloud.grimmauld.de";
passwordFile = config.age.secrets.nextcloud_pass.path;
};
# cloudSync = {
# enable = true;
# username = "Grimmauld";
# server = "cloud.grimmauld.de";
# passwordFile = config.age.secrets.nextcloud_pass.path;
# };
spotify.enable = true;
};
age.secrets.nextcloud_pass = {
file = ./../../secrets/nextcloud_pass.age;
mode = "777";
};
# age.secrets.nextcloud_pass = {
# file = ./../../secrets/nextcloud_pass.age;
# mode = "777";
# };
networking.hostName = "grimm-nixos-ssd";

202
specific/grimm-nixos-ssd/hardware-configuration.nix
View file

@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
@ -9,6 +6,12 @@
...
}:
let
nix_build = "/nix/build-sandbox";
persist = "/nix/persist";
tmp-exec = "/tmp-exec";
in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
@ -21,7 +24,7 @@
"usbhid"
"uas"
"sd_mod"
"kvm-intel"
# "kvm-intel"
];
boot.initrd.kernelModules = [
"zfs"
@ -31,51 +34,196 @@
"usb_storage"
"nvme"
];
boot.kernelModules = [
"iwlwifi"
"iwlmvm"
"mac80211"
"bluetooth"
"cfg80211"
"kvm-intel"
];
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernelParams = [ "nosgx" ];
security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false;
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
boot.loader.systemd-boot.consoleMode = "auto";
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
mode = "755";
user = "root";
};
boot.zfs = {
forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
# [
# "zpool/home"
# "zpool/root"
# "zpool/nix"
# "zpool/var"
# ];
};
boot.kernelModules = [ "kvm-intel" ];
boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8";
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_6;
boot.kernelPackages = pkgs.linuxPackages_6_12;
boot.extraModulePackages = [ ];
boot.kernelParams = [ "mds=full,nosmt" ];
services.homed.enable = true;
fileSystems."/" = {
device = "zpool/root";
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"mode=755"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${persist}" = {
device = "zpool/persistent";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
environment.etc =
lib.genAttrs
[
"machine-id"
"ssh/ssh_host_ed25519_key"
"ssh/ssh_host_ed25519_key.pub"
"ssh/ssh_host_rsa_key"
"ssh/ssh_host_rsa_key.pub"
]
(n: {
source = "${persist}/etc/${n}";
});
environment.memoryAllocator.provider = "libc";
fileSystems."/nix/var" = {
device = "/nix/var";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/etc/NetworkManager/system-connections" = {
device = "${persist}/etc/NetworkManager/system-connections";
options = [
"bind"
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [
"exec"
"suid"
"nodev"
];
};
fileSystems."/var" = {
device = "zpool/var";
fsType = "zfs";
options = [
"noexec"
"nosuid"
"nodev"
];
};
fileSystems."${nix_build}" = {
# can execute
device = "zpool/nix-build";
fsType = "zfs";
options = [
"exec"
"nosuid"
"nodev"
];
};
fileSystems."${tmp-exec}" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"exec"
"nosuid"
"nodev"
"mode=1777"
];
};
# environment.sessionVariables."java.io.tmpdir" = tmp-exec;
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
systemd.tmpfiles.rules = [
"D! ${nix_build} 0755 root root 7d"
"D! /var/cache 0755 root root 7d"
"e! /var/.Trash-0 0755 root root 14d"
"D! /var/tmp 0755 root root 14d"
# "D! /root 0700 root root"
];
systemd.user.tmpfiles.users =
let
forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
in
lib.mergeAttrsList (
forEachUser (
name: user: {
"${name}".rules = [
# "d /home/${user}/Downloads - - - 14d"
"e ${user.home}/.vim/undodir - - - 7d"
"d ${user.home}/.cache - - - 7d"
"e ${user.home}/.java - - - 7d"
"e ${user.home}/.gradle - - - 7d"
"e ${user.home}/.cargo - - - 7d"
"e ${user.home}/.rustup - - - 7d"
"e ${user.home}/.templateengine - - - 7d"
"e ${user.home}/.sane - - - 7d"
"e ${user.home}/.dotnet - - - 7d"
"e ${user.home}/.nuget - - - 7d"
# "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
];
}
)
);
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
fileSystems."/etc/nixos" = {
device = "zpool/nix_conf";
fsType = "zfs";
options = [ "noacl" ];
options = [
"noacl"
"noexec"
"nosuid"
"nodev"
];
};
# fileSystems."/home" =
# { device = "zpool/home";
# fsType = "zfs";
# };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
@ -83,7 +231,12 @@
"fmask=0022"
"dmask=0022"
"umask=077"
"noexec"
"nosuid"
"nodev"
];
# noCheck = true;
# neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
};
grimmShared = {
@ -110,11 +263,6 @@
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
# fileSystems."/home/grimmauld" =
# { device = "zpool/home/grimmauld";
# fsType = "zfs";
# };
security.pam = {
zfs = {
enable = true;
@ -122,7 +270,11 @@
};
};
boot.initrd.systemd.enable = false; # breaks with luks
system.etc.overlay.enable = false; # requires systemd initrd1
boot.initrd.luks.yubikeySupport = true; # enable yubikey support
boot.initrd.luks.reusePassphrases = false;
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3

13
ssh/id_ed25519_sk Normal file → Executable file
View file

@ -1,8 +1,9 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW
JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV
LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU
xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH
26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA==
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC74ZK+2l
Hxn0SSjHwUqW/+AAAAGAAAAAEAAABRAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
AAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFsAA
AAsDn6O66Anaiqld0n6TanhawcxAnkGgunRTDvzzTC1y/3Fb6cJAKkw05HuvyCosqqHlUv
4k4I3ppv6pH85xe0nDXDw28IC9Y9OvfkwyHc/MrgnJ0kZz1gX/SIL9BdEQZ0Ne9SeIcvqK
DEDn20CLPU8QT7RbCmku4Aj7nJgOxVxu4ICXPIz5ufBU6IM5eGEbqzonWBX/M19ElKz6NN
Nmn5jc+z5aMw4O8mBMQ/5EYaSSbo
-----END OPENSSH PRIVATE KEY-----

2
ssh/id_ed25519_sk.pub
View file

@ -1 +1 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd

5
sway/default.nix
View file

@ -65,7 +65,8 @@
"$mod+Return" = "exec ${getExe xdg-terminal-exec}";
"$mod+Shift+q" = "kill";
"$mod+Shift+c" = "reload";
"$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
"$mod+Shift+e" =
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
# Move your focus around
"$mod+$left" = "focus left";
@ -193,7 +194,7 @@
(getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")
''${getExe' pkgs.coreutils-full "sleep"} 3 && ${getExe' pkgs.blueman "blueman-applet"}''
(getExe' pkgs.lxqt.lxqt-policykit "lxqt-policykit-agent")
(getExe' config.hardware.opentabletdriver.package "otd-daemon")
# (getExe' config.hardware.opentabletdriver.package "otd-daemon")
pkgs.swaynotificationcenter
pkgs.networkmanagerapplet
aw-bundle

17
users.nix
View file

@ -5,6 +5,8 @@
...
}:
{
users.mutableUsers = false;
users.users.grimmauld = {
isNormalUser = true;
# shell = pkgs.xonsh;
@ -25,15 +27,18 @@
"libvirtd"
"pipewire"
"gamemode"
"systemd-journal"
"i2c"
]; # only add to groups that actually exist on this system
syncPaths = [
{ remote = "3d"; }
{ remote = "Pictures"; }
{ remote = "Documents"; }
{ remote = "Videos"; }
];
# syncPaths = [
# { remote = "3d"; }
# { remote = "Pictures"; }
# { remote = "Documents"; }
# { remote = "Videos"; }
# ];
hashedPassword = "$y$j9T$HmVEEG6w96IUWynzJsLjT/$MCNKOTOUkku4ybBJiXPIHasXEkNVe6Ouu5gRTl2ab00";
packages = lib.optionals config.grimmShared.graphical (
with pkgs;