sudo -> doas

This commit is contained in:
LordGrimmauld 2024-04-13 19:16:33 +02:00
parent 639ddb7f88
commit 608b2201a3
9 changed files with 75 additions and 72 deletions


@ -48,8 +48,11 @@ in
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
Preferences = lib.mkMerge ([ ]
++ lib.optionals cfg.sway.enable [{ "browser.tabs.inTitlebar" = 0; }]);
Preferences = lib.mkMerge ([{
"pdfjs.enableScripting" = false;
}]
++ lib.optional cfg.sway.enable { "browser.tabs.inTitlebar" = 0; }
);
};
};
};
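Review bot: The new `"pdfjs.enableScripting" = false;` entry uses the bare-value form of the Firefox `Preferences` policy, so whether it is locked or only seeded as a changeable default depends on how Firefox treats that legacy form; the object form states the intent explicitly and is robust to that, `"pdfjs.enableScripting" = { Value = false; Status = "locked"; };`. Since this is the only hardening entry in the list, a one-line comment such as `# block JavaScript embedded in PDFs rendered by PDF.js` would tell the next reader why it is there. The enclosing policies attrset begins above the hunk.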


@ -6,7 +6,6 @@ in
config = with cfg; lib.mkIf (enable && network) {
networking.networkmanager.enable = true;
networking.useDHCP = lib.mkDefault true;
networking.firewall.enable = true;
hardware.bluetooth.enable = true;
@ -15,7 +14,7 @@ in
bluetuith
];
services.blueman.enable = graphical;
services.blueman.enable = lib.mkIf graphical true;
systemd.user.services.mpris-proxy = lib.mkIf sound {
description = "Mpris proxy";
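Review bot: With `networking.firewall.enable = true;` dropped from this module, the firewall on `network` hosts now relies on common/security.nix setting it under `lib.mkIf network true` (elsewhere in this commit), and nothing here records that cross-module dependency; a comment next to `networking.useDHCP`, `# firewall is enabled from common/security.nix`, would keep the two files from drifting apart. The switch to `services.blueman.enable = lib.mkIf graphical true;` is sound, as it no longer forces `false` on non-graphical hosts and so cannot conflict with another module enabling blueman. The `mpris-proxy` service definition continues past the end of the hunk.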


@ -1,27 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.grimmShared;
in
{
config = with cfg; lib.mkIf (enable && tooling.enable && tooling.pass) {
security.polkit.enable = true;
environment.systemPackages = with pkgs; [
mkpasswd
pinentry
gnupg
pass
libsecret
(writeShellScriptBin "passw" "pass $@")
] ++ lib.optional graphical lxqt.lxqt-policykit;
services.passSecretService.enable = true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = lib.mkForce pkgs.pinentry;
enable = true;
};
};
}

38
common/security.nix Normal file

@ -0,0 +1,38 @@
{ pkgs, config, lib, ... }:
let
cfg = config.grimmShared;
in
{
config = with cfg; lib.mkIf enable {
security.polkit.enable = true;
networking.firewall.enable = lib.mkIf network true;
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [{
users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}];
environment.systemPackages = with pkgs; [
mkpasswd
gnupg
libsecret
vulnix
doas-sudo-shim # muscle memory
] ++ lib.optionals (tooling.enable && tooling.pass) [
pass
(writeShellScriptBin "passw" "pass $@")
] ++ lib.optional graphical lxqt.lxqt-policykit;
services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
enable = true;
};
};
}
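Review bot: The doas rule in `security.doas.extraRules` grants root to every `isNormalUser` account and sets `keepEnv = true`, which is broader than the NixOS sudo default it replaces (that typically lets only `wheel` escalate and resets the environment) and hands each caller's full environment to commands run as root. Unless every normal user on these hosts is meant to be an administrator, restricting the rule to wheel members, `users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser && builtins.elem "wheel" v.extraGroups) config.users.users);`, and dropping `keepEnv` (or naming the few variables needed via `setEnv`) keeps the sudo-to-doas move from widening who can escalate and with what environment; `persist = true` also caches a successful authentication for a while, which deserves a short comment saying it is intentional. Separately, the `passw` wrapper carried over from pass.nix still uses an unquoted `pass $@`, so arguments containing spaces are re-split; `pass "$@"` fixes that.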


@ -20,6 +20,8 @@ in
environment.systemPackages = with pkgs; [
pwvucontrol
playerctl
openal
flite
pulseaudio
];
};


@ -41,6 +41,7 @@ in
powertop
parted
glib
glibc
] ++ lib.optionals cfg.graphical [
qdirstat
libva-utils


@ -78,11 +78,11 @@
"yafas": "yafas"
},
"locked": {
"lastModified": 1712743609,
"narHash": "sha256-sbp5oZgxQGNegFqUGtsSvFyb2oZ86G/cCjwY137MnlU=",
"lastModified": 1713020398,
"narHash": "sha256-fZ9snNCxKj5sJ/hymCW8aM8Lzlbzo/VYYfl/oNLh/jc=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "ec3a7e608929f4570a5152c1226f54275452b731",
"rev": "f0e16565b38a473664977625680f08e7cc9dec50",
"type": "github"
},
"original": {
@ -138,11 +138,11 @@
]
},
"locked": {
"lastModified": 1712369716,
"narHash": "sha256-9zs+0GTfSyGHdpiA6dPJXnDKAHmfr01OE9FxDE9KvPI=",
"lastModified": 1712765734,
"narHash": "sha256-HakehmZVdhbXHNaTzoSwIHdvy1A3A7XXEIUHV2cC7d8=",
"owner": "girlbossceo",
"repo": "conduwuit",
"rev": "2516d44cb178547194a66fa9c44930ab9bddd910",
"rev": "7d92cad55f58ef55d5c95ecf3753e0fa75ab11e1",
"type": "github"
},
"original": {
@ -331,11 +331,11 @@
]
},
"locked": {
"lastModified": 1712521891,
"narHash": "sha256-qJRkB7QZo2mdR/nABeHQKi3xkQxUsSGjVVQXTSHQocI=",
"lastModified": 1712909442,
"narHash": "sha256-D+VrmsPLkEbxNcI7lp9rGFR33RumbQIyhhjJ4PooWBs=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "ec53086c76303dc8880fa7ba06c45abcae8b3398",
"rev": "8886e3da78fcefb11935ea85da3d1572bf444c55",
"type": "github"
},
"original": {
@ -357,11 +357,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1712602331,
"narHash": "sha256-pM6sB2ltcy7jtog/gv1tbpT1ZDTdmrxfXPE9mbp/zO8=",
"lastModified": 1712983637,
"narHash": "sha256-PSoOKfevRvoVZdMqijl9VcaB5OqgCoAgQ8UpsEAdEDQ=",
"owner": "martinvonz",
"repo": "jj",
"rev": "13592ce49eaa245a740c7a8cd0ca8ea622c4fe95",
"rev": "82c85ba7542b0a5c938f53d71f9a481fc37eda1d",
"type": "github"
},
"original": {
@ -394,11 +394,11 @@
]
},
"locked": {
"lastModified": 1712600195,
"narHash": "sha256-RvmOMmJjPc6if0kVLPXWyWIddzLG1yUPkL6PDrEvTrM=",
"lastModified": 1712992043,
"narHash": "sha256-xUbqDxGiDab1et16JupBHpliGNpRSUcKfm++7t0UgBo=",
"owner": "YaLTeR",
"repo": "niri",
"rev": "e448cfb0efee0efbfc769662ee77ad22a347dc02",
"rev": "71be19b234d58f4ec447e921633506beb81a52c0",
"type": "github"
},
"original": {
@ -430,11 +430,11 @@
]
},
"locked": {
"lastModified": 1712452624,
"narHash": "sha256-R35K+4krhK5B2fcV6W2HFe/uhXmP8YGTb35uZ+nDAxw=",
"lastModified": 1712969975,
"narHash": "sha256-QckL3hBXRRwapLNbPdjy7+5WQNl2n2o7onmQRpyHwYs=",
"owner": "fufexan",
"repo": "nix-gaming",
"rev": "06314bbf8fedd83c7253442994a2f0c81d47988e",
"rev": "52f21f01ecbcc48d25c94a8a1e5c98cebf519a78",
"type": "github"
},
"original": {
@ -468,11 +468,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1712608508,
"narHash": "sha256-vMZ5603yU0wxgyQeHJryOI+O61yrX2AHwY6LOFyV1gM=",
"lastModified": 1712791164,
"narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6",
"rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
"type": "github"
},
"original": {


@ -236,8 +236,8 @@ in
./common/opengl.nix
./common/gaming.nix
./common/firefox.nix
./common/pass.nix
./common/sway.nix
./common/cloudsync.nix
./common/security.nix
];
}


@ -1,10 +1,5 @@
{
# Enable the X11 windowing system.
services.xserver = {
enable = true;
videoDrivers = [ "nouveau" "fbdev" "modesetting" ];
# videoDrivers = [ "nouveau" ];
displayManager = {
services.displayManager = {
# lightdm.enable = true;
sddm = {
enable = true;
@ -12,16 +7,8 @@
};
defaultSession = "sway";
};
desktopManager = {
# xfce.enable = true;
};
};
services.desktopManager = {
plasma6.enable = true;
# xfce.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
}
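Review bot: Enabling `plasma6` and removing `services.xserver.enable` together with the `videoDrivers` list is a desktop change bundled into a commit titled "sudo -> doas", which makes the privilege-escalation change harder to review and to revert on its own; splitting it out, or at least naming it in the commit message, would help. If anything on these hosts still needs Xorg (an X11 session offered by SDDM, or X-only tooling), `services.xserver.enable = true;` may still be required next to the new `services.displayManager` block, which is worth confirming on a rebuild. The commented-out `lightdm` and `xfce` lines migrated into the new blocks could simply be dropped.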