clean up hardening

common/firefox.nix

@@ -8,7 +8,6 @@ let
   inherit (config.grimmShared)
     enable
     firefox
-    tooling
     locale
     sway
     ;
@@ -28,9 +27,6 @@ in
     programs.firefox = {
       #      package = pkgs.firefox-beta;
       enable = true;
-      nativeMessagingHosts.packages =
-        [ ]
-        ++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ];
       languagePacks = optionals locale [
         "de"
         "en-US"

common/tooling/default.nix

@@ -17,7 +17,6 @@ in
   imports = [
     #    ./lilypond.nix
     ./nix.nix
-    ./security.nix
     ./python.nix
     ./rust.nix
     ./lsp.nix
@@ -25,10 +24,8 @@ in
     # ./wine.nix
     ./c.nix
     ./java.nix
-    ./opensnitch
     ./ranger.nix
     # ./defaultProtectHome.nix
-    ./apparmor
   ];
 
   config = mkIf (enable && tooling.enable) {

hardening/default.nix

@@ -3,6 +3,9 @@
   imports = [
     ./systemd
     ./ssh-as-sudo.nix
+    ./apparmor
+    ./opensnitch
+    ./security.nix
   ];
 
   specialisation.unhardened.configuration = { };

hardening/opensnitch/default.nix

@@ -110,7 +110,7 @@ in
             data = "${lib.escapeRegex pkgs.git.outPath}/.*";
           };
         };
-        
+
         ssh = {
           name = "ssh-allow-all";
           enabled = true;

hardening/security.nix

@@ -7,22 +7,17 @@
   ...
 }:
 let
-  inherit (config.grimmShared) enable tooling graphical;
   inherit (lib)
     optional
-    optionals
     filterAttrs
-    mkForce
     mkDefault
-    mkIf
     attrNames
-    mkEnableOption
     ;
 
   age_plugins = with pkgs; [ age-plugin-yubikey ];
 in
 {
-  config = mkIf enable {
+  config = {
     security.polkit.enable = mkDefault true;
     security.rtkit.enable = true;
 
@@ -61,7 +56,7 @@ in
       in
       lib.getExe' rage_wrapped "rage";
 
-    programs.yubikey-touch-detector.enable = graphical;
+    programs.yubikey-touch-detector.enable = config.programs.sway.enable;
     services.yubikey-agent.enable = true;
 
     environment.systemPackages =
@@ -75,16 +70,13 @@ in
         yubikey-manager
         yubico-pam
         yubikey-personalization
+        pkgs.pass
       ])
       ++ age_plugins
-      ++ (optionals (tooling.enable && tooling.pass) [
+      ++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
-        pkgs.pass
+    #  ++ (optional graphical pkgs.lxqt.lxqt-policykit);
-        (pkgs.writeShellScriptBin "passw" "pass $@")
-      ])
-      ++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
-      ++ (optional graphical pkgs.lxqt.lxqt-policykit);
 
-    services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
+    services.passSecretService.enable = true;
     services.openssh.settings.LoginGraceTime = 0;
 
     #    programs.gnupg.agent = {
@@ -96,10 +88,10 @@ in
     #      enableSSHSupport = true;
     #    };
 
-    grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
+    grimmShared.firefox.plugins = {
       "passff@invicem.pro" = "passff";
     };
-  };
 
-  options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
+    programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
+  };
 }

specific/grimm-nixos-ssd/configuration.nix

@@ -29,7 +29,8 @@
 
   grimmShared = {
     tooling = {
-      pass = true;
+      enable = true;
+#      pass = true;
     };
     gaming = true;
     portals = true;