Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

clean up hardening

Browse source
This commit is contained in:
Grimmauld 2025-01-10 12:50:01 +01:00
parent 28e5a83716
commit 68529879d2
No known key found for this signature in database
14 changed files with 15 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
common/firefox.nix
View file

@ -8,7 +8,6 @@ let
inherit (config.grimmShared)
enable
firefox
tooling
locale
sway
;
@ -28,9 +27,6 @@ in
programs.firefox = {
# package = pkgs.firefox-beta;
enable = true;
nativeMessagingHosts.packages =
[ ]
++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ];
languagePacks = optionals locale [
"de"
"en-US"

3
common/tooling/default.nix
View file

@ -17,7 +17,6 @@ in
imports = [
# ./lilypond.nix
./nix.nix
./security.nix
./python.nix
./rust.nix
./lsp.nix
@ -25,10 +24,8 @@ in
# ./wine.nix
./c.nix
./java.nix
./opensnitch
./ranger.nix
# ./defaultProtectHome.nix
./apparmor
];
config = mkIf (enable && tooling.enable) {

0
common/tooling/apparmor/apparmor-d-module.nix → hardening/apparmor/apparmor-d-module.nix
View file

0
common/tooling/apparmor/apparmor-d-package.nix → hardening/apparmor/apparmor-d-package.nix
View file

0
common/tooling/apparmor/apparmor-d-prebuild.patch → hardening/apparmor/apparmor-d-prebuild.patch
View file

0
common/tooling/apparmor/bare.nix → hardening/apparmor/bare.nix
View file

0
common/tooling/apparmor/default.nix → hardening/apparmor/default.nix
View file

3
hardening/default.nix
View file

@ -3,6 +3,9 @@
imports = [
./systemd
./ssh-as-sudo.nix
./apparmor
./opensnitch
./security.nix
];
specialisation.unhardened.configuration = { };

0
common/tooling/opensnitch/block_lists.nix → hardening/opensnitch/block_lists.nix
View file

0
common/tooling/opensnitch/default.nix → hardening/opensnitch/default.nix
View file

0
common/tooling/opensnitch/discord_hosts/hosts.list → hardening/opensnitch/discord_hosts/hosts.list
View file

0
common/tooling/opensnitch/spotify_hosts/hosts.list → hardening/opensnitch/spotify_hosts/hosts.list
View file

26
common/tooling/security.nix → hardening/security.nix
View file

@ -7,22 +7,17 @@
...
}:
let
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optional
optionals
filterAttrs
mkForce
mkDefault
mkIf
attrNames
mkEnableOption
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = mkIf enable {
config = {
security.polkit.enable = mkDefault true;
security.rtkit.enable = true;
@ -61,7 +56,7 @@ in
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = graphical;
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
services.yubikey-agent.enable = true;
environment.systemPackages =
@ -75,16 +70,13 @@ in
yubikey-manager
yubico-pam
yubikey-personalization
pkgs.pass
])
++ age_plugins
++ (optionals (tooling.enable && tooling.pass) [
pkgs.pass
(pkgs.writeShellScriptBin "passw" "pass $@")
])
++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
++ (optional graphical pkgs.lxqt.lxqt-policykit);
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
services.passSecretService.enable = true;
services.openssh.settings.LoginGraceTime = 0;
# programs.gnupg.agent = {
@ -96,10 +88,10 @@ in
# enableSSHSupport = true;
# };
grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
grimmShared.firefox.plugins = {
"passff@invicem.pro" = "passff";
};
};
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
};
}

3
specific/grimm-nixos-ssd/configuration.nix
View file

@ -29,7 +29,8 @@
grimmShared = {
tooling = {
pass = true;
enable = true;
# pass = true;
};
gaming = true;
portals = true;