clean up hardening
This commit is contained in:
parent
28e5a83716
commit
68529879d2
14 changed files with 15 additions and 26 deletions
|
|
@ -8,7 +8,6 @@ let
|
|||
inherit (config.grimmShared)
|
||||
enable
|
||||
firefox
|
||||
tooling
|
||||
locale
|
||||
sway
|
||||
;
|
||||
|
|
@ -28,9 +27,6 @@ in
|
|||
programs.firefox = {
|
||||
# package = pkgs.firefox-beta;
|
||||
enable = true;
|
||||
nativeMessagingHosts.packages =
|
||||
[ ]
|
||||
++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ];
|
||||
languagePacks = optionals locale [
|
||||
"de"
|
||||
"en-US"
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ in
|
|||
imports = [
|
||||
# ./lilypond.nix
|
||||
./nix.nix
|
||||
./security.nix
|
||||
./python.nix
|
||||
./rust.nix
|
||||
./lsp.nix
|
||||
|
|
@ -25,10 +24,8 @@ in
|
|||
# ./wine.nix
|
||||
./c.nix
|
||||
./java.nix
|
||||
./opensnitch
|
||||
./ranger.nix
|
||||
# ./defaultProtectHome.nix
|
||||
./apparmor
|
||||
];
|
||||
|
||||
config = mkIf (enable && tooling.enable) {
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@
|
|||
imports = [
|
||||
./systemd
|
||||
./ssh-as-sudo.nix
|
||||
./apparmor
|
||||
./opensnitch
|
||||
./security.nix
|
||||
];
|
||||
|
||||
specialisation.unhardened.configuration = { };
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ in
|
|||
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
ssh = {
|
||||
name = "ssh-allow-all";
|
||||
enabled = true;
|
||||
|
|
@ -7,22 +7,17 @@
|
|||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.grimmShared) enable tooling graphical;
|
||||
inherit (lib)
|
||||
optional
|
||||
optionals
|
||||
filterAttrs
|
||||
mkForce
|
||||
mkDefault
|
||||
mkIf
|
||||
attrNames
|
||||
mkEnableOption
|
||||
;
|
||||
|
||||
age_plugins = with pkgs; [ age-plugin-yubikey ];
|
||||
in
|
||||
{
|
||||
config = mkIf enable {
|
||||
config = {
|
||||
security.polkit.enable = mkDefault true;
|
||||
security.rtkit.enable = true;
|
||||
|
||||
|
|
@ -61,7 +56,7 @@ in
|
|||
in
|
||||
lib.getExe' rage_wrapped "rage";
|
||||
|
||||
programs.yubikey-touch-detector.enable = graphical;
|
||||
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
|
||||
services.yubikey-agent.enable = true;
|
||||
|
||||
environment.systemPackages =
|
||||
|
|
@ -75,16 +70,13 @@ in
|
|||
yubikey-manager
|
||||
yubico-pam
|
||||
yubikey-personalization
|
||||
pkgs.pass
|
||||
])
|
||||
++ age_plugins
|
||||
++ (optionals (tooling.enable && tooling.pass) [
|
||||
pkgs.pass
|
||||
(pkgs.writeShellScriptBin "passw" "pass $@")
|
||||
])
|
||||
++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
|
||||
++ (optional graphical pkgs.lxqt.lxqt-policykit);
|
||||
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
|
||||
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
|
||||
|
||||
services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
|
||||
services.passSecretService.enable = true;
|
||||
services.openssh.settings.LoginGraceTime = 0;
|
||||
|
||||
# programs.gnupg.agent = {
|
||||
|
|
@ -96,10 +88,10 @@ in
|
|||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
|
||||
grimmShared.firefox.plugins = {
|
||||
"passff@invicem.pro" = "passff";
|
||||
};
|
||||
};
|
||||
|
||||
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
|
||||
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
|
||||
};
|
||||
}
|
||||
|
|
@ -29,7 +29,8 @@
|
|||
|
||||
grimmShared = {
|
||||
tooling = {
|
||||
pass = true;
|
||||
enable = true;
|
||||
# pass = true;
|
||||
};
|
||||
gaming = true;
|
||||
portals = true;
|
||||
|
|
|
|||
Loading…
Reference in a new issue