diff --git a/common/firefox.nix b/common/firefox.nix index a89195d..cfa0536 100644 --- a/common/firefox.nix +++ b/common/firefox.nix @@ -25,7 +25,23 @@ in ++ optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ]; programs.firefox = { - # package = pkgs.firefox-beta; + package = pkgs.firefox.override { + extraPrefsFiles = [ + "${pkgs.arkenfox-userjs}/user.cfg" + + (pkgs.writeText "arkenfox-userjs-overrides.cfg" # javascript + '' + /// arkenfox user.js overrides. + // We want session restore to work, for that we need to save history: + // https://github.com/arkenfox/user.js/issues/1080#issue-774750296 + lockPref("privacy.clearOnShutdown.history", false); + lockPref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); + lockPref("privacy.clearOnShutdown.offlineApps", false); // Site Data + lockPref("privacy.clearOnShutdown_v2.cookiesAndStorage", false); // Cookies, Site Data, Active Logins [FF128+] + '' + ) + ]; + }; enable = true; languagePacks = optionals locale [ "de" 
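Review bot: The overrides file uses `lockPref` to switch off four of arkenfox's clear-on-shutdown categories, so history, cookies and site data now survive restarts; the linked issue gives the session-restore motivation, but the comment should state the trade-off so the next reader does not take it for an arkenfox default, e.g. `// Trade-off: history, cookies and site data persist across restarts; the remaining arkenfox shutdown sanitizing is presumably still in effect.` The overrides only take precedence because they are listed after `${pkgs.arkenfox-userjs}/user.cfg` in `extraPrefsFiles` (later entries win, as far as I know), so a one-line comment at the list noting that the order is load-bearing is worth adding. The `programs.firefox` block continues outside the hunk.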
@@ -56,19 +72,99 @@ in OverrideFirstRunPage = ""; OverridePostUpdatePage = ""; DontCheckDefaultBrowser = true; + + FirefoxHome = { + TopSites = true; + SponsoredTopSites = false; + + Pocket = false; + Snippets = false; + Highlights = false; + Locked = true; + }; + + FirefoxSuggest = { + WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + Locked = true; + }; + + SearchEngines = { + # Default = "DuckDuckGo"; + Remove = ["Bing" "Amazon.ca" "eBay"]; + Add = [ + { + Name = "Nix Package Search"; + URLTemplate = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}"; + IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg"; + Alias = "np"; + } + { + Name = "NixOS Option Search"; + URLTemplate = "https://search.nixos.org/options?channel=unstable&query={searchTerms}"; + IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg"; + Alias = "no"; + } + { + Name = "NixOS Wiki"; + URLTemplate = "https://nixos.wiki/index.php?search={searchTerms}"; + IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg"; + Alias = "nw"; + } + { + Name = "Home Manager Option Search"; + URLTemplate = "https://mipmip.github.io/home-manager-option-search?query={searchTerms}"; + IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg"; + Alias = "hm"; + } + ]; + }; + Preferences = { "pdfjs.enableScripting" = false; + "signon.rememberSignons" = false; "media.hardware-video-decoding.enabled" = true; "media.ffmpeg.vaapi.enabled" = true; - "network.dns.disableIPv6" = true; - # "network.dns.DNS_HTTPS.domain" = "::1"; - "network.connectivity-service.DNSv4.domain" = "127.0.0.1"; - "network.connectivity-service.DNSv6.domain" = "::1"; - network.dns.localDomains = "::1"; - network.dns.forceResolve = true; "media.rdd-ffmpeg.enabled" = true; 
"media.navigator.mediadatadecoder_vpx_enabled" = true; + "media.eme.enabled" = true; + # "media.peerconnection.enabled" = false; + + "browser.startup.homepage" = "about:home"; + "browser.startup.page" = 1; + "browser.newtabpage.enabled" = true; + "browser.toolbars.bookmarks.visibility" = "newtab"; + "browser.download.useDownloadDir" = true; + + # "general.useragent.override" = ""; + # "permissions.memory_only" = true; + "privacy.resistFingerprinting" = true; + "privacy.resistFingerprinting.block_mozAddonManager" = true; + "network.http.referer.XOriginPolicy" = 1; + "network.http.referer.XOriginTrimmingPolicy" = 1; + "network.http.sendRefererHeader" = 0; + + "network.proxy.socks" = builtins.head (builtins.split ":" config.services.tor.torsocks.server); + "network.proxy.socks_port" = lib.last (builtins.split ":" config.services.tor.torsocks.server); + "network.connectivity-service.DNSv4.domain" = "127.0.0.1"; + "network.connectivity-service.DNSv6.domain" = "::1"; + "network.dns.localDomains" = "::1"; + "network.dns.forceResolve" = true; + "network.dns.disableIPv6" = true; + + "extensions.formautofill.addresses.enabled" = false; + "extensions.formautofill.creditCards.enabled" = false; + + "permissions.default.geo" = 2; + "permissions.default.xr" = 2; + "privacy.fingerprintingProtection" = true; + "privacy.globalprivacycontrol.enabled" = true; + "signon.firefoxRelay.feature" = "disabled"; + "browser.display.use_document_fonts" = 0; + + # "network.dns.DNS_HTTPS.domain" = "::1"; } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; }; }; }; diff --git a/common/printing.nix b/common/printing.nix index 1e804ec..bb076f7 100644 --- a/common/printing.nix +++ b/common/printing.nix @@ -10,8 +10,8 @@ in { config = lib.mkIf (enable && config.services.printing.enable) { services.printing.drivers = with pkgs; [ - brgenml1lpr - brgenml1cupswrapper +# brgenml1lpr +# brgenml1cupswrapper ]; services.avahi = { # enable = true; 
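Review bot: `"network.proxy.socks_port"` receives `lib.last (builtins.split ":" …)`, a string, while the pref is an integer; `lib.toInt (lib.last (builtins.split ":" config.services.tor.torsocks.server))` gives the policy the type Firefox expects. The hunk sets only the SOCKS host and port: without `"network.proxy.type" = 1` Firefox stays in its default proxy mode and these two prefs are inert, and without `"network.proxy.socks_remote_dns" = true` name lookups would bypass the proxy whenever it is active — if the proxyswitcheroo extension added elsewhere in this commit is meant to toggle this, a comment saying so would help. The split also assumes an IPv4 `host:port` form; a bracketed IPv6 server would yield a wrong host. `"signon.rememberSignons" = false` together with the formautofill prefs is a sensible pairing with the Tor routing and reads clearly as is.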
diff --git a/common/tooling/default.nix b/common/tooling/default.nix index d7e6900..88ce154 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -63,6 +63,7 @@ in undollar openssl + android-tools ] ++ optionals graphical [ wev @@ -90,6 +91,12 @@ in boot.tmp.cleanOnBoot = true; # zramSwap.enable = false; + + services.udev.packages = [ + pkgs.android-udev-rules + ]; + programs.adb.enable = true; + }; options.grimmShared.tooling = { diff --git a/common/tooling/rust.nix b/common/tooling/rust.nix index 3e0c601..56ecbad 100644 --- a/common/tooling/rust.nix +++ b/common/tooling/rust.nix @@ -22,8 +22,9 @@ in [ pkg-config cargo + rustup ] - ++ optionals graphical [ jetbrains.clion ]; + ++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ]; grimmShared.tooling.lang_servers = [ { diff --git a/configuration.nix b/configuration.nix index ae3eb8a..f2218fe 100644 --- a/configuration.nix +++ b/configuration.nix @@ -5,6 +5,7 @@ ./common # ./fake_flake.nix ./users.nix + ./custom ]; # Bootloader. @@ -15,6 +16,8 @@ nix.package = pkgs.lix; nixpkgs.config.allowUnfree = true; + zramSwap.enable = true; +# zramSwap.memoryPercent = 50; grimmShared = { enable = true; diff --git a/custom/confwhich/package.nix b/custom/confwhich/package.nix index 3f39c58..26eb0eb 100644 --- a/custom/confwhich/package.nix +++ b/custom/confwhich/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ="; }; - cargoHash = "sha256-cn9vtRO+negpIVs0rnp2y5q7L4w554dfBK9MtbWd8FA="; + useFetchCargoVendor = true; + cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw="; meta = { description = "tool to find the path of xdg config files"; diff --git a/custom/default.nix b/custom/default.nix new file mode 100644 index 0000000..4c3da16 --- /dev/null +++ b/custom/default.nix 
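Review bot: `programs.adb.enable = true` in the second hunk already, as far as I recall the NixOS module, puts `android-udev-rules` into `services.udev.packages` and `android-tools` on the system path, so the explicit `services.udev.packages` entry here and the `android-tools` added in the first hunk are likely redundant; if both are kept deliberately, a comment saying why would stop someone removing one and not the other. The `adbusers` group membership added in users.nix is what actually grants USB device access, so that is where the security-relevant part of this change sits and a pointer to it here would help.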
@@ -0,0 +1,11 @@ +{ lib, ... }: { + nixpkgs.overlays = lib.singleton (final: prev: { + confwhich = prev.callPackage ./confwhich/package.nix { }; + deskwhich = prev.callPackage ./deskwhich/package.nix { }; + linux-bench = prev.callPackage ./linux-bench/package.nix { }; + ooye = prev.callPackage ./ooye/package.nix { }; + rfindup = prev.callPackage ./rfindup/package.nix { }; + searchclip = prev.callPackage ./searchclip/package.nix { }; + tlpui = prev.callPackage ./tlpui/package.nix { }; + }); +} diff --git a/custom/deskwhich/package.nix b/custom/deskwhich/package.nix index a11e683..7223f30 100644 --- a/custom/deskwhich/package.nix +++ b/custom/deskwhich/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss="; }; - cargoHash = "sha256-x0ARqeMdmnjMF0o2oZlxHnUUj9hEdqg4a+Z/WYax2Co="; + useFetchCargoVendor = true; + cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y="; meta = { description = "tool to find the path of desktop entries"; diff --git a/custom/rfindup/package.nix b/custom/rfindup/package.nix index 859f6c5..f4a6abb 100644 --- a/custom/rfindup/package.nix +++ b/custom/rfindup/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs="; }; - cargoHash = "sha256-l7uRTGV2iYbWbJSvs+YHwMSYmVW3FHa7sgbO2mub7a0="; + useFetchCargoVendor = true; + cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU="; meta = { description = "tool to find files by name in parent directories"; diff --git a/flake.lock b/flake.lock index 195ad1c..ad5eb82 100644 --- a/flake.lock +++ b/flake.lock 
@@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1737538029, - "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=", + "lastModified": 1739727446, + "narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d", + "rev": "cf56427c87bf93537f0c4f9896beef2da146860b", "type": "github" }, "original": { @@ -141,11 +141,11 @@ ] }, "locked": { - "lastModified": 1737973837, - "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=", + "lastModified": 1740016447, + "narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "f19af140dacd0e211a25cf907be46356347e190f", + "rev": "ed7900391a1969bb0bde432fd3952a6dda37114c", "type": "github" }, "original": { @@ -202,11 +202,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1737268357, - "narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=", + "lastModified": 1739946876, + "narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=", "owner": "nix-community", "repo": "fenix", - "rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba", + "rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2", "type": "github" }, "original": { @@ -365,11 +365,11 @@ ] }, "locked": { - "lastModified": 1737221749, - "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=", + "lastModified": 1739913864, + "narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=", "owner": "nix-community", "repo": "home-manager", - "rev": "97d7946b5e107dd03cc82f21165251d4e0159655", + "rev": "97ac0801d187b2911e8caa45316399de12f6f199", "type": "github" }, "original": { 
@@ -407,11 +407,11 @@ ] }, "locked": { - "lastModified": 1737126697, - "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=", + "lastModified": 1739952453, + "narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce", + "rev": "b2ed82d3ff837960df4518308dfe409dda3ae406", "type": "github" }, "original": { @@ -495,11 +495,11 @@ "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1737736848, - "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=", + "lastModified": 1739121270, + "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261", + "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3", "type": "gitlab" }, "original": { @@ -531,11 +531,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738142207, - "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d3ae807ebd2981d593cddd0080856873139aa40", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { @@ -599,11 +599,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1737215993, - "narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=", + "lastModified": 1739913186, + "narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a", + "rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1", "type": "github" }, "original": { diff --git a/hardening/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix index cbbed8d..cc17701 100644 --- a/hardening/apparmor/apparmor-d-package.nix 
+++ b/hardening/apparmor/apparmor-d-package.nix @@ -6,18 +6,19 @@ }: buildGoModule { pname = "apparmor-d"; - version = "unstable-2025-01-19"; + version = "unstable-2025-02-18"; src = fetchFromGitHub { - rev = "e41c5f6055197b3ad0985f5af735b7d272148360"; + rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9"; owner = "roddhjav"; repo = "apparmor.d"; - hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4="; + hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM="; }; vendorHash = null; doCheck = false; + dontCheckForBrokenSymlinks = true; patches = [ ./apparmor-d-prebuild.patch diff --git a/hardening/apparmor/default.nix b/hardening/apparmor/default.nix index dc6874f..eb68826 100644 --- a/hardening/apparmor/default.nix +++ b/hardening/apparmor/default.nix @@ -42,7 +42,7 @@ in spotify = "enforce"; "thunderbird.apparmor.d" = "enforce"; xdg-open = "enforce"; - child-open-any = "enforce"; + # child-open-any = "enforce"; child-open = "enforce"; firefox-glxtest = "enforce"; firefox-vaapitest = "enforce"; diff --git a/hardening/default.nix b/hardening/default.nix index 09f54a8..b28fcaf 100644 --- a/hardening/default.nix +++ b/hardening/default.nix @@ -68,10 +68,10 @@ systemd.tpm2.enable = false; systemd.enableEmergencyMode = false; virtualisation.vswitch.enable = false; - services.resolved.enable = false; security.unprivilegedUsernsClone = true; security.apparmor.enable = true; security.allowSimultaneousMultithreading = true; + security.pam.services.systemd-run0 = {}; environment.defaultPackages = lib.mkForce [ ]; environment.systemPackages = with pkgs; [ nano clamav linux-bench ]; } diff --git a/hardening/encrypt-dns.nix b/hardening/encrypt-dns.nix index 97d3ef8..a09364e 100644 --- a/hardening/encrypt-dns.nix +++ b/hardening/encrypt-dns.nix 
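Review bot: `dontCheckForBrokenSymlinks = true` silences the fixup check that flags dangling symlinks under `$out`; arriving together with a rev bump it suggests the new snapshot ships symlinks that no longer resolve, and the reason should be recorded rather than the check silently dropped, e.g. `# new snapshot ships dangling symlinks under $out — TODO: note which, or fix them in apparmor-d-prebuild.patch`. The version/hash bump itself is fine. The derivation continues past the hunk, so whether `apparmor-d-prebuild.patch` already touches those paths can't be seen here.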
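Review bot: `security.pam.services.systemd-run0 = {};` enables a PAM stack for run0 (systemd's privilege-elevation front end) with the module defaults, but nothing records why it is needed or who is expected to use it; run0 authorizes through polkit, so the effective policy lives there rather than on this line, and a comment such as `# PAM session stack for systemd run0; who may elevate is decided by polkit, not here` would make that explicit. Removing `services.resolved.enable = false;` leaves resolved on the module default; with `networkmanager.dns = "none"` and the local dnscrypt listener in encrypt-dns.nix it should stay off, but the explicit false documented that intent and I would keep it unless something now needs resolved.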
@@ -2,11 +2,23 @@ { networking = { nameservers = lib.mkForce [ "127.0.0.1" "::1" ]; + # nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ]; dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp networkmanager.dns = "none"; # nm resolvconf.useLocalResolver = true; # resoved }; + services.tor = { + enable = true; + client.enable = true; + torsocks = { + enable = true; + allowInbound = false; + }; + settings.SafeSocks = true; + settings.TestSocks = true; + }; + services.dnscrypt-proxy2 = { enable = true; settings = { @@ -18,20 +30,22 @@ odoh_servers = false; require_nolog = true; require_nofilter = true; + listen_addresses = [ "127.0.0.1:53" ]; + proxy = "socks5://${config.services.tor.torsocks.server}"; + force_tcp = true; sources.public-resolvers = let serverList = pkgs.fetchurl { # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"; - hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU="; + hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA="; }; in { urls = [ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - # "file://${serverList}" ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; + cache_file = serverList; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; }; diff --git a/hardening/opensnitch/block_lists.nix b/hardening/opensnitch/block_lists.nix index 41e0079..f417f05 100644 --- a/hardening/opensnitch/block_lists.nix +++ b/hardening/opensnitch/block_lists.nix 
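Review bot: `settings.SafeSocks = true` makes Tor reject SOCKS requests that carry an IP address instead of a hostname, and the dnscrypt-proxy2 hunk below sends its resolver connections through this same SOCKS server; DNSCrypt/DoH resolvers are contacted by IP, so unless I am misreading SafeSocks those connections will be refused and resolution fail. Either drop SafeSocks (keeping `TestSocks` for the log warnings) or document why it is expected to work, e.g. `# SafeSocks refuses IP-addressed SOCKS requests; dnscrypt-proxy dials resolvers by IP — verified working?`. `allowInbound = false` only affects torsocks; the SocksPort consumers use comes from `client.enable`, and a comment naming the intended consumers (dnscrypt-proxy2, Firefox) would tie the three files together.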
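Review bot: `listen_addresses = [ "127.0.0.1:53" ]` no longer listens on `[::1]:53`, yet `networking.nameservers` above still lists `::1`, so half of the configured nameservers now point at a closed port; either add `"[::1]:53"` to `listen_addresses` or drop `::1` from the nameserver list. `cache_file = serverList` points the cache at a read-only /nix/store path whose mtime is the epoch, so dnscrypt-proxy will presumably treat it as stale and try to rewrite it on every refresh — confirm it tolerates that write failure, since the previous value was a writable path under /var/lib/dnscrypt-proxy2. `force_tcp = true` is the combination the `proxy` setting requires, so a one-line comment `# all resolver traffic goes through Tor; TCP only, SOCKS carries no UDP` would save the next reader a lookup.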
@@ -5,13 +5,13 @@ }: stdenv.mkDerivation rec { pname = "stevenblack_block"; - version = "3.14.116"; + version = "3.15.19"; src = fetchFromGitHub { owner = "StevenBlack"; repo = "hosts"; rev = version; - hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o="; + hash = "sha256-hcvOs96apLZFVv1Fn9FUxS3VQQeP7h/IC2E3xOqcrZY="; }; installPhase = '' diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index fc7f795..a901c18 100644 --- a/hardening/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix @@ -30,6 +30,7 @@ in ./firefox.nix ./tooling.nix ./dns.nix + ./tor.nix ]; config = mkIf (enable && tooling.enable && network) { diff --git a/hardening/opensnitch/nix.nix b/hardening/opensnitch/nix.nix index 7b23aec..dbd2871 100644 --- a/hardening/opensnitch/nix.nix +++ b/hardening/opensnitch/nix.nix @@ -72,13 +72,6 @@ in operand = "dest.port"; data = "443"; } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(channels|cache)\\.nixos\\.org"; - } - ]; }; }; diff --git a/hardening/opensnitch/tor.nix b/hardening/opensnitch/tor.nix new file mode 100644 index 0000000..832ca8a --- /dev/null +++ b/hardening/opensnitch/tor.nix @@ -0,0 +1,37 @@ +{ + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + tor = mkIf (config.services.tor.enable) { + name = "tor"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = lib.getExe' config.services.tor.package "tor"; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/vesktop.nix b/hardening/opensnitch/vesktop.nix index 7da2e9e..ebb9595 100644 --- a/hardening/opensnitch/vesktop.nix +++ b/hardening/opensnitch/vesktop.nix 
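Review bot: Removing the `dest.host` regexp for `(channels|cache)\.nixos\.org` leaves the operator list with, as far as the hunk shows, only the `dest.port` 443 condition, so the rule now permits the matched process to reach any host on 443 rather than just the Nix substituters. If that widening is intended (for instance because the substituter set changed), a comment saying so belongs next to the port condition; otherwise a replacement host condition should go back in. The enclosing rule and its process match start outside the hunk, so the exact scope is inferred.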
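Review bot: The new tor.nix rule allows the `tor` binary to reach any destination for `always`, which is what a Tor client needs, but the file should say so: `# Tor dials arbitrary relays on arbitrary ports, so only the process path is constrained`. `lib.getExe' config.services.tor.package "tor"` matches `process.path` exactly, so other binaries from the package are not covered; that looks intentional and is the tighter choice. The fixed `created = "1970-01-01T00:00:00.0+00:00"` reads as a placeholder opensnitch requires in each rule file — a comment to that effect would stop it looking like a mistake.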
@@ -33,7 +33,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; }; }; @@ -52,7 +52,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; } { type = "lists"; @@ -78,7 +78,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; } { type = "simple"; @@ -105,7 +105,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; }; }; 
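Review bot: In these rewritten regexps (and the matching one in the hunk at line 124) `\.config` sits inside a Nix double-quoted string, where `\.` collapses to a plain `.`, so the pattern matches `/home/.+/` followed by any character and `config` rather than a literal dot; write `\\.config` (or `${escapeRegex ".config"}`) to pin it. The new prefix `${escapeRegex "${pkgs.electron}"}/libexec/electron/.*` also matches any binary under that directory instead of only `electron…`; acceptable if intended, but the old pattern matched the `electron-unwrapped` store path, so confirm opensnitch reports the wrapped `pkgs.electron` path in `process.command` after this change, otherwise the rules silently stop matching. A short comment on the rules explaining that the path is pinned to the exact store path on purpose (so an electron upgrade re-prompts) would help the next reader.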
@@ -124,7 +124,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; } { type = "lists"; diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index 0df3226..407e75a 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix @@ -13,11 +13,11 @@ let in { imports = [ - ./NetworkManager.nix + # ./NetworkManager.nix ./wpa_supplicant.nix ./auditd.nix ./acpid.nix - ./cups.nix + # ./cups.nix # ./bluetooth.nix # ./tty.nix ./ask-password.nix diff --git a/hardening/systemd/global/syscall_arch.nix b/hardening/systemd/global/syscall_arch.nix index 5a1ec5d..3bec214 100644 --- a/hardening/systemd/global/syscall_arch.nix +++ b/hardening/systemd/global/syscall_arch.nix @@ -8,7 +8,7 @@ in type = types.attrsOf ( lib.types.submodule { config.serviceConfig = mkIf (osConfig.specialisation != { }) { - SystemCallArchitectures = mkDefault "native"; + # SystemCallArchitectures = mkDefault "native"; }; } diff --git a/hardening/systemd/nscd.nix b/hardening/systemd/nscd.nix index 0fa94dd..ec1af2b 100644 --- a/hardening/systemd/nscd.nix +++ b/hardening/systemd/nscd.nix @@ -8,7 +8,6 @@ nscd.serviceConfig = { MemoryDenyWriteExecute = true; NoNewPrivileges = true; - SystemCallArchitectures = "native"; RestrictSUIDSGID = true; RestrictAddressFamilies = [ "AF_UNIX" @@ -17,6 +16,7 @@ ]; RestrictNamespaces = true; SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; LockPersonality = true; ProtectControlGroups = true; diff --git a/hm/common/default.nix b/hm/common/default.nix index ab18b24..9ad943e 100644 
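Review bot: Commenting out the global `SystemCallArchitectures = mkDefault "native"` drops a seccomp restriction from every unit at once, presumably for one misbehaving service; since the value is `mkDefault`, that unit could override it instead (`serviceConfig.SystemCallArchitectures = lib.mkForce "";` or a wider list) and the global default kept. The nscd.nix hunks in this commit only move the same setting, so nscd keeps it explicitly. If the global default stays disabled, a comment naming the unit that required it would keep it from being re-enabled by accident — or removed for good without anyone knowing why. The systemd/default.nix hunk on this line likewise comments out the NetworkManager and cups hardening imports with no reason given; a `# disabled: <reason — TBD>` next to each would serve the same purpose.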
--- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -41,10 +41,12 @@ in # kicad prusa-slicer - # freecad + freecad openscad iamb confy + authenticator + signal-desktop vlc # blender diff --git a/overlays/confwhich.nix b/overlays/confwhich.nix deleted file mode 100644 index 04a8af6..0000000 --- a/overlays/confwhich.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - confwhich = prev.callPackage ../custom/confwhich/package.nix { }; -} diff --git a/overlays/default.nix b/overlays/default.nix index 96325d8..3164955 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -2,16 +2,21 @@ config, lib, inputs, + options, ... }: { - #programs.ccache.packageNames = [ - # "agenix" - # "mcontrolcenter" - #]; + programs.ccache.enable = true; + nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; + systemd.tmpfiles.rules = [ + "d! ${config.programs.ccache.cacheDir} 770 root nixbld" + ]; + programs.ccache.packageNames = [ + # "firefox-unwrapped" + ]; nixpkgs.overlays = - map + (map ( f: ( @@ -30,17 +35,14 @@ [ ./lua_update.nix ./matrix-appservice-discord.nix - ./deskwhich.nix - ./tlpui.nix - # ./ccache-wrapper.nix - ./searchclip.nix - ./confwhich.nix - ./rfindup.nix - ./ooye.nix + ./ccache-wrapper.nix ./factorio.nix ./ranger.nix ./vesktop.nix - ./linux-bench.nix + ./firefox-search.nix # ./grpcio-tools.nix - ]; + ] + ) + ++ [ (import ./global/overlays.nix) ]; + nix.nixPath = options.nix.nixPath.default ++ [ "nixpkgs-overlays=${./global}" ]; } diff --git a/overlays/deskwhich.nix b/overlays/deskwhich.nix deleted file mode 100644 index b0cd31e..0000000 --- a/overlays/deskwhich.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - deskwhich = prev.callPackage ../custom/deskwhich/package.nix { }; -} diff --git a/overlays/firefox-search.nix b/overlays/firefox-search.nix new file mode 100644 index 0000000..9c35d73 --- /dev/null +++ b/overlays/firefox-search.nix 
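Review bot: `nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]` exposes one shared, group-writable (`770 root nixbld`) directory to every sandboxed build, so any derivation can read and modify cached objects that later builds of `packageNames` will reuse; that is the usual ccache-in-nix trade-off, but it should be written next to the line, e.g. `# shared cache is writable by every nixbld build: its contents are trusted no more than any local build`. As far as I recall the NixOS ccache module already adds the sandbox path and a tmpfiles rule once `packageNames` is non-empty, so the explicit lines may duplicate it; `packageNames` is currently empty, so nothing uses the cache yet. The `nix.nixPath` addition also applies `./global` to non-flake `<nixpkgs>` evaluations, which deserves a short comment on intent.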
@@ -0,0 +1,21 @@ +{ prev, final, ... }: +{ + firefox = prev.firefox.overrideAttrs (old: { + nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] ); + buildCommand = '' + export buildRoot="$(pwd)" + '' + old.buildCommand + '' + pushd $buildRoot + unzip $out/lib/firefox/browser/omni.ja -d patched_omni || ret=$? + if [[ $ret && $ret -ne 2 ]]; then + echo "unzip exited with unexpected error" + exit $ret + fi + rm $out/lib/firefox/browser/omni.ja + cd patched_omni + sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs + zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD + popd + ''; + }); +} diff --git a/overlays/global/overlays.nix b/overlays/global/overlays.nix new file mode 100644 index 0000000..f7d6170 --- /dev/null +++ b/overlays/global/overlays.nix @@ -0,0 +1,3 @@ +final: prev: { + devenv = builtins.throw "no devenv for you!"; +} diff --git a/overlays/linux-bench.nix b/overlays/linux-bench.nix deleted file mode 100644 index f032726..0000000 --- a/overlays/linux-bench.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - linux-bench = prev.callPackage ../custom/linux-bench/package.nix { }; -} diff --git a/overlays/ooye.nix b/overlays/ooye.nix deleted file mode 100644 index ea3b36a..0000000 --- a/overlays/ooye.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - ooye = prev.callPackage ../custom/ooye/package.nix { }; -} diff --git a/overlays/rfindup.nix b/overlays/rfindup.nix deleted file mode 100644 index d8bf2ad..0000000 --- a/overlays/rfindup.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - rfindup = prev.callPackage ../custom/rfindup/package.nix { }; -} diff --git a/overlays/searchclip.nix b/overlays/searchclip.nix deleted file mode 100644 index 50bbfbd..0000000 --- a/overlays/searchclip.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - searchclip = prev.callPackage ../custom/searchclip/package.nix { }; -} 
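Review bot: The `sed` strips every `"enterprise_only": true` marker from the policies schema so that release Firefox honours policies Mozilla reserves for ESR (the `SearchEngines` policy used in common/firefox.nix appears to be the one that needs it), but the file never says so; add a header comment such as `# Rebuild omni.ja with the enterprise_only flags removed so ESR-only policies (SearchEngines) apply on release Firefox`. The `ret` handling relies on the variable being unset when `unzip` succeeds; set `ret=0` before the `unzip` line so an inherited or stale value can't mask a failure. `zip -0DXqr` rewrites the archive stored rather than compressed, and the `# potentially qr9XD` remark should be either resolved or turned into a sentence explaining what was tried.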
diff --git a/overlays/tlpui.nix b/overlays/tlpui.nix deleted file mode 100644 index 62f4855..0000000 --- a/overlays/tlpui.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - tlpui = prev.callPackage ../custom/tlpui/package.nix { }; -} diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 649c31a..b725b70 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix @@ -40,6 +40,7 @@ "{b9db16a4-6edc-47ec-a1f4-b86292ed211d}" = "video-downloadhelper"; "{1526fba1-ac33-4dfc-99d8-163e6129f7b9}" = "reveye-ris"; "shinigamieyes@shinigamieyes" = "shinigami-eyes"; + "{6787c9e3-c787-4e21-9449-92e301642b34}" = "proxyswitcheroo"; }; }; spotify.enable = true; diff --git a/specific/grimm-nixos-ssd/filesystems.nix b/specific/grimm-nixos-ssd/filesystems.nix index 986a3bd..49f6fe7 100644 --- a/specific/grimm-nixos-ssd/filesystems.nix +++ b/specific/grimm-nixos-ssd/filesystems.nix @@ -48,7 +48,7 @@ in "rw" "relatime" "mode=1777" - "noexec" + # "noexec" "nosuid" "nodev" ]; @@ -97,6 +97,16 @@ in ]; }; + fileSystems."/etc/NetworkManager/vpn-certs" = { + device = "${persist}/etc/NetworkManager/vpn-certs"; + options = [ + "bind" + "noexec" + "nosuid" + "nodev" + ]; + }; + fileSystems."/nix" = { device = "zpool/nix"; fsType = "zfs"; diff --git a/users.nix b/users.nix index 4a0adca..234bd99 100644 --- a/users.nix +++ b/users.nix @@ -29,6 +29,7 @@ "gamemode" "systemd-journal" "i2c" + "adbusers" ]; # only add to groups that actually exist on this system # syncPaths = [
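Review bot: Dropping `"noexec"` from this `mode=1777` mount re-allows running binaries from a world-writable directory, which is exactly what `noexec` exists to prevent; if a particular tool needs it, name it so the flag can come back when that need goes away, e.g. `# "noexec" removed: <tool — TBD> needs to execute from here`. The mount's name is outside the hunk, so which filesystem this is can't be seen here. The new `vpn-certs` bind mount in the second hunk keeps `noexec nosuid nodev`, which is the right default for a certificate directory.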