Grimmauld 2025-01-21 19:27:00 +01:00
parent e7a8f6c1f7
commit d50a73ab06
No known key found for this signature in database
10 changed files with 87 additions and 56 deletions


@ -49,8 +49,6 @@ in
starship
unzip
p7zip
fbcat
# gomuks
@ -64,6 +62,9 @@ in
man-pages
man-pages-posix
undollar
openssl
]
++ optionals graphical [
wev
@ -71,6 +72,7 @@ in
libva-utils
gparted
bottles
wlvncc
];
environment.sessionVariables = {


@ -132,6 +132,7 @@
},
"chaotic": {
"inputs": {
"fenix": "fenix",
"flake-schemas": "flake-schemas",
"home-manager": "home-manager_2",
"jovian": "jovian",
@ -140,11 +141,11 @@
]
},
"locked": {
"lastModified": 1736848948,
"narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=",
"lastModified": 1737474213,
"narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65",
"rev": "04e70503425690319c25814497f682145dd442c6",
"type": "github"
},
"original": {
@ -192,6 +193,28 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1737268357,
"narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=",
"owner": "nix-community",
"repo": "fenix",
"rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -342,11 +365,11 @@
]
},
"locked": {
"lastModified": 1736508663,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"lastModified": 1737221749,
"narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"rev": "97d7946b5e107dd03cc82f21165251d4e0159655",
"type": "github"
},
"original": {
@ -384,11 +407,11 @@
]
},
"locked": {
"lastModified": 1736580596,
"narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=",
"lastModified": 1737126697,
"narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083",
"rev": "27a0ddac1a14e10ba98530f59db728951495f2ce",
"type": "github"
},
"original": {
@ -508,11 +531,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1736798957,
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
"lastModified": 1737062831,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
"rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"type": "github"
},
"original": {
@ -573,6 +596,23 @@
"nixpkgs": "nixpkgs"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1737215993,
"narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [


@ -6,13 +6,13 @@
}:
buildGoModule {
pname = "apparmor-d";
version = "unstable-2025-01-13";
version = "unstable-2025-01-19";
src = fetchFromGitHub {
rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac";
rev = "e41c5f6055197b3ad0985f5af735b7d272148360";
owner = "roddhjav";
repo = "apparmor.d";
hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM=";
hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4=";
};
vendorHash = null;


@ -1,5 +1,5 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..6be12d34 100644
index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@ -8,8 +8,8 @@ index 0a95d183..6be12d34 100644
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/bin
+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}
+@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
@ -27,18 +27,25 @@ index 3f2dd9f4..39a8b64a 100644
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..606b4643 100644
index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
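Review bot: The two definitions of `@{bin}` in this patch now disagree: the `tunables/multiarch.d/system` hunk sets `@{bin}=/{nix/store/*/,}{,usr/}bin`, while the `DefaultTunables()` hunk in `pkg/aa/apparmor.go` sets `"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"`, and the Go `lib` value still lacks the `/run/wrappers` alternative that the tunables file gained in the same change; pick one value and use it in both places. The `/nix/store/*/` alternative also means every `@{bin}/foo` rule now matches that basename under any store path, including derivations that were never part of the system closure, so profiles that rely on `@{bin}` to pin a binary become looser than upstream intends — a one-line comment in the patch stating that this widening is deliberate would help the next reader. The trailing `configure.go` hunk is cut off at the end of the section, so its content is not reviewed here.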


@ -19,8 +19,10 @@ in
security.apparmor.killUnconfinedConfinables = false;
security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> @{nix_store}/,
# alias / -> /nix/store/*/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/.spotify-wrapped,
alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,
'';
environment.systemPackages = with pkgs; [ apparmor-parser ];
@ -39,13 +41,13 @@ in
pass = "enforce";
spotify = "enforce";
"thunderbird.apparmor.d" = "enforce";
# xdg-open = "enforce";
xdg-open = "enforce";
child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
firefox-vaapitest = "enforce";
gamemoded = "disable";
pkexec = "complain";
# pkexec = "complain";
xdg-mime = "complain";
mimetype = "complain";
# sudo = "complain";
@ -117,7 +119,6 @@ in
'';
"local/xdg-open" = ''
@{bin}/grep rix,
/** r,
'';
@ -135,7 +136,7 @@ in
/sys/devices/@{pci}/boot_vga r,
/sys/devices/@{pci}/**/id{Vendor,Product} r,
/dev/ r,
@{bin}/xdg-open rPx,
# @{bin}/xdg-open rPx,
/bin/electron rix,
'';
@ -144,8 +145,7 @@ in
'';
"local/unix-chkpwd" = ''
/run/wrappers/wrappers.*/unix_chkpwd rix,
@{bin}/unix_chkpwd rix,
capability dac_read_search,
'';
# "local/spotify" = ''
@ -156,8 +156,6 @@ in
security.apparmor.policies = {
passff = {
state = "enforce";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
@ -171,8 +169,6 @@ in
swaymux = {
state = "enforce";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
@ -180,14 +176,12 @@ in
include <abstractions/base> # read access to /nix/store, basic presets for most apps
${pkgs.swaymux}/bin/* rix, # wrapping
/dev/tty r,
owner @{user_config_dirs}/Kvantum/** r, # themeing
owner @{user_config_dirs}/** r,
}
'';
};
# speech-dispatcher-test = {
# enable = true;
# enforce = true;
# profile = ''#
#
#abi <abi/4.0>,
@ -221,21 +215,8 @@ in
#} '';
# };
sleep = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
include <abstractions/base>
}
'';
};
osu-lazer = {
state = "disable";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
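Review bot: In the `local/unix-chkpwd` hunk, `/run/wrappers/wrappers.*/unix_chkpwd rix,` is replaced by `@{bin}/unix_chkpwd rix,`, but the `@{bin}` value introduced by the apparmor.d patch in this same commit expands `/run/wrappers` only to `/run/wrappers/{,usr/}{,s}bin`, never to `/run/wrappers/wrappers.*/`. AppArmor matches on the resolved path, so if `/run/wrappers/bin` is a symlink into a `wrappers.*` directory (which the removed rule suggests), executing the wrapper is no longer permitted by this override; keep the removed line next to the new one, or add `wrappers.*/` to the tunable, and confirm against the actual layout of `/run/wrappers` on the host. Separately, `pkexec = "complain"` is commented out with no replacement, so pkexec falls back to whatever the module's default state is; a short comment recording the intended state (e.g. `# pkexec: relying on module default, see <tracking note>`) would make the change reviewable.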


@ -213,7 +213,7 @@ in
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nix;
data = getExe config.nix.package;
}
{
type = "regexp";


@ -21,7 +21,7 @@ in
./bluetooth.nix
./tty.nix
./ask-password.nix
./nix-daemon.nix
# ./nix-daemon.nix
./nscd.nix
./rtkit.nix
./sshd.nix
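Review bot: `./nix-daemon.nix` is commented out with no explanation, so a reader cannot tell whether the import was dropped deliberately or only while debugging; judging by its neighbours (`sshd.nix`, `nscd.nix`, `rtkit.nix`) the module presumably carries per-service hardening, and silently disabling it leaves the daemon with whatever permissions the default unit grants. Record the reason inline, e.g. `# ./nix-daemon.nix # disabled: <reason / tracking issue>`, or delete the line outright if it is not coming back.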


@ -139,7 +139,7 @@ in
programs.gradle = {
enable = true;
settings = {
"org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
# "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
"org.gradle.java.installations.auto-detect" = false;
};
};


@ -50,12 +50,12 @@ in
database = {
name = "psycopg2";
args = {
host = "localhost";
port = config.services.postgresql.settings.port;
dbname = "synapse";
user = "synapse";
cp_min = 5;
host = "localhost";
port = config.services.postgresql.settings.port;
cp_max = 10;
cp_min = 5;
client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path;
};


@ -63,6 +63,7 @@ in
boot.zfs = {
forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
package = pkgs.zfs_2_3;
};
boot.supportedFilesystems.zfs = true;