This commit is contained in:
Grimmauld 2025-01-21 19:27:00 +01:00
parent e7a8f6c1f7
commit d50a73ab06
No known key found for this signature in database
10 changed files with 87 additions and 56 deletions


@ -49,8 +49,6 @@ in
starship starship
unzip unzip
p7zip
fbcat fbcat
# gomuks # gomuks
@ -64,6 +62,9 @@ in
man-pages man-pages
man-pages-posix man-pages-posix
undollar
openssl
] ]
++ optionals graphical [ ++ optionals graphical [
wev wev
@ -71,6 +72,7 @@ in
libva-utils libva-utils
gparted gparted
bottles bottles
wlvncc
]; ];
environment.sessionVariables = { environment.sessionVariables = {


@ -132,6 +132,7 @@
}, },
"chaotic": { "chaotic": {
"inputs": { "inputs": {
"fenix": "fenix",
"flake-schemas": "flake-schemas", "flake-schemas": "flake-schemas",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"jovian": "jovian", "jovian": "jovian",
@ -140,11 +141,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736848948, "lastModified": 1737474213,
"narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=", "narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65", "rev": "04e70503425690319c25814497f682145dd442c6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -192,6 +193,28 @@
"type": "github" "type": "github"
} }
}, },
"fenix": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1737268357,
"narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=",
"owner": "nix-community",
"repo": "fenix",
"rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -342,11 +365,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736508663, "lastModified": 1737221749,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=", "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc", "rev": "97d7946b5e107dd03cc82f21165251d4e0159655",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -384,11 +407,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736580596, "lastModified": 1737126697,
"narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=", "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083", "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -508,11 +531,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1736798957, "lastModified": 1737062831,
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=", "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3", "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -573,6 +596,23 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
}, },
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1737215993,
"narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": { "rust-overlay": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [


@ -6,13 +6,13 @@
}: }:
buildGoModule { buildGoModule {
pname = "apparmor-d"; pname = "apparmor-d";
version = "unstable-2025-01-13"; version = "unstable-2025-01-19";
src = fetchFromGitHub { src = fetchFromGitHub {
rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac"; rev = "e41c5f6055197b3ad0985f5af735b7d272148360";
owner = "roddhjav"; owner = "roddhjav";
repo = "apparmor.d"; repo = "apparmor.d";
hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM="; hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4=";
}; };
vendorHash = null; vendorHash = null;


@ -1,5 +1,5 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..6be12d34 100644 index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system --- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@ @@ -106,8 +106,8 @@
@ -8,8 +8,8 @@ index 0a95d183..6be12d34 100644
# Common places for binaries and libraries across distributions # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin -@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64} -@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/bin +@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64} +@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
# Common places for temporary files # Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/ @{tmp}=/tmp/ /tmp/user/@{uid}/
@ -27,18 +27,25 @@ index 3f2dd9f4..39a8b64a 100644
case "ubuntu": case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..606b4643 100644 index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go --- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go
@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile { @@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{ return &AppArmorProfileFile{
Preamble: Rules{ Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644 index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go --- a/pkg/prebuild/prepare/configure.go
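Review bot: The `/run/wrappers` alternative added to `@{bin}` on L187 and to `@{lib}` on L172 is spelled with a leading slash and no trailing slash, while its sibling is `nix/store/*/`, so brace expansion produces `//run/wrappersbin` and `//run/wrapperslib…` instead of `/run/wrappers/bin`; it should be `run/wrappers/`, e.g. `"/{nix/store/*/,run/wrappers/,}{,usr/}{,s}bin"`. The tunables file and `DefaultTunables` also now disagree: L171's `@{bin}` has neither `{,s}` nor the wrappers alternative, and L194's `@{lib}` lacks the wrappers alternative that L172 carries, so profiles resolved from the two sources will expand `@{bin}`/`@{lib}` differently. Since `nix/store/*/` matches every store path, any rule of the form `@{bin}/** ix` now permits executing any binary in the store; that is presumably the intent on NixOS, but it is a deliberate widening that the patch description should state.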


@ -19,8 +19,10 @@ in
security.apparmor.killUnconfinedConfinables = false; security.apparmor.killUnconfinedConfinables = false;
security.apparmor.includes."tunables/alias.d/programs" = '' security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> @{nix_store}/, # alias / -> /nix/store/*/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/.spotify-wrapped,
alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,
''; '';
environment.systemPackages = with pkgs; [ apparmor-parser ]; environment.systemPackages = with pkgs; [ apparmor-parser ];
@ -39,13 +41,13 @@ in
pass = "enforce"; pass = "enforce";
spotify = "enforce"; spotify = "enforce";
"thunderbird.apparmor.d" = "enforce"; "thunderbird.apparmor.d" = "enforce";
# xdg-open = "enforce"; xdg-open = "enforce";
child-open-any = "enforce"; child-open-any = "enforce";
child-open = "enforce"; child-open = "enforce";
firefox-glxtest = "enforce"; firefox-glxtest = "enforce";
firefox-vaapitest = "enforce"; firefox-vaapitest = "enforce";
gamemoded = "disable"; gamemoded = "disable";
pkexec = "complain"; # pkexec = "complain";
xdg-mime = "complain"; xdg-mime = "complain";
mimetype = "complain"; mimetype = "complain";
# sudo = "complain"; # sudo = "complain";
@ -117,7 +119,6 @@ in
''; '';
"local/xdg-open" = '' "local/xdg-open" = ''
@{bin}/grep rix,
/** r, /** r,
''; '';
@ -135,7 +136,7 @@ in
/sys/devices/@{pci}/boot_vga r, /sys/devices/@{pci}/boot_vga r,
/sys/devices/@{pci}/**/id{Vendor,Product} r, /sys/devices/@{pci}/**/id{Vendor,Product} r,
/dev/ r, /dev/ r,
@{bin}/xdg-open rPx, # @{bin}/xdg-open rPx,
/bin/electron rix, /bin/electron rix,
''; '';
@ -144,8 +145,7 @@ in
''; '';
"local/unix-chkpwd" = '' "local/unix-chkpwd" = ''
/run/wrappers/wrappers.*/unix_chkpwd rix, capability dac_read_search,
@{bin}/unix_chkpwd rix,
''; '';
# "local/spotify" = '' # "local/spotify" = ''
@ -156,8 +156,6 @@ in
security.apparmor.policies = { security.apparmor.policies = {
passff = { passff = {
state = "enforce"; state = "enforce";
# enable = true;
# enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@ -171,8 +169,6 @@ in
swaymux = { swaymux = {
state = "enforce"; state = "enforce";
# enable = true;
# enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@ -180,14 +176,12 @@ in
include <abstractions/base> # read access to /nix/store, basic presets for most apps include <abstractions/base> # read access to /nix/store, basic presets for most apps
${pkgs.swaymux}/bin/* rix, # wrapping ${pkgs.swaymux}/bin/* rix, # wrapping
/dev/tty r, /dev/tty r,
owner @{user_config_dirs}/Kvantum/** r, # themeing owner @{user_config_dirs}/** r,
} }
''; '';
}; };
# speech-dispatcher-test = { # speech-dispatcher-test = {
# enable = true;
# enforce = true;
# profile = ''# # profile = ''#
# #
#abi <abi/4.0>, #abi <abi/4.0>,
@ -221,21 +215,8 @@ in
#} ''; #} '';
# }; # };
sleep = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
include <abstractions/base>
}
'';
};
osu-lazer = { osu-lazer = {
state = "disable"; state = "disable";
# enable = true;
# enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
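Review bot: The swaymux read rule on L268 widens from `owner @{user_config_dirs}/Kvantum/** r, # themeing` to `owner @{user_config_dirs}/** r,`, so the profile may now read every file under the user's config directory rather than only theme data; if a specific path was missing, adding it next to the Kvantum rule keeps the confinement narrow, and the dropped comment should be replaced with one naming why the whole directory is needed. The `local/unix-chkpwd` snippet gains `capability dac_read_search,` on L243 next to `@{bin}/unix_chkpwd rix,`; a one-line comment recording which denial this satisfies would help later review, since that capability bypasses file-read and directory-search permission checks. Commenting out `pkexec = "complain";` on L223 removes even complain-mode coverage for a setuid binary; if the profile was noisy, keeping it in complain mode preserves the audit trail. The new `alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,` on L210 puts a glob in an alias target, which is worth confirming the parser expands, as alias rules are usually literal path prefixes.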


@ -213,7 +213,7 @@ in
type = "simple"; type = "simple";
sensitive = false; sensitive = false;
operand = "process.path"; operand = "process.path";
data = getExe pkgs.nix; data = getExe config.nix.package;
} }
{ {
type = "regexp"; type = "regexp";


@ -21,7 +21,7 @@ in
./bluetooth.nix ./bluetooth.nix
./tty.nix ./tty.nix
./ask-password.nix ./ask-password.nix
./nix-daemon.nix # ./nix-daemon.nix
./nscd.nix ./nscd.nix
./rtkit.nix ./rtkit.nix
./sshd.nix ./sshd.nix
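Review bot: Commenting out `./nix-daemon.nix` on L316 drops the module from this import list without recording why, and a silently disabled import among entries such as `./sshd.nix` and `./rtkit.nix` is easy to forget. A trailing note like `# ./nix-daemon.nix # disabled: <reason>; re-enable once <condition>` keeps the intent visible to the next reader.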


@ -139,7 +139,7 @@ in
programs.gradle = { programs.gradle = {
enable = true; enable = true;
settings = { settings = {
"org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk"; # "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
"org.gradle.java.installations.auto-detect" = false; "org.gradle.java.installations.auto-detect" = false;
}; };
}; };


@ -50,12 +50,12 @@ in
database = { database = {
name = "psycopg2"; name = "psycopg2";
args = { args = {
host = "localhost";
port = config.services.postgresql.settings.port;
dbname = "synapse"; dbname = "synapse";
user = "synapse"; user = "synapse";
cp_min = 5; host = "localhost";
port = config.services.postgresql.settings.port;
cp_max = 10; cp_max = 10;
cp_min = 5;
client_encoding = "auto"; client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path; passfile = config.age.secrets.synapse_db_pass_prepared.path;
}; };


@ -63,6 +63,7 @@ in
boot.zfs = { boot.zfs = {
forceImportRoot = false; forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later. requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
package = pkgs.zfs_2_3;
}; };
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;