diff --git a/common/gaming.nix b/common/gaming.nix
index 9184308..50822c1 100644
--- a/common/gaming.nix
+++ b/common/gaming.nix
@@ -50,7 +50,7 @@ in
 environment.systemPackages = with pkgs; [
- heroic
+ # heroic
 prismlauncher
 mangohud
 the-powder-toy
diff --git a/common/graphics/qt.nix b/common/graphics/qt.nix
index cda30b7..2f638fc 100644
--- a/common/graphics/qt.nix
+++ b/common/graphics/qt.nix
@@ -49,10 +49,10 @@ in
 kdePackages.breeze-qt5
 ];
- boot.plymouth = {
- themePackages = with pkgs; [ catppuccin-plymouth ];
- theme = "catppuccin-macchiato";
- enable = true;
- };
+ #boot.plymouth = {
+ # themePackages = with pkgs; [ catppuccin-plymouth ];
+ # theme = "catppuccin-macchiato";
+ # enable = true;
+ #};
 };
 }
diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index 0057a4d..a6d9b1b 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -27,6 +27,7 @@ in
 ./java.nix
 ./opensnitch
 ./ranger.nix
+ ./defaultProtectHome.nix
 ./apparmor
 ];
diff --git a/common/tooling/defaultProtectHome.nix b/common/tooling/defaultProtectHome.nix
new file mode 100644
index 0000000..bc0d3b9
--- /dev/null
+++ b/common/tooling/defaultProtectHome.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+with lib;
+{
+ options.systemd.services = mkOption {
+ type = types.attrsOf (
+ types.submodule {
+ config.serviceConfig.ProtectHome = lib.mkDefault true;
+ }
+ );
+ };
+
+ config.systemd.services = {
+ "user-runtime-dir@".serviceConfig.ProtectHome = false;
+ "user@".serviceConfig.ProtectHome = false;
+
+ display-manager.serviceConfig.ProtectHome = "read-only"; # false;
+
+ systemd-homed.serviceConfig.ProtectHome = false;
+ systemd-homed-activate.serviceConfig.ProtectHome = false;
+
+ dbus-broker.serviceConfig.ProtectHome = "read-only"; # false;
+ };
+
+ # config.systemd.units."service.d/protect-user-home-by-default.conf".text = ''
+ # [Service]
+ # ProtectHome=yes
+ # '';
+}
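Review bot: The `ProtectHome = lib.mkDefault true` default in defaultProtectHome.nix reaches every unit declared through `systemd.services`, but the exception block only lists user@, user-runtime-dir@, display-manager, systemd-homed and dbus-broker; other services that fork user sessions as their own children — NixOS declares sshd and the getty@ templates through `systemd.services` — would inherit a mount namespace with an empty /home, so if this host runs them they need `serviceConfig.ProtectHome = false;` here as well. The `"read-only"` value on display-manager is inherited by any session process the greeter forks itself rather than hands to user@, which is presumably why `# false;` is still noted; worth confirming on this machine before that fallback is removed. Because the default is injected into the `systemd.services` submodule, units shipped as files via `systemd.packages` and all user units stay uncovered, which the commented-out `service.d` drop-in at the bottom would handle globally; a header comment such as `# Opt-out default: every systemd.services unit gets ProtectHome=yes unless it sets its own value` makes that scope explicit. Running `systemd-analyze security` after a switch is a cheap way to see which units actually picked the setting up.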
diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix
index 43adc0a..515c94f 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -51,6 +51,7 @@ in
 Firewall = "iptables";
 LogLevel = 1;
 ProcMonitorMethod = "ftrace";
+ # ProcMonitorMethod = "audit";
 };
 rules = {
diff --git a/common/tooling/security.nix b/common/tooling/security.nix
index cf738b3..6776955 100644
--- a/common/tooling/security.nix
+++ b/common/tooling/security.nix
@@ -35,6 +35,7 @@ in
 # security.doas.enable = true;
 security.sudo.enable = true;
+ security.sudo.execWheelOnly = true;
 security.doas.extraRules = [
 {
diff --git a/flake.lock b/flake.lock
index 2ffb95b..2547a68 100644
--- a/flake.lock
+++ b/flake.lock
@@ -137,15 +137,14 @@
 "jovian": "jovian",
 "nixpkgs": [
 "nixpkgs"
- ],
- "nixpkgs-small": "nixpkgs-small"
+ ]
 },
 "locked": {
- "lastModified": 1734987419,
- "narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=",
+ "lastModified": 1735509923,
+ "narHash": "sha256-oepXx1SWadUMvRWn7dXmIMpwfRC0ZLD0d/6ZW0meFN0=",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22",
+ "rev": "5ace86fdaab9ab74d6a4ab8ecf64c57230d3cb8a",
 "type": "github"
 },
 "original": {
@@ -384,11 +383,11 @@
 ]
 },
 "locked": {
- "lastModified": 1734725857,
- "narHash": "sha256-bivlV9l/UjMtTfz/CZaoNJ5RfH2Lre4P9Ds64conoUQ=",
+ "lastModified": 1735330405,
+ "narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
 "owner": "Jovian-Experiments",
 "repo": "Jovian-NixOS",
- "rev": "dbae2fd6adaf34c947d310bec08deac7c4ed265b",
+ "rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
 "type": "github"
 },
 "original": {
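Review bot: `security.sudo.execWheelOnly = true;` in security.nix is a meaningful hardening step that arrives without a comment; since it changes who can execute the setuid sudo wrapper at all (only members of wheel, everyone else is refused before sudo's own parser runs), a line such as `# only wheel may exec the setuid sudo wrapper; keeps the binary out of reach of other local accounts` records the intent. The `security.doas.extraRules` block that follows is still populated while `security.doas.enable` stays commented out two lines above, so those rules are dead configuration until doas is switched on. The enclosing attribute set continues outside the hunk.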
@@ -494,11 +493,11 @@
 "nixpkgs-24_11": "nixpkgs-24_11"
 },
 "locked": {
- "lastModified": 1734884447,
- "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
+ "lastModified": 1735230346,
+ "narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
+ "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
 "type": "gitlab"
 },
 "original": {
@@ -530,16 +529,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1734649271,
- "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+ "lastModified": 1735530358,
+ "narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+ "rev": "5000219208d860bafd1ee26eadb403449f3d9ab9",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-unstable-small",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -559,22 +558,6 @@
 "type": "indirect"
 }
 },
- "nixpkgs-small": {
- "locked": {
- "lastModified": 1734838250,
- "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable-small",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1730741070,
diff --git a/flake.nix b/flake.nix
index 78bf4fb..c3e5dec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@
 inputs = {
 nixpkgs = {
- url = "github:NixOS/nixpkgs/nixos-unstable";
+ url = "github:NixOS/nixpkgs/nixos-unstable-small";
 # url = "git+file:///home/grimmauld/coding/nixpkgs";
 };
 chaotic = {
diff --git a/grimm-nixos-ssd.qcow2 b/grimm-nixos-ssd.qcow2
new file mode 100644
index 0000000..97f54c6
Binary files /dev/null and b/grimm-nixos-ssd.qcow2 differ
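Review bot: A VM disk image, grimm-nixos-ssd.qcow2, is committed at the repository root as a new binary file; in a configuration repository that does not look intentional, and an image named after a host whose hardware-configuration.nix is tracked here can carry exactly the state a declarative config keeps out of git (machine-id, host keys, LUKS headers, cached credentials), besides being impossible to remove from history later without a rewrite. If it is a throwaway artefact from testing the ssd configuration, adding `*.qcow2` to .gitignore and dropping the file before the next push is the cheap fix; if publishing it is intended, its contents should be checked for those secrets first. The flake.nix hunk above only repoints the nixpkgs input to nixos-unstable-small and needs nothing further.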
diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 2f35f5b..b461cfa 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix @@ -1,5 +1,6 @@ { config, + lib, ... }: { @@ -15,6 +16,8 @@ services.zfs.trim.enable = true; boot.supportedFilesystems.zfs = true; + # systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services); + # security.pam.yubico.control = "required"; services.printing.cups-pdf.enable = true; # implies printing enable diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index a5cbf50..4058b40 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix @@ -12,6 +12,7 @@ let nix_build = "/nix/build-sandbox"; persist = "/nix/persist"; + tmp-exec = "/tmp-exec"; in { @@ -38,7 +39,6 @@ in ]; boot.kernelModules = [ - "tmpfs" "iwlwifi" "iwlmvm" "mac80211" @@ -46,11 +46,15 @@ in "cfg80211" ]; # "kvm-intel" boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y"; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + boot.kernelParams = [ "nosgx" ]; security.lockKernelModules = false; # PAIN on an intended-portable setup # security.protectKernelImage = false; boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work? + boot.loader.systemd-boot.consoleMode = "auto"; systemd.tmpfiles.settings."mount"."/mnt".d = { group = "root"; @@ -66,7 +70,7 @@ in boot.supportedFilesystems.zfs = true; networking.hostId = "40fa5ea8"; # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.kernelPackages = pkgs.linuxPackages_6_6; + boot.kernelPackages = pkgs.linuxPackages_6_12; boot.extraModulePackages = [ ]; services.homed.enable = true; 
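Review bot: The commented-out `systemd.services = lib.mapAttrs' ...` line added to configuration.nix is dead code that duplicates what the new defaultProtectHome.nix module does, and it would not evaluate as written (`filterAttrs:` declares a lambda parameter rather than calling `lib.filterAttrs`); dropping it keeps the file readable, and the `lib` argument added in the first hunk is then unused in the visible hunks. If `# security.pam.yubico.control = "required";` is kept as a reminder, a short note on why it stays off (e.g. `# disabled: <reason>`) saves the next reader from re-trying it. The enclosing attribute set continues outside the hunk.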
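Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` and `boot.kernelParams = [ "nosgx" ];` in hardware-configuration.nix arrive without a comment saying why this host needs them; a binfmt_misc registration makes every aarch64 ELF on the machine runnable through the qemu-user interpreter, which is additional exec surface on a system that otherwise mounts /dev/shm noexec, so a line such as `# aarch64 emulation for cross-building <what>; drop when no longer needed` documents the trade-off, and `nosgx` likewise deserves `# SGX disabled: <reason>`. The removal of `"tmpfs"` from kernelModules in the earlier hunk is fine, as tmpfs is built into the kernel rather than loadable. The enclosing `in { … }` set continues outside the hunk.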
@@ -79,7 +83,7 @@ in "mode=755" "noexec" "nosuid" - # "nodev" + "nodev" ]; }; @@ -96,16 +100,6 @@ in environment.etc."machine-id".source = "${persist}/etc/machine-id"; environment.memoryAllocator.provider = "libc"; -# fileSystems."/nix/var" = { -# device = "${persist}/nix/var"; -# options = [ -# "bind" -# "noexec" -# "nosuid" -# "nodev" -# ]; -# }; - fileSystems."/nix/var" = { device = "/nix/var"; options = [ @@ -132,7 +126,7 @@ in options = [ "exec" "suid" - "dev" + "nodev" ]; }; @@ -148,18 +142,34 @@ in fileSystems."${nix_build}" = { # can execute - device = "none"; - fsType = "tmpfs"; + device = "zpool/nix-build"; + fsType = "zfs"; options = [ - "defaults" - "size=30%" - "mode=755" "exec" "nosuid" "nodev" ]; }; + fileSystems."${tmp-exec}" = { + device = "none"; + fsType = "tmpfs"; + options = [ + "defaults" + "size=2G" + "mode=755" + "exec" + "nosuid" + "nodev" + "mode=1777" + ]; + }; + + environment.sessionVariables."java.io.tmpdir" = tmp-exec; + + # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root"; + + systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root"; systemd.services.nix-daemon.environment.TMPDIR = nix_build; fileSystems."/etc/nixos" = { @@ -210,11 +220,6 @@ in # options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless. # }; - # fileSystems."/home/grimmauld" = - # { device = "zpool/home/grimmauld"; - # fsType = "zfs"; - # }; - security.pam = { zfs = { enable = true; @@ -223,6 +228,7 @@ in }; boot.initrd.luks.yubikeySupport = true; # enable yubikey support + boot.initrd.luks.reusePassphrases = false; boot.initrd.luks.devices."root" = { device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
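Review bot: `environment.sessionVariables."java.io.tmpdir" = tmp-exec;` in hardware-configuration.nix will not do what it intends: `java.io.tmpdir` is a JVM system property rather than an environment variable, and a name containing dots is not a valid shell identifier for the generated session-environment script; the JVM-recognised way to set it for every session is `environment.sessionVariables.JAVA_TOOL_OPTIONS = "-Djava.io.tmpdir=${tmp-exec}";`. The new `/tmp-exec` tmpfs also lists both `"mode=755"` and `"mode=1777"`; only one should remain (1777 is the one a shared temp directory needs), and `"defaults"` next to an explicit `"exec"` is redundant. That mount is a deliberate world-writable, executable area on a host that mounts /dev/shm noexec, so a comment naming which programs are meant to use it keeps the exception reviewable. The enclosing `in { … }` set continues outside the hunk.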