Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fixes and qol

Browse source
This commit is contained in:
Grimmauld 2025-01-26 21:43:23 +01:00
parent d50a73ab06
commit e6205dd705
No known key found for this signature in database
30 changed files with 878 additions and 187 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
common/hardware/laptop.nix
View file

@ -59,14 +59,14 @@ in
# serviceConfig.Type = "oneshot";
#};
systemd.enableCgroupAccounting = true;
# systemd.enableCgroupAccounting = true;
# systemd.enableUnifiedCgroupHierarchy = false;
boot = {
kernelParams = [
# "intel_iommu=on"
"nohibernate"
"pcie_aspm=off"
# "pcie_aspm=off"
];
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [

22
common/tooling/default.nix
View file

@ -38,24 +38,22 @@ in
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
urlencode
rfindup
pstree
file
wget
bat
hyfetch
btop
fastfetch
eza
starship
fd
ripgrep
file
pstree
rfindup
btop
unzip
fbcat
# gomuks
imagemagick
nmap
parted
expect
gptfdisk
qrencode
@ -78,8 +76,12 @@ in
environment.sessionVariables = {
MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'";
MANROFFOPT = "-c";
SYSTEMD_PAGER = getExe pkgs.bat;
SYSTEMD_PAGERSECURE = "true";
};
programs.command-not-found.enable = true;
documentation.dev.enable = true;
# virtualisation.docker.enable = true;

3
common/tooling/nix-index.nix
View file

@ -16,6 +16,9 @@ in
};
users.groups."${user}" = { };
# programs.nix-index.enable = true;
# programs.nix-index.enableBashIntegration = true;
nix.settings.allowed-users = [ user ];
environment.systemPackages = with pkgs; [

3
common/tooling/nix.nix
View file

@ -16,7 +16,8 @@
nixpkgs-hammering
nix-output-monitor
nix-search-cli
niv
nix-update
# niv
nvd
vulnix
nix-init

2
common/xdg/default.nix
View file

@ -14,4 +14,6 @@
};
};
xdg.icons.enable = true;
}

6
common/xdg/portals.nix
View file

@ -32,9 +32,9 @@ in
xdgOpenUsePortal = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-kde
xdg-desktop-portal-gtk
lxqt.xdg-desktop-portal-lxqt
# xdg-desktop-portal-kde
# xdg-desktop-portal-gtk
# lxqt.xdg-desktop-portal-lxqt
];
wlr.enable = true;

24
flake.lock generated
View file

@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1736590503,
"narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=",
"lastModified": 1737538029,
"narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93",
"rev": "14b4d3f64c06f6c4457a1d117bb201410422009d",
"type": "github"
},
"original": {
@ -141,11 +141,11 @@
]
},
"locked": {
"lastModified": 1737474213,
"narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=",
"lastModified": 1737534778,
"narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "04e70503425690319c25814497f682145dd442c6",
"rev": "a650b785c5d2b064777e0c5af7a414267a8fc934",
"type": "github"
},
"original": {
@ -495,11 +495,11 @@
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1735230346,
"narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
"lastModified": 1737201600,
"narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
"rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4",
"type": "gitlab"
},
"original": {
@ -531,11 +531,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1737062831,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"lastModified": 1737469691,
"narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github"
},
"original": {

4
flake.nix
View file

@ -68,6 +68,10 @@
}:
let
patches = [
{
url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1";
hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo=";
}
];
customNixosSystem =

10
hardening/default.nix
View file

@ -1,7 +1,6 @@
{
lib,
pkgs,
config,
...
}:
{
@ -13,13 +12,16 @@
./security.nix
];
specialisation.unhardened.configuration = { };
# services.opensnitch.enable = lib.mkForce false;
specialisation.unhardened.configuration = {
services.opensnitch.enable = lib.mkForce false;
security.apparmor.enable = lib.mkForce false;
};
#
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false;
# services.resolved.enable = false;
services.resolved.enable = false;
security.unprivilegedUsernsClone = true;
environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano ];

690
hardening/opensnitch/vesktop.nix Normal file
View file

@ -0,0 +1,690 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
optional
getBin
getExe
concatLines
getExe'
escapeRegex
getVersion
mkIf
filter
split
strings
concatStringsSep
length
isString
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
vesktop_deny = mkIf (graphical) {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf (graphical) {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf (graphical) {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf (graphical) {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
nextcloud = mkIf (false) {
# config.grimmShared.cloudSync.enable
name = "nextcloud";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data =
let
l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
in
(strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
];
};
};
};
};
};
}

75
hardening/systemd/default.nix
View file

@ -19,7 +19,7 @@ in
./acpid.nix
./cups.nix
./bluetooth.nix
./tty.nix
# ./tty.nix
./ask-password.nix
# ./nix-daemon.nix
./nscd.nix
@ -28,77 +28,4 @@ in
./global
];
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig =
let
shouldMakeIntrusive = (
noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
);
in
mkIf (osConfig.specialisation != { }) (
{
ProtectHome = mkDefault true;
# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
}
// (lib.optionalAttrs shouldMakeIntrusive {
# PrivateTmp = mkDefault true;
# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
})
);
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
opensnitchd.serviceConfig = {
ProtectHome = false;
PrivateTmp = false;
ProtectKernelLogs = false;
};
"user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false;
systemd-homed.serviceConfig.ProtectHome = false;
systemd-homed-activate.serviceConfig.ProtectHome = false;
sshd.serviceConfig.ProtectHome = false;
display-manager.serviceConfig.ProtectHome = "read-only";
dbus-broker.serviceConfig.ProtectHome = "read-only";
systemd-logind.serviceConfig.ProtectHome = false;
nix-daemon.serviceConfig.ProtectHome = false;
zfs-mount.serviceConfig.PrivateTmp = false;
kmod-static-nodes.serviceConfig.PrivateTmp = false;
mount-pstore.serviceConfig.PrivateTmp = false;
# todo: tpm things
#polkit.serviceConfig.NoNewPrivileges = false;
#"getty@".serviceConfig.NoNewPrivileges = false;
#"user@".serviceConfig.NoNewPrivileges = false;
# todo: dbus?
auditd.serviceConfig.ProtectKernelLogs = false;
audit.serviceConfig.ProtectKernelLogs = false;
"getty@".serviceConfig.SystemCallFilter = "";
display-manager.serviceConfig.SystemCallFilter = "";
sshd.serviceConfig.SystemCallFilter = "";
rtkit-daemon.serviceConfig.SystemCallFilter = "";
};
};
}

1
hardening/systemd/global/default.nix
View file

@ -3,5 +3,6 @@
./hostname.nix
./clock.nix
./realtime.nix
./syscall_arch.nix
];
}

22
hardening/systemd/global/syscall_arch.nix Normal file
View file

@ -0,0 +1,22 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
osConfig = config;
in
{
options.systemd.services = lib.mkOption {
type = types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
SystemCallArchitectures = mkDefault "native";
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
};
};
}

5
hardening/systemd/nix-daemon.nix
View file

@ -7,7 +7,6 @@
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
@ -15,7 +14,7 @@
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK" # needed for some checks
# "AF_NETLINK" # needed for some checks
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
@ -65,6 +64,8 @@
"CAP_DAC_OVERRIDE"
];
NoNewPrivileges = false; # build processes might need more
# ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD

2
hardening/systemd/sshd.nix
View file

@ -4,7 +4,7 @@
...
}:
{
config.systemd.services = {
config.systemd.services = lib.mkIf (config.specialisation != { }) {
sshd.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";

18
hm/common/default.nix
View file

@ -41,8 +41,10 @@ in
# kicad
prusa-slicer
freecad
# freecad
openscad
iamb
confy
vlc
# blender
@ -121,6 +123,18 @@ in
];
};
gtk.iconTheme = {
package = pkgs.adwaita-icon-theme;
name = "Adwaita";
};
gtk.theme = {
package = pkgs.gnome-themes-extra;
name = "Adwaita-dark";
};
gtk.enable = true;
programs.tmux = {
enable = true;
clock24 = true;
@ -161,5 +175,5 @@ in
pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty;
};
xdg.mimeApps.enable = true;
# xdg.mimeApps.enable = true;
}

5
hm/grimmauld/default.nix
View file

@ -7,9 +7,10 @@ in
inherit username;
homeDirectory = "/home/${username}";
# file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
# file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;
file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub;
file.".cups/lpoptions".text = "Default pdf\n";
file.".config/iamb/config.toml".source = ./iamb_config.toml;
};
};
}

2
hm/grimmauld/iamb_config.toml Normal file
View file

@ -0,0 +1,2 @@
[profiles."grimmauld.de"]
user_id = "@grimmauld:grimmauld.de"

2
modules/default.nix
View file

@ -6,7 +6,7 @@ in
{
imports = [
./wireguard.nix
# ./matrix.nix
# ./matrix.nix
./matrix_legacy.nix
./puffer.nix
./gitea.nix

3
modules/ooye/default.nix
View file

@ -2,6 +2,5 @@
{
environment.systemPackages = with pkgs; [ ooye ];
services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ];
services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ];
}

3
overlays/default.nix
View file

@ -28,6 +28,7 @@
)
)
[
./lua_update.nix
./matrix-appservice-discord.nix
./deskwhich.nix
./tlpui.nix
@ -38,7 +39,7 @@
./ooye.nix
./factorio.nix
./ranger.nix
./opensnitch-ui.nix
./vesktop.nix
# ./ncspot.nix
# ./grpcio-tools.nix
];

28
overlays/grpcio-tools.nix
View file

@ -1,28 +0,0 @@
{ prev, final, ... }:
{
pythonPackagesOverlays = [
(python-final: python-prev: {
grpcio-tools = python-prev.grpcio-tools.overrideAttrs (old: {
version = "1.64.1";
src = prev.fetchPypi {
pname = "grpcio_tools";
version = "1.64.1";
hash = "sha256-crNVC5GtuDVGVuzw9tHUYRKZBEuuEfsefMHRu2a4wes=";
};
});
})
];
python311 =
let
self = prev.python311.override {
inherit self;
packageOverrides = prev.lib.composeManyExtensions final.pythonPackagesOverlays;
};
in
self;
python311Packages = final.python311.pkgs;
}

4
overlays/lua_update.nix Normal file
View file

@ -0,0 +1,4 @@
{ prev, ... }:
{
lua = prev.lua5_4_compat;
}

4
overlays/ncspot.nix
View file

@ -1,4 +0,0 @@
{ prev, config, ... }:
{
ncspot = prev.callPackage ../custom/ncspot/package.nix { };
}

6
overlays/opensnitch-ui.nix
View file

@ -1,6 +0,0 @@
{ final, prev, ... }:
{
opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
});
}

80
secrets/secrets.nix
View file

@ -8,25 +8,67 @@ let
contabo_nix_2 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyQYHq0tZBye/lTVz1aEI8UdmvHRu/NADNqr1C49fpBnfOAbMV7NkswHaIGvl9IG6oJlQmC+2vJCfriHocRBvLZ4/eA3oTWPsU7/wrLJBAjjYdwWiwZLit6QMSVISFEs47PoGOmLf+bIcX2SyQ8JGImhSFjEN9qwZFsHv1b+gd2CSowcAnfGyyEnn1X56eMWGW+YXzWQsBkjZL0orTNg89so1MleefdUDgj5AdAsqpdo+oIFouB+572mBKyhvh/v1roHg0Q4g/xZo3sUlH+qWQwR/JAM1MZtIH7WzNZXpEZR0hPClgdz8MYqHwZUAGyKmJmjBwUHqjK2hR6NcO7OxaGoyXWBUEZuYUzfGssOQAnP5PVYCaRvdaY5WQ4brE+EU0oYBCm5/DfrYbKSE1swZeggun0fuA3KFPVlK8ohVqVkbLwg1XwcqqR9+uh1WzLt4upIGT2rPISBVlj/pRgkQbzQ4g9T+FR7ieWZT77C2hxiKURHu/SKKUVLgfD8Vsr7s=";
in
{
# "nextcloud_pass.age".publicKeys = [
# laptop_pub
# yubi
# laptop_pub_ed
# ];
# "nextcloud_pass.age".publicKeys = [
# laptop_pub
# yubi
# laptop_pub_ed
# ];
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"openldap_admin.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"nextcloud_server_key.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"keycloak_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"ptero_env.age".publicKeys = [ contabo_nix_pub contabo_nix_2];
"synapse_db_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"openldap_admin.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"nextcloud_server_key.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"keycloak_db_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"synapse_db_pass_prepared.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"grafana_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"nextcloud_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"nextcloud_db_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"synapse_registration_shared_secret.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_admin_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_mjolnir_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_mjolnir_tle_pass.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"matrix_discord_bridge_token.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
"ptero_env.age".publicKeys = [
contabo_nix_pub
contabo_nix_2
];
}

7
specific/grimm-nixos-server-2/configuration.nix
View file

@ -1,4 +1,5 @@
{ pkgs, lib, ... }: {
{ pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
@ -15,6 +16,8 @@
networking.hostName = "grimm-nixos-server-2";
networking.domain = "grimmauld.de";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd'' ];
users.users.root.openssh.authorizedKeys.keys = [
''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd''
];
system.stateVersion = "23.11";
}

12
specific/grimm-nixos-server-2/hardware-configuration.nix
View file

@ -2,8 +2,16 @@
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

2
specific/grimm-nixos-ssd/hardware-configuration.nix
View file

@ -46,7 +46,7 @@ in
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernelParams = [ "nosgx" ];
# boot.kernelParams = [ "nosgx" ];
security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false;