authortzlil <tzlils@protonmail.com>2023-05-21 19:20:18 +0300
committertzlil <tzlils@protonmail.com>2023-05-21 19:20:18 +0300
commitbe9cadd49f079f3e4a6cdd8bdee463436a21723b (patch)
tree8f9e8912bcd37253e4da9b573d8a9e03ef8bac22
parent2e361cef77f8696870d0b204b1ce95868133c29a (diff)
fix nixinate, add mullvad firejail
-rw-r--r--flake.lock46
-rw-r--r--flake.nix5
-rw-r--r--hosts/laptop/cfg.nix7
-rw-r--r--hosts/vps/git.nix8
-rw-r--r--mixins/cli.nix8
-rw-r--r--profiles/network.nix4
-rw-r--r--profiles/security.nix4
7 files changed, 40 insertions, 42 deletions
diff --git a/flake.lock b/flake.lock
index e3a1200..8d34479 100644
--- a/flake.lock
+++ b/flake.lock
@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684484967,
-        "narHash": "sha256-P3ftCqeJmDYS9LSr2gGC4XGGcp5vv8TOasJX6fVHWsw=",
+        "lastModified": 1684596126,
+        "narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b9a52ad20e58ebd003444915e35e3dd2c18fc715",
+        "rev": "27ef11f0218d9018ebb2948d40133df2b1de622d",
         "type": "github"
       },
       "original": {
@@ -115,7 +115,9 @@
     },
     "nixinate": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
         "lastModified": 1671116920,
@@ -149,27 +151,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1653060744,
-        "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1684385584,
-        "narHash": "sha256-O7y0gK8OLIDqz+LaHJJyeu09IGiXlZIS3+JgEzGmmJA=",
+        "lastModified": 1684570954,
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "48a0fb7aab511df92a17cf239c37f2bd2ec9ae3a",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -187,11 +173,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1684490584,
-        "narHash": "sha256-Mb1Qy+py0OHJ42ZpUVO4KUPVUKuDp+Igt0U6hafvxD0=",
+        "lastModified": 1684603398,
+        "narHash": "sha256-ViwldcC0X2QR6pw1SI1BRl9U7+XL+8qyTelysh1MePE=",
         "owner": "wamserma",
         "repo": "flake-programs-sqlite",
-        "rev": "ad44c0a27f9418d2bee9a515e861abfe662e2118",
+        "rev": "f81a2062c106fa85b0b4ecd1fa60b196f041c284",
         "type": "github"
       },
       "original": {
@@ -207,7 +193,7 @@
         "home-manager": "home-manager_2",
         "impermanence": "impermanence",
         "nixinate": "nixinate",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
         "programsdb": "programsdb",
         "viper-nix-common": "viper-nix-common"
       }
@@ -234,11 +220,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684329129,
-        "narHash": "sha256-0SSHyWU/3Qy/wAj3DCn7eKfK3Hqq/+09JEbcU6b20Vg=",
+        "lastModified": 1684655198,
+        "narHash": "sha256-Rg2+w1ZQnA3XjLXxAV5O9C8d3po8deNnqwHPI1cW340=",
         "owner": "viperML",
         "repo": "nix-common",
-        "rev": "72566be990e4af366d0d0d2f40c26adfb6ebe545",
+        "rev": "f29f6f737ff4be5eeb6b56e494dcdfc1aa132acf",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 3a4cd31..9c5352a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,10 @@
     impermanence.url = "github:nix-community/impermanence";
     agenix.url = "github:ryantm/agenix";
     hardware.url = "github:nixos/nixos-hardware";
-    nixinate.url = "github:matthewcroughan/nixinate";
+    nixinate = {
+      url = "github:matthewcroughan/nixinate";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/laptop/cfg.nix b/hosts/laptop/cfg.nix
index 2b4023a..5b30561 100644
--- a/hosts/laptop/cfg.nix
+++ b/hosts/laptop/cfg.nix
@@ -111,6 +111,13 @@
       };
     };
 
+    programs.firejail.wrappedBinaries = {
+      mullvad-browser = {
+        executable = lib.getExe pkgs.mullvad-browser;
+        # profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+      };
+    };
+
     nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
     powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
     hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
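Review bot: The `mullvad-browser` entry in `programs.firejail.wrappedBinaries` has its `profile` line commented out, so the sandbox policy is whatever firejail picks on its own at launch. If no profile matches the executable name, that is presumably the generic default profile, which confines a browser far less than a browser-specific one. Either set `profile` to one known to work with this browser, or replace the dead line with a comment such as `# no explicit profile: firefox.profile breaks <reason>; relying on firejail's automatic lookup`, so the intended confinement can be reviewed. The wrapper also appears to take effect only where `programs.firejail.enable` is set, which this commit does in profiles/security.nix, so this host depends on that profile being imported. The enclosing attribute set starts and ends outside the hunk.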
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 6882e69..d9c638d 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -43,9 +43,9 @@
             }
             handle /cgit.css {
               try_files ${pkgs.fetchurl {
-                url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css";
-                sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw=";
-              }} /
+            url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css";
+            sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw=";
+          }} /
               file_server
             }
             handle /favicon.ico {
@@ -74,7 +74,7 @@
             source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
             logo-link = "/";
             virtual-root = "/cgit";
-            readme=":README.md";
+            readme = ":README.md";
           })}
                 }
               }
diff --git a/mixins/cli.nix b/mixins/cli.nix
index 6e1f1f3..8853576 100644
--- a/mixins/cli.nix
+++ b/mixins/cli.nix
@@ -40,10 +40,10 @@
           userName = "tzlil";
           userEmail = "tzlils@protonmail.com";
           enable = true;
-	  extraConfig = {
-	  	push.autoSetupRemote = true;
-		init.defaultBranch = "master";
-	  };
+          extraConfig = {
+            push.autoSetupRemote = true;
+            init.defaultBranch = "master";
+          };
         };
         direnv = {
           enable = true;
diff --git a/profiles/network.nix b/profiles/network.nix
index c959824..461106f 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -17,7 +17,7 @@
       networkmanager.enable = true;
       useDHCP = false;
       nameservers = ["127.0.0.1" "::1"];
-      # networkmanager.dns = "none";
+      networkmanager.dns = "none";
       extraHosts = ''
         100.99.246.128 pc
         100.105.242.70 phone
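Review bot: Enabling `networkmanager.dns = "none"` next to `nameservers = ["127.0.0.1" "::1"]` makes every lookup depend on the local resolver, and nothing in the hunk records that this is deliberate. A comment on that line would help, for example `# NetworkManager must not write resolv.conf; DHCP-supplied DNS servers are ignored on purpose`. It is also worth confirming that the resolver is started before anything that needs DNS at boot, since no fallback server remains. In the second hunk of this file, `# server_names = [ ... ];` leaves resolver selection to the filters configured outside the hunk, so the `require_*` settings there now decide which upstream servers see the queries. The surrounding `networking` block starts and ends outside the hunk.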
@@ -49,7 +49,7 @@
         };
 
         # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        server_names = []; # tailscale magicdns
+        # server_names = [ ... ];
       };
     };
 
diff --git a/profiles/security.nix b/profiles/security.nix
index 9ae5cef..63c5fe4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -7,16 +7,18 @@
 }: {
   imports = [];
   config = {
+    programs.firejail.enable = true;
     security.auditd.enable = true;
     security.audit.enable = true;
     security.audit.rules = [
       "-a exit,always -F arch=b64 -S execve"
     ];
 
+    # https://source.android.com/docs/security/test/scudo
     environment.memoryAllocator.provider = "scudo";
     environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
 
-    # security.lockKernelModules = true;
+    security.lockKernelModules = true;
     security.protectKernelImage = true;
     security.allowSimultaneousMultithreading = false;
     security.forcePageTableIsolation = true;
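Review bot: `security.lockKernelModules = true` is switched on in a shared profile with no note about its operational cost. Once module loading is locked after boot, any module not already loaded (for a hot-plugged device, a filesystem, or a VPN interface) will fail to load, and that failure can be hard to trace back to this line. A comment such as `# modules needed after boot must be listed in boot.kernelModules` would help, along with a check that each host importing this profile lists what it needs. Separately, `programs.firejail.enable = true` installs a setuid-root helper on every host that imports the profile. If only the laptop uses firejail wrappers, enabling it there would keep that binary off the other machines.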