authortzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
committertzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
commitfeefcfc89b00d4955dbb3314c20be035f3db206f (patch)
tree5099a13763dcfd274cae83af4dbac0bf4bef6cce
parent11526bdd2bb3b4b445665aa671e4bc72021b8183 (diff)
disko for laptop, wip rewrite
-rw-r--r--flake.lock21
-rw-r--r--flake.nix33
-rw-r--r--hosts/default.nix47
-rw-r--r--hosts/navi/default.nix (renamed from hosts/laptop/cfg.nix)97
-rw-r--r--hosts/navi/hardware-configuration.nix71
-rw-r--r--hosts/pc/default.nix (renamed from hosts/pc/cfg.nix)0
-rw-r--r--hosts/vm/default.nix (renamed from hosts/vm/cfg.nix)0
-rw-r--r--hosts/vps/default.nix (renamed from hosts/vps/cfg.nix)0
-rw-r--r--hosts/vps/git.nix3
-rw-r--r--mixins/syncthing.nix16
-rw-r--r--profiles/core.nix65
-rw-r--r--profiles/default.nix8
-rw-r--r--profiles/impermanence.nix29
-rw-r--r--profiles/nix.nix44
-rw-r--r--profiles/security.nix135
-rw-r--r--profiles/ssh.nix1
-rw-r--r--profiles/tzlil.nix (renamed from profiles/user.nix)14
-rw-r--r--secrets/id_ed25519.agebin1066 -> 1092 bytes
-rw-r--r--secrets/matrix.agebin565 -> 605 bytes
19 files changed, 377 insertions, 207 deletions
diff --git a/flake.lock b/flake.lock
index 98b5ce3..75ee543 100644
--- a/flake.lock
+++ b/flake.lock
@@ -42,6 +42,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1690548222,
+        "narHash": "sha256-EcVjLOpbAuL/y55fLlEl3BNM4FP5Pwtp+6DbTiL6FDM=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "43f17a8b31c49f6696b8b258d317161afdc7e36b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "hardware": {
       "locked": {
         "lastModified": 1689320556,
@@ -189,6 +209,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "disko": "disko",
         "hardware": "hardware",
         "home-manager": "home-manager_2",
         "impermanence": "impermanence",
diff --git a/flake.nix b/flake.nix
index 9c5352a..c5f559c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,39 +18,24 @@
       url = "github:wamserma/flake-programs-sqlite";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    # hyprland = {
-    # url = "github:hyprwm/Hyprland";
-    # inputs.nixpkgs.follows = "nixpkgs";
-    # };
     viper-nix-common = {
       url = "github:viperML/nix-common";
       inputs.nixpkgs-lib.follows = "nixpkgs";
     };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = inputs @ {self, ...}: let
-    mkSystem_ = pkgs: system: h: modules:
-      pkgs.lib.nixosSystem {
-        system = system;
-        modules = [./hosts/${h}/cfg.nix] ++ modules;
-        specialArgs = {inherit inputs;};
-      };
-    mkSystem = pkgs: system: h: (mkSystem_ pkgs system h [
-      inputs.agenix.nixosModules.age
-      inputs.impermanence.nixosModules.impermanence
-      inputs.home-manager.nixosModules."home-manager"
-    ]);
-  in {
+  outputs = inputs @ {self, ...}: {
     apps = inputs.nixinate.nixinate.x86_64-linux self;
-    nixosConfigurations = {
-      laptop = mkSystem inputs.nixpkgs "x86_64-linux" "laptop";
-      # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc";
-      vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm";
-      vps = mkSystem inputs.nixpkgs "x86_64-linux" "vps";
-    };
-
     formatter = {
       x86_64-linux = inputs.nixpkgs.legacyPackages.x86_64-linux.alejandra;
     };
+    imports = [
+      ./profiles
+    ];
+    nixosConfigurations = import ./hosts inputs;
   };
 }
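Review bot: `imports = [ ./profiles ];` on the new side is a plain attribute of the flake's `outputs` set, not a module import — this flake does not use flake-parts, so `profiles/default.nix` is never evaluated and `nix flake check` will report `imports` as an unknown output. Either drop the line (the profiles are already reached from `hosts/default.nix`) or wrap `outputs` in flake-parts' `mkFlake`, which is what `flake.nixosModules` in `profiles/default.nix` seems to expect. Note also that `nixosConfigurations = import ./hosts inputs` replaces the old `laptop`/`vm`/`vps` set with whatever `hosts/default.nix` defines, which in this commit is only `navi`; if that is intended for the WIP, a `# TODO: re-add vm and vps` next to it keeps the regression visible.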
diff --git a/hosts/default.nix b/hosts/default.nix
new file mode 100644
index 0000000..0b9bd1c
--- /dev/null
+++ b/hosts/default.nix
@@ -0,0 +1,47 @@
+inputs: let
+  commonProfiles = [
+    {
+      imports = [
+        ../profiles/nix.nix
+        ../profiles/tzlil.nix
+        ../profiles/security.nix
+        ../profiles/ssh.nix
+      ];
+    }
+    inputs.agenix.nixosModules.age
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
+  commonHome = [
+    inputs.home-manager.nixosModule
+    {
+      home-manager = {
+        useGlobalPkgs = true;
+        extraSpecialArgs = {inherit inputs;};
+      };
+    }
+  ];
+
+  nixinate = host: {
+    _module.args.nixinate = {
+      inherit host;
+      sshUser = "tzlil";
+      buildOn = "remote"; # valid args are "local" or "remote"
+      substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
+      hermetic = false;
+    };
+  };
+in {
+  navi = inputs.nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    specialArgs = {inherit inputs;};
+    modules =
+      [
+        "${inputs.self}/hosts/navi"
+        {networking.hostName = "navi";}
+        (nixinate "navi")
+      ]
+      ++ commonProfiles
+      ++ commonHome;
+  };
+}
diff --git a/hosts/laptop/cfg.nix b/hosts/navi/default.nix
index ab372c2..a8702a8 100644
--- a/hosts/laptop/cfg.nix
+++ b/hosts/navi/default.nix
@@ -6,11 +6,8 @@
   ...
 }: {
   imports = [
-    inputs.hardware.nixosModules.common-cpu-intel
-    inputs.hardware.nixosModules.common-gpu-intel
-    ../../profiles/core.nix
-    ../../profiles/user.nix
-    ../../profiles/ssh.nix
+    ./hardware-configuration.nix
+    # ../../profiles/core.nix
     ../../profiles/graphical.nix
     ../../mixins/tailscale.nix
     ../../mixins/cli.nix
@@ -24,16 +21,9 @@
   ];
 
   config = {
-    _module.args.nixinate = {
-      host = "100.121.226.3";
-      sshUser = "tzlil";
-      buildOn = "remote"; # valid args are "local" or "remote"
-      substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
-      hermetic = false;
-    };
-    networking.hostName = "navi";
-
+    system.stateVersion = "23.11";
     boot = {
+      tmp.cleanOnBoot = true;
       initrd = {
         supportedFilesystems = ["btrfs"];
         availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio"];
@@ -53,26 +43,24 @@
       };
     };
 
-    hardware.firmware = [pkgs.rtw88-firmware];
-
     time.timeZone = lib.mkDefault "Israel";
 
-    fileSystems."/" = {
-      device = "none";
-      fsType = "tmpfs";
-      # hyprland doesnt compile with noexec root
-      options = ["defaults" "size=8G" "mode=755"];
-    };
+    # fileSystems."/" = {
+    #   device = "none";
+    #   fsType = "tmpfs";
+    #   # hyprland doesnt compile with noexec root
+    #   options = ["defaults" "size=8G" "mode=755"];
+    # };
 
-    fileSystems."/boot" = {
-      device = "/dev/disk/by-uuid/34CB-F158";
-      fsType = "vfat";
-    };
+    # fileSystems."/boot" = {
+    #   device = "/dev/disk/by-uuid/34CB-F158";
+    #   fsType = "vfat";
+    # };
 
-    fileSystems."/nix" = {
-      device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061";
-      fsType = "btrfs";
-    };
+    # fileSystems."/nix" = {
+    #   device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061";
+    #   fsType = "btrfs";
+    # };
 
     zramSwap = {
       enable = true;
@@ -94,12 +82,12 @@
     # networking.wireless.enable = true;
     # services.connman.enable = true;
 
-    services.tor = {
-      enable = true;
-      openFirewall = true;
-      client.enable = true;
-      torsocks.enable = true;
-    };
+    # services.tor = {
+    #   enable = true;
+    #   openFirewall = true;
+    #   client.enable = true;
+    #   torsocks.enable = true;
+    # };
     environment.persistence."/nix/persist".directories = [
       "/etc/NetworkManager/system-connections"
       {
@@ -131,23 +119,16 @@
 
     programs.steam.enable = true;
 
-    programs.firejail.wrappedBinaries = {
-      mullvad-browser = {
-        executable = lib.getExe pkgs.mullvad-browser;
-        extraArgs = [
-          "--env=MOZ_ENABLE_WAYLAND=1"
-          "--env=GTK_THEME=Adwaita:dark"
-        ];
-        # profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
-      };
-    };
-
-    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-    powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
-    nixpkgs.config.allowUnfree = true;
-    hardware.enableAllFirmware = true;
+    # programs.firejail.wrappedBinaries = {
+    #   mullvad-browser = {
+    #     executable = lib.getExe pkgs.mullvad-browser;
+    #     extraArgs = [
+    #       "--env=MOZ_ENABLE_WAYLAND=1"
+    #       "--env=GTK_THEME=Adwaita:dark"
+    #     ];
+    #     # profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+    #   };
+    # };
 
     # greeter.initialSession = "${pkgs.fish}/bin/fish";
 
@@ -174,19 +155,9 @@
       acpid.enable = true;
     };
 
-    hardware.bluetooth.enable = true;
     services.blueman.enable = true;
 
-    # dont know if i like this
-    nix.settings.trusted-public-keys = [
-      "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
-    ];
-    nix.settings.substituters = [
-      "https://cache.iog.io"
-    ];
-
     virtualisation.docker.enable = true;
     virtualisation.docker.storageDriver = "btrfs";
-    users.users.tzlil.extraGroups = ["docker"];
   };
 }
diff --git a/hosts/navi/hardware-configuration.nix b/hosts/navi/hardware-configuration.nix
new file mode 100644
index 0000000..7b24c68
--- /dev/null
+++ b/hosts/navi/hardware-configuration.nix
@@ -0,0 +1,71 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  device = "/dev/nvme0n1";
+in {
+  imports = [
+    inputs.disko.nixosModules.disko
+    inputs.hardware.nixosModules.common-cpu-intel
+    inputs.hardware.nixosModules.common-gpu-intel
+  ];
+
+  hardware.firmware = [pkgs.rtw88-firmware];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.enableAllFirmware = true;
+
+  hardware.bluetooth.enable = true;
+
+  disko.devices = {
+    disk.${baseNameOf device} = {
+      inherit device;
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            type = "EF00";
+            size = "512M";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            size = "100%";
+            content = {
+              type = "luks";
+              name = "cryptroot";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "/nix" = {
+                    mountOptions = ["compress=zstd" "noatime"];
+                    mountpoint = "/nix";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=8G"
+        "defaults"
+        "mode=755"
+      ];
+    };
+  };
+}
diff --git a/hosts/pc/cfg.nix b/hosts/pc/default.nix
index ee3b716..ee3b716 100644
--- a/hosts/pc/cfg.nix
+++ b/hosts/pc/default.nix
diff --git a/hosts/vm/cfg.nix b/hosts/vm/default.nix
index 99ed8b9..99ed8b9 100644
--- a/hosts/vm/cfg.nix
+++ b/hosts/vm/default.nix
diff --git a/hosts/vps/cfg.nix b/hosts/vps/default.nix
index 3597c5c..3597c5c 100644
--- a/hosts/vps/cfg.nix
+++ b/hosts/vps/default.nix
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index d9c638d..8bd4653 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -13,8 +13,7 @@
       packages = [pkgs.git];
       shell = "${pkgs.git}/bin/git-shell";
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhN4Iq070J9rFJhOwP9RUyUJG9MC1W5KnDGqBqWZnlu"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"
       ];
     };
 
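Review bot: The replacement key is an unrestricted `ssh-ed25519` entry for a user whose shell is `git-shell`; unless `ssh.nix` (not in this diff) already disables forwarding globally, that key can still request TCP/agent/X11 forwarding and a PTY from sshd even though git-shell refuses interactive use. For a push/pull-only account the key line should carry the `restrict` option, i.e. `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"`, which NixOS writes verbatim into `authorized_keys`. The same public key is also the login key for `tzlil` in `profiles/tzlil.nix`, so a compromise of that one key is a compromise of both the interactive user and the git service account — worth a comment if that sharing is deliberate.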
diff --git a/mixins/syncthing.nix b/mixins/syncthing.nix
index 3e219ae..7faf5db 100644
--- a/mixins/syncthing.nix
+++ b/mixins/syncthing.nix
@@ -11,13 +11,15 @@
       configDir = "/home/tzlil/.config/syncthing";
       overrideDevices = true;
       overrideFolders = true;
-      devices = {
-        "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";};
-      };
-      folders = {
-        "passwords" = {
-          path = "/home/tzlil/sync/passwords";
-          devices = ["phone"];
+      settings = {
+        devices = {
+          "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";};
+        };
+        folders = {
+          "passwords" = {
+            path = "/home/tzlil/sync/passwords";
+            devices = ["phone"];
+          };
         };
       };
     };
diff --git a/profiles/core.nix b/profiles/core.nix
index 3eca577..4fefbdd 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -5,44 +5,39 @@
   inputs,
   ...
 }: {
-  imports = [
-    ../profiles/security.nix
-    ../profiles/network.nix
-  ];
+  # imports = [
+  #   ../profiles/security.nix
+  #   ../profiles/network.nix
+  # ];
   config = {
-    system.stateVersion = "22.5";
-    nix = {
-      registry.nixpkgs.flake = inputs.nixpkgs;
-      gc.automatic = true;
-      optimise.automatic = true;
-      settings = {
-        allowed-users = ["root"];
-        trusted-users = ["root"];
-        sandbox = true;
-      };
-      extraOptions = ''
-        experimental-features = nix-command flakes
-      '';
-    };
-    users.mutableUsers = false;
-    environment.defaultPackages = lib.mkForce [];
+    # system.stateVersion = "22.5";
+    # nix = {
+    #   registry.nixpkgs.flake = inputs.nixpkgs;
+    #   gc.automatic = true;
+    #   optimise.automatic = true;
+    #   settings = {
+    #     allowed-users = ["root"];
+    #     trusted-users = ["root"];
+    #     sandbox = true;
+    #   };
+    #   extraOptions = ''
+    #     experimental-features = nix-command flakes
+    #   '';
+    # };
+    # users.mutableUsers = false;
+    # environment.defaultPackages = lib.mkForce [];
 
-    age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];
-    # causing issues, fix this
     programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite;
 
-    # save uid/guid
-    environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
-
-    boot = {
-      tmp.cleanOnBoot = true;
-      kernelParams = [
-        "init_on_free=1"
-        "page_poison=1"
-        "page_alloc.shuffle=1"
-        "slab_nomerge"
-        "vsyscall=none"
-      ];
-    };
+    # boot = {
+    #   tmp.cleanOnBoot = true;
+    #   kernelParams = [
+    #     "init_on_free=1"
+    #     "page_poison=1"
+    #     "page_alloc.shuffle=1"
+    #     "slab_nomerge"
+    #     "vsyscall=none"
+    #   ];
+    # };
   };
 }
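Review bot: After this hunk `profiles/core.nix` is no longer imported anywhere visible — `hosts/navi/default.nix` has its import commented out (`# ../../profiles/core.nix`) and `hosts/default.nix`'s `commonProfiles` lists only `nix.nix`, `tzlil.nix`, `security.nix` and `ssh.nix` — so the one live setting it still carries, `programs.command-not-found.dbPath`, is not applied to `navi`. The commented-out `users.mutableUsers = false` is also not re-established by any other profile in this commit, which leaves the host at the NixOS default of mutable accounts where the declared `hashedPassword` is only an initial value. Either move `command-not-found.dbPath` into `profiles/nix.nix` and `users.mutableUsers = false` into `profiles/security.nix` and delete this file, or add a header `# TODO: dead file, superseded by profiles/{nix,security}.nix` so the commented blocks are not mistaken for active config.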
diff --git a/profiles/default.nix b/profiles/default.nix
new file mode 100644
index 0000000..77921b6
--- /dev/null
+++ b/profiles/default.nix
@@ -0,0 +1,8 @@
+{inputs, ...}: {
+  flake.nixosModules = {
+    nix = import ./nix.nix {inherit inputs;};
+    security = ./security.nix;
+    tzlil = ./tzlil.nix;
+    ssh = ./ssh.nix;
+  };
+}
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
new file mode 100644
index 0000000..5ee9c97
--- /dev/null
+++ b/profiles/impermanence.nix
@@ -0,0 +1,29 @@
+{inputs, ...}: {
+  config,
+  lib,
+  options,
+  ...
+}: let
+  sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
+in {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  config = lib.mkMerge [
+    {
+      environment.persistence."/nix/persistent" = {
+        hideMounts = true;
+        directories = [
+          "/var/log"
+          "/var/lib/systemd/coredump"
+          "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot)
+        ];
+        files =
+          [
+            "/etc/machine-id"
+          ]
+          ++ sshHostKeys;
+      };
+    }
+    (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;})
+  ];
+}
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..769a06a
--- /dev/null
+++ b/profiles/nix.nix
@@ -0,0 +1,44 @@
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  nix = {
+    package = pkgs.nixUnstable;
+    registry.nixpkgs.flake = inputs.nixpkgs;
+    nixPath = [
+      "nixpkgs=flake:nixpkgs"
+    ];
+    gc.automatic = true;
+    optimise.automatic = true;
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "cgroups"
+        "auto-allocate-uids"
+        "repl-flake"
+        "no-url-literals"
+      ];
+      use-cgroups = true;
+      auto-allocate-uids = true;
+      builders-use-substitutes = true;
+      auto-optimise-store = true;
+      warn-dirty = false;
+      trusted-users = [
+        "@wheel"
+      ];
+      substituters = [
+        "https://nix-community.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  # save uid/guid
+  environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
+}
diff --git a/profiles/security.nix b/profiles/security.nix
index 63c5fe4..40d5bf4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -1,75 +1,72 @@
 {
-  pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
-  imports = [];
-  config = {
-    programs.firejail.enable = true;
-    security.auditd.enable = true;
-    security.audit.enable = true;
-    security.audit.rules = [
-      "-a exit,always -F arch=b64 -S execve"
-    ];
-
-    # https://source.android.com/docs/security/test/scudo
-    environment.memoryAllocator.provider = "scudo";
-    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
-    security.lockKernelModules = true;
-    security.protectKernelImage = true;
-    security.allowSimultaneousMultithreading = false;
-    security.forcePageTableIsolation = true;
-
-    security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
-
-    security.virtualisation.flushL1DataCache = "always";
-
-    security.apparmor.enable = true;
-    security.apparmor.killUnconfinedConfinables = true;
-
-    # Restrict ptrace() usage to processes with a pre-defined relationship
-    # (e.g., parent/child)
-    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-
-    # Hide kptrs even for processes with CAP_SYSLOG
-    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
-
-    # Disable bpf() JIT (to eliminate spray attacks)
-    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
-
-    # Disable ftrace debugging
-    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
-
-    # Enable strict reverse path filtering (that is, do not attempt to route
-    # packets that "obviously" do not belong to the iface's network; dropped
-    # packets are logged as martians).
-    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
-    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
-
-    # Ignore broadcast ICMP (mitigate SMURF)
-    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
-    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-    # setting is applied to interfaces added after the sysctls are set)
-    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
-
-    # Ignore outgoing ICMP redirects (this is ipv4 only)
-    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
-
-    security.chromiumSuidSandbox.enable = true;
-
-    security.sudo.execWheelOnly = true;
-    security.sudo.extraConfig = "Defaults        lecture = never";
-  };
+  programs.firejail.enable = true;
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve"
+  ];
+
+  # https://source.android.com/docs/security/test/scudo
+  environment.memoryAllocator.provider = "scudo";
+  environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+  security.lockKernelModules = true;
+  security.protectKernelImage = true;
+  security.allowSimultaneousMultithreading = false;
+  security.forcePageTableIsolation = true;
+
+  security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+  security.virtualisation.flushL1DataCache = "always";
+
+  security.apparmor.enable = true;
+  security.apparmor.killUnconfinedConfinables = true;
+
+  # Restrict ptrace() usage to processes with a pre-defined relationship
+  # (e.g., parent/child)
+  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+  # Hide kptrs even for processes with CAP_SYSLOG
+  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+  # Disable bpf() JIT (to eliminate spray attacks)
+  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+  # Disable ftrace debugging
+  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+  # Ignore broadcast ICMP (mitigate SMURF)
+  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+  # setting is applied to interfaces added after the sysctls are set)
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+  # Ignore outgoing ICMP redirects (this is ipv4 only)
+  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+  security.chromiumSuidSandbox.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = "Defaults        lecture = never";
+
+  environment.defaultPackages = lib.mkForce [];
 }
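Review bot: The audit rule `-a exit,always -F arch=b64 -S execve` only records 64-bit `execve` calls; a 32-bit binary, or a 64-bit process using the 32-bit syscall entry, goes unlogged, so a matching `arch=b32` rule is needed for the exec log to be complete, and `execveat` should be listed alongside `execve` since it is a separate syscall that also starts programs. This profile is now the only hardening module every host imports (`hosts/default.nix`), but the kernel command-line hardening that `profiles/core.nix` comments out in this same commit (`init_on_free=1 page_poison=1 page_alloc.shuffle=1 slab_nomerge vsyscall=none`) is not carried over, so those mitigations silently drop off `navi`. The lines below add the missing audit rules and move the kernel parameters here; the allocator, `security.*` and sysctl settings are unchanged. `security.allowSimultaneousMultithreading = false` disables SMT on a laptop, which is a real performance cost — a one-line comment on why it is worth it here would help.
```nix
  security.audit.rules = [
    # log every program start: b64 and b32 are separate audit arches,
    # and execveat is a separate syscall from execve
    "-a exit,always -F arch=b64 -S execve -S execveat"
    "-a exit,always -F arch=b32 -S execve -S execveat"
  ];

  # kernel command-line hardening (moved here from profiles/core.nix so
  # every host that imports this profile gets it)
  boot.kernelParams = [
    "init_on_free=1"
    "page_poison=1"
    "page_alloc.shuffle=1"
    "slab_nomerge"
    "vsyscall=none"
  ];

  # … unchanged: scudo allocator, security.*, sysctl and sudo settings …
```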
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index 294f015..a753e86 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -2,7 +2,6 @@
   pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
   config = {
diff --git a/profiles/user.nix b/profiles/tzlil.nix
index 7355e85..0e242e1 100644
--- a/profiles/user.nix
+++ b/profiles/tzlil.nix
@@ -16,20 +16,22 @@
     programs.fish.enable = true; # needed now
     users.users.tzlil = {
       isNormalUser = true;
-      description = "Me";
-      extraGroups = ["wheel"];
+      extraGroups =
+        ["wheel"]
+        ++ lib.optional config.virtualisation.docker.enable "docker"
+        ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd"
+        ++ lib.optional config.networking.networkmanager.enable "networkmanager"
+        ++ lib.optional config.programs.light.enable "video"
+        ++ lib.optional config.programs.adb.enable "adbusers";
       packages = [pkgs.git];
       shell = pkgs.fish;
       hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1";
       # passwordFile = config.age.secrets.password.path;
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"
       ];
     };
 
-    nix.settings.allowed-users = ["root" "tzlil"];
-    nix.settings.trusted-users = ["root" "tzlil"];
-
     home-manager = {
       useGlobalPkgs = true;
       useUserPackages = true;
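Review bot: The new `extraGroups` expression silently grants `docker` and `libvirtd` membership whenever those services are enabled, and both groups are commonly treated as root-equivalent (a docker group member can bind-mount the host root into a container; a libvirtd member drives the system libvirt daemon); that is a reasonable choice for a single-admin laptop, but it should be stated next to the `lib.optional` lines, e.g. `# docker/libvirtd membership is root-equivalent; acceptable for the sole wheel user`. Visible as context rather than changed here: `hashedPassword` is a crypt SHA-512 hash checked into the repository, and the `passwordFile = config.age.secrets.password.path` alternative stays commented out — with the agenix wiring being reworked in this commit it would be a good moment to finish that switch.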
diff --git a/secrets/id_ed25519.age b/secrets/id_ed25519.age
index 4136ecc..00c540e 100644
--- a/secrets/id_ed25519.age
+++ b/secrets/id_ed25519.age
Binary files differ
diff --git a/secrets/matrix.age b/secrets/matrix.age
index 3ccb99d..0cf30e0 100644
--- a/secrets/matrix.age
+++ b/secrets/matrix.age
Binary files differ