diff options
| author | tzlil <tzlils@protonmail.com> | 2023-07-29 20:53:14 +0300 |
|---|---|---|
| committer | tzlil <tzlils@protonmail.com> | 2023-07-29 20:53:14 +0300 |
| commit | feefcfc89b00d4955dbb3314c20be035f3db206f (patch) | |
| tree | 5099a13763dcfd274cae83af4dbac0bf4bef6cce | |
| parent | 11526bdd2bb3b4b445665aa671e4bc72021b8183 (diff) | |
disko for laptop, wip rewrite
| -rw-r--r-- | flake.lock | 21 | ||||
| -rw-r--r-- | flake.nix | 33 | ||||
| -rw-r--r-- | hosts/default.nix | 47 | ||||
| -rw-r--r-- | hosts/navi/default.nix (renamed from hosts/laptop/cfg.nix) | 97 | ||||
| -rw-r--r-- | hosts/navi/hardware-configuration.nix | 71 | ||||
| -rw-r--r-- | hosts/pc/default.nix (renamed from hosts/pc/cfg.nix) | 0 | ||||
| -rw-r--r-- | hosts/vm/default.nix (renamed from hosts/vm/cfg.nix) | 0 | ||||
| -rw-r--r-- | hosts/vps/default.nix (renamed from hosts/vps/cfg.nix) | 0 | ||||
| -rw-r--r-- | hosts/vps/git.nix | 3 | ||||
| -rw-r--r-- | mixins/syncthing.nix | 16 | ||||
| -rw-r--r-- | profiles/core.nix | 65 | ||||
| -rw-r--r-- | profiles/default.nix | 8 | ||||
| -rw-r--r-- | profiles/impermanence.nix | 29 | ||||
| -rw-r--r-- | profiles/nix.nix | 44 | ||||
| -rw-r--r-- | profiles/security.nix | 135 | ||||
| -rw-r--r-- | profiles/ssh.nix | 1 | ||||
| -rw-r--r-- | profiles/tzlil.nix (renamed from profiles/user.nix) | 14 | ||||
| -rw-r--r-- | secrets/id_ed25519.age | bin | 1066 -> 1092 bytes | |||
| -rw-r--r-- | secrets/matrix.age | bin | 565 -> 605 bytes |
19 files changed, 377 insertions, 207 deletions
diff --git a/flake.lock b/flake.lock index 98b5ce3..75ee543 100644 --- a/flake.lock +++ b/flake.lock @@ -42,6 +42,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690548222, + "narHash": "sha256-EcVjLOpbAuL/y55fLlEl3BNM4FP5Pwtp+6DbTiL6FDM=", + "owner": "nix-community", + "repo": "disko", + "rev": "43f17a8b31c49f6696b8b258d317161afdc7e36b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "hardware": { "locked": { "lastModified": 1689320556, @@ -189,6 +209,7 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "hardware": "hardware", "home-manager": "home-manager_2", "impermanence": "impermanence", diff --git a/flake.nix b/flake.nix index 9c5352a..c5f559c 100644 --- a/flake.nix +++ b/flake.nix @@ -18,39 +18,24 @@ url = "github:wamserma/flake-programs-sqlite"; inputs.nixpkgs.follows = "nixpkgs"; }; - # hyprland = { - # url = "github:hyprwm/Hyprland"; - # inputs.nixpkgs.follows = "nixpkgs"; - # }; viper-nix-common = { url = "github:viperML/nix-common"; inputs.nixpkgs-lib.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = inputs @ {self, ...}: let - mkSystem_ = pkgs: system: h: modules: - pkgs.lib.nixosSystem { - system = system; - modules = [./hosts/${h}/cfg.nix] ++ modules; - specialArgs = {inherit inputs;}; - }; - mkSystem = pkgs: system: h: (mkSystem_ pkgs system h [ - inputs.agenix.nixosModules.age - inputs.impermanence.nixosModules.impermanence - inputs.home-manager.nixosModules."home-manager" - ]); - in { + outputs = inputs @ {self, ...}: { apps = inputs.nixinate.nixinate.x86_64-linux self; - nixosConfigurations = { - laptop = mkSystem inputs.nixpkgs "x86_64-linux" "laptop"; - # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc"; - vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm"; - vps = mkSystem inputs.nixpkgs "x86_64-linux" "vps"; - }; - formatter = { x86_64-linux = inputs.nixpkgs.legacyPackages.x86_64-linux.alejandra; }; + imports = [ + ./profiles + ]; + nixosConfigurations = import ./hosts inputs; }; } diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..0b9bd1c --- /dev/null +++ b/hosts/default.nix @@ -0,0 +1,47 @@ +inputs: let + commonProfiles = [ + { + imports = [ + ../profiles/nix.nix + ../profiles/tzlil.nix + ../profiles/security.nix + ../profiles/ssh.nix + ]; + } + inputs.agenix.nixosModules.age + inputs.impermanence.nixosModules.impermanence + ]; + + commonHome = [ + inputs.home-manager.nixosModule + { + home-manager = { + useGlobalPkgs = true; + extraSpecialArgs = {inherit inputs;}; + }; + } + ]; + + nixinate = host: { + _module.args.nixinate = { + inherit host; + sshUser = "tzlil"; + buildOn = "remote"; # valid args are "local" or "remote" + substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" + hermetic = false; + }; + }; +in { + navi = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = + [ + "${inputs.self}/hosts/navi" + {networking.hostName = "navi";} + (nixinate "navi") + ] + ++ commonProfiles + ++ commonHome; + }; +} diff --git a/hosts/laptop/cfg.nix b/hosts/navi/default.nix index ab372c2..a8702a8 100644 --- a/hosts/laptop/cfg.nix +++ b/hosts/navi/default.nix @@ -6,11 +6,8 @@ ... }: { imports = [ - inputs.hardware.nixosModules.common-cpu-intel - inputs.hardware.nixosModules.common-gpu-intel - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix + ./hardware-configuration.nix + # ../../profiles/core.nix ../../profiles/graphical.nix ../../mixins/tailscale.nix ../../mixins/cli.nix @@ -24,16 +21,9 @@ ]; config = { - _module.args.nixinate = { - host = "100.121.226.3"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - networking.hostName = "navi"; - + system.stateVersion = "23.11"; boot = { + tmp.cleanOnBoot = true; initrd = { supportedFilesystems = ["btrfs"]; availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio"]; @@ -53,26 +43,24 @@ }; }; - hardware.firmware = [pkgs.rtw88-firmware]; - time.timeZone = lib.mkDefault "Israel"; - fileSystems."/" = { - device = "none"; - fsType = "tmpfs"; - # hyprland doesnt compile with noexec root - options = ["defaults" "size=8G" "mode=755"]; - }; + # fileSystems."/" = { + # device = "none"; + # fsType = "tmpfs"; + # # hyprland doesnt compile with noexec root + # options = ["defaults" "size=8G" "mode=755"]; + # }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/34CB-F158"; - fsType = "vfat"; - }; + # fileSystems."/boot" = { + # device = "/dev/disk/by-uuid/34CB-F158"; + # fsType = "vfat"; + # }; - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061"; - fsType = "btrfs"; - }; + # fileSystems."/nix" = { + # device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061"; + # fsType = "btrfs"; + # }; zramSwap = { enable = true; @@ -94,12 +82,12 @@ # networking.wireless.enable = true; # services.connman.enable = true; - services.tor = { - enable = true; - openFirewall = true; - client.enable = true; - torsocks.enable = true; - }; + # services.tor = { + # enable = true; + # openFirewall = true; + # client.enable = true; + # torsocks.enable = true; + # }; environment.persistence."/nix/persist".directories = [ "/etc/NetworkManager/system-connections" { @@ -131,23 +119,16 @@ programs.steam.enable = true; - programs.firejail.wrappedBinaries = { - mullvad-browser = { - executable = lib.getExe pkgs.mullvad-browser; - extraArgs = [ - "--env=MOZ_ENABLE_WAYLAND=1" - "--env=GTK_THEME=Adwaita:dark" - ]; - # profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; - }; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - nixpkgs.config.allowUnfree = true; - hardware.enableAllFirmware = true; + # programs.firejail.wrappedBinaries = { + # mullvad-browser = { + # executable = lib.getExe pkgs.mullvad-browser; + # extraArgs = [ + # "--env=MOZ_ENABLE_WAYLAND=1" + # "--env=GTK_THEME=Adwaita:dark" + # ]; + # # profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; + # }; + # }; # greeter.initialSession = "${pkgs.fish}/bin/fish"; @@ -174,19 +155,9 @@ acpid.enable = true; }; - hardware.bluetooth.enable = true; services.blueman.enable = true; - # dont know if i like this - nix.settings.trusted-public-keys = [ - "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" - ]; - nix.settings.substituters = [ - "https://cache.iog.io" - ]; - virtualisation.docker.enable = true; virtualisation.docker.storageDriver = "btrfs"; - users.users.tzlil.extraGroups = ["docker"]; }; } diff --git a/hosts/navi/hardware-configuration.nix b/hosts/navi/hardware-configuration.nix new file mode 100644 index 0000000..7b24c68 --- /dev/null +++ b/hosts/navi/hardware-configuration.nix @@ -0,0 +1,71 @@ +{ + inputs, + pkgs, + lib, + config, + ... +}: let + device = "/dev/nvme0n1"; +in { + imports = [ + inputs.disko.nixosModules.disko + inputs.hardware.nixosModules.common-cpu-intel + inputs.hardware.nixosModules.common-gpu-intel + ]; + + hardware.firmware = [pkgs.rtw88-firmware]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.enableAllFirmware = true; + + hardware.bluetooth.enable = true; + + disko.devices = { + disk.${baseNameOf device} = { + inherit device; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + type = "EF00"; + size = "512M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/nix" = { + mountOptions = ["compress=zstd" "noatime"]; + mountpoint = "/nix"; + }; + }; + }; + }; + }; + }; + }; + }; + nodev."/" = { + fsType = "tmpfs"; + mountOptions = [ + "size=8G" + "defaults" + "mode=755" + ]; + }; + }; +} diff --git a/hosts/pc/cfg.nix b/hosts/pc/default.nix index ee3b716..ee3b716 100644 --- a/hosts/pc/cfg.nix +++ b/hosts/pc/default.nix diff --git a/hosts/vm/cfg.nix b/hosts/vm/default.nix index 99ed8b9..99ed8b9 100644 --- a/hosts/vm/cfg.nix +++ b/hosts/vm/default.nix diff --git a/hosts/vps/cfg.nix b/hosts/vps/default.nix index 3597c5c..3597c5c 100644 --- a/hosts/vps/cfg.nix +++ b/hosts/vps/default.nix diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix index d9c638d..8bd4653 100644 --- a/hosts/vps/git.nix +++ b/hosts/vps/git.nix @@ -13,8 +13,7 @@ packages = [pkgs.git]; shell = "${pkgs.git}/bin/git-shell"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhN4Iq070J9rFJhOwP9RUyUJG9MC1W5KnDGqBqWZnlu" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" ]; }; diff --git a/mixins/syncthing.nix b/mixins/syncthing.nix index 3e219ae..7faf5db 100644 --- a/mixins/syncthing.nix +++ b/mixins/syncthing.nix @@ -11,13 +11,15 @@ configDir = "/home/tzlil/.config/syncthing"; overrideDevices = true; overrideFolders = true; - devices = { - "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";}; - }; - folders = { - "passwords" = { - path = "/home/tzlil/sync/passwords"; - devices = ["phone"]; + settings = { + devices = { + "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";}; + }; + folders = { + "passwords" = { + path = "/home/tzlil/sync/passwords"; + devices = ["phone"]; + }; }; }; }; diff --git a/profiles/core.nix b/profiles/core.nix index 3eca577..4fefbdd 100644 --- a/profiles/core.nix +++ b/profiles/core.nix @@ -5,44 +5,39 @@ inputs, ... }: { - imports = [ - ../profiles/security.nix - ../profiles/network.nix - ]; + # imports = [ + # ../profiles/security.nix + # ../profiles/network.nix + # ]; config = { - system.stateVersion = "22.5"; - nix = { - registry.nixpkgs.flake = inputs.nixpkgs; - gc.automatic = true; - optimise.automatic = true; - settings = { - allowed-users = ["root"]; - trusted-users = ["root"]; - sandbox = true; - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - users.mutableUsers = false; - environment.defaultPackages = lib.mkForce []; + # system.stateVersion = "22.5"; + # nix = { + # registry.nixpkgs.flake = inputs.nixpkgs; + # gc.automatic = true; + # optimise.automatic = true; + # settings = { + # allowed-users = ["root"]; + # trusted-users = ["root"]; + # sandbox = true; + # }; + # extraOptions = '' + # experimental-features = nix-command flakes + # ''; + # }; + # users.mutableUsers = false; + # environment.defaultPackages = lib.mkForce []; - age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"]; - # causing issues, fix this programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite; - # save uid/guid - environment.persistence."/nix/persist".directories = ["/var/lib/nixos"]; - - boot = { - tmp.cleanOnBoot = true; - kernelParams = [ - "init_on_free=1" - "page_poison=1" - "page_alloc.shuffle=1" - "slab_nomerge" - "vsyscall=none" - ]; - }; + # boot = { + # tmp.cleanOnBoot = true; + # kernelParams = [ + # "init_on_free=1" + # "page_poison=1" + # "page_alloc.shuffle=1" + # "slab_nomerge" + # "vsyscall=none" + # ]; + # }; }; } diff --git a/profiles/default.nix b/profiles/default.nix new file mode 100644 index 0000000..77921b6 --- /dev/null +++ b/profiles/default.nix @@ -0,0 +1,8 @@ +{inputs, ...}: { + flake.nixosModules = { + nix = import ./nix.nix {inherit inputs;}; + security = ./security.nix; + tzlil = ./tzlil.nix; + ssh = ./ssh.nix; + }; +} diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix new file mode 100644 index 0000000..5ee9c97 --- /dev/null +++ b/profiles/impermanence.nix @@ -0,0 +1,29 @@ +{inputs, ...}: { + config, + lib, + options, + ... +}: let + sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys; +in { + imports = [inputs.impermanence.nixosModules.impermanence]; + + config = lib.mkMerge [ + { + environment.persistence."/nix/persistent" = { + hideMounts = true; + directories = [ + "/var/log" + "/var/lib/systemd/coredump" + "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot) + ]; + files = + [ + "/etc/machine-id" + ] + ++ sshHostKeys; + }; + } + (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;}) + ]; +} diff --git a/profiles/nix.nix b/profiles/nix.nix new file mode 100644 index 0000000..769a06a --- /dev/null +++ b/profiles/nix.nix @@ -0,0 +1,44 @@ +{ + inputs, + pkgs, + ... +}: { + nix = { + package = pkgs.nixUnstable; + registry.nixpkgs.flake = inputs.nixpkgs; + nixPath = [ + "nixpkgs=flake:nixpkgs" + ]; + gc.automatic = true; + optimise.automatic = true; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "cgroups" + "auto-allocate-uids" + "repl-flake" + "no-url-literals" + ]; + use-cgroups = true; + auto-allocate-uids = true; + builders-use-substitutes = true; + auto-optimise-store = true; + warn-dirty = false; + trusted-users = [ + "@wheel" + ]; + substituters = [ + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + }; + + nixpkgs.config.allowUnfree = true; + + # save uid/guid + environment.persistence."/nix/persist".directories = ["/var/lib/nixos"]; +} diff --git a/profiles/security.nix b/profiles/security.nix index 63c5fe4..40d5bf4 100644 --- a/profiles/security.nix +++ b/profiles/security.nix @@ -1,75 +1,72 @@ { - pkgs, lib, config, - inputs, ... }: { - imports = []; - config = { - programs.firejail.enable = true; - security.auditd.enable = true; - security.audit.enable = true; - security.audit.rules = [ - "-a exit,always -F arch=b64 -S execve" - ]; - - # https://source.android.com/docs/security/test/scudo - environment.memoryAllocator.provider = "scudo"; - environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; - - security.lockKernelModules = true; - security.protectKernelImage = true; - security.allowSimultaneousMultithreading = false; - security.forcePageTableIsolation = true; - - security.unprivilegedUsernsClone = config.virtualisation.containers.enable; - - security.virtualisation.flushL1DataCache = "always"; - - security.apparmor.enable = true; - security.apparmor.killUnconfinedConfinables = true; - - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; - - # Hide kptrs even for processes with CAP_SYSLOG - boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; - - # Disable bpf() JIT (to eliminate spray attacks) - boot.kernel.sysctl."net.core.bpf_jit_enable" = false; - - # Disable ftrace debugging - boot.kernel.sysctl."kernel.ftrace_enabled" = false; - - # Enable strict reverse path filtering (that is, do not attempt to route - # packets that "obviously" do not belong to the iface's network; dropped - # packets are logged as martians). - boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; - boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; - - # Ignore broadcast ICMP (mitigate SMURF) - boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; - - # Ignore incoming ICMP redirects (note: default is needed to ensure that the - # setting is applied to interfaces added after the sysctls are set) - boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; - - # Ignore outgoing ICMP redirects (this is ipv4 only) - boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; - - security.chromiumSuidSandbox.enable = true; - - security.sudo.execWheelOnly = true; - security.sudo.extraConfig = "Defaults lecture = never"; - }; + programs.firejail.enable = true; + security.auditd.enable = true; + security.audit.enable = true; + security.audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + + # https://source.android.com/docs/security/test/scudo + environment.memoryAllocator.provider = "scudo"; + environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; + + security.lockKernelModules = true; + security.protectKernelImage = true; + security.allowSimultaneousMultithreading = false; + security.forcePageTableIsolation = true; + + security.unprivilegedUsernsClone = config.virtualisation.containers.enable; + + security.virtualisation.flushL1DataCache = "always"; + + security.apparmor.enable = true; + security.apparmor.killUnconfinedConfinables = true; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; + + # Hide kptrs even for processes with CAP_SYSLOG + boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; + + # Disable bpf() JIT (to eliminate spray attacks) + boot.kernel.sysctl."net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + boot.kernel.sysctl."kernel.ftrace_enabled" = false; + + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). + boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; + + security.chromiumSuidSandbox.enable = true; + + security.sudo.execWheelOnly = true; + security.sudo.extraConfig = "Defaults lecture = never"; + + environment.defaultPackages = lib.mkForce []; } diff --git a/profiles/ssh.nix b/profiles/ssh.nix index 294f015..a753e86 100644 --- a/profiles/ssh.nix +++ b/profiles/ssh.nix @@ -2,7 +2,6 @@ pkgs, lib, config, - inputs, ... }: { config = { diff --git a/profiles/user.nix b/profiles/tzlil.nix index 7355e85..0e242e1 100644 --- a/profiles/user.nix +++ b/profiles/tzlil.nix @@ -16,20 +16,22 @@ programs.fish.enable = true; # needed now users.users.tzlil = { isNormalUser = true; - description = "Me"; - extraGroups = ["wheel"]; + extraGroups = + ["wheel"] + ++ lib.optional config.virtualisation.docker.enable "docker" + ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd" + ++ lib.optional config.networking.networkmanager.enable "networkmanager" + ++ lib.optional config.programs.light.enable "video" + ++ lib.optional config.programs.adb.enable "adbusers"; packages = [pkgs.git]; shell = pkgs.fish; hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1"; # passwordFile = config.age.secrets.password.path; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" ]; }; - nix.settings.allowed-users = ["root" "tzlil"]; - nix.settings.trusted-users = ["root" "tzlil"]; - home-manager = { useGlobalPkgs = true; useUserPackages = true; diff --git a/secrets/id_ed25519.age b/secrets/id_ed25519.age index 4136ecc..00c540e 100644 --- a/secrets/id_ed25519.age +++ b/secrets/id_ed25519.age Binary files differdiff --git a/secrets/matrix.age b/secrets/matrix.age index 3ccb99d..0cf30e0 100644 --- a/secrets/matrix.age +++ b/secrets/matrix.age Binary files differ |