authortzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
committertzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
commitfeefcfc89b00d4955dbb3314c20be035f3db206f (patch)
tree5099a13763dcfd274cae83af4dbac0bf4bef6cce /profiles
parent11526bdd2bb3b4b445665aa671e4bc72021b8183 (diff)
disko for laptop, wip rewrite
Diffstat (limited to 'profiles')
-rw-r--r--profiles/core.nix65
-rw-r--r--profiles/default.nix8
-rw-r--r--profiles/impermanence.nix29
-rw-r--r--profiles/nix.nix44
-rw-r--r--profiles/security.nix135
-rw-r--r--profiles/ssh.nix1
-rw-r--r--profiles/tzlil.nix (renamed from profiles/user.nix)14
7 files changed, 185 insertions, 111 deletions
diff --git a/profiles/core.nix b/profiles/core.nix
index 3eca577..4fefbdd 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -5,44 +5,39 @@
   inputs,
   ...
 }: {
-  imports = [
-    ../profiles/security.nix
-    ../profiles/network.nix
-  ];
+  # imports = [
+  #   ../profiles/security.nix
+  #   ../profiles/network.nix
+  # ];
   config = {
-    system.stateVersion = "22.5";
-    nix = {
-      registry.nixpkgs.flake = inputs.nixpkgs;
-      gc.automatic = true;
-      optimise.automatic = true;
-      settings = {
-        allowed-users = ["root"];
-        trusted-users = ["root"];
-        sandbox = true;
-      };
-      extraOptions = ''
-        experimental-features = nix-command flakes
-      '';
-    };
-    users.mutableUsers = false;
-    environment.defaultPackages = lib.mkForce [];
+    # system.stateVersion = "22.5";
+    # nix = {
+    #   registry.nixpkgs.flake = inputs.nixpkgs;
+    #   gc.automatic = true;
+    #   optimise.automatic = true;
+    #   settings = {
+    #     allowed-users = ["root"];
+    #     trusted-users = ["root"];
+    #     sandbox = true;
+    #   };
+    #   extraOptions = ''
+    #     experimental-features = nix-command flakes
+    #   '';
+    # };
+    # users.mutableUsers = false;
+    # environment.defaultPackages = lib.mkForce [];
 
-    age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];
-    # causing issues, fix this
     programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite;
 
-    # save uid/guid
-    environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
-
-    boot = {
-      tmp.cleanOnBoot = true;
-      kernelParams = [
-        "init_on_free=1"
-        "page_poison=1"
-        "page_alloc.shuffle=1"
-        "slab_nomerge"
-        "vsyscall=none"
-      ];
-    };
+    # boot = {
+    #   tmp.cleanOnBoot = true;
+    #   kernelParams = [
+    #     "init_on_free=1"
+    #     "page_poison=1"
+    #     "page_alloc.shuffle=1"
+    #     "slab_nomerge"
+    #     "vsyscall=none"
+    #   ];
+    # };
   };
 }
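Review bot: With the `imports` of `../profiles/security.nix` and the `nix`/`users.mutableUsers`/`boot` settings now commented out rather than deleted, nothing in this file applies the hardening any more, and the dead blocks will drift from `profiles/security.nix` and `profiles/nix.nix`, which this commit makes the live copies. Delete the commented lines and either import the modules exported by `profiles/default.nix` or say in a comment where they are now wired in (`# hardening lives in flake.nixosModules.security / .nix, see profiles/default.nix`). Two settings have no replacement elsewhere in the commit: `users.mutableUsers = false` (so passwords and groups declared in `profiles/tzlil.nix` become initial-only values that can be changed out of band) and `boot.tmp.cleanOnBoot = true`, which the `/tmp` comment in the new `profiles/impermanence.nix` still assumes. `nix.settings.allowed-users = ["root"]` is also dropped and not restored by `profiles/nix.nix`, so the daemon falls back to its default of allowing every user. Commenting out `system.stateVersion = "22.5"` additionally changes stateful defaults on an existing install; it should stay set even while the rest is being moved.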
diff --git a/profiles/default.nix b/profiles/default.nix
new file mode 100644
index 0000000..77921b6
--- /dev/null
+++ b/profiles/default.nix
@@ -0,0 +1,8 @@
+{inputs, ...}: {
+  flake.nixosModules = {
+    nix = import ./nix.nix {inherit inputs;};
+    security = ./security.nix;
+    tzlil = ./tzlil.nix;
+    ssh = ./ssh.nix;
+  };
+}
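Review bot: `nix = import ./nix.nix {inherit inputs;};` on line 3 treats `nix.nix` as curried the way `impermanence.nix` is, but the new `profiles/nix.nix` is a single-argument module `{inputs, pkgs, ...}: {...}`, so this call is missing `pkgs` and will fail to evaluate (unless a later commit in the rewrite changes `nix.nix` again). Either curry it as `{inputs, ...}: {pkgs, ...}: {...}` or export the path and pass `inputs` through `specialArgs` like the other entries. `impermanence.nix` is the one file already written in the curried form yet it is not exported here; if that is deliberate, a comment such as `# impermanence is wired in per host` would make it clear.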
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
new file mode 100644
index 0000000..5ee9c97
--- /dev/null
+++ b/profiles/impermanence.nix
@@ -0,0 +1,29 @@
+{inputs, ...}: {
+  config,
+  lib,
+  options,
+  ...
+}: let
+  sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
+in {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  config = lib.mkMerge [
+    {
+      environment.persistence."/nix/persistent" = {
+        hideMounts = true;
+        directories = [
+          "/var/log"
+          "/var/lib/systemd/coredump"
+          "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot)
+        ];
+        files =
+          [
+            "/etc/machine-id"
+          ]
+          ++ sshHostKeys;
+      };
+    }
+    (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;})
+  ];
+}
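Review bot: The persistence root here is `/nix/persistent`, while the new `profiles/nix.nix` persists `/var/lib/nixos` under `/nix/persist` (the root the old `core.nix` also used), so the uid/gid map and the host keys are bound under different directories and which one actually exists depends on which module a host imports. Pick one root and share it, e.g. a single `let persistRoot = "/nix/persistent"; in` binding used by both `environment.persistence.${persistRoot}` and the `age.identityPaths` map on the last line. The `/tmp` entry's comment says `/tmp` is still cleaned on boot, but `boot.tmp.cleanOnBoot = true` is commented out in `core.nix` in this same commit, so a persisted `/tmp` now survives reboots unless that option is set elsewhere. A short comment on the `sshHostKeys` binding (`# host keys double as the agenix identity, so they must live on persistent storage`) would make the coupling between `files` and `age.identityPaths` explicit.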
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..769a06a
--- /dev/null
+++ b/profiles/nix.nix
@@ -0,0 +1,44 @@
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  nix = {
+    package = pkgs.nixUnstable;
+    registry.nixpkgs.flake = inputs.nixpkgs;
+    nixPath = [
+      "nixpkgs=flake:nixpkgs"
+    ];
+    gc.automatic = true;
+    optimise.automatic = true;
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "cgroups"
+        "auto-allocate-uids"
+        "repl-flake"
+        "no-url-literals"
+      ];
+      use-cgroups = true;
+      auto-allocate-uids = true;
+      builders-use-substitutes = true;
+      auto-optimise-store = true;
+      warn-dirty = false;
+      trusted-users = [
+        "@wheel"
+      ];
+      substituters = [
+        "https://nix-community.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  # save uid/guid
+  environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
+}
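Review bot: `trusted-users = ["@wheel"]` widens trust from the previous `["root"]`: a trusted user can override `substituters`, `sandbox-paths` and other daemon settings per build, which is effectively root on the host, so it should carry a comment stating this is intentional because wheel already has sudo (`# wheel is sudo-capable already; trusted-users lets it add substituters`). `allowed-users` is no longer set anywhere in this commit, so the daemon default applies where `core.nix` previously restricted it to root. The `environment.persistence."/nix/persist"` entry on the last line assumes the impermanence module is imported by every host that uses this module and uses a different root than `profiles/impermanence.nix`; after adding `lib` and `options` to the argument set, guarding it the way `impermanence.nix` guards `age` (`lib.optionalAttrs (options ? environment.persistence) { ... }`) would keep this module usable on hosts without impermanence.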
diff --git a/profiles/security.nix b/profiles/security.nix
index 63c5fe4..40d5bf4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -1,75 +1,72 @@
 {
-  pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
-  imports = [];
-  config = {
-    programs.firejail.enable = true;
-    security.auditd.enable = true;
-    security.audit.enable = true;
-    security.audit.rules = [
-      "-a exit,always -F arch=b64 -S execve"
-    ];
-
-    # https://source.android.com/docs/security/test/scudo
-    environment.memoryAllocator.provider = "scudo";
-    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
-    security.lockKernelModules = true;
-    security.protectKernelImage = true;
-    security.allowSimultaneousMultithreading = false;
-    security.forcePageTableIsolation = true;
-
-    security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
-
-    security.virtualisation.flushL1DataCache = "always";
-
-    security.apparmor.enable = true;
-    security.apparmor.killUnconfinedConfinables = true;
-
-    # Restrict ptrace() usage to processes with a pre-defined relationship
-    # (e.g., parent/child)
-    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-
-    # Hide kptrs even for processes with CAP_SYSLOG
-    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
-
-    # Disable bpf() JIT (to eliminate spray attacks)
-    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
-
-    # Disable ftrace debugging
-    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
-
-    # Enable strict reverse path filtering (that is, do not attempt to route
-    # packets that "obviously" do not belong to the iface's network; dropped
-    # packets are logged as martians).
-    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
-    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
-
-    # Ignore broadcast ICMP (mitigate SMURF)
-    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
-    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-    # setting is applied to interfaces added after the sysctls are set)
-    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
-
-    # Ignore outgoing ICMP redirects (this is ipv4 only)
-    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
-
-    security.chromiumSuidSandbox.enable = true;
-
-    security.sudo.execWheelOnly = true;
-    security.sudo.extraConfig = "Defaults        lecture = never";
-  };
+  programs.firejail.enable = true;
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve"
+  ];
+
+  # https://source.android.com/docs/security/test/scudo
+  environment.memoryAllocator.provider = "scudo";
+  environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+  security.lockKernelModules = true;
+  security.protectKernelImage = true;
+  security.allowSimultaneousMultithreading = false;
+  security.forcePageTableIsolation = true;
+
+  security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+  security.virtualisation.flushL1DataCache = "always";
+
+  security.apparmor.enable = true;
+  security.apparmor.killUnconfinedConfinables = true;
+
+  # Restrict ptrace() usage to processes with a pre-defined relationship
+  # (e.g., parent/child)
+  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+  # Hide kptrs even for processes with CAP_SYSLOG
+  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+  # Disable bpf() JIT (to eliminate spray attacks)
+  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+  # Disable ftrace debugging
+  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+  # Ignore broadcast ICMP (mitigate SMURF)
+  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+  # setting is applied to interfaces added after the sysctls are set)
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+  # Ignore outgoing ICMP redirects (this is ipv4 only)
+  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+  security.chromiumSuidSandbox.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = "Defaults        lecture = never";
+
+  environment.defaultPackages = lib.mkForce [];
 }
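Review bot: The audit rule `-a exit,always -F arch=b64 -S execve` records only 64-bit execve; a 32-bit compat binary executes without an audit event unless a matching `"-a exit,always -F arch=b32 -S execve"` rule is listed alongside it (or the kernel is built without IA32 emulation), which is the usual pairing in CIS-style baselines. Apart from removing the unused `pkgs`/`inputs` arguments and dropping the `config = { ... }` wrapper, this hunk is a re-indent, so the only setting new to this file is `environment.defaultPackages = lib.mkForce []` moved in from `core.nix`. `security.unprivilegedUsernsClone = config.virtualisation.containers.enable` deserves a one-line comment that it deliberately re-opens user namespaces when containers are on (`# containers need unprivileged userns; otherwise keep it locked down`).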
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index 294f015..a753e86 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -2,7 +2,6 @@
   pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
   config = {
diff --git a/profiles/user.nix b/profiles/tzlil.nix
index 7355e85..0e242e1 100644
--- a/profiles/user.nix
+++ b/profiles/tzlil.nix
@@ -16,20 +16,22 @@
     programs.fish.enable = true; # needed now
     users.users.tzlil = {
       isNormalUser = true;
-      description = "Me";
-      extraGroups = ["wheel"];
+      extraGroups =
+        ["wheel"]
+        ++ lib.optional config.virtualisation.docker.enable "docker"
+        ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd"
+        ++ lib.optional config.networking.networkmanager.enable "networkmanager"
+        ++ lib.optional config.programs.light.enable "video"
+        ++ lib.optional config.programs.adb.enable "adbusers";
       packages = [pkgs.git];
       shell = pkgs.fish;
       hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1";
       # passwordFile = config.age.secrets.password.path;
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"
       ];
     };
 
-    nix.settings.allowed-users = ["root" "tzlil"];
-    nix.settings.trusted-users = ["root" "tzlil"];
-
     home-manager = {
       useGlobalPkgs = true;
       useUserPackages = true;
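Review bot: The new `extraGroups` expression uses `lib` and `config`, but the module's argument pattern is above this hunk, so make sure both are bound there (the old lines needed only `pkgs`); a missing `config` fails evaluation rather than silently dropping groups. Conditionally adding `docker` is worth a comment that membership in that group is root-equivalent (`# docker group is root-equivalent; only granted when docker is enabled`), since the `lib.optional` condition is the only thing keeping it off other hosts. With `nix.settings.allowed-users`/`trusted-users` removed here and `trusted-users = ["@wheel"]` now set in `profiles/nix.nix`, this user's nix trust follows wheel membership, and because `users.mutableUsers = false` is commented out in `core.nix` in this commit, `hashedPassword` and `extraGroups` become initial values that can be changed out of band.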