From 24637dfdfdd6dc8d116542f16a07d808c9e43c36 Mon Sep 17 00:00:00 2001
From: tzlil <tzlils@protonmail.com>
Date: Tue, 13 Dec 2022 02:15:50 +0200
Subject: first commit

---
 .gitignore             |  2 ++
 flake.nix              | 31 +++++++++++++++++++++++
 hosts/vm/cfg.nix       | 17 +++++++++++++
 mixins/cli.nix         | 42 +++++++++++++++++++++++++++++++
 mixins/tailscale.nix   | 11 +++++++++
 profiles/core.nix      | 26 ++++++++++++++++++++
 profiles/network.nix   | 19 ++++++++++++++
 profiles/security.nix  | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 profiles/user.nix      | 50 +++++++++++++++++++++++++++++++++++++
 run.sh                 |  2 ++
 secrets/id_ed25519.age | 11 +++++++++
 secrets/secrets.nix    |  9 +++++++
 12 files changed, 287 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 flake.nix
 create mode 100644 hosts/vm/cfg.nix
 create mode 100644 mixins/cli.nix
 create mode 100644 mixins/tailscale.nix
 create mode 100644 profiles/core.nix
 create mode 100644 profiles/network.nix
 create mode 100644 profiles/security.nix
 create mode 100644 profiles/user.nix
 create mode 100755 run.sh
 create mode 100644 secrets/id_ed25519.age
 create mode 100644 secrets/secrets.nix

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..af6411a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.img
+*.fd
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..299e906
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,31 @@
+{
+  description = "tzlil's system";
+	
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    impermanence.url = "github:nix-community/impermanence";
+    agenix.url = "github:ryantm/agenix";
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = inputs: let
+    mkSystem_ = pkgs: system: h: modules:
+      pkgs.lib.nixosSystem {
+        system = system;
+        modules = [./hosts/${h}/cfg.nix] ++ modules;
+        specialArgs = {inherit inputs;};
+      };
+    mkSystem = pkgs: system: h: (mkSystem_ pkgs system h [
+        inputs.agenix.nixosModule inputs.impermanence.nixosModules.impermanence
+      ]);
+  in {
+    nixosConfigurations = {
+      # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc";
+      vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm";
+    };
+  };
+}
diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix
new file mode 100644
index 0000000..1b17ea6
--- /dev/null
+++ b/hosts/vm/cfg.nix
@@ -0,0 +1,17 @@
+{config}: {
+  imports = [
+    "../profiles/core.nix"
+    "../profiles/user.nix"
+    "../mixins/tailscale.nix"
+  ]
+
+  config = {
+    boot.supportedFilesystems = ["9p"];
+    fileSystems."/flake" = {
+      fsType = "9p";
+      device = "host0";
+      options = ["_netdev"];
+    };
+    boot.kernelParams = [ "console=ttyS0" ];
+  };
+}
\ No newline at end of file
diff --git a/mixins/cli.nix b/mixins/cli.nix
new file mode 100644
index 0000000..c5ff7b9
--- /dev/null
+++ b/mixins/cli.nix
@@ -0,0 +1,42 @@
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules."home-manager"
+    inputs.agenix.nixosModules
+  ];
+  config = {
+    home-manager.users.tzlil = {pkgs, ...}@hm: {
+      home = {
+        packages = with pkgs; [
+          rsync
+          curl
+          ripgrep
+        ];
+        programs = {
+          ssh.enable = true;
+          git = {
+            userName = "tzlil";
+            userEmail = "tzlils@protonmail.com";
+            enable = true;
+          };
+          fish = {
+            enable = true;
+            shellAliases = {
+              gc = "git clone";
+              l = "ls -alh";
+            };
+            functions = {
+              sb.body = "sudo nixos-rebuild build --flake ~/sources/nixcfg#(hostname)";
+              sw.body = "sudo nixos-rebuild switch --flake ~/sources/nixcfg#(hostname)";
+            };
+          };
+        };
+      };
+    };
+  };
+}
\ No newline at end of file
diff --git a/mixins/tailscale.nix b/mixins/tailscale.nix
new file mode 100644
index 0000000..8be3147
--- /dev/null
+++ b/mixins/tailscale.nix
@@ -0,0 +1,11 @@
+{ pkgs, config, ... }:
+
+{
+  config = {
+    services.tailscale.enable = true;
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedUDPPorts = [41641];
+    };
+  };
+}
\ No newline at end of file
diff --git a/profiles/core.nix b/profiles/core.nix
new file mode 100644
index 0000000..01ec85a
--- /dev/null
+++ b/profiles/core.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [
+    ../profiles/security.nix
+    ../profiles/network.nix
+  ];
+  config = {
+    system.stateVersion = "22.5";
+    nix = {
+      registry.nixpgs.flake = inputs.nixpkgs;
+      gc.automatic = true;
+      optimise.automatic = true;
+      settings = {
+        allowed-users = ["root"];
+        trusted-users = ["root"];
+        sandbox = true;
+      };
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+    };
+    users.mutableUsers = false;
+    environment.defaultPackages = lib.mkForce [];
+  };
+}
\ No newline at end of file
diff --git a/profiles/network.nix b/profiles/network.nix
new file mode 100644
index 0000000..5aee7a1
--- /dev/null
+++ b/profiles/network.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    networking = {
+      firewall = {
+        enable = true;
+        allowPing = false;
+        allowedTCPPorts = [];
+        checkReversePath = "loose";
+      };
+      networkmanager.enable = true;
+      useDHCP = false;
+      nameservers = ["127.0.0.1" "::1"];
+      networkmanager.dns = "none";
+    };
+  };
+}
\ No newline at end of file
diff --git a/profiles/security.nix b/profiles/security.nix
new file mode 100644
index 0000000..e28431b
--- /dev/null
+++ b/profiles/security.nix
@@ -0,0 +1,67 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    security.auditd.enable = true;
+    security.audit.enable = true;
+    security.audit.rules = [
+      "-a exit,always -F arch=b64 -S execve"
+    ];
+
+    environment.memoryAllocator.provider = "scudo";
+    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+    security.lockKernelModules = true;
+    security.protectKernelImage = true;
+    security.allowSimultaneousMultithreading = false;
+    security.forcePageTableIsolation = true;
+
+    security.virtualisation.flushL1DataCache = "always";
+
+    security.apparmor.enable = true;
+    security.apparmor.killUnconfinedConfinables = true;
+
+    # Restrict ptrace() usage to processes with a pre-defined relationship
+    # (e.g., parent/child)
+    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+    # Hide kptrs even for processes with CAP_SYSLOG
+    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+    # Disable bpf() JIT (to eliminate spray attacks)
+    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+    # Disable ftrace debugging
+    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+    # Enable strict reverse path filtering (that is, do not attempt to route
+    # packets that "obviously" do not belong to the iface's network; dropped
+    # packets are logged as martians).
+    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+    # Ignore broadcast ICMP (mitigate SMURF)
+    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+    # setting is applied to interfaces added after the sysctls are set)
+    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+    # Ignore outgoing ICMP redirects (this is ipv4 only)
+    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+    security.chromiumSuidSandbox.enable = true;
+    
+    security.sudo.execWheelOnly = true;
+    security.sudo.extraConfig = "Defaults        lecture = never";
+  };
+}
\ No newline at end of file
diff --git a/profiles/user.nix b/profiles/user.nix
new file mode 100644
index 0000000..ee29bad
--- /dev/null
+++ b/profiles/user.nix
@@ -0,0 +1,50 @@
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules."home-manager"
+    inputs.agenix.nixosModules
+  ];
+  config = {
+    users.users.tzlil = {
+      isNormalUser = true;
+      description = "Me";
+      extraGroups = ["wheel"];
+      packages = [pkgs.git];
+      shell = pkgs.fish;
+      hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
+      ];
+    };
+
+    nix.settings.allowed-users = ["root" "tzlil"];
+    nix.settings.trusted-users = ["root" "tzlil"];
+
+    age.secrets.id_ed25519 = {
+      file = ../secrets/id_ed25519.age;
+      mode = "600";
+      owner = "tzlil";
+      group = "tzlil";
+    };
+
+    home-manager.nixosModules.home-manager = {
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+      home-manager.backupFileExtension = "backup";
+    };
+
+    home-manager.users.tzlil = {pkgs, ...}@hm: {
+      home = {
+        stateVersion = "22.05";
+        username = "tzlil";
+        homeDirectory = "/home/tzlil";
+      };
+      programs.ssh.matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path;
+    };
+  };
+}
\ No newline at end of file
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..7e89e0d
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+qemu-kvm -enable-kvm -m 4G -cpu host -smp 2 -hda nixos-test.img -virtfs local,path=/home/tzlil/newflake,mount_tag=host0,security_model=passthrough,id=host0 -bios OVMF.fd -vga virtio -display gtk,gl=on,show-cursor=on -usb -device usb-mouse
diff --git a/secrets/id_ed25519.age b/secrets/id_ed25519.age
new file mode 100644
index 0000000..64ee68f
--- /dev/null
+++ b/secrets/id_ed25519.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 BCUvfQ dvwbiu7/kFy2YfjSXbVdFAWMwbG3sDWXlHv5X4Hn92Q
+lbTPW6ic0euvWIOi5Te2tSbtvQPAUn2CfZcseSTDOa4
+-> ssh-ed25519 7WlLXw wJeviJZ+bZLUJVqe3kVu5TC1bXb2uY7nYC+7c2xigTc
+3Sm9erDBILh5R2GxcwoVEsUqGJ5TNyFrhe3Bx9NlQJ8
+-> y1$)b6-grease ?`{4V#EJ +w;l9w bb\|(<9 3Gx*xD
+NF2bdrX6TVFaUyMp044VRi7ZikFB6Wfn/U5WEYRxTszdMwXtlw
+--- kGm0bJlpAeNm9HT6uMIhQArcAIccwXf46G96IqUBWZM
+A<S�{0��Ag^���"����ݕ.:.�(�����JMmU�r�􊰴J��G�2�gb�}��ɵ��i{���~�8yy��ߤ�m�
+N��f�]����WnA���Z3+���i����eۀ�Av�nx��V�jS��/����­����^���NQ~�\/=�m����m�i�T\M^�5Q5�������&���3��kJ��
�si�@�~$�3s4
+a�ɣ�½���������)���
���C�4�cDJ�Q�IUh�j��H
�bTa�B�iq��D���$U�{������*5�@����V�z��4��<I��cQ#��Q�d�S�y�J~\��('WOΑ���,.��J������ŜĚ^��S�Oa;[N�l��i(S����Ӡ�q&H���&�Lm@������U�>��.���&�3�(sD���H�����fD���-3siD��H+߶Ò/��4�[�����"@
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..bf4b037
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+  tzlil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA";
+
+  vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS";
+  systems = [ vm ];
+in
+{
+  "id_ed25519.age".publicKeys = [ tzlil ] ++ systems;
+}
\ No newline at end of file
-- 
cgit 1.4.1