Compare commits


No commits in common. "e47f41a3c05ee20399991fed9bac5b77256e90bb" and "0a9742429d80b0b9faacdebf306df377733f0a41" have entirely different histories.

22 changed files with 13 additions and 335 deletions


@ -12,6 +12,5 @@ _: {
./btop.nix ./btop.nix
./bottom.nix ./bottom.nix
./bat.nix ./bat.nix
./nix-index.nix
]; ];
} }


@ -17,7 +17,7 @@ in
userEmail = myGitConf.userEmail; userEmail = myGitConf.userEmail;
signing = { signing = {
signByDefault = myGitConf.signing.enable; signByDefault = myGitConf.signing.enabled;
key = myGitConf.signing.key; key = myGitConf.signing.key;
}; };


@ -1,12 +0,0 @@
{ config, ... }: {
programs = {
# nix-index is a file database for nixpkgs
# this provides `nix-locate` command.
nix-index = {
enable = true;
# Attempt to find the package that contains the non-existent command
enableBashIntegration = config.programs.bash.enable;
enableZshIntegration = config.programs.zsh.enable;
};
};
}


@ -16,7 +16,6 @@ in
./vbox_nix ./vbox_nix
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
] ++ shared; ] ++ shared;
}; };
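Review bot: With `inputs.lanzaboote.nixosModules.lanzaboote` gone, nothing left in this module list provides a Secure Boot / signed-UKI path, while the desktop host elsewhere on this page still declares `hasTPM = true`; if any TPM-backed unlock or measured-boot setup relied on the lanzaboote boot chain being signed, that guarantee disappears without anything flagging it. If the drop is deliberate, a one-line comment on the list such as `# Secure Boot (lanzaboote) intentionally not wired in for these hosts` would record the decision. The module list begins before this hunk, so any remaining boot-related module is not visible here.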


@ -59,13 +59,6 @@
hasTPM = true; hasTPM = true;
}; };
security = {
auditd = {
enable = true;
autoPrune.enable = true;
};
};
workstation = { workstation = {
printing.enable = true; printing.enable = true;
}; };
@ -77,7 +70,7 @@
userName = "ItsDrike"; userName = "ItsDrike";
userEmail = "itsdrike@protonmail.com"; userEmail = "itsdrike@protonmail.com";
signing = { signing = {
enable = true; enabled = true;
key = "FA2745890B7048C0"; key = "FA2745890B7048C0";
}; };
}; };


@ -22,48 +22,19 @@
system = { system = {
hostname = "vboxnix"; hostname = "vboxnix";
username = "itsdrike"; username = "itsdrike";
impermanence = {
root.enable = false;
autoWipeBtrfs.enable = false;
}; };
boot = {
secure-boot.enable = false;
tmpOnTmpfs = false;
};
};
device = { device = {
roles = {
type = "desktop"; type = "desktop";
virtual-machine = true; virtual-machine = true;
};
cpu.type = "amd"; cpu.type = "amd";
hasTPM = false;
}; };
security = {
auditd = {
enable = true;
autoPrune.enable = true;
};
};
workstation = {
printing.enable = false;
};
home-manager = { home-manager = {
enable = true; enable = true;
stateVersion = "23.11"; stateVersion = "23.11";
git = { git = {
userName = "ItsDrike"; userName = "ItsDrike";
userEmail = "itsdrike@protonmail.com"; userEmail = "itsdrike@protonmail.com";
signing = { signing.key = "FA2745890B7048C0";
enable = true;
key = "FA2745890B7048C0";
};
}; };
}; };
}; };
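Review bot: On the new side `git.signing.key = "FA2745890B7048C0"` is set but `git.signing.enabled` is not, and that option is declared with `mkEnableOption` (default off), so `signByDefault` in the home-manager git module evaluates to false and commits from vboxnix are unsigned even though a key is configured. If unsigned commits are intended on the VM, a comment such as `# key configured but signing left off on the VM` next to the key would make that explicit; otherwise add `signing.enabled = true;` alongside it. The hunk also drops `hasTPM = false` from `device`; whether that option has a default elsewhere is not visible here, so it is worth confirming evaluation still succeeds.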


@ -4,6 +4,5 @@ _: {
./home ./home
./system ./system
./workstation ./workstation
./security
]; ];
} }


@ -15,7 +15,7 @@ in
}; };
signing = { signing = {
enable = mkEnableOption '' enabled = mkEnableOption ''
git commit signing. git commit signing.
Requires `myOptions.home-manager.git.signing.key` to be set. Requires `myOptions.home-manager.git.signing.key` to be set.
''; '';
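Review bot: The description promises that signing "Requires `myOptions.home-manager.git.signing.key` to be set", but nothing in this hunk enforces it, so `enabled = true` with no key would presumably fall through to git's own key selection rather than fail at evaluation. If `key` is nullable, an assertion in the module's `config` (outside this hunk, assuming the usual `cfg` binding) such as `{ assertion = cfg.signing.enabled -> cfg.signing.key != null; message = "myOptions.home-manager.git.signing.key must be set when signing is enabled"; }` would turn the documented requirement into a hard error. As a style point, `enabled` departs from the `enable` naming used by every other `mkEnableOption` on this page and by NixOS modules in general, which makes the option easy to mistype. The option set continues past the end of the hunk.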


@ -1,61 +0,0 @@
{ lib, config, ... }: with lib; let
inherit (lib) mkEnableOption mkOption literalExpression types;
in
{
options.myOptions.security.auditd = {
enable = mkEnableOption "the audit daemon.";
autoPrune = {
enable = mkEnableOption ''
automatic pruning of audit logs.
Enabling this is HEAVILY recommended, as audit logs
can grow very large very quickly.
'';
size = mkOption {
type = types.int;
default = 524288000; # roughly 500MB
description = ''
The maximum size of the audit log in bytes.
The default is 500MB.
'';
};
schedule = mkOption {
type = types.str;
default = "daily";
example = "weekly";
description = "How often cleaning is triggered. Passed to systemd.time";
};
};
extraFiles = mkOption {
default = [];
type = types.listOf types.path;
example = literalExpression ''["/etc/nix/id_rsa"]'';
description = ''
Additional files in root to link to persistent storage.
'';
};
extraDirectories = mkOption {
default = [];
type = types.listOf types.path;
example = literalExpression ''["/etc/nix/id_rsa"]'';
description = ''
Additional directories in root to link to persistent storage.
'';
};
persistentMountPoint = mkOption {
default = "/persist";
description = ''
Path to a persistent directory (usually a mount point to a
standalone partition / subvolume), which will hold the persistent
system state files.
'';
};
};
}


@ -1,5 +0,0 @@
{
imports = [
./auditd.nix
];
}


@ -85,13 +85,4 @@ in
}; };
}; };
}; };
config = {
assertions = [
{
assertion = cfg.autoWipeBtrfs.enable -> cfg.root.enable;
message = "myOptions.system.impermanence.autoWipeBtrfs requires myOptions.system.impermanence.root to be enabled.";
}
];
};
} }


@ -1,6 +1,5 @@
{ {
imports = [ imports = [
./misc.nix ./misc.nix
./physlock.nix
]; ];
} }


@ -1,8 +0,0 @@
{
# Screen locker which works across all virtual terminals
# Use `systemctl start physlock` to securely lock the screen
services.physlock = {
enable = true;
lockMessage = "System is locked...";
};
}


@ -6,7 +6,6 @@ _: {
./nix ./nix
./environment ./environment
./impermanence ./impermanence
./security
./programs.nix ./programs.nix
./system.nix ./system.nix
./network.nix ./network.nix


@ -1,17 +1,10 @@
{lib, ...}: let {
inherit (lib) mkForce;
in {
programs = {
# Explicitly disable nano, it sucks and I don't want it
nano.enable = mkForce false;
# Install an actually usable system-wide editor # Install an actually usable system-wide editor
neovim = { programs.neovim = {
enable = true; enable = true;
defaultEditor = true; defaultEditor = true;
vimAlias = true; vimAlias = true;
viAlias = true; viAlias = true;
}; };
};
} }
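Review bot: The new side no longer sets `programs.nano.enable = mkForce false`, so on NixOS releases where nano is enabled by default both editors end up installed alongside `programs.neovim` with `defaultEditor = true`. If leaving nano at the distribution default is intentional, a short comment such as `# nano left at the NixOS default; neovim is still the default editor` above `programs.neovim` would make the choice explicit rather than looking like an accidental loss of the override.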


@ -1,60 +0,0 @@
{ config, pkgs, ... }: {
services.dbus.apparmor = "enabled";
environment.systemPackages = with pkgs; [
apparmor-pam
apparmor-utils
apparmor-parser
apparmor-profiles
apparmor-bin-utils
apparmor-kernel-patches
libapparmor
];
# apparmor configuration
security.apparmor = {
enable = true;
# whether to enable AppArmor cache
# in /var/cache/apparmor
enableCache = true;
# whether to kill processes which have an AppArmor profile enabled
# but are not confined (AppArmor can only confine new processes)
killUnconfinedConfinables = true;
# packages to be added to AppArmor's include path
packages = [pkgs.apparmor-profiles];
# AppArmor policies
policies = {
"default_deny" = {
enforce = false;
enable = false;
profile = ''
profile default_deny /** {}
'';
};
"sudo" = {
enforce = false;
enable = false;
profile = ''
${pkgs.sudo}/bin/sudo {
file /** rwlkUx
}
'';
};
"nix" = {
enforce = false;
enable = false;
profile = ''
${config.nix.package}/bin/nix {
unconfined
}
'';
};
};
};
}


@ -1,52 +0,0 @@
{ config, lib, ... }: let
inherit (lib) mkIf;
cfg = config.myOptions.security.auditd;
in {
config = mkIf cfg.enable {
security = {
auditd.enable = true;
audit = {
enable = true;
# maximum number of outstanding audit buffers allowed
# exceeding this is considered a failure and handled in
# a manner specified by failureMode
backlogLimit = 8192;
# how to handle critical errors in the auditing system
failureMode = "printk"; # "silent" | "printk" | "panic"
rules = [
"-a exit,always -F arch=b64 -S execve"
];
};
};
systemd = mkIf cfg.autoPrune.enable {
# Systemd timer to clean /var/log/audit.log on configured schedule
timers."clean-audit-log" = {
description = "Periodically clean audit log";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = cfg.autoPrune.schedule;
Persistent = true;
};
};
# clean audit log if it's larger than the configured size
services."clean-audit-log" = {
script = ''
set -eu
if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${builtins.toString cfg.autoPrune.size} ]]; then
echo "Clearing Audit Log";
rm -rvf /var/log/audit/audit.log;
echo "Done!"
fi
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
};
};
}


@ -1,7 +0,0 @@
{
imports = [
./apparmor.nix
./auditd.nix
./polkit.nix
];
}


@ -1,14 +0,0 @@
{ config, lib, ... }: {
security.polkit = {
enable = true;
debug = lib.mkDefault true;
# Have polkit log all actions, if debug is enabled
extraConfig = lib.mkIf config.security.polkit.debug ''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
'';
};
}


@ -5,7 +5,5 @@ _: {
./logrotate.nix ./logrotate.nix
./oomd.nix ./oomd.nix
./thermald.nix ./thermald.nix
./journald.nix
./fstrim.nix
]; ];
} }


@ -1,35 +0,0 @@
{ config, lib, ... }: let
inherit (lib.modules) mkIf;
in {
# if lvm is enabled, then tell it to issue discards
# (this is good for SSDs and has almost no downsides on HDDs, so
# it's a good idea to enable it unconditionally)
environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
devices {
issue_discards = 1
}
'';
# discard blocks that are not in use by the filesystem, good for SSDs
services.fstrim = {
# we may enable this unconditionally across all systems becuase it's performance
# impact is negligible on systems without a SSD - which means it's a no-op with
# almost no downsides aside from the service firing once per week
enable = true;
# the default value, good enough for average-load systems
interval = "weekly";
};
# tweak fstim service to run only when on AC power
# and to be nice to other processes
# (this is a good idea for any service that runs periodically)
systemd.services.fstrim = {
unitConfig.ConditionACPower = true;
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
};
};
}


@ -1,9 +0,0 @@
{
# Limit systemd journal size, as the default is unlimited and
# journals get big really fast
services.journald.extraConfig = ''
SystemMaxUse=100M
RuntimeMaxUse=50M
SystemMaxFileSize=50M
'';
}