2024-11-13 01:17:17 +00:00
22 changed files with 13 additions and 335 deletions
--- a/home/programs/terminal/tools/default.nix
+++ b/home/programs/terminal/tools/default.nix
@ -12,6 +12,5 @@ _: {
    ./btop.nix
    ./bottom.nix
    ./bat.nix
    ./nix-index.nix
  ];
 }
--- a/home/programs/terminal/tools/git/default.nix
+++ b/home/programs/terminal/tools/git/default.nix
@ -17,7 +17,7 @@ in
    userEmail = myGitConf.userEmail;
    signing = {
-      signByDefault = myGitConf.signing.enable;
+      signByDefault = myGitConf.signing.enabled;
      key = myGitConf.signing.key;
    };
--- a/home/programs/terminal/tools/nix-index.nix
+++ b/home/programs/terminal/tools/nix-index.nix
@ -1,12 +0,0 @@
 { config, ... }: {
  programs = {
    # nix-index is a file database for nixpkgs
    # this provides `nix-locate` command.
    nix-index = {
      enable = true;
      # Attempt to find the package that contains the non-existent command
      enableBashIntegration = config.programs.bash.enable;
      enableZshIntegration = config.programs.zsh.enable;
    };
  };
 }
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -16,7 +16,6 @@ in
      ./vbox_nix
      inputs.home-manager.nixosModules.home-manager
      inputs.impermanence.nixosModules.impermanence
      inputs.lanzaboote.nixosModules.lanzaboote
    ] ++ shared;
  };
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@ -59,13 +59,6 @@
      hasTPM = true;
    };
    security = {
      auditd = {
        enable = true;
        autoPrune.enable = true;
      };
    };
    workstation = {
      printing.enable = true;
    };
@ -77,7 +70,7 @@
        userName = "ItsDrike";
        userEmail = "itsdrike@protonmail.com";
        signing = {
-          enable = true;
+          enabled = true;
          key = "FA2745890B7048C0";
        };
      };
--- a/hosts/vbox_nix/default.nix
+++ b/hosts/vbox_nix/default.nix
@ -22,48 +22,19 @@
    system = {
      hostname = "vboxnix";
      username = "itsdrike";
      impermanence = {
        root.enable = false;
        autoWipeBtrfs.enable = false;
      };
      boot = {
        secure-boot.enable = false;
        tmpOnTmpfs = false;
      };
    };
    device = {
-      roles = {
+      type = "desktop";
-        type = "desktop";
+      virtual-machine = true;
        virtual-machine = true;
      };
      cpu.type = "amd";
      hasTPM = false;
    };
    security = {
      auditd = {
        enable = true;
        autoPrune.enable = true;
      };
    };
    workstation = {
      printing.enable = false;
    };
    home-manager = {
      enable = true;
      stateVersion = "23.11";
      git = {
        userName = "ItsDrike";
        userEmail = "itsdrike@protonmail.com";
-        signing = {
+        signing.key = "FA2745890B7048C0";
          enable = true;
          key = "FA2745890B7048C0";
        };
      };
    };
  };
--- a/options/default.nix
+++ b/options/default.nix
@ -4,6 +4,5 @@ _: {
    ./home
    ./system
    ./workstation
    ./security
  ];
 }
--- a/options/home/git.nix
+++ b/options/home/git.nix
@ -15,7 +15,7 @@ in
    };
    signing = {
-      enable = mkEnableOption ''
+      enabled = mkEnableOption ''
        git commit signing.
        Requires `myOptions.home-manager.git.signing.key` to be set.
      '';
--- a/options/security/auditd.nix
+++ b/options/security/auditd.nix
@ -1,61 +0,0 @@
 { lib, config, ... }: with lib; let
  inherit (lib) mkEnableOption mkOption literalExpression types;
 in
 {
  options.myOptions.security.auditd = {
    enable = mkEnableOption "the audit daemon.";
    autoPrune = {
      enable = mkEnableOption ''
        automatic pruning of audit logs.
        Enabling this is HEAVILY recommended, as audit logs
        can grow very large very quickly.
      '';
      size = mkOption {
        type = types.int;
        default = 524288000; # roughly 500MB
        description = ''
          The maximum size of the audit log in bytes.
          The default is 500MB.
        '';
      };
      schedule = mkOption {
        type = types.str;
        default = "daily";
        example = "weekly";
        description = "How often cleaning is triggered. Passed to systemd.time";
      };
    };
    extraFiles = mkOption {
      default = [];
      type = types.listOf types.path;
      example = literalExpression ''["/etc/nix/id_rsa"]'';
      description = ''
        Additional files in root to link to persistent storage.
      '';
    };
    extraDirectories = mkOption {
      default = [];
      type = types.listOf types.path;
      example = literalExpression ''["/etc/nix/id_rsa"]'';
      description = ''
        Additional directories in root to link to persistent storage.
      '';
    };
    persistentMountPoint = mkOption {
      default = "/persist";
      description = ''
        Path to a persistent directory (usually a mount point to a
        standalone partition / subvolume), which will hold the persistent
        system state files.
      '';
    };
  };
 }
--- a/options/security/default.nix
+++ b/options/security/default.nix
@ -1,5 +0,0 @@
 {
  imports = [
    ./auditd.nix
  ];
 }
--- a/options/system/impermanence.nix
+++ b/options/system/impermanence.nix
@ -85,13 +85,4 @@ in
      };
    };
  };
  config = {
    assertions = [
      {
        assertion = cfg.autoWipeBtrfs.enable -> cfg.root.enable;
        message = "myOptions.system.impermanence.autoWipeBtrfs requires myOptions.system.impermanence.root to be enabled.";
      }
    ];
  };
 }
--- a/system/roles/workstation/programs/default.nix
+++ b/system/roles/workstation/programs/default.nix
@ -1,6 +1,5 @@
 {
  imports = [
    ./misc.nix
    ./physlock.nix
  ];
 }
--- a/system/roles/workstation/programs/physlock.nix
+++ b/system/roles/workstation/programs/physlock.nix
@ -1,8 +0,0 @@
 {
  # Screen locker which works across all virtual terminals
  # Use `systemctl start physlock` to securely lock the screen
  services.physlock = {
    enable = true;
    lockMessage = "System is locked...";
  };
 }
--- a/system/shared/default.nix
+++ b/system/shared/default.nix
@ -6,7 +6,6 @@ _: {
    ./nix
    ./environment
    ./impermanence
    ./security
    ./programs.nix
    ./system.nix
    ./network.nix
--- a/system/shared/programs.nix
+++ b/system/shared/programs.nix
@ -1,17 +1,10 @@
-{lib, ...}: let
+{
  inherit (lib) mkForce;
 in {
-  programs = {
+  # Install an actually usable system-wide editor
-    # Explicitly disable nano, it sucks and I don't want it
+  programs.neovim = {
-    nano.enable = mkForce false;
+    enable = true;
-
+    defaultEditor = true;
-    # Install an actually usable system-wide editor
+    vimAlias = true;
-    neovim = {
+    viAlias = true;
      enable = true;
      defaultEditor = true;
      vimAlias = true;
      viAlias = true;
    };
  };
 }
--- a/system/shared/security/apparmor.nix
+++ b/system/shared/security/apparmor.nix
@ -1,60 +0,0 @@
 { config, pkgs, ... }: {
  services.dbus.apparmor = "enabled";
  environment.systemPackages = with pkgs; [
    apparmor-pam
    apparmor-utils
    apparmor-parser
    apparmor-profiles
    apparmor-bin-utils
    apparmor-kernel-patches
    libapparmor
  ];
  # apparmor configuration
  security.apparmor = {
    enable = true;
    # whether to enable AppArmor cache
    # in /var/cache/apparmor
    enableCache = true;
    # whether to kill processes which have an AppArmor profile enabled
    # but are not confined (AppArmor can only confine new processes)
    killUnconfinedConfinables = true;
    # packages to be added to AppArmor's include path
    packages = [pkgs.apparmor-profiles];
    # AppArmor policies
    policies = {
      "default_deny" = {
        enforce = false;
        enable = false;
        profile = ''
          profile default_deny /** {}
        '';
      };
      "sudo" = {
        enforce = false;
        enable = false;
        profile = ''
          ${pkgs.sudo}/bin/sudo {
            file /** rwlkUx
          }
        '';
      };
      "nix" = {
        enforce = false;
        enable = false;
        profile = ''
          ${config.nix.package}/bin/nix {
            unconfined
          }
        '';
      };
    };
  };
 }
--- a/system/shared/security/auditd.nix
+++ b/system/shared/security/auditd.nix
@ -1,52 +0,0 @@
 { config, lib, ... }: let
  inherit (lib) mkIf;
  cfg = config.myOptions.security.auditd;
 in {
  config = mkIf cfg.enable {
    security = {
      auditd.enable = true;
      audit = {
        enable = true;
        # maximum number of outstanding audit buffers allowed
        # exceeding this is considered a failure and handled in
        # a manner specified by failureMode
        backlogLimit = 8192;
        # how to handle critical errors in the auditing system
        failureMode = "printk"; # "silent" | "printk" | "panic"
        rules = [
          "-a exit,always -F arch=b64 -S execve"
        ];
      };
    };
    systemd = mkIf cfg.autoPrune.enable {
      # Systemd timer to clean /var/log/audit.log on configured schedule
      timers."clean-audit-log" = {
        description = "Periodically clean audit log";
        wantedBy = ["timers.target"];
        timerConfig = {
          OnCalendar = cfg.autoPrune.schedule;
          Persistent = true;
        };
      };
      # clean audit log if it's larger than the configured size
      services."clean-audit-log" = {
        script = ''
          set -eu
          if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${builtins.toString cfg.autoPrune.size} ]]; then
            echo "Clearing Audit Log";
            rm -rvf /var/log/audit/audit.log;
            echo "Done!"
          fi
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };
    };
  };
 }
--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@ -1,7 +0,0 @@
 {
  imports = [
    ./apparmor.nix
    ./auditd.nix
    ./polkit.nix
  ];
 }
--- a/system/shared/security/polkit.nix
+++ b/system/shared/security/polkit.nix
@ -1,14 +0,0 @@
 { config, lib, ... }: {
  security.polkit = {
    enable = true;
    debug = lib.mkDefault true;
    # Have polkit log all actions, if debug is enabled
    extraConfig = lib.mkIf config.security.polkit.debug ''
      /* Log authorization checks. */
      polkit.addRule(function(action, subject) {
        polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
      });
    '';
  };
 }
--- a/system/shared/services/default.nix
+++ b/system/shared/services/default.nix
@ -5,7 +5,5 @@ _: {
    ./logrotate.nix
    ./oomd.nix
    ./thermald.nix
    ./journald.nix
    ./fstrim.nix
  ];
 }
--- a/system/shared/services/fstrim.nix
+++ b/system/shared/services/fstrim.nix
@ -1,35 +0,0 @@
 { config, lib, ... }: let
  inherit (lib.modules) mkIf;
 in {
  # if lvm is enabled, then tell it to issue discards
  # (this is good for SSDs and has almost no downsides on HDDs, so
  # it's a good idea to enable it unconditionally)
  environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
    devices {
      issue_discards = 1
    }
  '';
  # discard blocks that are not in use by the filesystem, good for SSDs
  services.fstrim = {
    # we may enable this unconditionally across all systems becuase it's performance
    # impact is negligible on systems without a SSD - which means it's a no-op with
    # almost no downsides aside from the service firing once per week
    enable = true;
    # the default value, good enough for average-load systems
    interval = "weekly";
  };
  # tweak fstim service to run only when on AC power
  # and to be nice to other processes
  # (this is a good idea for any service that runs periodically)
  systemd.services.fstrim = {
    unitConfig.ConditionACPower = true;
    serviceConfig = {
      Nice = 19;
      IOSchedulingClass = "idle";
    };
  };
 }
--- a/system/shared/services/journald.nix
+++ b/system/shared/services/journald.nix
@ -1,9 +0,0 @@
 {
  # Limit systemd journal size, as the default is unlimited and
  # journals get big really fast
  services.journald.extraConfig = ''
    SystemMaxUse=100M
    RuntimeMaxUse=50M
    SystemMaxFileSize=50M
  '';
 }