| -rw-r--r-- | system/default.nix | 15 | ||||
| -rw-r--r-- | system/desktop.nix | 16 | ||||
| -rw-r--r-- | system/desktops/default.nix | 2 | ||||
| -rw-r--r-- | system/desktops/hyprland.nix | 3 | ||||
| -rw-r--r-- | system/desktops/ly.nix | 3 | ||||
| -rw-r--r-- | system/desktops/sway.nix | 2 | ||||
| -rw-r--r-- | system/fingerprint.nix | 1 | ||||
| -rw-r--r-- | system/gaming/default.nix | 2 | ||||
| -rw-r--r-- | system/hardened.nix | 58 | ||||
| -rw-r--r-- | system/virt/default.nix | 2 | ||||
| -rw-r--r-- | system/virt/docker.nix | 1 | ||||
| -rw-r--r-- | system/virt/qemu.nix | 4 |
12 files changed, 96 insertions, 13 deletions
diff --git a/system/default.nix b/system/default.nix
index f6a6fa3..be64ff0 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -15,6 +15,7 @@
     ./bluetooth.nix
     ./desktop.nix
     ./fingerprint.nix
+    ./hardened.nix
     ./hardware.nix
     ./networking.nix
     ./sshd.nix
@@ -32,6 +33,12 @@
   # set state version
   system.stateVersion = config.stateVersion;
 
+  # use tmpfs on /tmp
+  boot.tmp = {
+    useTmpfs = true;
+    tmpfsSize = "50%";
+  };
+
   # use system packages in home manager
   home-manager.useGlobalPkgs = true;
 
@@ -83,6 +90,7 @@
     wget
   ];
 
+  environment.defaultPackages = lib.mkForce [];
   environment.systemPackages = config.extraPackages;
 
   # system shell
@@ -125,4 +133,11 @@
 
   # certs
   security.pki.certificateFiles = inputs.self.lib.certs;
+
+  # sudo
+  security.sudo.enable = false;
+  security.sudo-rs = {
+    enable = true;
+    execWheelOnly = true;
+  };
 }
diff --git a/system/desktop.nix b/system/desktop.nix
index d22a475..9c87d85 100644
--- a/system/desktop.nix
+++ b/system/desktop.nix
@@ -6,7 +6,7 @@
   system,
   ...
 }: let
-  inherit (lib) mkIf optionals;
+  inherit (lib) mkIf;
 in {
   imports = [
     inputs.preload-ng.nixosModules.default
@@ -43,7 +43,15 @@ in {
   security.rtkit.enable = true;
 
   # printing
-  services.printing.enable = true;
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [
+      brlaser
+      # FIXME: failes to compile
+      # cnijfilter2
+      gutenprint
+    ];
+  };
   services.avahi = {
     enable = true;
     nssmdns4 = true;
@@ -57,6 +65,9 @@ in {
     package = inputs.preload-ng.packages.${system}.preload-ng-src;
   };
 
+  # secrets
+  services.gnome.gnome-keyring.enable = true;
+
   # system fonts
   fonts.packages = with pkgs; [
     corefonts
@@ -66,6 +77,7 @@ in {
     unfreePackages = [
       "corefonts"
       "vista-fonts"
+      "cnijfilter2"
     ];
   };
 }
diff --git a/system/desktops/default.nix b/system/desktops/default.nix
index 8f9270f..476dd72 100644
--- a/system/desktops/default.nix
+++ b/system/desktops/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
   imports = [
     ./hyprland.nix
     ./ly.nix
diff --git a/system/desktops/hyprland.nix b/system/desktops/hyprland.nix
index 42a45be..26fa283 100644
--- a/system/desktops/hyprland.nix
+++ b/system/desktops/hyprland.nix
@@ -1,12 +1,11 @@
 {
   inputs,
   config,
-  pkgs,
   lib,
   system,
   ...
 }: let
-  inherit (lib) mkIf mkDefault;
+  inherit (lib) mkIf;
   cfg = config.desktops.hyprland;
 in {
   config = mkIf cfg.enable {
diff --git a/system/desktops/ly.nix b/system/desktops/ly.nix
index 49469b2..298fc4c 100644
--- a/system/desktops/ly.nix
+++ b/system/desktops/ly.nix
@@ -1,9 +1,6 @@
 {
   lib,
   config,
-  pkgs,
-  inputs,
-  system,
   ...
 }: let
   inherit (lib) mkIf;
diff --git a/system/desktops/sway.nix b/system/desktops/sway.nix
index d0838a4..501ee41 100644
--- a/system/desktops/sway.nix
+++ b/system/desktops/sway.nix
@@ -4,7 +4,7 @@
   pkgs,
   ...
 }: let
-  inherit (lib) mkIf mkDefault;
+  inherit (lib) mkIf;
   cfg = config.desktops.sway;
 in {
   config = mkIf cfg.enable {
diff --git a/system/fingerprint.nix b/system/fingerprint.nix
index 1fe0560..02b0e75 100644
--- a/system/fingerprint.nix
+++ b/system/fingerprint.nix
@@ -1,6 +1,5 @@
 {
   lib,
-  pkgs,
   config,
   inputs,
   system,
diff --git a/system/gaming/default.nix b/system/gaming/default.nix
index acb0a1f..734ece0 100644
--- a/system/gaming/default.nix
+++ b/system/gaming/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
   imports = [
     ./steam.nix
   ];
diff --git a/system/hardened.nix b/system/hardened.nix
new file mode 100644
index 0000000..223b358
--- /dev/null
+++ b/system/hardened.nix
@@ -0,0 +1,58 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}: let
+  inherit (lib) mkIf;
+in {
+  imports = [
+    inputs.nix-mineral.nixosModules.nix-mineral
+  ];
+
+  config = mkIf config.hardened {
+    nix-mineral = {
+      enable = true;
+      settings = {
+        debug = {
+          coredump = true;
+          zram = false;
+        };
+        network = {
+          icmp = {
+            cast = true;
+            ignore-all = false;
+          };
+        };
+        kernel = {
+          cpu-mitigations = "smt-on";
+          io-uring = true;
+          lockdown = true;
+          only-signed-modules = true;
+          pti = true;
+          sysrq = "none";
+        };
+        system = {
+          yama = "relaxed";
+        };
+      };
+      extras = {
+        kernel = {
+          intelme-kmodules = false;
+        };
+        system = {
+          secure-chrony = true;
+          unprivileged-userns = false;
+        };
+      };
+      filesystems = {
+        normal = {
+          # let me run shell scripts
+          # please and thank you
+          "/home".options.noexec = lib.mkForce false;
+          "/etc".options.noexec = lib.mkForce true;
+        };
+      };
+    };
+  };
+}
diff --git a/system/virt/default.nix b/system/virt/default.nix
index d37b637..3b422be 100644
--- a/system/virt/default.nix
+++ b/system/virt/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
   imports = [
     ./docker.nix
     ./qemu.nix
diff --git a/system/virt/docker.nix b/system/virt/docker.nix
index 97c57ad..9dcb7e2 100644
--- a/system/virt/docker.nix
+++ b/system/virt/docker.nix
@@ -1,7 +1,6 @@
 {
   lib,
   config,
-  pkgs,
   ...
 }: let
   inherit (lib) mkIf;
diff --git a/system/virt/qemu.nix b/system/virt/qemu.nix
index 6c068e4..64ad8c6 100644
--- a/system/virt/qemu.nix
+++ b/system/virt/qemu.nix
@@ -17,5 +17,9 @@ in {
     environment.systemPackages = with pkgs; [
       qemu
     ];
+
+    networking.firewall.trustedInterfaces = [
+      "virbr0"
+    ];
   };
 }
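Review bot: The sudo switch in the last hunk of system/default.nix carries only the comment `# sudo`, so neither the reason for replacing sudo with sudo-rs nor the effect of `execWheelOnly = true` (only members of wheel may invoke sudo-rs at all) is recorded next to the lines that cause it. Any rules this configuration declares under `security.sudo.*` elsewhere (`extraRules`, `wheelNeedsPassword`) stop applying once `security.sudo.enable = false` and would need to be mirrored under `security.sudo-rs`; that is inferred, since the rest of the configuration is not in this diff. A comment such as `# sudo-rs replaces sudo; execWheelOnly limits it to the wheel group, so every admin account must be in wheel` would make the lockout condition explicit.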
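Review bot: The `"cnijfilter2"` entry added to `unfreePackages` in the last hunk of system/desktop.nix allowlists an unfree package that the printing hunk of the same file keeps commented out behind `# FIXME: failes to compile`, so the allowance is live while the driver is not. Keep the allowlist entry commented out alongside the driver until the build is fixed, or drop it, so the unfree gate only covers packages actually present in `services.printing.drivers`. The FIXME would be easier to act on if it recorded the failure and the paired entry, e.g. `# FIXME: cnijfilter2 fails to build (<error summary placeholder>); re-enable together with its unfreePackages entry`.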
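Review bot: system/hardened.nix has no header comment, and the only rationale in the file is the two-line note on the `/home` noexec override; a reader cannot tell what `config.hardened` gates or why the nix-mineral defaults are overridden for `cpu-mitigations = "smt-on"`, `io-uring = true`, `sysrq = "none"`, `yama = "relaxed"` and `unprivileged-userns = false`. If those option names mean what they suggest, each one loosens a hardening default (SMT left on despite cross-thread side channels, a wider ptrace scope, io_uring exposed), and without a why-comment the next reader cannot distinguish a deliberate usability trade-off from a typo. Add a module header such as `# Opt-in hardening profile built on nix-mineral, gated by config.hardened; every setting below that loosens a nix-mineral default is a deliberate trade-off and says why` and a one-line reason on each loosening override. Whether nix-mineral's `filesystems.normal` treats `/etc` as a mount it manages is not visible here, so the `"/etc".options.noexec = lib.mkForce true` line also deserves a comment saying what it is expected to apply to.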
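Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ]` in system/virt/qemu.nix exempts every packet arriving on the libvirt bridge from host firewall filtering, so any guest on that bridge can reach every port the host listens on rather than just the DHCP/DNS that libvirt's dnsmasq typically serves there. If the intent is only to let guests obtain addresses and resolve names, the narrower form is `networking.firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 ];` (plus TCP 53 if needed), and whichever form is kept deserves a comment naming the guest-to-host services it is meant to allow. The enclosing attribute set starts outside the hunk.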