diff --git a/hosts/dunamis/configuration.nix b/hosts/dunamis/configuration.nix
index 3e8911f..f7799f3 100644
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@@ -38,7 +38,6 @@
 locale.ukrainian.enable = true;
 opentabletdriver.enable = false;
 qmk-vial.enable = true;
- security.basic.enable = true;
 virtual.libvirt.enable = true;
 nix = let
diff --git a/hosts/eldrid/configuration.nix b/hosts/eldrid/configuration.nix
index 37650c1..5079c41 100644
--- a/hosts/eldrid/configuration.nix
+++ b/hosts/eldrid/configuration.nix
@@ -33,7 +33,6 @@
 locale.ukrainian.enable = true;
 opentabletdriver.enable = false;
 qmk-vial.enable = true;
- security.basic.enable = true;
 virtual.libvirt.enable = false;
 swapDevices = [
diff --git a/hosts/legion/configuration.nix b/hosts/legion/configuration.nix
index d7e7feb..831b3d6 100644
--- a/hosts/legion/configuration.nix
+++ b/hosts/legion/configuration.nix
@@ -23,7 +23,7 @@
 };
 opentabletdriver.enable = false;
 qmk-vial.enable = true;
- security.basic.enable = true;
+ system.stateVersion = "25.05";
 time.timeZone = "Europe/Kyiv";
 virtual.libvirt.enable = true;
diff --git a/hosts/sarien/configuration.nix b/hosts/sarien/configuration.nix
index 6f9c755..81be10b 100644
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@@ -35,6 +35,5 @@
 locale.ukrainian.enable = true;
 opentabletdriver.enable = false;
 qmk-vial.enable = true;
- security.basic.enable = true;
 virtual.libvirt.enable = true;
 }
diff --git a/modules/nixos/config/boot/default.nix b/modules/nixos/config/boot/default.nix
index 2b40eb5..89c9042 100644
--- a/modules/nixos/config/boot/default.nix
+++ b/modules/nixos/config/boot/default.nix
@@ -1,5 +1,4 @@
 {
- config,
 inputs,
 pkgs,
 ...
@@ -13,21 +12,6 @@
 plymouth.enable = true;
 consoleLogLevel = 0;
 kernelPackages = pkgs.linuxPackages_cachyos;
- kernelParams = [
- "amd_iommu=force_isolation"
- "debugfs=off"
- "efi=disable_early_pci_dma"
- "gather_data_sampling=force"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- "page_alloc.shuffle=1"
- "vsyscall=none"
- # "ia32_emulation=0"
- # "lockdown=confidentiality"
- # "module.sig_enforce=1"
- ];
 initrd = {
 systemd.enable = true;
 systemd.tpm2.enable = false;
diff --git a/modules/nixos/config/default.nix b/modules/nixos/config/default.nix
index 3d231ce..2a21626 100644
--- a/modules/nixos/config/default.nix
+++ b/modules/nixos/config/default.nix
@@ -13,6 +13,7 @@ in {
 ./hardware
 ./networking
 ./nix
+ ./security
 ./programs.nix
 ./services.nix
 ./users.nix
diff --git a/modules/nixos/config/nix/default.nix b/modules/nixos/config/nix/default.nix
index 6131d4d..8337c0f 100644
--- a/modules/nixos/config/nix/default.nix
+++ b/modules/nixos/config/nix/default.nix
@@ -2,6 +2,5 @@
 imports = [
 ./common.nix
 ./substituters.nix
- # ./ssh-serve.nix
 ];
 }
diff --git a/modules/nixos/config/nix/distributed-build.nix b/modules/nixos/config/nix/distributed-build.nix
deleted file mode 100644
index b093581..0000000
--- a/modules/nixos/config/nix/distributed-build.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- inputs,
- ...
-}: let
- inherit (builtins) readFile;
- inherit (config.networking) hostName;
- inherit (config.sops) secrets;
- inherit (inputs) mysecrets;
- pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-in {
- nix = {
- distributedBuilds = true;
- buildMachines = [
- {
- hostName = "dunamis";
- publicHostKey = pubHost;
- sshKey = secrets."ssh-${hostName}-user".path;
- sshUser = "nix-ssh";
- supportedFeatures = [
- "benchmark"
- "big-parallel"
- "kvm"
- "nixos-test"
- ];
- system = "x86_64-linux";
- }
- ];
- };
-}
diff --git a/modules/nixos/config/nix/ssh-serve.nix b/modules/nixos/config/nix/ssh-serve.nix
deleted file mode 100644
index 1b270c1..0000000
--- a/modules/nixos/config/nix/ssh-serve.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{config, ...}: let
- inherit (builtins) readFile;
- inherit (config.users.users) user;
-in {
- nix.settings.trusted-users = ["nix-ssh"];
- nix.sshServe = {
- enable = true;
- write = true;
- keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
- };
-}
diff --git a/modules/nixos/config/security/default.nix b/modules/nixos/config/security/default.nix
new file mode 100644
index 0000000..7253e22
--- /dev/null
+++ b/modules/nixos/config/security/default.nix
@@ -0,0 +1,99 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkIf mkDefault;
+in {
+ security = {
+ sudo.enable = false;
+ # doas.enable = true;
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ };
+ polkit.enable = true;
+ polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.isInGroup("users")
+ && (
+ action.id == "org.freedesktop.login1.reboot" ||
+ action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.power-off" ||
+ action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+ )
+ )
+ {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ apparmor.enable = mkDefault true;
+ };
+ environment.systemPackages = with pkgs; [
+ (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
+ ];
+ services.dbus = {
+ apparmor = "enabled";
+ implementation = "broker";
+ };
+ services.ntpd-rs = {
+ enable = true;
+ #settings = {
+ # server = {
+ # require-nts = true;
+ # };
+ #};
+ };
+ boot.kernelParams = [
+ "amd_iommu=force_isolation"
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ "gather_data_sampling=force"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ "page_alloc.shuffle=1"
+ "vsyscall=none"
+ # "ia32_emulation=0"
+ # "lockdown=confidentiality"
+ # "module.sig_enforce=1"
+ ];
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+ nix.settings.allowed-users = mkDefault ["@users"];
+}
diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix
index 71a78b0..737257f 100644
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
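Review bot: The new module applies unconditionally, replacing the `security.basic.enable` toggle, but the options defined by the deleted `extensive.nix`, `dnscrypt-proxy.nix` and `wireless/bluetooth.nix` (`security.extensive.enable`, `security.dnscrypt-proxy.enable`, `wireless.bluetooth.enable`, `wireless.bluetooth.enableBlueman`) disappear with them, so any host or module outside this diff that still sets one will fail evaluation with an undefined-option error; the visible host hunks only drop `security.basic.enable`, so the other names are worth searching for before merging. The `services.ntpd-rs` block carries over `require-nts` commented out, so time synchronisation remains unauthenticated; either enable it or record the reason above the block, e.g. `# NTS not required: <reason>`. The polkit rule grants `reboot-multiple-sessions` and `power-off-multiple-sessions` to every member of `users`, which lets one local user shut the machine down while others are logged in; if that is intended, a comment saying so saves the next reader a check. A one-line header such as `# Baseline hardening applied to every host; mkDefault values may be overridden per host.` would also replace the option description that `basic.nix` used to carry.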
@@ -2,8 +2,6 @@
 imports = [
 ./common.nix
 ./misc
- ./security
 ./virtual
- ./wireless
 ];
 }
diff --git a/modules/nixos/system/misc/locale.nix b/modules/nixos/system/misc/locale.nix
index 06bbb72..280a52c 100644
--- a/modules/nixos/system/misc/locale.nix
+++ b/modules/nixos/system/misc/locale.nix
@@ -4,12 +4,13 @@
 ...
 }: let
 inherit (lib) mkIf mkEnableOption;
+ cfg = config.locale.ukrainian;
 in {
 options = {
 locale.ukrainian.enable = mkEnableOption "enables ukrainian locale";
 };
- config = mkIf config.locale.ukrainian.enable {
+ config = mkIf cfg.enable {
 i18n = let
 locale = "uk_UA.UTF-8";
 in {
diff --git a/modules/nixos/system/misc/mullvad-vpn.nix b/modules/nixos/system/misc/mullvad-vpn.nix
deleted file mode 100644
index 31d3c05..0000000
--- a/modules/nixos/system/misc/mullvad-vpn.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{pkgs, ...}: {
- services.mullvad-vpn = {
- enable = true;
- package = pkgs.mullvad-vpn;
- };
-}
diff --git a/modules/nixos/system/security/basic.nix b/modules/nixos/system/security/basic.nix
deleted file mode 100644
index 3c508a2..0000000
--- a/modules/nixos/system/security/basic.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkIf mkEnableOption mkDefault;
- cfg = config.security.basic;
-in {
- options = {
- security.basic.enable =
- mkEnableOption "enable basic security";
- };
- config = mkIf cfg.enable {
- security = {
- sudo.enable = false;
- # doas.enable = true;
- sudo-rs = {
- enable = true;
- execWheelOnly = true;
- };
- polkit.enable = true;
- polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (
- subject.isInGroup("users")
- && (
- action.id == "org.freedesktop.login1.reboot" ||
- action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
- action.id == "org.freedesktop.login1.power-off" ||
- action.id == "org.freedesktop.login1.power-off-multiple-sessions"
- )
- )
- {
- return polkit.Result.YES;
- }
- });
- '';
- apparmor.enable = mkDefault true;
- };
- environment.systemPackages = with pkgs; [
- (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
- ];
- services.dbus = {
- apparmor = "enabled";
- implementation = "broker";
- };
- services.ntpd-rs = {
- enable = true;
- #settings = {
- # server = {
- # require-nts = true;
- # };
- #};
- };
- boot.blacklistedKernelModules = [
- # Obscure network protocols
- "ax25"
- "netrom"
- "rose"
- # Old or rare or insufficiently audited filesystems
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
- ];
- nix.settings.allowed-users = mkDefault ["@users"];
- };
-}
diff --git a/modules/nixos/system/security/default.nix b/modules/nixos/system/security/default.nix
deleted file mode 100644
index aee351c..0000000
--- a/modules/nixos/system/security/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./basic.nix
- ./extensive.nix
- ./dnscrypt-proxy.nix
- ];
-}
diff --git a/modules/nixos/system/security/dnscrypt-proxy.nix b/modules/nixos/system/security/dnscrypt-proxy.nix
deleted file mode 100644
index 4dd9aa9..0000000
--- a/modules/nixos/system/security/dnscrypt-proxy.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- pkgs,
- config,
- lib,
- ...
-}:
-with lib; {
- options = {
- security.dnscrypt-proxy.enable =
- mkEnableOption "enable dnscrypt-proxy";
- };
- config = mkIf config.security.dnscrypt-proxy.enable {
- networking = {
- nameservers = ["127.0.0.1" "::1"];
- # If using dhcpcd:
- dhcpcd.extraConfig = "nohook resolv.conf";
- # If using NetworkManager:
- networkmanager.dns = "none";
- };
- # Make sure you don't have services.resolved.enable on.
- services.dnscrypt-proxy2 = {
- enable = true;
- settings = {
- ipv6_servers = false;
- require_dnssec = true;
- sources.public-resolvers = {
- urls = [
- "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
- "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
- ];
- cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
- minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
- };
- # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
- server_names = [
- #"quad9-dnscrypt-ip4-filter-pri"
- "cloudflare"
- ];
- };
- };
- systemd.services.dnscrypt-proxy2.serviceConfig = {
- StateDirectory = "dnscrypt-proxy";
- };
- };
-}
diff --git a/modules/nixos/system/security/extensive.nix b/modules/nixos/system/security/extensive.nix
deleted file mode 100644
index bc14ba3..0000000
--- a/modules/nixos/system/security/extensive.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- pkgs,
- config,
- lib,
- ...
-}:
-with lib; let
- cfg = config.security.extensive;
-in {
- options = {
- security.extensive.enable =
- mkEnableOption "enable extensive security";
- };
- config = mkIf cfg.enable {
- security.basic.enable = true;
- environment.memoryAllocator.provider = mkDefault "scudo";
- environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
- security = {
- lockKernelModules = mkDefault false;
- protectKernelImage = mkDefault true;
- # allowSimultaneousMultithreading = mkDefault false;
- forcePageTableIsolation = mkDefault true;
- unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
- virtualisation.flushL1DataCache = mkDefault "always";
- apparmor.enable = mkDefault true;
- apparmor.killUnconfinedConfinables = mkDefault true;
- };
- boot.kernel.sysctl = {
- # Hide kptrs even for processes with CAP_SYSLOG
- "kernel.kptr_restrict" = mkOverride 500 2;
- # Disable bpf() JIT (to eliminate spray attacks)
- "net.core.bpf_jit_enable" = mkDefault false;
- # Disable ftrace debugging
- "kernel.ftrace_enabled" = mkDefault false;
- };
- boot.kernel.sysctl = {
- # Enable strict reverse path filtering (that is, do not attempt to route
- # packets that "obviously" do not belong to the iface's network; dropped
- # packets are logged as martians).
- "net.ipv4.conf.all.log_martians" = mkDefault true;
- "net.ipv4.conf.all.rp_filter" = mkDefault "1";
- "net.ipv4.conf.default.log_martians" = mkDefault true;
- "net.ipv4.conf.default.rp_filter" = mkDefault "1";
- # Ignore broadcast ICMP (mitigate SMURF)
- "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
- # Ignore incoming ICMP redirects (note: default is needed to ensure that the
- # setting is applied to interfaces added after the sysctls are set)
- "net.ipv4.conf.all.accept_redirects" = mkDefault false;
- "net.ipv4.conf.all.secure_redirects" = mkDefault false;
- "net.ipv4.conf.default.accept_redirects" = mkDefault false;
- "net.ipv4.conf.default.secure_redirects" = mkDefault false;
- "net.ipv6.conf.all.accept_redirects" = mkDefault false;
- "net.ipv6.conf.default.accept_redirects" = mkDefault false;
- # Ignore outgoing ICMP redirects (this is ipv4 only)
- "net.ipv4.conf.all.send_redirects" = mkDefault false;
- "net.ipv4.conf.default.send_redirects" = mkDefault false;
- };
- };
-}
diff --git a/modules/nixos/system/wireless/bluetooth.nix b/modules/nixos/system/wireless/bluetooth.nix
deleted file mode 100644
index 1bc280f..0000000
--- a/modules/nixos/system/wireless/bluetooth.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- lib,
- config,
- ...
-}:
-with lib; let
- cfg = config.wireless.bluetooth;
-in {
- options = {
- wireless.bluetooth = {
- enable = mkEnableOption "enable bluetooth";
- enableBlueman = mkEnableOption "enable bluetooth manager";
- };
- };
- config = mkIf cfg.enable {
- hardware.bluetooth.enable = true;
- hardware.bluetooth.powerOnBoot = true;
- services.blueman.enable = cfg.enableBlueman;
- };
-}
diff --git a/modules/nixos/system/wireless/default.nix b/modules/nixos/system/wireless/default.nix
deleted file mode 100644
index 4dcd8fa..0000000
--- a/modules/nixos/system/wireless/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ./bluetooth.nix
- ];
-}