move around security

Signed-off-by: unexplrd <unexplrd@linerds.us>

modules/nixos/system/default.nix

@@ -2,8 +2,6 @@
   imports = [
     ./common.nix
     ./misc
-    ./security
     ./virtual
-    ./wireless
   ];
 }

modules/nixos/system/misc/locale.nix

@@ -4,12 +4,13 @@
   ...
 }: let
   inherit (lib) mkIf mkEnableOption;
+  cfg = config.locale.ukrainian;
 in {
   options = {
     locale.ukrainian.enable =
       mkEnableOption "enables ukrainian locale";
   };
-  config = mkIf config.locale.ukrainian.enable {
+  config = mkIf cfg.enable {
     i18n = let
       locale = "uk_UA.UTF-8";
     in {

modules/nixos/system/misc/mullvad-vpn.nix

@@ -1,6 +0,0 @@
-{pkgs, ...}: {
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
-  };
-}

modules/nixos/system/security/basic.nix

@@ -1,90 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption mkDefault;
-  cfg = config.security.basic;
-in {
-  options = {
-    security.basic.enable =
-      mkEnableOption "enable basic security";
-  };
-  config = mkIf cfg.enable {
-    security = {
-      sudo.enable = false;
-      # doas.enable = true;
-      sudo-rs = {
-        enable = true;
-        execWheelOnly = true;
-      };
-      polkit.enable = true;
-      polkit.extraConfig = ''
-        polkit.addRule(function(action, subject) {
-          if (
-            subject.isInGroup("users")
-              && (
-                action.id == "org.freedesktop.login1.reboot" ||
-                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
-                action.id == "org.freedesktop.login1.power-off" ||
-                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
-              )
-            )
-          {
-            return polkit.Result.YES;
-          }
-        });
-      '';
-      apparmor.enable = mkDefault true;
-    };
-
-    environment.systemPackages = with pkgs; [
-      (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
-    ];
-
-    services.dbus = {
-      apparmor = "enabled";
-      implementation = "broker";
-    };
-    services.ntpd-rs = {
-      enable = true;
-      #settings = {
-      #  server = {
-      #    require-nts = true;
-      #  };
-      #};
-    };
-
-    boot.blacklistedKernelModules = [
-      # Obscure network protocols
-      "ax25"
-      "netrom"
-      "rose"
-      # Old or rare or insufficiently audited filesystems
-      "adfs"
-      "affs"
-      "bfs"
-      "befs"
-      "cramfs"
-      "efs"
-      "erofs"
-      "exofs"
-      "freevxfs"
-      "f2fs"
-      "hfs"
-      "hpfs"
-      "jfs"
-      "minix"
-      "nilfs2"
-      "ntfs"
-      "omfs"
-      "qnx4"
-      "qnx6"
-      "sysv"
-      "ufs"
-    ];
-
-    nix.settings.allowed-users = mkDefault ["@users"];
-  };
-}

modules/nixos/system/security/default.nix

@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./basic.nix
-    ./extensive.nix
-    ./dnscrypt-proxy.nix
-  ];
-}

modules/nixos/system/security/dnscrypt-proxy.nix

@@ -1,49 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; {
-  options = {
-    security.dnscrypt-proxy.enable =
-      mkEnableOption "enable dnscrypt-proxy";
-  };
-  config = mkIf config.security.dnscrypt-proxy.enable {
-    networking = {
-      nameservers = ["127.0.0.1" "::1"];
-      # If using dhcpcd:
-      dhcpcd.extraConfig = "nohook resolv.conf";
-      # If using NetworkManager:
-      networkmanager.dns = "none";
-    };
-
-    # Make sure you don't have services.resolved.enable on.
-    services.dnscrypt-proxy2 = {
-      enable = true;
-      settings = {
-        ipv6_servers = false;
-        require_dnssec = true;
-
-        sources.public-resolvers = {
-          urls = [
-            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-          ];
-          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
-        };
-
-        # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        server_names = [
-          #"quad9-dnscrypt-ip4-filter-pri"
-          "cloudflare"
-        ];
-      };
-    };
-
-    systemd.services.dnscrypt-proxy2.serviceConfig = {
-      StateDirectory = "dnscrypt-proxy";
-    };
-  };
-}

modules/nixos/system/security/extensive.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.security.extensive;
-in {
-  options = {
-    security.extensive.enable =
-      mkEnableOption "enable extensive security";
-  };
-  config = mkIf cfg.enable {
-    security.basic.enable = true;
-
-    environment.memoryAllocator.provider = mkDefault "scudo";
-    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
-    security = {
-      lockKernelModules = mkDefault false;
-      protectKernelImage = mkDefault true;
-      # allowSimultaneousMultithreading = mkDefault false;
-      forcePageTableIsolation = mkDefault true;
-      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-      virtualisation.flushL1DataCache = mkDefault "always";
-      apparmor.enable = mkDefault true;
-      apparmor.killUnconfinedConfinables = mkDefault true;
-    };
-
-    boot.kernel.sysctl = {
-      # Hide kptrs even for processes with CAP_SYSLOG
-      "kernel.kptr_restrict" = mkOverride 500 2;
-      # Disable bpf() JIT (to eliminate spray attacks)
-      "net.core.bpf_jit_enable" = mkDefault false;
-      # Disable ftrace debugging
-      "kernel.ftrace_enabled" = mkDefault false;
-    };
-
-    boot.kernel.sysctl = {
-      # Enable strict reverse path filtering (that is, do not attempt to route
-      # packets that "obviously" do not belong to the iface's network; dropped
-      # packets are logged as martians).
-      "net.ipv4.conf.all.log_martians" = mkDefault true;
-      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-      "net.ipv4.conf.default.log_martians" = mkDefault true;
-      "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-      # Ignore broadcast ICMP (mitigate SMURF)
-      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-
-      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-      # setting is applied to interfaces added after the sysctls are set)
-      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
-      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
-      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv6.conf.default.accept_redirects" = mkDefault false;
-
-      # Ignore outgoing ICMP redirects (this is ipv4 only)
-      "net.ipv4.conf.all.send_redirects" = mkDefault false;
-      "net.ipv4.conf.default.send_redirects" = mkDefault false;
-    };
-  };
-}

modules/nixos/system/wireless/bluetooth.nix

@@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.wireless.bluetooth;
-in {
-  options = {
-    wireless.bluetooth = {
-      enable = mkEnableOption "enable bluetooth";
-      enableBlueman = mkEnableOption "enable bluetooth manager";
-    };
-  };
-  config = mkIf cfg.enable {
-    hardware.bluetooth.enable = true;
-    hardware.bluetooth.powerOnBoot = true;
-    services.blueman.enable = cfg.enableBlueman;
-  };
-}

modules/nixos/system/wireless/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./bluetooth.nix
-  ];
-}