move around security

Signed-off-by: unexplrd <unexplrd@linerds.us>

hosts/dunamis/configuration.nix

@@ -38,7 +38,6 @@
   locale.ukrainian.enable = true;
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
-  security.basic.enable = true;
   virtual.libvirt.enable = true;
 
   nix = let

hosts/eldrid/configuration.nix

@@ -33,7 +33,6 @@
   locale.ukrainian.enable = true;
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
-  security.basic.enable = true;
   virtual.libvirt.enable = false;
 
   swapDevices = [

hosts/legion/configuration.nix

@@ -23,7 +23,7 @@
   };
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
-  security.basic.enable = true;
+
   system.stateVersion = "25.05";
   time.timeZone = "Europe/Kyiv";
   virtual.libvirt.enable = true;

hosts/sarien/configuration.nix

@@ -35,6 +35,5 @@
   locale.ukrainian.enable = true;
   opentabletdriver.enable = false;
   qmk-vial.enable = true;
-  security.basic.enable = true;
   virtual.libvirt.enable = true;
 }

modules/nixos/config/boot/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   inputs,
   pkgs,
   ...
@@ -13,21 +12,6 @@
     plymouth.enable = true;
     consoleLogLevel = 0;
     kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
     initrd = {
       systemd.enable = true;
       systemd.tpm2.enable = false;

modules/nixos/config/default.nix

@@ -13,6 +13,7 @@ in {
     ./hardware
     ./networking
     ./nix
+    ./security
     ./programs.nix
     ./services.nix
     ./users.nix

modules/nixos/config/nix/default.nix

@@ -2,6 +2,5 @@
   imports = [
     ./common.nix
     ./substituters.nix
-    # ./ssh-serve.nix
   ];
 }

modules/nixos/config/nix/distributed-build.nix

@@ -1,30 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (builtins) readFile;
-  inherit (config.networking) hostName;
-  inherit (config.sops) secrets;
-  inherit (inputs) mysecrets;
-  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-in {
-  nix = {
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "dunamis";
-        publicHostKey = pubHost;
-        sshKey = secrets."ssh-${hostName}-user".path;
-        sshUser = "nix-ssh";
-        supportedFeatures = [
-          "benchmark"
-          "big-parallel"
-          "kvm"
-          "nixos-test"
-        ];
-        system = "x86_64-linux";
-      }
-    ];
-  };
-}

modules/nixos/config/nix/ssh-serve.nix

@@ -1,11 +0,0 @@
-{config, ...}: let
-  inherit (builtins) readFile;
-  inherit (config.users.users) user;
-in {
-  nix.settings.trusted-users = ["nix-ssh"];
-  nix.sshServe = {
-    enable = true;
-    write = true;
-    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-  };
-}

modules/nixos/config/security/default.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkDefault;
+in {
+  security = {
+    sudo.enable = false;
+    # doas.enable = true;
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+    };
+    polkit.enable = true;
+    polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (
+          subject.isInGroup("users")
+            && (
+              action.id == "org.freedesktop.login1.reboot" ||
+              action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+              action.id == "org.freedesktop.login1.power-off" ||
+              action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+            )
+          )
+        {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    apparmor.enable = mkDefault true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
+  ];
+
+  services.dbus = {
+    apparmor = "enabled";
+    implementation = "broker";
+  };
+  services.ntpd-rs = {
+    enable = true;
+    #settings = {
+    #  server = {
+    #    require-nts = true;
+    #  };
+    #};
+  };
+
+  boot.kernelParams = [
+    "amd_iommu=force_isolation"
+    "debugfs=off"
+    "efi=disable_early_pci_dma"
+    "gather_data_sampling=force"
+    "intel_iommu=on"
+    "iommu.passthrough=0"
+    "iommu.strict=1"
+    "iommu=force"
+    "page_alloc.shuffle=1"
+    "vsyscall=none"
+    # "ia32_emulation=0"
+    # "lockdown=confidentiality"
+    # "module.sig_enforce=1"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
+  ];
+
+  nix.settings.allowed-users = mkDefault ["@users"];
+}

modules/nixos/system/default.nix

@@ -2,8 +2,6 @@
   imports = [
     ./common.nix
     ./misc
-    ./security
     ./virtual
-    ./wireless
   ];
 }

modules/nixos/system/misc/locale.nix

@@ -4,12 +4,13 @@
   ...
 }: let
   inherit (lib) mkIf mkEnableOption;
+  cfg = config.locale.ukrainian;
 in {
   options = {
     locale.ukrainian.enable =
       mkEnableOption "enables ukrainian locale";
   };
-  config = mkIf config.locale.ukrainian.enable {
+  config = mkIf cfg.enable {
     i18n = let
       locale = "uk_UA.UTF-8";
     in {

modules/nixos/system/misc/mullvad-vpn.nix

@@ -1,6 +0,0 @@
-{pkgs, ...}: {
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
-  };
-}

modules/nixos/system/security/basic.nix

@@ -1,90 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption mkDefault;
-  cfg = config.security.basic;
-in {
-  options = {
-    security.basic.enable =
-      mkEnableOption "enable basic security";
-  };
-  config = mkIf cfg.enable {
-    security = {
-      sudo.enable = false;
-      # doas.enable = true;
-      sudo-rs = {
-        enable = true;
-        execWheelOnly = true;
-      };
-      polkit.enable = true;
-      polkit.extraConfig = ''
-        polkit.addRule(function(action, subject) {
-          if (
-            subject.isInGroup("users")
-              && (
-                action.id == "org.freedesktop.login1.reboot" ||
-                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
-                action.id == "org.freedesktop.login1.power-off" ||
-                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
-              )
-            )
-          {
-            return polkit.Result.YES;
-          }
-        });
-      '';
-      apparmor.enable = mkDefault true;
-    };
-
-    environment.systemPackages = with pkgs; [
-      (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
-    ];
-
-    services.dbus = {
-      apparmor = "enabled";
-      implementation = "broker";
-    };
-    services.ntpd-rs = {
-      enable = true;
-      #settings = {
-      #  server = {
-      #    require-nts = true;
-      #  };
-      #};
-    };
-
-    boot.blacklistedKernelModules = [
-      # Obscure network protocols
-      "ax25"
-      "netrom"
-      "rose"
-      # Old or rare or insufficiently audited filesystems
-      "adfs"
-      "affs"
-      "bfs"
-      "befs"
-      "cramfs"
-      "efs"
-      "erofs"
-      "exofs"
-      "freevxfs"
-      "f2fs"
-      "hfs"
-      "hpfs"
-      "jfs"
-      "minix"
-      "nilfs2"
-      "ntfs"
-      "omfs"
-      "qnx4"
-      "qnx6"
-      "sysv"
-      "ufs"
-    ];
-
-    nix.settings.allowed-users = mkDefault ["@users"];
-  };
-}

modules/nixos/system/security/default.nix

@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./basic.nix
-    ./extensive.nix
-    ./dnscrypt-proxy.nix
-  ];
-}

modules/nixos/system/security/dnscrypt-proxy.nix

@@ -1,49 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; {
-  options = {
-    security.dnscrypt-proxy.enable =
-      mkEnableOption "enable dnscrypt-proxy";
-  };
-  config = mkIf config.security.dnscrypt-proxy.enable {
-    networking = {
-      nameservers = ["127.0.0.1" "::1"];
-      # If using dhcpcd:
-      dhcpcd.extraConfig = "nohook resolv.conf";
-      # If using NetworkManager:
-      networkmanager.dns = "none";
-    };
-
-    # Make sure you don't have services.resolved.enable on.
-    services.dnscrypt-proxy2 = {
-      enable = true;
-      settings = {
-        ipv6_servers = false;
-        require_dnssec = true;
-
-        sources.public-resolvers = {
-          urls = [
-            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-          ];
-          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
-        };
-
-        # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        server_names = [
-          #"quad9-dnscrypt-ip4-filter-pri"
-          "cloudflare"
-        ];
-      };
-    };
-
-    systemd.services.dnscrypt-proxy2.serviceConfig = {
-      StateDirectory = "dnscrypt-proxy";
-    };
-  };
-}

modules/nixos/system/security/extensive.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.security.extensive;
-in {
-  options = {
-    security.extensive.enable =
-      mkEnableOption "enable extensive security";
-  };
-  config = mkIf cfg.enable {
-    security.basic.enable = true;
-
-    environment.memoryAllocator.provider = mkDefault "scudo";
-    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
-    security = {
-      lockKernelModules = mkDefault false;
-      protectKernelImage = mkDefault true;
-      # allowSimultaneousMultithreading = mkDefault false;
-      forcePageTableIsolation = mkDefault true;
-      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-      virtualisation.flushL1DataCache = mkDefault "always";
-      apparmor.enable = mkDefault true;
-      apparmor.killUnconfinedConfinables = mkDefault true;
-    };
-
-    boot.kernel.sysctl = {
-      # Hide kptrs even for processes with CAP_SYSLOG
-      "kernel.kptr_restrict" = mkOverride 500 2;
-      # Disable bpf() JIT (to eliminate spray attacks)
-      "net.core.bpf_jit_enable" = mkDefault false;
-      # Disable ftrace debugging
-      "kernel.ftrace_enabled" = mkDefault false;
-    };
-
-    boot.kernel.sysctl = {
-      # Enable strict reverse path filtering (that is, do not attempt to route
-      # packets that "obviously" do not belong to the iface's network; dropped
-      # packets are logged as martians).
-      "net.ipv4.conf.all.log_martians" = mkDefault true;
-      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-      "net.ipv4.conf.default.log_martians" = mkDefault true;
-      "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-      # Ignore broadcast ICMP (mitigate SMURF)
-      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-
-      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-      # setting is applied to interfaces added after the sysctls are set)
-      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
-      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
-      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv6.conf.default.accept_redirects" = mkDefault false;
-
-      # Ignore outgoing ICMP redirects (this is ipv4 only)
-      "net.ipv4.conf.all.send_redirects" = mkDefault false;
-      "net.ipv4.conf.default.send_redirects" = mkDefault false;
-    };
-  };
-}

modules/nixos/system/wireless/bluetooth.nix

@@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.wireless.bluetooth;
-in {
-  options = {
-    wireless.bluetooth = {
-      enable = mkEnableOption "enable bluetooth";
-      enableBlueman = mkEnableOption "enable bluetooth manager";
-    };
-  };
-  config = mkIf cfg.enable {
-    hardware.bluetooth.enable = true;
-    hardware.bluetooth.powerOnBoot = true;
-    services.blueman.enable = cfg.enableBlueman;
-  };
-}

modules/nixos/system/wireless/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./bluetooth.nix
-  ];
-}