From a970493019c681c966ca64dba570d36c12a27efb Mon Sep 17 00:00:00 2001 From: Tasia Iso Date: Tue, 23 Apr 2024 16:19:33 +0200 Subject: [PATCH] awawa --- common/base.nix | 20 ++++++++++--------- common/components/bootloader.nix | 20 +++++++++++-------- common/components/de/plasma-packages.nix | 1 + common/components/printing.nix | 2 +- common/components/security.nix | 10 +++++++++- common/components/sound.nix | 4 ++-- common/full-install.nix | 2 +- common/hardware/tpm2.nix | 8 +++++--- common/programs/zsh.nix | 2 ++ common/services/adguardhome.nix | 1 + common/services/sshd.nix | 3 +-- common/services/syncthing.nix | 1 + common/services/usbguard.nix | 15 ++++++++------ .../tailscale-acl.jsonc | 0 14 files changed, 56 insertions(+), 33 deletions(-) rename tailscale-acl.jsonc => stuff/tailscale-acl.jsonc (100%) diff --git a/common/base.nix b/common/base.nix index 6da8fff..37c72c7 100644 --- a/common/base.nix +++ b/common/base.nix @@ -27,6 +27,8 @@ experimental-features = "nix-command flakes"; # Deduplicate and optimize nix store auto-optimise-store = true; + + warn-dirty = false; }; # This will add each flake input as a registry @@ -55,16 +57,16 @@ # Unfree packages that can be installes regardless of the mchine's fre software policy config.allowUnfreePredicate = pkg: - builtins.elem (lib.getName pkg) [ - # Steam - "steam" - "steam-original" - "steam-run" + builtins.elem (lib.getName pkg) [ + # Steam + "steam" + "steam-original" + "steam-run" - # Nvidia drivers - "nvidia-x11" - "nvidia-settings" - ]; + # Nvidia drivers + "nvidia-x11" + "nvidia-settings" + ]; }; # Some programs need SUID wrappers, can be configured further or are diff --git a/common/components/bootloader.nix b/common/components/bootloader.nix index cb33e6f..035e5ec 100644 --- a/common/components/bootloader.nix +++ b/common/components/bootloader.nix 
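Review bot: Setting `warn-dirty = false` in the `nix.settings` block silences the only signal that a `nixos-rebuild` was done from an uncommitted tree, which is what lets you tie a running system back to a specific revision of this repo later. If the warning is noise because of a workflow reason, record that next to the line rather than leaving a bare flag: `warn-dirty = false; # dirty-tree warning silenced on purpose: <reason>`. Otherwise keep the default and commit before rebuilding. The second base.nix hunk is indentation-only and needs no review.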
@@ -1,15 +1,19 @@ { - boot.loader = { - systemd-boot = { - enable = true; - editor = false; - }; + boot = { + loader = { + systemd-boot = { + enable = true; + editor = false; + }; - efi.canTouchEfiVariables = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + enable = true; + systemd.enable = true; + }; }; - boot.initrd.enable = true; - boot.initrd.systemd.enable = true; # boot.plymouth = { # enable = true; # font = "${pkgs.jetbrains-mono}/share/fonts/truetype/JetBrainsMono-Regular.ttf"; diff --git a/common/components/de/plasma-packages.nix b/common/components/de/plasma-packages.nix index 7c5ab5b..e80ab33 100644 --- a/common/components/de/plasma-packages.nix +++ b/common/components/de/plasma-packages.nix @@ -2,6 +2,7 @@ environment.systemPackages = with pkgs; [ # See ./plasma6.nix ksshaskpass + aha libreoffice kleopatra diff --git a/common/components/printing.nix b/common/components/printing.nix index 771c5d7..3697cf9 100644 --- a/common/components/printing.nix +++ b/common/components/printing.nix @@ -1,4 +1,4 @@ { # Enable CUPS to print documents. services.printing.enable = true; -} \ No newline at end of file +} diff --git a/common/components/security.nix b/common/components/security.nix index 09b5625..31cdf4e 100644 --- a/common/components/security.nix +++ b/common/components/security.nix @@ -1,5 +1,13 @@ { # sudo and nix can only be used by the wheel group + nix.settings.allowed-users = ["@wheel"]; - security.sudo.execWheelOnly = true; + + security.sudo = { + enable = true; + execWheelOnly = true; + extraConfig = "Defaults insults"; + }; + + # services.fail2ban.enable = true; } diff --git a/common/components/sound.nix b/common/components/sound.nix index 3bd0919..82644c9 100644 --- a/common/components/sound.nix +++ b/common/components/sound.nix 
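Review bot: The new `# services.fail2ban.enable = true;` line in security.nix is dead config that leaves the hardening intent ambiguous, since this same patch enables an OpenSSH server in `common/services/sshd.nix`; either enable it or drop the line and state the decision in a comment. `nix.settings.allowed-users = ["@wheel"]` restricts which accounts may talk to the nix daemon (root is always permitted), so any non-wheel account that runs `nix` (for example a user-level activation or a build service, if present) will now be refused; worth a comment such as `# Only wheel (and root) may use the nix daemon; non-wheel accounts cannot run nix`. `extraConfig = "Defaults insults";` is cosmetic and has no security effect. The bootloader and plasma-packages hunks on this line are a restructure and a package addition respectively and raise nothing.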
@@ -3,11 +3,11 @@ sound.enable = true; hardware.pulseaudio.enable = false; security.rtkit.enable = true; - + services.pipewire = { enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; }; -} \ No newline at end of file +} diff --git a/common/full-install.nix b/common/full-install.nix index 0773af0..0e5bf4d 100644 --- a/common/full-install.nix +++ b/common/full-install.nix @@ -4,4 +4,4 @@ ./components/printing.nix ./components/packages-full.nix ]; -} \ No newline at end of file +} diff --git a/common/hardware/tpm2.nix b/common/hardware/tpm2.nix index e703b8e..68f6153 100644 --- a/common/hardware/tpm2.nix +++ b/common/hardware/tpm2.nix @@ -1,5 +1,7 @@ { - security.tpm2.enable = true; - security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so - security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + security.tpm2 = { + enable = true; + pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + }; } diff --git a/common/programs/zsh.nix b/common/programs/zsh.nix index 33dcc24..586d6be 100644 --- a/common/programs/zsh.nix +++ b/common/programs/zsh.nix @@ -7,6 +7,8 @@ shellAliases = { ll = "ls -al"; + done = "curl -d 'Done' ntfy.sh/tasiaiso_done"; + rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/nixos-config"; # .#hostname }; ohMyZsh = { diff --git a/common/services/adguardhome.nix b/common/services/adguardhome.nix index 25ad939..96e7d02 100644 --- a/common/services/adguardhome.nix +++ b/common/services/adguardhome.nix @@ -1,5 +1,6 @@ { # Ad-blocking DNS server + # Web UI available at http://localhost:3000 services.adguardhome.enable = true; networking.nameservers = ["127.0.0.1"]; diff --git a/common/services/sshd.nix b/common/services/sshd.nix index 2adaf04..f06c145 100644 --- a/common/services/sshd.nix +++ b/common/services/sshd.nix 
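Review bot: The new `rebuild` alias in zsh.nix passes `-flake` with a single dash, which `nixos-rebuild` does not recognize as `--flake`, so the alias will fail or fall through to the underlying nix invocation as an unknown option; together with the `# .#hostname` comment it looks like `--flake` was intended, in which case the `-I nixos-config=...` argument is also redundant. Suggested: `rebuild = "sudo nixos-rebuild switch --flake /home/tasia/nixos-config"; # add #hostname to target a specific host`. The `done` alias posts to `ntfy.sh/tasiaiso_done` without a scheme, so curl sends it over plain HTTP; use `done = "curl -d 'Done' https://ntfy.sh/tasiaiso_done";` and be aware that a public ntfy topic can be subscribed to and published to by anyone who knows its name unless it is reserved on the server.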
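Review bot: The comment added to adguardhome.nix, `# Web UI available at http://localhost:3000`, may understate the exposure: as far as I recall the NixOS module's `host` option defaults to `0.0.0.0`, so the setup wizard and admin UI listen on every interface and are only shielded by the host firewall (the module does not open port 3000 unless `openFirewall` is set). If the UI is meant to be local-only, pin it explicitly, for example `services.adguardhome.host = "127.0.0.1";`, and make the comment conditional on that; otherwise reword it to say the UI listens on all interfaces and relies on the firewall. Please confirm the module defaults for the nixpkgs revision pinned by this flake before relying on the comment.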
@@ -1,10 +1,9 @@ { # Hardened OpenSSH server # Resources: - # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations + # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015) services.openssh = { enable = true; - # banner = "hello world"; allowSFTP = false; diff --git a/common/services/syncthing.nix b/common/services/syncthing.nix index fb7f64c..65cb04f 100644 --- a/common/services/syncthing.nix +++ b/common/services/syncthing.nix @@ -1,5 +1,6 @@ {lib, ...}: { # File sync service + # Web UI available at http://localhost:8384 services.syncthing = { enable = true; user = lib.mkDefault "user"; diff --git a/common/services/usbguard.nix b/common/services/usbguard.nix index 2442bb5..23cd2e2 100644 --- a/common/services/usbguard.nix +++ b/common/services/usbguard.nix 
@@ -1,17 +1,20 @@ { + # USBGuard is a service that allows you to create a whitelist of the USB device you want your system to connect to. + # Other devices will be blocked by default + # This minimizes the impact of BadUSB attacks services.usbguard = { enable = true; - dbus.enable = true; + # Regular users can interact with usbguard IPCAllowedGroups = ["wheel"]; rules = '' # new-new-phoenix - allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" - allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" - allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" hash "om34qyRbPxnt/bsdFrR3g2SWxDVsInxWWsiFkDIyEnY=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:06:50 with-connect-type "hotplug" - allow id 048d:ce00 serial "" name "ITE Device(8291)" hash "snB5qcpdMc66wcxBmMAn+LStZHfOTO/c5RtrU9nzyHc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-6" with-interface { 03:01:01 03:00:00 } with-connect-type "hardwired" - allow id 8087:0025 serial "" name "" hash "N/wLaNIwbl3mtRa9CDFbUH7EfSZDhv2X+d2xcrwsw8Q=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired" + allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" + allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" + allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" + allow id 048d:ce00 serial "" name "ITE Device(8291)" + allow id 8087:0025 serial "" name "" # USB Drives 
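Review bot: The rewritten `allow` rules in usbguard.nix drop the `hash`, `parent-hash`, `via-port`, `with-interface` and `with-connect-type` attributes, so each rule now matches on VID:PID, serial and name alone, which are exactly the fields a BadUSB device chooses freely; `allow id 8087:0025 serial "" name ""` now admits any device claiming that VID:PID with empty serial and name, even one that adds a HID (keyboard) interface, which undercuts the comment added at the top of the file. At minimum keep `with-interface` (and the `hash` where the device is stable) on each rule, e.g. `allow id 8087:0025 serial "" name "" hash "N/wLaNIwbl3mtRa9CDFbUH7EfSZDhv2X+d2xcrwsw8Q=" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"`, and likewise for the other four lines. The comment `# Regular users can interact with usbguard` over `IPCAllowedGroups = ["wheel"];` is inaccurate, since wheel is the admin group and the IPC lets members allow devices; suggest `# Members of wheel may manage devices over the usbguard IPC socket (usbguard allow-device, list-devices)`. The claim that other devices are blocked by default depends on the module's `implicitPolicyTarget` default (block, if I recall correctly) and is worth stating explicitly in config rather than in a comment; the `rules` string continues outside the hunk.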
diff --git a/tailscale-acl.jsonc b/stuff/tailscale-acl.jsonc similarity index 100% rename from tailscale-acl.jsonc rename to stuff/tailscale-acl.jsonc