awawa

common/base.nix

@@ -27,6 +27,8 @@
       experimental-features = "nix-command flakes";
       # Deduplicate and optimize nix store
       auto-optimise-store = true;
+
+      warn-dirty = false;
     };
 
     # This will add each flake input as a registry
@@ -55,16 +57,16 @@
 
     # Unfree packages that can be installes regardless of the mchine's fre software policy
     config.allowUnfreePredicate = pkg:
-    builtins.elem (lib.getName pkg) [
-      # Steam
-      "steam"
-      "steam-original"
-      "steam-run"
+      builtins.elem (lib.getName pkg) [
+        # Steam
+        "steam"
+        "steam-original"
+        "steam-run"
 
-      # Nvidia drivers
-      "nvidia-x11"
-      "nvidia-settings"
-    ];
+        # Nvidia drivers
+        "nvidia-x11"
+        "nvidia-settings"
+      ];
   };
 
   # Some programs need SUID wrappers, can be configured further or are

common/components/bootloader.nix

@@ -1,15 +1,19 @@
 {
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      editor = false;
-    };
+  boot = {
+    loader = {
+      systemd-boot = {
+        enable = true;
+        editor = false;
+      };
 
-    efi.canTouchEfiVariables = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd = {
+      enable = true;
+      systemd.enable = true;
+    };
   };
 
-  boot.initrd.enable = true;
-  boot.initrd.systemd.enable = true;
   # boot.plymouth = {
   #   enable = true;
   #   font = "${pkgs.jetbrains-mono}/share/fonts/truetype/JetBrainsMono-Regular.ttf";

common/components/de/plasma-packages.nix

@@ -2,6 +2,7 @@
   environment.systemPackages = with pkgs; [
     # See ./plasma6.nix
     ksshaskpass
+    aha
 
     libreoffice
     kleopatra

common/components/security.nix

@@ -1,5 +1,13 @@
 {
   # sudo and nix can only be used by the wheel group
+
   nix.settings.allowed-users = ["@wheel"];
-  security.sudo.execWheelOnly = true;
+
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraConfig = "Defaults insults";
+  };
+
+  # services.fail2ban.enable = true;
 }

common/hardware/tpm2.nix

@@ -1,5 +1,7 @@
 {
-  security.tpm2.enable = true;
-  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
-  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+    tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  };
 }

common/programs/zsh.nix

@@ -7,6 +7,8 @@
 
     shellAliases = {
       ll = "ls -al";
+      done = "curl -d 'Done' ntfy.sh/tasiaiso_done";
+      rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/nixos-config"; # .#hostname
     };
 
     ohMyZsh = {

common/services/adguardhome.nix

@@ -1,5 +1,6 @@
 {
   # Ad-blocking DNS server
+  # Web UI available at http://localhost:3000
   services.adguardhome.enable = true;
 
   networking.nameservers = ["127.0.0.1"];

common/services/sshd.nix

@@ -1,10 +1,9 @@
 {
   # Hardened OpenSSH server
   # Resources:
-  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
+  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
   services.openssh = {
     enable = true;
-    # banner = "hello world";
 
     allowSFTP = false;
 

common/services/syncthing.nix

@@ -1,5 +1,6 @@
 {lib, ...}: {
   # File sync service
+  # Web UI available at http://localhost:8384
   services.syncthing = {
     enable = true;
     user = lib.mkDefault "user";

common/services/usbguard.nix

@@ -1,17 +1,20 @@
 {
+  # USBGuard is a service that allows you to create a whitelist of the USB device you want your system to connect to.
+  # Other devices will be blocked by default
+  # This minimizes the impact of BadUSB attacks
   services.usbguard = {
     enable = true;
-    dbus.enable = true;
 
+    # Regular users can interact with usbguard
     IPCAllowedGroups = ["wheel"];
 
     rules = ''
       # new-new-phoenix
-      allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
-      allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
-      allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" hash "om34qyRbPxnt/bsdFrR3g2SWxDVsInxWWsiFkDIyEnY=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:06:50 with-connect-type "hotplug"
-      allow id 048d:ce00 serial "" name "ITE Device(8291)" hash "snB5qcpdMc66wcxBmMAn+LStZHfOTO/c5RtrU9nzyHc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-6" with-interface { 03:01:01 03:00:00 } with-connect-type "hardwired"
-      allow id 8087:0025 serial "" name "" hash "N/wLaNIwbl3mtRa9CDFbUH7EfSZDhv2X+d2xcrwsw8Q=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"
+      allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
+      allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller"
+      allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW"
+      allow id 048d:ce00 serial "" name "ITE Device(8291)"
+      allow id 8087:0025 serial "" name ""
 
       # USB Drives