This commit is contained in:
Tasia Iso 2024-04-23 16:19:33 +02:00
parent 04c97a404a
commit a970493019
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
14 changed files with 56 additions and 33 deletions


@ -27,6 +27,8 @@
experimental-features = "nix-command flakes";
# Deduplicate and optimize nix store
auto-optimise-store = true;
warn-dirty = false;
};
# This will add each flake input as a registry
@ -55,16 +57,16 @@
# Unfree packages that can be installes regardless of the mchine's fre software policy
config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
# Steam
"steam"
"steam-original"
"steam-run"
builtins.elem (lib.getName pkg) [
# Steam
"steam"
"steam-original"
"steam-run"
# Nvidia drivers
"nvidia-x11"
"nvidia-settings"
];
# Nvidia drivers
"nvidia-x11"
"nvidia-settings"
];
};
# Some programs need SUID wrappers, can be configured further or are
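Review bot: `warn-dirty = false` in the first hunk silences the notice that the flake tree has uncommitted changes, so a rebuild can deploy configuration that is not recorded in any commit and cannot later be matched to revisions like this one. The hunk header counts two added lines and this looks like one of them, but the rendering drops the markers, so treat that as inferred. If the setting stays, a one-line reason next to it would help, e.g. `warn-dirty = false; # dev convenience: rebuilds from an uncommitted tree are not traceable to a commit`. The `allowUnfreePredicate` comment in the second hunk is context rather than new code, so its typos (`installes`, `mchine's fre`) are out of scope here but worth a follow-up.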


@ -1,15 +1,19 @@
{
boot.loader = {
systemd-boot = {
enable = true;
editor = false;
};
boot = {
loader = {
systemd-boot = {
enable = true;
editor = false;
};
efi.canTouchEfiVariables = true;
efi.canTouchEfiVariables = true;
};
initrd = {
enable = true;
systemd.enable = true;
};
};
boot.initrd.enable = true;
boot.initrd.systemd.enable = true;
# boot.plymouth = {
# enable = true;
# font = "${pkgs.jetbrains-mono}/share/fonts/truetype/JetBrainsMono-Regular.ttf";


@ -2,6 +2,7 @@
environment.systemPackages = with pkgs; [
# See ./plasma6.nix
ksshaskpass
aha
libreoffice
kleopatra


@ -1,4 +1,4 @@
{
# Enable CUPS to print documents.
services.printing.enable = true;
}
}


@ -1,5 +1,13 @@
{
# sudo and nix can only be used by the wheel group
nix.settings.allowed-users = ["@wheel"];
security.sudo.execWheelOnly = true;
security.sudo = {
enable = true;
execWheelOnly = true;
extraConfig = "Defaults insults";
};
# services.fail2ban.enable = true;
}
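Review bot: `# services.fail2ban.enable = true;` is left commented out with no reason given, so the next reader cannot tell whether it is planned, rejected, or forgotten; a short note such as `# fail2ban: not enabled yet — decide per host once its SSH exposure is known`, or dropping the line, keeps the intent visible. The move into a `security.sudo = { ... }` block keeps `execWheelOnly = true`, and `Defaults insults` only changes the message printed on a failed password, so as far as the hunk shows no privilege behaviour changes. Which of these lines are additions is inferred from the header counts, since the rendering drops the markers.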


@ -3,11 +3,11 @@
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
}
}


@ -4,4 +4,4 @@
./components/printing.nix
./components/packages-full.nix
];
}
}


@ -1,5 +1,7 @@
{
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
security.tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
};
}


@ -7,6 +7,8 @@
shellAliases = {
ll = "ls -al";
done = "curl -d 'Done' ntfy.sh/tasiaiso_done";
rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/nixos-config"; # .#hostname
};
ohMyZsh = {
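Review bot: the `done` alias posts to `ntfy.sh/tasiaiso_done` with no URL scheme, so curl falls back to plain HTTP and the topic name and message cross the network in cleartext; `done = "curl -d 'Done' https://ntfy.sh/tasiaiso_done";` fixes that with no other change. The `rebuild` alias passes `-flake` with a single dash where `nixos-rebuild` documents `--flake`, and the trailing `# .#hostname` comment suggests the flake reference is still to be supplied; it also combines that with `-I nixos-config=...`, which is how the non-flake entry point locates the configuration, so likely only one of the two forms is intended. That these two aliases are the hunk's two additions is inferred, since the rendering drops the markers.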


@ -1,5 +1,6 @@
{
# Ad-blocking DNS server
# Web UI available at http://localhost:3000
services.adguardhome.enable = true;
networking.nameservers = ["127.0.0.1"];
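Review bot: the new comment `# Web UI available at http://localhost:3000` promises a loopback-only UI, but nothing in this hunk sets the bind address, so the comment records an assumption rather than the configuration. Either point at where that is enforced or phrase it as such, e.g. `# Web UI on port 3000; the bind address comes from the AdGuard Home settings — keep it on 127.0.0.1`. That this comment line is the hunk's single addition is inferred from the header counts.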


@ -1,10 +1,9 @@
{
# Hardened OpenSSH server
# Resources:
# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
services.openssh = {
enable = true;
# banner = "hello world";
allowSFTP = false;


@ -1,5 +1,6 @@
{lib, ...}: {
# File sync service
# Web UI available at http://localhost:8384
services.syncthing = {
enable = true;
user = lib.mkDefault "user";
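Review bot: `# Web UI available at http://localhost:8384` describes a listener address this hunk does not set, so it holds only while the module's default GUI address stays on loopback. Setting it explicitly next to the comment, `guiAddress = "127.0.0.1:8384";`, makes the comment a statement about this file rather than about a default defined elsewhere. The enclosing `services.syncthing = {` block continues past the hunk.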


@ -1,17 +1,20 @@
{
# USBGuard is a service that allows you to create a whitelist of the USB device you want your system to connect to.
# Other devices will be blocked by default
# This minimizes the impact of BadUSB attacks
services.usbguard = {
enable = true;
dbus.enable = true;
# Regular users can interact with usbguard
IPCAllowedGroups = ["wheel"];
rules = ''
# new-new-phoenix
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" hash "om34qyRbPxnt/bsdFrR3g2SWxDVsInxWWsiFkDIyEnY=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:06:50 with-connect-type "hotplug"
allow id 048d:ce00 serial "" name "ITE Device(8291)" hash "snB5qcpdMc66wcxBmMAn+LStZHfOTO/c5RtrU9nzyHc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-6" with-interface { 03:01:01 03:00:00 } with-connect-type "hardwired"
allow id 8087:0025 serial "" name "" hash "N/wLaNIwbl3mtRa9CDFbUH7EfSZDhv2X+d2xcrwsw8Q=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW"
allow id 048d:ce00 serial "" name "ITE Device(8291)"
allow id 8087:0025 serial "" name ""
# USB Drives