diff --git a/README.md b/README.md
index 097bf9b..d03a573 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,6 @@ SHA256:hV3Kumt4I9Bt0/IAX3D9Y1kN93COAQFNSsAdiv9mpIg new-new-phoenix SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix - ```
-New laptop. Main driver. TODO: give it a name.
\ No newline at end of file
+New laptop. Main driver. TODO: give it a name.
diff --git a/common/default.nix b/common/default.nix
index 22a720f..178615a 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -64,24 +64,32 @@
 services.fwupd.enable = true;
+ services.tailscale.enable = true;
+
 networking = {
 networkmanager.enable = true;
- firewall.enable = true;
+ firewall = {
+ enable = true;
+
+ trustedInterfaces = ["tailscale0"];
+ };
 };
 nix.settings.allowed-users = ["@wheel"];
 security.sudo.execWheelOnly = true;
- services.tailscale.enable = true;
-
 programs.git = {
 enable = true;
 config = {
 user = {
 name = "Tasia Iso";
 email = "tasiaiso@proton.me";
+ gpg.format = "ssh";
+ commit.gpgsign = "true";
+ # git config --global user.signingkey ~/.ssh/id_ed25519
 };
+
 init = {
 defaultBranch = "master";
 };
diff --git a/common/hardware/nvidiagpu.nix b/common/hardware/nvidiagpu.nix
index f1ba7fc..8650634 100644
--- a/common/hardware/nvidiagpu.nix
+++ b/common/hardware/nvidiagpu.nix
@@ -1,4 +1,15 @@
-{config, ...}: {
+{
+ config,
+ pkgs,
+ ...
+}: {
+ # Enable OpenGL
+ hardware.opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+
 # Load nvidia driver for Xorg and Wayland
 services.xserver.videoDrivers = ["nvidia"];
@@ -32,4 +43,8 @@
 # Optionally, you may need to select the appropriate driver version for your specific GPU.
 package = config.boot.kernelPackages.nvidiaPackages.stable;
 };
+
+ environment.systemPackages = with pkgs; [
+ glxinfo
+ ];
 }
diff --git a/common/hardware/ssd.nix b/common/hardware/ssd.nix
index 9f2c39b..84d7613 100644
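Review bot: `trustedInterfaces = ["tailscale0"]` in the new `firewall` block bypasses the host firewall for everything arriving over the tailnet, so every listening service on every host importing common/default.nix becomes reachable from any tailnet peer, and the `tailscale-acl.jsonc` added in this same commit accepts `*` to `*:*`, so nothing limits who those peers are. If the goal is only SSH over Tailscale, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];` with `trustedInterfaces` left empty keeps the per-port control, or the ACL should be narrowed to a tag. Separately, `commit.gpgsign = "true"` is set while the signing key is only mentioned in the `# git config --global user.signingkey ~/.ssh/id_ed25519` comment, so a fresh deployment fails to sign until that imperative step is run; `user.signingkey = "~/.ssh/id_ed25519";` next to `gpg.format` keeps it declarative. The enclosing module attrset starts and ends outside this hunk.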
--- a/common/hardware/ssd.nix
+++ b/common/hardware/ssd.nix
@@ -1,3 +1,3 @@
 {
 services.fstrim.enable = true;
-}
\ No newline at end of file
+}
diff --git a/common/packages/sshd.nix b/common/packages/sshd.nix
new file mode 100644
index 0000000..19178e9
--- /dev/null
+++ b/common/packages/sshd.nix
@@ -0,0 +1,45 @@
+{
+ # Hardened OpenSSH server
+ # Resources:
+ # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
+ services.openssh = {
+ enable = true;
+ banner = "hello world";
+
+ allowSFTP = false;
+
+ settings = {
+ PermitRootLogin = "no";
+
+ # Public key authentiation only
+ PasswordAuthentication = false;
+ ChallengeResponseAuthentication = false;
+ };
+ extraConfig = ''
+ # Only allow SSH v2
+ Protocol 2
+
+
+ # Check file modes in /etc/ssh
+ StrictModes yes
+
+ UsePrivilegeSeparation sandbox
+ PrintLastLog yes
+
+ # Don't mess with environment variables
+ PermitUserEnvironment no
+ # AcceptEnv
+
+ AllowTcpForwarding no
+
+ # wip
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
+}
+# ssh R6: StrictHostKeyChecking ask
+
diff --git a/common/tasia-packages.nix b/common/tasia-packages.nix
index 60c6429..0650b54 100644
--- a/common/tasia-packages.nix
+++ b/common/tasia-packages.nix
@@ -53,6 +53,7 @@
 gotty
 gping
 yazi
+ vulnix # once im on stable
 tildefriends
 ];
diff --git a/flake.lock b/flake.lock
index 6956fd9..f4d0395 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1713248628,
- "narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
+ "lastModified": 1713537308,
+ "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
+ "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
 "type": "github"
 },
 "original": {
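Review bot: `extraConfig` sets `AllowTcpForwarding no` and then, under `# wip`, `AllowTcpForwarding yes`; sshd uses the first value it reads for a keyword, so the `yes` is silently ignored and the file documents the opposite of what is enforced — drop the `# wip` / `AllowTcpForwarding yes` pair (or the earlier `no`) so the effective policy is visible in the source. `Protocol 2` and `UsePrivilegeSeparation sandbox` should be no-ops on the OpenSSH versions NixOS ships (SSHv1 and the privsep toggle were removed long ago) and at best produce startup warnings, and `ChallengeResponseAuthentication` is nowadays an alias of `KbdInteractiveAuthentication`, which is the name to use under `settings`. `services.openssh.openFirewall` defaults to true, so importing this module opens port 22 on every interface rather than only tailscale0; add `openFirewall = false;` if SSH is meant to be tailnet-only. Minor: `# Public key authentiation only` should read `authentication`.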
@@ -25,11 +25,11 @@
 },
 "stable": {
 "locked": {
- "lastModified": 1713145326,
- "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
+ "lastModified": 1713564160,
+ "narHash": "sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
+ "rev": "bc194f70731cc5d2b046a6c1b3b15f170f05999c",
 "type": "github"
 },
 "original": {
@@ -41,11 +41,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1713248628,
- "narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
+ "lastModified": 1713537308,
+ "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
+ "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 8c7bad8..32bb51b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,7 +27,6 @@
 # pass to it, with each system as an argument
 forAllSystems = nixpkgs.lib.genAttrs systems;
 in {
- # Your custom packages
 # Accessible through 'nix build', 'nix shell', etc
 packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
diff --git a/hosts/enry/configuration.nix b/hosts/enry/configuration.nix
index df0f2ff..02a305d 100644
--- a/hosts/enry/configuration.nix
+++ b/hosts/enry/configuration.nix
@@ -28,6 +28,7 @@
 initialPassword = "correcthorsebatterystaple";
 openssh.authorizedKeys.keys = [
 "SHA256:RrcbPCE9BPVLAEhERm81NwXA28OKpn9U6irR2vG7K5I user@phoenix"
+ "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
 ];
 };
diff --git a/hosts/new-new-phoenix/configuration.nix b/hosts/new-new-phoenix/configuration.nix
index 5b8d024..35bd12c 100644
--- a/hosts/new-new-phoenix/configuration.nix
+++ b/hosts/new-new-phoenix/configuration.nix
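Review bot: The value added to `openssh.authorizedKeys.keys` is a SHA256 fingerprint, not a public key; sshd cannot authenticate a client against a fingerprint, so the entry is silently unusable, and the pre-existing `user@phoenix` line above it has the same shape. The same fingerprint string is added to hosts/new-new-phoenix/configuration.nix and hosts/phoenix/configuration.nix in this commit. The README hunk lists what appears to be the full key for this identity, which is the form that belongs here: `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix"`. Because the new sshd.nix disables password authentication, hosts importing it are left reachable only via console and `initialPassword` until this is fixed, so an `ssh -v` check against a built host before deploying is worth it. The enclosing user definition starts outside this hunk.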
@@ -12,14 +12,14 @@
 ../../common/locales/en.nix
 ../../common/locales/fr-keymap.nix
 ../../common/hardware/intelcpu.nix
- ../../common/hardware/amdgpu.nix
+ ../../common/hardware/nvidiagpu.nix
 ../../common/hardware/ssd.nix
 ../../common/de/plasma6.nix
 # ../../common/de/hyprland.nix
 # ../../common/packages/syncthing.nix
- ../../common/packages/adguardhome.nix
+ ../../common/packages/sshd.nix
 ../../common/tasia-packages.nix
 # ../../modules/nixos/vedirect-reader.nix
@@ -30,6 +30,17 @@
 # boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
 };
+ hardware.nvidia.prime = {
+ # Make sure to use the correct Bus ID values for your system!
+ intelBusId = "PCI:1:0:0";
+ nvidiaBusId = "PCI:0:2:0";
+
+ offload = {
+ enable = true;
+ enableOffloadCmd = true;
+ };
+ };
+
 networking = {
 hostName = "new-new-phoenix";
@@ -52,7 +63,7 @@
 extraGroups = ["networkmanager" "wheel" "syncthing"];
 initialPassword = "correcthorsebatterystaple";
 openssh.authorizedKeys.keys = [
- # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
+ "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix" # self
 ];
 };
@@ -93,6 +104,13 @@
 # ];
+ # security.auditd.enable = true;
+ # security.audit.enable = true;
+ # security.audit.rules = [
+ # "-a exit,always -F arch=b64 -S execve"
+ # ];
+ # You can monitor these logs with journalctl -f. If you don't see any audit logs show up, ssh in from another window and run some commands like ls. You should see a flurry of them show up.
+
 # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
 system.stateVersion = "23.11";
 }
diff --git a/hosts/new-new-phoenix/hardware-configuration.nix b/hosts/new-new-phoenix/hardware-configuration.nix
new file mode 100644
index 0000000..377088d
--- /dev/null
+++ b/hosts/new-new-phoenix/hardware-configuration.nix
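Review bot: The PRIME bus IDs in the second hunk look swapped: `intelBusId = "PCI:1:0:0"` and `nvidiaBusId = "PCI:0:2:0"` is the reverse of the usual laptop layout, where the Intel iGPU sits at `PCI:0:2:0` and the discrete NVIDIA card at `PCI:1:0:0`. This is inferred from convention rather than from anything on the page, so confirm the addresses with `lspci` before relying on offload; the `# Make sure to use the correct Bus ID values for your system!` comment retained from the template suggests they have not been verified yet. The `hardware.nvidia.prime` block is fully inside the hunk, but the module it sits in starts and ends outside it.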
@@ -0,0 +1,45 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb"; + fsType = "btrfs"; + options = ["subvol=@"]; + }; + + boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c"; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/E290-4D47"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/phoenix/configuration.nix b/hosts/phoenix/configuration.nix index a93bb38..c243a49 100644 --- a/hosts/phoenix/configuration.nix +++ b/hosts/phoenix/configuration.nix 
@@ -52,7 +52,7 @@
 extraGroups = ["networkmanager" "wheel" "syncthing"];
 initialPassword = "correcthorsebatterystaple";
 openssh.authorizedKeys.keys = [
- # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
+ "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
 ];
 };
diff --git a/tailscale-acl.jsonc b/tailscale-acl.jsonc
new file mode 100644
index 0000000..5581a44
--- /dev/null
+++ b/tailscale-acl.jsonc
@@ -0,0 +1,41 @@
+// Example/default ACLs for unrestricted connections.
+{
+ // Declare static groups of users. Use autogroups for all users or users with a specific role.
+ // "groups": {
+ // "group:example": ["alice@example.com", "bob@example.com"],
+ // },
+
+ // Define the tags which can be applied to devices and by which users.
+ "tagOwners": {
+ "tag:trusted": ["autogroup:admin"],
+ },
+
+ // Define access control lists for users, groups, autogroups, tags,
+ // Tailscale IP addresses, and subnet ranges.
+ "acls": [
+ // Allow all connections.
+ // Comment this section out if you want to define specific restrictions.
+ {"action": "accept", "src": ["*"], "dst": ["*:*"]},
+ ],
+
+ // Define users and devices that can use Tailscale SSH.
+ "ssh": [
+ // Allow all users to SSH into their own devices in check mode.
+ // Comment this section out if you want to define specific restrictions.
+ {
+ "action": "check",
+ "src": ["autogroup:member"],
+ "dst": ["autogroup:self"],
+ "users": ["autogroup:nonroot"],
+ },
+ ],
+
+ // Test access rules every time they're saved.
+ // "tests": [
+ // {
+ // "src": "alice@example.com",
+ // "accept": ["tag:example"],
+ // "deny": ["100.101.102.103:443"],
+ // },
+ // ],
+}
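Review bot: The only ACL rule, `{"action": "accept", "src": ["*"], "dst": ["*:*"]}`, lets any tailnet device reach any port, and because common/default.nix in this commit puts `tailscale0` in `trustedInterfaces`, the host firewall does not filter that traffic either — this file is the last control left and it is fully open. `tag:trusted` is declared in `tagOwners` but never referenced by a rule, so it currently does nothing; a tighter first cut that uses it is `{"action": "accept", "src": ["tag:trusted"], "dst": ["*:22"]}` with the laptops tagged, which is what the file's own `// Comment this section out if you want to define specific restrictions.` hint is pointing at. Nothing in this diff reads the file, so it is presumably a copy of what lives in the admin console; a one-line header comment saying which side is authoritative would prevent the two from drifting apart silently.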