update

README.md

@@ -52,7 +52,6 @@ SHA256:hV3Kumt4I9Bt0/IAX3D9Y1kN93COAQFNSsAdiv9mpIg new-new-phoenix
 
 SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix
-
 ```
 
 New laptop. Main driver. TODO: give it a name.

common/default.nix

@@ -64,24 +64,32 @@
 
   services.fwupd.enable = true;
 
+  services.tailscale.enable = true;
+
   networking = {
     networkmanager.enable = true;
 
-    firewall.enable = true;
+    firewall = {
+      enable = true;
+
+      trustedInterfaces = ["tailscale0"];
+    };
   };
 
   nix.settings.allowed-users = ["@wheel"];
   security.sudo.execWheelOnly = true;
 
-  services.tailscale.enable = true;
-
   programs.git = {
     enable = true;
     config = {
       user = {
         name = "Tasia Iso";
         email = "tasiaiso@proton.me";
+        gpg.format = "ssh";
+        commit.gpgsign = "true";
+        # git config --global user.signingkey ~/.ssh/id_ed25519
       };
+
       init = {
         defaultBranch = "master";
       };

common/hardware/nvidiagpu.nix

@@ -1,4 +1,15 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # Enable OpenGL
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+
   # Load nvidia driver for Xorg and Wayland
   services.xserver.videoDrivers = ["nvidia"];
 
@@ -32,4 +43,8 @@
     # Optionally, you may need to select the appropriate driver version for your specific GPU.
     package = config.boot.kernelPackages.nvidiaPackages.stable;
   };
+
+  environment.systemPackages = with pkgs; [
+    glxinfo
+  ];
 }

common/packages/sshd.nix

@@ -0,0 +1,45 @@
+{
+  # Hardened OpenSSH server
+  # Resources:
+  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
+  services.openssh = {
+    enable = true;
+    banner = "hello world";
+
+    allowSFTP = false;
+
+    settings = {
+      PermitRootLogin = "no";
+
+      # Public key authentiation only
+      PasswordAuthentication = false;
+      ChallengeResponseAuthentication = false;
+    };
+    extraConfig = ''
+      # Only allow SSH v2
+      Protocol 2
+
+
+      # Check file modes in /etc/ssh
+      StrictModes yes
+
+      UsePrivilegeSeparation sandbox
+      PrintLastLog yes
+
+      # Don't mess with environment variables
+      PermitUserEnvironment no
+      # AcceptEnv
+
+      AllowTcpForwarding no
+
+      # wip
+      AllowTcpForwarding yes
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowStreamLocalForwarding no
+      AuthenticationMethods publickey
+    '';
+  };
+}
+# ssh R6: StrictHostKeyChecking ask
+

common/tasia-packages.nix

@@ -53,6 +53,7 @@
     gotty
     gping
     yazi
+    vulnix # once im on stable
 
     tildefriends
   ];

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713248628,
-        "narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
+        "lastModified": 1713537308,
+        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
+        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
         "type": "github"
       },
       "original": {
@@ -25,11 +25,11 @@
     },
     "stable": {
       "locked": {
-        "lastModified": 1713145326,
-        "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
+        "lastModified": 1713564160,
+        "narHash": "sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
+        "rev": "bc194f70731cc5d2b046a6c1b3b15f170f05999c",
         "type": "github"
       },
       "original": {
@@ -41,11 +41,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1713248628,
-        "narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
+        "lastModified": 1713537308,
+        "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
+        "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -27,7 +27,6 @@
     # pass to it, with each system as an argument
     forAllSystems = nixpkgs.lib.genAttrs systems;
   in {
-
     # Your custom packages
     # Accessible through 'nix build', 'nix shell', etc
     packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});

hosts/enry/configuration.nix

@@ -28,6 +28,7 @@
     initialPassword = "correcthorsebatterystaple";
     openssh.authorizedKeys.keys = [
       "SHA256:RrcbPCE9BPVLAEhERm81NwXA28OKpn9U6irR2vG7K5I user@phoenix"
+      "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
     ];
   };
 

hosts/new-new-phoenix/configuration.nix

@@ -12,14 +12,14 @@
     ../../common/locales/en.nix
     ../../common/locales/fr-keymap.nix
     ../../common/hardware/intelcpu.nix
-    ../../common/hardware/amdgpu.nix
+    ../../common/hardware/nvidiagpu.nix
     ../../common/hardware/ssd.nix
 
     ../../common/de/plasma6.nix
     # ../../common/de/hyprland.nix
 
     # ../../common/packages/syncthing.nix
-    ../../common/packages/adguardhome.nix
+    ../../common/packages/sshd.nix
     ../../common/tasia-packages.nix
 
     # ../../modules/nixos/vedirect-reader.nix
@@ -30,6 +30,17 @@
     # boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
   };
 
+  hardware.nvidia.prime = {
+    # Make sure to use the correct Bus ID values for your system!
+    intelBusId = "PCI:1:0:0";
+    nvidiaBusId = "PCI:0:2:0";
+
+    offload = {
+      enable = true;
+      enableOffloadCmd = true;
+    };
+  };
+
   networking = {
     hostName = "new-new-phoenix";
 
@@ -52,7 +63,7 @@
     extraGroups = ["networkmanager" "wheel" "syncthing"];
     initialPassword = "correcthorsebatterystaple";
     openssh.authorizedKeys.keys = [
-      # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
+      "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix" # self
     ];
   };
 
@@ -93,6 +104,13 @@
     #
   ];
 
+  # security.auditd.enable = true;
+  # security.audit.enable = true;
+  # security.audit.rules = [
+  #   "-a exit,always -F arch=b64 -S execve"
+  # ];
+  # You can monitor these logs with journalctl -f. If you don't see any audit logs show up, ssh in from another window and run some commands like ls. You should see a flurry of them show up.
+
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "23.11";
 }

hosts/new-new-phoenix/hardware-configuration.nix

@@ -0,0 +1,45 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb";
+    fsType = "btrfs";
+    options = ["subvol=@"];
+  };
+
+  boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/E290-4D47";
+    fsType = "vfat";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/phoenix/configuration.nix

@@ -52,7 +52,7 @@
     extraGroups = ["networkmanager" "wheel" "syncthing"];
     initialPassword = "correcthorsebatterystaple";
     openssh.authorizedKeys.keys = [
-      # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
+      "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
     ];
   };
 

tailscale-acl.jsonc

@@ -0,0 +1,41 @@
+// Example/default ACLs for unrestricted connections.
+{
+	// Declare static groups of users. Use autogroups for all users or users with a specific role.
+	// "groups": {
+	//  	"group:example": ["alice@example.com", "bob@example.com"],
+	// },
+
+	// Define the tags which can be applied to devices and by which users.
+	"tagOwners": {
+	 	"tag:trusted": ["autogroup:admin"],
+	},
+
+	// Define access control lists for users, groups, autogroups, tags,
+	// Tailscale IP addresses, and subnet ranges.
+	"acls": [
+		// Allow all connections.
+		// Comment this section out if you want to define specific restrictions.
+		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
+	],
+
+	// Define users and devices that can use Tailscale SSH.
+	"ssh": [
+		// Allow all users to SSH into their own devices in check mode.
+		// Comment this section out if you want to define specific restrictions.
+		{
+			"action": "check",
+			"src":    ["autogroup:member"],
+			"dst":    ["autogroup:self"],
+			"users":  ["autogroup:nonroot"],
+		},
+	],
+
+	// Test access rules every time they're saved.
+	// "tests": [
+	//  	{
+	//  		"src": "alice@example.com",
+	//  		"accept": ["tag:example"],
+	//  		"deny": ["100.101.102.103:443"],
+	//  	},
+	// ],
+}