WIP: home/{hyprland,waybar}: init

flake.nix

@@ -190,6 +190,7 @@
                   useGlobalPkgs = true;
                   extraSpecialArgs = {
                     inherit inputs;
+                    inherit unstable-pkgs;
                     inherit (self) extendedLib;
                     inherit (config) machineVars;
                     secrets = secrets.outputs.settings;

home/home.nix

@@ -99,6 +99,7 @@ in {
     sessionVariables = {
       CARGO_NET_GIT_FETCH_WITH_CLI = "true";
       PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
+      _JAVA_AWT_WM_NONREPARENTING = "1";
     };
   };
 

home/packages.nix

@@ -17,6 +17,7 @@
     gpg-tui
     gping
     graphviz
+    hexyl
     httpie
     imagemagick
     jq
@@ -24,6 +25,7 @@
     # keybase
     keymapviz
     libwebp
+    lnav
     lolcat
     mdcat
     mediainfo
@@ -44,6 +46,7 @@
     pandoc
     parallel
     progress
+    pwntools
     python3
     rclone
     ripgrep
@@ -89,10 +92,12 @@
       discord
       element-desktop
       geogebra
+      ghidra
       gimp
       gnome.gnome-font-viewer
       gnome.seahorse
       google-chrome
+      imhex
       inkscape
       insomnia
       iwgtk

home/programs/gh.nix

@@ -4,7 +4,7 @@
     enable = true;
     settings = {
       gitProtocol = "ssh";
-      pager = "${pkgs.bat}/git/bat";
+      pager = "${pkgs.bat}/bin/bat";
       aliases = {
         co = "pr checkout";
         pv = "pr view";

home/programs/ssh/pvv.nix

@@ -10,26 +10,35 @@ let
       proxyJump = lib.mkDefault null;
       addressFamily = "inet";
     }
-    "dagali"
-    "drolsum"
-    "demiurgen"
-    "eirin"
     [ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
-    "ildkule"
-    "shark"
-    "buskerud"
     [ "bicep" "pvv-databases" ]
     "bob"
-    "knutsen"
+    [ "brzeczyszczykiewicz" "brez" "bokhylle" ]
+    "buskerud"
+    "dagali"
+    "demiurgen"
+    "drolsum"
+    "eirin"
+    "georg"
+    "ildkule"
     "isvegg"
-    "tom"
+    "knutsen"
     [ "microbel" "pvv-users" "pvv-mail" ]
+    "orchid"
+    "shark"
+    "tallulah"
+    "tom"
+    "venture"
   ];
 
   rootMachines = [
-    [ "sleipner" "pvv-salt" ]
+    [ "ameno" "pvv-dns" ]
     [ "balduzius" "pvv-krb" ]
     [ "innovation" "pvv-minecraft" ]
+    "ludvigsen"
+    [ "principal" "pvv-backup" ]
+    [ "skrott" "dibbler" ]
+    [ "sleipner" "pvv-salt" ]
   ];
 
   # Either( String [String] AttrSet{String} ) -> AttrSet{String}

home/programs/vscode/default.nix

@@ -24,7 +24,7 @@ in
     onChange = ''install -m660 $(realpath "${configFilePath}.ro") "${configFilePath}"'';
   };
 
-  programs.vscode ={
+  programs.vscode = {
     enable = true;
 
     package = pkgs.vscode;

home/programs/zed/default.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, unstable-pkgs, lib, ... }:
 {
-  home.packages = with pkgs; [ zed-editor ];
+  home.packages = with unstable-pkgs; [ zed-editor ];
 
   xdg.configFile."zed/settings.json".source = let
     format = pkgs.formats.json { };

hosts/common/default.nix

@@ -12,7 +12,9 @@ in {
     ./programs/ssh.nix
     ./programs/usbtop.nix
 
+    ./services/cups.nix
     ./services/dbus.nix
+    ./services/logrotate.nix
     ./services/openssh.nix
     ./services/pcscd.nix
     ./services/pipewire.nix

hosts/common/services/cups.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+{
+  systemd.services = lib.mkIf config.services.printing.enable {
+    cups.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true; 
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+    cups-browsed.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+  };
+}

hosts/common/services/logrotate.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}

hosts/dosei/services/journald-remote.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  # TODO: Reproducible certificates
+  services.journald.remote = {
+    enable = true;
+    settings.Remote = {
+      # ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
+      # ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
+      ServerKeyFile = "/etc/journald-remote-certs/key.pem";
+      ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
+      TrustedCertificateFile = "-";
+    };
+  };
+
+  # systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
+  #   "key.pem:/etc/journald-remote-certs/key.pem"
+  #   "cert.pem:/etc/journald-remote-certs/cert.pem"
+  # ];
+}

hosts/europa/configuration.nix

@@ -5,6 +5,7 @@
 
     ./services/avahi.nix
     ./services/docker.nix
+    ./services/journald-remote.nix
   ];
 
   boot.loader.systemd-boot.enable = true;

hosts/europa/services/journald-remote.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.journald.upload = {
+    enable = true;
+    settings.Upload = {
+      URL = "https://10.250.14.105:19532";
+      # ServerKeyFile = toString ./key.pem;
+      # ServerCertificateFile = toString ./cert.pem;
+      ServerKeyFile = "-";
+      ServerCertificateFile = "-";
+      TrustedCertificateFile = "-";
+    };
+  };  
+}