Compare commits
12 Commits
592632c068
...
e2e97ac31e
Author | SHA1 | Date |
---|---|---|
Oystein Kristoffer Tveit | e2e97ac31e | |
Oystein Kristoffer Tveit | 7c79a6c37b | |
Oystein Kristoffer Tveit | fbd5b3798b | |
Oystein Kristoffer Tveit | e8db1d6612 | |
Oystein Kristoffer Tveit | 46e12cfc9e | |
Oystein Kristoffer Tveit | 2b81c752f0 | |
Oystein Kristoffer Tveit | c533a7df56 | |
Oystein Kristoffer Tveit | 3de3b459ad | |
Oystein Kristoffer Tveit | 28364a66f1 | |
Oystein Kristoffer Tveit | 94bddadd50 | |
Oystein Kristoffer Tveit | 810311bbc2 | |
Oystein Kristoffer Tveit | 0a5e8774c7 |
|
@ -190,6 +190,7 @@
|
|||
useGlobalPkgs = true;
|
||||
extraSpecialArgs = {
|
||||
inherit inputs;
|
||||
inherit unstable-pkgs;
|
||||
inherit (self) extendedLib;
|
||||
inherit (config) machineVars;
|
||||
secrets = secrets.outputs.settings;
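Review bot: Whichever of the seven lines is the added one — `secrets = secrets.outputs.settings;` is the likely candidate given the 6→7 count — that value is handed to every module loaded through what looks like home-manager's `extraSpecialArgs`, and anything from it that gets interpolated into a derivation or generated config file ends up world-readable under `/nix/store`. A comment on the binding stating the boundary, e.g. `# non-sensitive settings only; secret material must reach files via its own path, never by interpolation`, would make that contract explicit for future modules. The enclosing attrset starts before the hunk.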
|
||||
|
|
|
@ -99,6 +99,7 @@ in {
|
|||
sessionVariables = {
|
||||
CARGO_NET_GIT_FETCH_WITH_CLI = "true";
|
||||
PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
|
||||
_JAVA_AWT_WM_NONREPARENTING = "1";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
gpg-tui
|
||||
gping
|
||||
graphviz
|
||||
hexyl
|
||||
httpie
|
||||
imagemagick
|
||||
jq
|
||||
|
@ -24,6 +25,7 @@
|
|||
# keybase
|
||||
keymapviz
|
||||
libwebp
|
||||
lnav
|
||||
lolcat
|
||||
mdcat
|
||||
mediainfo
|
||||
|
@ -44,6 +46,7 @@
|
|||
pandoc
|
||||
parallel
|
||||
progress
|
||||
pwntools
|
||||
python3
|
||||
rclone
|
||||
ripgrep
|
||||
|
@ -89,10 +92,12 @@
|
|||
discord
|
||||
element-desktop
|
||||
geogebra
|
||||
ghidra
|
||||
gimp
|
||||
gnome.gnome-font-viewer
|
||||
gnome.seahorse
|
||||
google-chrome
|
||||
imhex
|
||||
inkscape
|
||||
insomnia
|
||||
iwgtk
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
enable = true;
|
||||
settings = {
|
||||
gitProtocol = "ssh";
|
||||
pager = "${pkgs.bat}/git/bat";
|
||||
pager = "${pkgs.bat}/bin/bat";
|
||||
aliases = {
|
||||
co = "pr checkout";
|
||||
pv = "pr view";
|
||||
|
|
|
@ -10,26 +10,35 @@ let
|
|||
proxyJump = lib.mkDefault null;
|
||||
addressFamily = "inet";
|
||||
}
|
||||
"dagali"
|
||||
"drolsum"
|
||||
"demiurgen"
|
||||
"eirin"
|
||||
[ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
|
||||
"ildkule"
|
||||
"shark"
|
||||
"buskerud"
|
||||
[ "bicep" "pvv-databases" ]
|
||||
"bob"
|
||||
"knutsen"
|
||||
[ "brzeczyszczykiewicz" "brez" "bokhylle" ]
|
||||
"buskerud"
|
||||
"dagali"
|
||||
"demiurgen"
|
||||
"drolsum"
|
||||
"eirin"
|
||||
"georg"
|
||||
"ildkule"
|
||||
"isvegg"
|
||||
"tom"
|
||||
"knutsen"
|
||||
[ "microbel" "pvv-users" "pvv-mail" ]
|
||||
"orchid"
|
||||
"shark"
|
||||
"tallulah"
|
||||
"tom"
|
||||
"venture"
|
||||
];
|
||||
|
||||
rootMachines = [
|
||||
[ "sleipner" "pvv-salt" ]
|
||||
[ "ameno" "pvv-dns" ]
|
||||
[ "balduzius" "pvv-krb" ]
|
||||
[ "innovation" "pvv-minecraft" ]
|
||||
"ludvigsen"
|
||||
[ "principal" "pvv-backup" ]
|
||||
[ "skrott" "dibbler" ]
|
||||
[ "sleipner" "pvv-salt" ]
|
||||
];
|
||||
|
||||
# Either( String [String] AttrSet{String} ) -> AttrSet{String}
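Review bot: `"tom"` appears twice in the host list (once between `"isvegg"` and `"knutsen"`, once between `"tallulah"` and `"venture"`); the rendered view does not mark which side each line is on, but the second list is otherwise alphabetical and the first occurrence breaks that order, so it reads as two new-side entries with one left over from editing. Depending on how the `Either( String [String] AttrSet{String} ) -> AttrSet{String}` helper below merges entries, a duplicate yields either two identical host stanzas or a duplicate-attribute evaluation error, so dropping the out-of-order one is worth doing either way. The enclosing `let` starts before the hunk.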
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, unstable-pkgs, lib, ... }:
|
||||
{
|
||||
home.packages = with pkgs; [ zed-editor ];
|
||||
home.packages = with unstable-pkgs; [ zed-editor ];
|
||||
|
||||
xdg.configFile."zed/settings.json".source = let
|
||||
format = pkgs.formats.json { };
|
||||
|
|
|
@ -12,7 +12,9 @@ in {
|
|||
./programs/ssh.nix
|
||||
./programs/usbtop.nix
|
||||
|
||||
./services/cups.nix
|
||||
./services/dbus.nix
|
||||
./services/logrotate.nix
|
||||
./services/openssh.nix
|
||||
./services/pcscd.nix
|
||||
./services/pipewire.nix
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
systemd.services = lib.mkIf config.services.printing.enable {
|
||||
cups.serviceConfig = {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
cups-browsed.serviceConfig = {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
}
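Review bot: `ProtectSystem = "strict"` is applied to both cups and cups-browsed with no `ReadWritePaths`, `StateDirectory` or `CacheDirectory`, so unless the NixOS printing module already grants writable paths, cupsd gets a read-only tree outside /dev, /proc and /sys and cannot write its spool and cache directories; `PrivateDevices = true` plus `DevicePolicy = "closed"` would also hide USB printer device nodes, so this needs checking on a host with a local printer. `PrivateUsers = true` and the empty `CapabilityBoundingSet` deserve the same check: cupsd starts as root and switches uid for filters and backends, which needs CAP_SETUID/CAP_SETGID, so it may not start at all under this unit. On style, the two `serviceConfig` attrsets are byte-for-byte identical from `PrivateTmp` through `UMask`, so a single `let`-bound attrset applied to both units keeps them from drifting apart; `ProtectClock= true;`, `RestrictNamespaces=true;`, `RestrictRealtime=true;` and `RestrictSUIDSGID=true;` also break the spacing used on every other line.
```nix
{ config, lib, ... }:
let
  # Hardening shared by cupsd and cups-browsed; one definition so the units stay in lockstep.
  hardening = {
    # … unchanged: the PrivateTmp … UMask directives from cups.serviceConfig …
  };
in {
  systemd.services = lib.mkIf config.services.printing.enable {
    cups.serviceConfig = hardening;
    cups-browsed.serviceConfig = hardening;
  };
}
```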
|
|
@ -0,0 +1,42 @@
|
|||
{ ... }:
|
||||
{
|
||||
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
|
||||
systemd.services.logrotate = {
|
||||
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
|
||||
unitConfig.RequiresMountsFor = "/var/log";
|
||||
serviceConfig = {
|
||||
Nice = 19;
|
||||
IOSchedulingClass = "best-effort";
|
||||
IOSchedulingPriority = 7;
|
||||
|
||||
ReadWritePaths = [ "/var/log" ];
|
||||
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true; # disable for third party rotate scripts
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true; # disable for mail delivery
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true; # disable for userdir logs
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "full";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true; # disable for creating setgid directories
|
||||
SocketBindDeny = [ "any" ];
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
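Review bot: `AmbientCapabilities = [ "" ]` and `CapabilityBoundingSet = [ "" ]` strip every capability, and since no `User` is set logrotate runs as uid 0 without CAP_DAC_OVERRIDE, CAP_CHOWN, CAP_FOWNER or CAP_SETUID, so it can neither read logs owned by another user with restrictive modes nor honour `su` / `create mode owner group` directives — unless every rotated log on these hosts is root-owned, rotation will fail for service logs. The inline caveats copied from the upstream example (`# disable for mail delivery`, `# disable for userdir logs`, `# disable for third party rotate scripts`) are all left enabled, which is a fine default, but a header comment stating which of those features this host's logrotate config relies on would tell the next reader whether that is deliberate. `ReadWritePaths = [ "/var/log" ]` does nothing under `ProtectSystem = "full"` (which leaves /var writable) and only matters if it is later raised to `"strict"`; a comment such as `# present so ProtectSystem can be tightened to "strict" without further changes` would explain why it is kept.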
|
|
@ -0,0 +1,19 @@
|
|||
{ ... }:
|
||||
{
|
||||
# TODO: Reproducible certificates
|
||||
services.journald.remote = {
|
||||
enable = true;
|
||||
settings.Remote = {
|
||||
# ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
|
||||
# ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
|
||||
ServerKeyFile = "/etc/journald-remote-certs/key.pem";
|
||||
ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
|
||||
TrustedCertificateFile = "-";
|
||||
};
|
||||
};
|
||||
|
||||
# systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
|
||||
# "key.pem:/etc/journald-remote-certs/key.pem"
|
||||
# "cert.pem:/etc/journald-remote-certs/cert.pem"
|
||||
# ];
|
||||
}
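Review bot: `TrustedCertificateFile = "-"` on the receiver opts out of client-certificate verification (journal-remote.conf documents a CA path or `all` for this; whether `-` is honoured the same way or makes the daemon fall back to the default `/etc/ssl/ca/trusted.pem` should be confirmed for this systemd version), so any host that can reach the listener on 19532 can push arbitrary journal records into this machine's log store. Pointing it at the uploaders' CA — or at least constraining the socket with `IPAddressAllow` — is what the TLS setup exists for. The private key is read straight from `/etc/journald-remote-certs/key.pem`; the commented `LoadCredential` variant is the better shape because the key is then delivered through the service's credentials directory and needs no world-readable path, and the commented `ServerCertificateFile` line has a `/.pem` typo (missing file name) that should be fixed before it is re-enabled. The `# TODO: Reproducible certificates` comment would help more if it named where the certs are expected to come from.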
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
./services/avahi.nix
|
||||
./services/docker.nix
|
||||
./services/journald-remote.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.journald.upload = {
|
||||
enable = true;
|
||||
settings.Upload = {
|
||||
URL = "https://10.250.14.105:19532";
|
||||
# ServerKeyFile = toString ./key.pem;
|
||||
# ServerCertificateFile = toString ./cert.pem;
|
||||
ServerKeyFile = "-";
|
||||
ServerCertificateFile = "-";
|
||||
TrustedCertificateFile = "-";
|
||||
};
|
||||
};
|
||||
}
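Review bot: All three TLS identity settings on the uploader are disabled (`ServerKeyFile = "-"`, `ServerCertificateFile = "-"`, `TrustedCertificateFile = "-"`) while the `URL` is https, so if `-` is honoured as an opt-out the client neither presents a certificate nor verifies the collector's, and the transport authenticates nobody — anything that answers on 10.250.14.105:19532 from this host's point of view receives the journal stream. The minimum worth doing is pointing `TrustedCertificateFile` at the collector's own certificate (or its CA) so uploads only succeed against the intended receiver. Before the commented `ServerKeyFile = toString ./key.pem;` is re-enabled, note that this configuration appears to be a flake (`inherit inputs`, `self` elsewhere in the series), whose source tree is copied into the world-readable Nix store, so a `key.pem` checked in next to this module would be exposed there and in git; an absolute path or `LoadCredential` is the right shape for the key.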
|