

12 Commits

13 changed files with 179 additions and 14 deletions


@ -190,6 +190,7 @@
useGlobalPkgs = true;
extraSpecialArgs = {
inherit inputs;
inherit unstable-pkgs;
inherit (self) extendedLib;
inherit (config) machineVars;
secrets = secrets.outputs.settings;


@ -99,6 +99,7 @@ in {
sessionVariables = {
CARGO_NET_GIT_FETCH_WITH_CLI = "true";
PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
_JAVA_AWT_WM_NONREPARENTING = "1";
};
};


@ -17,6 +17,7 @@
gpg-tui
gping
graphviz
hexyl
httpie
imagemagick
jq
@ -24,6 +25,7 @@
# keybase
keymapviz
libwebp
lnav
lolcat
mdcat
mediainfo
@ -44,6 +46,7 @@
pandoc
parallel
progress
pwntools
python3
rclone
ripgrep
@ -89,10 +92,12 @@
discord
element-desktop
geogebra
ghidra
gimp
gnome.gnome-font-viewer
gnome.seahorse
google-chrome
imhex
inkscape
insomnia
iwgtk


@ -4,7 +4,7 @@
enable = true;
settings = {
gitProtocol = "ssh";
pager = "${pkgs.bat}/git/bat";
pager = "${pkgs.bat}/bin/bat";
aliases = {
co = "pr checkout";
pv = "pr view";


@ -10,26 +10,35 @@ let
proxyJump = lib.mkDefault null;
addressFamily = "inet";
}
"dagali"
"drolsum"
"demiurgen"
"eirin"
[ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
"ildkule"
"shark"
"buskerud"
[ "bicep" "pvv-databases" ]
"bob"
"knutsen"
[ "brzeczyszczykiewicz" "brez" "bokhylle" ]
"buskerud"
"dagali"
"demiurgen"
"drolsum"
"eirin"
"georg"
"ildkule"
"isvegg"
"tom"
"knutsen"
[ "microbel" "pvv-users" "pvv-mail" ]
"orchid"
"shark"
"tallulah"
"tom"
"venture"
];
rootMachines = [
[ "sleipner" "pvv-salt" ]
[ "ameno" "pvv-dns" ]
[ "balduzius" "pvv-krb" ]
[ "innovation" "pvv-minecraft" ]
"ludvigsen"
[ "principal" "pvv-backup" ]
[ "skrott" "dibbler" ]
[ "sleipner" "pvv-salt" ]
];
# Either( String [String] AttrSet{String} ) -> AttrSet{String}


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, unstable-pkgs, lib, ... }:
{
home.packages = with pkgs; [ zed-editor ];
home.packages = with unstable-pkgs; [ zed-editor ];
xdg.configFile."zed/settings.json".source = let
format = pkgs.formats.json { };


@ -12,7 +12,9 @@ in {
./programs/ssh.nix
./programs/usbtop.nix
./services/cups.nix
./services/dbus.nix
./services/logrotate.nix
./services/openssh.nix
./services/pcscd.nix
./services/pipewire.nix


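--- /dev/null
+++ b/<PATH-NOT-SHOWN>/services/cups.nix
@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+{
+systemd.services = lib.mkIf config.services.printing.enable {
+cups.serviceConfig = {
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+ProtectClock= true;
+ProtectControlGroups = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+PrivateDevices = true;
+NoNewPrivileges = true;
+# User =
+AmbientCapabilities = [ "" ];
+CapabilityBoundingSet = [ "" ];
+DevicePolicy = "closed";
+KeyringMode = "private";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+PrivateUsers = true;
+RemoveIPC = true;
+# RestrictAddressFamilies = [ "" ];
+RestrictNamespaces=true;
+RestrictRealtime=true;
+RestrictSUIDSGID=true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+];
+UMask = "0077";
+};
+cups-browsed.serviceConfig = {
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+ProtectClock= true;
+ProtectControlGroups = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+PrivateDevices = true;
+NoNewPrivileges = true;
+# User =
+AmbientCapabilities = [ "" ];
+CapabilityBoundingSet = [ "" ];
+DevicePolicy = "closed";
+KeyringMode = "private";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+PrivateUsers = true;
+RemoveIPC = true;
+# RestrictAddressFamilies = [ "" ];
+RestrictNamespaces=true;
+RestrictRealtime=true;
+RestrictSUIDSGID=true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+];
+UMask = "0077";
+};
+};
+}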
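Review bot: The profile leaves cupsd running as root (`# User =` is still commented out) yet strips every capability (`CapabilityBoundingSet = [ "" ]`), filters `~@privileged`, hides physical devices (`PrivateDevices = true`, `DevicePolicy = "closed"`) and mounts the tree read-only (`ProtectSystem = "strict"`) with no `ReadWritePaths`; unless the NixOS printing module already grants these, cupsd will presumably be unable to bind port 631, drop to the lp user for filters, write its spool, or reach USB-attached printers, so a print job should be verified end-to-end before this is merged. `# RestrictAddressFamilies = [ "" ];` is left commented in both units; `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` is the usual value for a network daemon (cups-browsed may additionally need `AF_NETLINK` — confirm). The two serviceConfig attrsets are byte-identical, so lift them into a single `let` binding so that a later relaxation of one cannot silently diverge from the other, and normalise the `ProtectClock= true` / `RestrictNamespaces=true` spacing while doing so.
```nix
{ config, lib, ... }:
let
  # One sandbox profile shared by cupsd and cups-browsed.
  hardening = {
    PrivateTmp = true;
    ProtectSystem = "strict";
    # … unchanged: remaining Protect*/Private*/Restrict*/SystemCall* options …
    UMask = "0077";
  };
in
{
  systemd.services = lib.mkIf config.services.printing.enable {
    cups.serviceConfig = hardening;
    cups-browsed.serviceConfig = hardening;
  };
}
```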


@ -0,0 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}
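Review bot: `AmbientCapabilities = [ "" ]` and `CapabilityBoundingSet = [ "" ]` leave a root-owned oneshot with no capabilities at all, so if the generated logrotate config contains any `create <mode> <owner> <group>` or `su` directive, or a postrotate script that signals another daemon, those operations will fail with EPERM inside the sandbox. If such entries exist, grant only the narrow set they need, e.g. `CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_SETUID" "CAP_SETGID" "CAP_KILL" ];`, rather than dropping the hardening wholesale. The `# source:` comment would be more useful if it also listed where this unit deliberately diverges from the upstream example (the capability lines in particular), so the next reader does not re-import upstream over it; the inline `# disable for ...` hints are the right idea and should cover every option that has a known functional trade-off.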


@ -0,0 +1,19 @@
{ ... }:
{
# TODO: Reproducible certificates
services.journald.remote = {
enable = true;
settings.Remote = {
# ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
# ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
ServerKeyFile = "/etc/journald-remote-certs/key.pem";
ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
TrustedCertificateFile = "-";
};
};
# systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
# "key.pem:/etc/journald-remote-certs/key.pem"
# "cert.pem:/etc/journald-remote-certs/cert.pem"
# ];
}
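Review bot: `TrustedCertificateFile = "-"` on the collector does not pin any CA, so — confirm how journal-remote interprets `-` for this option, since for journal-upload it means checking is disabled — any host that can reach the listener can push arbitrary entries into this machine's journal (forged log lines, disk exhaustion), and it should point at the CA that signs the client certificates, e.g. `TrustedCertificateFile = "<PATH-TO-CA-PEM>";` (placeholder), once the `# TODO: Reproducible certificates` is resolved. The key at `/etc/journald-remote-certs/key.pem` must be readable by the service user, which for a file under `/etc` tends to end up world-readable; the commented `LoadCredential` block is the better mechanism and should replace the `/etc` paths rather than sit next to them. The commented credential path for `ServerCertificateFile` is missing its file name (`/.pem`), which will bite whoever uncomments it.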


@ -5,6 +5,7 @@
./services/avahi.nix
./services/docker.nix
./services/journald-remote.nix
];
boot.loader.systemd-boot.enable = true;


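--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,14 @@
+{ ... }:
+{
+services.journald.upload = {
+enable = true;
+settings.Upload = {
+URL = "https://10.250.14.105:19532";
+# ServerKeyFile = toString ./key.pem;
+# ServerCertificateFile = toString ./cert.pem;
+ServerKeyFile = "-";
+ServerCertificateFile = "-";
+TrustedCertificateFile = "-";
+};
+};
+}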
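Review bot: `TrustedCertificateFile = "-"` disables verification of the collector's certificate, so the `https://` in `URL = "https://10.250.14.105:19532"` protects the forwarded journal only against passive observers: whoever can answer for that address can impersonate the collector and receive every log line, and with `ServerKeyFile = "-"` / `ServerCertificateFile = "-"` the collector cannot distinguish this client from an impostor either. Pin the CA with `TrustedCertificateFile = "<PATH-TO-CA-PEM>";` (placeholder) and supply the client key and certificate via `LoadCredential` rather than the commented `toString ./key.pem`, which would copy the private key into the world-readable Nix store. A `# TODO` line here matching the one on the remote side would keep the two halves of the setup in step.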