-rw-r--r--README.org6
-rw-r--r--config/nix.org85
-rw-r--r--nix/flake.lock71
-rw-r--r--nix/modules/configuration.nix49
-rw-r--r--nix/modules/firejail.nix20
-rw-r--r--nix/modules/impermanence.nix2
-rw-r--r--nix/systems/continuity/default.nix1
-rw-r--r--nix/systems/installer/default.nix5
8 files changed, 224 insertions, 15 deletions
diff --git a/README.org b/README.org
index 9a9f5a0..3afd8bf 100644
--- a/README.org
+++ b/README.org
@@ -28,11 +28,7 @@ then reboot, and run:
#+begin_src bash
cd $HOME/monorepo && git pull
#+end_src
-That's all! Note that if you install with an encrypted disk, you will have to run:
-#+begin_src bash
- echo "password123" > /tmp/secret.key
-#+end_src
-before ~nix_installer~.
+That's all!
** Post-setup
In emacs, run ~M-x all-the-icons-install-fonts, ~~M-x nerd-icons-install-fonts~, and ~M-x org-roam-db-sync~. Install your music to ~$HOME/music~ for
emms. In firefox, go to the three-bar menu and enable all the add-ons that were automatically installed. Set up the ~mu~ program in order to
diff --git a/config/nix.org b/config/nix.org
index a8f8a75..b82978e 100644
--- a/config/nix.org
+++ b/config/nix.org
@@ -1196,7 +1196,7 @@ This is my impermanence profile, which removes all files on reboot except for th
umount /btrfs_tmp
'' else "");
- boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then {
+ boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then {
crypted = {
device = "/dev/disk/by-partlabel/disk-main-luks";
};
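Review bot: The new condition `(! (config.monorepo.vars.fileSystem == "btrfs"))` declares the `crypted` LUKS mapping only for non-btrfs systems, whereas the removed line keyed it to the impermanence profile this section describes; a system that sets `fileSystem = "btrfs"` (continuity, in a later hunk of this commit) therefore loses the initrd unlock entry unless another module declares it, which is worth confirming against the disk layout that is outside this hunk. Stylistically the double negation reads more plainly as `config.monorepo.vars.fileSystem != "btrfs"`. The identical line is tangled into nix/modules/impermanence.nix at its `@@ -32,7 +32,7 @@` hunk, and the enclosing attribute set continues past the hunk.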
@@ -1260,6 +1260,31 @@ This is my impermanence profile, which removes all files on reboot except for th
};
}
#+end_src
+** Firejail
+I know there are some security issues with firejail, but it's probably better than nothing. I'm looking to replace this with bubblewrap in the
+future. Note that I am also going to use AppArmor more often.
+#+begin_src nix :tangle ../nix/modules/firejail.nix
+ { pkgs, lib, ... }:
+ {
+ programs.firejail = {
+ enable = true;
+ wrappedBinaries = {
+ firefox = {
+ executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ emacs = {
+ executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs";
+ profile = "${pkgs.firejail}/etc/firejail/emacs.profile";
+ };
+ zathura = {
+ executable = "${lib.getBin pkgs.zathura}/bin/zathura";
+ profile = "${pkgs.firejail}/etc/firejail/zathura.profile";
+ };
+ };
+ };
+ }
+#+end_src
** Main Configuration
This is the backbone of the all the NixOS configurations, with all these options being shared
because they enhance security.
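Review bot: The three `wrappedBinaries` entries only cover PATH lookups of `firefox`, `emacs` and `zathura`; anything that executes the underlying store path directly — a desktop entry shipped by the package, or another program spawning the full path — appears to run without the sandbox, so the prose above the block promises more than the module enforces unless those launch points are also routed through the wrapper (the rest of the package set is not visible here). A short comment in the module would record the limit, e.g. `# Only PATH invocations of these names are sandboxed; launchers must call the wrapper, not the store path.`. The same block is tangled to the new nix/modules/firejail.nix in a later hunk of this commit.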
@@ -1288,6 +1313,7 @@ because they enhance security.
./znc.nix
./docker.nix
./impermanence.nix
+ ./firejail.nix
];
documentation = {
@@ -1321,7 +1347,10 @@ because they enhance security.
boot = {
-
+ supportedFilesystems = {
+ btrfs = true;
+ ext4 = true;
+ };
extraModprobeConfig = ''
options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
'';
@@ -1451,9 +1480,49 @@ because they enhance security.
};
networking = {
- useDHCP = lib.mkDefault true;
+ useDHCP = false;
+ dhcpcd.enable = false;
+ nameservers = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
networkmanager = {
enable = true;
+ wifi.powersave = false;
+ ensureProfiles = {
+ profiles = {
+ home-wifi = {
+ connection = {
+ id = "home-wifi";
+ permissions = "";
+ type = "wifi";
+ };
+ ipv4 = {
+ dns-search = "";
+ method = "auto";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ dns-search = "";
+ method = "auto";
+ };
+ wifi = {
+ mac-address-blacklist = "";
+ mode = "infrastructure";
+ ssid = "TELUS6572";
+ };
+ wifi-security = {
+ auth-alg = "open";
+ key-mgmt = "wpa-psk";
+ # when someone actually steals my internet then I will be concerned.
+ # This password only matters if you actually show up to my house in real life.
+ # That would perhaps allow for some nasty networking related shenanigans.
+ # I guess we'll cross that bridge when I get there.
+ psk = "b4xnrv6cG6GX";
+ };
+ };
+ };
+ };
};
firewall = {
allowedTCPPorts = [ 22 11434 ];
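Review bot: The `psk = "b4xnrv6cG6GX"` in the wifi-security block is a plaintext credential committed to a published repository, and once this module is evaluated NixOS also copies it into the world-readable Nix store, so the comment above it understates the exposure: every local account and every backup of the store can read it, not just someone at the house. NetworkManager's `ensureProfiles` can substitute secrets from a root-only file; write `psk = "$HOME_WIFI_PSK";` and `ensureProfiles.environmentFiles = [ "/PLACEHOLDER/root-only/wifi.env" ];` (placeholder path), keep that file out of the repo and on the persisted volume if impermanence is enabled, and rotate the value that is already in history. The same block is tangled into nix/modules/configuration.nix at the hunk ending with the same `allowedTCPPorts` line, which needs the identical change.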
@@ -1541,6 +1610,7 @@ because they enhance security.
lockKernelModules = true;
protectKernelImage = true;
+
allowSimultaneousMultithreading = true;
forcePageTableIsolation = true;
@@ -3669,7 +3739,8 @@ system. Also more common configuration can go here.
# Put configuration (e.g. monorepo variable configuration) common to all configs here
}
#+end_src
-** Home Manager Common
+*** Home Manager Common
+Also I want to have the same kind of file for the home namespace.
#+begin_src nix :tangle ../nix/systems/home-common.nix
{ lib, config, ... }:
{
@@ -3696,6 +3767,7 @@ This is pretty understandable, if you understand all the above.
fileSystem = "btrfs";
};
};
+ networking.networkmanager.wifi.backend = "iwd";
};
}
#+end_src
@@ -3917,7 +3989,10 @@ This contains the installation script I use to install my systems.
cd "$HOME"
fi
- gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select `new` in order to create a new system."
+ gum style --border normal --margin "1" --padding "1 2" "Enter a password for the encrypted disk. If you're not installing a profile with an encrypted disk, you can leave this blank."
+ echo "$(gum input --password)" > /tmp/secret.key
+
+ gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select \`new\` in order to create a new system."
SYSTEM="$(gum choose $(find "$HOME/monorepo/nix/systems" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | grep -v -E 'installer'; printf "New"))"
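Review bot: `echo "$(gum input --password)" > /tmp/secret.key` creates the key file under the caller's default umask, so it is typically readable by every user on the installer for as long as it exists, and `echo` appends a newline (and would interpret an input beginning with `-n` or `-e`), which becomes part of the key if the file is later passed to cryptsetup as a key file; whether that still matches the passphrase typed at boot depends on the consumer, which is outside this hunk. Write `(umask 077; printf '%s' "$(gum input --password)" > /tmp/secret.key)` and remove the file once the install finishes. The identical lines appear in nix/systems/installer/default.nix at the last hunk of this commit, and the script continues beyond the hunk.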
diff --git a/nix/flake.lock b/nix/flake.lock
index 2baf2b2..06f3f02 100644
--- a/nix/flake.lock
+++ b/nix/flake.lock
@@ -152,6 +152,27 @@
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
+ "nixpak",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1756770412,
+ "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "4524271976b625a4a605beefd893f270620fd751",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_3": {
+ "inputs": {
+ "nixpkgs-lib": [
"nur",
"nixpkgs"
]
@@ -250,6 +271,31 @@
"type": "github"
}
},
+ "hercules-ci-effects": {
+ "inputs": {
+ "flake-parts": [
+ "nixpak",
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpak",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1758022363,
+ "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=",
+ "owner": "hercules-ci",
+ "repo": "hercules-ci-effects",
+ "rev": "1a3667d33e247ad35ca250698d63f49a5453d824",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "hercules-ci-effects",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -359,6 +405,28 @@
"type": "github"
}
},
+ "nixpak": {
+ "inputs": {
+ "flake-parts": "flake-parts_2",
+ "hercules-ci-effects": "hercules-ci-effects",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1758163506,
+ "narHash": "sha256-eGksZmv1ie834yfgJW0z85eZZo10A/JE+6dhHNWQajQ=",
+ "owner": "nixpak",
+ "repo": "nixpak",
+ "rev": "17df00be4383dbf88c42ed1fa519cc6dd71df042",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixpak",
+ "repo": "nixpak",
+ "type": "github"
+ }
+ },
"nixpkgs": {
"locked": {
"lastModified": 1755615617,
@@ -441,7 +509,7 @@
},
"nur": {
"inputs": {
- "flake-parts": "flake-parts_2",
+ "flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_3"
},
"locked": {
@@ -521,6 +589,7 @@
"lanzaboote": "lanzaboote",
"nix-topology": "nix-topology",
"nixos-dns": "nixos-dns",
+ "nixpak": "nixpak",
"nixpkgs": "nixpkgs_2",
"nur": "nur",
"scripts": "scripts",
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index 5b44fc4..bf73117 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -22,6 +22,7 @@
./znc.nix
./docker.nix
./impermanence.nix
+ ./firejail.nix
];
documentation = {
@@ -55,7 +56,10 @@
boot = {
-
+ supportedFilesystems = {
+ btrfs = true;
+ ext4 = true;
+ };
extraModprobeConfig = ''
options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
'';
@@ -185,9 +189,49 @@
};
networking = {
- useDHCP = lib.mkDefault true;
+ useDHCP = false;
+ dhcpcd.enable = false;
+ nameservers = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
networkmanager = {
enable = true;
+ wifi.powersave = false;
+ ensureProfiles = {
+ profiles = {
+ home-wifi = {
+ connection = {
+ id = "home-wifi";
+ permissions = "";
+ type = "wifi";
+ };
+ ipv4 = {
+ dns-search = "";
+ method = "auto";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ dns-search = "";
+ method = "auto";
+ };
+ wifi = {
+ mac-address-blacklist = "";
+ mode = "infrastructure";
+ ssid = "TELUS6572";
+ };
+ wifi-security = {
+ auth-alg = "open";
+ key-mgmt = "wpa-psk";
+ # when someone actually steals my internet then I will be concerned.
+ # This password only matters if you actually show up to my house in real life.
+ # That would perhaps allow for some nasty networking related shenanigans.
+ # I guess we'll cross that bridge when I get there.
+ psk = "b4xnrv6cG6GX";
+ };
+ };
+ };
+ };
};
firewall = {
allowedTCPPorts = [ 22 11434 ];
@@ -275,6 +319,7 @@
lockKernelModules = true;
protectKernelImage = true;
+
allowSimultaneousMultithreading = true;
forcePageTableIsolation = true;
diff --git a/nix/modules/firejail.nix b/nix/modules/firejail.nix
new file mode 100644
index 0000000..054171a
--- /dev/null
+++ b/nix/modules/firejail.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+ programs.firejail = {
+ enable = true;
+ wrappedBinaries = {
+ firefox = {
+ executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ emacs = {
+ executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs";
+ profile = "${pkgs.firejail}/etc/firejail/emacs.profile";
+ };
+ zathura = {
+ executable = "${lib.getBin pkgs.zathura}/bin/zathura";
+ profile = "${pkgs.firejail}/etc/firejail/zathura.profile";
+ };
+ };
+ };
+}
diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix
index aa876d9..d728b6a 100644
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
@@ -32,7 +32,7 @@
umount /btrfs_tmp
'' else "");
- boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then {
+ boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then {
crypted = {
device = "/dev/disk/by-partlabel/disk-main-luks";
};
diff --git a/nix/systems/continuity/default.nix b/nix/systems/continuity/default.nix
index d1484c2..2520712 100644
--- a/nix/systems/continuity/default.nix
+++ b/nix/systems/continuity/default.nix
@@ -12,5 +12,6 @@
fileSystem = "btrfs";
};
};
+ networking.networkmanager.wifi.backend = "iwd";
};
}
diff --git a/nix/systems/installer/default.nix b/nix/systems/installer/default.nix
index 780e2ee..6b63984 100644
--- a/nix/systems/installer/default.nix
+++ b/nix/systems/installer/default.nix
@@ -65,7 +65,10 @@ if [ ! -d "$HOME/monorepo/" ]; then
cd "$HOME"
fi
-gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select `new` in order to create a new system."
+gum style --border normal --margin "1" --padding "1 2" "Enter a password for the encrypted disk. If you're not installing a profile with an encrypted disk, you can leave this blank."
+echo "$(gum input --password)" > /tmp/secret.key
+
+gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select \`new\` in order to create a new system."
SYSTEM="$(gum choose $(find "$HOME/monorepo/nix/systems" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | grep -v -E 'installer'; printf "New"))"