Diffstat (limited to 'config/nix.org')
| -rw-r--r-- | config/nix.org | 85 |
1 files changed, 80 insertions, 5 deletions
diff --git a/config/nix.org b/config/nix.org index a8f8a75..b82978e 100644 --- a/config/nix.org +++ b/config/nix.org @@ -1196,7 +1196,7 @@ This is my impermanence profile, which removes all files on reboot except for th umount /btrfs_tmp '' else ""); - boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then { + boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then { crypted = { device = "/dev/disk/by-partlabel/disk-main-luks"; }; @@ -1260,6 +1260,31 @@ This is my impermanence profile, which removes all files on reboot except for th }; } #+end_src +** Firejail +I know there are some security issues with firejail, but it's probably better than nothing. I'm looking to replace this with bubblewrap in the +future. Note that I am also going to use AppArmor more often. +#+begin_src nix :tangle ../nix/modules/firejail.nix + { pkgs, lib, ... }: + { + programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = { + executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox"; + profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; + }; + emacs = { + executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs"; + profile = "${pkgs.firejail}/etc/firejail/emacs.profile"; + }; + zathura = { + executable = "${lib.getBin pkgs.zathura}/bin/zathura"; + profile = "${pkgs.firejail}/etc/firejail/zathura.profile"; + }; + }; + }; + } +#+end_src ** Main Configuration This is the backbone of the all the NixOS configurations, with all these options being shared because they enhance security. @@ -1288,6 +1313,7 @@ because they enhance security. ./znc.nix ./docker.nix ./impermanence.nix + ./firejail.nix ]; documentation = { @@ -1321,7 +1347,10 @@ because they enhance security. boot = { - + supportedFilesystems = { + btrfs = true; + ext4 = true; + }; extraModprobeConfig = '' options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 ''; 
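Review bot: The replacement condition on the `boot.initrd.luks.devices` line, `! (config.monorepo.vars.fileSystem == "btrfs")`, is the long form of `config.monorepo.vars.fileSystem != "btrfs"` and should be written that way. Tying the presence of the `crypted` LUKS entry to the filesystem type rather than to an explicit encryption flag is also a non-obvious coupling that a future btrfs-on-LUKS host would trip over, so it deserves a one-line comment stating the intent, e.g. `# LUKS is only set up for the non-btrfs disk layout; btrfs profiles use the impermanence path above`, if that is what is meant. The surrounding `if` expression starts and ends outside the hunk.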
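Review bot: The `wrappedBinaries` entries in the Firejail hunk only sandbox invocations that resolve `firefox`, `emacs` and `zathura` through `PATH`; a desktop launcher that points at the package's store path starts the unwrapped binary and bypasses the sandbox entirely. Where the NixOS module in use supports it, each entry should also set the `desktop` attribute to the package's `.desktop` file (e.g. `desktop = "${pkgs.firefox-bin}/share/applications/firefox.desktop";`) so the wrapper is used from the menu too. Since the profiles are taken verbatim from `${pkgs.firejail}/etc/firejail/` and firejail itself is the setuid helper the prose alludes to, it is worth recording that these are unreviewed upstream defaults, e.g. `# upstream firejail profiles, not tightened for this host; revisit when moving to bubblewrap`.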
@@ -1451,9 +1480,49 @@ because they enhance security. }; networking = { - useDHCP = lib.mkDefault true; + useDHCP = false; + dhcpcd.enable = false; + nameservers = [ + "1.1.1.1" + "8.8.8.8" + ]; networkmanager = { enable = true; + wifi.powersave = false; + ensureProfiles = { + profiles = { + home-wifi = { + connection = { + id = "home-wifi"; + permissions = ""; + type = "wifi"; + }; + ipv4 = { + dns-search = ""; + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + dns-search = ""; + method = "auto"; + }; + wifi = { + mac-address-blacklist = ""; + mode = "infrastructure"; + ssid = "TELUS6572"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + # when someone actually steals my internet then I will be concerned. + # This password only matters if you actually show up to my house in real life. + # That would perhaps allow for some nasty networking related shenanigans. + # I guess we'll cross that bridge when I get there. + psk = "b4xnrv6cG6GX"; + }; + }; + }; + }; }; firewall = { allowedTCPPorts = [ 22 11434 ]; @@ -1541,6 +1610,7 @@ because they enhance security. lockKernelModules = true; protectKernelImage = true; + allowSimultaneousMultithreading = true; forcePageTableIsolation = true; @@ -3669,7 +3739,8 @@ system. Also more common configuration can go here. # Put configuration (e.g. monorepo variable configuration) common to all configs here } #+end_src -** Home Manager Common +*** Home Manager Common +Also I want to have the same kind of file for the home namespace. #+begin_src nix :tangle ../nix/systems/home-common.nix { lib, config, ... }: { @@ -3696,6 +3767,7 @@ This is pretty understandable, if you understand all the above. fileSystem = "btrfs"; }; }; + networking.networkmanager.wifi.backend = "iwd"; }; } #+end_src 
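Review bot: The `psk` literal in the `home-wifi` profile is a credential committed to the repository in clear text, and because `ensureProfiles` renders the connection file from Nix it also lands in the world-readable Nix store of every host that imports this module; the inline comment's reasoning (an attacker has to be physically present) covers neither copy. The value should be pulled from a root-only file kept out of the tree via NetworkManager's environment-file mechanism, e.g. `psk = "$HOME_WIFI_PSK";` together with `networking.networkmanager.ensureProfiles.environmentFiles = [ "/PLACEHOLDER/path/to/wifi-secrets.env" ];` (available in recent NixOS releases), and the current key should be treated as exposed and rotated, since it is now part of the git history regardless of what the next commit does. The `ssid` is likewise identifying information that does not need to be in a published configuration. The empty `mac-address-blacklist = ""` and `dns-search = ""` settings add nothing and can be dropped.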
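Review bot: `allowSimultaneousMultithreading = true` in the `security` block reverses the SMT disable that the neighbouring hardening options (`lockKernelModules`, `protectKernelImage`, `forcePageTableIsolation`) are otherwise paired with, and the line carries no explanation of the trade-off. A why-comment keeps the decision visible in later reviews, e.g. `# SMT re-enabled for throughput; accepts the cross-sibling-thread side-channel exposure that the nosmt default mitigates`. The `security` attribute set starts and ends outside the hunk.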
@@ -3917,7 +3989,10 @@ This contains the installation script I use to install my systems. cd "$HOME" fi - gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select `new` in order to create a new system." + gum style --border normal --margin "1" --padding "1 2" "Enter a password for the encrypted disk. If you're not installing a profile with an encrypted disk, you can leave this blank." + echo "$(gum input --password)" > /tmp/secret.key + + gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select \`new\` in order to create a new system." SYSTEM="$(gum choose $(find "$HOME/monorepo/nix/systems" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | grep -v -E 'installer'; printf "New"))" |
