Diffstat (limited to 'configuration.nix')
-rw-r--r-- | configuration.nix | 396 |
1 files changed, 204 insertions, 192 deletions
diff --git a/configuration.nix b/configuration.nix
index 9c84dc1..303e697 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, inputs, ... }:
 {
   imports =
@@ -6,33 +6,167 @@
     ./hardware-configuration.nix
   ];
+  documentation = {
+    enable = true;
+    man.enable = true;
+    dev.enable = true;
+  };
+
+  environment = {
+    etc = {
+      securetty.text = ''
+        # /etc/securetty: list of terminals on which root is allowed to login.
+        # See securetty(5) and login(1).
+      '';
+    };
+  };
+  # environment = {
+  #   memoryAllocator.provider = "scudo";
+  #   variables.SCUDO_OPTIONS = "ZeroContents=1";
+  # };
+
+  # environment = {
+  #   memoryAllocator.provider = "graphene-hardened-light";
+  # };
+
+  systemd = {
+    coredump.enable = false;
+    network.config.networkConfig.IPv6PrivacyExtensions = "kernel";
+    tmpfiles.settings = {
+      "restricthome"."/home/*".Z.mode = "~0700";
+
+      "restrictetcnixos"."/etc/nixos/*".Z = {
+        mode = "0000";
+        user = "root";
+        group = "root";
+      };
+    };
+  };
   boot = {
+    initrd.luks.devices."luks-30d6b69f-1ec0-4111-b5d3-c0138d485a49".device = "/dev/disk/by-uuid/30d6b69f-1ec0-4111-b5d3-c0138d485a49";
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+
     loader = {
-      systemd-boot.enable = true;
+      systemd-boot.enable = lib.mkForce false;
       efi.canTouchEfiVariables = true;
     };
+    kernelModules = [ "snd-seq" "snd-rawmidi" "xhci_hcd" ];
+
     kernelParams = [
-      "usbcore.autosuspend=-1"
-      "usbcore.quirks=0763:0015:i"
+      "debugfs=off"
+      "page_alloc.shuffle=1"
+      "slab_nomerge"
+      "page_poison=1"
+
+      # madaidan
+      "pti=on"
+      "randomize_kstack_offset=on"
+      "vsyscall=none"
+      "module.sig_enforce=1"
+      "lockdown=confidentiality"
+
+      # cpu
+      "spectre_v2=on"
+      "spec_store_bypass_disable=on"
+      "tsx=off"
+      "tsx_async_abort=full,nosmt"
+      "mds=full,nosmt"
+      "l1tf=full,force"
+      "nosmt=force"
+      "kvm.nx_huge_pages=force"
+
+      # hardened
+      "extra_latent_entropy"
+
+      # mineral
+      "init_on_alloc=1"
+      "random.trust_cpu=off"
+      "random.trust_bootloader=off"
+      "intel_iommu=on"
+      "amd_iommu=force_isolation"
+      "iommu=force"
+      "iommu.strict=1"
+      "init_on_free=1"
+      "quiet"
+      "loglevel=0"
+    ];
+
+    blacklistedKernelModules = [
+      "netrom"
+      "rose"
+
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "ntfs"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
     ];
-    # kernelPackages = pkgs.linuxKernel.packages.linux_6_1;
+
+    kernel.sysctl = {
+      "kernel.ftrace_enabled" = false;
+      "net.core.bpf_jit_enable" = false;
+      "kernel.kptr_restrict" = 2;
+
+      # madaidan
+      "vm.swappiness" = 1;
+      "vm.unprivileged_userfaultfd" = 0;
+      "dev.tty.ldisc_autoload" = 0;
+      "kernel.kexec_load_disabled" = 1;
+      "kernel.sysrq" = 4;
+      "kernel.perf_event_paranoid" = 3;
+
+      # net
+      "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+      "net.ipv4.conf.all.accept_redirects" = false;
+      "net.ipv4.conf.all.secure_redirects" = false;
+      "net.ipv4.conf.default.accept_redirects" = false;
+      "net.ipv4.conf.default.secure_redirects" = false;
+      "net.ipv6.conf.all.accept_redirects" = false;
+      "net.ipv6.conf.default.accept_redirects" = false;
+    };
   };
   networking = {
-    hostName = "continuity";
-    networkmanager.enable = true;
+    hostName = "continuity-dell";
+    networkmanager = {
+      enable = true;
+      # wifi.macAddress = "";
+    };
     firewall = {
-      allowedTCPPorts = [ 22 80 443 6600 8000 8080 18080 37889 11434 7777 ];
+      allowedTCPPorts = [ ];
+      allowedUDPPorts = [ ];
     };
   };
   hardware = {
+    cpu.intel.updateMicrocode = true;
     bluetooth = {
       enable = true;
       powerOnBoot = true;
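Review bot: `systemd.network.config.networkConfig.IPv6PrivacyExtensions = "kernel"` is written to networkd.conf, but this commit keeps `networking.networkmanager.enable = true` and nothing visible enables systemd-networkd, so the privacy-extension setting is unlikely to apply to any interface NetworkManager manages; put it where NetworkManager reads it, `networking.networkmanager.connectionConfig."ipv6.ip6-privacy" = 2;`, or add `"net.ipv6.conf.all.use_tempaddr" = 2;` and `"net.ipv6.conf.default.use_tempaddr" = 2;` to the `kernel.sysctl` block, and while there replace the commented `# wifi.macAddress = "";` with `wifi.macAddress = "random";`, since the Wi-Fi MAC is otherwise left stable. The sysctl list turns off ICMP redirects but not the usual companions `net.ipv4.conf.{all,default}.accept_source_route`, `net.ipv4.conf.{all,default}.send_redirects`, `kernel.dmesg_restrict`, `kernel.unprivileged_bpf_disabled` and `kernel.yama.ptrace_scope` (unless the hardened profile is imported elsewhere in the flake). `module.sig_enforce=1` and the module-signature part of `lockdown=confidentiality` only take effect on a kernel built with CONFIG_MODULE_SIG, which I believe the stock NixOS kernel leaves off for reproducibility, so verify against `/proc/config.gz` after boot and treat the existing `security.lockKernelModules` as the real control for post-boot module loading. Finally, `"restrictetcnixos"."/etc/nixos/*".Z` with mode `"0000"` applies recursively, so an unprivileged user can no longer read or enter the configuration tree; that is fine if rebuilds always run as root, but a comment stating that intent would keep the next edit from "fixing" it.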
@@ -40,32 +174,43 @@
     opengl = {
       enable = true;
-      extraPackages = with pkgs; [
-        vaapiVdpau
-        libvdpau-va-gl
-        nvidia-vaapi-driver
-      ];
-    };
-
-    nvidia = {
-      modesetting.enable = true;
-      powerManagement = {
-        enable = true;
-        finegrained = false;
-      };
-      nvidiaSettings = true;
-      open = false;
-      package = config.boot.kernelPackages.nvidiaPackages.stable;
     };
     pulseaudio.enable = false;
   };
   services = {
+    chrony = {
+      enable = true;
+      enableNTS = true;
+      servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ];
+    };
+
+    jitterentropy-rngd.enable = true;
+    resolved.dnssec = true;
+    usbguard.enable = true;
     dbus = {
       apparmor = "enabled";
     };
+    tor = {
+      enable = true;
+      openFirewall = true;
+      client = {
+        enable = true;
+        socksListenAddress = {
+          IsolateDestAddr = true;
+          addr = "127.0.0.1";
+          port = 9050;
+        };
+        dns.enable = true;
+      };
+      torsocks = {
+        enable = true;
+        server = "127.0.0.1:9050";
+      };
+    };
+
     xserver = {
       displayManager = {
         startx.enable = true;
@@ -88,7 +233,7 @@
         options = "caps:escape";
       };
-      videoDrivers = [ "nvidia" ];
+      videoDrivers = [];
       enable = true;
     };
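Review bot: `resolved.dnssec = true;` assigns a Nix boolean, but `services.resolved.dnssec` is, as far as I recall, a string enum (`"true"`, `"allow-downgrade"`, `"false"`), so this should fail evaluation with a type error; the line should read `resolved.dnssec = "true";` (or `"allow-downgrade"` if upstream resolvers without DNSSEC must keep working). Nothing in the visible hunks enables `services.resolved` itself and the host stays on NetworkManager, so confirm resolved is actually the stub resolver in use before counting on DNSSEC validation. `tor.openFirewall = true` is set on a client-only Tor instance; that option opens relay ports, does nothing useful for a SOCKS client, and contradicts the empty `allowedTCPPorts` list added in the same commit, so drop it. Since `usbguard.enable = true` ships without `rules`, I believe the module generates its initial allow-list from whatever is attached at first start; review `/var/lib/usbguard/rules.conf` afterwards so a device present only at that moment is not permanently trusted.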
@@ -126,70 +271,6 @@
       enable = true;
     };
-    # External
-    calibre-web = {
-      enable = true;
-      user = "preston";
-      openFirewall = true;
-
-      listen = {
-        port = 9999;
-        ip = "0.0.0.0";
-      };
-
-      options = {
-        enableBookUploading = true;
-        enableKepubify = true;
-        enableBookConversion = true;
-        calibreLibrary = "/home/preston/books/physics/";
-      };
-    };
-
-    monero = {
-      enable = true;
-    };
-
-    tor = {
-      enable = true;
-      openFirewall = true;
-    };
-
-    i2pd = {
-      enable = true;
-      address = "0.0.0.0";
-      inTunnels = {
-      };
-      outTunnels = {
-      };
-    };
-
-    ollama = {
-      enable = true;
-      acceleration = "cuda";
-      # host = "0.0.0.0";
-    };
-
-    # Email Service
-    dovecot2 = {
-      enable = true;
-      enableImap = true;
-      enablePop3 = true;
-    };
-
-    postfix = {
-      enable = true;
-      config = {
-      };
-    };
-
-    # Git server
-    gitDaemon = {
-      enable = true;
-      exportAll = true;
-      listenAddress = "0.0.0.0";
-      basePath = "/srv/git";
-    };
-
     openssh = {
       enable = true;
       settings = {
@@ -200,70 +281,6 @@
       };
     };
-    nginx = {
-      enable = true;
-
-      # Use recommended settings
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      # Only allow PFS-enabled ciphers with AES256
-      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
-      appendHttpConfig = ''
-        # Add HSTS header with preloading to HTTPS requests.
-        # Adding this header to HTTP requests is discouraged
-        map $scheme $hsts_header {
-            https "max-age=31536000; includeSubdomains; preload";
-        }
-        add_header Strict-Transport-Security $hsts_header;
-
-        # Enable CSP for your services.
-        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-        # Minimize information leaked to other domains
-        add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-        # Disable embedding as a frame
-        add_header X-Frame-Options DENY;
-
-        # Prevent injection of code in other mime types (XSS Attacks)
-        add_header X-Content-Type-Options nosniff;
-
-        # This might create errors
-        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-      '';
-
-      virtualHosts = {
-        "ret2pop.net" = {
-          # addSSL = true;
-          # enableACME = true;
-          root = "/home/preston/ret2pop-website/";
-        };
-      };
-    };
-
-    # xmrig = {
-    #   enable = true;
-    #   package = pkgs.xmrig-mo;
-    #   settings = {
-    #     autosave = true;
-    #     cpu = true;
-    #     opencl = false;
-    #     cuda = false;
-    #     pools = [
-    #       {
-    #         url = "pool.supportxmr.com:443";
-    #         user = "49Yyj1PBXSefihA88bm8RzaKiaBizrDoWTnQy4kKVRWU5vnnqx7CfWbEe9ioKTozYWBMa9Am81q9uMgBdhj8iAriF47TQnM";
-    #         keepalive = true;
-    #         tls = true;
-    #       }
-    #     ];
-    #   };
-    # };
-
     # Misc.
     udev.packages = with pkgs; [
       platformio-core
@@ -273,20 +290,10 @@
     printing.enable = true;
     udisks2.enable = true;
-    blueman.enable = true;
   };
   programs = {
-    # nix-autobahn.enable = true;
     nix-ld.enable = true;
-
-    nix-ld.libraries = with pkgs; [
-
-      # Add any missing dynamic libraries for unpackaged programs
-
-      # here, NOT in environment.systemPackages
-
-    ];
     zsh.enable = true;
     light.enable = true;
     ssh.enableAskPassword = false;
@@ -294,17 +301,14 @@
   nixpkgs.config = {
     allowUnfree = true;
-    cudaSupport = true;
-    permittedInsecurePackages = [
-      "nix-2.15.3"
-    ];
+    cudaSupport = false;
   };
   security = {
-    # acme = {
-    #   acceptTerms = true;
-    #   defaults.email = "ret2pop@gmail.com";
-    # };
+    apparmor = {
+      enable = true;
+      killUnconfinedConfinables = true;
+    };
     pam.loginLimits = [
       { domain = "*"; item = "nofile"; type = "-"; value = "32768"; }
@@ -314,6 +318,27 @@
     lockKernelModules = true;
     protectKernelImage = true;
+    allowSimultaneousMultithreading = false;
+    forcePageTableIsolation = true;
+
+    tpm2 = {
+      enable = true;
+      pkcs11.enable = true;
+      tctiEnvironment.enable = true;
+    };
+
+    auditd.enable = true;
+    audit.enable = true;
+    chromiumSuidSandbox.enable = true;
+    sudo.enable = false;
+    doas = {
+      enable = true;
+      extraRules = [{
+        users = [ "preston" ];
+        keepEnv = true;
+        persist = true;
+      }];
+    };
   };
   xdg.portal = {
@@ -324,15 +349,13 @@
   };
   environment.systemPackages = with pkgs; [
-    curl
-    git
-    groff
-    nixd
-    cudatoolkit
+    cryptsetup
     restic
-    cudaPackages.cudnn
-    cudaPackages.libcublas
-    linuxPackages.nvidia_x11
+    sbctl
+    linux-manual
+    man-pages
+    man-pages-posix
+    tree
   ];
   users = {
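Review bot: The doas rule grants `preston` root with `keepEnv = true`, which passes the calling user's environment into the privileged command; depending on what doas strips, a user-writable directory on `PATH` or loader-controlling variables can follow into root's session, so drop `keepEnv` unless a specific program needs it and, if one does, narrow the rule to that program with `cmd`. `persist = true` additionally caches the authentication for a window, so a compromised user session can run privileged commands without re-entering the password; acceptable on a laptop, but it should be a deliberate choice noted next to the rule. `audit.enable = true` and `auditd.enable = true` are set without any `security.audit.rules`, so the audit subsystem will record little beyond PAM events; a minimal execve rule such as `security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];` gives the log something to work with. `allowSimultaneousMultithreading = false` and `forcePageTableIsolation = true` overlap with the `nosmt=force` and `pti=on` kernel parameters added earlier in this commit; keeping a single source for each avoids the two drifting apart.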
@@ -341,19 +364,10 @@
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch"
       ];
-    git = {
-      isSystemUser = true;
-      home = "/srv/git";
-      shell = "${pkgs.git}/bin/git-shell";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch"
-      ];
-    };
-
     preston = {
       isNormalUser = true;
       description = "Preston Pan";
-      extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" ];
+      extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" ];
       shell = pkgs.zsh;
       packages = [ ];
@@ -363,12 +377,10 @@
   nix.settings.experimental-features = "nix-command flakes";
-  virtualisation.docker.enable = true;
-
   time.timeZone = "America/Vancouver";
   i18n.defaultLocale = "en_CA.UTF-8";
   system = {
-    stateVersion = "23.11";
+    stateVersion = "24.11";
     nixos = {
       tags = [ "fixing-hammer88" ];
     };
|
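Review bot: `extraGroups` keeps `docker` even though this commit removes `virtualisation.docker.enable`; that group is root-equivalent whenever the daemon is present, so a stale membership silently re-grants it the day docker is re-enabled, and the list should be trimmed to what is actually used. The new `tss` membership is what `security.tpm2.tctiEnvironment` needs, but it also lets unprivileged code in the user's session talk to the TPM device directly, so a short comment on that line naming the trade-off would help the next reader. Changing `system.stateVersion` from `"23.11"` to `"24.11"` is something the NixOS manual advises against on an existing installation because it alters stateful defaults; the new hostname and LUKS UUID suggest this is a fresh install, in which case it is fine, but confirm that before merging.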