chore(template): update

dr460nf1r3 · Mar 12, 2024 · 20ba9d8 · 20ba9d8
1 parent 5609abe
commit 20ba9d8
Show file tree

Hide file tree

Showing 10 changed files with 115 additions and 42 deletions.
diff --git a/template/flake.nix b/template/flake.nix
@@ -34,7 +34,6 @@
     garuda-nix.inputs.chaotic-nyx.follows = "chaotic-nyx";
     garuda-nix.inputs.devshell.follows = "devshell";
     garuda-nix.inputs.flake-parts.follows = "flake-parts";
-    garuda-nix.inputs.flake-utils.follows = "flake-utils";
     garuda-nix.inputs.home-manager.follows = "home-manager";
     garuda-nix.inputs.nix-index-database.follows = "nix-index-database";
     garuda-nix.inputs.nixpkgs.follows = "nixpkgs";

diff --git a/template/nixos/modules/apps.nix b/template/nixos/modules/apps.nix
@@ -57,12 +57,10 @@ in {
       movit
       obs-studio-wrapped
       okular
-      tdesktop
       usbutils
       vulkan-tools
     ])
     ++ optionals cfg.yubikey (with pkgs; [
-      yubikey-manager-qt
       yubioath-flutter
     ]);
 

diff --git a/template/nixos/modules/common.nix b/template/nixos/modules/common.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 with lib; let
@@ -39,7 +40,7 @@ in {
   };
 
   config = mkIf cfg.common.enable {
-    # Allow unprivileged users to create user namespaces
+    ## A few kernel tweaks
     boot.kernel.sysctl = {"kernel.unprivileged_userns_clone" = 1;};
 
     # Allow wheel group users to use sudo
@@ -70,7 +71,7 @@ in {
       # The GnuPG agent
       gnupg.agent = {
         enable = true;
-        pinentryFlavor = "curses";
+        pinentryPackage = lib.mkForce pkgs.pinentry-curses;
       };
     };
 

diff --git a/template/nixos/modules/desktops.nix b/template/nixos/modules/desktops.nix
@@ -25,9 +25,12 @@ in {
     # Only install fonts I personally use
     fonts.enableDefaultPackages = false;
 
-    # Enable the dr460nized desktop's settings
+    # Enable the dr460nized desktops settings
     garuda.dr460nized.enable = true;
 
+    # # Kernel paramters & settings
+    boot.kernelParams = ["mitigations=off"];
+
     # Fancy themed, enhanced Spotify
     programs.spicetify = {
       enable = true;

diff --git a/template/nixos/modules/development.nix b/template/nixos/modules/development.nix
@@ -20,19 +20,16 @@ in {
   };
 
   config = mkIf cfg.enable {
-    # Conflicts with virtualisation.containers if enabled
-    boot.enableContainers = false;
-
     # Libvirt & Podman with docker alias
     virtualisation = {
-      containerd.enable = true;
       docker = {
         autoPrune = {
           enable = true;
           flags = ["--all"];
         };
         enable = true;
         enableOnBoot = false;
+        storageDriver = "overlay2";
       };
       libvirtd = {
         enable = true;
@@ -51,20 +48,6 @@ in {
     # Allow cross-compiling to aarch64
     boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
-    # Configure nspawn containers
-    systemd.nspawn."garuda" = {
-      execConfig = {
-        Boot = true;
-      };
-      enable = true;
-      filesConfig = {
-        Bind = ["/home/nico"];
-      };
-      networkConfig = {
-        VirtualEthernet = false;
-      };
-    };
-
     # In case I need to fix my phone
     programs.adb.enable = true;
   };

diff --git a/template/nixos/modules/hardening.nix b/template/nixos/modules/hardening.nix
@@ -11,11 +11,22 @@ in {
       mkOption
       {
         default = true;
+        example = false;
         type = types.bool;
         description = mdDoc ''
           Whether the operating system should be hardened.
         '';
       };
+    duosec =
+      mkOption
+      {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = mdDoc ''
+          Whether logins should be protected by Duo Security.
+        '';
+      };
   };
 
   config = mkIf cfg.enable {
@@ -73,20 +84,48 @@ in {
       "vivid"
     ];
 
-    # Disable coredumps
-    systemd.coredump.enable = false;
+    # Protect logins and sudo on servers via DUO
+    # leaving EnvFactor enabled for other apps
+    security.duosec = mkIf cfg.duosec {
+      acceptEnvFactor = true;
+      autopush = true;
+      failmode = "safe";
+      host = "api-a7b9f5f3.duosecurity.com";
+      integrationKey = "DID3CH2NCQ2H24L1GUUN";
+      pam.enable = true;
+      prompts = 1;
+      pushinfo = true;
+      secretKeyFile = config.sops.secrets."api_keys/duo".path;
+      ssh.enable = true;
+    };
+    sops.secrets."api_keys/duo" = mkIf cfg.duosec {
+      mode = "0600";
+      path = "/run/secrets/api_keys/duo";
+    };
+    security.pam.services = mkIf cfg.duosec {
+      "login".duoSecurity.enable = true;
+      "sddm".duoSecurity.enable = mkIf config.dr460nixed.desktops.enable true;
+      "sudo".duoSecurity.enable = mkIf config.dr460nixed.servers.enable true;
+    };
 
     # Disable root login & password authentication on sshd
     # also, apply recommendations of ssh-audit.com and enable Duo 2FA
     # (for whatever reason the default config did not work a at all?
     # maybe related to https://github.com/NixOS/nixpkgs/issues/115044)
     services.openssh = {
-      extraConfig = ''
-        AllowTcpForwarding no
-        ForceCommand /usr/bin/env login_duo
-        HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
-        PermitTunnel no
-      '';
+      extraConfig =
+        if cfg.duosec
+        then ''
+          AllowTcpForwarding no
+          ForceCommand /usr/bin/env login_duo
+          HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
+          PermitTunnel no
+        ''
+        else ''
+          AllowTcpForwarding no
+          HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
+          PermitTunnel no
+        '';
       settings = {
         Ciphers = [
           "[email protected]"

diff --git a/template/nixos/modules/locales.nix b/template/nixos/modules/locales.nix
@@ -52,6 +52,7 @@ in {
       };
 
       supportedLocales = [
+        "C.UTF-8/UTF-8"
         "de_DE.UTF-8/UTF-8"
         "en_GB.UTF-8/UTF-8"
         "en_US.UTF-8/UTF-8"

diff --git a/template/nixos/modules/misc.nix b/template/nixos/modules/misc.nix
@@ -1,11 +1,37 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 with lib; let
   cfg = config.dr460nixed;
+  chromium-gate = pkgs.writeShellScriptBin "chromium-gate" ''
+    set -o errexit
+
+    CHROMIUM="${pkgs.chromium-flagged}/bin/chromium"
+    KDIALOG="${pkgs.libsForQt5.kdialog}/bin/kdialog"
+    ZFS="${pkgs.zfs}/bin/zfs"
+
+    echo 'Handling encrypted Chromium profile'
+    if [ "$USER" != 'nico' ] || [ -f "$HOME/.config/chromium" ]; then
+      exec "$CHROMIUM" "$@"
+    else
+      "$KDIALOG" --title "Chromium gatekeeper" --password "Please provide the password for the Chromium vault 🔑" |\
+        (sudo "$ZFS" load-key zroot/data/chromium \
+        || ("$KDIALOG" --title "Chromium gatekeeper" --error "Unable to load ZFS key, loading fresh profile instead!" \
+        && "$CHROMIUM" "$@" && false))
+      sudo "$ZFS" mount zroot/data/chromium \
+        || ("$KDIALOG" --title "Chromium gatekeeper" --error "Unable to mount ZFS partition, loading fresh profile instead!" \
+        && "$CHROMIUM" "$@" && false)
+
+      "$CHROMIUM" "$@"
+
+      sudo "$ZFS" umount -f zroot/data/chromium
+      sudo "$ZFS" unload-key zroot/data/chromium
+    fi
+  '';
 in {
   options.dr460nixed = {
     adblock =
@@ -35,6 +61,24 @@ in {
           Whether this device uses should use Chromium.
         '';
       };
+    chromium-gate =
+      mkOption
+      {
+        default = false;
+        type = types.bool;
+        description = mdDoc ''
+          Whether to protect Chromium with a password with a ZFS encrypted partition.
+        '';
+      };
+    live-cd =
+      mkOption
+      {
+        default = false;
+        type = types.bool;
+        description = mdDoc ''
+          Whether this is live CD.
+        '';
+      };
     performance =
       mkOption
       {
@@ -44,6 +88,15 @@ in {
           Whether this device should be optimized for performance.
         '';
       };
+    school =
+      mkOption
+      {
+        default = false;
+        type = types.bool;
+        description = mdDoc ''
+          Whether this device uses should be used for school.
+        '';
+      };
     tor =
       mkOption
       {
@@ -108,7 +161,6 @@ in {
       extensions = [
         "ajhmfdgkijocedmfjonnpjfojldioehi" # Privacy Pass
         "cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock origin
-        "doojmbjmlfjjnbmnoijecmcbfeoakpjm" # NoScript
         "edibdbjcniadpccecjdfdjjppcpchdlm" # I Still Don't Care About Cookies
         "fhnegjjodccfaliddboelcleikbmapik" # Tab Counter
         "hipekcciheckooncpjeljhnekcoolahp" # Tabliss
@@ -127,8 +179,7 @@ in {
 
     # SUID Sandbox
     security.chromiumSuidSandbox.enable = mkIf cfg.chromium true;
-
-    # Enhance performance tweaks
+    # Enhabce performance tweaks
     garuda.performance-tweaks = lib.mkIf cfg.performance {
       cachyos-kernel = true;
       enable = true;

diff --git a/template/nixos/modules/networking.nix b/template/nixos/modules/networking.nix
@@ -8,8 +8,6 @@ with lib; let
 in {
   # We want to use NetworkManager on desktops
   networking = {
-    # Pointing to our Adguard instance via Tailscale
-    # if not, Cloudflare would still be my choice
     nameservers = [
       "1.1.1.1"
       "2606:4700:4700::1111"

diff --git a/template/nixos/modules/nix.nix b/template/nixos/modules/nix.nix
@@ -11,7 +11,7 @@ in {
   options.dr460nixed = with lib; {
     nix-super = {
       enable = mkOption {
-        default = true;
+        default = false;
         type = types.bool;
         description = mdDoc ''
           Replaces nix with nix-super, which tracks future features of nix.
@@ -36,7 +36,7 @@ in {
         '';
       };
       host = mkOption {
-        default = false;
+        default = "";
         type = types.str;
         example = "dragons-ryzen";
         description = mdDoc ''
@@ -46,7 +46,7 @@ in {
       port = mkOption {
         default = 22;
         type = types.int;
-        example = "build";
+        example = 1022;
         description = mdDoc ''
           Specifies the target port for remote builds.
         '';
@@ -87,7 +87,7 @@ in {
       # Allow distributed builds
       distributedBuilds = lib.mkIf cfgRemote.enableGlobally true;
 
-      # Don't warn about dirty flakes and accept flake configs by default
+      # Dont warn about dirty flakes and accept flake configs by default
       extraOptions = ''
         http-connections = 0
         warn-dirty = false
@@ -120,7 +120,7 @@ in {
         # Enable certain system features
         system-features = ["big-parallel" "kvm"];
 
-        # Trust the remote machines' cache signatures
+        # Trust the remote machines cache signatures
         trusted-public-keys = lib.mkIf cfgRemote.enable ["${cfgRemote.trustedPublicKey}"];
         trusted-substituters = lib.mkIf cfgRemote.enable ["ssh-ng://${cfgRemote.host}"];
       };