diff --git a/common/networking/zerotier.nix b/common/networking/zerotier.nix
index 167b140..137cf4f 100644
--- a/common/networking/zerotier.nix
+++ b/common/networking/zerotier.nix
@@ -8,12 +8,14 @@
 }: {
 services.zerotierone = {
 joinNetworks = [
- "48d6023c46b60a94"
+ "ebe7fbd445359e9d"
 ];
 enable = true;
 };
 networking.extraHosts = ''
 192.168.194.241 nothing.zt
+ 192.168.191.213 candlekeep.zt
+ 192.168.191.168 grymforge.zt
 '';
 }
diff --git a/flake.nix b/flake.nix
index 78d9bb0..7c6830f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -117,6 +117,16 @@
 };
 };
+ nixosConfigurations = {
+ grymforge = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit user inputs outputs;};
+ modules = [
+ # > Our main nixos configuration file <
+ ./hosts/grymforge/configuration.nix
+ ];
+ };
+ };
+
 # Standalone home-manager configuration entrypoint
 # Available through 'home-manager --flake .#your-username@your-hostname'
 homeConfigurations = {
@@ -131,6 +141,18 @@
 };
 };
+ homeConfigurations = {
+ "gwg313@grymforge" = home-manager.lib.homeManagerConfiguration {
+ pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+ extraSpecialArgs = {inherit inputs outputs;};
+ modules = [
+ # > Our main home-manager configuration file <
+ ./home-manager/machines/grymforge.nix
+ inputs.stylix.homeManagerModules.stylix
+ ];
+ };
+ };
+
 homeConfigurations = {
 "gwg313@dorino" = home-manager.lib.homeManagerConfiguration {
 pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
diff --git a/home-manager/machines/grymforge.nix b/home-manager/machines/grymforge.nix
new file mode 100644
index 0000000..5d53e42
--- /dev/null
+++ b/home-manager/machines/grymforge.nix
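Review bot: The added `homeConfigurations = {` block at the top of the second flake.nix hunk is yet another literal attrset with the same name as the `homeConfigurations = {` shown in the context lines of both flake.nix hunks, so the file now declares that attribute three times and relies on Nix's parser merging same-named literal `{ … }` attrsets (it does, but only for literal attrsets, not for values produced by a function or an import). To a reader who does not know that rule it looks like a duplicate-key bug, and a later refactor into `lib.mapAttrs` or a separate file would break it. Either move `"gwg313@grymforge" = …` into the existing `homeConfigurations` attrset, or put a comment above the block such as `# merged by Nix with the other homeConfigurations attrsets in this file`. The same question applies to the new `nixosConfigurations = {` in the first flake.nix hunk if the file already has one, which this diff does not show.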
@@ -0,0 +1,113 @@
+# This is your home-manager configuration file
+# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ # You can import other home-manager modules here
+ imports = [
+ # If you want to use modules your own flake exports (from modules/home-manager):
+ # outputs.homeManagerModules.example
+
+ # Or modules exported from other flakes (such as nix-colors):
+ # inputs.nix-colors.homeManagerModules.default
+
+ # You can also split up your configuration and import pieces of it here:
+ # ./nvim.nix
+ ../modules/common.nix
+ ../modules/hyprland.nix
+ ../modules/common-gui.nix
+ ../modules/linux-gui.nix
+ ../modules/devenv.nix
+ ];
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+ (final: prev: {
+ neovim = inputs.neovim-config.packages."x86_64-linux".default;
+ })
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ # Workaround for https://github.com/nix-community/home-manager/issues/2942
+ allowUnfreePredicate = _: true;
+ };
+ };
+
+ home = {
+ username = "gwg313";
+ homeDirectory = "/home/gwg313";
+ };
+
+ stylix = {
+ base16Scheme = "${pkgs.base16-schemes}/share/themes/tokyo-night-terminal-storm.yaml";
+ image = ./wallpaper.jpg;
+ autoEnable = true;
+
+ opacity.terminal = 1.0;
+ fonts.sizes.terminal = 20;
+
+ fonts = {
+ serif = {
+ package = pkgs.meslo-lgs-nf;
+ name = "MesloLGS NF";
+ };
+
+ sansSerif = {
+ package = pkgs.meslo-lgs-nf;
+ name = "MesloLGS NF";
+ };
+
+ monospace = {
+ package = pkgs.ibm-plex;
+ name = "IBM Plex Mono";
+ };
+
+ emoji = {
+ package = pkgs.noto-fonts-emoji;
+ name = "Noto Color Emoji";
+ };
+ };
+ cursor = {
+ package = pkgs.bibata-cursors;
+ name = "Bibata-Modern-Classic";
+ size = 20;
+ };
+ };
+
+ # Add stuff for your user as you see fit:
+ # programs.neovim.enable = true;
+ home.packages = with pkgs; [
+ openvpn
+ ];
+
+ # Enable home-manager and git
+ programs.home-manager.enable = true;
+ programs.git.enable = true;
+
+ # Nicely reload system units when changing configs
+ systemd.user.startServices = "sd-switch";
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ home.stateVersion = "23.05";
+}
diff --git a/hosts/grymforge/auditd.nix b/hosts/grymforge/auditd.nix
new file mode 100644
index 0000000..cf1b81e
--- /dev/null
+++ b/hosts/grymforge/auditd.nix
@@ -0,0 +1,7 @@
+{...}: {
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+}
diff --git a/hosts/grymforge/configuration.nix b/hosts/grymforge/configuration.nix
new file mode 100644
index 0000000..3f5dd80
--- /dev/null
+++ b/hosts/grymforge/configuration.nix
@@ -0,0 +1,131 @@
+# This is your system's configuration file.
+# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ user,
+ ...
+}: {
+ # You can import other NixOS modules here
+ imports = [
+ # If you want to use modules your own flake exports (from modules/nixos):
+ # outputs.nixosModules.example
+ ../../common/nixos/common.nix
+ ../../common/networking/zerotier.nix
+ ../../common/nixos/bluetooth.nix
+ ../../common/nixos/restic.nix
+ ../../common/nixos/ssh.nix
+ ../../common/gui/hyprland.nix
+ ../../common/gui/thunar.nix
+ ../../common/style/stylix.nix
+ ../../common/virtualization/podman.nix
+ ../../common/virtualization/kubernetes.nix
+ ../../common/virtualization/libvirt.nix
+
+ ./auditd.nix
+ ./kernel.nix
+ ./sysctl.nix
+ ./earlyoom.nix
+
+ # Or modules from other flakes (such as nixos-hardware):
+ # inputs.hardware.nixosModules.common-cpu-amd
+ # inputs.hardware.nixosModules.common-ssd
+ inputs.nix-index-database.nixosModules.nix-index
+ inputs.stylix.nixosModules.stylix
+ inputs.sops-nix.nixosModules.sops
+ # You can also split up your configuration and import pieces of it here:
+ # ./users.nix
+
+ # Import your generated (nixos-generate-config) hardware configuration
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd.luks.devices."luks-276bd2e3-9d6d-4df6-9155-3684907b48f0".device = "/dev/disk/by-uuid/276bd2e3-9d6d-4df6-9155-3684907b48f0";
+ };
+
+ # sops
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
+ };
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ };
+ };
+
+ # This will add each flake input as a registry
+ # To make nix3 commands consistent with your flake
+ nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
+
+ # This will additionally add your inputs to the system's legacy channels
+ # Making legacy nix commands consistent as well, awesome!
+ nix.nixPath = ["/etc/nix/path"];
+ environment.etc =
+ lib.mapAttrs'
+ (name: value: {
+ name = "nix/path/${name}";
+ value.source = value.flake;
+ })
+ config.nix.registry;
+
+ networking.hostName = "grymforge";
+ networking.networkmanager.enable = true;
+
+ users.users = {
+ gwg313 = {
+ initialPassword = "correcthorsebatterystaple";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
+ ];
+ extraGroups = ["wheel"];
+ };
+ };
+
+ environment = {
+ loginShellInit = ''
+ if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
+ exec Hyprland
+ fi
+ ''; # Will automatically open Hyprland when logged into tty1
+ variables = {
+ TERMINAL = "alacritty";
+ EDITOR = "nvim";
+ VISUAL = "nvim";
+ PAGER = "moar";
+ };
+ };
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/grymforge/earlyoom.nix b/hosts/grymforge/earlyoom.nix
new file mode 100644
index 0000000..5aace10
--- /dev/null
+++ b/hosts/grymforge/earlyoom.nix
@@ -0,0 +1,12 @@
+{
+ services.earlyoom = {
+ enable = true;
+ freeSwapThreshold = 2;
+ freeMemThreshold = 2;
+ extraArgs = [
+ "-g"
+ "--avoid '^(.Hyrpland-wrapp|alacritty|zerotier-one|.waybar-wrapped)$'"
+ "--prefer '^(electron|libreoffice|gimp|Isolated Web Co)$'"
+ ];
+ };
+}
diff --git a/hosts/grymforge/hardware-configuration.nix b/hosts/grymforge/hardware-configuration.nix
new file mode 100644
index 0000000..21c53cd
--- /dev/null
+++ b/hosts/grymforge/hardware-configuration.nix
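Review bot: `initialPassword = "correcthorsebatterystaple";` in the `users.users.gwg313` block commits a well-known password to the repository and, because the users/groups activation data is written into the world-readable Nix store, to every machine that evaluates this config; it also applies only when the user is first created, so it is a silent no-op on an existing install. Since `sops` is configured a few lines above, a sops-managed hash keeps the credential out of the store: `hashedPasswordFile = config.sops.secrets."gwg313-password".path;` together with `sops.secrets."gwg313-password".neededForUsers = true;` (the secret name is a placeholder; on nixpkgs before 23.11 the option is `passwordFile`). Two smaller points in the same hunk: `boot.loader.systemd-boot.enable = true` leaves the boot-menu editor at its default, so anyone at the console can change the kernel command line and drop the `lockdown=confidentiality` set in kernel.nix, hence `systemd-boot.editor = false;` belongs beside it; and `[ -z $DISPLAY ]` in `loginShellInit` only works because an empty unquoted expansion collapses to a one-argument test, so write `[ -z "$DISPLAY" ]`. The `initrd.luks.devices."luks-276bd2e3-…"` entry also names a different UUID from the one in hardware-configuration.nix; if it was carried over from another host, initrd will wait for a device that does not exist, so confirm it is a real second volume on this machine.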
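Review bot: The `--avoid` pattern in `extraArgs` spells the compositor `.Hyrpland-wrapp`, so the regex never matches the real `.Hyprland-wrapp…` comm name and the compositor stays killable, which defeats the point of the list; `.waybar-wrapped` and the other names look right. Separately, each `extraArgs` element becomes one argument, so `"--avoid '^(…)$'"` is the flag, a space and literal single quotes inside a single string; whether earlyoom actually sees `--avoid` with the intended regex depends on how the NixOS module folds `extraArgs` into `ExecStart` (a plain space-join lets systemd re-split and strip the quotes, `escapeSystemdExecArgs` does not), so check the module in the pinned nixpkgs and, if it escapes, use separate elements: `"--avoid" "^(.Hyprland-wrapp|alacritty|zerotier-one|.waybar-wrapped)$"` and `"--prefer" "^(electron|libreoffice|gimp|Isolated Web Co)$"`. A one-line comment on `"-g"` (`# kill the victim's whole process group, not just the single process`) would also help the next reader.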
@@ -0,0 +1,47 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ../../common/nixos/nfs.nix
+ ];
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c4c90d75-9f16-45a2-94f8-dd0ba0fecc43";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-35f61924-e22a-458a-841c-9cc8dc3e35e4".device = "/dev/disk/by-uuid/35f61924-e22a-458a-841c-9cc8dc3e35e4";
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/2ECE-9C7E";
+ fsType = "vfat";
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/04f457e4-1bd2-417f-bcb7-f8b770e71c21";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/grymforge/kernel.nix b/hosts/grymforge/kernel.nix
new file mode 100644
index 0000000..9096e08
--- /dev/null
+++ b/hosts/grymforge/kernel.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ pkgs,
+ stdenv,
+ ...
+}: {
+ boot.kernelPackages = pkgs.linuxPackages_hardened;
+ boot.kernelParams = [
+ # Disable slab merging to prevent heap exploitation
+ "slab_nomerge"
+ # Enable zeroing memory during allocation and free time
+ "init_on_alloc=1"
+ "init_on_free=1"
+ # Randomize page allocator freelists
+ "page_alloc.shuffle=1"
+ # Mitigations
+ "pti=on"
+
+ "vsyscall=none"
+ "debugfs=off"
+ "oops=panic"
+
+ # Enable lockdown LSM
+ "lockdown=confidentiality"
+ ];
+}
diff --git a/hosts/grymforge/sysctl.nix b/hosts/grymforge/sysctl.nix
new file mode 100644
index 0000000..33ed331
--- /dev/null
+++ b/hosts/grymforge/sysctl.nix
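Review bot: `stdenv` in the module's argument set is not something the NixOS module system supplies (`config`, `pkgs`, `lib`, `options` plus whatever `specialArgs`/`_module.args` add are), and it is unused in this file, so drop it rather than leave a name that reads like a real dependency. The `# Mitigations` comment covers only `pti=on`, while `vsyscall=none`, `debugfs=off` and `oops=panic` follow uncommented; `oops=panic` in particular turns every kernel oops into a reboot of a desktop machine, so a line such as `# Panic on any oops so a corrupted kernel does not keep running; expect reboots instead of error logs` states the trade-off. `lockdown=confidentiality` is only as strong as the boot chain: with the systemd-boot editor left at its default in configuration.nix it can be removed from the command line at the console, and nothing on this page verifies the kernel image, so note that limitation next to `# Enable lockdown LSM` or pair it with `boot.loader.systemd-boot.editor = false;` in configuration.nix.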
@@ -0,0 +1,62 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ boot.kernel.sysctl = {
+ # Restrict kernel pointers
+ "kernel.kptr_restrict" = 2;
+
+ "kernel.dmesg_restrict" = 1;
+
+ # Restrict eBPF
+ "kernel.unprivileged_bpf_disabled" = 1;
+
+ # Harden JIT
+ "net.core.bpf_jit_harden" = 2;
+
+ "dev.tty.ldisc_autoload" = 0;
+ "vm.unprivileged_userfaultfd" = 0;
+
+ # Disable loading other kernels at runtime
+ "kernel.kexec_load_disabled" = 1;
+
+ # Disable SysRq key for non-users (can be used in remote exploits)
+ "kernel.sysrq" = 4;
+
+ "kernel.perf_event_paranoid" = 3;
+ "kernel.unprivileged_userns_clone" = 1;
+
+ ## NETWORK
+
+ # SYN flood attack prevention
+ "net.ipv4.tcp_syncookies" = 1;
+
+ # Prevent IP spoofing
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+
+ # MITM attack prevention (disable redirect acceptance)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+
+ # Clock fingerprinting prevention (disabled ICMP requests)
+ "net.ipv4.icmp_echo_ignore_all" = 1;
+
+ # Restrict ptrace usage
+ "kernel.yama.ptrace_scope" = 2;
+
+ # ASLR exploit mitigation
+ "vm.mmap_rnd_bits" = 32;
+ "vm.mmap_rnd_compat_bits" = 16;
+
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
+ };
+}
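Review bot: `"kernel.unprivileged_userns_clone" = 1;` is the one entry in this block that loosens a restriction instead of tightening one, and it is the only one without a comment; with `pkgs.linuxPackages_hardened` from kernel.nix that knob defaults to 0, so this line deliberately re-enables unprivileged user namespaces, presumably for the rootless containers the imported podman module sets up. Add a why-comment such as `# Re-enable unprivileged user namespaces (hardened kernel defaults to 0); needed for rootless containers` so a later hardening pass does not flip it back by accident. Note also that this sysctl exists only on patched kernels (linux-hardened and some distro kernels), so if `boot.kernelPackages` is ever switched to a stock kernel, systemd-sysctl will presumably log an error for the unknown key. The `# Disable SysRq key for non-users` comment over `"kernel.sysrq" = 4` is slightly off as well: 4 keeps the secure-attention-key function enabled, which is usually the intent, so `# Only allow the SysRq secure attention key (SAK); all other SysRq functions are disabled` describes what the value does.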