add grymforge

This commit is contained in:
gwg313 2024-02-01 00:03:16 -05:00
parent c5d2fbe031
commit 980f180b88
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
9 changed files with 423 additions and 1 deletions


@ -0,0 +1,7 @@
{...}: {
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
"-a exit,always -F arch=b64 -S execve"
];
}
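Review bot: The only audit rule, `-a exit,always -F arch=b64 -S execve`, covers the 64-bit ABI alone, so an execve issued through the 32-bit/compat entry point on this x86_64 host is never recorded; the usual pairing is a second rule `"-a exit,always -F arch=b32 -S execve"` in the same list. Both rules would also benefit from a search key, e.g. `-k exec`, so the events can be pulled with `ausearch -k exec` instead of by syscall number. Logging every execve on a desktop session produces a steady volume, so a short comment on the `security.audit.rules` list noting that this is intentional (and how the log is rotated) would help whoever tunes it later.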


@ -0,0 +1,131 @@
# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
{
inputs,
outputs,
lib,
config,
pkgs,
user,
...
}: {
# You can import other NixOS modules here
imports = [
# If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example
../../common/nixos/common.nix
../../common/networking/zerotier.nix
../../common/nixos/bluetooth.nix
../../common/nixos/restic.nix
../../common/nixos/ssh.nix
../../common/gui/hyprland.nix
../../common/gui/thunar.nix
../../common/style/stylix.nix
../../common/virtualization/podman.nix
../../common/virtualization/kubernetes.nix
../../common/virtualization/libvirt.nix
./auditd.nix
./kernel.nix
./sysctl.nix
./earlyoom.nix
# Or modules from other flakes (such as nixos-hardware):
# inputs.hardware.nixosModules.common-cpu-amd
# inputs.hardware.nixosModules.common-ssd
inputs.nix-index-database.nixosModules.nix-index
inputs.stylix.nixosModules.stylix
inputs.sops-nix.nixosModules.sops
# You can also split up your configuration and import pieces of it here:
# ./users.nix
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
# Bootloader.
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.luks.devices."luks-276bd2e3-9d6d-4df6-9155-3684907b48f0".device = "/dev/disk/by-uuid/276bd2e3-9d6d-4df6-9155-3684907b48f0";
};
# sops
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nix.nixPath = ["/etc/nix/path"];
environment.etc =
lib.mapAttrs'
(name: value: {
name = "nix/path/${name}";
value.source = value.flake;
})
config.nix.registry;
networking.hostName = "grymforge";
networking.networkmanager.enable = true;
users.users = {
gwg313 = {
initialPassword = "correcthorsebatterystaple";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
];
extraGroups = ["wheel"];
};
};
environment = {
loginShellInit = ''
if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
exec Hyprland
fi
''; # Will automatically open Hyprland when logged into tty1
variables = {
TERMINAL = "alacritty";
EDITOR = "nvim";
VISUAL = "nvim";
PAGER = "moar";
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.05";
}
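Review bot: `initialPassword = "correcthorsebatterystaple"` on the gwg313 user is a widely published phrase stored in clear text in the repository, and it remains the password of a `wheel` member until someone changes it by hand; since sops-nix is imported and configured in this same file, the idiomatic replacement is `hashedPasswordFile = config.sops.secrets.<SECRET_NAME>.path;` with the hash in `secrets.yaml` (placeholder name; the secret needs `neededForUsers = true` so it is available when users are created). The `sops.age.keyFile` path under `/home/${user}` means system secrets are decrypted with a key kept in a user home directory, so a comment on the `sops` block stating the expected ownership and mode of that key file would make the trust boundary explicit. The `initrd.luks.devices` entry here names a different LUKS UUID than the one in hardware-configuration.nix; presumably these are two encrypted devices, but a comment saying which disk each maps would rule out a stale copy. Minor: in `loginShellInit`, `[ -z $DISPLAY ]` should be `[ -z "$DISPLAY" ]` so an unset variable does not collapse the test.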


@ -0,0 +1,12 @@
{
services.earlyoom = {
enable = true;
freeSwapThreshold = 2;
freeMemThreshold = 2;
extraArgs = [
"-g"
"--avoid '^(.Hyrpland-wrapp|alacritty|zerotier-one|.waybar-wrapped)$'"
"--prefer '^(electron|libreoffice|gimp|Isolated Web Co)$'"
];
};
}
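Review bot: The `--avoid` pattern spells the compositor as `.Hyrpland-wrapp` while the login shell in the host config launches `Hyprland`, so the regex never matches and the compositor stays a candidate for the OOM kill; the line should read `"--avoid '^(.Hyprland-wrapp|alacritty|zerotier-one|.waybar-wrapped)$'"`. The truncated names (`-wrapp`, fifteen characters) look intentional, presumably matching the length of the process `comm` field that earlyoom compares against, and a one-line comment on the list saying so would stop the next reader from "fixing" them. With `-g` the victim's whole process group is reportedly killed, so this avoid list is what keeps the session alive under memory pressure; it is worth confirming the names against earlyoom's own process reporting before relying on it.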


@ -0,0 +1,47 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
../../common/nixos/nfs.nix
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/c4c90d75-9f16-45a2-94f8-dd0ba0fecc43";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-35f61924-e22a-458a-841c-9cc8dc3e35e4".device = "/dev/disk/by-uuid/35f61924-e22a-458a-841c-9cc8dc3e35e4";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2ECE-9C7E";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-uuid/04f457e4-1bd2-417f-bcb7-f8b770e71c21";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
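Review bot: The `../../common/nixos/nfs.nix` import sits in a file whose own header says it may be overwritten by nixos-generate-config, so the next regeneration silently drops the NFS configuration along with any other hand edit that the generator does not emit. Move that import to the host's main module next to the other `../../common/nixos/*` entries and keep this file generator-only, so a regenerate cannot change what the host mounts.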


@ -0,0 +1,26 @@
{
config,
pkgs,
stdenv,
...
}: {
boot.kernelPackages = pkgs.linuxPackages_hardened;
boot.kernelParams = [
# Disable slab merging to prevent heap exploitation
"slab_nomerge"
# Enable zeroing memory during allocation and free time
"init_on_alloc=1"
"init_on_free=1"
# Randomize page allocator freelists
"page_alloc.shuffle=1"
# Mitigations
"pti=on"
"vsyscall=none"
"debugfs=off"
"oops=panic"
# Enable lockdown LSM
"lockdown=confidentiality"
];
}
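Review bot: `stdenv` in the module's argument pattern is not an argument the NixOS module system supplies and it is unused in the body; drop it so the header reads `{config, pkgs, ...}: {` (whether the extra name errors depends on how lazily module arguments are resolved, but it is misleading either way). These `boot.kernelParams` can be removed at the boot menu by anyone at the console unless the loader editor is disabled, and the host config enables systemd-boot with the editor at its default; `boot.loader.systemd-boot.editor = false;` next to `systemd-boot.enable` closes that gap. The comment above `slab_nomerge` overstates the effect; `# Keep slab caches separate so heap layout is less predictable to an attacker` describes it more honestly. `oops=panic` together with `lockdown=confidentiality` is a deliberate fail-closed choice, but on a desktop it turns a recoverable driver oops into a reboot, and a one-line comment recording that trade-off would help the next reader.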


@ -0,0 +1,62 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# Restrict kernel pointers
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
# Restrict eBPF
"kernel.unprivileged_bpf_disabled" = 1;
# Harden JIT
"net.core.bpf_jit_harden" = 2;
"dev.tty.ldisc_autoload" = 0;
"vm.unprivileged_userfaultfd" = 0;
# Disable loading other kernels at runtime
"kernel.kexec_load_disabled" = 1;
# Disable SysRq key for non-users (can be used in remote exploits)
"kernel.sysrq" = 4;
"kernel.perf_event_paranoid" = 3;
"kernel.unprivileged_userns_clone" = 1;
## NETWORK
# SYN flood attack prevention
"net.ipv4.tcp_syncookies" = 1;
# Prevent IP spoofing
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
# MITM attack prevention (disable redirect acceptance)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Clock fingerprinting prevention (disabled ICMP requests)
"net.ipv4.icmp_echo_ignore_all" = 1;
# Restrict ptrace usage
"kernel.yama.ptrace_scope" = 2;
# ASLR exploit mitigation
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
};
}
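Review bot: `"kernel.unprivileged_userns_clone" = 1` re-enables unprivileged user namespaces on the hardened kernel selected in kernel.nix, whose default for this sysctl is 0, which undoes one of that kernel's main attack-surface reductions; if it is needed for rootless containers from the imported podman module, say so on the line, e.g. `# Needed for rootless podman; the hardened kernel defaults this to 0`, otherwise drop it. The comment on `kernel.sysrq` does not describe what the value does; `# SysRq bitmask 4: keyboard control (SAK/unraw) only, every other magic key disabled` is accurate. `kernel.perf_event_paranoid = 3` is a value only the hardened kernel understands (upstream tops out at 2), so a comment tying it to `linuxPackages_hardened` would explain why it is not clamped. The full hunk is 62 lines per its header, so I may be missing blank lines here, but the visible rules are complete.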