gwg313/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

formatting: new formatting'

Browse source
This commit is contained in:
gwg313 2024-06-01 15:32:26 -04:00
parent 7efcab98a9
commit ef1b9f6c91
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
15 changed files with 358 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

5
common/gui/default.nix Normal file
View file

@ -0,0 +1,5 @@
{lib, ...}: {
imports = [./thunar.nix];
thunar.enable = lib.mkDefault true;
}

22
common/gui/thunar.nix
View file

@ -1,15 +1,21 @@
{
pkgs,
config,
lib,
...
}: {
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
options = {
thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
};
config = lib.mkIf config.thunar.enable {
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
services.gvfs.enable = true; # Mount, trash, and other functionalities
services.tumbler.enable = true; # Thumbnail support for images
};
services.gvfs.enable = true; # Mount, trash, and other functionalities
services.tumbler.enable = true; # Thumbnail support for images
}

21
common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix Normal file
View file

@ -0,0 +1,21 @@
{
pkgs,
config,
lib,
...
}: {
options = {
thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
};
config = lib.mkIf config.thunar.enable {
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
services.gvfs.enable = true; # Mount, trash, and other functionalities
services.tumbler.enable = true; # Thumbnail support for images
};
}

3
common/nixos/common.nix
View file

@ -4,6 +4,7 @@
pkgs,
inputs,
outputs,
user,
...
}: {
imports = [
@ -20,6 +21,8 @@
nix.settings.auto-optimise-store = true;
nix.optimise.automatic = true;
nix.settings.trusted-users = ["${user}"];
# Disable so comma can be installed
programs.command-not-found.enable = false;
programs.nix-index-database.comma.enable = true;

93
common/nixos/ssh.nix
View file

@ -1,93 +0,0 @@
{user, ...}: {
# https://www.ssh-audit.com/hardening_guides.html
# https://github.com/jtesta/ssh-audit
services.openssh = {
enable = true;
settings = {
########## Features ##########
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding = false;
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding = false;
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding = false;
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding = true;
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts = "no";
# prevent tun device forwarding
PermitTunnel = false;
# suppress MOTD
PrintMotd = false;
# disable X11 forwarding since it is not necessary
X11Forwarding = false;
########## Authentication ##########
AllowUsers = ["${user}"];
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
HostbasedAuthentication = false;
# enable pubkey authentication
PubkeyAuthentication = true;
# Forbid root login through SSH.
PermitRootLogin = "no";
# nix enables pam by default
#UsePam = true;
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
########## Connection Preferences ##########
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol = 2;
# number of client alive messages sent without client responding
ClientAliveCountMax = 2;
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval = 300;
# compression before encryption might cause security issues
Compression = false;
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts = true;
# log verbosely for addtional information
LogLevel = "VERBOSE";
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions = 2;
};
};
}

7
common/nixos/ssh/default.nix Normal file
View file

@ -0,0 +1,7 @@
{lib, ...}: {
imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
ssh_client.enable = lib.mkDefault true;
ssh.enable = lib.mkDefault false;
ssh_guard.enable = lib.mkDefault false;
}

103
common/nixos/ssh/ssh.nix Normal file
View file

@ -0,0 +1,103 @@
{
config,
lib,
user,
...
}: {
options = {
ssh.enable = lib.mkEnableOption "enable ssh settings";
};
config = lib.mkIf config.ssh.enable {
# https://www.ssh-audit.com/hardening_guides.html
# https://github.com/jtesta/ssh-audit
services.openssh = {
enable = true;
settings = {
########## Features ##########
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding = false;
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding = false;
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding = false;
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding = true;
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts = "no";
# prevent tun device forwarding
PermitTunnel = false;
# suppress MOTD
PrintMotd = false;
# disable X11 forwarding since it is not necessary
X11Forwarding = false;
########## Authentication ##########
AllowUsers = ["${user}"];
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
HostbasedAuthentication = false;
# enable pubkey authentication
PubkeyAuthentication = true;
# Forbid root login through SSH.
PermitRootLogin = "no";
# nix enables pam by default
#UsePam = true;
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
########## Connection Preferences ##########
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol = 2;
# number of client alive messages sent without client responding
ClientAliveCountMax = 2;
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval = 300;
# compression before encryption might cause security issues
Compression = false;
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts = true;
# log verbosely for addtional information
LogLevel = "VERBOSE";
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions = 2;
};
};
};
}

75
common/nixos/ssh_client.nix → common/nixos/ssh/ssh_client.nix
View file

@ -1,37 +1,45 @@
{...}: {
programs.ssh = {
# disable unnecessary forwardings
forwardX11 = false;
{
config,
lib,
...
}: {
options = {
ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
};
config = lib.mkIf config.ssh_client.enable {
programs.ssh = {
# disable unnecessary forwardings
forwardX11 = false;
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
];
macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
kexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
extraConfig = "
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
];
macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
kexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
extraConfig = "
# disable unnecessary forwardings
ForwardAgent no
ForwardX11Trusted no
@ -72,5 +80,6 @@
# display an ASCII art of the server's host key
VisualHostKey yes
";
};
};
}

21
common/nixos/ssh/ssh_guard.nix Normal file
View file

@ -0,0 +1,21 @@
{
config,
lib,
...
}: {
options = {
ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
};
config = lib.mkIf config.ssh_guard.enable {
services.sshguard = {
enable = true;
services = [
"sshd"
];
blocktime = 120;
detection_time = 1800;
blacklist_threshold = 120;
blacklist_file = "/var/lib/sshguard/blacklist.db";
};
};
}

12
common/nixos/ssh_guard.nix
View file

@ -1,12 +0,0 @@
{...}: {
services.sshguard = {
enable = true;
services = [
"sshd"
];
blocktime = 120;
detection_time = 1800;
blacklist_threshold = 120;
blacklist_file = "/var/lib/sshguard/blacklist.db";
};
}

2
home-manager/modules/linux-gui.nix
View file

@ -14,7 +14,7 @@
element-desktop # A feature-rich client for Matrix.org
gimp # GNU Image Manipulation Program, a powerful and open-source raster graphics editor for tasks like photo editing and graphic design.
gparted # Gnome Partition Editor, a graphical partition manager for creating, resizing, and managing disk partitions.
# kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
kodi # An open-source media center, providing a versatile platform for streaming and organizing media content.
pavucontrol # PulseAudio Volume Control, a feature-rich GUI for controlling and configuring the PulseAudio sound system.
#sublime-music # A modern and feature-rich music player with a clean user interface and advanced playback options.

2
hosts/candlekeep/configuration.nix
View file

@ -22,7 +22,7 @@
../../common/nixos/ssh_client.nix
../../common/nixos/ssh_guard.nix
../../common/gui/hyprland.nix
../../common/gui/thunar.nix
../../common/gui/default.nix
../../common/style/stylix.nix
../../common/virtualization/default.nix
../../common/nixos/sysctl/default.nix

135
hosts/candlekeep/configuration.sync-conflict-20240508-115349-N2TYFZ4.nix Normal file
View file

@ -0,0 +1,135 @@
# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
{
inputs,
outputs,
lib,
config,
pkgs,
user,
...
}: {
# You can import other NixOS modules here
imports = [
# If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example
../../common/nixos/common.nix
../../common/nixos/laptop.nix
../../common/networking/default.nix
../../common/nixos/bluetooth.nix
../../common/nixos/restic.nix
../../common/nixos/ssh/default.nix
../../common/gui/hyprland.nix
../../common/gui/default.nix
../../common/style/stylix.nix
../../common/virtualization/default.nix
../../common/nixos/sysctl/default.nix
./auditd.nix
./kernel.nix
./sysctl.nix
./earlyoom.nix
./syncthing.nix
# Or modules from other flakes (such as nixos-hardware):
# inputs.hardware.nixosModules.common-cpu-amd
# inputs.hardware.nixosModules.common-ssd
inputs.nix-index-database.nixosModules.nix-index
inputs.stylix.nixosModules.stylix
inputs.sops-nix.nixosModules.sops
# You can also split up your configuration and import pieces of it here:
# ./users.nix
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
ssh.enable = true;
ssh_guard.enable = true;
# Bootloader.
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.luks.devices."luks-b13379b3-2025-4d55-a40a-c0f3ad8ec801".device = "/dev/disk/by-uuid/b13379b3-2025-4d55-a40a-c0f3ad8ec801";
};
# sops
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nix.nixPath = ["/etc/nix/path"];
environment.etc =
lib.mapAttrs'
(name: value: {
name = "nix/path/${name}";
value.source = value.flake;
})
config.nix.registry;
networking.hostName = "candlekeep";
networking.networkmanager.enable = true;
users.users = {
gwg313 = {
initialPassword = "correcthorsebatterystaple";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
];
extraGroups = ["wheel"];
};
};
environment = {
loginShellInit = ''
if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
exec Hyprland
fi
''; # Will automatically open Hyprland when logged into tty1
variables = {
TERMINAL = "alacritty";
EDITOR = "nvim";
VISUAL = "nvim";
PAGER = "moar";
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.05";
}

7
hosts/grymforge/configuration.nix
View file

@ -17,9 +17,7 @@
../../common/networking/zerotier.nix
../../common/nixos/bluetooth.nix
../../common/nixos/restic.nix
../../common/nixos/ssh.nix
../../common/nixos/ssh_client.nix
../../common/nixos/ssh_guard.nix
../../common/nixos/ssh/default.nix
../../common/gui/hyprland.nix
../../common/gui/steam.nix
../../common/gui/thunar.nix
@ -48,6 +46,9 @@
./hardware-configuration.nix
];
ssh.enable = true;
ssh_guard.enable = true;
# Bootloader.
boot = {
loader = {

2
hosts/grymforge/hardware-configuration.nix
View file

@ -10,7 +10,7 @@
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
../../common/nixos/nfs.nix
# ../../common/nixos/nfs.nix
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];