diff --git a/common/gui/default.nix b/common/gui/default.nix
new file mode 100644
index 0000000..fda0dd1
--- /dev/null
+++ b/common/gui/default.nix
@@ -0,0 +1,5 @@
+{lib, ...}: {
+ imports = [./thunar.nix];
+
+ thunar.enable = lib.mkDefault true;
+}
diff --git a/common/gui/thunar.nix b/common/gui/thunar.nix
index 8783de9..ec88797 100644
--- a/common/gui/thunar.nix
+++ b/common/gui/thunar.nix
@@ -1,15 +1,21 @@
 {
 pkgs,
 config,
+ lib,
 ...
 }: {
- programs.thunar = {
- enable = true;
- plugins = with pkgs.xfce; [
- thunar-archive-plugin
- thunar-volman
- ];
+ options = {
+ thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
+ };
+ config = lib.mkIf config.thunar.enable {
+ programs.thunar = {
+ enable = true;
+ plugins = with pkgs.xfce; [
+ thunar-archive-plugin
+ thunar-volman
+ ];
+ };
+ services.gvfs.enable = true; # Mount, trash, and other functionalities
+ services.tumbler.enable = true; # Thumbnail support for images
 };
- services.gvfs.enable = true; # Mount, trash, and other functionalities
- services.tumbler.enable = true; # Thumbnail support for images
 }
diff --git a/common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix b/common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix
new file mode 100644
index 0000000..ec88797
--- /dev/null
+++ b/common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix
@@ -0,0 +1,21 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ options = {
+ thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
+ };
+ config = lib.mkIf config.thunar.enable {
+ programs.thunar = {
+ enable = true;
+ plugins = with pkgs.xfce; [
+ thunar-archive-plugin
+ thunar-volman
+ ];
+ };
+ services.gvfs.enable = true; # Mount, trash, and other functionalities
+ services.tumbler.enable = true; # Thumbnail support for images
+ };
+}
diff --git a/common/nixos/common.nix b/common/nixos/common.nix
index fb86d63..291c804 100644
--- a/common/nixos/common.nix
+++ b/common/nixos/common.nix
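Review bot: `common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix` is a Syncthing conflict copy committed by accident; its blob id (`ec88797`) is the same as the new `thunar.nix`, so it is a byte-identical duplicate that declares the same `thunar.enable` option a second time. Drop it from the commit and keep such copies out for good with `*.sync-conflict-*` in `.gitignore`. In the `thunar.nix` hunk, `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so `lib.mkEnableOption "thunar and its plugins"` reads correctly in generated docs where `"Enables thunar and its plugins"` does not; the same applies to the `ssh.nix`, `ssh_client.nix` and `ssh_guard.nix` options later in the diff. Note also that the module body is now gated on `config.thunar.enable`, so a host that imports `thunar.nix` directly rather than `default.nix` loses Thunar unless it sets `thunar.enable = true;` itself.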
@@ -4,6 +4,7 @@
 pkgs,
 inputs,
 outputs,
+ user,
 ...
 }: {
 imports = [
@@ -20,6 +21,8 @@
 nix.settings.auto-optimise-store = true;
 nix.optimise.automatic = true;
+ nix.settings.trusted-users = ["${user}"];
+
 # Disable so comma can be installed
 programs.command-not-found.enable = false;
 programs.nix-index-database.comma.enable = true;
diff --git a/common/nixos/ssh.nix b/common/nixos/ssh.nix
deleted file mode 100644
index af71952..0000000
--- a/common/nixos/ssh.nix
+++ /dev/null
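Review bot: `nix.settings.trusted-users = ["${user}"];` in the second hunk gives that account the daemon's full trust: a trusted user can set arbitrary `substituters`/`trusted-public-keys`, turn off the build sandbox and add sandbox paths, which is effectively root on the host. If that is deliberate (the account is presumably already in `wheel`), record it next to the line, e.g. `# root-equivalent: a trusted user can push substituters/sandbox settings to nix-daemon`; if only store access was wanted, `nix.settings.allowed-users` is the narrower knob and `trusted-users` can stay at its default of `root`. The quoting is unnecessary in Nix: `nix.settings.trusted-users = [user];`. `user` is a new module argument here, so it must be passed via the flake's `specialArgs`, which is outside this diff.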
@@ -1,93 +0,0 @@
-{user, ...}: {
- # https://www.ssh-audit.com/hardening_guides.html
- # https://github.com/jtesta/ssh-audit
- services.openssh = {
- enable = true;
- settings = {
- ########## Features ##########
-
- # disallow ssh-agent forwarding to prevent lateral movement
- AllowAgentForwarding = false;
-
- # prevent TCP ports from being forwarded over SSH tunnels
- # **please be aware that disabling TCP forwarding does not prevent port forwarding**
- # any user with an interactive login shell can spin up his/her own instance of sshd
- AllowTcpForwarding = false;
-
- # prevent StreamLocal (Unix-domain socket) forwarding
- AllowStreamLocalForwarding = false;
-
- # disables all forwarding features
- # overrides all other forwarding switches
- DisableForwarding = true;
-
- # disallow remote hosts from connecting to forwarded ports
- # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
- GatewayPorts = "no";
-
- # prevent tun device forwarding
- PermitTunnel = false;
-
- # suppress MOTD
- PrintMotd = false;
-
- # disable X11 forwarding since it is not necessary
- X11Forwarding = false;
-
- ########## Authentication ##########
-
- AllowUsers = ["${user}"];
-
- # Use keys only. Remove if you want to SSH using password (not recommended)
- PasswordAuthentication = false;
- HostbasedAuthentication = false;
-
- # enable pubkey authentication
- PubkeyAuthentication = true;
-
- # Forbid root login through SSH.
- PermitRootLogin = "no";
-
- # nix enables pam by default
- #UsePam = true;
-
- ########## Cryptography ##########
-
- # explicitly define cryptography algorithms to avoid the use of weak algorithms
- # AES CTR modes have been removed to mitigate the Terrapin attack
- # https://terrapin-attack.com/
-
- Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
- Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
- KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
-
- ########## Connection Preferences ##########
-
- # enforce SSH server to only use SSH protocol version 2
- # SSHv1 contains security issues and should be avoided at all costs
- # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
- # specified anyways to ensure this configuration file's compatibility
- # with older versions of OpenSSH server
- Protocol = 2;
-
- # number of client alive messages sent without client responding
- ClientAliveCountMax = 2;
-
- # send a keepalive message to the client when the session has been idle for 300 seconds
- # this prevents/detects connection timeouts
- ClientAliveInterval = 300;
-
- # compression before encryption might cause security issues
- Compression = false;
-
- # prevent SSH trust relationships from allowing lateral movements
- IgnoreRhosts = true;
-
- # log verbosely for addtional information
- LogLevel = "VERBOSE";
-
- # allow a maximum of two multiplexed sessions over a single TCP connection
- MaxSessions = 2;
- };
- };
-}
diff --git a/common/nixos/ssh/default.nix b/common/nixos/ssh/default.nix
new file mode 100644
index 0000000..27f2ca0
--- /dev/null
+++ b/common/nixos/ssh/default.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+ imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
+
+ ssh_client.enable = lib.mkDefault true;
+ ssh.enable = lib.mkDefault false;
+ ssh_guard.enable = lib.mkDefault false;
+}
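Review bot: In `ssh/default.nix`, `ssh.enable` and `ssh_guard.enable` are independent, so a host can switch on sshd (as the grymforge and candlekeep hunks do) and forget the brute-force guard, or run sshguard with no sshd to watch. Tie the guard to the server by default: add `config` to the module arguments and write `ssh_guard.enable = lib.mkDefault config.ssh.enable;` — a host's plain `ssh_guard.enable = true;`/`false;` still overrides it. The two `lib.mkDefault false` lines duplicate what `lib.mkEnableOption` already defaults to; they are harmless, but a comment such as `# sshd stays off unless a host opts in` would make the intent explicit.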
diff --git a/common/nixos/ssh/ssh.nix b/common/nixos/ssh/ssh.nix
new file mode 100644
index 0000000..45e5b6a
--- /dev/null
+++ b/common/nixos/ssh/ssh.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ user,
+ ...
+}: {
+ options = {
+ ssh.enable = lib.mkEnableOption "enable ssh settings";
+ };
+ config = lib.mkIf config.ssh.enable {
+ # https://www.ssh-audit.com/hardening_guides.html
+ # https://github.com/jtesta/ssh-audit
+ services.openssh = {
+ enable = true;
+ settings = {
+ ########## Features ##########
+
+ # disallow ssh-agent forwarding to prevent lateral movement
+ AllowAgentForwarding = false;
+
+ # prevent TCP ports from being forwarded over SSH tunnels
+ # **please be aware that disabling TCP forwarding does not prevent port forwarding**
+ # any user with an interactive login shell can spin up his/her own instance of sshd
+ AllowTcpForwarding = false;
+
+ # prevent StreamLocal (Unix-domain socket) forwarding
+ AllowStreamLocalForwarding = false;
+
+ # disables all forwarding features
+ # overrides all other forwarding switches
+ DisableForwarding = true;
+
+ # disallow remote hosts from connecting to forwarded ports
+ # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
+ GatewayPorts = "no";
+
+ # prevent tun device forwarding
+ PermitTunnel = false;
+
+ # suppress MOTD
+ PrintMotd = false;
+
+ # disable X11 forwarding since it is not necessary
+ X11Forwarding = false;
+
+ ########## Authentication ##########
+
+ AllowUsers = ["${user}"];
+
+ # Use keys only. Remove if you want to SSH using password (not recommended)
+ PasswordAuthentication = false;
+ HostbasedAuthentication = false;
+
+ # enable pubkey authentication
+ PubkeyAuthentication = true;
+
+ # Forbid root login through SSH.
+ PermitRootLogin = "no";
+
+ # nix enables pam by default
+ #UsePam = true;
+
+ ########## Cryptography ##########
+
+ # explicitly define cryptography algorithms to avoid the use of weak algorithms
+ # AES CTR modes have been removed to mitigate the Terrapin attack
+ # https://terrapin-attack.com/
+
+ Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
+ Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
+ KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+
+ ########## Connection Preferences ##########
+
+ # enforce SSH server to only use SSH protocol version 2
+ # SSHv1 contains security issues and should be avoided at all costs
+ # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+ # specified anyways to ensure this configuration file's compatibility
+ # with older versions of OpenSSH server
+ Protocol = 2;
+
+ # number of client alive messages sent without client responding
+ ClientAliveCountMax = 2;
+
+ # send a keepalive message to the client when the session has been idle for 300 seconds
+ # this prevents/detects connection timeouts
+ ClientAliveInterval = 300;
+
+ # compression before encryption might cause security issues
+ Compression = false;
+
+ # prevent SSH trust relationships from allowing lateral movements
+ IgnoreRhosts = true;
+
+ # log verbosely for addtional information
+ LogLevel = "VERBOSE";
+
+ # allow a maximum of two multiplexed sessions over a single TCP connection
+ MaxSessions = 2;
+ };
+ };
+ };
+}
diff --git a/common/nixos/ssh_client.nix b/common/nixos/ssh/ssh_client.nix
similarity index 51%
rename from common/nixos/ssh_client.nix
rename to common/nixos/ssh/ssh_client.nix
index 416cd44..6939cea 100644
--- a/common/nixos/ssh_client.nix
+++ b/common/nixos/ssh/ssh_client.nix
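Review bot: The comment above `PasswordAuthentication = false;` promises "Use keys only", but sshd still offers `keyboard-interactive` through PAM (see the `#UsePam = true;` remark in this hunk), and NixOS's `services.openssh.settings.KbdInteractiveAuthentication` defaults to `true`, so password logins via PAM remain possible. Add `KbdInteractiveAuthentication = false;` beside `PasswordAuthentication = false;` so the claim holds; `AuthenticationMethods = "publickey";` additionally makes the server refuse every other method outright. `Protocol = 2;` is accepted but ignored by the OpenSSH versions nixpkgs ships (the keyword became a no-op when SSHv1 was removed in 7.6), so the five-line justification above it could shrink to `# legacy no-op: SSHv1 support was removed in OpenSSH 7.6`. `AllowUsers = ["${user}"];` can simply be `AllowUsers = [user];`.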
@@ -1,37 +1,45 @@
-{...}: {
- programs.ssh = {
- # disable unnecessary forwardings
- forwardX11 = false;
+{
+ config,
+ lib,
+ ...
+}: {
+ options = {
+ ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
+ };
+ config = lib.mkIf config.ssh_client.enable {
+ programs.ssh = {
+ # disable unnecessary forwardings
+ forwardX11 = false;
- # explicitly define cryptography algorithms to avoid the use of weak algorithms
- # AES CTR modes have been removed to mitigate the Terrapin attack
- # https://terrapin-attack.com/
- ciphers = [
- "aes256-gcm@openssh.com"
- "aes128-gcm@openssh.com"
- ];
- hostKeyAlgorithms = [
- "ssh-ed25519"
- "ssh-ed25519-cert-v01@openssh.com"
- "sk-ssh-ed25519@openssh.com"
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "rsa-sha2-256"
- "rsa-sha2-256-cert-v01@openssh.com"
- "rsa-sha2-512"
- "rsa-sha2-512-cert-v01@openssh.com"
- ];
- macs = [
- "hmac-sha2-256-etm@openssh.com"
- "hmac-sha2-512-etm@openssh.com"
- "umac-128-etm@openssh.com"
- ];
- kexAlgorithms = [
- "curve25519-sha256"
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group16-sha512"
- "diffie-hellman-group18-sha512"
- ];
- extraConfig = "
+ # explicitly define cryptography algorithms to avoid the use of weak algorithms
+ # AES CTR modes have been removed to mitigate the Terrapin attack
+ # https://terrapin-attack.com/
+ ciphers = [
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ ];
+ hostKeyAlgorithms = [
+ "ssh-ed25519"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-256"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ ];
+ macs = [
+ "hmac-sha2-256-etm@openssh.com"
+ "hmac-sha2-512-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
+ kexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ ];
+ extraConfig = "
 # disable unnecessary forwardings
 ForwardAgent no
 ForwardX11Trusted no
@@ -72,5 +80,6 @@
 # display an ASCII art of the server's host key
 VisualHostKey yes
 ";
+ };
 };
 }
diff --git a/common/nixos/ssh/ssh_guard.nix b/common/nixos/ssh/ssh_guard.nix
new file mode 100644
index 0000000..456040b
--- /dev/null
+++ b/common/nixos/ssh/ssh_guard.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ options = {
+ ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
+ };
+ config = lib.mkIf config.ssh_guard.enable {
+ services.sshguard = {
+ enable = true;
+ services = [
+ "sshd"
+ ];
+ blocktime = 120;
+ detection_time = 1800;
+ blacklist_threshold = 120;
+ blacklist_file = "/var/lib/sshguard/blacklist.db";
+ };
+ };
+}
diff --git a/common/nixos/ssh_guard.nix b/common/nixos/ssh_guard.nix
deleted file mode 100644
index 9dcdfd4..0000000
--- a/common/nixos/ssh_guard.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{...}: {
- services.sshguard = {
- enable = true;
- services = [
- "sshd"
- ];
- blocktime = 120;
- detection_time = 1800;
- blacklist_threshold = 120;
- blacklist_file = "/var/lib/sshguard/blacklist.db";
- };
-}
diff --git a/home-manager/modules/linux-gui.nix b/home-manager/modules/linux-gui.nix
index 8877b58..a083b90 100644
--- a/home-manager/modules/linux-gui.nix
+++ b/home-manager/modules/linux-gui.nix
@@ -14,7 +14,7 @@
 element-desktop # A feature-rich client for Matrix.org
 gimp # GNU Image Manipulation Program, a powerful and open-source raster graphics editor for tasks like photo editing and graphic design.
 gparted # Gnome Partition Editor, a graphical partition manager for creating, resizing, and managing disk partitions.
- # kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
+ kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
 kodi # An open-source media center, providing a versatile platform for streaming and organizing media content.
 pavucontrol # PulseAudio Volume Control, a feature-rich GUI for controlling and configuring the PulseAudio sound system.
 #sublime-music # A modern and feature-rich music player with a clean user interface and advanced playback options.
diff --git a/hosts/candlekeep/configuration.nix b/hosts/candlekeep/configuration.nix
index 41c5461..3907969 100644
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@@ -22,7 +22,7 @@
 ../../common/nixos/ssh_client.nix
 ../../common/nixos/ssh_guard.nix
 ../../common/gui/hyprland.nix
- ../../common/gui/thunar.nix
+ ../../common/gui/default.nix
 ../../common/style/stylix.nix
 ../../common/virtualization/default.nix
 ../../common/nixos/sysctl/default.nix
diff --git a/hosts/candlekeep/configuration.sync-conflict-20240508-115349-N2TYFZ4.nix b/hosts/candlekeep/configuration.sync-conflict-20240508-115349-N2TYFZ4.nix
new file mode 100644
index 0000000..4a25d5b
--- /dev/null
+++ b/hosts/candlekeep/configuration.sync-conflict-20240508-115349-N2TYFZ4.nix
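Review bot: `hosts/candlekeep/configuration.nix` still imports `../../common/nixos/ssh_client.nix` and `../../common/nixos/ssh_guard.nix` (the context lines of this hunk), yet this same commit renames the first to `common/nixos/ssh/ssh_client.nix` and deletes the second, so candlekeep will fail to evaluate with a missing-path error once this lands. The hunk only swaps `thunar.nix` for `gui/default.nix`; the ssh part of the change seems to have gone into the `configuration.sync-conflict-…` copy instead, which imports `../../common/nixos/ssh/default.nix` and sets `ssh.enable`/`ssh_guard.enable`. Replace the two stale imports (and `../../common/nixos/ssh.nix`, if line 21 still carries it) with `../../common/nixos/ssh/default.nix`, and add `ssh.enable = true;` and `ssh_guard.enable = true;` as the grymforge hunk does.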
@@ -0,0 +1,135 @@
+# This is your system's configuration file.
+# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ user,
+ ...
+}: {
+ # You can import other NixOS modules here
+ imports = [
+ # If you want to use modules your own flake exports (from modules/nixos):
+ # outputs.nixosModules.example
+ ../../common/nixos/common.nix
+ ../../common/nixos/laptop.nix
+ ../../common/networking/default.nix
+ ../../common/nixos/bluetooth.nix
+ ../../common/nixos/restic.nix
+ ../../common/nixos/ssh/default.nix
+ ../../common/gui/hyprland.nix
+ ../../common/gui/default.nix
+ ../../common/style/stylix.nix
+ ../../common/virtualization/default.nix
+ ../../common/nixos/sysctl/default.nix
+
+ ./auditd.nix
+ ./kernel.nix
+ ./sysctl.nix
+ ./earlyoom.nix
+ ./syncthing.nix
+
+ # Or modules from other flakes (such as nixos-hardware):
+ # inputs.hardware.nixosModules.common-cpu-amd
+ # inputs.hardware.nixosModules.common-ssd
+ inputs.nix-index-database.nixosModules.nix-index
+ inputs.stylix.nixosModules.stylix
+ inputs.sops-nix.nixosModules.sops
+ # You can also split up your configuration and import pieces of it here:
+ # ./users.nix
+
+ # Import your generated (nixos-generate-config) hardware configuration
+ ./hardware-configuration.nix
+ ];
+
+ ssh.enable = true;
+ ssh_guard.enable = true;
+
+ # Bootloader.
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd.luks.devices."luks-b13379b3-2025-4d55-a40a-c0f3ad8ec801".device = "/dev/disk/by-uuid/b13379b3-2025-4d55-a40a-c0f3ad8ec801";
+ };
+
+ # sops
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
+ };
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ };
+ };
+
+ # This will add each flake input as a registry
+ # To make nix3 commands consistent with your flake
+ nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
+
+ # This will additionally add your inputs to the system's legacy channels
+ # Making legacy nix commands consistent as well, awesome!
+ nix.nixPath = ["/etc/nix/path"];
+ environment.etc =
+ lib.mapAttrs'
+ (name: value: {
+ name = "nix/path/${name}";
+ value.source = value.flake;
+ })
+ config.nix.registry;
+
+ networking.hostName = "candlekeep";
+ networking.networkmanager.enable = true;
+
+ users.users = {
+ gwg313 = {
+ initialPassword = "correcthorsebatterystaple";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
+ ];
+ extraGroups = ["wheel"];
+ };
+ };
+
+ environment = {
+ loginShellInit = ''
+ if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
+ exec Hyprland
+ fi
+ ''; # Will automatically open Hyprland when logged into tty1
+ variables = {
+ TERMINAL = "alacritty";
+ EDITOR = "nvim";
+ VISUAL = "nvim";
+ PAGER = "moar";
+ };
+ };
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/grymforge/configuration.nix b/hosts/grymforge/configuration.nix
index c7d4493..3b94363 100644
--- a/hosts/grymforge/configuration.nix
+++ b/hosts/grymforge/configuration.nix
@@ -17,9 +17,7 @@
 ../../common/networking/zerotier.nix
 ../../common/nixos/bluetooth.nix
 ../../common/nixos/restic.nix
- ../../common/nixos/ssh.nix
- ../../common/nixos/ssh_client.nix
- ../../common/nixos/ssh_guard.nix
+ ../../common/nixos/ssh/default.nix
 ../../common/gui/hyprland.nix
 ../../common/gui/steam.nix
 ../../common/gui/thunar.nix
@@ -48,6 +46,9 @@
 ./hardware-configuration.nix
 ];
+ ssh.enable = true;
+ ssh_guard.enable = true;
+
 # Bootloader.
 boot = {
 loader = {
diff --git a/hosts/grymforge/hardware-configuration.nix b/hosts/grymforge/hardware-configuration.nix
index 21c53cd..61e7307 100644
--- a/hosts/grymforge/hardware-configuration.nix
+++ b/hosts/grymforge/hardware-configuration.nix
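Review bot: `hosts/candlekeep/configuration.sync-conflict-20240508-115349-N2TYFZ4.nix` is a Syncthing conflict artifact and should not be committed: it is a second full copy of the host configuration that nothing imports, so the ssh changes in it (`../../common/nixos/ssh/default.nix`, `ssh.enable = true;`, `ssh_guard.enable = true;`) never take effect, and two diverging copies of one host are a maintenance trap. Move those lines into `hosts/candlekeep/configuration.nix`, delete this file, and add `*.sync-conflict-*` to `.gitignore`. While you are in here, `initialPassword = "correcthorsebatterystaple";` commits a plaintext credential and is only applied when the user is first created, so a freshly rebuilt host runs with a well-known password until someone changes it; with sops-nix already wired up (`sops.defaultSopsFile`), prefer `hashedPasswordFile = config.sops.secrets.<secret-name>.path;` backed by a declared `sops.secrets.<secret-name>`.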
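Review bot: grymforge keeps importing `../../common/gui/thunar.nix` directly (context line of the first hunk), but this commit makes that module's body conditional on `config.thunar.enable`, which `lib.mkEnableOption` defaults to `false`; only `common/gui/default.nix` turns it on. Unless grymforge sets `thunar.enable` somewhere outside this diff, Thunar, gvfs and tumbler silently disappear from that host after the change. Import `../../common/gui/default.nix` here as candlekeep now does, or add `thunar.enable = true;` next to the new `ssh.enable = true;` line in the second hunk.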
@@ -10,7 +10,7 @@
 }: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
- ../../common/nixos/nfs.nix
+ # ../../common/nixos/nfs.nix
 ];
 boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];