Major config overhaul: use custom modules, setup for multi-host config, and less boilerplate

2025-02-09 16:50:26 -06:00
parent 1fa8b17b07
commit 0453901d17
303 changed files with 3560 additions and 5566 deletions
--- a/modules/system/security/automount/default.nix
+++ b/modules/system/security/automount/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.systemSettings.security.automount;
+in {
+  options = {
+    systemSettings.security.automount = {
+      enable = lib.mkEnableOption "Enable automount";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.devmon.enable = true;
+    services.gvfs.enable = true;
+    services.udisks2.enable = true;
+  };
+}
--- a/modules/system/security/blocklist/default.nix
+++ b/modules/system/security/blocklist/default.nix
@@ -0,0 +1,18 @@
+{ config, lib, inputs, ... }:
+
+let
+  blocklist = builtins.readFile "${inputs.blocklist-hosts}/alternates/gambling-porn/hosts";
+  cfg = config.systemSettings.security.blocklist;
+in {
+  options = {
+    systemSettings.security.blocklist = {
+      enable = lib.mkEnableOption "Enable basic host blocking for bad websites";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.extraHosts = ''
+      "${blocklist}"
+    '';
+  };
+}
--- a/modules/system/security/doas/default.nix
+++ b/modules/system/security/doas/default.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.systemSettings.security.doas;
+  adminUsers = config.systemSettings.adminUsers;
+in {
+  options = {
+    systemSettings.security.doas = {
+      enable = lib.mkEnableOption "Replace sudo with doas";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Doas instead of sudo
+    security.doas.enable = true;
+    security.sudo.enable = false;
+    security.doas.extraRules = [
+      {
+        users = adminUsers;
+        cmd = "nix";
+        noPass = true;
+        keepEnv = true;
+      }
+      {
+        users = adminUsers;
+        cmd = "nixos-rebuild";
+        noPass = true;
+        keepEnv = true;
+      }
+      {
+        users = adminUsers;
+        cmd = "nix-collect-garbage";
+        noPass = true;
+        keepEnv = true;
+      }
+    ];
+
+    environment.systemPackages = [
+      pkgs.doas-sudo-shim
+    ];
+  };
+}
--- a/modules/system/security/firejail/default.nix
+++ b/modules/system/security/firejail/default.nix
@@ -0,0 +1,30 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.systemSettings.security.firejail;
+in {
+  options = {
+    systemSettings.security.firejail = {
+      enable = lib.mkEnableOption "Use firejail on some apps for extra security";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ firejail ];
+    programs.firejail.enable = true;
+    programs.firejail.wrappedBinaries = {
+      #prismlauncher = {
+      #  executable = "${pkgs.prismlauncher}/bin/prismlauncher";
+      #  profile = ./firejail-profiles/prismlauncher.profile;
+      #};
+      #steam = {
+      #  executable = "${pkgs.steam}/bin/steam";
+      #  profile = "${pkgs.firejail}/etc/firejail/steam.profile";
+      #};
+      #steam-run = {
+      #  executable = "${pkgs.steam}/bin/steam-run";
+      #  profile = "${pkgs.firejail}/etc/firejail/steam.profile";
+      #};
+    };
+  };
+}
--- a/modules/system/security/firejail/profiles/prismlauncher.profile
+++ b/modules/system/security/firejail/profiles/prismlauncher.profile
@@ -0,0 +1,51 @@
+# Firejail profile for prismlauncher
+# Description: An Open Source Minecraft launcher that can manage multiple instances
+# This file is overwritten after every install/update
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.local/share/PrismLauncher
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/PrismLauncher
+whitelist ${HOME}/.local/share/PrismLauncher
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private-bin java,java-config,minecraft-launcher,prismlauncher
+private-cache
+private-dev
+# If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
+# or 'ignore private-etc' to your minecraft-launcher.local.
+private-tmp
+
+dbus-system none
+
+restrict-namespaces
--- a/modules/system/security/firewall/default.nix
+++ b/modules/system/security/firewall/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.systemSettings.security.firewall;
+in {
+  options = {
+    systemSettings.security.firewall = {
+      # TODO make this more granular and better :|
+      enable = lib.mkEnableOption "Actvate firewall with ports open only for syncthing";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Firewall
+    networking.firewall.enable = true;
+    # Open ports in the firewall.
+    networking.firewall.allowedTCPPorts = [ 22000 21027 ]; # syncthing
+    networking.firewall.allowedUDPPorts = [ 22000 21027 ]; # syncthing
+    # Or disable the firewall altogether.
+    # networking.firewall.enable = false;
+  };
+}
--- a/modules/system/security/gpg/default.nix
+++ b/modules/system/security/gpg/default.nix
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemSettings.security.gpg;
+in {
+  options = {
+    systemSettings.security.gpg = {
+      enable = lib.mkEnableOption "Enable gpg";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+}
--- a/modules/system/security/openvpn/default.nix
+++ b/modules/system/security/openvpn/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.systemSettings.security.openvpn;
+in {
+  options = {
+    systemSettings.security.openvpn = {
+      enable = lib.mkEnableOption "Enable openvpn";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.openvpn ];
+    environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+  };
+}
--- a/modules/system/security/sshd/default.nix
+++ b/modules/system/security/sshd/default.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.systemSettings.security.sshd;
+in {
+  options = {
+    systemSettings.security.sshd = {
+      enable = lib.mkEnableOption "Enable incoming ssh connections";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Enable incoming ssh
+    services.openssh = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+      };
+    };
+    # Don't forget to set:
+    # users.users.${username}.openssh.authorizedKeys.keys = "myAuthorizedKey";
+  };
+}