This commit is contained in:
Chris Kruining 2024-07-23 17:46:03 +02:00
parent a22dfad11d
commit 6eade157b3
17 changed files with 306 additions and 289 deletions


@ -1,10 +0,0 @@
{ config, user, sensitive, lib, ... }: {
networking.firewall.enable = true;
# security.sudo.execWheelOnly = true;
# security.auditd.enable = true;
# security.audit.enable = !config.boot.isContainer;
# PGP set up.
programs.gnupg.agent.enable = true;
}


@ -1,12 +0,0 @@
{ pkgs, security, ... }:
{
environment.systemPackages = with pkgs; [
kdePackages.kwallet-pam
bitwarden
];
security.pam.services.kwallet = {
name = "kwallet";
enableKwallet = true;
};
}


@ -13,23 +13,21 @@ in
config = mkMerge [
(mkIf config.modules.develop.rust.enable {
nixpkgs.overlays = [ inputs.rust.overlays.default ];
user.packages = attrValues {
rust-package = pkgs.rust-bin.nightly.latest.default;
inherit (pkgs) rust-analyser rust-script;
};
environment.shellAlliases = {
environment.shellAliases = {
rs = "rustc";
ca = "cargo";
};
})
(mkIf config.modules.develop.cdg.enable {
env = {
CARGO_HOME = "$XDG_DATA_HOME/cargo";
PATH = [ "$CARGO_HOME/bin" ];
(mkIf config.modules.develop.xdg.enable {
home = {
sessionVariables.CARGO_HOME = "$XDG_DATA_HOME/cargo";
sessionPath = ["$CARGO_HOME/bin"];
};
})
];
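Review bot: The new guard `mkIf config.modules.develop.xdg.enable` at L54 references an option this commit does not declare anywhere visible; the new modules/xgd.nix sets `hm.xdg.enable` directly and does not define `modules.develop.xdg`, so unless the option is declared elsewhere the module fails to evaluate with an undefined-option error. It is also worth confirming that `sessionPath = ["$CARGO_HOME/bin"]` (L57) is expanded after `sessionVariables.CARGO_HOME` (L56) in the generated session script, otherwise the PATH entry expands to `/bin`. The `config = mkMerge [` list opens inside the hunk but the module attrset it belongs to starts before it.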


@ -20,15 +20,44 @@ in
"${config.user.home}/Workspace/public/kaas"
"/etc/kaas"
]);
hostDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}";
homeDir = mkOpt path "${config.kaas.dir}/hosts/${config.networking.hostName}";
binDir = mkOpt path "${config.kaas.dir}/bin";
configDir = mkOpt path "${config.kaas.dir}/config";
modulesDir = mkOpt path "${config.kaas.dir}/modules";
themesDir = mkOpt path "${config.kaas.modulesDir}/themes";
};
};
config = {
user = let
user = builtins.getEnv "USER";
name =
if builtins.elem user [ "" "root" ] then "chris"
else user;
in
{
inherit name;
description = "Primary user account";
extraGroups = [ "wheel" ];
isNormalUser = true;
home = "/home/${name}";
group = "users";
uid = 1000;
};
home-manager.useUserPackages = true;
home = {
# HIER BEN IK GEBLEVEN!!!
stateVersion = config.system.stateVersion;
sessionPath = [ "$KAAS_BIN" "$XDG_BIN_HOME" "$PATH" ];
};
users.users.${config.user.name} = mkAliasDefinitions options.user;
nix.settings = let users = [ "" config.user.name ]; in
{
trusted-users = users;
allowed-users = users;
};
};
}
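Review bot: `nix.settings.trusted-users = users` (L99-103) makes `config.user.name` a trusted Nix user, and the Nix manual describes trusted users as effectively root: they may add arbitrary substituters and import unsigned store paths. Since that name comes from `builtins.getEnv "USER"` (L78), which is empty under pure evaluation and then falls back to `"chris"` (L80), the account that ends up with those privileges depends on how the flake was evaluated; pinning the name explicitly and keeping `trusted-users` at `[ "root" ]` unless daemon-level trust is really needed would be safer. The `""` entry in the `users` list (L99) also looks like a leftover placeholder rather than a real account. The comment `# HIER BEN IK GEBLEVEN!!!` at L94 is Dutch for "this is where I left off" and reads as an unfinished-work marker that should be resolved or replaced with an English TODO. The module attrset this hunk belongs to opens before the hunk.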


@ -21,95 +21,97 @@ in
# Prevent x11 askPass prompt on git push:
programs.ssh.askPassword = "";
hm.programs.zsh.initExtra = ''
# -------===[ Helpful Git Fn's ]===------- #
gitignore() {
curl -s -o .gitignore https://gitignore.io/api/$1
}
'';
home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";
hm.programs.fish.functions = {
gitignore = "curl -sL https://www.gitignore.io/api/$argv";
};
hm.programs = {
zsh.initExtra = ''
# -------===[ Helpful Git Fn's ]===------- #
gitignore() {
curl -s -o .gitignore https://gitignore.io/api/$1
}
'';
env = {GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)";};
hm.programs.git = {
enable = true;
package = pkgs.gitFull;
difftastic = {
enable = true;
background = "dark";
color = "always";
display = "inline";
fish.functions = {
gitignore = "curl -sL https://www.gitignore.io/api/$argv";
};
ignores = [
# General:
"*.bloop"
"*.bsp"
"*.metals"
"*.metals.sbt"
"*metals.sbt"
"*.direnv"
"*.envrc"
"*hie.yaml"
"*.mill-version"
"*.jvmopts"
# OS-related:
".DS_Store?"
".DS_Store"
".CFUserTextEncoding"
".Trash"
".Xauthority"
"thumbs.db"
"Thumbs.db"
"Icon?"
# Compiled residues:
"*.class"
"*.exe"
"*.o"
"*.pyc"
"*.elc"
];
extraConfig = {
init.defaultBranch = "main";
core = {
editor = "nvim";
whitespace = "trailing-space,space-before-tab";
};
credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
user = {
name = "Chris Kruining";
email = "chris@kruining.eu";
signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
git = {
enable = true;
package = pkgs.gitFull;
difftastic = {
enable = true;
background = "dark";
color = "always";
display = "inline";
};
gpg.format = "ssh";
commit.gpgSign = true;
tag.gpgSign = true;
ignores = [
# General:
"*.bloop"
"*.bsp"
"*.metals"
"*.metals.sbt"
"*metals.sbt"
"*.direnv"
"*.envrc"
"*hie.yaml"
"*.mill-version"
"*.jvmopts"
push = {
default = "current";
gpgSign = "if-asked";
autoSquash = true;
};
pull.rebase = true;
# OS-related:
".DS_Store?"
".DS_Store"
".CFUserTextEncoding"
".Trash"
".Xauthority"
"thumbs.db"
"Thumbs.db"
"Icon?"
filter = {
required = true;
smudge = "git-lfs smudge -- %f";
process = "git-lfs filter-process";
clean = "git-lfs clean -- %f";
};
# Compiled residues:
"*.class"
"*.exe"
"*.o"
"*.pyc"
"*.elc"
];
url = {
"https://github.com/".insteadOf = "gh:";
"git@github.com:".insteadOf = "ssh+gh:";
extraConfig = {
init.defaultBranch = "main";
core = {
editor = "nvim";
whitespace = "trailing-space,space-before-tab";
};
credential.helper = "${pkgs.gitFull}/bin/git-credential-libsecret";
user = {
name = "Chris Kruining";
email = "chris@kruining.eu";
signingKey = readFile "${config.user.home}/.ssh/id_ed25519.pub";
};
gpg.format = "ssh";
commit.gpgSign = true;
tag.gpgSign = true;
push = {
default = "current";
gpgSign = "if-asked";
autoSquash = true;
};
pull.rebase = true;
filter = {
required = true;
smudge = "git-lfs smudge -- %f";
process = "git-lfs filter-process";
clean = "git-lfs clean -- %f";
};
url = {
"https://github.com/".insteadOf = "gh:";
"git@github.com:".insteadOf = "ssh+gh:";
};
};
};
};
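Review bot: `GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)"` (L118 or L129, whichever is the new side) places the secret in the login session's environment, where every process the user starts inherits it and can read it back from its own `/proc/self/environ`; a helper that reads the file on demand (the `credential.helper` libsecret setting at L241 already covers HTTPS auth) keeps the token out of the environment entirely. If L129 is the new side, as the print order suggests, `env = {…}` sits inside the `hm.programs = {` set opened at L122 and so defines `hm.programs.env`, which does not look like a declared option and probably belongs at the module's top level. The `hm.programs` block closes at L268; the module it belongs to starts before the hunk.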


@ -32,7 +32,7 @@ in
};
};
home.configFile = mkIf config.module.hardware.bluetooth.enable {
home.configFile = mkIf config.modules.hardware.bluetooth.enable {
wireplumber-bluetooth = {
target = "wireplumber/bluetooth.lua.d/51-bluez-config.lua";
text = ''


@ -1,6 +1,6 @@
{ config, options, lib, pkgs, ... }:
{
boot.loader.systemd-boot-enable = true;
boot.loader.systemd-boot.enable = true;
time.timeZone = "Europe/Amsterdam";


@ -0,0 +1,62 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
kdePackages.kwallet-pam
bitwarden
];
security = {
sudo.execWheelOnly = true;
acme.acceptTerms = true;
polkit.enable = true;
pam.services.kwallet = {
name = "kwallet";
enableKwallet = true;
};
};
networking.firewall.enable = true;
programs.gnupg.agent.enable = true;
boot = {
loader.systemd-boot = {
editor = false;
configurationLimit = 50;
};
kernalModules = [ "tcp_bbr" ];
kernal.sysctl = {
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# Enable TCP Fast Open for incoming and outgoing connections
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
}
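Review bot: `kernalModules` (L315) and `kernal.sysctl` (L316) are misspellings of `boot.kernelModules` and `boot.kernel.sysctl`; NixOS rejects undeclared options, so as written the module fails to evaluate and none of the sysctl hardening below it is applied. The fix is `kernelModules = [ "tcp_bbr" ];` and `kernel.sysctl = {`. Two comments state the opposite of what the settings do: `# Don't send ICMP redirects (again, we're on a router)` (L327) should say `we're not a router`, and `# Incomplete protection again TIME-WAIT assassination` (L339) should read `against`. The file's path is not shown on this page; the hunk covers the whole new file.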

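--- /dev/null
+++ b/modules/xgd.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+hm.xdg.enable = true;
+environment = {
+sessionVariables = {
+XDG_CACHE_HOME = "$HOME/.cache";
+XDG_CONFIG_HOME = "$HOME/.config";
+XDG_DATA_HOME = "$HOME/.local/share";
+XDG_BIN_HOME = "$HOME/.local/bin";
+};
+variables = {
+__GL_SHADER_DISK_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+ASPELL_CONF = ''
+per-conf $XDG_CONFIG_HOME/aspell/aspell.conf;
+personal $XDG_CONFIG_HOME/aspell/en_US.pws;
+repl $XDG_CONFIG_HOME/aspell/en.prepl;
+'';
+CUDA_CACHE_PATH = "$XDG_CACHE_HOME/nv";
+HISTFILE = "$XDG_DATA_HOME/bash/history";
+INPUTRC = "$XDG_CONFIG_HOME/readline/inputrc";
+LESSHISTFILE = "$XDG_CACHE_HOME/lesshst";
+WGETRC = "$XDG_CONFIG_HOME/wgetrc";
+};
+extraInit = ''
+export XAUTHORITY=/tmp/Xauthority
+[ -e ~/.Xauthority ] && mv -f ~/.Xauthority "$XAUTHORITY"
+'';
+};
+}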
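Review bot: `export XAUTHORITY=/tmp/Xauthority` followed by `mv -f ~/.Xauthority "$XAUTHORITY"` (L380-381) moves the X server's MIT-MAGIC-COOKIE from a per-user file under `$HOME` to a fixed, predictable name in the shared `/tmp`, so any other local user can pre-create that path and, at minimum, make the move fail and leave the session unable to authenticate to X; two users on the same host also collide on the same file. Use the per-user runtime directory instead: `export XAUTHORITY="$XDG_RUNTIME_DIR/Xauthority"`, which is mode 0700 and removed at logout. The filename `modules/xgd.nix` also looks like a transposition of `xdg`; if modules are discovered by file name this would not match the `modules.develop.xdg` reference elsewhere in the commit, though that depends on the module loader, which is not shown here.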