[Init]

2023-04-12 20:32:07 +02:00
parent 10fbbc2654
commit ff4fe6e3a8
85 changed files with 5126 additions and 4 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,11 @@
+{
+  ...
+}: {
+  imports = [
+    ./secret.nix
+    ./security.nix
+    ./udevd.nix
+    ./networking.nix
+    ./fonts.nix
+  ];
+}
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@@ -0,0 +1,29 @@
+{
+  pkgs,
+  ...
+}: {
+  
+  fonts = {
+    enableDefaultFonts = false;
+    fontDir.enable = true;
+    fonts = with pkgs; [
+      ibm-plex
+      openmoji-color
+      material-design-icons
+    ];
+
+    fontconfig = {
+      enable = true;
+      allowBitmaps = true;
+      defaultFonts = {
+        monospace = [ "IBM Plex Mono" "Openmoji Color" "Material Design Icons" ];
+        serif = [ "IBM Plex Sans" "Openmoji Color" "Material Design Icons" ];
+        sansSerif = [ "IBM Plex Sans" "Openmoji Color" "Material Design Icons" ];
+        emoji = [ "Openmoji Color" ];
+      };
+      
+      hinting.style = "hintfull";
+    
+    };
+  };
+}
--- a/modules/greetd.nix
+++ b/modules/greetd.nix
@@ -0,0 +1,16 @@
+{
+  ...
+}: {
+  services.greetd = {
+    enable = true;
+    settings = rec {
+      initial_session = {
+        command = "zsh";
+        user = "sora";
+      };
+      default_session = initial_session;
+    };
+  };
+}
+
+
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -0,0 +1,45 @@
+{
+  config,
+  ...
+}:
+{
+  networking = {
+
+    hostName = config.hostcfg.hostname;
+    useDHCP = true;
+    supplicant = {
+      "${config.hostcfg.wlp_if}" = {
+        configFile.path = config.sops.secrets.wifi.path;
+        extraConf = ''
+          network={
+            ssid="test"
+            psk="12345678"
+          }
+        '';
+      };
+    };
+
+    firewall = {
+      enable = true;
+    };
+
+    wireguard = {
+      enable = true;
+      interfaces = {
+        wg0 = {
+          ips = [ config.hostcfg.wg_ip4 config.hostcfg.wg_ip6 ];
+          privateKeyFile = config.hostcfg.wg_pk;
+          listenPort = 1515;
+          peers = [{
+            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+            endpoint = "vpn.helcel.net:1515";
+            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+            persistentKeepalive = 25;
+          }];
+        };
+      };
+    };
+
+  };
+
+}
--- a/modules/secret.nix
+++ b/modules/secret.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  ...
+}:{
+  sops.defaultSopsFile = ../secrets/common.yaml;
+  sops.age.keyFile = "/var/lib/sops-nix/age-key.txt"; #opt/nixflake/secrets/age-key.txt;
+  sops.age.generateKey = true;
+
+  sops.secrets.wifi = {};
+  
+  sops.secrets."${config.hostcfg.hostname}_ssh_priv" = {
+    mode = "0440";
+    owner = config.users.users.sora.name;
+    group = config.users.users.sora.group;
+  };
+  sops.secrets."${config.hostcfg.hostname}_ssh_pub" = {
+    mode = "0440";
+    owner = config.users.users.sora.name;
+    group = config.users.users.sora.group;
+  };
+  sops.secrets."${config.hostcfg.hostname}_wg_priv" = {};
+  sops.secrets."${config.hostcfg.hostname}_wg_pub" = {};
+
+}
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -0,0 +1,51 @@
+# security tweaks borrowed from @hlissner
+{
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're on a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+  boot.kernelModules = ["tcp_bbr"];
+
+  # So we don't have to do this later...
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "soraefir+git@pm.me";
+  };
+}
+
--- a/modules/udevd.nix
+++ b/modules/udevd.nix
@@ -0,0 +1,5 @@
+{
+  ...
+}: {
+  systemd.services.systemd-udevd.restartIfChanged = false;
+}