From a58a31b91affb4487f9b57e394154cd538a1749a Mon Sep 17 00:00:00 2001 From: "Casper V. Kristensen" Date: Tue, 5 Mar 2024 22:17:26 +0100 Subject: [PATCH] srvos --- README.md | 3 ++ modules/base/default.nix | 5 ++- modules/base/hardware.nix | 4 ++ modules/base/impermanence.nix | 6 +-- modules/base/locale.nix | 23 ++++++++++ modules/base/network.nix | 2 + modules/base/{system.nix => nix.nix} | 67 +++------------------------- modules/base/packages.nix | 35 +++++++++++++++ modules/base/ssh.nix | 2 + modules/base/sudo.nix | 15 +++++++ modules/desktop/pipewire.nix | 2 +- 11 files changed, 98 insertions(+), 66 deletions(-) create mode 100644 modules/base/hardware.nix create mode 100644 modules/base/locale.nix rename modules/base/{system.nix => nix.nix} (59%) create mode 100644 modules/base/packages.nix create mode 100644 modules/base/sudo.nix diff --git a/README.md b/README.md index bdf8428..0f1ab51 100644 --- a/README.md +++ b/README.md @@ -137,3 +137,6 @@ nix repl :p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version ``` + +## References + - https://github.com/nix-community/srvos/tree/29a48ae201fbd69b6b71acdae5e19fa2ceaa8181 diff --git a/modules/base/default.nix b/modules/base/default.nix index 43cc93a..7a9c7ef 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -4,12 +4,15 @@ ./docker.nix ./fish.nix ./git.nix + ./hardware.nix ./home-manager.nix ./impermanence.nix + ./locale.nix ./network.nix + ./nix.nix + ./packages.nix ./ripgrep.nix ./ssh.nix - ./system.nix ./users.nix ./vim ]; diff --git a/modules/base/hardware.nix b/modules/base/hardware.nix new file mode 100644 index 0000000..08fcd16 --- /dev/null +++ b/modules/base/hardware.nix @@ -0,0 +1,4 @@ +{ ... }: { + # Enable all firmware with a license allowing redistribution + hardware.enableRedistributableFirmware = true; +} diff --git a/modules/base/impermanence.nix b/modules/base/impermanence.nix index 48bf5ff..48ff313 100644 --- a/modules/base/impermanence.nix 
+++ b/modules/base/impermanence.nix @@ -29,9 +29,7 @@ directories = [ # See comment above for /tmp { directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; } - # With great power comes great responsibility, we get it - { directory = "/var/db/sudo/lectured"; user = "root"; group = "root"; mode = "0700"; } - # Save the last run time of persistent timers so systemd knows if they was missed + # Save the last run time of persistent timers so systemd knows if they were missed { directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; } { directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; } ]; @@ -40,7 +38,7 @@ ]; users.caspervk = { directories = [ - "/" # entire home directory (TODO) + "/" # entire home directory (TODO?) ]; }; }; diff --git a/modules/base/locale.nix b/modules/base/locale.nix new file mode 100644 index 0000000..b2e568d --- /dev/null +++ b/modules/base/locale.nix @@ -0,0 +1,23 @@ +{ lib, ... }: { + i18n = { + defaultLocale = "en_DK.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "en_DK.UTF-8"; + LC_IDENTIFICATION = "en_DK.UTF-8"; + LC_MEASUREMENT = "en_DK.UTF-8"; + LC_MONETARY = "en_DK.UTF-8"; + LC_NAME = "en_DK.UTF-8"; + LC_NUMERIC = "en_DK.UTF-8"; + LC_PAPER = "en_DK.UTF-8"; + LC_TELEPHONE = "en_DK.UTF-8"; + LC_TIME = "en_DK.UTF-8"; + }; + supportedLocales = lib.mkOptionDefault [ + "da_DK.UTF-8/UTF-8" + ]; + }; + + time = { + timeZone = "Europe/Copenhagen"; + }; +} diff --git a/modules/base/network.nix b/modules/base/network.nix index 13dac28..012bdd8 100644 --- a/modules/base/network.nix +++ b/modules/base/network.nix @@ -7,6 +7,8 @@ # Allow some ports for ad-hoc use allowedTCPPorts = [ 1234 1337 8000 8080 ]; allowedUDPPorts = [ 1234 1337 8000 8080 ]; + # Do not spam dmesg/journalctl with refused connections + logRefusedConnections = false; }; nameservers = [ "127.0.0.53" ]; # resolved stub resolver search = [ "caspervk.net" ]; 
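Review bot: `logRefusedConnections = false` in the network.nix hunk silences the kernel log of refused inbound TCP connections, which is the only local record this firewall leaves of port scans or unexpected inbound traffic, and the module lives under modules/base so it presumably applies to server hosts as well as desktops. The same block already opens 1234/1337/8000/8080 for ad-hoc use, so losing visibility of what else is being probed is a real detection trade-off rather than just less noise. If log volume is the concern, consider leaving the option at its default in the base module and overriding it only for desktop profiles, or at minimum make the comment state what is given up: `# Do not log refused connections: quieter dmesg/journal, but no local record of inbound scans`.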
diff --git a/modules/base/system.nix b/modules/base/nix.nix similarity index 59% rename from modules/base/system.nix rename to modules/base/nix.nix index ddd0f08..7ba6a8e 100644 --- a/modules/base/system.nix +++ b/modules/base/nix.nix @@ -1,4 +1,4 @@ -{ config, nix-index-database, nixpkgs-unstable, nixpkgs, lib, pkgs, ... }: { +{ nix-index-database, nixpkgs-unstable, nixpkgs, ... }: { imports = [ nix-index-database.nixosModules.nix-index ]; @@ -13,13 +13,19 @@ dates = "weekly"; options = "--delete-older-than 7d"; }; + settings = { # Automatically optimise the store after each build. Store optimisation # reduces nix store space by 25-35% by finding identical files and # hard-linking them to each other. # https://nixos.org/manual/nix/unstable/command-ref/nix-store/optimise.html auto-optimise-store = true; + + # Enable flakes experimental-features = [ "nix-command" "flakes" ]; + + # Timeout connections to the binary cache instead of waiting forever + connect-timeout = 5; }; # The nix registry is used to refer to flakes using symbolic identifiers 
@@ -35,66 +41,7 @@ }; }; - # Enable all firmware with a license allowing redistribution - hardware.enableRedistributableFirmware = true; - - environment.systemPackages = with pkgs; [ - bat - black - clang - curl - dig - fd - file - fzf - gcc - git - gnumake - htop - inetutils - jq - magic-wormhole - ntp - progress - pwgen - python310 - python311 - python312 - rsync - sqlite - tmux - traceroute - tree - unzip - wget - wireguard-tools - xkcdpass - yq - ]; - # https://github.com/nix-community/comma programs.nix-index-database.comma.enable = true; programs.command-not-found.enable = false; - - i18n = { - defaultLocale = "en_DK.UTF-8"; - extraLocaleSettings = { - LC_ADDRESS = "en_DK.UTF-8"; - LC_IDENTIFICATION = "en_DK.UTF-8"; - LC_MEASUREMENT = "en_DK.UTF-8"; - LC_MONETARY = "en_DK.UTF-8"; - LC_NAME = "en_DK.UTF-8"; - LC_NUMERIC = "en_DK.UTF-8"; - LC_PAPER = "en_DK.UTF-8"; - LC_TELEPHONE = "en_DK.UTF-8"; - LC_TIME = "en_DK.UTF-8"; - }; - supportedLocales = lib.mkOptionDefault [ - "da_DK.UTF-8/UTF-8" - ]; - }; - - time = { - timeZone = "Europe/Copenhagen"; - }; } diff --git a/modules/base/packages.nix b/modules/base/packages.nix new file mode 100644 index 0000000..18b411d --- /dev/null +++ b/modules/base/packages.nix @@ -0,0 +1,35 @@ +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ + bat + black + clang + curl + dig + fd + file + fzf + gcc + git + gnumake + htop + inetutils + jq + magic-wormhole + ntp + progress + pwgen + python310 + python311 + python312 + rsync + sqlite + tmux + traceroute + tree + unzip + wget + wireguard-tools + xkcdpass + yq + ]; +} diff --git a/modules/base/ssh.nix b/modules/base/ssh.nix index dd1f6f5..8ce1517 100644 --- a/modules/base/ssh.nix +++ b/modules/base/ssh.nix @@ -2,7 +2,9 @@ services.openssh = { enable = true; settings = { + KbdInteractiveAuthentication = false; PasswordAuthentication = false; + PermitRootLogin = "no"; }; }; 
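Review bot: The two new sshd settings in the ssh.nix hunk carry no comment explaining the intent, and together with the existing `PasswordAuthentication = false` they leave public-key authentication as the only usable method, which is worth stating because turning `KbdInteractiveAuthentication` back on later for PAM-based 2FA would also reopen PAM password prompts. `PermitRootLogin = "no"` tightens the NixOS default (which, as far as I recall, is `prohibit-password`), so root access now depends on a wheel user and sudo; a reader should not have to infer that. A header comment such as `# Key-only sshd: no passwords, no keyboard-interactive (PAM), and root must log in as a user and sudo` above `settings = {` would capture both points. The remainder of the openssh block closes inside the hunk, so nothing else appears to be affected.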
diff --git a/modules/base/sudo.nix b/modules/base/sudo.nix
new file mode 100644
index 0000000..6e8a796
--- /dev/null
+++ b/modules/base/sudo.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+  security.sudo = {
+    # Only allow members of the wheel group to execute sudo by setting the
+    # executable’s permissions accordingly. This prevents users that are not
+    # members of wheel from exploiting vulnerabilities in sudo such as
+    # CVE-2021-3156.
+    security.sudo.execWheelOnly = true;
+
+    # With great power comes great responsibility, we get it.. Also means we
+    # don't have state in /var/db/sudo/lectured.
+    security.sudo.extraConfig = ''
+      Defaults lecture = never
+    '';
+  };
+}
diff --git a/modules/desktop/pipewire.nix b/modules/desktop/pipewire.nix
index d4cdb68..d7d6b05 100644
--- a/modules/desktop/pipewire.nix
+++ b/modules/desktop/pipewire.nix
@@ -1,4 +1,4 @@
-{ home-manager, lib, pkgs, ... }: {
+{ ... }: {
   # PipeWire is a new low-level multimedia framework. It aims to offer capture
   # and playback for both audio and video with minimal latency and support for
   # PulseAudio-, JACK-, ALSA- and GStreamer-based applications.
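Review bot: Both option assignments inside the `security.sudo = { ... }` attribute set in sudo.nix repeat the `security.sudo.` prefix, so they define `security.sudo.security.sudo.execWheelOnly` and `security.sudo.security.sudo.extraConfig`, which are not options the NixOS sudo module declares; evaluation should fail on an undeclared option, and if it somehow did not, neither the wheel-only restriction nor `lecture = never` would be applied. The impermanence.nix hunk in this same commit already stops persisting `/var/db/sudo/lectured` on the assumption that the lecture is disabled, so the two changes need this file to actually take effect. Inside the set the lines should simply read `execWheelOnly = true;` and `extraConfig = ''`. The CVE-2021-3156 rationale in the comment is fine as a justification for `execWheelOnly`, though it is worth remembering the option only limits who can execute the setuid binary and does not reduce the need to keep sudo patched.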