motiejus/config
1
Fork 0
Code Packages Releases Activity

statix

Browse Source
This commit is contained in:
Motiejus Jakštys
2023-11-27 18:17:27 +02:00
parent 896c5086d0
commit 8e78a31f20
9 changed files with 532 additions and 666 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
modules/profiles/desktop/default.nix
View File

@@ -8,8 +8,10 @@
services.blueman.enable = true;
services.udev.packages = [pkgs.yubikey-personalization];
programs.firefox.enable = true;
programs.wireshark.enable = true;
programs = {
firefox.enable = true;
wireshark.enable = true;
};
mj.base.users.passwd.motiejus.extraGroups = ["adbusers" "networkmanager" "wireshark"];
@@ -191,28 +193,30 @@
};
};
services.cbatticon.enable = true;
services.blueman-applet.enable = true;
services = {
cbatticon.enable = true;
blueman-applet.enable = true;
services.syncthing.tray = {
enable = true;
#extraOptions = ["--wait"];
};
syncthing.tray = {
enable = true;
#extraOptions = ["--wait"];
};
services.pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
};
pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
};
services.gpg-agent = {
enable = true;
enableSshSupport = true;
};
gpg-agent = {
enable = true;
enableSshSupport = true;
};
services.screen-locker = {
enable = true;
xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
screen-locker = {
enable = true;
xautolock.enable = false;
lockCmd = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/sleep 0.2; ${pkgs.xorg.xset}/bin/xset dpms force off; /run/wrappers/bin/slock"'';
};
};
# https://github.com/nix-community/home-manager/issues/2064

106
modules/services/jakstpub/default.nix
View File

@@ -16,60 +16,62 @@ in {
};
config = lib.mkIf cfg.enable {
services.caddy = {
enable = true;
virtualHosts.":80".extraConfig = with myData.subnets; ''
root * ${cfg.dataDir}
@denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}
file_server browse {
hide .stfolder
}
encode gzip
'';
};
services.samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
services = {
caddy = {
enable = true;
virtualHosts.":80".extraConfig = with myData.subnets; ''
root * ${cfg.dataDir}
@denied not remote_ip ${vno1.cidr} ${vno3.cidr} ${tailscale.cidr}
file_server browse {
hide .stfolder
}
encode gzip
'';
};
};
services.samba-wsdd = {
enable = true;
inherit (cfg) hostname;
samba = {
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
enable = true;
securityType = "user";
enableNmbd = false;
enableWinbindd = false;
extraConfig = ''
map to guest = Bad User
guest account = jakstpub
server role = standalone server
'';
shares = let
defaults = {
"public" = "yes";
"mangled names" = "no";
"guest ok" = "yes";
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
};
};
};
samba-wsdd = {
enable = true;
inherit (cfg) hostname;
};
};
users.users.jakstpub = {

206
modules/services/nsd-acme/default.nix
View File

@@ -92,112 +92,114 @@ in {
zonefile: "/var/lib/nsd/acmezones/%s.zone"
'';
systemd.tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd = {
tmpfiles.rules = ["d /var/lib/nsd/acmezones 0755 nsd nsd -"];
systemd.services =
{
nsd-control-setup = {
requiredBy = ["nsd.service"];
before = ["nsd.service"];
unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl;
in [
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
Type = "oneshot";
UMask = 0077;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
services =
{
nsd-control-setup = {
requiredBy = ["nsd.service"];
before = ["nsd.service"];
unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl;
in [
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
ExecStart = let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
ReadWritePaths = ["/var/lib/nsd/acmezones"];
SuccessExitStatus = [0 1];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
Type = "oneshot";
UMask = 0077;
};
}
)
cfg.zones;
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [pkgs.openssl];
};
}
// lib.mapAttrs'
(
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart = let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
systemd.timers =
lib.mapAttrs'
(
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 01:30";
};
after = ["network-online.target"];
}
)
cfg.zones;
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
ReadWritePaths = ["/var/lib/nsd/acmezones"];
SuccessExitStatus = [0 1];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
)
cfg.zones;
timers =
lib.mapAttrs'
(
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 01:30";
};
after = ["network-online.target"];
}
)
cfg.zones;
};
mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable

2
modules/services/syncthing/default.nix
View File

@@ -121,7 +121,6 @@ in {
in "${jakstIP}:${guiPortStr}";
extraOptions.gui.insecureAdminAccess = true;
devices =
{}
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
@@ -149,7 +148,6 @@ in {
;
})
// {};
folders = with folders;
{}
// (