fixup! WIP: Add new configuration for rin

home-config/config/applications/graphical/firefox.nix

@@ -1,4 +1,5 @@
 {
+  lib,
   config,
   pkgs,
   flake-inputs,
@@ -21,107 +22,116 @@
   settings-file = runCommandNoCC "firefox-settings" {} ''
     cat '${firefox-ui-fix}/user.js' '${settings}' > $out
   '';
-in {
-  xdg.configFile."tridactyl/tridactylrc".text = ''
-    source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings
-    # Remove the update function; Really don't want this since it's nix-packaged
-    comclear emacs-bindings-update
-    # Remove annoying pre-defined "searchurls" - duckduckgo is just better
-    jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve())
-  '';
 
-  home.file.".mozilla/firefox/tlater/chrome/icons" = {
-    source = "${firefox-ui-fix}/icons";
-  };
+  thirdParty = config.programs.firefox.enableThirdPartyRepositories;
+in {
+  options.programs.firefox.enableThirdPartyRepositories = lib.mkEnableOption "third party repositories";
 
-  programs.firefox = {
-    enable = true;
-    package = pkgs.firefox.override {
-      nativeMessagingHosts = [
-        pkgs.tridactyl-native
-      ];
-    };
-    profiles."tlater" = {
-      extensions = with pkgs.nur.repos.rycee.firefox-addons; [
-        aria2-integration
-        buster-captcha-solver
-        clearurls
-        decentraleyes
-        indie-wiki-buddy
-        keepassxc-browser
-        libredirect
-        no-pdf-download
-        react-devtools
-        reduxdevtools
-        tridactyl
-        ublock-origin
+  config = {
+    programs.firefox = {
+      enable = true;
+      package = lib.mkIf thirdParty (pkgs.firefox.override {
+        nativeMessagingHosts = [
+          pkgs.tridactyl-native
+        ];
+      });
+      profiles."tlater" = {
+        extensions = with pkgs.nur.repos.rycee.firefox-addons;
+          lib.mkIf thirdParty [
+            aria2-integration
+            buster-captcha-solver
+            clearurls
+            decentraleyes
+            indie-wiki-buddy
+            keepassxc-browser
+            libredirect
+            no-pdf-download
+            react-devtools
+            reduxdevtools
+            tridactyl
+            ublock-origin
 
-        # # Missing:
-        # cloudhole
-        # devtools-adb-extension
-        # firefox-sticky-window-containers
-        # warframe-reliquary-prime
-      ];
+            # # Missing:
+            # cloudhole
+            # devtools-adb-extension
+            # firefox-sticky-window-containers
+            # warframe-reliquary-prime
+          ];
 
-      userChrome =
-        builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css";
-      userContent =
-        builtins.readFile "${firefox-ui-fix}/css/leptonContent.css";
-      settings = {
-        # Re-bind ctrl to super (would interfere with tridactyl otherwise)
-        "ui.key.accelKey" = 91;
+        userChrome =
+          lib.mkIf thirdParty
+          (builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css");
+        userContent =
+          lib.mkIf thirdParty
+          (builtins.readFile "${firefox-ui-fix}/css/leptonContent.css");
+        settings = {
+          # Re-bind ctrl to super (would interfere with tridactyl otherwise)
+          "ui.key.accelKey" = 91;
 
-        # Keep the reader button enabled at all times; really don't
-        # care if it doesn't work 20% of the time, most websites are
-        # crap and unreadable without this
-        "reader.parse-on-load.force-enabled" = true;
+          # Keep the reader button enabled at all times; really don't
+          # care if it doesn't work 20% of the time, most websites are
+          # crap and unreadable without this
+          "reader.parse-on-load.force-enabled" = true;
 
-        # Hide the "sharing indicator", it's especially annoying
-        # with tiling WMs on wayland
-        "privacy.webrtc.legacyGlobalIndicator" = false;
+          # Hide the "sharing indicator", it's especially annoying
+          # with tiling WMs on wayland
+          "privacy.webrtc.legacyGlobalIndicator" = false;
 
-        # Actual settings
-        "app.shield.optoutstudies.enabled" = false;
-        "app.update.auto" = false;
-        "browser.bookmarks.restore_default_bookmarks" = false;
-        "browser.contentblocking.category" = "strict";
-        "browser.ctrlTab.recentlyUsedOrder" = false;
-        "browser.discovery.enabled" = false;
-        "browser.laterrun.enabled" = false;
-        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" =
-          false;
-        "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" =
-          false;
-        "browser.newtabpage.activity-stream.feeds.snippets" = false;
-        "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = "";
-        "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = "";
-        "browser.newtabpage.activity-stream.section.highlights.includePocket" =
-          false;
-        "browser.newtabpage.activity-stream.showSponsored" = false;
-        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
-        "browser.newtabpage.pinned" = false;
-        "browser.protections_panel.infoMessage.seen" = true;
-        "browser.quitShortcut.disabled" = true;
-        "browser.shell.checkDefaultBrowser" = false;
-        "browser.ssb.enabled" = true;
-        "browser.toolbars.bookmarks.visibility" = "never";
-        "browser.urlbar.placeholderName" = "DuckDuckGo";
-        "browser.urlbar.suggest.openpage" = false;
-        "datareporting.policy.dataSubmissionEnable" = false;
-        "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2;
-        "dom.security.https_only_mode" = true;
-        "dom.security.https_only_mode_ever_enabled" = true;
-        "extensions.getAddons.showPane" = false;
-        "extensions.htmlaboutaddons.recommendations.enabled" = false;
-        "extensions.pocket.enabled" = false;
-        "identity.fxaccounts.enabled" = false;
-        "privacy.trackingprotection.enabled" = true;
-        "privacy.trackingprotection.socialtracking.enabled" = true;
+          # Actual settings
+          "app.shield.optoutstudies.enabled" = false;
+          "app.update.auto" = false;
+          "browser.bookmarks.restore_default_bookmarks" = false;
+          "browser.contentblocking.category" = "strict";
+          "browser.ctrlTab.recentlyUsedOrder" = false;
+          "browser.discovery.enabled" = false;
+          "browser.laterrun.enabled" = false;
+          "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" =
+            false;
+          "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" =
+            false;
+          "browser.newtabpage.activity-stream.feeds.snippets" = false;
+          "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = "";
+          "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = "";
+          "browser.newtabpage.activity-stream.section.highlights.includePocket" =
+            false;
+          "browser.newtabpage.activity-stream.showSponsored" = false;
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+          "browser.newtabpage.pinned" = false;
+          "browser.protections_panel.infoMessage.seen" = true;
+          "browser.quitShortcut.disabled" = true;
+          "browser.shell.checkDefaultBrowser" = false;
+          "browser.ssb.enabled" = true;
+          "browser.toolbars.bookmarks.visibility" = "never";
+          "browser.urlbar.placeholderName" = "DuckDuckGo";
+          "browser.urlbar.suggest.openpage" = false;
+          "datareporting.policy.dataSubmissionEnable" = false;
+          "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2;
+          "dom.security.https_only_mode" = true;
+          "dom.security.https_only_mode_ever_enabled" = true;
+          "extensions.getAddons.showPane" = false;
+          "extensions.htmlaboutaddons.recommendations.enabled" = false;
+          "extensions.pocket.enabled" = false;
+          "identity.fxaccounts.enabled" = false;
+          "privacy.trackingprotection.enabled" = true;
+          "privacy.trackingprotection.socialtracking.enabled" = true;
+        };
       };
     };
-  };
 
-  home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = {
-    source = settings-file;
+    home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" =
+      lib.mkIf thirdParty
+      {source = settings-file;};
+
+    xdg.configFile."tridactyl/tridactylrc" = lib.mkIf thirdParty {
+      text = ''
+        source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings
+        # Remove the update function; Really don't want this since it's nix-packaged
+        comclear emacs-bindings-update
+        # Remove annoying pre-defined "searchurls" - duckduckgo is just better
+        jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve())
+      '';
+    };
+
+    home.file.".mozilla/firefox/tlater/chrome/icons" = lib.mkIf thirdParty {source = "${firefox-ui-fix}/icons";};
   };
 }

home-config/config/shell/default.nix

@@ -15,6 +15,7 @@
     fd
     ouch
     ripgrep
+    screen
   ];
 
   programs.ssh.enable = true;

home-config/config/work/famedly.nix

@@ -1,4 +1,8 @@
-{lib, flake-inputs, ...}: {
+{
+  lib,
+  flake-inputs,
+  ...
+}: {
   programs.git = {
     userEmail = "t.maat@famedly.com";
 
@@ -20,9 +24,14 @@
     };
   };
 
-  programs.firefox.webapps = {
-    discord.enable = lib.mkForce false;
-    whatsapp.enable = lib.mkForce false;
-    element.enable = lib.mkForce false;
+  programs.firefox = {
+    enableThirdPartyRepositories = false;
+
+    # Disable the webapps that shouldn't be on a work computer
+    webapps = {
+      discord.enable = lib.mkForce false;
+      whatsapp.enable = lib.mkForce false;
+      element.enable = lib.mkForce false;
+    };
   };
 }

home-config/hosts/rin/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ../../config
+    ../../config/applications/graphical
     ../../config/applications/tty
     ../../config/desktop
     ../../config/services

keys/famedly-tlater.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtWLp6Hoqr3izbm+J7PUOLLI+6xoZ05T/7jMJITjrQH openpgp:0x4991CF06

nixos-config/default.nix

@@ -47,7 +47,7 @@
 
   sops = {
     gnupg = {
-      home = "/var/lib/sops";
+      # home = "/var/lib/sops";
       sshKeyPaths = [];
     };
 

nixos-config/hosts/rin/hardware-policy.nix

@@ -5,6 +5,8 @@
   ...
 }: {
   services.osquery = {
+    enable = true;
+
     flags = {
       tls_hostname = "fleet.famedly.de";
 
@@ -36,20 +38,36 @@
       carver_start_endpoint = "/api/v1/osquery/carve/begin";
       carver_continue_endpoint = "/api/v1/osquery/carve/block";
       carver_block_size = "2000000";
+
+      # Fix non-fhs paths
+      tls_server_certs = "${pkgs.osquery}/share/osquery/certs/certs.pem";
     };
   };
 
-  systemd.packages = [flake-inputs.self.packages.${pkgs.system}.drivestrike];
-  systemd.services.drivestrike.wantedBy = ["multi-user.target"];
+  systemd.services.drivestrike = {
+    serviceConfig = {
+      ExecStart = "${flake-inputs.self.packages.${pkgs.system}.drivestrike}/bin/drivestrike run";
+      SyslogIdentifier = "drivestrike";
+    };
+
+    after = ["network.target" "drivestrike-lock.service"];
+    wantedBy = ["multi-user.target"];
+  };
 
   services.clamav = {
     updater.enable = true;
     daemon.enable = true;
   };
 
-  # NixOS enables an incoming-only firewall by default anyway, but
+  # NixOS enables an outgoing-only firewall by default anyway, but
   # this ensures it stays enabled even if an update turned it off or
   # something.
-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    # Probably just don't allow pings either
+    allowPing = false;
+  };
   # Don't use nftables to prevent issues with docker.
+
+  sops.secrets."osquery/enroll" = {};
 }