diff --git a/home-config/config/applications/graphical/firefox.nix b/home-config/config/applications/graphical/firefox.nix
index 4652245b..65b23cae 100644
--- a/home-config/config/applications/graphical/firefox.nix
+++ b/home-config/config/applications/graphical/firefox.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 config,
 pkgs,
 flake-inputs,
@@ -21,107 +22,116 @@ settings-file = runCommandNoCC "firefox-settings" {} '' cat '${firefox-ui-fix}/user.js' '${settings}' > $out ''; -in { - xdg.configFile."tridactyl/tridactylrc".text = '' - source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings - # Remove the update function; Really don't want this since it's nix-packaged - comclear emacs-bindings-update - # Remove annoying pre-defined "searchurls" - duckduckgo is just better - jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) - ''; - home.file.".mozilla/firefox/tlater/chrome/icons" = { - source = "${firefox-ui-fix}/icons"; - }; + thirdParty = config.programs.firefox.enableThirdPartyRepositories; +in { + options.programs.firefox.enableThirdPartyRepositories = lib.mkEnableOption "third party repositories"; - programs.firefox = { - enable = true; - package = pkgs.firefox.override { - nativeMessagingHosts = [ - pkgs.tridactyl-native - ]; - }; - profiles."tlater" = { - extensions = with pkgs.nur.repos.rycee.firefox-addons; [ - aria2-integration - buster-captcha-solver - clearurls - decentraleyes - indie-wiki-buddy - keepassxc-browser - libredirect - no-pdf-download - react-devtools - reduxdevtools - tridactyl - ublock-origin + config = { + programs.firefox = { + enable = true; + package = lib.mkIf thirdParty (pkgs.firefox.override { + nativeMessagingHosts = [ + pkgs.tridactyl-native + ]; + }); + profiles."tlater" = { + extensions = with pkgs.nur.repos.rycee.firefox-addons; + lib.mkIf thirdParty [ + aria2-integration + buster-captcha-solver + clearurls + decentraleyes + indie-wiki-buddy + keepassxc-browser + libredirect + no-pdf-download + react-devtools + reduxdevtools + tridactyl + ublock-origin - # # Missing: - # cloudhole - # devtools-adb-extension - # firefox-sticky-window-containers - # warframe-reliquary-prime - ]; + # # Missing: + # cloudhole + # devtools-adb-extension + # firefox-sticky-window-containers + 
# warframe-reliquary-prime + ]; - userChrome = - builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"; - userContent = - builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"; - settings = { - # Re-bind ctrl to super (would interfere with tridactyl otherwise) - "ui.key.accelKey" = 91; + userChrome = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"); + userContent = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"); + settings = { + # Re-bind ctrl to super (would interfere with tridactyl otherwise) + "ui.key.accelKey" = 91; - # Keep the reader button enabled at all times; really don't - # care if it doesn't work 20% of the time, most websites are - # crap and unreadable without this - "reader.parse-on-load.force-enabled" = true; + # Keep the reader button enabled at all times; really don't + # care if it doesn't work 20% of the time, most websites are + # crap and unreadable without this + "reader.parse-on-load.force-enabled" = true; - # Hide the "sharing indicator", it's especially annoying - # with tiling WMs on wayland - "privacy.webrtc.legacyGlobalIndicator" = false; + # Hide the "sharing indicator", it's especially annoying + # with tiling WMs on wayland + "privacy.webrtc.legacyGlobalIndicator" = false; - # Actual settings - "app.shield.optoutstudies.enabled" = false; - "app.update.auto" = false; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.contentblocking.category" = "strict"; - "browser.ctrlTab.recentlyUsedOrder" = false; - "browser.discovery.enabled" = false; - "browser.laterrun.enabled" = false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = - false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = - false; - "browser.newtabpage.activity-stream.feeds.snippets" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; - 
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; - "browser.newtabpage.activity-stream.section.highlights.includePocket" = - false; - "browser.newtabpage.activity-stream.showSponsored" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.pinned" = false; - "browser.protections_panel.infoMessage.seen" = true; - "browser.quitShortcut.disabled" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.ssb.enabled" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.urlbar.placeholderName" = "DuckDuckGo"; - "browser.urlbar.suggest.openpage" = false; - "datareporting.policy.dataSubmissionEnable" = false; - "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; - "dom.security.https_only_mode" = true; - "dom.security.https_only_mode_ever_enabled" = true; - "extensions.getAddons.showPane" = false; - "extensions.htmlaboutaddons.recommendations.enabled" = false; - "extensions.pocket.enabled" = false; - "identity.fxaccounts.enabled" = false; - "privacy.trackingprotection.enabled" = true; - "privacy.trackingprotection.socialtracking.enabled" = true; + # Actual settings + "app.shield.optoutstudies.enabled" = false; + "app.update.auto" = false; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.contentblocking.category" = "strict"; + "browser.ctrlTab.recentlyUsedOrder" = false; + "browser.discovery.enabled" = false; + "browser.laterrun.enabled" = false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = + false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = + false; + "browser.newtabpage.activity-stream.feeds.snippets" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; + "browser.newtabpage.activity-stream.section.highlights.includePocket" = + 
false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.pinned" = false; + "browser.protections_panel.infoMessage.seen" = true; + "browser.quitShortcut.disabled" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.ssb.enabled" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.urlbar.placeholderName" = "DuckDuckGo"; + "browser.urlbar.suggest.openpage" = false; + "datareporting.policy.dataSubmissionEnable" = false; + "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; + "dom.security.https_only_mode" = true; + "dom.security.https_only_mode_ever_enabled" = true; + "extensions.getAddons.showPane" = false; + "extensions.htmlaboutaddons.recommendations.enabled" = false; + "extensions.pocket.enabled" = false; + "identity.fxaccounts.enabled" = false; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + }; }; }; - }; - home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = { - source = settings-file; + home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = + lib.mkIf thirdParty + {source = settings-file;}; + + xdg.configFile."tridactyl/tridactylrc" = lib.mkIf thirdParty { + text = '' + source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings + # Remove the update function; Really don't want this since it's nix-packaged + comclear emacs-bindings-update + # Remove annoying pre-defined "searchurls" - duckduckgo is just better + jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) + ''; + }; + + home.file.".mozilla/firefox/tlater/chrome/icons" = lib.mkIf thirdParty {source = "${firefox-ui-fix}/icons";}; }; } 
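Review bot: `lib.mkEnableOption "third party repositories"` defaults to false, so every host that imports this module now silently loses the NUR extensions (ublock-origin included), the firefox-ui-fix chrome/content CSS, the generated user.js and the tridactylrc unless it explicitly opts in, and nothing in this diff sets the option to true (famedly.nix only sets it to false) — confirm the intended hosts enable it. The auto-generated description "Whether to enable third party repositories." also does not tell a reader what the switch gates; since mkEnableOption prepends "Whether to enable ", something like `lib.mkEnableOption "pulling Firefox addons and UI tweaks from non-nixpkgs sources (NUR, firefox-ui-fix, tlaterpkgs)"` would document the actual effect. The enclosing let-binding (`settings-file`, `thirdParty`) and the module function header start outside the hunk.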
diff --git a/home-config/config/shell/default.nix b/home-config/config/shell/default.nix
index 44f088ea..991b7dea 100644
--- a/home-config/config/shell/default.nix
+++ b/home-config/config/shell/default.nix
@@ -15,6 +15,7 @@
 fd
 ouch
 ripgrep
+ screen
 ];
 programs.ssh.enable = true;
diff --git a/home-config/config/work/famedly.nix b/home-config/config/work/famedly.nix
index 9ca1730a..8288ba32 100644
--- a/home-config/config/work/famedly.nix
+++ b/home-config/config/work/famedly.nix
@@ -1,4 +1,8 @@
-{lib, flake-inputs, ...}: {
+{
+ lib,
+ flake-inputs,
+ ...
+}: {
 programs.git = {
 userEmail = "t.maat@famedly.com";
@@ -20,9 +24,14 @@
 };
 };
- programs.firefox.webapps = {
- discord.enable = lib.mkForce false;
- whatsapp.enable = lib.mkForce false;
- element.enable = lib.mkForce false;
+ programs.firefox = {
+ enableThirdPartyRepositories = false;
+
+ # Disable the webapps that shouldn't be on a work computer
+ webapps = {
+ discord.enable = lib.mkForce false;
+ whatsapp.enable = lib.mkForce false;
+ element.enable = lib.mkForce false;
+ };
 };
 }
diff --git a/home-config/hosts/rin/default.nix b/home-config/hosts/rin/default.nix
index 50541b63..5230d059 100644
--- a/home-config/hosts/rin/default.nix
+++ b/home-config/hosts/rin/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ../../config
+ ../../config/applications/graphical
 ../../config/applications/tty
 ../../config/desktop
 ../../config/services
diff --git a/keys/famedly-tlater.pub b/keys/famedly-tlater.pub
new file mode 100644
index 00000000..1bff510d
--- /dev/null
+++ b/keys/famedly-tlater.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtWLp6Hoqr3izbm+J7PUOLLI+6xoZ05T/7jMJITjrQH openpgp:0x4991CF06
diff --git a/nixos-config/default.nix b/nixos-config/default.nix
index e247276d..df80ed9e 100644
--- a/nixos-config/default.nix
+++ b/nixos-config/default.nix
@@ -47,7 +47,7 @@
 sops = {
 gnupg = {
- home = "/var/lib/sops";
+ # home = "/var/lib/sops";
 sshKeyPaths = [];
 };
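Review bot: `enableThirdPartyRepositories = false;` in famedly.nix is the option's default value, so the line records policy rather than changing behaviour, yet unlike the neighbouring `webapps` block it carries no rationale. A one-line comment such as `# Work machine: only use Firefox addons and packages that come from nixpkgs` above it would make the intent survive a later reader wondering whether the line can be dropped.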
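Review bot: `# home = "/var/lib/sops";` in nixos-config/default.nix leaves commented-out code with no explanation of which key now decrypts the sops secrets; with `gnupg.home` unset and `sshKeyPaths = []` the module falls back to its own defaults, which this hunk does not make visible. Either delete the line or replace it with a comment naming the intended key source, e.g. `# gnupg home intentionally unset: secrets are decrypted via <key source — fill in>`, so the next person does not re-enable it by guesswork. The enclosing `sops` attribute set continues outside the hunk.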
diff --git a/nixos-config/hosts/rin/hardware-policy.nix b/nixos-config/hosts/rin/hardware-policy.nix
index 2e800a33..32b1a8b6 100644
--- a/nixos-config/hosts/rin/hardware-policy.nix
+++ b/nixos-config/hosts/rin/hardware-policy.nix
@@ -5,6 +5,8 @@
 ...
 }: {
 services.osquery = {
+ enable = true;
+
 flags = {
 tls_hostname = "fleet.famedly.de";
@@ -36,20 +38,36 @@
 carver_start_endpoint = "/api/v1/osquery/carve/begin";
 carver_continue_endpoint = "/api/v1/osquery/carve/block";
 carver_block_size = "2000000";
+
+ # Fix non-fhs paths
+ tls_server_certs = "${pkgs.osquery}/share/osquery/certs/certs.pem";
 };
 };
- systemd.packages = [flake-inputs.self.packages.${pkgs.system}.drivestrike];
- systemd.services.drivestrike.wantedBy = ["multi-user.target"];
+ systemd.services.drivestrike = {
+ serviceConfig = {
+ ExecStart = "${flake-inputs.self.packages.${pkgs.system}.drivestrike}/bin/drivestrike run";
+ SyslogIdentifier = "drivestrike";
+ };
+
+ after = ["network.target" "drivestrike-lock.service"];
+ wantedBy = ["multi-user.target"];
+ };
 services.clamav = {
 updater.enable = true;
 daemon.enable = true;
 };
- # NixOS enables an incoming-only firewall by default anyway, but
+ # NixOS enables an outgoing-only firewall by default anyway, but
 # this ensures it stays enabled even if an update turned it off or
 # something.
- networking.firewall.enable = true;
+ networking.firewall = {
+ enable = true;
+ # Probably just don't allow pings either
+ allowPing = false;
+ };
 # Don't use nftables to prevent issues with docker.
+
+ sops.secrets."osquery/enroll" = {};
 }
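Review bot: `after = ["network.target" "drivestrike-lock.service"]` only orders the unit; without a matching `wants`/`requires` entry `drivestrike-lock.service` is never pulled in, and because `systemd.packages` no longer installs the package's unit files it may not exist on the host at all any more — verify whether that unit still ships and add `wants = ["drivestrike-lock.service"];` if the lock step is required. The hand-written unit also carries none of the `[Service]` settings (Restart, user, sandboxing) the packaged unit presumably declared, which are not visible here. `sops.secrets."osquery/enroll" = {}` declares the secret but nothing in the hunk hands its path to osquery (e.g. `enroll_secret_path = config.sops.secrets."osquery/enroll".path;` under `flags`); if that wiring lives elsewhere, a comment pointing to it would help. Note too that `tls_server_certs` pins the fleet TLS trust to the CA bundle inside `pkgs.osquery`, which ignores `security.pki` changes on the host and only refreshes with the package; `/etc/ssl/certs/ca-certificates.crt` would track the system trust store if the fleet server chains to a CA present there. The enclosing module attribute set starts outside the hunk.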