WIP: Add new configuration for rin

.sops.yaml

@@ -2,10 +2,18 @@ keys:
   - &tlater 535B61015823443941C744DD12264F6BBDFABA89
   - &yui 71132A2D171E79E6A20E81E6C33BC9C8C67C5948
   - &ren 4F82D975EFA78365B552A8B7A0FEFBBAE3259F52
+  - &tlater-famedly E3A01E05CDB7D42E9909 B9394D863FBF16FE6D51
+  - &rin age1qne0ry5pxn4pfqzney9hxy9dedst02qtvfrmnf2p7dhr560mgcusg3tpz6
 
 creation_rules:
   - key_groups:
       - pgp:
           - *tlater
           - *yui
           - *ren
+  - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *tlater-famedly
+        age:
+          - *rin

flake.nix

@@ -78,7 +78,7 @@
         system = "x86_64-linux";
         modules = [
           ./nixos-config
-          ./nixos-config/yui
+          ./nixos-config/hosts/yui
         ];
 
         specialArgs.flake-inputs = inputs;
@@ -88,7 +88,17 @@
         system = "x86_64-linux";
         modules = [
           ./nixos-config
-          ./nixos-config/ren
+          ./nixos-config/hosts/ren
+        ];
+
+        specialArgs.flake-inputs = inputs;
+      };
+
+      rin = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./nixos-config
+          ./nixos-config/hosts/rin
         ];
 
         specialArgs.flake-inputs = inputs;
@@ -132,11 +142,13 @@
     devShells.x86_64-linux.default = let
       inherit (sops-nix.packages.x86_64-linux) sops-init-gpg-key sops-import-keys-hook;
       inherit (self.packages.x86_64-linux) commit-nvfetcher;
+      inherit (nixpkgs.legacyPackages.x86_64-linux) nvchecker;
       home-manager-bin = home-manager.packages.x86_64-linux.default;
     in
       nixpkgs.legacyPackages.x86_64-linux.mkShell {
         packages = [
           nvfetcher.packages.x86_64-linux.default
+          nvchecker
           commit-nvfetcher
           home-manager-bin
           sops-init-gpg-key

home-config/config/work/famedly.nix

@@ -1,16 +1,18 @@
-{
+{lib, flake-inputs, ...}: {
   programs.git = {
     userEmail = "t.maat@famedly.com";
 
     signing = {
-      key = "";
+      key = "0x4D863FBF16FE6D51";
       signByDefault = true;
     };
 
     # For magit
     extraConfig.github.user = "famedly-tlater";
   };
 
+  home.file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub";
+
   programs.ssh.matchBlocks = {
     "*" = {
       identitiesOnly = true;
@@ -19,8 +21,8 @@
   };
 
   programs.firefox.webapps = {
-    discord.enable = false;
-    whatsapp.enable = false;
-    element.enable = false;
+    discord.enable = lib.mkForce false;
+    whatsapp.enable = lib.mkForce false;
+    element.enable = lib.mkForce false;
   };
 }

home-config/hosts/rin/default.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    ../../config
+    ../../config/applications/tty
+    ../../config/desktop
+    ../../config/services
+    ../../config/shell
+    ../../config/xdg-settings.nix
+
+    ../../config/work/famedly.nix
+  ];
+}

nixos-config/default.nix

@@ -11,7 +11,6 @@
 
     ./greeter
     ./sway.nix
-    ./wireguard.nix
     ./yubikey.nix
     ../modules
   ];

nixos-config/ren/default.nix → nixos-config/hosts/ren/default.nix

@@ -6,7 +6,8 @@
     ./hardware-configuration.nix
     ./nixos-hardware-precursor.nix
     ./disko.nix
-    ../networks/personal.nix
+    ../../networks/personal.nix
+    ../../wireguard.nix
   ];
 
   home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/personal-desktop.nix";

nixos-config/hosts/rin/default.nix

@@ -0,0 +1,35 @@
+{lib, flake-inputs, ...}: {
+  imports = [
+    flake-inputs.disko.nixosModules.disko
+
+    ../../networks/personal.nix
+
+    ./hardware-configuration.nix
+    ./disko.nix
+
+    ./hardware-policy.nix
+  ];
+
+  home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/rin";
+
+  sops = {
+    gnupg = lib.mkForce {};
+    age.keyFile = "/var/lib/sops/host.age";
+  };
+
+  networking = {
+    hostName = "rin";
+    hostId = "e6aaf496";
+    wireless.interfaces = ["wlp2s0"];
+  };
+
+  systemd.network = {
+    networks = {
+      "40-wlp2s0" = {
+        matchConfig.Name = "wlp2s0";
+        networkConfig.DHCP = "yes";
+        linkConfig.RequiredForOnline = "yes";
+      };
+    };
+  };
+}

nixos-config/hosts/rin/disko.nix

@@ -0,0 +1,69 @@
+{
+  disko.devices.disk = {
+    nvme0n1 = {
+      type = "disk";
+      device = "/dev/nvme0n1";
+      content = {
+        type = "gpt";
+        partitions = {
+          ESP = {
+            label = "EFI";
+            name = "ESP";
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+                "umask=0077"
+              ];
+            };
+          };
+
+          main = {
+            end = "-32G";
+            content = {
+              type = "luks";
+              name = "main";
+              passwordFile = "/tmp/secret.key";
+              settings.allowDiscards = true;
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "/root" = {
+                    mountpoint = "/";
+                    mountOptions = ["compress=zstd" "noatime"];
+                  };
+                  "/home" = {
+                    mountpoint = "/home";
+                    mountOptions = ["compress=zstd" "noatime"];
+                  };
+                  "/var" = {
+                    mountpoint = "/var";
+                    mountOptions = ["compress=zstd" "noatime"];
+                  };
+                  "/nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress=zstd" "noatime" "noxattr" "noacl"];
+                  };
+                };
+              };
+            };
+          };
+
+          swap = {
+            size = "100%";
+            content = {
+              type = "swap";
+              randomEncryption = true;
+              resumeDevice = true;
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos-config/hosts/rin/hardware-configuration.nix

@@ -0,0 +1,25 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixos-config/hosts/rin/hardware-policy.nix

@@ -0,0 +1,55 @@
+{
+  flake-inputs,
+  pkgs,
+  config,
+  ...
+}: {
+  services.osquery = {
+    flags = {
+      tls_hostname = "fleet.famedly.de";
+
+      # Enrollment
+      host_identifier = "instance";
+      enroll_secret_path = config.sops.secrets."osquery/enroll".path;
+      enroll_tls_endpoint = "/api/osquery/enroll";
+
+      # Configuration
+      config_plugin = "tls";
+      config_tls_endpoint = "/api/v1/osquery/config";
+      config_refresh = "10";
+
+      # Live query
+      disable_distributed = "false";
+      distributed_plugin = "tls";
+      distributed_interval = "10";
+      distributed_tls_max_attempts = "3";
+      distributed_tls_read_endpoint = "/api/v1/osquery/distributed/read";
+      distributed_tls_write_endpoint = "/api/v1/osquery/distributed/write";
+
+      # Logging
+      logger_plugin = "tls";
+      logger_tls_endpoint = "/api/v1/osquery/log";
+      logger_tls_period = "10";
+
+      # File carving
+      disable_carver = "false";
+      carver_start_endpoint = "/api/v1/osquery/carve/begin";
+      carver_continue_endpoint = "/api/v1/osquery/carve/block";
+      carver_block_size = "2000000";
+    };
+  };
+
+  systemd.packages = [flake-inputs.self.packages.${pkgs.system}.drivestrike];
+  systemd.services.drivestrike.wantedBy = ["multi-user.target"];
+
+  services.clamav = {
+    updater.enable = true;
+    daemon.enable = true;
+  };
+
+  # NixOS enables an incoming-only firewall by default anyway, but
+  # this ensures it stays enabled even if an update turned it off or
+  # something.
+  networking.firewall.enable = true;
+  # Don't use nftables to prevent issues with docker.
+}

nixos-config/yui/default.nix → nixos-config/hosts/yui/default.nix

@@ -15,8 +15,9 @@ in {
 
     ./games.nix
     ./hardware-configuration.nix
-    ../networks/personal.nix
+    ../../networks/personal.nix
     ./wireguard.nix
+    ../../wireguard.nix
     ./nvidia
     ./networking.nix
   ];

nixos-config/sway.nix

@@ -1,17 +1,14 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  flake-inputs,
+  ...
+}: {
   nixpkgs.overlays = [
     (_: prev: {
       # Fix issues with nvidia screencapture bit depth
       # See https://github.com/emersion/xdg-desktop-portal-wlr/issues/190
-      # TODO(tlater): stop doing this when there's a new release.
-      xdg-desktop-portal-wlr = prev.xdg-desktop-portal-wlr.overrideAttrs (old: {
-        src = prev.fetchFromGitHub {
-          owner = "emersion";
-          repo = old.pname;
-          rev = "1eaa02eb18ab783b64dc89f1681909dc30baa805";
-          hash = "sha256-vRMNkMFidNmSQkhz5n+EBg7IkRjMYqrhdhM80G3K3WI=";
-        };
-      });
+      # TODO(tlater): stop doing this when stable bumps this version.
+      xdg-desktop-portal-wlr = flake-inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xdg-desktop-portal-wlr;
     })
   ];
 

pkgs/_sources/generated.json

@@ -39,6 +39,21 @@
         },
         "version": "v0.5.6"
     },
+    "drivestrike": {
+        "cargoLocks": null,
+        "date": null,
+        "extract": null,
+        "name": "drivestrike",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "name": null,
+            "sha256": "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI=",
+            "type": "url",
+            "url": "https://app.drivestrike.com/static/yum/drivestrike.rpm"
+        },
+        "version": "2.1.22-31"
+    },
     "firefox-ui-fix": {
         "cargoLocks": null,
         "date": "2024-01-31",

pkgs/_sources/generated.nix

@@ -23,6 +23,14 @@
       sha256 = "sha256-5bYbfO1kmduNm9YV5niaaPvRIDRmPt4QOX7eKpK+sWY=";
     };
   };
+  drivestrike = {
+    pname = "drivestrike";
+    version = "2.1.22-31";
+    src = fetchurl {
+      url = "https://app.drivestrike.com/static/yum/drivestrike.rpm";
+      sha256 = "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI=";
+    };
+  };
   firefox-ui-fix = {
     pname = "firefox-ui-fix";
     version = "772cba205f20a447bed636ab85ba5332822f4fc4";