From dff2baacb3e982898e29e1343b233e382552fb0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Sat, 24 Feb 2024 03:00:08 +0100
Subject: [PATCH] fixup! WIP: Add new configuration for rin

---
 .../config/applications/graphical/firefox.nix | 194 +++++++++---------
 home-config/config/shell/default.nix | 1 +
 home-config/config/work/famedly.nix | 24 ++-
 home-config/hosts/rin/default.nix | 1 +
 keys/famedly-tlater.pub | 1 +
 nixos-config/default.nix | 2 +-
 nixos-config/hosts/rin/default.nix | 58 +++++-
 nixos-config/hosts/rin/firefox.nix | 16 ++
 nixos-config/hosts/rin/hardware-policy.nix | 68 +++++-
 9 files changed, 258 insertions(+), 107 deletions(-)
 create mode 100644 keys/famedly-tlater.pub
 create mode 100644 nixos-config/hosts/rin/firefox.nix

diff --git a/home-config/config/applications/graphical/firefox.nix b/home-config/config/applications/graphical/firefox.nix
index 4652245b..65b23cae 100644
--- a/home-config/config/applications/graphical/firefox.nix
+++ b/home-config/config/applications/graphical/firefox.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 config,
 pkgs,
 flake-inputs,
@@ -21,107 +22,116 @@ settings-file = runCommandNoCC "firefox-settings" {} '' cat '${firefox-ui-fix}/user.js' '${settings}' > $out ''; -in { - xdg.configFile."tridactyl/tridactylrc".text = '' - source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings - # Remove the update function; Really don't want this since it's nix-packaged - comclear emacs-bindings-update - # Remove annoying pre-defined "searchurls" - duckduckgo is just better - jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) - ''; - home.file.".mozilla/firefox/tlater/chrome/icons" = { - source = "${firefox-ui-fix}/icons"; - }; + thirdParty = config.programs.firefox.enableThirdPartyRepositories; +in { + options.programs.firefox.enableThirdPartyRepositories = lib.mkEnableOption "third party repositories"; - programs.firefox = { - enable = true; - package = pkgs.firefox.override { - nativeMessagingHosts = [ - pkgs.tridactyl-native - ]; - }; - profiles."tlater" = { - extensions = with pkgs.nur.repos.rycee.firefox-addons; [ - aria2-integration - buster-captcha-solver - clearurls - decentraleyes - indie-wiki-buddy - keepassxc-browser - libredirect - no-pdf-download - react-devtools - reduxdevtools - tridactyl - ublock-origin + config = { + programs.firefox = { + enable = true; + package = lib.mkIf thirdParty (pkgs.firefox.override { + nativeMessagingHosts = [ + pkgs.tridactyl-native + ]; + }); + profiles."tlater" = { + extensions = with pkgs.nur.repos.rycee.firefox-addons; + lib.mkIf thirdParty [ + aria2-integration + buster-captcha-solver + clearurls + decentraleyes + indie-wiki-buddy + keepassxc-browser + libredirect + no-pdf-download + react-devtools + reduxdevtools + tridactyl + ublock-origin - # # Missing: - # cloudhole - # devtools-adb-extension - # firefox-sticky-window-containers - # warframe-reliquary-prime - ]; + # # Missing: + # cloudhole + # devtools-adb-extension + # firefox-sticky-window-containers + 
# warframe-reliquary-prime + ]; - userChrome = - builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"; - userContent = - builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"; - settings = { - # Re-bind ctrl to super (would interfere with tridactyl otherwise) - "ui.key.accelKey" = 91; + userChrome = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"); + userContent = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"); + settings = { + # Re-bind ctrl to super (would interfere with tridactyl otherwise) + "ui.key.accelKey" = 91; - # Keep the reader button enabled at all times; really don't - # care if it doesn't work 20% of the time, most websites are - # crap and unreadable without this - "reader.parse-on-load.force-enabled" = true; + # Keep the reader button enabled at all times; really don't + # care if it doesn't work 20% of the time, most websites are + # crap and unreadable without this + "reader.parse-on-load.force-enabled" = true; - # Hide the "sharing indicator", it's especially annoying - # with tiling WMs on wayland - "privacy.webrtc.legacyGlobalIndicator" = false; + # Hide the "sharing indicator", it's especially annoying + # with tiling WMs on wayland + "privacy.webrtc.legacyGlobalIndicator" = false; - # Actual settings - "app.shield.optoutstudies.enabled" = false; - "app.update.auto" = false; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.contentblocking.category" = "strict"; - "browser.ctrlTab.recentlyUsedOrder" = false; - "browser.discovery.enabled" = false; - "browser.laterrun.enabled" = false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = - false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = - false; - "browser.newtabpage.activity-stream.feeds.snippets" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; - 
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; - "browser.newtabpage.activity-stream.section.highlights.includePocket" = - false; - "browser.newtabpage.activity-stream.showSponsored" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.pinned" = false; - "browser.protections_panel.infoMessage.seen" = true; - "browser.quitShortcut.disabled" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.ssb.enabled" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.urlbar.placeholderName" = "DuckDuckGo"; - "browser.urlbar.suggest.openpage" = false; - "datareporting.policy.dataSubmissionEnable" = false; - "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; - "dom.security.https_only_mode" = true; - "dom.security.https_only_mode_ever_enabled" = true; - "extensions.getAddons.showPane" = false; - "extensions.htmlaboutaddons.recommendations.enabled" = false; - "extensions.pocket.enabled" = false; - "identity.fxaccounts.enabled" = false; - "privacy.trackingprotection.enabled" = true; - "privacy.trackingprotection.socialtracking.enabled" = true; + # Actual settings + "app.shield.optoutstudies.enabled" = false; + "app.update.auto" = false; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.contentblocking.category" = "strict"; + "browser.ctrlTab.recentlyUsedOrder" = false; + "browser.discovery.enabled" = false; + "browser.laterrun.enabled" = false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = + false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = + false; + "browser.newtabpage.activity-stream.feeds.snippets" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; + "browser.newtabpage.activity-stream.section.highlights.includePocket" = + 
false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.pinned" = false; + "browser.protections_panel.infoMessage.seen" = true; + "browser.quitShortcut.disabled" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.ssb.enabled" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.urlbar.placeholderName" = "DuckDuckGo"; + "browser.urlbar.suggest.openpage" = false; + "datareporting.policy.dataSubmissionEnable" = false; + "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; + "dom.security.https_only_mode" = true; + "dom.security.https_only_mode_ever_enabled" = true; + "extensions.getAddons.showPane" = false; + "extensions.htmlaboutaddons.recommendations.enabled" = false; + "extensions.pocket.enabled" = false; + "identity.fxaccounts.enabled" = false; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + }; }; }; - }; - home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = { - source = settings-file; + home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = + lib.mkIf thirdParty + {source = settings-file;}; + + xdg.configFile."tridactyl/tridactylrc" = lib.mkIf thirdParty { + text = '' + source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings + # Remove the update function; Really don't want this since it's nix-packaged + comclear emacs-bindings-update + # Remove annoying pre-defined "searchurls" - duckduckgo is just better + jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) + ''; + }; + + home.file.".mozilla/firefox/tlater/chrome/icons" = lib.mkIf thirdParty {source = "${firefox-ui-fix}/icons";}; }; } 
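Review bot: `lib.mkEnableOption` gives the new `enableThirdPartyRepositories` option a default of false, so every host that does not set it explicitly now loses the NUR extensions, tridactyl, the lepton CSS, the icons and the generated user.js; the only assignment visible in this patch is famedly.nix setting it to false, so the personal profiles presumably regress unless a file outside the diff enables it. Either declare it with a true default, `options.programs.firefox.enableThirdPartyRepositories = lib.mkOption { type = lib.types.bool; default = true; description = "..."; };`, or set it to true in the shared personal configuration. Separately, `home.file.".mozilla/firefox/tlater/chrome/icons"` still hard-codes the profile directory while the user.js entry a few lines above derives it from `config.programs.firefox.profiles.tlater.path`; both should use the same expression so a renamed profile path cannot silently leave the icons behind. The `settings` block (including `app.update.auto = false`) remains active on the work profile even with third-party repositories off, which is presumably intended but deserves a one-line comment.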
diff --git a/home-config/config/shell/default.nix b/home-config/config/shell/default.nix index 44f088ea..991b7dea 100644 --- a/home-config/config/shell/default.nix +++ b/home-config/config/shell/default.nix @@ -15,6 +15,7 @@ fd ouch ripgrep + screen ]; programs.ssh.enable = true; diff --git a/home-config/config/work/famedly.nix b/home-config/config/work/famedly.nix index 9ca1730a..9f4dfdd0 100644 --- a/home-config/config/work/famedly.nix +++ b/home-config/config/work/famedly.nix @@ -1,4 +1,8 @@ -{lib, flake-inputs, ...}: { +{ + lib, + flake-inputs, + ... +}: { programs.git = { userEmail = "t.maat@famedly.com"; @@ -11,6 +15,11 @@ extraConfig.github.user = "famedly-tlater"; }; + home.packages = with pkgs; [ + bitwarden + pre-commit + ]; + home.file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub"; programs.ssh.matchBlocks = { @@ -20,9 +29,14 @@ }; }; - programs.firefox.webapps = { - discord.enable = lib.mkForce false; - whatsapp.enable = lib.mkForce false; - element.enable = lib.mkForce false; + programs.firefox = { + enableThirdPartyRepositories = false; + + # Disable the webapps that shouldn't be on a work computer + webapps = { + discord.enable = lib.mkForce false; + whatsapp.enable = lib.mkForce false; + element.enable = lib.mkForce false; + }; }; } diff --git a/home-config/hosts/rin/default.nix b/home-config/hosts/rin/default.nix index 50541b63..5230d059 100644 --- a/home-config/hosts/rin/default.nix +++ b/home-config/hosts/rin/default.nix @@ -1,6 +1,7 @@ { imports = [ ../../config + ../../config/applications/graphical ../../config/applications/tty ../../config/desktop ../../config/services diff --git a/keys/famedly-tlater.pub b/keys/famedly-tlater.pub new file mode 100644 index 00000000..1bff510d --- /dev/null +++ b/keys/famedly-tlater.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtWLp6Hoqr3izbm+J7PUOLLI+6xoZ05T/7jMJITjrQH openpgp:0x4991CF06 
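Review bot: In famedly.nix the second hunk introduces `home.packages = with pkgs; [ ... ];`, but the module's argument set rewritten in the first hunk is `{ lib, flake-inputs, ... }: {`, which does not bind `pkgs` (the `...` only tolerates extra attributes, it does not bring them into scope), so evaluation should fail with an undefined-variable error. Add `pkgs,` to the argument pattern: `{ lib, pkgs, flake-inputs, ... }: {`. The remaining hunks on this line (the `screen` package, the graphical import for rin and the new public key file) look fine as they stand.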
diff --git a/nixos-config/default.nix b/nixos-config/default.nix index aa27479c..d9f5e038 100644 --- a/nixos-config/default.nix +++ b/nixos-config/default.nix @@ -46,7 +46,7 @@ sops = { gnupg = { - home = "/var/lib/sops"; + # home = "/var/lib/sops"; sshKeyPaths = []; }; diff --git a/nixos-config/hosts/rin/default.nix b/nixos-config/hosts/rin/default.nix index dbb7ae55..d072d19f 100644 --- a/nixos-config/hosts/rin/default.nix +++ b/nixos-config/hosts/rin/default.nix @@ -1,12 +1,17 @@ -{lib, flake-inputs, ...}: { +{ + pkgs, + config, + lib, + flake-inputs, + ... +}: { imports = [ flake-inputs.disko.nixosModules.disko - ../../networks/personal.nix - ./hardware-configuration.nix ./disko.nix + ./firefox.nix ./hardware-policy.nix ]; @@ -15,12 +20,51 @@ sops = { gnupg = lib.mkForce {}; age.keyFile = "/var/lib/sops/host.age"; + secrets.wireless-env = {}; }; networking = { hostName = "rin"; hostId = "e6aaf496"; - wireless.interfaces = ["wlp2s0"]; + wireless = { + enable = lib.mkForce false; + allowAuxiliaryImperativeNetworks = lib.mkForce false; + userControlled.enable = lib.mkForce false; + }; + + networkmanager = { + enable = true; + dns = "systemd-resolved"; + + ensureProfiles = { + environmentFiles = [config.sops.secrets.wireless-env.path]; + + profiles = { + mikan-guest = { + connection = { + id = "mikan-guest"; + type = "wifi"; + }; + + wifi = { + mode = "infrastructure"; + ssid = "mikan-guest"; + }; + + wifi-security = { + key-mgmt = "wpa-psk"; + psk = "$PSK_MIKAN_GUEST"; + }; + + ipv4.method = "auto"; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + }; + }; + }; + }; }; systemd.network = { @@ -32,4 +76,10 @@ }; }; }; + + # Used extensively for testing at work + virtualisation.docker.enable = true; + users.users.tlater.extraGroups = ["docker"]; + # Install rustup system-wide for convenience + environment.systemPackages = [pkgs.rustup]; } 
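Review bot: In nixos-config/default.nix the gnupg `home = "/var/lib/sops"` line is commented out rather than removed or explained, which leaves dead code and changes the sops-nix gnupg setup for every host importing this file, not only rin (rin already overrides it with `gnupg = lib.mkForce {};` in its own module). If the intent is to stop using the gnupg keyring globally, delete the line and say so in a comment, e.g. `# gnupg decryption is no longer used; hosts use age keys under /var/lib/sops`; if it is only a rin-specific experiment, restore it here since rin's mkForce already handles that case.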
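Review bot: In the last hunk of nixos-config/hosts/rin/default.nix, `users.users.tlater.extraGroups = ["docker"];` makes the account effectively root-equivalent on the host (members of the docker group can start privileged containers or bind-mount the root filesystem), which undercuts the osquery, drivestrike and clamav controls this same host configures in hardware-policy.nix. If the test workloads allow it, prefer `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` and drop the group; otherwise extend the existing comment to record that this is a deliberate trade-off on a managed work machine. The first hunk also drops the `./hardware-configuration.nix` import alongside the personal network; disko presumably covers the filesystems, but the kernel module and firmware settings such a file usually carries are not visibly replaced here, so confirm the system still boots from the disko-only configuration.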
diff --git a/nixos-config/hosts/rin/firefox.nix b/nixos-config/hosts/rin/firefox.nix new file mode 100644 index 00000000..7ee9cc8e --- /dev/null +++ b/nixos-config/hosts/rin/firefox.nix @@ -0,0 +1,16 @@ +{ + programs.firefox = { + enable = true; + + policies.preferences.ExtensionSettings = { + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; + }; + "{74145f27-f039-47ce-a470-a662b129930a}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/clearurls/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + }; +} diff --git a/nixos-config/hosts/rin/hardware-policy.nix b/nixos-config/hosts/rin/hardware-policy.nix index 2e800a33..98f9d1e7 100644 --- a/nixos-config/hosts/rin/hardware-policy.nix +++ b/nixos-config/hosts/rin/hardware-policy.nix @@ -1,10 +1,13 @@ { flake-inputs, pkgs, + lib, config, ... }: { services.osquery = { + enable = true; + flags = { tls_hostname = "fleet.famedly.de"; 
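Review bot: In the new nixos-config/hosts/rin/firefox.nix the extension policy is placed at `policies.preferences.ExtensionSettings`; Firefox's policies.json recognises `ExtensionSettings` and `Preferences` (capital P) as top-level policy names, so a lowercase `preferences` key is most likely ignored and neither uBlock Origin nor ClearURLs is actually force-installed. If the enterprise policy is intended, move the block to `programs.firefox.policies.ExtensionSettings = { ... };`. Installing from `.../latest.xpi` means the version deployed is whatever addons.mozilla.org serves at that moment rather than something reviewed in this repository; that is acceptable for signed AMO add-ons, but a comment such as `# Pulled from AMO at install time; versions are not pinned here` makes the trust decision explicit.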
@@ -36,20 +39,75 @@ carver_start_endpoint = "/api/v1/osquery/carve/begin"; carver_continue_endpoint = "/api/v1/osquery/carve/block"; carver_block_size = "2000000"; + + # Fix non-fhs paths + tls_server_certs = "${pkgs.osquery}/share/osquery/certs/certs.pem"; }; }; - systemd.packages = [flake-inputs.self.packages.${pkgs.system}.drivestrike]; - systemd.services.drivestrike.wantedBy = ["multi-user.target"]; + systemd.services.drivestrike = { + serviceConfig = { + ExecStart = "${flake-inputs.self.packages.${pkgs.system}.drivestrike}/bin/drivestrike run"; + SyslogIdentifier = "drivestrike"; + }; + + after = ["network.target" "drivestrike-lock.service"]; + wantedBy = ["multi-user.target"]; + }; services.clamav = { updater.enable = true; daemon.enable = true; }; - # NixOS enables an incoming-only firewall by default anyway, but + # Famedly's osquery checks for a process name of `clamd` and + # `freshclam` - by default, however, systemd will use the filename, + # which is an absolute path, and therefore this will look like clamd + # is not running. + # + # TODO(tlater): Suggest an osquery that doesn't require this + systemd.services.clamav-daemon.serviceConfig.ExecStart = lib.mkForce "@${pkgs.clamav}/bin/clamd clamd"; + + # NixOS' freshclam (clamav updater) service is run as a timer by + # default, but famedly expects it to run as a daemon. + systemd.timers.clamav-freshclam.enable = false; + systemd.services.clamav-freshclam = { + serviceConfig = { + Type = lib.mkForce "simple"; + ExecStart = lib.mkForce "@${pkgs.clamav}/bin/freshclam freshclam --daemon --foreground"; + }; + wantedBy = ["clamav-daemon.service"]; + }; + + # NixOS enables an outgoing-only firewall by default anyway, but # this ensures it stays enabled even if an update turned it off or # something. - networking.firewall.enable = true; - # Don't use nftables to prevent issues with docker. 
+ networking.firewall = { + enable = true; + # Probably just don't allow pings either + allowPing = false; + # DO NOT USE NFTABLES + + # Allow docker containers to communicate + extraCommands = let + # Either get the docker daemon setting *or* the default value + dockerAddressPools = + config.virtualisation.docker.daemon.settings.default-address-pools + or [ + { + base = "172.30.0.0/16"; + size = 24; + } + { + base = "172.31.0.0/16"; + size = 24; + } + ]; + addresses = lib.concatMapStringsSep "," (pool: pool.base) dockerAddressPools; + in '' + iptables -A INPUT -s ${addresses} -d ${addresses} -j ACCEPT + ''; + }; + + sops.secrets."osquery/enroll" = {}; }
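Review bot: The rewritten comment in hardware-policy.nix says NixOS enables an outgoing-only firewall by default; the NixOS firewall filters incoming connections (which is also what the adjacent `allowPing = false;` concerns), so the old wording should be kept: `# NixOS enables an incoming-only firewall by default anyway, but`. `# DO NOT USE NFTABLES` states a constraint without enforcing it, and the iptables rule in `extraCommands` depends on it, so set `networking.nftables.enable = false;` next to the comment and carry over the old explanation about docker. `sops.secrets."osquery/enroll" = {};` is declared at the end of the hunk, but nothing visible points osquery at its path (for example an `enroll_secret_path` flag); if that wiring lives outside the hunk this is fine, otherwise the secret is decrypted and never used. The `drivestrike` unit now orders itself after `drivestrike-lock.service`, which is not defined in this patch; if it comes from the package, a comment saying so would save the next reader a search. The enclosing module begins outside this hunk.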