commit all changes before flake update
authorPreston Pan <ret2pop@gmail.com>
Sat, 20 Sep 2025 00:20:46 +0000 (17:20 -0700)
committerPreston Pan <ret2pop@gmail.com>
Sat, 20 Sep 2025 00:20:46 +0000 (17:20 -0700)
README.org
config/nix.org
nix/flake.lock
nix/modules/configuration.nix
nix/modules/firejail.nix [new file with mode: 0644]
nix/modules/impermanence.nix
nix/systems/continuity/default.nix
nix/systems/installer/default.nix

index 9a9f5a03cbdb5ca02f12ce9c4e91afefe3dc518d..3afd8bfd88521215c353d29a530f8e77094b1fb5 100644 (file)
@@ -28,11 +28,7 @@ then reboot, and run:
 #+begin_src bash
   cd $HOME/monorepo && git pull
 #+end_src
-That's all! Note that if you install with an encrypted disk, you will have to run:
-#+begin_src bash
-  echo "password123" > /tmp/secret.key
-#+end_src
-before ~nix_installer~.
+That's all!
 ** Post-setup
 In emacs, run ~M-x all-the-icons-install-fonts, ~~M-x nerd-icons-install-fonts~, and ~M-x org-roam-db-sync~. Install your music to ~$HOME/music~ for
 emms. In firefox, go to the three-bar menu and enable all the add-ons that were automatically installed. Set up the ~mu~ program in order to
index a8f8a75adcefef37720b06d0a589096f3dd0be7b..b82978e8889c65f1283f3fd1555f146a83957b4b 100644 (file)
@@ -1196,7 +1196,7 @@ This is my impermanence profile, which removes all files on reboot except for th
       umount /btrfs_tmp
     '' else "");
 
-    boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then {
+    boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then {
       crypted = {
         device = "/dev/disk/by-partlabel/disk-main-luks";
       };
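Review bot: The new condition on the `boot.initrd.luks.devices` line keys LUKS setup off the filesystem type rather than off an explicit encrypted-disk flag, so an encrypted btrfs install (or an unencrypted ext4 one) would silently get the wrong initrd configuration; if "encrypted exactly when not btrfs" is the real invariant it deserves a comment saying so, otherwise a dedicated boolean option (say `monorepo.vars.encrypted`, name illustrative) would make the intent explicit — the vars definition is not visible from here. The negated equality also reads more naturally as `boot.initrd.luks.devices = (if config.monorepo.vars.fileSystem != "btrfs" then {`. The same line is tangled into nix/modules/impermanence.nix further down. The enclosing attribute set starts and ends outside the hunk.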
@@ -1260,6 +1260,31 @@ This is my impermanence profile, which removes all files on reboot except for th
     };
   }
 #+end_src
+** Firejail
+I know there are some security issues with firejail, but it's probably better than nothing. I'm looking to replace this with bubblewrap in the
+future. Note that I am also going to use AppArmor more often.
+#+begin_src nix :tangle ../nix/modules/firejail.nix
+  { pkgs, lib, ... }:
+  {
+    programs.firejail = {
+      enable = true;
+      wrappedBinaries = {
+        firefox = {
+          executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox";
+          profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+        };
+        emacs = {
+          executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs";
+          profile = "${pkgs.firejail}/etc/firejail/emacs.profile";
+        };
+        zathura = {
+          executable = "${lib.getBin pkgs.zathura}/bin/zathura";
+          profile = "${pkgs.firejail}/etc/firejail/zathura.profile";
+        };
+      };
+    };
+  }
+#+end_src
 ** Main Configuration
 This is the backbone of the all the NixOS configurations, with all these options being shared
 because they enhance security.
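Review bot: The entries under `wrappedBinaries` only sandbox anything if the firejail wrapper is what ends up first on PATH; if `firefox-bin`, `emacs-pgtk` or `zathura` are also installed through home-manager or `environment.systemPackages`, the per-user profile typically precedes the system profile and the unwrapped executable is what runs, so this is worth verifying on an installed system (`readlink -f "$(command -v firefox)"`) and recording with a comment such as `# wrappers only take effect when they shadow the raw package on PATH; do not install these packages elsewhere`. Enabling `programs.firejail` also installs its setuid helper, so the module adds to the setuid surface it is meant to reduce — that trade-off belongs in the prose note above next to the bubblewrap/AppArmor plan. The identical module is added as nix/modules/firejail.nix below.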
@@ -1288,6 +1313,7 @@ because they enhance security.
       ./znc.nix
       ./docker.nix
       ./impermanence.nix
+      ./firejail.nix
     ];
 
     documentation = {
@@ -1321,7 +1347,10 @@ because they enhance security.
 
 
     boot = {
-
+      supportedFilesystems = {
+        btrfs = true;
+        ext4 = true;
+      };
       extraModprobeConfig = ''
     options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
   '';
@@ -1451,9 +1480,49 @@ because they enhance security.
     };
 
     networking = {
-      useDHCP = lib.mkDefault true;
+      useDHCP = false;
+      dhcpcd.enable = false;
+      nameservers = [
+        "1.1.1.1"
+        "8.8.8.8"
+      ];
       networkmanager = {
          enable = true;
+        wifi.powersave = false;
+        ensureProfiles = {
+          profiles = {
+            home-wifi = {
+              connection = {
+                id = "home-wifi";
+                permissions = "";
+                type = "wifi";
+              };
+              ipv4 = {
+                dns-search = "";
+                method = "auto";
+              };
+              ipv6 = {
+                addr-gen-mode = "stable-privacy";
+                dns-search = "";
+                method = "auto";
+              };
+              wifi = {
+                mac-address-blacklist = "";
+                mode = "infrastructure";
+                ssid = "TELUS6572";
+              };
+              wifi-security = {
+                auth-alg = "open";
+                key-mgmt = "wpa-psk";
+                # when someone actually steals my internet then I will be concerned.
+                # This password only matters if you actually show up to my house in real life.
+                # That would perhaps allow for some nasty networking related shenanigans.
+                # I guess we'll cross that bridge when I get there.
+                psk = "b4xnrv6cG6GX";
+              };
+            };
+          };
+        };
       };
       firewall = {
          allowedTCPPorts = [ 22 11434 ];
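Review bot: The `psk` line commits a live WPA passphrase, alongside its SSID on the `ssid` line, to a publicly served repository, and because the profile is evaluated into the system closure the same value also lands in the world-readable Nix store on every host importing this module, not only in NetworkManager's own root-only connection files. The comment above it reasons that exposure is local-only, but the repository is not, so the passphrase should be treated as disclosed and rotated, and the profile should pull it from a root-only file outside the store via `networking.networkmanager.ensureProfiles.environmentFiles`, with the profile line becoming `psk = "$HOME_WIFI_PSK";` (variable name illustrative). The tangled copy in nix/modules/configuration.nix below carries the same literal. The enclosing `networking` set continues outside the hunk.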
@@ -1541,6 +1610,7 @@ because they enhance security.
 
       lockKernelModules = true;
       protectKernelImage = true;
+
       allowSimultaneousMultithreading = true;
       forcePageTableIsolation = true;
 
@@ -3669,7 +3739,8 @@ system. Also more common configuration can go here.
     # Put configuration (e.g. monorepo variable configuration) common to all configs here
   }
 #+end_src
-** Home Manager Common
+*** Home Manager Common
+Also I want to have the same kind of file for the home namespace.
 #+begin_src nix :tangle ../nix/systems/home-common.nix
   { lib, config, ... }:
   {
@@ -3696,6 +3767,7 @@ This is pretty understandable, if you understand all the above.
           fileSystem = "btrfs";
         };
       };
+      networking.networkmanager.wifi.backend = "iwd";
     };
   }
 #+end_src
@@ -3917,7 +3989,10 @@ This contains the installation script I use to install my systems.
     cd "$HOME"
   fi
 
-  gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select `new` in order to create a new system."
+  gum style --border normal --margin "1" --padding "1 2" "Enter a password for the encrypted disk. If you're not installing a profile with an encrypted disk, you can leave this blank."
+  echo "$(gum input --password)" > /tmp/secret.key
+
+  gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select \`new\` in order to create a new system."
 
   SYSTEM="$(gum choose $(find "$HOME/monorepo/nix/systems" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | grep -v -E 'installer'; printf "New"))"
 
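Review bot: The `echo "$(gum input --password)" > /tmp/secret.key` line creates the key file under the caller's default umask in a shared directory, so the passphrase is likely readable by other users for as long as the file exists; create it with restricted permissions instead, `(umask 077; echo "$(gum input --password)" > /tmp/secret.key)`, and remove it once the installer has consumed it if the rest of the script does not already do so (that part is outside the hunk). The redirect also runs unconditionally, so an unencrypted install still leaves an empty-but-present key file behind, and whatever reads /tmp/secret.key must accept the trailing newline `echo` appends, matching what the old README `echo "password123"` instruction produced. The same lines are tangled into nix/systems/installer/default.nix below. The script continues outside the hunk.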
index 2baf2b28dbf54c1a8d223603744e0d686367ae9f..06f3f02b551d5b350e5512eb980e1b123b256abe 100644 (file)
       }
     },
     "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpak",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": [
           "nur",
         "type": "github"
       }
     },
+    "hercules-ci-effects": {
+      "inputs": {
+        "flake-parts": [
+          "nixpak",
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpak",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758022363,
+        "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "1a3667d33e247ad35ca250698d63f49a5453d824",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
         "type": "github"
       }
     },
+    "nixpak": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "hercules-ci-effects": "hercules-ci-effects",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758163506,
+        "narHash": "sha256-eGksZmv1ie834yfgJW0z85eZZo10A/JE+6dhHNWQajQ=",
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "rev": "17df00be4383dbf88c42ed1fa519cc6dd71df042",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1755615617,
     },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
         "lanzaboote": "lanzaboote",
         "nix-topology": "nix-topology",
         "nixos-dns": "nixos-dns",
+        "nixpak": "nixpak",
         "nixpkgs": "nixpkgs_2",
         "nur": "nur",
         "scripts": "scripts",
index 5b44fc45fe44c16a3d83f90402563f9d0ccf03cb..bf7311778f5fb4b6cdb20d3f0a955a6003b7fcfc 100644 (file)
@@ -22,6 +22,7 @@
     ./znc.nix
     ./docker.nix
     ./impermanence.nix
+    ./firejail.nix
   ];
 
   documentation = {
 
 
   boot = {
-
+    supportedFilesystems = {
+      btrfs = true;
+      ext4 = true;
+    };
     extraModprobeConfig = ''
   options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1
 '';
   };
 
   networking = {
-    useDHCP = lib.mkDefault true;
+    useDHCP = false;
+    dhcpcd.enable = false;
+    nameservers = [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
     networkmanager = {
          enable = true;
+      wifi.powersave = false;
+      ensureProfiles = {
+        profiles = {
+          home-wifi = {
+            connection = {
+              id = "home-wifi";
+              permissions = "";
+              type = "wifi";
+            };
+            ipv4 = {
+              dns-search = "";
+              method = "auto";
+            };
+            ipv6 = {
+              addr-gen-mode = "stable-privacy";
+              dns-search = "";
+              method = "auto";
+            };
+            wifi = {
+              mac-address-blacklist = "";
+              mode = "infrastructure";
+              ssid = "TELUS6572";
+            };
+            wifi-security = {
+              auth-alg = "open";
+              key-mgmt = "wpa-psk";
+              # when someone actually steals my internet then I will be concerned.
+              # This password only matters if you actually show up to my house in real life.
+              # That would perhaps allow for some nasty networking related shenanigans.
+              # I guess we'll cross that bridge when I get there.
+              psk = "b4xnrv6cG6GX";
+            };
+          };
+        };
+      };
     };
     firewall = {
          allowedTCPPorts = [ 22 11434 ];
 
     lockKernelModules = true;
     protectKernelImage = true;
+
     allowSimultaneousMultithreading = true;
     forcePageTableIsolation = true;
 
diff --git a/nix/modules/firejail.nix b/nix/modules/firejail.nix
new file mode 100644 (file)
index 0000000..054171a
--- /dev/null
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+  programs.firejail = {
+    enable = true;
+    wrappedBinaries = {
+      firefox = {
+        executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox";
+        profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+      };
+      emacs = {
+        executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs";
+        profile = "${pkgs.firejail}/etc/firejail/emacs.profile";
+      };
+      zathura = {
+        executable = "${lib.getBin pkgs.zathura}/bin/zathura";
+        profile = "${pkgs.firejail}/etc/firejail/zathura.profile";
+      };
+    };
+  };
+}
index aa876d94698137cd78661eab80d48794b6ab2976..d728b6aeffe497288097d1a20c65db08140a5059 100644 (file)
@@ -32,7 +32,7 @@
     umount /btrfs_tmp
   '' else "");
 
-  boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then {
+  boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then {
     crypted = {
       device = "/dev/disk/by-partlabel/disk-main-luks";
     };
index d1484c28865f71302a192691eba64c283ad8168d..2520712a474e026c587a21bfe27657614bc8dc6b 100644 (file)
@@ -12,5 +12,6 @@
         fileSystem = "btrfs";
       };
     };
+    networking.networkmanager.wifi.backend = "iwd";
   };
 }
index 780e2ee870d1aa8e6ceb47c86159af1f0de5443c..6b63984829e795d3c0db35bacf20691938ed31f8 100644 (file)
@@ -65,7 +65,10 @@ if [ ! -d "$HOME/monorepo/" ]; then
   cd "$HOME"
 fi
 
-gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select `new` in order to create a new system."
+gum style --border normal --margin "1" --padding "1 2" "Enter a password for the encrypted disk. If you're not installing a profile with an encrypted disk, you can leave this blank."
+echo "$(gum input --password)" > /tmp/secret.key
+
+gum style --border normal --margin "1" --padding "1 2" "Choose a system to install or select \`new\` in order to create a new system."
 
 SYSTEM="$(gum choose $(find "$HOME/monorepo/nix/systems" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | grep -v -E 'installer'; printf "New"))"