Add all of iogamaster modules

2024-06-15 09:59:52 +02:00
parent c97f22254a
commit fa99b32cad
120 changed files with 3587 additions and 254 deletions
--- a/modules/nixos/system/security/doas/default.nix
+++ b/modules/nixos/system/security/doas/default.nix
@@ -0,0 +1,34 @@
+{
+  options,
+  config,
+  lib,
+  ...
+}:
+with lib;
+with lib.frajul; let
+  cfg = config.system.security.doas;
+in {
+  options.system.security.doas = {
+    enable = mkBoolOpt false "Whether or not to replace sudo with doas.";
+  };
+
+  config = mkIf cfg.enable {
+    # Disable sudo
+    security.sudo.enable = false;
+
+    # Enable and configure `doas`.
+    security.doas = {
+      enable = true;
+      extraRules = [
+        {
+          users = [config.user.name];
+          noPass = true;
+          keepEnv = true;
+        }
+      ];
+    };
+
+    # Add an alias to the shell for backward-compat and convenience.
+    environment.shellAliases = {sudo = "doas";};
+  };
+}
--- a/modules/nixos/system/security/lockdown/default.nix
+++ b/modules/nixos/system/security/lockdown/default.nix
@@ -0,0 +1,44 @@
+{
+  options,
+  config,
+  lib,
+  ...
+}:
+with lib;
+with lib.frajul;
+let
+  cfg = config.system.security.lockdown;
+in
+{
+  options.system.security.lockdown = {
+    enable = mkBoolOpt false "Whether or not to lockdown the system for maximum security";
+  };
+
+  config = mkIf cfg.enable {
+    # Ripped from:
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+
+    nix.allowedUsers = [ "@wheel" ];
+    environment.defaultPackages = lib.mkForce [ ]; # Heres a great little piece, it disables any non defined packages for this system
+
+    services.openssh = {
+      settings.passwordAuthentication = false;
+      allowSFTP = false; # Don't set this if you need sftp
+      challengeResponseAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
+
+    fileSystems."/".options = [ "noexec" ];
+    fileSystems."/etc/nixos".options = [ "noexec" ];
+    fileSystems."/srv".options = [ "noexec" ];
+    fileSystems."/var/log".options = [ "noexec" ];
+
+    environment.systemPackages = with pkgs; [ clamav ]; # PCI Compliance
+  };
+}
--- a/modules/nixos/system/security/sops/default.nix
+++ b/modules/nixos/system/security/sops/default.nix
@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.frajul;
+{
+  imports = with inputs; [ sops-nix.nixosModules.sops ];
+
+  config = {
+    sops.defaultSopsFile = ../../../../../secrets/secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+
+    sops.age.keyFile = "/home/${config.user.name}/.config/sops/age/keys.txt";
+
+    home.persist.directories = [ ".config/sops" ];
+
+    environment.systemPackages = with pkgs; [
+      (writeShellScriptBin "sops" ''
+        EDITOR=${config.environment.variables.EDITOR} ${pkgs.sops}/bin/sops $@
+      '')
+      age
+    ];
+
+    # List of defined secrets
+    # sops.secrets."system/password" = {neededForUsers = true;};
+    # sops.secrets."ngrok/terraria" = {};
+  };
+}