localhost/security.nix

{ config, pkgs, ... }:

{
  security.allowUserNamespaces = true;
  security.allowSimultaneousMultithreading = true;
  security.lockKernelModules = false;

  programs.ssh.startAgent = false;
  programs.gnupg = {
    agent.enable = true;
    agent.enableSSHSupport = true;
    agent.enableExtraSocket = true;
    agent.enableBrowserSocket = true;
    dirmngr.enable = true;
  };

  # Bus 001 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID
  services.udev = {
    extraRules = ''
      ACTION=="add|change", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", MODE="0666"
    '';
  };

  systemd = {
    services = {
      "force-lock-after-suspend" = {
        serviceConfig.User = "user";
        description = "Force xsecurelock after suspend";
        before = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        script = ''
          DISPLAY=:0 ${pkgs.xsecurelock}/bin/xsecurelock
        '';
      };
    };
  };

  # Allow manage backlight without sudo
  security.sudo = {
    enable = true;
    extraConfig = ''
      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
      %wheel ALL=(out-of-tree) NOPASSWD: ${pkgs.out-of-tree}/bin/out-of-tree
    '';
  };

  users.users.out-of-tree = {
    home = "/var/out-of-tree";
    group = "out-of-tree";
    isSystemUser = true;
    createHome = true;
    extraGroups = [ "docker" "kvm" ];
  };
  users.groups.out-of-tree = {};

  environment.systemPackages = with pkgs; [
    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
    (writeShellScriptBin "out-of-tree"
      "sudo -H -u out-of-tree ${pkgs.out-of-tree}/bin/out-of-tree $@")
  ];
}
Initial 2019-05-31 00:02:30 +00:00			`{ config, pkgs, ... }:`

remove fhs env 2023-02-13 09:14:21 +00:00			`{`
Initial 2019-05-31 00:02:30 +00:00			`security.allowUserNamespaces = true;`
			`security.allowSimultaneousMultithreading = true;`
Disable kernel modules locking 2019-11-19 16:31:28 +00:00			`security.lockKernelModules = false;`
Initial 2019-05-31 00:02:30 +00:00
			`programs.ssh.startAgent = false;`
			`programs.gnupg = {`
			`agent.enable = true;`
			`agent.enableSSHSupport = true;`
			`agent.enableExtraSocket = true;`
			`agent.enableBrowserSocket = true;`
			`dirmngr.enable = true;`
			`};`

			`# Bus 001 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID`
			`services.udev = {`
			`extraRules = ''`
			`ACTION=="add\|change", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", MODE="0666"`
			`'';`
			`};`

			`systemd = {`
			`services = {`
			`"force-lock-after-suspend" = {`
			`serviceConfig.User = "user";`
i3lock -> xsecurelock 2020-01-06 15:29:14 +00:00			`description = "Force xsecurelock after suspend";`
Initial 2019-05-31 00:02:30 +00:00			`before = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];`
			`wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];`
			`script = ''`
i3lock -> xsecurelock 2020-01-06 15:29:14 +00:00			`DISPLAY=:0 ${pkgs.xsecurelock}/bin/xsecurelock`
Initial 2019-05-31 00:02:30 +00:00			`'';`
			`};`
			`};`
			`};`

			`# Allow manage backlight without sudo`
			`security.sudo = {`
			`enable = true;`
			`extraConfig = ''`
			`%wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light`
Allow to use captive portals without disabling VPN-only 2019-06-01 18:35:58 +00:00			`%wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox`
Get rid of unstable 2020-11-20 18:44:01 +00:00			`%wheel ALL=(out-of-tree) NOPASSWD: ${pkgs.out-of-tree}/bin/out-of-tree`
Initial 2019-05-31 00:02:30 +00:00			`'';`
			`};`

Run out-of-tree from special user 2019-09-05 16:03:51 +00:00			`users.users.out-of-tree = {`
			`home = "/var/out-of-tree";`
Explicitly define user group 2022-05-11 14:29:25 +00:00			`group = "out-of-tree";`
Compatibility with the new NixOS version 2021-10-07 13:46:24 +00:00			`isSystemUser = true;`
Run out-of-tree from special user 2019-09-05 16:03:51 +00:00			`createHome = true;`
			`extraGroups = [ "docker" "kvm" ];`
			`};`
Explicitly define user group 2022-05-11 14:29:25 +00:00			`users.groups.out-of-tree = {};`
Run out-of-tree from special user 2019-09-05 16:03:51 +00:00
Allow to use captive portals without disabling VPN-only 2019-06-01 18:35:58 +00:00			`environment.systemPackages = with pkgs; [`
			`(writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")`
Run out-of-tree from special user 2019-09-05 16:03:51 +00:00			`(writeShellScriptBin "out-of-tree"`
Get rid of unstable 2020-11-20 18:44:01 +00:00			`"sudo -H -u out-of-tree ${pkgs.out-of-tree}/bin/out-of-tree $@")`
Allow to use captive portals without disabling VPN-only 2019-06-01 18:35:58 +00:00			`];`
Initial 2019-05-31 00:02:30 +00:00			`}`