nixos-config/profiles/security.nix

{ config, pkgs, lib, ... }:
with config.deviceSpecific; {
  security.apparmor.enable = !isContainer;
  programs.firejail.enable = true;
  users.mutableUsers = false;
  users.users.${config.mainuser} = {
    isNormalUser = true;
    extraGroups = [
      "adbusers"
      "audio"
      "cdrom"
      "corectrl"
      "dialout"
      "disk"
      "docker"
      "input"
      "kvm"
      "libvirtd"
      "lp"
      "lxd"
      "networkmanager"
      "podman"
      "qemu-libvirtd"
      "scanner"
      "systemd-journal"
      "smbuser"
      "video"
      # "wheel" # remove?
    ];
    description = "AtaraxiaDev";
    uid = 1000;
    hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";

    shell = pkgs.zsh;
  };
  # Safe, because we using doas
  users.allowNoPasswordLogin = true;
  # FIXME
  security.sudo = {
    enable = true;
    extraRules = [{
      users = [ config.mainuser ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "SETENV" "NOPASSWD" ];
      } {
        command = "/run/current-system/sw/bin/nix";
        options = [ "SETENV" "NOPASSWD" ];
      } {
        command = "/run/current-system/sw/bin/nix-shell";
        options = [ "SETENV" "NOPASSWD" ];
      }];
    }];
    # extraConfig = lib.concatStrings [''
    #   ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
    # ''
    # (if (isLaptop) then ''
    #   ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
    #   ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
    #   ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
    # '' else "")
    # ];
  };
  security.doas = {
    enable = true;
    extraRules = [{
      users = [ config.mainuser ];
      keepEnv = true;
      persist = true;
    } {
      users = [ config.mainuser ];
      noPass = true;
      keepEnv = true;
      cmd = "/run/current-system/sw/bin/btrfs";
      args = [ "fi" "usage" "/" ];
    }] ++ lib.optionals isLaptop [{
      users = [ config.mainuser ];
      noPass = true;
      keepEnv = true;
      cmd = "/run/current-system/sw/bin/tlp";
    } {
      users = [ config.mainuser ];
      noPass = true;
      keepEnv = true;
      cmd = "/run/current-system/sw/bin/tlp-stat";
    }];
  };
  systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
  services.getty.autologinUser = config.mainuser;
}
some changes 2020-08-29 17:47:21 +04:00			`{ config, pkgs, lib, ... }:`
			`with config.deviceSpecific; {`
fix lxc 2022-02-11 21:09:58 +03:00			`security.apparmor.enable = !isContainer;`
init commit 2019-08-27 23:41:02 +04:00			`programs.firejail.enable = true;`
			`users.mutableUsers = false;`
use users module 2022-12-10 22:34:39 +03:00			`users.users.${config.mainuser} = {`
init commit 2019-08-27 23:41:02 +04:00			`isNormalUser = true;`
			`extraGroups = [`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"adbusers"`
init commit 2019-08-27 23:41:02 +04:00			`"audio"`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"cdrom"`
			`"corectrl"`
			`"dialout"`
			`"disk"`
init commit 2019-08-27 23:41:02 +04:00			`"docker"`
			`"input"`
massive refactoring 2021-02-07 02:38:11 +03:00			`"kvm"`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"libvirtd"`
massive refactoring 2021-02-07 02:38:11 +03:00			`"lp"`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"lxd"`
			`"networkmanager"`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`"podman"`
			`"qemu-libvirtd"`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"scanner"`
update 2022-12-14 23:51:59 +03:00			`"systemd-journal"`
fixes... fixes everywhere 2022-07-02 19:30:20 +03:00			`"smbuser"`
some changes in theme module 2021-09-16 01:03:52 +03:00			`"video"`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`# "wheel" # remove?`
init commit 2019-08-27 23:41:02 +04:00			`];`
upgrade system 2022-12-07 22:05:00 +03:00			`description = "AtaraxiaDev";`
init commit 2019-08-27 23:41:02 +04:00			`uid = 1000;`
update 2022-12-14 23:51:59 +03:00			`hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";`

init commit 2019-08-27 23:41:02 +04:00			`shell = pkgs.zsh;`
			`};`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`# Safe, because we using doas`
			`users.allowNoPasswordLogin = true;`
			`# FIXME`
Too many changes 2019-09-14 22:12:56 +04:00			`security.sudo = {`
			`enable = true;`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`extraRules = [{`
use users module 2022-12-10 22:34:39 +03:00			`users = [ config.mainuser ];`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`commands = [{`
			`command = "/run/current-system/sw/bin/nixos-rebuild";`
			`options = [ "SETENV" "NOPASSWD" ];`
			`} {`
			`command = "/run/current-system/sw/bin/nix";`
			`options = [ "SETENV" "NOPASSWD" ];`
			`} {`
			`command = "/run/current-system/sw/bin/nix-shell";`
			`options = [ "SETENV" "NOPASSWD" ];`
			`}];`
			`}];`
			`# extraConfig = lib.concatStrings [''`
use users module 2022-12-10 22:34:39 +03:00			`# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`# ''`
			`# (if (isLaptop) then ''`
use users module 2022-12-10 22:34:39 +03:00			`# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat`
			`# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac`
			`# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`# '' else "")`
			`# ];`
Too many changes 2019-09-14 22:12:56 +04:00			`};`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`security.doas = {`
			`enable = true;`
			`extraRules = [{`
use users module 2022-12-10 22:34:39 +03:00			`users = [ config.mainuser ];`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`keepEnv = true;`
			`persist = true;`
			`} {`
use users module 2022-12-10 22:34:39 +03:00			`users = [ config.mainuser ];`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`noPass = true;`
			`keepEnv = true;`
			`cmd = "/run/current-system/sw/bin/btrfs";`
			`args = [ "fi" "usage" "/" ];`
			`}] ++ lib.optionals isLaptop [{`
use users module 2022-12-10 22:34:39 +03:00			`users = [ config.mainuser ];`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`noPass = true;`
			`keepEnv = true;`
			`cmd = "/run/current-system/sw/bin/tlp";`
			`} {`
use users module 2022-12-10 22:34:39 +03:00			`users = [ config.mainuser ];`
use doas instead of sudo 2022-12-07 22:13:34 +03:00			`noPass = true;`
			`keepEnv = true;`
			`cmd = "/run/current-system/sw/bin/tlp-stat";`
			`}];`
some changes in theme module 2021-09-16 01:03:52 +03:00			`};`
mass refactoring 2020-08-07 23:27:49 +04:00			`systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };`
use users module 2022-12-10 22:34:39 +03:00			`services.getty.autologinUser = config.mainuser;`
init commit 2019-08-27 23:41:02 +04:00			`}`