Verified Commit fc1ade65 authored by GovanifY

initial switch to profiles, add canary check

parent a4742439
navi
=====
== ===
navi(NixOS Advanced Virtual Infrastructure) is a set of NixOS configuration
files handling my own internal infrastructure.
files handling my own internal infrastructure.
Currently the machines populated by this configuration are:
......
TODO list sorted by priority:
* workflow: set up patchouli to have regular and automated backups
* security: security hardening through sandboxing
* security: tor profiles and fix iana
* xdg: nixpkgs PR, check if xdg patches actually work
* workflow: set up patchouli to have regular and automated backups
* security: security hardening through sandboxing
* security: tor profiles and fix iana
* xdg: nixpkgs PR, check if xdg patches actually work
* locale: sync mozc/ibus settings, saner defaults
* workflow: fix GTK theme
* workflow: fix re-scaling after swaylock
......
......@@ -6,7 +6,7 @@ echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secret
| sha256sum --check --status &> /dev/null
if [ "$?" -ne 0 ]; then
echo "failed to verify canary"
echo "failed to verify canary, TODO: start whole-infra bootstrap"
fi
if [ "$#" -ne 2 ]; then
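Review bot: The failure branch only prints a message — after `fi` the script falls through to the argument check on the very next line, so a missing or modified secret file is reported but nothing is enforced; end the branch with `echo "failed to verify canary, TODO: start whole-infra bootstrap" >&2` followed by `exit 1` so the canary actually gates the rest of the run. `&> /dev/null` also discards sha256sum's own diagnostic, which is the only output that distinguishes a digest mismatch from a file that could not be read, so consider letting stderr through. If the intent behind the TODO is to deliberately continue into a bootstrap path on failure, say so in a comment beside the check, because as written it reads like a guard. The enclosing script starts before this hunk.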
......
{ config, pkgs, ... }:
{
home-manager.users.govanify = {
programs.git = {
enable = true;
package = pkgs.gitAndTools.gitFull;
userEmail = "gauvain@govanify.com";
userName = "Gauvain 'GovanifY' Roussel-Tarbouriech";
ignores = [ "compile_commands.json" ];
extraConfig = {
pull.rebase = true;
sendemail = {
smtpserver = "${pkgs.msmtp}/bin/msmtp";
smtpserveroption = [ "-a" "govanify" ];
};
};
# use our gpg key by default
signing = {
signByDefault = true;
key = "52142D39A7CEF8FA872BCA7FDE62E1E2A6145556";
};
};
};
navi.components.mail = {
enable = true;
accounts.govanify = {
email = "gauvain@govanify.com";
name = "Gauvain Roussel-Tarbouriech";
pgp_key = "52142D39A7CEF8FA872BCA7FDE62E1E2A6145556";
host = "govanify.com";
signature = ''
Respectfully,
Gauvain Roussel-Tarbouriech
'';
primary = true;
};
accounts.esgi-nf = {
email = "esgi-nf@govanify.com";
name = "Gauvain Roussel-Tarbouriech";
host = "govanify.com";
signature = ''
Respectfully,
Gauvain Roussel-Tarbouriech
'';
primary = false;
};
unread_notif = [ "govanify/INBOX" ];
};
# all our trusted build bots
nix.buildMachines = [{
hostName = "alastor";
system = "x86_64-linux";
maxJobs = 4;
speedFactor = 2;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ];
}];
}
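Review bot: The `# all our trusted build bots` comment understates what `nix.buildMachines` grants: the local daemon copies whatever alastor returns into the store without rebuilding or checking it, so a compromised builder can substitute arbitrary outputs for anything this host builds, and the entry sets no `sshUser`/`sshKey`, so authentication falls back to the daemon's (root's) ssh configuration. Suggest widening the comment to `# remote builders are fully trusted: their outputs enter the local store unverified; ssh identity comes from root's ssh config (no sshUser/sshKey set)`. Separately, the same fingerprint is written twice, as `signing.key` and as `accounts.govanify.pgp_key`; hoisting it into a single `let` binding would keep the two from drifting. No file header is visible for this section, so this appears to be a newly added file.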
......@@ -75,19 +75,25 @@ in
'';
nixpkgs.overlays = [
(self: super: {
grub2 = super.grub2.overrideAttrs (oldAttrs: rec {
postPatch = grubPatch;
});
})
(
self: super: {
grub2 = super.grub2.overrideAttrs (
oldAttrs: rec {
postPatch = grubPatch;
}
);
}
)
];
boot.kernelPatches = [{
name = "silent-boot";
patch = null;
extraConfig = ''
X86_VERBOSE_BOOTUP n
'';
}];
boot.kernelPatches = [
{
name = "silent-boot";
patch = null;
extraConfig = ''
X86_VERBOSE_BOOTUP n
'';
}
];
};
}
......@@ -2,8 +2,10 @@
with lib;
{
imports = [
(import "${builtins.fetchTarball
https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos")
(
import "${builtins.fetchTarball
https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos"
)
./tor.nix
./bootloader.nix
./xdg.nix
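Review bot: `builtins.fetchTarball https://github.com/rycee/home-manager/archive/master.tar.gz` is still unpinned after this reformat: there is no `sha256`, so every evaluation imports whatever GitHub serves for master at that moment, and what it imports becomes part of the system configuration that `nixos-rebuild` applies. Pin it with the attribute form, `import "${builtins.fetchTarball { url = "https://github.com/rycee/home-manager/archive/<REV>.tar.gz"; sha256 = "<HASH>"; }}/nixos"`, with the revision and hash filled in (placeholders here), so a changed upstream fails evaluation instead of being applied silently. The commit only re-parenthesizes the line; the unpinned fetch predates it.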
......
......@@ -3,9 +3,13 @@ with lib;
let
cfg = config.navi.components.hardening;
kernelPackages = with pkgs;
recurseIntoAttrs (linuxPackagesFor (linux_latest_hardened.override {
features.ia32Emulation = true;
}));
recurseIntoAttrs (
linuxPackagesFor (
linux_latest_hardened.override {
features.ia32Emulation = true;
}
)
);
in
{
options.navi.components.hardening = {
......@@ -42,13 +46,15 @@ in
config = mkIf cfg.enable {
# Use the hardened kernel but keep IA32 emulation.
boot.kernelPackages = mkIf cfg.legacy kernelPackages;
boot.kernelPatches = mkIf cfg.legacy [{
name = "keep-ia32";
patch = null;
extraConfig = ''
IA32_EMULATION y
'';
}];
boot.kernelPatches = mkIf cfg.legacy [
{
name = "keep-ia32";
patch = null;
extraConfig = ''
IA32_EMULATION y
'';
}
];
environment.memoryAllocator.provider = if cfg.scudo then "scudo" else "libc";
security.lockKernelModules = cfg.modules;
......
......@@ -4,16 +4,18 @@ let
cfg = config.navi.components.editor;
# contains some patches for syntastic and Tagbar support since upstream is
# abandonned
workspace = pkgs.vimPlugins.vim-obsession.overrideAttrs (oldAttrs: rec {
src = pkgs.fetchFromGitHub {
owner = "GovanifY";
repo = "vim-session";
rev = "13b906f18ad0fa88f0be038237a71aa34b3335da";
sha256 = "1hf8gzh42iq46z6b471w6bl44nhwa9h8s02pmg1w482bvhc621w4";
};
version = "2020-12-16";
pname = "vim-session";
});
workspace = pkgs.vimPlugins.vim-obsession.overrideAttrs (
oldAttrs: rec {
src = pkgs.fetchFromGitHub {
owner = "GovanifY";
repo = "vim-session";
rev = "13b906f18ad0fa88f0be038237a71aa34b3335da";
sha256 = "1hf8gzh42iq46z6b471w6bl44nhwa9h8s02pmg1w482bvhc621w4";
};
version = "2020-12-16";
pname = "vim-session";
}
);
vimConf = {
programs.neovim = {
enable = true;
......
......@@ -59,81 +59,92 @@ in
};
config = mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
firefox = super.wrapFirefox super.firefox-unwrapped {
# automatic updates are not possible at the moment: https://github.com/NixOS/nixpkgs/issues/105783
# probably should drop within the next year (i hope)
nixExtensions = [
(pkgs.fetchFirefoxAddon {
name = "ublock-origin";
url = "https://github.com/gorhill/uBlock/releases/download/1.32.4/uBlock0_1.32.4.firefox.xpi";
sha256 = "05ld465vs92ahaia0z8ifj0m9sdx85k9dshdy8nvil0r0si7cwrh";
})
(pkgs.fetchFirefoxAddon {
name = "decentraleyes";
url = "https://git.synz.io/Synzvato/decentraleyes/uploads/a36861e0609e43d87379805ca0db063f/Decentraleyes.v2.0.15-firefox.xpi";
sha256 = "1pvdb0fz7jqbzwlrhdkjxhafai70bncywdsx3qsw3325d28hcm15";
})
(pkgs.fetchFirefoxAddon {
name = "stylus";
url = "https://addons.mozilla.org/firefox/downloads/file/3614089/stylus-1.5.13-fx.xpi";
sha256 = "0nd1g3vr9vbpk6hqixsg1dqyh7pi075b7fiir4706khlapk7kcrb";
})
(pkgs.fetchFirefoxAddon {
name = "noscript";
url = "https://addons.mozilla.org/firefox/downloads/file/3705391/noscript_security_suite-11.1.8-an+fx.xpi";
sha256 = "0w1q2ah2g23fkjxiwr1ky9icjzgknyqypdlg50a4d86z1iag3g46";
})
(pkgs.fetchFirefoxAddon {
name = "forget-me-not";
url = "https://addons.mozilla.org/firefox/downloads/file/3577046/forget_me_not_forget_cookies_other_data-2.2.8-an+fx.xpi";
sha256 = "1qrbfsf5vmbyis29mhlmwb6dj933rrwpislpg0xi8b4r9xplb107";
})
];
extraPolicies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = true;
EncryptedMediaExtensions.Enable = false;
SearchSuggestEnabled = false;
OfferToSaveLogins = false;
NetworkPrediction = false;
OverridePostUpdatePage = "";
FirefoxHome = {
Search = false;
Pocket = false;
Snippets = false;
Highlights = false;
TopSites = true;
(
self: super: {
firefox = super.wrapFirefox super.firefox-unwrapped {
# automatic updates are not possible at the moment: https://github.com/NixOS/nixpkgs/issues/105783
# probably should drop within the next year (i hope)
nixExtensions = [
(
pkgs.fetchFirefoxAddon {
name = "ublock-origin";
url = "https://github.com/gorhill/uBlock/releases/download/1.32.4/uBlock0_1.32.4.firefox.xpi";
sha256 = "05ld465vs92ahaia0z8ifj0m9sdx85k9dshdy8nvil0r0si7cwrh";
}
)
(
pkgs.fetchFirefoxAddon {
name = "decentraleyes";
url = "https://git.synz.io/Synzvato/decentraleyes/uploads/a36861e0609e43d87379805ca0db063f/Decentraleyes.v2.0.15-firefox.xpi";
sha256 = "1pvdb0fz7jqbzwlrhdkjxhafai70bncywdsx3qsw3325d28hcm15";
}
)
(
pkgs.fetchFirefoxAddon {
name = "stylus";
url = "https://addons.mozilla.org/firefox/downloads/file/3614089/stylus-1.5.13-fx.xpi";
sha256 = "0nd1g3vr9vbpk6hqixsg1dqyh7pi075b7fiir4706khlapk7kcrb";
}
)
(
pkgs.fetchFirefoxAddon {
name = "noscript";
url = "https://addons.mozilla.org/firefox/downloads/file/3705391/noscript_security_suite-11.1.8-an+fx.xpi";
sha256 = "0w1q2ah2g23fkjxiwr1ky9icjzgknyqypdlg50a4d86z1iag3g46";
}
)
(
pkgs.fetchFirefoxAddon {
name = "forget-me-not";
url = "https://addons.mozilla.org/firefox/downloads/file/3577046/forget_me_not_forget_cookies_other_data-2.2.8-an+fx.xpi";
sha256 = "1qrbfsf5vmbyis29mhlmwb6dj933rrwpislpg0xi8b4r9xplb107";
}
)
];
extraPolicies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = true;
EncryptedMediaExtensions.Enable = false;
SearchSuggestEnabled = false;
OfferToSaveLogins = false;
NetworkPrediction = false;
OverridePostUpdatePage = "";
FirefoxHome = {
Search = false;
Pocket = false;
Snippets = false;
Highlights = false;
TopSites = true;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
};
SupportMenu = {
Title = "${config.navi.branding}'s browser";
URL = "https://govanify.com";
};
SearchBar = "unified";
PictureInPicture.Enabled = false;
PasswordManagerEnabled = false;
NoDefaultBookmarks = false;
DontCheckDefaultBrowser = true;
DisableSetDesktopBackground = true;
# probably handled by nix extensions but oh well
DisableSystemAddonUpdate = true;
ExtensionUpdate = false;
EnableTrackingProtection = {
Value = false;
Locked = true;
};
DisableFeedbackCommands = true;
SearchEngines.Default = "DuckDuckGo";
BlockAboutAddons = true;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
};
SupportMenu = {
Title = "${config.navi.branding}'s browser";
URL = "https://govanify.com";
};
SearchBar = "unified";
PictureInPicture.Enabled = false;
PasswordManagerEnabled = false;
NoDefaultBookmarks = false;
DontCheckDefaultBrowser = true;
DisableSetDesktopBackground = true;
# probably handled by nix extensions but oh well
DisableSystemAddonUpdate = true;
ExtensionUpdate = false;
EnableTrackingProtection = {
Value = false;
Locked = true;
};
DisableFeedbackCommands = true;
SearchEngines.Default = "DuckDuckGo";
BlockAboutAddons = true;
};
extraPrefs = ''
extraPrefs = ''
// make tracking much harder
lockPref("privacy.resistFingerprinting", true);
lockPref("privacy.firstparty.isolate", true);
......@@ -191,10 +202,11 @@ in
lockPref("devtools.theme", "dark");
lockPref("extensions.activeThemeID", "firefox-compact-dark@mozilla.org");
'';
# TODO: disable drmSupport in nix?
forceWayland = true;
};
})
# TODO: disable drmSupport in nix?
forceWayland = true;
};
}
)
];
# blame them, not me
......@@ -213,4 +225,3 @@ in
environment.systemPackages = with pkgs; [ firefox ];
};
}
......@@ -23,10 +23,12 @@ in
boot.plymouth.themePackages = [ breeze-navi ];
security.wrappers = {
plymouth-quit.source =
(pkgs.writeScriptBin "plymouth-quit" ''
#!${pkgs.bash}/bin/bash -p
${pkgs.systemd}/bin/systemctl start plymouth-quit.service
'').outPath + "/bin/plymouth-quit";
(
pkgs.writeScriptBin "plymouth-quit" ''
#!${pkgs.bash}/bin/bash -p
${pkgs.systemd}/bin/systemctl start plymouth-quit.service
''
).outPath + "/bin/plymouth-quit";
};
systemd.services.systemd-ask-password-plymouth.enable = lib.mkForce false;
# XXX: for some reason shellInit isn't called by plymouth which never starts
......
......@@ -55,17 +55,19 @@ let
bat-opt = if cfg.battery then " | bat: $battery_info" else "";
status-sh = pkgs.writeShellScript "status.sh" (''
date_formatted=$(date "+%a %d/%m/%Y %H:%M")
mail=$(cat ~/.local/share/mail/unread)
'' + optionalString cfg.battery ''
battery_status=$(cat /sys/class/power_supply/BAT/status)
battery_info=$(upower --show-info $(upower --enumerate |\
grep 'BAT') |\
egrep "state|percentage" | grep -oP '[0-9]*%')
'' + ''
echo "mail: $mail${bat-opt} | $date_formatted"
'');
status-sh = pkgs.writeShellScript "status.sh" (
''
date_formatted=$(date "+%a %d/%m/%Y %H:%M")
mail=$(cat ~/.local/share/mail/unread)
'' + optionalString cfg.battery ''
battery_status=$(cat /sys/class/power_supply/BAT/status)
battery_info=$(upower --show-info $(upower --enumerate |\
grep 'BAT') |\
egrep "state|percentage" | grep -oP '[0-9]*%')
'' + ''
echo "mail: $mail${bat-opt} | $date_formatted"
''
);
layout-keycaps =
if cfg.azerty then ''
......
......@@ -3,107 +3,123 @@ with lib;
let
cfg = config.navi.components.mail;
notmuch_email_list = concatStringsSep ";" (mapAttrsToList
(name: account: optionalString (!account.primary) "${account.email}")
cfg.accounts);
notmuch_config = concatStringsSep "\n" (mapAttrsToList
(name: account:
optionalString account.primary ''
[database]
path=/home/${config.navi.username}/.local/share/mail
[user]
name=${account.name}
primary_email=${account.email}
other_email=${notmuch_email_list}
[new]
tags=unread;inbox;
ignore=
[search]
exclude_tags=deleted;spam;
[maildir]
synchronize_flags=true
[crypto]
gpg_path=gpg
'')
cfg.accounts);
mailsync = pkgs.writeShellScript "mailsync.sh" (''
if [ ! -z "$1" ]; then
# we have to be nice to systemd apparently
# https://github.com/systemd/systemd/issues/2123
export HOME=$1
export XDG_CONFIG_HOME=$HOME/.config
export XDG_CACHE_HOME=$HOME/.cache
export XDG_DATA_HOME=$HOME/.local/share
export WGETRC=$HOME/.config/wgetrc
export PASSWORD_STORE_DIR=$HOME/.config/pass
export GNUPGHOME=$HOME/.config/gnupg
fi
# Run only if not already running in other instance
pgrep -x mbsync >/dev/null && { echo "mbsync is already running." ; exit ;}
# check if the mailserver is online || if we have internet connection
wget -q --spider https://govanify.com || { echo "No internet connection detected."; exit ;}
# Check account for new mail. Notify if there is new content.
syncandnotify() {
acc="$(echo "$account" | sed "s/.*\///")"
mkdir -p ~/.local/share/mail/$acc
mbsync -c $XDG_CONFIG_HOME/mbsync/config "$acc" || touch /tmp/mailfail
}
# Sync accounts passed as argument or all.
accounts="$(awk '/^Channel/ {print $2}' "$XDG_CONFIG_HOME/mbsync/config")"
rm /tmp/mailfail 2>/dev/null
# Parallelize multiple accounts
for account in $accounts
do
syncandnotify &
done
wait
notmuch new 2>/dev/null
if test -f "/tmp/mailfail"; then
echo "error" > ~/.local/share/mail/unread && exit 1
fi
add=0
'' + concatStringsSep "\n" (map
(notif:
"add=$(($add+`find $XDG_DATA_HOME/mail/${notif} -type f | grep -vE ',[^,]*S[^,]*$' | xargs basename -a | grep -v \"^\\.\" | wc -l`))")
cfg.unread_notif) + "\necho $add > $XDG_DATA_HOME/mail/unread");
isync_config = concatStringsSep "\n" (mapAttrsToList
(name: account: ''
IMAPStore ${name}-remote
Host ${account.host}
Port 993
User ${account.email}
PassCmd "pass ${config.navi.branding}/${account.email} | head -n 1"
SSLType IMAPS
CertificateFile /etc/ssl/certs/ca-certificates.crt
MaildirStore ${name}-local
Subfolders Verbatim
Path ~/.local/share/mail/${name}/
Inbox ~/.local/share/mail/${name}/INBOX
Flatten .
Channel ${name}
Expunge Both
Master :${name}-remote:
Slave :${name}-local:
Create Both
Remove Both
SyncState *
MaxMessages 0
ExpireUnread no
Patterns *
'')
cfg.accounts);
notmuch_email_list = concatStringsSep ";" (
mapAttrsToList
(name: account: optionalString (!account.primary) "${account.email}")
cfg.accounts
);
notmuch_config = concatStringsSep "\n" (
mapAttrsToList
(
name: account:
optionalString account.primary ''
[database]
path=/home/${config.navi.username}/.local/share/mail
[user]
name=${account.name}
primary_email=${account.email}
other_email=${notmuch_email_list}
[new]
tags=unread;inbox;
ignore=
[search]
exclude_tags=deleted;spam;
[maildir]
synchronize_flags=true
[crypto]
gpg_path=gpg
''
)
cfg.accounts
);
mailsync = pkgs.writeShellScript "mailsync.sh" (
''
if [ ! -z "$1" ]; then
# we have to be nice to systemd apparently
# https://github.com/systemd/systemd/issues/2123
export HOME=$1
export XDG_CONFIG_HOME=$HOME/.config
export XDG_CACHE_HOME=$HOME/.cache
export XDG_DATA_HOME=$HOME/.local/share
export WGETRC=$HOME/.config/wgetrc
export PASSWORD_STORE_DIR=$HOME/.config/pass
export GNUPGHOME=$HOME/.config/gnupg
fi
# Run only if not already running in other instance
pgrep -x mbsync >/dev/null && { echo "mbsync is already running." ; exit ;}
# check if the mailserver is online || if we have internet connection
wget -q --spider https://govanify.com || { echo "No internet connection detected."; exit ;}
# Check account for new mail. Notify if there is new content.
syncandnotify() {
acc="$(echo "$account" | sed "s/.*\///")"
mkdir -p ~/.local/share/mail/$acc
mbsync -c $XDG_CONFIG_HOME/mbsync/config "$acc" || touch /tmp/mailfail
}