Split system config into tons of modules!

2025-07-06 06:52:13 +05:30 · 2023-06-20 22:08:25 -05:00 · 2023-06-20 22:08:25 -05:00 · 8262f63886
commit 8262f63886
parent 74c00ca4ef
21 changed files with 266 additions and 180 deletions
--- a/system/security/blocklist.nix
+++ b/system/security/blocklist.nix
@ -0,0 +1,9 @@
+{ config, blocklist-hosts, pkgs, ... }:
+
+let blocklist = builtins.readFile "${blocklist-hosts}/alternates/gambling-porn/hosts";
+in
+{
+  networking.extraHosts = ''
+    "${blocklist}"
+  '';
+}
--- a/system/security/doas.nix
+++ b/system/security/doas.nix
@ -0,0 +1,16 @@
+{ config, myName, pkgs, ... }:
+
+{
+  # Doas instead of sudo
+  security.doas.enable = true;
+  security.sudo.enable = false;
+  security.doas.extraRules = [{
+    users = [ "${myName}" ];
+    keepEnv = true;
+    persist = true;
+  }];
+
+  environment.systemPackages = [
+    (pkgs.writeScriptBin "sudo" ''exec doas "$@"'')
+  ];
+}
--- a/system/security/firewall.nix
+++ b/system/security/firewall.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  # Firewall
+  networking.firewall.enable = true;
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+}
--- a/system/security/gpg.nix
+++ b/system/security/gpg.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+}
--- a/system/security/openvpn.nix
+++ b/system/security/openvpn.nix
@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.openvpn ];
+  environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+}
--- a/system/security/sshd.nix
+++ b/system/security/sshd.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  # Enable incoming ssh
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    # TODO authorizedKeysFiles = "";
+  };
+}