Add dotfiles

2026-03-09 11:53:12 +00:00 · 2024-03-26 11:39:16 +00:00 · 2024-03-26 11:39:16 +00:00 · 39fe550b3e
commit 39fe550b3e
45 changed files with 4363 additions and 0 deletions
--- a/modules/core/schizo.nix
+++ b/modules/core/schizo.nix
@ -0,0 +1,152 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  services.tor = {
+    enable = true;
+    client.enable = true;
+    torsocks.enable = true;
+  };
+  environment.systemPackages = with pkgs; [
+    (writeScriptBin "sudo" ''exec doas "$@"'')
+  ];
+  security = {
+    protectKernelImage = true;
+    lockKernelModules = false;
+    rtkit.enable = true;
+    apparmor = {
+      enable = true;
+      killUnconfinedConfinables = true;
+      packages = [pkgs.apparmor-profiles];
+    };
+    pam = {
+      loginLimits = [
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "soft";
+          value = "524288";
+        }
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "hard";
+          value = "1048576";
+        }
+      ];
+      services = {
+        login.enableGnomeKeyring = true;
+      };
+    };
+
+
+    doas = {
+      enable = true;
+      extraRules = [
+        {
+          groups = ["wheel"];
+          persist = true;
+          keepEnv = false;
+        }
+        {
+          groups = ["power"];
+          noPass = true;
+          cmd = "${pkgs.systemd}/bin/poweroff";
+        }
+        {
+          groups = ["power"];
+          noPass = true;
+          cmd = "${pkgs.systemd}/bin/reboot";
+        }
+        {
+          groups = ["nix"];
+          cmd = "nix-collect-garbage";
+          noPass = true;
+        }
+        {
+          groups = ["nix"];
+          cmd = "nixos-rebuild";
+          keepEnv = true;
+        }
+      ];
+    };
+    sudo.enable = false;
+  };
+
+  boot.kernel.sysctl = {
+    "kernel.yama.ptrace_scope" = 2;
+    "kernel.kptr_restrict" = 2;
+    "kernel.sysrq" = 0;
+    "net.core.bpf_jit_enable" = false;
+    "kernel.ftrace_enabled" = false;
+    "net.ipv4.conf.all.log_martians" = true;
+    "net.ipv4.conf.all.rp_filter" = "1";
+    "net.ipv4.conf.default.log_martians" = true;
+    "net.ipv4.conf.default.rp_filter" = "1";
+    "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+    "net.ipv4.conf.all.accept_redirects" = false;
+    "net.ipv4.conf.all.secure_redirects" = false;
+    "net.ipv4.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.default.secure_redirects" = false;
+    "net.ipv6.conf.all.accept_redirects" = false;
+    "net.ipv6.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.all.send_redirects" = false;
+    "net.ipv4.conf.default.send_redirects" = false;
+    "net.ipv6.conf.default.accept_ra" = 0;
+    "net.ipv6.conf.all.accept_ra" = 0;
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_timestamps" = 0;
+    "net.ipv4.tcp_rfc1337" = 1;
+    "net.ipv4.tcp_fastopen" = 3;
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  # Security
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "vivid"
+    "gfs2"
+    "ksmbd"
+    "nfsv4"
+    "nfsv3"
+    "cifs"
+    "nfs"
+    "cramfs"
+    "freevxfs"
+    "jffs2"
+    "hfs"
+    "hfsplus"
+    "squashfs"
+    "udf"
+    "bluetooth"
+    "btusb"
+    # "uvcvideo" # thats why your webcam not worky
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "omfs"
+    # "uvcvideo"
+    "qnx4"
+    "qnx6"
+    "sysv"
+  ];
+}