Compare commits


No commits in common. "a65cbaee81ef5519ea82d41cc9c6348f227b44ac" and "32f40cac94f0d5c6e0c21bd8cc82b5edae0cbc67" have entirely different histories.

52 changed files with 1120 additions and 1799 deletions

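--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,9 +4,6 @@ _: {
 enable = true;
 wheelNeedsPassword = true;
 execWheelOnly = true;
-extraConfig = ''
-Defaults !pwfeedback
-'';
 };
 };
 }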

837
flake.lock generated


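--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -13,8 +13,6 @@ _: {
 "https://chaotic-nyx.cachix.org/"
 # nix-community
 "https://hydra.nix-community.org/"
-# yandex mirror
-"https://mirror.yandex.ru/nixos/"
 ];
 };
 };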


@ -84,7 +84,7 @@
"exfil" = [ "exfil" = [
{ {
run = ''${lib.getExe pkgs.ouch} d "%s"''; run = ''${lib.getExe pkgs.ouch} de "%s"'';
block = true; block = true;
for = "unix"; for = "unix";
} }

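--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,9 +4,6 @@ _: {
 enable = true;
 wheelNeedsPassword = true;
 execWheelOnly = true;
-extraConfig = ''
-Defaults !pwfeedback
-'';
 };
 };
 }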


@ -1,228 +0,0 @@
{
lib,
name,
pkgs,
...
}: {
boot = {
initrd = {
availableKernelModules = [
"virtio_rng"
"virtio_pci"
"virtio_net"
"virtio_scsi"
"virtio_blk"
"sd_mod"
"sr_mod"
"dm_crypt"
];
luks = {
mitigateDMAAttacks = true;
cryptoModules = [
"aesni_intel"
"cryptd"
];
};
systemd = {
enable = true;
emergencyAccess = false;
extraBin = {
"pw" = "${lib.getExe' pkgs.systemd "systemd-tty-ask-password-agent"}";
};
network = {
networks = lib.mkMerge [
(
lib.mkIf (
name == "ivy"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "93.115.203.92/24";
}
{
Address = "2001:67c:263c::8fa/64";
}
];
routes = [
{
Gateway = "93.115.203.1";
}
{
Gateway = "2001:67c:263c::1";
}
];
};
}
)
(
lib.mkIf (
name == "mel"
)
{
"10-eth0" = {
matchConfig = {
Name = "eth0";
};
addresses = [
{
Address = "45.11.229.245/24";
}
{
Address = "2a0e:97c0:3e3:20a::1/64";
}
];
networkConfig = {
IPv6AcceptRA = false;
};
routes = [
{
Gateway = "45.11.229.1";
}
{
Gateway = "fe80::1";
GatewayOnLink = true;
}
];
};
}
)
(
lib.mkIf (
name == "yara"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "138.124.240.75/32";
}
{
Address = "2a0d:d940:1a:1500::2/56";
}
];
networkConfig = {
IPv6AcceptRA = false;
};
routes = [
{
Gateway = "10.0.0.1";
GatewayOnLink = true;
}
{
Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true;
}
];
};
}
)
(
lib.mkIf (
name == "hazel"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "90.156.226.152";
}
{
Address = "2a03:6f01:1:2::cb1e";
}
];
routes = [
{
Gateway = "90.156.226.1";
}
{
Gateway = "2a03:6f01:1:2::1";
GatewayOnLink = true;
}
];
networkConfig = {
IPv6AcceptRA = false;
};
};
}
)
(
lib.mkIf (
name == "lynn"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "138.124.72.244";
}
];
routes = [
{
Gateway = "138.124.72.1";
}
];
};
}
)
];
};
};
network = {
enable = true;
ssh = {
enable = true;
port = 27485;
hostKeys = [
"/etc/ssh/initrd_ssh_host_ed25519_key"
];
};
};
};
};
}

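--- /dev/null
+++ b/(path not shown on page)
@@ -0,0 +1,19 @@
+_: {
+boot = {
+initrd = {
+availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"xen_blkfront"
+"vmw_pvscsi"
+"virtio_net"
+"virtio_pci"
+"virtio_mmio"
+"virtio_blk"
+"virtio_scsi"
+"9p"
+"9pnet_virtio"
+];
+};
+};
+}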

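--- /dev/null
+++ b/(path not shown on page)
@@ -0,0 +1,14 @@
+_: {
+boot = {
+initrd = {
+kernelModules = [
+"virtio_balloon"
+"virtio_console"
+"virtio_rng"
+"virtio_gpu"
+"nvme"
+"kvm-amd"
+];
+};
+};
+}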


@ -1,93 +1,11 @@
{self, ...}: { _: {
boot = { boot = {
kernelPackages = self.inputs."nix-cachyos-kernel".legacyPackages.x86_64-linux.linuxPackages-cachyos-hardened-lto;
kernelParams = [
"slab_nomerge"
"init_on_alloc=1"
"init_on_free=1"
"page_alloc.shuffle=1"
"oops=panic"
"mitigations=all"
"spectre_v2=on"
"spec_store_bypass_disable=on"
"l1tf=full,force"
"mds=full,force"
"tsx=off"
"tsx_async_abort=full,force"
"kvm.nx_huge_pages=force"
"page_poison=1"
"iommu=force"
"intel_iommu=on"
"amd_iommu=on"
"bpf_jit_enable=0"
];
blacklistedKernelModules = [
"dccp"
"sctp"
"rds"
"tipc"
"hfs"
"hfsplus"
"squashfs"
"jfs"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
"zfs"
"ntfs"
"bluetooth"
"btusb"
"uvcvideo"
"joydev"
"pcspkr"
"snd_pcsp"
];
kernel = { kernel = {
sysctl = { sysctl = {
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.rp_filter" = 1; "net.ipv4.ip_nonlocal_bind" = 1;
"net.ipv4.conf.all.accept_redirects" = 0; "net.ipv6.ip_nonlocal_bind" = 1;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_syncookies" = 1;
"net.core.bpf_jit_harden" = 2;
"dev.tty.ldisc_autoload" = 0;
"kernel.yama.ptrace_scope" = 2;
"kernel.core_pattern" = "|/bin/false";
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
"kernel.unprivileged_bpf_disabled" = 1;
"kernel.unprivileged_userns_clone" = 0;
"kernel.perf_event_paranoid" = 3;
"kernel.kstack_override" = 0;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.protected_hardlinks" = 1;
"fs.protected_symlinks" = 1;
}; };
}; };
}; };
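Review bot: The new sysctl block keeps `"net.ipv4.ip_forward" = 1;` and `"net.ipv6.conf.all.forwarding" = 1;` but no longer sets `rp_filter` or any of the `accept_redirects`/`secure_redirects` keys, so the host forwards traffic while still honouring ICMP redirects and unchecked source addresses. Keep at least `"net.ipv4.conf.all.rp_filter" = 1;`, `"net.ipv4.conf.all.accept_redirects" = 0;` and `"net.ipv6.conf.all.accept_redirects" = 0;` beside the forwarding keys (the `default.*` variants as well). The two added `ip_nonlocal_bind = 1` lines deserve a comment naming the service that binds a non-local address, since nothing else in this diff needs it. The `kptr_restrict`, `dmesg_restrict` and `yama.ptrace_scope` settings dropped here do not depend on the kernel-package change and could stay even if the hardened kernel goes.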


@ -1,7 +1,7 @@
_: { _: {
boot = { boot = {
loader = { loader = {
liminie = { grub = {
enable = true; enable = true;
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;

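--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -2,10 +2,6 @@ _: {
 boot = {
 tmp = {
 cleanOnBoot = true;
-useZram = true;
-useTmpfs = true;
-tmpfsSize = "50%";
-tmpfsHugeMemoryPages = "within_size";
 };
 };
 }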


@ -1,126 +0,0 @@
_: {
containers = {
"mihomo" = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.1";
localAddress = "192.168.101.2";
bindMounts = {
"acme" = {
isReadOnly = true;
hostPath = "/var/lib/acme/hand7s.org";
mountPoint = "/var/lib/acme/hand7s.org";
};
};
config = {
pkgs,
name,
lib,
...
}: {
services = {
mihomo = {
enable = true;
configFile = (pkgs.formats.yaml {}).generate "config.yaml" {
dns = {
enable = true;
enhanced-mode = "fake-ip";
respect-rules = true;
nameserver = [
"tcp://192.168.101.1:8853"
];
};
sniffer = {
enable = true;
sniff = {
quic = {
ports = [
443
];
};
tls = {
override-destination = true;
ports = [
443
8443
];
};
};
};
rules = [
"IP-CIDR,10.0.0.0/8,DIRECT,no-resolve"
"IP-CIDR,127.0.0.0/8,DIRECT,no-resolve"
"MATCH,direct"
];
experimental = {
udp-base-routing = true;
};
profile = {
store-selected = false;
store-fake-ip = false;
};
listeners = [
{
name = "hy2-in";
type = "hysteria2";
listen = "[::]";
port = 443;
masquerade = "https://hand7s.org";
up = "100 Mbps";
down = "100 Mpbs";
obfs = "salamander";
obfs-password = lib.hashString "md5" "password";
certificate = "/var/lib/acme/hand7s.org/cert.pem";
private-key = "/var/lib/acme/hand7s.org/key.pem";
users = [
"hand7s:"
];
}
{
name = "vless-in";
type = "vless";
listen = "[::]";
port = 8443;
udp = true;
reality-config = {
dest = "192.168.101.1:444";
private-key = lib.hasString "md5" "pkb";
short-id = [
"shortie"
];
server-names = [
"${name}.hand7s.org"
];
};
users = [
{
username = "hand7s";
flow = "xtls-rprx-vision";
uuid = "very-real-uuid-btws";
}
];
}
];
};
};
};
};
};
};
}


@ -21,7 +21,7 @@
ESP = { ESP = {
name = "ESP"; name = "ESP";
size = "128M"; size = "1024M";
type = "EF00"; type = "EF00";
content = { content = {
type = "filesystem"; type = "filesystem";
@ -29,23 +29,12 @@
mountpoint = "/boot"; mountpoint = "/boot";
mountOptions = [ mountOptions = [
"umask=0077" "umask=0077"
"noexec"
"nosuid"
"nodev"
"ro"
]; ];
}; };
}; };
luks = { root = {
size = "100%"; size = "100%";
content = {
type = "luks";
name = "crypted";
settings = {
allowDiscards = true;
};
content = { content = {
type = "lvm_pv"; type = "lvm_pv";
vg = "pool"; vg = "pool";
@ -57,5 +46,4 @@
}; };
}; };
}; };
};
} }
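Review bot: The new `/boot` entry keeps only `"umask=0077"`; the `nodev`, `nosuid` and `noexec` options on the ESP went away together with `ro`, although none of them depend on the size change from 128M to 1024M. Restore `"nodev" "nosuid" "noexec"` in `mountOptions` and leave `ro` out only if the bootloader installer needs to write to the partition. The new `root` partition also places `lvm_pv` directly on disk instead of inside the LUKS container, so the volume group is unencrypted at rest; if that is intended, a comment on `root = {` saying so stops the next reader from treating it as an omission.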


@ -1,40 +1,23 @@
_: { {
disko = { disko = {
devices = { devices = {
lvm_vg = { lvm_vg = {
"pool" = { pool = {
type = "lvm_vg"; type = "lvm_vg";
lvs = { lvs = {
"root" = { root = {
size = "100%FREE"; size = "100%FREE";
content = { content = {
type = "btrfs"; type = "btrfs";
mountpoint = "/";
extraArgs = [ extraArgs = [
"-f" "-f"
]; ];
subvolumes = {
"/nix" = {
mountpoint = "/nix";
mountOptions = [ mountOptions = [
"compress=zstd" "compress=zstd"
"noatime"
"nodev"
"nosuid"
]; ];
}; };
"/persist" = {
mountpoint = "/persist";
mountOptions = [
"compress=zstd"
"noatime"
"nodev"
"nosuid"
];
};
};
};
}; };
}; };
}; };

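--- a/(path not shown on page)
+++ /dev/null
@@ -1,18 +0,0 @@
-_: {
-disko = {
-devices = {
-nodev = {
-"/" = {
-fsType = "tmpfs";
-mountOptions = [
-"size=1G"
-"mode=755"
-"nodev"
-"nosuid"
-"rw"
-];
-};
-};
-};
-};
-}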

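--- a/(path not shown on page)
+++ /dev/null
@@ -1,7 +0,0 @@
-{pkgs, ...}: {
-environment = {
-memoryAllocator = {
-provider = pkgs.graphene-hardened;
-};
-};
-}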


@ -1,64 +0,0 @@
_: {
environment = {
persistence = {
"/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/etc/ssh"
"/var/lib/nixos"
"/var/lib/netbird"
"/var/lib/netbird-wt0"
"/var/lib/firewalld"
{
directory = "/var/lib/traefik";
user = "traefik";
group = "traefik";
mode = "0700";
}
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "0750";
}
{
directory = "/var/lib/sing-box";
user = "sing-box";
group = "sing-box";
mode = "0700";
}
{
directory = "/var/lib/step-ca";
user = "step-ca";
group = "step-ca";
mode = "0700";
}
{
directory = "/var/lib/acme";
user = "acme";
group = "acme";
mode = "0751";
}
{
directory = "/var/lib/otel-collector";
user = "otel-collector";
group = "otel-collector";
mode = "0700";
}
];
files = [
"/etc/machine-id"
];
};
};
};
}


@ -1,8 +1,8 @@
{pkgs, ...}: { {pkgs, ...}: {
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = [
# (lib.hiPrio uutils-coreutils-noprefix) pkgs.helix
# unless fix pkgs.comma
]; ];
enableAllTerminfo = true; enableAllTerminfo = true;

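--- a/(path not shown on page)
+++ /dev/null
@@ -1,7 +0,0 @@
-_: {
-fileSystems = {
-"/persist" = {
-neededForBoot = true;
-};
-};
-}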


@ -0,0 +1,25 @@
{self, ...}: {
home-manager = {
users = {
"hand7s" = {
imports = [
"${self}/hand7s/"
self.inputs.spicetify-nix.homeManagerModules.default
self.inputs.hyprland.homeManagerModules.default
self.inputs.chaotic.homeManagerModules.default
self.inputs.sops-nix.homeManagerModules.sops
self.inputs.nix-index-database.homeModules.nix-index
self.inputs.noctalia.homeModules.default
];
};
};
backupFileExtension = "force";
extraSpecialArgs = {
inherit
self
;
};
};
}

29
kyra/networking/dns.nix Normal file

@ -0,0 +1,29 @@
_: {
networking = {
nameservers = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
};
}

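--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,6 +4,15 @@ _: {
 substituters = [
 # cache.nixos.org
 "https://cache.nixos.org"
+# cache.garnix.org
+"https://cache.garnix.io"
+# cachix
+"https://nix-community.cachix.org/"
+"https://chaotic-nyx.cachix.org/"
+"https://hyprland.cachix.org"
+"https://chaotic-nyx.cachix.org/"
+# nix-community
+"https://hydra.nix-community.org/"
 ];
 };
 };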
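Review bot: `"https://chaotic-nyx.cachix.org/"` is listed twice in the new substituter list, and the comment `# cache.garnix.org` sits above a `cache.garnix.io` URL; drop the duplicate and make the comment match the host. The companion trusted-public-keys hunk has the same duplicate `chaotic-nyx` key and additionally trusts `ags.cachix.org`, for which no substituter exists. Every trusted key is a signer whose store paths nix will accept without question, so keep that list to caches this configuration actually pulls from.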

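--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,6 +4,14 @@ _: {
 trusted-public-keys = [
 # cache.nixos.org
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+# cache.garnix.io
+"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+# cachix.org
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+"ags.cachix.org-1:naAvMrz0CuYqeyGNyLgE010iUiuf/qx6kYrUv3NwAJ8="
+"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
 ];
 };
 };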

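--- a/(path not shown on page)
+++ /dev/null
@@ -1,7 +0,0 @@
-_: {
-programs = {
-fuse = {
-userAllowOther = true;
-};
-};
-}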

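--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -2,14 +2,6 @@ _: {
 programs = {
 nh = {
 enable = true;
-clean = {
-enable = true;
-dates = "daily";
-extraArgs = [
-"-k 2"
-"-K 1d"
-];
-};
 };
 };
 }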


@ -3,20 +3,14 @@
acme = { acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "me@hand7s.org"; email = "litvinovb0@gmail.com";
}; };
certs = { certs = {
"hand7s.org" = { "hand7s.org" = {
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
environmentFile = config.sops.templates."acme.env".path; credentialsFile = config.sops.templates."acme.env".path;
group = "mihomo"; group = "sing-box";
};
"ntp.hand7s.org" = {
dnsProvider = "cloudflare";
environmentFile = config.sops.templates."acme.env".path;
group = "ntpd-rs";
}; };
}; };
}; };

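--- a/(path not shown on page)
+++ /dev/null
@@ -1,10 +0,0 @@
-_: {
-security = {
-polkit = {
-enable = true;
-adminIdentities = [
-"unix-group:wheel"
-];
-};
-};
-}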

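--- a/(path not shown on page)
+++ /dev/null
@@ -1,9 +0,0 @@
-_: {
-security = {
-sudo-rs = {
-enable = true;
-wheelNeedsPassword = true;
-execWheelOnly = true;
-};
-};
-}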

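--- a/(path not shown on page)
+++ /dev/null
@@ -1,7 +0,0 @@
-{lib, ...}: {
-security = {
-sudo = {
-enable = lib.mkDefault false;
-};
-};
-}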

99
kyra/services/alloy.nix Normal file

@ -0,0 +1,99 @@
{
config,
pkgs,
...
}: {
services = {
alloy = {
enable = true;
configPath = pkgs.writeText "alloy-config.alloy" ''
loki.source.journal "system" {
max_age = "24h"
forward_to = [loki.process.production.receiver]
labels = {
host = "${config.networking.hostName}",
job = "journalctl",
}
}
loki.process "production" {
forward_to = [loki.write.viola.receiver]
stage.labels {
values = {
unit = "__journal_systemd_unit__",
}
}
stage.label_keep {
values = ["unit"]
}
stage.match {
selector = `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\\.service"}`
action = "drop"
}
}
prometheus.exporter.unix "node" {
enable_collectors = [
"cpu", "diskstats", "filesystem",
"loadavg", "meminfo", "netdev",
"time", "uname",
]
}
prometheus.scrape "node" {
targets = prometheus.exporter.unix.node.targets
forward_to = [prometheus.remote_write.viola.receiver]
scrape_interval = "30s"
job_name = "node"
}
prometheus.scrape "alloy" {
targets = [{"__address__" = "127.0.0.1:12345"}]
forward_to = [prometheus.remote_write.viola.receiver]
job_name = "alloy"
}
loki.write "viola" {
endpoint {
url = "http://100.109.123.164:3100/loki/api/v1/push"
}
}
prometheus.remote_write "viola" {
endpoint {
url = "http://100.109.123.164:9009/api/v1/push"
}
}
otelcol.receiver.otlp "default" {
grpc {
endpoint = "0.0.0.0:4317"
}
http {
endpoint = "0.0.0.0:4318"
}
output {
traces = [otelcol.exporter.otlp.tempo.input]
}
}
otelcol.exporter.otlp "tempo" {
client {
endpoint = "http://100.109.123.164:4317"
tls {
insecure = true
}
}
}
'';
};
};
}
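Review bot: The `otelcol.receiver.otlp "default"` block listens on `0.0.0.0:4317` and `0.0.0.0:4318` with no authentication or TLS, so anything that can reach the host on those ports can push data into the pipeline; the firewalld hunks in this diff do not open them on the wan zone, so exposure currently rests on the zone assignment alone. Bind the receiver to loopback or to the overlay address the exporters already target, e.g. `endpoint = "127.0.0.1:4317"`, unless remote clients are expected. The `tls { insecure = true }` on the tempo exporter together with the plain `http://` loki and remote_write endpoints means logs, metrics and traces cross the link to 100.109.123.164 unencrypted — acceptable only if that address lives on an encrypted overlay, which a comment above `loki.write "viola"` should state.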


@ -1,187 +0,0 @@
_: {
services = {
consul = {
enable = true;
webUi = false;
interface = {
bind = "nb-wt0";
advertise = "nb-wt0";
};
extraConfig = {
server = false;
retry_join = [
"100.109.123.164"
];
services = [
{
name = "git-svc";
port = 53350;
tags = [
"traefik.enable=true"
"traefik.http.routers.git.rule=Host(`git.hand7s.org`)"
"traefik.http.routers.git.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "oidc-svc";
port = 8443;
tags = [
"traefik.enable=true"
"traefik.http.routers.oidc.rule=Host(`zitadel.hand7s.org`)"
"traefik.http.routers.oidc.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "bin-svc";
port = 53352;
tags = [
"traefik.enable=true"
"traefik.http.routers.bin.rule=Host(`bin.hand7s.org`)"
"traefik.http.routers.bin.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "cicd-svc";
port = 53351;
tags = [
"traefik.enable=true"
"traefik.http.routers.cicd.rule=Host(`woodpecker.hand7s.org`)"
"traefik.http.routers.cicd.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "lgtm-svc";
port = 3030;
tags = [
"traefik.enable=true"
"traefik.http.routers.lgtm.rule=Host(`grafana.hand7s.org`)"
"traefik.http.routers.lgtm.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "mc-svc";
port = 25565;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.mc.rule=HostSNI(`mc.hand7s.org`)"
"traefik.tcp.routers.mc.entrypoints=minecraft"
];
}
{
name = "smtp-svc";
port = 25;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
"traefik.tcp.routers.smtp.entrypoints=smtp"
];
}
{
name = "pop3-svc";
port = 110;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.pop3.rule=HostSNI(`*`)"
"traefik.tcp.routers.pop3.entrypoints=pop3"
];
}
{
name = "imap-svc";
port = 143;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.imap.rule=HostSNI(`*`)"
"traefik.tcp.routers.imap.entrypoints=imap"
];
}
{
name = "submissions-svc";
port = 465;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.submissions.rule=HostSNI(`*`)"
"traefik.tcp.routers.submissions.entrypoints=submissions"
];
}
{
name = "submission-svc";
port = 587;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.submission.rule=HostSNI(`*`)"
"traefik.tcp.routers.submission.entrypoints=submission"
];
}
{
name = "pop3s-svc";
port = 995;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.pop3s.rule=HostSNI(`*`)"
"traefik.tcp.routers.pop3s.entrypoints=pop3s"
];
}
{
name = "imaptls-svc";
port = 993;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.imaptls.rule=HostSNI(`*`)"
"traefik.tcp.routers.imaptls.entrypoints=imaptls"
];
}
{
name = "managesieve-svc";
port = 4190;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.managesieve.rule=HostSNI(`*`)"
"traefik.tcp.routers.managesieve.entrypoints=managesieve"
];
}
];
};
};
};
}


@ -1,51 +0,0 @@
_: {
services = {
crowdsec = {
enable = true;
settings = {
hub = {
collections = [
"crowdsecurity/linux"
"crowdsecurity/traefik"
"crowdsecurity/http-dos"
"crowdsecurity/cloudflare"
];
};
acquisitions = [
{
source = "journalctl";
journalctl_filter = [
"_SYSTEMD_UNIT=traefik.service"
];
labels = {
type = "traefik";
};
}
{
source = "journalctl";
journalctl_filter = [
"_SYSTEMD_UNIT=sshd.service"
];
labels = {
type = "syslog";
};
}
];
};
};
crowdsec-firewall-bouncer = {
enable = true;
settings = {
mode = "firewalld";
};
};
};
}

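--- /dev/null
+++ b/(path not shown on page)
@@ -0,0 +1,14 @@
+_: {
+services = {
+fail2ban = {
+enable = true;
+bantime-increment = {
+enable = true;
+factor = "10";
+formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+overalljails = true;
+maxtime = "500h";
+};
+};
+};
+}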
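Review bot: With `factor = "10"` the formula `ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)` multiplies the first repeat ban by roughly e^10, so any repeat offender is pushed straight to `maxtime = "500h"` and the "increment" is effectively a two-step jump; if that is the intent, say so in a comment, otherwise a factor near fail2ban's default of 1 gives the gradual curve the option name suggests. Nothing here sets `banaction`, and this diff keeps firewalld enabled, so confirm that the default iptables-based action and the firewalld backend agree — fail2ban ships `firewallcmd-rich-rules` for that setup. No jails are declared in this hunk, so protection presumably rests on the module's default sshd jail; a comment naming that assumption would help.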


@ -7,48 +7,7 @@
firewalld = { firewalld = {
enable = true; enable = true;
settings = {
IPv6_rpfilter = "strict";
CleanupModulesOnExit = true;
StrictForwardPorts = true;
};
services = { services = {
"ntp" = {
short = "ntpd-rs";
ports = [
{
port = 123;
protocol = "udp";
}
{
port = 4460;
protocol = "tcp";
}
];
};
"dns" = {
short = "hickory-dns";
ports = [
{
port = 853;
protocol = "tcp";
}
];
};
"quic" = {
short = "http3";
ports = [
{
port = 443;
protocol = "udp";
}
];
};
"stalwart" = { "stalwart" = {
short = "Stalwart-mail"; short = "Stalwart-mail";
ports = ports =
@ -103,28 +62,24 @@
}; };
zones = { zones = {
"netbird" = { "trusted" = {
services = [ services = [
"ssh"
"consul" "consul"
]; ];
}; };
"wan" = { "wan" = {
target = "DROP";
masquerade = true;
forwardPorts = [
{
port = 443;
protocol = "udp";
to-port = 8443;
to-addr = "192.168.101.2";
}
];
ports = [ ports = [
{
port = 2053;
protocol = "udp";
}
{
port = 8443;
protocol = "tcp";
}
{ {
port = 51820; port = 51820;
protocol = "udp"; protocol = "udp";
@ -164,17 +119,17 @@
services = lib.concatLists [ services = lib.concatLists [
[ [
"quic" "ssh"
"http" "http"
"https" "https"
"ntp"
"dns"
] ]
( (
lib.optionals ( lib.optionals (
lib.elem name [ lib.elem name [
"hazel" "hazel"
"lynn"
"mel"
] ]
) [ ) [
"minecraft" "minecraft"
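Review bot: The new per-host service list replaces `"quic"` with `"ssh"`, so sshd becomes reachable from the wan zone instead of only from the overlay zone as before; that is workable alongside the fail2ban module this diff adds, but the same section also drops `target = "DROP";` from `"wan"` and `IPv6_rpfilter = "strict";` from `settings`, so unmatched traffic is now handled by firewalld's default target and reverse-path filtering is left to the kernel defaults while forwarding is enabled elsewhere in this diff. If exposing ssh on the wan side is intended, keep the zone target explicit and restore the rpfilter setting. The `2053/udp` and `8443/tcp` port entries appear to be the sing-box listeners from `kyra/services/sing-box.nix`; a comment tying them to that service would keep the two files from drifting apart. The function that builds this list starts before the first hunk, so its other zones were not visible here.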


@ -1,58 +0,0 @@
_: {
services = {
hickory-dns = {
enable = true;
settings = {
remote_resolvers = [
{
socket_addr = "1.1.1.1:853";
protocol = "tls";
tls_dns_name = "cloudflare-dns.com";
}
{
socket_addr = "1.1.1.1:443";
protocol = "https";
tls_dns_name = "cloudflare-dns.com";
}
{
socket_addr = "9.9.9.9:853";
protocol = "tls";
tls_dns_name = "dns.quad9.net";
}
{
socket_addr = "9.9.9.9:443";
protocol = "https";
tls_dns_name = "dns.quad9.net";
}
{
socket_addr = "8.8.8.8:853";
protocol = "tls";
tls_dns_name = "dns.google";
}
{
socket_addr = "8.8.8.8:443";
protocol = "https";
tls_dns_name = "dns.google";
}
];
listen_addrs_http = [
{
socket_addr = "[::]:8053";
}
];
listen_addrs_tcp = [
{
socket_addr = "[::]:8853";
}
];
};
};
};
}


@ -1,42 +0,0 @@
_: {
services = {
ntpd-rs = {
enable = true;
metrics = {
enable = true;
};
settings = {
source = [
{
mode = "nts";
address = "time.cloudflare.com";
}
{
mode = "nts";
address = "nts.ntp.se";
}
];
server = [
{
listen = "[::]:123";
}
];
nts-ke-server = [
{
listen = "[::]:4460";
certificate-chain-path = "/var/lib/acme/ntp.hand7s.org/fullchain.pem";
private-key-path = "/var/lib/acme/ntp.hand7s.org/key.pem";
}
];
synchronization = {
minimum-agreeing-sources = 2;
};
};
};
};
}


@ -2,6 +2,7 @@ _: {
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
hostKeys = [ hostKeys = [
{ {
path = "/etc/ssh/ssh_host_ed25519_key"; path = "/etc/ssh/ssh_host_ed25519_key";


@ -1,53 +0,0 @@
{lib, ...}: {
services = {
opentelemetry-collector = {
enable = true;
settings = {
receivers = {
otlp = {
protocols = {
grpc = {
endpoint = "127.0.0.1:4317";
};
http = {
endpoint = "127.0.0.1:4318";
};
};
};
};
exporters = {
otlp = {
endpoint = "http://100.109.123.164:4317";
tls = {
insecure = true;
};
};
};
service = {
pipelines =
lib.genAttrs [
"traces"
"metrics"
"logs"
] (
_type: {
receivers = [
"otlp"
];
exporters = [
"otlp"
];
processors = [
"batch"
];
}
);
};
};
};
};
}


@ -1,7 +1,7 @@
_: { _: {
services = { services = {
qemuGuest = { qemuGuest = {
enable = false; enable = true;
}; };
}; };
} }


@ -2,39 +2,38 @@ _: {
services = { services = {
resolved = { resolved = {
enable = true; enable = true;
settings = { dnsovertls = toString true;
Resolve = { dnssec = toString true;
DNSOverTLS = true; llmnr = toString true;
DNSSEC = true; domains = [
Domains = [
"~." "~."
]; ];
DNS = [ fallbackDns = [
# hand7s dns
"127.0.0.1#dns.hand7s.org"
"::1#dns.hand7s.org"
# cf dns # cf dns
"1.1.1.1#cloudflare-dns.com" "1.1.1.1"
"1.0.0.1#cloudflare-dns.com" "1.0.0.1"
"2606:4700:4700::1111#cloudflare-dns.com" "2606:4700:4700::1111"
"2606:4700:4700::1001#cloudflare-dns.com" "2606:4700:4700::1001"
# google dns # google dns
"8.8.8.8#dns.google" "8.8.8.8"
"8.8.4.4#dns.google" "8.8.4.4"
"2001:4860:4860::8888#dns.google" "2001:4860:4860::8888"
"2001:4860:4860::8844#dns.google" "2001:4860:4860::8844"
# q9 dns # q9 dns
"9.9.9.9#dns.quad9.net" "9.9.9.9"
"149.112.112.112#dns.quad9.net" "149.112.112.112"
"2620:fe::fe#dns.quad9.net" "2620:fe::fe"
"2620:fe::9#dns.quad9.net" "2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
]; ];
}; };
}; };
};
};
} }
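Review bot: The new `fallbackDns` entries are bare addresses while `dnsovertls = toString true` asks for strict DNS-over-TLS; resolved.conf(5) documents the `#hostname` suffix (e.g. `"1.1.1.1#cloudflare-dns.com"`) as what resolved uses for SNI and server-name validation, so without it the TLS session is not tied to the resolver's identity. Add the suffix to each entry here and to the `networking.nameservers` list in `kyra/networking/dns.nix` from this diff, which is the primary list resolved will consult before any fallback. `llmnr = toString true` turns on LLMNR, a link-local name protocol that accepts answers from any host on the segment; on a server it is normally `"false"`. The `toString true` idiom produces the string `"true"` these options expect, but the literal `"true"` reads more plainly.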

110
kyra/services/sing-box.nix Normal file

@ -0,0 +1,110 @@
{lib, ...}: {
services = {
sing-box = {
enable = true;
settings = {
log = {
level = "error";
};
dns = {
servers = [
{
tag = "cloudflare";
type = "quic";
server = "1.1.1.1";
}
{
tag = "local";
type = "local";
}
];
final = "cloudflare";
strategy = "prefer_ipv4";
};
route = {
final = "direct-out";
default_domain_resolver = "cloudflare";
auto_detect_interface = true;
};
outbounds = [
{
tag = "direct-out";
type = "direct";
}
];
inbounds = [
{
type = "hysteria2";
tag = "hy2-in";
listen = "::";
listen_port = 2053;
masquerade = "https://hand7s.org";
up_mbps = 100;
down_mbps = 100;
obfs = {
type = "salamander";
password = lib.hashString "sha512" "randomstring"; # not a real string
};
users = [
{
name = "hand7s";
password = lib.hashString "sha512" "userstring"; # not a real string
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
certificate_path = "/var/lib/acme/hand7s.org/cert.pem";
key_path = "/var/lib/acme/hand7s.org/key.pem";
};
}
{
type = "vless";
tag = "vless-inbound";
listen = "::";
listen_port = 8443;
sniff = true;
users = [
{
name = "hand7s";
uuid = lib.hashString "sha512" "uuidstring"; # not a real string
flow = "xtls-rprx-vision";
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
reality = {
enabled = true;
max_time_difference = "5m";
handshake = {
server = "127.0.0.1";
server_port = 443;
};
private_key = lib.hashString "sha512" "uuidstring"; # not a real string
short_id = [
"shortie"
];
};
};
}
];
};
};
};
}
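Review bot: The obfs password, user password, `uuid` and Reality `private_key` are computed with `lib.hashString` inside the module, so whatever replaces the `# not a real string` placeholders ends up in the generated sing-box config in the world-readable Nix store. The repo already uses sops (`config.sops.*` elsewhere in this diff), and the NixOS sing-box module substitutes `{ _secret = "/path/to/file"; }` values at service start, so `password = { _secret = config.sops.secrets."sing-box-obfs".path; };` (secret name constructed) keeps the settings tree unchanged while moving the value out of the store. Independently of secrecy, two values have the wrong shape: Reality's `private_key` must be an X25519 key (`sing-box generate reality-keypair`) rather than a SHA-512 hex string, and `short_id` entries must be hex strings of at most 8 bytes, which `"shortie"` is not; `uuid` likewise should be a UUID rather than a hash.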


@ -1,28 +0,0 @@
{config, ...}: {
services = {
step-ca = {
enable = true;
address = "[::]";
port = 8443;
intermediatePasswordFile = config.sops.secrets."stepPass".path;
settings = {
dnsNames = [
"ca.hand7s.org"
];
authority = {
provisioners = [
{
type = "ACME";
name = "cloudflare";
claims = {
enable_dns_01 = true;
};
}
];
};
};
};
};
}


@ -1,8 +1,4 @@
{ {config, ...}: {
config,
name,
...
}: {
services = { services = {
traefik = { traefik = {
enable = true; enable = true;
@ -12,44 +8,29 @@
]; ];
dynamicConfigOptions = { dynamicConfigOptions = {
providers = {
consulCatalog = {
endpoint = {
address = "127.0.0.1:8500";
exposedByDefault = false;
prefix = "traefik";
};
};
};
udp = {
routers = {
"ntp" = {
service = "ntp-svc";
entryPoints = [
"ntp"
];
};
};
services = {
"ntp-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:123";
}
];
};
};
};
};
http = { http = {
routers = { routers = {
"site" = { "site" = {
rule = "Host(`hand7s.org`)"; rule = "Host(`hand7s.org`)";
service = "site-svc"; service = "site-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"git" = {
rule = "Host(`git.hand7s.org`)";
service = "git-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domains = [ domains = [
@ -64,16 +45,15 @@
entryPoints = [ entryPoints = [
"websecure" "websecure"
"loopback"
]; ];
}; };
"ca" = { "cicd" = {
rule = "Host(`ca.hand7s.org`)"; rule = "Host(`woodpecker.hand7s.org`)";
service = "ca-svc"; service = "cicd-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domain = [ domains = [
{ {
main = "hand7s.org"; main = "hand7s.org";
sans = [ sans = [
@ -82,11 +62,55 @@
} }
]; ];
}; };
entryPoints = [
"websecure"
];
}; };
"doh" = { "oidc" = {
rule = "Host(`dns.hand7s.org`) && PathPrefix(`/dns-query`)"; rule = "Host(`zitadel.hand7s.org`)";
service = "doh-svc"; service = "oidc-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"bin" = {
rule = "Host(`bin.hand7s.org`)";
service = "bin-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"lgtm" = {
rule = "Host(`grafana.hand7s.org`)";
service = "lgtm-svc";
tls = { tls = {
certResolver = "cloudflare"; certResolver = "cloudflare";
domains = [ domains = [
@ -116,21 +140,51 @@
}; };
}; };
"ca-svc" = { "git-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
url = "http://127.0.0.1:8443"; url = "http://100.109.123.164:53350";
} }
]; ];
}; };
}; };
"doh-svc" = { "oidc-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
url = "http://127.0.0.1:8053"; url = "http://100.109.123.164:8443";
}
];
};
};
"bin-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53352";
}
];
};
};
"cicd-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53351";
}
];
};
};
"lgtm-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:3030";
} }
]; ];
}; };
@ -140,73 +194,161 @@
tcp = { tcp = {
routers = { routers = {
"nts-ke" = { "minecraft" = {
rule = "HostSNI(`ntp.hand7s.org`)"; rule = "HostSNI(`*`)";
services = "nts-ke-svc"; service = "mc-svc";
tls = {
passthrough = true;
};
entryPoints = [ entryPoints = [
"nts-ke" "minecraft"
]; ];
}; };
"dot" = { "smtp" = {
rule = "HostSNI(`dns.hand7s.org`)"; rule = "HostSNI(`*`)";
services = "dot-svc"; service = "smtp-svc";
entryPoints = [ entryPoints = [
"dot" "smtp"
]; ];
tls = {
certResolver = "cloudflare";
};
};
"vless" = {
rule = "HostSNI(`${name}.hand7s.org`)";
service = "vless-svc";
tls = {
passthrough = true;
}; };
"pop3" = {
rule = "HostSNI(`*`)";
service = "pop-svc";
entryPoints = [ entryPoints = [
"websecure" "pop3"
]; ];
}; };
"submissions" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "submissions-svc";
entryPoints = [
"submissions"
];
};
"submission" = {
rule = "HostSNI(`*`)";
service = "submission-svc";
entryPoints = [
"submission"
];
};
"imaptls" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "imaptls-svc";
entryPoints = [
"imaptls"
];
};
"pop3s" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "pop3s-svc";
entryPoints = [
"pop3s"
];
};
"managesieve" = {
rule = "HostSNI(`*`)";
service = "managesieve-svc";
entryPoints = [
"managesieve"
];
};
};
}; };
services = { services = {
"vless-svc" = { "mc-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
address = "192.168.101.2:8443"; address = "100.109.123.164:25565";
} }
]; ];
}; };
}; };
"nts-ke-svc" = { "smtp-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
address = "127.0.0.1:4460"; address = "100.109.123.164:25";
} }
]; ];
}; };
}; };
"dot-svc" = { "pop3-svc" = {
loadBalancer = { loadBalancer = {
servers = [ servers = [
{ {
url = "http://127.0.0.1:8853"; address = "100.109.123.164:110";
} }
]; ];
}; };
}; };
"imap-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:143";
}
];
};
};
"submissions-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:465";
}
];
};
};
"submission-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:587";
}
];
};
};
"imaptls-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:993";
}
];
};
};
"pop3s-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:995";
}
];
};
};
"managesieve-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:4190";
}
];
};
}; };
}; };
}; };
@ -228,22 +370,17 @@
certificatesResolvers = { certificatesResolvers = {
"cloudflare" = { "cloudflare" = {
acme = { acme = {
email = "me@hand7s.com"; email = "litvinovb0@gmail.com";
storage = "${config.services.traefik.dataDir}/acme.json"; storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = { dnsChallenge = {
provider = "cloudflare"; provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
}; };
}; };
}; };
"step-ca" = {
caServer = "https://ca.hand7s.org";
acme = {
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
tlsChallenge = {};
};
};
}; };
log = { log = {
@ -280,35 +417,6 @@
}; };
}; };
"loopback" = {
address = "127.0.0.1:444";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"ntp" = {
address = ":123";
};
"nts-ke" = {
address = ":4460";
};
"dot" = {
address = ":853";
};
"minecraft" = { "minecraft" = {
address = ":25565"; address = ":25565";
}; };
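Review bot: In the tcp routers hunk the `"pop3"` router points at `service = "pop-svc";` but the service defined below is `"pop3-svc"`, so the router cannot resolve; change it to `service = "pop3-svc";`. `"imap-svc"` is defined but no router references it, while the `"submissions"`, `"imaptls"` and `"pop3s"` routers use a named `HostSNI` with no `tls` block; Traefik only sees SNI when TLS is configured on a TCP router, and since these are implicit-TLS mail ports `tls = { passthrough = true; };` is presumably the intent — confirm against the backend. All backends sit at `100.109.123.164` over plain `http://` or raw TCP, which is fine only if that address is on the encrypted overlay; a comment on the first `loadBalancer` saying so would spare the next reader the question.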


@ -7,71 +7,33 @@
network = { network = {
enable = true; enable = true;
networks = lib.mkMerge [ networks = lib.mkMerge [
(
lib.mkIf (
name == "ivy"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "93.115.203.92/24";
}
{
Address = "2001:67c:263c::8fa/64";
}
];
routes = [
{
Gateway = "93.115.203.1";
}
{
Gateway = "2001:67c:263c::1";
}
];
};
}
)
( (
lib.mkIf ( lib.mkIf (
name == "mel" name == "mel"
) )
{ {
"10-eth0" = { "10-eth0" = {
matchConfig = { matchConfig.Name = "eth0";
Name = "eth0";
};
addresses = [
{
Address = "45.11.229.245/24";
}
{
Address = "2a0e:97c0:3e3:20a::1/64";
}
];
networkConfig = { networkConfig = {
IPv6AcceptRA = false; IPv6AcceptRA = false;
Address = [
"45.11.229.245/24"
"2a0e:97c0:3e3:20a::1/64"
];
}; };
routes = [ routes = [
{ {
routeConfig = {
Gateway = "45.11.229.1"; Gateway = "45.11.229.1";
};
} }
{ {
routeConfig = {
Gateway = "fe80::1"; Gateway = "fe80::1";
GatewayOnLink = true; GatewayOnLink = true;
};
} }
]; ];
}; };
@ -88,29 +50,27 @@
Name = "ens3"; Name = "ens3";
}; };
addresses = [
{
Address = "138.124.240.75/32";
}
{
Address = "2a0d:d940:1a:1500::2/56";
}
];
networkConfig = { networkConfig = {
IPv6AcceptRA = false; IPv6AcceptRA = false;
Address = [
"138.124.240.75/32"
"2a0d:d940:1a:1500::2/56"
];
}; };
routes = [ routes = [
{ {
routeConfig = {
Gateway = "10.0.0.1"; Gateway = "10.0.0.1";
GatewayOnLink = true; GatewayOnLink = true;
};
} }
{ {
routeConfig = {
Gateway = "2a0d:d940:1a:1500::1"; Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true; GatewayOnLink = true;
};
} }
]; ];
}; };
@ -127,28 +87,9 @@
Name = "ens3"; Name = "ens3";
}; };
addresses = [
{
Address = "90.156.226.152";
}
{
Address = "2a03:6f01:1:2::cb1e";
}
];
routes = [
{
Gateway = "90.156.226.1";
}
{
Gateway = "2a03:6f01:1:2::1";
GatewayOnLink = true;
}
];
networkConfig = { networkConfig = {
Address = "90.156.226.152/24";
Gateway = "90.156.226.1";
IPv6AcceptRA = false; IPv6AcceptRA = false;
}; };
}; };
@ -165,17 +106,11 @@
Name = "ens3"; Name = "ens3";
}; };
addresses = [ networkConfig = {
{ Address = "138.124.72.244/24";
Address = "138.124.72.244";
}
];
routes = [
{
Gateway = "138.124.72.1"; Gateway = "138.124.72.1";
} IPv6AcceptRA = false;
]; };
}; };
} }
) )
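Review bot: The rewritten mel and yara blocks wrap each route in `routeConfig = { … };` and move addresses into `networkConfig.Address`; `routeConfig` is the older form of the systemd.network options that current nixpkgs deprecates in favour of placing `Gateway`/`GatewayOnLink` directly in the route attribute set (as the removed lines did) — confirm which form the pinned nixpkgs accepts, otherwise evaluation warns or fails. The hazel block now carries only `Address = "90.156.226.152/24";` with `IPv6AcceptRA = false;`, so that host loses its IPv6 address unless it is set elsewhere; a comment would record whether the drop is deliberate. The enclosing `networks = lib.mkMerge [ … ]` list opens before the first hunk and closes after the last, so the remaining per-host blocks were not visible for review.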

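--- a/(path not shown on page)
+++ /dev/null
@@ -1,13 +0,0 @@
-{config, ...}: {
-systemd = {
-services = {
-"step-ca" = {
-serviceConfig = {
-EnvironmentFile = [
-config.sops.templates."step-ca.env".path
-];
-};
-};
-};
-};
-}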


@ -6,6 +6,7 @@ _: {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker"
]; ];
openssh = { openssh = {
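Review bot: Adding `"docker"` to `extraGroups` makes this account root-equivalent, because docker-group members can talk to the daemon socket and start privileged containers; the next users file in this diff adds the same line. If the user only needs to run containers, rootless docker or podman keeps that boundary, and otherwise a comment beside the entry should record that the group is intentionally root-equivalent. Nothing in this diff enables `virtualisation.docker`, so confirm the group actually exists on the host.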


@ -6,6 +6,7 @@ _: {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker"
]; ];
openssh = { openssh = {

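--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -3,7 +3,6 @@
 users = {
 "root" = {
 shell = "${pkgs.util-linux}/bin/nologin";
-initialHashedPassword = "!";
 };
 };
 };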
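Review bot: Dropping `initialHashedPassword = "!";` means the configuration no longer pins root's password as locked; with mutable users the account's state becomes whatever the existing shadow entry on each host holds, and a `nologin` shell refuses an interactive shell but is not the same as a locked password. Keep the lock explicit, preferably in the non-initial form `hashedPassword = "!";`, so it is enforced on every rebuild rather than only when the account is first created.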

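--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -13,8 +13,6 @@ _: {
 "https://chaotic-nyx.cachix.org/"
 # nix-community
 "https://hydra.nix-community.org/"
-# yandex mirror
-"https://mirror.yandex.ru/nixos/"
 ];
 };
 };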

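--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,9 +4,6 @@ _: {
 enable = true;
 wheelNeedsPassword = true;
 execWheelOnly = true;
-extraConfig = ''
-Defaults !pwfeedback
-'';
 };
 };
 }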

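--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -13,8 +13,6 @@ _: {
 "https://chaotic-nyx.cachix.org/"
 # nix-community
 "https://hydra.nix-community.org/"
-# yandex mirror
-"https://mirror.yandex.ru/nixos/"
 ];
 };
 };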

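--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -4,9 +4,6 @@ _: {
 enable = true;
 wheelNeedsPassword = true;
 execWheelOnly = true;
-extraConfig = ''
-Defaults !pwfeedback
-'';
 };
 };
 }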