initial commit

modules/sec_auth/firejail.nix

@@ -0,0 +1,63 @@
+# TODO refine firejail it seems that / is not shielded enough and app armor does not work
+
+
+{ pkgs, ... }:
+{
+  programs.firejail = {
+  enable = true;
+  wrappedBinaries = {
+      firefox = {
+        executable = "${pkgs.firefox}/bin/firefox";
+        profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+        extraArgs = [
+          # Required for U2F USB stick
+          "--ignore=private-dev"
+          # Enforce dark mode
+          "--env=GTK_THEME=Adwaita:dark"
+          # Enable system notifications
+          "--dbus-user.talk=org.freedesktop.Notifications"
+	        # For screen sharing
+	        "--dbus-user.talk=org.freedesktop.portal.*"
+        ];
+      };
+
+      element-desktop = {
+        executable = "${pkgs.element-desktop}/bin/element-desktop";
+        profile = "${pkgs.firejail}/etc/firejail/element-desktop.profile";
+        extraArgs = [
+          # Required for U2F USB stick
+          "--ignore=private-dev"
+          # Enforce dark mode
+          "--env=GTK_THEME=Adwaita:dark"
+          # Enable system notifications
+          "--dbus-user.talk=org.freedesktop.Notifications"
+          # For screen sharing
+          "--dbus-user.talk=org.freedesktop.portal.*"
+        ];
+      };
+
+      brave = {
+        executable = "${pkgs.brave}/bin/brave";
+        profile = "${pkgs.firejail}/etc/firejail/brave.profile";
+        extraArgs = [
+          # Required for U2F USB stick
+          "--ignore=private-dev"
+          # Enforce dark mode
+          "--env=GTK_THEME=Adwaita:dark"
+          # Enable system notifications
+          "--dbus-user.talk=org.freedesktop.Notifications"
+          # For screen sharing
+          "--dbus-user.talk=org.freedesktop.portal.*"
+        ];
+      };
+    };
+  };
+  environment.etc = {
+  "firejail/brave.local".text = ''
+      whitelist ''${HOME}/.config/brave
+      whitelist ''${HOME}/.local
+      whitelist ''${HOME}/Downloads
+  '';
+  };
+
+}

modules/sec_auth/login-manager.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+  services.greetd = {
+    enable = true;
+    vt = 7;
+    settings = {
+      default_session = {
+        command = ''${pkgs.greetd.tuigreet}/bin/tuigreet \
+	  --time \
+	  --time-format '%Y-%m-%dT%H:%M:%S %A' \
+	  --remember \
+	  --user-menu \
+	  --theme 'border=lightgreen;text=lightgreen;prompt=lightgreen;time=lightgreen;action=lightgreen;button=lightgreen;input=lightgreen' \
+	  --cmd hyprland'';
+	  # removed elements from theme: container
+        user = "greeter";
+      };
+    };
+  };
+}

modules/sec_auth/ssh.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  programs.ssh = {
+    startAgent = true;
+    enableAskPassword = true;
+    #askPassword = "${pkgs.ssh-askpass-fullscreen}/bin/ssh-askpass-fullscreen";
+    askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
+  };
+
+  # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression
+  # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec
+  environment.sessionVariables = rec {
+    SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/ssh-agent";
+  };
+
+  environment.systemPackages = with pkgs; [
+    #ssh-askpass-fullscreen
+    lxqt.lxqt-openssh-askpass
+  ];
+
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+}

modules/sec_auth/users_and_permissions.nix

@@ -0,0 +1,59 @@
+{ pkgs, ... }:
+{
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.ranomier = {
+    isNormalUser = true;
+    description = "Ranomier";
+    extraGroups = [ "networkmanager" "wheel" ];
+    #packages = with pkgs; [];
+  };
+
+  environment.etc = {
+    "xdg/user-dirs.defaults".text = ''
+      DESKTOP=Desktop
+      DOWNLOAD=Downloads
+      TEMPLATES=Documents/Templates
+      PUBLICSHARE=Public
+      DOCUMENTS=Documents
+      MUSIC=Media/Music
+      PICTURES=Media/Pictures
+      VIDEOS=Media/Videos
+    '';
+  };
+  # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression
+  # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec
+  environment.sessionVariables = rec {
+    XDG_CACHE_HOME  = "$HOME/.cache";
+    XDG_CONFIG_HOME = "$HOME/.config";
+    XDG_DATA_HOME   = "$HOME/.local/share";
+    XDG_STATE_HOME  = "$HOME/.local/state";
+
+    # Not officially in the specification
+    XDG_BIN_HOME    = "$HOME/.local/mybin";
+    PATH = [ 
+      "${XDG_BIN_HOME}"
+    ];
+  };
+
+  # XDG-USER-DIR package and config
+  environment.systemPackages = with pkgs; [
+    xdg-user-dirs
+
+    apparmor-pam
+    apparmor-utils
+    apparmor-parser
+    apparmor-profiles
+    roddhjav-apparmor-rules
+  ];
+
+  security.apparmor.enable = true;
+
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+}