Diffstat (limited to 'modules')
-rw-r--r--modules/alt-arrow-vt.nix29
-rw-r--r--modules/cgit.nix74
-rw-r--r--modules/secureboot.nix66
3 files changed, 169 insertions, 0 deletions
diff --git a/modules/alt-arrow-vt.nix b/modules/alt-arrow-vt.nix
new file mode 100644
index 0000000..d0dbb90
--- /dev/null
+++ b/modules/alt-arrow-vt.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ ...
+}:
+{
+ # Disable Alt+Left/Right virtual terminal switching
+ console.keyMap = "us";
+
+ # Create systemd service to disable only Alt+Arrow VT switching
+ systemd.services.disable-alt-arrow-vt = {
+ description = "Disable Alt+Arrow VT switching";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "systemd-vconsole-setup.service" ];
+ script = ''
+ # Define string sequences for Alt+Arrow that generate proper terminal escape sequences
+ cat << 'EOF' | ${pkgs.kbd}/bin/loadkeys
+ string F200 = "\033[1;3D"
+ string F201 = "\033[1;3C"
+ alt keycode 105 = F200
+ alt keycode 106 = F201
+ EOF
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+
+}
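Review bot: The comment above `console.keyMap = "us"` says it disables Alt+Left/Right VT switching, but selecting the `us` keymap does not alter those bindings; only the loadkeys override in the service below does. Suggest `# Base console keymap; the Alt+Arrow VT-switch override is applied by the service below` so a reader does not look for the change on that line. The override is loaded once after `systemd-vconsole-setup.service`, so if the console keymap is reloaded later the Alt+Arrow bindings presumably revert to VT switching until the unit is restarted; worth a one-line comment if that is the accepted behaviour.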
diff --git a/modules/cgit.nix b/modules/cgit.nix
new file mode 100644
index 0000000..34fa377
--- /dev/null
+++ b/modules/cgit.nix
@@ -0,0 +1,74 @@
+{
+ pkgs,
+ ...
+}:
+{
+ nixpkgs.overlays = [
+ (import ../overlays/git-fix)
+ ];
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git";
+ createHome = false; # tmpfiles creates it
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
+ ];
+ };
+ users.groups.git = { };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/git 0755 git git -"
+ ];
+
+ services.openssh.extraConfig = ''
+ Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ X11Forwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.fcgiwrap.instances."git-http" = {
+ socket.user = "nginx";
+ socket.group = "nginx";
+ process.user = "nginx";
+ process.group = "nginx";
+ socket.type = "unix";
+ socket.address = "/run/fcgiwrap-git-http.sock";
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.kjtsanaktsidis.id.au" = {
+ forceSSL = false;
+ enableACME = false;
+ locations = {
+ # Block HTTP pushes explicitly (receive-pack)
+ "~ ^/git/.+\\.git/git-receive-pack$" = {
+ return = "403";
+ };
+
+ # Smart HTTP for clone/fetch
+ "~ ^/git(/.+\\.git)(/.*)?$" = {
+ extraConfig = ''
+ client_max_body_size 0;
+
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $1$2;
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
+ '';
+ };
+ };
+ };
+ };
+}
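Review bot: The explicit 403 for git-receive-pack in the first location is likely never reached, because the NixOS nginx module emits same-priority locations sorted by attribute name and `~ ^/git(` sorts before `~ ^/git/`, so the broader smart-HTTP regex matches `/git/x.git/git-receive-pack` first. Giving the deny location an explicit `priority = 100;` (the module option, lower than the default 1000) keeps it ahead of the catch-all; please confirm against the generated nginx.conf. In practice git-http-backend still refuses receive-pack for unauthenticated requests, and `$remote_user` is empty here because no `auth_basic` is configured, so the effect is that the intended defence-in-depth is silently absent rather than an open push path. Separately, port 443 is opened in the firewall but the virtual host has `forceSSL = false` and no certificate, so clones travel over plain HTTP and nothing listens on 443; either drop 443 from `allowedTCPPorts` or add a comment stating why TLS is deferred.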
diff --git a/modules/secureboot.nix b/modules/secureboot.nix
new file mode 100644
index 0000000..29bff21
--- /dev/null
+++ b/modules/secureboot.nix
@@ -0,0 +1,66 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ sb-do-enroll-keys = pkgs.writeShellApplication {
+ name = "sb-do-enroll-keys";
+ text = ''
+ set -ex;
+ ${pkgs.sbctl}/bin/sbctl enroll-keys
+ '';
+ };
+ sb-do-enroll-tpm = pkgs.writeShellApplication {
+ name = "sb-do-enroll-tpm";
+ runtimeInputs = [ pkgs.tpm2-tss ];
+ text = ''
+ set -ex;
+ LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
+ ${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
+ '';
+ };
+in
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ sb-do-enroll-keys
+ sb-do-enroll-tpm
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.tpm2.enable = true;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+ '';
+ };
+}
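Review bot: `sbctl enroll-keys` in `sb-do-enroll-keys` enrolls only the locally generated keys; without `--microsoft` the Microsoft UEFI CA is not kept in db, so option ROMs and firmware components signed by it (GPU, NIC) can fail to load, which on some boards means the machine no longer boots — unless the hardware has been checked, use `${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft`. In `sb-do-enroll-tpm`, binding to PCRs 0+7 with no PIN means any boot of the unmodified system unlocks the volume, so physical access reduces to the login screen; `--tpm2-with-pin=yes` is the usual mitigation, and note that a firmware update changes PCR 0 and will require re-running this helper after unlocking with the recovery passphrase. `writeShellApplication` already sets `-euo pipefail`, so `set -ex;` only adds command tracing. The `sbctl-setup` unit only creates keys and enrollment stays a manual step; a comment such as `# Keys are only created here; enroll them with sb-do-enroll-keys while the firmware is in setup mode` would make the intended flow explicit.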