configuration.nix

a guest
Jan 4th, 2015
215
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.81 KB | None | 0 0
  1. # Edit this configuration file to define what should be installed on
  2. # your system. Help is available in the configuration.nix(5) man page
  3. # and in the NixOS manual (accessible by running ‘nixos-help’).
  4.  
  5. { config, pkgs, ... }:
  6.  
  7. {
  8. imports =
  9. [ # Include the results of the hardware scan.
  10. ./hardware-configuration.nix
  11. ];
  12.  
  13. boot.kernelPackages = pkgs.linuxPackages_3_14;
  14. #boot.kernelPackages = pkgs.linuxPackages_grsecurity_stable;
  15. nixpkgs.config = {
  16. allowUnfree = true;
  17. #grsecurity = true;
  18. #packageOverrides = pkgs: {
  19. # linuxPackages = pkgs.linuxPackages_grsecurity_stable;
  20. # stdenv = pkgs.stdenv // {
  21. # platform = pkgs.stdenv.platform // {
  22. # kernelExtraConfig = ''
  23. # XEN n
  24. # HIBERNATION n
  25. # DEVKMEM? n
  26. # GRKERNSEC y
  27. # GRKERNSEC_CONFIG_AUTO y
  28. # GRKERNSEC_CONFIG_DESKTOP y
  29. # GRKERNSEC_CONFIG_VIRT_HOST y
  30. # GRKERNSEC_CONFIG_VIRT_EPT y
  31. # GRKERNSEC_CONFIG_VIRT_KVM y
  32. # GRKERNSEC_CONFIG_PRIORITY_SECURITY y
  33. # GRKERNSEC_PROC_USER y
  34. # GRKERNSEC_PROC_GID 0
  35. # GRKERNSEC_CHROOT_CHMOD n
  36. # '';
  37. # };
  38. # };
  39. #};
  40. };
  41. #security.grsecurity = {
  42. # enable = true;
  43. # stable = true;
  44. # config = {
  45. # verboseVersion = true;
  46. # priority = "security";
  47. # system = "desktop";
  48. # virtualisationConfig = "host";
  49. # hardwareVirtualisation = true;
  50. # virtualisationSoftware = "kvm";
  51. # kernelExtraConfig = ''
  52. #XEN n
  53. #HIBERNATION n
  54. #DEVKMEM? n
  55. # '';
  56. # };
  57. #};
  58. boot.kernel.sysctl = {
  59. "kernel.grsecurity.grsec_lock" = 1;
  60. "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
  61. "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
  62. "net.ipv4.tcp_syncookies" = 1;
  63. "net.ipv4.conf.all.log_martians" = 1;
  64. "net.ipv4.conf.default.log_martians" = 1;
  65. "net.ipv4.conf.all.accept_source_route" = 0;
  66. "net.ipv4.conf.default.accept_source_route" = 0;
  67. "net.ipv4.conf.all.rp_filter" = 1;
  68. "net.ipv4.conf.default.rp_filter" = 1;
  69. "net.ipv4.conf.all.accept_redirects" = 0;
  70. "net.ipv4.conf.default.accept_redirects" = 0;
  71. "net.ipv4.conf.all.secure_redirects" = 0;
  72. "net.ipv4.conf.default.secure_redirects" = 0;
  73. "net.ipv4.ip_forward" = 0;
  74. "net.ipv4.conf.all.send_redirects" = 0;
  75. "net.ipv4.conf.default.send_redirects" = 0;
  76. "kernel.sysrq" = 0;
  77. "net.ipv4.tcp_synack_retries" = 2;
  78. "net.ipv6.conf.default.router_solicitations" = 0;
  79. "net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
  80. "net.ipv6.conf.default.accept_ra_pinfo" = 0;
  81. "net.ipv6.conf.default.accept_ra_defrtr" = 0;
  82. "net.ipv6.conf.default.autoconf" = 0;
  83. "net.ipv6.conf.default.dad_transmits" = 0;
  84. "net.ipv6.conf.default.max_addresses" = 1;
  85. "kernel.exec-shield" = 1;
  86. "kernel.randomize_va_space" = 1;
  87. };
  88. boot.initrd.luks.devices = [
  89. {name = "root"; device = "/dev/sda3"; preLVM = true;}
  90. ];
  91. boot.loader.grub = {
  92. enable = true;
  93. version = 2;
  94. device = "/dev/sda";
  95. };
  96.  
  97. time.timeZone = "Asia/Hong_Kong";
  98.  
  99. networking = {
  100. hostName = "thunderbird"; # Define your hostname.
  101. firewall = {
  102. enable = true;
  103. allowedTCPPorts = [28303 443];
  104. };
  105. extraHosts = ''
  106. 127.0.0.1 localhost
  107. '';
  108. };
  109. # networking.wireless.enable = true; # Enables wireless.
  110.  
  111. security.sudo.enable = true;
  112.  
  113. i18n = {
  114. consoleFont = "lat9w-16";
  115. consoleKeyMap = "us";
  116. defaultLocale = "en_US.UTF-8";
  117. };
  118.  
  119. environment.variables.EDITOR = pkgs.lib.mkOverride 0 "vim";
  120. environment.systemPackages = with pkgs; [
  121. wget vim sudo psmisc gnupg1orig pwgen subversion tcpdump git
  122. thunderbird firefoxWrapper skype chromium
  123. ];
  124.  
  125. programs.bash.enableCompletion = true;
  126.  
  127. hardware.pulseaudio.enable = true;
  128.  
  129. services = {
  130. openssh.enable = false;
  131. fail2ban.enable = true;
  132. printing.enable = true;
  133. xserver = {
  134. enable = true;
  135. layout = "us";
  136. xkbOptions = "eurosign:e";
  137. displayManager.kdm.enable = true;
  138. desktopManager.kde4.enable = true;
  139. };
  140. logrotate = {
  141. enable = true;
  142. config = ''
  143. /var/log/kdm.log {
  144. maxage 365
  145. size=+1024k
  146. notifempty
  147. missingok
  148. compress
  149. copytruncate
  150. }
  151. '';
  152. };
  153. };
  154.  
  155. nix.gc = {
  156. automatic = true;
  157. options = "--max-freed $((64 * 1024**3))";
  158. };
  159.  
  160. users.mutableUsers = false;
  161. users.extraUsers = {
  162. peter = {
  163. name = "peter";
  164. group = "users";
  165. description = "peter@example.com";
  166. uid = 1000;
  167. createHome = true;
  168. home = "/home/peter";
  169. shell = "/run/current-system/sw/bin/bash";
  170. extraGroups = ["wheel"];
  171. hashedPassword = "$6$iomeh";
  172. };
  173. root = {
  174. hashedPassword = "$6$Hmeh";
  175. };
  176. };
  177. }