# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

  5. { config, pkgs, ... }:
  6.  
  7. {
  8. imports =
  9. [ # Include the results of the hardware scan.
  10. ./hardware-configuration.nix
  11. ];
  12.  
  # Kernel selection. The grsecurity variants kept below are drafts and are
  # NOT active: the system boots the stock 3.14 series. Consequently the
  # "kernel.grsecurity.*" sysctl set further down has no kernel to apply to
  # until one of these drafts is re-enabled.
  boot.kernelPackages = pkgs.linuxPackages_3_14;
  #boot.kernelPackages = pkgs.linuxPackages_grsecurity_stable;
  nixpkgs.config = {
    # Required for unfree packages in systemPackages (e.g. skype).
    allowUnfree = true;
    #grsecurity = true;
    # Draft 1: build the grsecurity kernel through a package override with an
    # explicit kernel config fragment. Kept for reference, not evaluated.
    #packageOverrides = pkgs: {
    # linuxPackages = pkgs.linuxPackages_grsecurity_stable;
    # stdenv = pkgs.stdenv // {
    # platform = pkgs.stdenv.platform // {
    # kernelExtraConfig = ''
    # XEN n
    # HIBERNATION n
    # DEVKMEM? n
    # GRKERNSEC y
    # GRKERNSEC_CONFIG_AUTO y
    # GRKERNSEC_CONFIG_DESKTOP y
    # GRKERNSEC_CONFIG_VIRT_HOST y
    # GRKERNSEC_CONFIG_VIRT_EPT y
    # GRKERNSEC_CONFIG_VIRT_KVM y
    # GRKERNSEC_CONFIG_PRIORITY_SECURITY y
    # GRKERNSEC_PROC_USER y
    # GRKERNSEC_PROC_GID 0
    # GRKERNSEC_CHROOT_CHMOD n
    # '';
    # };
    # };
    #};
  };
  # Draft 2: the same intent expressed through the NixOS security.grsecurity
  # module (desktop profile, KVM host). Also not evaluated.
  #security.grsecurity = {
  # enable = true;
  # stable = true;
  # config = {
  # verboseVersion = true;
  # priority = "security";
  # system = "desktop";
  # virtualisationConfig = "host";
  # hardwareVirtualisation = true;
  # virtualisationSoftware = "kvm";
  # kernelExtraConfig = ''
  #XEN n
  #HIBERNATION n
  #DEVKMEM? n
  # '';
  # };
  #};
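  # Kernel and network hardening applied at activation via sysctl. Keys the
  # running kernel does not expose cause an error message at activation and
  # are otherwise ignored; two such keys are marked below.
  boot.kernel.sysctl = {
    # Only exists on a grsecurity kernel (the grsec kernelPackages above are
    # commented out, so this is a no-op on stock 3.14). On a grsec kernel a
    # value of 1 freezes all grsec sysctls until reboot, so it must be applied
    # after any other kernel.grsecurity.* tunables — ordering to confirm.
    "kernel.grsecurity.grsec_lock" = 1;
    # ICMP: ignore broadcast echo requests and bogus error responses.
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
    # SYN-flood mitigation.
    "net.ipv4.tcp_syncookies" = 1;
    # Log packets with impossible source addresses.
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    # Refuse source-routed packets.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    # Strict reverse-path filtering.
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    # Neither accept ICMP redirects (not even "secure" ones from a known
    # gateway) nor send them; this host is not a router.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    # NOTE(review): libvirt/kvm are installed below; libvirt NAT networks need
    # forwarding and libvirtd is expected to turn it on itself — confirm.
    "net.ipv4.ip_forward" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Disable the magic SysRq key.
    "kernel.sysrq" = 0;
    "net.ipv4.tcp_synack_retries" = 2;
    # Drop RSTs for sockets in TIME_WAIT (RFC 1337 "TIME-WAIT assassination").
    "net.ipv4.tcp_rfc1337" = 1;
    # IPv6: no router solicitations, no acceptance of router advertisements,
    # no stateless autoconfiguration. These are "default" values only, so they
    # apply to interfaces created after activation; interfaces that already
    # exist keep their per-interface settings.
    "net.ipv6.conf.default.router_solicitations" = 0;
    "net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
    "net.ipv6.conf.default.accept_ra_pinfo" = 0;
    "net.ipv6.conf.default.accept_ra_defrtr" = 0;
    "net.ipv6.conf.default.autoconf" = 0;
    "net.ipv6.conf.default.dad_transmits" = 0;
    "net.ipv6.conf.default.max_addresses" = 1;
    # Added: the IPv4 redirect settings above had no IPv6 counterpart.
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    # Red Hat-specific key that mainline kernels (including 3.14) do not
    # provide; it is a no-op here and kept only as documentation of intent.
    "kernel.exec-shield" = 1;
    # Fixed: was 1, which randomises only stack, mmap base and VDSO. 2 is the
    # mainline default and additionally randomises the heap (brk) base, so the
    # previous value weakened ASLR instead of hardening it.
    "kernel.randomize_va_space" = 2;
  };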
  # Full-disk encryption: the LUKS container is unlocked in the initrd before
  # LVM is scanned. NOTE(review): /dev/sda3 is a discovery-order name; a
  # /dev/disk/by-uuid/ path would survive device reordering — confirm against
  # hardware-configuration.nix.
  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/sda3";
      preLVM = true;
    }
  ];
  # GRUB 2 installed to the MBR of the first disk.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";

  time.timeZone = "Asia/Hong_Kong";

  networking.hostName = "thunderbird"; # Define your hostname.
  # Stateful firewall: inbound traffic is dropped except for these TCP ports.
  # NOTE(review): nothing in this file configures a listener on 28303 or 443
  # (sshd is disabled below) — confirm what is expected to serve them.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 28303 443 ];
  networking.extraHosts = ''
    127.0.0.1 localhost
  '';
  # networking.wireless.enable = true; # Enables wireless.

  # Enables sudo for members of "wheel" (user peter below).
  security.sudo.enable = true;

  # Console font/keymap and system locale.
  i18n.consoleFont = "lat9w-16";
  i18n.consoleKeyMap = "us";
  i18n.defaultLocale = "en_US.UTF-8";

  # Priority 0 outranks every other definition of EDITOR (mkForce is 50), so
  # no module can override it.
  environment.variables.EDITOR = pkgs.lib.mkOverride 0 "vim";
  # System-wide packages. The sudo binary itself is provided by
  # security.sudo.enable; listing the package here only adds its docs/tools.
  environment.systemPackages = [
    pkgs.wget
    pkgs.vim
    pkgs.sudo
    pkgs.psmisc
    pkgs.gnupg1orig
    pkgs.pwgen
    pkgs.subversion
    pkgs.tcpdump
    pkgs.git
    pkgs.groff
    pkgs.awscli
    pkgs.thunderbird
    pkgs.firefoxWrapper
    pkgs.skype
    pkgs.chromium
    pkgs.virtmanager
    pkgs.kvm
    pkgs.qemu
    pkgs.libvirt
    pkgs.perlPackages.DateTimeFormatStrptime
    pkgs.perlPackages.DBDSQLite
  ];
  # Password/key managers considered but not installed:
  # keepass
  # gnome3.seahorse
  # kde4.kwalletmanager keychain

  programs.bash.enableCompletion = true;
  # These aliases are defined for every bash user on the system, root
  # included. The find*/reposcan/recrypt entries execute scripts that live in
  # one user's home directory, so whoever invokes them — including root —
  # runs code that user can modify. Consider keeping such aliases in peter's
  # own ~/.bashrc, or installing the scripts to a root-owned location.
  programs.bash.shellAliases =
    let
      scripts = "/home/peter/Documents/Scripts";
    in {
      restart = "systemctl restart";
      start = "systemctl start";
      status = "systemctl status";
      stop = "systemctl stop";
      which = "type -P";
      ll = "ls -al";
      findpass = "${scripts}/repo-diver.pl password";
      findhow = "${scripts}/repo-diver.pl hostconfig";
      findssh = "${scripts}/repo-diver.pl sshkey";
      findgpg = "${scripts}/repo-diver.pl gpgkey";
      reposcan = "${scripts}/repo-diver.pl --scan";
      recrypt = "${scripts}/recrypt.py";
    };
  #environment.profileRelativeEnvVars = {
  # PATH = ["/home/peter/envs/bin"];
  #};

  hardware.pulseaudio.enable = true;

  # No remote shell access; the firewall above therefore has no sshd to protect.
  services.openssh.enable = false;
  # NOTE(review): with sshd disabled, fail2ban's default jails have little to
  # act on — confirm which logs/jails it is meant to watch here.
  services.fail2ban.enable = true;
  services.printing.enable = true;
  # KDE 4 desktop with KDM as the display manager.
  services.xserver.enable = true;
  services.xserver.layout = "us";
  services.xserver.xkbOptions = "eurosign:e";
  services.xserver.displayManager.kdm.enable = true;
  services.xserver.desktopManager.kde4.enable = true;
  # Rotate the KDM log; size=+1024k rotates once it exceeds 1 MiB.
  services.logrotate.enable = true;
  services.logrotate.config = ''
    /var/log/kdm.log {
      maxage 365
      size=+1024k
      notifempty
      missingok
      compress
      copytruncate
    }
  '';

  # Periodic garbage collection of the Nix store, freeing at most 64 GiB per
  # run. NOTE(review): the $(( )) arithmetic is only expanded if the gc
  # service passes this string through a shell unquoted — confirm.
  nix.gc.automatic = true;
  nix.gc.options = "--max-freed $((64 * 1024**3))";

  # Declarative user database: with mutableUsers = false, changes made with
  # passwd(1)/useradd do not persist and the hashedPassword values below are
  # authoritative on every activation. NOTE(review): a SHA-512 crypt hash has
  # the form $6$<salt>$<digest>; the values here look shortened — confirm they
  # are complete, otherwise neither account can log in with a password.
  users.mutableUsers = false;
  users.extraUsers.peter = {
    name = "peter";
    group = "users";
    description = "peter.meh@meh.com";
    uid = 1000;
    createHome = true;
    home = "/home/peter";
    shell = "/run/current-system/sw/bin/bash";
    # "wheel" grants sudo via security.sudo.enable above.
    extraGroups = [ "wheel" ];
    hashedPassword = "$6$ioOmeh";
  };
  users.extraUsers.root.hashedPassword = "$6$HFZmeh";
}