# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
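{ config, pkgs, ... }:

# NixOS system module for the workstation "thunderbird": LUKS-encrypted root,
# KDE4 desktop, declarative users, and a set of kernel/network hardening
# sysctls. Option names are the ones this configuration was written against
# (users.extraUsers, i18n.consoleFont, displayManager.kdm, ...); renaming them
# is a separate migration, not attempted here.
{
  imports = [
    # Results of the hardware scan (nixos-generate-config).
    ./hardware-configuration.nix
  ];

  # Kernel selection.
  #
  # NOTE(review): linuxPackages_3_14 pins a kernel series that no longer
  # receives upstream security fixes (3.14 reached end-of-life in 2016).
  # Unless hardware forces it, prefer the release default
  # (pkgs.linuxPackages) or a currently maintained LTS so CVE fixes keep
  # arriving with nixos-rebuild. The grsecurity variant was left disabled by
  # the author; "kernel.grsecurity.grsec_lock" in the sysctl block below only
  # has an effect when one of these grsecurity kernels is actually booted.
  boot.kernelPackages = pkgs.linuxPackages_3_14;
  #boot.kernelPackages = pkgs.linuxPackages_grsecurity_stable;

  nixpkgs.config = {
    # Needed for the proprietary packages in systemPackages (skype).
    allowUnfree = true;

    # Author's earlier grsecurity experiment, kept for reference (disabled).
    #grsecurity = true;
    #packageOverrides = pkgs: {
    #  linuxPackages = pkgs.linuxPackages_grsecurity_stable;
    #  stdenv = pkgs.stdenv // {
    #    platform = pkgs.stdenv.platform // {
    #      kernelExtraConfig = ''
    #        XEN n
    #        HIBERNATION n
    #        DEVKMEM? n
    #        GRKERNSEC y
    #        GRKERNSEC_CONFIG_AUTO y
    #        GRKERNSEC_CONFIG_DESKTOP y
    #        GRKERNSEC_CONFIG_VIRT_HOST y
    #        GRKERNSEC_CONFIG_VIRT_EPT y
    #        GRKERNSEC_CONFIG_VIRT_KVM y
    #        GRKERNSEC_CONFIG_PRIORITY_SECURITY y
    #        GRKERNSEC_PROC_USER y
    #        GRKERNSEC_PROC_GID 0
    #        GRKERNSEC_CHROOT_CHMOD n
    #      '';
    #    };
    #  };
    #};
  };

  # Second, module-based form of the same grsecurity experiment (disabled).
  #security.grsecurity = {
  #  enable = true;
  #  stable = true;
  #  config = {
  #    verboseVersion = true;
  #    priority = "security";
  #    system = "desktop";
  #    virtualisationConfig = "host";
  #    hardwareVirtualisation = true;
  #    virtualisationSoftware = "kvm";
  #    kernelExtraConfig = ''
  #      XEN n
  #      HIBERNATION n
  #      DEVKMEM? n
  #    '';
  #  };
  #};

  # Kernel and network hardening. These are applied at boot; a key that the
  # running kernel does not provide is rejected as unknown and skipped, it
  # does not abort activation.
  boot.kernel.sysctl = {
    # Only meaningful on a grsecurity kernel: once set, the grsec sysctls can
    # no longer be changed at runtime. Inert (logged as unknown) on the
    # vanilla kernel selected above.
    "kernel.grsecurity.grsec_lock" = 1;

    # --- IPv4 ---
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;      # no smurf amplification
    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
    "net.ipv4.tcp_syncookies" = 1;                   # SYN-flood resilience
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv4.conf.all.rp_filter" = 1;               # strict reverse-path filter
    "net.ipv4.conf.default.rp_filter" = 1;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    # Workstation, not a router. NOTE(review): libvirt NAT networks enable
    # forwarding themselves when they start, so if virtualisation.libvirtd
    # is switched on later, expect this value to be overridden at runtime.
    "net.ipv4.ip_forward" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    "net.ipv4.tcp_synack_retries" = 2;
    "net.ipv4.tcp_rfc1337" = 1;                      # TIME-WAIT assassination

    # --- IPv6 ---
    # The original only set the per-interface "default" keys. "all" is set as
    # well so interfaces that already exist when sysctl runs are covered,
    # mirroring the IPv4 entries above. accept_ra and accept_redirects were
    # missing entirely, although the accept_ra_* sub-knobs show the intent.
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.default.router_solicitations" = 0;
    "net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
    "net.ipv6.conf.default.accept_ra_pinfo" = 0;
    "net.ipv6.conf.default.accept_ra_defrtr" = 0;
    "net.ipv6.conf.default.autoconf" = 0;
    # NOTE(review): dad_transmits = 0 disables Duplicate Address Detection.
    # That is not a hardening measure and can let two hosts claim the same
    # address; kept because the author chose it, but consider dropping it.
    "net.ipv6.conf.default.dad_transmits" = 0;
    "net.ipv6.conf.default.max_addresses" = 1;

    # --- kernel ---
    "kernel.sysrq" = 0;                              # no magic SysRq
    # Full ASLR. The original value 1 randomises stack, mmap and VDSO but
    # leaves the heap (brk) base fixed; 2 is the upstream default and adds
    # brk randomisation, so 1 was a regression rather than a hardening.
    "kernel.randomize_va_space" = 2;
    # Hide kernel pointers from unprivileged /proc readers and keep the
    # kernel log (addresses, driver details) root-only.
    "kernel.kptr_restrict" = 1;
    "kernel.dmesg_restrict" = 1;
    # Classic world-writable-directory symlink/hardlink race mitigations.
    "fs.protected_symlinks" = 1;
    "fs.protected_hardlinks" = 1;
    # "kernel.exec-shield" was removed: it is a Red Hat/Fedora-specific
    # sysctl that does not exist in mainline kernels, so it could only ever
    # be rejected as an unknown key here.
  };

  # Root filesystem is on LUKS; the initrd asks for the passphrase before
  # LVM is activated. NOTE(review): "/dev/sda3" depends on enumeration
  # order; /dev/disk/by-uuid/<uuid> is the stable form. Kernel and initrd on
  # the GRUB partition stay unencrypted, so this protects data at rest, not
  # boot integrity.
  boot.initrd.luks.devices = [
    { name = "root"; device = "/dev/sda3"; preLVM = true; }
  ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/sda";
  };

  time.timeZone = "Asia/Hong_Kong";

  networking = {
    hostName = "thunderbird";
    firewall = {
      enable = true;
      # NOTE(review): nothing in this file starts a listener on 28303 or 443
      # (openssh is disabled below). Open inbound ports only together with
      # the service that needs them, and record what 28303 is for.
      allowedTCPPorts = [ 28303 443 ];
    };
    # NixOS already maps localhost; this entry is redundant but harmless.
    extraHosts = ''
      127.0.0.1 localhost
    '';
  };

  # networking.wireless.enable = true; # Enables wireless.

  # Members of "wheel" (peter, below) get sudo. The module default requires
  # the user's own password (security.sudo.wheelNeedsPassword = true).
  security.sudo.enable = true;

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "us";
    defaultLocale = "en_US.UTF-8";
  };

  # Priority 0 beats every other definition of EDITOR, including mkForce.
  environment.variables.EDITOR = pkgs.lib.mkOverride 0 "vim";

  # "sudo" is already provided by security.sudo; listing it again is
  # redundant but harmless. skype is the unfree package that needs
  # allowUnfree above. gnupg1orig is the legacy GnuPG 1.x branch.
  environment.systemPackages = with pkgs; [
    wget vim sudo psmisc gnupg1orig pwgen subversion tcpdump
    git groff awscli
    thunderbird firefoxWrapper skype chromium
    virtmanager kvm qemu libvirt
    perlPackages.DateTimeFormatStrptime perlPackages.DBDSQLite
  ];
  # keepass
  # gnome3.seahorse
  # kde4.kwalletmanager keychain

  # Interactive shell shortcuts. The find*/reposcan entries call a personal
  # secrets-scanning script by absolute path; they only work for that user
  # and only while the script exists at that location.
  programs.bash.shellAliases = {
    restart = "systemctl restart";
    start = "systemctl start";
    status = "systemctl status";
    stop = "systemctl stop";
    which = "type -P";     # shadows the which(1) binary in interactive shells
    ll = "ls -al";
    findpass = "/home/peter/Documents/Scripts/repo-diver.pl password";
    findhow = "/home/peter/Documents/Scripts/repo-diver.pl hostconfig";
    findssh = "/home/peter/Documents/Scripts/repo-diver.pl sshkey";
    findgpg = "/home/peter/Documents/Scripts/repo-diver.pl gpgkey";
    reposcan = "/home/peter/Documents/Scripts/repo-diver.pl --scan";
    recrypt = "/home/peter/Documents/Scripts/recrypt.py";
  };

  #environment.profileRelativeEnvVars = {
  #  PATH = ["/home/peter/envs/bin"];
  #};

  programs.bash.enableCompletion = true;
  hardware.pulseaudio.enable = true;

  services = {
    # No remote shell on this box; nothing listens on 22.
    openssh.enable = false;
    # NOTE(review): fail2ban's stock jail targets sshd, which is disabled
    # here, so without extra jails it has nothing to act on.
    fail2ban.enable = true;
    printing.enable = true;
    xserver = {
      enable = true;
      layout = "us";
      xkbOptions = "eurosign:e";
      displayManager.kdm.enable = true;
      desktopManager.kde4.enable = true;
    };
    # kdm does not reopen its log on rotation, hence copytruncate.
    logrotate = {
      enable = true;
      config = ''
        /var/log/kdm.log {
          maxage 365
          size=+1024k
          notifempty
          missingok
          compress
          copytruncate
        }
      '';
    };
  };

  # Periodic store garbage collection. The options string goes through a
  # shell in the nix-gc service, so the arithmetic expands to 64 GiB.
  nix.gc = {
    automatic = true;
    options = "--max-freed $((64 * 1024**3))";
  };

  # Declarative users only: nixos-rebuild (re)writes /etc/passwd and
  # /etc/shadow from this file, and a `passwd` change does not survive the
  # next rebuild.
  users.mutableUsers = false;
  users.extraUsers = {
    peter = {
      name = "peter";
      group = "users";
      description = "peter.meh@meter.com";
      uid = 1000;
      createHome = true;
      home = "/home/peter";
      shell = "/run/current-system/sw/bin/bash";
      extraGroups = [ "wheel" ];
      # NOTE(review): "$6$ioOmeh" is not a complete SHA-512 crypt hash (the
      # real value was presumably redacted before pasting). An invalid hash
      # never matches, so the account is effectively password-locked until a
      # full hash from `mkpasswd -m sha-512` is supplied. Also be aware that
      # configuration.nix is copied into the world-readable Nix store, so a
      # real hash placed here is readable by every local user and can be
      # cracked offline; newer NixOS releases offer a passwordFile option
      # that keeps the hash out of the store — check whether yours has it.
      hashedPassword = "$6$ioOmeh";
    };
    root = {
      # Same caveats as above. With sudo available to wheel, root needs no
      # interactive password at all: omitting hashedPassword (or setting it
      # to "!") keeps the account locked.
      hashedPassword = "$6$HFZmeh";
    };
  };
}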