From 0f64a9ff0ca13ab4a743e5e56bb9ce28bc6c44a8 Mon Sep 17 00:00:00 2001 From: LavaDesu Date: Sun, 7 Jul 2024 12:24:14 +1000 Subject: [PATCH 1/5] flake: lock inputs --- flake.lock | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/flake.lock b/flake.lock index 991f21e..84ae1c0 100644 --- a/flake.lock +++ b/flake.lock @@ -287,6 +287,27 @@ "type": "github" } }, + "home-manager-stable": { + "inputs": { + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, "home-manager_2": { "inputs": { "nixpkgs": [ @@ -507,6 +528,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1710283656, + "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1705133751, @@ -579,6 +616,7 @@ "fast-syntax-highlighting": "fast-syntax-highlighting", "home-manager": "home-manager_2", "home-manager-raccoon": "home-manager-raccoon", + "home-manager-stable": "home-manager-stable", "hosts-blocklists": "hosts-blocklists", "linux-tkg": "linux-tkg", "neovim-nightly": "neovim-nightly", @@ -587,6 +625,7 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "nixpkgs-raccoon": "nixpkgs-raccoon", + "nixpkgs-stable": "nixpkgs-stable", "nvim-treesitter": "nvim-treesitter", "packwiz": "packwiz", "pure": "pure", From 0198191f38892306b43d4e80ae8b727b8d1d5994 Mon Sep 17 00:00:00 2001 
From: LavaDesu
Date: Sun, 7 Jul 2024 12:34:07 +1000
Subject: [PATCH 2/5] dandelion/filesystem: fix missing lib

---
 hosts/dandelion/filesystem.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/dandelion/filesystem.nix b/hosts/dandelion/filesystem.nix
index 55c9c2a..d37cb1f 100644
--- a/hosts/dandelion/filesystem.nix
+++ b/hosts/dandelion/filesystem.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
   bind = src: {
     depends = [ "/nix" ];

From 30ba40e2ac48a89df1c81022f3290039c6be5255 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Sun, 7 Jul 2024 12:35:06 +1000
Subject: [PATCH 3/5] users/hana: change hashed password and enable zsh

---
 users/hana/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/users/hana/default.nix b/users/hana/default.nix
index 0e9276f..482323f 100644
--- a/users/hana/default.nix
+++ b/users/hana/default.nix
@@ -1,10 +1,11 @@
 { config, lib, modules, pkgs, ... }: {
+  programs.zsh.enable = true;
   users.users.hana = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
     shell = pkgs.zsh;
     uid = 1002;
-    hashedPassword = "$y$j9T$BxnsFaGwBfSKe4jAJaaxI.$cpFtu8fzFhKalIV3WGuA2jz4//KJBwhiybpnlmoZPy.";
+    hashedPassword = "$y$j9T$3xCNDudmfrIu5VfQQoDkj/$ugzJWq0gORN9jnhDsREu31CkL3zwniQu6KoLbmg6Wr/";
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15 rin@blossom"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5l9t8dc6mPsKKYqZlPKvhOdyqz+DS5UOcvHuh3uVGt @strawberry"

From 211a9417f801a3dfd4124efd02a757959ed70b98 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Sun, 7 Jul 2024 12:38:23 +1000
Subject: [PATCH 4/5] hosts/dandelion: add postgres, and lock to v13

---
 hosts/dandelion/default.nix   | 2 ++
 modules/services/postgres.nix | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index c3fd0a1..735cd03 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
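Review bot: The new yescrypt hash on the `hashedPassword` line is committed to the repository and, like every string in a NixOS configuration, is copied into the world-readable Nix store of each machine that evaluates it, so anyone with read access to the repo or to `/nix/store` on a host can run an offline guessing attack against it; with `hana` in `wheel` that same hash also gates sudo. Prefer `hashedPasswordFile = <path to a file delivered outside git and the store>;` so the hash never enters either, and note that the previous hash stays in git history regardless, so the old password should be considered exposed if it is reused anywhere. The `users.users.hana` attrset continues past the end of the hunk.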
@@ -14,6 +14,8 @@
   security
   #wireguard
+  modules.services.postgres
+
   ./filesystem.nix
   ./kernel.nix
   ./networking.nix
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
index 8be69ea..bffdcee 100644
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
   uid = toString config.ids.uids.postgres;
@@ -8,6 +8,7 @@ in {
   services.postgresql = {
     enable = true;
     dataDir = dir;
+    package = pkgs.postgresql_13;
     authentication = lib.mkOverride 10 ''
       #type database DBuser origin-address auth-method
       local all all trust

From 86bfff26f78c85cd1d2b871f089273b376285822 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Tue, 2 Jul 2024 12:31:41 +1000
Subject: [PATCH 5/5] system/security: don't log refused connections

---
 modules/system/security.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/system/security.nix b/modules/system/security.nix
index 6e44eae..602f108 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -11,6 +11,7 @@
   allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
   allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
   trustedInterfaces = [ "wg0" ];
+  logRefusedConnections = false;
   extraCommands = genCmds "I";
   extraStopCommands = genCmds "D";
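Review bot: `package = pkgs.postgresql_13;` pins the server to the oldest major still receiving fixes at the time of this commit (13 leaves upstream support in late 2025 under the PostgreSQL versioning policy), and because `dir` is keyed on `psqlSchema` a later bump will start from an empty `/persist/postgresql/<schema>` directory rather than the existing data, so the pin cannot simply be changed without a dump/restore or pg_upgrade step; that constraint and the reason for 13 should be recorded at the line, e.g. `package = pkgs.postgresql_13; # data dir is keyed on psqlSchema: migrate with pg_upgrade before bumping`. Separately, the `local all all trust` rule this hunk keeps as context lets any local OS account connect over the socket as any role, including the `postgres` superuser, so a compromised service account on the host is one `psql` away from the database; unless something outside this module restricts socket access, `local all all peer` (with per-service roles mapped to their Unix users) would close that, though it is pre-existing rather than introduced here. The `services.postgresql` attrset continues past the end of the hunk.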