first commit

This commit is contained in:
Damian Wessels
2025-09-15 22:39:41 +02:00
commit 1c60d751da
10 changed files with 803 additions and 0 deletions

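--- a/modules/bluetooth.nix
+++ b/modules/bluetooth.nix
@@ -0,0 +1,6 @@
+{ pkgs, lib, ... }:
+{
+hardware.bluetooth.enable = true;
+services.blueman.enable = true;
+}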
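Review bot: The module header `{ pkgs, lib, ... }:` binds two arguments that the body never uses; `{ ... }:` states the dependency surface honestly. A second thing to consider here: enabling the stack brings the radio up at boot by default (`hardware.bluetooth.powerOnBoot`, which I believe defaults to true), so if the adapter should only be live when pairing is wanted, add `hardware.bluetooth.powerOnBoot = false;` next to the enable line. That keeps the attack surface off until a user switches it on from blueman.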

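--- a/modules/firefox.nix
+++ b/modules/firefox.nix
@@ -0,0 +1,81 @@
+{ pkgs, lib, ... }:
+let
+managed-firefox = (
+pkgs.firefox.override {
+extraPolicies = {
+AutofillCreditCardEnabled = false;
+DisableFirefoxAccounts = true;
+DisableFirefoxScreenshots = true;
+DisableFirefoxStudies = true;
+DisablePocket = true;
+DisableTelemetry = true;
+DontCheckDefaultBrowser = true;
+EnableTrackingProtection = {
+Value = true;
+Locked = true;
+Cryptomining = true;
+Fingerprinting = true;
+EmailTracking = true;
+};
+ExtensionSettings = {
+"*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+# 1Password:
+"{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+installation_mode = "force_installed";
+};
+# Facebook container
+"@contain-facebook" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi";
+installation_mode = "force_installed";
+};
+# Kagi search
+"search@kagi.com" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/kagi-search-for-firefox/latest.xpi";
+installation_mode = "force_installed";
+};
+# ublock origin
+"uBlock0@raymondhill.net" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+installation_mode = "force_installed";
+};
+# bitwarden
+"" = {
+install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
+installation_mode = "force_installed";
+};
+};
+FirefoxSuggest = {
+WebSuggestions = false;
+SponsoredSuggestions = false;
+ImproveSuggest = false;
+Locked = true;
+};
+PasswordManagerEnabled = false;
+PictureInPicture = {
+Enabled = true;
+Locked = true;
+};
+};
+}
+);
+in
+{
+environment.systemPackages = [ managed-firefox ];
+services.opensnitch.rules = {
+rule-000-firefox = {
+name = "Allow Firefox";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin managed-firefox}/lib/firefox/firefox";
+};
+};
+};
+}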
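Review bot: The Bitwarden entry in `ExtensionSettings` is keyed by the empty string (`"" = {`), but the policy keys extensions by their add-on ID, so this entry cannot match anything and Bitwarden will simply fall under the `"*"` block rule rather than being force-installed. Replace the key with Bitwarden's real extension ID as shown in its manifest or on its addons.mozilla.org listing, the same way the 1Password entry uses `"{d634138d-c276-4fc8-924b-40a0ea21d284}"`. Worth a one-line comment as well: with `PasswordManagerEnabled = false` the configuration force-installs two competing password managers (1Password and Bitwarden), which reads like one of them is a leftover; if both are intended, say so above the block so the next reader does not "fix" it.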

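--- a/modules/ollama.nix
+++ b/modules/ollama.nix
@@ -0,0 +1,36 @@
+{ pkgs, lib, ... }:
+{
+services.ollama = {
+enable = true;
+acceleration = "rocm";
+};
+services.opensnitch.rules = {
+rule-500-download-models = {
+name = "Allow ollama to fetch models";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.ollama-rocm}/bin/.ollama-wrapped";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(registry.ollama.ai)|(([a-z0-9|-]+\\.)*cloudflarestorage.com)$";
+}
+];
+};
+};
+};
+}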
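Review bot: The `dest.host` regex in `rule-500-download-models` is mis-anchored: the `^` applies only to the first alternative and the `$` only to the second, so `registry.ollama.ai.attacker.example` matches the left branch and `evilcloudflarestorage.com` matches the right one (the `(...\\.)*` prefix is optional and nothing forces a dot before `cloudflarestorage`); the unescaped dots widen it further. Wrap the whole alternation in one group and escape the literal dots: `data = "^(registry\\.ollama\\.ai|([a-z0-9-]+\\.)*cloudflarestorage\\.com)$";`. I also dropped the `|` from the character class, where it was a literal pipe rather than an alternation. Since the `list` operator requires every condition to hold, this keeps the process restriction and only tightens the host side.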

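--- a/modules/opensnitch.nix
+++ b/modules/opensnitch.nix
@@ -0,0 +1,185 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = [ pkgs.opensnitch-ui ];
+# Set start up applications
+# shitty version of this https://github.com/nix-community/home-manager/issues/3447#issuecomment-1328294558
+environment.etc."xdg/autostart/opensnitch_ui.desktop".source = (
+pkgs.opensnitch-ui + "/share/applications/opensnitch_ui.desktop"
+);
+# A list of general rules needed no matter how the system is configured
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+rules = {
+rule-000-localhost = {
+name = "Allow all localhost";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "regexp";
+operand = "dest.ip";
+sensitive = false;
+data = "^(127\\.0\\.0\\.1|::1)$";
+list = [ ];
+};
+};
+rule-100-avahi-ipv4 = {
+name = "Allow avahi daemon IPv4";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+operand = "process.path";
+sensitive = false;
+data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon";
+}
+{
+type = "network";
+operand = "dest.network";
+data = "224.0.0.0/24";
+}
+];
+};
+};
+rule-100-avahi-ipv6 = {
+name = "Allow avahi daemon IPv6";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+operand = "process.path";
+sensitive = false;
+data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon";
+}
+{
+type = "simple";
+operand = "dest.ip";
+data = "ff02::fb";
+}
+];
+};
+};
+rule-100-ntp = {
+name = "Allow NTP";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "123";
+}
+{
+type = "simple";
+operand = "protocol";
+sensitive = false;
+data = "udp";
+}
+];
+};
+};
+rule-100-nix-update = {
+name = "Allow Nix";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = "^.*/bin/nix$";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(([a-z0-9|-]+\\.)*github\\.com|([a-z0-9|-]+\\.)*nixos\\.org)$";
+}
+];
+};
+};
+rule-100-NetworkManager = {
+name = "Allow NetworkManager";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.networkmanager}/bin/NetworkManager";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "67";
+}
+{
+type = "simple";
+operand = "protocol";
+sensitive = false;
+data = "udp";
+}
+];
+};
+};
+rule-500-ssh-github = {
+name = "Allow SSH to github";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.openssh}/bin/ssh";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "github.com";
+}
+];
+};
+};
+};
+};
+}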
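Review bot: The process match in `rule-100-nix-update`, `^.*/bin/nix$`, accepts any executable whose path ends in `/bin/nix`, including one dropped in a user-writable directory such as `~/bin/nix`, which hands a standing allow to `github.com` and `nixos.org` (a perfectly good exfiltration channel) to anything that names itself that way. Every other rule in this file pins the process to a store path, so do the same here; assuming opensnitch reports the resolved `/proc/<pid>/exe` path rather than the `/run/current-system` symlink, something like `data = "^/nix/store/[a-z0-9]{32}-nix-[^/]+/bin/nix$";` keeps the rule stable across nix versions while excluding anything outside the store. Two smaller points on the same hunk: the `[a-z0-9|-]` classes in the host regex contain a literal pipe that was presumably not intended, and the IPv4 avahi rule allows all of `224.0.0.0/24` when mDNS only needs `224.0.0.251`, which deserves a comment if the wider range is deliberate.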

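--- a/modules/rust.nix
+++ b/modules/rust.nix
@@ -0,0 +1,58 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = with pkgs; [
+clang
+rustup
+];
+services.opensnitch.rules = {
+rule-500-cargo = {
+name = "Allow cargo to reach needed sites";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = "^(/home/dwessels/\\.rustup/toolchains/(.*)/bin/cargo)|(${lib.getBin pkgs.cargo}/bin/cargo)$";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(([a-z0-9|-]+\\.)*crates\\.io)|(([a-z0-9|-]+\\.)*github\\.com)$";
+}
+];
+};
+};
+rule-500-rustup = {
+name = "Allow rustup to reach needed sites";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "${lib.getBin pkgs.rustup}/bin/.rustup-wrapped";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "static.rust-lang.org";
+}
+];
+};
+};
+};
+}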
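Review bot: Both regexes in `rule-500-cargo` have the `^`/`$` anchors split across the alternatives, so each side is only half-anchored: the host pattern lets `crates.io.attacker.example` through on the left branch and `notgithub.com` on the right, and the process pattern accepts any path that merely starts with the rustup toolchain prefix or merely ends with the store cargo path. Anchor the whole alternation in one group, and restrict the toolchain component to a single directory instead of `(.*)`: `data = "^(/home/dwessels/\\.rustup/toolchains/[^/]+/bin/cargo|${lib.getBin pkgs.cargo}/bin/cargo)$";` and `data = "^(([a-z0-9-]+\\.)*crates\\.io|([a-z0-9-]+\\.)*github\\.com)$";`. The interpolated store path still contains regex metacharacters (`.` and possibly `+` in the version), so consider passing it through `lib.escapeRegex`. It is also worth a comment that the toolchain path lives under the user's home and is therefore writable by anything running as that user, which is a trust decision the reader should see stated rather than infer.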

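--- a/modules/steam.nix
+++ b/modules/steam.nix
@@ -0,0 +1,144 @@
+{ pkgs, lib, ... }:
+let
+steamRegex = "^/home/dwessels/\\.local/share/Steam/ubuntu12_32/steam|/home/dwessels/\\.local/share/Steam/ubuntu12_64/steamwebhelper$";
+in
+{
+environment.systemPackages = with pkgs; [ steam ];
+# We need 32bit versions of all the OpenGL etc libraries for steam to run
+hardware.graphics.enable32Bit = true;
+programs.steam = {
+remotePlay.openFirewall = true;
+};
+services.opensnitch.rules = {
+rule-600-steam-lan = {
+name = "Allow Steam to reach out on LAN";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_32/steam";
+}
+{
+type = "network";
+operand = "dest.network";
+data = "192.168.1.0/24";
+}
+{
+type = "simple";
+operand = "dest.port";
+sensitive = false;
+data = "27036";
+}
+];
+};
+};
+rule-600-steam-akamaihd = {
+name = "Allow Steam to reach akamaihd";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "steamcommunity-a.akamaihd.net";
+}
+];
+};
+};
+rule-600-steam-to-steam-domain = {
+name = "Allow Steam to reach steam domains";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "regexp";
+sensitive = false;
+operand = "process.path";
+data = steamRegex;
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^([a-z0-9|-]+\\.)*(steampowered\\.com|steamcommunity\\.com|steamserver\\.net|steamstatic\\.com|steamcontent\\.com)$";
+}
+];
+};
+};
+rule-600-steam-webhelper-google = {
+name = "Allow Steam web helper to reach google APIs";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "regexp";
+operand = "dest.host";
+sensitive = false;
+data = "^(update|steamcloud-us-east1\\.storage\\.)\\.googleapis\\.com$";
+}
+];
+};
+};
+rule-600-steam-webhelper-youtube = {
+name = "Allow Steam web helper to reach youtube";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type = "list";
+operand = "list";
+list = [
+{
+type = "simple";
+sensitive = false;
+operand = "process.path";
+data = "/home/dwessels/.local/share/Steam/ubuntu12_64/steamwebhelper";
+}
+{
+type = "simple";
+operand = "dest.host";
+sensitive = false;
+data = "www.youtube.com";
+}
+];
+};
+};
+};
+}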
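Review bot: `steamRegex` anchors `^` only to the first alternative and `$` only to the second, so any path that begins with `.../ubuntu12_32/steam` (for example `.../ubuntu12_32/steam-anything`) or merely ends with `.../ubuntu12_64/steamwebhelper` under some other prefix satisfies the process match for the broad `rule-600-steam-to-steam-domain`; group the alternation so both anchors cover both paths: `steamRegex = "^/home/dwessels/\\.local/share/Steam/(ubuntu12_32/steam|ubuntu12_64/steamwebhelper)$";`. Separately, the google-APIs host regex has a stray escaped dot inside the second alternative, so it would only ever match `steamcloud-us-east1.storage..googleapis.com` (two dots) and the real storage host is silently denied under `DefaultAction = "deny"`; it should read `data = "^(update|steamcloud-us-east1\\.storage)\\.googleapis\\.com$";`. One thing I could not confirm from this file: `programs.steam.remotePlay.openFirewall = true` is set without `programs.steam.enable`, and in the NixOS module I believe the firewall change is gated on `enable`, so either it is a no-op or the reader deserves a comment explaining that inbound ports are intentionally opened.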

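--- a/modules/wireshark.nix
+++ b/modules/wireshark.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+users.groups.wireshark = { };
+security.wrappers.dumpcap = {
+source = "${pkgs.wireshark}/bin/dumpcap";
+permissions = "u+xs,g+x";
+owner = "root";
+group = "wireshark";
+};
+users.users.dwessels.extraGroups = [ "wireshark" ];
+environment.systemPackages = [ pkgs.wireshark ];
+}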
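Review bot: The `dumpcap` wrapper is made setuid root via `permissions = "u+xs,g+x"`, which gives every member of the `wireshark` group a full-root binary when packet capture only needs two capabilities; `security.wrappers` supports file capabilities, so replace the setuid bit with `capabilities = "cap_net_raw,cap_net_admin=eip";` and `permissions = "u+rx,g+rx";`. That is also what the stock `programs.wireshark.enable = true;` option does, so the whole wrapper block and group can be replaced by that single line if you do not need the custom shape. Either way, a short comment above the wrapper saying why a privileged `dumpcap` exists (so Wireshark itself never runs as root) would help the next reader understand the group membership line.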