From 5c1ec4d677eedcc5a54a7502c254eb1d4e4f5463 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Mon, 12 Aug 2024 03:28:24 -0400 Subject: [PATCH] Make the firewall managed completely on the server --- PC/configuration.nix | 45 +++--- PC/jimbo.nix | 326 +++++++++++++++++++------------------------ 2 files changed, 168 insertions(+), 203 deletions(-) diff --git a/PC/configuration.nix b/PC/configuration.nix index 9ac06cb..ce024b2 100644 --- a/PC/configuration.nix +++ b/PC/configuration.nix @@ -39,6 +39,10 @@ in inherit pkgs; config.allowUnfree = true; }; + nur = import (builtins.fetchTarball + "https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; }; }; @@ -102,12 +106,12 @@ in hardware.enableRedistributableFirmware = true; # Enable the Nouveau drivers - services.xserver.videoDrivers = [ "nouveau" ]; - #hardware.nvidia = { - # modesetting.enable = true; - # nvidiaSettings = false; - # package = config.boot.kernelPackages.nvidiaPackages.beta; - #}; + services.xserver.videoDrivers = [ "nvidia" ]; + hardware.nvidia = { + modesetting.enable = true; + nvidiaSettings = false; + package = config.boot.kernelPackages.nvidiaPackages.beta; + }; # Enable a permissioning system security = { @@ -174,8 +178,6 @@ in enable = true; driSupport = true; driSupport32Bit = true; - package = pkgs.unstable.mesa.drivers; - package32 = pkgs.unstable.pkgsi686Linux.mesa.drivers; extraPackages = with pkgs; [ vulkan-loader vulkan-validation-layers @@ -201,20 +203,12 @@ in # Enable nftables over iptables nftables.enable = true; - # Enable firewall passthrough + # Enable firewall firewall = { - allowedTCPPorts = [ - # Sunshine TCP - 47984 47989 48010 - ]; - allowedUDPPorts = [ - # Sunshine UDP - 47998 47999 48000 - - # Games - 27005 27015 7777 - ]; allowPing = false; + extraInputRules = '' + ip saddr 192.168.2.11 accept comment "Accept Server Connections" + ''; }; # Set hostnames 
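Review bot: The NUR import added in the `@@ -39,6 +39,10 @@` hunk fetches `master.tar.gz` with no revision and no `sha256`, so the extension set later installed through `pkgs.nur.repos.rycee.firefox-addons` is whatever the NUR repository holds at evaluation time, and the download itself is not integrity-checked. The other tarball fetches in this patch are pinned with a hash; this one should be too: `nur = import (builtins.fetchTarball { url = "https://github.com/nix-community/NUR/archive/<PINNED-REV>.tar.gz"; sha256 = "<HASH>"; }) { inherit pkgs; };` (placeholders to fill in). The enclosing attribute set starts before the hunk.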
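Review bot: `ip saddr 192.168.2.11 accept` in the new `extraInputRules` of the `@@ -201,20 +203,12 @@` hunk admits every port and protocol from that address, which is wider than the TCP/UDP port lists it replaces, and because the rule carries no protocol match it also lets that host ping despite `allowPing = false`. The whole inbound trust decision now rests on one source address, which any host on the same segment can spoof and which gives a compromised server full reach into this machine; if only specific forwarded services are needed, match them explicitly, e.g. `ip saddr 192.168.2.11 tcp dport { <PORTS> } accept` plus the UDP equivalent. At minimum the comment should state the scope: `# The server at 192.168.2.11 is trusted for all inbound traffic; nothing is opened for anyone else`.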
@@ -364,6 +358,7 @@ in # Enable SSH services.openssh = { enable = true; + openFirewall = false; settings = { LogLevel = "VERBOSE"; PermitRootLogin = "no"; @@ -376,7 +371,8 @@ in # Block SSH connections after numerous attempts services.fail2ban = { enable = true; - maxretry = 10; + maxretry = 5; + bantime = "5m"; }; # Enable AppImages @@ -385,6 +381,13 @@ in binfmt = true; }; + # Enable Sunshine as a service + services.sunshine = { + enable = true; + settings.port = 57989; + autoStart = false; + }; + # Enable MPD services.mpd = { enable = true; diff --git a/PC/jimbo.nix b/PC/jimbo.nix index fef2bfb..7dd2f9d 100644 --- a/PC/jimbo.nix +++ b/PC/jimbo.nix @@ -141,17 +141,6 @@ let esac } - # Media launcher - handle_media() { - RET=$(echo -e "YouTube\nMusic\nHistory\nAnime" | bemenu ${bemenuOpts} -p "Media") - case $RET in - YouTube) ytfzf -D;; - Music) ytfzf -D -m;; - History) ytfzf -D -H;; - Anime) ${terminal} ani-cli -q 720;; - esac - } - # Resolutions handle_resolutions() { RET=$(echo -e "Default\nWide\nGPU2" | bemenu ${bemenuOpts} -p "Resolutions") @@ -1153,29 +1142,6 @@ let s:/home/jimbo/JimboNFS/School ''; - # Sunshine apps config - sunshineApps = '' - { - "env": { - "PATH": "$(PATH):$(HOME)\/.local\/bin" - }, - "apps": [{ - "name": "Desktop", - "image-path": "desktop.png" - }] - } - ''; - - # ytfzf config - ytfzfConf = '' - external_menu () { - bemenu ${bemenuOpts} -s -l 30 -p "Search" - } - video_player () { - mpv --loop-playlist=no --keep-open=yes "$@" - } - ''; - # Some sound settings use alsoft, which needs to be configured to use pipewire alsoftConf = '' drivers=pulse @@ -1187,7 +1153,7 @@ let user_interface = "alternative" ''; - # FireFox/LibreWolf colors + # FireFox colors foxJimCol = '' :root { --tab-active-bg-color: #${primeCol}; @@ -1351,6 +1317,7 @@ let #TabsToolbar, .tabbrowser-tab { max-height: var(--tab-min-height) !important; font-size: 14px !important; + outline: none !important; } /* Change color of normal tabs */ 
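Review bot: The tightened `maxretry = 5` with `bantime = "5m"` interacts with the firewall hunk of this patch, where `ip saddr 192.168.2.11 accept` is the only inbound rule and sshd now has `openFirewall = false`: the server is the only outside address that can reach sshd, so five failed logins arriving through it ban the server address and cut the one remaining SSH path. If client connections are relayed through the server, as the commit message suggests but the hunk does not show, fail2ban on this host cannot tell clients apart and brute-force handling belongs on the server. Either way the trade-off should be recorded, e.g. `# With the firewall accepting only the server, a ban here targets 192.168.2.11 itself`; `ignoreIP = [ "192.168.2.11" ];` avoids the lockout but makes the jail a no-op for relayed traffic.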
@@ -1470,75 +1437,6 @@ let overflow: hidden !important; } ''; - foxProfiles = '' - [Profile0] - Name=Jimbo - IsRelative=1 - Path=Jimbo - Default=1 - - [Profile1] - Name=School - IsRelative=1 - Path=School - - [Profile2] - Name=Variety - IsRelative=1 - Path=Variety - - [General] - StartWithLastProfile=1 - Version=2 - ''; - foxUserJS = '' - // Enable Compact Mode - user_pref("browser.uidensity", 1); - - // Tracking protection - user_pref("browser.contentblocking.category", "strict"); - user_pref("urlclassifier.trackingSkipURLs", "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com"); - user_pref("urlclassifier.features.socialtracking.skipURLs", "*.instagram.com, *.twitter.com, *.twimg.com"); - user_pref("network.cookie.sameSite.noneRequiresSecure", true); - user_pref("browser.helperApps.deleteTempFileOnExit", true); - user_pref("browser.uitour.enabled", false); - user_pref("privacy.globalprivacycontrol.enabled", true); - user_pref("privacy.globalprivacycontrol.functionality.enabled", true); - - // Disable Telemetry - user_pref("datareporting.policy.dataSubmissionEnabled", false); - user_pref("datareporting.healthreport.uploadEnabled", false); - user_pref("toolkit.telemetry.unified", false); - user_pref("toolkit.telemetry.enabled", false); - user_pref("toolkit.telemetry.server", "data:,"); - user_pref("toolkit.telemetry.archive.enabled", false); - user_pref("toolkit.telemetry.newProfilePing.enabled", false); - user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); - user_pref("toolkit.telemetry.updatePing.enabled", false); - user_pref("toolkit.telemetry.bhrPing.enabled", false); - user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); - user_pref("toolkit.telemetry.coverage.opt-out", true); - user_pref("toolkit.coverage.opt-out", true); - user_pref("toolkit.coverage.endpoint.base", ""); - user_pref("browser.ping-centre.telemetry", false); - user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); - 
user_pref("browser.newtabpage.activity-stream.telemetry", false); - - // Disable Experiments - user_pref("app.shield.optoutstudies.enabled", false); - user_pref("app.normandy.enabled", false); - user_pref("app.normandy.api_url", ""); - - // Disable Crash Reports - user_pref("breakpad.reportURL", ""); - user_pref("browser.tabs.crashReporting.sendReport", false); - user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); - - // Detection - user_pref("captivedetect.canonicalURL", ""); - user_pref("network.captive-portal-service.enabled", false); - user_pref("network.connectivity-service.enabled", false); - ''; in { @@ -1573,7 +1471,7 @@ in remmina freerdp globalprotect-openconnect python3 zoom-us # Audio/Video tools - yt-dlp ytfzf spotdl ani-cli playerctl ffmpeg + yt-dlp spotdl ani-cli playerctl ffmpeg # Unlimited games steam steam-run heroic mangohud prismlauncher @@ -1582,7 +1480,7 @@ in #dolphin-emu cemu ryujinx duckstation pcsx2 unstable.lime3ds # Remote desktop - sunshine #moonlight-qt + #moonlight-qt # Window manager apps swaybg wdisplays wl-clipboard clipman bemenu @@ -1658,14 +1556,13 @@ in { command = "wl-paste -t text --watch clipman store -P"; } { command = "wl-copy"; } { command = "mako"; } - { command = "sunshine"; } { command = "${pkgs.rot8}/bin/rot8"; } # Polkit agent { command = "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"; } # Foreground apps - { command = "librewolf -P Variety --name=Variety"; } + { command = "librewolf -P Misc --name=MiscBrowser"; } { command = "vesktop --ozone-platform-hint=auto"; } { command = "element-desktop"; } { command = "thunderbird"; } 
@@ -1788,9 +1685,9 @@ in ## Launcher keys # LibreWolf profiles - "${primeMod}+F1" = ''exec librewolf -P Jimbo --name=JimBrowser | ${sendNotif} "LibreWolf Main"''; - "${primeMod}+F2" = ''exec librewolf -P School --name=SchoolBrowser | ${sendNotif} "LibreWolf School"''; - "${primeMod}+F3" = ''exec librewolf -P Variety --name=Variety | ${sendNotif} "LibreWolf Variety"''; + "${primeMod}+F1" = ''exec librewolf -P Jimbo --name=JimBrowser | ${sendNotif} "Main Browser"''; + "${primeMod}+F2" = ''exec librewolf -P School --name=SchoolBrowser | ${sendNotif} "School Browser"''; + "${primeMod}+F3" = ''exec librewolf -P Misc --name=MiscBrowser | ${sendNotif} "Miscellaneous Browser"''; # Discord "${primeMod}+F4" = ''exec vesktop --ozone-platform-hint=auto | ${sendNotif} "Discord"''; @@ -1849,13 +1746,13 @@ in "XF86AudioStop" = ''exec mpc stop''; # Play MPD, Firefox, or MPV - "XF86AudioPlay" = ''exec playerctl --player=firefox play-pause''; + "XF86AudioPlay" = ''exec playerctl --player=librewolf play-pause''; "Ctrl+XF86AudioPlay" = ''exec playerctl --player=mpv play-pause''; "${altMod}+XF86AudioPlay" = ''exec mpc toggle''; # Next/Previous - "XF86AudioNext" = ''exec playerctl --player=firefox next''; - "XF86AudioPrev" = ''exec playerctl --player=firefox previous''; + "XF86AudioNext" = ''exec playerctl --player=librewolf next''; + "XF86AudioPrev" = ''exec playerctl --player=librewolf previous''; "${altMod}+XF86AudioNext" = ''exec mpc next''; "${altMod}+XF86AudioPrev" = ''exec mpc prev''; @@ -2038,7 +1935,7 @@ in # Browsers "${w1}" = [{ app_id = "JimBrowser"; }]; "${w1a}" = [{ app_id = "SchoolBrowser"; }]; - "${w7}" = [{ app_id = "Variety"; }]; + "${w7}" = [{ app_id = "MiscBrowser"; }]; # Communication "${w3a}" = [{ class = "zoom"; }]; 
@@ -2095,9 +1992,9 @@ in all-outputs = true; tooltip = false; rewrite = { - "(.*) — LibreWolf" = " $1"; - "LibreWolf" = " LibreWolf"; - "(.*) - YouTube — LibreWolf" = "󰗃 $1"; + "(.*) — Firefox" = " $1"; + "Firefox" = " Firefox"; + "(.*) - YouTube — Firefox" = "󰗃 $1"; }; }; @@ -2548,27 +2445,35 @@ in }; # GTK app bookmarks - gtk3.bookmarks = [ - # Local - "file:///home/jimbo/Downloads" - "file:///home/jimbo/Documents" - "file:///home/jimbo/Videos" - "file:///home/jimbo/Pictures/Screenshots" + gtk3 = { + bookmarks = [ + # Local + "file:///home/jimbo/Downloads" + "file:///home/jimbo/Documents" + "file:///home/jimbo/Videos" + "file:///home/jimbo/Pictures/Screenshots" - # Remote - "file:///home/jimbo/JimboNFS/Downloads" - "file:///home/jimbo/JimboNFS/Documents" - "file:///home/jimbo/JimboNFS/Music" - "file:///home/jimbo/JimboNFS/Photos" - "file:///home/jimbo/JimboNFS/Videos" - "file:///home/jimbo/JimboNFS/Projects" + # Remote + "file:///home/jimbo/JimboNFS/Downloads" + "file:///home/jimbo/JimboNFS/Documents" + "file:///home/jimbo/JimboNFS/Music" + "file:///home/jimbo/JimboNFS/Photos" + "file:///home/jimbo/JimboNFS/Videos" + "file:///home/jimbo/JimboNFS/Projects" - # Links and mounts - "file:///home/jimbo/VMs" + # Links and mounts + "file:///home/jimbo/VMs" - # More important stuff - "file:///home/jimbo/JimboNFS/School" - ]; + # More important stuff + "file:///home/jimbo/JimboNFS/School" + ]; + + # Disable shadows + extraCss = '' + * { outline-width: 0px; } + decoration { box-shadow: none; } + ''; + }; # Stop gtk4 from being rounded gtk4.extraCss = '' 
@@ -2600,25 +2505,103 @@ in }; }; - # Install LibreWolf with settings - programs.librewolf = { - enable = true; - package = pkgs.librewolf; - settings = { - "general.autoScroll" = true; - "browser.compactmode.show" = true; + # Enable Librewolf and extensions + programs.firefox = let + commonExtensions = with pkgs.nur.repos.rycee.firefox-addons; [ + ublock-origin bitwarden darkreader sponsorblock return-youtube-dislikes no-pdf-download + ]; + commonSearch = { + force = true; + default = "Google"; + engines = { + "Google" = { + urls = [{ + template = "https://www.google.com/search"; + params = [ + { name = "q"; value = "{searchTerms}"; } + ]; + }]; + definedAliases = [ "@g" ]; + }; + "NixPKGs" = { + urls = [{ + template = "https://search.nixos.org/packages"; + params = [ + { name = "type"; value = "packages"; } + { name = "query"; value = "{searchTerms}"; } + ]; + }]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@pkgs" ]; + }; + }; + }; + commonSettings = { + "font.name.serif.x-western" = "${mainFont}"; + "font.name.sans-serif.x-western" = "${mainFont}"; + "font.name.monospace.x-western" = "${nerdFont}"; + "general.autoScroll" = true; + "browser.compactmode.show" = true; + "browser.uidensity" = 1; + "browser.startup.page" = 3; + "extensions.pocket.enabled" = false; + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "privacy.userContext.newTabContainerOnLeftClick.enabled" = true; "privacy.clearOnShutdown.history" = false; "privacy.clearOnShutdown.cookies" = false; - "network.cookie.lifetimePolicy" = 0; - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; - "browser.toolbars.bookmarks.visibility" = "newtab"; - "gnomeTheme.hideSingleTab" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "media.hardware-video-decoding.force-enabled" = true; "svg.context-properties.content.enabled" = true; - "media.hardware-video-decoding.force-enabled" = true; - 
"toolkit.tabbox.switchByScrolling" = true; - "device.sensors.motion.enabled" = false; + "toolkit.tabbox.switchByScrolling" = true; + "device.sensors.motion.enabled" = false; + "extensions.autoDisableScopes" = 0; + "gnomeTheme.hideSingleTab" = true; + "browser.contentblocking.category" = "strict"; + "urlclassifier.trackingSkipURLs" = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com"; + "urlclassifier.features.socialtracking.skipURLs" = "*.instagram.com, *.twitter.com, *.twimg.com"; + "network.cookie.sameSite.noneRequiresSecure" = true; + "browser.helperApps.deleteTempFileOnExit" = true; + "privacy.globalprivacycontrol.enabled" = true; + "privacy.globalprivacycontrol.functionality.enabled" = true; #"webgl.disabled" = false; - }; + }; + in { + enable = true; + package = pkgs.librewolf; + profiles = { + Jimbo = { + id = 0; + extensions = commonExtensions; + search = commonSearch; + settings = commonSettings; + userChrome = '' + ${foxJimCol} + ${quteFoxCSS} + ''; + }; + School = { + id = 1; + extensions = commonExtensions; + search = commonSearch; + settings = commonSettings; + userChrome = '' + ${foxWorkCol} + ${quteFoxCSS} + ''; + }; + Misc = { + id = 2; + extensions = commonExtensions; + search = commonSearch; + settings = commonSettings; + containersForce = true; + containers = { + Google = { color = "green"; icon = "fingerprint"; id = 200; }; + Seneca = { color = "red"; icon = "briefcase"; id = 201; }; + Centennial = { color = "pink"; icon = "vacation"; id = 202; }; + }; + }; + }; }; # Install Neovim and plugins 
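Review bot: `"extensions.autoDisableScopes" = 0;` in `commonSettings` turns off Firefox's confirmation for extensions installed outside the profile, so an add-on dropped into any install scope is enabled silently; it is presumably set so the declaratively listed `commonExtensions` activate without a prompt, and that reason belongs next to it: `# 0 = auto-enable add-ons from every scope (needed for the NUR-managed list); also enables anything sideloaded`. Several prefs from the removed `foxUserJS` did not make it into `commonSettings`: `browser.uitour.enabled`, the `toolkit.telemetry.*` and `datareporting.*` group, `app.normandy.*`, `breakpad.reportURL`, `captivedetect.canonicalURL` and the captive-portal/connectivity-service prefs. LibreWolf may cover some of these through its own defaults, but if they are still wanted they need to be added here, since this block is now the only place profile settings are defined.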
@@ -2943,42 +2926,21 @@ in sha256 = "1r086apw20ryxylqgnbynx7mzz779v1w0m40wghmmhlzw4x15fmr"; }}"; - # Sunshine config - ".config/sunshine/apps.json".text = sunshineApps; - - # YTFZF config - ".config/ytfzf/conf.sh".text = ytfzfConf; - - # Alsoft config - ".alsoftrc".text = alsoftConf; - # Ncmpcpp config ".config/ncmpcpp/config".text = ncmpcppConf; - # LibreWolf profiles and theming - ".librewolf/profiles.ini".text = foxProfiles; - ".librewolf/Jimbo/chrome/userChrome.css".text = "${foxJimCol}\n${quteFoxCSS}"; - ".librewolf/Jimbo/user.js".text = foxUserJS; - ".librewolf/School/chrome/userChrome.css".text = "${foxWorkCol}\n${quteFoxCSS}"; - ".librewolf/School/user.js".text = foxUserJS; - ".librewolf/Variety/chrome".source = "${fetchTarball { - url = "https://github.com/rafaelmardojai/firefox-gnome-theme/archive/refs/tags/v120.zip"; - sha256 = "05ndzlhvw0zxxqgc9lp9w6kr764zbh5zv4aw2nk9qfyhr8j3c708"; - }}"; - ".librewolf/Variety/user.js".text = foxUserJS; + # Gnome theme + ".mozilla/firefox/Misc/chrome".source = "${fetchTarball { + url = "https://github.com/rafaelmardojai/firefox-gnome-theme/archive/refs/tags/v129.zip"; + sha256 = "14x0vp66i8b14q6c9n75sa88fcwy9jd9lik8sjnab2rnwlskvq9h"; + }}"; - # LibreWolf extension symlinks - ".librewolf/School/extensions".source = - config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/extensions"; - ".librewolf/School/browser-extension-data".source = - config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/browser-extension-data"; - ".librewolf/Variety/extensions".source = - config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/extensions"; - ".librewolf/Variety/browser-extension-data".source = - config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/browser-extension-data"; - - # Outer Symlinks + # Symlinks + ".librewolf".source = config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.mozilla/firefox"; "VMs".source = config.lib.file.mkOutOfStoreSymlink "/etc/libvirt/VMs"; + + # Alsoft config + 
".alsoftrc".text = alsoftConf; }; # Define session variables