Make the firewall managed completely on the server

2024-08-12 03:28:24 -04:00 · 2024-08-12 03:28:24 -04:00 · 5c1ec4d677
parent 2260afc205
commit 5c1ec4d677
2 changed files with 168 additions and 203 deletions
--- a/PC/configuration.nix
+++ b/PC/configuration.nix
@ -39,6 +39,10 @@ in
          inherit pkgs;
          config.allowUnfree = true;
        };
+	nur = import (builtins.fetchTarball 
+	  "https://github.com/nix-community/NUR/archive/master.tar.gz") {
+          inherit pkgs;
+        };
      };
    };

@ -102,12 +106,12 @@ in
  hardware.enableRedistributableFirmware = true;

  # Enable the Nouveau drivers
-  services.xserver.videoDrivers = [ "nouveau" ];
-  #hardware.nvidia = {
-  #  modesetting.enable = true;
-  #  nvidiaSettings = false;
-  #  package = config.boot.kernelPackages.nvidiaPackages.beta;
-  #};
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    nvidiaSettings = false;
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+  };

  # Enable a permissioning system
  security = {
@ -174,8 +178,6 @@ in
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
-    package = pkgs.unstable.mesa.drivers;
-    package32 = pkgs.unstable.pkgsi686Linux.mesa.drivers;
    extraPackages = with pkgs; [
      vulkan-loader
      vulkan-validation-layers
@ -201,20 +203,12 @@ in
    # Enable nftables over iptables
    nftables.enable = true;

-    # Enable firewall passthrough
+    # Enable firewall
    firewall = {
-      allowedTCPPorts = [ 
-	# Sunshine TCP
-	47984 47989 48010
-      ];
-      allowedUDPPorts = [
-        # Sunshine UDP
-	47998 47999 48000
-
-	# Games
-	27005 27015 7777
-      ];
      allowPing = false;
+      extraInputRules = ''
+        ip saddr 192.168.2.11 accept comment "Accept Server Connections"
+      '';
    };
    
    # Set hostnames
@ -364,6 +358,7 @@ in
  # Enable SSH
  services.openssh = {
    enable = true;
+    openFirewall = false;
    settings = {
      LogLevel = "VERBOSE";
      PermitRootLogin = "no";
@ -376,7 +371,8 @@ in
  # Block SSH connections after numerous attempts
  services.fail2ban = {
    enable = true;
-    maxretry = 10;
+    maxretry = 5;
+    bantime = "5m";
  };

  # Enable AppImages
@ -385,6 +381,13 @@ in
   binfmt = true;
  };

+  # Enable Sunshine as a service
+  services.sunshine = {
+    enable = true;
+    settings.port = 57989;
+    autoStart = false;
+  };
+
  # Enable MPD
  services.mpd = {
    enable = true;
--- a/PC/jimbo.nix
+++ b/PC/jimbo.nix
@ -141,17 +141,6 @@ let
      esac
    }
    
-    # Media launcher
-    handle_media() {
-      RET=$(echo -e "YouTube\nMusic\nHistory\nAnime" | bemenu ${bemenuOpts} -p "Media")
-      case $RET in
-        YouTube) ytfzf -D;;
-        Music) ytfzf -D -m;;
-        History) ytfzf -D -H;;
-        Anime) ${terminal} ani-cli -q 720;;
-      esac
-    }
-    
    # Resolutions
    handle_resolutions() {
      RET=$(echo -e "Default\nWide\nGPU2" | bemenu ${bemenuOpts} -p "Resolutions")
@ -1153,29 +1142,6 @@ let
    s:/home/jimbo/JimboNFS/School
  '';

-  # Sunshine apps config
-  sunshineApps = ''
-    {
-      "env": {
-        "PATH": "$(PATH):$(HOME)\/.local\/bin"
-      },
-      "apps": [{
-        "name": "Desktop",
-        "image-path": "desktop.png"
-      }]
-    }
-  '';
-
-  # ytfzf config
-  ytfzfConf = ''
-    external_menu () {
-      bemenu ${bemenuOpts} -s -l 30 -p "Search"
-    }
-    video_player () {
-      mpv --loop-playlist=no --keep-open=yes "$@"
-    }
-  '';
-
  # Some sound settings use alsoft, which needs to be configured to use pipewire
  alsoftConf = ''
    drivers=pulse
@ -1187,7 +1153,7 @@ let
    user_interface = "alternative"
  '';

-  # FireFox/LibreWolf colors
+  # FireFox colors
  foxJimCol = ''
    :root {
      --tab-active-bg-color: #${primeCol};
@ -1351,6 +1317,7 @@ let
    #TabsToolbar, .tabbrowser-tab {
      max-height: var(--tab-min-height) !important;
      font-size: 14px !important;
+      outline: none !important;
    }
    
    /* Change color of normal tabs */
@ -1470,75 +1437,6 @@ let
      overflow: hidden !important;
    }
  '';
-  foxProfiles = ''
-    [Profile0]
-    Name=Jimbo
-    IsRelative=1
-    Path=Jimbo
-    Default=1
-    
-    [Profile1]
-    Name=School
-    IsRelative=1
-    Path=School
-    
-    [Profile2]
-    Name=Variety
-    IsRelative=1
-    Path=Variety
-
-    [General]
-    StartWithLastProfile=1
-    Version=2
-  '';
-  foxUserJS = ''
-    // Enable Compact Mode
-    user_pref("browser.uidensity", 1);
-    
-    // Tracking protection
-    user_pref("browser.contentblocking.category", "strict");
-    user_pref("urlclassifier.trackingSkipURLs", "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com");
-    user_pref("urlclassifier.features.socialtracking.skipURLs", "*.instagram.com, *.twitter.com, *.twimg.com");
-    user_pref("network.cookie.sameSite.noneRequiresSecure", true);
-    user_pref("browser.helperApps.deleteTempFileOnExit", true);
-    user_pref("browser.uitour.enabled", false);
-    user_pref("privacy.globalprivacycontrol.enabled", true);
-    user_pref("privacy.globalprivacycontrol.functionality.enabled", true);
-    
-    // Disable Telemetry
-    user_pref("datareporting.policy.dataSubmissionEnabled", false);
-    user_pref("datareporting.healthreport.uploadEnabled", false);
-    user_pref("toolkit.telemetry.unified", false);
-    user_pref("toolkit.telemetry.enabled", false);
-    user_pref("toolkit.telemetry.server", "data:,");
-    user_pref("toolkit.telemetry.archive.enabled", false);
-    user_pref("toolkit.telemetry.newProfilePing.enabled", false);
-    user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
-    user_pref("toolkit.telemetry.updatePing.enabled", false);
-    user_pref("toolkit.telemetry.bhrPing.enabled", false);
-    user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
-    user_pref("toolkit.telemetry.coverage.opt-out", true);
-    user_pref("toolkit.coverage.opt-out", true);
-    user_pref("toolkit.coverage.endpoint.base", "");
-    user_pref("browser.ping-centre.telemetry", false);
-    user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
-    user_pref("browser.newtabpage.activity-stream.telemetry", false);
-    
-    // Disable Experiments
-    user_pref("app.shield.optoutstudies.enabled", false);
-    user_pref("app.normandy.enabled", false);
-    user_pref("app.normandy.api_url", "");
-    
-    // Disable Crash Reports
-    user_pref("breakpad.reportURL", "");
-    user_pref("browser.tabs.crashReporting.sendReport", false);
-    user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
-    
-    // Detection
-    user_pref("captivedetect.canonicalURL", "");
-    user_pref("network.captive-portal-service.enabled", false);
-    user_pref("network.connectivity-service.enabled", false);
-  '';
 in

 {
@ -1573,7 +1471,7 @@ in
        remmina freerdp globalprotect-openconnect python3 zoom-us

        # Audio/Video tools
-        yt-dlp ytfzf spotdl ani-cli playerctl ffmpeg
+        yt-dlp spotdl ani-cli playerctl ffmpeg

        # Unlimited games
        steam steam-run heroic mangohud prismlauncher
@ -1582,7 +1480,7 @@ in
        #dolphin-emu cemu ryujinx duckstation pcsx2 unstable.lime3ds

 	# Remote desktop
-	sunshine #moonlight-qt
+	#moonlight-qt

        # Window manager apps
        swaybg wdisplays wl-clipboard clipman bemenu
@ -1658,14 +1556,13 @@ in
 	    { command = "wl-paste -t text --watch clipman store -P"; }
 	    { command = "wl-copy"; }
 	    { command = "mako"; }
-	    { command = "sunshine"; }
 	    { command = "${pkgs.rot8}/bin/rot8"; }

 	    # Polkit agent
 	    { command = "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"; }

 	    # Foreground apps
-	    { command = "librewolf -P Variety --name=Variety"; }
+	    { command = "librewolf -P Misc --name=MiscBrowser"; }
 	    { command = "vesktop --ozone-platform-hint=auto"; }
 	    { command = "element-desktop"; }
 	    { command = "thunderbird"; }
@ -1788,9 +1685,9 @@ in
 	    ## Launcher keys

 	    # LibreWolf profiles
-	    "${primeMod}+F1" = ''exec librewolf -P Jimbo --name=JimBrowser | ${sendNotif} "LibreWolf Main"'';
-	    "${primeMod}+F2" = ''exec librewolf -P School --name=SchoolBrowser | ${sendNotif} "LibreWolf School"'';
-	    "${primeMod}+F3" = ''exec librewolf -P Variety --name=Variety | ${sendNotif} "LibreWolf Variety"'';
+	    "${primeMod}+F1" = ''exec librewolf -P Jimbo --name=JimBrowser | ${sendNotif} "Main Browser"'';
+	    "${primeMod}+F2" = ''exec librewolf -P School --name=SchoolBrowser | ${sendNotif} "School Browser"'';
+	    "${primeMod}+F3" = ''exec librewolf -P Misc --name=MiscBrowser | ${sendNotif} "Miscellaneous Browser"'';

 	    # Discord
 	    "${primeMod}+F4" = ''exec vesktop --ozone-platform-hint=auto | ${sendNotif} "Discord"'';
@ -1849,13 +1746,13 @@ in
 	    "XF86AudioStop" = ''exec mpc stop'';

 	    # Play MPD, Firefox, or MPV
-	    "XF86AudioPlay" = ''exec playerctl --player=firefox play-pause'';
+	    "XF86AudioPlay" = ''exec playerctl --player=librewolf play-pause'';
 	    "Ctrl+XF86AudioPlay" = ''exec playerctl --player=mpv play-pause'';
 	    "${altMod}+XF86AudioPlay" = ''exec mpc toggle'';

 	    # Next/Previous
-	    "XF86AudioNext" = ''exec playerctl --player=firefox next'';
-	    "XF86AudioPrev" = ''exec playerctl --player=firefox previous'';
+	    "XF86AudioNext" = ''exec playerctl --player=librewolf next'';
+	    "XF86AudioPrev" = ''exec playerctl --player=librewolf previous'';
 	    "${altMod}+XF86AudioNext" = ''exec mpc next'';
 	    "${altMod}+XF86AudioPrev" = ''exec mpc prev'';

@ -2038,7 +1935,7 @@ in
 	    # Browsers
 	    "${w1}" = [{ app_id = "JimBrowser"; }];
 	    "${w1a}" = [{ app_id = "SchoolBrowser"; }];
-	    "${w7}" = [{ app_id = "Variety"; }];
+	    "${w7}" = [{ app_id = "MiscBrowser"; }];
 	    
 	    # Communication
 	    "${w3a}" = [{ class = "zoom"; }];
@ -2095,9 +1992,9 @@ in
 	  all-outputs = true;
 	  tooltip = false;
 	  rewrite = {
-	    "(.*) — LibreWolf" = "   $1";
-	    "LibreWolf" = "   LibreWolf";
-	    "(.*) - YouTube — LibreWolf" = "󰗃   $1";
+	    "(.*) — Firefox" = "   $1";
+	    "Firefox" = "   Firefox";
+	    "(.*) - YouTube — Firefox" = "󰗃   $1";
 	  };
 	};

@ -2548,7 +2445,8 @@ in
        };

 	# GTK app bookmarks
-	gtk3.bookmarks = [
+	gtk3 = {
+	  bookmarks = [
 	    # Local
 	    "file:///home/jimbo/Downloads"
 	    "file:///home/jimbo/Documents"
@ -2570,6 +2468,13 @@ in
            "file:///home/jimbo/JimboNFS/School"
 	  ];

+	  # Disable shadows
+	  extraCss = ''
+	    * { outline-width: 0px; }
+	    decoration { box-shadow: none; }
+	  '';
+	};
+
 	# Stop gtk4 from being rounded
 	gtk4.extraCss = ''
          window {
@ -2600,25 +2505,103 @@ in
        };
      };

-      # Install LibreWolf with settings
-      programs.librewolf = {
-        enable = true;
-	package = pkgs.librewolf;
-	settings = {
+      # Enable Librewolf and extensions
+      programs.firefox = let
+	commonExtensions = with pkgs.nur.repos.rycee.firefox-addons; [
+	  ublock-origin bitwarden darkreader sponsorblock return-youtube-dislikes no-pdf-download
+	];
+	commonSearch = {
+	  force = true;
+	  default = "Google";
+	  engines = {
+            "Google" = {
+              urls = [{
+		template = "https://www.google.com/search";
+                params = [
+		  { name = "q"; value = "{searchTerms}"; }
+                ];
+              }];
+              definedAliases = [ "@g" ];
+            };
+            "NixPKGs" = {
+              urls = [{
+                template = "https://search.nixos.org/packages";
+                params = [
+                  { name = "type"; value = "packages"; }
+                  { name = "query"; value = "{searchTerms}"; }
+                ];
+              }];
+              icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+              definedAliases = [ "@pkgs" ];
+            };
+	  };
+	};
+        commonSettings = {
+	  "font.name.serif.x-western" = "${mainFont}";
+	  "font.name.sans-serif.x-western" = "${mainFont}";
+	  "font.name.monospace.x-western" = "${nerdFont}";
          "general.autoScroll" = true;
          "browser.compactmode.show" = true;
+	  "browser.uidensity" = 1;
+	  "browser.startup.page" = 3;
+	  "extensions.pocket.enabled" = false;
+          "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+	  "privacy.userContext.newTabContainerOnLeftClick.enabled" = true;
          "privacy.clearOnShutdown.history" = false;
          "privacy.clearOnShutdown.cookies" = false;
-          "network.cookie.lifetimePolicy" = 0;
-	  "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-	  "browser.toolbars.bookmarks.visibility" = "newtab";
-	  "gnomeTheme.hideSingleTab" = true;
-	  "svg.context-properties.content.enabled" = true;
+          "browser.toolbars.bookmarks.visibility" = "never";
          "media.hardware-video-decoding.force-enabled" = true;
+	  "svg.context-properties.content.enabled" = true;
          "toolkit.tabbox.switchByScrolling" = true;
          "device.sensors.motion.enabled" = false;
+          "extensions.autoDisableScopes" = 0;
+	  "gnomeTheme.hideSingleTab" = true;
+          "browser.contentblocking.category" = "strict";
+          "urlclassifier.trackingSkipURLs" = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com";
+          "urlclassifier.features.socialtracking.skipURLs" = "*.instagram.com, *.twitter.com, *.twimg.com";
+          "network.cookie.sameSite.noneRequiresSecure" = true;
+          "browser.helperApps.deleteTempFileOnExit" = true;
+          "privacy.globalprivacycontrol.enabled" = true;
+          "privacy.globalprivacycontrol.functionality.enabled" = true;
 	  #"webgl.disabled" = false;
 	};
+      in {
+        enable = true;
+	package = pkgs.librewolf;
+	profiles = {
+	  Jimbo = {
+	    id = 0;
+	    extensions = commonExtensions;
+	    search = commonSearch;
+	    settings = commonSettings;
+	    userChrome = ''
+	      ${foxJimCol}
+	      ${quteFoxCSS}
+	    '';
+	  };
+	  School = {
+	    id = 1;
+	    extensions = commonExtensions;
+	    search = commonSearch;
+	    settings = commonSettings;
+	    userChrome = ''
+	      ${foxWorkCol}
+	      ${quteFoxCSS}
+	    '';
+	  };
+	  Misc = {
+	    id = 2;
+	    extensions = commonExtensions;
+	    search = commonSearch;
+	    settings = commonSettings;
+	    containersForce = true;
+	    containers = {
+	      Google = { color = "green"; icon = "fingerprint"; id = 200; };
+	      Seneca = { color = "red"; icon = "briefcase"; id = 201; };
+	      Centennial = { color = "pink"; icon = "vacation"; id = 202; };
+	    };
+	  };
+	};
      };

      # Install Neovim and plugins
@ -2943,42 +2926,21 @@ in
 	  sha256 = "1r086apw20ryxylqgnbynx7mzz779v1w0m40wghmmhlzw4x15fmr";
 	}}";

-	# Sunshine config
-	".config/sunshine/apps.json".text = sunshineApps;
-
-	# YTFZF config
-	".config/ytfzf/conf.sh".text = ytfzfConf;
-
-	# Alsoft config
-	".alsoftrc".text = alsoftConf;
-
 	# Ncmpcpp config
 	".config/ncmpcpp/config".text = ncmpcppConf;

-	# LibreWolf profiles and theming
-	".librewolf/profiles.ini".text = foxProfiles;
-	".librewolf/Jimbo/chrome/userChrome.css".text = "${foxJimCol}\n${quteFoxCSS}";
-	".librewolf/Jimbo/user.js".text = foxUserJS;
-	".librewolf/School/chrome/userChrome.css".text = "${foxWorkCol}\n${quteFoxCSS}";
-	".librewolf/School/user.js".text = foxUserJS;
-	".librewolf/Variety/chrome".source = "${fetchTarball {
-	  url = "https://github.com/rafaelmardojai/firefox-gnome-theme/archive/refs/tags/v120.zip";
-	  sha256 = "05ndzlhvw0zxxqgc9lp9w6kr764zbh5zv4aw2nk9qfyhr8j3c708";
+	# Gnome theme
+        ".mozilla/firefox/Misc/chrome".source = "${fetchTarball {
+          url = "https://github.com/rafaelmardojai/firefox-gnome-theme/archive/refs/tags/v129.zip";
+          sha256 = "14x0vp66i8b14q6c9n75sa88fcwy9jd9lik8sjnab2rnwlskvq9h";
        }}";
-	".librewolf/Variety/user.js".text = foxUserJS;

-	# LibreWolf extension symlinks
-	".librewolf/School/extensions".source =
-	  config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/extensions";
-	".librewolf/School/browser-extension-data".source =
-	  config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/browser-extension-data";
-	".librewolf/Variety/extensions".source =
-	config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/extensions";
-	".librewolf/Variety/browser-extension-data".source =
-	  config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.librewolf/Jimbo/browser-extension-data";
-
-	# Outer Symlinks
+	# Symlinks
+	".librewolf".source = config.lib.file.mkOutOfStoreSymlink "/home/jimbo/.mozilla/firefox";
 	"VMs".source = config.lib.file.mkOutOfStoreSymlink "/etc/libvirt/VMs";
+
+	# Alsoft config
+	".alsoftrc".text = alsoftConf;
      };

      # Define session variables