From 719c14f9549be9f69452a6276d026ac83aa1eb32 Mon Sep 17 00:00:00 2001
From: reidlab
Date: Mon, 26 Feb 2024 16:23:49 -0800
Subject: [PATCH] changed some module stuf
---
default.nix | 27 ++++++++++++++++---
hosts/server/default.nix | 9 +------
modules/security.nix | 58 +++++++++++++++++++++++-----------------
readme.md | 3 +++
4 files changed, 61 insertions(+), 36 deletions(-)
diff --git a/default.nix b/default.nix
index 465ddb6..c6e0ae6 100755
--- a/default.nix
+++ b/default.nix
@@ -7,13 +7,32 @@ in {
[ inputs.home-manager.nixosModules.home-manager ]
++ _.mapModulesRec' ./modules import;
+ nix = {
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ auto-optimise-store = true;
+ keep-outputs = true;
+ keep-derivations = true;
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
environment.systemPackages = with pkgs; [
- curl git
+ unrar unzip
+ curl wget
+ # hello! if you remove this, good luck
+ # ever rebuilding your system using flakes!
+ git
];
- i18n.defaultLocale = "en_US.UTF-8";
+ time.timeZone = lib.mkDefault "America/Los_Angeles";
+
+ i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
system.stateVersion = lib.mkDefault "23.11";
}
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index b2a06d8..431ca38 100755
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -10,13 +10,6 @@ in {
./webapps/default.nix
];
- user = {
- packages = with pkgs; [
- git
- curl
- ];
- };
-
users.groups.dotfiles = {};
normalUsers = {
@@ -57,7 +50,7 @@ in {
mosh.enable = true;
};
- security.enable = true;
+ security.useDoas = true;
};
time.timeZone = "America/Los_Angeles";
diff --git a/modules/security.nix b/modules/security.nix
index 4dc2268..a00b377 100755
--- a/modules/security.nix
+++ b/modules/security.nix
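Review bot: The new `trusted-public-keys` entry makes every store path signed by the nix-community cache key acceptable without a local build, so that key is a trust root for this system, yet the hunk records nothing about where it came from; add a comment above it such as `# nix-community cachix signing key; check against the cache's published key before editing` and confirm the value out of band rather than from a copied snippet. Setting `substituters` directly may replace the default `https://cache.nixos.org/` entry depending on how the NixOS option merges it — worth confirming, or use `extra-substituters` if only an addition is intended. `keep-outputs` and `keep-derivations` grow the store indefinitely and are unrelated to the cache settings they sit next to, so a one-line comment on why they are wanted would help the next reader.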
@@ -5,33 +5,43 @@ let cfg = config.modules.security;
in {
options.modules.security = {
- enable = mkOption {
- type = types.bool;
- default = true;
- };
+ useDoas = mkEnableOption "use doas instead of sudo";
};
config = mkIf cfg.enable {
- security.rtkit.enable = true;
+ boot = {
+ tmp.useTmpfs = lib.mkDefault true;
+ tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+ kernel.sysctl = {
+ "kernel.sysrq" = 0;
- boot.kernel.sysctl = {
- "kernel.sysrq" = 0;
+ "net.ipv4.conf.all.accept_source_code" = 0;
+ "net.ipv6.conf.all.accept_source_code" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_conjestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+ };
+ };
- "net.ipv4.conf.all.accept_source_code" = 0;
- "net.ipv6.conf.all.accept_source_code" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.tcp_syncookies" = 1;
- "net.ipv4.tcp_rfc1337" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_conjestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
- };
- };
+ security = {
+ protectKernelImage = true;
+ polkit.enable = true;
+ rtkit.enable = true;
+ };
+ } // (mkIf cfg.useDoas {
+ security.sudo.enable = false;
+ security.doas.enable = true;
+ environment.systemPackages = with pkgs; [
doas-sudo-shim ];
+ });
}
diff --git a/readme.md b/readme.md
index a8d3650..a0fc4d7 100755
--- a/readme.md
+++ b/readme.md
@@ -18,5 +18,8 @@ before committing, please run `nix flake check` and make sure everything is ok
## todo
+- analytics using matomo
- php support in staticsites
- no more luapackagepath. please stop.
+- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
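Review bot: `config = mkIf cfg.enable { … }` still gates on an `enable` option that this hunk removes from `options.modules.security` (only `useDoas` is declared now), so evaluation should fail with a missing-attribute error unless `enable` is declared elsewhere. The `} // (mkIf cfg.useDoas { … })` merge is also suspect: `mkIf` returns an attribute set tagged with `_type`, and `//` splices its `_type`/`condition`/`content` attributes into the plain set, which — if I read the module system right — makes the whole `config` behave as the doas conditional and silently drops the `boot` and `security` hardening. The idiomatic form (assuming `lib` is opened, as the unqualified `mkIf`/`mkEnableOption` suggest) replaces `config = mkIf cfg.enable {` with `config = mkMerge [ {`, `} // (mkIf cfg.useDoas {` with `} (mkIf cfg.useDoas {`, and `});` with `}) ];`, which also lets the hosts/server `security.useDoas = true` change take effect. Two sysctl keys carried into the new block are misspelled and so never apply: `accept_source_code` should be `accept_source_route` on both the IPv4 and IPv6 lines, and `tcp_conjestion_control` should be `tcp_congestion_control`.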