Setup a basic firewall for majin

2024-03-16 21:28:24 +00:00 · 2024-03-16 21:28:24 +00:00 · 833c2c5158
parent 18ca5a18ec
commit 833c2c5158
6 changed files with 94 additions and 33 deletions
--- a/flake.lock
+++ b/flake.lock
@ -197,11 +197,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1709967935,
-        "narHash": "sha256-ZLLdGWs9njivxZsfSzfQN05g6WIyIe24bPb61y7FVqo=",
+        "lastModified": 1710427903,
+        "narHash": "sha256-sV0Q5ndvfjK9JfCg/QM/HX/fcittohvtq8dD62isxdM=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "72818e54ec29427f8d9f9cfa6fc859d01ca6dc66",
+        "rev": "21d89b333ca300bef82c928c856d48b94a9f997c",
        "type": "github"
      },
      "original": {
@ -238,18 +238,16 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
+        "dirtyRev": "70f14f5928c6cffb3be81784425b57d984a00acd-dirty",
+        "dirtyShortRev": "70f14f5-dirty",
        "lastModified": 1710021649,
-        "narHash": "sha256-erHUBiFoe08pi2wlg6PGcSTrhtt3OrE8KxohJOBV/Zc=",
-        "ref": "v4",
-        "rev": "70f14f5928c6cffb3be81784425b57d984a00acd",
-        "revCount": 1050,
+        "narHash": "sha256-3gmgWWaVJNW1xpbov8dVkf3EGucNXQggd5KsYONfTo0=",
        "type": "git",
-        "url": "https://devheroes.codes/FG42/FG42"
+        "url": "file:///home/lxsameer/src/fg42"
      },
      "original": {
-        "ref": "v4",
        "type": "git",
-        "url": "https://devheroes.codes/FG42/FG42"
+        "url": "file:///home/lxsameer/src/fg42"
      }
    },
    "flake-compat": {
@ -291,11 +289,11 @@
        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
@ -309,11 +307,11 @@
        "systems": "systems_4"
      },
      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
@ -420,11 +418,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1709426687,
-        "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
+        "lastModified": 1710031547,
+        "narHash": "sha256-pkUg3hOKuGWMGF9WEMPPN/G4pqqdbNGJQ54yhyQYDVY=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
+        "rev": "630ebdc047ca96d8126e16bb664c7730dc52f6e6",
        "type": "github"
      },
      "original": {
@ -441,11 +439,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709887845,
-        "narHash": "sha256-803UIoB8+vGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0=",
+        "lastModified": 1710398463,
+        "narHash": "sha256-fQlYanU84E8uwBpcoTCcLCwU8cqn0eQ7nwTcrWfSngc=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "bef32a05496d9480b02be586fa7827748b9e597b",
+        "rev": "efd4e38532b5abfaa5c9fc95c5a913157dc20ccb",
        "type": "github"
      },
      "original": {
@ -456,11 +454,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1709410583,
-        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
+        "lastModified": 1710123225,
+        "narHash": "sha256-j3oWlxRZxB7cFsgEntpH3rosjFHRkAo/dhX9H3OfxtY=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
+        "rev": "ad2fd7b978d5e462048729a6c635c45d3d33c9ba",
        "type": "github"
      },
      "original": {
@ -471,11 +469,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1709675310,
-        "narHash": "sha256-w61tqFEmuJ+/1rAwU7nkYZ+dN6sLwyobfLwX2Yn42FE=",
+        "lastModified": 1710346304,
+        "narHash": "sha256-vwoyBoCovK7+vdbCYqL9MssoFQjaXtZN8sElcjUdbx8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "43d259f8d726113fac056e8bb17d5ac2dea3e0a8",
+        "rev": "a0906f14161a5c5792e9883117b9471f5bf6df72",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -30,8 +30,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    fg42.url = "git+https://devheroes.codes/FG42/FG42?ref=v4";
-    #fg42.url = "/home/lxsameer/src/fg42";
+    #fg42.url = "git+https://devheroes.codes/FG42/FG42?ref=v4";
+    fg42.url = "/home/lxsameer/src/fg42";

    flake_utils.url = "github:numtide/flake-utils";

--- a/modules/default.nix
+++ b/modules/default.nix
@ -307,4 +307,6 @@ rec {
      pkgs.yubikey-manager
    ];
  };
+
+  virtualisation = import ./virtualisation {};
 }
--- a/modules/virtualisation/default.nix
+++ b/modules/virtualisation/default.nix
@ -0,0 +1,31 @@
+# Universe - The big bang to my universe
+#
+# Copyright (c) 2023-2024 Sameer Rahmani <lxsameer@gnu.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+params:
+{
+  podman = {...}: {
+    virtualisation = {
+      podman = {
+        enable = true;
+
+        # Create a `docker` alias for podman, to use it as a drop-in replacement
+        dockerCompat = true;
+
+        # Required for containers under podman-compose to be able to talk to each other.
+        defaultNetwork.settings.dns_enabled = true;
+      };
+    };
+  };
+}
--- a/users/lxsameer/desktop.nix
+++ b/users/lxsameer/desktop.nix
@ -139,15 +139,18 @@ in {

    # Pdf stuff
    poppler_utils
+    evince
+    calibre

    protonvpn-gui
    yubioath-flutter
    yubikey-manager
    feh

+    flameshot
    ticker
    ddgr
-
+    shotwell
    remmina
  ];

@ -272,8 +275,13 @@ in {

      Ps = "ps -aux |grep ";

-      d = "docker";
+      d = "podman";
+
      n = "nix";
+      nd = "nix develop";
+      nr = "nix run";
+      nb = "nix build";
+
      ew = "emacs -nw";
      F = "find . -iname";
      f = "fd";
@ -411,9 +419,18 @@ in {
  services.dunst.enable = true;
  services.pasystray.enable = true;
  services.network-manager-applet.enable = true;
+
+  programs.gpg = {
+    enable = true;
+    scdaemonSettings = {
+      disable-ccid = true;
+    };
+    homedir = lib.mkForce "/home/lxsameer/.gnupg";
+  };
+
  services.gpg-agent = {
    enable = true;
-    enableSshSupport = false;
+    enableSshSupport = lib.mkForce false;
  };

  gtk = {
@ -430,4 +447,10 @@ in {
  };

  services.ssh-agent.enable = true;
+
+  programs.direnv = {
+    enable = true;
+    enableBashIntegration = true; # see note on other shells below
+      nix-direnv.enable = true;
+  };
 }
--- a/worlds/majin.nix
+++ b/worlds/majin.nix
@ -46,6 +46,12 @@ let
    '';

    fileSystems."/home".neededForBoot = true;
+    services.gvfs.enable = true;
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ 8000 ];
+    };
  };

  lxsameer = pkgs.callPackage ../users/lxsameer/default.nix {};
@ -78,6 +84,7 @@ in {
      desktop
      styles
      yubikey
+      virtualisation.podman
      inputs.home-manager.nixosModules.home-manager
      {
        home-manager.useGlobalPkgs = true;