# NixOS module: privilege escalation (doas/sudo), TPM2 support, and
# additional trusted CA certificates for DN42.
{ pkgs, ... }:
let
  # Extra root certificates for DN42.
  # Both downloads are pinned by content hash, so a changed upstream file
  # fails the build instead of silently replacing a trust anchor. Only the
  # second URL is additionally pinned to a specific revision (`id=`).
  dn42TrustAnchors = [
    (pkgs.fetchurl {
      url = "https://dn42.burble.com/burble-dn42-ca.pem";
      name = "burble-dn42-ca.pem";
      sha256 = "0wcrjkiav018bpl87583g0v60clx3jg3wfyf8d9h8zdkwcb16b2g";
    })
    (pkgs.fetchurl {
      url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
      name = "dn42.crt";
      sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
    })
  ];
in
{
  # Everything should use doas instead of sudo.
  # Sudo is kept enabled for tools that ~can't~ won't use doas.
  security.doas = {
    enable = true;
    # NOTE(review): members of `wheel` get root through doas without a
    # password prompt, so any process running as a wheel user can escalate.
    # Keep wheel membership minimal; set this to true to require
    # re-authentication.
    wheelNeedsPassword = false;
  };

  # Needed for nixos-rebuild to work properly.
  # This leaves a second privilege-escalation path on the system; sudo's own
  # policy is not configured in this file.
  security.sudo.enable = true;

  # TPM configuration
  security.tpm2 = {
    enable = true;
    abrmd.enable = true; # TPM2 access broker / resource manager daemon
    applyUdevRules = true; # udev rules governing access to the TPM device nodes
    pkcs11.enable = false; # no PKCS#11 interface to the TPM
  };

  # Set up extra certificates for DN42 specifically.
  # NOTE(review): certificateFiles feeds the system-wide trust bundle, so
  # these CAs are trusted for any hostname, not just DN42 names, unless the
  # certificates themselves carry name constraints (not visible here;
  # confirm by inspecting the fetched files).
  security.pki.certificateFiles = dn42TrustAnchors;
}