{ pkgs, lib, ... }:
let
  # DN42 services are signed by their own CAs, so the CA bundles are fetched
  # at build time. Each fetch is pinned by hash: if the upstream file changes,
  # the build fails instead of a different certificate being trusted silently.
  dn42CaCertificates = [
    (pkgs.fetchurl {
      url = "https://dn42.burble.com/burble-dn42-ca.pem";
      name = "burble-dn42-ca.pem";
      sha256 = "0wcrjkiav018bpl87583g0v60clx3jg3wfyf8d9h8zdkwcb16b2g";
    })
    (pkgs.fetchurl {
      url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
      name = "dn42.crt";
      sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
    })
  ];
in
{
  security = {
    # doas is the intended privilege-escalation tool; sudo stays enabled only
    # because nixos-rebuild (and tools that won't use doas) still expect it.
    doas.enable = true;
    # Wheel members escalate to root through doas without a password, so
    # membership in wheel is equivalent to holding the root account here.
    doas.wheelNeedsPassword = false;
    sudo.enable = true;

    # TPM 2.0 support. mkDefault keeps these overridable per host; the
    # PKCS#11 module is off unless a host asks for it.
    tpm2.enable = lib.mkDefault true;
    tpm2.abrmd.enable = lib.mkDefault true;
    tpm2.applyUdevRules = lib.mkDefault true;
    tpm2.pkcs11.enable = lib.mkDefault false;

    # These CAs are added to the system trust store, so they are trusted for
    # every TLS name on the machine, not only DN42 hosts.
    pki.certificateFiles = dn42CaCertificates;
  };
}