nixos/modules/system/security.nix

inputs:
{
  config =
  {
    # allow non-root users to access intel gpu performance counters
    boot.kernel.sysctl."dev.i915.perf_stream_paranoid" = false;
    security =
    {
      pam =
      {
        u2f =
        {
          enable = true;
          settings =
          {
            cue = true;
            appid = "pam://chn.moe";
            origin = "pam://chn.moe";
            # generate using: `pamu2fcfg -u chn -o pam://chn.moe -i pam://chn.moe`
            authfile = builtins.toString (inputs.pkgs.writeText "yubikey_mappings" (builtins.concatStringsSep "\n"
            [
              (builtins.concatStringsSep ":"
              [
                "chn"
                (builtins.concatStringsSep ","
                [
                  "83Y3cLxhcmwbDOH1h67SQ1xy0dFBcoKYM0VO/YVq+9lpOpdPdmFaB7BNngO3xCmAxJeO/Fg9jNmEF9vMJEmAaw=="
                  "9bSjr+12JVwtHlyoa70J7w3bEQff+MwLxg5elzdP1OGHcfWGkolRvS+luAgcWjKn1g0swaYdnklCYWYOoCAJbA=="
                  "es256"
                  "+presence"
                ])
              ])
            ]));
          };
        };
        yubico = { enable = true; id = "91291"; };
        loginLimits =
        [
          { domain = "@users"; item = "nofile"; value = 65536; }
          { domain = "@users"; item = "stack"; value = "unlimited"; }
        ];
      };
      sudo.extraConfig = "Defaults pwfeedback";
    };
    systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
    # needed by xray tproxy if we want to forward traffic from other machine
    networking.firewall.checkReversePath = false;
  };
}
整理 system.security 2023-09-02 21:47:12 +08:00			`inputs:`
			`{`
			`config =`
			`{`
			`# allow non-root users to access intel gpu performance counters`
			`boot.kernel.sysctl."dev.i915.perf_stream_paranoid" = false;`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`security =`
整理 system.security 2023-09-02 21:47:12 +08:00			`{`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`pam =`
整理 system.security 2023-09-02 21:47:12 +08:00			`{`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`u2f =`
			`{`
			`enable = true;`
fix some warnings 2024-07-31 08:40:09 +08:00			`settings =`
			`{`
			`cue = true;`
			`appid = "pam://chn.moe";`
			`origin = "pam://chn.moe";`
			# generate using: `pamu2fcfg -u chn -o pam://chn.moe -i pam://chn.moe`
			`authfile = builtins.toString (inputs.pkgs.writeText "yubikey_mappings" (builtins.concatStringsSep "\n"`
整理 system.security 2023-09-02 21:47:12 +08:00			`[`
fix some warnings 2024-07-31 08:40:09 +08:00			`(builtins.concatStringsSep ":"`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`[`
fix some warnings 2024-07-31 08:40:09 +08:00			`"chn"`
			`(builtins.concatStringsSep ","`
			`[`
			`"83Y3cLxhcmwbDOH1h67SQ1xy0dFBcoKYM0VO/YVq+9lpOpdPdmFaB7BNngO3xCmAxJeO/Fg9jNmEF9vMJEmAaw=="`
			`"9bSjr+12JVwtHlyoa70J7w3bEQff+MwLxg5elzdP1OGHcfWGkolRvS+luAgcWjKn1g0swaYdnklCYWYOoCAJbA=="`
			`"es256"`
			`"+presence"`
			`])`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`])`
fix some warnings 2024-07-31 08:40:09 +08:00			`]));`
			`};`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`};`
			`yubico = { enable = true; id = "91291"; };`
system.security.pam: fix 2024-03-22 20:06:52 +08:00			`loginLimits =`
			`[`
			`{ domain = "@users"; item = "nofile"; value = 65536; }`
			`{ domain = "@users"; item = "stack"; value = "unlimited"; }`
			`];`
整理 system.security 2023-09-02 21:47:12 +08:00			`};`
system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00			`sudo.extraConfig = "Defaults pwfeedback";`
整理 system.security 2023-09-02 21:47:12 +08:00			`};`
system.security.pam: fix 2024-03-22 20:06:52 +08:00			`systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";`
modules.services.xray: fix firewall 2024-09-20 01:43:27 +08:00			`# needed by xray tproxy if we want to forward traffic from other machine`
			`networking.firewall.checkReversePath = false;`
整理 system.security 2023-09-02 21:47:12 +08:00			`};`
			`}`