From 55ee036fd7ebed24097c8da1ca8a0b0829264670 Mon Sep 17 00:00:00 2001
From: Emile
Date: Sat, 9 Mar 2024 22:56:01 +0100
Subject: big bang
---
nix/hosts/hacknix/configuration.nix | 396 ++++++++++++++++++++++++++++++++++++
1 file changed, 396 insertions(+)
create mode 100644 nix/hosts/hacknix/configuration.nix
(limited to 'nix/hosts/hacknix/configuration.nix')
diff --git a/nix/hosts/hacknix/configuration.nix b/nix/hosts/hacknix/configuration.nix
new file mode 100644
index 0000000..48aa1e0
--- /dev/null
+++ b/nix/hosts/hacknix/configuration.nix
@@ -0,0 +1,396 @@
+# Edit ths configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ nixpkgs, nixpkgs-unstable, config, lib, pkgs, ... }:
+
+let
+ burppro = pkgs.callPackage ./burpsuitepro { inherit pkgs; nixpkgs=pkgs; };
+ # TODO: pull licence from git
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./overlay
+ ];
+
+ nixpkgs = {
+ config.allowUnfree = true; # for virtualisation.virtualbox
+ };
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "hacknix";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # fileSystems."/home/hack/Documents/datapool.lan" = {
+ # device = "datapool.lan:/mnt/data/dump";
+ # fsType = "nfs";
+ # };
+
+ services = {
+ dbus.enable = true;
+ xserver = {
+ enable = true;
+
+ # Keyboard settings
+ layout = "us";
+ xkbOptions = "caps:compose";
+
+ desktopManager = {
+ xterm.enable = false;
+
+ # we don't use the xfce interface, only the fancy desktopManager
+ # settings and the session
+ xfce = {
+ enable = true;
+ noDesktop = true;
+ enableXfwm = false;
+ };
+ };
+
+ # default display manager when logging in
+ displayManager = {
+ defaultSession = "xfce+i3";
+ sessionCommands = ''
+ '';
+ };
+
+ windowManager.i3 = {
+ enable = true;
+ configFile = "/etc/i3.conf"; # see environment.etc."i3.conf".text
+ extraPackages = with pkgs; [
+ dmenu
+ i3status i3blocks
+ ];
+ };
+ };
+ };
+
+ environment.etc."i3.conf".text = pkgs.callPackage ./i3-config.nix {};
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+ hardware.opengl.enable = true;
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ users.users.hack = {
+ isNormalUser = true;
+ extraGroups = [
+ "wheel" # Enable ‘sudo’ for the user.
+ "vboxsf" # Allow access to the shared /pentest folder mounted in via virtualbox
+ "docker" # access to the docker socket
+ ];
+ shell = pkgs.zsh;
+ };
+
+ environment = {
+ shellAliases = {
+ #ls = "lsd";
+ ls = "eza";
+ };
+ systemPackages = with pkgs; [
+ unstable.obsidian
+
+ kitty
+
+ # editors
+ vim
+
+ helix
+ marksman # markdown lsp
+ cuelsp # cue lsp
+ terraform-lsp terraform-ls # terraform lsp
+ rnix-lsp # nix lsp
+
+ # command line tools
+ fd
+ ripgrep
+ htop
+ fzf
+ jq
+ eza
+ lsd
+ du-dust
+ pwgen
+
+ # x11 foo
+ arandr
+ feh
+
+ # shell
+ zsh oh-my-zsh
+
+ # browser
+ chromium
+ firefox
+
+ # programming languages
+ go
+ gopls # (Official language server for the Go language)
+ go-outline # (Utility to extract JSON representation of declarations from a Go source file)
+ go-tools # staticcheck (A collection of tools and libraries for working with Go code, including linters and static analysis)
+ gocode-gomod # (An autocompletion daemon for the Go programming language)
+ gotest # (go test with colors)
+ gotests # (Generate Go tests from your source code)
+ gomodifytags # (Go tool to modify struct field tags)
+ impl # (Generate method stubs for implementing an interface)
+ delve # dlv (debugger for the Go programming language)
+
+ (pkgs.python3.withPackages (ps: with ps; [
+ pwntools
+ requests
+ tqdm
+ beautifulsoup4
+ mitmproxy
+
+ (
+ buildPythonPackage rec {
+ pname = "pandoc";
+ version = "2.3";
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "sha256-53LCxthxFGiUV5go268e/VOOtk/H5x1KazoRoYuu+Q0=";
+ };
+ doCheck = false;
+ propagatedBuildInputs = [
+ # pkgs.python310Packages.ply
+ # pkgs.python310Packages.plumbum
+ # Specify dependencies
+ #pkgs.python3Packages.numpy
+ ];
+ }
+ )
+ ]))
+
+ # dev
+ vscode
+ docker-compose
+
+ # analysis
+ binwalk
+ file
+
+ # communication
+ element-desktop
+
+ # view pdfs
+ zathura okular
+
+ # infra
+ cue
+ cuetools
+
+ #radare2
+ r2
+ capstone # Advanced disassembly library
+ keystone # Lightweight multi-platform, multi-architecture assembler framework
+ unicorn # Lightweight multi-platform CPU emulator library
+
+ # hashicorp stuff
+ # vault vault-bin vaultenv vault-medusa
+ # nomad_1_4
+ # consul
+ # terraform
+
+ #unstable.mitmproxy
+ #mitmproxy_bs4
+
+ dex
+ xss-lock
+ networkmanagerapplet
+
+ p7zip
+ m4
+
+ libreoffice
+
+ pandoc
+ tmux
+
+ python311Packages.python-lsp-server
+ ] ++ [
+ burppro
+ ];
+ };
+
+ fonts.packages = with pkgs; [
+ ubuntu_font_family # the font used in the "Sogeti" logo
+ #nerdfonts
+ #font-awesome
+ #powerline-fonts
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ programs = {
+
+ vim.defaultEditor = true;
+
+ htop = {
+ enable = true;
+ settings = {
+ hide_kernel_threads = true;
+ };
+ };
+
+ #fish.enable = true;
+ zsh = {
+ enable = true;
+ syntaxHighlighting = {
+ enable = true;
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "nmap" ];
+ };
+
+ # this par in ~/.zshrc:
+ #
+ # PROMPT="; "
+ # RPROMPT="%F{green}%/%F{reset}"
+ # ZSH_THEME=
+ # PATH=$PATH:/home/hack/.cargo/bin
+ };
+
+ chromium = {
+ enable = true;
+ homepageLocation = "https://emile.space";
+ extraOpts = {
+ "ClientCertificateManagementAllowed" = 0;
+ };
+ };
+
+ git = {
+ enable = true;
+ config = {
+ core.editor = "vim";
+ user = {
+ name = "Emile Hansmaennel";
+ email = "emile.hansmaennel@sogeti.com";
+ };
+ };
+ };
+ };
+
+ # virtualbox guest additions
+ virtualisation.virtualbox.guest.enable = true;
+ virtualisation.virtualbox.guest.x11 = true;
+
+ nix = {
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ gc = {
+ automatic = true;
+ dates = "12:00"; # daily, docs on format in `man 7 systemd.time`
+ persistent = true;
+ };
+
+ settings = {
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "nixbinarycache.lan:JDjlVLc+5VUKOtFAFBGCDtlgVpLEaaR2JdTw2mQUIb8="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
+ # the office root_ca
+ security.pki.certificates = [
+ # office.lan
+ ''
+ *.office.lan
+ ============
+ -----BEGIN CERTIFICATE-----
+ MIIBezCCASGgAwIBAgIQdkxWKinry5WWfV2CTRRHfzAKBggqhkjOPQQDAjAcMRow
+ GAYDVQQDExFPZmZpY2UgQ0EgUm9vdCBDQTAeFw0yMDEwMjYxMjQ2MTlaFw0zMDEw
+ MjYxMjQ2MTlaMBwxGjAYBgNVBAMTEU9mZmljZSBDQSBSb290IENBMFkwEwYHKoZI
+ zj0CAQYIKoZIzj0DAQcDQgAEZ/Ac4kmThYXE0ZUBWvTSvgi4fcR19dgL2hROxSfH
+ 2RLW7hQzArloxhOzs+28VttiVh13lB4rSCvHe3TGA44c5KNFMEMwDgYDVR0PAQH/
+ BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFE0i80PVvdecDvDp
+ MpO2VtGluzxcMAoGCCqGSM49BAMCA0gAMEUCIQDP9Z1J3Z++6atOdHNTqd0PZ/pi
+ w7HjGPxpRneD4/3vTwIgSoE5Gb3umt+FxIvv9WDFlsWSVRJ5wE6KpCkdGWWzWuU=
+ -----END CERTIFICATE-----
+ ''
+ ];
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ networking = {
+ nameservers = [
+ "192.168.1.1"
+ #"8.8.8.8"
+ ];
+
+ hosts = {
+ # 127.0.0.1 localhost
+ # ::1 localhost
+ };
+
+ firewall = {
+ enable = true;
+
+ # open further TCP and/or UDP ports in the firewall
+ allowedTCPPorts = [ 80 443 8123 8080 ];
+ #allowedUDPPorts = [ 53 ];
+ };
+
+ wg-quick.interfaces = {
+ "wg0" = {
+ address = [
+ "10.10.10.12/24" # our IP
+ ];
+ dns = [ "192.168.1.1" ];
+ mtu = 1380;
+ listenPort = 51820;
+
+ # TODO: add private key to repo using agenix, then link here
+ privateKeyFile = "/etc/wireguard/private_key";
+
+ peers = [
+ {
+ publicKey = "9+4OWuqZ0rZsi/oaaXd3YhE1p+Z0tbxwfNbcDnVqRxg=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "PUBLIC_IP:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+
+ virtualisation.docker.enable = true;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
-- cgit 1.4.1
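Review bot: The firewall block opens TCP 80, 443, 8080 and 8123 inbound on every interface, but nothing in this file declares a listener on those ports (sshd stays commented out), and the likely candidates — Burp Suite and mitmproxy from systemPackages — bind to localhost unless told otherwise, so these rules only take effect when a proxy is deliberately bound to 0.0.0.0, at which point it becomes reachable from the whole LAN and from the wg0 peer. I would either drop the entries until a service actually needs them or annotate each one, e.g. `allowedTCPPorts = [ 8080 ]; # Burp listener, only when bound to 0.0.0.0 for a device under test`, so the next reader knows what the hole is for. Two smaller points in the same hunk: the `"docker"` group grants root-equivalent control of the host through the daemon socket and the comment should say so, e.g. `"docker" # docker socket == root on this host`, and the wg0 peer routes everything (`allowedIPs = [ "0.0.0.0/0" ]`) to an endpoint that is still the placeholder `PUBLIC_IP:51820`, which presumably keeps the tunnel from coming up until it is filled in. The `nixbinarycache.lan` key in `trusted-public-keys` also has no matching entry in `substituters`, so it is trusted but never used — worth a comment or removal to keep the trust list minimal.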