From 28da262b65ad3dae17477f0e076f7083cd7b9ebd Mon Sep 17 00:00:00 2001 From: Daniel Ziltener Date: Fri, 5 Jul 2024 15:54:30 +0200 Subject: [PATCH] . --- configuration.nix | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/configuration.nix b/configuration.nix index 40ff309..744e418 100644 --- a/configuration.nix +++ b/configuration.nix @@ -7,19 +7,17 @@ { imports = [ # Include the results of the hardware scan. - ./bevuta-config/bevuta.nix + # NOTE: Required bevuta config is part of this file here, and not bevuta specific. + # ./bevuta-config/bevuta.nix ./hardware-configuration.nix "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix" ./disko-config.nix ]; # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - boot.initrd.luks.devices."root".preLVM = lib.mkForce false; boot = { + kernel.sysctl."kernel.sysrq" = 0; loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; @@ -79,6 +77,35 @@ # hardware.pulseaudio.enable = true; # rtkit is optional but recommended security.rtkit.enable = true; + security = { + rtkit.enable = true; + apparmor = { + enable = true; + policies.dummy.profile = '' + /dummy { + } + ''; + }; + # This blacklist is from bevuta + pki.caCertificateBlacklist = [ + "certSIGN ROOT CA" + "certSIGN Root CA G2" + "CFCA EV ROOT" + "ePKI Root Certification Authority" + "SecureSign RootCA11" + "GDCA TrustAUTH R5 ROOT" + "Hongkong Post Root CA 3" + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" + "Hellenic Academic and Research Institutions ECC RootCA 2015" + "Hellenic Academic and Research Institutions RootCA 2015" + "NAVER Global Root Certification Authority" + "UCA Extended Validation Root" + "UCA Global G2 Root" + "TWCA Global Root CA" + "TWCA Root Certification Authority" + ]; + }; + services.pipewire = { enable = true; alsa.enable = true;
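Review bot: The disko import in the `imports` list still fetches `archive/master.tar.gz` through `builtins.fetchTarball` with no hash, so each evaluation can pull whatever that branch holds at the time and load it as a NixOS module. The line is unchanged context, but since this commit already edits the list it is a good place to pin it: `builtins.fetchTarball { url = "https://github.com/nix-community/disko/archive/<COMMIT_PLACEHOLDER>.tar.gz"; sha256 = "<SHA256_PLACEHOLDER>"; }`. The added `kernel.sysctl."kernel.sysrq" = 0;` would also benefit from a short comment such as `# disable the magic SysRq key`. The `boot` block continues past the end of the hunk.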
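Review bot: The new `security = { rtkit.enable = true; … }` block defines `security.rtkit.enable` a second time, because the existing `security.rtkit.enable = true;` line directly above it is kept as context; Nix normally rejects this as an attribute that is already defined, so one of the two should go. The `policies.dummy.profile` entry is an empty profile for `/dummy`, so as far as this hunk shows AppArmor is enabled without confining any program; a comment like `# placeholder profile, nothing is confined yet` would stop readers from assuming otherwise. The comment on `pki.caCertificateBlacklist` could also say why these roots are distrusted and where the list is maintained, since entries are presumably matched by certificate name and a list copied without a source is hard to audit.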