mirror of https://github.com/XNM1/linux-nixos-hyprland-config-dotfiles.git synced 2025-09-15 09:45:58 +03:00

small improvements & security update

changelog:
- added additional commands for nixos `gc` in fish
- changed default app to `mpv` for gif images in mimeapps.list
- added config for clamav-scanner
- added `fangfrisch` to clamav
- sandboxed some apps & added profiles through firejail
- changed vscode to vscodium
- updated README
xnm
2024-05-04 20:00:29 +03:00
parent c05a428e38
commit fd1a80a9c3
8 changed files with 47 additions and 8 deletions


@@ -115,7 +115,7 @@ And many other useful utilities. The full list can be found in the system config
Failure to configure USBGuard appropriately may result in the inability to connect any USB devices to your machine. If needed, you can also disable USBGuard altogether by setting `services.usbguard.enable` to `false` in the configuration:`services.usbguard.enable = false;`. This step ensures that USBGuard is not actively blocking any USB devices.
🚨 Also important: If you use disk encryption with LUKS and want to use encrypted swap, you need to enable swap on LUKS. This is usually auto-generated in `/etc/nixos/configuration.nix` under commented sections titled `# Setup keyfile` and `# Enable swap on luks` if you set it up during the NixOS installation process. You can simply copy this snippet to either `nixos/swap.nix`, `nixos/hardware-configuration.nix`, or `nixos/configuration.nix` (Personally, I prefer to copy it to `hardware-configuration.nix`).
🚨 Also, important: If you use disk encryption with LUKS and want to use encrypted swap, you need to enable swap on LUKS. This is usually auto-generated in `/etc/nixos/configuration.nix` as the `boot.initrd.luks.devices."luks-...".device = "/dev/disk/by-uuid/...";` code block, if you set this option up during the NixOS installation process. You can simply copy this snippet to either `nixos/swap.nix`, `nixos/hardware-configuration.nix`, or `nixos/configuration.nix` (Personally, I prefer to copy it to `hardware-configuration.nix`).
Alternatively, you can set it up manually or use [swap encryption with a random key](https://nixos.wiki/wiki/Swap#Encrypt_swap_with_random_key).
@@ -123,7 +123,7 @@ And many other useful utilities. The full list can be found in the system config
5. Enable `flake` support (more [here](https://nixos.wiki/wiki/Flakes#Enable_flakes_temporarily)) on your current system. Don't forget to run `sudo nixos-rebuild switch` after enabling `flake` in your `/etc/configuration.nix`.
6. Copy or move all files (with replacements) from the `home` directory to your `$HOME` directory in Linux.
7. Copy or move all files (with replacements and **sudo** permissions) from the `nixos` directory to `/etc/nixos/`. 🚨 Ensure that `system.stateVersion = "your_version";` is correctly set to the release version of the initial installation of your system in the `configuration.nix` file. 🚨 Also, for security reasons, ensure all files in the `/etc/nixos` directory are owned by **root**. If not, change ownership using the command: `sudo chown -R root:root /etc/nixos`.
8. Run the command `sudo nixos-rebuild switch --flake /etc/nixos#your-hostname`. Replace `your-hostname` with your hostname before running the command; by default, it is set to `isitreal-laptop`.
8. Run the command `sudo nixos-rebuild switch --flake /etc/nixos#your-hostname` or `nswitchu`. If you chose first command, replace `your-hostname` with your hostname before running the command; by default, hostname is set to `isitreal-laptop`.
9. Post-installation configuration:
- Import GNOME settings along with the theme by executing the following command: `dconf load / < home/.config/gnome_settings_backup.dconf`. Additionally, you can use tools like **gnome-tweaks** or **themechanger** to fine-tune specific theme preferences to your liking.


@@ -9,10 +9,12 @@ alias conf="z ~/.config"
alias nixos="z /etc/nixos"
alias store="z /nix/store"
alias nswitch="sudo nixos-rebuild switch --flake /etc/nixos"
alias nswitchu="sudo nixos-rebuild switch --flake /etc/nixos --update-input nixpkgs --update-input rust-overlay --commit-lock-file --upgrade"
alias nswitchu="sudo nixos-rebuild switch --flake /etc/nixos#isitreal-laptop --update-input nixpkgs --update-input rust-overlay --commit-lock-file --upgrade"
alias nau="sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos"
alias nsgc="sudo nix-store --gc"
alias ngc="sudo nix-collect-garbage -d"
alias ngc7="sudo nix-collect-garbage --delete-older-than 7d"
alias ngc14="sudo nix-collect-garbage --delete-older-than 14d"
# if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" -eq 1 ]
# exec Hyprland
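Review bot: The rewritten `nswitchu` alias pins the flake output to `#isitreal-laptop`, while `nswitch` on the line above still lets nixos-rebuild select the output from the running hostname, so on a machine with any other hostname the update alias targets the wrong configuration or fails to find one. Either drop the fragment again or put a comment above the alias such as `# NOTE: replace isitreal-laptop with your hostname`, since the README change in this commit recommends `nswitchu` as an install step. Among the garbage-collection aliases, `ngc` (`nix-collect-garbage -d`) deletes every old generation and with it the rollback targets; a one-line comment naming `ngc7`/`ngc14` as the safer default would help.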


@@ -17,12 +17,12 @@ image/x-tga=imv-folder.desktop
image/x-xbitmap=imv-folder.desktop
application/pdf=org.pwmt.zathura-pdf-mupdf.desktop
image/svg+xml=imv-folder.desktop
x-scheme-handler/tg=userapp-Telegram Desktop-ULF1Y1.desktop
x-scheme-handler/tg=org.telegram.desktop.desktop
text/plain=Helix.desktop
[Added Associations]
image/bmp=imv-folder.desktop;
image/gif=imv.desktop;imv-folder.desktop;
image/gif=mpv.desktop;imv.desktop;imv-folder.desktop;
image/jpg=imv-folder.desktop;
image/pjpeg=imv-folder.desktop;
image/png=imv.desktop;imv-folder.desktop;
@@ -38,7 +38,7 @@ image/x-tga=imv-folder.desktop;
image/x-xbitmap=imv-folder.desktop;
application/pdf=org.pwmt.zathura-pdf-mupdf.desktop;
image/svg+xml=code.desktop;imv-folder.desktop;
x-scheme-handler/tg=userapp-Telegram Desktop-ULF1Y1.desktop;
x-scheme-handler/tg=userapp-Telegram Desktop-ULF1Y1.desktop;org.telegram.desktop.desktop;
text/plain=Helix.desktop;
image/jpeg=imv.desktop;
video/mp4=umpv.desktop;
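Review bot: The `image/svg+xml=code.desktop;imv-folder.desktop;` association kept in the second hunk still names the VS Code desktop entry, although this commit swaps `vscode` for `vscodium` in the package list; VSCodium normally ships its entry as `codium.desktop`, so the first handler is probably dangling after the switch. In the same hunk the `x-scheme-handler/tg` line keeps `userapp-Telegram Desktop-ULF1Y1.desktop` ahead of `org.telegram.desktop.desktop`; if that user-generated entry no longer exists it can be dropped. Both sections of the file continue outside the hunks shown.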


@@ -2,6 +2,7 @@ local wezterm = require 'wezterm'
local act = wezterm.action
return {
enable_wayland = true;
color_scheme = 'Catppuccin Macchiato',
enable_tab_bar = false,
inactive_pane_hsb = {
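Review bot: The added `enable_wayland = true;` ends in a semicolon while the neighbouring fields of the returned table use commas; Lua accepts both separators, but `enable_wayland = true,` keeps the table consistent. The table body continues past the end of the hunk.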

8
nixos/clamav-scanner.nix Normal file

@@ -0,0 +1,8 @@
{ ... }:
{
services.clamav.scanner = {
enable = true;
interval = "Sat *-*-* 04:00:00";
};
}
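Review bot: The new module carries no comment on what it depends on or when it runs: `services.clamav.scanner` appears to rely on the clamd daemon, which is enabled in the `services.clamav` block of a different file, and `interval` is a systemd calendar expression (Saturdays at 04:00). A header such as `# Weekly ClamAV scan (systemd.time format); needs services.clamav.daemon.enable = true` would cover it. The import list adds this file only as the commented-out `# ./clamav-scanner.nix`, so the scan stays off until that line is uncommented, which belongs in the same comment. On a laptop that is usually powered off at that hour the run may be skipped, so the schedule is worth checking against how the timer is configured.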


@@ -17,6 +17,7 @@
# ./disable-nvidia.nix
./opengl.nix
# ./fingerprint-scanner.nix
# ./clamav-scanner.nix
./yubikey.nix
./sound.nix
./usb.nix


@@ -29,6 +29,8 @@
programs.browserpass.enable = true;
services.clamav = {
daemon.enable = true;
fangfrisch.enable = true;
fangfrisch.interval = "daily";
updater.enable = true;
updater.interval = "daily"; #man systemd.time
updater.frequency = 12;
@@ -50,6 +52,31 @@
};
discord = {
executable = "${lib.getBin pkgs.discord}/bin/discord";
profile = "${pkgs.firejail}/etc/firejail/discord.profile";
};
slack = {
executable = "${lib.getBin pkgs.slack}/bin/slack";
profile = "${pkgs.firejail}/etc/firejail/slack.profile";
};
telegram-desktop = {
executable = "${lib.getBin pkgs.tdesktop}/bin/telegram-desktop";
profile = "${pkgs.firejail}/etc/firejail/telegram-desktop.profile";
};
brave = {
executable = "${lib.getBin pkgs.brave}/bin/brave";
profile = "${pkgs.firejail}/etc/firejail/brave.profile";
};
qutebrowser = {
executable = "${lib.getBin pkgs.qutebrowser}/bin/qutebrowser";
profile = "${pkgs.firejail}/etc/firejail/qutebrowser.profile";
};
thunar = {
executable = "${lib.getBin pkgs.xfce.thunar}/bin/thunar";
profile = "${pkgs.firejail}/etc/firejail/thunar.profile";
};
vscodium = {
executable = "${lib.getBin pkgs.vscodium}/bin/vscodium";
profile = "${pkgs.firejail}/etc/firejail/vscodium.profile";
};
};
};
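Review bot: The `vscodium` wrapper points at `${lib.getBin pkgs.vscodium}/bin/vscodium`, but the nixpkgs VSCodium package installs its launcher as `codium` as far as I know, so this entry would wrap a path that does not exist while the real `codium` command stays unsandboxed; `executable = "${lib.getBin pkgs.vscodium}/bin/codium";` under an attribute named `codium` is the likely fix, to be verified against the store path. More generally, each wrapper in this hunk only takes effect when the program is started by name through PATH: a desktop entry or scheme handler whose `Exec=` holds an absolute store path skips firejail. The NixOS firejail module offers a per-binary `desktop` attribute for that case, for example `desktop = "${pkgs.<package>}/share/applications/<entry>.desktop";` (placeholders). The enclosing attribute set begins above the hunk, so entries outside the visible lines were not reviewed.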


@@ -12,7 +12,7 @@
youtube-music
discord
tdesktop
vscode
vscodium
brave
];
};