feat: increase system security

profiles/common/nixos/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, inputs, ... }:
 {
   imports = [
     ./xserver.nix
@@ -12,12 +12,14 @@
     ./network.nix
     ./time.nix
     ./hardware.nix
+    ./pipewire.nix
     ./sops.nix
     ./packages.nix
     ./programs.nix
     ./zsh.nix
     ./syncthing.nix
     ./blueman.nix
+    ./safeeyes.nix
     ./networkdevices.nix
     ./gvfs.nix
     ./interceptiontools.nix
@@ -26,11 +28,32 @@
     ./stylix.nix
     ./power-profiles-daemon.nix
     # ./impermanence.nix
+    ./nvd-rebuild.nix
     ./nix-ld.nix
     ./gnome-keyring.nix
+    ./sway.nix
+    ./xdg-portal.nix
   ];
 
-  nix.settings.trusted-users = [ "swarsel" ];
+  nix =
+    let
+      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+    in
+    {
+      settings = {
+        experimental-features = [
+          "nix-command"
+          "flakes"
+          "ca-derivations"
+        ];
+        trusted-users = [ "swarsel" ];
+        flake-registry = "";
+        warn-dirty = false;
+      };
+      channel.enable = false;
+      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+    };
 
   home-manager = {
     useGlobalPkgs = true;

profiles/common/nixos/packages.nix

@@ -9,6 +9,7 @@
     yubioath-flutter
     yubikey-manager
     yubikey-manager-qt
+    yubikey-touch-detector
     yubico-piv-tool
     cfssl
     pcsctools
@@ -18,6 +19,8 @@
     ledger-live-desktop
 
     # pinentry
+    dbus
+    swaylock-effects
 
     # secure boot
     sbctl

profiles/common/nixos/polkit.nix

@@ -1,4 +1,12 @@
 _:
 {
+
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+    swaylock.u2fAuth = true;
+    swaylock.fprintAuth = false;
+  };
   security.polkit.enable = true;
+
 }