grimm-nixos-laptop/hardening/systemd/default.nix

{ lib, config, ... }:
let
  inherit (lib) mkDefault types mkIf;
  eq = a: b: a == b;
  noPred =
    preds: x:
    if preds == [ ] then
      true
    else if (lib.head preds) x then
      false
    else
      noPred (lib.tail preds) x;
in
{
  imports = [
    ./NetworkManager.nix
    ./wpa_supplicant.nix
    ./auditd.nix
    ./acpid.nix
    ./cups.nix
    ./bluetooth.nix
    ./tty.nix
    ./ask-password.nix
    ./nix-daemon.nix
    ./nscd.nix
    ./rtkit.nix
    ./sshd.nix

    ./global
  ];

  options.systemd.services = lib.mkOption {
    type =
      let
        osConfig = config;
      in
      types.attrsOf (
        lib.types.submodule (
          { config, name, ... }:
          {
            config.serviceConfig =
              let
                shouldMakeIntrusive = (
                  noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
                );
              in
              mkIf (osConfig.specialisation != { }) (
                {
                  ProtectHome = mkDefault true;
                  # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
                }
                // (lib.optionalAttrs shouldMakeIntrusive {
                  # PrivateTmp = mkDefault true;
                  # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
                  # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
                  # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
                  SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
                })
              );
          }
        )
      );
  };

  config = mkIf (config.specialisation != { }) {

    systemd.services = {
      opensnitchd.serviceConfig = {
        ProtectHome = false;
        PrivateTmp = false;
        ProtectKernelLogs = false;
      };
      "user-runtime-dir@".serviceConfig.ProtectHome = false;
      "user@".serviceConfig.ProtectHome = false;
      systemd-homed.serviceConfig.ProtectHome = false;
      systemd-homed-activate.serviceConfig.ProtectHome = false;
      sshd.serviceConfig.ProtectHome = false;
      display-manager.serviceConfig.ProtectHome = "read-only";
      dbus-broker.serviceConfig.ProtectHome = "read-only";
      systemd-logind.serviceConfig.ProtectHome = false;

      nix-daemon.serviceConfig.ProtectHome = false;

      zfs-mount.serviceConfig.PrivateTmp = false;
      kmod-static-nodes.serviceConfig.PrivateTmp = false;
      mount-pstore.serviceConfig.PrivateTmp = false;
      # todo: tpm things

      #polkit.serviceConfig.NoNewPrivileges = false;
      #"getty@".serviceConfig.NoNewPrivileges = false;
      #"user@".serviceConfig.NoNewPrivileges = false;

      # todo: dbus?

      auditd.serviceConfig.ProtectKernelLogs = false;
      audit.serviceConfig.ProtectKernelLogs = false;

      "getty@".serviceConfig.SystemCallFilter = "";
      display-manager.serviceConfig.SystemCallFilter = "";
      sshd.serviceConfig.SystemCallFilter = "";
      rtkit-daemon.serviceConfig.SystemCallFilter = "";
    };
  };
}
hardening WIP 2025-01-03 15:57:36 +01:00			`{ lib, config, ... }:`
			`let`
			`inherit (lib) mkDefault types mkIf;`
			`eq = a: b: a == b;`
			`noPred =`
			`preds: x:`
			`if preds == [ ] then`
			`true`
			`else if (lib.head preds) x then`
			`false`
			`else`
			`noPred (lib.tail preds) x;`
			`in`
			`{`
systemd network hardening 2025-01-05 13:27:12 +01:00			`imports = [`
			`./NetworkManager.nix`
			`./wpa_supplicant.nix`
more sysd hardening 2025-01-05 23:03:11 +01:00			`./auditd.nix`
			`./acpid.nix`
nscd and rtkit hardening 2025-01-10 11:36:19 +01:00			`./cups.nix`
more sysd hardening 2025-01-07 11:31:43 +01:00			`./bluetooth.nix`
			`./tty.nix`
			`./ask-password.nix`
nix-daemon confinement 2025-01-08 19:06:22 +01:00			`./nix-daemon.nix`
nscd and rtkit hardening 2025-01-10 11:36:19 +01:00			`./nscd.nix`
			`./rtkit.nix`
ssh hardening 2025-01-15 11:01:27 +01:00			`./sshd.nix`
more sysd hardening 2025-01-07 11:31:43 +01:00
			`./global`
systemd network hardening 2025-01-05 13:27:12 +01:00			`];`

hardening WIP 2025-01-03 15:57:36 +01:00			`options.systemd.services = lib.mkOption {`
			`type =`
			`let`
			`osConfig = config;`
			`in`
			`types.attrsOf (`
			`lib.types.submodule (`
			`{ config, name, ... }:`
			`{`
			`config.serviceConfig =`
			`let`
			`shouldMakeIntrusive = (`
			`noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name`
			`);`
			`in`
systemd network hardening 2025-01-05 13:27:12 +01:00			`mkIf (osConfig.specialisation != { }) (`
			`{`
			`ProtectHome = mkDefault true;`
			`# LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!`
			`}`
			`// (lib.optionalAttrs shouldMakeIntrusive {`
improve hardening rules 2025-01-11 11:54:34 +01:00			`# PrivateTmp = mkDefault true;`
systemd network hardening 2025-01-05 13:27:12 +01:00			`# NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical`
			`# SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");`
improve hardening rules 2025-01-11 11:54:34 +01:00			`# ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);`
			`SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");`
systemd network hardening 2025-01-05 13:27:12 +01:00			`})`
			`);`
hardening WIP 2025-01-03 15:57:36 +01:00			`}`
			`)`
			`);`
			`};`

			`config = mkIf (config.specialisation != { }) {`

			`systemd.services = {`
update and fix opensnitch 2025-01-09 13:54:25 +01:00			`opensnitchd.serviceConfig = {`
			`ProtectHome = false;`
			`PrivateTmp = false;`
			`ProtectKernelLogs = false;`
			`};`
hardening WIP 2025-01-03 15:57:36 +01:00			`"user-runtime-dir@".serviceConfig.ProtectHome = false;`
			`"user@".serviceConfig.ProtectHome = false;`
			`systemd-homed.serviceConfig.ProtectHome = false;`
			`systemd-homed-activate.serviceConfig.ProtectHome = false;`
			`sshd.serviceConfig.ProtectHome = false;`
			`display-manager.serviceConfig.ProtectHome = "read-only";`
			`dbus-broker.serviceConfig.ProtectHome = "read-only";`
more sysd hardening 2025-01-07 11:31:43 +01:00			`systemd-logind.serviceConfig.ProtectHome = false;`
hardening WIP 2025-01-03 15:57:36 +01:00
systemd network hardening 2025-01-05 13:27:12 +01:00			`nix-daemon.serviceConfig.ProtectHome = false;`

hardening WIP 2025-01-03 15:57:36 +01:00			`zfs-mount.serviceConfig.PrivateTmp = false;`
			`kmod-static-nodes.serviceConfig.PrivateTmp = false;`
			`mount-pstore.serviceConfig.PrivateTmp = false;`
			`# todo: tpm things`

systemd network hardening 2025-01-05 13:27:12 +01:00			`#polkit.serviceConfig.NoNewPrivileges = false;`
			`#"getty@".serviceConfig.NoNewPrivileges = false;`
			`#"user@".serviceConfig.NoNewPrivileges = false;`
hardening WIP 2025-01-03 15:57:36 +01:00
			`# todo: dbus?`

			`auditd.serviceConfig.ProtectKernelLogs = false;`
			`audit.serviceConfig.ProtectKernelLogs = false;`

			`"getty@".serviceConfig.SystemCallFilter = "";`
			`display-manager.serviceConfig.SystemCallFilter = "";`
			`sshd.serviceConfig.SystemCallFilter = "";`
			`rtkit-daemon.serviceConfig.SystemCallFilter = "";`
			`};`
			`};`
			`}`