grimm-nixos-laptop/hardening/default.nix

{
  lib,
  pkgs,
  config,
  ...
}:
{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
    ./encrypt-dns.nix
    ./filesystem-deny-mount.nix
  ];

  specialisation.unhardened.configuration = {
    services.opensnitch.enable = lib.mkForce false;
    security.apparmor.enable = lib.mkForce false;
  };

  systemd.oomd.enable = false;
  
  boot.kernel.sysctl = {
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
    "net.ipv4.conf.all.send_redirects"=0;
    "net.ipv4.conf.default.accept_source_route"=0;
    "net.ipv4.conf.all.accept_redirects"=0;
    "net.ipv4.conf.default.accept_redirects"=0;
    "net.ipv6.conf.all.accept_redirects"=0;
    "net.ipv6.conf.default.accept_redirects"=0;
    "net.ipv4.conf.all.secure_redirects"=0;
    "net.ipv4.conf.default.secure_redirects"=0;
    "net.ipv4.conf.all.log_martians"=1;
    "net.ipv4.conf.default.log_martians"=1;
    "net.ipv4.icmp_echo_ignore_broadcasts"=1;
    "net.ipv4.conf.all.rp_filter"=1;
    "net.ipv4.conf.default.rp_filter"=1;

    "fs.suid_dumpable" = 0;
  };

  environment.etc."motd" = { text = config.users.motd; mode = "644"; };
  environment.etc."limits.conf".text = "* hard core 0";
  environment.etc."hosts.allow" = { text = "ALL: LOCAL"; mode = "644"; };
  environment.etc."hosts.deny" = { text = ""; mode = "644"; };
  environment.etc."issue" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
  environment.etc."issue.net" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };

#  systemd.tmpfiles.rules = [
#    "L+ /etc/passwd- 0644 root root - /etc/passwd"
#    "L+ /etc/shadow- 0644 root root - /etc/shadow"
#    "L+ /etc/group- 0644 root root - /etc/group"
#    "L+ /etc/gshadow- 0644 root root - /etc/gshadow"
#  ];

  users.motd = "welcome to grimms paranoid box";

  security.loginDefs.settings = {
    # PASS_MAX_DAYS = 365;
    PASS_MIN_DAYS = 7;
    PASS_WARN_AGE = 14;
    ENCRYPT_METHOD = "SHA512";
  };

  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
  security.apparmor.enable = true;
  security.allowSimultaneousMultithreading = true;
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano clamav linux-bench ];
}
cached and updated nix-index 2025-01-14 20:37:14 +01:00			`{`
			`lib,`
			`pkgs,`
CIS progress 2025-01-31 19:42:46 +01:00			`config,`
cached and updated nix-index 2025-01-14 20:37:14 +01:00			`...`
			`}:`
hardening WIP 2025-01-03 15:57:36 +01:00			`{`
			`imports = [`
systemd network hardening 2025-01-05 13:27:12 +01:00			`./systemd`
hardening WIP 2025-01-03 15:57:36 +01:00			`./ssh-as-sudo.nix`
clean up hardening 2025-01-10 12:50:01 +01:00			`./apparmor`
			`./opensnitch`
			`./security.nix`
encrypted dns 2025-01-28 19:54:36 +01:00			`./encrypt-dns.nix`
CIS progress 2025-01-31 19:42:46 +01:00			`./filesystem-deny-mount.nix`
hardening WIP 2025-01-03 15:57:36 +01:00			`];`

fixes and qol 2025-01-26 21:43:23 +01:00			`specialisation.unhardened.configuration = {`
			`services.opensnitch.enable = lib.mkForce false;`
			`security.apparmor.enable = lib.mkForce false;`
			`};`
CIS progress 2025-01-31 19:42:46 +01:00
			`systemd.oomd.enable = false;`

			`boot.kernel.sysctl = {`
			`"net.ipv6.conf.all.accept_ra" = 0;`
			`"net.ipv6.conf.default.accept_ra" = 0;`
			`"net.ipv4.conf.all.send_redirects"=0;`
			`"net.ipv4.conf.default.accept_source_route"=0;`
			`"net.ipv4.conf.all.accept_redirects"=0;`
			`"net.ipv4.conf.default.accept_redirects"=0;`
			`"net.ipv6.conf.all.accept_redirects"=0;`
			`"net.ipv6.conf.default.accept_redirects"=0;`
			`"net.ipv4.conf.all.secure_redirects"=0;`
			`"net.ipv4.conf.default.secure_redirects"=0;`
			`"net.ipv4.conf.all.log_martians"=1;`
			`"net.ipv4.conf.default.log_martians"=1;`
			`"net.ipv4.icmp_echo_ignore_broadcasts"=1;`
			`"net.ipv4.conf.all.rp_filter"=1;`
			`"net.ipv4.conf.default.rp_filter"=1;`

			`"fs.suid_dumpable" = 0;`
			`};`

			`environment.etc."motd" = { text = config.users.motd; mode = "644"; };`
			`environment.etc."limits.conf".text = "* hard core 0";`
			`environment.etc."hosts.allow" = { text = "ALL: LOCAL"; mode = "644"; };`
			`environment.etc."hosts.deny" = { text = ""; mode = "644"; };`
			`environment.etc."issue" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };`
			`environment.etc."issue.net" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };`

			`# systemd.tmpfiles.rules = [`
			`# "L+ /etc/passwd- 0644 root root - /etc/passwd"`
			`# "L+ /etc/shadow- 0644 root root - /etc/shadow"`
			`# "L+ /etc/group- 0644 root root - /etc/group"`
			`# "L+ /etc/gshadow- 0644 root root - /etc/gshadow"`
			`# ];`

			`users.motd = "welcome to grimms paranoid box";`

			`security.loginDefs.settings = {`
			`# PASS_MAX_DAYS = 365;`
			`PASS_MIN_DAYS = 7;`
			`PASS_WARN_AGE = 14;`
			`ENCRYPT_METHOD = "SHA512";`
			`};`
hardening WIP 2025-01-03 15:57:36 +01:00
			`systemd.tpm2.enable = false;`
			`systemd.enableEmergencyMode = false;`
			`virtualisation.vswitch.enable = false;`
fixes and qol 2025-01-26 21:43:23 +01:00			`services.resolved.enable = false;`
hardening WIP 2025-01-03 15:57:36 +01:00			`security.unprivilegedUsernsClone = true;`
cleanup, reenable HT 2025-01-27 10:38:55 +01:00			`security.apparmor.enable = true;`
			`security.allowSimultaneousMultithreading = true;`
cached and updated nix-index 2025-01-14 20:37:14 +01:00			`environment.defaultPackages = lib.mkForce [ ];`
CIS progress 2025-01-31 19:42:46 +01:00			`environment.systemPackages = with pkgs; [ nano clamav linux-bench ];`
hardening WIP 2025-01-03 15:57:36 +01:00			`}`