grimm-nixos-laptop/hardening/systemd/default.nix

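# Systemd service hardening for this host.
#
# Two things happen in this module:
#   1. `options.systemd.services` is extended so that every service picks up a
#      baseline of `serviceConfig` sandboxing settings.  All of them are set
#      with `mkDefault`, so any explicit per-service value still wins.
#   2. `config.systemd.services` relaxes that baseline for the handful of
#      units that are known to need the capability being taken away.
#
# Both halves are gated on `config.specialisation != { }`.  Presumably a
# specialisation is kept as an un-hardened boot entry to fall back to when one
# of these settings breaks a service -- confirm with the author.
{ lib, config, ... }:
let
  inherit (lib) mkDefault types mkIf;

  # Curried equality, used to build the predicate list below.
  eq = a: b: a == b;

  # `noPred preds x` is true iff none of the predicates in `preds` hold for `x`.
  # `lib.any` stops at the first match, like the original explicit recursion.
  noPred = preds: x: !(lib.any (p: p x) preds);
in
{
  imports = [
    ./NetworkManager.nix
    ./wpa_supplicant.nix
  ];

  options.systemd.services = lib.mkOption {
    type =
      let
        # Inside the submodule `config` would refer to the submodule's own
        # config; keep a handle on the top-level NixOS config for the
        # specialisation check.
        osConfig = config;
      in
      types.attrsOf (
        types.submodule (
          { name, ... }:
          {
            config.serviceConfig =
              let
                # The "intrusive" settings (PrivateTmp, ProtectKernelLogs, ...)
                # are skipped for systemd's own units, the per-user service
                # managers and the Nix daemon; the relaxations further down
                # cover the remaining known exceptions.
                shouldMakeIntrusive = noPred [
                  (lib.hasPrefix "systemd-")
                  (eq "user@")
                  (eq "user-runtime-dir@")
                  (eq "nix-daemon")
                ] name;
              in
              mkIf (osConfig.specialisation != { }) (
                {
                  ProtectHome = mkDefault true;
                  ProtectClock = mkDefault true;
                  # ProtectHostname = mkDefault true;
                  # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
                }
                // (lib.optionalAttrs shouldMakeIntrusive {
                  PrivateTmp = mkDefault true;
                  # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
                  # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
                  # `optionalAttrs` already gates this whole set on
                  # shouldMakeIntrusive, so no inner mkIf is needed.
                  ProtectKernelLogs = mkDefault true;
                  # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
                })
              );
          }
        )
      );
  };

  # Per-service relaxations of the baseline above.  These are plain
  # assignments (not mkDefault), so they take precedence over the defaults.
  config = mkIf (config.specialisation != { }) {
    systemd.services = {
      # ProtectHome: units that need the real /home, /root or /run/user.
      "user-runtime-dir@".serviceConfig.ProtectHome = false;
      "user@".serviceConfig.ProtectHome = false;
      systemd-homed.serviceConfig.ProtectHome = false;
      systemd-homed-activate.serviceConfig.ProtectHome = false;
      sshd.serviceConfig.ProtectHome = false;
      display-manager.serviceConfig.ProtectHome = "read-only";
      dbus-broker.serviceConfig.ProtectHome = "read-only";
      nix-daemon.serviceConfig.ProtectHome = false;

      # PrivateTmp: exempted units -- presumably they run before a private
      # /tmp can be set up or must see the real one; confirm per unit.
      zfs-mount.serviceConfig.PrivateTmp = false;
      kmod-static-nodes.serviceConfig.PrivateTmp = false;
      mount-pstore.serviceConfig.PrivateTmp = false;
      # todo: tpm things

      #polkit.serviceConfig.NoNewPrivileges = false;
      #"getty@".serviceConfig.NoNewPrivileges = false;
      #"user@".serviceConfig.NoNewPrivileges = false;

      # todo: dbus?
      # ProtectKernelLogs: the audit units are exempted (reason not recorded
      # here -- presumably they need the kernel log interfaces; confirm).
      auditd.serviceConfig.ProtectKernelLogs = false;
      audit.serviceConfig.ProtectKernelLogs = false;

      # NOTE(review): an empty SystemCallFilter resets the filter list, so
      # these also drop any filter the upstream unit or NixOS module sets on
      # its own -- not just the (currently disabled) default from this file.
      # Worth checking whether a narrower allow-list would do instead.
      "getty@".serviceConfig.SystemCallFilter = "";
      display-manager.serviceConfig.SystemCallFilter = "";
      sshd.serviceConfig.SystemCallFilter = "";
      rtkit-daemon.serviceConfig.SystemCallFilter = "";

      # ProtectClock: the two units that legitimately set the system clock.
      # The NTP client's unit is `systemd-timesyncd.service`; the previous
      # name here (`systemd-timesync`) would have declared a fresh, empty
      # unit and left the real one with ProtectClock=true.
      systemd-timesyncd.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };
      save-hwclock.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };
    };
  };
}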