diff --git a/common/network/bluetooth.nix b/common/network/bluetooth.nix index ad3c7d1..42f2753 100644 --- a/common/network/bluetooth.nix +++ b/common/network/bluetooth.nix @@ -17,15 +17,5 @@ in services.blueman.enable = lib.mkIf graphical true; environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez; - - systemd.user.services.mpris-proxy = lib.mkIf sound.enable { - description = "Mpris proxy"; - after = [ - "network.target" - "sound.target" - ]; - wantedBy = [ "default.target" ]; - serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy"; - }; }; } diff --git a/common/network/default.nix b/common/network/default.nix index cd1e238..ec90698 100644 --- a/common/network/default.nix +++ b/common/network/default.nix @@ -31,6 +31,8 @@ in "1.1.1.1" "9.9.9.9" ]; + + environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt; }; imports = [ ./bluetooth.nix ]; diff --git a/common/network/telekom-root.crt b/common/network/telekom-root.crt new file mode 100644 index 0000000..0911a56 Binary files /dev/null and b/common/network/telekom-root.crt differ diff --git a/common/printing.nix b/common/printing.nix index 916614e..1e804ec 100644 --- a/common/printing.nix +++ b/common/printing.nix @@ -14,7 +14,7 @@ in brgenml1cupswrapper ]; services.avahi = { - enable = true; + # enable = true; nssmdns4 = true; openFirewall = true; }; diff --git a/common/sound/default.nix b/common/sound/default.nix index 04fe73e..2db7db1 100644 --- a/common/sound/default.nix +++ b/common/sound/default.nix @@ -9,7 +9,7 @@ let in { config = lib.mkIf (enable && sound.enable) { - hardware.pulseaudio.enable = false; + services.pulseaudio.enable = false; services.pipewire = { enable = true; diff --git a/common/sound/spotify.nix b/common/sound/spotify.nix index afe53e0..9e65e5f 100644 --- a/common/sound/spotify.nix +++ b/common/sound/spotify.nix 
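Review bot: The new `environment.etc."NetworkManager/certs/telekom-root.crt"` entry in `common/network/default.nix` installs a CA certificate from a binary blob committed in the same change, with nothing recording where it came from or how it was verified; a comment such as `# Telekom root CA for the <connection profile> 802.1X/EAP profile; fingerprint checked against <source> on <date>` (placeholders) would let the next reader re-verify it and notice expiry. Dropping the file under `/etc/NetworkManager/certs` presumably scopes trust to the connection profiles that reference it and does not touch the system trust store, which is the narrower and better choice — if system-wide trust was actually intended, `security.pki.certificateFiles` is the option for that. The surrounding `nameservers` list and the `imports` line are unchanged context.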
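Review bot: Commenting out `enable = true;` in the `services.avahi` block of `common/printing.nix` leaves `nssmdns4 = true;` and `openFirewall = true;` behind as settings that no longer do anything — as far as I recall the avahi module gates both the NSS module and the UDP 5353 firewall rule on `cfg.enable` — so the block now reads as if mDNS were still configured. Prefer an explicit `enable = false; # mDNS discovery disabled: <reason>` or remove the block, so the intent is stated rather than implied and the firewall opening cannot silently come back when someone re-enables the daemon later.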
@@ -21,5 +21,5 @@ in enable = lib.mkEnableOption "grimm-spotify"; }; - imports = [ ./spotifyd.nix ]; + # imports = [ ./spotifyd.nix ]; } diff --git a/common/tooling/default.nix b/common/tooling/default.nix index a6d9b1b..4d2fefe 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -27,7 +27,7 @@ in ./java.nix ./opensnitch ./ranger.nix - ./defaultProtectHome.nix + # ./defaultProtectHome.nix ./apparmor ]; diff --git a/common/tooling/defaultProtectHome.nix b/common/tooling/defaultProtectHome.nix deleted file mode 100644 index 7a22744..0000000 --- a/common/tooling/defaultProtectHome.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ lib, ... }: -with lib; -{ - options.systemd.services = mkOption { - type = types.attrsOf ( - types.submodule { - config.serviceConfig.ProtectHome = lib.mkDefault true; - } - ); - }; - - config.systemd.services = { - "user-runtime-dir@".serviceConfig.ProtectHome = false; - "user@".serviceConfig.ProtectHome = false; - - display-manager.serviceConfig.ProtectHome = "read-only"; - - systemd-homed.serviceConfig.ProtectHome = false; - systemd-homed-activate.serviceConfig.ProtectHome = false; - - dbus-broker.serviceConfig.ProtectHome = "read-only"; - }; - - # config.systemd.units."service.d/protect-user-home-by-default.conf".text = '' - # [Service] - # ProtectHome=yes - # ''; -} diff --git a/common/tooling/security.nix b/common/tooling/security.nix index 6776955..448a9f2 100644 --- a/common/tooling/security.nix +++ b/common/tooling/security.nix @@ -13,6 +13,7 @@ let optionals filterAttrs mkForce + mkDefault mkIf attrNames mkEnableOption @@ -22,7 +23,7 @@ let in { config = mkIf enable { - security.polkit.enable = true; + security.polkit.enable = mkDefault true; security.rtkit.enable = true; security.pam.yubico = { @@ -34,7 +35,7 @@ in }; # security.doas.enable = true; - security.sudo.enable = true; + security.sudo.enable = mkDefault true; security.sudo.execWheelOnly = true; security.doas.extraRules = [ 
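Review bot: `# ./defaultProtectHome.nix` in `common/tooling/default.nix` now points at a file this commit deletes, so the commented import is misleading rather than a toggle; drop the line or replace it with `# ProtectHome defaults moved to hardening/systemd.nix` so the history of that setting stays discoverable from the import list.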
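Review bot: `security.polkit.enable` and, in the following hunk, `security.sudo.enable` are lowered to `mkDefault` without saying who is expected to override them; the only candidate visible in this commit is the commented-out `security.sudo.enable = false;` in `hardening/ssh-as-sudo.nix`, so a note like `# mkDefault so hardening/ssh-as-sudo.nix can turn sudo off` records the intent. If sudo is later disabled that way, `security.sudo.execWheelOnly = true;` on the next line becomes inert, which is harmless but worth a word in the same comment.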
diff --git a/configuration.nix b/configuration.nix index 531bcea..6fabc9d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,10 +1,11 @@ -{ lib, pkgs, ... }: +{ pkgs, ... }: { imports = [ ./overlays ./common # ./fake_flake.nix ./users.nix + ./hardening ]; # Bootloader. @@ -13,8 +14,6 @@ # kernelPackages = lib.mkDefault pkgs.linuxPackages_zen; }; - services.logrotate.checkConfig = false; # fixme: actually needed? - nix.package = pkgs.lix; nixpkgs.config.allowUnfree = true; diff --git a/flake.lock b/flake.lock index 2547a68..82a5590 100644 --- a/flake.lock +++ b/flake.lock @@ -140,11 +140,11 @@ ] }, "locked": { - "lastModified": 1735509923, - "narHash": "sha256-oepXx1SWadUMvRWn7dXmIMpwfRC0ZLD0d/6ZW0meFN0=", + "lastModified": 1735566338, + "narHash": "sha256-9sYGJZCGeb11WBVsE2u0gwuTk8LpbOgnrJvyDbHpOoY=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "5ace86fdaab9ab74d6a4ab8ecf64c57230d3cb8a", + "rev": "446ad45313df3dbc93ad9e9d8dd6d094b16f6fb4", "type": "github" }, "original": { @@ -529,11 +529,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735530358, - "narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=", + "lastModified": 1735801820, + "narHash": "sha256-tOAdzu1ck58BA3hZItecyqrhe2fdoQgJiWm4iyUyhgc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5000219208d860bafd1ee26eadb403449f3d9ab9", + "rev": "3da6bd3e69891c1e20bbf083a1c8738d6c814060", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c3e5dec..3d60558 100644 --- a/flake.nix +++ b/flake.nix @@ -67,10 +67,6 @@ }: let patches = [ - { - url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch"; - hash = "sha256-P5+8Y/XLF1xv66kr69idNWKsD9WYyTAE3twv5C5NvIg="; - } ]; customNixosSystem = diff --git a/grimm-nixos-ssd.qcow2 b/grimm-nixos-ssd.qcow2 deleted file mode 100644 index 97f54c6..0000000 Binary files a/grimm-nixos-ssd.qcow2 and /dev/null differ 
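Review bot: `lib` is removed from the module arguments while the context line `# kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;` in the second hunk still uses it, so uncommenting that line later would fail with an undefined variable; either keep `{ lib, pkgs, ... }:` or rewrite the comment as `# kernelPackages = pkgs.linuxPackages_zen; # wrap in lib.mkDefault and re-add lib if needed`. Removing `services.logrotate.checkConfig = false;` turns the logrotate config check back on, which is the safer default; a short commit-message or comment note that the check now passes would close the old `fixme`.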
diff --git a/hardening/default.nix b/hardening/default.nix
new file mode 100644
index 0000000..65e5bd8
--- /dev/null
+++ b/hardening/default.nix
@@ -0,0 +1,16 @@
+{ lib, config, ... }:
+{
+ imports = [
+ # ./systemd.nix
+ ./ssh-as-sudo.nix
+ ];
+
+ specialisation.unhardened.configuration = { };
+ services.opensnitch.enable = lib.mkForce false;
+
+ systemd.tpm2.enable = false;
+ systemd.enableEmergencyMode = false;
+ virtualisation.vswitch.enable = false;
+ services.resolved.enable = false;
+ security.unprivilegedUsernsClone = true;
+}
diff --git a/hardening/ssh-as-sudo.nix b/hardening/ssh-as-sudo.nix
new file mode 100644
index 0000000..ee1b550
--- /dev/null
+++ b/hardening/ssh-as-sudo.nix
@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }:
+{
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ # settings.UsePAM = false;
+ openFirewall = lib.mkDefault false;
+ allowSFTP = lib.mkDefault false;
+ # startWhenNeeded = true;
+ };
+
+ users.users.root = {
+ # isSystemUser = true;
+ # isNormalUser = true;
+ uid = 0;
+ openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
+ # home = "/root";
+ hashedPassword = null;
+ createHome = lib.mkForce true;
+ };
+
+ programs.ssh.startAgent = true;
+ # security.sudo.enable = false;
+ # services.yubikey-agent.enable = true;
+}
diff --git a/hardening/systemd.nix b/hardening/systemd.nix
new file mode 100644
index 0000000..6dbf4c9
--- /dev/null
+++ b/hardening/systemd.nix
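Review bot: `security.unprivilegedUsernsClone = true;` relaxes rather than hardens — the option defaults to false and, with the hardened kernel's `kernel.unprivileged_userns_clone` sysctl, re-allows unprivileged user namespaces — and `services.opensnitch.enable = lib.mkForce false;` switches the application firewall off, so both need a comment explaining why they live in a module named `hardening`, e.g. `# userns re-enabled for <sandboxing tool>; opensnitch disabled because <reason>`. `specialisation.unhardened.configuration = { };` only has an effect together with the `./systemd.nix` import that is still commented out: that file presumably relies on `config.specialisation` being empty inside a specialisation, so the base system is hardened and `unhardened` is not, and nothing on this page states that coupling — a one-line comment next to the specialisation would.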
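Review bot: Root key login is configured in `hardening/ssh-as-sudo.nix` (`users.users.root.openssh.authorizedKeys.keyFiles`, `hashedPassword = null;`) but `services.openssh.settings.PermitRootLogin` is left at the NixOS default, which as far as I recall is `"no"`, so sshd will refuse root even with the FIDO key unless another module sets it; if root-over-ssh is the intended sudo replacement, add `settings.PermitRootLogin = "prohibit-password";` here. Since the use case is local, also consider `listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];` so the daemon is not reachable on every interface the moment `openFirewall` is flipped by a host config. `programs.ssh.startAgent = true;` takes over from the home-manager `services.ssh-agent` that this commit comments out in `hm/common/default.nix`; a comment saying so would save the next reader the search.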
@@ -0,0 +1,116 @@
+{ lib, config, ... }:
+let
+ inherit (lib) mkDefault types mkIf;
+ eq = a: b: a == b;
+ noPred =
+ preds: x:
+ if preds == [ ] then
+ true
+ else if (lib.head preds) x then
+ false
+ else
+ noPred (lib.tail preds) x;
+in
+{
+ options.systemd.services = lib.mkOption {
+ type =
+ let
+ osConfig = config;
+ in
+ types.attrsOf (
+ lib.types.submodule (
+ { config, name, ... }:
+ {
+ config.serviceConfig =
+ let
+ shouldMakeIntrusive = (
+ noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
+ );
+ in
+ mkIf (osConfig.specialisation != { }) {
+ ProtectHome = mkDefault true;
+ # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
+ PrivateTmp = mkIf shouldMakeIntrusive (mkDefault true);
+ # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
+ ProtectClock = mkDefault true;
+ # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
+ # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
+ ProtectHostname = mkDefault true;
+ # LockPersonality = mkDefault true;
+ };
+ }
+ )
+ );
+ };
+
+ config = mkIf (config.specialisation != { }) {
+
+ systemd.services = {
+ "user-runtime-dir@".serviceConfig.ProtectHome = false;
+ "user@".serviceConfig.ProtectHome = false;
+ systemd-homed.serviceConfig.ProtectHome = false;
+ systemd-homed-activate.serviceConfig.ProtectHome = false;
+ sshd.serviceConfig.ProtectHome = false;
+ display-manager.serviceConfig.ProtectHome = "read-only";
+ dbus-broker.serviceConfig.ProtectHome = "read-only";
+
+ zfs-mount.serviceConfig.PrivateTmp = false;
+ kmod-static-nodes.serviceConfig.PrivateTmp = false;
+ mount-pstore.serviceConfig.PrivateTmp = false;
+ # todo: tpm things
+
+ # "user@".serviceConfig.PrivateTmp = false; # make sddm happy
+ # "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy
+
+ polkit.serviceConfig.NoNewPrivileges = false;
+
"getty@".serviceConfig.NoNewPrivileges = false; + "user@".serviceConfig.NoNewPrivileges = false; + + # todo: dbus? + + NetworkManager.serviceConfig = { + CapabilityBoundingSet = [ + "" + (lib.concatStringsSep " " [ + "cap_net_bind_service" + "cap_net_admin" + "cap_net_raw" + ]) + ]; + UMask = "0022"; + NoNewPrivileges = true; + RestrictNamespaces = "net uts"; + ProtectControlGroups = true; + # PrivateDevices + ProtectKernelModules = true; + MemoryDenyWriteExecute = true; + RestrictSUIDSGID = true; + }; + + auditd.serviceConfig.ProtectKernelLogs = false; + audit.serviceConfig.ProtectKernelLogs = false; + + "getty@".serviceConfig.SystemCallFilter = ""; + # "user@".serviceConfig.SystemCallFilter = ""; + # "user-runtime-dir@".serviceConfig.SystemCallFilter = ""; + display-manager.serviceConfig.SystemCallFilter = ""; + # nix-daemon.serviceConfig.SystemCallFilter = ""; + sshd.serviceConfig.SystemCallFilter = ""; + rtkit-daemon.serviceConfig.SystemCallFilter = ""; + + systemd-timesync.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + + pipewire.serviceConfig = { + LockPersonality = false; + }; + + save-hwclock.serviceConfig = { + ProtectClock = false; + SystemCallFilter = "@system-service @clock"; + }; + }; + }; +} diff --git a/hm/common/default.nix b/hm/common/default.nix index 2195bff..eac188b 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -69,6 +69,9 @@ in enableCompletion = true; }; + services.mpris-proxy.enable = true; + # services.ssh-agent.enable = true; + programs.alacritty = { enable = graphical; settings = { @@ -159,5 +162,4 @@ in }; xdg.mimeApps.enable = true; - services.ssh-agent.enable = true; } diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index 4058b40..e264163 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix 
@@ -1,6 +1,3 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, @@ -97,7 +94,19 @@ in ]; }; - environment.etc."machine-id".source = "${persist}/etc/machine-id"; + environment.etc = + lib.genAttrs + [ + "machine-id" + "ssh/ssh_host_ed25519_key" + "ssh/ssh_host_ed25519_key.pub" + "ssh/ssh_host_rsa_key" + "ssh/ssh_host_rsa_key.pub" + ] + (n: { + source = "${persist}/etc/${n}"; + }); + environment.memoryAllocator.provider = "libc"; fileSystems."/nix/var" = { @@ -157,7 +166,6 @@ in options = [ "defaults" "size=2G" - "mode=755" "exec" "nosuid" "nodev" @@ -165,11 +173,14 @@ in ]; }; - environment.sessionVariables."java.io.tmpdir" = tmp-exec; + # environment.sessionVariables."java.io.tmpdir" = tmp-exec; # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root"; - systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root"; + systemd.tmpfiles.rules = [ + "D! ${nix_build} 0755 root root" + # "D! /root 0700 root root" + ]; systemd.services.nix-daemon.environment.TMPDIR = nix_build; fileSystems."/etc/nixos" = { @@ -194,6 +205,8 @@ in "nosuid" "nodev" ]; + # noCheck = true; + # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out... }; grimmShared = { diff --git a/users.nix b/users.nix index ffaea98..941441e 100644 --- a/users.nix +++ b/users.nix @@ -27,6 +27,7 @@ "libvirtd" "pipewire" "gamemode" + "systemd-journal" "i2c" ]; # only add to groups that actually exist on this system
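Review bot: The new `environment.etc` entries for `ssh/ssh_host_*_key` in the `@@ -97,7 +94,19 @@` hunk point at the persistent copy through an interpolated string, and that string form is what keeps the private host keys out of the world-readable Nix store — if `"${persist}/etc/${n}"` is ever turned into a path literal, the keys get copied into `/nix/store`; guard the invariant with `# must stay a string: a path value would copy the private host keys into the store`. Alternatively `services.openssh.hostKeys` can point sshd at the persisted paths directly, which avoids the symlink-through-/etc and lets the openssh module generate missing keys in the right place on first boot. The enclosing attribute set continues outside the hunk.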
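Review bot: Dropping `"mode=755"` from the tmpfs options in the `@@ -157,7 +166,6 @@` hunk means the mount falls back to tmpfs's default root mode (1777, world-writable with the sticky bit); that is appropriate for a `/tmp`-style directory but not for a build root that is only tightened afterwards by the `D! ${nix_build} 0755 root root` tmpfiles rule in the next hunk. The mount point itself is outside the hunk, so I cannot tell which it is — a comment on the option list naming the intended mode (`# tmpfs default 1777: shared temp dir`) would make the choice reviewable.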
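Review bot: Adding `"systemd-journal"` to the user's groups in `users.nix` grants read access to the entire system journal, including other services' logs and anything they leak, not just the user's own units; if that is intended, record it inline as `"systemd-journal" # read the full system journal for debugging`, otherwise `journalctl --user` already covers the user's own journal without the group. The group list appears to close at `];` within the hunk; if it continues elsewhere the point stands.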