hardening WIP

common/network/bluetooth.nix

@@ -17,15 +17,5 @@ in
     services.blueman.enable = lib.mkIf graphical true;
 
     environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez;
-
-    systemd.user.services.mpris-proxy = lib.mkIf sound.enable {
-      description = "Mpris proxy";
-      after = [
-        "network.target"
-        "sound.target"
-      ];
-      wantedBy = [ "default.target" ];
-      serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy";
-    };
   };
 }

common/network/default.nix

@@ -31,6 +31,8 @@ in
       "1.1.1.1"
       "9.9.9.9"
     ];
+
+    environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt;
   };
 
   imports = [ ./bluetooth.nix ];

common/printing.nix

@@ -14,7 +14,7 @@ in
       brgenml1cupswrapper
     ];
     services.avahi = {
-      enable = true;
+      # enable = true;
       nssmdns4 = true;
       openFirewall = true;
     };

common/sound/default.nix

@@ -9,7 +9,7 @@ let
 in
 {
   config = lib.mkIf (enable && sound.enable) {
-    hardware.pulseaudio.enable = false;
+    services.pulseaudio.enable = false;
 
     services.pipewire = {
       enable = true;

common/sound/spotify.nix

@@ -21,5 +21,5 @@ in
     enable = lib.mkEnableOption "grimm-spotify";
   };
 
-  imports = [ ./spotifyd.nix ];
+  # imports = [ ./spotifyd.nix ];
 }

common/tooling/default.nix

@@ -27,7 +27,7 @@ in
     ./java.nix
     ./opensnitch
     ./ranger.nix
-    ./defaultProtectHome.nix
+    # ./defaultProtectHome.nix
     ./apparmor
   ];
 

common/tooling/defaultProtectHome.nix

@@ -1,28 +0,0 @@
-{ lib, ... }:
-with lib;
-{
-  options.systemd.services = mkOption {
-    type = types.attrsOf (
-      types.submodule {
-        config.serviceConfig.ProtectHome = lib.mkDefault true;
-      }
-    );
-  };
-
-  config.systemd.services = {
-    "user-runtime-dir@".serviceConfig.ProtectHome = false;
-    "user@".serviceConfig.ProtectHome = false;
-
-    display-manager.serviceConfig.ProtectHome = "read-only";
-
-    systemd-homed.serviceConfig.ProtectHome = false;
-    systemd-homed-activate.serviceConfig.ProtectHome = false;
-
-    dbus-broker.serviceConfig.ProtectHome = "read-only";
-  };
-
-  # config.systemd.units."service.d/protect-user-home-by-default.conf".text = ''
-  # [Service]
-  # ProtectHome=yes
-  # '';
-}

common/tooling/security.nix

@@ -13,6 +13,7 @@ let
     optionals
     filterAttrs
     mkForce
+    mkDefault
     mkIf
     attrNames
     mkEnableOption
@@ -22,7 +23,7 @@ let
 in
 {
   config = mkIf enable {
-    security.polkit.enable = true;
+    security.polkit.enable = mkDefault true;
     security.rtkit.enable = true;
 
     security.pam.yubico = {
@@ -34,7 +35,7 @@ in
     };
 
     # security.doas.enable = true;
-    security.sudo.enable = true;
+    security.sudo.enable = mkDefault true;
     security.sudo.execWheelOnly = true;
 
     security.doas.extraRules = [

configuration.nix

@@ -1,10 +1,11 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./overlays
     ./common
     #    ./fake_flake.nix
     ./users.nix
+    ./hardening
   ];
 
   # Bootloader.
@@ -13,8 +14,6 @@
     # kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
   };
 
-  services.logrotate.checkConfig = false; # fixme: actually needed?
-
   nix.package = pkgs.lix;
   nixpkgs.config.allowUnfree = true;
 

flake.lock

@@ -140,11 +140,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1735509923,
-        "narHash": "sha256-oepXx1SWadUMvRWn7dXmIMpwfRC0ZLD0d/6ZW0meFN0=",
+        "lastModified": 1735566338,
+        "narHash": "sha256-9sYGJZCGeb11WBVsE2u0gwuTk8LpbOgnrJvyDbHpOoY=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "5ace86fdaab9ab74d6a4ab8ecf64c57230d3cb8a",
+        "rev": "446ad45313df3dbc93ad9e9d8dd6d094b16f6fb4",
         "type": "github"
       },
       "original": {
@@ -529,11 +529,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1735530358,
-        "narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=",
+        "lastModified": 1735801820,
+        "narHash": "sha256-tOAdzu1ck58BA3hZItecyqrhe2fdoQgJiWm4iyUyhgc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5000219208d860bafd1ee26eadb403449f3d9ab9",
+        "rev": "3da6bd3e69891c1e20bbf083a1c8738d6c814060",
         "type": "github"
       },
       "original": {

flake.nix

@@ -67,10 +67,6 @@
     }:
     let
       patches = [
-        {
-          url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch";
-          hash = "sha256-P5+8Y/XLF1xv66kr69idNWKsD9WYyTAE3twv5C5NvIg=";
-        }
       ];
 
       customNixosSystem =

hardening/default.nix

@@ -0,0 +1,16 @@
+{ lib, config, ... }:
+{
+  imports = [
+    # ./systemd.nix
+    ./ssh-as-sudo.nix
+  ];
+
+  specialisation.unhardened.configuration = { };
+  services.opensnitch.enable = lib.mkForce false;
+
+  systemd.tpm2.enable = false;
+  systemd.enableEmergencyMode = false;
+  virtualisation.vswitch.enable = false;
+  services.resolved.enable = false;
+  security.unprivilegedUsernsClone = true;
+}

hardening/ssh-as-sudo.nix

@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }:
+{
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    # settings.UsePAM = false;
+    openFirewall = lib.mkDefault false;
+    allowSFTP = lib.mkDefault false;
+    # startWhenNeeded = true;
+  };
+
+  users.users.root = {
+    # isSystemUser = true;
+    # isNormalUser = true;
+    uid = 0;
+    openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
+    # home = "/root";
+    hashedPassword = null;
+    createHome = lib.mkForce true;
+  };
+
+  programs.ssh.startAgent = true;
+  # security.sudo.enable = false;
+  # services.yubikey-agent.enable = true;
+}

hardening/systemd.nix

@@ -0,0 +1,116 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkDefault types mkIf;
+  eq = a: b: a == b;
+  noPred =
+    preds: x:
+    if preds == [ ] then
+      true
+    else if (lib.head preds) x then
+      false
+    else
+      noPred (lib.tail preds) x;
+in
+{
+  options.systemd.services = lib.mkOption {
+    type =
+      let
+        osConfig = config;
+      in
+      types.attrsOf (
+        lib.types.submodule (
+          { config, name, ... }:
+          {
+            config.serviceConfig =
+              let
+                shouldMakeIntrusive = (
+                  noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name
+                );
+              in
+              mkIf (osConfig.specialisation != { }) {
+                ProtectHome = mkDefault true;
+                # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical
+                PrivateTmp = mkIf shouldMakeIntrusive (mkDefault true);
+                # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service");
+                ProtectClock = mkDefault true;
+                # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true);
+                # SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native");
+                ProtectHostname = mkDefault true;
+                # LockPersonality = mkDefault true;
+              };
+          }
+        )
+      );
+  };
+
+  config = mkIf (config.specialisation != { }) {
+
+    systemd.services = {
+      "user-runtime-dir@".serviceConfig.ProtectHome = false;
+      "user@".serviceConfig.ProtectHome = false;
+      systemd-homed.serviceConfig.ProtectHome = false;
+      systemd-homed-activate.serviceConfig.ProtectHome = false;
+      sshd.serviceConfig.ProtectHome = false;
+      display-manager.serviceConfig.ProtectHome = "read-only";
+      dbus-broker.serviceConfig.ProtectHome = "read-only";
+
+      zfs-mount.serviceConfig.PrivateTmp = false;
+      kmod-static-nodes.serviceConfig.PrivateTmp = false;
+      mount-pstore.serviceConfig.PrivateTmp = false;
+      # todo: tpm things
+
+      # "user@".serviceConfig.PrivateTmp = false; # make sddm happy
+      # "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy
+
+      polkit.serviceConfig.NoNewPrivileges = false;
+      "getty@".serviceConfig.NoNewPrivileges = false;
+      "user@".serviceConfig.NoNewPrivileges = false;
+
+      # todo: dbus?
+
+      NetworkManager.serviceConfig = {
+        CapabilityBoundingSet = [
+          ""
+          (lib.concatStringsSep " " [
+            "cap_net_bind_service"
+            "cap_net_admin"
+            "cap_net_raw"
+          ])
+        ];
+        UMask = "0022";
+        NoNewPrivileges = true;
+        RestrictNamespaces = "net uts";
+        ProtectControlGroups = true;
+        # PrivateDevices
+        ProtectKernelModules = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+      };
+
+      auditd.serviceConfig.ProtectKernelLogs = false;
+      audit.serviceConfig.ProtectKernelLogs = false;
+
+      "getty@".serviceConfig.SystemCallFilter = "";
+      # "user@".serviceConfig.SystemCallFilter = "";
+      # "user-runtime-dir@".serviceConfig.SystemCallFilter = "";
+      display-manager.serviceConfig.SystemCallFilter = "";
+      # nix-daemon.serviceConfig.SystemCallFilter = "";
+      sshd.serviceConfig.SystemCallFilter = "";
+      rtkit-daemon.serviceConfig.SystemCallFilter = "";
+
+      systemd-timesync.serviceConfig = {
+        ProtectClock = false;
+        SystemCallFilter = "@system-service @clock";
+      };
+
+      pipewire.serviceConfig = {
+        LockPersonality = false;
+      };
+
+      save-hwclock.serviceConfig = {
+        ProtectClock = false;
+        SystemCallFilter = "@system-service @clock";
+      };
+    };
+  };
+}

hm/common/default.nix

@@ -69,6 +69,9 @@ in
     enableCompletion = true;
   };
 
+  services.mpris-proxy.enable = true;
+  # services.ssh-agent.enable = true;
+
   programs.alacritty = {
     enable = graphical;
     settings = {
@@ -159,5 +162,4 @@ in
   };
 
   xdg.mimeApps.enable = true;
-  services.ssh-agent.enable = true;
 }

specific/grimm-nixos-ssd/hardware-configuration.nix

@@ -1,6 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
   config,
   lib,
@@ -97,7 +94,19 @@ in
     ];
   };
 
-  environment.etc."machine-id".source = "${persist}/etc/machine-id";
+  environment.etc =
+    lib.genAttrs
+      [
+        "machine-id"
+        "ssh/ssh_host_ed25519_key"
+        "ssh/ssh_host_ed25519_key.pub"
+        "ssh/ssh_host_rsa_key"
+        "ssh/ssh_host_rsa_key.pub"
+      ]
+      (n: {
+        source = "${persist}/etc/${n}";
+      });
+
   environment.memoryAllocator.provider = "libc";
 
   fileSystems."/nix/var" = {
@@ -157,7 +166,6 @@ in
     options = [
       "defaults"
       "size=2G"
-      "mode=755"
       "exec"
       "nosuid"
       "nodev"
@@ -165,11 +173,14 @@ in
     ];
   };
 
-  environment.sessionVariables."java.io.tmpdir" = tmp-exec;
+  # environment.sessionVariables."java.io.tmpdir" = tmp-exec;
 
   # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
 
-  systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root";
+  systemd.tmpfiles.rules = [
+    "D! ${nix_build} 0755 root root"
+    # "D! /root 0700 root root"
+  ];
   systemd.services.nix-daemon.environment.TMPDIR = nix_build;
 
   fileSystems."/etc/nixos" = {
@@ -194,6 +205,8 @@ in
       "nosuid"
       "nodev"
     ];
+    # noCheck = true;
+    # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
   };
 
   grimmShared = {

users.nix

@@ -27,6 +27,7 @@
       "libvirtd"
       "pipewire"
       "gamemode"
+      "systemd-journal"
       "i2c"
     ]; # only add to groups that actually exist on this system