From 4f4653b772ff6c76136a94d6202ba21d46feb9f2 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Fri, 27 Dec 2024 15:25:49 +0100 Subject: [PATCH] more paranoia --- common/hardware/laptop.nix | 4 +- common/tooling/apparmor/default.nix | 3 +- common/tooling/nix.nix | 1 + common/tooling/opensnitch/default.nix | 1 + flake.lock | 48 ++++--- flake.nix | 25 +++- hardened.nix | 119 ++++++++++++++++++ hm/common/default.nix | 39 +++--- hm/default.nix | 1 + .../hardware-configuration.nix | 46 +++++-- ssh/id_ed25519_sk | 13 +- ssh/id_ed25519_sk.pub | 2 +- users.nix | 4 + 13 files changed, 246 insertions(+), 60 deletions(-) create mode 100644 hardened.nix mode change 100644 => 100755 ssh/id_ed25519_sk diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index dc4f3a7..c82b244 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -64,7 +64,7 @@ in boot = { kernelParams = [ - "intel_iommu=on" + # "intel_iommu=on" "nohibernate" "pcie_aspm=off" ]; @@ -83,7 +83,7 @@ in kernelModules = [ # "ddcci_backlight" # "i2c-dev" - "ec_sys" + # "ec_sys" ]; }; }; diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix index 0d6f46b..03d77aa 100644 --- a/common/tooling/apparmor/default.nix +++ b/common/tooling/apparmor/default.nix @@ -16,6 +16,7 @@ in security.auditd.enable = true; security.apparmor.enableCache = true; + security.apparmor.killUnconfinedConfinables = false; security.apparmor.includes."tunables/alias.d/programs" = '' # alias / -> @{nix_store}/, @@ -26,7 +27,7 @@ in # security.apparmor.aa-alias-manager.enable = false; - security.audit.backlogLimit = 512; + security.audit.backlogLimit = 8192; security.apparmor_d = { enable = true; diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix index 4d73c98..d53e9fe 100644 --- a/common/tooling/nix.nix +++ b/common/tooling/nix.nix @@ -48,6 +48,7 @@ "pipe-operator" ]; warn-dirty = false; + allowed-users = [ "@wheel" ]; }; programs.nh = { 
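Review bot: Commenting out `intel_iommu=on` in this kernelParams hunk removes the DMA-remapping protection that parameter asked for, which on a laptop with Thunderbolt or other hot-pluggable PCIe is the main defense against a malicious attached device, so for a commit titled "more paranoia" this line either needs a reason next to it or should come back. Whether the IOMMU is still on depends on the kernel's CONFIG_INTEL_IOMMU_DEFAULT_ON, which is not visible here; `dmesg | grep -i dmar` on the booted system will tell. If it has to stay off for a hardware reason, record it inline, e.g. `# "intel_iommu=on" # off: <reason / symptom>, re-test after kernel bump`, so the next hardening pass does not have to rediscover it. The enclosing `boot` set continues outside this hunk.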
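Review bot: `security.apparmor.killUnconfinedConfinables = false;` is the weaker of the two settings this option offers — processes that started before their profile was loaded keep running unconfined instead of being killed at activation — and it is the opposite of what the nixpkgs hardened profile defaults to, so it deserves a why-comment. Nothing in the hunk says what broke with the stronger setting; if it was one specific daemon, naming it lets a later pass narrow the exception instead of disabling the check for every confinable process. Suggested: `security.apparmor.killUnconfinedConfinables = false; # activation killed <service>; re-enable once its profile loads before it starts`. The enclosing attribute set continues outside this hunk.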
diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix index 4d46477..0e56c01 100644 --- a/common/tooling/opensnitch/default.nix +++ b/common/tooling/opensnitch/default.nix @@ -50,6 +50,7 @@ in DefaultAction = "deny"; Firewall = "iptables"; LogLevel = 1; + ProcMonitorMethod = "proc"; }; rules = { diff --git a/flake.lock b/flake.lock index c84c95d..2ffb95b 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1732741943, - "narHash": "sha256-ZPGI3RjfDqajlIlEO6xL9dQhtyXQMhlFMPnYoKNtPRI=", + "lastModified": 1734971839, + "narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "cb4dd424befe24976ecbbc09505efa0c5477d9c6", + "rev": "813f7a2886c12086f896814816378d3ac6f39d6d", "type": "github" }, "original": { @@ -137,14 +137,15 @@ "jovian": "jovian", "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-small": "nixpkgs-small" }, "locked": { - "lastModified": 1734915121, - "narHash": "sha256-iSEzSBeGwNmg/F95taw9POJiWq4iEZ2VGcOaBUabCtc=", + "lastModified": 1734987419, + "narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "914e86e0d0c1ce969bd4c4184cfd2188ee51b891", + "rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22", "type": "github" }, "original": { 
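Review bot: `ProcMonitorMethod = "proc";` selects the /proc-scanning fallback, which as far as I know attributes a connection to a process by racing against /proc and can misattribute or miss short-lived processes, so together with the `DefaultAction = "deny"` visible just above it some legitimate connections may be denied or prompted under the wrong binary. The eBPF monitor is what upstream recommends; if it was dropped because this same commit turns off the BPF JIT in hardened.nix, or because of AppArmor confinement of the daemon, that reason belongs on the line. Suggested: `ProcMonitorMethod = "proc"; # ebpf unavailable because <reason>; proc is best-effort and can misattribute short-lived connections`. The enclosing config attribute set starts before this hunk.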
@@ -362,17 +363,16 @@ ] }, "locked": { - "lastModified": 1734942126, - "narHash": "sha256-4543MvF57F6lpQYaC0+TkVVgLJvEsIr7LlYdOKYAXnk=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "8bea1a2005c64a8c9c430d0dddb6b2e5db5f6f12", - "type": "github" + "dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty", + "dirtyShortRev": "35b98d20-dirty", + "lastModified": 1735053786, + "narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=", + "type": "git", + "url": "file:///home/grimmauld/coding/home-manager" }, "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" + "type": "git", + "url": "file:///home/grimmauld/coding/home-manager" } }, "jovian": { @@ -559,6 +559,22 @@ "type": "indirect" } }, + "nixpkgs-small": { + "locked": { + "lastModified": 1734838250, + "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "da8a31d09dd004be34b5c54eda83f9a27b357726", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1730741070, diff --git a/flake.nix b/flake.nix index d1ba593..f7c3973 100644 --- a/flake.nix +++ b/flake.nix @@ -40,8 +40,14 @@ url = "github:LordGrimmauld/apparmor-dev"; inputs.nixpkgs.follows = "nixpkgs"; }; - home-manager.url = "github:nix-community/home-manager"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; + home-manager = { + # https://github.com/nix-community/home-manager/issues/3415 + # https://github.com/nix-community/home-manager/pull/2548 + # url = "github:nix-community/home-manager"; + url = "git+file:///home/grimmauld/coding/home-manager"; + # url = "github:pasqui23/home-manager/nixos-late-start"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = 
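Review bot: `url = "git+file:///home/grimmauld/coding/home-manager";` makes the home-manager input a path that exists only on this workstation, and the matching flake.lock entry records a `dirtyRev` rather than a commit, so the narHash lets the content be verified but nobody else (no CI, no rebuild from a fresh checkout) can obtain or audit the code that manages the user environment. For a hardening commit that is a supply-chain regression: the input is whatever the working tree held at lock time, with no upstream record of it. If the point is to carry PR 2548 until it merges, the commented `github:pasqui23/home-manager/nixos-late-start` line, or a fork ref with `?rev=<sha>`, gives the same code with a locked, fetchable revision; otherwise at least a `# TODO: local checkout until <issue> lands` note so the path does not outlive the PR. `hm/default.nix` in the same commit sets `useUserService = true`, which presumably only exists in that branch, so switching the input back will need that line adjusted as well.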
@@ -61,10 +67,10 @@ }: let patches = [ - # { - # url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch"; - # hash = "sha256-hiXVdMeoKYbzJ4QxtTF85huRTe4EwgD3E1qXKhJGw1U="; - # } + { + url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch"; + hash = "sha256-P5+8Y/XLF1xv66kr69idNWKsD9WYyTAE3twv5C5NvIg="; + } ]; customNixosSystem = @@ -120,6 +126,13 @@ # apparmor-dev.nixosModules.default ./specific/grimm-nixos-ssd/configuration.nix + #( + # { modulesPath, lib, ... }: + # { + # imports = lib.singleton "${modulesPath}/profiles/hardened.nix"; + # } + #) + ./hardened.nix home-manager.nixosModules.home-manager ./hm diff --git a/hardened.nix b/hardened.nix new file mode 100644 index 0000000..ee10d54 --- /dev/null +++ b/hardened.nix 
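Review bot: The re-enabled patch entry points at `https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch`, which is a moving target: the PR's patch changes on every push to its branch, so the pinned sha256 will start failing the fetch as soon as the author rebases — safe, since it fails closed, but it breaks every rebuild until the hash is refreshed, and the refresh means re-reviewing whatever the PR then contains. Pinning the commit instead (`https://github.com/NixOS/nixpkgs/commit/<sha>.patch`) keeps the hash stable and makes the reviewed content explicit. A one-line comment naming what the PR fixes would also say when the patch can be dropped. The `patches` list's consumer, `customNixosSystem`, is outside this hunk.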
@@ -0,0 +1,119 @@
+# A profile with most (vanilla) hardening options enabled by default,
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+{
+
+ # boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+
+ #nix.settings.allowed-users = mkDefault [ "@users" ];
+
+ #environment.memoryAllocator.provider = mkDefault "scudo";
+ #environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+ #security.lockKernelModules = mkDefault true;
+
+ #security.protectKernelImage = mkDefault true;
+
+ #security.allowSimultaneousMultithreading = mkDefault false;
+
+ #security.forcePageTableIsolation = mkDefault true;
+
+ # This is required by podman to run containers in rootless mode.
+ #security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
+ #security.virtualisation.flushL1DataCache = mkDefault "always";
+
+ #security.apparmor.enable = mkDefault true;
+ #security.apparmor.killUnconfinedConfinables = mkDefault true;
+
+ boot.kernelParams = [
+ # Don't merge slabs
+ "slab_nomerge"
+
+ # Overwrite free'd pages
+ "page_poison=1"
+
+ # Enable page allocator randomization
+ "page_alloc.shuffle=1"
+
+ # Disable debugfs
+ "debugfs=off"
+ ];
+
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
+
+ # Disable ftrace debugging
+ boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
+
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; +} diff --git a/hm/common/default.nix b/hm/common/default.nix index 7cb00a0..2195bff 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -24,26 +24,29 @@ in { home.preferXdgDirectories = true; - home.packages = with pkgs; [ - deskwhich - ] ++ lib.optionals graphical [ - # imhex - # libreoffice-qt - filezilla - obsidian - nomacs - pdfarranger - krita - # weasis + home.packages = + with pkgs; + [ + deskwhich + ] + ++ lib.optionals graphical [ + # imhex + # libreoffice-qt + filezilla + obsidian + nomacs + pdfarranger + krita + # weasis - # kicad - prusa-slicer - freecad - openscad + # kicad + prusa-slicer + freecad + openscad - vlc - # blender - ]; + vlc + # blender + ]; home.shellAliases = { ":q" = "exit"; 
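Review bot: `boot.blacklistedKernelModules` only produces `blacklist <name>` modprobe lines, which stop alias-based autoloading but not an explicit `modprobe ntfs` by root or by a service, and with `security.lockKernelModules` commented out a few lines above nothing closes that path. If the intent is to forbid these modules outright, pair the list with `boot.extraModprobeConfig` entries of the form `install <name> ${pkgs.coreutils}/bin/false` for each name (the upstream profile this file copies has the same gap, as far as I can tell), or re-enable `lockKernelModules` once the modules the host needs are loaded. The header comment copied from nixpkgs ("most (vanilla) hardening options enabled by default") no longer describes the file now that the kernel-package, allocator, SMT, PTI, userns and AppArmor options are all commented out; I would replace it with a sentence saying this is a trimmed copy of `profiles/hardened.nix` keeping the kernel-parameter, blacklist and sysctl parts, plus one line per disabled option saying why it was dropped. `kernel.kptr_restrict` uses `mkOverride 500` while every other sysctl here uses `mkDefault`, so a host config that sets it with a plain `=` (priority 100) still wins but another `mkDefault` does not — a comment like `# mkOverride 500: beats other modules' mkDefault, loses to a plain assignment` would save the next reader a lookup.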
diff --git a/hm/default.nix b/hm/default.nix index b3a76ed..a107340 100644 --- a/hm/default.nix +++ b/hm/default.nix @@ -2,6 +2,7 @@ home-manager = { useGlobalPkgs = true; useUserPackages = true; + useUserService = true; sharedModules = [ { home.stateVersion = "24.11"; } diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index 98fb981..7345dfe 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix @@ -9,6 +9,11 @@ ... }: +let + nix_build = "/nix/build-sandbox"; + persist = "/nix/persist"; +in + { imports = [ (modulesPath + "/installer/scan/not-detected.nix") @@ -21,7 +26,7 @@ "usbhid" "uas" "sd_mod" - "kvm-intel" + # "kvm-intel" ]; boot.initrd.kernelModules = [ "zfs" @@ -34,25 +39,34 @@ boot.zfs = { forceImportRoot = false; requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later. - # [ - # "zpool/home" - # "zpool/root" - # "zpool/nix" - # "zpool/var" - # ]; }; + boot.kernelModules = [ "kvm-intel" ]; boot.supportedFilesystems.zfs = true; networking.hostId = "40fa5ea8"; # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.kernelPackages = pkgs.linuxPackages_6_6; boot.extraModulePackages = [ ]; - boot.kernelParams = [ "mds=full,nosmt" ]; + # boot.kernelParams = [ "mds=full,nosmt" ]; services.homed.enable = true; fileSystems."/" = { - device = "zpool/root"; + device = "none"; + fsType = "tmpfs"; + options = [ "defaults" "size=2G" "mode=755" "noexec" ]; + }; + + fileSystems."${persist}" = { + device = "zpool/persistent"; fsType = "zfs"; + options = [ "noexec" ]; + }; + + environment.etc."machine-id".source = "${persist}/etc/machine-id"; + + fileSystems."/nix/var" = { + device = "${persist}/nix/var"; + options = [ "bind" ]; }; fileSystems."/nix" = { 
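Review bot: `# boot.kernelParams = [ "mds=full,nosmt" ];` drops the MDS mitigation setting that also kept SMT off, so after this commit the sibling threads are back and the MDS posture falls back to the kernel's auto-selection, while the hardened profile added elsewhere in the commit leaves `security.allowSimultaneousMultithreading` commented out too — the host silently loses its only SMT-off control. If re-enabling SMT is deliberate, say so on the line and verify the result after reboot with `cat /sys/devices/system/cpu/vulnerabilities/mds`; if not, `security.allowSimultaneousMultithreading = false;` is the declarative replacement. Moving `kvm-intel` out of `initrd.availableKernelModules` into `boot.kernelModules` is fine, but a short why-comment would help since the two lines are otherwise easy to read as an accidental duplicate. The `fileSystems."/nix"` definition this hunk ends in continues outside it.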
@@ -63,12 +77,23 @@ fileSystems."/var" = { device = "zpool/var"; fsType = "zfs"; + options = [ "noexec" ]; }; + fileSystems."${nix_build}" = { # can execute + device = "zpool/nix-build"; + fsType = "zfs"; + }; + + systemd.services.nix-daemon.environment.TMPDIR = nix_build; + fileSystems."/etc/nixos" = { device = "zpool/nix_conf"; fsType = "zfs"; - options = [ "noacl" ]; + options = [ + "noacl" + "noexec" + ]; }; # fileSystems."/home" = @@ -83,6 +108,7 @@ "fmask=0022" "dmask=0022" "umask=077" + "noexec" ]; }; diff --git a/ssh/id_ed25519_sk b/ssh/id_ed25519_sk old mode 100644 new mode 100755 index 5a69d12..7c11587 --- a/ssh/id_ed25519_sk +++ b/ssh/id_ed25519_sk @@ -1,8 +1,9 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW -JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t -AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV -LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU -xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH -26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA== +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC74ZK+2l +Hxn0SSjHwUqW/+AAAAGAAAAAEAAABRAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t +AAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFsAA +AAsDn6O66Anaiqld0n6TanhawcxAnkGgunRTDvzzTC1y/3Fb6cJAKkw05HuvyCosqqHlUv +4k4I3ppv6pH85xe0nDXDw28IC9Y9OvfkwyHc/MrgnJ0kZz1gX/SIL9BdEQZ0Ne9SeIcvqK +DEDn20CLPU8QT7RbCmku4Aj7nJgOxVxu4ICXPIz5ufBU6IM5eGEbqzonWBX/M19ElKz6NN +Nmn5jc+z5aMw4O8mBMQ/5EYaSSbo -----END OPENSSH PRIVATE KEY----- diff --git a/ssh/id_ed25519_sk.pub b/ssh/id_ed25519_sk.pub index 6a70669..7d030a5 100644 --- a/ssh/id_ed25519_sk.pub +++ b/ssh/id_ed25519_sk.pub 
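Review bot: This hunk checks a replacement OpenSSH private key file into the repository and flips its mode to 100755, which checks out as `-rwxr-xr-x`; ssh refuses private keys readable by group or others (the "Permissions 0755 ... are too open" warning, after which the key is ignored), so the file as committed cannot even be used, and the previous key handle now lives on in git history. Because it is an `sk-ssh-ed25519@openssh.com` key the file holds only the key handle, and the header (`aes256-ctr`/`bcrypt`) shows it is passphrase-wrapped, so the token is still required — but a repository copy still hands anyone with read access the blob for offline passphrase guessing and ties the handle to this host. I would keep `ssh/` out of version control (`.gitignore`) or place it under whatever secret store the new `/nix/persist` dataset is meant for, restore mode 0600, and, since the matching `.pub` changes in the same commit, remove the old public key from every `authorized_keys` that still lists it. If the file must stay tracked, a README line saying it is a FIDO key handle rather than raw key material would stop the next reader from raising the alarm.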
@@ -1 +1 @@ -sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd diff --git a/users.nix b/users.nix index e8fd3ab..ffaea98 100644 --- a/users.nix +++ b/users.nix @@ -5,6 +5,8 @@ ... }: { + users.mutableUsers = false; + users.users.grimmauld = { isNormalUser = true; # shell = pkgs.xonsh; @@ -35,6 +37,8 @@ # { remote = "Videos"; } # ]; + hashedPassword = "$y$j9T$HmVEEG6w96IUWynzJsLjT/$MCNKOTOUkku4ybBJiXPIHasXEkNVe6Ouu5gRTl2ab00"; + packages = lib.optionals config.grimmShared.graphical ( with pkgs; [
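Review bot: With `users.mutableUsers = false;` the declared password becomes the only credential, and the `hashedPassword = "$y$j9T$…"` added further down in this file is what supplies it — that hash ends up in the generated configuration under `/nix/store`, which is world-readable, and it is now also in the repository, so anyone with a shell on the machine or read access to the repo can run an offline guess against it (yescrypt slows that down, it does not prevent it). The NixOS option docs point to `users.users.<name>.hashedPasswordFile` for exactly this reason; with the `/nix/persist` dataset this commit introduces, something like `hashedPasswordFile = "/nix/persist/secrets/grimmauld.hash";` (root-owned, mode 0600, present before activation) keeps the hash off both the store and git. Also confirm that root is intentionally left without a password source: with `mutableUsers = false` and no `hashedPassword`/`hashedPasswordFile` for root, the root account is locked, which is probably wanted but worth a one-line comment. The `users.users.grimmauld` set this hunk opens continues outside it.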