more paranoia

common/hardware/laptop.nix

@@ -64,7 +64,7 @@ in
 
     boot = {
       kernelParams = [
-        "intel_iommu=on"
+        # "intel_iommu=on"
         "nohibernate"
         "pcie_aspm=off"
       ];
@@ -83,7 +83,7 @@ in
       kernelModules = [
         #        "ddcci_backlight"
         #        "i2c-dev"
-        "ec_sys"
+        # "ec_sys"
       ];
     };
   };

common/tooling/apparmor/default.nix

@@ -16,6 +16,7 @@ in
     security.auditd.enable = true;
 
     security.apparmor.enableCache = true;
+    security.apparmor.killUnconfinedConfinables = false;
 
     security.apparmor.includes."tunables/alias.d/programs" = ''
       # alias / -> @{nix_store}/,
@@ -26,7 +27,7 @@ in
 
     #    security.apparmor.aa-alias-manager.enable = false;
 
-    security.audit.backlogLimit = 512;
+    security.audit.backlogLimit = 8192;
 
     security.apparmor_d = {
       enable = true;

common/tooling/nix.nix

@@ -48,6 +48,7 @@
       "pipe-operator"
     ];
     warn-dirty = false;
+    allowed-users = [ "@wheel" ];
   };
 
   programs.nh = {

common/tooling/opensnitch/default.nix

@@ -50,6 +50,7 @@ in
         DefaultAction = "deny";
         Firewall = "iptables";
         LogLevel = 1;
+        ProcMonitorMethod = "proc";
       };
 
       rules = {

flake.lock

@@ -10,11 +10,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1732741943,
+        "lastModified": 1734971839,
-        "narHash": "sha256-ZPGI3RjfDqajlIlEO6xL9dQhtyXQMhlFMPnYoKNtPRI=",
+        "narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=",
         "owner": "LordGrimmauld",
         "repo": "aa-alias-manager",
-        "rev": "cb4dd424befe24976ecbbc09505efa0c5477d9c6",
+        "rev": "813f7a2886c12086f896814816378d3ac6f39d6d",
         "type": "github"
       },
       "original": {
@@ -137,14 +137,15 @@
         "jovian": "jovian",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-small": "nixpkgs-small"
       },
       "locked": {
-        "lastModified": 1734915121,
+        "lastModified": 1734987419,
-        "narHash": "sha256-iSEzSBeGwNmg/F95taw9POJiWq4iEZ2VGcOaBUabCtc=",
+        "narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "914e86e0d0c1ce969bd4c4184cfd2188ee51b891",
+        "rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22",
         "type": "github"
       },
       "original": {
@@ -362,17 +363,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1734942126,
+        "dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty",
-        "narHash": "sha256-4543MvF57F6lpQYaC0+TkVVgLJvEsIr7LlYdOKYAXnk=",
+        "dirtyShortRev": "35b98d20-dirty",
-        "owner": "nix-community",
+        "lastModified": 1735053786,
-        "repo": "home-manager",
+        "narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=",
-        "rev": "8bea1a2005c64a8c9c430d0dddb6b2e5db5f6f12",
+        "type": "git",
-        "type": "github"
+        "url": "file:///home/grimmauld/coding/home-manager"
       },
       "original": {
-        "owner": "nix-community",
+        "type": "git",
-        "repo": "home-manager",
+        "url": "file:///home/grimmauld/coding/home-manager"
-        "type": "github"
       }
     },
     "jovian": {
@@ -559,6 +559,22 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-small": {
+      "locked": {
+        "lastModified": 1734838250,
+        "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1730741070,

flake.nix

@@ -40,8 +40,14 @@
       url = "github:LordGrimmauld/apparmor-dev";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    home-manager.url = "github:nix-community/home-manager";
+    home-manager = {
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+      # https://github.com/nix-community/home-manager/issues/3415
+      # https://github.com/nix-community/home-manager/pull/2548
+      # url = "github:nix-community/home-manager";
+      url = "git+file:///home/grimmauld/coding/home-manager";
+      # url = "github:pasqui23/home-manager/nixos-late-start";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -61,10 +67,10 @@
     }:
     let
       patches = [
-        #        {
+        {
-        #          url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
+          url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch";
-        #          hash = "sha256-hiXVdMeoKYbzJ4QxtTF85huRTe4EwgD3E1qXKhJGw1U=";
+          hash = "sha256-P5+8Y/XLF1xv66kr69idNWKsD9WYyTAE3twv5C5NvIg=";
-        #        }
+        }
       ];
 
       customNixosSystem =
@@ -120,6 +126,13 @@
             # apparmor-dev.nixosModules.default
 
             ./specific/grimm-nixos-ssd/configuration.nix
+            #(
+            #  { modulesPath, lib, ... }:
+            #  {
+            #    imports = lib.singleton "${modulesPath}/profiles/hardened.nix";
+            #  }
+            #)
+            ./hardened.nix
 
             home-manager.nixosModules.home-manager
             ./hm

hardened.nix

@@ -0,0 +1,119 @@
+# A profile with most (vanilla) hardening options enabled by default,
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+{
+
+  # boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+
+  #nix.settings.allowed-users = mkDefault [ "@users" ];
+
+  #environment.memoryAllocator.provider = mkDefault "scudo";
+  #environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+  #security.lockKernelModules = mkDefault true;
+
+  #security.protectKernelImage = mkDefault true;
+
+  #security.allowSimultaneousMultithreading = mkDefault false;
+
+  #security.forcePageTableIsolation = mkDefault true;
+
+  # This is required by podman to run containers in rootless mode.
+  #security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
+  #security.virtualisation.flushL1DataCache = mkDefault "always";
+
+  #security.apparmor.enable = mkDefault true;
+  #security.apparmor.killUnconfinedConfinables = mkDefault true;
+
+  boot.kernelParams = [
+    # Don't merge slabs
+    "slab_nomerge"
+
+    # Overwrite free'd pages
+    "page_poison=1"
+
+    # Enable page allocator randomization
+    "page_alloc.shuffle=1"
+
+    # Disable debugfs
+    "debugfs=off"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
+  ];
+
+  # Hide kptrs even for processes with CAP_SYSLOG
+  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
+
+  # Disable bpf() JIT (to eliminate spray attacks)
+  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
+
+  # Disable ftrace debugging
+  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
+
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+  # Ignore broadcast ICMP (mitigate SMURF)
+  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+
+  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+  # setting is applied to interfaces added after the sysctls are set)
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
+
+  # Ignore outgoing ICMP redirects (this is ipv4 only)
+  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
+  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
+}

hm/common/default.nix

@@ -24,26 +24,29 @@ in
 {
   home.preferXdgDirectories = true;
 
-  home.packages = with pkgs; [
+  home.packages =
-    deskwhich
+    with pkgs;
-  ] ++ lib.optionals graphical [
+    [
-    # imhex
+      deskwhich
-    # libreoffice-qt
+    ]
-    filezilla
+    ++ lib.optionals graphical [
-    obsidian
+      # imhex
-    nomacs
+      # libreoffice-qt
-    pdfarranger
+      filezilla
-    krita
+      obsidian
-    # weasis
+      nomacs
+      pdfarranger
+      krita
+      # weasis
 
-    # kicad
+      # kicad
-    prusa-slicer
+      prusa-slicer
-    freecad
+      freecad
-    openscad
+      openscad
 
-    vlc
+      vlc
-    # blender
+      # blender
-  ];
+    ];
 
   home.shellAliases = {
     ":q" = "exit";

hm/default.nix

@@ -2,6 +2,7 @@
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
+    useUserService = true;
 
     sharedModules = [
       { home.stateVersion = "24.11"; }

specific/grimm-nixos-ssd/hardware-configuration.nix

@@ -9,6 +9,11 @@
   ...
 }:
 
+let
+  nix_build = "/nix/build-sandbox";
+  persist = "/nix/persist";
+in
+
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
@@ -21,7 +26,7 @@
     "usbhid"
     "uas"
     "sd_mod"
-    "kvm-intel"
+    # "kvm-intel"
   ];
   boot.initrd.kernelModules = [
     "zfs"
@@ -34,25 +39,34 @@
   boot.zfs = {
     forceImportRoot = false;
     requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
-    #    [
-    #      "zpool/home"
-    #      "zpool/root"
-    #      "zpool/nix"
-    #      "zpool/var"
-    #    ];
   };
+
   boot.kernelModules = [ "kvm-intel" ];
   boot.supportedFilesystems.zfs = true;
   networking.hostId = "40fa5ea8";
   # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   boot.kernelPackages = pkgs.linuxPackages_6_6;
   boot.extraModulePackages = [ ];
-  boot.kernelParams = [ "mds=full,nosmt" ];
+  # boot.kernelParams = [ "mds=full,nosmt" ];
   services.homed.enable = true;
 
   fileSystems."/" = {
-    device = "zpool/root";
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=2G" "mode=755" "noexec" ];
+  };
+
+  fileSystems."${persist}" = {
+    device = "zpool/persistent";
     fsType = "zfs";
+    options = [ "noexec" ];
+  };
+
+  environment.etc."machine-id".source = "${persist}/etc/machine-id";
+
+  fileSystems."/nix/var" = {
+    device = "${persist}/nix/var";
+    options = [ "bind" ];
   };
 
   fileSystems."/nix" = {
@@ -63,12 +77,23 @@
   fileSystems."/var" = {
     device = "zpool/var";
     fsType = "zfs";
+    options = [ "noexec" ];
   };
 
+  fileSystems."${nix_build}" = { # can execute
+    device = "zpool/nix-build";
+    fsType = "zfs";
+  };
+
+  systemd.services.nix-daemon.environment.TMPDIR = nix_build;
+
   fileSystems."/etc/nixos" = {
     device = "zpool/nix_conf";
     fsType = "zfs";
-    options = [ "noacl" ];
+    options = [
+      "noacl"
+      "noexec"
+    ];
   };
 
   #  fileSystems."/home" =
@@ -83,6 +108,7 @@
       "fmask=0022"
       "dmask=0022"
       "umask=077"
+      "noexec"
     ];
   };
 

ssh/id_ed25519_sk

@@ -1,8 +1,9 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC74ZK+2l
-JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
+Hxn0SSjHwUqW/+AAAAGAAAAAEAAABRAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
-AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV
+AAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFsAA
-LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU
+AAsDn6O66Anaiqld0n6TanhawcxAnkGgunRTDvzzTC1y/3Fb6cJAKkw05HuvyCosqqHlUv
-xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH
+4k4I3ppv6pH85xe0nDXDw28IC9Y9OvfkwyHc/MrgnJ0kZz1gX/SIL9BdEQZ0Ne9SeIcvqK
-26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA==
+DEDn20CLPU8QT7RbCmku4Aj7nJgOxVxu4ICXPIz5ufBU6IM5eGEbqzonWBX/M19ElKz6NN
+Nmn5jc+z5aMw4O8mBMQ/5EYaSSbo
 -----END OPENSSH PRIVATE KEY-----

ssh/id_ed25519_sk.pub

@@ -1 +1 @@
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd

users.nix

@@ -5,6 +5,8 @@
   ...
 }:
 {
+  users.mutableUsers = false;
+
   users.users.grimmauld = {
     isNormalUser = true;
     # shell = pkgs.xonsh;
@@ -35,6 +37,8 @@
     #      { remote = "Videos"; }
     #    ];
 
+    hashedPassword = "$y$j9T$HmVEEG6w96IUWynzJsLjT/$MCNKOTOUkku4ybBJiXPIHasXEkNVe6Ouu5gRTl2ab00";
+
     packages = lib.optionals config.grimmShared.graphical (
       with pkgs;
       [