more paranoia
parent
aa4317d795
commit
4f4653b772
13 changed files with 246 additions and 60 deletions
|
@ -64,7 +64,7 @@ in
|
|||
|
||||
boot = {
|
||||
kernelParams = [
|
||||
"intel_iommu=on"
|
||||
# "intel_iommu=on"
|
||||
"nohibernate"
|
||||
"pcie_aspm=off"
|
||||
];
|
||||
|
@ -83,7 +83,7 @@ in
|
|||
kernelModules = [
|
||||
# "ddcci_backlight"
|
||||
# "i2c-dev"
|
||||
"ec_sys"
|
||||
# "ec_sys"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
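Review bot: Commenting out `"intel_iommu=on"` in boot.kernelParams removes DMA isolation for PCIe/Thunderbolt devices unless the kernel in use already defaults the IOMMU to on, which runs against the direction of a commit titled "more paranoia"; if it was dropped for a compatibility reason, keep the line with the reason next to it, e.g. `# "intel_iommu=on" # disabled: <reason>, re-enable once <condition>`. Dropping `"ec_sys"` from kernelModules in the second hunk is consistent with the `debugfs=off` parameter this commit adds in hardened.nix, since ec_sys presumably exposes its EC interface through debugfs, and that rationale is worth a one-line comment so the two settings are not later changed independently. The enclosing `boot = { … }` attribute set starts before the first hunk.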
@ -16,6 +16,7 @@ in
|
|||
security.auditd.enable = true;
|
||||
|
||||
security.apparmor.enableCache = true;
|
||||
security.apparmor.killUnconfinedConfinables = false;
|
||||
|
||||
security.apparmor.includes."tunables/alias.d/programs" = ''
|
||||
# alias / -> @{nix_store}/,
|
||||
|
@ -26,7 +27,7 @@ in
|
|||
|
||||
# security.apparmor.aa-alias-manager.enable = false;
|
||||
|
||||
security.audit.backlogLimit = 512;
|
||||
security.audit.backlogLimit = 8192;
|
||||
|
||||
security.apparmor_d = {
|
||||
enable = true;
|
||||
|
|
|
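Review bot: `security.apparmor.killUnconfinedConfinables = false;` appears to be the line added in the first hunk, and it is the permissive choice: processes that have a profile but were started before it was loaded stay unconfined instead of being killed, so in a hardening commit it deserves a comment stating why, e.g. `killUnconfinedConfinables = false; # <service> starts before its profile loads and would be killed; TODO re-enable`. The change of `security.audit.backlogLimit` from 512 to 8192 in the second hunk is reasonable with `security.auditd.enable = true` visible in context, since a larger backlog means fewer dropped events under bursty rule sets, but a short comment on what rule set motivated the value would help. The enclosing `let … in` starts outside these hunks.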
@ -48,6 +48,7 @@
|
|||
"pipe-operator"
|
||||
];
|
||||
warn-dirty = false;
|
||||
allowed-users = [ "@wheel" ];
|
||||
};
|
||||
|
||||
programs.nh = {
|
||||
|
|
|
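Review bot: The added `allowed-users = [ "@wheel" ];` restricts which accounts may connect to the nix daemon, and trusted users are always admitted regardless of this list, so a comment should say so and name what non-wheel accounts lose: `allowed-users = [ "@wheel" ]; # non-wheel users cannot run nix at all; trusted-users are implicitly allowed`. If any system service account or the home-manager user service this commit enables elsewhere runs nix commands as a non-wheel user, it now needs to be listed here or it will fail at daemon connection time. The enclosing `nix.settings = { … }` set starts before the hunk.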
@ -50,6 +50,7 @@ in
|
|||
DefaultAction = "deny";
|
||||
Firewall = "iptables";
|
||||
LogLevel = 1;
|
||||
ProcMonitorMethod = "proc";
|
||||
};
|
||||
|
||||
rules = {
|
||||
|
|
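Review bot: `ProcMonitorMethod = "proc";` added here is the attribution method that looks up the owning process in /proc after the connection is seen, which is unreliable for short-lived processes and can attribute a connection to the wrong PID; if this is OpenSnitch's daemon configuration, the `ebpf` method is the more reliable choice, and the commit's own hardened.nix leaves eBPF usable (it only disables the JIT via `net.core.bpf_jit_enable`) while its `kernel.ftrace_enabled = false` rules out the `ftrace` method, so the choice here should be documented against those two sysctls. `LogLevel = 1;` next to `DefaultAction = "deny";` deserves a comment stating what is still logged at that level, because silent denies are hard to diagnose. The enclosing attribute set starts before the hunk.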
48
flake.lock
48
flake.lock
|
@ -10,11 +10,11 @@
|
|||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1732741943,
|
||||
"narHash": "sha256-ZPGI3RjfDqajlIlEO6xL9dQhtyXQMhlFMPnYoKNtPRI=",
|
||||
"lastModified": 1734971839,
|
||||
"narHash": "sha256-LrhWr5Smmd1aFyK7OkTonrsaKYOOapxZd7hp4JPebXk=",
|
||||
"owner": "LordGrimmauld",
|
||||
"repo": "aa-alias-manager",
|
||||
"rev": "cb4dd424befe24976ecbbc09505efa0c5477d9c6",
|
||||
"rev": "813f7a2886c12086f896814816378d3ac6f39d6d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -137,14 +137,15 @@
|
|||
"jovian": "jovian",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
],
|
||||
"nixpkgs-small": "nixpkgs-small"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1734915121,
|
||||
"narHash": "sha256-iSEzSBeGwNmg/F95taw9POJiWq4iEZ2VGcOaBUabCtc=",
|
||||
"lastModified": 1734987419,
|
||||
"narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=",
|
||||
"owner": "chaotic-cx",
|
||||
"repo": "nyx",
|
||||
"rev": "914e86e0d0c1ce969bd4c4184cfd2188ee51b891",
|
||||
"rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -362,17 +363,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1734942126,
|
||||
"narHash": "sha256-4543MvF57F6lpQYaC0+TkVVgLJvEsIr7LlYdOKYAXnk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "8bea1a2005c64a8c9c430d0dddb6b2e5db5f6f12",
|
||||
"type": "github"
|
||||
"dirtyRev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84-dirty",
|
||||
"dirtyShortRev": "35b98d20-dirty",
|
||||
"lastModified": 1735053786,
|
||||
"narHash": "sha256-HOjO2DoyhxGy0nA1Bk816WjsHKtOACVKVtkjHo4CbXI=",
|
||||
"type": "git",
|
||||
"url": "file:///home/grimmauld/coding/home-manager"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
"type": "git",
|
||||
"url": "file:///home/grimmauld/coding/home-manager"
|
||||
}
|
||||
},
|
||||
"jovian": {
|
||||
|
@ -559,6 +559,22 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-small": {
|
||||
"locked": {
|
||||
"lastModified": 1734838250,
|
||||
"narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1730741070,
|
||||
|
|
25
flake.nix
25
flake.nix
|
@ -40,8 +40,14 @@
|
|||
url = "github:LordGrimmauld/apparmor-dev";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
home-manager.url = "github:nix-community/home-manager";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
home-manager = {
|
||||
# https://github.com/nix-community/home-manager/issues/3415
|
||||
# https://github.com/nix-community/home-manager/pull/2548
|
||||
# url = "github:nix-community/home-manager";
|
||||
url = "git+file:///home/grimmauld/coding/home-manager";
|
||||
# url = "github:pasqui23/home-manager/nixos-late-start";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs =
|
||||
|
@ -61,10 +67,10 @@
|
|||
}:
|
||||
let
|
||||
patches = [
|
||||
# {
|
||||
# url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
|
||||
# hash = "sha256-hiXVdMeoKYbzJ4QxtTF85huRTe4EwgD3E1qXKhJGw1U=";
|
||||
# }
|
||||
{
|
||||
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/368415.patch";
|
||||
hash = "sha256-P5+8Y/XLF1xv66kr69idNWKsD9WYyTAE3twv5C5NvIg=";
|
||||
}
|
||||
];
|
||||
|
||||
customNixosSystem =
|
||||
|
@ -120,6 +126,13 @@
|
|||
# apparmor-dev.nixosModules.default
|
||||
|
||||
./specific/grimm-nixos-ssd/configuration.nix
|
||||
#(
|
||||
# { modulesPath, lib, ... }:
|
||||
# {
|
||||
# imports = lib.singleton "${modulesPath}/profiles/hardened.nix";
|
||||
# }
|
||||
#)
|
||||
./hardened.nix
|
||||
|
||||
home-manager.nixosModules.home-manager
|
||||
./hm
|
||||
|
|
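Review bot: `url = "git+file:///home/grimmauld/coding/home-manager";` pins the home-manager input to a local checkout, and the updated flake.lock records it with a `dirtyRev`, so the flake no longer evaluates on any other machine or from a clean clone and the lock will keep capturing an unpushed dirty tree; point the input at a pushed branch of the fork until the upstream issue/PR referenced in the neighbouring comments lands, or at minimum mark the line `# TEMPORARY: local fork, lock entry is not reproducible`. In the third hunk, `./hardened.nix` replaces the commented `profiles/hardened.nix` import; a comment on that line naming the upstream profile it was copied from would make future re-syncs with nixpkgs straightforward. The enclosing `inputs = { … }` set and the `outputs` function both start outside these hunks.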
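--- a/hardened.nix
+++ b/hardened.nix
@@ -0,0 +1,119 @@
+# A profile with most (vanilla) hardening options enabled by default,
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
+
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+with lib;
+
+{
+
+# boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+
+#nix.settings.allowed-users = mkDefault [ "@users" ];
+
+#environment.memoryAllocator.provider = mkDefault "scudo";
+#environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+#security.lockKernelModules = mkDefault true;
+
+#security.protectKernelImage = mkDefault true;
+
+#security.allowSimultaneousMultithreading = mkDefault false;
+
+#security.forcePageTableIsolation = mkDefault true;
+
+# This is required by podman to run containers in rootless mode.
+#security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
+#security.virtualisation.flushL1DataCache = mkDefault "always";
+
+#security.apparmor.enable = mkDefault true;
+#security.apparmor.killUnconfinedConfinables = mkDefault true;
+
+boot.kernelParams = [
+# Don't merge slabs
+"slab_nomerge"
+
+# Overwrite free'd pages
+"page_poison=1"
+
+# Enable page allocator randomization
+"page_alloc.shuffle=1"
+
+# Disable debugfs
+"debugfs=off"
+];
+
+boot.blacklistedKernelModules = [
+# Obscure network protocols
+"ax25"
+"netrom"
+"rose"
+
+# Old or rare or insufficiently audited filesystems
+"adfs"
+"affs"
+"bfs"
+"befs"
+"cramfs"
+"efs"
+"erofs"
+"exofs"
+"freevxfs"
+"f2fs"
+"hfs"
+"hpfs"
+"jfs"
+"minix"
+"nilfs2"
+"ntfs"
+"omfs"
+"qnx4"
+"qnx6"
+"sysv"
+"ufs"
+];
+
+# Hide kptrs even for processes with CAP_SYSLOG
+boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
+
+# Disable bpf() JIT (to eliminate spray attacks)
+boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
+
+# Disable ftrace debugging
+boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
+
+# Enable strict reverse path filtering (that is, do not attempt to route
+# packets that "obviously" do not belong to the iface's network; dropped
+# packets are logged as martians).
+boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
+boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
+boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
+boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+# Ignore broadcast ICMP (mitigate SMURF)
+boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+
+# Ignore incoming ICMP redirects (note: default is needed to ensure that the
+# setting is applied to interfaces added after the sysctls are set)
+boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
+
+# Ignore outgoing ICMP redirects (this is ipv4 only)
+boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
+boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
+}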
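Review bot: The header comment still says the profile enables most hardening options by default, but in this copy nearly every `security.*`, `nix.settings` and memory-allocator line is commented out, so the file only sets kernel parameters, a module blacklist and sysctls; replace the header with a short description of what is actually enabled, why the rest is disabled for this host, and which upstream profile it was copied from, so the stale claim does not mislead the next reader. Two of the remaining settings interact with other files in this commit and deserve a cross-referencing comment: `kernel.ftrace_enabled = false` and `net.core.bpf_jit_enable = false` constrain which process-monitor method the userspace firewall configured elsewhere can use, and `#security.allowSimultaneousMultithreading` stays commented while the host config drops `mds=full,nosmt`, so SMT-related mitigations now appear to be set nowhere. Minor: `rp_filter = mkDefault "1"` uses a string where the neighbouring sysctls use booleans or integers; `mkDefault 1` would be consistent.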
@ -24,26 +24,29 @@ in
|
|||
{
|
||||
home.preferXdgDirectories = true;
|
||||
|
||||
home.packages = with pkgs; [
|
||||
deskwhich
|
||||
] ++ lib.optionals graphical [
|
||||
# imhex
|
||||
# libreoffice-qt
|
||||
filezilla
|
||||
obsidian
|
||||
nomacs
|
||||
pdfarranger
|
||||
krita
|
||||
# weasis
|
||||
home.packages =
|
||||
with pkgs;
|
||||
[
|
||||
deskwhich
|
||||
]
|
||||
++ lib.optionals graphical [
|
||||
# imhex
|
||||
# libreoffice-qt
|
||||
filezilla
|
||||
obsidian
|
||||
nomacs
|
||||
pdfarranger
|
||||
krita
|
||||
# weasis
|
||||
|
||||
# kicad
|
||||
prusa-slicer
|
||||
freecad
|
||||
openscad
|
||||
# kicad
|
||||
prusa-slicer
|
||||
freecad
|
||||
openscad
|
||||
|
||||
vlc
|
||||
# blender
|
||||
];
|
||||
vlc
|
||||
# blender
|
||||
];
|
||||
|
||||
home.shellAliases = {
|
||||
":q" = "exit";
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
home-manager = {
|
||||
useGlobalPkgs = true;
|
||||
useUserPackages = true;
|
||||
useUserService = true;
|
||||
|
||||
sharedModules = [
|
||||
{ home.stateVersion = "24.11"; }
|
||||
|
|
|
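Review bot: `useUserService = true;` is not an option I can find in upstream home-manager's NixOS module; it presumably comes from the local fork this commit points the `home-manager` flake input at, so evaluation will fail with an undefined-option error as soon as the input is switched back to `github:nix-community/home-manager`. Tie the two together with a comment such as `useUserService = true; # fork-only option (see home-manager input in flake.nix); drop when moving back to upstream`. The enclosing module starts before the hunk.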
@ -9,6 +9,11 @@
|
|||
...
|
||||
}:
|
||||
|
||||
let
|
||||
nix_build = "/nix/build-sandbox";
|
||||
persist = "/nix/persist";
|
||||
in
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
|
@ -21,7 +26,7 @@
|
|||
"usbhid"
|
||||
"uas"
|
||||
"sd_mod"
|
||||
"kvm-intel"
|
||||
# "kvm-intel"
|
||||
];
|
||||
boot.initrd.kernelModules = [
|
||||
"zfs"
|
||||
|
@ -34,25 +39,34 @@
|
|||
boot.zfs = {
|
||||
forceImportRoot = false;
|
||||
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
|
||||
# [
|
||||
# "zpool/home"
|
||||
# "zpool/root"
|
||||
# "zpool/nix"
|
||||
# "zpool/var"
|
||||
# ];
|
||||
};
|
||||
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.supportedFilesystems.zfs = true;
|
||||
networking.hostId = "40fa5ea8";
|
||||
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_6;
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.kernelParams = [ "mds=full,nosmt" ];
|
||||
# boot.kernelParams = [ "mds=full,nosmt" ];
|
||||
services.homed.enable = true;
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "zpool/root";
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
options = [ "defaults" "size=2G" "mode=755" "noexec" ];
|
||||
};
|
||||
|
||||
fileSystems."${persist}" = {
|
||||
device = "zpool/persistent";
|
||||
fsType = "zfs";
|
||||
options = [ "noexec" ];
|
||||
};
|
||||
|
||||
environment.etc."machine-id".source = "${persist}/etc/machine-id";
|
||||
|
||||
fileSystems."/nix/var" = {
|
||||
device = "${persist}/nix/var";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" = {
|
||||
|
@ -63,12 +77,23 @@
|
|||
fileSystems."/var" = {
|
||||
device = "zpool/var";
|
||||
fsType = "zfs";
|
||||
options = [ "noexec" ];
|
||||
};
|
||||
|
||||
fileSystems."${nix_build}" = { # can execute
|
||||
device = "zpool/nix-build";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
|
||||
|
||||
fileSystems."/etc/nixos" = {
|
||||
device = "zpool/nix_conf";
|
||||
fsType = "zfs";
|
||||
options = [ "noacl" ];
|
||||
options = [
|
||||
"noacl"
|
||||
"noexec"
|
||||
];
|
||||
};
|
||||
|
||||
# fileSystems."/home" =
|
||||
|
@ -83,6 +108,7 @@
|
|||
"fmask=0022"
|
||||
"dmask=0022"
|
||||
"umask=077"
|
||||
"noexec"
|
||||
];
|
||||
};
|
||||
|
||||
|
|
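Review bot: `fileSystems."${persist}"` in the fourth hunk sets no `neededForBoot = true`, yet `environment.etc."machine-id".source = "${persist}/etc/machine-id"` and the `/nix/var` bind mount both depend on it; systemd reads /etc/machine-id as soon as it starts, so if the persistent dataset is only mounted from stage 2 the symlink dangles and a transient machine-id is generated, which also invalidates the journal and anything else keyed on it. Add `neededForBoot = true;` to that filesystem, and consider the same for the `/nix/var` bind so the nix database is in place before nix-daemon starts. Separately, the change to `# boot.kernelParams = [ "mds=full,nosmt" ];` removes the MDS/SMT mitigation in a commit titled "more paranoia" with nothing visible replacing it; if that is intentional (6.6 kernel defaults, performance), say so in the comment. The enclosing module starts before the first hunk and continues past the last.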
13
ssh/id_ed25519_sk
Normal file → Executable file
13
ssh/id_ed25519_sk
Normal file → Executable file
|
@ -1,8 +1,9 @@
|
|||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBCVqu7bW
|
||||
JXmNfwjGd1xpahAAAAGAAAAAEAAABKAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
|
||||
AAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDoAAACgig1MsV
|
||||
LNCxt4ktfo7rMgPmBdBRmETuj08L/3XGD5A668Y7q4GfC731ghAuBlJ9YtnU1PwbbyLNmU
|
||||
xszcWVAVOqc5Ntq1R1Hk3bJnSIVV8HTR1Zxkj9JkYy0jpfC+7PbNbFq3/u7bbyWfrw5vSH
|
||||
26GE2kZOk79ArdNOCxcjx+o9i+AE4svF2WUrRLf9s8rDNm2tu5BAn5yCCkaQv75h9bsA==
|
||||
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC74ZK+2l
|
||||
Hxn0SSjHwUqW/+AAAAGAAAAAEAAABRAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t
|
||||
AAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFsAA
|
||||
AAsDn6O66Anaiqld0n6TanhawcxAnkGgunRTDvzzTC1y/3Fb6cJAKkw05HuvyCosqqHlUv
|
||||
4k4I3ppv6pH85xe0nDXDw28IC9Y9OvfkwyHc/MrgnJ0kZz1gX/SIL9BdEQZ0Ne9SeIcvqK
|
||||
DEDn20CLPU8QT7RbCmku4Aj7nJgOxVxu4ICXPIz5ufBU6IM5eGEbqzonWBX/M19ElKz6NN
|
||||
Nmn5jc+z5aMw4O8mBMQ/5EYaSSbo
|
||||
-----END OPENSSH PRIVATE KEY-----
|
||||
|
|
|
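Review bot: The mode of `ssh/id_ed25519_sk` changes from a normal to an executable file; a private key file gains nothing from the execute bit, and the change suggests the copy into the repository went through something that does not preserve modes, so whatever deploys this file should write it with mode 0600 explicitly rather than inheriting the repo mode. Even though an sk-type key is only a handle that is useless without the hardware token, it is still private-key material checked into version control, and since the base64 header decodes to an aes256-ctr/bcrypt-protected key the passphrase strength is now the only thing protecting the handle from anyone with read access to the repo; consider keeping the key (and the matching public key replaced in the next hunk) out of the tree, e.g. on the persistent dataset this commit introduces.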
@ -1 +1 @@
|
|||
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIjwxJAnq4Z83CgU15LOMNK/ARTUPFALAexYMmax4bXVAAAABHNzaDo= Yubi ssh
|
||||
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
...
|
||||
}:
|
||||
{
|
||||
users.mutableUsers = false;
|
||||
|
||||
users.users.grimmauld = {
|
||||
isNormalUser = true;
|
||||
# shell = pkgs.xonsh;
|
||||
|
@ -35,6 +37,8 @@
|
|||
# { remote = "Videos"; }
|
||||
# ];
|
||||
|
||||
hashedPassword = "$y$j9T$HmVEEG6w96IUWynzJsLjT/$MCNKOTOUkku4ybBJiXPIHasXEkNVe6Ouu5gRTl2ab00";
|
||||
|
||||
packages = lib.optionals config.grimmShared.graphical (
|
||||
with pkgs;
|
||||
[
|
||||
|
|
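Review bot: `hashedPassword = "$y$j9T$…";` places the login hash in the repository alongside `users.mutableUsers = false;`, so anyone with read access to the repo can attempt offline guessing against it; yescrypt makes that slow, but the hash still does not belong in version control. Prefer `hashedPasswordFile = "${persist}/…/grimmauld.hash";` (or the repo's secrets mechanism) pointing into the persistent dataset this commit introduces, and treat the password as needing rotation now that the hash is in history. The enclosing `users.users.grimmauld = { … }` set starts in the first hunk and continues past the second.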