From 553b1863d32ad14dcb9ae1d2c674e4e4d43a3286 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 9 Jan 2025 13:54:25 +0100
Subject: [PATCH] update and fix opensnitch
---
 common/hardware/tlp.nix | 2 +-
 common/tooling/nix.nix | 5 +++-
 common/tooling/opensnitch/default.nix | 32 ++++++++++++++++++++--
 flake.lock | 24 ++++++++---------
 flake.nix | 8 +++---
 hardening/default.nix | 2 +-
 hardening/systemd/bluetooth.nix | 4 ---
 hardening/systemd/default.nix | 5 ++++
 hardening/systemd/nix-daemon.nix | 38 ++++++++++++++++++++++-----
 overlays/default.nix | 1 +
 overlays/opensnitch-ui.nix | 6 +++++
 sway/default.nix | 2 +-
 12 files changed, 96 insertions(+), 33 deletions(-)
 create mode 100644 overlays/opensnitch-ui.nix
diff --git a/common/hardware/tlp.nix b/common/hardware/tlp.nix
index 0a01d25..4ac0123 100644
--- a/common/hardware/tlp.nix
+++ b/common/hardware/tlp.nix
@@ -80,7 +80,7 @@ in
 };
 powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
- powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
+ # powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
 services.power-profiles-daemon.enable = false;
 services.upower.enable = true;
diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix
index d48776d..fde7643 100644
--- a/common/tooling/nix.nix
+++ b/common/tooling/nix.nix
@@ -48,7 +48,10 @@
 "pipe-operator"
 ];
 warn-dirty = false;
- allowed-users = [ "@wheel" "grimmauld" ];
+ allowed-users = [
+ "@wheel"
+ "grimmauld"
+ ];
 };
 programs.nh = {
diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix
index 515c94f..831a5f8 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -97,6 +97,34 @@ in
 };
 };
+ git = {
+ name = "git-allow-all";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ inherit created;
+ operator = {
+ type = "regexp";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.escapeRegex pkgs.git.outPath}/.*";
+ };
+ };
+
+ ssh = {
+ name = "ssh-allow-all";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ inherit created;
+ operator = {
+ type = "regexp";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
+ };
+ };
+
 nsncd = mkIf (config.services.nscd.enableNsncd) {
 name = "nsncd-dns";
 enabled = true;
@@ -339,13 +367,13 @@ in
 };
 };
- vesktop_daemon_allow_udp = mkIf (graphical) {
+ vesktop_daemon_allow_udp = mkIf graphical {
 name = "vesktop-allow-udp";
 enabled = true;
 action = "allow";
 precedence = true;
 duration = "always";
- # inherit created;
+ inherit created;
 operator = {
 type = "list";
 operand = "list";
diff --git a/flake.lock b/flake.lock
index 0a5c366..3b2daf8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -140,11 +140,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735943654,
- "narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=",
+ "lastModified": 1736112920,
+ "narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "5edcf7fb24c73ff9665f299461af33fa6171836f",
+ "rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5",
 "type": "github"
 },
 "original": {
@@ -342,11 +342,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735774425,
- "narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=",
+ "lastModified": 1736066484,
+ "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "5f6aa268e419d053c3d5025da740e390b12ac936",
+ "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
 "type": "github"
 },
 "original": {
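Review bot: The two new `process.path` rules (first hunk) allow any destination for every binary under the git and openssh store paths, and the regexp carries no `^` anchor; if OpenSnitch's regexp operator is an unanchored search, as I recall it is, a path that merely contains the store path would match too, and `${openssh.outPath}/.*` covers `bin/sshd`, `bin/sftp`, `bin/scp` and every helper in that output rather than only the `ssh` client the rule name suggests. Anchoring and naming the binary keeps the exemption to what is intended: `data = "^${lib.escapeRegex pkgs.openssh.outPath}/bin/ssh$";`, while git genuinely needs its helpers and can keep `data = "^${lib.escapeRegex pkgs.git.outPath}/.*";`. Because `duration = "always"` makes the allow permanent, a one-line comment saying why an unrestricted allow was chosen over a `list` rule that also constrains the destination port would help whoever revisits these rules. The enclosing rule set starts and ends outside the hunk.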
@@ -383,11 +383,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735330405,
- "narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
+ "lastModified": 1735931035,
+ "narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=",
 "owner": "Jovian-Experiments",
 "repo": "Jovian-NixOS",
- "rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
+ "rev": "7e530766a5fd9b7577296fedd655f3255f7495d8",
 "type": "github"
 },
 "original": {
@@ -507,11 +507,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1735834308,
- "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
+ "lastModified": 1736344531,
+ "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6df24922a1400241dae323af55f30e4318a6ca65",
+ "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 83ef999..37e8b89 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,10 +32,10 @@
 url = "github:LordGrimmauld/aa-alias-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-# nixpkgs-update = {
-# url = "github:nix-community/nixpkgs-update";
-# # inputs.nixpkgs.follows = "nixpkgs";
-# };
+ # nixpkgs-update = {
+ # url = "github:nix-community/nixpkgs-update";
+ # # inputs.nixpkgs.follows = "nixpkgs";
+ # };
 apparmor-dev = {
 url = "github:LordGrimmauld/apparmor-dev";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hardening/default.nix b/hardening/default.nix
index 3195442..4b2221e 100644
--- a/hardening/default.nix
+++ b/hardening/default.nix
@@ -6,7 +6,7 @@
 ];
 specialisation.unhardened.configuration = { };
- services.opensnitch.enable = lib.mkForce false;
+ # services.opensnitch.enable = lib.mkForce false;
 systemd.tpm2.enable = false;
 systemd.enableEmergencyMode = false;
diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix
index a8aab2a..8832dc2 100644
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@@ -7,7 +7,6 @@
 ];
 NoNewPrivileges = true;
 RestrictNamespaces = "pid";
- ProtectControlGroups = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
@@ -18,7 +17,6 @@
 LockPersonality = true;
 RestrictRealtime = true;
 ProtectProc = "invisible";
- PrivateUsers = true;
 };
@@ -28,7 +26,6 @@
 ];
 NoNewPrivileges = true;
 RestrictNamespaces = "pid";
- ProtectControlGroups = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
@@ -39,7 +36,6 @@
 LockPersonality = true;
 RestrictRealtime = true;
 ProtectProc = "invisible";
- PrivateUsers = true;
 };
 };
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index 04f716f..b88a99f 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -62,6 +62,11 @@ in
 config = mkIf (config.specialisation != { }) {
 systemd.services = {
+ opensnitchd.serviceConfig = {
+ ProtectHome = false;
+ PrivateTmp = false;
+ ProtectKernelLogs = false;
+ };
 "user-runtime-dir@".serviceConfig.ProtectHome = false;
 "user@".serviceConfig.ProtectHome = false;
 systemd-homed.serviceConfig.ProtectHome = false;
diff --git a/hardening/systemd/nix-daemon.nix b/hardening/systemd/nix-daemon.nix
index 9a576e8..0798174 100644
--- a/hardening/systemd/nix-daemon.nix
+++ b/hardening/systemd/nix-daemon.nix
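Review bot: The three sandbox relaxations added for `opensnitchd` in hardening/systemd/default.nix carry no comment saying which failure each one fixes, unlike the `# breaks --keep-failed` note that nix-daemon.nix gets in this same commit; the same applies to the `ProtectControlGroups` and `PrivateUsers` lines dropped from both units in hardening/systemd/bluetooth.nix. Without the reason recorded, a later hardening pass will either re-tighten them blindly or never revisit them, and for a firewall daemon the loosened settings deserve a reason more than most. If `ProtectHome` is only needed so the daemon can read executables under home directories for rule matching, `ProtectHome = "read-only";` is a smaller step than turning it off — worth confirming against the actual error before settling on `false`. A short comment per directive, along the lines of `# opensnitchd needs this for <observed failure — TODO fill in from journal>`, would suffice; the `config = mkIf …` block continues outside the hunk.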
@@ -11,9 +11,25 @@
 SystemCallArchitectures = "native";
 RestrictSUIDSGID = true; # good, somehow???
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches
- RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing
- SystemCallFilter = "@system-service @cpu-emulation @mount @privileged";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ]; # needed to download sources and caches
+ RestrictNamespaces = [
+ "user"
+ "net"
+ "uts"
+ "mnt"
+ "ipc"
+ "pid"
+ ]; # namespaces needed for sandboxing
+ SystemCallFilter = [
+ "@system-service"
+ "@cpu-emulation"
+ "@mount"
+ "@privileged"
+ ];
 LockPersonality = true;
 ProtectControlGroups = true;
@@ -23,9 +39,12 @@
 ProtectClock = true;
 # file system
- PrivateTmp = true;
+ # PrivateTmp = true; # breaks --keep-failed
 ProtectSystem = "strict";
- ReadWritePaths = "/nix";
+ ReadWritePaths = [
+ "/nix"
+ "/tmp"
+ ];
 # Scheduling: only do as much as resources are available
 LimitNICE = 1;
@@ -37,8 +56,13 @@
 DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
 CapabilityBoundingSet = [
- "CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE"
- ];
+ "CAP_FOWNER"
+ "CAP_CHOWN"
+ "CAP_SETUID"
+ "CAP_SETGID"
+ "CAP_SYS_ADMIN"
+ "CAP_DAC_OVERRIDE"
+ ];
 # ProtectKernelLogs=true; # BAD
 # ProtectKernelTunables = true; # BAD
diff --git a/overlays/default.nix b/overlays/default.nix
index 40e346b..bebf9bf 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -38,6 +38,7 @@
 ./ooye.nix
 ./factorio.nix
 ./ranger.nix
+ ./opensnitch-ui.nix
 # ./ncspot.nix
 # ./grpcio-tools.nix
 ];
diff --git a/overlays/opensnitch-ui.nix b/overlays/opensnitch-ui.nix
new file mode 100644
index 0000000..9b8d440
--- /dev/null
+++ b/overlays/opensnitch-ui.nix
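Review bot: Disabling `PrivateTmp` and adding `/tmp` to `ReadWritePaths` (second nix-daemon.nix hunk) means the daemon now works in the host's shared, world-writable `/tmp` instead of a private one, so any local user can place files next to the build directories it creates there; the comment records the symptom (`--keep-failed`) but not that this trade-off was accepted. If the Nix version in use supports the `build-dir` setting, pointing build directories at a dedicated path under `/nix` or another entry of `ReadWritePaths` would let `PrivateTmp = true` stay while kept-failed trees still survive — worth checking before settling on the relaxation. At minimum, extend the comment so the reason is explicit: `# PrivateTmp = true; # breaks --keep-failed: kept build dirs live in the unit's private /tmp and vanish with it`. The `serviceConfig` set starts and ends outside the hunk.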
@@ -0,0 +1,6 @@
+{ final, prev, ... }:
+{
+ opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
+ propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
+ });
+}
diff --git a/sway/default.nix b/sway/default.nix
index 653c3d8..2309a21 100644
--- a/sway/default.nix
+++ b/sway/default.nix
@@ -197,7 +197,7 @@
 (getExe' config.hardware.opentabletdriver.package "otd-daemon")
 pkgs.swaynotificationcenter
 pkgs.networkmanagerapplet
- # aw-bundle
+ aw-bundle
 # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
 ];
 extraConfig = ''
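Review bot: The new overlay hard-codes `final.python311Packages.packaging`, which only helps if `prev.opensnitch-ui` is itself built with Python 3.11; if it uses a different interpreter (nixpkgs' default `python3` at this lock is probably no longer 3.11, though I cannot confirm that from here), the propagated module lands in a `lib/python3.11` site-packages that the application's interpreter never searches and the override silently changes nothing. Taking the dependency from the package set the derivation actually uses avoids that — `final.python3Packages.packaging` if opensnitch-ui is built with `python3`, to be confirmed in the nixpkgs expression. The file also has no comment stating why the override exists, so nobody will know when it can be dropped; a first line such as `# opensnitch-ui lacks the 'packaging' runtime dependency — TODO confirm against the upstream package and remove once fixed` would cover that.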