Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

update and fix opensnitch

Browse source
This commit is contained in:
Grimmauld 2025-01-09 13:54:25 +01:00
parent a8f9e7a9c2
commit 553b1863d3
No known key found for this signature in database
12 changed files with 96 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/hardware/tlp.nix
View file

@ -80,7 +80,7 @@ in
}; };
powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power"; powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
powerManagement.cpuFreqGovernor = lib.mkDefault "normal"; # powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
services.power-profiles-daemon.enable = false; services.power-profiles-daemon.enable = false;
services.upower.enable = true; services.upower.enable = true;

5
common/tooling/nix.nix
View file

@ -48,7 +48,10 @@
"pipe-operator" "pipe-operator"
]; ];
warn-dirty = false; warn-dirty = false;
allowed-users = [ "@wheel" "grimmauld" ]; allowed-users = [
"@wheel"
"grimmauld"
];
}; };
programs.nh = { programs.nh = {

32
common/tooling/opensnitch/default.nix
View file

@ -97,6 +97,34 @@ in
}; };
}; };
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) { nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns"; name = "nsncd-dns";
enabled = true; enabled = true;
@ -339,13 +367,13 @@ in
}; };
}; };
vesktop_daemon_allow_udp = mkIf (graphical) { vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp"; name = "vesktop-allow-udp";
enabled = true; enabled = true;
action = "allow"; action = "allow";
precedence = true; precedence = true;
duration = "always"; duration = "always";
# inherit created; inherit created;
operator = { operator = {
type = "list"; type = "list";
operand = "list"; operand = "list";

24
flake.lock
View file

@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735943654, "lastModified": 1736112920,
"narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=", "narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "5edcf7fb24c73ff9665f299461af33fa6171836f", "rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -342,11 +342,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735774425, "lastModified": 1736066484,
"narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=", "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5f6aa268e419d053c3d5025da740e390b12ac936", "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -383,11 +383,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735330405, "lastModified": 1735931035,
"narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=", "narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd", "rev": "7e530766a5fd9b7577296fedd655f3255f7495d8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -507,11 +507,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1735834308, "lastModified": 1736344531,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65", "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
hardening/default.nix
View file

@ -6,7 +6,7 @@
]; ];
specialisation.unhardened.configuration = { }; specialisation.unhardened.configuration = { };
services.opensnitch.enable = lib.mkForce false; # services.opensnitch.enable = lib.mkForce false;
systemd.tpm2.enable = false; systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false; systemd.enableEmergencyMode = false;

4
hardening/systemd/bluetooth.nix
View file

@ -7,7 +7,6 @@
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
RestrictNamespaces = "pid"; RestrictNamespaces = "pid";
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
@ -18,7 +17,6 @@
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
PrivateUsers = true; PrivateUsers = true;
}; };
@ -28,7 +26,6 @@
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
RestrictNamespaces = "pid"; RestrictNamespaces = "pid";
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
@ -39,7 +36,6 @@
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
PrivateUsers = true; PrivateUsers = true;
}; };
}; };

5
hardening/systemd/default.nix
View file

@ -62,6 +62,11 @@ in
config = mkIf (config.specialisation != { }) { config = mkIf (config.specialisation != { }) {
systemd.services = { systemd.services = {
opensnitchd.serviceConfig = {
ProtectHome = false;
PrivateTmp = false;
ProtectKernelLogs = false;
};
"user-runtime-dir@".serviceConfig.ProtectHome = false; "user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false; "user@".serviceConfig.ProtectHome = false;
systemd-homed.serviceConfig.ProtectHome = false; systemd-homed.serviceConfig.ProtectHome = false;

36
hardening/systemd/nix-daemon.nix
View file

@ -11,9 +11,25 @@
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow??? RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches RestrictAddressFamilies = [
RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing "AF_UNIX"
SystemCallFilter = "@system-service @cpu-emulation @mount @privileged"; "AF_INET"
"AF_INET6"
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
"net"
"uts"
"mnt"
"ipc"
"pid"
]; # namespaces needed for sandboxing
SystemCallFilter = [
"@system-service"
"@cpu-emulation"
"@mount"
"@privileged"
];
LockPersonality = true; LockPersonality = true;
ProtectControlGroups = true; ProtectControlGroups = true;
@ -23,9 +39,12 @@
ProtectClock = true; ProtectClock = true;
# file system # file system
PrivateTmp = true; # PrivateTmp = true; # breaks --keep-failed
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = "/nix"; ReadWritePaths = [
"/nix"
"/tmp"
];
# Scheduling: only do as much as resources are available # Scheduling: only do as much as resources are available
LimitNICE = 1; LimitNICE = 1;
@ -37,7 +56,12 @@
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE" "CAP_FOWNER"
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SYS_ADMIN"
"CAP_DAC_OVERRIDE"
]; ];
# ProtectKernelLogs=true; # BAD # ProtectKernelLogs=true; # BAD

1
overlays/default.nix
View file

@ -38,6 +38,7 @@
./ooye.nix ./ooye.nix
./factorio.nix ./factorio.nix
./ranger.nix ./ranger.nix
./opensnitch-ui.nix
# ./ncspot.nix # ./ncspot.nix
# ./grpcio-tools.nix # ./grpcio-tools.nix
]; ];

6
overlays/opensnitch-ui.nix Normal file
View file

@ -0,0 +1,6 @@
{ final, prev, ... }:
{
opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
});
}

2
sway/default.nix
View file

@ -197,7 +197,7 @@
(getExe' config.hardware.opentabletdriver.package "otd-daemon") (getExe' config.hardware.opentabletdriver.package "otd-daemon")
pkgs.swaynotificationcenter pkgs.swaynotificationcenter
pkgs.networkmanagerapplet pkgs.networkmanagerapplet
# aw-bundle aw-bundle
# (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
]; ];
extraConfig = '' extraConfig = ''