From 68529879d28ec9375f28aa1990d43854d4cc9083 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 10 Jan 2025 12:50:01 +0100
Subject: [PATCH] clean up hardening
---
 common/firefox.nix | 4 ---
 common/tooling/default.nix | 3 ---
 .../apparmor/apparmor-d-module.nix | 0
 .../apparmor/apparmor-d-package.nix | 0
 .../apparmor/apparmor-d-prebuild.patch | 0
 .../tooling => hardening}/apparmor/bare.nix | 0
 .../apparmor/default.nix | 0
 hardening/default.nix | 3 +++
 .../opensnitch/block_lists.nix | 0
 .../opensnitch/default.nix | 2 +-
 .../opensnitch/discord_hosts/hosts.list | 0
 .../opensnitch/spotify_hosts/hosts.list | 0
 {common/tooling => hardening}/security.nix | 26 +++++++------------
 specific/grimm-nixos-ssd/configuration.nix | 3 ++-
 14 files changed, 15 insertions(+), 26 deletions(-)
 rename {common/tooling => hardening}/apparmor/apparmor-d-module.nix (100%)
 rename {common/tooling => hardening}/apparmor/apparmor-d-package.nix (100%)
 rename {common/tooling => hardening}/apparmor/apparmor-d-prebuild.patch (100%)
 rename {common/tooling => hardening}/apparmor/bare.nix (100%)
 rename {common/tooling => hardening}/apparmor/default.nix (100%)
 rename {common/tooling => hardening}/opensnitch/block_lists.nix (100%)
 rename {common/tooling => hardening}/opensnitch/default.nix (99%)
 rename {common/tooling => hardening}/opensnitch/discord_hosts/hosts.list (100%)
 rename {common/tooling => hardening}/opensnitch/spotify_hosts/hosts.list (100%)
 rename {common/tooling => hardening}/security.nix (75%)
diff --git a/common/firefox.nix b/common/firefox.nix
index 85ffd41..632f05d 100644
--- a/common/firefox.nix
+++ b/common/firefox.nix
@@ -8,7 +8,6 @@ let
 inherit (config.grimmShared)
 enable
 firefox
- tooling
 locale
 sway
 ;
@@ -28,9 +27,6 @@ in
 programs.firefox = {
 # package = pkgs.firefox-beta;
 enable = true;
- nativeMessagingHosts.packages = [ ] ++ lib.optionals (tooling.enable && tooling.pass) [ pkgs.passff-host ];
 languagePacks = optionals locale [
 "de"
 "en-US"
diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index 4d2fefe..367b09f 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -17,7 +17,6 @@ in
 imports = [
 # ./lilypond.nix
 ./nix.nix
- ./security.nix
 ./python.nix
 ./rust.nix
 ./lsp.nix
@@ -25,10 +24,8 @@ in
 # ./wine.nix
 ./c.nix
 ./java.nix
- ./opensnitch
 ./ranger.nix
 # ./defaultProtectHome.nix
- ./apparmor
 ];
 config = mkIf (enable && tooling.enable) {
diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/hardening/apparmor/apparmor-d-module.nix
similarity index 100%
rename from common/tooling/apparmor/apparmor-d-module.nix
rename to hardening/apparmor/apparmor-d-module.nix
diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix
similarity index 100%
rename from common/tooling/apparmor/apparmor-d-package.nix
rename to hardening/apparmor/apparmor-d-package.nix
diff --git a/common/tooling/apparmor/apparmor-d-prebuild.patch b/hardening/apparmor/apparmor-d-prebuild.patch
similarity index 100%
rename from common/tooling/apparmor/apparmor-d-prebuild.patch
rename to hardening/apparmor/apparmor-d-prebuild.patch
diff --git a/common/tooling/apparmor/bare.nix b/hardening/apparmor/bare.nix
similarity index 100%
rename from common/tooling/apparmor/bare.nix
rename to hardening/apparmor/bare.nix
diff --git a/common/tooling/apparmor/default.nix b/hardening/apparmor/default.nix
similarity index 100%
rename from common/tooling/apparmor/default.nix
rename to hardening/apparmor/default.nix
diff --git a/hardening/default.nix b/hardening/default.nix
index 4b2221e..d84f9b9 100644
--- a/hardening/default.nix
+++ b/hardening/default.nix
@@ -3,6 +3,9 @@ imports = [
 ./systemd
 ./ssh-as-sudo.nix
+ ./apparmor
+ ./opensnitch
+ ./security.nix
 ];
 specialisation.unhardened.configuration = { };
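Review bot: The three new imports (`./apparmor`, `./opensnitch`, `./security.nix`) widen what the empty `specialisation.unhardened.configuration = { };` on the context line below silently inherits, because a specialisation only overrides what it sets and this one sets nothing. If `unhardened` is meant to boot without these modules, the relaxations have to be written explicitly inside it; which options to flip depends on the imported modules, which are outside this hunk. A comment on that line would spare the next reader the same check, e.g. `# NOTE: unhardened inherits every import above; disable modules here to actually relax them`.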
diff --git a/common/tooling/opensnitch/block_lists.nix b/hardening/opensnitch/block_lists.nix
similarity index 100%
rename from common/tooling/opensnitch/block_lists.nix
rename to hardening/opensnitch/block_lists.nix
diff --git a/common/tooling/opensnitch/default.nix b/hardening/opensnitch/default.nix
similarity index 99%
rename from common/tooling/opensnitch/default.nix
rename to hardening/opensnitch/default.nix
index 831a5f8..f1df335 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@@ -110,7 +110,7 @@ in
 data = "${lib.escapeRegex pkgs.git.outPath}/.*";
 };
 };
-
+
 ssh = {
 name = "ssh-allow-all";
 enabled = true;
diff --git a/common/tooling/opensnitch/discord_hosts/hosts.list b/hardening/opensnitch/discord_hosts/hosts.list
similarity index 100%
rename from common/tooling/opensnitch/discord_hosts/hosts.list
rename to hardening/opensnitch/discord_hosts/hosts.list
diff --git a/common/tooling/opensnitch/spotify_hosts/hosts.list b/hardening/opensnitch/spotify_hosts/hosts.list
similarity index 100%
rename from common/tooling/opensnitch/spotify_hosts/hosts.list
rename to hardening/opensnitch/spotify_hosts/hosts.list
diff --git a/common/tooling/security.nix b/hardening/security.nix
similarity index 75%
rename from common/tooling/security.nix
rename to hardening/security.nix
index 448a9f2..848a14c 100644
--- a/common/tooling/security.nix
+++ b/hardening/security.nix
@@ -7,22 +7,17 @@ ...
 }:
 let
- inherit (config.grimmShared) enable tooling graphical;
 inherit (lib)
 optional
- optionals
 filterAttrs
- mkForce
 mkDefault
- mkIf
 attrNames
- mkEnableOption
 ;
 age_plugins = with pkgs; [ age-plugin-yubikey ];
 in
 {
- config = mkIf enable {
+ config = {
 security.polkit.enable = mkDefault true;
 security.rtkit.enable = true;
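Review bot: `config = {` drops the `mkIf enable` guard, so this module now takes effect unconditionally wherever `hardening/default.nix` is imported and `grimmShared.enable = false` no longer switches it off. That fits the move, but `mkIf`, `optionals`, `mkForce` and `mkEnableOption` also leave the `inherit (lib)` list in the same hunk; the later hunks rewrite the `mkIf` uses that are visible, yet new-file lines 24–55 are not part of this patch, so any bare `mkIf` or `optionals` remaining there would now be an undefined identifier at evaluation time. A `nixos-rebuild dry-build` before merging would settle that. If the module is meant to be toggleable again later, `config = lib.mkIf config.grimmShared.enable {` keeps the old switch reachable without the inherit.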
@@ -61,7 +56,7 @@ in
 in
 lib.getExe' rage_wrapped "rage";
- programs.yubikey-touch-detector.enable = graphical;
+ programs.yubikey-touch-detector.enable = config.programs.sway.enable;
 services.yubikey-agent.enable = true;
 environment.systemPackages =
@@ -75,16 +70,13 @@ in
 yubikey-manager
 yubico-pam
 yubikey-personalization
+ pkgs.pass
 ])
 ++ age_plugins
- ++ (optionals (tooling.enable && tooling.pass) [
- pkgs.pass
- (pkgs.writeShellScriptBin "passw" "pass $@")
- ])
- ++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
- ++ (optional graphical pkgs.lxqt.lxqt-policykit);
+ ++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
+ # ++ (optional graphical pkgs.lxqt.lxqt-policykit);
- services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
+ services.passSecretService.enable = true;
 services.openssh.settings.LoginGraceTime = 0;
 # programs.gnupg.agent = {
@@ -96,10 +88,10 @@ in
 # enableSSHSupport = true;
 # };
- grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
+ grimmShared.firefox.plugins = {
 "passff@invicem.pro" = "passff";
 };
- };
- options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
+ programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
+ };
 }
diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix
index b461cfa..91c0983 100644
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@@ -29,7 +29,8 @@ grimmShared = {
 tooling = {
- pass = true;
+ enable = true;
+# pass = true;
 };
 gaming = true;
 portals = true;
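Review bot: `programs.yubikey-touch-detector.enable = config.programs.sway.enable;` narrows the condition from the generic `graphical` flag to Sway specifically, so a host running any other graphical session loses the touch notification with no error. If the intent is to stop reading `config.grimmShared` from inside hardening/, a comment on the line would make that deliberate, e.g. `# tied to sway: the only graphical session this profile targets`; otherwise `config.grimmShared.graphical` preserves the previous behaviour. The enclosing `let ... in` around `rage_wrapped` starts outside the hunk.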
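Review bot: Commenting out `++ (optional graphical pkgs.lxqt.lxqt-policykit);` removes the only polkit authentication agent visible in this file while `security.polkit.enable = mkDefault true` from the first hunk stays, so unless another module installs an agent, graphical actions that require authorisation will be refused without a prompt rather than prompted for. Either delete the dead line or replace it with a comment naming where the agent now comes from, e.g. `# polkit agent: provided by <module path>`; a `#` line in the middle of a `++` chain otherwise reads as a leftover. Separately, `+ pkgs.pass` sits among bare names (`yubikey-manager`, `yubico-pam`), which suggests a `with pkgs;` list where plain `pass` would match its neighbours. The `environment.systemPackages =` expression begins in the previous hunk.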
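Review bot: Removing `options.grimmShared.tooling.pass = mkEnableOption ...` deletes an option without a deprecation path, so any host configuration still setting `grimmShared.tooling.pass` fails evaluation with an undefined-option error; this patch updates only `specific/grimm-nixos-ssd/configuration.nix` (which keeps a commented `# pass = true;` pointing at the dead option), and other `specific/*` hosts are not visible here. Adding `lib.mkRemovedOptionModule [ "grimmShared" "tooling" "pass" ] "pass is now always enabled by hardening/security.nix"` to the imports would turn that into an explicit message and let the stale comment be dropped. The new `programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];` and the now unconditional `grimmShared.firefox.plugins` are also set whether or not Firefox is enabled on the host; `lib.mkIf config.programs.firefox.enable` around both keeps the hardening module from configuring a browser that is not installed.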