From 883d5edcd99af1b6d70742bacdd23f5b0eeb4bea Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 27 Dec 2024 22:59:07 +0100
Subject: [PATCH] enable hardened profile
---
 flake.nix | 13 +-
 hardened.nix | 119 ------------------
 .../hardware-configuration.nix | 57 ++++++---
 3 files changed, 49 insertions(+), 140 deletions(-)
 delete mode 100644 hardened.nix
diff --git a/flake.nix b/flake.nix
index f7c3973..78bf4fb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -126,13 +126,12 @@
 # apparmor-dev.nixosModules.default
 ./specific/grimm-nixos-ssd/configuration.nix
- #(
- # { modulesPath, lib, ... }:
- # {
- # imports = lib.singleton "${modulesPath}/profiles/hardened.nix";
- # }
- #)
- ./hardened.nix
+ (
+ { modulesPath, lib, ... }:
+ {
+ imports = lib.singleton "${modulesPath}/profiles/hardened.nix";
+ }
+ )
 home-manager.nixosModules.home-manager
 ./hm
diff --git a/hardened.nix b/hardened.nix
deleted file mode 100644
index ee10d54..0000000
--- a/hardened.nix
+++ /dev/null
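Review bot: The new inline module imports the full upstream `profiles/hardened.nix` without any comment on which of its defaults this configuration deliberately reverts, so a reader of flake.nix cannot tell that `security.lockKernelModules` and `environment.memoryAllocator.provider` are reset in `specific/grimm-nixos-ssd/hardware-configuration.nix`. Judging by the deleted local copy, the profile also carries `mkDefault`s this config never touches (the allowed-users restriction, SMT off, page-table isolation, AppArmor, unprivileged userns tied to containers), so enabling it is a wider behavioural change than a one-for-one swap; whether the upstream file in the pinned nixpkgs still sets all of them should be checked rather than assumed. A one-line comment above the `(` would carry that: `# upstream hardened profile; per-host overrides live in specific/grimm-nixos-ssd/hardware-configuration.nix`. The enclosing modules list starts and ends outside the hunk.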
@@ -1,119 +0,0 @@
-# A profile with most (vanilla) hardening options enabled by default,
-# potentially at the cost of stability, features and performance.
-#
-# This profile enables options that are known to affect system
-# stability. If you experience any stability issues when using the
-# profile, try disabling it. If you report an issue and use this
-# profile, always mention that you do.
-
- {
- config,
- lib,
- pkgs,
- ...
-}:
-
- with lib;
-
- {
-
- # boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
-
- #nix.settings.allowed-users = mkDefault [ "@users" ];
-
- #environment.memoryAllocator.provider = mkDefault "scudo";
- #environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
- #security.lockKernelModules = mkDefault true;
-
- #security.protectKernelImage = mkDefault true;
-
- #security.allowSimultaneousMultithreading = mkDefault false;
-
- #security.forcePageTableIsolation = mkDefault true;
-
- # This is required by podman to run containers in rootless mode.
- #security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-
- #security.virtualisation.flushL1DataCache = mkDefault "always";
-
- #security.apparmor.enable = mkDefault true;
- #security.apparmor.killUnconfinedConfinables = mkDefault true;
-
- boot.kernelParams = [
- # Don't merge slabs
- "slab_nomerge"
-
- # Overwrite free'd pages
- "page_poison=1"
-
- # Enable page allocator randomization
- "page_alloc.shuffle=1"
-
- # Disable debugfs
- "debugfs=off"
- ];
-
- boot.blacklistedKernelModules = [
- # Obscure network protocols
- "ax25"
- "netrom"
- "rose"
-
- # Old or rare or insufficiently audited filesystems
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
- ];
-
- # Hide kptrs even for processes with CAP_SYSLOG
- boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
-
- # Disable bpf() JIT (to eliminate spray attacks)
- boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
-
- # Disable ftrace debugging
- boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
-
- # Enable strict reverse path filtering (that is, do not attempt to route
- # packets that "obviously" do not belong to the iface's network; dropped
- # packets are logged as martians).
- boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
- boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
- # Ignore broadcast ICMP (mitigate SMURF)
- boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-
- # Ignore incoming ICMP redirects (note: default is needed to ensure that the
- # setting is applied to interfaces added after the sysctls are set)
- boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
-
- # Ignore outgoing ICMP redirects (this is ipv4 only)
- boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
-}
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 37a2ca2..6982d1e 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -36,24 +36,43 @@ in
 "usb_storage"
 "nvme"
 ];
+
+ boot.kernelModules = [
+ "tmpfs"
+ "iwlwifi"
+ "iwlmvm"
+ "mac80211"
+ "bluetooth"
+ "cfg80211"
+ ]; # "kvm-intel"
+ boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
+
+ security.lockKernelModules = false; # PAIN on an intended-portable setup
+ # security.protectKernelImage = false;
+
+ boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
+
 boot.zfs = {
 forceImportRoot = false;
 requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
 };
- boot.kernelModules = [ "kvm-intel" ];
 boot.supportedFilesystems.zfs = true;
 networking.hostId = "40fa5ea8";
 # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 boot.kernelPackages = pkgs.linuxPackages_6_6;
 boot.extraModulePackages = [ ];
- # boot.kernelParams = [ "mds=full,nosmt" ];
 services.homed.enable = true;
 fileSystems."/" = {
 device = "none";
 fsType = "tmpfs";
- options = [ "defaults" "size=2G" "mode=755" "noexec" ];
+ options = [
+ "defaults"
+ "size=2G"
+ "mode=755"
+ "noexec"
+ ];
 };
 fileSystems."${persist}" = {
@@ -63,20 +82,28 @@ in
 };
 environment.etc."machine-id".source = "${persist}/etc/machine-id";
+ environment.memoryAllocator.provider = "libc";
 fileSystems."/nix/var" = {
 device = "${persist}/nix/var";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "noexec"
+ ];
 };
-
+
 fileSystems."/etc/NetworkManager/system-connections" = {
 device = "${persist}/etc/NetworkManager/system-connections";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "noexec"
+ ];
 };
 fileSystems."/nix" = {
 device = "zpool/nix";
 fsType = "zfs";
+ options = [ "exec" ];
 };
 fileSystems."/var" = {
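Review bot: The `# TODO: does this work?` on `boot.specialFileSystems."/dev/shm".options = [ "noexec" ];` can be settled instead of left open: `options` is a list-typed option, so the module system merges this entry with the NixOS defaults for `/dev/shm` rather than replacing them, which is presumably the intent — confirm after a rebuild with `findmnt -o TARGET,OPTIONS /dev/shm` and replace the TODO with what was observed, e.g. `# merged with the module's default /dev/shm options`. Separately, `"tmpfs"` in `boot.kernelModules` is most likely a no-op, since tmpfs is normally built into the kernel rather than shipped as a loadable module; if it was added so the tmpfs mounts further down survive `security.lockKernelModules`, note that that option is set to `false` a few lines later, so the entry can go or get a comment saying why it stays. The enclosing attribute set starts and ends outside the hunk.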
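Review bot: `environment.memoryAllocator.provider = "libc";` overrides the hardened profile's allocator default at normal priority (the deleted local copy shows it as `mkDefault "scudo"`) with no explanation, and it sits between the `machine-id` line and the `/nix/var` mount where nobody will look for it. A why-comment belongs on it: `environment.memoryAllocator.provider = "libc"; # hardened profile defaults to scudo; reverted because <reason>`. The `noexec` added to the `/nix/var` and `system-connections` bind mounts is worth confirming with `findmnt` after a rebuild, since per-mount flags on a bind mount only take effect if mount(8) performs its follow-up remount; the `"exec"` on `/nix` restates the default and could either be dropped or commented as deliberate.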
@@ -85,9 +112,16 @@ in
 options = [ "noexec" ];
 };
- fileSystems."${nix_build}" = { # can execute
- device = "zpool/nix-build";
- fsType = "zfs";
+ fileSystems."${nix_build}" = {
+ # can execute
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=30%"
+ "mode=755"
+ "exec"
+ ];
 };
 systemd.services.nix-daemon.environment.TMPDIR = nix_build;
@@ -101,11 +135,6 @@ in
 ];
 };
- # fileSystems."/home" =
- # { device = "zpool/home";
- # fsType = "zfs";
- # };
-
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/12CE-A600";
 fsType = "vfat";
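Review bot: Moving `${nix_build}` from the `zpool/nix-build` dataset to a tmpfs with `size=30%` makes nix-daemon's `TMPDIR` RAM-backed with a hard ceiling, so any build whose scratch space exceeds 30% of RAM fails with ENOSPC part-way through, and the hunk documents neither that limit nor what becomes of the now-unmounted dataset. The retained `# can execute` comment is also the only remaining hint that `"exec"` is deliberate here while the other tmpfs mounts are `noexec`. Suggest `# RAM-backed, exec allowed on purpose (nix-daemon TMPDIR); builds needing more than 30% of RAM will hit ENOSPC` in place of `# can execute`, and either destroy `zpool/nix-build` or record that it is intentionally kept.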