diff --git a/common/firefox.nix b/common/firefox.nix
index a89195d..6561109 100644
--- a/common/firefox.nix
+++ b/common/firefox.nix
@@ -67,6 +67,7 @@ in
 "network.connectivity-service.DNSv6.domain" = "::1";
 network.dns.localDomains = "::1";
 network.dns.forceResolve = true;
+ "media.peerconnection.enabled" = false;
 "media.rdd-ffmpeg.enabled" = true;
 "media.navigator.mediadatadecoder_vpx_enabled" = true;
 } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
diff --git a/custom/confwhich/package.nix b/custom/confwhich/package.nix
index 3f39c58..26eb0eb 100644
--- a/custom/confwhich/package.nix
+++ b/custom/confwhich/package.nix
@@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
 hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ=";
 };
- cargoHash = "sha256-cn9vtRO+negpIVs0rnp2y5q7L4w554dfBK9MtbWd8FA=";
+ useFetchCargoVendor = true;
+ cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw=";
 meta = {
 description = "tool to find the path of xdg config files";
diff --git a/custom/rfindup/package.nix b/custom/rfindup/package.nix
index 859f6c5..f4a6abb 100644
--- a/custom/rfindup/package.nix
+++ b/custom/rfindup/package.nix
@@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
 hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs=";
 };
- cargoHash = "sha256-l7uRTGV2iYbWbJSvs+YHwMSYmVW3FHa7sgbO2mub7a0=";
+ useFetchCargoVendor = true;
+ cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU=";
 meta = {
 description = "tool to find files by name in parent directories";
diff --git a/hardening/apparmor/default.nix b/hardening/apparmor/default.nix
index dc6874f..eb68826 100644
--- a/hardening/apparmor/default.nix
+++ b/hardening/apparmor/default.nix
@@ -42,7 +42,7 @@ in
 spotify = "enforce";
 "thunderbird.apparmor.d" = "enforce";
 xdg-open = "enforce";
- child-open-any = "enforce";
+ # child-open-any = "enforce";
 child-open = "enforce";
 firefox-glxtest = "enforce";
 firefox-vaapitest = "enforce";
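Review bot: `"media.peerconnection.enabled" = false;` is dropped between unrelated media codec prefs with no comment on why it is set, and switching WebRTC off wholesale also disables in-browser voice and video calls, so the rationale belongs on the line. Given that this commit routes DNS through Tor, the reason is presumably that WebRTC's ICE candidate gathering can expose local and real addresses outside the configured proxy; I would annotate it `"media.peerconnection.enabled" = false; # disable WebRTC: ICE bypasses proxy settings and can reveal real addresses`. The enclosing attribute set starts outside the hunk.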
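Review bot: Commenting out `child-open-any = "enforce";` removes the profile from the set entirely rather than relaxing it, and nothing records why. If this is temporary troubleshooting of a denial and the wrapping option accepts it, `child-open-any = "complain";` keeps the profile loaded while only logging what it would block; if the profile is gone for good, delete the line and leave a short comment such as `# child-open-any dropped: <reason>` instead of dead code. The enclosing attribute set starts and ends outside the hunk, so I cannot see whether anything else still refers to the profile.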
diff --git a/hardening/default.nix b/hardening/default.nix
index d88c28e..b28fcaf 100644
--- a/hardening/default.nix
+++ b/hardening/default.nix
@@ -68,7 +68,6 @@
 systemd.tpm2.enable = false;
 systemd.enableEmergencyMode = false;
 virtualisation.vswitch.enable = false;
- services.resolved.enable = false;
 security.unprivilegedUsernsClone = true;
 security.apparmor.enable = true;
 security.allowSimultaneousMultithreading = true;
diff --git a/hardening/encrypt-dns.nix b/hardening/encrypt-dns.nix
index 97d3ef8..a09364e 100644
--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@@ -2,11 +2,23 @@
 {
 networking = {
 nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
+ # nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];
 dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
 networkmanager.dns = "none"; # nm
 resolvconf.useLocalResolver = true; # resoved
 };
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ torsocks = {
+ enable = true;
+ allowInbound = false;
+ };
+ settings.SafeSocks = true;
+ settings.TestSocks = true;
+ };
+
 services.dnscrypt-proxy2 = {
 enable = true;
 settings = {
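Review bot: Dropping `services.resolved.enable = false;` leaves the option to whatever default or other module decides, while the neighbouring lines (`systemd.tpm2.enable = false;`, `virtualisation.vswitch.enable = false;`) deliberately pin such services off. Today this is probably a no-op, but if anything later enables resolved, its stub listener becomes a second resolver path that the loopback-only dnscrypt-proxy setup in encrypt-dns.nix does not cover. If the removal is intentional, keep a one-line pointer such as `# resolved: see encrypt-dns.nix` in its place; otherwise restore the line.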
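Review bot: `settings.SafeSocks = true;` is likely to conflict with the `proxy = "socks5://…"` setting this commit adds to dnscrypt-proxy in the next hunk: SafeSocks makes Tor reject SOCKS requests that carry an IP address rather than a hostname, and DNSCrypt stamps identify resolvers by IP, so if dnscrypt-proxy dials those IPs through the proxy every upstream connection is refused and resolution stops. Either drop SafeSocks for this deployment or verify in the Tor log (TestSocks is already on, so each request is reported) that the connections are accepted before relying on it. The commented-out `# nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];` is dead code — resolv.conf `nameserver` entries do not take a port — and should be removed or explained.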
@@ -18,20 +30,22 @@
 odoh_servers = false;
 require_nolog = true;
 require_nofilter = true;
+ listen_addresses = [ "127.0.0.1:53" ];
+ proxy = "socks5://${config.services.tor.torsocks.server}";
+ force_tcp = true;
 sources.public-resolvers = let serverList = pkgs.fetchurl {
 # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
 url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
- hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
+ hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA=";
 };
 in {
 urls = [
 "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
 "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
- # "file://${serverList}"
 ];
- cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ cache_file = serverList;
 minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
 };
diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix
index fc7f795..a901c18 100644
--- a/hardening/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@@ -30,6 +30,7 @@ in
 ./firefox.nix
 ./tooling.nix
 ./dns.nix
+ ./tor.nix
 ];
 config = mkIf (enable && tooling.enable && network) {
diff --git a/hardening/opensnitch/nix.nix b/hardening/opensnitch/nix.nix
index 7b23aec..dbd2871 100644
--- a/hardening/opensnitch/nix.nix
+++ b/hardening/opensnitch/nix.nix
@@ -72,13 +72,6 @@ in
 operand = "dest.port";
 data = "443";
 }
- {
- type = "regexp";
- sensitive = false;
- operand = "dest.host";
- data = "(channels|cache)\\.nixos\\.org";
- }
-
 ];
 };
 };
diff --git a/hardening/opensnitch/tor.nix b/hardening/opensnitch/tor.nix
new file mode 100644
index 0000000..832ca8a
--- /dev/null
+++ b/hardening/opensnitch/tor.nix
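Review bot: `listen_addresses = [ "127.0.0.1:53" ];` binds only IPv4 loopback while the first hunk keeps `nameservers = lib.mkForce [ "127.0.0.1" "::1" ];`, so the `::1` entry points at nothing and queries sent there are refused until the resolver falls back; add `"[::1]:53"` to the list or drop `::1` from the nameservers. `proxy = "socks5://${config.services.tor.torsocks.server}"` ties dnscrypt-proxy to the address torsocks is told to use, not to where Tor actually listens (`services.tor.client.socksListenAddress`); the two agree only by default, so derive the URL from the listener option or comment that they must stay in step. `cache_file = serverList;` points the refresh cache at a read-only store path, so dnscrypt-proxy's periodic re-download can never update it and will report a write failure at each refresh — the old `/var/lib/dnscrypt-proxy2/public-resolvers.md` was the right cache location, with the store copy serving only as the build-time seed. Also worth confirming how the source URL hostnames are resolved: if dnscrypt-proxy uses its `bootstrap_resolvers` in clear text for that, the list fetch bypasses both the encryption and Tor.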
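Review bot: Removing the `dest.host` operator `(channels|cache)\\.nixos\\.org` leaves, as far as the visible context shows, only the `dest.port` / `443` constraint in this list operator, so the Nix daemon is now allowed to reach any host on 443 rather than the two substituter domains. If the motivation is additional substituters or flake inputs, extend the alternation instead of dropping the host check, e.g. `data = "(channels|cache)\\.nixos\\.org|<extra-substituter-host>";`, and leave a comment on why. The list operator's opening and its process match are outside the hunk, so I cannot confirm nothing else narrows the rule.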
@@ -0,0 +1,37 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.grimmShared)
+ enable
+ tooling
+ network
+ ;
+ inherit (lib)
+ mkIf
+ ;
+
+ created = "1970-01-01T00:00:00.0+00:00";
+in
+{
+
+ config = mkIf (enable && tooling.enable && network) {
+ services.opensnitch.rules = {
+ tor = mkIf (config.services.tor.enable) {
+ name = "tor";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ inherit created;
+ operator = {
+ type = "simple";
+ sensitive = false;
+ operand = "process.path";
+ data = lib.getExe' config.services.tor.package "tor";
+ };
+ };
+ };
+ };
+}
diff --git a/hardening/opensnitch/vesktop.nix b/hardening/opensnitch/vesktop.nix
index 7da2e9e..ebb9595 100644
--- a/hardening/opensnitch/vesktop.nix
+++ b/hardening/opensnitch/vesktop.nix
@@ -33,7 +33,7 @@ in
 type = "regexp";
 sensitive = false;
 operand = "process.command";
- data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+ data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
 };
 };
@@ -52,7 +52,7 @@ in
 type = "regexp";
 sensitive = false;
 operand = "process.command";
- data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+ data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
 }
 {
 type = "lists";
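Review bot: The `operator` matches only `process.path`, so every destination is allowed for the Tor binary; that is what a Tor client needs (relays and bridges sit on arbitrary address:port pairs) but it should be stated, e.g. `# tor needs arbitrary relay addresses; restrict by process identity only` above `operator = {`, so the next reader does not try to narrow it. Style: `mkIf` is pulled in through `inherit (lib)` while `lib.getExe'` on the `data` line is fully qualified — add `getExe'` to the inherit list — and `mkIf (config.services.tor.enable)` does not need the parentheses. `process.path` is the executable's resolved path, so if the service unit launches Tor through a wrapper rather than `${package}/bin/tor` this rule will not match; worth confirming against the running unit.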
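Review bot: Replacing the `electron-unwrapped-<version>` store-path pattern with `${escapeRegex "${pkgs.electron}"}/libexec/electron/.*` assumes the running process's command line starts with the wrapped `pkgs.electron` output; the old pattern matched the unwrapped output, which is what argv[0] shows when a makeWrapper script execs the unwrapped binary, so the five rewritten rules (this hunk and the ones at -52, -78, -105 and -124) may silently stop matching. Confirm which path opensnitch actually sees and, if it is the unwrapped one, reference the unwrapped derivation the way nixpkgs exposes it rather than `pkgs.electron`. The new `electron/.*` also accepts helper binaries in that directory where the old `electron/electron.*` required the main executable, and since opensnitch regexp rules are unanchored a `^` in front of the pattern keeps another process that merely mentions the asar path in its arguments from inheriting the rule. With `getVersion` no longer used here, its `inherit (lib)` entry (outside the hunk) is probably dead now.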
@@ -78,7 +78,7 @@ in
 type = "regexp";
 sensitive = false;
 operand = "process.command";
- data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+ data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
 }
 {
 type = "simple";
@@ -105,7 +105,7 @@ in
 type = "regexp";
 sensitive = false;
 operand = "process.command";
- data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+ data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
 };
 };
@@ -124,7 +124,7 @@ in
 type = "regexp";
 sensitive = false;
 operand = "process.command";
- data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+ data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
 }
 {
 type = "lists";
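Review bot: In `--user-data-dir=/home/.+/\.config/vesktop.+` the `\.` sits inside a Nix double-quoted string, where a backslash before an ordinary character is simply dropped, so opensnitch receives `/home/.+/.config/vesktop.+` and that dot matches any character. Write `\\.config` (Nix `\\` becomes regex `\.`) or run the fragment through `escapeRegex` like the other literals on the line, e.g. `${escapeRegex "/.config/vesktop"}`. The same fragment appears in the hunks at -105 and -124 and was already present before this change, so it is a separate cleanup rather than a regression. `/home/.+/` also matches across directory separators; `/home/[^/]+/` pins it to a single user directory.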