diff --git a/flake.lock b/flake.lock
index 643c927..195ad1c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -141,11 +141,11 @@
 ]
 },
 "locked": {
- "lastModified": 1737534778,
- "narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=",
+ "lastModified": 1737973837,
+ "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "a650b785c5d2b064777e0c5af7a414267a8fc934",
+ "rev": "f19af140dacd0e211a25cf907be46356347e190f",
 "type": "github"
 },
 "original": {
@@ -495,11 +495,11 @@
 "nixpkgs-24_11": "nixpkgs-24_11"
 },
 "locked": {
- "lastModified": 1737201600,
- "narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=",
+ "lastModified": 1737736848,
+ "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4",
+ "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
 "type": "gitlab"
 },
 "original": {
@@ -531,11 +531,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1737469691,
- "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
+ "lastModified": 1738142207,
+ "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
+ "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index efebfba..d8aec34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,8 +69,8 @@
 let
 patches = [
 {
- url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1";
- hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo=";
+ url = "https://github.com/NixOS/nixpkgs/pull/377927.patch?full_index=1";
+ hash = "sha256-5nFQs0fcU50I6gdmDzCggH2wzaJgM1kwurkS1HHuxnE=";
 }
 ];
diff --git a/hardening/encrypt-dns.nix b/hardening/encrypt-dns.nix
index 664504f..97d3ef8 100644
--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
 {
 networking = {
 nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
@@ -19,10 +19,17 @@
 require_nolog = true;
 require_nofilter = true;
- sources.public-resolvers = {
+ sources.public-resolvers = let
+ serverList = pkgs.fetchurl {
+ # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
+ url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
+ hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
+ };
+ in {
 urls = [
 "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
 "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ # "file://${serverList}"
 ];
 cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
 minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix
index 5302fcd..27b557a 100644
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@@ -5,12 +5,6 @@
 CapabilityBoundingSet = [
 "CAP_NET_BIND_SERVICE" # sockets and tethering
 ];
- RestrictAddressFamilies = [
- "AF_UNIX" # sockets
- "AF_INET" # tethering
- "AF_INET6" # tethering
- "AF_NETLINK" # deamon callback
- ];
 NoNewPrivileges = true;
 RestrictNamespaces = [
 "~pid"
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index fe9bf4b..0df3226 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -18,7 +18,7 @@ in
 ./auditd.nix
 ./acpid.nix
 ./cups.nix
- ./bluetooth.nix
+ # ./bluetooth.nix
 # ./tty.nix
 ./ask-password.nix
 # ./nix-daemon.nix
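Review bot: `serverList` in the new `let` block of the second encrypt-dns.nix hunk is only referenced from the commented-out `# "file://${serverList}"` entry, so under Nix's lazy evaluation the `pkgs.fetchurl` is never built and the benefit the comment describes (fetching at build time so a wrong clock cannot break certificate validation) does not actually apply; the `pkgs` argument added in the first hunk of this file is likewise unused. Either enable the entry or drop the binding and the `pkgs` argument until it is needed, so the file does not carry a build-time fetch that never runs. Before enabling it, note that the URL tracks the `master` branch, so the pinned `hash` will fail with a hash mismatch as soon as upstream updates the list, and dnscrypt-proxy, as far as I recall, fetches the signature from `<url>.minisig`, so a matching `.minisig` file would also have to be fetched for the `minisign_key` check to pass. The enclosing `sources.public-resolvers` attribute set continues past the end of the hunk.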
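Review bot: Commenting out `./bluetooth.nix` in the default.nix hunk disables every hardening setting that file carries for the bluetooth unit (the `CapabilityBoundingSet`, `NoNewPrivileges` and `RestrictNamespaces` lines visible in the bluetooth.nix hunk), not just the `RestrictAddressFamilies` list the same commit removes, and the diff records no reason for either change. A short note next to the line would help the next reader, e.g. `# ./bluetooth.nix # TODO(owner): disabled — <what broke> and <what is needed to re-enable>`. While the import is commented out, the `RestrictAddressFamilies` removal in bluetooth.nix has no effect, so it may be worth keeping that file complete until the import comes back.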