pull bluetooth hardening from PR

flake.lock

@@ -141,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737534778,
+        "lastModified": 1737973837,
-        "narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=",
+        "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "a650b785c5d2b064777e0c5af7a414267a8fc934",
+        "rev": "f19af140dacd0e211a25cf907be46356347e190f",
         "type": "github"
       },
       "original": {
@@ -495,11 +495,11 @@
         "nixpkgs-24_11": "nixpkgs-24_11"
       },
       "locked": {
-        "lastModified": 1737201600,
+        "lastModified": 1737736848,
-        "narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=",
+        "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4",
+        "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
         "type": "gitlab"
       },
       "original": {
@@ -531,11 +531,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1737469691,
+        "lastModified": 1738142207,
-        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
         "type": "github"
       },
       "original": {

flake.nix

@@ -69,8 +69,8 @@
     let
       patches = [
         {
-          url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1";
+          url = "https://github.com/NixOS/nixpkgs/pull/377927.patch?full_index=1";
-          hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo=";
+          hash = "sha256-5nFQs0fcU50I6gdmDzCggH2wzaJgM1kwurkS1HHuxnE=";
         }
       ];
 

hardening/encrypt-dns.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
 {
   networking = {
     nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
@@ -19,10 +19,17 @@
       require_nolog = true;
       require_nofilter = true;
 
-      sources.public-resolvers = {
+      sources.public-resolvers = let
+        serverList = pkgs.fetchurl {
+          # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
+          url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
+          hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
+        };
+      in {
         urls = [
           "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
           "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          # "file://${serverList}"
         ];
         cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
         minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";

hardening/systemd/bluetooth.nix

@@ -5,12 +5,6 @@
       CapabilityBoundingSet = [
         "CAP_NET_BIND_SERVICE" # sockets and tethering
       ];
-      RestrictAddressFamilies = [
-        "AF_UNIX" # sockets
-        "AF_INET" # tethering
-        "AF_INET6" # tethering
-        "AF_NETLINK" # deamon callback
-      ];
       NoNewPrivileges = true;
       RestrictNamespaces = [
           "~pid"

hardening/systemd/default.nix

@@ -18,7 +18,7 @@ in
     ./auditd.nix
     ./acpid.nix
     ./cups.nix
-    ./bluetooth.nix
+    # ./bluetooth.nix
     # ./tty.nix
     ./ask-password.nix
     # ./nix-daemon.nix