pull bluetooth hardening from PR

2025-01-30 23:03:43 +01:00 · 2025-01-30 23:03:43 +01:00 · b9b01f1489
commit b9b01f1489
parent 24caa93a7c
5 changed files with 21 additions and 20 deletions
--- a/flake.lock
+++ b/flake.lock
@ -141,11 +141,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737534778,
-        "narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=",
+        "lastModified": 1737973837,
+        "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "a650b785c5d2b064777e0c5af7a414267a8fc934",
+        "rev": "f19af140dacd0e211a25cf907be46356347e190f",
        "type": "github"
      },
      "original": {
@ -495,11 +495,11 @@
        "nixpkgs-24_11": "nixpkgs-24_11"
      },
      "locked": {
-        "lastModified": 1737201600,
-        "narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=",
+        "lastModified": 1737736848,
+        "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4",
+        "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
        "type": "gitlab"
      },
      "original": {
@ -531,11 +531,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1737469691,
-        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
+        "lastModified": 1738142207,
+        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
+        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -69,8 +69,8 @@
    let
      patches = [
        {
-          url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1";
-          hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo=";
+          url = "https://github.com/NixOS/nixpkgs/pull/377927.patch?full_index=1";
+          hash = "sha256-5nFQs0fcU50I6gdmDzCggH2wzaJgM1kwurkS1HHuxnE=";
        }
      ];

--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
 {
  networking = {
    nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
@ -19,10 +19,17 @@
      require_nolog = true;
      require_nofilter = true;

-      sources.public-resolvers = {
+      sources.public-resolvers = let
+        serverList = pkgs.fetchurl {
+          # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
+          url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
+          hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
+        };
+      in {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          # "file://${serverList}"
        ];
        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@ -5,12 +5,6 @@
      CapabilityBoundingSet = [
        "CAP_NET_BIND_SERVICE" # sockets and tethering
      ];
-      RestrictAddressFamilies = [
-        "AF_UNIX" # sockets
-        "AF_INET" # tethering
-        "AF_INET6" # tethering
-        "AF_NETLINK" # deamon callback
-      ];
      NoNewPrivileges = true;
      RestrictNamespaces = [
          "~pid"
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@ -18,7 +18,7 @@ in
    ./auditd.nix
    ./acpid.nix
    ./cups.nix
-    ./bluetooth.nix
+    # ./bluetooth.nix
    # ./tty.nix
    ./ask-password.nix
    # ./nix-daemon.nix