From d50a73ab06f1220b67e5912c764c026ca52efc76 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 21 Jan 2025 19:27:00 +0100 Subject: [PATCH] updates --- common/tooling/default.nix | 6 +- flake.lock | 64 +++++++++++++++---- hardening/apparmor/apparmor-d-package.nix | 6 +- hardening/apparmor/apparmor-d-prebuild.patch | 19 ++++-- hardening/apparmor/default.nix | 35 +++------- hardening/opensnitch/default.nix | 2 +- hardening/systemd/default.nix | 2 +- hm/common/default.nix | 2 +- modules/matrix.nix | 6 +- .../hardware-configuration.nix | 1 + 10 files changed, 87 insertions(+), 56 deletions(-) diff --git a/common/tooling/default.nix b/common/tooling/default.nix index 9b6ebe2..343f04d 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -49,8 +49,6 @@ in starship unzip - p7zip - fbcat # gomuks @@ -64,6 +62,9 @@ in man-pages man-pages-posix + + undollar + openssl ] ++ optionals graphical [ wev @@ -71,6 +72,7 @@ in libva-utils gparted bottles + wlvncc ]; environment.sessionVariables = { diff --git a/flake.lock b/flake.lock index ce801eb..de23f45 100644 --- a/flake.lock +++ b/flake.lock @@ -132,6 +132,7 @@ }, "chaotic": { "inputs": { + "fenix": "fenix", "flake-schemas": "flake-schemas", "home-manager": "home-manager_2", "jovian": "jovian", @@ -140,11 +141,11 @@ ] }, "locked": { - "lastModified": 1736848948, - "narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=", + "lastModified": 1737474213, + "narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65", + "rev": "04e70503425690319c25814497f682145dd442c6", "type": "github" }, "original": { 
@@ -192,6 +193,28 @@
 "type": "github"
 }
 },
+ "fenix": {
+ "inputs": {
+ "nixpkgs": [
+ "chaotic",
+ "nixpkgs"
+ ],
+ "rust-analyzer-src": "rust-analyzer-src"
+ },
+ "locked": {
+ "lastModified": 1737268357,
+ "narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=",
+ "owner": "nix-community",
+ "repo": "fenix",
+ "rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "fenix",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -342,11 +365,11 @@
 ]
 },
 "locked": {
- "lastModified": 1736508663,
- "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
+ "lastModified": 1737221749,
+ "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
+ "rev": "97d7946b5e107dd03cc82f21165251d4e0159655",
 "type": "github"
 },
 "original": {
@@ -384,11 +407,11 @@
 ]
 },
 "locked": {
- "lastModified": 1736580596,
- "narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=",
+ "lastModified": 1737126697,
+ "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=",
 "owner": "Jovian-Experiments",
 "repo": "Jovian-NixOS",
- "rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083",
+ "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce",
 "type": "github"
 },
 "original": {
@@ -508,11 +531,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1736798957,
- "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
+ "lastModified": 1737062831,
+ "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
+ "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
 "type": "github"
 },
 "original": {
@@ -573,6 +596,23 @@ "nixpkgs": "nixpkgs" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1737215993, + "narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { "nixpkgs": [ diff --git a/hardening/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix index 6632b6b..cbbed8d 100644 --- a/hardening/apparmor/apparmor-d-package.nix +++ b/hardening/apparmor/apparmor-d-package.nix @@ -6,13 +6,13 @@ }: buildGoModule { pname = "apparmor-d"; - version = "unstable-2025-01-13"; + version = "unstable-2025-01-19"; src = fetchFromGitHub { - rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac"; + rev = "e41c5f6055197b3ad0985f5af735b7d272148360"; owner = "roddhjav"; repo = "apparmor.d"; - hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM="; + hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4="; }; vendorHash = null; diff --git a/hardening/apparmor/apparmor-d-prebuild.patch b/hardening/apparmor/apparmor-d-prebuild.patch index 7fcff4d..4e4f117 100644 --- a/hardening/apparmor/apparmor-d-prebuild.patch +++ b/hardening/apparmor/apparmor-d-prebuild.patch @@ -1,5 +1,5 @@ diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system -index 0a95d183..6be12d34 100644 +index 0a95d183..4e15d5e3 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -106,8 +106,8 @@ 
@@ -8,8 +8,8 @@ index 0a95d183..6be12d34 100644 # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin -@{lib}=/{,usr/}lib{,exec,32,64} -+@{bin}=/bin -+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64} ++@{bin}=/{nix/store/*/,}{,usr/}bin ++@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64} # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ @@ -27,18 +27,25 @@ index 3f2dd9f4..39a8b64a 100644 case "ubuntu": if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go -index a887d4b9..606b4643 100644 +index a887d4b9..eb0cc2ef 100644 --- a/pkg/aa/apparmor.go 
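Review bot: The new `@{lib}` line in this hunk, `++@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}`, writes the wrappers alternative with a leading slash and no trailing slash, so it expands to `//run/wrapperslib...` and `//run/wrappersusr/lib...` and never to `/run/wrappers/lib...`; compare the `nix/store/*/` alternative beside it. The apparmor.go hunk on the next line carries the same malformed alternative, but on `@{bin}` (`/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin`) and with `{,s}` kept, so the tunables file and `DefaultTunables` now disagree on both variables. Presumably the target is the NixOS setuid wrapper directory `/run/wrappers/bin`, which belongs under `@{bin}`; I'd use `@{bin}=/{nix/store/*/,run/wrappers/,}{,usr/}{,s}bin` and `@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}` in both places. As written, no `@{bin}/...` rule in the generated profiles can match an executable under `/run/wrappers/bin`, so the entry does not take effect.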
+++ b/pkg/aa/apparmor.go -@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile { +@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, -+ &Variable{Name: "bin", Values: []string{"/bin"}, Define: true}, ++ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, + &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, + &Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true}, +- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true}, ++ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true}, + &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true}, + &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, + &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 4b8e11ec..11eab5f7 100644 --- a/pkg/prebuild/prepare/configure.go diff --git a/hardening/apparmor/default.nix b/hardening/apparmor/default.nix index 03d77aa..ac41555 100644 --- a/hardening/apparmor/default.nix +++ b/hardening/apparmor/default.nix 
@@ -19,8 +19,10 @@ in security.apparmor.killUnconfinedConfinables = false; security.apparmor.includes."tunables/alias.d/programs" = '' - # alias / -> @{nix_store}/, + # alias / -> /nix/store/*/, alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, + alias /bin/spotify -> ${pkgs.spotify}/share/spotify/.spotify-wrapped, + alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped, ''; environment.systemPackages = with pkgs; [ apparmor-parser ]; @@ -39,13 +41,13 @@ in pass = "enforce"; spotify = "enforce"; "thunderbird.apparmor.d" = "enforce"; - # xdg-open = "enforce"; + xdg-open = "enforce"; child-open-any = "enforce"; child-open = "enforce"; firefox-glxtest = "enforce"; firefox-vaapitest = "enforce"; gamemoded = "disable"; - pkexec = "complain"; + # pkexec = "complain"; xdg-mime = "complain"; mimetype = "complain"; # sudo = "complain"; @@ -117,7 +119,6 @@ in ''; "local/xdg-open" = '' - @{bin}/grep rix, /** r, ''; @@ -135,7 +136,7 @@ in /sys/devices/@{pci}/boot_vga r, /sys/devices/@{pci}/**/id{Vendor,Product} r, /dev/ r, - @{bin}/xdg-open rPx, + # @{bin}/xdg-open rPx, /bin/electron rix, ''; @@ -144,8 +145,7 @@ in ''; "local/unix-chkpwd" = '' - /run/wrappers/wrappers.*/unix_chkpwd rix, - @{bin}/unix_chkpwd rix, + capability dac_read_search, ''; # "local/spotify" = '' @@ -156,8 +156,6 @@ in security.apparmor.policies = { passff = { state = "enforce"; - # enable = true; - # enforce = true; profile = '' abi , include @@ -171,8 +169,6 @@ in swaymux = { state = "enforce"; - # enable = true; - # enforce = true; profile = '' abi , include @@ -180,14 +176,12 @@ in include # read access to /nix/store, basic presets for most apps ${pkgs.swaymux}/bin/* rix, # wrapping /dev/tty r, - owner @{user_config_dirs}/Kvantum/** r, # themeing + owner @{user_config_dirs}/** r, } ''; }; # speech-dispatcher-test = { - # enable = true; - # enforce = true; # profile = ''# # #abi , 
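Review bot: The added `alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,` uses a store-wide wildcard, while the spotify aliases beside it pin the exact derivation with `${pkgs.spotify}`; if the parser honours a glob in an alias, every store output that contains a `bin/.firefox-wrapped` — older or differently built ones included — is treated as the confined `/bin/firefox`. Pinning it the same way, `alias /bin/firefox -> ${pkgs.firefox}/bin/.firefox-wrapped,`, keeps the mapping tied to the firefox that is actually installed (the wrapper path inside the derivation would need checking). If the wildcard is deliberate, a short comment saying why would save the next reader the question.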
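Review bot: `capability dac_read_search,` is added to `local/unix-chkpwd` with no comment on why the two exec rules it replaces (`/run/wrappers/wrappers.*/unix_chkpwd rix,` and `@{bin}/unix_chkpwd rix,`) were dropped or which denial the capability resolves. Unlike a path rule, a capability is not scoped to one file — CAP_DAC_READ_SEARCH bypasses DAC read and search checks for the whole confined process — so the reason belongs next to it for the next audit. I'd add a line such as `# dac_read_search: <reason from the audit denial — TODO fill in>` above the rule.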
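Review bot: `owner @{user_config_dirs}/** r,` widens swaymux's read access from `Kvantum/**` to the entire user config tree, which may hold other programs' tokens and credentials, and the removed line's `# themeing` comment suggests only theme files were needed. If another directory is required, list it instead, e.g. `owner @{user_config_dirs}/{Kvantum,<other-dir>}/** r, # themeing`, keeping the comment that says why; if the broad read really is needed, the reason should be stated on the line. The `profile swaymux` block this rule sits in begins before the hunk.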
@@ -221,21 +215,8 @@ in #} ''; # }; - sleep = { - state = "enforce"; - profile = '' - abi , - include - profile sleep ${getExe' pkgs.coreutils-full "sleep"} { - include - } - ''; - }; - osu-lazer = { state = "disable"; - # enable = true; - # enforce = true; profile = '' abi , include diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index 201384d..8c9f30b 100644 --- a/hardening/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix @@ -213,7 +213,7 @@ in type = "simple"; sensitive = false; operand = "process.path"; - data = getExe pkgs.nix; + data = getExe config.nix.package; } { type = "regexp"; diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index 7f20815..6a9348e 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix @@ -21,7 +21,7 @@ in ./bluetooth.nix ./tty.nix ./ask-password.nix - ./nix-daemon.nix + # ./nix-daemon.nix ./nscd.nix ./rtkit.nix ./sshd.nix diff --git a/hm/common/default.nix b/hm/common/default.nix index eac188b..1c726e6 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -139,7 +139,7 @@ in programs.gradle = { enable = true; settings = { - "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk"; + # "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk"; "org.gradle.java.installations.auto-detect" = false; }; }; diff --git a/modules/matrix.nix b/modules/matrix.nix index fdc4ba3..0c5936d 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -50,12 +50,12 @@ in database = { name = "psycopg2"; args = { - host = "localhost"; - port = config.services.postgresql.settings.port; dbname = "synapse"; user = "synapse"; - cp_min = 5; + host = "localhost"; + port = config.services.postgresql.settings.port; cp_max = 10; + cp_min = 5; client_encoding = "auto"; passfile = config.age.secrets.synapse_db_pass_prepared.path; }; 
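Review bot: `# ./nix-daemon.nix` in the systemd hunk removes the nix-daemon hardening unit from the imports with no note on why, so a later reader cannot tell whether it is a temporary workaround or a deliberate drop. I'd carry the reason on the line, e.g. `# ./nix-daemon.nix  # disabled: <reason> — TODO re-enable`. The opensnitch hunk's switch to `config.nix.package` hints that the daemon binary in use changed, which could explain a path-based unit breaking, but that is a guess. The imports list this sits in continues outside the hunk.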
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index fe7d6fa..356f1ae 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix @@ -63,6 +63,7 @@ in boot.zfs = { forceImportRoot = false; requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later. + package = pkgs.zfs_2_3; }; boot.supportedFilesystems.zfs = true;