protect user home by default and more hardening

2025-01-01 13:39:44 +01:00 · 2025-01-01 13:39:44 +01:00 · ddcbf54896
commit ddcbf54896
parent 96df3f3c9a
11 changed files with 85 additions and 62 deletions
--- a/common/gaming.nix
+++ b/common/gaming.nix
@ -50,7 +50,7 @@ in
    environment.systemPackages =
      with pkgs;
      [
-        heroic
+        # heroic
        prismlauncher
        mangohud
        the-powder-toy
--- a/common/graphics/qt.nix
+++ b/common/graphics/qt.nix
@ -49,10 +49,10 @@ in
      kdePackages.breeze-qt5
    ];

-    boot.plymouth = {
-      themePackages = with pkgs; [ catppuccin-plymouth ];
-      theme = "catppuccin-macchiato";
-      enable = true;
-    };
+    #boot.plymouth = {
+    #  themePackages = with pkgs; [ catppuccin-plymouth ];
+    #  theme = "catppuccin-macchiato";
+    #  enable = true;
+    #};
  };
 }
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@ -27,6 +27,7 @@ in
    ./java.nix
    ./opensnitch
    ./ranger.nix
+    ./defaultProtectHome.nix
    ./apparmor
  ];

--- a/common/tooling/defaultProtectHome.nix
+++ b/common/tooling/defaultProtectHome.nix
@ -0,0 +1,28 @@
+{ lib, ... }:
+with lib;
+{
+  options.systemd.services = mkOption {
+    type = types.attrsOf (
+      types.submodule {
+        config.serviceConfig.ProtectHome = lib.mkDefault true;
+      }
+    );
+  };
+
+  config.systemd.services = {
+    "user-runtime-dir@".serviceConfig.ProtectHome = false;
+    "user@".serviceConfig.ProtectHome = false;
+
+    display-manager.serviceConfig.ProtectHome = "read-only"; # false;
+
+    systemd-homed.serviceConfig.ProtectHome = false;
+    systemd-homed-activate.serviceConfig.ProtectHome = false;
+
+    dbus-broker.serviceConfig.ProtectHome = "read-only"; # false;
+  };
+
+  # config.systemd.units."service.d/protect-user-home-by-default.conf".text = ''
+  # [Service]
+  # ProtectHome=yes
+  # '';
+}
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@ -51,6 +51,7 @@ in
        Firewall = "iptables";
        LogLevel = 1;
        ProcMonitorMethod = "ftrace";
+        # ProcMonitorMethod = "audit";
      };

      rules = {
--- a/common/tooling/security.nix
+++ b/common/tooling/security.nix
@ -35,6 +35,7 @@ in

    # security.doas.enable = true;
    security.sudo.enable = true;
+    security.sudo.execWheelOnly = true;

    security.doas.extraRules = [
      {
--- a/flake.lock
+++ b/flake.lock
@ -137,15 +137,14 @@
        "jovian": "jovian",
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-small": "nixpkgs-small"
+        ]
      },
      "locked": {
-        "lastModified": 1734987419,
-        "narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=",
+        "lastModified": 1735509923,
+        "narHash": "sha256-oepXx1SWadUMvRWn7dXmIMpwfRC0ZLD0d/6ZW0meFN0=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22",
+        "rev": "5ace86fdaab9ab74d6a4ab8ecf64c57230d3cb8a",
        "type": "github"
      },
      "original": {
@ -384,11 +383,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734725857,
-        "narHash": "sha256-bivlV9l/UjMtTfz/CZaoNJ5RfH2Lre4P9Ds64conoUQ=",
+        "lastModified": 1735330405,
+        "narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "dbae2fd6adaf34c947d310bec08deac7c4ed265b",
+        "rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
        "type": "github"
      },
      "original": {
@ -494,11 +493,11 @@
        "nixpkgs-24_11": "nixpkgs-24_11"
      },
      "locked": {
-        "lastModified": 1734884447,
-        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
+        "lastModified": 1735230346,
+        "narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
+        "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
        "type": "gitlab"
      },
      "original": {
@ -530,16 +529,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734649271,
-        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+        "lastModified": 1735530358,
+        "narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+        "rev": "5000219208d860bafd1ee26eadb403449f3d9ab9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -559,22 +558,6 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-small": {
-      "locked": {
-        "lastModified": 1734838250,
-        "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1730741070,
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,7 @@

  inputs = {
    nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
+      url = "github:NixOS/nixpkgs/nixos-unstable-small";
      # url = "git+file:///home/grimmauld/coding/nixpkgs";
    };
    chaotic = {
--- a/grimm-nixos-ssd.qcow2
+++ b/grimm-nixos-ssd.qcow2
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@ -1,5 +1,6 @@
 {
  config,
+  lib,
  ...
 }:
 {
@ -15,6 +16,8 @@
  services.zfs.trim.enable = true;
  boot.supportedFilesystems.zfs = true;

+  # systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
+
  # security.pam.yubico.control = "required";

  services.printing.cups-pdf.enable = true; # implies printing enable
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@ -12,6 +12,7 @@
 let
  nix_build = "/nix/build-sandbox";
  persist = "/nix/persist";
+  tmp-exec = "/tmp-exec";
 in

 {
@ -38,7 +39,6 @@ in
  ];

  boot.kernelModules = [
-    "tmpfs"
    "iwlwifi"
    "iwlmvm"
    "mac80211"
@ -46,11 +46,15 @@ in
    "cfg80211"
  ]; # "kvm-intel"
  boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  boot.kernelParams = [ "nosgx" ];

  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;

  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
+  boot.loader.systemd-boot.consoleMode = "auto";

  systemd.tmpfiles.settings."mount"."/mnt".d = {
    group = "root";
@ -66,7 +70,7 @@ in
  boot.supportedFilesystems.zfs = true;
  networking.hostId = "40fa5ea8";
  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  boot.kernelPackages = pkgs.linuxPackages_6_6;
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
  boot.extraModulePackages = [ ];
  services.homed.enable = true;

@ -79,7 +83,7 @@ in
      "mode=755"
      "noexec"
      "nosuid"
-      # "nodev"
+      "nodev"
    ];
  };

@ -96,16 +100,6 @@ in
  environment.etc."machine-id".source = "${persist}/etc/machine-id";
  environment.memoryAllocator.provider = "libc";

-#  fileSystems."/nix/var" = {
-#    device = "${persist}/nix/var";
-#    options = [
-#      "bind"
-#      "noexec"
-#      "nosuid"
-#      "nodev"
-#    ];
-#  };
-
  fileSystems."/nix/var" = {
    device = "/nix/var";
    options = [
@ -132,7 +126,7 @@ in
    options = [
      "exec"
      "suid"
-      "dev"
+      "nodev"
    ];
  };

@ -148,18 +142,34 @@ in

  fileSystems."${nix_build}" = {
    # can execute
-    device = "none";
-    fsType = "tmpfs";
+    device = "zpool/nix-build";
+    fsType = "zfs";
    options = [
-      "defaults"
-      "size=30%"
-      "mode=755"
      "exec"
      "nosuid"
      "nodev"
    ];
  };

+  fileSystems."${tmp-exec}" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "defaults"
+      "size=2G"
+      "mode=755"
+      "exec"
+      "nosuid"
+      "nodev"
+      "mode=1777"
+    ];
+  };
+
+  environment.sessionVariables."java.io.tmpdir" = tmp-exec;
+
+  # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
+
+  systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root";
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;

  fileSystems."/etc/nixos" = {
@ -210,11 +220,6 @@ in
  #      options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
  #    };

-  #  fileSystems."/home/grimmauld" =
-  #    { device = "zpool/home/grimmauld";
-  #      fsType = "zfs";
-  #    };
-
  security.pam = {
    zfs = {
      enable = true;
@ -223,6 +228,7 @@ in
  };

  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
+  boot.initrd.luks.reusePassphrases = false;

  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3