protect user home by default and more hardening

This commit is contained in:
Grimmauld 2025-01-01 13:39:44 +01:00
parent 96df3f3c9a
commit ddcbf54896
11 changed files with 85 additions and 62 deletions


@ -50,7 +50,7 @@ in
environment.systemPackages =
with pkgs;
[
heroic
# heroic
prismlauncher
mangohud
the-powder-toy


@ -49,10 +49,10 @@ in
kdePackages.breeze-qt5
];
boot.plymouth = {
themePackages = with pkgs; [ catppuccin-plymouth ];
theme = "catppuccin-macchiato";
enable = true;
};
#boot.plymouth = {
# themePackages = with pkgs; [ catppuccin-plymouth ];
# theme = "catppuccin-macchiato";
# enable = true;
#};
};
}


@ -27,6 +27,7 @@ in
./java.nix
./opensnitch
./ranger.nix
./defaultProtectHome.nix
./apparmor
];


@ -0,0 +1,28 @@
{ lib, ... }:
with lib;
{
options.systemd.services = mkOption {
type = types.attrsOf (
types.submodule {
config.serviceConfig.ProtectHome = lib.mkDefault true;
}
);
};
config.systemd.services = {
"user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false;
display-manager.serviceConfig.ProtectHome = "read-only"; # false;
systemd-homed.serviceConfig.ProtectHome = false;
systemd-homed-activate.serviceConfig.ProtectHome = false;
dbus-broker.serviceConfig.ProtectHome = "read-only"; # false;
};
# config.systemd.units."service.d/protect-user-home-by-default.conf".text = ''
# [Service]
# ProtectHome=yes
# '';
}
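Review bot: The `ProtectHome = true` default injected through the submodule reaches every unit not listed under `config.systemd.services`, including units that spawn logins or read files under /home — `getty@`/`serial-getty@` and `sshd` (if enabled on these hosts) are not exempted, so a TTY login would presumably land in a namespace with an empty /home and sshd could not read `~/.ssh/authorized_keys`, because child processes inherit the service's mount namespace. The `"read-only"` setting on `display-manager` and `dbus-broker` presumably only works because homed mounts each home directory separately and that mount propagates into the restricted namespace; that assumption deserves a comment next to those two lines, e.g. `# read-only suffices here: homed mounts /home/<user> as its own mount, so the user's home stays writable — re-check if homed is ever disabled`. A header comment on the `mkOption` block would also help a future reader, e.g. `# Re-declaring systemd.services with a submodule merges with the upstream option and gives every service ProtectHome=true at mkDefault priority; the services below opt out explicitly.` The commented-out `systemd.units."service.d/…"` drop-in at the bottom is dead code now that the submodule approach is in place and can be removed.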


@ -51,6 +51,7 @@ in
Firewall = "iptables";
LogLevel = 1;
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
rules = {


@ -35,6 +35,7 @@ in
# security.doas.enable = true;
security.sudo.enable = true;
security.sudo.execWheelOnly = true;
security.doas.extraRules = [
{


@ -137,15 +137,14 @@
"jovian": "jovian",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-small": "nixpkgs-small"
]
},
"locked": {
"lastModified": 1734987419,
"narHash": "sha256-2K4V615Y29QhMUShX9k52l7gXF2erkq9yH9qGRZGKQ0=",
"lastModified": 1735509923,
"narHash": "sha256-oepXx1SWadUMvRWn7dXmIMpwfRC0ZLD0d/6ZW0meFN0=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "d61084b851dbf3072f8b40c3870b0f7938ca3f22",
"rev": "5ace86fdaab9ab74d6a4ab8ecf64c57230d3cb8a",
"type": "github"
},
"original": {
@ -384,11 +383,11 @@
]
},
"locked": {
"lastModified": 1734725857,
"narHash": "sha256-bivlV9l/UjMtTfz/CZaoNJ5RfH2Lre4P9Ds64conoUQ=",
"lastModified": 1735330405,
"narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "dbae2fd6adaf34c947d310bec08deac7c4ed265b",
"rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
"type": "github"
},
"original": {
@ -494,11 +493,11 @@
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1734884447,
"narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
"lastModified": 1735230346,
"narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "63209b1def2c9fc891ad271f474a3464a5833294",
"rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
"type": "gitlab"
},
"original": {
@ -530,16 +529,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1734649271,
"narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
"lastModified": 1735530358,
"narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
"rev": "5000219208d860bafd1ee26eadb403449f3d9ab9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
@ -559,22 +558,6 @@
"type": "indirect"
}
},
"nixpkgs-small": {
"locked": {
"lastModified": 1734838250,
"narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da8a31d09dd004be34b5c54eda83f9a27b357726",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,


@ -3,7 +3,7 @@
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
url = "github:NixOS/nixpkgs/nixos-unstable-small";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {

BIN
grimm-nixos-ssd.qcow2 Normal file

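Review bot: `grimm-nixos-ssd.qcow2` is a VM disk image committed as a regular file, which does not belong in a configuration repository: it is a build artifact, it bloats every clone, and its contents are whatever the guest wrote (machine-id, host keys, anything typed during testing), none of which a hardening commit should publish. Presumably it was staged by accident alongside the other changes; untrack it, purge it from history if the remote is shared, and add `*.qcow2` to `.gitignore`.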


@ -1,5 +1,6 @@
{
config,
lib,
...
}:
{
@ -15,6 +16,8 @@
services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true;
# systemd.services = lib.mapAttrs' (n: v: { serviceConfig.ProtectHome = lib.mkDefault true; }) (filterAttrs: (n: v: false) config.systemd.services);
# security.pam.yubico.control = "required";
services.printing.cups-pdf.enable = true; # implies printing enable
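Review bot: `config` is added to the module arguments in the first hunk, but its only use is inside the commented-out `systemd.services = lib.mapAttrs' …` line in the second hunk, so the new parameter is unused (and the comment's `filterAttrs: (n: v: false)` would not be valid Nix if uncommented). Since this same commit adds `defaultProtectHome.nix` to do this properly, drop the comment and revert the argument-list change rather than leaving the experiment behind; if a reminder is wanted, a one-line pointer such as `# ProtectHome default for all services lives in defaultProtectHome.nix` says more than the dead code.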


@ -12,6 +12,7 @@
let
nix_build = "/nix/build-sandbox";
persist = "/nix/persist";
tmp-exec = "/tmp-exec";
in
{
@ -38,7 +39,6 @@ in
];
boot.kernelModules = [
"tmpfs"
"iwlwifi"
"iwlmvm"
"mac80211"
@ -46,11 +46,15 @@ in
"cfg80211"
]; # "kvm-intel"
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernelParams = [ "nosgx" ];
security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false;
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
boot.loader.systemd-boot.consoleMode = "auto";
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
@ -66,7 +70,7 @@ in
boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8";
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_6;
boot.kernelPackages = pkgs.linuxPackages_6_12;
boot.extraModulePackages = [ ];
services.homed.enable = true;
@ -79,7 +83,7 @@ in
"mode=755"
"noexec"
"nosuid"
# "nodev"
"nodev"
];
};
@ -96,16 +100,6 @@ in
environment.etc."machine-id".source = "${persist}/etc/machine-id";
environment.memoryAllocator.provider = "libc";
# fileSystems."/nix/var" = {
# device = "${persist}/nix/var";
# options = [
# "bind"
# "noexec"
# "nosuid"
# "nodev"
# ];
# };
fileSystems."/nix/var" = {
device = "/nix/var";
options = [
@ -132,7 +126,7 @@ in
options = [
"exec"
"suid"
"dev"
"nodev"
];
};
@ -148,18 +142,34 @@ in
fileSystems."${nix_build}" = {
# can execute
device = "none";
fsType = "tmpfs";
device = "zpool/nix-build";
fsType = "zfs";
options = [
"defaults"
"size=30%"
"mode=755"
"exec"
"nosuid"
"nodev"
];
};
fileSystems."${tmp-exec}" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
"mode=755"
"exec"
"nosuid"
"nodev"
"mode=1777"
];
};
environment.sessionVariables."java.io.tmpdir" = tmp-exec;
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root";
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
fileSystems."/etc/nixos" = {
@ -210,11 +220,6 @@ in
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
# fileSystems."/home/grimmauld" =
# { device = "zpool/home/grimmauld";
# fsType = "zfs";
# };
security.pam = {
zfs = {
enable = true;
@ -223,6 +228,7 @@ in
};
boot.initrd.luks.yubikeySupport = true; # enable yubikey support
boot.initrd.luks.reusePassphrases = false;
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3