diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index c82b244..6854b0f 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -59,14 +59,14 @@ in # serviceConfig.Type = "oneshot"; #}; - systemd.enableCgroupAccounting = true; + # systemd.enableCgroupAccounting = true; # systemd.enableUnifiedCgroupHierarchy = false; boot = { kernelParams = [ # "intel_iommu=on" "nohibernate" - "pcie_aspm=off" + # "pcie_aspm=off" ]; loader.efi.canTouchEfiVariables = true; initrd.availableKernelModules = [ diff --git a/common/tooling/default.nix b/common/tooling/default.nix index 343f04d..d7e6900 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -38,24 +38,22 @@ in (writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'') urlencode - rfindup - pstree - file wget bat - hyfetch - btop + fastfetch + eza starship + fd + ripgrep + file + pstree + rfindup + btop unzip fbcat - # gomuks - imagemagick - nmap - - parted expect gptfdisk qrencode @@ -78,8 +76,12 @@ in environment.sessionVariables = { MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'"; MANROFFOPT = "-c"; + SYSTEMD_PAGER = getExe pkgs.bat; + SYSTEMD_PAGERSECURE = "true"; }; + programs.command-not-found.enable = true; + documentation.dev.enable = true; # virtualisation.docker.enable = true; @@ -87,7 +89,7 @@ in services.dbus.implementation = "broker"; boot.tmp.cleanOnBoot = true; - # zramSwap.enable = false; + # zramSwap.enable = false; }; options.grimmShared.tooling = { diff --git a/common/tooling/nix-index.nix b/common/tooling/nix-index.nix index 3416036..8c33658 100644 --- a/common/tooling/nix-index.nix +++ b/common/tooling/nix-index.nix @@ -16,6 +16,9 @@ in }; users.groups."${user}" = { }; + # programs.nix-index.enable = true; + # programs.nix-index.enableBashIntegration = true; + nix.settings.allowed-users = [ user ]; environment.systemPackages = with pkgs; [ diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix index fde7643..200d4e2 100644 
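Review bot: `SYSTEMD_PAGERSECURE = "true";` in the sessionVariables hunk of common/tooling/default.nix is the conservative choice but has no comment, so a later reader who wants bat's interactive features back under sudo may simply flip it. Secure mode makes systemd export LESSSECURE=1 to the pager so that it cannot open files or spawn subprocesses while running with elevated privileges; bat does not interpret that variable itself and hands output to its own less child, so whether the restriction actually applies with a non-less `SYSTEMD_PAGER` is worth confirming against systemd's pager handling. Suggested comment on that line: `# keep the pager in secure mode (LESSSECURE=1) even when invoked via sudo; see SYSTEMD_PAGERSECURE in systemctl(1)`. The enclosing sessionVariables block starts before the hunk.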
--- a/common/tooling/nix.nix +++ b/common/tooling/nix.nix @@ -16,7 +16,8 @@ nixpkgs-hammering nix-output-monitor nix-search-cli - niv + nix-update + # niv nvd vulnix nix-init diff --git a/common/xdg/default.nix b/common/xdg/default.nix index c02c6f9..b68da0c 100644 --- a/common/xdg/default.nix +++ b/common/xdg/default.nix @@ -14,4 +14,6 @@ }; }; + xdg.icons.enable = true; + } diff --git a/common/xdg/portals.nix b/common/xdg/portals.nix index 3d93c06..44e338c 100644 --- a/common/xdg/portals.nix +++ b/common/xdg/portals.nix @@ -32,9 +32,9 @@ in xdgOpenUsePortal = true; extraPortals = with pkgs; [ xdg-desktop-portal-wlr - xdg-desktop-portal-kde - xdg-desktop-portal-gtk - lxqt.xdg-desktop-portal-lxqt + # xdg-desktop-portal-kde + # xdg-desktop-portal-gtk + # lxqt.xdg-desktop-portal-lxqt ]; wlr.enable = true; diff --git a/flake.lock b/flake.lock index de23f45..643c927 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1736590503, - "narHash": "sha256-w69DFuUM6F92rQMl5mcnsx9Zv7Pk8ozcLffIYfOa2LI=", + "lastModified": 1737538029, + "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "72da6960bac5f84804a2ea36a90dbd25ed1bbf93", + "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d", "type": "github" }, "original": { @@ -141,11 +141,11 @@ ] }, "locked": { - "lastModified": 1737474213, - "narHash": "sha256-p4hHWikaYgtZmZlas1b/p2+R72j7ZtUmGp2qoC1VcbI=", + "lastModified": 1737534778, + "narHash": "sha256-7h/lJWRzKKCmpKmgGk2ZzWbj73Dqi607grXC/EhFQMI=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "04e70503425690319c25814497f682145dd442c6", + "rev": "a650b785c5d2b064777e0c5af7a414267a8fc934", "type": "github" }, "original": { 
@@ -495,11 +495,11 @@ "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1735230346, - "narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=", + "lastModified": 1737201600, + "narHash": "sha256-JBh5+g8oQteQdQqbO07dGHBRQo/NGI61JPlTjdfQ1pk=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b", + "rev": "ade37b2765032f83d2d4bd50b6204a40a4c05eb4", "type": "gitlab" }, "original": { @@ -531,11 +531,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1737469691, + "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 77e5b4e..efebfba 100644 --- a/flake.nix +++ b/flake.nix @@ -68,6 +68,10 @@ }: let patches = [ + { + url = "https://github.com/NixOS/nixpkgs/pull/376376.patch?full_index=1"; + hash = "sha256-LtMtv1SiCAS/gotcc8MLny4IXCjY/EnLR0pH9XaCVCo="; + } ]; customNixosSystem = diff --git a/hardening/default.nix b/hardening/default.nix index 79af69b..df4b1e5 100644 --- a/hardening/default.nix +++ b/hardening/default.nix @@ -1,7 +1,6 @@ { lib, pkgs, - config, ... }: { @@ -13,13 +12,16 @@ ./security.nix ]; - specialisation.unhardened.configuration = { }; - # services.opensnitch.enable = lib.mkForce false; + specialisation.unhardened.configuration = { + services.opensnitch.enable = lib.mkForce false; + security.apparmor.enable = lib.mkForce false; + }; + # systemd.tpm2.enable = false; systemd.enableEmergencyMode = false; virtualisation.vswitch.enable = false; - # services.resolved.enable = false; + services.resolved.enable = false; security.unprivilegedUsernsClone = true; environment.defaultPackages = lib.mkForce [ ]; environment.systemPackages = with pkgs; [ nano ]; 
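Review bot: The `specialisation.unhardened.configuration` block in hardening/default.nix now switches off both opensnitch and AppArmor, which turns a recovery boot entry into a one-click way to run the machine with no application firewall and no MAC, yet nothing in the hunk records why the entry exists or that only the bootloader menu gates it. A comment such as `# recovery entry: no egress filtering and no AppArmor confinement; select only from a trusted console` would keep that trade-off visible. `services.resolved.enable = false;` is also flipped from commented-out to active without a reason; if name servers now come from NetworkManager rather than `networking.nameservers`, any rule built from that option (the nsncd DNS rule in the new opensnitch file appears to be one) may end up with an empty server list, which is worth confirming. The enclosing module body continues outside the hunk.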
diff --git a/hardening/opensnitch/vesktop.nix b/hardening/opensnitch/vesktop.nix new file mode 100644 index 0000000..8c9f30b --- /dev/null +++ b/hardening/opensnitch/vesktop.nix 
@@ -0,0 +1,690 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + graphical + network + ; + inherit (lib) + optional + getBin + getExe + concatLines + getExe' + escapeRegex + getVersion + mkIf + + filter + split + strings + concatStringsSep + length + isString + ; + + local_network = [ + "192.168.0.0/16" + "10.0.0.0/8" + "172.16.0.0/12" + "fc00::/7" + ]; + local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + environment.systemPackages = optional graphical pkgs.opensnitch-ui; + grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; + networking.nftables.enable = true; + + # security.audit.enable = true; + systemd.services.opensnitchd.path = lib.optional ( + config.services.opensnitch.settings.ProcMonitorMethod == "audit" + ) pkgs.audit.bin; + + services.opensnitch = { + enable = true; + settings = { + DefaultAction = "deny"; + Firewall = if config.networking.nftables.enable then "nftables" else "iptables"; + ProcMonitorMethod = "ftrace"; + # ProcMonitorMethod = "audit"; + }; + + rules = { + firefox = + let + cfg = config.programs.firefox; + pkg = ( + cfg.package.override (old: { + extraPrefsFiles = + old.extraPrefsFiles or [ ] + ++ cfg.autoConfigFiles + ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; + nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; + cfg = (old.cfg or { }) // cfg.wrapperConfig; + }) + ); + in + # pkg = pkgs.firefox-unwrapped; + mkIf (config.programs.firefox.enable) { + name = "firefox"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${getBin pkg}/lib/firefox/firefox"; + }; + }; + + block-list = { + name = "block-list"; + action = "deny"; + enabled = true; + duration = 
"always"; + inherit created; + operator = { + type = "lists"; + operand = "lists.domains"; + data = pkgs.callPackage ./block_lists.nix { }; + }; + }; + + git = { + name = "git-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.git.outPath}/.*"; + }; + }; + + ssh = { + name = "ssh-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; + }; + }; + + nsncd = mkIf (config.services.nscd.enableNsncd) { + name = "nsncd-dns"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe pkgs.nsncd; + } + { + type = "simple"; + operand = "dest.port"; + data = "53"; + } + { + type = "lists"; + operand = "lists.nets"; + data = pkgs.writeTextDir "cidr_dns.list" ( + concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network) + ); + } + { + type = "simple"; + operand = "user.id"; + data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid); + } + ]; + }; + }; + + nix-index = { + name = "nix-index"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.nix-index-unwrapped "nix-index"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "simple"; + sensitive = false; + operand = "dest.host"; + data = "cache.nixos.org"; + } + + ]; + }; + }; + + nix = { + name = "nix"; + enabled = true; + action = "allow"; + duration = "always"; + inherit 
created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe config.nix.package; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = "(channels|cache)\\.nixos\\.org"; + } + + ]; + }; + }; + + localhost = { + name = "localhost"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "dest.ip"; + data = "^(127\\.0\\.0\\.1|::1)$"; + }; + }; + + spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) { + name = "spotify-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + }; + }; + + osu_deny = mkIf (config.grimmShared.gaming && graphical) { + name = "osu-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; + }; + }; + + osu_allow = mkIf (config.grimmShared.gaming && graphical) { + name = "osu-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|53"; + } + { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; + } + { + type = "regexp"; + sensitive = false; + operand = 
"dest.host"; + data = "(api\.github\.com)|((.+\.)?ppy\.sh)"; + } + ]; + }; + }; + + ncspot = mkIf (config.grimmShared.spotify.enable) { + name = "ncspot"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|4070"; + } + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = lib.getExe pkgs.ncspot; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./spotify_hosts; + } + ]; + }; + }; + + spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) { + name = "spotify-allow"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|4070"; + } + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./spotify_hosts; + } + ]; + }; + }; + + spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) { + name = "spotify-allow-local"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + } + { + type = "lists"; + operand = "lists.nets"; + data = local_ips; + } + ]; + }; + }; + + vesktop_deny = mkIf (graphical) { + name = "vesktop-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex 
(getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + }; + }; + + vesktop_allow = mkIf (graphical) { + name = "vesktop-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./discord_hosts; + } + ]; + }; + }; + + vesktop_daemon_allow_udp = mkIf graphical { + name = "vesktop-allow-udp"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + } + { + type = "simple"; + operand = "protocol"; + data = "udp"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "500[0-9]{2}"; + } + ]; + }; + }; + + vesktop_daemon_deny = mkIf (graphical) { + name = "vesktop-daemon-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + }; + }; + + vesktop_daemon_allow = mkIf (graphical) { + 
name = "vesktop-daemon-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./discord_hosts; + } + ]; + }; + }; + + avahi = mkIf (config.services.avahi.enable) { + name = "avahi"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' config.services.avahi.package "avahi-daemon"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "5353|53"; + } + { + type = "simple"; + operand = "user.id"; + data = "996"; + } + ]; + }; + }; + + icmp = { + name = "icmp"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + operand = "protocol"; + sensitive = false; + data = "icmp(4|6)?"; + }; + }; + + network-manager = mkIf (config.networking.networkmanager.enable) { + name = "network-manager"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.networkmanager "networkmanager"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "547|67"; + } + # { + # type ="simple"; + # operand = "dest.network"; + # data = "ff02::1:2"; + # } + ]; + }; + }; + + cups-filters = mkIf (config.services.printing.enable) { + name = "cups-filters"; + enabled = true; + action = 
"allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.cups-filters "cups-browsed"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|631|80"; + } + { + type = "lists"; + operand = "lists.nets"; + data = local_ips; + } + ]; + }; + }; + + systemd-timesyncd = mkIf (config.services.timesyncd.enable) { + name = "systemd-timesyncd"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "123|37|53"; + } + # { + # type = "regexp"; + # sensitive = false; + # operand = "dest.host"; + # data = ".*\.nixos\.pool\.ntp\.org"; + # } + { + type = "simple"; + operand = "user.id"; + data = "154"; + } + ]; + }; + }; + + nextcloud = mkIf (false) { + # config.grimmShared.cloudSync.enable + name = "nextcloud"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = + let + l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); + in + (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l); + # config.grimmShared.cloudSync.server; + } + { + type = "regexp"; + operand = "dest.port"; + data = "443|53"; + } + ]; + }; + }; + }; + }; + }; +} diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index 6a9348e..f153985 100644 --- a/hardening/systemd/default.nix 
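Review bot: Several regexes in the new rule set lose their escaping because a Nix double-quoted string turns `\.` into a plain `.`: `osu_allow` writes `data = "(api\.github\.com)|((.+\.)?ppy\.sh)"` while `nix` and `localhost` in the same file correctly write `\\.`, so the osu host pattern evaluates to `(api.github.com)|((.+.)?ppy.sh)` and the three vesktop `process.command` patterns end in `/.config/` rather than `/\.config/`; write `data = "(api\\.github\\.com)|((.+\\.)?ppy\\.sh)";` and `\\.config` there. As far as I know opensnitch's `regexp` operator is Go's unanchored MatchString, so port patterns such as `"53|443"`, `"443|4070"`, `"5353|53"` and `"123|37|53"` and the osu host pattern also match any value that merely contains the substring (`5353`, `8443`, `1230`, longer host names); anchoring them as `"^(53|443)$"` and `"^((api\\.github\\.com)|((.+\\.)?ppy\\.sh))$"` makes the allow rules mean what their names say. Separately, `avahi` and `systemd-timesyncd` hard-code `user.id` values `996` and `154` while `nsncd` derives its uid from `config.users.users.nscd.uid`; deriving the other two the same way avoids a silent mismatch if the ids are allocated differently. Nothing in this diff imports `hardening/opensnitch/vesktop.nix`, so unless it was already wired in elsewhere these rules are not applied.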
+++ b/hardening/systemd/default.nix
@@ -19,7 +19,7 @@ in
 ./acpid.nix
 ./cups.nix
 ./bluetooth.nix
- ./tty.nix
+ # ./tty.nix
 ./ask-password.nix
 # ./nix-daemon.nix
 ./nscd.nix
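Review bot: `# ./tty.nix` drops the tty service hardening from the import list with no reason recorded, so the next reader cannot tell whether it broke something or was merely inconvenient. A trailing note such as `# ./tty.nix # disabled: <reason>; TODO re-enable` keeps the regression visible. The imports list continues outside the hunk.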
@@ -28,77 +28,4 @@ in ./global ]; - - options.systemd.services = lib.mkOption { - type = - let - osConfig = config; - in - types.attrsOf ( - lib.types.submodule ( - { config, name, ... }: - { - config.serviceConfig = - let - shouldMakeIntrusive = ( - noPred [ (lib.hasPrefix "systemd-") (eq "user@") (eq "user-runtime-dir@") (eq "nix-daemon") ] name - ); - in - mkIf (osConfig.specialisation != { }) ( - { - ProtectHome = mkDefault true; - # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH! - } - // (lib.optionalAttrs shouldMakeIntrusive { - # PrivateTmp = mkDefault true; - # NoNewPrivileges = mkIf shouldMakeIntrusive (mkDefault true); # TODO: this one is quite radical - # SystemCallFilter = mkIf shouldMakeIntrusive (mkDefault "@system-service"); - # ProtectKernelLogs = mkIf shouldMakeIntrusive (mkDefault true); - SystemCallArchitectures = mkIf shouldMakeIntrusive (mkDefault "native"); - }) - ); - } - ) - ); - }; - - config = mkIf (config.specialisation != { }) { - - systemd.services = { - opensnitchd.serviceConfig = { - ProtectHome = false; - PrivateTmp = false; - ProtectKernelLogs = false; - }; - "user-runtime-dir@".serviceConfig.ProtectHome = false; - "user@".serviceConfig.ProtectHome = false; - systemd-homed.serviceConfig.ProtectHome = false; - systemd-homed-activate.serviceConfig.ProtectHome = false; - sshd.serviceConfig.ProtectHome = false; - display-manager.serviceConfig.ProtectHome = "read-only"; - dbus-broker.serviceConfig.ProtectHome = "read-only"; - systemd-logind.serviceConfig.ProtectHome = false; - - nix-daemon.serviceConfig.ProtectHome = false; - - zfs-mount.serviceConfig.PrivateTmp = false; - kmod-static-nodes.serviceConfig.PrivateTmp = false; - mount-pstore.serviceConfig.PrivateTmp = false; - # todo: tpm things - - #polkit.serviceConfig.NoNewPrivileges = false; - #"getty@".serviceConfig.NoNewPrivileges = false; - #"user@".serviceConfig.NoNewPrivileges = false; - - # todo: dbus? 
- - auditd.serviceConfig.ProtectKernelLogs = false; - audit.serviceConfig.ProtectKernelLogs = false; - - "getty@".serviceConfig.SystemCallFilter = ""; - display-manager.serviceConfig.SystemCallFilter = ""; - sshd.serviceConfig.SystemCallFilter = ""; - rtkit-daemon.serviceConfig.SystemCallFilter = ""; - }; - }; } diff --git a/hardening/systemd/global/default.nix b/hardening/systemd/global/default.nix index 65572f2..1a2348d 100644 --- a/hardening/systemd/global/default.nix +++ b/hardening/systemd/global/default.nix @@ -3,5 +3,6 @@ ./hostname.nix ./clock.nix ./realtime.nix + ./syscall_arch.nix ]; } diff --git a/hardening/systemd/global/syscall_arch.nix b/hardening/systemd/global/syscall_arch.nix new file mode 100644 index 0000000..5a1ec5d --- /dev/null +++ b/hardening/systemd/global/syscall_arch.nix @@ -0,0 +1,22 @@ +{ lib, config, ... }: +let + inherit (lib) types mkIf mkDefault; + osConfig = config; +in +{ + options.systemd.services = lib.mkOption { + type = types.attrsOf ( + lib.types.submodule { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + SystemCallArchitectures = mkDefault "native"; + }; + } + + ); + }; + + config = mkIf (config.specialisation != { }) { + systemd.services = { + }; + }; +} diff --git a/hardening/systemd/nix-daemon.nix b/hardening/systemd/nix-daemon.nix index 09c1dee..5159aac 100644 --- a/hardening/systemd/nix-daemon.nix +++ b/hardening/systemd/nix-daemon.nix @@ -7,7 +7,6 @@ config.systemd.services = lib.mkIf (config.specialisation != { }) { nix-daemon.serviceConfig = { MemoryDenyWriteExecute = true; - NoNewPrivileges = true; SystemCallArchitectures = "native"; RestrictSUIDSGID = true; # good, somehow??? @@ -15,7 +14,7 @@ "AF_UNIX" "AF_INET" "AF_INET6" - "AF_NETLINK" # needed for some checks + # "AF_NETLINK" # needed for some checks ]; # needed to download sources and caches RestrictNamespaces = [ "user" 
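Review bot: Removing the `options.systemd.services` submodule in this hunk also removes the `ProtectHome = mkDefault true` it applied to every service, and the replacement `hardening/systemd/global/syscall_arch.nix` added in this same commit carries over only `SystemCallArchitectures = mkDefault "native"`, so the global ProtectHome default and its per-service exemptions (`opensnitchd`, `sshd`, `display-manager`, `nix-daemon`, …) are gone rather than moved. If that is intended, say so in the commit message; otherwise a sibling `global/protect_home.nix` built like `syscall_arch.nix`, carrying the exemption list from the removed `config` block, would preserve it. In `syscall_arch.nix` the `config = mkIf (config.specialisation != { }) { systemd.services = { }; };` block is empty and can be deleted. The dropped `SystemCallFilter = ""` resets for `getty@`, `display-manager`, `sshd` and `rtkit-daemon` look harmless as long as no other module sets a filter for those units, since the default they cancelled was already commented out.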
@@ -65,6 +64,8 @@ "CAP_DAC_OVERRIDE" ]; + NoNewPrivileges = false; # build processes might need more + # ProtectKernelLogs=true; # BAD # ProtectKernelTunables = true; # BAD # PrivateUsers=true; BAD diff --git a/hardening/systemd/sshd.nix b/hardening/systemd/sshd.nix index ce3d2e9..7d5ce6b 100644 --- a/hardening/systemd/sshd.nix +++ b/hardening/systemd/sshd.nix @@ -4,7 +4,7 @@ ... }: { - config.systemd.services = { + config.systemd.services = lib.mkIf (config.specialisation != { }) { sshd.serviceConfig = { MemoryDenyWriteExecute = true; SystemCallArchitectures = "native"; diff --git a/hm/common/default.nix b/hm/common/default.nix index 1c726e6..5790dbd 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -41,8 +41,10 @@ in # kicad prusa-slicer - freecad + # freecad openscad + iamb + confy vlc # blender @@ -121,6 +123,18 @@ in ]; }; + gtk.iconTheme = { + package = pkgs.adwaita-icon-theme; + name = "Adwaita"; + }; + + gtk.theme = { + package = pkgs.gnome-themes-extra; + name = "Adwaita-dark"; + }; + + gtk.enable = true; + programs.tmux = { enable = true; clock24 = true; @@ -161,5 +175,5 @@ in pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty; }; - xdg.mimeApps.enable = true; + # xdg.mimeApps.enable = true; } diff --git a/hm/grimmauld/default.nix b/hm/grimmauld/default.nix index 0714b8b..981e68f 100644 --- a/hm/grimmauld/default.nix +++ b/hm/grimmauld/default.nix @@ -7,9 +7,10 @@ in inherit username; homeDirectory = "/home/${username}"; -# file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk; -# file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub; + file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk; + file.".ssh/id_ed25519_sk.pub".source = ../../ssh/id_ed25519_sk.pub; file.".cups/lpoptions".text = "Default pdf\n"; + file.".config/iamb/config.toml".source = ./iamb_config.toml; }; }; } diff --git a/hm/grimmauld/iamb_config.toml b/hm/grimmauld/iamb_config.toml new file mode 100644 index 0000000..5ff4055 
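Review bot: `NoNewPrivileges = false; # build processes might need more` in hardening/systemd/nix-daemon.nix reverses the `NoNewPrivileges = true` removed in the earlier hunk of this file, but the comment does not say which build failed, so nobody can tell later when it is safe to re-tighten. As far as I know systemd only implies no_new_privs from the other seccomp-type restrictions in this unit (`SystemCallArchitectures`, `RestrictSUIDSGID`, `MemoryDenyWriteExecute`) when the service lacks CAP_SYS_ADMIN, so for a root daemon this explicit line is what decides it — worth confirming. The earlier hunk also comments out `"AF_NETLINK"` while leaving `# needed for some checks` attached, which now reads as a contradiction. Suggested wording: `NoNewPrivileges = false; # <build/derivation that failed> needs it; re-test before enabling`, and either drop the netlink comment or state why it is no longer needed. The serviceConfig block starts before the hunk.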
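Review bot: Uncommenting `file.".ssh/id_ed25519_sk".source = ../../ssh/id_ed25519_sk;` in hm/grimmauld/default.nix makes home-manager copy the key file into the Nix store and link `~/.ssh/id_ed25519_sk` to a world-readable (0444) store path, and it relies on the key file being present, and therefore tracked, in this repository. An `*_sk` file is only a handle that still needs the FIDO token, but OpenSSH checks the private key file's mode and, as far as I can tell, refuses one readable by group or others, so the link will likely be rejected at use time as well. Keep the two lines commented, or deploy the handle through the repo's existing age-based secrets handling with a 0600 target path outside the store. The `.pub` line on its own is harmless. The enclosing home block starts before the hunk.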
--- /dev/null +++ b/hm/grimmauld/iamb_config.toml @@ -0,0 +1,2 @@ +[profiles."grimmauld.de"] +user_id = "@grimmauld:grimmauld.de" diff --git a/modules/default.nix b/modules/default.nix index 1e9327e..cbd003b 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -6,7 +6,7 @@ in { imports = [ ./wireguard.nix -# ./matrix.nix + # ./matrix.nix ./matrix_legacy.nix ./puffer.nix ./gitea.nix diff --git a/modules/matrix_legacy.nix b/modules/matrix_legacy.nix index 1d20f9f..a6326ea 100644 --- a/modules/matrix_legacy.nix +++ b/modules/matrix_legacy.nix @@ -67,11 +67,11 @@ in args = { user = "synapse"; database = "synapse"; - port = config.services.postgresql.settings.port; - cp_max = 10; - cp_min = 5; - client_encoding = "auto"; - passfile = config.age.secrets.synapse_db_pass_prepared.path; + port = config.services.postgresql.settings.port; + cp_max = 10; + cp_min = 5; + client_encoding = "auto"; + passfile = config.age.secrets.synapse_db_pass_prepared.path; }; }; settings.log_config = ./matrix_synapse_log_config.yaml; diff --git a/modules/ooye/default.nix b/modules/ooye/default.nix index 9a70f30..ecd09a5 100644 --- a/modules/ooye/default.nix +++ b/modules/ooye/default.nix @@ -2,6 +2,5 @@ { environment.systemPackages = with pkgs; [ ooye ]; - -services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ]; + services.matrix-synapse-next.settings.app_service_config_files = [ ./registration.yaml ]; } diff --git a/overlays/default.nix b/overlays/default.nix index bebf9bf..7a34fd3 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -28,6 +28,7 @@ ) ) [ + ./lua_update.nix ./matrix-appservice-discord.nix ./deskwhich.nix ./tlpui.nix @@ -38,7 +39,7 @@ ./ooye.nix ./factorio.nix ./ranger.nix - ./opensnitch-ui.nix + ./vesktop.nix # ./ncspot.nix # ./grpcio-tools.nix ]; diff --git a/overlays/grpcio-tools.nix b/overlays/grpcio-tools.nix deleted file mode 100644 index b9a2bc1..0000000 --- a/overlays/grpcio-tools.nix +++ /dev/null 
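Review bot: The overlay list in overlays/default.nix now references `./vesktop.nix`, but this diff adds no `overlays/vesktop.nix` (only `overlays/lua_update.nix` is new), so unless that file was already tracked the overlay set fails to evaluate at the import. The deleted `overlays/opensnitch-ui.nix` overlay added `python311Packages.packaging` to opensnitch-ui; confirm the current nixpkgs package no longer needs it, since the UI is still autolaunched from the new opensnitch module. The `lua = prev.lua5_4_compat;` overlay in `lua_update.nix` replaces the default `lua` for every consumer, which is broader than a single-package fix — a one-line comment naming the package it was added for would help, e.g. `# <package> expects the 5.4 compat build; drop once it is fixed upstream`.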
@@ -1,28 +0,0 @@ -{ prev, final, ... }: -{ - pythonPackagesOverlays = [ - (python-final: python-prev: { - - grpcio-tools = python-prev.grpcio-tools.overrideAttrs (old: { - version = "1.64.1"; - - src = prev.fetchPypi { - pname = "grpcio_tools"; - version = "1.64.1"; - hash = "sha256-crNVC5GtuDVGVuzw9tHUYRKZBEuuEfsefMHRu2a4wes="; - }; - }); - }) - ]; - - python311 = - let - self = prev.python311.override { - inherit self; - packageOverrides = prev.lib.composeManyExtensions final.pythonPackagesOverlays; - }; - in - self; - - python311Packages = final.python311.pkgs; -} diff --git a/overlays/lua_update.nix b/overlays/lua_update.nix new file mode 100644 index 0000000..be56361 --- /dev/null +++ b/overlays/lua_update.nix @@ -0,0 +1,4 @@ +{ prev, ... }: +{ + lua = prev.lua5_4_compat; +} diff --git a/overlays/ncspot.nix b/overlays/ncspot.nix deleted file mode 100644 index ad572ea..0000000 --- a/overlays/ncspot.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, config, ... }: -{ - ncspot = prev.callPackage ../custom/ncspot/package.nix { }; -} diff --git a/overlays/opensnitch-ui.nix b/overlays/opensnitch-ui.nix deleted file mode 100644 index 9b8d440..0000000 --- a/overlays/opensnitch-ui.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ final, prev, ... }: -{ - opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ]; - }); -} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ca0150f..1e81df6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -8,25 +8,67 @@ let contabo_nix_2 = "ssh-rsa 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"; in { -# "nextcloud_pass.age".publicKeys = [ -# laptop_pub -# yubi -# laptop_pub_ed -# ]; + # "nextcloud_pass.age".publicKeys = [ + # laptop_pub + # yubi + # laptop_pub_ed + # ]; # "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; - "synapse_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "openldap_admin.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "nextcloud_server_key.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "keycloak_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "matrix_admin_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; - "ptero_env.age".publicKeys = [ contabo_nix_pub contabo_nix_2]; + "synapse_db_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "openldap_admin.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "nextcloud_server_key.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "keycloak_db_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "synapse_db_pass_prepared.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "grafana_admin_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "nextcloud_admin_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "nextcloud_db_pass.age".publicKeys 
= [ + contabo_nix_pub + contabo_nix_2 + ]; + "synapse_registration_shared_secret.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "matrix_admin_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "matrix_mjolnir_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "matrix_mjolnir_tle_pass.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "matrix_discord_bridge_token.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; + "ptero_env.age".publicKeys = [ + contabo_nix_pub + contabo_nix_2 + ]; } diff --git a/specific/grimm-nixos-server-2/configuration.nix b/specific/grimm-nixos-server-2/configuration.nix index 0e56021..03870e4 100644 --- a/specific/grimm-nixos-server-2/configuration.nix +++ b/specific/grimm-nixos-server-2/configuration.nix @@ -1,6 +1,7 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ imports = [ - ./hardware-configuration.nix + ./hardware-configuration.nix ]; environment.systemPackages = with pkgs; [ @@ -15,6 +16,8 @@ networking.hostName = "grimm-nixos-server-2"; networking.domain = "grimmauld.de"; services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd'' ]; + users.users.root.openssh.authorizedKeys.keys = [ + ''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMgGKExPve3tsl0/kjV5rCo5wb46CapnUaA1ZdZWpgXTAAAAC3NzaDpnZW5lcmFs grimmauld@grimm-nixos-ssd'' + ]; system.stateVersion = "23.11"; } diff --git a/specific/grimm-nixos-server-2/hardware-configuration.nix b/specific/grimm-nixos-server-2/hardware-configuration.nix index 5e7b44e..bd94495 100644 --- a/specific/grimm-nixos-server-2/hardware-configuration.nix +++ b/specific/grimm-nixos-server-2/hardware-configuration.nix 
@@ -2,8 +2,16 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + "vmw_pvscsi" + ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; - + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; + } diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index 356f1ae..8cbef8d 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix @@ -46,7 +46,7 @@ in boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y"; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - boot.kernelParams = [ "nosgx" ]; + # boot.kernelParams = [ "nosgx" ]; security.lockKernelModules = false; # PAIN on an intended-portable setup # security.protectKernelImage = false;