From e128b42bdb5d9904bfe8bb8bb46a9a75abda7b10 Mon Sep 17 00:00:00 2001
From: installer
Date: Sat, 25 Jan 2025 16:09:09 -0800
Subject: [PATCH] Add hardening
---
 modules/components/nix/default.nix | 5 +-
 modules/profiles/base.nix | 2 +-
 modules/profiles/default.nix | 2 +-
 modules/profiles/hardening/default.nix | 217 +++++++++++++++++++++++++
 todo | 2 +-
 5 files changed, 224 insertions(+), 4 deletions(-)
 create mode 100644 modules/profiles/hardening/default.nix
diff --git a/modules/components/nix/default.nix b/modules/components/nix/default.nix
index 8f05ba5..d03b3ad 100644
--- a/modules/components/nix/default.nix
+++ b/modules/components/nix/default.nix
@@ -62,6 +62,9 @@ in
 config = {
 allowBroken = false;
 allowUnfree = true;
+ permittedInsecurePackages = [
+ "electron-27.3.11" # Logseq
+ ];
 };
 overlays = [
 (import ../../../packages/overlay.nix)
@@ -133,4 +136,4 @@ in
 };
 };
 };
-}
\ No newline at end of file
+}
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index d5d4dad..3a55b05 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -59,7 +59,7 @@ in
 # System
 # flatpak.enable = true;
 # fonts.enable = true;
- # hardening.enable = true;
+ hardening.enable = true;
 # mounts.enable = true;
 networking.enable = true;
 nixConfig.enable = true;
diff --git a/modules/profiles/default.nix b/modules/profiles/default.nix
index 027f89e..139b95c 100644
--- a/modules/profiles/default.nix
+++ b/modules/profiles/default.nix
@@ -3,7 +3,7 @@
 ./base.nix
 ./desktop.nix
 ./gaming.nix
- # ./hardening.nix
+ ./hardening.nix
 ./unfree.nix
 # ./office.nix
 ./packages.nix
diff --git a/modules/profiles/hardening/default.nix b/modules/profiles/hardening/default.nix
new file mode 100644
index 0000000..0286f33
--- /dev/null
+++ b/modules/profiles/hardening/default.nix
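Review bot: The `permittedInsecurePackages` entry in the first hunk is global to this nixpkgs configuration, so it silences the insecure-package check for every derivation that depends on `electron-27.3.11`, not only Logseq, and nothing records when the exception can be retired. I would extend the inline comment to name both the consumer and the exit condition, e.g. `"electron-27.3.11" # Logseq still pins this Electron; remove once Logseq moves to a supported release`. The `todo` file touched by this commit still carries `TODO Logseq`, which may be the natural place to track that follow-up.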
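Review bot: The import enabled in `modules/profiles/default.nix` is `./hardening.nix`, but the module this commit adds lives at `modules/profiles/hardening/default.nix`; unless a separate `hardening.nix` already exists beside `base.nix` (it is not in this diff), evaluation will fail on a missing path, and even if one exists it is not the new module. Importing the directory instead, `./hardening`, resolves to `hardening/default.nix` and matches the file created here.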
@@ -0,0 +1,217 @@
+{
+ lib,
+ config,
+ username,
+ vars,
+ ...
+}:
+let
+ cfg = config.hardening;
+in
+{
+ options = {
+ hardening = {
+ enable = lib.mkEnableOption "Enable hardening in NixOS & home-manager";
+ };
+ clamav = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ opensnitch = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ boot = {
+ blacklistedKernelModules = [
+ # Filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "f2fs"
+ "freevxfs"
+ "gfs2"
+ "hfs"
+ "hfsplus"
+ "hpfs"
+ "jffs2"
+ "jfs"
+ "ksmbd"
+ "minix"
+ "nilfs2"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "squashfs"
+ "sysv"
+ #"udf" PS3 games
+ "vivid"
+ # Networking
+ "af_802154"
+ "appletalk"
+ "atm"
+ "ax25"
+ "can"
+ "dccp"
+ "decnet"
+ "econet"
+ "ipx"
+ "n-hdlc"
+ "netrom"
+ "p8022"
+ "p8023"
+ "psnap"
+ "rds"
+ "rose"
+ "sctp"
+ "tipc"
+ "x25"
+ ];
+ kernel = {
+ sysctl = {
+ # Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl and https://github.com/sioodmy/dotfiles/blob/main/system/core/schizo.nix
+ "dev.tty.ldisc_autoload" = 0;
+ "kernel.dmesg_restrict" = 1;
+ "kernel.kexec_load_disabled" = 1;
+ "kernel.kptr_restrict" = 2;
+ "kernel.printk" = "3 3 3 3";
+ "kernel.unprivileged_bpf_disabled" = 1;
+ #"kernel.yama.ptrace_scope" = 2; Breaks Hunt: Showdown
+ "net.core.bpf_jit_harden" = 2;
+ /*
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.icmp_echo_ignore_all" = 1;
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ "net.ipv4.tcp_sack" = 0;
+ "net.ipv4.tcp_dsack" = 0;
+ "net.ipv4.tcp_fack" = 0;
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ */
+ "vm.mmap_rnd_bits" = 32;
+ "vm.mmap_rnd_compat_bits" = 16;
+ "vm.unprivileged_userfaultfd" = 0;
+ };
+ };
+ kernelParams = [
+ # Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+ #"debugfs=off" OpenSnitch
+ "init_on_alloc=1"
+ "init_on_free=1"
+ # "ipv6.disable=1"
+ "lockdown=confidentiality"
+ "oops=panic"
+ "page_alloc.shuffle=1"
+ "pti=on"
+ "randomize_kstack_offset=on"
+ "slab_nomerge"
+ "vsyscall=none"
+ ];
+ };
+ networking = {
+ firewall = {
+ enable = true;
+ };
+ };
+ security = {
+ pam = {
+ sshAgentAuth.enable = true;
+ services = {
+ sddm = {
+ enableGnomeKeyring = true;
+ gnupg = {
+ enable = true;
+ };
+ };
+ login = {
+ enableGnomeKeyring = true;
+ gnupg = {
+ enable = true;
+ };
+ };
+ };
+ };
+ polkit = {
+ enable = true;
+ # UDisks https://gist.github.com/Scrumplex/8f528c1f63b5f4bfabe14b0804adaba7
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ if (action.id.startsWith("org.freedesktop.udisks2.")) {
+ return polkit.Result.YES;
+ }
+ }
+ });
+ '';
+ };
+ sudo = {
+ execWheelOnly = true;
+ extraConfig = ''Defaults env_reset,pwfeedback '';
+ extraRules = [
+ {
+ commands =
+ builtins.map
+ (command: {
+ command = "/run/current-system/sw/bin/${command}";
+ options = [ "NOPASSWD" ];
+ })
+ [
+ "poweroff"
+ "reboot"
+ "nixos-rebuild"
+ "nix-env"
+ "shutdown"
+ "systemctl"
+ ];
+ groups = [ "wheel" ];
+ }
+ ];
+ };
+ };
+ services = {
+ clamav = lib.mkIf config.clamav {
+ # run 'sudo freshclam' for first time
+ daemon = {
+ enable = true;
+ };
+ fangfrisch = {
+ enable = true;
+ };
+ scanner = {
+ enable = true;
+ };
+ updater = {
+ enable = true;
+ };
+ };
+ opensnitch = lib.mkIf config.opensnitch {
+ enable = true;
+ };
+ };
+ home-manager.users.${username} = {
+ services = {
+ opensnitch-ui.enable = config.opensnitch;
+ };
+ };
+ };
+}
diff --git a/todo b/todo
index 622f08e..9c96d10 100644
--- a/todo
+++ b/todo
@@ -2,7 +2,7 @@ TODO boot into Hyprland
 TODO autologin on boot
 DONE syncthing
 TODO Logseq
-TODO secrets
+DONE secrets
 TODO zsh error
 TODO ags
 TODO sudo nopasswd
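Review bot: The `NOPASSWD` rule under `security.sudo.extraRules` gives the wheel group unauthenticated root in all but name, because `systemctl`, `nixos-rebuild` and `nix-env` run as root without a password are each enough to change the whole system, which undercuts `execWheelOnly` and the rest of this hardening profile. I would keep `NOPASSWD` only for the power-management commands, `[ "poweroff" "reboot" "shutdown" ]`, and let the other three fall back to the normal password prompt; the `TODO sudo nopasswd` entry in `todo` suggests this list is still being decided. Separately, `clamav` and `opensnitch` are declared as top-level options beside `hardening`, so they are read as `config.clamav`/`config.opensnitch` rather than `config.hardening.clamav`; nesting them under `hardening = { … }` and reading `cfg.clamav`/`cfg.opensnitch` would keep the module's option namespace consistent with `cfg = config.hardening`. The `vars` module argument is also unused and could be dropped from the argument set.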