Add hardening

This commit is contained in:
installer 2025-01-25 16:09:09 -08:00
parent a6988f3411
commit e128b42bdb
5 changed files with 224 additions and 4 deletions


@ -62,6 +62,9 @@ in
config = { config = {
allowBroken = false; allowBroken = false;
allowUnfree = true; allowUnfree = true;
permittedInsecurePackages = [
"electron-27.3.11" # Logseq
];
}; };
overlays = [ overlays = [
(import ../../../packages/overlay.nix) (import ../../../packages/overlay.nix)
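Review bot: The new `permittedInsecurePackages` entry waives nixpkgs' insecure-package check for `electron-27.3.11`, and the `# Logseq` comment names the consumer but not why the waiver is acceptable or when it should go away; since this list is global to the nixpkgs config, that context matters to whoever next touches it. Presumably nixpkgs flags that Electron as end-of-life, so the comment should record the condition for removing the exception, e.g. `"electron-27.3.11" # Logseq: Electron flagged insecure by nixpkgs; drop once Logseq builds against a supported Electron`. The surrounding `config` attribute set continues outside the hunk.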


@ -59,7 +59,7 @@ in
# System # System
# flatpak.enable = true; # flatpak.enable = true;
# fonts.enable = true; # fonts.enable = true;
# hardening.enable = true; hardening.enable = true;
# mounts.enable = true; # mounts.enable = true;
networking.enable = true; networking.enable = true;
nixConfig.enable = true; nixConfig.enable = true;


@ -3,7 +3,7 @@
./base.nix ./base.nix
./desktop.nix ./desktop.nix
./gaming.nix ./gaming.nix
# ./hardening.nix ./hardening.nix
./unfree.nix ./unfree.nix
# ./office.nix # ./office.nix
./packages.nix ./packages.nix


@ -0,0 +1,217 @@
{
lib,
config,
username,
vars,
...
}:
let
cfg = config.hardening;
in
{
options = {
hardening = {
enable = lib.mkEnableOption "Enable hardening in NixOS & home-manager";
};
clamav = lib.mkOption {
type = lib.types.bool;
default = false;
};
opensnitch = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
boot = {
blacklistedKernelModules = [
# Filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"f2fs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"ksmbd"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"squashfs"
"sysv"
#"udf" PS3 games
"vivid"
# Networking
"af_802154"
"appletalk"
"atm"
"ax25"
"can"
"dccp"
"decnet"
"econet"
"ipx"
"n-hdlc"
"netrom"
"p8022"
"p8023"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
"x25"
];
kernel = {
sysctl = {
# Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl and https://github.com/sioodmy/dotfiles/blob/main/system/core/schizo.nix
"dev.tty.ldisc_autoload" = 0;
"kernel.dmesg_restrict" = 1;
"kernel.kexec_load_disabled" = 1;
"kernel.kptr_restrict" = 2;
"kernel.printk" = "3 3 3 3";
"kernel.unprivileged_bpf_disabled" = 1;
#"kernel.yama.ptrace_scope" = 2; Breaks Hunt: Showdown
"net.core.bpf_jit_harden" = 2;
/*
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv4.icmp_echo_ignore_all" = 1;
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
*/
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
"vm.unprivileged_userfaultfd" = 0;
};
};
kernelParams = [
# Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
#"debugfs=off" OpenSnitch
"init_on_alloc=1"
"init_on_free=1"
# "ipv6.disable=1"
"lockdown=confidentiality"
"oops=panic"
"page_alloc.shuffle=1"
"pti=on"
"randomize_kstack_offset=on"
"slab_nomerge"
"vsyscall=none"
];
};
networking = {
firewall = {
enable = true;
};
};
security = {
pam = {
sshAgentAuth.enable = true;
services = {
sddm = {
enableGnomeKeyring = true;
gnupg = {
enable = true;
};
};
login = {
enableGnomeKeyring = true;
gnupg = {
enable = true;
};
};
};
};
polkit = {
enable = true;
# UDisks https://gist.github.com/Scrumplex/8f528c1f63b5f4bfabe14b0804adaba7
extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
if (action.id.startsWith("org.freedesktop.udisks2.")) {
return polkit.Result.YES;
}
}
});
'';
};
sudo = {
execWheelOnly = true;
extraConfig = ''Defaults env_reset,pwfeedback '';
extraRules = [
{
commands =
builtins.map
(command: {
command = "/run/current-system/sw/bin/${command}";
options = [ "NOPASSWD" ];
})
[
"poweroff"
"reboot"
"nixos-rebuild"
"nix-env"
"shutdown"
"systemctl"
];
groups = [ "wheel" ];
}
];
};
};
services = {
clamav = lib.mkIf config.clamav {
# run 'sudo freshclam' for first time
daemon = {
enable = true;
};
fangfrisch = {
enable = true;
};
scanner = {
enable = true;
};
updater = {
enable = true;
};
};
opensnitch = lib.mkIf config.opensnitch {
enable = true;
};
};
home-manager.users.${username} = {
services = {
opensnitch-ui.enable = config.opensnitch;
};
};
};
}
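Review bot: The `security.sudo.extraRules` entry grants the wheel group `NOPASSWD` on `nixos-rebuild`, `nix-env` and `systemctl` with no argument restriction, which is effectively passwordless root for any process running as a wheel user (each of those can install or activate arbitrary code or units as root), and that undoes most of what `execWheelOnly`, the sysctl settings and `lockdown=confidentiality` in this same file are providing. The todo hunk in this commit still lists `TODO sudo nopasswd`, so this looks unfinished rather than intended; I would trim the list to the power-management commands, `[ "poweroff" "reboot" "shutdown" ]`, and leave rebuilds and unit management behind the normal password prompt. A smaller point: `clamav` and `opensnitch` are declared as top-level options in the `options` block and read back as `config.clamav` / `config.opensnitch`, while only `enable` lives under `hardening` — nesting them as `hardening.clamav` / `hardening.opensnitch` and reading `cfg.clamav` / `cfg.opensnitch` keeps the module's options in one namespace and matches the existing `cfg = config.hardening` binding. The `vars` argument in the module signature is also unused in this file.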

2
todo

@ -2,7 +2,7 @@ TODO boot into Hyprland
TODO autologin on boot TODO autologin on boot
DONE syncthing DONE syncthing
TODO Logseq TODO Logseq
TODO secrets DONE secrets
TODO zsh error TODO zsh error
TODO ags TODO ags
TODO sudo nopasswd TODO sudo nopasswd