Add hardening

installer 2025-01-25 16:09:09 -08:00
parent a6988f3411
commit e128b42bdb
5 changed files with 224 additions and 4 deletions


@ -62,6 +62,9 @@ in
config = {
allowBroken = false;
allowUnfree = true;
permittedInsecurePackages = [
"electron-27.3.11" # Logseq
];
};
overlays = [
(import ../../../packages/overlay.nix)
@ -133,4 +136,4 @@ in
};
};
};
}
}
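Review bot: The new `permittedInsecurePackages` entry at the top of the first hunk globally whitelists `electron-27.3.11`, a version nixpkgs marks as insecure, with only `# Logseq` as justification; in a commit titled "Add hardening" that exception deserves a reason and an exit condition so it does not outlive the package that needs it. Consider `"electron-27.3.11" # Logseq still pins electron 27 (flagged insecure by nixpkgs); remove once Logseq moves to a supported Electron` so the next reader knows when it can be dropped. Note the allowance applies to anything in this nixpkgs instance that evaluates to that Electron, not just Logseq.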


@ -59,7 +59,7 @@ in
# System
# flatpak.enable = true;
# fonts.enable = true;
# hardening.enable = true;
hardening.enable = true;
# mounts.enable = true;
networking.enable = true;
nixConfig.enable = true;


@ -3,7 +3,7 @@
./base.nix
./desktop.nix
./gaming.nix
# ./hardening.nix
./hardening.nix
./unfree.nix
# ./office.nix
./packages.nix


@ -0,0 +1,217 @@
{
lib,
config,
username,
vars,
...
}:
let
cfg = config.hardening;
in
{
options = {
hardening = {
enable = lib.mkEnableOption "Enable hardening in NixOS & home-manager";
};
clamav = lib.mkOption {
type = lib.types.bool;
default = false;
};
opensnitch = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
boot = {
blacklistedKernelModules = [
# Filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"f2fs"
"freevxfs"
"gfs2"
"hfs"
"hfsplus"
"hpfs"
"jffs2"
"jfs"
"ksmbd"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"squashfs"
"sysv"
#"udf" PS3 games
"vivid"
# Networking
"af_802154"
"appletalk"
"atm"
"ax25"
"can"
"dccp"
"decnet"
"econet"
"ipx"
"n-hdlc"
"netrom"
"p8022"
"p8023"
"psnap"
"rds"
"rose"
"sctp"
"tipc"
"x25"
];
kernel = {
sysctl = {
# Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl and https://github.com/sioodmy/dotfiles/blob/main/system/core/schizo.nix
"dev.tty.ldisc_autoload" = 0;
"kernel.dmesg_restrict" = 1;
"kernel.kexec_load_disabled" = 1;
"kernel.kptr_restrict" = 2;
"kernel.printk" = "3 3 3 3";
"kernel.unprivileged_bpf_disabled" = 1;
#"kernel.yama.ptrace_scope" = 2; Breaks Hunt: Showdown
"net.core.bpf_jit_harden" = 2;
/*
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv4.icmp_echo_ignore_all" = 1;
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
*/
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
"vm.unprivileged_userfaultfd" = 0;
};
};
kernelParams = [
# Hardening https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
#"debugfs=off" OpenSnitch
"init_on_alloc=1"
"init_on_free=1"
# "ipv6.disable=1"
"lockdown=confidentiality"
"oops=panic"
"page_alloc.shuffle=1"
"pti=on"
"randomize_kstack_offset=on"
"slab_nomerge"
"vsyscall=none"
];
};
networking = {
firewall = {
enable = true;
};
};
security = {
pam = {
sshAgentAuth.enable = true;
services = {
sddm = {
enableGnomeKeyring = true;
gnupg = {
enable = true;
};
};
login = {
enableGnomeKeyring = true;
gnupg = {
enable = true;
};
};
};
};
polkit = {
enable = true;
# UDisks https://gist.github.com/Scrumplex/8f528c1f63b5f4bfabe14b0804adaba7
extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
if (action.id.startsWith("org.freedesktop.udisks2.")) {
return polkit.Result.YES;
}
}
});
'';
};
sudo = {
execWheelOnly = true;
extraConfig = ''Defaults env_reset,pwfeedback '';
extraRules = [
{
commands =
builtins.map
(command: {
command = "/run/current-system/sw/bin/${command}";
options = [ "NOPASSWD" ];
})
[
"poweroff"
"reboot"
"nixos-rebuild"
"nix-env"
"shutdown"
"systemctl"
];
groups = [ "wheel" ];
}
];
};
};
services = {
clamav = lib.mkIf config.clamav {
# run 'sudo freshclam' for first time
daemon = {
enable = true;
};
fangfrisch = {
enable = true;
};
scanner = {
enable = true;
};
updater = {
enable = true;
};
};
opensnitch = lib.mkIf config.opensnitch {
enable = true;
};
};
home-manager.users.${username} = {
services = {
opensnitch-ui.enable = config.opensnitch;
};
};
};
}
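Review bot: The `sudo.extraRules` entry near the end of the module gives the wheel group NOPASSWD root for `systemctl`, `nixos-rebuild` and `nix-env`, each of which is effectively unrestricted root (e.g. `systemctl edit` spawns an editor as root, `nixos-rebuild switch` activates whatever configuration the invoking user points it at, `nix-env -i` writes the system profile), so this rule undoes most of what the kernel and sysctl hardening above buys. Trimming the list to the power-management commands — `"poweroff"`, `"reboot"`, `"shutdown"` — keeps the convenience without the escalation; if `systemctl` must stay, pin it to specific verbs and units in the command string rather than the bare binary. A smaller consistency point: `clamav` and `opensnitch` are declared at the top level of `options` and read as `config.clamav`/`config.opensnitch`, unlike everything else keyed off `cfg = config.hardening`; nesting them under `hardening` as `lib.mkEnableOption` would keep the module self-contained and give them descriptions. Also, `lib.mkEnableOption` prefixes "Whether to enable ", so the description at the top reads "Whether to enable Enable hardening …"; `lib.mkEnableOption "hardening in NixOS & home-manager"` avoids the doubling.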

todo

@ -2,7 +2,7 @@ TODO boot into Hyprland
TODO autologin on boot
DONE syncthing
TODO Logseq
TODO secrets
DONE secrets
TODO zsh error
TODO ags
TODO sudo nopasswd