authortzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
committertzlil <tzlils@protonmail.com>2023-07-29 20:53:14 +0300
commitfeefcfc89b00d4955dbb3314c20be035f3db206f (patch)
tree5099a13763dcfd274cae83af4dbac0bf4bef6cce /profiles/security.nix
parent11526bdd2bb3b4b445665aa671e4bc72021b8183 (diff)
disko for laptop, wip rewrite
Diffstat (limited to 'profiles/security.nix')
-rw-r--r--profiles/security.nix135
1 files changed, 66 insertions, 69 deletions
diff --git a/profiles/security.nix b/profiles/security.nix
index 63c5fe4..40d5bf4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -1,75 +1,72 @@
 {
-  pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
-  imports = [];
-  config = {
-    programs.firejail.enable = true;
-    security.auditd.enable = true;
-    security.audit.enable = true;
-    security.audit.rules = [
-      "-a exit,always -F arch=b64 -S execve"
-    ];
-
-    # https://source.android.com/docs/security/test/scudo
-    environment.memoryAllocator.provider = "scudo";
-    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
-    security.lockKernelModules = true;
-    security.protectKernelImage = true;
-    security.allowSimultaneousMultithreading = false;
-    security.forcePageTableIsolation = true;
-
-    security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
-
-    security.virtualisation.flushL1DataCache = "always";
-
-    security.apparmor.enable = true;
-    security.apparmor.killUnconfinedConfinables = true;
-
-    # Restrict ptrace() usage to processes with a pre-defined relationship
-    # (e.g., parent/child)
-    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-
-    # Hide kptrs even for processes with CAP_SYSLOG
-    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
-
-    # Disable bpf() JIT (to eliminate spray attacks)
-    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
-
-    # Disable ftrace debugging
-    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
-
-    # Enable strict reverse path filtering (that is, do not attempt to route
-    # packets that "obviously" do not belong to the iface's network; dropped
-    # packets are logged as martians).
-    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
-    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
-    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
-
-    # Ignore broadcast ICMP (mitigate SMURF)
-    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
-    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-    # setting is applied to interfaces added after the sysctls are set)
-    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
-    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
-
-    # Ignore outgoing ICMP redirects (this is ipv4 only)
-    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
-    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
-
-    security.chromiumSuidSandbox.enable = true;
-
-    security.sudo.execWheelOnly = true;
-    security.sudo.extraConfig = "Defaults        lecture = never";
-  };
+  programs.firejail.enable = true;
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve"
+  ];
+
+  # https://source.android.com/docs/security/test/scudo
+  environment.memoryAllocator.provider = "scudo";
+  environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+  security.lockKernelModules = true;
+  security.protectKernelImage = true;
+  security.allowSimultaneousMultithreading = false;
+  security.forcePageTableIsolation = true;
+
+  security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+  security.virtualisation.flushL1DataCache = "always";
+
+  security.apparmor.enable = true;
+  security.apparmor.killUnconfinedConfinables = true;
+
+  # Restrict ptrace() usage to processes with a pre-defined relationship
+  # (e.g., parent/child)
+  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+  # Hide kptrs even for processes with CAP_SYSLOG
+  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+  # Disable bpf() JIT (to eliminate spray attacks)
+  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+  # Disable ftrace debugging
+  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+  # Enable strict reverse path filtering (that is, do not attempt to route
+  # packets that "obviously" do not belong to the iface's network; dropped
+  # packets are logged as martians).
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+  # Ignore broadcast ICMP (mitigate SMURF)
+  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+  # setting is applied to interfaces added after the sysctls are set)
+  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+  # Ignore outgoing ICMP redirects (this is ipv4 only)
+  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+  security.chromiumSuidSandbox.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = "Defaults        lecture = never";
+
+  environment.defaultPackages = lib.mkForce [];
 }
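Review bot: The single audit rule on the new side (`"-a exit,always -F arch=b64 -S execve"`) only records 64-bit execve(); a 32-bit binary or an execveat() call slips past it, and with no `-k` key the events are harder to pull out with ausearch. If the goal is a reliable execution trail, the list should be `"-a exit,always -F arch=b64 -S execve,execveat -k exec"` plus `"-a exit,always -F arch=b32 -S execve,execveat -k exec"`. Whether the target kernel has 32-bit syscall emulation enabled cannot be told from this file; if it does not, auditctl will reject the b32 rule, so confirm that before adding it. A one-line comment naming what the rule is meant to capture (`# log every process execution; both ABIs so 32-bit binaries are not missed`) would also help the next reader, since nothing else in the profile explains why only execve is audited.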