author | tzlil <tzlils@protonmail.com> | 2023-07-29 20:53:14 +0300 |
---|---|---|
committer | tzlil <tzlils@protonmail.com> | 2023-07-29 20:53:14 +0300 |
commit | feefcfc89b00d4955dbb3314c20be035f3db206f (patch) | |
tree | 5099a13763dcfd274cae83af4dbac0bf4bef6cce /profiles | |
parent | 11526bdd2bb3b4b445665aa671e4bc72021b8183 (diff) |
disko for laptop, wip rewrite
Diffstat (limited to 'profiles')
-rw-r--r-- | profiles/core.nix | 65 | ||||
-rw-r--r-- | profiles/default.nix | 8 | ||||
-rw-r--r-- | profiles/impermanence.nix | 29 | ||||
-rw-r--r-- | profiles/nix.nix | 44 | ||||
-rw-r--r-- | profiles/security.nix | 135 | ||||
-rw-r--r-- | profiles/ssh.nix | 1 | ||||
-rw-r--r-- | profiles/tzlil.nix (renamed from profiles/user.nix) | 14 |
7 files changed, 185 insertions, 111 deletions
diff --git a/profiles/core.nix b/profiles/core.nix index 3eca577..4fefbdd 100644 --- a/profiles/core.nix +++ b/profiles/core.nix @@ -5,44 +5,39 @@ inputs, ... }: { - imports = [ - ../profiles/security.nix - ../profiles/network.nix - ]; + # imports = [ + # ../profiles/security.nix + # ../profiles/network.nix + # ]; config = { - system.stateVersion = "22.5"; - nix = { - registry.nixpkgs.flake = inputs.nixpkgs; - gc.automatic = true; - optimise.automatic = true; - settings = { - allowed-users = ["root"]; - trusted-users = ["root"]; - sandbox = true; - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - users.mutableUsers = false; - environment.defaultPackages = lib.mkForce []; + # system.stateVersion = "22.5"; + # nix = { + # registry.nixpkgs.flake = inputs.nixpkgs; + # gc.automatic = true; + # optimise.automatic = true; + # settings = { + # allowed-users = ["root"]; + # trusted-users = ["root"]; + # sandbox = true; + # }; + # extraOptions = '' + # experimental-features = nix-command flakes + # ''; + # }; + # users.mutableUsers = false; + # environment.defaultPackages = lib.mkForce []; - age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"]; - # causing issues, fix this programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite; - # save uid/guid - environment.persistence."/nix/persist".directories = ["/var/lib/nixos"]; - - boot = { - tmp.cleanOnBoot = true; - kernelParams = [ - "init_on_free=1" - "page_poison=1" - "page_alloc.shuffle=1" - "slab_nomerge" - "vsyscall=none" - ]; - }; + # boot = { + # tmp.cleanOnBoot = true; + # kernelParams = [ + # "init_on_free=1" + # "page_poison=1" + # "page_alloc.shuffle=1" + # "slab_nomerge" + # "vsyscall=none" + # ]; + # }; }; } diff --git a/profiles/default.nix b/profiles/default.nix new file mode 100644 index 0000000..77921b6 --- /dev/null +++ b/profiles/default.nix 
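Review bot: The `boot.kernelParams` hardening (`init_on_free=1`, `page_poison=1`, `page_alloc.shuffle=1`, `slab_nomerge`, `vsyscall=none`), `boot.tmp.cleanOnBoot = true` and `users.mutableUsers = false` are commented out here but do not reappear in any module touched by this commit (nix.nix takes the `nix` block, security.nix only gains `environment.defaultPackages`), so the rewritten system silently loses them. Commenting out rather than deleting also hides from a reviewer which settings are meant to come back; security.nix is the natural home for the kernel parameters and the mutableUsers line, and the `age.identityPaths` line is superseded by impermanence.nix. If the removal is intentional for the WIP, a one-line `# TODO: re-add kernelParams/mutableUsers in security.nix` above the block would make the gap visible.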
@@ -0,0 +1,8 @@
+{inputs, ...}: {
+ flake.nixosModules = {
+ nix = import ./nix.nix {inherit inputs;};
+ security = ./security.nix;
+ tzlil = ./tzlil.nix;
+ ssh = ./ssh.nix;
+ };
+}
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
new file mode 100644
index 0000000..5ee9c97
--- /dev/null
+++ b/profiles/impermanence.nix
@@ -0,0 +1,29 @@
+{inputs, ...}: {
+ config,
+ lib,
+ options,
+ ...
+}: let
+ sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
+in {
+ imports = [inputs.impermanence.nixosModules.impermanence];
+
+ config = lib.mkMerge [
+ {
+ environment.persistence."/nix/persistent" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/systemd/coredump"
+ "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot)
+ ];
+ files =
+ [
+ "/etc/machine-id"
+ ]
+ ++ sshHostKeys;
+ };
+ }
+ (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;})
+ ];
+}
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..769a06a
--- /dev/null
+++ b/profiles/nix.nix
@@ -0,0 +1,44 @@
+{
+ inputs,
+ pkgs,
+ ...
+}: {
+ nix = {
+ package = pkgs.nixUnstable;
+ registry.nixpkgs.flake = inputs.nixpkgs;
+ nixPath = [
+ "nixpkgs=flake:nixpkgs"
+ ];
+ gc.automatic = true;
+ optimise.automatic = true;
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ "cgroups"
+ "auto-allocate-uids"
+ "repl-flake"
+ "no-url-literals"
+ ];
+ use-cgroups = true;
+ auto-allocate-uids = true;
+ builders-use-substitutes = true;
+ auto-optimise-store = true;
+ warn-dirty = false;
+ trusted-users = [
+ "@wheel"
+ ];
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ # save uid/guid
+ environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
+}
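Review bot: `nix = import ./nix.nix {inherit inputs;}` applies nix.nix as a plain function, but the nix.nix added in this same commit takes `{ inputs, pkgs, ... }` with no default for `pkgs`, so evaluation should fail with a missing-argument error unless nix.nix is meant to become curried. impermanence.nix already uses the curried shape `{inputs, ...}: { config, lib, options, ... }:` that this call expects; giving nix.nix the same shape, `{inputs, ...}: {pkgs, ...}: { nix = { ... }; }`, or exporting it as a path and supplying `inputs` via specialArgs would resolve it. impermanence.nix is also absent from `flake.nixosModules`, so nothing can reach it through this file.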
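Review bot: The `"/tmp"` entry is justified with "We still clean /tmp on boot", but the only `boot.tmp.cleanOnBoot = true` in this commit is commented out in core.nix and no new module sets it, so a persisted `/tmp` would now survive reboots and accumulate build leftovers; add `boot.tmp.cleanOnBoot = true;` to this module beside the persistence block so the comment and the behaviour travel together. The persistence root `/nix/persistent` here also differs from `/nix/persist` used for `/var/lib/nixos` in nix.nix, so one of the two directories is wrong. Deriving `age.identityPaths` from the persisted `sshHostKeys` paths is consistent, but the `options ? age` guard deserves a short comment, e.g. `# only when the agenix module is loaded; identity = persisted host keys`.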
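Review bot: `trusted-users = ["@wheel"]` widens Nix trusted status from the `root`-only setting the old core.nix had to every wheel member; a trusted user can hand the daemon arbitrary `substituters`, `trusted-public-keys` and sandbox settings, which is root-equivalent on the host, so the line should carry a comment making the trade-off explicit, e.g. `# wheel members can set substituters/sandbox options on nix-daemon (root-equivalent)`. The old `allowed-users = ["root"]` and explicit `sandbox = true` are not carried over; sandboxing defaults on for Linux, but if restricting who may talk to the daemon was intentional, re-add `allowed-users`. `environment.persistence."/nix/persist"` disagrees with `/nix/persistent` in impermanence.nix, and persisting `/var/lib/nixos` belongs next to the other persistence entries rather than in the Nix-daemon module.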
diff --git a/profiles/security.nix b/profiles/security.nix
index 63c5fe4..40d5bf4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -1,75 +1,72 @@
 {
- pkgs,
 lib,
 config,
- inputs,
 ...
 }: {
- imports = [];
- config = {
- programs.firejail.enable = true;
- security.auditd.enable = true;
- security.audit.enable = true;
- security.audit.rules = [
- "-a exit,always -F arch=b64 -S execve"
- ];
-
- # https://source.android.com/docs/security/test/scudo
- environment.memoryAllocator.provider = "scudo";
- environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
- security.lockKernelModules = true;
- security.protectKernelImage = true;
- security.allowSimultaneousMultithreading = false;
- security.forcePageTableIsolation = true;
-
- security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
-
- security.virtualisation.flushL1DataCache = "always";
-
- security.apparmor.enable = true;
- security.apparmor.killUnconfinedConfinables = true;
-
- # Restrict ptrace() usage to processes with a pre-defined relationship
- # (e.g., parent/child)
- boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-
- # Hide kptrs even for processes with CAP_SYSLOG
- boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
-
- # Disable bpf() JIT (to eliminate spray attacks)
- boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
-
- # Disable ftrace debugging
- boot.kernel.sysctl."kernel.ftrace_enabled" = false;
-
- # Enable strict reverse path filtering (that is, do not attempt to route
- # packets that "obviously" do not belong to the iface's network; dropped
- # packets are logged as martians).
- boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
- boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
-
- # Ignore broadcast ICMP (mitigate SMURF)
- boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
- # Ignore incoming ICMP redirects (note: default is needed to ensure that the
- # setting is applied to interfaces added after the sysctls are set)
- boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
- boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
-
- # Ignore outgoing ICMP redirects (this is ipv4 only)
- boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
-
- security.chromiumSuidSandbox.enable = true;
-
- security.sudo.execWheelOnly = true;
- security.sudo.extraConfig = "Defaults lecture = never";
- };
+ programs.firejail.enable = true;
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+
+ # https://source.android.com/docs/security/test/scudo
+ environment.memoryAllocator.provider = "scudo";
+ environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+ security.lockKernelModules = true;
+ security.protectKernelImage = true;
+ security.allowSimultaneousMultithreading = false;
+ security.forcePageTableIsolation = true;
+
+ security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+ security.virtualisation.flushL1DataCache = "always";
+
+ security.apparmor.enable = true;
+ security.apparmor.killUnconfinedConfinables = true;
+
+ # Restrict ptrace() usage to processes with a pre-defined relationship
+ # (e.g., parent/child)
+ boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+ # Disable ftrace debugging
+ boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+ boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+ # Ignore broadcast ICMP (mitigate SMURF)
+ boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+ # setting is applied to interfaces added after the sysctls are set)
+ boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+ # Ignore outgoing ICMP redirects (this is ipv4 only)
+ boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+ security.chromiumSuidSandbox.enable = true;
+
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = "Defaults lecture = never";
+
+ environment.defaultPackages = lib.mkForce [];
 }
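Review bot: The one genuinely new line, `environment.defaultPackages = lib.mkForce [];`, lands at the bottom of a module whose other settings each carry a why-comment, and its purpose (dropping the stock NixOS default tools so the installed set is fully explicit) is not obvious next to the sysctls; a one-liner such as `# clear the NixOS default package set; anything present must be listed explicitly` would match the file's style. The rest of the hunk is the old body re-indented out of the `config = { ... }` wrapper, which is valid for a module without `options`, so no behaviour change is expected there.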
diff --git a/profiles/ssh.nix b/profiles/ssh.nix index 294f015..a753e86 100644 --- a/profiles/ssh.nix +++ b/profiles/ssh.nix @@ -2,7 +2,6 @@ pkgs, lib, config, - inputs, ... }: { config = { diff --git a/profiles/user.nix b/profiles/tzlil.nix index 7355e85..0e242e1 100644 --- a/profiles/user.nix +++ b/profiles/tzlil.nix @@ -16,20 +16,22 @@ programs.fish.enable = true; # needed now users.users.tzlil = { isNormalUser = true; - description = "Me"; - extraGroups = ["wheel"]; + extraGroups = + ["wheel"] + ++ lib.optional config.virtualisation.docker.enable "docker" + ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd" + ++ lib.optional config.networking.networkmanager.enable "networkmanager" + ++ lib.optional config.programs.light.enable "video" + ++ lib.optional config.programs.adb.enable "adbusers"; packages = [pkgs.git]; shell = pkgs.fish; hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1"; # passwordFile = config.age.secrets.password.path; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" ]; }; - nix.settings.allowed-users = ["root" "tzlil"]; - nix.settings.trusted-users = ["root" "tzlil"]; - home-manager = { useGlobalPkgs = true; useUserPackages = true; |
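Review bot: In the tzlil.nix hunk, `++ lib.optional config.virtualisation.docker.enable "docker"` grants membership of the `docker` group whenever Docker is on, and access to the daemon socket is root-equivalent on the host; alongside `security.sudo.execWheelOnly` this becomes a second, sudo-free privilege path, so either annotate it (`# docker group == root on the host; consider virtualisation.docker.rootless`) or prefer the rootless option. Dropping `nix.settings.allowed-users`/`trusted-users` here is consistent with nix.nix's `trusted-users = ["@wheel"]`, so tzlil retains trusted status through wheel. The `home-manager` block continues past the end of the hunk.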