Diffstat (limited to 'profiles')
-rw-r--r--profiles/core.nix26
-rw-r--r--profiles/network.nix19
-rw-r--r--profiles/security.nix67
-rw-r--r--profiles/user.nix50
4 files changed, 162 insertions, 0 deletions
diff --git a/profiles/core.nix b/profiles/core.nix
new file mode 100644
index 0000000..01ec85a
--- /dev/null
+++ b/profiles/core.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [
+    ../profiles/security.nix
+    ../profiles/network.nix
+  ];
+  config = {
+    system.stateVersion = "22.5";
+    nix = {
+      registry.nixpgs.flake = inputs.nixpkgs;
+      gc.automatic = true;
+      optimise.automatic = true;
+      settings = {
+        allowed-users = ["root"];
+        trusted-users = ["root"];
+        sandbox = true;
+      };
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+    };
+    users.mutableUsers = false;
+    environment.defaultPackages = lib.mkForce [];
+  };
+}
\ No newline at end of file
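Review bot: `registry.nixpgs.flake = inputs.nixpkgs;` misspells the registry entry, so `nix run nixpkgs#…` and friends still resolve `nixpkgs` through the global registry (unpinned, fetched over the network) instead of the flake's locked input; it should read `registry.nixpkgs.flake = inputs.nixpkgs;`. `system.stateVersion = "22.5"` is not a NixOS release string, and user.nix in the same commit uses `"22.05"` for home-manager; the two should agree before first deployment, since stateVersion is not meant to change afterwards. The `../profiles/security.nix` and `../profiles/network.nix` imports resolve to this same directory — `./security.nix` and `./network.nix` say so directly.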
diff --git a/profiles/network.nix b/profiles/network.nix
new file mode 100644
index 0000000..5aee7a1
--- /dev/null
+++ b/profiles/network.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    networking = {
+      firewall = {
+        enable = true;
+        allowPing = false;
+        allowedTCPPorts = [];
+        checkReversePath = "loose";
+      };
+      networkmanager.enable = true;
+      useDHCP = false;
+      nameservers = ["127.0.0.1" "::1"];
+      networkmanager.dns = "none";
+    };
+  };
+}
\ No newline at end of file
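Review bot: `nameservers = ["127.0.0.1" "::1"]` combined with `networkmanager.dns = "none"` sends all resolution to a local resolver, but nothing in this change enables one, so unless another module does (a `services.unbound`/`dnscrypt-proxy2`/`stubby`-style stub), name resolution fails at boot without any obvious error. I would state the dependency next to the setting, e.g. `# relies on a local stub resolver bound to 127.0.0.1/::1 — enabled in <module>`, so the profile cannot be imported on its own by accident. Separately, `checkReversePath = "loose"` sits beside security.nix setting `net.ipv4.conf.{all,default}.rp_filter = "1"` (strict); as far as I can tell the kernel sysctl applies independently of the firewall's rpfilter rule and is the stricter of the two, so either the loose firewall check is moot or the sysctl should be relaxed — a one-line comment saying which behaviour is intended would settle it.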
diff --git a/profiles/security.nix b/profiles/security.nix
new file mode 100644
index 0000000..e28431b
--- /dev/null
+++ b/profiles/security.nix
@@ -0,0 +1,67 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    security.auditd.enable = true;
+    security.audit.enable = true;
+    security.audit.rules = [
+      "-a exit,always -F arch=b64 -S execve"
+    ];
+
+    environment.memoryAllocator.provider = "scudo";
+    environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+    security.lockKernelModules = true;
+    security.protectKernelImage = true;
+    security.allowSimultaneousMultithreading = false;
+    security.forcePageTableIsolation = true;
+
+    security.virtualisation.flushL1DataCache = "always";
+
+    security.apparmor.enable = true;
+    security.apparmor.killUnconfinedConfinables = true;
+
+    # Restrict ptrace() usage to processes with a pre-defined relationship
+    # (e.g., parent/child)
+    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+    # Hide kptrs even for processes with CAP_SYSLOG
+    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+    # Disable bpf() JIT (to eliminate spray attacks)
+    boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+    # Disable ftrace debugging
+    boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+    # Enable strict reverse path filtering (that is, do not attempt to route
+    # packets that "obviously" do not belong to the iface's network; dropped
+    # packets are logged as martians).
+    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+    # Ignore broadcast ICMP (mitigate SMURF)
+    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+    # setting is applied to interfaces added after the sysctls are set)
+    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+    # Ignore outgoing ICMP redirects (this is ipv4 only)
+    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+    security.chromiumSuidSandbox.enable = true;
+    
+    security.sudo.execWheelOnly = true;
+    security.sudo.extraConfig = "Defaults        lecture = never";
+  };
+}
\ No newline at end of file
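Review bot: The audit rule `-a exit,always -F arch=b64 -S execve` records only 64-bit `execve`; a 32-bit compat binary or an `execveat` call is not logged, so the execution trail this profile is presumably after has gaps. Add a `b32` counterpart and include `execveat` on both: `"-a exit,always -F arch=b64 -S execve,execveat"` and `"-a exit,always -F arch=b32 -S execve,execveat"`. `security.chromiumSuidSandbox.enable = true` installs a setuid-root helper; it is only needed when unprivileged user namespaces are disabled, and nothing in this diff disables them, so unless another module sets `security.unprivilegedUsernsClone = false` this just adds a setuid binary to a hardened profile. Note also that `security.lockKernelModules = true` blocks module loading after boot, while network.nix enables NetworkManager, which may load modules on demand (tun, wireguard, wifi drivers); anything it needs has to be listed in `boot.kernelModules`, or the failure will surface only at runtime.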
diff --git a/profiles/user.nix b/profiles/user.nix
new file mode 100644
index 0000000..ee29bad
--- /dev/null
+++ b/profiles/user.nix
@@ -0,0 +1,50 @@
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.home-manager.nixosModules."home-manager"
+    inputs.agenix.nixosModules
+  ];
+  config = {
+    users.users.tzlil = {
+      isNormalUser = true;
+      description = "Me";
+      extraGroups = ["wheel"];
+      packages = [pkgs.git];
+      shell = pkgs.fish;
+      hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
+      ];
+    };
+
+    nix.settings.allowed-users = ["root" "tzlil"];
+    nix.settings.trusted-users = ["root" "tzlil"];
+
+    age.secrets.id_ed25519 = {
+      file = ../secrets/id_ed25519.age;
+      mode = "600";
+      owner = "tzlil";
+      group = "tzlil";
+    };
+
+    home-manager.nixosModules.home-manager = {
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+      home-manager.backupFileExtension = "backup";
+    };
+
+    home-manager.users.tzlil = {pkgs, ...}@hm: {
+      home = {
+        stateVersion = "22.05";
+        username = "tzlil";
+        homeDirectory = "/home/tzlil";
+      };
+      programs.ssh.matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path;
+    };
+  };
+}
\ No newline at end of file
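Review bot: `hashedPassword = "$5$…"` commits a SHA-crypt hash to the repository and bakes it into the world-readable Nix store, where it can be cracked offline; since agenix is already imported in this file, it should be `hashedPasswordFile = config.age.secrets.<name>.path;` — and with `users.mutableUsers = false` in core.nix this is the only place the password comes from, so the repository copy is the live credential. Adding `tzlil` to `nix.settings.trusted-users` is effectively a root grant (trusted users can turn off the sandbox and add substituters), which undoes the `trusted-users = ["root"]` restriction in core.nix; `allowed-users` alone is sufficient for a user who only builds. Separately, `home-manager.nixosModules.home-manager = { … }` is not a NixOS option and should make evaluation fail; the three settings belong directly under `config` as `home-manager.useGlobalPkgs = true;`, `home-manager.useUserPackages = true;` and `home-manager.backupFileExtension = "backup";`.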