From 24637dfdfdd6dc8d116542f16a07d808c9e43c36 Mon Sep 17 00:00:00 2001
From: tzlil
Date: Tue, 13 Dec 2022 02:15:50 +0200
Subject: first commit
---
.gitignore | 2 ++
flake.nix | 31 +++++++++++++++++++++++
hosts/vm/cfg.nix | 17 +++++++++++++
mixins/cli.nix | 42 +++++++++++++++++++++++++++++++
mixins/tailscale.nix | 11 +++++++++
profiles/core.nix | 26 ++++++++++++++++++++
profiles/network.nix | 19 ++++++++++++++
profiles/security.nix | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++
profiles/user.nix | 50 +++++++++++++++++++++++++++++++++++++
run.sh | 2 ++
secrets/id_ed25519.age | 11 +++++++++
secrets/secrets.nix | 9 +++++++
12 files changed, 287 insertions(+)
create mode 100644 .gitignore
create mode 100644 flake.nix
create mode 100644 hosts/vm/cfg.nix
create mode 100644 mixins/cli.nix
create mode 100644 mixins/tailscale.nix
create mode 100644 profiles/core.nix
create mode 100644 profiles/network.nix
create mode 100644 profiles/security.nix
create mode 100644 profiles/user.nix
create mode 100755 run.sh
create mode 100644 secrets/id_ed25519.age
create mode 100644 secrets/secrets.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..af6411a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.img
+*.fd
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..299e906
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,31 @@
+{
+ description = "tzlil's system";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ impermanence.url = "github:nix-community/impermanence";
+ agenix.url = "github:ryantm/agenix";
+ nixos-hardware.url = "github:nixos/nixos-hardware";
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs: let
+ mkSystem_ = pkgs: system: h: modules:
+ pkgs.lib.nixosSystem {
+ system = system;
+ modules = [./hosts/${h}/cfg.nix] ++ modules;
+ specialArgs = {inherit inputs;};
+ };
+ mkSystem = pkgs: system: h: (mkSystem_ pkgs system h [
+ inputs.agenix.nixosModule inputs.impermanence.nixosModules.impermanence
+ ]);
+ in {
+ nixosConfigurations = {
+ # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc";
+ vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm";
+ };
+ };
+}
diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix
new file mode 100644
index 0000000..1b17ea6
--- /dev/null
+++ b/hosts/vm/cfg.nix
@@ -0,0 +1,17 @@
+{config}: {
+ imports = [
+ "../profiles/core.nix"
+ "../profiles/user.nix"
+ "../mixins/tailscale.nix"
+ ]
+
+ config = {
+ boot.supportedFilesystems = ["9p"];
+ fileSystems."/flake" = {
+ fsType = "9p";
+ device = "host0";
+ options = ["_netdev"];
+ };
+ boot.kernelParams = [ "console=ttyS0" ];
+ };
+}
\ No newline at end of file
diff --git a/mixins/cli.nix b/mixins/cli.nix
new file mode 100644
index 0000000..c5ff7b9
--- /dev/null
+++ b/mixins/cli.nix
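Review bot: The module list passed by `mkSystem` spells the agenix module `inputs.agenix.nixosModule`, while mixins/cli.nix and profiles/user.nix import `inputs.agenix.nixosModules`; one of the two spellings will not resolve against the agenix flake, and since `mkSystem` already injects agenix and impermanence into every host, the per-module imports in those two files are redundant and can be dropped. Only home-manager is pinned with `inputs.nixpkgs.follows`; agenix declares its own nixpkgs input, so the lock file will presumably carry a second nixpkgs revision unless it gets the same `inputs.nixpkgs.follows = "nixpkgs";`. `system = system;` in `mkSystem_` reads more idiomatically as `inherit system;`.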
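Review bot: The imports list at the top of hosts/vm/cfg.nix is missing its terminating `;` after `]`, so the file does not parse. The entries are quoted strings one directory level short: from `hosts/vm/` the profiles live at `../../profiles/`, and module paths should be unquoted path literals, e.g. `imports = [ ../../profiles/core.nix ../../profiles/user.nix ../../mixins/tailscale.nix ];`. The header `{config}:` also lacks `...`, so the extra arguments the module system passes (`pkgs`, `lib`, `options`) will be rejected; `{config, ...}:` fixes that.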
@@ -0,0 +1,42 @@
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ ...
+}: {
+ imports = [
+ inputs.home-manager.nixosModules."home-manager"
+ inputs.agenix.nixosModules
+ ];
+ config = {
+ home-manager.users.tzlil = {pkgs, ...}@hm: {
+ home = {
+ packages = with pkgs; [
+ rsync
+ curl
+ ripgrep
+ ];
+ programs = {
+ ssh.enable = true;
+ git = {
+ userName = "tzlil";
+ userEmail = "tzlils@protonmail.com";
+ enable = true;
+ };
+ fish = {
+ enable = true;
+ shellAliases = {
+ gc = "git clone";
+ l = "ls -alh";
+ };
+ functions = {
+ sb.body = "sudo nixos-rebuild build --flake ~/sources/nixcfg#(hostname)";
+ sw.body = "sudo nixos-rebuild switch --flake ~/sources/nixcfg#(hostname)";
+ };
+ };
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/mixins/tailscale.nix b/mixins/tailscale.nix
new file mode 100644
index 0000000..8be3147
--- /dev/null
+++ b/mixins/tailscale.nix
@@ -0,0 +1,11 @@
+{ pkgs, config, ... }:
+
+{
+ config = {
+ services.tailscale.enable = true;
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [41641];
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/core.nix b/profiles/core.nix
new file mode 100644
index 0000000..01ec85a
--- /dev/null
+++ b/profiles/core.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ imports = [
+ ../profiles/security.nix
+ ../profiles/network.nix
+ ];
+ config = {
+ system.stateVersion = "22.5";
+ nix = {
+ registry.nixpgs.flake = inputs.nixpkgs;
+ gc.automatic = true;
+ optimise.automatic = true;
+ settings = {
+ allowed-users = ["root"];
+ trusted-users = ["root"];
+ sandbox = true;
+ };
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+ users.mutableUsers = false;
+ environment.defaultPackages = lib.mkForce [];
+ };
+}
\ No newline at end of file
diff --git a/profiles/network.nix b/profiles/network.nix
new file mode 100644
index 0000000..5aee7a1
--- /dev/null
+++ b/profiles/network.nix
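Review bot: `programs = { ... }` in mixins/cli.nix sits inside the `home = { ... }` attrset (it follows `packages` before `home`'s closing brace), so home-manager evaluates it as `home.programs`, which is not an option; `programs` has to be a sibling of `home`, with `home` closed right after the `packages` list. The `@hm` pattern binding on the `home-manager.users.tzlil` module is never used and can go. No host in this commit imports mixins/cli.nix (hosts/vm/cfg.nix pulls in core, user and tailscale only), so the evaluation error will only surface once it is wired in.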
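Review bot: `trustedInterfaces = [ "tailscale0" ]` bypasses the firewall for every port on the tailnet side, which undoes the `allowedTCPPorts = []` posture set in profiles/network.nix for any peer on the tailnet. If only specific services should be reachable over Tailscale, prefer the per-interface form, e.g. `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ /* ports */ ];`, and keep the default interface set closed. The hardcoded `allowedUDPPorts = [41641]` should track the service option instead, `allowedUDPPorts = [ config.services.tailscale.port ];`, so the two cannot drift apart.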
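Review bot: `system.stateVersion = "22.5"` in profiles/core.nix is not a NixOS release string; releases are `YY.MM`, and profiles/user.nix already uses `"22.05"` for home-manager, so this should be `system.stateVersion = "22.05";`. `registry.nixpgs.flake` misspells the registry entry (`nixpgs`), which silently registers the flake under the wrong name so `nixpkgs#...` lookups will not hit it. The `extraOptions` heredoc can be expressed as the typed `settings.experimental-features = [ "nix-command" "flakes" ];`, which merges with the other `settings` entries instead of being appended as raw text.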
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ imports = [];
+ config = {
+ networking = {
+ firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [];
+ checkReversePath = "loose";
+ };
+ networkmanager.enable = true;
+ useDHCP = false;
+ nameservers = ["127.0.0.1" "::1"];
+ networkmanager.dns = "none";
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/security.nix b/profiles/security.nix
new file mode 100644
index 0000000..e28431b
--- /dev/null
+++ b/profiles/security.nix
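Review bot: `nameservers = ["127.0.0.1" "::1"]` together with `networkmanager.dns = "none"` points all resolution at a local resolver, but nothing in this commit enables one (hosts/vm imports core, which imports network, and no resolver service appears anywhere), so name resolution on the vm will presumably fail until a stub resolver is added; either enable one in this profile or defer the override. `checkReversePath = "loose"` also sits next to `net.ipv4.conf.{all,default}.rp_filter = "1"` (strict) in profiles/security.nix; the firewall's rpfilter rule and the sysctl are separate mechanisms, so the effective policy is likely strict and the `"loose"` setting is misleading. Pick one and leave a comment saying why.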
@@ -0,0 +1,67 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ imports = [];
+ config = {
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+
+ environment.memoryAllocator.provider = "scudo";
+ environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+ security.lockKernelModules = true;
+ security.protectKernelImage = true;
+ security.allowSimultaneousMultithreading = false;
+ security.forcePageTableIsolation = true;
+
+ security.virtualisation.flushL1DataCache = "always";
+
+ security.apparmor.enable = true;
+ security.apparmor.killUnconfinedConfinables = true;
+
+ # Restrict ptrace() usage to processes with a pre-defined relationship
+ # (e.g., parent/child)
+ boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+ # Disable ftrace debugging
+ boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+ boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+ # Ignore broadcast ICMP (mitigate SMURF)
+ boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+ # setting is applied to interfaces added after the sysctls are set)
+ boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+ # Ignore outgoing ICMP redirects (this is ipv4 only)
+ boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+ security.chromiumSuidSandbox.enable = true;
+
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = "Defaults lecture = never";
+ };
+}
\ No newline at end of file
diff --git a/profiles/user.nix b/profiles/user.nix
new file mode 100644
index 0000000..ee29bad
--- /dev/null
+++ b/profiles/user.nix
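Review bot: The audit rule `"-a exit,always -F arch=b64 -S execve"` near the top of profiles/security.nix records only 64-bit `execve`; 32-bit compat calls and `execveat` are not logged, which leaves a gap in the process-execution trail this profile is otherwise built to keep. Suggested rules: `"-a exit,always -F arch=b64 -S execve,execveat"` and `"-a exit,always -F arch=b32 -S execve,execveat"`. The comment on `net.core.bpf_jit_enable` says the JIT is disabled to eliminate spray attacks, but `kernel.unprivileged_bpf_disabled` is not set, so unprivileged bpf() stays reachable; `boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 1;` next to it would complete that intent. The `rp_filter`/`log_martians` block is described by the comment that ends the previous physical line; the values (`"1"` = strict) match it.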
@@ -0,0 +1,50 @@
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ ...
+}: {
+ imports = [
+ inputs.home-manager.nixosModules."home-manager"
+ inputs.agenix.nixosModules
+ ];
+ config = {
+ users.users.tzlil = {
+ isNormalUser = true;
+ description = "Me";
+ extraGroups = ["wheel"];
+ packages = [pkgs.git];
+ shell = pkgs.fish;
+ hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
+ ];
+ };
+
+ nix.settings.allowed-users = ["root" "tzlil"];
+ nix.settings.trusted-users = ["root" "tzlil"];
+
+ age.secrets.id_ed25519 = {
+ file = ../secrets/id_ed25519.age;
+ mode = "600";
+ owner = "tzlil";
+ group = "tzlil";
+ };
+
+ home-manager.nixosModules.home-manager = {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.backupFileExtension = "backup";
+ };
+
+ home-manager.users.tzlil = {pkgs, ...}@hm: {
+ home = {
+ stateVersion = "22.05";
+ username = "tzlil";
+ homeDirectory = "/home/tzlil";
+ };
+ programs.ssh.matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path;
+ };
+ };
+}
\ No newline at end of file
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..7e89e0d
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+qemu-kvm -enable-kvm -m 4G -cpu host -smp 2 -hda nixos-test.img -virtfs local,path=/home/tzlil/newflake,mount_tag=host0,security_model=passthrough,id=host0 -bios OVMF.fd -vga virtio -display gtk,gl=on,show-cursor=on -usb -device usb-mouse
diff --git a/secrets/id_ed25519.age b/secrets/id_ed25519.age
new file mode 100644
index 0000000..64ee68f
--- /dev/null
+++ b/secrets/id_ed25519.age
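Review bot: `hashedPassword` in profiles/user.nix commits the login hash to the repository, and the `$5$` (sha256-crypt) scheme is fast enough that anyone with read access to the repo can run offline guessing against it; agenix is already wired up in this very file, so move the hash into a secret and reference it with `users.users.tzlil.passwordFile = config.age.secrets.<SECRET_NAME>.path;` (`hashedPasswordFile` on newer NixOS), and prefer a yescrypt `$y$` hash when rotating. `home-manager.nixosModules.home-manager = { ... };` in the middle of the hunk is not an option path and will fail evaluation; the three settings belong at the config level: `home-manager.useGlobalPkgs = true;`, `home-manager.useUserPackages = true;`, `home-manager.backupFileExtension = "backup";`. Adding `tzlil` to `nix.settings.trusted-users` is root-equivalent for the Nix daemon (trusted users can add substituters and relax the sandbox); the user is already in `wheel`, so it is not a new privilege, but a one-line comment recording that intent would help the next reader.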
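Review bot: `security_model=passthrough` on the `-virtfs` share gives the guest write access to `/home/tzlil/newflake` limited only by the QEMU process's own host privileges, and that directory is the flake source the host later rebuilds from, so a compromised guest could alter the host's own configuration tree; `security_model=mapped-xattr` with `readonly=on` keeps the share usable for a rebuild inside the vm without host-side write access. The host path and image names are hardcoded; `set -eu` and `exec qemu-kvm ...` would make the wrapper fail loudly and not leave a parent shell behind.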
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 BCUvfQ dvwbiu7/kFy2YfjSXbVdFAWMwbG3sDWXlHv5X4Hn92Q +lbTPW6ic0euvWIOi5Te2tSbtvQPAUn2CfZcseSTDOa4 +-> ssh-ed25519 7WlLXw wJeviJZ+bZLUJVqe3kVu5TC1bXb2uY7nYC+7c2xigTc +3Sm9erDBILh5R2GxcwoVEsUqGJ5TNyFrhe3Bx9NlQJ8 +-> y1$)b6-grease ?`{4V#EJ +w;l9w bb\|(<9 3Gx*xD +NF2bdrX6TVFaUyMp044VRi7ZikFB6Wfn/U5WEYRxTszdMwXtlw +--- kGm0bJlpAeNm9HT6uMIhQArcAIccwXf46G96IqUBWZM +A.&3(sDHfD-3siDH+߶Ò/4["@ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..bf4b037 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,9 @@ +let + tzlil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"; + + vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS"; + systems = [ vm ]; +in +{ + "id_ed25519.age".publicKeys = [ tzlil ] ++ systems; +} \ No newline at end of file -- cgit 1.4.1
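Review bot: `id_ed25519.age` is encrypted to `tzlil` and to the `vm` host key, and `tzlil` is the same ssh-ed25519 public key that profiles/user.nix lists in `openssh.authorizedKeys.keys`. If the private half of that key is what `id_ed25519.age` holds (the file name suggests so), the vm ends up with a key that both logs in as tzlil on every host trusting it and decrypts every secret in this file, so a compromise of the vm would be a compromise of the whole secret store. A separate SSH identity for the vm, with the recipient key used only from the admin machine, keeps those roles apart.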