From feefcfc89b00d4955dbb3314c20be035f3db206f Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sat, 29 Jul 2023 20:53:14 +0300
Subject: disko for laptop, wip rewrite
---
profiles/core.nix | 65 +++++++++++-----------
profiles/default.nix | 8 +++
profiles/impermanence.nix | 29 ++++++++++
profiles/nix.nix | 44 +++++++++++++++
profiles/security.nix | 135 +++++++++++++++++++++++-----------------------
profiles/ssh.nix | 1 -
profiles/tzlil.nix | 78 +++++++++++++++++++++++++++
profiles/user.nix | 76 --------------------------
8 files changed, 255 insertions(+), 181 deletions(-)
create mode 100644 profiles/default.nix
create mode 100644 profiles/impermanence.nix
create mode 100644 profiles/nix.nix
create mode 100644 profiles/tzlil.nix
delete mode 100644 profiles/user.nix
(limited to 'profiles')
diff --git a/profiles/core.nix b/profiles/core.nix
index 3eca577..4fefbdd 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -5,44 +5,39 @@
 inputs,
 ...
 }: {
- imports = [
- ../profiles/security.nix
- ../profiles/network.nix
- ];
+ # imports = [
+ # ../profiles/security.nix
+ # ../profiles/network.nix
+ # ];
 config = {
- system.stateVersion = "22.5";
- nix = {
- registry.nixpkgs.flake = inputs.nixpkgs;
- gc.automatic = true;
- optimise.automatic = true;
- settings = {
- allowed-users = ["root"];
- trusted-users = ["root"];
- sandbox = true;
- };
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
- };
- users.mutableUsers = false;
- environment.defaultPackages = lib.mkForce [];
+ # system.stateVersion = "22.5";
+ # nix = {
+ # registry.nixpkgs.flake = inputs.nixpkgs;
+ # gc.automatic = true;
+ # optimise.automatic = true;
+ # settings = {
+ # allowed-users = ["root"];
+ # trusted-users = ["root"];
+ # sandbox = true;
+ # };
+ # extraOptions = ''
+ # experimental-features = nix-command flakes
+ # '';
+ # };
+ # users.mutableUsers = false;
+ # environment.defaultPackages = lib.mkForce [];
- age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];
- # causing issues, fix this
 programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite;
- # save uid/guid
- environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
-
- boot = {
- tmp.cleanOnBoot = true;
- kernelParams = [
- "init_on_free=1"
- "page_poison=1"
- "page_alloc.shuffle=1"
- "slab_nomerge"
- "vsyscall=none"
- ];
- };
+ # boot = {
+ # tmp.cleanOnBoot = true;
+ # kernelParams = [
+ # "init_on_free=1"
+ # "page_poison=1"
+ # "page_alloc.shuffle=1"
+ # "slab_nomerge"
+ # "vsyscall=none"
+ # ];
+ # };
 };
 }
diff --git a/profiles/default.nix b/profiles/default.nix
new file mode 100644
index 0000000..77921b6
--- /dev/null
+++ b/profiles/default.nix
@@ -0,0 +1,8 @@
+{inputs, ...}: {
+ flake.nixosModules = {
+ nix = import ./nix.nix {inherit inputs;};
+ security = ./security.nix;
+ tzlil = ./tzlil.nix;
+ ssh = ./ssh.nix;
+ };
+}
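Review bot: `users.mutableUsers = false;` is commented out in this hunk and no other file in the commit sets it, so the system falls back to NixOS's default of mutable users: per the option's documentation, passwords can then be changed with `passwd` and accounts not declared in the configuration are merged in on activation rather than removed, which undercuts the `hashedPassword`-managed user in tzlil.nix. The same applies to `boot.tmp.cleanOnBoot = true;`, which impermanence.nix still assumes when it persists `/tmp`. If these are meant to move into the new flake modules, put `users.mutableUsers = false;` in tzlil.nix next to the user and `boot.tmp.cleanOnBoot = true;` in impermanence.nix, and delete the commented-out copies here rather than leaving dead config behind.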
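Review bot: `impermanence.nix` is created in this commit but not exported from this attribute set, while `nix.nix` (exported as `nix`) sets `environment.persistence."/nix/persist"`, an option that only exists once the impermanence module is imported; a host that imports `nixosModules.nix` alone will fail evaluation on an undefined option. Add `impermanence = ./impermanence.nix;` here and import it wherever `nix` is used, or move the `/var/lib/nixos` persistence entry out of `nix.nix` into impermanence.nix.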
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
new file mode 100644
index 0000000..5ee9c97
--- /dev/null
+++ b/profiles/impermanence.nix
@@ -0,0 +1,29 @@
+{inputs, ...}: {
+ config,
+ lib,
+ options,
+ ...
+}: let
+ sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
+in {
+ imports = [inputs.impermanence.nixosModules.impermanence];
+
+ config = lib.mkMerge [
+ {
+ environment.persistence."/nix/persistent" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/systemd/coredump"
+ "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot)
+ ];
+ files =
+ [
+ "/etc/machine-id"
+ ]
+ ++ sshHostKeys;
+ };
+ }
+ (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;})
+ ];
+}
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..769a06a
--- /dev/null
+++ b/profiles/nix.nix
@@ -0,0 +1,44 @@
+{
+ inputs,
+ pkgs,
+ ...
+}: {
+ nix = {
+ package = pkgs.nixUnstable;
+ registry.nixpkgs.flake = inputs.nixpkgs;
+ nixPath = [
+ "nixpkgs=flake:nixpkgs"
+ ];
+ gc.automatic = true;
+ optimise.automatic = true;
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ "cgroups"
+ "auto-allocate-uids"
+ "repl-flake"
+ "no-url-literals"
+ ];
+ use-cgroups = true;
+ auto-allocate-uids = true;
+ builders-use-substitutes = true;
+ auto-optimise-store = true;
+ warn-dirty = false;
+ trusted-users = [
+ "@wheel"
+ ];
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ # save uid/guid
+ environment.persistence."/nix/persist".directories = ["/var/lib/nixos"];
+}
diff --git a/profiles/security.nix b/profiles/security.nix
index 63c5fe4..40d5bf4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
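Review bot: The comment on the `"/tmp"` entry says `/tmp` is still cleaned on boot, but the only `boot.tmp.cleanOnBoot = true;` in this diff is the one core.nix comments out in the same commit, so persisting `/tmp` under `/nix/persistent` now keeps build scratch files and anything else dropped there across reboots. Set `boot.tmp.cleanOnBoot = true;` in this module, next to the persistence entry, so the comment holds without depending on another file. Persisting `/var/lib/systemd/coredump` likewise keeps core dumps, which can contain process memory such as unlocked key material, on disk indefinitely; if that is intended, say so in a comment, otherwise drop the entry or limit storage via `systemd.coredump.extraConfig`.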
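Review bot: `trusted-users = ["@wheel"]` makes every wheel member a trusted user of the Nix daemon, which Nix documents as effectively root since trusted users can set arbitrary substituters, sandbox paths and builders; the configuration this replaces restricted it to `root`, with user.nix adding `tzlil` by name. Because `security.sudo.execWheelOnly` already gives wheel root, the practical widening is small, but naming `tzlil` explicitly rather than the whole group keeps the previous scope. Separately, this file persists `/var/lib/nixos` under `/nix/persist` while impermanence.nix uses `/nix/persistent`; if only one of those is the real persistent mount the uid/gid map the comment refers to is lost on reboot and ids can be reassigned, which also matters for the hard-coded `/run/user/1000` in tzlil.nix. Use a single root, e.g. `environment.persistence."/nix/persistent".directories = ["/var/lib/nixos"];`, and note that this option is only defined when the impermanence module is imported, which this file does not do.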
@@ -1,75 +1,72 @@
 {
- pkgs,
 lib,
 config,
- inputs,
 ...
 }: {
- imports = [];
- config = {
- programs.firejail.enable = true;
- security.auditd.enable = true;
- security.audit.enable = true;
- security.audit.rules = [
- "-a exit,always -F arch=b64 -S execve"
- ];
-
- # https://source.android.com/docs/security/test/scudo
- environment.memoryAllocator.provider = "scudo";
- environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
- security.lockKernelModules = true;
- security.protectKernelImage = true;
- security.allowSimultaneousMultithreading = false;
- security.forcePageTableIsolation = true;
-
- security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
-
- security.virtualisation.flushL1DataCache = "always";
-
- security.apparmor.enable = true;
- security.apparmor.killUnconfinedConfinables = true;
-
- # Restrict ptrace() usage to processes with a pre-defined relationship
- # (e.g., parent/child)
- boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
-
- # Hide kptrs even for processes with CAP_SYSLOG
- boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
-
- # Disable bpf() JIT (to eliminate spray attacks)
- boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
-
- # Disable ftrace debugging
- boot.kernel.sysctl."kernel.ftrace_enabled" = false;
-
- # Enable strict reverse path filtering (that is, do not attempt to route
- # packets that "obviously" do not belong to the iface's network; dropped
- # packets are logged as martians).
- boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
- boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
-
- # Ignore broadcast ICMP (mitigate SMURF)
- boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
- # Ignore incoming ICMP redirects (note: default is needed to ensure that the
- # setting is applied to interfaces added after the sysctls are set)
- boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
- boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
- boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
-
- # Ignore outgoing ICMP redirects (this is ipv4 only)
- boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
- boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
-
- security.chromiumSuidSandbox.enable = true;
-
- security.sudo.execWheelOnly = true;
- security.sudo.extraConfig = "Defaults lecture = never";
- };
+ programs.firejail.enable = true;
+ security.auditd.enable = true;
+ security.audit.enable = true;
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+
+ # https://source.android.com/docs/security/test/scudo
+ environment.memoryAllocator.provider = "scudo";
+ environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+ security.lockKernelModules = true;
+ security.protectKernelImage = true;
+ security.allowSimultaneousMultithreading = false;
+ security.forcePageTableIsolation = true;
+
+ security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+ security.virtualisation.flushL1DataCache = "always";
+
+ security.apparmor.enable = true;
+ security.apparmor.killUnconfinedConfinables = true;
+
+ # Restrict ptrace() usage to processes with a pre-defined relationship
+ # (e.g., parent/child)
+ boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+
+ # Disable ftrace debugging
+ boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+ boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+
+ # Ignore broadcast ICMP (mitigate SMURF)
+ boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+ # setting is applied to interfaces added after the sysctls are set)
+ boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+
+ # Ignore outgoing ICMP redirects (this is ipv4 only)
+ boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+
+ security.chromiumSuidSandbox.enable = true;
+
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = "Defaults lecture = never";
+
+ environment.defaultPackages = lib.mkForce [];
 }
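Review bot: This module now stands alone as `nixosModules.security`, but the kernel-hardening `boot.kernelParams` (`init_on_free=1`, `page_poison=1`, `page_alloc.shuffle=1`, `slab_nomerge`, `vsyscall=none`) that core.nix comments out in this commit are not carried over, so a host importing the new module silently loses them. They belong beside the sysctl hardening kept here: `boot.kernelParams = ["init_on_free=1" "page_poison=1" "page_alloc.shuffle=1" "slab_nomerge" "vsyscall=none"];`. The rest of the hunk is a reindent after dropping the `config = { … }` wrapper and the unused `pkgs`/`inputs` arguments, which looks behavior-preserving.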
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index 294f015..a753e86 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -2,7 +2,6 @@
 pkgs,
 lib,
 config,
- inputs,
 ...
 }: {
 config = {
diff --git a/profiles/tzlil.nix b/profiles/tzlil.nix
new file mode 100644
index 0000000..0e242e1
--- /dev/null
+++ b/profiles/tzlil.nix
@@ -0,0 +1,78 @@
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ ...
+}: {
+ config = {
+ age.secrets.id_ed25519 = {
+ file = ../secrets/id_ed25519.age;
+ mode = "600";
+ owner = "tzlil";
+ group = "users";
+ };
+
+ programs.fish.enable = true; # needed now
+ users.users.tzlil = {
+ isNormalUser = true;
+ extraGroups =
+ ["wheel"]
+ ++ lib.optional config.virtualisation.docker.enable "docker"
+ ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd"
+ ++ lib.optional config.networking.networkmanager.enable "networkmanager"
+ ++ lib.optional config.programs.light.enable "video"
+ ++ lib.optional config.programs.adb.enable "adbusers";
+ packages = [pkgs.git];
+ shell = pkgs.fish;
+ hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1";
+ # passwordFile = config.age.secrets.password.path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"
+ ];
+ };
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ backupFileExtension = "backup";
+ };
+
+ home-manager.users.tzlil = {pkgs, ...} @ hm: {
+ home = {
+ stateVersion = "22.05";
+ username = "tzlil";
+ homeDirectory = "/home/tzlil";
+ sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent";
+ };
+ programs.ssh = {
+ enable = true;
+ userKnownHostsFile = builtins.toFile "known_hosts" "
+ pc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINu5lRKb1Ao4uj1tAV10QHKIvXfC8ncQ65b+oJtxrd1e
+ vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS
+ vps ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdOuj27GB703ZRKRqhytlaLJsKucaRa//yswxijAZT7
+ ";
+ matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path;
+ };
+ systemd.user.services.ssh-agent = let
+ agentTimeout = "1h";
+ in {
+ Unit = {
+ Description = "SSH Agent";
+ After = ["default.target"];
+ };
+ Service = {
+ ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
+ ExecStart =
+ "${pkgs.openssh}/bin/ssh-agent "
+ + "-t ${agentTimeout} "
+ + "-a %t/ssh-agent";
+ StandardOutput = "null";
+ Type = "forking";
+ Restart = "on-failure";
+ SuccessExitStatus = "0 2";
+ };
+ };
+ };
+ };
+}
diff --git a/profiles/user.nix b/profiles/user.nix
deleted file mode 100644
index 7355e85..0000000
--- a/profiles/user.nix
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- pkgs,
- lib,
- config,
- inputs,
- ...
-}: {
- config = {
- age.secrets.id_ed25519 = {
- file = ../secrets/id_ed25519.age;
- mode = "600";
- owner = "tzlil";
- group = "users";
- };
-
- programs.fish.enable = true; # needed now
- users.users.tzlil = {
- isNormalUser = true;
- description = "Me";
- extraGroups = ["wheel"];
- packages = [pkgs.git];
- shell = pkgs.fish;
- hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1";
- # passwordFile = config.age.secrets.password.path;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
- ];
- };
-
- nix.settings.allowed-users = ["root" "tzlil"];
- nix.settings.trusted-users = ["root" "tzlil"];
-
- home-manager = {
- useGlobalPkgs = true;
- useUserPackages = true;
- backupFileExtension = "backup";
- };
-
- home-manager.users.tzlil = {pkgs, ...} @ hm: {
- home = {
- stateVersion = "22.05";
- username = "tzlil";
- homeDirectory = "/home/tzlil";
- sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent";
- };
- programs.ssh = {
- enable = true;
- userKnownHostsFile = builtins.toFile "known_hosts" "
- pc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINu5lRKb1Ao4uj1tAV10QHKIvXfC8ncQ65b+oJtxrd1e
- vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS
- vps ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdOuj27GB703ZRKRqhytlaLJsKucaRa//yswxijAZT7
- ";
- matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path;
- };
- systemd.user.services.ssh-agent = let
- agentTimeout = "1h";
- in {
- Unit = {
- Description = "SSH Agent";
- After = ["default.target"];
- };
- Service = {
- ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
- ExecStart =
- "${pkgs.openssh}/bin/ssh-agent "
- + "-t ${agentTimeout} "
- + "-a %t/ssh-agent";
- StandardOutput = "null";
- Type = "forking";
- Restart = "on-failure";
- SuccessExitStatus = "0 2";
- };
- };
- };
- };
-}
-- cgit 1.4.1