b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

core/networking: harden all the things

Browse source
This commit is contained in:
Benjamin Yule Bädorf 2024-03-30 15:35:32 +01:00
parent b3ff15b0a4
commit e127ae6062
Signed by: b12f
GPG key ID: 729956E1124F8F26
11 changed files with 74 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
flake.lock
View file

@ -423,11 +423,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1711485334, "lastModified": 1711717242,
"narHash": "sha256-qOHrFSfo6W5J5RkkJy7xLSECKaK/NITQXfeh715fD7s=", "narHash": "sha256-PW9J9sFw5DA4Fo3Cq4Soc+an6tjTS4VV2NxG6G0UMqw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e19e9bceda53148e8dd6e8f54bf19375e5e60af9", "rev": "824952ff6b32b0019465b139b5c76d915ec074ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -439,11 +439,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1711333969, "lastModified": 1711523803,
"narHash": "sha256-5PiWGn10DQjMZee5NXzeA6ccsv60iLu+Xtw+mfvkUAs=", "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "57e6b3a9e4ebec5aa121188301f04a6b8c354c9b", "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -487,11 +487,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1711124224, "lastModified": 1711460390,
"narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=", "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "56528ee42526794d413d6f244648aaee4a7b56c0", "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
hosts/droppie/networking.nix
View file

@ -15,7 +15,6 @@
# Allow pub.solar restic backups # Allow pub.solar restic backups
services.openssh.allowSFTP = true; services.openssh.allowSFTP = true;
services.openssh.openFirewall = true;
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age"; age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";

1
hosts/frikandel/configuration.nix
View file

@ -44,7 +44,6 @@ in {
}; };
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = pkgs.linuxPackages_6_1;
# Copy the NixOS configuration file and link it from the resulting system # Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you # (/run/current-system/configuration.nix). This is useful in case you

2
hosts/frikandel/networking.nix
View file

@ -14,8 +14,6 @@
"2a0f:fc81::" #dns0.eu "2a0f:fc81::" #dns0.eu
]; ];
services.openssh.openFirewall = true;
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here) # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.enp1s0 = { networking.interfaces.enp1s0 = {

2
hosts/pie/configuration.nix
View file

@ -21,7 +21,7 @@ in {
boot.loader.generic-extlinux-compatible.enable = false; boot.loader.generic-extlinux-compatible.enable = false;
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = pkgs.linuxPackages_6_1; boot.kernelPackages = pkgs.linuxPackages_6_1_hardened;
boot.kernelParams = [ boot.kernelParams = [
"boot.shell_on_fail=1" "boot.shell_on_fail=1"

1
hosts/pie/networking.nix
View file

@ -27,7 +27,6 @@
"192.168.178.3" = [ "droppie-initrd.b12f.io" ]; "192.168.178.3" = [ "droppie-initrd.b12f.io" ];
}; };
services.openssh.openFirewall = true;
services.openssh.allowSFTP = true; services.openssh.allowSFTP = true;
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age"; age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";

2
modules/core/boot.nix
View file

@ -12,7 +12,7 @@ in {
loader.systemd-boot.enable = lib.mkDefault true; loader.systemd-boot.enable = lib.mkDefault true;
# Use latest LTS linux kernel by default # Use latest LTS linux kernel by default
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_6_7_hardened;
# Support ntfs drives # Support ntfs drives
supportedFilesystems = ["ntfs"]; supportedFilesystems = ["ntfs"];

19
modules/core/default.nix
View file

@ -13,26 +13,9 @@ in {
./i18n.nix ./i18n.nix
./networking.nix ./networking.nix
./packages.nix ./packages.nix
./hardening.nix
]; ];
# Service that makes Out of Memory Killer more effective # Service that makes Out of Memory Killer more effective
services.earlyoom.enable = true; services.earlyoom.enable = true;
services.logind.lidSwitch = "hibernate";
services.tor.settings = {
UseBridges = true;
};
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
} }

58
modules/core/hardening.nix Normal file
View file

@ -0,0 +1,58 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.pub-solar.core;
psCfg = config.pub-solar;
in {
services.tor.settings = {
UseBridges = true;
};
# Always go to encrypted hibernation instead of sleep
services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
# disable coredump that could be exploited later
# and also slow down the system when something crash
systemd.coredump.enable = false;
# required to run chromium
security.chromiumSuidSandbox.enable = true;
# enable firejail
programs.firejail.enable = true;
# create system-wide executables firefox and chromium
# that will wrap the real binaries so everything
# work out of the box.
programs.firejail.wrappedBinaries = {
firefox = {
executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
};
ungoogled-chromium = {
executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
};
};
# enable antivirus clamav and
# keep the signatures' database updated
services.clamav.daemon.enable = true;
services.clamav.updater.enable = true;
}

3
modules/core/networking.nix
View file

@ -37,6 +37,9 @@
''; '';
}; };
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 22 ];
# For rage encryption, all hosts need a ssh key pair # For rage encryption, all hosts need a ssh key pair
services.openssh = { services.openssh = {
enable = true; enable = true;

1
modules/persistence/default.nix
View file

@ -8,6 +8,7 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/firejail"
]; ];
files = [ files = [