From f2ecc2d8b9ee6b5c0cbda2f3e8b5342e714e58b6 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 3 Oct 2022 02:30:08 +0200
Subject: [PATCH 1/7] ci: fix upload target path
---
 .drone.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index b9718b8c..5e20924e 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -121,7 +121,7 @@ steps:
 from_secret: iso_web_ssh_port
 key:
 from_secret: iso_web_ssh_key
- target: /srv/os
+ target: /srv/os/download
 source:
 - /var/nix/iso-cache/*.iso
 - /var/nix/iso-cache/*.iso.sha256
@@ -143,6 +143,6 @@ volumes:
 ---
 kind: signature
-hmac: 7b0b56a97294cd563eee2bde56abeea6dd0928e01729980a25f8c165a3f6e0f6
+hmac: 8823c7103f6a075bb291a497c7ab5d5db47a91f9bc7d8ef95329b5620c9cf91d
 ...
From 8529a15177466a14be333e0fdc83e39f3eb4ee07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 3 Oct 2022 03:57:34 +0200
Subject: [PATCH 2/7] Be more paranoid
The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic.
---
 modules/core/networking.nix | 2 ++
 modules/paranoia/default.nix | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index edfef42d..c5ec9cbe 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -36,6 +36,8 @@ in
 wifi.backend = "iwd";
 };
+ networking.firewall.enable = true;
+
 # Customized binary caches list (with fallback to official binary cache)
 nix.binaryCaches = cfg.binaryCaches;
 nix.binaryCachePublicKeys = cfg.publicKeys;
diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix
index 699ab13e..f5ceaeaf 100644
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
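Review bot: `networking.firewall.enable = true;` in the modules/core/networking.nix hunk is an unconditional assignment in the core module, although the commit message says it is the paranoia mode that now enables the firewall; it takes effect on every host regardless of the paranoia module's `cfg.enable`. It is also a plain assignment rather than `lib.mkDefault`, so a host that needs the firewall off has to `lib.mkForce` it, while the neighbouring SSH default in modules/core/services.nix uses `lib.mkDefault`. Either move the line under the paranoia `mkIf cfg.enable` block or write `networking.firewall.enable = lib.mkDefault true;` so it stays an overridable default. The enclosing attribute set starts outside the hunk.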
@@ -21,5 +21,35 @@ in
 config = mkIf cfg.enable {
 pub-solar.core.hibernation.enable = true;
 services.logind.lidSwitch = "hibernate";
+
+ # The options below are directly taken from or inspired by
+ # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+ # Don't set this if you need sftp
+ services.openssh.allowSFTP = false;
+ services.openssh.openFirewall = false; # Lock yourself out
+
+ # Limit the use of sudo to the group wheel
+ security.sudo.execWheelOnly = true;
+
+ # Remove the complete default environment of packages like
+ # nano, perl and rsync
+ environment.defaultPackages = lib.mkForce [ ];
+
+ # fileSystems."/".options = [ "noexec" ];
+
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
 };
 }
From 6f3885d0caff8d36508080e4db60b4c62616c3f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 3 Oct 2022 04:07:48 +0200
Subject: [PATCH 3/7] Remove doubled openssh configs in paranoia module
---
 modules/paranoia/default.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix
index f5ceaeaf..75275a11 100644
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
@@ -39,8 +39,6 @@ in
 # fileSystems."/".options = [ "noexec" ];
 services.openssh = {
- enable = true;
- openFirewall = false;
 passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
 extraConfig = ''
From b23e1e16a42465ff3905905e43f3265ef8b62846 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 3 Oct 2022 04:11:16 +0200
Subject: [PATCH 4/7] alacritty: improve selection and cursor colors
---
 modules/graphical/alacritty.nix | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
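Review bot: `AllowTcpForwarding yes` in the new `extraConfig` leaves TCP port forwarding on while X11, agent and stream-local forwarding are all switched off in the same block, which is inconsistent for a module whose purpose is hardening and is not explained anywhere. If some workflow needs it, a comment above the line should say which one; otherwise `AllowTcpForwarding no` matches the rest of the block. The `# Lock yourself out` remark on `services.openssh.openFirewall = false;` reads like an instruction rather than a warning; `# Closes port 22 in the firewall -- make sure you have another way in` says what the line does. The `services.openssh.allowSFTP = false;` comment would also benefit from noting that this disables the sftp subsystem, so scp in sftp mode and rsync over sftp stop working too.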
diff --git a/modules/graphical/alacritty.nix b/modules/graphical/alacritty.nix
index e4e2f6ad..b389343c 100644
--- a/modules/graphical/alacritty.nix
+++ b/modules/graphical/alacritty.nix
@@ -100,10 +100,15 @@
 foreground = "0xe3e1e4";
 };
- # Colors the cursor will use if `custom_cursor_colors` is true
+ # Cursor colors
+ #
+ # Colors which should be used to draw the terminal cursor.
+ #
+ # Allowed values are CellForeground/CellBackground, which reference the
+ # affected cell, or hexadecimal colors like #ff00ff.
 cursor = {
- text = "0x1a181a";
- cursor = "0xe3e1e4";
+ text = "CellBackground";
+ cursor = "CellForeground";
 };
 # Colors used for the search bar and match highlighting.
@@ -115,14 +120,25 @@
 background = "0x1a181a";
 };
 focused_match = {
- foreground = "0xe5c463";
- background = "0xe3e1e4";
+ foreground = "CellBackground";
+ background = "CellForeground";
 };
 #bar =
 # background = "#c5c8c6";
 # foreground = "#1d1f21";
 };
+ # Selection colors
+ #
+ # Colors which should be used to draw the selection area.
+ #
+ # Allowed values are CellForeground/CellBackground, which reference the
+ # affected cell, or hexadecimal colors like #ff00ff.
+ selection = {
+ text = "0x1a181a";
+ background = "0xf85e84";
+ };
+
 # Normal colors
 normal = {
 black = "0x1a181a";
From 5da560ef56cb081b4dd3bae67a3a2e67421487cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 3 Oct 2022 04:55:14 +0200
Subject: [PATCH 5/7] Open up SSH by default
---
 modules/core/services.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/core/services.nix b/modules/core/services.nix
index 61ba6ea0..41aa45e5 100644
--- a/modules/core/services.nix
+++ b/modules/core/services.nix
@@ -4,7 +4,9 @@
 # For rage encryption, all hosts need a ssh key pair
 services.openssh = {
 enable = true;
- openFirewall = lib.mkDefault false;
+ # If you don't want the host to have SSH actually opened up to the net,
+ # set `services.openssh.openFirewall` to false in your config.
+ openFirewall = lib.mkDefault true;
 };
 # Service that makes Out of Memory Killer more effective
From f28d05e24eee55396773f165b40d374be795f414 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 5 Oct 2022 11:57:51 +0200
Subject: [PATCH 6/7] Change user.publicKeys to a SSH keys string list
---
 modules/user/default.nix | 2 +-
 profiles/base-user/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/user/default.nix b/modules/user/default.nix
index 2fd5958e..7c869380 100644
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@@ -23,7 +23,7 @@ in
 };
 publicKeys = mkOption {
 description = "User SSH public keys";
- type = types.listOf types.path;
+ type = types.listOf types.str;
 default = [ ];
 };
 fullName = mkOption {
diff --git a/profiles/base-user/default.nix b/profiles/base-user/default.nix
index 9ff21c8e..374dca40 100644
--- a/profiles/base-user/default.nix
+++ b/profiles/base-user/default.nix
@@ -25,7 +25,7 @@ in
 ];
 initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
 shell = pkgs.zsh;
- openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
+ openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
 };
 };
 }
From d43bd8058058f7d3231b4422997e9a11eb03385b Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 5 Oct 2022 11:58:26 +0200
Subject: [PATCH 7/7] core: disable SSH passwordAuthentication by default
---
 modules/core/services.nix | 1 +
 modules/paranoia/default.nix | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core/services.nix b/modules/core/services.nix
index 41aa45e5..6ce74472 100644
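Review bot: The null guard kept on the new line in profiles/base-user/default.nix, `if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ]`, is dead after this patch: the option is now `types.listOf types.str` with `default = [ ]` (the modules/user/default.nix hunk in the same patch), so `null` never passes the type check and `openssh.authorizedKeys.keys = psCfg.user.publicKeys;` expresses the same thing. Switching the option from `types.path` to `types.str` and the target from `keyFiles` to `keys` also means any existing host configuration that passes key file paths now fails evaluation with a type error; the commit message should state that migration, and the option `description` could read `"User SSH public keys, as authorized_keys lines"` so the expected format is visible where the option is set. The enclosing `users` attribute set starts outside the hunk.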
--- a/modules/core/services.nix
+++ b/modules/core/services.nix
@@ -7,6 +7,7 @@
 # If you don't want the host to have SSH actually opened up to the net,
 # set `services.openssh.openFirewall` to false in your config.
 openFirewall = lib.mkDefault true;
+ passwordAuthentication = false;
 };
 # Service that makes Out of Memory Killer more effective
diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix
index 75275a11..2dc439cf 100644
--- a/modules/paranoia/default.nix
+++ b/modules/paranoia/default.nix
@@ -39,7 +39,6 @@ in
 # fileSystems."/".options = [ "noexec" ];
 services.openssh = {
- passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
 extraConfig = ''
 AllowTcpForwarding yes
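Review bot: `passwordAuthentication = false;` on its own does not make the core SSH default key-only: `services.openssh.kbdInteractiveAuthentication` keeps its NixOS default of true, so sshd still offers keyboard-interactive (PAM) authentication, which prompts for the same account password. The paranoia module already carries `kbdInteractiveAuthentication = false;` (visible as context in the second hunk of this patch); adding that same line under the new one in modules/core/services.nix closes the gap, and the paranoia copy can then be dropped exactly as this patch drops `passwordAuthentication`. This matters more now that the same block opens the firewall for SSH by default (`openFirewall = lib.mkDefault true;` in the context above). Note also that `passwordAuthentication` is a hard assignment while `openFirewall` uses `lib.mkDefault`; if the hard default is intentional, a short comment such as `# Hard default: key-based auth only, override with lib.mkForce if you really need passwords` would make that explicit.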