authorFuwn <[email protected]>2024-09-22 15:23:35 -0700
committerFuwn <[email protected]>2024-09-22 15:23:35 -0700
commit5658bb7f8bf3522c501864ea73024f544b14de3a (patch)
tree0436b387e6e815997da89cea46f2deb6984fb8ab /modules/core/security
parentcore: move kansai networking to desktop (diff)
downloadnixos-config-5658bb7f8bf3522c501864ea73024f544b14de3a.tar.xz
nixos-config-5658bb7f8bf3522c501864ea73024f544b14de3a.zip
core: move kansai security to desktop
Diffstat (limited to 'modules/core/security')
-rw-r--r--modules/core/security/apparmor.nix22
-rw-r--r--modules/core/security/audit.nix17
-rw-r--r--modules/core/security/default.nix21
-rw-r--r--modules/core/security/doas.nix13
-rw-r--r--modules/core/security/kernel.nix160
-rw-r--r--modules/core/security/pam.nix50
-rw-r--r--modules/core/security/pki.nix42
-rw-r--r--modules/core/security/polkit.nix7
-rw-r--r--modules/core/security/sops.nix17
-rw-r--r--modules/core/security/sudo.nix75
10 files changed, 0 insertions, 424 deletions
diff --git a/modules/core/security/apparmor.nix b/modules/core/security/apparmor.nix
deleted file mode 100644
index 170838c..0000000
--- a/modules/core/security/apparmor.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [
- apparmor-pam
- apparmor-utils
- apparmor-parser
- apparmor-profiles
- apparmor-bin-utils
- apparmor-kernel-patches
- libapparmor
- ];
-
- services.dbus.apparmor = "enabled";
-
- security.apparmor = {
- enable = true;
- enableCache = true;
- killUnconfinedConfinables = true;
- packages = [ pkgs.apparmor-profiles ];
- policies.dummy.profile = "/dummy { }";
- };
-}
diff --git a/modules/core/security/audit.nix b/modules/core/security/audit.nix
deleted file mode 100644
index 9922213..0000000
--- a/modules/core/security/audit.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-let
- enable = false;
-in
-{
- security = {
- auditd.enable = enable;
-
- audit = {
- inherit enable;
-
- rules = [
- "-a exit,always -F arch=b64 -S execve"
- "-a exit,always -F arch=b32 -S execve"
- ];
- };
- };
-}
diff --git a/modules/core/security/default.nix b/modules/core/security/default.nix
deleted file mode 100644
index a71b590..0000000
--- a/modules/core/security/default.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-{
- imports = [
- ./apparmor.nix
- ./audit.nix
- ./doas.nix
- ./kernel.nix
- ./pam.nix
- ./pki.nix
- ./polkit.nix
- ./sops.nix
- ./sudo.nix
- ];
-
- security = {
- rtkit.enable = lib.modules.mkForce config.services.pipewire.enable;
- virtualisation.flushL1DataCache = "always";
- };
-
- programs.firejail.enable = true;
-}
diff --git a/modules/core/security/doas.nix b/modules/core/security/doas.nix
deleted file mode 100644
index af717ca..0000000
--- a/modules/core/security/doas.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- security.doas = {
- enable = true;
- extraRules = [
- {
- keepEnv = true;
- # persist = true;
- noPass = true;
- users = [ "ebisu" ];
- }
- ];
- };
-}
diff --git a/modules/core/security/kernel.nix b/modules/core/security/kernel.nix
deleted file mode 100644
index 62b2f28..0000000
--- a/modules/core/security/kernel.nix
+++ /dev/null
@@ -1,160 +0,0 @@
-{ lib, ... }:
-{
- boot = {
- # https://docs.kernel.org/admin-guide/sysctl/vm.html
- kernel.sysctl = {
- # The Magic SysRq key is a key combo that allows users connected to the
- # system console of a Linux kernel to perform some low-level commands.
- # Disable it, since we don't need it, and is a potential security concern.
- "kernel.sysrq" = lib.mkForce 0;
-
- # Restrict ptrace() usage to processes with a pre-defined relationship
- # (e.g., parent/child)
- # FIXME: this breaks game launchers, find a way to launch them with privileges (steam)
- # gamescope wrapped with the capabilities *might* solve the issue
- # spoiler: it didn't
- # "kernel.yama.ptrace_scope" = 2;
-
- # Hide kptrs even for processes with CAP_SYSLOG
- # also prevents printing kernel pointers
- "kernel.kptr_restrict" = 2;
-
- # Disable bpf() JIT (to eliminate spray attacks)
- "net.core.bpf_jit_enable" = false;
-
- # Disable ftrace debugging
- "kernel.ftrace_enabled" = false;
-
- # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
- "kernel.dmesg_restrict" = 1;
-
- # Prevent creating files in potentially attacker-controlled environments such
- # as world-writable directories to make data spoofing attacks more difficult
- "fs.protected_fifos" = 2;
-
- # Prevent unintended writes to already-created files
- "fs.protected_regular" = 2;
-
- # Disable SUID binary dump
- "fs.suid_dumpable" = 0;
-
- # Prevent unprivileged users from creating hard or symbolic links to files
- "fs.protected_symlinks" = 1;
- "fs.protected_hardlinks" = 1;
-
- # Disable late module loading
- # "kernel.modules_disabled" = 1;
-
- # Disallow profiling at all levels without CAP_SYS_ADMIN
- "kernel.perf_event_paranoid" = 3;
-
- # Require CAP_BPF to use bpf
- "kernel.unprivileged_bpf_disabled" = true;
-
- # Prevent boot console kernel log information leaks
- "kernel.printk" = "3 3 3 3";
-
- # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
- # prevent unprivileged attackers from loading vulnerable line disciplines with
- # the TIOCSETD ioctl
- "dev.tty.ldisc_autoload" = 0;
-
- # Kexec allows replacing the current running kernel. There may be an edge case where
- # you wish to boot into a different kernel, but I do not require kexec. Disabling it
- # patches a potential security hole in our system.
- "kernel.kexec_load_disabled" = true;
-
- # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those
- # options do, it is up you to educate yourself dear reader.
- # See:
- # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-rnd-bits>
- # - <https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-min-addr>
- "vm.mmap_rnd_bits" = 32;
- "vm.mmap_min_addr" = 65536;
- };
-
- # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
- kernelParams = [
- # I'm sure we break hibernation in at least 5 other sections of this config, so
- # let's disable hibernation explicitly. Allowing hibernation makes it possible
- # to replace the booted kernel with a malicious one, akin to kexec. This helps
- # us prevent an attack called "Evil Maid" where an attacker with physical access
- # to the device. P.S. I chose to mention "Evil Maid" specifically because it sounds
- # funny. Do not think that is the only attack you are vulnerable to.
- # See: <https://en.wikipedia.org/wiki/Evil_maid_attack>
- "nohibernate"
-
- # make stack-based attacks on the kernel harder
- "randomize_kstack_offset=on"
-
- # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
- # vsyscalls are also at fixed addresses in memory, making them a potential
- # target for ROP attacks
- # this breaks really old binaries for security
- "vsyscall=none"
-
- # reduce most of the exposure of a heap attack to a single cache
- # Disable slab merging which significantly increases the difficulty of heap
- # exploitation by preventing overwriting objects from merged caches and by
- # making it harder to influence slab cache layout
- "slab_nomerge"
-
- # Disable debugfs which exposes a lot of sensitive information about the
- # kernel. Some programs, such as powertop, use this interface to gather
- # information about the system, but it is not necessary for the system to
- # actually publish those. I can live without it.
- "debugfs=off"
-
- # Sometimes certain kernel exploits will cause what is known as an "oops".
- # This parameter will cause the kernel to panic on such oopses, thereby
- # preventing those exploits
- "oops=panic"
-
- # Only allow kernel modules that have been signed with a valid key to be
- # loaded, which increases security by making it much harder to load a
- # malicious kernel module
- "module.sig_enforce=1"
-
- # The kernel lockdown LSM can eliminate many methods that user space code
- # could abuse to escalate to kernel privileges and extract sensitive
- # information. This LSM is necessary to implement a clear security boundary
- # between user space and the kernel
- # integrity: kernel features that allow userland to modify the running kernel
- # are disabled
- # confidentiality: kernel features that allow userland to extract confidential
- # information from the kernel are also disabled
- # ArchWiki recommends opting in for "integrity", however since we avoid modifying
- # running kernel (by the virtue of using NixOS and locking module hot-loading) the
- # confidentiality mode is a better solution.
- "lockdown=confidentiality"
-
- # enable buddy allocator free poisoning
- # on: memory will befilled with a specific byte pattern
- # that is unlikely to occur in normal operation.
- # off (default): page poisoning will be disabled
- "page_poison=on"
-
- # performance improvement for direct-mapped memory-side-cache utilization
- # reduces the predictability of page allocations
- "page_alloc.shuffle=1"
-
- # for debugging kernel-level slab issues
- "slub_debug=FZP"
-
- # ignore access time (atime) updates on files
- # except when they coincide with updates to the ctime or mtime
- "rootflags=noatime"
-
- # linux security modules
- "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
-
- # prevent the kernel from blanking plymouth out of the fb
- "fbcon=nodefer"
-
- # the format that will be used for integrity audit logs
- # 0 (default): basic integrity auditing messages
- # 1: additional integrity auditing messages
- "integrity_audit=1"
- ];
- };
-}
diff --git a/modules/core/security/pam.nix b/modules/core/security/pam.nix
deleted file mode 100644
index b7eb426..0000000
--- a/modules/core/security/pam.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- security = {
- pam = {
- loginLimits = [
- {
- domain = "@wheel";
- item = "nofile";
- type = "soft";
- value = "524288";
- }
- {
- domain = "@wheel";
- item = "nofile";
- type = "hard";
- value = "1048576";
- }
- ];
-
- services =
- let
- ttyAudit = {
- enable = true;
- enablePattern = "*";
- };
- in
- {
- swaylock.text = "auth include login";
- gtklock.text = "auth include login";
-
- login = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
-
- sshd = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
-
- sudo = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
- };
- };
- };
-}
diff --git a/modules/core/security/pki.nix b/modules/core/security/pki.nix
deleted file mode 100644
index b804fc5..0000000
--- a/modules/core/security/pki.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ lib, ... }:
-{
- security.pki = {
- certificates = lib.mkForce [ ];
-
- caCertificateBlacklist = [
- "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- "Autoridad de Certificacion Firmaprofesional CIF A62634068"
-
- # China Financial Certification Authority
- "CFCA EV ROOT"
-
- # Chunghwa Telecom Co., Ltd
- "ePKI Root Certification Authority"
- "HiPKI Root CA - G1"
-
- # Dhimyotis
- "Certigna"
- "Certigna Root CA"
-
- # GUANG DONG CERTIFICATE AUTHORITY
- "GDCA TrustAUTH R5 ROOT"
-
- # Hongkong Post
- "Hongkong Post Root CA 3"
-
- # iTrusChina Co.,Ltd.
- "vTrus ECC Root CA"
- "vTrus Root CA"
-
- # Krajowa Izba Rozliczeniowa S.A.
- "SZAFIR ROOT CA2"
-
- # NetLock Kft.
- "NetLock Arany (Class Gold) Főtanúsítvány"
-
- # TAIWAN-CA
- "TWCA Root Certification Authority"
- "TWCA Global Root CA"
- ];
- };
-}
diff --git a/modules/core/security/polkit.nix b/modules/core/security/polkit.nix
deleted file mode 100644
index 786d1a0..0000000
--- a/modules/core/security/polkit.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ lib, ... }:
-{
- security.polkit = {
- enable = true;
- debug = lib.modules.mkDefault true;
- };
-}
diff --git a/modules/core/security/sops.nix b/modules/core/security/sops.nix
deleted file mode 100644
index c98a533..0000000
--- a/modules/core/security/sops.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = [
- pkgs.sops
- ];
-
- sops = {
- gnupg.sshKeyPaths = [ ];
- secrets.tailscale_authentication_key.sopsFile = ../../../secrets/hosts.yaml;
-
- age = {
- sshKeyPaths = [ ];
- keyFile = "/var/lib/sops-nix/keys.txt";
- generateKey = true;
- };
- };
-}
diff --git a/modules/core/security/sudo.nix b/modules/core/security/sudo.nix
deleted file mode 100644
index 6623b71..0000000
--- a/modules/core/security/sudo.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{ pkgs, lib, ... }:
-let
- inherit (lib.modules) mkForce;
-in
-{
- security = {
- sudo-rs.enable = mkForce false;
-
- sudo = {
- enable = true;
- execWheelOnly = mkForce true;
- wheelNeedsPassword = lib.modules.mkDefault false;
-
- extraConfig = ''
- Defaults lecture = never
- Defaults pwfeedback
- Defaults env_keep += "EDITOR PATH DISPLAY"
- Defaults timestamp_timeout = 300
- '';
-
- extraRules = [
- {
- groups = [ "wheel" ];
- commands =
- map
- (rule: {
- command = lib.meta.getExe' rule.package rule.command;
- options = [ "NOPASSWD" ];
- })
- (
- with pkgs;
- [
- {
- package = coreutils;
- command = "sync";
- }
- {
- package = hdparm;
- command = "hdparm";
- }
- {
- package = nixos-rebuild;
- command = "nixos-rebuild";
- }
- {
- package = nvme-cli;
- command = "nvme";
- }
- {
- package = systemd;
- command = "poweroff";
- }
- {
- package = systemd;
- command = "reboot";
- }
- {
- package = systemd;
- command = "shutdown";
- }
- {
- package = systemd;
- command = "systemctl";
- }
- {
- package = util-linux;
- command = "dmesg";
- }
- ]
- );
- }
- ];
- };
- };
-}