Diffstat (limited to 'modules/security')
| -rw-r--r-- | modules/security/audit.nix | 6 | ||||
| -rw-r--r-- | modules/security/default.nix | 24 | ||||
| -rw-r--r-- | modules/security/doas.nix | 12 | ||||
| -rw-r--r-- | modules/security/pki.nix | 42 | ||||
| -rw-r--r-- | modules/security/polkit.nix | 6 | ||||
| -rw-r--r-- | modules/security/sudo.nix | 6 | ||||
| -rw-r--r-- | modules/security/tpm.nix | 16 |
7 files changed, 112 insertions, 0 deletions
diff --git a/modules/security/audit.nix b/modules/security/audit.nix
new file mode 100644
index 0000000..67dce9d
--- /dev/null
+++ b/modules/security/audit.nix
@@ -0,0 +1,6 @@
+{
+ security.audit = {
+ enable = true;
+ rules = [ "-a exit,always -F arch=b64 -S execve" ];
+ };
+}
diff --git a/modules/security/default.nix b/modules/security/default.nix
new file mode 100644
index 0000000..06302ea
--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib.modules) mkForce;
+in
+{
+ imports = [
+ ./audit.nix
+ ./doas.nix
+ ./pki.nix
+ ./polkit.nix
+ ./sudo.nix
+ ./tpm.nix
+ ];
+
+ security = {
+ auditd.enable = true;
+ rtkit.enable = mkForce config.services.pipewire.enable;
+ virtualisation.flushL1DataCache = "always";
+ };
+}
diff --git a/modules/security/doas.nix b/modules/security/doas.nix
new file mode 100644
index 0000000..32dcca0
--- /dev/null
+++ b/modules/security/doas.nix
@@ -0,0 +1,12 @@
+{
+ security.doas = {
+ enable = true;
+ extraRules = [
+ {
+ keepEnv = true;
+ persist = true;
+ users = [ "ebisu" ];
+ }
+ ];
+ };
+}
diff --git a/modules/security/pki.nix b/modules/security/pki.nix
new file mode 100644
index 0000000..b804fc5
--- /dev/null
+++ b/modules/security/pki.nix
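Review bot: The execve rule in audit.nix matches only the 64-bit syscall ABI (`-F arch=b64`), so an execve issued by a 32-bit binary on a multilib host goes unrecorded, and the rule carries no key, which makes the events awkward to pull out with ausearch. The usual form pairs the rule with its b32 twin and tags both: `rules = [ "-a exit,always -F arch=b64 -S execve -k exec" "-a exit,always -F arch=b32 -S execve -k exec" ];`. Whether 32-bit execution is possible on this host is not visible here; if it is not, the single rule is sufficient, but a comment saying so would stop the next reader from re-asking.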
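Review bot: `rtkit.enable = mkForce config.services.pipewire.enable;` in default.nix makes any other module's `security.rtkit.enable = true` lose silently instead of surfacing as a module-system conflict, which is surprising for a service other audio setups also want. Unless the override is deliberate, the plain assignment `rtkit.enable = config.services.pipewire.enable;` keeps conflict detection intact. If it is deliberate, a one-line comment above it stating why rtkit must track pipewire alone would document the choice.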
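Review bot: The doas rule in doas.nix grants `ebisu` unrestricted root (no `cmd`) with `keepEnv = true`, which carries the caller's environment into the root process, and `persist = true`, which lets follow-up invocations skip the password for a while; sudo.nix enables sudo as well, so the host ends up with two full privilege-escalation paths to keep hardened. If both are needed, a comment on the rule explaining why `keepEnv` is required (for example tools that must see the caller's Nix environment) would record the trade-off; otherwise dropping `keepEnv`, or narrowing the rule with `cmd`, reduces what the rule exposes.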
@@ -0,0 +1,42 @@
+{ lib, ... }:
+{
+ security.pki = {
+ certificates = lib.mkForce [ ];
+
+ caCertificateBlacklist = [
+ "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+ "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+
+ # China Financial Certification Authority
+ "CFCA EV ROOT"
+
+ # Chunghwa Telecom Co., Ltd
+ "ePKI Root Certification Authority"
+ "HiPKI Root CA - G1"
+
+ # Dhimyotis
+ "Certigna"
+ "Certigna Root CA"
+
+ # GUANG DONG CERTIFICATE AUTHORITY
+ "GDCA TrustAUTH R5 ROOT"
+
+ # Hongkong Post
+ "Hongkong Post Root CA 3"
+
+ # iTrusChina Co.,Ltd.
+ "vTrus ECC Root CA"
+ "vTrus Root CA"
+
+ # Krajowa Izba Rozliczeniowa S.A.
+ "SZAFIR ROOT CA2"
+
+ # NetLock Kft.
+ "NetLock Arany (Class Gold) Főtanúsítvány"
+
+ # TAIWAN-CA
+ "TWCA Root Certification Authority"
+ "TWCA Global Root CA"
+ ];
+ };
+}
diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix
new file mode 100644
index 0000000..400ea87
--- /dev/null
+++ b/modules/security/polkit.nix
@@ -0,0 +1,6 @@
+{
+ security.polkit = {
+ enable = true;
+ debug = true;
+ };
+}
diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix
new file mode 100644
index 0000000..bbb2e20
--- /dev/null
+++ b/modules/security/sudo.nix
@@ -0,0 +1,6 @@
+{
+ security.sudo = {
+ enable = true;
+ execWheelOnly = true;
+ };
+}
diff --git a/modules/security/tpm.nix b/modules/security/tpm.nix
new file mode 100644
index 0000000..3277d9f
--- /dev/null
+++ b/modules/security/tpm.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+ security.tpm2 = {
+ enable = true;
+ applyUdevRules = true;
+ abrmd.enable = true;
+ tctiEnvironment.enable = true;
+ pkcs11.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ tpm2-tools
+ tpm2-tss
+ tpm2-abrmd
+ ];
+}
|
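Review bot: `certificates = lib.mkForce [ ];` in pki.nix silently discards any certificate another module adds to `security.pki.certificates` (an internal CA for a VPN or registry, say), which is a hard failure mode to diagnose; if the intent is merely to start from an empty list, the option already defaults to empty and the `mkForce` can go, and if the intent is to forbid additions, a comment saying so would help. The hunk also calls `lib.mkForce` directly while default.nix takes `mkForce` from `lib.modules`; one form across the module reads better. The blacklist appears to be matched by certificate name, so a header comment giving the source of the list and when it was last reviewed would make the trust decision auditable.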
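Review bot: `debug = true;` in polkit.nix switches on polkit's rule-evaluation debug logging for every authorization check on the host, which is a development aid rather than a hardening setting and adds journal noise; it reads as left over from testing. Unless the extra logging is wanted, drop the line, since the option defaults to off.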
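Review bot: tpm.nix enables `abrmd` and `tctiEnvironment` but does not set `tctiEnvironment.interface`; if that option is left at its default the exported TCTI variables point tools straight at the device rather than through the broker the same file enables, so the two settings do not compose as intended — `tctiEnvironment.interface = "tabrmd";` would route them through abrmd. The three packages in `environment.systemPackages` are presumably already pulled in by the tpm2 module, so the list may be redundant; if only the CLI is wanted for users, keeping just `tpm2-tools` makes that explicit.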