From 5658bb7f8bf3522c501864ea73024f544b14de3a Mon Sep 17 00:00:00 2001 
From: Fuwn Date: Sun, 22 Sep 2024 15:23:35 -0700 Subject: core: move kansai security to desktop --- modules/core/default.nix | 2 +- modules/core/security/apparmor.nix | 22 ----- modules/core/security/audit.nix | 17 ---- modules/core/security/default.nix | 21 ----- modules/core/security/doas.nix | 13 --- modules/core/security/kernel.nix | 160 ---------------------------------- modules/core/security/pam.nix | 50 ----------- modules/core/security/pki.nix | 42 --------- modules/core/security/polkit.nix | 7 -- modules/core/security/sops.nix | 17 ---- modules/core/security/sudo.nix | 75 ---------------- modules/core/sops.nix | 17 ++++ modules/desktop/default.nix | 1 + modules/desktop/security/apparmor.nix | 22 +++++ modules/desktop/security/audit.nix | 17 ++++ modules/desktop/security/default.nix | 20 +++++ modules/desktop/security/doas.nix | 13 +++ modules/desktop/security/kernel.nix | 160 ++++++++++++++++++++++++++++++++++ modules/desktop/security/pam.nix | 50 +++++++++++ modules/desktop/security/pki.nix | 42 +++++++++ modules/desktop/security/polkit.nix | 7 ++ modules/desktop/security/sudo.nix | 75 ++++++++++++++++ modules/server/default.nix | 2 +- 23 files changed, 426 insertions(+), 426 deletions(-) delete mode 100644 modules/core/security/apparmor.nix delete mode 100644 modules/core/security/audit.nix delete mode 100644 modules/core/security/default.nix delete mode 100644 modules/core/security/doas.nix delete mode 100644 modules/core/security/kernel.nix delete mode 100644 modules/core/security/pam.nix delete mode 100644 modules/core/security/pki.nix delete mode 100644 modules/core/security/polkit.nix delete mode 100644 modules/core/security/sops.nix delete mode 100644 modules/core/security/sudo.nix create mode 100644 modules/core/sops.nix create mode 100644 modules/desktop/security/apparmor.nix create mode 100644 modules/desktop/security/audit.nix create mode 100644 modules/desktop/security/default.nix create mode 100644 modules/desktop/security/doas.nix create 
mode 100644 modules/desktop/security/kernel.nix create mode 100644 modules/desktop/security/pam.nix create mode 100644 modules/desktop/security/pki.nix create mode 100644 modules/desktop/security/polkit.nix create mode 100644 modules/desktop/security/sudo.nix (limited to 'modules')
diff --git a/modules/core/default.nix b/modules/core/default.nix
index f44e8ff..06eab1d 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -2,6 +2,6 @@
imports = [
./networking
./nix
- ./security
+ ./sops.nix
];
}
diff --git a/modules/core/security/apparmor.nix b/modules/core/security/apparmor.nix
deleted file mode 100644
index 170838c..0000000
--- a/modules/core/security/apparmor.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [
- apparmor-pam
- apparmor-utils
- apparmor-parser
- apparmor-profiles
- apparmor-bin-utils
- apparmor-kernel-patches
- libapparmor
- ];
-
- services.dbus.apparmor = "enabled";
-
- security.apparmor = {
- enable = true;
- enableCache = true;
- killUnconfinedConfinables = true;
- packages = [ pkgs.apparmor-profiles ];
- policies.dummy.profile = "/dummy { }";
- };
-}
diff --git a/modules/core/security/audit.nix b/modules/core/security/audit.nix
deleted file mode 100644
index 9922213..0000000
--- a/modules/core/security/audit.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-let
- enable = false;
-in
-{
- security = {
- auditd.enable = enable;
-
- audit = {
- inherit enable;
-
- rules = [
- "-a exit,always -F arch=b64 -S execve"
- "-a exit,always -F arch=b32 -S execve"
- ];
- };
- };
-}
diff --git a/modules/core/security/default.nix b/modules/core/security/default.nix
deleted file mode 100644
index a71b590..0000000
--- a/modules/core/security/default.nix
+++ /dev/null
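Review bot: Removing `./security` from the core import list (the `- ./security` line) means any host that pulls in modules/core without also importing modules/desktop silently loses the kernel sysctl and kernelParams hardening, the sudo execWheelOnly restriction, the PAM ttyAudit/setLoginUid settings and the PKI blacklist in one step, with no build-time signal. In the visible lines the server profile appears to import only selected core files rather than modules/core as a whole, so it is not affected by this line, but any other consumer of modules/core is not visible in this diff. If the split is intended, a comment next to the new `+ ./sops.nix` line such as `# security hardening now lives in modules/desktop/security; non-desktop hosts must import it explicitly` would make that decision discoverable. Otherwise consider keeping the host-agnostic pieces (kernel.nix, pam.nix, pki.nix, sudo.nix) in core and moving only the desktop-specific ones (apparmor, doas, polkit, rtkit/firejail).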
@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-{
- imports = [
- ./apparmor.nix
- ./audit.nix
- ./doas.nix
- ./kernel.nix
- ./pam.nix
- ./pki.nix
- ./polkit.nix
- ./sops.nix
- ./sudo.nix
- ];
-
- security = {
- rtkit.enable = lib.modules.mkForce config.services.pipewire.enable;
- virtualisation.flushL1DataCache = "always";
- };
-
- programs.firejail.enable = true;
-}
diff --git a/modules/core/security/doas.nix b/modules/core/security/doas.nix
deleted file mode 100644
index af717ca..0000000
--- a/modules/core/security/doas.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- security.doas = {
- enable = true;
- extraRules = [
- {
- keepEnv = true;
- # persist = true;
- noPass = true;
- users = [ "ebisu" ];
- }
- ];
- };
-}
diff --git a/modules/core/security/kernel.nix b/modules/core/security/kernel.nix
deleted file mode 100644
index 62b2f28..0000000
--- a/modules/core/security/kernel.nix
+++ /dev/null
@@ -1,160 +0,0 @@ -{ lib, ... }: -{ - boot = { - # https://docs.kernel.org/admin-guide/sysctl/vm.html - kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = lib.mkForce 0; - - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - # FIXME: this breaks game launchers, find a way to launch them with privileges (steam) - # gamescope wrapped with the capabilities *might* solve the issue - # spoiler: it didn't - # "kernel.yama.ptrace_scope" = 2; - - # Hide kptrs even for processes with CAP_SYSLOG - # also prevents printing kernel pointers - "kernel.kptr_restrict" = 2; - - # Disable bpf() JIT (to eliminate spray attacks) - "net.core.bpf_jit_enable" = false; - - # Disable ftrace debugging - "kernel.ftrace_enabled" = false; - - # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
- "kernel.dmesg_restrict" = 1; - - # Prevent creating files in potentially attacker-controlled environments such - # as world-writable directories to make data spoofing attacks more difficult - "fs.protected_fifos" = 2; - - # Prevent unintended writes to already-created files - "fs.protected_regular" = 2; - - # Disable SUID binary dump - "fs.suid_dumpable" = 0; - - # Prevent unprivileged users from creating hard or symbolic links to files - "fs.protected_symlinks" = 1; - "fs.protected_hardlinks" = 1; - - # Disable late module loading - # "kernel.modules_disabled" = 1; - - # Disallow profiling at all levels without CAP_SYS_ADMIN - "kernel.perf_event_paranoid" = 3; - - # Require CAP_BPF to use bpf - "kernel.unprivileged_bpf_disabled" = true; - - # Prevent boot console kernel log information leaks - "kernel.printk" = "3 3 3 3"; - - # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to - # prevent unprivileged attackers from loading vulnerable line disciplines with - # the TIOCSETD ioctl - "dev.tty.ldisc_autoload" = 0; - - # Kexec allows replacing the current running kernel. There may be an edge case where - # you wish to boot into a different kernel, but I do not require kexec. Disabling it - # patches a potential security hole in our system. - "kernel.kexec_load_disabled" = true; - - # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those - # options do, it is up you to educate yourself dear reader. - # See: - # - - # - - "vm.mmap_rnd_bits" = 32; - "vm.mmap_min_addr" = 65536; - }; - - # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html - kernelParams = [ - # I'm sure we break hibernation in at least 5 other sections of this config, so - # let's disable hibernation explicitly. Allowing hibernation makes it possible - # to replace the booted kernel with a malicious one, akin to kexec. This helps - # us prevent an attack called "Evil Maid" where an attacker with physical access - # to the device. 
P.S. I chose to mention "Evil Maid" specifically because it sounds - # funny. Do not think that is the only attack you are vulnerable to. - # See: - "nohibernate" - - # make stack-based attacks on the kernel harder - "randomize_kstack_offset=on" - - # Disable vsyscalls as they are obsolete and have been replaced with vDSO. - # vsyscalls are also at fixed addresses in memory, making them a potential - # target for ROP attacks - # this breaks really old binaries for security - "vsyscall=none" - - # reduce most of the exposure of a heap attack to a single cache - # Disable slab merging which significantly increases the difficulty of heap - # exploitation by preventing overwriting objects from merged caches and by - # making it harder to influence slab cache layout - "slab_nomerge" - - # Disable debugfs which exposes a lot of sensitive information about the - # kernel. Some programs, such as powertop, use this interface to gather - # information about the system, but it is not necessary for the system to - # actually publish those. I can live without it. - "debugfs=off" - - # Sometimes certain kernel exploits will cause what is known as an "oops". - # This parameter will cause the kernel to panic on such oopses, thereby - # preventing those exploits - "oops=panic" - - # Only allow kernel modules that have been signed with a valid key to be - # loaded, which increases security by making it much harder to load a - # malicious kernel module - "module.sig_enforce=1" - - # The kernel lockdown LSM can eliminate many methods that user space code - # could abuse to escalate to kernel privileges and extract sensitive - # information. 
This LSM is necessary to implement a clear security boundary - # between user space and the kernel - # integrity: kernel features that allow userland to modify the running kernel - # are disabled - # confidentiality: kernel features that allow userland to extract confidential - # information from the kernel are also disabled - # ArchWiki recommends opting in for "integrity", however since we avoid modifying - # running kernel (by the virtue of using NixOS and locking module hot-loading) the - # confidentiality mode is a better solution. - "lockdown=confidentiality" - - # enable buddy allocator free poisoning - # on: memory will befilled with a specific byte pattern - # that is unlikely to occur in normal operation. - # off (default): page poisoning will be disabled - "page_poison=on" - - # performance improvement for direct-mapped memory-side-cache utilization - # reduces the predictability of page allocations - "page_alloc.shuffle=1" - - # for debugging kernel-level slab issues - "slub_debug=FZP" - - # ignore access time (atime) updates on files - # except when they coincide with updates to the ctime or mtime - "rootflags=noatime" - - # linux security modules - "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" - - # prevent the kernel from blanking plymouth out of the fb - "fbcon=nodefer" - - # the format that will be used for integrity audit logs - # 0 (default): basic integrity auditing messages - # 1: additional integrity auditing messages - "integrity_audit=1" - ]; - }; -} diff --git a/modules/core/security/pam.nix b/modules/core/security/pam.nix deleted file mode 100644 index b7eb426..0000000 --- a/modules/core/security/pam.nix +++ /dev/null 
@@ -1,50 +0,0 @@
-{
- security = {
- pam = {
- loginLimits = [
- {
- domain = "@wheel";
- item = "nofile";
- type = "soft";
- value = "524288";
- }
- {
- domain = "@wheel";
- item = "nofile";
- type = "hard";
- value = "1048576";
- }
- ];
-
- services =
- let
- ttyAudit = {
- enable = true;
- enablePattern = "*";
- };
- in
- {
- swaylock.text = "auth include login";
- gtklock.text = "auth include login";
-
- login = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
-
- sshd = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
-
- sudo = {
- inherit ttyAudit;
-
- setLoginUid = true;
- };
- };
- };
- };
-}
diff --git a/modules/core/security/pki.nix b/modules/core/security/pki.nix
deleted file mode 100644
index b804fc5..0000000
--- a/modules/core/security/pki.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ lib, ... }:
-{
- security.pki = {
- certificates = lib.mkForce [ ];
-
- caCertificateBlacklist = [
- "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- "Autoridad de Certificacion Firmaprofesional CIF A62634068"
-
- # China Financial Certification Authority
- "CFCA EV ROOT"
-
- # Chunghwa Telecom Co., Ltd
- "ePKI Root Certification Authority"
- "HiPKI Root CA - G1"
-
- # Dhimyotis
- "Certigna"
- "Certigna Root CA"
-
- # GUANG DONG CERTIFICATE AUTHORITY
- "GDCA TrustAUTH R5 ROOT"
-
- # Hongkong Post
- "Hongkong Post Root CA 3"
-
- # iTrusChina Co.,Ltd.
- "vTrus ECC Root CA"
- "vTrus Root CA"
-
- # Krajowa Izba Rozliczeniowa S.A.
- "SZAFIR ROOT CA2"
-
- # NetLock Kft.
- "NetLock Arany (Class Gold) Főtanúsítvány"
-
- # TAIWAN-CA
- "TWCA Root Certification Authority"
- "TWCA Global Root CA"
- ];
- };
-}
diff --git a/modules/core/security/polkit.nix b/modules/core/security/polkit.nix
deleted file mode 100644
index 786d1a0..0000000
--- a/modules/core/security/polkit.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ lib, ... }:
-{
- security.polkit = {
- enable = true;
- debug = lib.modules.mkDefault true;
- };
-}
diff --git a/modules/core/security/sops.nix b/modules/core/security/sops.nix
deleted file mode 100644
index c98a533..0000000
--- a/modules/core/security/sops.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = [
- pkgs.sops
- ];
-
- sops = {
- gnupg.sshKeyPaths = [ ];
- secrets.tailscale_authentication_key.sopsFile = ../../../secrets/hosts.yaml;
-
- age = {
- sshKeyPaths = [ ];
- keyFile = "/var/lib/sops-nix/keys.txt";
- generateKey = true;
- };
- };
-}
diff --git a/modules/core/security/sudo.nix b/modules/core/security/sudo.nix
deleted file mode 100644
index 6623b71..0000000
--- a/modules/core/security/sudo.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{ pkgs, lib, ... }:
-let
- inherit (lib.modules) mkForce;
-in
-{
- security = {
- sudo-rs.enable = mkForce false;
-
- sudo = {
- enable = true;
- execWheelOnly = mkForce true;
- wheelNeedsPassword = lib.modules.mkDefault false;
-
- extraConfig = ''
- Defaults lecture = never
- Defaults pwfeedback
- Defaults env_keep += "EDITOR PATH DISPLAY"
- Defaults timestamp_timeout = 300
- '';
-
- extraRules = [
- {
- groups = [ "wheel" ];
- commands =
- map
- (rule: {
- command = lib.meta.getExe' rule.package rule.command;
- options = [ "NOPASSWD" ];
- })
- (
- with pkgs;
- [
- {
- package = coreutils;
- command = "sync";
- }
- {
- package = hdparm;
- command = "hdparm";
- }
- {
- package = nixos-rebuild;
- command = "nixos-rebuild";
- }
- {
- package = nvme-cli;
- command = "nvme";
- }
- {
- package = systemd;
- command = "poweroff";
- }
- {
- package = systemd;
- command = "reboot";
- }
- {
- package = systemd;
- command = "shutdown";
- }
- {
- package = systemd;
- command = "systemctl";
- }
- {
- package = util-linux;
- command = "dmesg";
- }
- ]
- );
- }
- ];
- };
- };
-}
diff --git a/modules/core/sops.nix b/modules/core/sops.nix
new file mode 100644
index 0000000..c1c9d13
--- /dev/null
+++ b/modules/core/sops.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [
+ pkgs.sops
+ ];
+
+ sops = {
+ gnupg.sshKeyPaths = [ ];
+ secrets.tailscale_authentication_key.sopsFile = ../../secrets/hosts.yaml;
+
+ age = {
+ sshKeyPaths = [ ];
+ keyFile = "/var/lib/sops-nix/keys.txt";
+ generateKey = true;
+ };
+ };
+}
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
index e9e2a80..7491d8a 100644
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@@ -3,6 +3,7 @@
imports = [
./hardware
./networking
+ ./security
./software
./variables
./virtualisation
diff --git a/modules/desktop/security/apparmor.nix b/modules/desktop/security/apparmor.nix
new file mode 100644
index 0000000..170838c
--- /dev/null
+++ b/modules/desktop/security/apparmor.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ apparmor-pam
+ apparmor-utils
+ apparmor-parser
+ apparmor-profiles
+ apparmor-bin-utils
+ apparmor-kernel-patches
+ libapparmor
+ ];
+
+ services.dbus.apparmor = "enabled";
+
+ security.apparmor = {
+ enable = true;
+ enableCache = true;
+ killUnconfinedConfinables = true;
+ packages = [ pkgs.apparmor-profiles ];
+ policies.dummy.profile = "/dummy { }";
+ };
+}
diff --git a/modules/desktop/security/audit.nix b/modules/desktop/security/audit.nix
new file mode 100644
index 0000000..9922213
--- /dev/null
+++ b/modules/desktop/security/audit.nix
@@ -0,0 +1,17 @@
+let
+ enable = false;
+in
+{
+ security = {
+ auditd.enable = enable;
+
+ audit = {
+ inherit enable;
+
+ rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ "-a exit,always -F arch=b32 -S execve"
+ ];
+ };
+ };
+}
diff --git a/modules/desktop/security/default.nix b/modules/desktop/security/default.nix
new file mode 100644
index 0000000..7a571a9
--- /dev/null
+++ b/modules/desktop/security/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+{
+ imports = [
+ ./apparmor.nix
+ ./audit.nix
+ ./doas.nix
+ ./kernel.nix
+ ./pam.nix
+ ./pki.nix
+ ./polkit.nix
+ ./sudo.nix
+ ];
+
+ security = {
+ rtkit.enable = lib.modules.mkForce config.services.pipewire.enable;
+ virtualisation.flushL1DataCache = "always";
+ };
+
+ programs.firejail.enable = true;
+}
diff --git a/modules/desktop/security/doas.nix b/modules/desktop/security/doas.nix
new file mode 100644
index 0000000..af717ca
--- /dev/null
+++ b/modules/desktop/security/doas.nix
@@ -0,0 +1,13 @@
+{
+ security.doas = {
+ enable = true;
+ extraRules = [
+ {
+ keepEnv = true;
+ # persist = true;
+ noPass = true;
+ users = [ "ebisu" ];
+ }
+ ];
+ };
+}
diff --git a/modules/desktop/security/kernel.nix b/modules/desktop/security/kernel.nix
new file mode 100644
index 0000000..62b2f28
--- /dev/null
+++ b/modules/desktop/security/kernel.nix
@@ -0,0 +1,160 @@ +{ lib, ... }: +{ + boot = { + # https://docs.kernel.org/admin-guide/sysctl/vm.html + kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = lib.mkForce 0; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + # FIXME: this breaks game launchers, find a way to launch them with privileges (steam) + # gamescope wrapped with the capabilities *might* solve the issue + # spoiler: it didn't + # "kernel.yama.ptrace_scope" = 2; + + # Hide kptrs even for processes with CAP_SYSLOG + # also prevents printing kernel pointers + "kernel.kptr_restrict" = 2; + + # Disable bpf() JIT (to eliminate spray attacks) + "net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + "kernel.ftrace_enabled" = false; + + # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT). 
+ "kernel.dmesg_restrict" = 1; + + # Prevent creating files in potentially attacker-controlled environments such + # as world-writable directories to make data spoofing attacks more difficult + "fs.protected_fifos" = 2; + + # Prevent unintended writes to already-created files + "fs.protected_regular" = 2; + + # Disable SUID binary dump + "fs.suid_dumpable" = 0; + + # Prevent unprivileged users from creating hard or symbolic links to files + "fs.protected_symlinks" = 1; + "fs.protected_hardlinks" = 1; + + # Disable late module loading + # "kernel.modules_disabled" = 1; + + # Disallow profiling at all levels without CAP_SYS_ADMIN + "kernel.perf_event_paranoid" = 3; + + # Require CAP_BPF to use bpf + "kernel.unprivileged_bpf_disabled" = true; + + # Prevent boot console kernel log information leaks + "kernel.printk" = "3 3 3 3"; + + # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to + # prevent unprivileged attackers from loading vulnerable line disciplines with + # the TIOCSETD ioctl + "dev.tty.ldisc_autoload" = 0; + + # Kexec allows replacing the current running kernel. There may be an edge case where + # you wish to boot into a different kernel, but I do not require kexec. Disabling it + # patches a potential security hole in our system. + "kernel.kexec_load_disabled" = true; + + # Borrowed by NixOS/nixpkgs. Since the security module does not explain what those + # options do, it is up you to educate yourself dear reader. + # See: + # - + # - + "vm.mmap_rnd_bits" = 32; + "vm.mmap_min_addr" = 65536; + }; + + # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html + kernelParams = [ + # I'm sure we break hibernation in at least 5 other sections of this config, so + # let's disable hibernation explicitly. Allowing hibernation makes it possible + # to replace the booted kernel with a malicious one, akin to kexec. This helps + # us prevent an attack called "Evil Maid" where an attacker with physical access + # to the device. 
P.S. I chose to mention "Evil Maid" specifically because it sounds + # funny. Do not think that is the only attack you are vulnerable to. + # See: + "nohibernate" + + # make stack-based attacks on the kernel harder + "randomize_kstack_offset=on" + + # Disable vsyscalls as they are obsolete and have been replaced with vDSO. + # vsyscalls are also at fixed addresses in memory, making them a potential + # target for ROP attacks + # this breaks really old binaries for security + "vsyscall=none" + + # reduce most of the exposure of a heap attack to a single cache + # Disable slab merging which significantly increases the difficulty of heap + # exploitation by preventing overwriting objects from merged caches and by + # making it harder to influence slab cache layout + "slab_nomerge" + + # Disable debugfs which exposes a lot of sensitive information about the + # kernel. Some programs, such as powertop, use this interface to gather + # information about the system, but it is not necessary for the system to + # actually publish those. I can live without it. + "debugfs=off" + + # Sometimes certain kernel exploits will cause what is known as an "oops". + # This parameter will cause the kernel to panic on such oopses, thereby + # preventing those exploits + "oops=panic" + + # Only allow kernel modules that have been signed with a valid key to be + # loaded, which increases security by making it much harder to load a + # malicious kernel module + "module.sig_enforce=1" + + # The kernel lockdown LSM can eliminate many methods that user space code + # could abuse to escalate to kernel privileges and extract sensitive + # information. 
This LSM is necessary to implement a clear security boundary + # between user space and the kernel + # integrity: kernel features that allow userland to modify the running kernel + # are disabled + # confidentiality: kernel features that allow userland to extract confidential + # information from the kernel are also disabled + # ArchWiki recommends opting in for "integrity", however since we avoid modifying + # running kernel (by the virtue of using NixOS and locking module hot-loading) the + # confidentiality mode is a better solution. + "lockdown=confidentiality" + + # enable buddy allocator free poisoning + # on: memory will befilled with a specific byte pattern + # that is unlikely to occur in normal operation. + # off (default): page poisoning will be disabled + "page_poison=on" + + # performance improvement for direct-mapped memory-side-cache utilization + # reduces the predictability of page allocations + "page_alloc.shuffle=1" + + # for debugging kernel-level slab issues + "slub_debug=FZP" + + # ignore access time (atime) updates on files + # except when they coincide with updates to the ctime or mtime + "rootflags=noatime" + + # linux security modules + "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" + + # prevent the kernel from blanking plymouth out of the fb + "fbcon=nodefer" + + # the format that will be used for integrity audit logs + # 0 (default): basic integrity auditing messages + # 1: additional integrity auditing messages + "integrity_audit=1" + ]; + }; +} diff --git a/modules/desktop/security/pam.nix b/modules/desktop/security/pam.nix new file mode 100644 index 0000000..b7eb426 --- /dev/null +++ b/modules/desktop/security/pam.nix 
@@ -0,0 +1,50 @@
+{
+ security = {
+ pam = {
+ loginLimits = [
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "soft";
+ value = "524288";
+ }
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "hard";
+ value = "1048576";
+ }
+ ];
+
+ services =
+ let
+ ttyAudit = {
+ enable = true;
+ enablePattern = "*";
+ };
+ in
+ {
+ swaylock.text = "auth include login";
+ gtklock.text = "auth include login";
+
+ login = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+
+ sshd = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+
+ sudo = {
+ inherit ttyAudit;
+
+ setLoginUid = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/desktop/security/pki.nix b/modules/desktop/security/pki.nix
new file mode 100644
index 0000000..b804fc5
--- /dev/null
+++ b/modules/desktop/security/pki.nix
@@ -0,0 +1,42 @@
+{ lib, ... }:
+{
+ security.pki = {
+ certificates = lib.mkForce [ ];
+
+ caCertificateBlacklist = [
+ "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+ "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+
+ # China Financial Certification Authority
+ "CFCA EV ROOT"
+
+ # Chunghwa Telecom Co., Ltd
+ "ePKI Root Certification Authority"
+ "HiPKI Root CA - G1"
+
+ # Dhimyotis
+ "Certigna"
+ "Certigna Root CA"
+
+ # GUANG DONG CERTIFICATE AUTHORITY
+ "GDCA TrustAUTH R5 ROOT"
+
+ # Hongkong Post
+ "Hongkong Post Root CA 3"
+
+ # iTrusChina Co.,Ltd.
+ "vTrus ECC Root CA"
+ "vTrus Root CA"
+
+ # Krajowa Izba Rozliczeniowa S.A.
+ "SZAFIR ROOT CA2"
+
+ # NetLock Kft.
+ "NetLock Arany (Class Gold) Főtanúsítvány"
+
+ # TAIWAN-CA
+ "TWCA Root Certification Authority"
+ "TWCA Global Root CA"
+ ];
+ };
+}
diff --git a/modules/desktop/security/polkit.nix b/modules/desktop/security/polkit.nix
new file mode 100644
index 0000000..786d1a0
--- /dev/null
+++ b/modules/desktop/security/polkit.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+ security.polkit = {
+ enable = true;
+ debug = lib.modules.mkDefault true;
+ };
+}
diff --git a/modules/desktop/security/sudo.nix b/modules/desktop/security/sudo.nix
new file mode 100644
index 0000000..6623b71
--- /dev/null
+++ b/modules/desktop/security/sudo.nix
@@ -0,0 +1,75 @@
+{ pkgs, lib, ... }:
+let
+ inherit (lib.modules) mkForce;
+in
+{
+ security = {
+ sudo-rs.enable = mkForce false;
+
+ sudo = {
+ enable = true;
+ execWheelOnly = mkForce true;
+ wheelNeedsPassword = lib.modules.mkDefault false;
+
+ extraConfig = ''
+ Defaults lecture = never
+ Defaults pwfeedback
+ Defaults env_keep += "EDITOR PATH DISPLAY"
+ Defaults timestamp_timeout = 300
+ '';
+
+ extraRules = [
+ {
+ groups = [ "wheel" ];
+ commands =
+ map
+ (rule: {
+ command = lib.meta.getExe' rule.package rule.command;
+ options = [ "NOPASSWD" ];
+ })
+ (
+ with pkgs;
+ [
+ {
+ package = coreutils;
+ command = "sync";
+ }
+ {
+ package = hdparm;
+ command = "hdparm";
+ }
+ {
+ package = nixos-rebuild;
+ command = "nixos-rebuild";
+ }
+ {
+ package = nvme-cli;
+ command = "nvme";
+ }
+ {
+ package = systemd;
+ command = "poweroff";
+ }
+ {
+ package = systemd;
+ command = "reboot";
+ }
+ {
+ package = systemd;
+ command = "shutdown";
+ }
+ {
+ package = systemd;
+ command = "systemctl";
+ }
+ {
+ package = util-linux;
+ command = "dmesg";
+ }
+ ]
+ );
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index c5df823..4667be4 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -2,7 +2,7 @@
{
imports = [
../core/networking/tailscale.nix
- ../core/security/sops.nix
+ ../core/sops.nix
../core/nix
./networking
./sops.nix
-- cgit v1.2.3