move around security

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-05-04 19:31:59 +03:00
parent 9510cc48e2
commit 4652ce19db
19 changed files with 103 additions and 308 deletions
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@ -38,7 +38,6 @@
  locale.ukrainian.enable = true;
  opentabletdriver.enable = false;
  qmk-vial.enable = true;
-  security.basic.enable = true;
  virtual.libvirt.enable = true;

  nix = let
--- a/hosts/eldrid/configuration.nix
+++ b/hosts/eldrid/configuration.nix
@ -33,7 +33,6 @@
  locale.ukrainian.enable = true;
  opentabletdriver.enable = false;
  qmk-vial.enable = true;
-  security.basic.enable = true;
  virtual.libvirt.enable = false;

  swapDevices = [
--- a/hosts/legion/configuration.nix
+++ b/hosts/legion/configuration.nix
@ -23,7 +23,7 @@
  };
  opentabletdriver.enable = false;
  qmk-vial.enable = true;
-  security.basic.enable = true;
+
  system.stateVersion = "25.05";
  time.timeZone = "Europe/Kyiv";
  virtual.libvirt.enable = true;
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@ -35,6 +35,5 @@
  locale.ukrainian.enable = true;
  opentabletdriver.enable = false;
  qmk-vial.enable = true;
-  security.basic.enable = true;
  virtual.libvirt.enable = true;
 }
--- a/modules/nixos/config/boot/default.nix
+++ b/modules/nixos/config/boot/default.nix
@ -1,5 +1,4 @@
 {
-  config,
  inputs,
  pkgs,
  ...
@ -13,21 +12,6 @@
    plymouth.enable = true;
    consoleLogLevel = 0;
    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
    initrd = {
      systemd.enable = true;
      systemd.tpm2.enable = false;
--- a/modules/nixos/config/default.nix
+++ b/modules/nixos/config/default.nix
@ -13,6 +13,7 @@ in {
    ./hardware
    ./networking
    ./nix
+    ./security
    ./programs.nix
    ./services.nix
    ./users.nix
--- a/modules/nixos/config/nix/default.nix
+++ b/modules/nixos/config/nix/default.nix
@ -2,6 +2,5 @@
  imports = [
    ./common.nix
    ./substituters.nix
-    # ./ssh-serve.nix
  ];
 }
--- a/modules/nixos/config/nix/distributed-build.nix
+++ b/modules/nixos/config/nix/distributed-build.nix
@ -1,30 +0,0 @@
-{
-  config,
-  inputs,
-  ...
-}: let
-  inherit (builtins) readFile;
-  inherit (config.networking) hostName;
-  inherit (config.sops) secrets;
-  inherit (inputs) mysecrets;
-  pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64";
-in {
-  nix = {
-    distributedBuilds = true;
-    buildMachines = [
-      {
-        hostName = "dunamis";
-        publicHostKey = pubHost;
-        sshKey = secrets."ssh-${hostName}-user".path;
-        sshUser = "nix-ssh";
-        supportedFeatures = [
-          "benchmark"
-          "big-parallel"
-          "kvm"
-          "nixos-test"
-        ];
-        system = "x86_64-linux";
-      }
-    ];
-  };
-}
--- a/modules/nixos/config/nix/ssh-serve.nix
+++ b/modules/nixos/config/nix/ssh-serve.nix
@ -1,11 +0,0 @@
-{config, ...}: let
-  inherit (builtins) readFile;
-  inherit (config.users.users) user;
-in {
-  nix.settings.trusted-users = ["nix-ssh"];
-  nix.sshServe = {
-    enable = true;
-    write = true;
-    keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
-  };
-}
--- a/modules/nixos/config/security/default.nix
+++ b/modules/nixos/config/security/default.nix
@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkDefault;
+in {
+  security = {
+    sudo.enable = false;
+    # doas.enable = true;
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+    };
+    polkit.enable = true;
+    polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (
+          subject.isInGroup("users")
+            && (
+              action.id == "org.freedesktop.login1.reboot" ||
+              action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+              action.id == "org.freedesktop.login1.power-off" ||
+              action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+            )
+          )
+        {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    apparmor.enable = mkDefault true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
+  ];
+
+  services.dbus = {
+    apparmor = "enabled";
+    implementation = "broker";
+  };
+  services.ntpd-rs = {
+    enable = true;
+    #settings = {
+    #  server = {
+    #    require-nts = true;
+    #  };
+    #};
+  };
+
+  boot.kernelParams = [
+    "amd_iommu=force_isolation"
+    "debugfs=off"
+    "efi=disable_early_pci_dma"
+    "gather_data_sampling=force"
+    "intel_iommu=on"
+    "iommu.passthrough=0"
+    "iommu.strict=1"
+    "iommu=force"
+    "page_alloc.shuffle=1"
+    "vsyscall=none"
+    # "ia32_emulation=0"
+    # "lockdown=confidentiality"
+    # "module.sig_enforce=1"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
+  ];
+
+  nix.settings.allowed-users = mkDefault ["@users"];
+}
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@ -2,8 +2,6 @@
  imports = [
    ./common.nix
    ./misc
-    ./security
    ./virtual
-    ./wireless
  ];
 }
--- a/modules/nixos/system/misc/locale.nix
+++ b/modules/nixos/system/misc/locale.nix
@ -4,12 +4,13 @@
  ...
 }: let
  inherit (lib) mkIf mkEnableOption;
+  cfg = config.locale.ukrainian;
 in {
  options = {
    locale.ukrainian.enable =
      mkEnableOption "enables ukrainian locale";
  };
-  config = mkIf config.locale.ukrainian.enable {
+  config = mkIf cfg.enable {
    i18n = let
      locale = "uk_UA.UTF-8";
    in {
--- a/modules/nixos/system/misc/mullvad-vpn.nix
+++ b/modules/nixos/system/misc/mullvad-vpn.nix
@ -1,6 +0,0 @@
-{pkgs, ...}: {
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
-  };
-}
--- a/modules/nixos/system/security/basic.nix
+++ b/modules/nixos/system/security/basic.nix
@ -1,90 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (lib) mkIf mkEnableOption mkDefault;
-  cfg = config.security.basic;
-in {
-  options = {
-    security.basic.enable =
-      mkEnableOption "enable basic security";
-  };
-  config = mkIf cfg.enable {
-    security = {
-      sudo.enable = false;
-      # doas.enable = true;
-      sudo-rs = {
-        enable = true;
-        execWheelOnly = true;
-      };
-      polkit.enable = true;
-      polkit.extraConfig = ''
-        polkit.addRule(function(action, subject) {
-          if (
-            subject.isInGroup("users")
-              && (
-                action.id == "org.freedesktop.login1.reboot" ||
-                action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
-                action.id == "org.freedesktop.login1.power-off" ||
-                action.id == "org.freedesktop.login1.power-off-multiple-sessions"
-              )
-            )
-          {
-            return polkit.Result.YES;
-          }
-        });
-      '';
-      apparmor.enable = mkDefault true;
-    };
-
-    environment.systemPackages = with pkgs; [
-      (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
-    ];
-
-    services.dbus = {
-      apparmor = "enabled";
-      implementation = "broker";
-    };
-    services.ntpd-rs = {
-      enable = true;
-      #settings = {
-      #  server = {
-      #    require-nts = true;
-      #  };
-      #};
-    };
-
-    boot.blacklistedKernelModules = [
-      # Obscure network protocols
-      "ax25"
-      "netrom"
-      "rose"
-      # Old or rare or insufficiently audited filesystems
-      "adfs"
-      "affs"
-      "bfs"
-      "befs"
-      "cramfs"
-      "efs"
-      "erofs"
-      "exofs"
-      "freevxfs"
-      "f2fs"
-      "hfs"
-      "hpfs"
-      "jfs"
-      "minix"
-      "nilfs2"
-      "ntfs"
-      "omfs"
-      "qnx4"
-      "qnx6"
-      "sysv"
-      "ufs"
-    ];
-
-    nix.settings.allowed-users = mkDefault ["@users"];
-  };
-}
--- a/modules/nixos/system/security/default.nix
+++ b/modules/nixos/system/security/default.nix
@ -1,7 +0,0 @@
-{
-  imports = [
-    ./basic.nix
-    ./extensive.nix
-    ./dnscrypt-proxy.nix
-  ];
-}
--- a/modules/nixos/system/security/dnscrypt-proxy.nix
+++ b/modules/nixos/system/security/dnscrypt-proxy.nix
@ -1,49 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; {
-  options = {
-    security.dnscrypt-proxy.enable =
-      mkEnableOption "enable dnscrypt-proxy";
-  };
-  config = mkIf config.security.dnscrypt-proxy.enable {
-    networking = {
-      nameservers = ["127.0.0.1" "::1"];
-      # If using dhcpcd:
-      dhcpcd.extraConfig = "nohook resolv.conf";
-      # If using NetworkManager:
-      networkmanager.dns = "none";
-    };
-
-    # Make sure you don't have services.resolved.enable on.
-    services.dnscrypt-proxy2 = {
-      enable = true;
-      settings = {
-        ipv6_servers = false;
-        require_dnssec = true;
-
-        sources.public-resolvers = {
-          urls = [
-            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-          ];
-          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
-        };
-
-        # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        server_names = [
-          #"quad9-dnscrypt-ip4-filter-pri"
-          "cloudflare"
-        ];
-      };
-    };
-
-    systemd.services.dnscrypt-proxy2.serviceConfig = {
-      StateDirectory = "dnscrypt-proxy";
-    };
-  };
-}
--- a/modules/nixos/system/security/extensive.nix
+++ b/modules/nixos/system/security/extensive.nix
@ -1,66 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.security.extensive;
-in {
-  options = {
-    security.extensive.enable =
-      mkEnableOption "enable extensive security";
-  };
-  config = mkIf cfg.enable {
-    security.basic.enable = true;
-
-    environment.memoryAllocator.provider = mkDefault "scudo";
-    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-
-    security = {
-      lockKernelModules = mkDefault false;
-      protectKernelImage = mkDefault true;
-      # allowSimultaneousMultithreading = mkDefault false;
-      forcePageTableIsolation = mkDefault true;
-      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-      virtualisation.flushL1DataCache = mkDefault "always";
-      apparmor.enable = mkDefault true;
-      apparmor.killUnconfinedConfinables = mkDefault true;
-    };
-
-    boot.kernel.sysctl = {
-      # Hide kptrs even for processes with CAP_SYSLOG
-      "kernel.kptr_restrict" = mkOverride 500 2;
-      # Disable bpf() JIT (to eliminate spray attacks)
-      "net.core.bpf_jit_enable" = mkDefault false;
-      # Disable ftrace debugging
-      "kernel.ftrace_enabled" = mkDefault false;
-    };
-
-    boot.kernel.sysctl = {
-      # Enable strict reverse path filtering (that is, do not attempt to route
-      # packets that "obviously" do not belong to the iface's network; dropped
-      # packets are logged as martians).
-      "net.ipv4.conf.all.log_martians" = mkDefault true;
-      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
-      "net.ipv4.conf.default.log_martians" = mkDefault true;
-      "net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-      # Ignore broadcast ICMP (mitigate SMURF)
-      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-
-      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-      # setting is applied to interfaces added after the sysctls are set)
-      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
-      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
-      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
-      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
-      "net.ipv6.conf.default.accept_redirects" = mkDefault false;
-
-      # Ignore outgoing ICMP redirects (this is ipv4 only)
-      "net.ipv4.conf.all.send_redirects" = mkDefault false;
-      "net.ipv4.conf.default.send_redirects" = mkDefault false;
-    };
-  };
-}
--- a/modules/nixos/system/wireless/bluetooth.nix
+++ b/modules/nixos/system/wireless/bluetooth.nix
@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.wireless.bluetooth;
-in {
-  options = {
-    wireless.bluetooth = {
-      enable = mkEnableOption "enable bluetooth";
-      enableBlueman = mkEnableOption "enable bluetooth manager";
-    };
-  };
-  config = mkIf cfg.enable {
-    hardware.bluetooth.enable = true;
-    hardware.bluetooth.powerOnBoot = true;
-    services.blueman.enable = cfg.enableBlueman;
-  };
-}
--- a/modules/nixos/system/wireless/default.nix
+++ b/modules/nixos/system/wireless/default.nix
@ -1,5 +0,0 @@
-{
-  imports = [
-    ./bluetooth.nix
-  ];
-}