unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: hardening, new stuff, admin user

Browse Source
This commit is contained in:
unexplrd
2025-12-21 22:24:51 +02:00
parent 2f1fed539e
commit 62c21f09ba
10 changed files with 319 additions and 1519 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -9,6 +9,7 @@ configs without much hassle.
## Credits
Configurations I took code/ideas from:
- [nix-book by saylesss88](https://saylesss88.github.io/index.html) (especially the Hardening NixOS article)
- [github:TheMaxMur/NixOS-Configuration](https://github.com/TheMaxMur/NixOS-Configuration)
- [github:nix-community/srvos](https://github.com/nix-community/srvos)
- [github:cloud-gouv/securix](https://github.com/cloud-gouv/securix)

2
modules/shared/nixos/nix/common.nix
View File

@@ -1,6 +1,7 @@
{
pkgs,
# inputs,
config,
lib,
...
}: {
@@ -42,4 +43,5 @@
# for container in builds support
nix.settings.system-features = ["uid-range"];
systemd.services.nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce []; # (lib.remove "~cgroup" config.systemd.services.nix-daemon.serviceConfig.RestrictNamespaces);
}

186
modules/shared/nixos/security/boot.nix Normal file
View File

@@ -0,0 +1,186 @@
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
"kernel.kptr_restrict" = 2;
# restrict kernel log to CAP_SYSLOG capability
"kernel.dmesg_restrict" = 1;
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict eBPF to the CAP_BPF capability
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
# "net.core.bpf_jit_harden" = 2;
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 0;
# disable unprivileged user namespaces, Note: Docker, NH, and other apps may need this
# "kernel.unprivileged_userns_clone" = 0; # Set to 1 because it makes NH and other programs fail
# This should be set to 0 if you don't rely on flatpak, NH, Docker, etc.
"kernel.unprivileged_userns_clone" = 1;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
# Network
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Userspace
# restrict usage of ptrace
"kernel.yama.ptrace_scope" = 2;
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelParams = [
"systemd.unified_cgroup_hierarchy=1"
"cgroup_no_v1=all"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=integrity" # confidentiality
"module.sig_enforce=1"
"page_alloc.shuffle=1"
"randomize_kstack_offset=on"
"vsyscall=none"
];
boot.blacklistedKernelModules =
[
# Obscure networking protocols
"dccp" # Datagram Congestion Control Protocol
"sctp" # Stream Control Transmission Protocol
"rds" # Reliable Datagram Sockets
"tipc" # Transparent Inter-Process Communication
"n-hdlc" # High-level Data Link Control
"ax25" # Amateur X.25
"netrom" # NetRom
"x25" # X.25
"rose"
"decnet"
"econet"
"af_802154" # IEEE 802.15.4
"ipx" # Internetwork Packet Exchange
"appletalk"
"psnap" # SubnetworkAccess Protocol
"p8023" # Novell raw IEE 802.3
"p8022" # IEE 802.3
"can" # Controller Area Network
"atm"
# Various rare filesystems
"cramfs"
"freevxfs"
"jffs2"
"hfs"
"hfsplus"
"udf"
# "squashfs" # compressed read-only file system used for Live CDs
# "cifs" # cmb (Common Internet File System)
# "nfs" # Network File System
# "nfsv3"
# "nfsv4"
# "ksmbd" # SMB3 Kernel Server
# "gfs2" # Global File System 2
# vivid driver is only useful for testing purposes and has been the
# cause of privilege escalation vulnerabilities
# "vivid"
]
++ [
# Various framebuffer drivers
# "aty128fb"
# "atyfb"
# "radeonfb"
# "cirrusfb"
"cyber2000fb"
"cyblafb"
"gx1fb"
"hgafb"
# "i810fb"
# "intelfb"
# "kyrofb"
"lxfb"
"matroxfb_base"
"neofb"
# "nvidiafb"
"pm2fb"
# "rivafb"
"s1d13xxxfb"
# "savagefb"
"sisfb"
# "sstfb"
# "tdfxfb"
# "tridentfb"
"vesafb"
"vfb"
# "viafb"
"vt8623fb"
"udlfb"
];
}

141
modules/shared/nixos/security/default.nix
View File

@@ -5,18 +5,45 @@
...
}: let
inherit (lib) mkIf mkDefault;
systemd-services-hardened = fetchGit {
url = "https://github.com/wallago/nix-system-services-hardened.git";
ref = "main";
rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
};
fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
in {
# imports = [./nix-mineral];
security = {
sudo.enable = false;
# doas.enable = true;
sudo-rs = {
enable = true;
execWheelOnly = true;
};
polkit = {
enable = true;
extraConfig = ''
imports =
[./boot.nix ./ssh.nix]
++ fromHardened [
"accounts-daemon"
"getty"
# "nix-daemon" # TODO: breaks cgroups, ...
"nscd"
"rescue"
"sshd"
"systemd-machined"
"systemd-rfkill"
"systemd-udevd"
];
networking.modemmanager.enable = false;
security =
lib.attrsets.recursiveUpdate {
# doas.enable = true;
polkit.enable = true;
sudo-rs.enable = false;
sudo.enable = false;
} {
sudo-rs.execWheelOnly = true;
pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
# pam.sshAgentAuth.enable = true;
polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
@@ -33,91 +60,25 @@ in {
});
'';
};
apparmor.enable = mkDefault true;
# pam.sshAgentAuth.enable = true;
};
environment.systemPackages = with pkgs; [
(mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
];
systemd.coredump.enable = false;
services = {
dbus = {
apparmor = "enabled";
implementation = "broker";
chrony = {
enable = true;
enableNTS = true;
servers = [
"time.cloudflare.com iburst nts"
"ntppool1.time.nl iburst nts"
"nts.netnod.se iburst nts"
"ptbtime1.ptb.de iburst nts"
"time.dfm.dk iburst nts"
"time.cifelli.xyz iburst nts"
];
};
ntpd-rs = {
enable = false;
#settings = {
# server = {
# require-nts = true;
# };
#};
};
};
boot = {
kernel.sysctl = {
"dev.tty.ldisc_autoload" = 0;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.suid_dumpable" = 0;
"kernel.kptr_restrict" = 2;
"kernel_kexec_load_disabled" = 1;
# "kernel.modules_disabled" = 1;
"kernel.sysrq" = 0;
"kernel.unprivileged_bpf_disabled" = 1;
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
};
kernelParams = [
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
"page_alloc.shuffle=1"
"vsyscall=none"
# "ia32_emulation=0"
# "lockdown=confidentiality"
# "module.sig_enforce=1"
];
blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
dbus.implementation = "broker";
};
nix.settings.allowed-users = mkDefault ["@users"];

3
modules/shared/nixos/security/nix-mineral/default.nix
View File

@@ -1,3 +0,0 @@
{
imports = [./nix-mineral.nix ./nm-overrides.nix];
}

1135
modules/shared/nixos/security/nix-mineral/nix-mineral.nix
View File

File diff suppressed because it is too large Load Diff

228
modules/shared/nixos/security/nix-mineral/nm-overrides.nix
View File

@@ -1,228 +0,0 @@
# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
# Copyright (c) 2025 cynicsketch
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This is the overrides file for nix-mineral, containing a non-comprehensive
# list of options that one may wish to override for any number of reasons.
#
# The goal is primarily to provide a premade template for users to make
# nix-mineral work with any system and use case.
({
config,
lib,
pkgs,
...
}: (with lib; {
## Compatibility
# Options to ensure compatibility with certain usecases and hardware, at the
# expense of overall security.
# Set boot parameter "module.sig_enforce=0" to allow loading unsigned kernel
# modules, which may include certain drivers. Lockdown must also be disabled,
# see option below this one.
# nm-overrides.compatibility.allow-unsigned-modules.enable = true;
# Disable Linux Kernel Lockdown to *permit* loading unsigned kernel modules
# and hibernation.
# nm-overrides.compatibility.no-lockdown.enable = true;
# Enable binfmt_misc. This is required for Roseta to function.
# nm-overrides.compatibility.binfmt-misc.enable = true;
# Reenable the busmaster bit at boot. This may help with low resource systems
# that are prevented from booting by the defaults of nix-mineral.
# nm-overrides.compatibility.busmaster-bit.enable = true;
# Reenable io_uring, which is the cause of many vulnerabilities. This may
# be desired for specific environments concerning Proxmox.
# nm-overrides.compatibility.io-uring.enable = true;
# Enable ip forwarding. Useful for certain VM networking and is required if
# the system is meant to function as a router.
# nm-overrides.compatibility.ip-forward.enable = true;
## Desktop
# Options that are useful to desktop experience and general convenience. Some
# of these may also be to specific server environments, too. Most of these
# options reduce security to a certain degree.
# Reenable multilib, may be useful to playing certain games.
nm-overrides.desktop.allow-multilib.enable = true;
# Reenable unprivileged userns. Although userns is the target of many
# exploits, it also used in the Chromium sandbox, unprivileged containers,
# and bubblewrap among many other applications.
nm-overrides.desktop.allow-unprivileged-userns.enable = true;
# Enable doas-sudo wrapper, useful for scripts that use "sudo." Installs
# nano for rnano as a "safe" method of editing text as root.
# Use this when replacing sudo with doas, see "Software Choice."
# sudo = doas
# doasedit/sudoedit = doas rnano
# nm-overrides.desktop.doas-sudo-wrapper.enable = true;
# Allow executing binaries in /home. Highly relevant for games and other
# programs executing in the /home folder.
nm-overrides.desktop.home-exec.enable = true;
# Allow executing binaries in /tmp. Certain applications may need to execute
# in /tmp, Java being one example.
nm-overrides.desktop.tmp-exec.enable = true;
# Allow executing binaries in /var/lib. LXC, and system-wide Flatpaks are
# among some examples of applications that requiring executing in /var/lib.
# nm-overrides.desktop.var-lib-exec.enable = true;
# Allow all users to use nix, rather than just users of the "wheel" group.
# May be useful for allowing a non-wheel user to, for example, use devshell.
# nm-overrides.desktop.nix-allow-all-users.enable = true;
# Automatically allow all connected devices at boot in USBGuard. Note that
# for laptop users, inbuilt speakers and bluetooth cards may be disabled
# by USBGuard by default, so whitelisting them manually or enabling this
# option may solve that.
# nm-overrides.desktop.usbguard-allow-at-boot.enable = true;
# Enable USBGuard dbus daemon and add polkit rules to integrate USBGuard with
# GNOME Shell. If you use GNOME, this means that USBGuard automatically
# allows all newly connected devices while unlocked, and blacklists all
# newly connected devices while locked. This is obviously very convenient,
# and is similar behavior to handling USB as ChromeOS and GrapheneOS.
# nm-overrides.usbguard-gnome-integration.enable = true;
# Completely disable USBGuard to avoid hassle with handling USB devices at
# all.
nm-overrides.desktop.usbguard-disable.enable = true;
# Rather than disable ptrace entirely, restrict ptrace so that parent
# processes can ptrace descendants. May allow certain Linux game anticheats
# to function.
nm-overrides.desktop.yama-relaxed.enable = true;
# Allow processes that can ptrace a process to read its process information.
# Requires ptrace to even be allowed in the first place, see above option.
# Note: While nix-mineral has made provisions to unbreak systemd, it is
# not supported by upstream, and breakage may still occur:
# https://github.com/systemd/systemd/issues/12955
# nm-overrides.desktop.hideproc-relaxed.enable = true;
## Performance
# Options to revert some performance taxing tweaks by nix-mineral, at the cost
# of security. In general, it's recommended not to use these unless your system
# is otherwise unusable without tweaking these.
# Allow symmetric multithreading and just use default CPU mitigations, to
# potentially improve performance.
nm-overrides.performance.allow-smt.enable = true;
# Disable all CPU mitigations. Do not use with the above option. May improve
# performance further, but is even more dangerous!
# nm-overrides.performance.no-mitigations.enable = true;
# Enable bypassing the IOMMU for direct memory access. Could increase I/O
# performance on ARM64 systems, with risk. See URL: https://wiki.ubuntu.com/ARM64/performance
# nm-overrides.performance.iommu-passthrough.enable = true;
# Page table isolation mitigates some KASLR bypasses and the Meltdown CPU
# vulnerability. It may also tax performance, so this option disables it.
# nm-overrides.perforamcne.no-pti.enable = true;
## Security
# Other security related options that were not enabled by default for one
# reason or another.
# Lock the root account. Requires another method of privilege escalation, i.e
# sudo or doas, and declarative accounts to work properly.
nm-overrides.security.lock-root.enable = true;
# Reduce swappiness to bare minimum. May reduce risk of writing sensitive
# information to disk, but hampers zram performance. Also useless if you do
# not even use a swap file/partition, i.e zram only setup.
# nm-overrides.security.minimum-swappiness.enable = true;
# Enable SAK (Secure Attention Key). SAK prevents keylogging, if used
# correctly. See URL: https://madaidans-insecurities.github.io/guides/linux-hardening.html#accessing-root-securely
# nm-overrides.security.sysrq-sak.enable = true;
# Privacy/security split.
# This option disables TCP timestamps. By default, nix-mineral enables
# tcp-timestamps. Disabling prevents leaking system time, enabling protects
# against wrapped sequence numbers and improves performance.
#
# Read more about the issue here:
# URL: (In favor of disabling): https://madaidans-insecurities.github.io/guides/linux-hardening.html#tcp-timestamps
# URL: (In favor of enabling): https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# nm-overrides.security.tcp-timestamp-disable.enable = true;
# Disable loading kernel modules (except those loaded at boot via kernel
# commandline)
# Very likely to cause breakage unless you can compile a list of every module
# you need and add that to your boot parameters manually.
# nm-overrides.security.disable-modules.enable = true;
# Disable TCP window scaling. May help mitigate TCP reset DoS attacks, but
# may also harm network performance when at high latencies.
# nm-overrides.security.disable-tcp-window-scaling.enable = true;
# Disable bluetooth entirely. nix-mineral borrows a privacy preserving
# bluetooth configuration file by default, but if you never use bluetooth
# at all, this can reduce attack surface further.
# nm-overrides.security.disable-bluetooth.enable = true;
# Disable Intel ME related kernel modules. This is to avoid putting trust in
# the highly privilege ME system, but there are potentially other
# consequences.
#
# If you use an AMD system, you can enable this without negative consequence
# and reduce attack surface.
#
# Intel users should read more about the issue at the below links:
# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
# https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
# https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
# https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
# https://github.com/Kicksecure/security-misc/issues/239
#
# nm-overrides.security.disable-intelme-kmodules.enable = true;
# DO NOT USE THIS OPTION ON ANY PRODUCTION SYSTEM! FOR TESTING PURPOSES ONLY!
# Use hardened-malloc as default memory allocator for all processes.
# nm-overrides.security.hardened-malloc.enable = true;
## Software Choice
# Options to add (or remove) opinionated software replacements by nix-mineral.
# Replace sudo with doas. doas has a lower attack surface, but is less
# audited.
# nm-overrides.software-choice.doas-no-sudo.enable = true;
# Replace systemd-timesyncd with chrony, for NTS support and its seccomp
# filter.
nm-overrides.software-choice.secure-chrony.enable = true;
# Use Linux Kernel with hardened patchset. Concurs a multitude of security
# benefits, but prevents hibernation.*
#
# (No longer recommended as of July 25, 2024. The patchset being behind by
# about a week or so is one thing, but the package as included in nixpkgs is
# way too infrequently updated, being several weeks or even months behind.
# Therefore, it is recommended to choose an LTS kernel like 5.15, 6.1, or 6.6
# in your own system configuration.*)
#
# nm-overrides.software-choice.hardened-kernel.enable = true;
# Dont use the nix-mineral default firewall, if you wish to use alternate
# applications for the same purpose.
# nm-overrides.software-choice.no-firewall.enable = true;
}))

57
modules/shared/nixos/security/nix-mineral/sources.toml
View File

@@ -1,57 +0,0 @@
# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
# Copyright (c) 2025 cynicsketch
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
[issue]
user = "Kicksecure"
repo = "security-misc"
rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
file = "usr/lib/issue.d/20_security-misc.issue"
sha256 = "00ilswn1661h8rwfrq4w3j945nr7dqd1g519d3ckfkm0dr49f26b"
modified = "2024/08/02"
[gitconfig]
user = "Kicksecure"
repo = "security-misc"
rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
file = "etc/gitconfig"
sha256 = "1p3adrbmv7fvy84v3i3m3xrzbc2zdrxzn6prac8f6418vwrdmyp7"
modified = "2024/08/02"
[bluetooth]
user = "Kicksecure"
repo = "security-misc"
rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
file = "etc/bluetooth/30_security-misc.conf"
sha256 = "0xyvvgmm0dhf0dfhfj4hdbyf2ma30bpd1m5zx6xnjdfvy2fr44na"
modified = "2024/08/02"
[module-blacklist]
user = "Kicksecure"
repo = "security-misc"
rev = "de6f3ea74a5a1408e4351c955ecb7010825364c5"
file = "etc/modprobe.d/30_security-misc_disable.conf"
sha256 = "1mab9cnnwpc4a0x1f5n45yn4yhhdy1affdmmimmslg8rcw65ajh2"
modified = "2024/08/02"
[chrony]
user = "GrapheneOS"
repo = "infrastructure"
rev = "1f4d7316b8bd42476fc8e98224f67ce8d150527d"
file = "etc/chrony.conf"
sha256 = "sha256:0cfd5dwimiv4sadmknnc4l4zm7y49bmdnjdk7wc8wvnhfri3mick"
modified = "2025/04/16"

59
modules/shared/nixos/security/ssh.nix Normal file
View File

@@ -0,0 +1,59 @@
{config, ...}: {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = config.services.xserver.enable;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
# AllowUsers = ["user"];
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
PermitRootLogin = "no";
KexAlgorithms = [
# Post-Quantum: https://www.openssh.org/pq.html
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"curve25519-sha256@libssh.org"
"ecdh-sha2-nistp521"
"ecdh-sha2-nistp384"
"ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
# stream cipher alternative to aes256, proven to be resilient
# Very fast on basically anything
"chacha20-poly1305@openssh.com"
# industry standard, fast if you have AES-NI hardware
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
# Combines the SHA-512 hash func with a secret key to create a MAC
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}

26
modules/shared/nixos/users.nix
View File

@@ -10,15 +10,29 @@
inherit (inputs) mysecrets;
sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
in {
nix.settings.trusted-users = ["user"];
users.groups.admin = {};
# --------------------------------------
nix.settings.trusted-users = ["user" "admin"];
users.mutableUsers = false;
users.users = {
user = {
admin = {
isNormalUser = true;
description = "System administrator";
extraGroups = ["wheel"]; # wheel = sudo
# run `mkpasswd --method=yescrypt` and replace "changeme" w/ the result
hashedPasswordFile = secrets."user-password-hashed".path;
openssh.authorizedKeys.keyFiles = map sshKeys [
"dunamis"
"eldrid"
"legion"
"morphius"
"sarien"
];
};
user = {
extraGroups = ["video" "libvirtd" "dialout"];
hashedPasswordFile = secrets."user-password-hashed".path;
extraGroups =
["wheel" "video" "libvirtd" "dialout"]
# for lisgd
++ lib.optional (hostName == "morphius" && config.desktop.niri.enable) "input";
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = map sshKeys [