security: hardening, new stuff, admin user

2025-12-21 22:24:51 +02:00
parent 2f1fed539e
commit 62c21f09ba
10 changed files with 319 additions and 1519 deletions
@@ -5,18 +5,45 @@
  ...
 }: let
  inherit (lib) mkIf mkDefault;
+  systemd-services-hardened = fetchGit {
+    url = "https://github.com/wallago/nix-system-services-hardened.git";
+    ref = "main";
+    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
+  };
+  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
 in {
-  # imports = [./nix-mineral];
-  security = {
-    sudo.enable = false;
-    # doas.enable = true;
-    sudo-rs = {
-      enable = true;
-      execWheelOnly = true;
-    };
-    polkit = {
-      enable = true;
-      extraConfig = ''
+  imports =
+    [./boot.nix ./ssh.nix]
+    ++ fromHardened [
+      "accounts-daemon"
+      "getty"
+      # "nix-daemon" # TODO: breaks cgroups, ...
+      "nscd"
+      "rescue"
+      "sshd"
+      "systemd-machined"
+      "systemd-rfkill"
+      "systemd-udevd"
+    ];
+  networking.modemmanager.enable = false;
+  security =
+    lib.attrsets.recursiveUpdate {
+      # doas.enable = true;
+      polkit.enable = true;
+      sudo-rs.enable = false;
+      sudo.enable = false;
+    } {
+      sudo-rs.execWheelOnly = true;
+      pam.loginLimits = [
+        {
+          domain = "*"; # Applies to all users/sessions
+          type = "-"; # Set both soft and hard limits
+          item = "core"; # The soft/hard limit item
+          value = "0"; # Core dumps size is limited to 0 (effectively disabled)
+        }
+      ];
+      # pam.sshAgentAuth.enable = true;
+      polkit.extraConfig = ''
        polkit.addRule(function(action, subject) {
          if (
            subject.isInGroup("users")
@@ -33,91 +60,25 @@ in {
        });
      '';
    };
-    apparmor.enable = mkDefault true;
-    # pam.sshAgentAuth.enable = true;
-  };

  environment.systemPackages = with pkgs; [
    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
  ];
+  systemd.coredump.enable = false;
  services = {
-    dbus = {
-      apparmor = "enabled";
-      implementation = "broker";
+    chrony = {
+      enable = true;
+      enableNTS = true;
+      servers = [
+        "time.cloudflare.com iburst nts"
+        "ntppool1.time.nl iburst nts"
+        "nts.netnod.se iburst nts"
+        "ptbtime1.ptb.de iburst nts"
+        "time.dfm.dk iburst nts"
+        "time.cifelli.xyz iburst nts"
+      ];
    };
-    ntpd-rs = {
-      enable = false;
-      #settings = {
-      #  server = {
-      #    require-nts = true;
-      #  };
-      #};
-    };
-  };
-  boot = {
-    kernel.sysctl = {
-      "dev.tty.ldisc_autoload" = 0;
-      "fs.protected_fifos" = 2;
-      "fs.protected_regular" = 2;
-      "fs.suid_dumpable" = 0;
-      "kernel.kptr_restrict" = 2;
-      "kernel_kexec_load_disabled" = 1;
-      # "kernel.modules_disabled" = 1;
-      "kernel.sysrq" = 0;
-      "kernel.unprivileged_bpf_disabled" = 1;
-      "net.ipv4.conf.all.forwarding" = 0;
-      "net.ipv4.conf.all.log_martians" = 1;
-      "net.ipv4.conf.all.rp_filter" = 1;
-      "net.ipv4.conf.all.send_redirects" = 0;
-      "net.ipv4.conf.default.accept_redirects" = 0;
-      "net.ipv4.conf.default.log_martians" = 1;
-      "net.ipv6.conf.all.accept_redirects" = 0;
-      "net.ipv6.conf.default.accept_redirects" = 0;
-    };
-    kernelParams = [
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      "page_alloc.shuffle=1"
-      "vsyscall=none"
-      # "ia32_emulation=0"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-    ];
-
-    blacklistedKernelModules = [
-      # Obscure network protocols
-      "ax25"
-      "netrom"
-      "rose"
-      # Old or rare or insufficiently audited filesystems
-      "adfs"
-      "affs"
-      "bfs"
-      "befs"
-      "cramfs"
-      "efs"
-      "erofs"
-      "exofs"
-      "freevxfs"
-      "f2fs"
-      "hfs"
-      "hpfs"
-      "jfs"
-      "minix"
-      "nilfs2"
-      "ntfs"
-      "omfs"
-      "qnx4"
-      "qnx6"
-      "sysv"
-      "ufs"
-    ];
+    dbus.implementation = "broker";
  };

  nix.settings.allowed-users = mkDefault ["@users"];