huge

2025-12-31 15:03:16 +02:00
parent c93c93a810
commit fa32ae5510
69 changed files with 1093 additions and 659 deletions
@@ -4,44 +4,39 @@
  pkgs,
  ...
 }: let
-  inherit (lib) mkIf mkDefault;
-  systemd-services-hardened = fetchGit {
-    url = "https://github.com/wallago/nix-system-services-hardened.git";
-    ref = "main";
-    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
-  };
-  fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
+  inherit (lib) mkIf;
 in {
-  imports =
-    [./boot.nix ./ssh.nix]
-    ++ fromHardened [
-      "accounts-daemon"
-      "getty"
-      # "nix-daemon" # TODO: breaks cgroups, ...
-      "nscd"
-      "rescue"
-      "sshd"
-      "systemd-machined"
-      "systemd-rfkill"
-      "systemd-udevd"
-    ];
+  imports = [
+    ./boot.nix
+    ./coredump.nix
+    ./services.nix
+    ./ssh.nix
+  ];
+
  networking.modemmanager.enable = false;
+
+  nix.settings.allowed-users = ["@users"];
+  nix.settings.trusted-users = ["@wheel"];
+
+  environment.systemPackages = with pkgs; [
+    (mkIf config.security.doas.enable doas-sudo-shim)
+  ];
+
  security =
    lib.attrsets.recursiveUpdate {
      # doas.enable = true;
      polkit.enable = true;
      sudo-rs.enable = false;
      sudo.enable = false;
+
+      wrappers = {
+        newgrp.enable = false;
+        pkexec.enable = false;
+        sg.enable = false;
+        su.enable = false;
+      };
    } {
      sudo-rs.execWheelOnly = true;
-      pam.loginLimits = [
-        {
-          domain = "*"; # Applies to all users/sessions
-          type = "-"; # Set both soft and hard limits
-          item = "core"; # The soft/hard limit item
-          value = "0"; # Core dumps size is limited to 0 (effectively disabled)
-        }
-      ];
      # pam.sshAgentAuth.enable = true;
      polkit.extraConfig = ''
        polkit.addRule(function(action, subject) {
@@ -61,25 +56,20 @@ in {
      '';
    };

-  environment.systemPackages = with pkgs; [
-    (mkIf config.security.doas.enable doas-sudo-shim) # if doas install doas sudo shim
-  ];
-  systemd.coredump.enable = false;
-  services = {
-    chrony = {
-      enable = true;
-      enableNTS = true;
-      servers = [
-        "time.cloudflare.com iburst nts"
-        "ntppool1.time.nl iburst nts"
-        "nts.netnod.se iburst nts"
-        "ptbtime1.ptb.de iburst nts"
-        "time.dfm.dk iburst nts"
-        "time.cifelli.xyz iburst nts"
-      ];
-    };
-    dbus.implementation = "broker";
+  services.dbus.implementation = "broker";
+  services.chrony = {
+    enable = true;
+    enableRTCTrimming = false;
+    enableNTS = true;
+    extraConfig = "rtcsync";
+    extraFlags = ["-r" "-s"];
+    servers = [
+      "time.cloudflare.com iburst nts"
+      "ntppool1.time.nl iburst nts"
+      "nts.netnod.se iburst nts"
+      "ptbtime1.ptb.de iburst nts"
+      "time.dfm.dk iburst nts"
+      "time.cifelli.xyz iburst nts"
+    ];
  };
-
-  nix.settings.allowed-users = mkDefault ["@users"];
 }