gwg313/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit

Browse source
This commit is contained in:
gwg313 2026-04-15 18:26:05 -04:00
commit ebc1be5217
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
143 changed files with 7721 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
modules/features/security/security-auditd.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
{
config.dendritic.features.security-auditd = {
nixosModules = [
(
{ ... }:
{
# start as early in the boot process as possible
boot.kernelParams = [ "audit=1" ];
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
# Log all program executions on 64-bit architecture
"-a exit,always -F arch=b64 -S execve"
];
}
)
];
};
}

17
modules/features/security/security-firewall-nftables.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
config.dendritic.features.security-firewall = {
nixosModules = [
(
{ ... }:
{
networking.nftables.enable = true;
networking.firewall = {
enable = true;
};
}
)
];
};
}

102
modules/features/security/security-kernel-hardened.nix Normal file
View file

@ -0,0 +1,102 @@
{ ... }:
{
config.dendritic.features.security-kernel-hardened = {
nixosModules = [
(
{ pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_hardened;
security = {
protectKernelImage = true;
lockKernelModules = false; # this breaks iptables, wireguard, and virtd
# force-enable the Page Table Isolation (PTI) Linux kernel feature
forcePageTableIsolation = true;
# User namespaces are required for sandboxing.
# this means you cannot set `"user.max_user_namespaces" = 0;` in sysctl
allowUserNamespaces = true;
# Disable unprivileged user namespaces, unless containers are enabled
# unprivilegedUsernsClone = true;
allowSimultaneousMultithreading = true;
};
boot.kernelParams = [
# make it harder to influence slab cache layout
"slab_nomerge"
# enables zeroing of memory during allocation and free time
# helps mitigate use-after-free vulnerabilaties
"init_on_alloc=1"
"init_on_free=1"
# randomizes page allocator freelist, improving security by
# making page allocations less predictable
"page_alloc.shuffel=1"
# enables Kernel Page Table Isolation, which mitigates Meltdown and
# prevents some KASLR bypasses
"pti=on"
# randomizes the kernel stack offset on each syscall
# making attacks that rely on a deterministic stack layout difficult
"randomize_kstack_offset=on"
# disables vsyscalls, they've been replaced with vDSO
"vsyscall=none"
# disables debugfs, which exposes sensitive info about the kernel
"debugfs=off"
# certain exploits cause an "oops", this makes the kernel panic if an "oops" occurs
"oops=panic"
# only alows kernel modules that have been signed with a valid key to be loaded
# making it harder to load malicious kernel modules
# can make VirtualBox or Nvidia drivers unusable
"module.sig_enforce=1"
# prevents user space code excalation
"lockdown=confidentiality"
# "rd.udev.log_level=3"
# "udev.log_priority=3"
];
boot.blacklistedKernelModules = [
# Obscure networking protocols
"dccp"
"sctp"
"rds"
"tipc"
"n-hdlc"
"ax25"
"netrom"
"x25"
"rose"
"decnet"
"econet"
"af_802154"
"ipx"
"appletalk"
"psnap"
"p8023"
"p8022"
"can"
"atm"
# Various rare filesystems
"cramfs"
"freevxfs"
"jffs2"
"hfs"
"hfsplus"
"udf"
# Not so rare filesystems
"squashfs"
"cifs"
"nfs"
"nfsv3"
"nfsv4"
"ksmbd"
"gfs2"
# vivid driver is only useful for testing purposes and has been the
# cause of privilege escalation vulnerabilities
"vivid"
];
}
)
];
};
}

33
modules/features/security/security-malware-clamav.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
config.dendritic.features.security-malware-clamav = {
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
clamav
];
services.clamav = {
daemon.enable = true;
updater.enable = true;
updater.frequency = 12; # Number of database checks per day
scanner = {
enable = true;
# 4:00 AM
interval = "*-*-* 04:00:00";
scanDirectories = [
"/home"
"/var/lib"
"/tmp"
"/etc"
"/var/tmp"
];
};
};
}
)
];
};
}

87
modules/features/security/security-ssh-client.nix Normal file
View file

@ -0,0 +1,87 @@
{ ... }:
{
config.dendritic.features.security-ssh-client = {
nixosModules = [
(
{ ... }:
{
programs.ssh = {
# disable unnecessary forwardings
forwardX11 = false;
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
];
macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
kexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
extraConfig = "
# disable unnecessary forwardings
ForwardAgent no
ForwardX11Trusted no
GatewayPorts no
Tunnel no
# disable unnecessary authentication methods
ChallengeResponseAuthentication no
HostbasedAuthentication no
# define authentication methods to be used
PasswordAuthentication yes
PubkeyAuthentication yes
PreferredAuthentications publickey,password
# disable pre-connection compression as it could cause security issues
Compression no
# in addition to checking a host's hostname, also check the host's IP address
# this provides extra safety against DNS spoofing attacks
CheckHostIP yes
# ask the user if the user wants to accept the new host's host key
StrictHostKeyChecking ask
# hash the entries in the known_hosts file to prevent disclosure
# of the file's content
HashKnownHosts yes
# send a keepalive message to the server when the session has been idle for 60 seconds
# this prevents/detects connection timeouts
ServerAliveInterval 60
# increase the number of password retries
NumberOfPasswordPrompts 5
# display an ASCII art of the server's host key
VisualHostKey yes
";
};
}
)
];
};
}

177
modules/features/security/security-ssh.nix Normal file
View file

@ -0,0 +1,177 @@
{ ... }:
{
config.dendritic.features = {
security-ssh-server-hardening.nixosModules = [
(
{ config, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
# ignoreIP = [
# "172.16.0.0/12"
# "192.168.0.0/16"
# "2601:881:8100:8de0:31e6:ac52:b5be:462a"
# "matrix.org"
# "app.element.io" # don't ratelimit matrix users
# ];
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
# https://www.ssh-audit.com/hardening_guides.html
# https://github.com/jtesta/ssh-audit
services.openssh = {
enable = true;
settings = {
########## Features ##########
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding = false;
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding = true;
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding = false;
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding = false;
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts = "no";
# prevent tun device forwarding
PermitTunnel = false;
# suppress MOTD
PrintMotd = false;
# disable X11 forwarding since it is not necessary
X11Forwarding = false;
########## Authentication ##########
# AllowUsers = ["${user}"];
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
HostbasedAuthentication = false;
# enable pubkey authentication
PubkeyAuthentication = true;
# Forbid root login through SSH.
PermitRootLogin = "no";
# nix enables pam by default
# UsePAM = false;
# challenge-response authentication backend it not configured by default
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
ChallengeResponseAuthentication = false;
# set maximum authentication retries to prevent brute force attacks
MaxAuthTries = 3;
# disallow connecting using empty passwords
PermitEmptyPasswords = false;
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
Macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
KexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
# hostKeyAlgorithms = [
# "rsa-sha2-512"
# "rsa-sha2-256"
# "ssh-ed25519"
# ];
########## Connection Preferences ##########
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol = 2;
# number of client alive messages sent without client responding
ClientAliveCountMax = 2;
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval = 300;
# compression before encryption might cause security issues
Compression = false;
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts = true;
# log verbosely for addtional information
LogLevel = "VERBOSE";
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions = 2;
# let ClientAliveInterval handle keepalive
TCPKeepAlive = false;
# disable reverse DNS lookups
# UseDNS = false;
};
extraConfig = ''
########## Features ##########
# accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
########## Connection Preferences ##########
# disable reverse DNS lookups
UseDNS no
########## Disable GSS ##########
GSSAPIAuthentication no
'';
};
}
)
];
};
}

24
modules/features/security/security-sudo-rs.nix Normal file
View file

@ -0,0 +1,24 @@
{ ... }:
{
config.dendritic.features.security-sudo-rs = {
nixosModules = [
(
{ config, ... }:
let
user = config.dendritic.current.primaryUser;
in
{
security = {
sudo.enable = false;
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = true;
};
};
}
)
];
};
}

50
modules/features/security/security-usbguard.nix Normal file
View file

@ -0,0 +1,50 @@
{ ... }:
{
config.dendritic.features.security-usbguard = {
nixosModules = [
(
{
config,
pkgs,
lib,
...
}:
let
user = config.dendritic.current.primaryUser;
in
{
services.usbguard = {
enable = true;
IPCAllowedUsers = [
"root"
user
];
# presentDevicePolicy refers to how to treat USB devices
# that are already connected when the daemon starts
presentDevicePolicy = "allow";
rules = lib.mkBefore ''
# allow `only` devices with mass storage interfaces (USB Mass Storage)
allow with-interface equals { 08:*:* }
# allow mice and keyboards
# allow with-interface equals { 03:*:* }
# Reject devices with suspicious combination of interfaces
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
'';
};
environment.systemPackages = with pkgs; [
usbguard
usbguard-notifier
];
}
)
];
};
}

18
modules/features/security/sysctl/security-sysctl-bpf.nix Normal file
View file

@ -0,0 +1,18 @@
# Breaks tracing and perf tools
{ ... }:
{
config.dendritic.features.security-sysctl-bpf = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
"net.core.bpf_jit_harden" = 2;
};
}
)
];
};
}

17
modules/features/security/sysctl/security-sysctl-debug.nix Normal file
View file

@ -0,0 +1,17 @@
# Restricts dmesg
{ ... }:
{
config.dendritic.features.security-sysctl-debug = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
};
}
)
];
};
}

29
modules/features/security/sysctl/security-sysctl-kernel.nix Normal file
View file

@ -0,0 +1,29 @@
{ ... }:
{
config.dendritic.features.security-sysctl-kernel = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 4;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
};
}
)
];
};
}

54
modules/features/security/sysctl/security-sysctl-network.nix Normal file
View file

@ -0,0 +1,54 @@
{ ... }:
{
config.dendritic.features.security-sysctl-network = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Disable TCP SACK
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
};
}
)
];
};
}

16
modules/features/security/sysctl/security-sysctl-ptrace.nix Normal file
View file

@ -0,0 +1,16 @@
# Breaks Debuggers
{ ... }:
{
config.dendritic.features.security-sysctl-ptrace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = 2;
};
}
)
];
};
}

12
modules/features/security/sysctl/security-sysctl-strict.nix Normal file
View file

@ -0,0 +1,12 @@
# Enable on server not dev machines
{ ... }:
{
config.dendritic.features.security-sysctl-strict = {
features = [
"security-sysctl-ptrace"
"security-sysctl-bpf"
"security-sysctl-debug"
"security-sysctl-userns"
];
};
}

16
modules/features/security/sysctl/security-sysctl-userns.nix Normal file
View file

@ -0,0 +1,16 @@
# Can break containers and flatpaks
{ ... }:
{
config.dendritic.features.security-sysctl-userns = {
nixosModules = [
(
{ lib, ... }:
{
boot.kernel.sysctl = lib.mkForce {
"kernel.unprivileged_userns_clone" = 0;
};
}
)
];
};
}

35
modules/features/security/sysctl/security-sysctl-userspace.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
config.dendritic.features.security-sysctl-userspace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# 0 breaks browsers
"kernel.unprivileged_userns_clone" = 1;
"vm.mmap_min_addr" = 65536;
"vm.swappiness" = 10;
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
};
}
)
];
};
}

21
modules/features/security/sysctl/security-sysctl.nix Normal file
View file

@ -0,0 +1,21 @@
{ ... }:
{
config.dendritic.features.security-sysctl = {
features = [
"security-sysctl-kernel"
"security-sysctl-network"
"security-sysctl-userspace"
];
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.kernel-hardening-checker ];
}
)
];
};
}

46
modules/features/security/systemd/security-systemd-ask-password-console.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-console = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-console.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

46
modules/features/security/systemd/security-systemd-ask-password-wall.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-wall = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-wall.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

51
modules/features/security/systemd/security-systemd-auditd.nix Normal file
View file

@ -0,0 +1,51 @@
{ ... }:
{
config.dendritic.features.security-systemd-auditd = {
nixosModules = [
(
{ ... }:
{
systemd.services.auditd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
ProtectClock = true;
PrivateTmp = true;
PrivateNetwork = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@clock"
"~@module"
"~@mount"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

28
modules/features/security/systemd/security-systemd-bluetooth.nix Normal file
View file

@ -0,0 +1,28 @@
{ ... }:
{
config.dendritic.features.security-systemd-bluetooth = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.bluetooth.serviceConfig = lib.mkForce {
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@swap"
"~@reboot"
"~@mount"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

50
modules/features/security/systemd/security-systemd-dbus.nix Normal file
View file

@ -0,0 +1,50 @@
{ ... }:
{
config.dendritic.features.security-systemd-dbus = {
nixosModules = [
(
{ ... }:
{
systemd.services.dbus.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
PrivateMounts = true;
PrivateDevices = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@resources"
"~@debug"
"~@mount"
"~@reboot"
"~@swap"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}

49
modules/features/security/systemd/security-systemd-getty.nix Normal file
View file

@ -0,0 +1,49 @@
{ ... }:
{
config.dendritic.features.security-systemd-getty = {
nixosModules = [
(
{ ... }:
{
systemd.services."getty@".serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
PrivateMounts = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@clock"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
UMask = 0077;
};
}
)
];
};
}

18
modules/features/security/systemd/security-systemd-journald.nix Normal file
View file

@ -0,0 +1,18 @@
{ ... }:
{
config.dendritic.features.security-systemd-journald = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-journald.serviceConfig = {
NoNewPrivileges = true;
ProtectProc = "invisible";
ProtectHostname = true;
PrivateMounts = true;
};
}
)
];
};
}

33
modules/features/security/systemd/security-systemd-machined.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
config.dendritic.features.security-systemd-machined = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-machined.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateUsers = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [ "AF_UNIX" ];
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
};
}
)
];
};
}

38
modules/features/security/systemd/security-systemd-ncsd.nix Normal file
View file

@ -0,0 +1,38 @@
{ ... }:
{
config.dendritic.features.security-systemd-ncsd = {
nixosModules = [
(
{ ... }:
{
systemd.services.nscd.serviceConfig = {
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
RestrictRealtime = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@mount"
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

47
modules/features/security/systemd/security-systemd-networkmanager-dispatcher.nix Normal file
View file

@ -0,0 +1,47 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager-dispatcher = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager-dispatcher.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-networkmanager.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager.serviceConfig = {
NoNewPrivileges = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
};
}
)
];
};
}

68
modules/features/security/systemd/security-systemd-nix-daemon.nix Normal file
View file

@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-nix-daemon = {
nixosModules = [
(
{ ... }:
{
systemd.services.nix-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateDevices = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [ "~cgroup" ];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET6"
"AF_INET"
];
CapabilityBoundingSet = [
"~CAP_SYS_CHROOT"
"~CAP_BPF"
"~CAP_AUDIT_WRITE"
"~CAP_AUDIT_CONTROL"
"~CAP_AUDIT_READ"
"~CAP_SYS_PTRACE"
"~CAP_SYS_NICE"
"~CAP_SYS_RESOURCE"
"~CAP_SYS_RAWIO"
"~CAP_SYS_TIME"
"~CAP_SYS_PACCT"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_WAKE_ALARM"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_LEASE"
"~CAP_BLOCK_SUSPEND"
"~CAP_MAC_ADMIN"
"~CAP_MAC_OVERRIDE"
];
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@resources"
"~@module"
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@cpu-emulation"
"~@clock"
"~@raw-io"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-reload-systemd-vconsole-setup.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-reload-vconsole = {
nixosModules = [
(
{ ... }:
{
systemd.services.reload-systemd-vconsole-setup.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

48
modules/features/security/systemd/security-systemd-rescue.nix Normal file
View file

@ -0,0 +1,48 @@
{ ... }:
{
config.dendritic.features.security-systemd-rescue = {
nixosModules = [
(
{ ... }:
{
systemd.services.rescue.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
"~@resources"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-rtkit.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-rtkit = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.rtkit-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

42
modules/features/security/systemd/security-systemd-sshd.nix Normal file
View file

@ -0,0 +1,42 @@
{ ... }:
{
config.dendritic.features.security-systemd-sshd = {
nixosModules = [
(
{ ... }:
{
systemd.services.sshd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
DevicePolicy = "closed";
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

23
modules/features/security/systemd/security-systemd-udevd.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }:
{
config.dendritic.features.security-systemd-udevd = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-udevd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
CapabilityBoundingSet = "~CAP_SYS_PTRACE ~CAP_SYS_PACCT";
};
}
)
];
};
}

41
modules/features/security/systemd/security-systemd-user.nix Normal file
View file

@ -0,0 +1,41 @@
{ ... }:
{
config.dendritic.features.security-systemd-user = {
nixosModules = [
(
{ ... }:
{
systemd.services."user@".serviceConfig = {
ProtectSystem = "strict";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_BLUETOOTH"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@debug"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

58
modules/features/security/systemd/security-systemd.nix Normal file
View file

@ -0,0 +1,58 @@
{ ... }:
{
config.dendritic.features.security-systemd = {
features = [
"security-systemd-ask-password-console"
"security-systemd-ask-password-wall"
"security-systemd-auditd"
# "security-systemd-dbus" using dbus-broker
"security-systemd-display-manager"
# "security-systemd-getty"
"security-systemd-journald"
"security-systemd-machined"
"security-systemd-ncsd"
"security-systemd-networkmanager"
"security-systemd-networkmanager-dispatcher"
"security-systemd-nix-daemon"
"security-systemd-reload-vconsole"
"security-systemd-rescue"
"security-systemd-rtkit"
"security-systemd-sshd"
"security-systemd-udevd"
#"security-systemd-user"
];
nixosModules = [
(
{ lib, ... }:
{
services = {
# mDNS/DNS-SD
avahi.enable = false;
# Geoclue (location services)
geoclue2.enable = false;
# udisks2.enable = false;
# accounts-daemon.enable = lib.mkDefault false;
};
# Only needed for WWAN/3G/4G modems, otherwise it runs `mmcli` unnecessarily
networking.modemmanager.enable = false;
# Bluetooth has a long history of vulnerabilities
hardware.bluetooth.enable = false;
# Prefer manual upgrades on a hardened system
system.autoUpgrade.enable = false;
systemd.coredump.enable = false;
# ➡️ Sets the kernel's resource limit (ulimit -c 0)
security.pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
}
)
];
};
}

68
modules/features/security/systemd/services-systemd-display-manager.nix Normal file
View file

@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-display-manager = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.display-manager.serviceConfig = {
ProtectSystem = "full";
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateIPC = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [
"~cgroup"
];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
];
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@clock"
"~@swap"
"~@module"
"~@reboot"
"~@raw-io"
"~@debug"
];
SystemCallArchitectures = "native";
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
CapabilityBoundingSet = [
"CAP_SYS_ADMIN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SETPCAP"
"CAP_KILL"
"CAP_SYS_TTY_CONFIG"
"CAP_DAC_OVERRIDE"
"CAP_DAC_READ_SEARCH"
"CAP_FOWNER"
"CAP_IPC_OWNER"
"CAP_FSETID"
"CAP_SETFCAP"
"CAP_CHOWN"
];
DeviceAllow = "/dev/tty7 rw";
DevicePolicy = "closed";
UMask = 0077;
LogLevelMax = "debug";
KeyringMode = lib.mkForce "private";
};
}
)
];
};
}