gwg313/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit

Browse source
This commit is contained in:
gwg313 2026-04-15 18:26:05 -04:00
commit ebc1be5217
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
143 changed files with 7721 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

46
modules/features/security/systemd/security-systemd-ask-password-console.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-console = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-console.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

46
modules/features/security/systemd/security-systemd-ask-password-wall.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }:
{
config.dendritic.features.security-systemd-ask-password-wall = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-ask-password-wall.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

51
modules/features/security/systemd/security-systemd-auditd.nix Normal file
View file

@ -0,0 +1,51 @@
{ ... }:
{
config.dendritic.features.security-systemd-auditd = {
nixosModules = [
(
{ ... }:
{
systemd.services.auditd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
ProtectClock = true;
PrivateTmp = true;
PrivateNetwork = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@clock"
"~@module"
"~@mount"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

28
modules/features/security/systemd/security-systemd-bluetooth.nix Normal file
View file

@ -0,0 +1,28 @@
{ ... }:
{
config.dendritic.features.security-systemd-bluetooth = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.bluetooth.serviceConfig = lib.mkForce {
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@swap"
"~@reboot"
"~@mount"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

50
modules/features/security/systemd/security-systemd-dbus.nix Normal file
View file

@ -0,0 +1,50 @@
{ ... }:
{
config.dendritic.features.security-systemd-dbus = {
nixosModules = [
(
{ ... }:
{
systemd.services.dbus.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
PrivateMounts = true;
PrivateDevices = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@resources"
"~@debug"
"~@mount"
"~@reboot"
"~@swap"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}

49
modules/features/security/systemd/security-systemd-getty.nix Normal file
View file

@ -0,0 +1,49 @@
{ ... }:
{
config.dendritic.features.security-systemd-getty = {
nixosModules = [
(
{ ... }:
{
systemd.services."getty@".serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "stric";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
PrivateMounts = true;
PrivateTmp = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@clock"
"~@cpu-emulation"
];
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
MemoryDenyWriteExecute = true;
UMask = 0077;
};
}
)
];
};
}

18
modules/features/security/systemd/security-systemd-journald.nix Normal file
View file

@ -0,0 +1,18 @@
{ ... }:
{
config.dendritic.features.security-systemd-journald = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-journald.serviceConfig = {
NoNewPrivileges = true;
ProtectProc = "invisible";
ProtectHostname = true;
PrivateMounts = true;
};
}
)
];
};
}

33
modules/features/security/systemd/security-systemd-machined.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
config.dendritic.features.security-systemd-machined = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-machined.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateUsers = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [ "AF_UNIX" ];
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
};
}
)
];
};
}

38
modules/features/security/systemd/security-systemd-ncsd.nix Normal file
View file

@ -0,0 +1,38 @@
{ ... }:
{
config.dendritic.features.security-systemd-ncsd = {
nixosModules = [
(
{ ... }:
{
systemd.services.nscd.serviceConfig = {
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
RestrictRealtime = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@mount"
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

47
modules/features/security/systemd/security-systemd-networkmanager-dispatcher.nix Normal file
View file

@ -0,0 +1,47 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager-dispatcher = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager-dispatcher.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-networkmanager.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-networkmanager = {
nixosModules = [
(
{ ... }:
{
systemd.services.NetworkManager.serviceConfig = {
NoNewPrivileges = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
PrivateTmp = true;
RestrictRealtime = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
SystemCallFilter = [
"~@mount"
"~@module"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
"ptrace"
];
SystemCallArchitectures = "native";
LockPersonality = true;
};
}
)
];
};
}

68
modules/features/security/systemd/security-systemd-nix-daemon.nix Normal file
View file

@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-nix-daemon = {
nixosModules = [
(
{ ... }:
{
systemd.services.nix-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateDevices = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [ "~cgroup" ];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET6"
"AF_INET"
];
CapabilityBoundingSet = [
"~CAP_SYS_CHROOT"
"~CAP_BPF"
"~CAP_AUDIT_WRITE"
"~CAP_AUDIT_CONTROL"
"~CAP_AUDIT_READ"
"~CAP_SYS_PTRACE"
"~CAP_SYS_NICE"
"~CAP_SYS_RESOURCE"
"~CAP_SYS_RAWIO"
"~CAP_SYS_TIME"
"~CAP_SYS_PACCT"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_WAKE_ALARM"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_LEASE"
"~CAP_BLOCK_SUSPEND"
"~CAP_MAC_ADMIN"
"~CAP_MAC_OVERRIDE"
];
SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@resources"
"~@module"
"~@obsolete"
"~@debug"
"~@reboot"
"~@swap"
"~@cpu-emulation"
"~@clock"
"~@raw-io"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
UMask = 0077;
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-reload-systemd-vconsole-setup.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-reload-vconsole = {
nixosModules = [
(
{ ... }:
{
systemd.services.reload-systemd-vconsole-setup.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

48
modules/features/security/systemd/security-systemd-rescue.nix Normal file
View file

@ -0,0 +1,48 @@
{ ... }:
{
config.dendritic.features.security-systemd-rescue = {
nixosModules = [
(
{ ... }:
{
systemd.services.rescue.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallFilter = [
"~@swap"
"~@clock"
"~@obsolete"
"~@cpu-emulation"
"~@resources"
];
SystemCallArchitectures = "native";
CapabilityBoundingSet = [
"~CAP_CHOWN"
"~CAP_FSETID"
"~CAP_SETFCAP"
];
};
}
)
];
};
}

44
modules/features/security/systemd/security-systemd-rtkit.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }:
{
config.dendritic.features.security-systemd-rtkit = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.rtkit-daemon.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"~AF_INET6"
"~AF_INET"
"~AF_PACKET"
];
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
LockPersonality = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
};
}
)
];
};
}

42
modules/features/security/systemd/security-systemd-sshd.nix Normal file
View file

@ -0,0 +1,42 @@
{ ... }:
{
config.dendritic.features.security-systemd-sshd = {
nixosModules = [
(
{ ... }:
{
systemd.services.sshd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateMounts = true;
PrivateDevices = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
DevicePolicy = "closed";
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@clock"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

23
modules/features/security/systemd/security-systemd-udevd.nix Normal file
View file

@ -0,0 +1,23 @@
{ ... }:
{
config.dendritic.features.security-systemd-udevd = {
nixosModules = [
(
{ ... }:
{
systemd.services.systemd-udevd.serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
CapabilityBoundingSet = "~CAP_SYS_PTRACE ~CAP_SYS_PACCT";
};
}
)
];
};
}

41
modules/features/security/systemd/security-systemd-user.nix Normal file
View file

@ -0,0 +1,41 @@
{ ... }:
{
config.dendritic.features.security-systemd-user = {
nixosModules = [
(
{ ... }:
{
systemd.services."user@".serviceConfig = {
ProtectSystem = "strict";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateNetwork = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_BLUETOOTH"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"~@keyring"
"~@swap"
"~@debug"
"~@module"
"~@obsolete"
"~@cpu-emulation"
];
SystemCallArchitectures = "native";
};
}
)
];
};
}

58
modules/features/security/systemd/security-systemd.nix Normal file
View file

@ -0,0 +1,58 @@
{ ... }:
{
config.dendritic.features.security-systemd = {
features = [
"security-systemd-ask-password-console"
"security-systemd-ask-password-wall"
"security-systemd-auditd"
# "security-systemd-dbus" using dbus-broker
"security-systemd-display-manager"
# "security-systemd-getty"
"security-systemd-journald"
"security-systemd-machined"
"security-systemd-ncsd"
"security-systemd-networkmanager"
"security-systemd-networkmanager-dispatcher"
"security-systemd-nix-daemon"
"security-systemd-reload-vconsole"
"security-systemd-rescue"
"security-systemd-rtkit"
"security-systemd-sshd"
"security-systemd-udevd"
#"security-systemd-user"
];
nixosModules = [
(
{ lib, ... }:
{
services = {
# mDNS/DNS-SD
avahi.enable = false;
# Geoclue (location services)
geoclue2.enable = false;
# udisks2.enable = false;
# accounts-daemon.enable = lib.mkDefault false;
};
# Only needed for WWAN/3G/4G modems, otherwise it runs `mmcli` unnecessarily
networking.modemmanager.enable = false;
# Bluetooth has a long history of vulnerabilities
hardware.bluetooth.enable = false;
# Prefer manual upgrades on a hardened system
system.autoUpgrade.enable = false;
systemd.coredump.enable = false;
# ➡️ Sets the kernel's resource limit (ulimit -c 0)
security.pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
}
)
];
};
}

68
modules/features/security/systemd/services-systemd-display-manager.nix Normal file
View file

@ -0,0 +1,68 @@
{ ... }:
{
config.dendritic.features.security-systemd-display-manager = {
nixosModules = [
(
{ lib, ... }:
{
systemd.services.display-manager.serviceConfig = {
ProtectSystem = "full";
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelModules = true;
PrivateMounts = true;
PrivateIPC = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = [
"~cgroup"
];
RestrictAddressFamilies = [
"AF_UNIX"
"AF_NETLINK"
"AF_INET"
"AF_INET6"
];
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"~@obsolete"
"~@cpu-emulation"
"~@clock"
"~@swap"
"~@module"
"~@reboot"
"~@raw-io"
"~@debug"
];
SystemCallArchitectures = "native";
LockPersonality = true;
IPAddressDeny = [
"0.0.0.0/0"
"::/0"
];
CapabilityBoundingSet = [
"CAP_SYS_ADMIN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SETPCAP"
"CAP_KILL"
"CAP_SYS_TTY_CONFIG"
"CAP_DAC_OVERRIDE"
"CAP_DAC_READ_SEARCH"
"CAP_FOWNER"
"CAP_IPC_OWNER"
"CAP_FSETID"
"CAP_SETFCAP"
"CAP_CHOWN"
];
DeviceAllow = "/dev/tty7 rw";
DevicePolicy = "closed";
UMask = 0077;
LogLevelMax = "debug";
KeyringMode = lib.mkForce "private";
};
}
)
];
};
}