From 1722c0cf66ca61e2d747449e6b5179b8565fbed8 Mon Sep 17 00:00:00 2001 From: Glen Goodwin Date: Thu, 21 Sep 2023 13:50:00 -0400 Subject: [PATCH] some security updates --- hosts/configuration.nix | 38 +++++++++++++++++---- hosts/home.nix | 2 +- hosts/thinkpad/auditd.nix | 8 +++++ hosts/thinkpad/default.nix | 8 ++++- hosts/thinkpad/kernel.nix | 24 ++++++++++++++ hosts/thinkpad/openssh.nix | 11 +++++++ hosts/thinkpad/sysctl.nix | 60 ++++++++++++++++++++++++++++++++++ modules/programs/alacritty.nix | 2 +- modules/shell/zsh/home.nix | 2 +- 9 files changed, 144 insertions(+), 11 deletions(-) create mode 100644 hosts/thinkpad/auditd.nix create mode 100644 hosts/thinkpad/kernel.nix create mode 100644 hosts/thinkpad/openssh.nix create mode 100644 hosts/thinkpad/sysctl.nix diff --git a/hosts/configuration.nix b/hosts/configuration.nix index 1b8a17b..1526758 100644 --- a/hosts/configuration.nix +++ b/hosts/configuration.nix @@ -72,6 +72,7 @@ usbutils wget lsof + firefox ]; }; @@ -85,8 +86,6 @@ programs.hyprland.enable = true; # List services that you want to enable: - # Enable the OpenSSH daemon. - services.openssh.enable = true; services.pipewire = { # Sound enable = true; 
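Review bot: `firefox` is added to `environment.systemPackages` here while the hunk at line 107 of the same file wraps Firefox with firejail, so the unwrapped binary and the wrapper both end up on PATH. On NixOS the wrapper is meant to shadow the package, but nothing next to this line says why the package is listed at all; a comment such as `firefox # unwrapped package; launched through the firejail wrapper below` would record the intent, and `readlink -f "$(command -v firefox)"` on the built system confirms which one actually resolves. The enclosing `environment.systemPackages` list begins before this hunk.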
@@ -107,11 +106,36 @@ nix.settings.auto-optimise-store = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; + # enable firewall and block all ports + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ ]; + networking.firewall.allowedUDPPorts = [ ]; + + # only members of wheel can interact with the nix daemon + nix.settings.allowed-users = [ "@wheel" ]; + security.sudo.execWheelOnly = true; + + programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = { + executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox"; + profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; + extraArgs = [ + # Required for U2F USB stick + "--ignore=private-dev" + # Enable system notifications + "--dbus-user.talk=org.freedesktop.Notifications" + ]; + }; + }; + }; + + + # enable antivirus clamav and + # keep the signatures' database updated + services.clamav.daemon.enable = true; + services.clamav.updater.enable = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/home.nix b/hosts/home.nix index 4bd46cf..6d5cbfe 100644 --- a/hosts/home.nix +++ b/hosts/home.nix @@ -89,7 +89,7 @@ # Apps appimage-run # Runs AppImages on NixOS - firefox # Browser + #firefox # Browser google-chrome # Browser remmina # XRDP & VNC Client anki diff --git a/hosts/thinkpad/auditd.nix b/hosts/thinkpad/auditd.nix new file mode 100644 index 0000000..ddc96b4 --- /dev/null +++ b/hosts/thinkpad/auditd.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + security.auditd.enable = true; + security.audit.enable = true; + security.audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; +} diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 333f67b..60c9b95 100644 --- a/hosts/thinkpad/default.nix 
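Review bot: `services.clamav.daemon.enable` and `services.clamav.updater.enable` start clamd and keep its signatures current, but nothing in this hunk ever hands it a file — there is no scheduled scan and no on-access configuration — so the comment `# enable antivirus clamav` promises more than is in place. Either add the scan job that is supposed to use the daemon or document the gap, e.g. `# clamd only answers scan requests; no scheduled or on-access scan is configured yet`. The comment on `nix.settings.allowed-users` also overstates slightly: `allowed-users` only limits who may connect to the daemon, while elevated control over daemon settings is governed by `trusted-users`, which this hunk leaves untouched; `# only members of wheel may use the nix daemon` is the accurate wording.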
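Review bot: The single audit rule `-a exit,always -F arch=b64 -S execve` records only the 64-bit `execve` syscall, so executions through the 32-bit syscall ABI and through `execveat` are never logged; a rule set meant to capture process execution normally carries `-a exit,always -F arch=b64 -S execve,execveat` together with `-a exit,always -F arch=b32 -S execve,execveat`. Logging every execution is also high-volume, so a comment such as `# log every process execution; expect large audit logs and size the backlog accordingly` would help whoever next tunes log rotation.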
+++ b/hosts/thinkpad/default.nix @@ -5,9 +5,13 @@ [ (import ./hardware-configuration.nix) ] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix (import ../../modules/desktop/virtualisation/default.nix) ++ (import ../../modules/hardware/default.nix) ++ + # (import ./auditd.nix) ++ + [ (import ./sysctl.nix) ] ++ + [ (import ./kernel.nix) ] ++ + [ (import ./auditd.nix) ] ++ + [ (import ./openssh.nix) ] ++ [ (import ../../modules/desktop/hyprland/default.nix) ]; # Window Manager - hardware.sane = { # Used for scanning with Xsane enable = true; @@ -34,6 +38,8 @@ tailscale.enable = true; }; + networking.firewall.trustedInterfaces = [ "tailscale0" ]; + #temporary bluetooth fix systemd.tmpfiles.rules = [ "d /var/lib/bluetooth 700 root root - -" diff --git a/hosts/thinkpad/kernel.nix b/hosts/thinkpad/kernel.nix new file mode 100644 index 0000000..ce90c0e --- /dev/null +++ b/hosts/thinkpad/kernel.nix @@ -0,0 +1,24 @@ +{ config, pkgs, stdenv, ... }: + +{ + boot.kernelPackages = pkgs.linuxPackages_hardened; + boot.kernelParams = [ + # Disable slab merging to prevent heap exploitation + "slab_nomerge" + # Enable zeroing memory during allocation and free time + "init_on_alloc=1" + "init_on_free=1" + # Randomize page allocator freelists + "page_alloc.shuffle=1" + # Mitigations + "pti=on" + + "vsyscall=none" + "debugfs=off" + "oops=panic" + + # Enable lockdown LSM + "lockdown=confidentiality" + ]; + +} diff --git a/hosts/thinkpad/openssh.nix b/hosts/thinkpad/openssh.nix new file mode 100644 index 0000000..30f6664 --- /dev/null +++ b/hosts/thinkpad/openssh.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + challengeResponseAuthentication = false; + PermitRootLogin = "no"; + }; + }; +} diff --git a/hosts/thinkpad/sysctl.nix b/hosts/thinkpad/sysctl.nix new file mode 100644 index 0000000..3d37630 --- /dev/null +++ b/hosts/thinkpad/sysctl.nix 
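Review bot: The added line `# (import ./auditd.nix) ++` is a commented-out duplicate of the `[ (import ./auditd.nix) ] ++` entry added three lines below it, so it reads like a leftover from testing; drop it rather than leave two copies to diverge. The `imports` list this hunk edits begins before the hunk.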
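Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` switches off all filtering on that interface, so every listening service on the host — including the sshd enabled in `openssh.nix` and anything bound to all addresses — becomes reachable from every node on the tailnet, which is broader than the `# enable firewall and block all ports` intent in configuration.nix. If only SSH over Tailscale is wanted, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` keeps the default-deny posture; otherwise a comment stating that the tailnet is treated as fully trusted would make the decision explicit for the next reader.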
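Review bot: `stdenv` in the module argument pattern `{ config, pkgs, stdenv, ... }:` is not an argument the NixOS module system supplies; it is unused in this file, and any future reference to it would likely fail at evaluation, so the pattern should be `{ pkgs, ... }:` (`config` is unused as well). Separately, `oops=panic` and `lockdown=confidentiality` are the two parameters most likely to surprise the next maintainer — an oops now panics the kernel, and lockdown rejects unsigned modules and raw memory access among other things — so a one-line comment on each naming the trade-off accepted (availability for the former, debuggability for the latter) would be worth adding next to the existing `# Mitigations` and `# Enable lockdown LSM` comments.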
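Review bot: Enabling `services.openssh` here also reopens TCP 22 on every interface, because the NixOS option `services.openssh.openFirewall` defaults to true; that silently undoes the `allowedTCPPorts = [ ]` default-deny set in configuration.nix. If SSH is only meant to be reachable over Tailscale (default.nix trusts `tailscale0`), add `openFirewall = false;` next to `enable = true;`. Also, `challengeResponseAuthentication = false` uses a deprecated keyword (an alias of `KbdInteractiveAuthentication` in current OpenSSH) with a lowercase first letter, while NixOS's typed `settings.KbdInteractiveAuthentication` still defaults to true, so PAM keyboard-interactive password logins may remain possible depending on which directive sshd reads first; replace it with `KbdInteractiveAuthentication = false;`.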
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+{
+ boot.kernel.sysctl = {
+ # Restrict kernel pointers
+ "kernel.kptr_restrict" = 2;
+
+ "kernel.dmesg_restrict" = 1;
+
+ # Restrict eBPF
+ "kernel.unprivileged_bpf_disabled" = 1;
+
+ # Harden JIT
+ "net.core.bpf_jit_harden" = 2;
+
+ "dev.tty.ldisc_autoload" = 0;
+ "vm.unprivileged_userfaultfd" = 0;
+
+ # Disable loading other kernels at runtime
+ "kernel.kexec_load_disabled" = 1;
+
+ # Disable SysRq key for non-users (can be used in remote exploits)
+ "kernel.sysrq" = 4;
+
+ "kernel.perf_event_paranoid" = 3;
+ "kernel.unprivileged_userns_clone" = 1;
+
+ ## NETWORK
+
+ # SYN flood attack prevention
+ "net.ipv4.tcp_syncookies" = 1;
+
+ # Prevent IP spoofing
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+
+ # MITM attack prevention (disable redirect acceptance)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+
+ # Clock fingerprinting prevention (disabled ICMP requests)
+ "net.ipv4.icmp_echo_ignore_all" = 1;
+
+ # Restrict ptrace usage
+ "kernel.yama.ptrace_scope" = 2;
+
+ # ASLR exploit mitigation
+ "vm.mmap_rnd_bits" = 32;
+ "vm.mmap_rnd_compat_bits" = 16;
+
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
+ };
+}
diff --git a/modules/programs/alacritty.nix b/modules/programs/alacritty.nix
index 5818299..f9540a6 100644
--- a/modules/programs/alacritty.nix
+++ b/modules/programs/alacritty.nix
@@ -50,7 +50,7 @@
 family = "MonoLisa";
 style = "Bold Italic";
 };
- size = 14;
+ size = 12;
 #bold_italic = {};
 };
 };
diff --git a/modules/shell/zsh/home.nix b/modules/shell/zsh/home.nix
index 6b09a6c..0ca388a 100644
--- a/modules/shell/zsh/home.nix
+++ b/modules/shell/zsh/home.nix
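Review bot: `"kernel.unprivileged_userns_clone" = 1` is the one setting in this file that loosens rather than tightens: with `linuxPackages_hardened` selected in kernel.nix that knob defaults to 0, and nothing here says which workload needs unprivileged user namespaces, so either add `# re-enables unprivileged user namespaces, needed for <reason>; hardened kernel default is 0` or drop the line. The comment on `"kernel.sysrq" = 4` is also misleading — 4 does not disable SysRq, it restricts it to the keyboard-control functions (SAK/unraw) — so `# SysRq limited to keyboard control (SAK); 0 would disable it entirely` matches the value. Finally, `net.ipv4.icmp_echo_ignore_all` is unrelated to clock fingerprinting (that concerns TCP/ICMP timestamps); `# do not answer ICMP echo (ping)` describes what the line actually does.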
@@ -51,7 +51,7 @@ clock = "sudo ntpd -gq"; octal = "stat -c '%a %n'"; - v = "nix run ~/Projects/nvim-flake --"; + v = "nix run ~/Projects/nixvim --"; lvim = "/home/glen/.local/bin/lvim"; };