some security updates

hosts/configuration.nix

@@ -72,6 +72,7 @@
       usbutils
       wget
       lsof
+      firefox
     ];
   };
 
@@ -85,8 +86,6 @@
   programs.hyprland.enable = true;
   # List services that you want to enable:
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
   services.pipewire = {
     # Sound
     enable = true;
@@ -107,11 +106,36 @@
 
   nix.settings.auto-optimise-store = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
+  # enable firewall and block all ports
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ ];
+  networking.firewall.allowedUDPPorts = [ ];
+
+  # only members of wheel can interact with the nix daemon
+  nix.settings.allowed-users = [ "@wheel" ];
+  security.sudo.execWheelOnly = true;
+
+  programs.firejail = {
+    enable = true;
+    wrappedBinaries = {
+      firefox = {
+        executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+        profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+        extraArgs = [
+          # Required for U2F USB stick
+          "--ignore=private-dev"
+          # Enable system notifications
+          "--dbus-user.talk=org.freedesktop.Notifications"
+        ];
+      };
+    };
+  };
+
+
+  # enable antivirus clamav and
+  # keep the signatures' database updated
+  services.clamav.daemon.enable = true;
+  services.clamav.updater.enable = true;
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions

hosts/home.nix

@@ -89,7 +89,7 @@
 
       # Apps
       appimage-run # Runs AppImages on NixOS
-      firefox # Browser
+      #firefox # Browser
       google-chrome # Browser
       remmina # XRDP & VNC Client
       anki

hosts/thinkpad/auditd.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  security.auditd.enable = true;
+  security.audit.enable = true;
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve"
+  ];
+}

hosts/thinkpad/default.nix

@@ -5,9 +5,13 @@
     [ (import ./hardware-configuration.nix) ] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
     (import ../../modules/desktop/virtualisation/default.nix) ++
     (import ../../modules/hardware/default.nix) ++
+    #    (import ./auditd.nix) ++
+    [ (import ./sysctl.nix) ] ++
+    [ (import ./kernel.nix) ] ++
+    [ (import ./auditd.nix) ] ++
+    [ (import ./openssh.nix) ] ++
     [ (import ../../modules/desktop/hyprland/default.nix) ]; # Window Manager
 
-
   hardware.sane = {
     # Used for scanning with Xsane
     enable = true;
@@ -34,6 +38,8 @@
     tailscale.enable = true;
   };
 
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
   #temporary bluetooth fix
   systemd.tmpfiles.rules = [
     "d /var/lib/bluetooth 700 root root - -"

hosts/thinkpad/kernel.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, stdenv, ... }:
+
+{
+  boot.kernelPackages = pkgs.linuxPackages_hardened;
+  boot.kernelParams = [
+    # Disable slab merging to prevent heap exploitation
+    "slab_nomerge"
+    # Enable zeroing memory during allocation and free time
+    "init_on_alloc=1"
+    "init_on_free=1"
+    # Randomize page allocator freelists
+    "page_alloc.shuffle=1"
+    # Mitigations
+    "pti=on"
+
+    "vsyscall=none"
+    "debugfs=off"
+    "oops=panic"
+
+    # Enable lockdown LSM
+    "lockdown=confidentiality"
+  ];
+
+}

hosts/thinkpad/openssh.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      challengeResponseAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+}

hosts/thinkpad/sysctl.nix

@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+{
+  boot.kernel.sysctl = {
+    # Restrict kernel pointers
+    "kernel.kptr_restrict" = 2;
+
+    "kernel.dmesg_restrict" = 1;
+
+    # Restrict eBPF
+    "kernel.unprivileged_bpf_disabled" = 1;
+
+    # Harden JIT
+    "net.core.bpf_jit_harden" = 2;
+
+    "dev.tty.ldisc_autoload" = 0;
+    "vm.unprivileged_userfaultfd" = 0;
+
+    # Disable loading other kernels at runtime
+    "kernel.kexec_load_disabled" = 1;
+
+    # Disable SysRq key for non-users (can be used in remote exploits)
+    "kernel.sysrq" = 4;
+
+    "kernel.perf_event_paranoid" = 3;
+    "kernel.unprivileged_userns_clone" = 1;
+
+    ## NETWORK
+
+    # SYN flood attack prevention
+    "net.ipv4.tcp_syncookies" = 1;
+
+    # Prevent IP spoofing
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+
+    # MITM attack prevention (disable redirect acceptance)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+
+    # Clock fingerprinting prevention (disabled ICMP requests)
+    "net.ipv4.icmp_echo_ignore_all" = 1;
+
+    # Restrict ptrace usage
+    "kernel.yama.ptrace_scope" = 2;
+
+    # ASLR exploit mitigation
+    "vm.mmap_rnd_bits" = 32;
+    "vm.mmap_rnd_compat_bits" = 16;
+
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+  };
+}

modules/programs/alacritty.nix

@@ -50,7 +50,7 @@
         family = "MonoLisa";
         style = "Bold Italic";
       };
-      size = 14;
+      size = 12;
       #bold_italic = {};
     };
   };

modules/shell/zsh/home.nix

@@ -51,7 +51,7 @@
       clock = "sudo ntpd -gq";
       octal = "stat -c '%a %n'";
 
-      v = "nix run ~/Projects/nvim-flake --";
+      v = "nix run ~/Projects/nixvim --";
       lvim = "/home/glen/.local/bin/lvim";
 
     };