jakalx/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: jakalx:04bf11aeaa98b0a2226e9140048ef5d9894bd38f
Branches Tags
jakalx:main
jakalx:develop
jakalx:feature/hledger-web-module
...
compare: jakalx:48edcdcb376a28d0d24be3e8850dd4436ea99de7
Branches Tags
jakalx:develop
jakalx:main
jakalx:feature/hledger-web-module

3 commits
04bf11aeaa ... 48edcdcb37

Author SHA1 Message Date
Alexander Kobjolke
48edcdcb37 git: Add extra config 
- pull via rebase by default
- use three-way-diff
- recurse into submodules
 2024-02-21 16:21:33 +01:00
Alexander Kobjolke
737c593a35 modules: Add hardening configuration 2024-02-20 23:17:44 +01:00
Alexander Kobjolke
96955c8053 emacs: Add support for haskell wingman 2024-02-20 23:17:44 +01:00
3 changed files with 774 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
home/alex/programs/emacs/doom/config.el
View file

@ -118,6 +118,21 @@
(after! lsp-haskell
(setq lsp-haskell-formatting-provider "fourmolu"))
;; will define elisp functions for the given lsp code actions, prefixing the
;; given function names with "lsp"
(lsp-make-interactive-code-action wingman-fill-hole "refactor.wingman.fillHole")
(lsp-make-interactive-code-action wingman-case-split "refactor.wingman.caseSplit")
(lsp-make-interactive-code-action wingman-refine "refactor.wingman.refine")
(lsp-make-interactive-code-action wingman-split-func-args "refactor.wingman.spltFuncArgs")
(lsp-make-interactive-code-action wingman-use-constructor "refactor.wingman.useConstructor")
;; example key bindings
;; (define-key haskell-mode-map (kbd "C-c d") #'lsp-wingman-case-split)
;; (define-key haskell-mode-map (kbd "C-c n") #'lsp-wingman-fill-hole)
;; (define-key haskell-mode-map (kbd "C-c r") #'lsp-wingman-refine)
;; (define-key haskell-mode-map (kbd "C-c c") #'lsp-wingman-use-constructor)
;; (define-key haskell-mode-map (kbd "C-c a") #'lsp-wingman-split-func-args)
;; tweak some VI defaults
(after! evil
(setq evil-ex-substitute-global t ; I like my s/../.. to by global by default

7
home/alex/programs/git/default.nix
View file

@ -13,6 +13,13 @@
# TODO create option for my own account meta data
userEmail = "me@failco.de";
userName = "Alexander Kobjolke";
extraConfig = {
pull = { rebase = true; };
merge = { conflictstyle = "diff3"; };
submodule = { recurse = true; };
};
aliases = {
a = "add";
c = "commit";

752
modules/hardening.nix Normal file
View file

@ -0,0 +1,752 @@
{ config, lib, pkgs, ... }: {
systemd.services.systemd-rfkill = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.syslog = {
serviceConfig = {
PrivateNetwork = true;
CapabilityBoundingSet =
[ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
PrivateMounts = true;
SystemCallArchitectures = "native";
MemoryDenyWriteExecute = true;
LockPersonality = true;
ProtectKernelTunables = true;
RestrictRealtime = true;
PrivateUsers = true;
PrivateTmp = true;
UMask = "0077";
RestrictNamespace = true;
ProtectProc = "invisible";
ProtectHome = true;
DeviceAllow = false;
ProtectSystem = "full";
};
};
systemd.services.systemd-journald = {
serviceConfig = {
UMask = 77;
PrivateNetwork = true;
ProtectHostname = true;
ProtectKernelModules = true;
};
};
systemd.services.auto-cpufreq = {
serviceConfig = {
CapabilityBoundingSet = "";
ProtectSystem = "full";
ProtectHome = true;
PrivateNetwork = true;
IPAddressDeny = "any";
NoNewPrivileges = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectHostname = false;
MemoryDenyWriteExecute = true;
ProtectClock = true;
RestrictNamespaces = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectProc = true;
ReadOnlyPaths = [ "/" ];
InaccessiblePaths = [ "/home" "/root" "/proc" ];
SystemCallFilter = [ "@system-service" ];
SystemCallArchitectures = "native";
UMask = "0077";
};
};
systemd.services.NetworkManager-dispatcher = {
serviceConfig = {
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateUsers = true;
PrivateDevices = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET";
RestrictNamespaces = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.display-manager = {
serviceConfig = {
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true; # so we won't need all of this
};
};
systemd.services.emergency = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # Might need adjustment for emergency access
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET";
RestrictNamespaces = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services."getty@tty1" = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET";
RestrictNamespaces = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services."getty@tty7" = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET";
RestrictNamespaces = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.NetworkManager = {
serviceConfig = {
NoNewPrivileges = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
SystemCallArchitectures = "native";
MemoryDenyWriteExecute = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictNamespaces = true;
ProtectKernelTunables = true;
ProtectHome = true;
PrivateTmp = true;
UMask = "0077";
};
};
systemd.services."nixos-rebuild-switch-to-configuration" = {
serviceConfig = {
ProtectHome = true;
NoNewPrivileges = true; # Prevent gaining new privileges
};
};
systemd.services."dbus" = {
serviceConfig = {
PrivateTmp = true;
PrivateNetwork = true;
ProtectSystem = "full";
ProtectHome = true;
SystemCallFilter =
"~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
ProtectKernelTunables = true;
NoNewPrivileges = true;
CapabilityBoundingSet = [
"~CAP_SYS_TIME"
"~CAP_SYS_PACCT"
"~CAP_KILL"
"~CAP_WAKE_ALARM"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_LEASE"
"~CAP_MKNOD"
"~CAP_NET_ADMIN"
"~CAP_SYS_ADMIN"
"~CAP_SYSLOG"
"~CAP_NET_BIND_SERVICE"
"~CAP_NET_BROADCAST"
"~CAP_AUDIT_WRITE"
"~CAP_AUDIT_CONTROL"
"~CAP_SYS_RAWIO"
"~CAP_SYS_NICE"
"~CAP_SYS_RESOURCE"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_MODULE"
"~CAP_IPC_LOCK"
"~CAP_LINUX_IMMUTABLE"
"~CAP_BLOCK_SUSPEND"
"~CAP_MAC_*"
"~CAP_DAC_*"
"~CAP_FOWNER"
"~CAP_IPC_OWNER"
"~CAP_SYS_PTRACE"
"~CAP_SETUID"
"~CAP_SETGID"
"~CAP_SETPCAP"
"~CAP_FSETID"
"~CAP_SETFCAP"
"~CAP_CHOWN"
];
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectControlGroups = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
ProtectHostname = true;
LockPersonality = true;
RestrictRealtime = true;
PrivateUsers = true;
};
};
systemd.services.nix-daemon = {
serviceConfig = {
ProtectHome = true;
PrivateUsers = false;
};
};
systemd.services.reload-systemd-vconsole-setup = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
PrivateUsers = true;
PrivateDevices = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictNamespaces = true;
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.rescue = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # Might need adjustment for rescue operations
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies =
"AF_INET AF_INET6"; # Networking might be necessary in rescue mode
RestrictNamespaces = true;
SystemCallFilter = [
"write"
"read"
"openat"
"close"
"brk"
"fstat"
"lseek"
"mmap"
"mprotect"
"munmap"
"rt_sigaction"
"rt_sigprocmask"
"ioctl"
"nanosleep"
"select"
"access"
"execve"
"getuid"
"arch_prctl"
"set_tid_address"
"set_robust_list"
"prlimit64"
"pread64"
"getrandom"
];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny =
"any"; # May need to be relaxed for network troubleshooting in rescue mode
};
};
systemd.services."systemd-ask-password-console" = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # May need adjustment for console access
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # A more permissive filter
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services."systemd-ask-password-wall" = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # A more permissive filter
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.thermald = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true; # Necessary for adjusting cooling policies
ProtectKernelModules = true; # May need adjustment for module control
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # May require access to specific hardware devices
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = "";
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ];
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
DeviceAllow = [ ];
RestrictAddressFamilies = [ ];
};
};
systemd.services."user@1000" = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true; # Be cautious, as this may restrict user operations
PrivateDevices = true;
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.virtlockd = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # May need adjustment for accessing VM resources
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any"; # May need adjustment for network operations
};
};
systemd.services.virtlogd = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true; # May need adjustment for accessing VM logs
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = true;
SystemCallFilter =
[ "@system-service" ]; # Adjust based on log management needs
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny =
"any"; # May need to be relaxed for network-based log collection
};
};
systemd.services.virtlxcd = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true; # Necessary for container management
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers =
true; # Be cautious, might need adjustment for container user management
PrivateDevices = true; # Containers might require broader device access
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies =
"AF_INET AF_INET6"; # Necessary for networked containers
RestrictNamespaces = true;
SystemCallFilter =
[ "@system-service" ]; # Adjust based on container operations
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any"; # May need to be relaxed for network functionality
};
};
systemd.services.virtqemud = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true; # Necessary for VM management
ProtectKernelModules =
true; # May need adjustment for VM hardware emulation
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers =
true; # Be cautious, might need adjustment for VM user management
PrivateDevices = true; # VMs might require broader device access
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies =
"AF_INET AF_INET6"; # Necessary for networked VMs
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any"; # May need to be relaxed for network functionality
};
};
systemd.services.virtvboxd = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true; # Required for some VM management tasks
ProtectKernelModules = true; # May need adjustment for module handling
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
PrivateUsers =
true; # Be cautious, might need adjustment for VM user management
PrivateDevices = true; # VMs may require access to certain devices
PrivateIPC = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies =
"AF_INET AF_INET6"; # Necessary for networked VMs
RestrictNamespaces = true;
SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any"; # May need to be relaxed for network functionality
};
};
}