diff --git a/home/alex/programs/emacs/doom/config.el b/home/alex/programs/emacs/doom/config.el
index c2bf3df..7422ddc 100644
--- a/home/alex/programs/emacs/doom/config.el
+++ b/home/alex/programs/emacs/doom/config.el
@@ -118,21 +118,6 @@
 (after! lsp-haskell (setq lsp-haskell-formatting-provider "fourmolu"))
-;; will define elisp functions for the given lsp code actions, prefixing the
-;; given function names with "lsp"
-(lsp-make-interactive-code-action wingman-fill-hole "refactor.wingman.fillHole")
-(lsp-make-interactive-code-action wingman-case-split "refactor.wingman.caseSplit")
-(lsp-make-interactive-code-action wingman-refine "refactor.wingman.refine")
-(lsp-make-interactive-code-action wingman-split-func-args "refactor.wingman.spltFuncArgs")
-(lsp-make-interactive-code-action wingman-use-constructor "refactor.wingman.useConstructor")
-
-;; example key bindings
-;; (define-key haskell-mode-map (kbd "C-c d") #'lsp-wingman-case-split)
-;; (define-key haskell-mode-map (kbd "C-c n") #'lsp-wingman-fill-hole)
-;; (define-key haskell-mode-map (kbd "C-c r") #'lsp-wingman-refine)
-;; (define-key haskell-mode-map (kbd "C-c c") #'lsp-wingman-use-constructor)
-;; (define-key haskell-mode-map (kbd "C-c a") #'lsp-wingman-split-func-args)
-
 ;; tweak some VI defaults
 (after! evil (setq evil-ex-substitute-global t ; I like my s/../.. to by global by default
diff --git a/home/alex/programs/git/default.nix b/home/alex/programs/git/default.nix
index b106d5a..21f6fc9 100644
--- a/home/alex/programs/git/default.nix
+++ b/home/alex/programs/git/default.nix
@@ -13,13 +13,6 @@
     # TODO create option for my own account meta data
     userEmail = "me@failco.de";
     userName = "Alexander Kobjolke";
-
-    extraConfig = {
-      pull = { rebase = true; };
-      merge = { conflictstyle = "diff3"; };
-      submodule = { recurse = true; };
-    };
-
     aliases = {
       a = "add";
       c = "commit";
diff --git a/modules/hardening.nix b/modules/hardening.nix
deleted file mode 100644
index 1a63353..0000000
--- a/modules/hardening.nix
+++ /dev/null
@@ -1,752 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  systemd.services.systemd-rfkill = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.syslog = {
-    serviceConfig = {
-      PrivateNetwork = true;
-      CapabilityBoundingSet =
-        [ "CAP_DAC_READ_SEARCH" "CAP_SYSLOG" "CAP_NET_BIND_SERVICE" ];
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      ProtectClock = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      PrivateMounts = true;
-      SystemCallArchitectures = "native";
-      MemoryDenyWriteExecute = true;
-      LockPersonality = true;
-      ProtectKernelTunables = true;
-      RestrictRealtime = true;
-      PrivateUsers = true;
-      PrivateTmp = true;
-      UMask = "0077";
-      RestrictNamespace = true;
-      ProtectProc = "invisible";
-      ProtectHome = true;
-      DeviceAllow = false;
-      ProtectSystem = "full";
-    };
-  };
-
-  systemd.services.systemd-journald = {
-    serviceConfig = {
-      UMask = 77;
-      PrivateNetwork = true;
-      ProtectHostname = true;
-      ProtectKernelModules = true;
-    };
-  };
-  systemd.services.auto-cpufreq = {
-    serviceConfig = {
-      CapabilityBoundingSet = "";
-      ProtectSystem = "full";
-      ProtectHome = true;
-      PrivateNetwork = true;
-      IPAddressDeny = "any";
-      NoNewPrivileges = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectHostname = false;
-      MemoryDenyWriteExecute = true;
-      ProtectClock = true;
-      RestrictNamespaces = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectProc = true;
-      ReadOnlyPaths = [ "/" ];
-      InaccessiblePaths = [ "/home" "/root" "/proc" ];
-      SystemCallFilter = [ "@system-service" ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-    };
-  };
-  systemd.services.NetworkManager-dispatcher = {
-    serviceConfig = {
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateUsers = true;
-      PrivateDevices = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET";
-      RestrictNamespaces = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.display-manager = {
-    serviceConfig = {
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true; # so we won't need all of this
-    };
-  };
-  systemd.services.emergency = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # Might need adjustment for emergency access
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET";
-      RestrictNamespaces = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services."getty@tty1" = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true;
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET";
-      RestrictNamespaces = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services."getty@tty7" = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true;
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET";
-      RestrictNamespaces = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.NetworkManager = {
-    serviceConfig = {
-      NoNewPrivileges = true;
-      ProtectClock = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      ProtectKernelModules = true;
-      SystemCallArchitectures = "native";
-      MemoryDenyWriteExecute = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      RestrictNamespaces = true;
-      ProtectKernelTunables = true;
-      ProtectHome = true;
-      PrivateTmp = true;
-      UMask = "0077";
-    };
-  };
-  systemd.services."nixos-rebuild-switch-to-configuration" = {
-    serviceConfig = {
-      ProtectHome = true;
-      NoNewPrivileges = true; # Prevent gaining new privileges
-    };
-  };
-  systemd.services."dbus" = {
-    serviceConfig = {
-      PrivateTmp = true;
-      PrivateNetwork = true;
-      ProtectSystem = "full";
-      ProtectHome = true;
-      SystemCallFilter =
-        "~@clock @cpu-emulation @module @mount @obsolete @raw-io @reboot @swap";
-      ProtectKernelTunables = true;
-      NoNewPrivileges = true;
-      CapabilityBoundingSet = [
-        "~CAP_SYS_TIME"
-        "~CAP_SYS_PACCT"
-        "~CAP_KILL"
-        "~CAP_WAKE_ALARM"
-        "~CAP_SYS_BOOT"
-        "~CAP_SYS_CHROOT"
-        "~CAP_LEASE"
-        "~CAP_MKNOD"
-        "~CAP_NET_ADMIN"
-        "~CAP_SYS_ADMIN"
-        "~CAP_SYSLOG"
-        "~CAP_NET_BIND_SERVICE"
-        "~CAP_NET_BROADCAST"
-        "~CAP_AUDIT_WRITE"
-        "~CAP_AUDIT_CONTROL"
-        "~CAP_SYS_RAWIO"
-        "~CAP_SYS_NICE"
-        "~CAP_SYS_RESOURCE"
-        "~CAP_SYS_TTY_CONFIG"
-        "~CAP_SYS_MODULE"
-        "~CAP_IPC_LOCK"
-        "~CAP_LINUX_IMMUTABLE"
-        "~CAP_BLOCK_SUSPEND"
-        "~CAP_MAC_*"
-        "~CAP_DAC_*"
-        "~CAP_FOWNER"
-        "~CAP_IPC_OWNER"
-        "~CAP_SYS_PTRACE"
-        "~CAP_SETUID"
-        "~CAP_SETGID"
-        "~CAP_SETPCAP"
-        "~CAP_FSETID"
-        "~CAP_SETFCAP"
-        "~CAP_CHOWN"
-      ];
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      RestrictNamespaces = true;
-      MemoryDenyWriteExecute = true;
-      RestrictAddressFamilies = [ "~AF_PACKET" "~AF_NETLINK" ];
-      ProtectHostname = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      PrivateUsers = true;
-    };
-  };
-  systemd.services.nix-daemon = {
-    serviceConfig = {
-      ProtectHome = true;
-      PrivateUsers = false;
-    };
-  };
-  systemd.services.reload-systemd-vconsole-setup = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      PrivateUsers = true;
-      PrivateDevices = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictNamespaces = true;
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.rescue = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # Might need adjustment for rescue operations
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies =
-        "AF_INET AF_INET6"; # Networking might be necessary in rescue mode
-      RestrictNamespaces = true;
-      SystemCallFilter = [
-        "write"
-        "read"
-        "openat"
-        "close"
-        "brk"
-        "fstat"
-        "lseek"
-        "mmap"
-        "mprotect"
-        "munmap"
-        "rt_sigaction"
-        "rt_sigprocmask"
-        "ioctl"
-        "nanosleep"
-        "select"
-        "access"
-        "execve"
-        "getuid"
-        "arch_prctl"
-        "set_tid_address"
-        "set_robust_list"
-        "prlimit64"
-        "pread64"
-        "getrandom"
-      ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny =
-        "any"; # May need to be relaxed for network troubleshooting in rescue mode
-    };
-  };
-  systemd.services."systemd-ask-password-console" = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # May need adjustment for console access
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET AF_INET6";
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services."systemd-ask-password-wall" = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true;
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET AF_INET6";
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # A more permissive filter
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.thermald = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true; # Necessary for adjusting cooling policies
-      ProtectKernelModules = true; # May need adjustment for module control
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # May require access to specific hardware devices
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      CapabilityBoundingSet = "";
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ];
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-      DeviceAllow = [ ];
-      RestrictAddressFamilies = [ ];
-    };
-  };
-  systemd.services."user@1000" = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true; # Be cautious, as this may restrict user operations
-      PrivateDevices = true;
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET AF_INET6";
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # Adjust based on user needs
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any";
-    };
-  };
-  systemd.services.virtlockd = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # May need adjustment for accessing VM resources
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET AF_INET6";
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # Adjust as necessary
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any"; # May need adjustment for network operations
-    };
-  };
-  systemd.services.virtlogd = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers = true;
-      PrivateDevices = true; # May need adjustment for accessing VM logs
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies = "AF_INET AF_INET6";
-      RestrictNamespaces = true;
-      SystemCallFilter =
-        [ "@system-service" ]; # Adjust based on log management needs
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny =
-        "any"; # May need to be relaxed for network-based log collection
-    };
-  };
-  systemd.services.virtlxcd = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true; # Necessary for container management
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers =
-        true; # Be cautious, might need adjustment for container user management
-      PrivateDevices = true; # Containers might require broader device access
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies =
-        "AF_INET AF_INET6"; # Necessary for networked containers
-      RestrictNamespaces = true;
-      SystemCallFilter =
-        [ "@system-service" ]; # Adjust based on container operations
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any"; # May need to be relaxed for network functionality
-    };
-  };
-  systemd.services.virtqemud = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true; # Necessary for VM management
-      ProtectKernelModules =
-        true; # May need adjustment for VM hardware emulation
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers =
-        true; # Be cautious, might need adjustment for VM user management
-      PrivateDevices = true; # VMs might require broader device access
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies =
-        "AF_INET AF_INET6"; # Necessary for networked VMs
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any"; # May need to be relaxed for network functionality
-    };
-  };
-  systemd.services.virtvboxd = {
-    serviceConfig = {
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectKernelTunables = true; # Required for some VM management tasks
-      ProtectKernelModules = true; # May need adjustment for module handling
-      ProtectControlGroups = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      PrivateTmp = true;
-      PrivateUsers =
-        true; # Be cautious, might need adjustment for VM user management
-      PrivateDevices = true; # VMs may require access to certain devices
-      PrivateIPC = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      LockPersonality = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RestrictAddressFamilies =
-        "AF_INET AF_INET6"; # Necessary for networked VMs
-      RestrictNamespaces = true;
-      SystemCallFilter = [ "@system-service" ]; # Adjust based on VM operations
-      SystemCallArchitectures = "native";
-      UMask = "0077";
-      IPAddressDeny = "any"; # May need to be relaxed for network functionality
-    };
-  };
-}