From 7a17948e909dacf67dc37dcb7ae351f711dcce4b Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 21:20:19 +0200
Subject: [PATCH 01/15] Limit journal size
---
 system/shared/services/default.nix | 2 ++
 system/shared/services/fstrim.nix | 35 +++++++++++++++++++++++++++++
 system/shared/services/journald.nix | 9 ++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 system/shared/services/fstrim.nix
 create mode 100644 system/shared/services/journald.nix
diff --git a/system/shared/services/default.nix b/system/shared/services/default.nix
index 4a85a49..b0a0fe2 100644
--- a/system/shared/services/default.nix
+++ b/system/shared/services/default.nix
@@ -5,5 +5,7 @@ _: {
 ./logrotate.nix
 ./oomd.nix
 ./thermald.nix
+ ./journald.nix
+ ./fstrim.nix
 ];
 }
diff --git a/system/shared/services/fstrim.nix b/system/shared/services/fstrim.nix
new file mode 100644
index 0000000..01bda11
--- /dev/null
+++ b/system/shared/services/fstrim.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+ inherit (lib.modules) mkIf;
+in {
+ # if lvm is enabled, then tell it to issue discards
+ # (this is good for SSDs and has almost no downsides on HDDs, so
+ # it's a good idea to enable it unconditionally)
+ environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
+ devices {
+ issue_discards = 1
+ }
+ '';
+
+ # discard blocks that are not in use by the filesystem, good for SSDs
+ services.fstrim = {
+ # we may enable this unconditionally across all systems becuase it's performance
+ # impact is negligible on systems without a SSD - which means it's a no-op with
+ # almost no downsides aside from the service firing once per week
+ enable = true;
+
+ # the default value, good enough for average-load systems
+ interval = "weekly";
+ };
+
+ # tweak fstim service to run only when on AC power
+ # and to be nice to other processes
+ # (this is a good idea for any service that runs periodically)
+ systemd.services.fstrim = {
+ unitConfig.ConditionACPower = true;
+
+ serviceConfig = {
+ Nice = 19;
+ IOSchedulingClass = "idle";
+ };
+ };
+}
diff --git a/system/shared/services/journald.nix b/system/shared/services/journald.nix
new file mode 100644
index 0000000..ac97726
--- /dev/null
+++ b/system/shared/services/journald.nix
@@ -0,0 +1,9 @@
+{
+ # Limit systemd journal size, as the default is unlimited and
+ # journals get big really fast
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ RuntimeMaxUse=50M
+ SystemMaxFileSize=50M
+ '';
+}
From 4ea6be120da6bc0d3a3e032ceb2fdd52852c945c Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 22:13:19 +0200
Subject: [PATCH 02/15] Add apparmor
---
 system/shared/default.nix | 1 +
 system/shared/security/apparmor.nix | 60 +++++++++++++++++++++++++++++
 system/shared/security/default.nix | 5 +++
 3 files changed, 66 insertions(+)
 create mode 100644 system/shared/security/apparmor.nix
 create mode 100644 system/shared/security/default.nix
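Review bot: The comments in the fstrim block carry typos that a later reader will take as written: `# we may enable this unconditionally across all systems because its performance` (was `becuase it's`) and `# tweak fstrim service to run only when on AC power` (was `fstim`). The `unitConfig.ConditionACPower = true;` line also deserves a short note, because systemd evaluates that condition as true when no AC connector is known to the kernel, which is the usual case on desktops, so it only ever defers the run on laptops; `# ConditionACPower holds on machines with no AC connector, so this only defers the run on laptops` would make that explicit. The configuration itself looks fine; only the documentation needs attention.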
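Review bot: With `SystemMaxUse=100M` and `SystemMaxFileSize=50M` the persistent journal can hold at most two files, so each rotation discards roughly half of the retained history in one step. A smaller per-file size, e.g. `SystemMaxFileSize=10M`, keeps the same 100M budget but vacuums in finer increments and preserves more of the recent record. It is also worth a line in the comment that this cap bounds everything routed through the journal, including the polkit logging added in patch 04 of this series, which as far as I can tell lands there rather than in auditd's own file.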
diff --git a/system/shared/default.nix b/system/shared/default.nix
index 5ed5a2c..a93ddac 100644
--- a/system/shared/default.nix
+++ b/system/shared/default.nix
@@ -6,6 +6,7 @@ _: {
 ./nix
 ./environment
 ./impermanence
+ ./security
 ./programs.nix
 ./system.nix
 ./network.nix
diff --git a/system/shared/security/apparmor.nix b/system/shared/security/apparmor.nix
new file mode 100644
index 0000000..44cc3c6
--- /dev/null
+++ b/system/shared/security/apparmor.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }: {
+ services.dbus.apparmor = "enabled";
+
+ environment.systemPackages = with pkgs; [
+ apparmor-pam
+ apparmor-utils
+ apparmor-parser
+ apparmor-profiles
+ apparmor-bin-utils
+ apparmor-kernel-patches
+ libapparmor
+ ];
+
+ # apparmor configuration
+ security.apparmor = {
+ enable = true;
+
+ # whether to enable AppArmor cache
+ # in /var/cache/apparmor
+ enableCache = true;
+
+ # whether to kill processes which have an AppArmor profile enabled
+ # but are not confined (AppArmor can only confine new processes)
+ killUnconfinedConfinables = true;
+
+ # packages to be added to AppArmor's include path
+ packages = [pkgs.apparmor-profiles];
+
+ # AppArmor policies
+ policies = [
+ "default_deny" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ profile default_deny /** {}
+ '';
+ };
+
+ "sudo" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${pkgs.sudo}/bin/sudo {
+ file /** rwlkUx
+ }
+ '';
+ };
+
+ "nix" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${config.nix.package}/bin/nix {
+ unconfined
+ }
+ '';
+ };
+ ];
+ };
+}
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
new file mode 100644
index 0000000..df16fb6
--- /dev/null
+++ b/system/shared/security/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./apparmor.nix
+ ];
+}
From c3dda54f90ea7c0fd285695be7a7a09187233539 Mon Sep 17 00:00:00 2001
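Review bot: `policies = [` opens a list, but the entries inside it are attribute bindings (`"default_deny" = { … }`), which does not parse; patch 09 in this series changes it to `policies = {`, so squashing the two would let this commit evaluate on its own. As written every policy has `enable = false`, so the commit turns on the AppArmor service and `services.dbus.apparmor = "enabled"` but confines nothing, and `killUnconfinedConfinables = true` has no profile to act on; a header comment such as `# The profiles below are scaffolding and are all disabled; nothing is confined until one is enabled` would stop a reader assuming the host is confined. `apparmor-kernel-patches` in `environment.systemPackages` also looks out of place, since it appears to be a patch-set package rather than a user-space tool; worth confirming before keeping it there.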
From: ItsDrike
Date: Mon, 15 Apr 2024 22:47:54 +0200
Subject: [PATCH 03/15] Add auditd
---
 hosts/herugrim/default.nix | 7 ++++
 options/default.nix | 1 +
 options/security/auditd.nix | 61 ++++++++++++++++++++++++++++++
 options/security/default.nix | 5 +++
 system/shared/security/auditd.nix | 52 +++++++++++++++++++++++++
 system/shared/security/default.nix | 1 +
 6 files changed, 127 insertions(+)
 create mode 100644 options/security/auditd.nix
 create mode 100644 options/security/default.nix
 create mode 100644 system/shared/security/auditd.nix
diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
index ecffaed..7000dfb 100644
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@@ -59,6 +59,13 @@
 hasTPM = true;
 };

+ security = {
+ auditd = {
+ enable = true;
+ autoPrune.enable = true;
+ };
+ };
+
 workstation = {
 printing.enable = true;
 };
diff --git a/options/default.nix b/options/default.nix
index 5385c36..3853e45 100644
--- a/options/default.nix
+++ b/options/default.nix
@@ -4,5 +4,6 @@ _: {
 ./home
 ./system
 ./workstation
+ ./security
 ];
 }
diff --git a/options/security/auditd.nix b/options/security/auditd.nix
new file mode 100644
index 0000000..fccb222
--- /dev/null
+++ b/options/security/auditd.nix
@@ -0,0 +1,61 @@
+{ lib, config, ... }: with lib; let
+ inherit (lib) mkEnableOption mkOption literalExpression types;
+in
+{
+ options.myOptions.security.auditd = {
+ enable = mkEnableOption "the audit daemon.";
+ autoPrune = {
+ enable = mkEnableOption ''
+ automatic pruning of audit logs.
+
+ Enabling this is HEAVILY recommended, as audit logs
+ can grow very large very quickly.
+ '';
+
+ size = mkOption {
+ type = types.int;
+ default = 524288000; # roughly 500MB
+ description = ''
+ The maximum size of the audit log in bytes.
+
+ The default is 500MB.
+ '';
+ };
+
+ schedule = mkOption {
+ type = types.str;
+ default = "daily";
+ example = "weekly";
+ description = "How often cleaning is triggered. Passed to systemd.time";
+ };
+ };
+
+ extraFiles = mkOption {
+ default = [];
+ type = types.listOf types.path;
+ example = literalExpression ''["/etc/nix/id_rsa"]'';
+ description = ''
+ Additional files in root to link to persistent storage.
+ '';
+ };
+
+ extraDirectories = mkOption {
+ default = [];
+ type = types.listOf types.path;
+ example = literalExpression ''["/etc/nix/id_rsa"]'';
+ description = ''
+ Additional directories in root to link to persistent storage.
+ '';
+ };
+
+ persistentMountPoint = mkOption {
+ default = "/persist";
+ description = ''
+ Path to a persistent directory (usually a mount point to a
+ standalone partition / subvolume), which will hold the persistent
+ system state files.
+ '';
+ };
+ };
+}
+
diff --git a/options/security/default.nix b/options/security/default.nix
new file mode 100644
index 0000000..015276a
--- /dev/null
+++ b/options/security/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./auditd.nix
+ ];
+}
diff --git a/system/shared/security/auditd.nix b/system/shared/security/auditd.nix
new file mode 100644
index 0000000..eaa4780
--- /dev/null
+++ b/system/shared/security/auditd.nix
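Review bot: `extraFiles`, `extraDirectories` and `persistentMountPoint` describe impermanence settings ("link to persistent storage", example `/etc/nix/id_rsa`, default `/persist`), not auditd, and nothing in this series reads them under `myOptions.security.auditd`; they look copied from the impermanence option module and should be dropped from this file so the option tree does not advertise knobs that do nothing. `persistentMountPoint` also declares no `type`, so any value is accepted silently. The `with lib;` on the first line is redundant with the `inherit (lib) …` that follows and can go. The `size` description could name what it is compared against, since the prune script uses the raw file size: `The maximum size of the audit log in bytes, compared against the size reported by stat(1).`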
@@ -0,0 +1,52 @@
+{ config, lib, ... }: let
+ inherit (lib) mkIf;
+
+ cfg = config.myOptions.security.auditd;
+in {
+ config = mkIf cfg.enable {
+ security = {
+ auditd.enable = true;
+ audit = {
+ enable = true;
+ # maximum number of outstanding audit buffers allowed
+ # exceeding this is considered a failure and handled in
+ # a manner specified by failureMode
+ backlogLimit = 8192;
+ # how to handle critical errors in the auditing system
+ failureMode = "printk"; # "silent" | "printk" | "panic"
+ rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
+ };
+ };
+
+ systemd = mkIf cfg.autoPrune.enable {
+ # Systemd timer to clean /var/log/audit.log on configured schedule
+ timers."clean-audit-log" = {
+ description = "Periodically clean audit log";
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnCalendar = cfg.autoPrune.schedule;
+ Persistent = true;
+ };
+ };
+
+ # clean audit log if it's larger than the configured size
+ services."clean-audit-log" = {
+ script = ''
+ set -eu
+ if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${cfg.autoPrune.size} ]]; then
+ echo "Clearing Audit Log";
+ rm -rvf /var/log/audit/audit.log;
+ echo "Done!"
+ fi
+ '';
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+ };
+ };
+}
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
index df16fb6..c7c2b61 100644
--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./apparmor.nix
+ ./auditd.nix
 ];
 }
From 4eb78554dd4f480ec258eea862ee5b78c47bae3e Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 22:57:39 +0200
Subject: [PATCH 04/15] Log all actions polkit actions
---
 system/shared/security/default.nix | 1 +
 system/shared/security/polkit.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 system/shared/security/polkit.nix
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
index c7c2b61..f2f6476 100644
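Review bot: The prune service removes `/var/log/audit/audit.log` with `rm -rvf` while auditd still holds it open, so the unlinked inode keeps its space until auditd closes it and subsequent records go to that orphaned file rather than a fresh log; the entire record is also discarded at once rather than rotated. auditd's own `max_log_file`, `max_log_file_action = ROTATE` and `num_logs` settings in auditd.conf give a size-bounded rotation that keeps recent history, if the NixOS module exposes a way to set them; failing that, the script should signal auditd to rotate (it rotates on SIGUSR1) instead of deleting the file. The `${cfg.autoPrune.size}` interpolation of an integer does not evaluate and is fixed by patch 12 later in this series. Separately, the single rule `"-a exit,always -F arch=b64 -S execve"` covers only 64-bit execve; the usual pairing adds `"-a exit,always -F arch=b32 -S execve"` so that 32-bit binaries are logged as well.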
--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./apparmor.nix
 ./auditd.nix
+ ./polkit.nix
 ];
 }
diff --git a/system/shared/security/polkit.nix b/system/shared/security/polkit.nix
new file mode 100644
index 0000000..ac8d279
--- /dev/null
+++ b/system/shared/security/polkit.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }: {
+ security.polkit = {
+ enable = true;
+ debug = lib.mkDefault true;
+
+ # Have polkit log all actions, if debug is enabled
+ extraConfig = lib.mkIf config.security.polkit.debug ''
+ /* Log authorization checks. */
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
+ };
+}
From 662657dadbb77fd68848a78dd6119d360f3410b1 Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 23:10:06 +0200
Subject: [PATCH 05/15] Add nix-index
---
 home/programs/terminal/tools/default.nix | 1 +
 home/programs/terminal/tools/nix-index.nix | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 home/programs/terminal/tools/nix-index.nix
diff --git a/home/programs/terminal/tools/default.nix b/home/programs/terminal/tools/default.nix
index 6ece1ab..00fcb55 100644
--- a/home/programs/terminal/tools/default.nix
+++ b/home/programs/terminal/tools/default.nix
@@ -12,5 +12,6 @@ _: {
 ./btop.nix
 ./bottom.nix
 ./bat.nix
+ ./nix-index.nix
 ];
 }
diff --git a/home/programs/terminal/tools/nix-index.nix b/home/programs/terminal/tools/nix-index.nix
new file mode 100644
index 0000000..241e136
--- /dev/null
+++ b/home/programs/terminal/tools/nix-index.nix
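Review bot: The rule callback deliberately returns nothing, which is what keeps it from deciding the authorization, but nothing in the file says so; a comment inside the JavaScript, `/* Must not return a value: a return here would decide the authorization rather than just log it. */`, would protect it from a well-meaning edit. `debug = lib.mkDefault true` also switches on polkitd's own debug output in addition to this rule, as far as the NixOS option goes, and both end up in the journal that patch 01 of this series caps at 100M, so on a busy desktop this can crowd out other entries. If the goal is an authorization trail rather than polkitd internals, gating `extraConfig` on a dedicated option instead of `debug` would keep the two separable.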
@@ -0,0 +1,15 @@
+{ config, ... }: {
+ programs = {
+ # nix-index is a file database for nixpkgs
+ # this provides `nix-locate` command.
+ nix-index = {
+ enable = true;
+ enableBashIntegration = config.programs.bash.enable;
+ enableZshIntegration = config.programs.zsh.enable;
+ };
+
+ # Allows interactive shells to show which Nix package (if any)
+ # provides a missing command.
+ command-not-found.enable = true;
+ };
+}
From 1c52e91b56cc601f8eb1bd19df3905c2aaee8333 Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 23:22:23 +0200
Subject: [PATCH 06/15] Add physlock
---
 system/roles/workstation/programs/default.nix | 1 +
 system/roles/workstation/programs/physlock.nix | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 system/roles/workstation/programs/physlock.nix
diff --git a/system/roles/workstation/programs/default.nix b/system/roles/workstation/programs/default.nix
index 5ad52c9..661d81a 100644
--- a/system/roles/workstation/programs/default.nix
+++ b/system/roles/workstation/programs/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./misc.nix
+ ./physlock.nix
 ];
 }
diff --git a/system/roles/workstation/programs/physlock.nix b/system/roles/workstation/programs/physlock.nix
new file mode 100644
index 0000000..b692160
--- /dev/null
+++ b/system/roles/workstation/programs/physlock.nix
@@ -0,0 +1,8 @@
+{
+ # Screen locker which works across all virtual terminals
+ # Use `systemctl start physlock` to securely lock the screen
+ services.physlock = {
+ enable = true;
+ lockMessage = "System is locked...";
+ };
+}
From 0e3bbe7dd2cd93e8d6cf0cf8a5a7bc99c3d7389d Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Tue, 16 Apr 2024 11:54:15 +0200
Subject: [PATCH 07/15] Update vbox_nix host config
---
 hosts/vbox_nix/default.nix | 35 ++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/hosts/vbox_nix/default.nix b/hosts/vbox_nix/default.nix
index 1da37a6..6a37faa 100644
--- a/hosts/vbox_nix/default.nix
+++ b/hosts/vbox_nix/default.nix
@@ -22,19 +22,48 @@
 system = {
 hostname = "vboxnix";
 username = "itsdrike";
+
+ impermanence = {
+ root.enable = false;
+ autoWipeBtrfs.enable = false;
+ };
+
+ boot = {
+ secure-boot.enable = false;
+ tmpOnTmpfs = false;
+ };
 };
+
 device = {
- type = "desktop";
- virtual-machine = true;
+ roles = {
+ type = "desktop";
+ virtual-machine = true;
+ };
 cpu.type = "amd";
+ hasTPM = false;
 };
+
+ security = {
+ auditd = {
+ enable = true;
+ autoPrune.enable = true;
+ };
+ };
+
+ workstation = {
+ printing.enable = false;
+ };
+
 home-manager = {
 enable = true;
 stateVersion = "23.11";
 git = {
 userName = "ItsDrike";
 userEmail = "itsdrike@protonmail.com";
- signing.key = "FA2745890B7048C0";
+ signing = {
+ enabled = true;
+ key = "FA2745890B7048C0";
+ };
 };
 };
 };
From 9bd3848584872589eaa37710342bfd0738e6e18a Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Tue, 16 Apr 2024 11:55:53 +0200
Subject: [PATCH 08/15] Rename git.signing.enabled to enable
---
 hosts/herugrim/default.nix | 2 +-
 hosts/vbox_nix/default.nix | 2 +-
 options/home/git.nix | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
index 7000dfb..7a9b9bb 100644
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@@ -77,7 +77,7 @@
 userName = "ItsDrike";
 userEmail = "itsdrike@protonmail.com";
 signing = {
- enabled = true;
+ enable = true;
 key = "FA2745890B7048C0";
 };
 };
diff --git a/hosts/vbox_nix/default.nix b/hosts/vbox_nix/default.nix
index 6a37faa..e87f939 100644
--- a/hosts/vbox_nix/default.nix
+++ b/hosts/vbox_nix/default.nix
@@ -61,7 +61,7 @@
 userName = "ItsDrike";
 userEmail = "itsdrike@protonmail.com";
 signing = {
- enabled = true;
+ enable = true;
 key = "FA2745890B7048C0";
 };
 };
diff --git a/options/home/git.nix b/options/home/git.nix
index f9d6b4c..b9f148a 100644
--- a/options/home/git.nix
+++ b/options/home/git.nix
@@ -15,7 +15,7 @@ in }; signing = { - enabled = mkEnableOption '' + enable = mkEnableOption '' git commit signing. Requires `myOptions.home-manager.git.signing.key` to be set. ''; From d2572ab99ffa224566e2a51b4abf6b0b41d2e563 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 11:57:05 +0200 Subject: [PATCH 09/15] Fix typo --- system/shared/security/apparmor.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/shared/security/apparmor.nix b/system/shared/security/apparmor.nix index 44cc3c6..716c4c4 100644 --- a/system/shared/security/apparmor.nix +++ b/system/shared/security/apparmor.nix @@ -27,7 +27,7 @@ packages = [pkgs.apparmor-profiles]; # AppArmor policies - policies = [ + policies = { "default_deny" = { enforce = false; enable = false; @@ -55,6 +55,6 @@ } ''; }; - ]; + }; }; } From 2cd16c9b78038ce433fbe46145b77c8c7f283a83 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 11:59:07 +0200 Subject: [PATCH 10/15] Include lanzaboote input --- hosts/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/default.nix b/hosts/default.nix index 40a5834..4dcd9eb 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -16,6 +16,7 @@ in ./vbox_nix inputs.home-manager.nixosModules.home-manager inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote ] ++ shared; }; From 76a86402463470686f10c8457210d974c06715d3 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 12:02:24 +0200 Subject: [PATCH 11/15] Remove command-not-found in favor of nix-index integration) --- home/programs/terminal/tools/nix-index.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/home/programs/terminal/tools/nix-index.nix b/home/programs/terminal/tools/nix-index.nix index 241e136..5b4df13 100644 --- a/home/programs/terminal/tools/nix-index.nix +++ b/home/programs/terminal/tools/nix-index.nix 
@@ -4,12 +4,9 @@ # this provides `nix-locate` command. nix-index = { enable = true; + # Attempt to find the package that contains the non-existent command enableBashIntegration = config.programs.bash.enable; enableZshIntegration = config.programs.zsh.enable; }; - - # Allows interactive shells to show which Nix package (if any) - # provides a missing command. - command-not-found.enable = true; }; } From d765db533246ba11dae51d7a77a62723766630d6 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 12:13:42 +0200 Subject: [PATCH 12/15] Fix string coercion issue with clean-audit-log --- system/shared/security/auditd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/shared/security/auditd.nix b/system/shared/security/auditd.nix index eaa4780..3691d6f 100644 --- a/system/shared/security/auditd.nix +++ b/system/shared/security/auditd.nix @@ -35,7 +35,7 @@ in { services."clean-audit-log" = { script = '' set -eu - if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${cfg.autoPrune.size} ]]; then + if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${builtins.toString cfg.autoPrune.size} ]]; then echo "Clearing Audit Log"; rm -rvf /var/log/audit/audit.log; echo "Done!" From 15947ba93aa03a6746b7a9447d4463e25d08f905 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 12:15:42 +0200 Subject: [PATCH 13/15] Fix git signing after renaming the custom opt --- home/programs/terminal/tools/git/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/programs/terminal/tools/git/default.nix b/home/programs/terminal/tools/git/default.nix index 4452029..2bb104d 100644 --- a/home/programs/terminal/tools/git/default.nix +++ b/home/programs/terminal/tools/git/default.nix @@ -17,7 +17,7 @@ in userEmail = myGitConf.userEmail; signing = { - signByDefault = myGitConf.signing.enabled; + signByDefault = myGitConf.signing.enable; key = myGitConf.signing.key; }; 
From edade19d64cd07c2d53f87d4c3c19768d8201e29 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Tue, 16 Apr 2024 12:29:22 +0200 Subject: [PATCH 14/15] Add assertion to prevent enabling autoWipBtrfs without impermanence --- options/system/impermanence.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/options/system/impermanence.nix b/options/system/impermanence.nix index fece564..732f5da 100644 --- a/options/system/impermanence.nix +++ b/options/system/impermanence.nix @@ -85,4 +85,13 @@ in }; }; }; + + config = { + assertions = [ + { + assertion = cfg.autoWipeBtrfs.enable -> cfg.root.enable; + message = "myOptions.system.impermanence.autoWipeBtrfs requires myOptions.system.impermanence.root to be enabled."; + } + ]; + }; } From e47f41a3c05ee20399991fed9bac5b77256e90bb Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Thu, 18 Apr 2024 16:39:39 +0200 Subject: [PATCH 15/15] Explicitly disable nano --- system/shared/programs.nix | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/system/shared/programs.nix b/system/shared/programs.nix index d9eeaf9..9e00d59 100644 --- a/system/shared/programs.nix +++ b/system/shared/programs.nix @@ -1,10 +1,17 @@ -{ +{lib, ...}: let + inherit (lib) mkForce; +in { - # Install an actually usable system-wide editor - programs.neovim = { - enable = true; - defaultEditor = true; - vimAlias = true; - viAlias = true; + programs = { + # Explicitly disable nano, it sucks and I don't want it + nano.enable = mkForce false; + + # Install an actually usable system-wide editor + neovim = { + enable = true; + defaultEditor = true; + vimAlias = true; + viAlias = true; + }; }; }
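Review bot: `nano.enable = mkForce false;` overrides every other definition of `programs.nano.enable`, so a host or role module that later sets it to `true` is silently ignored instead of producing a conflict. A plain `nano.enable = false;` already beats the option's default priority, and if another module genuinely needs nano the evaluator then reports the clash where it can be resolved; `mkForce` is only warranted when some imported module is known to set it explicitly, in which case the comment should name that module rather than just the author's preference. The enclosing attribute set is fully visible in the hunk.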