Compare commits
8 commits
Author | SHA1 | Date | |
---|---|---|---|
0aed53464d | |||
f7d031ddf9 | |||
3b465c7eb1 | |||
51b7e7887d | |||
2746f3de5c | |||
2d8a53db82 | |||
9c0691d133 | |||
12221697d2 |
21 changed files with 573 additions and 63 deletions
@ -34,11 +34,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725432240,
|
"lastModified": 1725634671,
|
||||||
"narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
|
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "ad416d066ca1222956472ab7d0555a6946746a80",
|
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
19
flake.nix
19
flake.nix
|
@ -6,25 +6,29 @@
|
||||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
};
|
};
|
||||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
passInputs = ({lib,config,...}:{
|
passInputs = ({lib,config,...}:{
|
||||||
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||||
|
config.flakePath = ./.;
|
||||||
|
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||||
config.inputs = inputs;
|
config.inputs = inputs;
|
||||||
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
|
||||||
config.pkgsInstances = {
|
config.pkgsInstances = {
|
||||||
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
inherit (nixpkgs) lib;
|
||||||
|
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||||
in {
|
in {
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
"forgenite" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/forgenite
|
./hosts/forgenite
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
passInputs
|
passInputs
|
||||||
|
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||||
|
@ -33,6 +37,7 @@
|
||||||
./hosts/forgejo-ci
|
./hosts/forgejo-ci
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
passInputs
|
passInputs
|
||||||
|
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
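Review bot: The `imports = [ ];` binding added directly under `outputs = … @inputs: let` appears to be empty and is not referenced anywhere in the section; unless something outside the hunk reads it, it is dead code and should be removed. The `(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})` call is repeated verbatim in both `nixosSystem` module lists (the `forgenite` hunk and the `forgejo-ci` hunk); binding it once in the let-block, e.g. `localMods = mkLocalMods {prefix = ["lyn"]; dir = ./modules;};`, keeps every host on the same auto-discovered module set. `options.flakePath` deserves a one-line comment saying it points at the flake's own store copy and exists only so the sops module can locate the encrypted `secrets/*.yaml` files. The `outputs` attrset may continue past the end of this section.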
|
||||||
|
|
|
@ -1,17 +1,21 @@
|
||||||
{ config, pkgs, lib, inputs, ... }: {
|
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
./../../services/forgejo-ci.nix
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./../../users/lyn
|
./../../users/lyn
|
||||||
./../../meta/profiles/base.nix
|
|
||||||
./../../meta/profiles/vm.nix
|
|
||||||
];
|
];
|
||||||
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
||||||
|
lyn.kernel.latest.enable = true;
|
||||||
|
lyn.kernel.hardened.enable = true;
|
||||||
|
lyn.profiles.base.enable = true;
|
||||||
|
lyn.profiles.vm.enable = true;
|
||||||
|
lyn.services.forgejo-ci.enable = true;
|
||||||
|
lyn.services.forgejo-ci.domain = "git.shibe.pro";
|
||||||
|
lyn.services.forgejo-ci.instancename = "shibepro-ci";
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
networking.hostName = "forgenite"; # Define your hostname.
|
networking.hostName = "forgejo-ci"; # Define your hostname.
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
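Review bot: `with config.lyn.lib;` on the module's first line references `config.lyn.lib`, but nothing in this diff declares a `lyn.lib` option (meta/enable.nix only assigns `config.lyn.lib.enable`, and that file is commented out of meta/default.nix), and no name in this file is taken from that scope; since bare identifiers such as `true` are resolved through the `with` first, the set is forced during evaluation and is expected to fail, so drop it: `{ config, pkgs, lib, inputs, ... }: {`. If `lyn.lib` is meant to exist, declare it with `options.lyn.lib` before relying on it here, and prefer an explicit `config.lyn.lib.<name>` over a module-level `with config.*`, which is also a common infinite-recursion trigger. This host enables both `lyn.kernel.latest` and `lyn.kernel.hardened`, as does hosts/forgenite; see the note on modules/kernel/latest.nix for why only one of them takes effect.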
|
||||||
|
|
|
@ -1,16 +1,21 @@
|
||||||
{ config, pkgs, lib, inputs, ... }: {
|
{ config, pkgs, lib, inputs, ... }: {
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
./../../services/forgejo.nix
|
|
||||||
./../../users/lyn
|
./../../users/lyn
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./../../meta/profiles/base.nix
|
|
||||||
./../../meta/profiles/vm.nix
|
|
||||||
];
|
];
|
||||||
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||||
|
|
||||||
|
lyn.kernel.latest.enable = true;
|
||||||
|
lyn.kernel.hardened.enable =true;
|
||||||
|
lyn.profiles.base.enable = true;
|
||||||
|
lyn.profiles.vm.enable = true;
|
||||||
|
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
# enable git
|
||||||
|
lyn.services.forgejo.enable = true;
|
||||||
|
lyn.services.forgejo.domain = "git.shibe.pro";
|
||||||
networking.hostName = "forgenite"; # Define your hostname.
|
networking.hostName = "forgenite"; # Define your hostname.
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
|
|
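--- a/meta/default.nix
+++ b/meta/default.nix
@@ -0,0 +1,7 @@
+{
+imports = [
+./mkLocalMods.nix
+# ./enable.nix
+];
+}
+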
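Review bot: `imports = [ ./mkLocalMods.nix ];` treats meta/mkLocalMods.nix as a NixOS module, but that file evaluates to the `mkLocalMods` function (its last line is `in mkLocalMods`), so importing it here would fail module evaluation; flake.nix already consumes it correctly via `import ./meta/mkLocalMods.nix {inherit lib;}`. Nothing in this diff imports meta/default.nix, and its only other entry is the commented-out `# ./enable.nix`, so the file is currently dead glue; either delete it or turn it into a real aggregator and add a header comment stating what it is for.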
|
@ -1,8 +1,7 @@
|
||||||
{lib, config, ...}: {
|
{lib, config, ...}: {
|
||||||
lib.meta.enable = list: lib.genAttrs
|
config.lyn.lib.enable = list: lib.genAttrs
|
||||||
list
|
list
|
||||||
(name:
|
(
|
||||||
${name}.enable = true;
|
name: {enable = true;}
|
||||||
)
|
);
|
||||||
;
|
|
||||||
}
|
}
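Review bot: `config.lyn.lib.enable = …` assigns into `lyn.lib`, but no `options.lyn.lib` declaration appears in this file or anywhere else in the diff, and meta/default.nix lists this file only as the commented-out `# ./enable.nix`; as written, the first module that imports it would be rejected for defining an undeclared option. If the helper is kept, declare the option in the same file, e.g. `options.lyn.lib = lib.mkOption { type = lib.types.attrs; };`. Also note in a comment that `lib.genAttrs list (name: {enable = true;})` keys the result by the literal string, so a dotted entry such as `"kernel.hardened"` yields an attribute named `kernel.hardened` rather than the nested path `kernel.hardened.enable`.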
|
||||||
|
|
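--- a/meta/mkLocalMods.nix
+++ b/meta/mkLocalMods.nix
@@ -0,0 +1,53 @@
+{lib, ...}:
+let
+mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
+#kv = key: value: {inherit key value;};
+recurseNaive = curPath: fn: mapAttrKVs (k: v: let
+match = builtins.match "(.*)[.]nix" k;
+in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
+else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
+else {key = null; value = null;}
+) (builtins.readDir curPath);
+
+getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
+if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
+else [{path = prefix ++ [k]; value = v;}]
+) as);
+
+getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
+
+unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
+transformLocalMod = {path, value}: let
+modFn = if lib.isFunction (import value) then import value else (p: import value);
+newMod = p: let
+paramNew = p // {
+cfg = lib.getAttrFromPath path p.config;
+};
+
+pathStr = builtins.concatStringsSep "." path;
+modRaw = modFn paramNew;
+modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
+
+mod = modRaw.mod or {};
+fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
+enablePath = path ++ ["enable"];
+
+imports = [ {
+_file = fileCtx "`opt` processor";
+key = fileCtx "`opt` processor";
+options = lib.setAttrByPath path (modRaw.opt or {});
+} {
+_file = fileCtx "`enable` definition";
+key = fileCtx "`enable` definition";
+options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
+} ({config, ...}: {
+_file = fileCtx "config wrapper";
+key = fileCtx "config wrapper";
+config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
+})];
+
+newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
+in newMod; in lib.mirrorFunctionArgs modFn newMod;
+
+mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
+in mkLocalMods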
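Review bot: The first two let-bindings, `mapAttrKVs` and `recurseNaive`, are never referenced — `getPathKVsRec` discovers files through `lib.packagesFromDirectoryRecursive` instead — and `recurseNaive`'s `{key = null; value = null;}` fallback would fail anyway once `mapAttrKVs` used `null` as an attribute name, so both should be deleted together with the `#kv` comment. `unifyMod pathStr pathStr …` passes the dotted option path as both `_file` and `key`, so module errors for an auto-discovered module report e.g. `kernel.hardened` rather than the offending file; passing `(toString value)` as the first argument keeps `fileCtx` useful. A header comment should also state the contract this imposes on everything under `dir`: every `*.nix` file is imported as a module, receives a `<prefix>.<path>.enable` option, gets an extra `cfg` argument bound to its own option subtree, and may use the non-standard top-level `opt` and `mod` attributes, none of which the module system itself documents.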
|
@ -1,23 +0,0 @@
|
||||||
{lib, config, ...}: {
|
|
||||||
lib.mkLocalModule = pathInterpolation: optDesc: config: let
|
|
||||||
#example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
|
|
||||||
marker = "local-modules";
|
|
||||||
splitAfterMarker = marker: input: builtins.foldl' (acc: new:
|
|
||||||
if acc == false then # marker not found yet
|
|
||||||
if new == marker then [] else acc
|
|
||||||
else # marker found
|
|
||||||
if builtins.typeOf new == "string"
|
|
||||||
then acc ++ [new]
|
|
||||||
else acc
|
|
||||||
) false (builtins.split "/" (builtins.toString input));
|
|
||||||
path = splitAfterMarker marker pathInterpolation;
|
|
||||||
inputs = {
|
|
||||||
#optDesc = "enable this";
|
|
||||||
inherit optDesc: config;
|
|
||||||
};
|
|
||||||
mod = {config, ...}: {
|
|
||||||
options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
|
|
||||||
config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
|
|
||||||
};
|
|
||||||
in mod;
|
|
||||||
}
|
|
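--- a/meta/modules-extracted.nix
+++ b/meta/modules-extracted.nix
@@ -0,0 +1,100 @@
+# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
+{ lib }:
+with lib.modules;
+let
+inherit (lib)
+addErrorContext
+all
+any
+attrByPath
+attrNames
+catAttrs
+concatLists
+concatMap
+concatStringsSep
+elem
+filter
+foldl'
+functionArgs
+getAttrFromPath
+genericClosure
+head
+id
+imap1
+isAttrs
+isBool
+isFunction
+isInOldestRelease
+isList
+isString
+length
+mapAttrs
+mapAttrsToList
+mapAttrsRecursiveCond
+min
+optional
+optionalAttrs
+optionalString
+recursiveUpdate
+reverseList sort
+seq
+setAttrByPath
+substring
+throwIfNot
+trace
+typeOf
+types
+unsafeGetAttrPos
+warn
+warnIf
+zipAttrs
+zipAttrsWith
+;
+inherit (lib.options)
+isOption
+mkOption
+showDefs
+showFiles
+showOption
+unknownModule
+;
+inherit (lib.strings)
+isConvertibleWithToString
+;
+
+unifyModuleSyntax = file: key: m:
+let
+addMeta = config: if m ? meta
+then mkMerge [ config { meta = m.meta; } ]
+else config;
+addFreeformType = config: if m ? freeformType
+then mkMerge [ config { _module.freeformType = m.freeformType; } ]
+else config;
+in
+if m ? config || m ? options then
+let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
+if badAttrs != {} then
+throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
+else
+{ _file = toString m._file or file;
+_class = m._class or null;
+key = toString m.key or key;
+disabledModules = m.disabledModules or [];
+imports = m.imports or [];
+options = m.options or {};
+config = addFreeformType (addMeta (m.config or {}));
+}
+else
+# shorthand syntax
+throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
+{ _file = toString m._file or file;
+_class = m._class or null;
+key = toString m.key or key;
+disabledModules = m.disabledModules or [];
+imports = m.require or [] ++ m.imports or [];
+options = {};
+config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
+};
+
+
+in {inherit unifyModuleSyntax;}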
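--- a/modules/kernel/hardened.nix
+++ b/modules/kernel/hardened.nix
@@ -0,0 +1,299 @@
+{lib, pkgs, config, cfg, ...}: let
+ifApparmor = cfg.apparmor.enable;
+in {
+opt.apparmor.enable = lib.mkEnableOption "apparmor";
+boot.kernelPackages = let
+kernel = pkgs.linux-libre;
+llvm = pkgs.llvmPackages_latest;
+
+version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;
+major = lib.versions.major version;
+
+sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;
+modDirVer = lib.replaceStrings
+[ kernel.version ]
+[ version ]
+kernel.modDirVersion;
+in lib.mkDefault (pkgs.linuxPackagesFor (kernel.override {
+stdenv = llvm.stdenv;
+extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
+kernelPatches = kernel.kernelPatches
+++ [ pkgs.kernelPatches.hardened."${kernel.meta.branch}" ];
+modDirVersionArg =
+modDirVer +
+(pkgs.kernelPatches.hardened."${kernel.meta.branch}").extra;
+isHardened = true;
+argsOverride = {
+inherit version;
+src = pkgs.fetchurl {
+url =
+"mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
+inherit sha256;
+};
+};
+structuredExtraConfig = with lib.kernel; {
+# report BUG() conditions and kill the offending process
+BUG = yes;
+
+# safer page access permissions to prevent code injection
+DEBUG_RODATA = yes;
+SET_MODULE_RONX = yes;
+
+# validation of commonly targeted structures
+DEBUG_CREDENTIALS = yes;
+DEBUG_NOTIFIERS = yes;
+DEBUG_PLIST = yes;
+DEBUG_SG = yes;
+SCHED_STACK_END_CHECK = yes;
+
+# randomize page allocator when page_alloc.shuffle=1
+SHUFFLE_PAGE_ALLOCATOR = yes;
+
+# allow enabling slub/slab free poisoning with slub_debug=P
+SLUB_DEBUG = yes;
+
+# wipe higher-level memory allocations on free() with page_poison=1
+PAGE_POISONING = yes;
+PAGE_POISONING_NO_SANITY = yes;
+PAGE_POISONING_ZERO = yes;
+
+
+# reboot devices immediately when the kernel panics
+PANIC_TIMEOUT = freeform "-1";
+
+
+## GCC options (i use LLVM btw) ##
+
+# GCC_PLUGINS = yes; # Enable gcc plugin options
+# Gather additional entropy at boot time for systems that may not
+# have appropriate entropy sources.
+# GCC_PLUGIN_LATENT_ENTROPY = yes;
+# GCC_PLUGIN_STRUCTLEAK = yes; # A port of the PaX structleak plugin
+# GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = yes; # also cover structs passed by address
+# GCC_PLUGIN_STACKLEAK = yes; # A port of the PaX stackleak plugin
+# GCC_PLUGIN_RANDSTRUCT = yes; # A port of the PaX randstruct plugin
+# GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = yes;
+
+# enable link-time optimisation
+LTO_CLANG_THIN = yes;
+
+# clear memory at reboot via EFI
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
+RESET_ATTACK_MITIGATION = yes;
+
+# kernel memory permission enforcement
+STRICT_KERNEL_RWX = yes;
+STRICT_MODULE_RWX = yes;
+VMAP_STACK = yes;
+
+# kernel image and memory ASLR
+RANDOMIZE_BASE = yes;
+RANDOMIZE_MEMORY = yes;
+
+# randomize allocator freelists, harden metadata
+SLAB_FREELIST_RANDOM = yes;
+SLAB_FREELIST_HARDENED = yes;
+RANDOM_KMALLOC_CACHES = yes;
+
+# sanity check userspace page table mappings
+PAGE_TABLE_CHECK = yes;
+PAGE_TABLE_CHECK_ENFORCED = yes;
+
+# randomize kernel stack offset on syscall entry
+RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
+
+# stack frame overflow protection
+STACKPROTECTOR = yes;
+STACKPROTECTOR_STRONG = yes;
+
+# buffer length bounds checking
+HARDENED_USERCOPY = yes;
+FORTIFY_SOURCE = yes;
+
+# array index bounds checking
+UBSAN = yes;
+UBSAN_TRAP = yes;
+UBSAN_BOUNDS = yes;
+UBSAN_ALIGNMENT = yes;
+## unaligned memory access is bad and evil!!
+## sanitizing this will cause lots of reports and warnings though
+## it works on x86 though i think
+UBSAN_SHIFT = unset;
+UBSAN_DIV_ZERO = unset;
+UBSAN_UNREACHABLE = unset;
+UBSAN_SIGNED_WRAP = unset;
+UBSAN_BOOL = unset;
+UBSAN_ENUM = unset;
+
+# sampling-based heap out-of-bounds and user-after-free detection
+KFENCE = yes;
+
+# linked list integrity checking
+LIST_HARDENED = yes;
+
+# zero-initialise heap variables on allocation
+INIT_ON_ALLOC_DEFAULT =yes;
+
+# zero-initialise stack variables on function entry
+INIT_STACK_ALL_ZERO = yes;
+
+# disable DMA between EFI hand-off and the kernel's IOMMU setup
+EFI_DISABLE_PCI_DMA = yes;
+
+# force IOMMU TLB invalidation so devices will never be able to
+# access stale data content
+IOMMU_SUPPORT = yes;
+IOMMU_DEFAULT_DMA_STRICT = yes;
+
+# do not allow direct physical memory access to non-device memory
+STRICT_DEVMEM = option no; # depends on DEVMEM
+IO_STRICT_DEVMEM = option no; # depends on DEVMEM
+
+# provide userspace with seccomp BPF API
+# for syscall attack surface reduction
+SECCOMP = yes;
+SECCOMP_FILTER = yes;
+
+# provides some protections against SYN flooding
+SYN_COOKIES = yes;
+
+# enable kernel control flow integrity (currently Clang only)
+CFI_CLANG = yes;
+# CFI_PERMISSIVE
+
+# attack surface reduction; do not autoload TTY line disciplines
+LDISC_AUTOLOAD = no;
+
+# dangerous; enabling this disables userpace brk ASLR
+COMPAT_BRK = no;
+
+# dangerous; exposes kernel text image layout
+PROC_KCORE = no;
+
+# dangerous; enabling this disables userspace VDSO ASLR
+COMPAT_VDSO = no;
+
+# attack surface reduction: use modern PTY interface (devpts) only
+LEGACY_PTYS = no;
+
+# dangerous; allows writing directly to physical memory
+ACPI_CUSTOM_METHOD = no;
+
+# attack surface reduction; has been used for heap based attacks
+INET_DIAG = no;
+
+# Security modules
+SECURITY_SELINUX = yes;
+SECURITY_APPARMOR = yes;
+SECURITY_SAFESETID = yes;
+DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
+DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
+SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1");
+
+# mark LSM hooks read-only after init
+SECURITY_WRITABLE_HOOKS = no;
+
+# enable BPF; may expose kernel to spray attacks though
+BPF_JIT_ALWAYS_ON = yes;
+
+# Replace menu governour with TEO
+CPU_IDLE_GOV_MENU = no;
+CPU_IDLE_GOV_TEO = yes;
+} // lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
+X86_EXTENDED_PLATFORM = no;
+
+# don't sanitize unaligned memory access resulting in
+# undefined behavior because x86 supports unalligned access
+UBSAN_ALIGNMENT = no;
+
+# enable chip-specific IOMMU support
+INTEL_IOMMU = yes;
+INTEL_IOMMU_DEFAULT_ON = yes;
+INTEL_IOMMU_SVM = yes;
+AMD_IOMMU = yes;
+
+# enforce CET Indirect Branch Tracking in the kernel
+X86_KERNEL_IBT = yes;
+
+# enable CET shadow stack for userspace
+X86_USER_SHADOW_STACK = yes;
+
+# disable legacy x86 interfaces
+STRICT_SIGALTSTACK_SIZE = yes;
+LEGACY_VSYSCALL_XONLY = no;
+
+# modern libc no longer needs a fixed-position mapping in userspace,
+# remove it as a possible target
+LEGACY_VSYSCALL_NONE = yes;
+
+# disable IO delay
+IO_DELAY_NONE = yes;
+};
+}));
+boot.kernelParams = [
+# set apparmor as the default security module
+(lib.mkIf ifApparmor "security=apparmor")
+
+# zero-fill page and slab allocations
+"init_on_free=1"
+
+# disable IO delay
+"io_delay=none"
+
+# enable page allocator free list randomization
+"page_alloc.shuffle=1"
+
+# overwrite free()'d pages
+"page_poison=1"
+
+# disable slab merging
+"slab_nomerge"
+
+# disable vsyscall mechanism
+"vsyscall=none"
+
+# enable transparent hugepages
+"transparent_hugepage=always"
+
+# disable debugfs
+"debugfs=off"
+
+# clear mlocked memory in case the program crashes
+"init_mlocked_on_free=1"
+];
+boot.kernel.sysctl = {
+# disable automatic loading of TTY line disciplines
+"dev.tty.ldisc_autoload" = 0;
+
+"kernel.ftrace_enabled" = lib.mkDefault false;
+
+# disable first 64 KiB of virtual memory for allocation
+"vm.mmap_min_addr" = 65536;
+
+# increase ASLR randomisation
+"vm.mmap_rnd_bits" = 32;
+"vm.mmap_rnd_compat_bits" = 16;
+
+# restrict ptrace()
+"kernel.yama.ptrace_scope" = 1;
+
+# enable hardened eBPF JIT
+"net.core.bpf_jit_enable" = 1;
+"net.core.bpf_jit_harden" = 1;
+
+# Dirty page cache ratio
+"vm.dirty_background_ratio" = 3;
+"vm.dirty_ratio" = 6;
+
+# Hide kptrs even for processes with CAP_SYSLOG
+"kernel.kptr_restrict" = lib.mkOverride 500 2;
+};
+}
+# references:
+# - https://github.com/NixOS/nixpkgs/blob/e6db435973160591fe7348876a5567c729495175/pkgs/os-specific/linux/kernel/hardened/config.nix
+# - https://nixos.wiki/wiki/Linux_kernel#Custom_configuration
+# - https://kspp.github.io/
+# - linux src/arch/x86/configs/hardening.config and src/kernel/configs/hardening.config
+# - trial and error
+# - illdef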
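Review bot: `STRICT_DEVMEM = option no;` and `IO_STRICT_DEVMEM = option no;` do the opposite of the comment above them — `STRICT_DEVMEM=y` is the setting that confines `/dev/mem` to device memory, so `no` widens root's physical-memory access instead of restricting it; either set `DEVMEM = no;` (then the two `STRICT_*` lines are moot and can go) or set both to `yes`. Several symbols look wrong for a current kernel: `INIT_ON_ALLOC_DEFAULT =yes;` should be `INIT_ON_ALLOC_DEFAULT_ON = yes;`, and `DEBUG_RODATA`, `SET_MODULE_RONX`, `PAGE_POISONING_NO_SANITY`/`PAGE_POISONING_ZERO`, `DEBUG_CREDENTIALS`, `DEFAULT_SECURITY_APPARMOR`, `DEFAULT_SECURITY`, `SECURITY_APPARMOR_BOOTPARAM_VALUE` and `SECURITY_WRITABLE_HOOKS` have been removed or renamed in earlier mainline releases, so because they are set with a bare `yes`/`no` rather than `option`, the nixpkgs config check is expected to reject them — verify each against the branch actually built and drop or mark `option` the ones that are gone. `sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;` has a stray `:` inside the attribute name, and `version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;` uses a different attribute path from the three `kernelPatches.hardened."${kernel.meta.branch}"` lookups below it; both should read `pkgs.kernelPatches.hardened."${kernel.meta.branch}"`. Finally, `boot.kernelPackages` is wrapped in `lib.mkDefault`, so any other module setting it at normal priority silently replaces this whole hardened kernel while the `kernelParams` and sysctls here still apply (see modules/kernel/latest.nix).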
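--- a/modules/kernel/latest.nix
+++ b/modules/kernel/latest.nix
@@ -0,0 +1,3 @@
+{lib, config, pkgs, ...}: {
+boot.kernelPackages = pkgs.linuxPackages_latest;
+}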
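Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` is set at normal priority while modules/kernel/hardened.nix sets the same option under `lib.mkDefault`, so when both modules are enabled — as hosts/forgejo-ci and hosts/forgenite both do in this diff — this line wins and the hardened kernel build with all of its `structuredExtraConfig` is silently dropped, leaving hardened.nix's `kernelParams` and sysctls applied to a stock kernel. Either add an assertion that the two `enable` options are mutually exclusive, or give this definition the same priority so the module system reports the conflict instead of picking one: `boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;`. A one-line comment stating that `kernel.latest` and `kernel.hardened` are alternatives would spare the next reader the same surprise.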
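--- a/modules/packages/archivetools.nix
+++ b/modules/packages/archivetools.nix
@@ -0,0 +1,7 @@
+{lib, config, pkgs, ...}: {
+users.users.lyn.packages = with pkgs; [
+p7zip
+zstd
+unzip
+];
+}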
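Review bot: `users.users.lyn.packages = with pkgs; [ … ]` hard-codes the account name inside a module that mkLocalMods exposes generically as `lyn.packages.archivetools.enable`; the same pattern is repeated in modules/packages/crypto.nix, network.nix and security.nix. If these modules are meant to be reusable, take the target user via an `opt.user` option (or switch to `environment.systemPackages`); otherwise a header comment should say they are tied to that one account. No host in this diff enables any of the four, so they are dormant until a host sets their `enable`.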
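--- a/modules/packages/crypto.nix
+++ b/modules/packages/crypto.nix
@@ -0,0 +1,6 @@
+{lib, config, pkgs, ...}: {
+users.users.lyn.packages = with pkgs; [
+pinentry
+gnupg
+];
+}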
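--- a/modules/packages/network.nix
+++ b/modules/packages/network.nix
@@ -0,0 +1,22 @@
+{lib, config, pkgs, ...}: {
+users.users.lyn.packages = with pkgs; [
+magic-wormhole-rs
+inetutils
+tcpdump
+tor
+wireguard-tools
+openvpn
+nmap
+netcat
+sabnzbd
+sshfs
+subfinder
+tshark
+dnsutils
+yt-dlp
+yggdrasil
+traceroute
+wget
+curl
+];
+}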
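--- a/modules/packages/security.nix
+++ b/modules/packages/security.nix
@@ -0,0 +1,21 @@
+{lib, config, pkgs, ...}: {
+users.users.lyn.packages = with pkgs; [
+checksec
+mitmproxy
+mitmproxy2swagger
+websploit
+bettercap
+cantoolz
+ssh-mitm
+jadx
+frida-tools
+apktool
+thc-hydra
+john
+metasploit
+sherlock
+radare2
+subfinder
+seclists
+];
+}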
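Review bot: `subfinder` is listed here and again in modules/packages/network.nix, so a host enabling both modules declares the same package twice in `users.users.lyn.packages`; keep it in one of the two lists. The module name `security` does not tell a reader that this is an opt-in assessment toolset with a large closure rather than a hardening profile; a header comment stating the intended use, and that no host enables it by default, would make that explicit.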
|
@ -1,11 +1,9 @@
|
||||||
{lib, config, pkgs, ...}: {
|
{lib, config, pkgs, ...}: {
|
||||||
imports = [
|
lyn.sops.default.enable = true;
|
||||||
../modules/sops
|
|
||||||
];
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
nix.package = config.pkgsInstances.unstable.lix;
|
nix.package = config.pkgsInstances.unstable.lix;
|
||||||
environment.variables.EDITOR = "vim";
|
environment.variables.EDITOR = "nvim";
|
||||||
|
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
|
@ -23,7 +21,8 @@
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git
|
git
|
||||||
vim
|
vim
|
||||||
|
neovim
|
||||||
wget
|
wget
|
||||||
curl
|
curl
|
||||||
htop
|
htop
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, inputs, ... }:
|
{ config, pkgs, lib, inputs, cfg, ... }:
|
||||||
{
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
docker
|
docker
|
||||||
|
@ -12,14 +12,16 @@
|
||||||
ipv6 = true;
|
ipv6 = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||||
|
opt.instancename = lib.mkOption {type = lib.types.str;};
|
||||||
# Forgejo actions runner
|
# Forgejo actions runner
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
package = config.pkgsInstances.unstable.forgejo-runner;
|
package = config.pkgsInstances.unstable.forgejo-runner;
|
||||||
instances = {
|
instances = {
|
||||||
"shibepro-ci" = {
|
"${cfg.instancename}" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
url = "https://git.shibe.pro";
|
url = "https://${cfg.domain}";
|
||||||
name = "shibepro-ci";
|
name = cfg.instancename;
|
||||||
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
||||||
labels = [];
|
labels = [];
|
||||||
};
|
};
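Review bot: `opt.domain` and `opt.instancename` are declared as bare `lib.types.str` with no `description`, and `domain` is interpolated straight into `url = "https://${cfg.domain}"`, so an empty value or one that already carries a scheme yields a malformed runner URL; tighten the type and document it, e.g. `opt.domain = lib.mkOption {type = lib.types.nonEmptyStr; description = "Host name of the Forgejo instance this runner registers with.";};`. The identical `opt.domain` declaration is repeated in services/forgejo.nix. The new `cfg` parameter in the module header is injected by meta/mkLocalMods.nix rather than by the module system, which means this file can no longer be imported directly — worth a one-line comment at the top. The enclosing attrset opens in the first hunk and continues past the end of the section.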
|
|
@ -1,11 +1,12 @@
|
||||||
{pkgs, lib, config, ...}:
|
{pkgs, lib, config, cfg, ...}:
|
||||||
with lib; with builtins; {
|
with lib; with builtins; {
|
||||||
|
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = config.pkgsInstances.unstable.forgejo;
|
package = config.pkgsInstances.unstable.forgejo;
|
||||||
settings.server = {
|
settings.server = {
|
||||||
ROOT_URL = "https://git.shibe.pro";
|
ROOT_URL = "https://${cfg.domain}";
|
||||||
DOMAIN = "git.shibe.pro";
|
DOMAIN = cfg.domain;
|
||||||
HTTP_PORT = 48540;
|
HTTP_PORT = 48540;
|
||||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||||
};
|
};
|
|
@ -16,7 +16,7 @@ in
|
||||||
name_split = lib.splitString "/" name;
|
name_split = lib.splitString "/" name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||||
} // value)
|
} // value)
|
||||||
cfg.secrets;
|
cfg.secrets;
|
||||||
};
|
};
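Review bot: `config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml` still indexes `name_split` without checking its length, so a secret declared as a bare `"foo"` fails with a raw list-index error rather than a message naming the offending secret; a guard such as `assert lib.assertMsg (builtins.length name_split == 2) "lyn.sops.secrets names must be <group>/<file>";` before the attrset makes the contract explicit. The `let … in` this sits in starts before the hunk. Switching from the relative `../../../secrets` to `config.flakePath` ties the module to the `flakePath` option declared in flake.nix, which deserves a comment here so the dependency is visible to anyone reusing the module.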
|
|
@ -1,6 +1,6 @@
|
||||||
hosts:
|
hosts:
|
||||||
forgejo-ci:
|
forgejo-ci:
|
||||||
forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
|
forgejo_ci_token: ENC[AES256_GCM,data:mUGfczGcttcKQ8kXmESnRjpOxF1WNHZn7PSuek5dsbuZyaErCqQxtIUjvV90sQ==,iv:CjTrx56WChzFq5PSGj23dirl6iWF6Nqx93yCLHJQPRo=,tag:FrkOjdAiTq0kAYaUAQKfBQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -25,8 +25,8 @@ sops:
|
||||||
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
|
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
|
||||||
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
|
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-09-06T03:55:48Z"
|
lastmodified: "2024-09-17T00:30:12Z"
|
||||||
mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
|
mac: ENC[AES256_GCM,data:bppWgKwMHPDHwHdegjcseFJefUZ2bThMWvk9s8l3IG/jRJaP5bTtdJppKeC0EGE0W1FjQtFP+aYscZRLsFYdpVqJMvo5XJp5VcW+vE1IZ09Qs5GCMpHHDEmuU5tx6h8fTIk5KLskGfxbtBvSABS+QZgF6QRa6FRq2DxVaf07P2I=,iv:NVrqJZOfpTwkTlmycR1Zg0XdHJwRkDaiR5uud7IML3g=,tag:I++gzcdhJR2eiIMJHUZ9Ag==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||