Compare commits
No commits in common. "main" and "debug" have entirely different histories.
21 changed files with 63 additions and 573 deletions
|
@ -34,11 +34,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1725634671,
|
||||
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
|
||||
"lastModified": 1725432240,
|
||||
"narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
|
||||
"rev": "ad416d066ca1222956472ab7d0555a6946746a80",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
19
flake.nix
19
flake.nix
|
@ -6,29 +6,25 @@
|
|||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
};
|
||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||
imports = [
|
||||
];
|
||||
|
||||
passInputs = ({lib,config,...}:{
|
||||
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||
config.flakePath = ./.;
|
||||
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
||||
config.inputs = inputs;
|
||||
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
|
||||
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
||||
config.pkgsInstances = {
|
||||
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
||||
};
|
||||
});
|
||||
inherit (nixpkgs) lib;
|
||||
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||
|
||||
in {
|
||||
|
||||
nixosConfigurations = {
|
||||
"forgenite" = nixpkgs.lib.nixosSystem {
|
||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/forgenite
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||
];
|
||||
};
|
||||
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||
|
@ -37,7 +33,6 @@
|
|||
./hosts/forgejo-ci
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,21 +1,17 @@
|
|||
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||
{ config, pkgs, lib, inputs, ... }: {
|
||||
imports =
|
||||
[
|
||||
./../../services/forgejo-ci.nix
|
||||
./hardware-configuration.nix
|
||||
./../../users/lyn
|
||||
./../../meta/profiles/base.nix
|
||||
./../../meta/profiles/vm.nix
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.vm.enable = true;
|
||||
lyn.services.forgejo-ci.enable = true;
|
||||
lyn.services.forgejo-ci.domain = "git.shibe.pro";
|
||||
lyn.services.forgejo-ci.instancename = "shibepro-ci";
|
||||
# Use UEFI
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
networking.hostName = "forgejo-ci"; # Define your hostname.
|
||||
networking.hostName = "forgenite"; # Define your hostname.
|
||||
|
||||
# Firewall stuff:
|
||||
networking.firewall.enable = true;
|
||||
|
|
|
@ -1,21 +1,16 @@
|
|||
{ config, pkgs, lib, inputs, ... }: {
|
||||
imports =
|
||||
[
|
||||
./../../services/forgejo.nix
|
||||
./../../users/lyn
|
||||
./hardware-configuration.nix
|
||||
./../../meta/profiles/base.nix
|
||||
./../../meta/profiles/vm.nix
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable =true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.vm.enable = true;
|
||||
|
||||
# Use UEFI
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
# enable git
|
||||
lyn.services.forgejo.enable = true;
|
||||
lyn.services.forgejo.domain = "git.shibe.pro";
|
||||
|
||||
networking.hostName = "forgenite"; # Define your hostname.
|
||||
|
||||
# Firewall stuff:
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
{
|
||||
imports = [
|
||||
./mkLocalMods.nix
|
||||
# ./enable.nix
|
||||
];
|
||||
}
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
{lib, config, ...}: {
|
||||
config.lyn.lib.enable = list: lib.genAttrs
|
||||
lib.meta.enable = list: lib.genAttrs
|
||||
list
|
||||
(
|
||||
name: {enable = true;}
|
||||
);
|
||||
(name:
|
||||
${name}.enable = true;
|
||||
)
|
||||
;
|
||||
}
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
{lib, ...}:
|
||||
let
|
||||
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
||||
#kv = key: value: {inherit key value;};
|
||||
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
|
||||
match = builtins.match "(.*)[.]nix" k;
|
||||
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
|
||||
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
|
||||
else {key = null; value = null;}
|
||||
) (builtins.readDir curPath);
|
||||
|
||||
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
|
||||
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
|
||||
else [{path = prefix ++ [k]; value = v;}]
|
||||
) as);
|
||||
|
||||
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
|
||||
|
||||
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
||||
transformLocalMod = {path, value}: let
|
||||
modFn = if lib.isFunction (import value) then import value else (p: import value);
|
||||
newMod = p: let
|
||||
paramNew = p // {
|
||||
cfg = lib.getAttrFromPath path p.config;
|
||||
};
|
||||
|
||||
pathStr = builtins.concatStringsSep "." path;
|
||||
modRaw = modFn paramNew;
|
||||
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
|
||||
|
||||
mod = modRaw.mod or {};
|
||||
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
||||
enablePath = path ++ ["enable"];
|
||||
|
||||
imports = [ {
|
||||
_file = fileCtx "`opt` processor";
|
||||
key = fileCtx "`opt` processor";
|
||||
options = lib.setAttrByPath path (modRaw.opt or {});
|
||||
} {
|
||||
_file = fileCtx "`enable` definition";
|
||||
key = fileCtx "`enable` definition";
|
||||
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
||||
} ({config, ...}: {
|
||||
_file = fileCtx "config wrapper";
|
||||
key = fileCtx "config wrapper";
|
||||
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
||||
})];
|
||||
|
||||
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
|
||||
in newMod; in lib.mirrorFunctionArgs modFn newMod;
|
||||
|
||||
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
|
||||
in mkLocalMods
|
23
meta/mkLocalModule.nix
Normal file
23
meta/mkLocalModule.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{lib, config, ...}: {
|
||||
lib.mkLocalModule = pathInterpolation: optDesc: config: let
|
||||
#example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
|
||||
marker = "local-modules";
|
||||
splitAfterMarker = marker: input: builtins.foldl' (acc: new:
|
||||
if acc == false then # marker not found yet
|
||||
if new == marker then [] else acc
|
||||
else # marker found
|
||||
if builtins.typeOf new == "string"
|
||||
then acc ++ [new]
|
||||
else acc
|
||||
) false (builtins.split "/" (builtins.toString input));
|
||||
path = splitAfterMarker marker pathInterpolation;
|
||||
inputs = {
|
||||
#optDesc = "enable this";
|
||||
inherit optDesc: config;
|
||||
};
|
||||
mod = {config, ...}: {
|
||||
options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
|
||||
config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
|
||||
};
|
||||
in mod;
|
||||
}
|
|
@ -1,100 +0,0 @@
|
|||
# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
|
||||
{ lib }:
|
||||
with lib.modules;
|
||||
let
|
||||
inherit (lib)
|
||||
addErrorContext
|
||||
all
|
||||
any
|
||||
attrByPath
|
||||
attrNames
|
||||
catAttrs
|
||||
concatLists
|
||||
concatMap
|
||||
concatStringsSep
|
||||
elem
|
||||
filter
|
||||
foldl'
|
||||
functionArgs
|
||||
getAttrFromPath
|
||||
genericClosure
|
||||
head
|
||||
id
|
||||
imap1
|
||||
isAttrs
|
||||
isBool
|
||||
isFunction
|
||||
isInOldestRelease
|
||||
isList
|
||||
isString
|
||||
length
|
||||
mapAttrs
|
||||
mapAttrsToList
|
||||
mapAttrsRecursiveCond
|
||||
min
|
||||
optional
|
||||
optionalAttrs
|
||||
optionalString
|
||||
recursiveUpdate
|
||||
reverseList sort
|
||||
seq
|
||||
setAttrByPath
|
||||
substring
|
||||
throwIfNot
|
||||
trace
|
||||
typeOf
|
||||
types
|
||||
unsafeGetAttrPos
|
||||
warn
|
||||
warnIf
|
||||
zipAttrs
|
||||
zipAttrsWith
|
||||
;
|
||||
inherit (lib.options)
|
||||
isOption
|
||||
mkOption
|
||||
showDefs
|
||||
showFiles
|
||||
showOption
|
||||
unknownModule
|
||||
;
|
||||
inherit (lib.strings)
|
||||
isConvertibleWithToString
|
||||
;
|
||||
|
||||
unifyModuleSyntax = file: key: m:
|
||||
let
|
||||
addMeta = config: if m ? meta
|
||||
then mkMerge [ config { meta = m.meta; } ]
|
||||
else config;
|
||||
addFreeformType = config: if m ? freeformType
|
||||
then mkMerge [ config { _module.freeformType = m.freeformType; } ]
|
||||
else config;
|
||||
in
|
||||
if m ? config || m ? options then
|
||||
let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
|
||||
if badAttrs != {} then
|
||||
throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
|
||||
else
|
||||
{ _file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
imports = m.imports or [];
|
||||
options = m.options or {};
|
||||
config = addFreeformType (addMeta (m.config or {}));
|
||||
}
|
||||
else
|
||||
# shorthand syntax
|
||||
throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
|
||||
{ _file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
imports = m.require or [] ++ m.imports or [];
|
||||
options = {};
|
||||
config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
|
||||
};
|
||||
|
||||
|
||||
in {inherit unifyModuleSyntax;}
|
|
@ -16,7 +16,7 @@ in
|
|||
name_split = lib.splitString "/" name;
|
||||
in
|
||||
{
|
||||
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||
sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||
} // value)
|
||||
cfg.secrets;
|
||||
};
|
|
@ -1,9 +1,11 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
lyn.sops.default.enable = true;
|
||||
imports = [
|
||||
../modules/sops
|
||||
];
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nix.package = config.pkgsInstances.unstable.lix;
|
||||
environment.variables.EDITOR = "nvim";
|
||||
environment.variables.EDITOR = "vim";
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
|
@ -21,8 +23,7 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
vim
|
||||
neovim
|
||||
vim
|
||||
wget
|
||||
curl
|
||||
htop
|
|
@ -1,299 +0,0 @@
|
|||
{lib, pkgs, config, cfg, ...}: let
|
||||
ifApparmor = cfg.apparmor.enable;
|
||||
in {
|
||||
opt.apparmor.enable = lib.mkEnableOption "apparmor";
|
||||
boot.kernelPackages = let
|
||||
kernel = pkgs.linux-libre;
|
||||
llvm = pkgs.llvmPackages_latest;
|
||||
|
||||
version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;
|
||||
major = lib.versions.major version;
|
||||
|
||||
sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;
|
||||
modDirVer = lib.replaceStrings
|
||||
[ kernel.version ]
|
||||
[ version ]
|
||||
kernel.modDirVersion;
|
||||
in lib.mkDefault (pkgs.linuxPackagesFor (kernel.override {
|
||||
stdenv = llvm.stdenv;
|
||||
extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
|
||||
kernelPatches = kernel.kernelPatches
|
||||
++ [ pkgs.kernelPatches.hardened."${kernel.meta.branch}" ];
|
||||
modDirVersionArg =
|
||||
modDirVer +
|
||||
(pkgs.kernelPatches.hardened."${kernel.meta.branch}").extra;
|
||||
isHardened = true;
|
||||
argsOverride = {
|
||||
inherit version;
|
||||
src = pkgs.fetchurl {
|
||||
url =
|
||||
"mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
|
||||
inherit sha256;
|
||||
};
|
||||
};
|
||||
structuredExtraConfig = with lib.kernel; {
|
||||
# report BUG() conditions and kill the offending process
|
||||
BUG = yes;
|
||||
|
||||
# safer page access permissions to prevent code injection
|
||||
DEBUG_RODATA = yes;
|
||||
SET_MODULE_RONX = yes;
|
||||
|
||||
# validation of commonly targeted structures
|
||||
DEBUG_CREDENTIALS = yes;
|
||||
DEBUG_NOTIFIERS = yes;
|
||||
DEBUG_PLIST = yes;
|
||||
DEBUG_SG = yes;
|
||||
SCHED_STACK_END_CHECK = yes;
|
||||
|
||||
# randomize page allocator when page_alloc.shuffle=1
|
||||
SHUFFLE_PAGE_ALLOCATOR = yes;
|
||||
|
||||
# allow enabling slub/slab free poisoning with slub_debug=P
|
||||
SLUB_DEBUG = yes;
|
||||
|
||||
# wipe higher-level memory allocations on free() with page_poison=1
|
||||
PAGE_POISONING = yes;
|
||||
PAGE_POISONING_NO_SANITY = yes;
|
||||
PAGE_POISONING_ZERO = yes;
|
||||
|
||||
|
||||
# reboot devices immediately when the kernel panics
|
||||
PANIC_TIMEOUT = freeform "-1";
|
||||
|
||||
|
||||
## GCC options (i use LLVM btw) ##
|
||||
|
||||
# GCC_PLUGINS = yes; # Enable gcc plugin options
|
||||
# Gather additional entropy at boot time for systems that may not
|
||||
# have appropriate entropy sources.
|
||||
# GCC_PLUGIN_LATENT_ENTROPY = yes;
|
||||
# GCC_PLUGIN_STRUCTLEAK = yes; # A port of the PaX structleak plugin
|
||||
# GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = yes; # also cover structs passed by address
|
||||
# GCC_PLUGIN_STACKLEAK = yes; # A port of the PaX stackleak plugin
|
||||
# GCC_PLUGIN_RANDSTRUCT = yes; # A port of the PaX randstruct plugin
|
||||
# GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = yes;
|
||||
|
||||
# enable link-time optimisation
|
||||
LTO_CLANG_THIN = yes;
|
||||
|
||||
# clear memory at reboot via EFI
|
||||
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
||||
RESET_ATTACK_MITIGATION = yes;
|
||||
|
||||
# kernel memory permission enforcement
|
||||
STRICT_KERNEL_RWX = yes;
|
||||
STRICT_MODULE_RWX = yes;
|
||||
VMAP_STACK = yes;
|
||||
|
||||
# kernel image and memory ASLR
|
||||
RANDOMIZE_BASE = yes;
|
||||
RANDOMIZE_MEMORY = yes;
|
||||
|
||||
# randomize allocator freelists, harden metadata
|
||||
SLAB_FREELIST_RANDOM = yes;
|
||||
SLAB_FREELIST_HARDENED = yes;
|
||||
RANDOM_KMALLOC_CACHES = yes;
|
||||
|
||||
# sanity check userspace page table mappings
|
||||
PAGE_TABLE_CHECK = yes;
|
||||
PAGE_TABLE_CHECK_ENFORCED = yes;
|
||||
|
||||
# randomize kernel stack offset on syscall entry
|
||||
RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
|
||||
|
||||
# stack frame overflow protection
|
||||
STACKPROTECTOR = yes;
|
||||
STACKPROTECTOR_STRONG = yes;
|
||||
|
||||
# buffer length bounds checking
|
||||
HARDENED_USERCOPY = yes;
|
||||
FORTIFY_SOURCE = yes;
|
||||
|
||||
# array index bounds checking
|
||||
UBSAN = yes;
|
||||
UBSAN_TRAP = yes;
|
||||
UBSAN_BOUNDS = yes;
|
||||
UBSAN_ALIGNMENT = yes;
|
||||
## unaligned memory access is bad and evil!!
|
||||
## sanitizing this will cause lots of reports and warnings though
|
||||
## it works on x86 though i think
|
||||
UBSAN_SHIFT = unset;
|
||||
UBSAN_DIV_ZERO = unset;
|
||||
UBSAN_UNREACHABLE = unset;
|
||||
UBSAN_SIGNED_WRAP = unset;
|
||||
UBSAN_BOOL = unset;
|
||||
UBSAN_ENUM = unset;
|
||||
|
||||
# sampling-based heap out-of-bounds and user-after-free detection
|
||||
KFENCE = yes;
|
||||
|
||||
# linked list integrity checking
|
||||
LIST_HARDENED = yes;
|
||||
|
||||
# zero-initialise heap variables on allocation
|
||||
INIT_ON_ALLOC_DEFAULT =yes;
|
||||
|
||||
# zero-initialise stack variables on function entry
|
||||
INIT_STACK_ALL_ZERO = yes;
|
||||
|
||||
# disable DMA between EFI hand-off and the kernel's IOMMU setup
|
||||
EFI_DISABLE_PCI_DMA = yes;
|
||||
|
||||
# force IOMMU TLB invalidation so devices will never be able to
|
||||
# access stale data content
|
||||
IOMMU_SUPPORT = yes;
|
||||
IOMMU_DEFAULT_DMA_STRICT = yes;
|
||||
|
||||
# do not allow direct physical memory access to non-device memory
|
||||
STRICT_DEVMEM = option no; # depends on DEVMEM
|
||||
IO_STRICT_DEVMEM = option no; # depends on DEVMEM
|
||||
|
||||
# provide userspace with seccomp BPF API
|
||||
# for syscall attack surface reduction
|
||||
SECCOMP = yes;
|
||||
SECCOMP_FILTER = yes;
|
||||
|
||||
# provides some protections against SYN flooding
|
||||
SYN_COOKIES = yes;
|
||||
|
||||
# enable kernel control flow integrity (currently Clang only)
|
||||
CFI_CLANG = yes;
|
||||
# CFI_PERMISSIVE
|
||||
|
||||
# attack surface reduction; do not autoload TTY line disciplines
|
||||
LDISC_AUTOLOAD = no;
|
||||
|
||||
# dangerous; enabling this disables userpace brk ASLR
|
||||
COMPAT_BRK = no;
|
||||
|
||||
# dangerous; exposes kernel text image layout
|
||||
PROC_KCORE = no;
|
||||
|
||||
# dangerous; enabling this disables userspace VDSO ASLR
|
||||
COMPAT_VDSO = no;
|
||||
|
||||
# attack surface reduction: use modern PTY interface (devpts) only
|
||||
LEGACY_PTYS = no;
|
||||
|
||||
# dangerous; allows writing directly to physical memory
|
||||
ACPI_CUSTOM_METHOD = no;
|
||||
|
||||
# attack surface reduction; has been used for heap based attacks
|
||||
INET_DIAG = no;
|
||||
|
||||
# Security modules
|
||||
SECURITY_SELINUX = yes;
|
||||
SECURITY_APPARMOR = yes;
|
||||
SECURITY_SAFESETID = yes;
|
||||
DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
|
||||
DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
|
||||
SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1");
|
||||
|
||||
# mark LSM hooks read-only after init
|
||||
SECURITY_WRITABLE_HOOKS = no;
|
||||
|
||||
# enable BPF; may expose kernel to spray attacks though
|
||||
BPF_JIT_ALWAYS_ON = yes;
|
||||
|
||||
# Replace menu governour with TEO
|
||||
CPU_IDLE_GOV_MENU = no;
|
||||
CPU_IDLE_GOV_TEO = yes;
|
||||
} // lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
|
||||
X86_EXTENDED_PLATFORM = no;
|
||||
|
||||
# don't sanitize unaligned memory access resulting in
|
||||
# undefined behavior because x86 supports unalligned access
|
||||
UBSAN_ALIGNMENT = no;
|
||||
|
||||
# enable chip-specific IOMMU support
|
||||
INTEL_IOMMU = yes;
|
||||
INTEL_IOMMU_DEFAULT_ON = yes;
|
||||
INTEL_IOMMU_SVM = yes;
|
||||
AMD_IOMMU = yes;
|
||||
|
||||
# enforce CET Indirect Branch Tracking in the kernel
|
||||
X86_KERNEL_IBT = yes;
|
||||
|
||||
# enable CET shadow stack for userspace
|
||||
X86_USER_SHADOW_STACK = yes;
|
||||
|
||||
# disable legacy x86 interfaces
|
||||
STRICT_SIGALTSTACK_SIZE = yes;
|
||||
LEGACY_VSYSCALL_XONLY = no;
|
||||
|
||||
# modern libc no longer needs a fixed-position mapping in userspace,
|
||||
# remove it as a possible target
|
||||
LEGACY_VSYSCALL_NONE = yes;
|
||||
|
||||
# disable IO delay
|
||||
IO_DELAY_NONE = yes;
|
||||
};
|
||||
}));
|
||||
boot.kernelParams = [
|
||||
# set apparmor as the default security module
|
||||
(lib.mkIf ifApparmor "security=apparmor")
|
||||
|
||||
# zero-fill page and slab allocations
|
||||
"init_on_free=1"
|
||||
|
||||
# disable IO delay
|
||||
"io_delay=none"
|
||||
|
||||
# enable page allocator free list randomization
|
||||
"page_alloc.shuffle=1"
|
||||
|
||||
# overwrite free()'d pages
|
||||
"page_poison=1"
|
||||
|
||||
# disable slab merging
|
||||
"slab_nomerge"
|
||||
|
||||
# disable vsyscall mechanism
|
||||
"vsyscall=none"
|
||||
|
||||
# enable transparent hugepages
|
||||
"transparent_hugepage=always"
|
||||
|
||||
# disable debugfs
|
||||
"debugfs=off"
|
||||
|
||||
# clear mlocked memory in case the program crashes
|
||||
"init_mlocked_on_free=1"
|
||||
];
|
||||
boot.kernel.sysctl = {
|
||||
# disable automatic loading of TTY line disciplines
|
||||
"dev.tty.ldisc_autoload" = 0;
|
||||
|
||||
"kernel.ftrace_enabled" = lib.mkDefault false;
|
||||
|
||||
# disable first 64 KiB of virtual memory for allocation
|
||||
"vm.mmap_min_addr" = 65536;
|
||||
|
||||
# increase ASLR randomisation
|
||||
"vm.mmap_rnd_bits" = 32;
|
||||
"vm.mmap_rnd_compat_bits" = 16;
|
||||
|
||||
# restrict ptrace()
|
||||
"kernel.yama.ptrace_scope" = 1;
|
||||
|
||||
# enable hardened eBPF JIT
|
||||
"net.core.bpf_jit_enable" = 1;
|
||||
"net.core.bpf_jit_harden" = 1;
|
||||
|
||||
# Dirty page cache ratio
|
||||
"vm.dirty_background_ratio" = 3;
|
||||
"vm.dirty_ratio" = 6;
|
||||
|
||||
# Hide kptrs even for processes with CAP_SYSLOG
|
||||
"kernel.kptr_restrict" = lib.mkOverride 500 2;
|
||||
};
|
||||
}
|
||||
# references:
|
||||
# - https://github.com/NixOS/nixpkgs/blob/e6db435973160591fe7348876a5567c729495175/pkgs/os-specific/linux/kernel/hardened/config.nix
|
||||
# - https://nixos.wiki/wiki/Linux_kernel#Custom_configuration
|
||||
# - https://kspp.github.io/
|
||||
# - linux src/arch/x86/configs/hardening.config and src/kernel/configs/hardening.config
|
||||
# - trial and error
|
||||
# - illdef
|
|
@ -1,3 +0,0 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
users.users.lyn.packages = with pkgs; [
|
||||
p7zip
|
||||
zstd
|
||||
unzip
|
||||
];
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
users.users.lyn.packages = with pkgs; [
|
||||
pinentry
|
||||
gnupg
|
||||
];
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
users.users.lyn.packages = with pkgs; [
|
||||
magic-wormhole-rs
|
||||
inetutils
|
||||
tcpdump
|
||||
tor
|
||||
wireguard-tools
|
||||
openvpn
|
||||
nmap
|
||||
netcat
|
||||
sabnzbd
|
||||
sshfs
|
||||
subfinder
|
||||
tshark
|
||||
dnsutils
|
||||
yt-dlp
|
||||
yggdrasil
|
||||
traceroute
|
||||
wget
|
||||
curl
|
||||
];
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
users.users.lyn.packages = with pkgs; [
|
||||
checksec
|
||||
mitmproxy
|
||||
mitmproxy2swagger
|
||||
websploit
|
||||
bettercap
|
||||
cantoolz
|
||||
ssh-mitm
|
||||
jadx
|
||||
frida-tools
|
||||
apktool
|
||||
thc-hydra
|
||||
john
|
||||
metasploit
|
||||
sherlock
|
||||
radare2
|
||||
subfinder
|
||||
seclists
|
||||
];
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
hosts:
|
||||
forgejo-ci:
|
||||
forgejo_ci_token: ENC[AES256_GCM,data:mUGfczGcttcKQ8kXmESnRjpOxF1WNHZn7PSuek5dsbuZyaErCqQxtIUjvV90sQ==,iv:CjTrx56WChzFq5PSGj23dirl6iWF6Nqx93yCLHJQPRo=,tag:FrkOjdAiTq0kAYaUAQKfBQ==,type:str]
|
||||
forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -25,8 +25,8 @@ sops:
|
|||
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
|
||||
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-17T00:30:12Z"
|
||||
mac: ENC[AES256_GCM,data:bppWgKwMHPDHwHdegjcseFJefUZ2bThMWvk9s8l3IG/jRJaP5bTtdJppKeC0EGE0W1FjQtFP+aYscZRLsFYdpVqJMvo5XJp5VcW+vE1IZ09Qs5GCMpHHDEmuU5tx6h8fTIk5KLskGfxbtBvSABS+QZgF6QRa6FRq2DxVaf07P2I=,iv:NVrqJZOfpTwkTlmycR1Zg0XdHJwRkDaiR5uud7IML3g=,tag:I++gzcdhJR2eiIMJHUZ9Ag==,type:str]
|
||||
lastmodified: "2024-09-06T03:55:48Z"
|
||||
mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, inputs, cfg, ... }:
|
||||
{ config, pkgs, lib, inputs, ... }:
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
docker
|
||||
|
@ -12,16 +12,14 @@
|
|||
ipv6 = true;
|
||||
};
|
||||
};
|
||||
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||
opt.instancename = lib.mkOption {type = lib.types.str;};
|
||||
# Forgejo actions runner
|
||||
services.gitea-actions-runner = {
|
||||
package = config.pkgsInstances.unstable.forgejo-runner;
|
||||
instances = {
|
||||
"${cfg.instancename}" = {
|
||||
"shibepro-ci" = {
|
||||
enable = true;
|
||||
url = "https://${cfg.domain}";
|
||||
name = cfg.instancename;
|
||||
url = "https://git.shibe.pro";
|
||||
name = "shibepro-ci";
|
||||
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
||||
labels = [];
|
||||
};
|
|
@ -1,12 +1,11 @@
|
|||
{pkgs, lib, config, cfg, ...}:
|
||||
{pkgs, lib, config, ...}:
|
||||
with lib; with builtins; {
|
||||
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
package = config.pkgsInstances.unstable.forgejo;
|
||||
settings.server = {
|
||||
ROOT_URL = "https://${cfg.domain}";
|
||||
DOMAIN = cfg.domain;
|
||||
ROOT_URL = "https://git.shibe.pro";
|
||||
DOMAIN = "git.shibe.pro";
|
||||
HTTP_PORT = 48540;
|
||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||
};
|
Loading…
Reference in a new issue