From 1a07cd8e274f561b9cc4f7ec0d3c99fe2ac72338 Mon Sep 17 00:00:00 2001
From: ChaotiCryptidz
Date: Sun, 16 Jan 2022 11:37:09 +0000
Subject: [PATCH] move cross and kernels into seporate profile things
---
 hosts/lappy/lappy.nix | 15 ++---
 profiles/cross/arm64.nix | 8 +++
 profiles/hardening/hardening.nix | 101 -------------------------------
 profiles/kernels/latest.nix | 1 +
 4 files changed, 15 insertions(+), 110 deletions(-)
 create mode 100644 profiles/cross/arm64.nix
 delete mode 100644 profiles/hardening/hardening.nix
 create mode 100644 profiles/kernels/latest.nix
diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix
index ef42405..41650af 100644
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@@ -9,6 +9,9 @@
profiles.printing profiles.sshd
+ # required for dualsense controller
+ profiles.kernels.latest
+
profiles.laptop profiles.gui
@@ -22,6 +25,9 @@
# for sci-hub and whenever websites break profiles.tor
+
+ # For cross compiling and deploying to raspberry
+ profiles.cross.arm64
]; home-manager.users.root = { imports = with tree; [ home.base ]; };
@@ -53,18 +59,9 @@
]; };
- boot.binfmt = {
- emulatedSystems = [ "aarch64-linux" ];
- registrations.aarch64-linux = {
- interpreter = lib.mkForce "${pkgs.qemu}/bin/qemu-aarch64";
- };
- };
-
services.getty.extraArgs = [ "--skip-login" "--login-options" "chaoticryptidz" ];
- boot.kernelPackages = pkgs.linuxPackages_latest;
-
networking.firewall.enable = true; # let vscode, vivaldi, etc work.
security.unprivilegedUsernsClone = true;
diff --git a/profiles/cross/arm64.nix b/profiles/cross/arm64.nix
new file mode 100644
index 0000000..62e50c9
--- /dev/null
+++ b/profiles/cross/arm64.nix
@@ -0,0 +1,8 @@
+{ pkgs, lib, ... }: {
+ boot.binfmt = {
+ emulatedSystems = [ "aarch64-linux" ];
+ registrations.aarch64-linux = {
+ interpreter = lib.mkForce "${pkgs.qemu}/bin/qemu-aarch64";
+ };
+ };
+}
diff --git a/profiles/hardening/hardening.nix b/profiles/hardening/hardening.nix
deleted file mode 100644
index 3d49032..0000000 
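Review bot: The `lib.mkForce` on `interpreter` inside the new `registrations.aarch64-linux` block in profiles/cross/arm64.nix discards whatever interpreter the binfmt module presumably derives from `emulatedSystems`, and nothing in the file says why the module's own choice is not acceptable, so the next reader has no way to tell a deliberate override from a stale copy of the block that this commit removes from lappy.nix. A why-comment above the `interpreter = ...` line would settle that, e.g. `# force the qemu-aarch64 from pkgs.qemu over the binfmt module's default interpreter — TODO record why the default is unsuitable`. Worth remembering when deciding which hosts import this profile: a binfmt_misc registration is kernel-wide, so once it is active every aarch64 ELF executed by any user on the host is run through the registered qemu binary, which is why it belongs only on machines that actually do cross builds, as the lappy.nix comment already implies.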
--- a/profiles/hardening/hardening.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, pkgs, lib, ... }: {
- # modified from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
- # but with some stuff not turned on
-
- boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
-
- environment.memoryAllocator.provider = "scudo";
- environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
-
- # TODO: this breaks NetworkManager
- # security.lockKernelModules = true;
-
- security.protectKernelImage = true;
-
- security.forcePageTableIsolation = true;
-
- # This is required by podman to run containers in rootless mode.
- security.unprivilegedUsernsClone =
- lib.mkDefault config.virtualisation.containers.enable;
-
- security.virtualisation.flushL1DataCache = "always";
-
- boot.kernelParams = [
- # Slab/slub sanity checks, redzoning, and poisoning
- "slub_debug=FZP"
-
- # Overwrite free'd memory
- "page_poison=1"
-
- # Enable page allocator randomization
- "page_alloc.shuffle=1"
-
- # Disable slab merging
- "slab_nomerge"
-
- # Zero memory on alloc and init
- # Scudo should do this but make kernel do it as well
- "init_on_alloc=1"
- "init_on_free=1"
-
- # Make page allocations less predictable
- "page_alloc.shuffle=1"
-
- # Turn on page table isolation
- "pti=on"
-
- # Disable vsyscalls
- "vsyscall=none"
-
- # Disable debugfs
- "debugfs=off"
- ];
-
- boot.kernel.sysctl = {
- # Restrict ptrace() usage to processes with a pre-defined relationship
- # (e.g., parent/child)
- "kernel.yama.ptrace_scope" = 1;
-
- # Hide kptrs even for processes with CAP_SYSLOG
- "kernel.kptr_restrict" = 2;
-
- # Disable bpf() JIT (to eliminate spray attacks)
- "net.core.bpf_jit_enable" = false;
-
- # Disable unprivileged bpf
- "kernel.unprivileged_bpf_disabled" = 1;
-
- # Disable ftrace debugging
- "kernel.ftrace_enabled" = false;
-
- # Disable kexec
- "kernel.kexec_load_disabled" = 1;
-
- # Disable sysrq
- "kernel.sysrq" = 0;
-
- # Enable strict reverse path filtering (that is, do not attempt to route
- # packets that "obviously" do not belong to the iface's network; dropped
- # packets are logged as martians).
- "net.ipv4.conf.all.log_martians" = true;
- "net.ipv4.conf.all.rp_filter" = "1";
- "net.ipv4.conf.default.log_martians" = true;
- "net.ipv4.conf.default.rp_filter" = "1";
-
- # Ignore broadcast ICMP (mitigate SMURF)
- "net.ipv4.icmp_echo_ignore_broadcasts" = true;
-
- # Ignore incoming ICMP redirects (note: default is needed to ensure that the
- # setting is applied to interfaces added after the sysctls are set)
- "net.ipv4.conf.all.accept_redirects" = false;
- "net.ipv4.conf.all.secure_redirects" = false;
- "net.ipv4.conf.default.accept_redirects" = false;
- "net.ipv4.conf.default.secure_redirects" = false;
- "net.ipv6.conf.all.accept_redirects" = false;
- "net.ipv6.conf.default.accept_redirects" = false;
-
- # Ignore outgoing ICMP redirects (this is ipv4 only)
- "net.ipv4.conf.all.send_redirects" = false;
- "net.ipv4.conf.default.send_redirects" = false;
- };
-}
diff --git a/profiles/kernels/latest.nix b/profiles/kernels/latest.nix
new file mode 100644
index 0000000..d268c3d
--- /dev/null
+++ b/profiles/kernels/latest.nix
@@ -0,0 +1 @@
+{ pkgs, ... }: { boot.kernelPackages = pkgs.linuxPackages_latest; }