#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
#environment.memoryAllocator.provider = "libc";
nix.settings.allowed-users = [ "@users" ];
+ /*
+ nix.settings.substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ nix.settings.trusted-public-keys = [
+ "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ */
+ nix.settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
security.allowSimultaneousMultithreading = false;
- security.apparmor.enable = lib.mkDefault true;
+ security.apparmor.enable = mkDefault true;
security.forcePageTableIsolation = true;
- security.lockKernelModules = lib.mkDefault true;
+ security.lockKernelModules = mkDefault true;
security.protectKernelImage = true;
security.virtualisation.flushL1DataCache = "always";
+ # Only allow members of the wheel group to execute sudo by setting
+ # the executable’s permissions accordingly.
+ # This prevents users that are not members of wheel
+ # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+ security.sudo.execWheelOnly = true;
boot.blacklistedKernelModules = [
# Obscure network protocols
"ax25"
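Review bot: The new `nix.settings.trusted-users = [ "root" "@wheel" ];` makes every wheel member a Nix trusted user, and the Nix manual describes trusted users as able to set arbitrary substituters and import unsigned store paths, which is effectively root on the daemon; that undercuts the per-user hardening added in the same hunk (`execWheelOnly`, locked kernel modules, AppArmor). Unless a documented workflow needs it, keep the list to root and let a host opt in explicitly, e.g. `nix.settings.trusted-users = mkDefault [ "root" ];`, or add a comment above the list stating why wheel-wide trust is acceptable here. The `/* ... */` block just above it commits a disabled substituter and its pinned signing key with no explanation; either drop it or add a comment saying when it is meant to be enabled, so it does not linger as unreviewed archaeology.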
"net.ipv4.tcp_fack" = 0;
*/
# Generate a random IPv6 address
- "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
- "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
+ "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
+ "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
# Restricts usage of ptrace to only processes
# with the CAP_SYS_PTRACE capability
"kernel.yama.ptrace_scope" = 2;
SystemMaxUse=100M
'';
systemd.coredump = {
- enable = lib.mkDefault false;
+ enable = mkDefault false;
extraConfig = ''
Compress=true
MaxUse=1024M
'';
};
services.openssh = {
- openFirewall = lib.mkDefault false;
+ # Avoid TOFU MITM by providing well known public keys here.
+ knownHosts = {
+ "git.sr.ht".hostNames = [ "git.sr.ht" ];
+ "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+
+ "github.com".hostNames = [ "github.com" ];
+ "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+ "gitlab.com".hostNames = [ "gitlab.com" ];
+ "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+ };
+ openFirewall = mkDefault false;
settings = {
+ KbdInteractiveAuthentication = mkDefault false;
+ # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
PasswordAuthentication = false;
+ # Remove any remote gpg-agent's socket.
+ StreamLocalBindUnlink = true;
+ UseDns = mkDefault false;
+ X11Forwarding = mkDefault false;
};
};
}
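Review bot: `KbdInteractiveAuthentication = mkDefault false;` is overridable while `PasswordAuthentication = false;` two lines below is not, and keyboard-interactive is typically the PAM password path, so a later module setting it to true re-enables password logins this block appears to intend to disable; make the two consistent, e.g. `KbdInteractiveAuthentication = false;`, or add a comment stating why the override is permitted. The three `knownHosts` entries pin host keys that a reader of this file cannot verify in place; add a comment above the block naming where each key was taken from and when it was checked (e.g. `# Keys verified against each provider's published fingerprint page on <DATE>`), since a provider rotation turns these pins into hard connection failures rather than a TOFU prompt. The comment on `StreamLocalBindUnlink` is narrower than the option: it unlinks any existing Unix socket at a forwarding path before binding, not only gpg-agent's, so `# Unlink a stale Unix socket before binding a forwarded one (e.g. a remote gpg-agent socket).` would be more accurate.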