From 61befd2849cc92fdc395a7dda798ca3f2547f029 Mon Sep 17 00:00:00 2001
From: xnm
Date: Sun, 26 Nov 2023 21:28:27 +0200
Subject: [PATCH] security update

Checklog:
1. Enabled `SELinux` patches
2. Enabled `tomoyo` Linux Security Module
3. Added snippet for `Mullvad VPN`
4. Added snippet for `containerd`
5. Added snippet for `firecracker`
---
README.md | 2 ++
nixos/configuration.nix | 45 +++++++++++++++++++++++++++++++++++++----
2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 0ddc7c5..ea9ecae 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,8 @@ This approach ensures that you stay on the forefront of technology, receiving th
 🚨Please note that the system utilizes **Podman** instead of **Docker** for containerization due to various reasons, primarily related to security (rootless and daemonless containers), easier migration to Kubernetes, availability of pods, compatibility with systemd, and better security for `distrobox`. If you prefer to use **Docker** instead of **Podman**, you can make the switch by commenting out the **Podman** section in the `configuration.nix` file and uncommenting the **Docker** section. More details on **Docker** configuration in NixOS can be found [here](https://nixos.wiki/wiki/Docker).
+The system also enables SELinux patches, as well as AppArmor and Tomoyo Linux Security Modules. It includes security daemons such as Fail2Ban and USBGuard, with Firejail preinstalled to meet your security requirements.
+
 You have the flexibility to customize these configurations according to your needs by modifying the respective configuration files.
 ## 🌟 Showcase
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 5f44350..56e5dce 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -17,7 +17,6 @@
 boot.loader.timeout = 2;
 boot.initrd.enable = true;
 boot.initrd.systemd.enable = true;
- boot.kernelParams = [ "quiet" "fbcon=nodefer" "vt.global_cursor_default=0" "kernel.modules_disabled=1" "lsm=landlock,lockdown,yama,integrity,apparmor,bpf" "usbcore.autosuspend=-1" "video4linux" "acpi_rev_override=5" ];
 boot.plymouth = {
 enable = true;
 # logo = pkgs.fetchurl {
@@ -168,6 +167,28 @@
 # Linux Kernel
 boot.kernelPackages = pkgs.linuxKernel.packages.linux_testing;
+ boot.kernelParams = [
+ "quiet"
+ "fbcon=nodefer"
+ "vt.global_cursor_default=0"
+ "kernel.modules_disabled=1"
+ "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+ "usbcore.autosuspend=-1"
+ "video4linux"
+ "acpi_rev_override=5"
+ "security=selinux"
+ ];
+ # boot.kernelPatches = [ {
+ # name = "selinux-config";
+ # patch = null;
+ # extraConfig = ''
+ # SECURITY_SELINUX y
+ # SECURITY_SELINUX_BOOTPARAM n
+ # SECURITY_SELINUX_DEVELOP y
+ # SECURITY_SELINUX_AVC_STATS y
+ # DEFAULT_SECURITY_SELINUX n
+ # '';
+ # } ];
 # Enable networking
 networking.networkmanager = {
@@ -271,6 +292,10 @@
 StateDirectory = "dnscrypt-proxy";
 };
+ # Enable Mullvad VPN
+ # services.mullvad-vpn.enable = true;
+ # services.mullvad-vpn.package = pkgs.mullvad; # `pkgs.mullvad` only provides the CLI tool, use `pkgs.mullvad-vpn` instead if you want to use the CLI and the GUI.
+
 # Enable MAC Randomize
 # systemd.services.macchanger = {
 # enable = true;
@@ -339,6 +364,7 @@
 };
 # Systemd services setup
+ systemd.package = pkgs.systemd.override { withSelinux = true; };
 systemd.packages = with pkgs; [
 auto-cpufreq
 ];
@@ -391,7 +417,11 @@
 # Enable CUPS to print documents.
 # services.printing.enable = true;
- # Enable container manager
+ ### Enable container manager
+
+ # Enable Containerd
+ # virtualisation.containerd.enable = true;
+
 # Enable Docker
 # virtualisation.docker.enable = true;
 # virtualisation.docker.rootless = {
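Review bot: The new `lsm=` list in the -168 hunk does not bring up SELinux as the commit message and the added README sentence claim, because AppArmor and SELinux are both exclusive major LSMs and the kernel initialises only the first exclusive one it meets in the list — here `apparmor` — while `security=selinux` is ignored outright whenever `lsm=` is present (the kernel logs a warning saying so); TOMOYO, by contrast, is stackable and should come up alongside AppArmor if it is compiled in. If SELinux is meant to be the active major LSM, `apparmor` has to leave the list and `selinux` take its place, e.g. `"lsm=landlock,lockdown,yama,integrity,selinux,bpf,tomoyo"`, with the now-redundant `"security=selinux"` dropped; that also presumes the `linux_testing` build has `SECURITY_SELINUX` set, which the commented-out `boot.kernelPatches` block below suggests has not been confirmed. After a reboot, `cat /sys/kernel/security/lsm` lists the modules that were actually initialised and is the quickest way to verify either way. Separately, `kernel.modules_disabled=1`, carried over from the removed line, is a sysctl key rather than a boot parameter; as far as I can tell the kernel only applies it from the command line with the `sysctl.` prefix, so as written it is presumably passed through to init unchanged.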
@@ -399,6 +429,7 @@
 # setSocketVariable = true;
 # };
 # users.extraGroups.docker.members = [ "xnm" ];
+
 # Enable Podman
 virtualisation = {
 podman = {
@@ -474,6 +505,7 @@
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
+ policycoreutils
 mold
 gcc13
 jdk11
@@ -526,13 +558,12 @@
 wasmi
 # wasm3
+ # mullvad-closest
 license-generator
 git-ignore
 just
 xh
 tgpt
- distrobox
- qemu
 wezterm
 cool-retro-term
 # mcfly # terminal history
@@ -573,6 +604,12 @@
 felix-fm
 chafa
+ # nerdctl
+ # firecracker
+ # firectl
+ # flintlock
+ distrobox
+ qemu
 podman-compose
 podman-tui
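Review bot: `policycoreutils` in the -474 hunk only adds the SELinux management userspace; nothing in this commit installs or loads a policy, and without one the kernel side has nothing to enforce even where it does initialise, so the package is inert on its own. A comment beside it would keep the next reader from assuming enforcement is in place, e.g. `policycoreutils # SELinux userspace tools only; a policy must be installed and loaded before SELinux enforces anything`. As noted on the kernel-parameter hunk, the `lsm=` ordering there appears to leave AppArmor rather than SELinux as the active exclusive LSM, so these tools have nothing to manage as the commit stands.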