
security update

Changelog:
1. Enabled `SELinux` patches
2. Enabled `tomoyo` Linux Security Module
3. Added snippet for `Mullvad VPN`
4. Added snippet for `containerd`
5. Added snippet for `firecracker`
This commit is contained in:
xnm
2023-11-26 21:28:27 +02:00
parent 83316f40f7
commit 61befd2849
2 changed files with 43 additions and 4 deletions


@@ -40,6 +40,8 @@ This approach ensures that you stay on the forefront of technology, receiving th
🚨Please note that the system utilizes **Podman** instead of **Docker** for containerization due to various reasons, primarily related to security (rootless and daemonless containers), easier migration to Kubernetes, availability of pods, compatibility with systemd, and better security for `distrobox`. If you prefer to use **Docker** instead of **Podman**, you can make the switch by commenting out the **Podman** section in the `configuration.nix` file and uncommenting the **Docker** section. More details on **Docker** configuration in NixOS can be found [here](https://nixos.wiki/wiki/Docker). 🚨Please note that the system utilizes **Podman** instead of **Docker** for containerization due to various reasons, primarily related to security (rootless and daemonless containers), easier migration to Kubernetes, availability of pods, compatibility with systemd, and better security for `distrobox`. If you prefer to use **Docker** instead of **Podman**, you can make the switch by commenting out the **Podman** section in the `configuration.nix` file and uncommenting the **Docker** section. More details on **Docker** configuration in NixOS can be found [here](https://nixos.wiki/wiki/Docker).
The system also enables SELinux patches, as well as AppArmor and Tomoyo Linux Security Modules. It includes security daemons such as Fail2Ban and USBGuard, with Firejail preinstalled to meet your security requirements.
You have the flexibility to customize these configurations according to your needs by modifying the respective configuration files. You have the flexibility to customize these configurations according to your needs by modifying the respective configuration files.
## 🌟 Showcase ## 🌟 Showcase


@@ -17,7 +17,6 @@
boot.loader.timeout = 2; boot.loader.timeout = 2;
boot.initrd.enable = true; boot.initrd.enable = true;
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
boot.kernelParams = [ "quiet" "fbcon=nodefer" "vt.global_cursor_default=0" "kernel.modules_disabled=1" "lsm=landlock,lockdown,yama,integrity,apparmor,bpf" "usbcore.autosuspend=-1" "video4linux" "acpi_rev_override=5" ];
boot.plymouth = { boot.plymouth = {
enable = true; enable = true;
# logo = pkgs.fetchurl { # logo = pkgs.fetchurl {
@@ -168,6 +167,28 @@
# Linux Kernel # Linux Kernel
boot.kernelPackages = pkgs.linuxKernel.packages.linux_testing; boot.kernelPackages = pkgs.linuxKernel.packages.linux_testing;
boot.kernelParams = [
"quiet"
"fbcon=nodefer"
"vt.global_cursor_default=0"
"kernel.modules_disabled=1"
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
"usbcore.autosuspend=-1"
"video4linux"
"acpi_rev_override=5"
"security=selinux"
];
# boot.kernelPatches = [ {
# name = "selinux-config";
# patch = null;
# extraConfig = ''
# SECURITY_SELINUX y
# SECURITY_SELINUX_BOOTPARAM n
# SECURITY_SELINUX_DEVELOP y
# SECURITY_SELINUX_AVC_STATS y
# DEFAULT_SECURITY_SELINUX n
# '';
# } ];
# Enable networking # Enable networking
networking.networkmanager = { networking.networkmanager = {
@@ -271,6 +292,10 @@
StateDirectory = "dnscrypt-proxy"; StateDirectory = "dnscrypt-proxy";
}; };
# Enable Mullvad VPN
# services.mullvad-vpn.enable = true;
# services.mullvad-vpn.package = pkgs.mullvad; # `pkgs.mullvad` only provides the CLI tool, use `pkgs.mullvad-vpn` instead if you want to use the CLI and the GUI.
# Enable MAC Randomize # Enable MAC Randomize
# systemd.services.macchanger = { # systemd.services.macchanger = {
# enable = true; # enable = true;
@@ -339,6 +364,7 @@
}; };
# Systemd services setup # Systemd services setup
systemd.package = pkgs.systemd.override { withSelinux = true; };
systemd.packages = with pkgs; [ systemd.packages = with pkgs; [
auto-cpufreq auto-cpufreq
]; ];
@@ -391,7 +417,11 @@
# Enable CUPS to print documents. # Enable CUPS to print documents.
# services.printing.enable = true; # services.printing.enable = true;
# Enable container manager ### Enable container manager
# Enable Containerd
# virtualisation.containerd.enable = true;
# Enable Docker # Enable Docker
# virtualisation.docker.enable = true; # virtualisation.docker.enable = true;
# virtualisation.docker.rootless = { # virtualisation.docker.rootless = {
@@ -399,6 +429,7 @@
# setSocketVariable = true; # setSocketVariable = true;
# }; # };
# users.extraGroups.docker.members = [ "xnm" ]; # users.extraGroups.docker.members = [ "xnm" ];
# Enable Podman # Enable Podman
virtualisation = { virtualisation = {
podman = { podman = {
@@ -474,6 +505,7 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
policycoreutils
mold mold
gcc13 gcc13
jdk11 jdk11
@@ -526,13 +558,12 @@
wasmi wasmi
# wasm3 # wasm3
# mullvad-closest
license-generator license-generator
git-ignore git-ignore
just just
xh xh
tgpt tgpt
distrobox
qemu
wezterm wezterm
cool-retro-term cool-retro-term
# mcfly # terminal history # mcfly # terminal history
@@ -573,6 +604,12 @@
felix-fm felix-fm
chafa chafa
# nerdctl
# firecracker
# firectl
# flintlock
distrobox
qemu
podman-compose podman-compose
podman-tui podman-tui
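Review bot: The `"security=selinux"` entry added at line 50 of configuration.nix is a no-op next to the `lsm=` list on line 46, because the kernel discards `security=` whenever `lsm=` is present, and within `lsm=` only the first exclusive major module initialises — with `apparmor` listed before `selinux`, AppArmor wins and SELinux is reported as disabled (TOMOYO is stackable and would still load). If SELinux is the intended MAC, make it the sole exclusive module, e.g. `"lsm=landlock,lockdown,yama,integrity,selinux,bpf,tomoyo"`, and delete the `"security=selinux"` line; otherwise drop `selinux` from the list along with the `systemd.package` override and `policycoreutils`, so the config does not look SELinux-enabled while actually enforcing AppArmor. This also presumes the `linux_testing` kernel is built with SELinux support, which seems unsettled given that the `boot.kernelPatches` block is commented out while the commit message claims the SELinux patches are enabled, and no policy is loaded anywhere, so SELinux would sit without a policy rather than enforce. The `boot.kernelParams` list lives inside the top-level configuration attrset, whose start and end are outside the hunk.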