From 6eef6108c4027abf215d197f3f2b64725b0a45df Mon Sep 17 00:00:00 2001
From: kenji
Date: Tue, 30 Dec 2025 19:20:21 -0600
Subject: [PATCH] fix(security): harden system configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove SSH service (was temporary)
- Close unused firewall ports (22, 80, 53)
- Require sudo password for wheel group
- Disable systemd-boot editor to prevent boot tampering
- Remove boot.shell_on_fail kernel parameter
- Add kernel hardening parameters (slab_nomerge, init_on_alloc, etc.)
- Add sysctl hardening (dmesg_restrict, kptr_restrict, etc.)
- Disable Avahi firewall broadcast
- Disable Bluetooth auto power-on at boot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 TODO.md | 3 ---
 modules/nixos/boot.nix | 1 +
 modules/nixos/hardware.nix | 6 +++---
 modules/nixos/kernel.nix | 14 +++++++++++++-
 modules/nixos/security.nix | 9 +++++++++
 modules/nixos/services.nix | 3 +--
 6 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/TODO.md b/TODO.md
index 3c8bf5f..4bebd2a 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,3 @@
 * fix: special workspace preload always loads first. Toggling it back is easy, but i'd rather create a new sh script that forces back to normal workspace.
-* add: hypridle
 * add: similar to omarchy-menu
 * cleanup: stylix configurations and wallpaper
-* cleanup: convert `anonymize` fixme's to secret keys
-* add: hyprlock
diff --git a/modules/nixos/boot.nix b/modules/nixos/boot.nix
index 9999b49..38aedc7 100644
--- a/modules/nixos/boot.nix
+++ b/modules/nixos/boot.nix
@@ -6,6 +6,7 @@
 timeout = 0;
 systemd-boot = {
 enable = true;
+ editor = false;
 };
 efi = {
diff --git a/modules/nixos/hardware.nix b/modules/nixos/hardware.nix
index 1ae3d3d..5da7b93 100644
--- a/modules/nixos/hardware.nix
+++ b/modules/nixos/hardware.nix
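Review bot: `editor = false;` in boot.nix is the one line in this file that records a security decision and it carries no comment; add `# disallow editing the kernel command line from the boot menu` above it. The option only removes the interactive edit path inside systemd-boot; it does nothing against booting other media or reading the ESP, so it is worth noting that firmware/UEFI settings are out of scope for this diff. Given `timeout = 0;` two lines above, the menu is presumably only reachable by keypress anyway, so the practical effect is closing that remaining path, which the comment could say. The enclosing `loader` attribute set starts and ends outside the hunk.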
@@ -6,7 +6,7 @@
 hardware = {
 bluetooth = {
 enable = true;
- powerOnBoot = true;
+ powerOnBoot = false;
 };
 };
 networking = {
@@ -16,8 +16,8 @@
 wireless.iwd.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [22 80];
- allowedUDPPorts = [53];
+ allowedTCPPorts = [];
+ allowedUDPPorts = [];
 };
 };
 }
diff --git a/modules/nixos/kernel.nix b/modules/nixos/kernel.nix
index f158eab..c2389bf 100644
--- a/modules/nixos/kernel.nix
+++ b/modules/nixos/kernel.nix
@@ -5,9 +5,21 @@
 "quiet"
 "splash"
 "intremap=on"
- "boot.shell_on_fail"
 "udev.log_priority=3"
 "rd.systemd.show_status=auto"
+ # Security hardening
+ "slab_nomerge"
+ "init_on_alloc=1"
+ "init_on_free=1"
+ "page_alloc.shuffle=1"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
 ];
+ kernel.sysctl = {
+ "kernel.dmesg_restrict" = 1;
+ "kernel.kptr_restrict" = 2;
+ "kernel.unprivileged_bpf_disabled" = 1;
+ "net.core.bpf_jit_harden" = 2;
+ };
 };
 }
diff --git a/modules/nixos/security.nix b/modules/nixos/security.nix
index 0d726ce..75df300 100644
--- a/modules/nixos/security.nix
+++ b/modules/nixos/security.nix
@@ -5,6 +5,15 @@
 ...
 }: {
 security.pam.services.greetd.enableGnomeKeyring = true;
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = true;
+ execWheelOnly = true;
+ extraConfig = ''
+ Defaults timestamp_timeout=15
+ Defaults passwd_tries=3
+ '';
+ };
 environment.systemPackages = with pkgs; [
 sops
 age
diff --git a/modules/nixos/services.nix b/modules/nixos/services.nix
index 072c11e..deddea6 100644
--- a/modules/nixos/services.nix
+++ b/modules/nixos/services.nix
@@ -18,7 +18,6 @@
 };
 # essentials
- openssh.enable = true; # FIXME: remove when done
 blueman.enable = true;
 # for encryption support for unfree apps
@@ -29,7 +28,7 @@
 avahi = {
 enable = true;
 nssmdns4 = true;
- openFirewall = true;
+ openFirewall = false;
 };
 pipewire = {
 enable = true;
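Review bot: `allowedTCPPorts = [];` and `allowedUDPPorts = [];` in the hardware.nix firewall hunk are the option defaults, so after this change the two lines state nothing; either drop them or keep them with a comment such as `# intentionally empty: nothing should accept inbound connections` so a later edit does not quietly re-add ports. Closing 22 matches the openssh removal in services.nix, but if openssh is ever re-enabled its own `openFirewall` option (which I believe defaults to true) reopens the port regardless of this list, and the comment could say so. The enclosing `networking` set starts outside the hunk.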
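Review bot: `"kernel.unprivileged_bpf_disabled" = 1;` in kernel.nix is a one-way switch: once the running kernel has accepted 1 it refuses to set the sysctl back to 0 until reboot, whereas 2 also disables unprivileged BPF but stays changeable; keep 1 if permanence is the intent, and say so in a comment. The `# Security hardening` comment should also name the trade-offs the new parameters carry — `init_on_free=1` zeroes every freed page at a measurable throughput cost, and `vsyscall=none` breaks very old statically linked binaries — so a reader knows what to relax first if something misbehaves. The attribute set these lines sit in (presumably `boot`) starts outside the hunk.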
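Review bot: `Defaults timestamp_timeout=15` in security.nix lengthens sudo's cached-credential window from the upstream default of 5 minutes to 15, which loosens rather than tightens the policy the commit message describes ("Require sudo password for wheel group"); either drop the line, set it at or below the default, or add a comment stating that the longer cache is a deliberate convenience trade-off. `Defaults passwd_tries=3` and `wheelNeedsPassword = true;` are already the sudo and NixOS defaults respectively, so the lines that actually change behaviour are `execWheelOnly = true;` and the timeout, and a one-line comment above the block saying that would help the next reader. Since `extraConfig` is literal sudoers text, a comment noting that NixOS validates the generated file with visudo at build time (syntax only, not intent) would also be useful here.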
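Review bot: `openFirewall = false;` on avahi in services.nix while `nssmdns4 = true;` stays enabled likely leaves mDNS half-working: the daemon still runs and the resolver still consults it, but inbound UDP 5353 is now dropped (the hardware.nix hunk also empties `allowedUDPPorts`), and multicast replies are not generally matched by connection tracking, so `.local` lookups and service discovery would fail or time out. If discovery is not wanted, disable avahi and `nssmdns4` as well so the daemon is not running at all; if it is wanted, keep the port open and document why. Either way add a comment on the line stating which it is, e.g. `# mDNS discovery disabled: UDP 5353 stays closed`.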