feat: add systemd

hardenedlinux · Dec 13, 2023 · baaec4d · baaec4d
1 parent 0cff035
commit baaec4d
Show file tree

Hide file tree

Showing 8 changed files with 106 additions and 17 deletions.
diff --git a/nix/src/pops/lego.nix b/nix/src/pops/lego.nix
@@ -0,0 +1,9 @@
+{
+  omnibus,
+  projectDir,
+  inputs,
+}:
+omnibus.pops.load {
+  src = projectDir + /units/lego;
+  inputs = {};
+}
diff --git a/nix/src/pops/nixosProfiles.nix b/nix/src/pops/nixosProfiles.nix
@@ -13,16 +13,19 @@
       };
     };
   };
-  nixos = eachSystem (system: omnibus.pops.nixosProfiles.addLoadExtender {
-    load = {
-      src = projectDir + /units/nixosProfiles;
-      type = "nixosProfilesOmnibus";
-      inputs = {
-        inherit system;
-        inputs = inputs // {
-          inherit ((omnibus.flake.setSystem system).inputs) nixos-23_11;
+  nixos = eachSystem (
+    system:
+    omnibus.pops.nixosProfiles.addLoadExtender {
+      load = {
+        src = projectDir + /units/nixosProfiles;
+        type = "nixosProfilesOmnibus";
+        inputs = {
+          inherit system;
+          inputs = inputs // {
+            inherit ((omnibus.flake.setSystem system).inputs) nixos-23_11;
+          };
         };
       };
-    };
-  });
+    }
+  );
 }
diff --git a/nix/std/cells/repo/nixago.nix b/nix/std/cells/repo/nixago.nix
@@ -25,8 +25,10 @@ in
 
   nginx = inputs.std.lib.dev.mkNixago {
     data = {
-      ansible-collection-hardening = inputs.lego-hardening.units.ansible-collection-hardening.${nixpkgs.system}.nginx.argument_specs;
-      nixos = inputs.lego-hardening.units.nixosProfiles.nixos.${nixpkgs.system}.options.nginxNixosOptionsDocJson;
+      ansible-collection-hardening =
+        inputs.lego-hardening.units.ansible-collection-hardening.${nixpkgs.system}.nginx.argument_specs;
+      nixos =
+        inputs.lego-hardening.units.nixosProfiles.nixos.${nixpkgs.system}.options.nginxNixosOptionsDocJson;
     };
     output = "compare/nginx.yml";
     format = "yaml";

diff --git a/nix/std/flake.nix b/nix/std/flake.nix
@@ -22,9 +22,13 @@
     {std, call-flake, ...}@inputs:
     std.growOn
       {
-        inputs = inputs // (call-flake ../lock).inputs // (call-flake ../..).inputs // {
-          lego-hardening = call-flake ../..;
-        };
+        inputs =
+          inputs
+          // (call-flake ../lock).inputs
+          // (call-flake ../..).inputs
+          // {
+            lego-hardening = call-flake ../..;
+          };
         cellsFrom = ./cells;
 
         cellBlocks = with std.blockTypes; [

diff --git a/units/dev-sec/ansible-collection-hardening/nginx.nix b/units/dev-sec/ansible-collection-hardening/nginx.nix
@@ -1,7 +1,8 @@
 {ansibleCollectionHardeningSrc}:
 let
   defaults = ansibleCollectionHardeningSrc.roles.nginx_hardening.defaults.main;
-  argument_specs = ansibleCollectionHardeningSrc.roles.nginx_hardening.meta.argument_specs;
+  argument_specs =
+    ansibleCollectionHardeningSrc.roles.nginx_hardening.meta.argument_specs;
 in
 {
   inherit defaults argument_specs;

diff --git a/units/lego/os/sysctl.nix b/units/lego/os/sysctl.nix
@@ -0,0 +1,11 @@
+{
+  default = [
+    {
+      keywords = ["sysctl"];
+      knowlaedges = [
+        " https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl"
+      ];
+      profiles = [];
+    }
+  ];
+}
diff --git a/units/lego/os/systemd.nix b/units/lego/os/systemd.nix
@@ -0,0 +1,55 @@
+{self}:
+{
+  isolate = {
+    CapabilityBoundingSet = "";
+    DeviceAllow = "";
+    IPAddressDeny = "any";
+    KeyringMode = "private";
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    NoNewPrivileges = true;
+    NotifyAccess = "none";
+    ProcSubset = "pid";
+    RemoveIPC = true;
+
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateNetwork = true;
+    PrivateTmp = true;
+    PrivateUsers = true;
+
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectHostname = true;
+    ProtectProc = "invisible";
+    ProtectSystem = "strict";
+    RestrictAddressFamilies = "";
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+  };
+  cap = {
+    AmbientCapabilities = [
+      "CAP_NET_BIND_SERVICE"
+      "CAP_NET_RAW"
+    ];
+    CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+  };
+
+  networked = self.isolate // {
+    IPAddressDeny = [""];
+    PrivateNetwork = false;
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+  };
+
+  socketed = self.isolate // {
+    RestrictAddressFamilies = ["AF_UNIX"];
+  };
+}
diff --git a/units/nixosProfiles/options.nix b/units/nixosProfiles/options.nix
@@ -19,5 +19,9 @@
   nginxNixosOptionsDoc = inputs.nixos-23_11.legacyPackages.nixosOptionsDoc {
     options = self.nginx.options.services.nginx;
   };
-  nginxNixosOptionsDocJson = builtins.fromJSON (builtins.readFile (self.nginxNixosOptionsDoc.optionsJSON + "/share/doc/nixos/options.json"));
+  nginxNixosOptionsDocJson = builtins.fromJSON (
+    builtins.readFile (
+      self.nginxNixosOptionsDoc.optionsJSON + "/share/doc/nixos/options.json"
+    )
+  );
 }