From df9ca7aefa562d7cc05b61b90467732398b94e0f Mon Sep 17 00:00:00 2001 
From: Ryan Yin Date: Thu, 5 Sep 2024 23:59:39 +0800 Subject: [PATCH] feat: hardening nixos desktops (#160) * feat: hardening nixos desktops * refactor: move hardening to the root folder * feat: add nixpaks into nixpkgs via overlays * feat: nixpak - add netease music * docs: hardening * fix: nvidia * fix: disable apparmor & hardening profile to avoid neovim being killed * fix: firefox cursor & fonts --- .gitignore | 1 + flake.lock | 69 +++++++++++++++ flake.nix | 5 ++ hardening/README.md | 70 ++++++++++++++++ hardening/apparmor/default.nix | 58 +++++++++++++ hardening/firejail/default.nix | 75 +++++++++++++++++ hardening/firejail/firejailWrapper.nix | 35 ++++++++ hardening/nixpaks/default.nix | 30 +++++++ hardening/nixpaks/firefox-desktop-item.nix | 11 +++ hardening/nixpaks/firefox.nix | 75 +++++++++++++++++ hardening/nixpaks/modules/gui-base.nix | 84 +++++++++++++++++++ hardening/nixpaks/modules/network.nix | 8 ++ hardening/nixpaks/qq-desktop-item.nix | 15 ++++ hardening/nixpaks/qq.nix | 59 +++++++++++++ hardening/profiles/default.nix | 9 ++ home/linux/gui/base/games.nix | 2 +- home/linux/gui/base/misc.nix | 5 +- .../gui/hyprland/values/wayland-apps.nix | 12 +-- modules/nixos/desktop/default.nix | 6 +- modules/nixos/desktop/insecure-packages.nix | 6 ++ outputs/x86_64-linux/src/idols-ai.nix | 4 + 21 files changed, 626 insertions(+), 13 deletions(-) create mode 100644 hardening/README.md create mode 100644 hardening/apparmor/default.nix create mode 100644 hardening/firejail/default.nix create mode 100644 hardening/firejail/firejailWrapper.nix create mode 100644 hardening/nixpaks/default.nix create mode 100644 hardening/nixpaks/firefox-desktop-item.nix create mode 100644 hardening/nixpaks/firefox.nix create mode 100644 hardening/nixpaks/modules/gui-base.nix create mode 100644 hardening/nixpaks/modules/network.nix create mode 100644 hardening/nixpaks/qq-desktop-item.nix create mode 100644 hardening/nixpaks/qq.nix create mode 100644 hardening/profiles/default.nix create 
mode 100644 modules/nixos/desktop/insecure-packages.nix diff --git a/.gitignore b/.gitignore index 4f61d2053..186d3000d 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ result/ .DS_Store .pre-commit-config.yaml logs/ +core* diff --git a/flake.lock b/flake.lock index 5f1699729..8d99396f1 100644 --- a/flake.lock +++ b/flake.lock @@ -264,6 +264,27 @@ "type": "github" } }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "nixpak", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -382,6 +403,31 @@ "type": "github" } }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": [ + "nixpak", + "flake-parts" + ], + "nixpkgs": [ + "nixpak", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719226092, + "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -576,6 +622,28 @@ "type": "github" } }, + "nixpak": { + "inputs": { + "flake-parts": "flake-parts_4", + "hercules-ci-effects": "hercules-ci-effects", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724898170, + "narHash": "sha256-/QslnBDv9+dnBCkAd4tto7sZck2CUeCIHtnpzRmZ+Lo=", + "owner": "nixpak", + "repo": "nixpak", + "rev": "02d04e4ac37fd71f117aaaf367d5c41fad14d29b", + "type": "github" + }, + "original": { + "owner": "nixpak", + "repo": "nixpak", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1723221148, 
@@ -882,6 +950,7 @@ "nix-gaming": "nix-gaming", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", + "nixpak": "nixpak", "nixpkgs": "nixpkgs_2", "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-stable": "nixpkgs-stable_2", diff --git a/flake.nix b/flake.nix index 2a826660d..53413a7d6 100644 --- a/flake.nix +++ b/flake.nix @@ -106,6 +106,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nixpak = { + url = "github:nixpak/nixpak"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ######################## Some non-flake repositories ######################################### # doom-emacs is a configuration framework for GNU Emacs. diff --git a/hardening/README.md b/hardening/README.md new file mode 100644 index 000000000..9cb222ac0 --- /dev/null +++ b/hardening/README.md 
@@ -0,0 +1,70 @@ +# Linux Hardening + +## Goal + +- **System Level**: Protect critical files from being accessed by untrusted applications. + 1. Such as browser cookies, SSH keys, etc. +- **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from: + 1. Accessing files they shouldn't. + - Such as a malicious application accessing your browser's cookies, SSH Keys, etc. + 1. Accessing the network when they don't need to. + 1. Accessing hardware devices they don't need. + +## Kernel Hardening + +- NixOS Kernel Config: + https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix + +## System Hardening + +- NixOS Profile: + https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix +- Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d) + - https://gitlab.com/apparmor/apparmor/-/wikis/Documentation + - AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based + applications and processes. + - Nix Package: + [roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33) + - https://github.com/NixOS/nixpkgs/issues/331645 +- SELinux: too complex, not recommended for personal use. + +## Application Sandboxing + +- [Firejail](https://github.com/netblue30/firejail/tree/master/etc): A SUID security sandbox with + hundreds of security profiles for many common applications in the default installation. + - https://wiki.nixos.org/wiki/Firejail + - Firejail needs SUID to work, which is considered a security risk - + [Does firejail improve the security of my system?](https://github.com/netblue30/firejail/discussions/4601) +- [Bubblewrap](https://github.com/containers/bubblewrap): + [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included. + - NixOS's FHSEnv is implemented using bubblewrap by default. 
+- [Systemd/Hardening](https://wiki.nixos.org/wiki/Systemd/Hardening): Systemd also provides some + sandboxing features. + +## NOTE + +**Running untrusted code is never safe, kernel hardening & sandboxing cannot change this**. + +If you want to run untrusted code, please use a VM & an isolated network environment, which will +provide a much higher level of security. + +## References + +- [Harden your NixOS workstation - dataswamp](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html) +- [Linux Insecurities - Madaidans](https://madaidans-insecurities.github.io/linux.html) +- [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792) +- [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/) +- [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail) +- nixpak configs: + - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application + - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak + - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak + - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix +- firejail configs: + - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261 +- apparmor configs: + - https://github.com/sukhmancs/nixos-configs/blob/7fcf737c506ad843113cd5b94796b49d4d4dfad2/modules/shared/security/apparmor/default.nix#L8 + - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4 +- Others: + - Directly via `buildFHSUserEnvBubblewrap`: + https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix 
diff --git a/hardening/apparmor/default.nix b/hardening/apparmor/default.nix
new file mode 100644
index 000000000..d82f31434
--- /dev/null
+++ b/hardening/apparmor/default.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.dbus.apparmor = "enabled";
+ security.apparmor = {
+ enable = true;
+
+ # kill process that are not confined but have apparmor profiles enabled
+ killUnconfinedConfinables = true;
+ packages = with pkgs; [
+ apparmor-utils
+ apparmor-profiles
+ ];
+
+ # apparmor policies
+ policies = {
+ "default_deny" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ profile default_deny /** { }
+ '';
+ };
+
+ "sudo" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${pkgs.sudo}/bin/sudo {
+ file /** rwlkUx,
+ }
+ '';
+ };
+
+ "nix" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${config.nix.package}/bin/nix {
+ unconfined,
+ }
+ '';
+ };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ apparmor-bin-utils
+ apparmor-profiles
+ apparmor-parser
+ libapparmor
+ apparmor-kernel-patches
+ apparmor-pam
+ apparmor-utils
+ ];
+}
diff --git a/hardening/firejail/default.nix b/hardening/firejail/default.nix
new file mode 100644
index 000000000..d709b016a
--- /dev/null
+++ b/hardening/firejail/default.nix
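Review bot: With all three `policies` entries at `enable = false`, this module switches the LSM and tooling on but loads no profile of its own (as far as I can tell `packages` only extends the include path), so it confines nothing yet; a top-of-file comment such as `# NOTE: every policy below is disabled — this only enables AppArmor and its tools` would stop the "hardening" from being over-read. `killUnconfinedConfinables = true` is the sharp edge once any policy is enabled: per its name and the comment above it, already-running processes that match a newly loaded profile are killed on activation, so I would make it `lib.mkDefault false` or spell that consequence out in the comment. The `sudo` body `file /** rwlkUx,` and the `nix` body `unconfined,` grant everything if someone flips them on (`Ux` additionally launches children unconfined); mark them as placeholders to tighten before enabling. `apparmor-kernel-patches` in `environment.systemPackages` looks like a patch set rather than a runtime tool — worth checking whether it installs anything useful before keeping it in the list.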
@@ -0,0 +1,75 @@ +{pkgs, ...}: let + firejailWrapper = import ./firejailWrapper.nix pkgs; +in { + programs.firejail.enable = true; + + # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules + nixpkgs.overlays = [ + (_: super: { + firejailed = { + steam = firejailWrapper { + name = "steam-firejailed"; + executable = "${super.steam}/bin/steam"; + profile = "${super.firejail}/etc/firejail/steam.profile"; + }; + steam-run = firejailWrapper { + name = "steam-run-firejailed"; + executable = "${super.steam}/bin/steam-run"; + profile = "${super.firejail}/etc/firejail/steam.profile"; + }; + + # firefox = firejailWrapper { + # name = "firefox-firejailed"; + # executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox"; + # profile = "${super.firejail}/etc/firejail/firefox.profile"; + # }; + # chromium = firejailWrapper { + # name = "chromium-firejailed"; + # executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium"; + # profile = "${super.firejail}/etc/firejail/chromium.profile"; + # }; + + mpv = firejailWrapper { + executable = "${super.lib.getBin super.mpv}/bin/mpv"; + profile = "${super.firejail}/etc/firejail/mpv.profile"; + }; + imv = firejailWrapper { + executable = "${super.lib.getBin super.imv}/bin/imv"; + profile = "${super.firejail}/etc/firejail/imv.profile"; + }; + zathura = firejailWrapper { + executable = "${super.lib.getBin super.zathura}/bin/zathura"; + profile = "${super.firejail}/etc/firejail/zathura.profile"; + }; + discord = firejailWrapper { + executable = "${super.lib.getBin super.discord}/bin/discord"; + profile = "${super.firejail}/etc/firejail/discord.profile"; + }; + slack = firejailWrapper { + executable = "${super.lib.getBin super.slack}/bin/slack"; + profile = "${super.firejail}/etc/firejail/slack.profile"; + }; + telegram-desktop = firejailWrapper { + executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop"; + profile = 
"${super.firejail}/etc/firejail/telegram-desktop.profile"; + }; + brave = firejailWrapper { + executable = "${super.lib.getBin super.brave}/bin/brave"; + profile = "${super.firejail}/etc/firejail/brave.profile"; + }; + qutebrowser = firejailWrapper { + executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser"; + profile = "${super.firejail}/etc/firejail/qutebrowser.profile"; + }; + thunar = firejailWrapper { + executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar"; + profile = "${super.firejail}/etc/firejail/thunar.profile"; + }; + vscodium = firejailWrapper { + executable = "${super.lib.getBin super.vscodium}/bin/vscodium"; + profile = "${super.firejail}/etc/firejail/vscodium.profile"; + }; + }; + }) + ]; +} diff --git a/hardening/firejail/firejailWrapper.nix b/hardening/firejail/firejailWrapper.nix new file mode 100644 index 000000000..d7072d3a0 --- /dev/null +++ b/hardening/firejail/firejailWrapper.nix @@ -0,0 +1,35 @@ +# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/ +pkgs: { + name ? "firejail-wrapper", + executable, + desktop ? null, + profile ? null, + extraArgs ? [], +}: +pkgs.runCommand name +{ + preferLocalBuild = true; + allowSubstitutes = false; + meta.priority = -1; # take precedence over non-firejailed versions +} +( + let + firejailArgs = pkgs.lib.concatStringsSep " " ( + extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}") + ); + in + '' + command_path="$out/bin/$(basename ${executable})-jailed" + mkdir -p $out/bin + mkdir -p $out/share/applications + cat <<'_EOF' >"$command_path" + #! ${pkgs.runtimeShell} -e + exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@" + _EOF + chmod 0755 "$command_path" + '' + + pkgs.lib.optionalString (desktop != null) '' + substitute ${desktop} $out/share/applications/$(basename ${desktop}) \ + --replace ${executable} "$command_path" + '' +) 
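Review bot: `steam-run` is wrapped as `${super.steam}/bin/steam-run`, but in nixpkgs `steam-run` is a separate FHS env exposed as `pkgs.steam-run` rather than a binary inside the `steam` output, so unless `steam` also ships that file the wrapper points at a path that does not exist; `executable = "${super.steam-run}/bin/steam-run";` is the likely fix. Both steam entries also nest NixOS's bubblewrap-based FHS env inside firejail (the README added in this patch says the FHS env is bubblewrap), and whether user namespaces are allowed inside the jail decides if steam starts at all, so a comment recording that this was tested, or the `extraArgs` it needed, would save the next reader a debugging session. The entries without a `name` all get the default derivation name `firejail-wrapper`, which is harmless but makes store paths and `nix` output hard to tell apart.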
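Review bot: The generated launcher drops the caller's arguments: the heredoc uses a quoted delimiter (`cat <<'_EOF'`), so the `\$@` in the Nix string lands in the file verbatim as `"\$@"`, which the wrapper's own shell then evaluates to the single literal argument `$@` instead of forwarding `"$@"` — e.g. `firefox-jailed https://…` would open the string `$@`. Unless I am misreading the quoting, the fix is `exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "$@"` without the backslash; the quoted delimiter already protects it from the builder shell and `$@` is not interpolated by Nix. Separately, `substitute … --replace` is deprecated in nixpkgs in favour of `--replace-fail`, which would also fail loudly for a desktop file that never mentions `${executable}` and so silently stays unwrapped.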
diff --git a/hardening/nixpaks/default.nix b/hardening/nixpaks/default.nix
new file mode 100644
index 000000000..4230b667b
--- /dev/null
+++ b/hardening/nixpaks/default.nix
@@ -0,0 +1,30 @@
+{
+ pkgs,
+ nixpak,
+ ...
+}: let
+ callArgs = {
+ mkNixPak = nixpak.lib.nixpak {
+ inherit (pkgs) lib;
+ inherit pkgs;
+ };
+ safeBind = sloth: realdir: mapdir: [
+ (sloth.mkdir (sloth.concat' sloth.appDataDir realdir))
+ (sloth.concat' sloth.homeDir mapdir)
+ ];
+ };
+ wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
+in {
+ # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
+ nixpkgs.overlays = [
+ (_: super: {
+ nixpaks = {
+ qq = wrapper super ./qq.nix;
+ qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
+
+ firefox = wrapper super ./firefox.nix;
+ firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
+ };
+ })
+ ];
+}
diff --git a/hardening/nixpaks/firefox-desktop-item.nix b/hardening/nixpaks/firefox-desktop-item.nix
new file mode 100644
index 000000000..95878b5a5
--- /dev/null
+++ b/hardening/nixpaks/firefox-desktop-item.nix
@@ -0,0 +1,11 @@
+{makeDesktopItem}:
+makeDesktopItem {
+ name = "firefox";
+ desktopName = "firefox";
+ exec = "firefox %U";
+ terminal = false;
+ icon = "firefox";
+ type = "Application";
+ categories = ["Network"];
+ comment = "firefox boxed";
+}
diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
new file mode 100644
index 000000000..8da09fd62
--- /dev/null
+++ b/hardening/nixpaks/firefox.nix
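Review bot: `exec = "firefox %U"` resolves `firefox` through PATH at launch time, and wayland-apps.nix in this same patch installs the unsandboxed `pkgs.firefox-wayland` while leaving `pkgs.nixpaks.firefox` commented out, so which `bin/firefox` this "boxed" entry starts depends on PATH order and can silently be the unboxed browser. Pin it to the wrapper's store path instead — take the wrapper as an argument and use `exec = "${firefox}/bin/firefox %U";` (or whatever path nixpak's `config.script` exposes), passing it explicitly from the overlay, since a bare `callPackage` would hand this file the unsandboxed `super.firefox`. Giving the item a distinct `name`/`desktopName` would also keep it from colliding with firefox's own desktop file.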
@@ -0,0 +1,75 @@
+# Refer:
+# - Flatpak manifest's docs:
+# - https://docs.flatpak.org/en/latest/manifests.html
+# - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+# - Firefox's flatpak manifest: https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-flatpak/runme.sh#l151
+{
+ lib,
+ pkgs,
+ mkNixPak,
+ ...
+}:
+mkNixPak {
+ config = {
+ config,
+ sloth,
+ ...
+ }: {
+ app = {
+ package = pkgs.firefox-wayland;
+ binPath = "bin/firefox";
+ };
+ flatpak.appId = "org.mozilla.firefox";
+
+ imports = [
+ ./modules/gui-base.nix
+ ./modules/network.nix
+ ];
+
+ # list all dbus services:
+ # ls -al /run/current-system/sw/share/dbus-1/services/
+ # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+ dbus.policies = {
+ "org.mozilla.firefox.*" = "own"; # firefox
+ "org.mozilla.firefox_beta.*" = "own"; # firefox beta
+ "org.mpris.MediaPlayer2.firefox.*" = "own";
+ "org.freedesktop.NetworkManager" = "talk";
+ };
+
+ bubblewrap = {
+ bind.rw = [
+ (sloth.concat' sloth.homeDir "/.mozilla")
+ (sloth.concat' sloth.homeDir "/Downloads")
+
+ # ================ for externsions ===============================
+ # required by https://github.com/browserpass/browserpass-extension
+ (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
+ ];
+ bind.ro = [
+ # To actually make Firefox run
+ "/sys/bus/pci"
+ ["${config.app.package}/lib/firefox" "/app/etc/firefox"]
+
+ # Unsure
+ (sloth.concat' sloth.xdgConfigHome "/dconf")
+ ];
+
+ sockets = {
+ x11 = false;
+ wayland = true;
+ pipewire = true;
+ };
+ bind.dev = [
+ "/dev/shm" # Shared Memory
+
+ # seems required when using nvidia as primary gpu
+ "/dev/nvidia0"
+ "/dev/nvidia-uvm"
+ "/dev/nvidia-modeset"
+ ];
+ tmpfs = [
+ "/tmp"
+ ];
+ };
+ };
+}
diff --git a/hardening/nixpaks/modules/gui-base.nix b/hardening/nixpaks/modules/gui-base.nix
new file mode 100644
index 000000000..3df3488b2
--- /dev/null
+++ b/hardening/nixpaks/modules/gui-base.nix
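Review bot: `~/.local/share/password-store` is mounted `bind.rw` into the browser sandbox, which works against the README's own goal of keeping secrets away from the most exposed process on the desktop: a compromised renderer can then enumerate every encrypted entry and, worse, rewrite or delete them. browserpass only needs to read the store (decryption goes through gpg, which would need its own agent socket anyway, and none is bound here), so move that entry to `bind.ro` and note the residual exposure in the comment above it. `/dev/shm` under `bind.dev` shares the host's POSIX shm namespace with the sandbox instead of giving it a private one, so other applications' segments are visible from inside; if firefox only needs shm for itself, a tmpfs at `/dev/shm` (as already done for `/tmp`) would be tighter — confirm nixpak accepts that before switching. Minor: `externsions` in the section banner is a typo.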
@@ -0,0 +1,84 @@
+# https://github.com/nixpak/pkgs/blob/master/pkgs/modules/gui-base.nix
+{
+ config,
+ lib,
+ pkgs,
+ sloth,
+ ...
+}: let
+ envSuffix = envKey: suffix: sloth.concat' (sloth.env envKey) suffix;
+ # cursor & icon's theme should be the same as the host's one.
+ cursorTheme = pkgs.bibata-cursors;
+ iconTheme = pkgs.papirus-icon-theme;
+in {
+ config = {
+ dbus.policies = {
+ "${config.flatpak.appId}" = "own";
+ "org.freedesktop.DBus" = "talk";
+ "org.gtk.vfs.*" = "talk";
+ "org.gtk.vfs" = "talk";
+ "ca.desrt.dconf" = "talk";
+ "org.freedesktop.portal.*" = "talk";
+ "org.a11y.Bus" = "talk";
+ };
+ # https://github.com/nixpak/nixpak/blob/master/modules/gpu.nix
+ # 1. bind readonly - /run/opengl-driver
+ # 2. bind device - /dev/dri
+ gpu = {
+ enable = lib.mkDefault true;
+ provider = "nixos";
+ bundlePackage = pkgs.mesa.drivers; # for amd & intel
+ };
+ # https://github.com/nixpak/nixpak/blob/master/modules/gui/fonts.nix
+ # it works not well, bind system's /etc/fonts directly instead
+ fonts.enable = true;
+ fonts.fonts = config.fonts.packages;
+ # https://github.com/nixpak/nixpak/blob/master/modules/locale.nix
+ locale.enable = true;
+ bubblewrap = {
+ network = lib.mkDefault false;
+ bind.rw = [
+ [
+ (envSuffix "HOME" "/.var/app/${config.flatpak.appId}/cache")
+ sloth.xdgCacheHome
+ ]
+ (sloth.concat' sloth.xdgCacheHome "/fontconfig")
+ (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
+
+ (sloth.concat [
+ (sloth.env "XDG_RUNTIME_DIR")
+ "/"
+ (sloth.envOr "WAYLAND_DISPLAY" "no")
+ ])
+
+ (envSuffix "XDG_RUNTIME_DIR" "/at-spi/bus")
+ (envSuffix "XDG_RUNTIME_DIR" "/gvfsd")
+ (envSuffix "XDG_RUNTIME_DIR" "/pulse")
+
+ "/run/dbus"
+ ];
+ bind.ro = [
+ (envSuffix "XDG_RUNTIME_DIR" "/doc")
+ (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
+ (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
+ (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
+ (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+
+ "/etc/fonts" # for fontconfig
+ "/etc/machine-id"
+ "/etc/localtime"
+ ];
+ env = {
+ XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
+ iconTheme
+ cursorTheme
+ pkgs.shared-mime-info
+ ]);
+ XCURSOR_PATH = lib.mkForce (lib.concatStringsSep ":" [
+ "${cursorTheme}/share/icons"
+ "${cursorTheme}/share/pixmaps"
+ ]);
+ };
+ };
+ };
+}
diff --git a/hardening/nixpaks/modules/network.nix b/hardening/nixpaks/modules/network.nix
new file mode 100644
index 000000000..c3404835f
--- /dev/null
+++ b/hardening/nixpaks/modules/network.nix
@@ -0,0 +1,8 @@
+# https://github.com/nixpak/pkgs/blob/master/pkgs/modules/network.nix
+{
+ etc.sslCertificates.enable = true;
+ bubblewrap = {
+ bind.ro = ["/etc/resolv.conf"];
+ network = true;
+ };
+}
diff --git a/hardening/nixpaks/qq-desktop-item.nix b/hardening/nixpaks/qq-desktop-item.nix
new file mode 100644
index 000000000..5661a3d7b
--- /dev/null
+++ b/hardening/nixpaks/qq-desktop-item.nix
@@ -0,0 +1,15 @@
+{
+ makeDesktopItem,
+ qq,
+}:
+makeDesktopItem {
+ name = "qq";
+ desktopName = "QQ";
+ exec = "qq %U";
+ terminal = false;
+ # icon = "qq";
+ icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
+ type = "Application";
+ categories = ["Network"];
+ comment = "QQ boxed";
+}
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
new file mode 100644
index 000000000..cb6280b90
--- /dev/null
+++ b/hardening/nixpaks/qq.nix
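Review bot: `"/run/dbus"` in `bind.rw` hands every app built on this module the raw system-bus socket, so the `dbus.policies` list — which, as far as I can tell, nixpak enforces through a proxy on the session bus only — does not constrain what the app may call on the system bus; firefox.nix and qq.nix add policies as if they were the whole story. If nixpak offers a filtered system-bus option, prefer it; otherwise at least annotate the line, `"/run/dbus" # NOTE: raw system bus, not filtered by dbus.policies`. Also, `fonts.enable = true;` sits directly under a comment saying the fonts module "works not well" and that `/etc/fonts` is bound instead, so either the option or the comment is stale and a reader cannot tell which — settle it one way and adjust the comment.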
@@ -0,0 +1,59 @@
+# Refer:
+# - Flatpak manifest's docs:
+# - https://docs.flatpak.org/en/latest/manifests.html
+# - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+# - QQ's flatpak manifest: https://github.com/flathub/com.qq.QQ/blob/master/com.qq.QQ.yaml
+{
+ lib,
+ pkgs,
+ mkNixPak,
+ ...
+}:
+mkNixPak {
+ config = {sloth, ...}: {
+ app = {
+ package = pkgs.qq.override {
+ # fix fcitx5 input method
+ commandLineArgs = lib.concatStringsSep " " ["--enable-wayland-ime"];
+ };
+ binPath = "bin/qq";
+ };
+ flatpak.appId = "com.tencent.qq";
+
+ imports = [
+ ./modules/gui-base.nix
+ ./modules/network.nix
+ ];
+
+ # list all dbus services:
+ # ls -al /run/current-system/sw/share/dbus-1/services/
+ # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+ dbus.policies = {
+ "org.gnome.Shell.Screencast" = "talk";
+ "org.freedesktop.Notifications" = "talk";
+ "org.kde.StatusNotifierWatcher" = "talk";
+ };
+ bubblewrap = {
+ bind.rw = [
+ (sloth.concat [sloth.xdgConfigHome "/QQ"])
+ (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/QQ"]))
+ ];
+ sockets = {
+ x11 = false;
+ wayland = true;
+ pipewire = true;
+ };
+ bind.dev = [
+ "/dev/shm" # Shared Memory
+
+ # seems required when using nvidia as primary gpu
+ "/dev/nvidia0"
+ "/dev/nvidia-uvm"
+ "/dev/nvidia-modeset"
+ ];
+ tmpfs = [
+ "/tmp"
+ ];
+ };
+ };
+}
diff --git a/hardening/profiles/default.nix b/hardening/profiles/default.nix
new file mode 100644
index 000000000..ef52853ac
--- /dev/null
+++ b/hardening/profiles/default.nix
@@ -0,0 +1,9 @@
+{modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/profiles/hardened.nix")
+ ];
+
+ # disable coredump that could be exploited later
+ # and also slow down the system when something crash
+ systemd.coredump.enable = false;
+}
diff --git a/home/linux/gui/base/games.nix b/home/linux/gui/base/games.nix
index 4cd4d87e2..131aa8f70 100644
--- a/home/linux/gui/base/games.nix
+++ b/home/linux/gui/base/games.nix
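Review bot: `sockets.pipewire = true;` together with `"org.gnome.Shell.Screencast" = "talk"` gives a closed-source messenger standing access to the microphone and camera (and, on a GNOME session, screen recording), which is exactly the "hardware devices they don't need" case the README sets out to prevent; unless voice/video calls are actually used here, default it off with `pipewire = lib.mkDefault false;` and leave a comment explaining why it is on if it must be. The `/dev/shm` entry under `bind.dev` shares the host shm namespace with the app, so other processes' segments become visible inside the sandbox; a private tmpfs there would be tighter if nixpak allows it. Importing `./modules/network.nix` flips the gui-base default of `network = false` back on for this app — fine for a chat client, but worth a one-line comment so the grant is visibly deliberate.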
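Review bot: The commit message says this profile is left disabled because neovim was getting killed; the usual culprit in `profiles/hardened.nix` is its Scudo allocator default, which aborts processes on allocator misuse, and it can be overridden here with `environment.memoryAllocator.provider = lib.mkForce "libc";` rather than dropping the whole profile (the kernel and sysctl hardening it carries would then stay in effect). Worth re-testing with just that override before concluding the profile is unusable, and recording the result in a comment in this file. Wording: `# disable coredump that could be exploited later` reads better as `# core dumps can leak secrets from crashed processes (and slow crashes down); keep them off`.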
@@ -4,7 +4,7 @@ ... }: { home.packages = with pkgs; [ - # nix-gaming.packages.${pkgs.system}.osu-lazer-bin + # nix-gaming.packages.${pkgs.system}.osu-laser-bin gamescope # SteamOS session compositing window manager prismlauncher # A free, open source launcher for Minecraft winetricks # A script to install DLLs needed to work around problems in Wine diff --git a/home/linux/gui/base/misc.nix b/home/linux/gui/base/misc.nix index 5f841eaed..6846141c8 100644 --- a/home/linux/gui/base/misc.nix +++ b/home/linux/gui/base/misc.nix @@ -12,7 +12,6 @@ # instant messaging telegram-desktop discord - pkgs-unstable.qq # https://github.com/NixOS/nixpkgs/tree/master/pkgs/applications/networking/instant-messengers/qq # remote desktop(rdp connect) remmina @@ -21,6 +20,10 @@ # misc flameshot ventoy # multi-boot usb creator + + # my custom hardened packages + pkgs.nixpaks.qq + pkgs.nixpaks.qq-desktop-item ]; # GitHub CLI tool diff --git a/home/linux/gui/hyprland/values/wayland-apps.nix b/home/linux/gui/hyprland/values/wayland-apps.nix index 3387ebd99..717230fad 100644 --- a/home/linux/gui/hyprland/values/wayland-apps.nix +++ b/home/linux/gui/hyprland/values/wayland-apps.nix @@ -21,6 +21,12 @@ '' + (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-foot}/catppuccin-mocha.conf"); + home.packages = [ + pkgs.firefox-wayland + # pkgs.nixpaks.firefox + # pkgs.nixpaks.firefox-desktop-item + ]; + programs = { # a wayland only terminal emulator foot = { @@ -54,12 +60,6 @@ ]; }; - firefox = { - enable = true; - enableGnomeExtensions = false; - package = pkgs.firefox-wayland; # firefox with wayland support - }; - vscode = { enable = true; # let vscode sync and update its configuration & extensions across devices, using github account. diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix index 47c5c9773..eeb48a407 100644 --- a/modules/nixos/desktop/default.nix +++ b/modules/nixos/desktop/default.nix 
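Review bot: The games.nix comment now reads `osu-laser-bin`, but the nix-gaming package (and the game, osu!lazer) is spelled `lazer`; the old text was correct, so this line should go back to `# nix-gaming.packages.${pkgs.system}.osu-lazer-bin` before someone uncomments it into a non-existent attribute.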
@@ -1,7 +1,3 @@
-{
- mylib,
- lib,
- ...
-}: {
+{mylib, ...}: {
 imports = mylib.scanPaths ./.;
 }
diff --git a/modules/nixos/desktop/insecure-packages.nix b/modules/nixos/desktop/insecure-packages.nix
new file mode 100644
index 000000000..3d1380824
--- /dev/null
+++ b/modules/nixos/desktop/insecure-packages.nix
@@ -0,0 +1,6 @@
+{
+ nixpkgs.config.permittedInsecurePackages = [
+ # required by wechat-uos:
+ # "openssl-1.1.1w"
+ ];
+}
diff --git a/outputs/x86_64-linux/src/idols-ai.nix b/outputs/x86_64-linux/src/idols-ai.nix
index e9c01c8f4..000d5607d 100644
--- a/outputs/x86_64-linux/src/idols-ai.nix
+++ b/outputs/x86_64-linux/src/idols-ai.nix
@@ -19,6 +19,10 @@
 "modules/nixos/desktop.nix"
 # host specific
 "hosts/idols-${name}"
+ # nixos hardening
+ # "hardening/profiles/default.nix"
+ "hardening/nixpaks"
+ # "hardening/apparmor"
 ];
 home-modules = map mylib.relativeToRoot [
 # common
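Review bot: Two of the three hardening modules are added to idols-ai.nix only as commented-out lines, and the reason (the commit message's "neovim being killed") lives nowhere in the file, so the next maintainer cannot tell whether enabling `hardening/profiles/default.nix` or `hardening/apparmor` is safe; a short comment above them, e.g. `# profiles/apparmor disabled: hardened profile killed neovim (#160); re-test before enabling`, would carry that context. With only `hardening/nixpaks` active, the README's "system level" goal (cookies and SSH keys off-limits to untrusted apps) holds only for applications actually launched through a nixpak wrapper, which is worth a sentence here too. The enclosing `modules` list starts before this hunk.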