
fix: esphome & hostapd systemd restrictions, hostapd ACS disable

This commit is contained in:
oddlama 2023-03-18 01:46:56 +01:00
parent 711c97b393
commit 20e539020c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 57 additions and 31 deletions


@ -21,11 +21,12 @@ in {
# Hardening # Hardening
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; # NodeJs-JIT :/ MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
SupplementaryGroups = ["dialout"];
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true;
PrivateUsers = true; PrivateUsers = true;
PrivateTmp = true; PrivateTmp = true;
ProtectClock = true; ProtectClock = true;
@ -41,11 +42,15 @@ in {
ReadWritePaths = dataDir; ReadWritePaths = dataDir;
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"]; RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
RestrictNamespaces = true; RestrictNamespaces = false; # Required by platformio for chroot
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged"]; SystemCallFilter = [
"@system-service"
"~@privileged"
"@mount" # Required by platformio for chroot
];
UMask = "0077"; UMask = "0077";
}; };
}; };
@ -58,4 +63,25 @@ in {
}; };
users.groups.esphome.gid = 316; users.groups.esphome.gid = 316;
services.nginx.upstreams = {
"esphome" = {
servers = {"unix:/run/esphome/esphome.sock" = {};};
extraConfig = ''
zone esphome 64k;
keepalive 2;
'';
};
};
services.nginx.virtualHosts = {
#"${nodeSecrets.esphome.domain}" = {
# forceSSL = true;
# enableACME = true;
"192.168.1.22" = {
locations."/" = {
proxyPass = "http://esphome";
proxyWebsockets = true;
};
};
};
} }
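Review bot: The pair `RestrictNamespaces = false` / `"@mount"` in the second hunk is a much wider exception than the "chroot" the comment names: `@mount` also admits mount, umount2, pivot_root and the new mount API, and unrestricted namespaces let the service spawn a fresh user namespace in which it regains (namespace-scoped) capabilities the empty `CapabilityBoundingSet` was meant to take away. If platformio calls chroot(2) directly, list just that syscall, `"chroot" # platformio chroot`, in place of `"@mount"` and leave `RestrictNamespaces = true`; if it instead unshares a user namespace to obtain CAP_SYS_CHROOT, `RestrictNamespaces = "user mnt"` (or whatever strace shows it actually creates) is the narrower setting. Either way the comment should record the binary and the failing call so the exception can be revisited when platformio changes. The enclosing `serviceConfig` attrset starts and ends outside this hunk, so I cannot see whether other directives already compensate.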


@ -11,8 +11,8 @@
wpa = false; wpa = false;
# Use 2.4GHz, this network is ment for dumb embedded devices # Use 2.4GHz, this network is ment for dumb embedded devices
hwMode = "g"; hwMode = "g";
# Automatically select channel at runtime using acs_survey # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
channel = 0; channel = 13;
# Respect the local regulations # Respect the local regulations
countryCode = "DE"; countryCode = "DE";
@ -28,16 +28,14 @@
# Ensure TX Power and frequencies compliance with local regulatory requirements # Ensure TX Power and frequencies compliance with local regulatory requirements
ieee80211h=1 ieee80211h=1
# IEEE 802.11ac (WiFi 4) # IEEE 802.11ac (WiFi 4) - MIMO and channel bonding support
# MIMO and channel bonding support
ieee80211n=1 ieee80211n=1
# Add wider channel-width support and MU-MIMO (multi user MIMO) ht_capab=[LDPC][HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1]
# IEEE 802.11ac (WiFi 5) # IEEE 802.11ac (WiFi 5) - adds wider channel-width support and MU-MIMO (multi user MIMO)
ieee80211ac=1 ieee80211ac=1
ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40] #vht_capab=[SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN] #vht_oper_chwidth=1
vht_oper_chwidth=1
# WPA3 # WPA3
wpa=2 wpa=2
@ -53,7 +51,7 @@
# Derive PWE using both hunting-and-pecking loop and hash-to-element # Derive PWE using both hunting-and-pecking loop and hash-to-element
sae_pwe=2 sae_pwe=2
# SAE can also use wpa_psk, which allows us to use a separate file, # SAE can also use wpa_psk, which allows us to use a separate file,
# but it restricts the password length to [2,63] which is ok. # but it restricts the password length to [8,63] which is ok.
# This conatins a list of passwords for each client MAC. # This conatins a list of passwords for each client MAC.
wpa_psk_file=${config.rekey.secrets.wifi-clients.path} wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
@ -62,11 +60,12 @@
accept_mac_file=/run/hostapd/client-macs accept_mac_file=/run/hostapd/client-macs
# Hide network and require devices to know the ssid in advance # Hide network and require devices to know the ssid in advance
ignore_broadcast_ssid=1 #ignore_broadcast_ssid=1
# Don't allow clients to communicate with each other # Don't allow clients to communicate with each other
ap_isolate=1 ap_isolate=1
''; '';
}; };
# TODO dont adverttise!
# Associates each known client to a unique password # Associates each known client to a unique password
rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age; rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
@ -80,25 +79,25 @@
serviceConfig = { serviceConfig = {
ExecReload = "/bin/kill -HUP $MAINPID"; ExecReload = "/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd"; RuntimeDirectory = "hostapd";
DeviceAllow = "/dev/rfkill rw";
# Hardening # Hardening
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = false; # Needs /dev/rfkill PrivateDevices = true;
PrivateUsers = true; PrivateUsers = false; # hostapd requires real system root access.
PrivateTmp = true; PrivateTmp = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = false; # Needs write-access to /sys/class/net/... ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = false; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"]; RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
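Review bot: `PrivateUsers = false` on the `PrivateUsers` line gives hostapd back its real UID and whatever capabilities the unit carries, yet no `CapabilityBoundingSet` or `AmbientCapabilities` is visible in this hunk, so the remaining hardening lines now rely on something declared elsewhere (the `serviceConfig` attrset opened at `serviceConfig = {` continues past the hunk). If the unit runs as root, bound it explicitly with `CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];`, which is what hostapd needs for nl80211 control and raw EAPOL sockets, so a compromise of the AP daemon does not yield full root. The comment `# hostapd requires real system root access.` should name the operation that fails under a user namespace (presumably nl80211 wanting CAP_NET_ADMIN over the host network namespace), since that is the reason the flag cannot be switched back on. Worth confirming as well that the 4-way handshake still works with `RestrictAddressFamilies` lacking `AF_PACKET`: hostapd falls back to an l2_packet raw socket for EAPOL when the driver does not support the nl80211 control port.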


@ -14,7 +14,6 @@
matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac; matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
networkConfig = { networkConfig = {
Address = "10.90.0.1/24"; Address = "10.90.0.1/24";
Gateway = "10.90.0.1";
}; };
}; };
}; };


@ -40,4 +40,6 @@
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [80 443];
} }
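Review bot: `networking.firewall.allowedTCPPorts = [80 443];` opens both ports on every interface of the host, while the only vhost this commit adds serves the ESPHome dashboard over plain HTTP by IP address with the TLS/ACME lines commented out; if this is the same host that runs the isolated `hostapd` IoT network from this commit, the dashboard becomes reachable from that segment too. Prefer the per-interface form, `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [80 443];`, so the dashboard is exposed only on the management LAN, and leave 443 closed until a TLS vhost actually exists. The enclosing attrset starts outside this hunk, so I cannot tell which host module this line belongs to.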


@ -1,10 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY -> X25519 J0OVJ0jJkIkBk0nFoeZ7QhFoH2KZtVNEaqVrPAPOMkU
yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY gPL8EodGaHRmGU7SjCi0A+VSHX0Jki4QTSQJqKakOmc
-> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy -> piv-p256 xqSe8Q ApYjO1OYkLa5P5y/CUcreVv1D+XIuzmvL22b8xOn4KCo
/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI zXbQ2bBEoNfRBccduRzhezOHir1NoFgSaNpB2Kz9iLM
-> yazz-grease 4O -> 3}-b-grease vM C
ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8 9zBNWTL08GkY4ZkDLmiQQqc2Di2oFiHko39JdKAzdF53kRcEkpojS0MwOhii5673
7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto Pg0s035+WayZNZkpKHelA27aA7Yo+u6kGZ0xLP2N0ZxxjgZabYau
--- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q --- CkGhrXo9Gfpf5A1h9A4ZVRtdr3KOlE78J7wXOUyMJjI
揵鎧恑蒔e�3�8P 牫�� !荗u3抮* 羹5嚹{礅潑錭K菱鯰磉B1欸�m&# `襽7佫挚亼 O B6úµÖůĆ^áaµŇ@VÇ�hĘąą#ťG7›&…•ęőkË~ #¶_k™Hž™`ňxcčČÝk•ŐşËJ�ýwú¶ó±¸ĆĐ ‰hF¦®ž[HéĂťęަ—�!ż}UR>•g’ÔşđÍBo¨ô�5 ÂĐ9VĽ$ř’‡©Ŕ˝AŰ ob“g ,š/