diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index b8d9b3d..103cd7e 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -23,7 +23,7 @@ in {
 CapabilityBoundingSet = "";
 DevicePolicy = "closed";
 LockPersonality = true;
- MemoryDenyWriteExecute = false;
+ MemoryDenyWriteExecute = false; # NodeJs-JIT :/
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateUsers = true;
@@ -40,17 +40,12 @@ in {
 ProtectSystem = "strict";
 ReadWritePaths = dataDir;
 RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_UNIX"
- ];
+ RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service @pkey"
- "~@privileged @resources"
- ];
+ SystemCallFilter = ["@system-service" "~@privileged"];
 UMask = "0077";
 };
 };
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index 390fc06..1d6e6c7 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
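Review bot: The new SystemCallFilter in the second esphome.nix hunk silently drops `@resources` from the deny list (old `"~@privileged @resources"`, new `"~@privileged"`), whereas the MemoryDenyWriteExecute relaxation in the first hunk at least got its `# NodeJs-JIT :/` comment. If the Node.js side really needs setrlimit/prlimit, say so next to the line; if it does not, keeping it denied costs nothing: `SystemCallFilter = ["@system-service" "~@privileged @resources"];`. The widened `RestrictAddressFamilies` deserves the same treatment — a short comment naming which feature needs `AF_NETLINK` (presumably interface enumeration or mDNS; not visible here) keeps the hardening auditable the next time someone tightens it.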
@@ -18,67 +18,94 @@ # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM) extraConfig = '' - utf8_ssid=1 - # Enable QoS, required for 802.11n/ac/ax - wmm_enabled=1 + utf8_ssid=1 + # Enable QoS, required for 802.11n/ac/ax + wmm_enabled=1 - # DFS (IEEE 802.11d, IEEE 802.11h) - # Limit to frequencies allowed in country - ieee80211d=1 - # Ensure TX Power and frequencies compliance with local regulatory requirements - ieee80211h=1 + # DFS (IEEE 802.11d, IEEE 802.11h) + # Limit to frequencies allowed in country + ieee80211d=1 + # Ensure TX Power and frequencies compliance with local regulatory requirements + ieee80211h=1 - # IEEE 802.11ac (WiFi 4) - # MIMO and channel bonding support - ieee80211n=1 - # Add wider channel-width support and MU-MIMO (multi user MIMO) + # IEEE 802.11ac (WiFi 4) + # MIMO and channel bonding support + ieee80211n=1 + # Add wider channel-width support and MU-MIMO (multi user MIMO) - # IEEE 802.11ac (WiFi 5) - ieee80211ac=1 - ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40] + # IEEE 802.11ac (WiFi 5) + ieee80211ac=1 + ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40] vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN] vht_oper_chwidth=1 - # WPA3 + # WPA3 wpa=2 - wpa_pairwise=CCMP CCMP-256 - rsn_pairwise=CCMP CCMP-256 - wpa_key_mgmt=SAE - # Require WPA, disable WEP - auth_algs=1 - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w=2 - # Force WPA3-Personal without transition + wpa_pairwise=CCMP CCMP-256 + rsn_pairwise=CCMP CCMP-256 + wpa_key_mgmt=SAE + # Require WPA, disable WEP + auth_algs=1 + # Encrypt management frames to protect against deauthentication and similar attacks + ieee80211w=2 + # Force WPA3-Personal without transition transition_disable=0x01 - # Derive PWE using both hunting-and-pecking loop and hash-to-element - sae_pwe=2 - # SAE can also use wpa_psk, which allows us to use a separate file, + # 
Derive PWE using both hunting-and-pecking loop and hash-to-element + sae_pwe=2 + # SAE can also use wpa_psk, which allows us to use a separate file, # but it restricts the password length to [2,63] which is ok. # This conatins a list of passwords for each client MAC. - wpa_psk=${config.rekey.secrets.wifi-stations.path} + wpa_psk_file=${config.rekey.secrets.wifi-clients.path} - # Use a MAC-address access control list - macaddr_acl=1 - accept_mac_file=/run/hostapd/client-macs + # Use a MAC-address access control list + macaddr_acl=1 + accept_mac_file=/run/hostapd/client-macs - # Hide network and require devices to know the ssid in advance - ignore_broadcast_ssid=1 - # Don't allow stations to communicate with each other - ap_isolate=1 + # Hide network and require devices to know the ssid in advance + ignore_broadcast_ssid=1 + # Don't allow clients to communicate with each other + ap_isolate=1 ''; }; # Associates each known client to a unique password - rekey.secrets.wifi-stations = { - file = ./secrets/wifi-stations.age; - owner = "hostapd"; - }; - + rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age; systemd.services.hostapd = { - # Filter the stations to get a list of all known MAC addresses, + # Filter the clients to get a list of all known MAC addresses, # which we then use for MAC access control. preStart = lib.mkBefore '' - grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs + grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs ''; + # Add some missing options to the upstream config + serviceConfig = { + ExecReload = "/bin/kill -HUP $MAINPID"; + RuntimeDirectory = "hostapd"; + + # Hardening + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = false; # Needs /dev/rfkill + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = false; # Needs write-access to /sys/class/net/... 
+ ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = false; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged" "@chown"]; + UMask = "0077"; + }; }; } diff --git a/hosts/zackbiene/secrets/wifi-clients.age b/hosts/zackbiene/secrets/wifi-clients.age new file mode 100644 index 0000000..001b19e --- /dev/null +++ b/hosts/zackbiene/secrets/wifi-clients.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY +yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY +-> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy +/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI +-> yazz-grease 4O +ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8 +7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto +--- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q +揵鎧恑蒔e38P 牫 !荗u3抮* 羹5嚹{礅潑錭K菱鯰磉B1欸m&# `襽7佫挚亼 O \ No newline at end of file diff --git a/hosts/zackbiene/secrets/wifi-stations.age b/hosts/zackbiene/secrets/wifi-stations.age deleted file mode 100644 index 1aca425..0000000 --- a/hosts/zackbiene/secrets/wifi-stations.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ -VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA --> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl -6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE --> Bwz)--grease wa,. Empc cCS[Rb"L -LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q ---- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ -议鹞4绥.懄B'籓lA凷g偆C'+9县i},鮀'~搶麅l汝柇糪 O穳V瘄嘪u 9 \ No newline at end of file 
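Review bot: `ExecReload = "/bin/kill -HUP $MAINPID";` in the new hostapd serviceConfig refers to a path that NixOS does not provide (only /bin/sh and /usr/bin/env exist outside the store), so a reload will fail at exec time; use a store path instead, e.g. `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` (assuming `pkgs` is a module argument in this file — it is not visible in the hunk). `ProtectKernelTunables = false;` is the only relaxed option in the block without a justification, unlike `PrivateDevices` and `ProtectControlGroups`; add one in the same style, e.g. `ProtectKernelTunables = false; # Needs write access to /proc/sys/net/... — confirm`. Dropping `owner = "hostapd"` from the secret leaves the new `wpa_psk_file` readable only by its default owner, which is fine only if the upstream unit runs hostapd as root — the hunk does not show that, so worth a one-line comment on the `rekey.secrets.wifi-clients.file` line.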
diff --git a/modules/core/default.nix b/modules/core/default.nix index cdf199f..9fadae4 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -57,10 +57,16 @@ in { }; # Rename known network interfaces - services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList ( - interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"'' - ) - nodeSecrets.networking.interfaces); + services.udev.packages = let + interfaceNamesUdevRules = pkgs.writeTextFile { + name = "interface-names-udev-rules"; + text = lib.concatStringsSep "\n" (lib.mapAttrsToList ( + interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"'' + ) + nodeSecrets.networking.interfaces); + destination = "/etc/udev/rules.d/01-interface-names.rules"; + }; + in [interfaceNamesUdevRules]; nix.nixPath = [ "nixos-config=${dummyConfig}"