mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

fix(zackbiene): fix esphome hardening to allow socket creation, fix hostapd config syntax

Browse source
This commit is contained in:
oddlama 2023-03-16 03:36:53 +01:00
parent fc8b59178b
commit 711c97b393
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 92 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

11
hosts/zackbiene/esphome.nix
View file

@ -23,7 +23,7 @@ in {
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false; # NodeJs-JIT :/
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateUsers = true; PrivateUsers = true;
@ -40,17 +40,12 @@ in {
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = dataDir; ReadWritePaths = dataDir;
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
"AF_UNIX"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = ["@system-service" "~@privileged"];
"@system-service @pkey"
"~@privileged @resources"
];
UMask = "0077"; UMask = "0077";
}; };
}; };

111
hosts/zackbiene/hostapd.nix
View file

@ -18,67 +18,94 @@
# This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM) # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
extraConfig = '' extraConfig = ''
utf8_ssid=1 utf8_ssid=1
# Enable QoS, required for 802.11n/ac/ax # Enable QoS, required for 802.11n/ac/ax
wmm_enabled=1 wmm_enabled=1
# DFS (IEEE 802.11d, IEEE 802.11h) # DFS (IEEE 802.11d, IEEE 802.11h)
# Limit to frequencies allowed in country # Limit to frequencies allowed in country
ieee80211d=1 ieee80211d=1
# Ensure TX Power and frequencies compliance with local regulatory requirements # Ensure TX Power and frequencies compliance with local regulatory requirements
ieee80211h=1 ieee80211h=1
# IEEE 802.11ac (WiFi 4) # IEEE 802.11ac (WiFi 4)
# MIMO and channel bonding support # MIMO and channel bonding support
ieee80211n=1 ieee80211n=1
# Add wider channel-width support and MU-MIMO (multi user MIMO) # Add wider channel-width support and MU-MIMO (multi user MIMO)
# IEEE 802.11ac (WiFi 5) # IEEE 802.11ac (WiFi 5)
ieee80211ac=1 ieee80211ac=1
ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40] ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN] vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
vht_oper_chwidth=1 vht_oper_chwidth=1
# WPA3 # WPA3
wpa=2 wpa=2
wpa_pairwise=CCMP CCMP-256 wpa_pairwise=CCMP CCMP-256
rsn_pairwise=CCMP CCMP-256 rsn_pairwise=CCMP CCMP-256
wpa_key_mgmt=SAE wpa_key_mgmt=SAE
# Require WPA, disable WEP # Require WPA, disable WEP
auth_algs=1 auth_algs=1
# Encrypt management frames to protect against deauthentication and similar attacks # Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w=2 ieee80211w=2
# Force WPA3-Personal without transition # Force WPA3-Personal without transition
transition_disable=0x01 transition_disable=0x01
# Derive PWE using both hunting-and-pecking loop and hash-to-element # Derive PWE using both hunting-and-pecking loop and hash-to-element
sae_pwe=2 sae_pwe=2
# SAE can also use wpa_psk, which allows us to use a separate file, # SAE can also use wpa_psk, which allows us to use a separate file,
# but it restricts the password length to [2,63] which is ok. # but it restricts the password length to [2,63] which is ok.
# This conatins a list of passwords for each client MAC. # This conatins a list of passwords for each client MAC.
wpa_psk=${config.rekey.secrets.wifi-stations.path} wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
# Use a MAC-address access control list # Use a MAC-address access control list
macaddr_acl=1 macaddr_acl=1
accept_mac_file=/run/hostapd/client-macs accept_mac_file=/run/hostapd/client-macs
# Hide network and require devices to know the ssid in advance # Hide network and require devices to know the ssid in advance
ignore_broadcast_ssid=1 ignore_broadcast_ssid=1
# Don't allow stations to communicate with each other # Don't allow clients to communicate with each other
ap_isolate=1 ap_isolate=1
''; '';
}; };
# Associates each known client to a unique password # Associates each known client to a unique password
rekey.secrets.wifi-stations = { rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
file = ./secrets/wifi-stations.age;
owner = "hostapd";
};
systemd.services.hostapd = { systemd.services.hostapd = {
# Filter the stations to get a list of all known MAC addresses, # Filter the clients to get a list of all known MAC addresses,
# which we then use for MAC access control. # which we then use for MAC access control.
preStart = lib.mkBefore '' preStart = lib.mkBefore ''
grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs
''; '';
# Add some missing options to the upstream config
serviceConfig = {
ExecReload = "/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd";
# Hardening
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = false; # Needs /dev/rfkill
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = false; # Needs write-access to /sys/class/net/...
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = false;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged" "@chown"];
UMask = "0077";
};
}; };
} }

10
hosts/zackbiene/secrets/wifi-clients.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY
yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY
-> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy
/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI
-> yazz-grease 4O
ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8
7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto
--- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q
揵鎧恑蒔e�3�8P 牫�� !荗u3抮* 羹5嚹{礅潑錭K菱鯰磉B1欸�m&# `襽7佫挚亼 O

9
hosts/zackbiene/secrets/wifi-stations.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ
VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA
-> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl
6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE
-> Bwz)--grease wa,. Empc cCS[Rb"L
LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q
--- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ
ÒéðÎ�4Ëç.‘¦B÷'»OlA„Sg‚¤C'ó+¥z9ÏØãi}¥,õD'~“ŒûƒœlÈê–­¼\ O·‰V¯|‡Xu ä9

14
modules/core/default.nix
View file

@ -57,10 +57,16 @@ in {
}; };
# Rename known network interfaces # Rename known network interfaces
services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList ( services.udev.packages = let
interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"'' interfaceNamesUdevRules = pkgs.writeTextFile {
) name = "interface-names-udev-rules";
nodeSecrets.networking.interfaces); text = lib.concatStringsSep "\n" (lib.mapAttrsToList (
interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"''
)
nodeSecrets.networking.interfaces);
destination = "/etc/udev/rules.d/01-interface-names.rules";
};
in [interfaceNamesUdevRules];
nix.nixPath = [ nix.nixPath = [
"nixos-config=${dummyConfig}" "nixos-config=${dummyConfig}"