diff --git a/common/security.nix b/common/security.nix
index 6c9234f..61a1c24 100644
--- a/common/security.nix
+++ b/common/security.nix
@@ -27,17 +27,62 @@
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_fastopen" = 3;
+
+ "kernel.kptr_restrict" = 2;
+ "randomize_kstack_offset" = "on";
+ "spec_store_bypass_disable" = "on";
};
# otherwise /tmp is on disk. This *may* be problematic as nix
# builds in /tmp but I think my swap is large enough...
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+ kernelParams = [
+ "init_on_free=1" # zero freed pages
+ "page_alloc.shuffle=1"
+ "page_poison=1"
+ "slab_nomerge"
+ "slub_debug=FZ"
+ "vsyscall=none" # diable virtual syscalls
+ ];
+
+ blacklistedKernelModules = [
+ "ax25"
+ "netrom"
+ "rose"
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
};
security = {
protectKernelImage = true;
+ forcePageTableIsolation = true;
+
+ apparmor.enable = true;
+ apparmor.killUnconfinedConfinables = true;
sudo.enable = false;
+
doas = {
enable = true;
extraRules = [
diff --git a/common/shell.nix b/common/shell.nix
index 2027afa..10c077b 100644
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -7,11 +7,13 @@ environment.systemPackages = with pkgs; [
colmena
+ dive
dnsutils
- docker-compose
fd
htop
killall
+ podman-compose
+ podman-tui
ripgrep
unison
unzip
diff --git a/desktop/software/default.nix b/desktop/software/default.nix
index 9113be4..0d64064 100644
--- a/desktop/software/default.nix
+++ b/desktop/software/default.nix
@@ -41,7 +41,11 @@ in
];
virtualisation = {
- docker.enable = true;
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
};
programs.kdeconnect.enable = true;
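Review bot: `randomize_kstack_offset` and `spec_store_bypass_disable` are kernel command-line parameters, not sysctl keys (there is no `/proc/sys/randomize_kstack_offset`), so adding them to the attrset that the surrounding `net.ipv4.*` entries suggest is `boot.kernel.sysctl` will make systemd-sysctl log a failed write at boot and neither mitigation takes effect; they belong in the new `kernelParams` list as `"randomize_kstack_offset=on"` and `"spec_store_bypass_disable=on"` (the attrset's opening line is outside the hunk, so confirm which option it is). Two caveats on `kernelParams` as written: on kernels built with `CONFIG_PAGE_POISONING`, `page_poison=1` takes precedence over `init_on_free=1` and disables it (check the `mem auto-init:` line in the boot log), so if zero-on-free is the goal the two should not both be set; and `boot.blacklistedKernelModules` only blocks alias-based autoloading, so root or a dependent module can still load e.g. `hfs` by name — `boot.extraModprobeConfig` with `install <mod> ${pkgs.coreutils}/bin/false` is the usual stronger form. The list also blacklists `ntfs` but not `ntfs3`, the current in-kernel NTFS driver, which seems inconsistent with the intent. Typo in the comment: `# diable virtual syscalls` → `# disable virtual syscalls`.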
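Review bot: `podman-compose` and `podman-tui` are added to `common/shell.nix`, which by its path appears to be shared by every host, while podman itself is only enabled in `desktop/software/default.nix` in this commit; on any non-desktop host these are dead binaries and the `docker` compat alias does not exist there either. If non-desktop hosts are not meant to run containers, consider moving these two (and `dive`) next to the `virtualisation.podman` block in the desktop module; if they are, the podman enablement should move to a common module instead. The `environment.systemPackages` list's closing bracket is outside the hunk.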
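Review bot: `dockerCompat = true` only installs a `docker`-named alias for the podman CLI; it does not provide a Docker API socket, so anything that speaks to `/var/run/docker.sock` (for instance `dive` without `--source podman`) will still fail until `virtualisation.podman.dockerSocket.enable = true` is set — and that rootful socket would hand members of the `podman` group root-equivalent access, recreating the trust boundary the removed `docker.enable` had via the `docker` group. Worth a comment above `podman = {` recording the intended model, e.g. `# rootless per-user podman; no Docker API socket on purpose — use the podman CLI / --source podman`. Any `extraGroups = [ "docker" ]` elsewhere in the configuration (not visible here) now references a group this module no longer creates.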