.
This commit is contained in:
root
parent
73ff9ee8ee
commit
664eb70e8c
14 changed files with 698 additions and 495 deletions
|
|
@ -3,6 +3,22 @@
|
|||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
nsExec = pkgs.writeShellScriptBin "ns-raw" ''
|
||||
ns="$1"
|
||||
shift
|
||||
exec ${pkgs.iproute2}/bin/ip netns exec "$ns" \
|
||||
${pkgs.util-linux}/bin/setpriv \
|
||||
--reuid="$DOAS_USER" --regid="$DOAS_USER" \
|
||||
--clear-groups \
|
||||
--inh-caps=-all \
|
||||
"$@"
|
||||
'';
|
||||
nsWrapper = pkgs.writeShellScriptBin "ns" ''
|
||||
|
||||
exec /run/wrappers/bin/doas ${nsExec}/bin/ns-raw "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./hardened.nix
|
||||
|
|
@ -38,18 +54,63 @@
|
|||
extraRules = [
|
||||
{
|
||||
users = [ "user" ];
|
||||
runAs = "root";
|
||||
keepEnv = true;
|
||||
persist = true;
|
||||
}
|
||||
{
|
||||
users = [ "user" ];
|
||||
runAs = "agent";
|
||||
runAs = "work";
|
||||
noPass = true;
|
||||
keepEnv = false;
|
||||
}
|
||||
{
|
||||
users = [ "user" ];
|
||||
runAs = "agent";
|
||||
noPass = true;
|
||||
keepEnv = true;
|
||||
}
|
||||
{
|
||||
users = [
|
||||
"user"
|
||||
"agent"
|
||||
"work"
|
||||
];
|
||||
runAs = "root";
|
||||
noPass = true;
|
||||
keepEnv = true;
|
||||
cmd = "${nsExec}/bin/ns-raw";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = [ nsWrapper ];
|
||||
|
||||
security.pam.services.su.requireWheel = true;
|
||||
security.pam.services.newgrp.requireWheel = true;
|
||||
security.pam.services.login.text = ''
|
||||
# Account management.
|
||||
account required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10900)
|
||||
|
||||
# Authentication management.
|
||||
auth optional /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok # unix-early (order 11700)
|
||||
auth optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so # gnome_keyring (order 12200)
|
||||
auth sufficient /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok try_first_pass # unix (order 12900)
|
||||
auth required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_deny.so # deny (order 13700)
|
||||
|
||||
# Password management.
|
||||
password sufficient /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)
|
||||
password optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so use_authtok # gnome_keyring (order 11100)
|
||||
|
||||
# Session management.
|
||||
session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
|
||||
session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10200)
|
||||
session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_loginuid.so # loginuid (order 10300)
|
||||
session optional /nix/store/wxyn8d3m8g4fnn6xazinjwhzhzdg6wib-systemd-259/lib/security/pam_systemd.so # systemd (order 12000)
|
||||
session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_limits.so conf=/nix/store/zxagblabdf6xawphfs1w50pg2b0ml9px-limits.conf # limits (order 12200)
|
||||
session optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so auto_start # gnome_keyring (order 12600)
|
||||
'';
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue