work/tailscale: harden & integrate with BIND for DNS resolution
@@ -73,6 +73,7 @@ in
|
||||
"mx-sanebot-env".owner = config.users.users.colin.name;
|
||||
"rsync-net-env".owner = config.users.users.colin.name;
|
||||
"rsync-net-id_ed25519".owner = config.users.users.colin.name;
|
||||
"tailscale-work-zones-bind.conf".owner = "named";
|
||||
"transmission_passwd".owner = config.users.users.colin.name;
|
||||
}
|
||||
];
|
||||
|
@@ -24,7 +24,50 @@
|
||||
services.tailscale.extraDaemonFlags = [
|
||||
"-verbose" "7"
|
||||
];
|
||||
# TODO: harden tailscaled
|
||||
services.bind.extraConfig = ''
|
||||
include "${config.sops.secrets."tailscale-work-zones-bind.conf".path}";
|
||||
'';
|
||||
systemd.services.tailscaled = {
|
||||
# systemd hardening (systemd-analyze security tailscaled.service)
|
||||
serviceConfig.AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
serviceConfig.CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
serviceConfig.LockPersonality = true;
|
||||
serviceConfig.MemoryDenyWriteExecute = true;
|
||||
serviceConfig.NoNewPrivileges = true;
|
||||
|
||||
serviceConfig.ProtectClock = true;
|
||||
serviceConfig.ProtectControlGroups = true;
|
||||
serviceConfig.ProtectHome = true;
|
||||
serviceConfig.ProtectHostname = true;
|
||||
serviceConfig.ProtectKernelLogs = true;
|
||||
serviceConfig.ProtectKernelModules = true;
|
||||
serviceConfig.ProtectKernelTunables = true;
|
||||
serviceConfig.ProtectProc = "invisible";
|
||||
serviceConfig.ProtectSystem = "strict"; # makes read-only: all but /dev, /proc, /sys.
|
||||
serviceConfig.ProcSubset = "pid";
|
||||
|
||||
# serviceConfig.PrivateIPC = true;
|
||||
serviceConfig.PrivateTmp = true;
|
||||
|
||||
# serviceConfig.RemoveIPC = true; #< does not apply to root
|
||||
serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
|
||||
# #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
|
||||
# # see `systemd-analyze filesystems` for a full list
|
||||
serviceConfig.RestrictFileSystems = "@application @basic-api @common-block";
|
||||
serviceConfig.RestrictRealtime = true;
|
||||
serviceConfig.RestrictSUIDSGID = true;
|
||||
serviceConfig.SystemCallArchitectures = "native";
|
||||
serviceConfig.SystemCallFilter = [
|
||||
"@system-service"
|
||||
"@sandbox"
|
||||
"~@chown"
|
||||
"~@cpu-emulation"
|
||||
"~@keyring"
|
||||
];
|
||||
serviceConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
|
||||
serviceConfig.DeviceAllow = "/dev/net/tun"; #< TODO: enable "userspace networking" tailscale option, to remove this?
|
||||
serviceConfig.RestrictNamespaces = true;
|
||||
};
|
||||
|
||||
sane.programs.guiApps.suggestedPrograms = [
|
||||
"slack"
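Review bot: The hardening block never states where tailscaled keeps its mutable state, so `serviceConfig.ProtectSystem = "strict"` (commented "makes read-only: all but /dev, /proc, /sys") only works if a `StateDirectory`/`RuntimeDirectory` from the packaged unit survives the merge; pinning them here with `serviceConfig.StateDirectory = "tailscale"; serviceConfig.RuntimeDirectory = "tailscale";` keeps the state file and control socket writable regardless of what the upstream unit declares. The `RemoveIPC` comment says the daemon still runs as root, which makes `AmbientCapabilities` effectively redundant and leaves `CapabilityBoundingSet` as the only capability restriction actually in force; a dedicated `User=` would make both meaningful and also bring `RemoveIPC` and the commented-out `PrivateIPC` back into play. The `# TODO: harden tailscaled` comment now sits directly above the hardening it asks for, so rewording it to what remains, e.g. `# TODO: run tailscaled as a non-root user and enable userspace networking so /dev/net/tun can be dropped`, keeps it actionable. The enclosing attribute set starts before this hunk and continues past it.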
|
||||
|
47
secrets/common/tailscale-work-zones-bind.conf.bin
Normal file
47
secrets/common/tailscale-work-zones-bind.conf.bin
Normal file
@@ -0,0 +1,47 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data: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,iv:Nk/FJy8kc7/O1ov3m3OCPHGA0YXnXD3BeTWhCBl2Ttg=,tag:q5clW6bww5wwD/kiPfIuGQ==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNkRNNG5VUkdldGt5amVO\nSXZabUd4Y25RRzg3UDU1NHZTYlJxYW0wcDJjCktFTDdiS2U2M2pHZktpWW8wZldR\nNEtWZEFrYUZOTnpicXVaWS9JTnFtR28KLS0tIHpWSmF1VjZ5R1gvelRjc1JScm9a\nS2hkM0FVVGw1OG5PRk8weFN2OEd5blUKv74Lqc0WNZtZP35w/lFBmxd5sj1usmmT\nC6M+qs05fb+SNjB/8btYGzNiX7xQG4JiNXXkBH3bP8ksFwmyqR4vvw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbWU1amxQY2pIYU5KSDVy\nbVZMRC9WTUk4ZU1oRE8wbjRyL0ZpVFNzN1FRCjRjWWpLcWdRL01veHB5Zkl1M1Rk\nZ2NQTi9mQjZRU2lJU2hGRGxuaVBwT3cKLS0tIDBZWk5NdFdrQVFOVzk3Mk02YWl1\nRUxTMkJDRDd2dXhWcStYdzFBaGE2WUEKDNSUdxEfkyYMN9DxEZcJ/CJPjOYRLbwY\njWoEdvKFh4w1ppS5M42UZyLC1CX4OJtCwXz6MXIUH06fDA083ihJgA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSXFxMEhFeHhBMTYrL2pj\nVHpCL21yT1ZaOHY1czhTZkNDS1YrWktFZmpzCk94STBWQmJRZk44dXFIanRuSDgx\nR1BRd2FpYTFlVW9ocTN6ZnBGdzVWOW8KLS0tIHNSY3haUFlKUHhmU3FNQkRSYkdj\nak5vcjhkVnVNNm9xQVgreXhZRUIySEEKxK17NRHNUtVLsCvwsS3KE8wugTtxnp4L\niGaIuqaCeR+OMQixXIHCag77VZSuzY8AP1BHG+eyyYn475oK1C4lsQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Nk9GUHhpUkR5SG1FTEow\nK3cwSkx3Y2wzNUJNdmh0ZWdZbFpFV1BFMGwwCnBDRTJkZzJPM3FzTWdYMGI1VTZ5\nQVp0dWh4N09yQTVEak5SazFOK3Uyc1kKLS0tIHhxVkltLzFvTkV4Zm1xUGpqVXJH\nRlF4V1lxbFR1bVFBTHdodlJadjhTYncKAmpXofAoGSFfUusqiDtLkws1YJmvGREn\nr+nqp07ZjZ7D+Qd54Xskut5s4ooLhJ0IzkVoqZLEv+MBnDjd2dOkKQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1hl50ufuxnqy0jnk8fqeu4tclh4vte2xn2d59pxff0gun20vsmv5sp78chj",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk5FQW1vV0V4RUpGTnBQ\nMEIwK2xzN2xWNGwydDZBZGQ5NWR6TUxSSUh3CjlXVnZueHZzeStUMkZxNHhxbzV4\nb2JWSEdQVU1QNFJ4VnEvbHdjS1dmQU0KLS0tIHhnR0R3Z2dBMS85UXVKaDFKcUlJ\nSWtZakVLaHRpSGlSNzF5cHdBRStsYmcK3FBKqg9rH385GbbWKLsJp7tkYWFPIqU4\nPf3lv3DfnlYogEv8WhG0ygoeKoEAia2DkM4Zp9/0ZC0bB2rqLj/vBw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bnNPZE55dGRkNGtNS2R6\nendPbENEQTJsNTF2aXFidFI3bEdqeTA3eVMwCkJPemVQR1ZTMXJIYXJkNWZ0eXRG\nZFo5Uy9jY2FzS002SHhMbHZnRUZaTUUKLS0tIHFNSHRhUHI0eFlRbFpjNC9vNk5Z\nRzhscGFkYlFYWFFCSkcwR1pnUXVzUFEKi/8Ndqo27H2E1c6o2aIx43VfY9Jy8Ewd\nDdkXJ16pDKhgVQeN4dD1rNETwT+jqm25GafgFL+x7UdmExDermCoNg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM2hGNFF0RHpQTElubkhp\naFNFSEgzdGI0bHlENDlIcmlSdWVYUEdUbUNFCjdLaFlpVnVYbFdMTjlMOUJsRHVq\nTTd2QkdPOS9TZDNGcnpCY2JCbjBMdjQKLS0tIHhSSGN3SHhEMXhRTmZWTUhIUkVL\nNWp5U0dmOStKUzBETkJ0Q21YUFduMWcKfgkRpcbN37XmieMj5TmUagJc07NUUuX2\ni+6enVZTmUANcY5de6j1xBAvoF3V8ZHAiC+7Psnus9CbU9AlomtiWw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvVTByaGtZVVRWYmdydGov\nckkxd1NUREhnWjFndjVDTHR1VnlMT0FGNkdNCnVEUDJpaVNTOFNodFpiVGtCOFlB\nNGxVYy9PcllZSHBZMWsrTzJhNVN1VDgKLS0tIG9IcVRWMFovYzJRZHgxLzc0dXZO\nQUJIZGpCS3kybTBmSHFJUEhzVjRwUE0KBPCd07ivvSu6tOjg/AuvUJbhZ8odSWDK\ngHCR+RA47QGOF3Vr62kvqkon53trUFX0vkRonF2xGGoBiafPDg754A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Z1Q2aGYyOFdUWTg5Qkgx\nd3FHejkwMUcwV3duVzM4em9VZmFBeFVOaTBvCjlVYnI2cFArOEx0V3ZXTUJKMkVJ\nTStsajNzOGhzU2R3ektFYTNkalc5S0EKLS0tIFpZWHl6NThHOVl5Q0N5aGY2Yk9o\na1VrUG1Ga0F0MFR5c2x3MkNQSXlsOGMK2xncgouLBetvsqMVhqD1DePOEk3kKBR2\nhsIli97u2z6MGFPR+V3SUeJK2FzQIsd1nf6oqoB13rZzzMDWPHF/Mg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-05-30T04:32:06Z",
|
||||
"mac": "ENC[AES256_GCM,data:50DijLN+OJ1ByoQLVPElfIjkEznLaO0TOL/Ne7/y+Slx5wwBUn9si/Rh7nPrB7ugvtsuSRg7q2GKHU4ALr18pCnR7bNbL6BK8SkUjQioj7civD7gvvF2vh9VjsEDC2s3ONePf2RbjEwUzFr1vRGKVtUcqtw8sShGaW6Wq8vaL8A=,iv:1huo1ykQJnKa8wNsykHuF3/FjhyFk/Pfksd7iAdXQwU=,tag:rqyAeiE1TJMvMpKsx2lRjw==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|