colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
Files
04eb5ed0129f96df11f3e0af85c54ee20b51ae6e
nix-files/hosts/common/systemd.nix
Colin 875d919fa8 systemd-rfkill: harden
2024-08-10 00:34:13 +00:00

112 lines
3.6 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ ... }:
let
# N.B.: systemd doesn't like to honor its timeout settings.
# a timeout of 20s is actually closer to 70s,
# because it allows 20s, then after the 20s passes decides to allow 40s, then 60s,
# finally it peacefully kills stuff, and then 10s later actually kills shit.
haltTimeout = 10;
in
{
sane.persist.sys.byStore.ephemeral = [
"/var/lib/systemd/coredump"
];
security.polkit.extraConfig = ''
/* allow ordinary users to:
* - reboot
* - shutdown
* source: <https://nixos.wiki/wiki/Polkit>
*/
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
&& (
action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions"
)
)
{
return polkit.Result.YES;
}
})
/* allow members of wheel to:
* - systemctl daemon-reload
* - systemctl stop|start|restart SERVICE
*/
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel") && (
action.id == "org.freedesktop.systemd1.reload-daemon" ||
action.id == "org.freedesktop.systemd1.manage-units"
)) {
return polkit.Result.YES;
}
})
'';
# hard to wrangle systemd early-logging and my persistence.
# instead, don't have systemd-journald try to persist its logs at all --
# use a separate program like rsyslogd (configured elsewhere) to ingest the journal into persistent storage
services.journald.storage = "volatile";
# services.journald.extraConfig = ''
# # docs: `man journald.conf`
# # merged journald config is deployed to /etc/systemd/journald.conf
# [Journal]
# # disable journal compression because the underlying fs is compressed
# Compress=no
# '';
# see: `man logind.conf`
# dont shutdown when power button is short-pressed (commonly done an accident, or by cats).
# but do on long-press: useful to gracefully power-off server.
services.logind.powerKey = "lock";
services.logind.powerKeyLongPress = "poweroff";
services.logind.lidSwitch = "lock";
# under logind, 'uaccess' tag would grant the logged in user access to a device.
# outside logind, map uaccess tag -> plugdev group to grant that access.
services.udev.extraRules = ''
TAG=="uaccess" GROUP="plugdev"
'';
systemd.extraConfig = ''
# DefaultTimeoutStopSec defaults to 90s, and frequently blocks overall system shutdown.
DefaultTimeoutStopSec=${builtins.toString haltTimeout}
'';
# hard base systemd services
# see: `systemd-analyze security`
systemd.services.systemd-rfkill.serviceConfig = {
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DevicePolicy = "closed";
IPAddressDeny = "any";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = "AF_UNIX";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
};
}
Reference in New Issue View Git Blame Copy Permalink