
Having a configuration that works is noticeably better.

Signed by: govanify GPG Key ID: DE62E1E2A6145556
4 changed files with 13 additions and 10 deletions
  1. +1
    -1
      README.md
  2. +5
    -1
      common/graphical.nix
  3. +3
    -0
      common/security.nix
  4. +4
    -8
      common/tor.nix

+ 1
- 1
README.md View File

@ -9,7 +9,7 @@ Currently the machines populated by this configuration are:
TODo list sorted by priority:
* security: redirect IPv6 through tor + profiles
* security: tor profiles and fix iana
* workflow: weechat-matrix setup
* workflow: make cursor visible in sway
* security: security hardening through sandboxing


+ 5
- 1
common/graphical.nix View File

@ -15,11 +15,15 @@
# multimedia
mpv imv
# web browsers
# standard firefox is used for basically everything and is "impossible" to
# fingerprint with my configuration, but i do login on websites sometimes.
# As such tor is used as a clean cut identity that also make sure I didn't
# fuck up tracking when need happens.
firefox-wayland tor-browser-bundle-bin
# art
blender krita kdenlive ardour
# stem
freecad kicad
freecad kicad wireshark
#ghidra in the future when it is actually updated
# themes
breeze-gtk breeze-qt5 breeze-icons
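Review bot: wireshark is added to what looks like the system package list, which installs the binaries but grants no capture privilege, so captures on this host would have to be run as root and the whole dissector surface would then run with root privileges. NixOS offers `programs.wireshark.enable = true;`, which installs a setcap `dumpcap` wrapper usable only by the `wireshark` group so the GUI and dissectors stay unprivileged; consider that plus adding the user to the group instead of listing the package here. The new comment also claims the Firefox configuration is "impossible" to fingerprint, which a browser profile cannot guarantee; I would soften it to `# standard firefox is hardened against fingerprinting but is still used for logins,`. The enclosing package list starts and ends outside the hunk.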


+ 3
- 0
common/security.nix View File

@ -19,6 +19,9 @@ in {
security.allowUserNamespaces = true;
# it seems that linux nowadays won't allow you to disable the jit
boot.kernel.sysctl."net.core.bpf_jit_enable" = true;
# any hardened allocator doesn't even let me boot
#environment.memoryAllocator.provider = "graphene-hardened";
security.allowSimultaneousMultithreading = true;
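Review bot: `security.allowSimultaneousMultithreading = true` re-enables the SMT that the hardened profile disables, which brings back the cross-hyperthread side channels (MDS/L1TF-class) that setting exists to mitigate, yet unlike the neighbouring lines it carries no comment recording why that trade-off is accepted. I would add `# SMT re-enabled for performance; accepts cross-thread side-channel exposure on this box`. The JIT comment above is also slightly off: `net.core.bpf_jit_enable` can normally be set to 0, it is a kernel built with CONFIG_BPF_JIT_ALWAYS_ON (as hardened kernels tend to be) that refuses; when the JIT stays on, `boot.kernel.sysctl."net.core.bpf_jit_harden" = 2;` keeps constant blinding for all users, if the imported profile does not already set it. The enclosing attribute set continues outside the hunk.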


+ 4
- 8
common/tor.nix View File

@ -29,7 +29,7 @@ in {
};
virtualNetworkIPv6 = mkOption {
type = types.str;
default = "[FC00::]/7";
default = "FC00::/7";
description = "Cidr that tor will use to map tor accessed hosts to in IPv6.";
};
exceptionNetworks = mkOption {
@ -54,11 +54,11 @@ in {
# makes ourselves reachable through ssh, keys and hostname in /var/lib/tor
hiddenServices.ssh = { map = [{port = 22;}]; };
enable = true;
# enabling the sandbox breaks stuff, should be checked!
extraConfig = ''
VirtualAddrNetworkIPv4 ${cfg.virtualNetwork}
VirtualAddrNetworkIPv6 ${cfg.virtualNetworkIPv6}
AutomapHostsOnResolve 1
Sandbox 1
TransPort ${transPort} IPv6Traffic PreferIPv6
DNSPort ${dnsPort}
'';
@ -139,10 +139,6 @@ in {
### IPv6 ###
@ -195,10 +191,10 @@ in {
ip6tables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow loopback output
ip6tables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
ip6tables -A OUTPUT -d ::1/128 -o lo -j ACCEPT
#tor transproxy magic
ip6tables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
ip6tables -A OUTPUT -d ::1/128 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptionsIPv6}
for _except in ${transExceptionsIPv6}; do
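Review bot: Dropping `Sandbox 1` from extraConfig in the second hunk removes Tor's seccomp sandbox on a daemon that the same block exposes to the network as an SSH hidden service, and the replacement comment `# enabling the sandbox breaks stuff, should be checked!` does not record what actually broke. Tor typically logs the blocked syscall or the incompatible option when the sandbox rejects something, so the failure could be captured in one line and the comment made actionable, e.g. `# Sandbox 1 disabled: tor logs <syscall/option> denied with this config; re-enable once resolved`. Tor's manual lists the options the sandbox cannot be combined with, so it is worth checking whether one of them is in use here before concluding the sandbox itself is at fault. The last hunk of this file appears cut off in the rendering, and the enclosing module continues outside the hunks.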

