NixOS: its strengths, weaknesses and how to fix them
<blockquote data-quote="Victor M" data-source="post: 1083860" data-attributes="member: 96560"><p>Hi Everybody,</p><p></p><p>Here is the 'configuration.nix' configuration file for setting up and configuring NixOS. It belongs in the /etc/nixos directory.</p><p></p><p>The primary focus of the config is security. For example, I have a $25 YubiKey, which is a thin offline USB insert that Google helped popularize, offering 2nd-factor authentication. I have added the necessary packages and included comments on how to set it up. This 2nd factor is added to logins and sudo commands.</p><p></p><p>I have also inserted some firewall rules which drop unwanted packets early and override what the default firewall rules accept. For example, packets that are of the 'new' state should never happen in a home setting: you reach outbound with your browser and send requests to the web site, and the returning traffic from the web site is of the state 'established'. So you can safely drop all 'new' packets. An attack would create 'new' packets. One would only encounter legit 'new' packets when one has a web server and thus has never-before-seen incoming traffic. Windows Defender firewall rules don't have this capability. You should also drop tcp dport 6000:6007 traffic; they allow connections to an old X Windows entry point, you have been warned. Firewall rules are your first line of defense, but there are ways around firewalls, like manipulating IP fragments and firewall optimisation behaviour. So the next thing to do is to reduce the amount of software and daemons (services) that run. Every unnecessary piece adds to your 'attack surface': your running pieces are potential targets of exploits. Systemd is responsible for executing daemons like svchost is responsible for starting services in Windows. But Linux has hardening options which can be added to each service's configuration text file: like restricting it from affecting the kernel, accessing your home folders, manipulating devices, denying any IP traffic, and many more. Then there are useless standard programs that come along with Gnome, my chosen window manager. And there is a place to specify which ones to eliminate. It's like going to Settings / Apps and removing programs like Sticky Notes (which requires an MS account and lets MS read your notes and offer to sell additional things to you). Except in NixOS, you do it all in one text file, set it up once, and it can be re-used and re-applied whenever you do a re-install, without repeating all the manual labor.</p><p></p><p>My additions are preceded with the comment '###MY'. Anyways, here it is:</p><p>[ICODE]</p><pre>
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
# lib is added to the argument set because lib.mkForce is used below.
{ config, pkgs, lib, ... }:
{
  imports =
    [ ./restrict-nix-env.nix # Path to your module file
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # imports = [
  #   ./restrict-nix-env.nix # Path to your module file
  # ];
  # lib.mkForce = "/etc/nixos/configuration.nix";

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.

  #####MY CHANGES
  networking.enableIPv6 = false;
  # networking.tcpcrypt.enable = true ;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  # "America/California" (as originally posted) is not a tzdata zone name;
  # America/Los_Angeles is the zone that covers California.
  time.timeZone = "America/Los_Angeles";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable GNOME Desktop Environment.
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;

  # Configure keymap in X11
  services.xserver = {
    layout = "us";
    xkbVariant = "";
  };

  # Enable CUPS to print documents.
  # services.printing.enable = true;
  ###MY CHANGE
  services.ipp-usb.enable = false;
  services.printing.enable = false;
  services.avahi.enable = false;

  networking.firewall.package = pkgs.iptables;
  networking.firewall.enable = true;
  # These rules are inserted at the head of the INPUT chain, ahead of the
  # NixOS-generated nixos-fw chain, so they are evaluated before the loopback
  # accept and before the ports opened in allowedTCPPorts.
  networking.firewall.extraCommands = ''
    iptables -I INPUT 1 -f -j DROP
    iptables -I INPUT 2 -m state --state NEW -j DROP
    iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP
    iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP
    iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP
    iptables -I INPUT 6 -p udp --dport 6000:6007 -j DROP
    iptables -I INPUT 7 -p tcp --dport 22:23 -j DROP
    iptables -I INPUT 8 -m state --state RELATED -j DROP
    iptables -I INPUT 9 -p tcp --dport 5353 -j DROP
    iptables -I INPUT 10 -p udp --dport 5353 -j DROP
  '';
  networking.firewall.allowedTCPPorts = [ 443 ];

  ###MY CONFIG SECURITY
  security.apparmor.enable = true;
  nix.settings.sandbox = true;
  #programs.firefox = {
  #  package = pkgs.firefox ;
  #  security.sandbox = pkgs.sandboxed; # Basic sandbox with some restrictions
  #  # OR (for more granular control)
  #  security.sandbox = pkgs.firefox.apparmor;
  # };
  # Rest of your configuration

  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  ###MY CHANGES
  hardware.pulseaudio.support32Bit = true;
  # hardware.pulseaudio.extraConfig = "load-module module-combine-sink";
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = false;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.victor = {
    isNormalUser = true;
    description = "victor";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [
      # thunderbird
    ];
  };
  services.pcscd.enable = true;
  security.pam.yubico = {
    enable = true;
    # debug = true;
    control = "required";
    mode = "challenge-response";
    ### challenge-response needs a configuration written to the YubiKey with the YubiKey personalization tool, installed below;
    ### then a "challenge-*" file is written to ~/.yubico with the command "ykpamcfg -2 -v"
    ### id generated by: nix-shell --command 'ykinfo -s' -p yubikey-personalization
    id = [ "xxxxxxx" ];
  };
  ###MY USER 2
  users.users.user2 = {
    isNormalUser = true;
    description = "User2";
    packages = with pkgs; [
      # thunderbird
    ];
  };

  # Allow unfree packages
  ###MY CHANGE
  nixpkgs.config.allowUnfree = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  ###MY PACKAGES
  environment.systemPackages = with pkgs; [
    # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    # wget
    libreoffice
    gedit
    iftop
    deja-dup
    nmap
    opera
    yubioath-flutter
    yubikey-manager-qt
    yubikey-touch-detector
    yubikey-personalization-gui
    yubikey-manager
    pam_u2f
    yubikey-personalization
    libu2f-host
    yubico-pam
    chromium
    apparmor-pam
    apparmor-utils
    apparmor-parser
    apparmor-profiles
    apparmor-bin-utils
    apparmor-kernel-patches
    libapparmor
    strace
  ];
  nixpkgs.config = {
    # allowUnfree = true; # Important: Set to true first ( ### already set above )
    # pkg.name carries the version ("opera-<version>"), so compare the bare name.
    # Note that allowUnfree = true above already permits everything, so this
    # predicate only matters if that line is removed.
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "opera" ];
  };
  environment.defaultPackages = [];
  ###MY CONFIG
  # Disable Deprecated media server
  services.dleyna-server.enable = false;
  ###MY CONFIG: HARDENING
  services.gnome.rygel.enable = false;
  services.gnome.gnome-remote-desktop.enable = false;
  # As posted, the next three settings were wrapped in a string assigned to
  # lib.mkForce, which is not an option, so they were never applied. The GNOME
  # module enables evolution-data-server itself, so the override needs mkForce
  # on the value:
  services.gnome.evolution-data-server.enable = lib.mkForce false;
  # "zzz" is the placeholder from the post; put the users allowed to talk to
  # the Nix daemon here (e.g. "victor"), or non-root users cannot run nix at all.
  nix.settings.allowed-users = [ "zzz" ];
  systemd.services.nscd.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any"; # a string, as in the blocks below; a bare `any` is an undefined variable
    NoNewPrivileges = true;
  };
  services.gnome.gnome-user-share.enable = false;
  ###MY HARDENING: The following disables ModemManager and other systemd daemons, by defining a pre-requisite of avahi.service, which depends on its setting of 'enable = false' above.
  systemd.services."reload-systemd-vconsole-setup".after = [ "avahi.service" ];
  systemd.services."reload-systemd-vconsole-setup".requisite = [ "avahi.service" ];
  systemd.services."getty@".after = [ "avahi.service" ];
  systemd.services."getty@".requisite = [ "avahi.service" ];
  systemd.services."colord".after = [ "avahi.service" ];
  systemd.services."colord".requisite = [ "avahi.service" ];
  systemd.services."network-local-commands".after = [ "avahi.service" ];
  systemd.services."network-local-commands".requisite = [ "avahi.service" ];
  systemd.services."bolt".after = [ "avahi.service" ];
  systemd.services."bolt".requisite = [ "avahi.service" ];
  systemd.services."ModemManager".after = [ "avahi.service" ];
  systemd.services."ModemManager".requisite = [ "avahi.service" ];
  systemd.services."wpa_supplicant".after = [ "avahi.service" ];
  systemd.services."wpa_supplicant".requisite = [ "avahi.service" ];
  services.geoclue2.enable = false;
  nixpkgs.config.packageOverrides = pkgs: {
    # blacklistedPackage1 = null;
    # anotherBadPackage = null;
    sshd = null;
  };
  ###MY HARDENING
  networking.useDHCP = false;
  services.dbus.implementation = "broker";
  boot.initrd.systemd.dbus.enable = false;
  services.xserver.updateDbusEnvironment = false;
  systemd.services.dbus-broker.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";
    NoNewPrivileges = true;
  };
  systemd.services.accounts-daemon.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";
    NoNewPrivileges = true;
  };

  ###This is an official option, but it doesn't work to disable wpa_supplicant
  # networking.wireless.enable = false;

  ###MY CHANGE
  # disable all music things since I can't find the name of the 'music' app
  services.polaris.enable = false;
  services.navidrome.enable = false;
  services.gonic.enable = false;
  services.mpd.enable = false;
  services.mopidy.enable = false;
  services.jmusicbot.enable = false;
  programs.geary.enable = false;

  ###MY ADDITIONS, things I don't use
  environment.gnome.excludePackages = with pkgs; [
    gnome.gnome-music
    gnome.totem
  ];
  ###MY CHANGE. This is supposed to stop the desired protocols
  networking.extraHosts = ''
    0.0.0.0 multicast
    0.0.0.0 bootpc
  '';
  services.prometheus.exporters.modemmanager.enable = false;

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
}
</pre><p>[/ICODE]</p></blockquote><p></p>
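The post applies the same systemd sandboxing directives to nscd, dbus-broker and accounts-daemon as three copied blocks, and tries to force evolution-data-server off by assigning a string to `lib.mkForce`. The module below is an added example, not code from Victor M's post: it keeps the profile in one place, generates the per-unit settings from a list, and shows where `mkForce` actually goes. The file name `harden.nix` and the helper names `hardenedUnits`, `sandboxProfile` and `hardenService` are assumptions introduced here.

```nix
# /etc/nixos/harden.nix (hypothetical file name; add it to `imports` in configuration.nix).
# Added example, not code from the post: it applies one systemd sandboxing
# profile to the daemons the post hardens one by one, and shows the mkForce override.
{ lib, ... }:

let
  # Units from the post that receive the restrictive profile. `hardenedUnits`
  # and `hardenService` are names introduced here, not NixOS options.
  hardenedUnits = [ "nscd" "dbus-broker" "accounts-daemon" ];

  # The directives from the post's serviceConfig blocks; each is a plain systemd
  # setting documented in systemd.exec(5) and systemd.resource-control(5).
  sandboxProfile = {
    ProtectHome = true;            # /home, /root and /run/user appear empty to the unit
    ProtectControlGroups = true;   # /sys/fs/cgroup is read-only
    ProtectKernelModules = true;   # module loading is refused, CAP_SYS_MODULE dropped
    ProtectKernelTunables = true;  # /proc/sys and /sys are read-only
    MemoryDenyWriteExecute = true; # no writable-and-executable memory mappings
    LockPersonality = true;        # personality(2) is locked to the default
    IPAddressDeny = "any";         # all IP traffic refused; a systemd string, not a Nix identifier
    NoNewPrivileges = true;        # setuid/setcap binaries cannot raise privileges
  };

  # One module fragment per unit: { systemd.services.<name>.serviceConfig = profile; }.
  # For units shipped by a package (dbus-broker, accounts-daemon) NixOS applies
  # these settings to the existing unit instead of requiring a rewritten unit file.
  hardenService = name: {
    systemd.services.${name}.serviceConfig = sandboxProfile;
  };
in
{
  config = lib.mkMerge (
    (map hardenService hardenedUnits)
    ++ [{
      # gnome.nix enables evolution-data-server itself, so a plain `= false`
      # is a conflicting definition. mkForce wraps the value; assigning a
      # string to `lib.mkForce` (as in the post) defines no option at all.
      services.gnome.evolution-data-server.enable = lib.mkForce false;
    }]
  );
}
```

After `nixos-rebuild switch`, `systemd-analyze security nscd.service` (and the other two units) scores the resulting sandbox, and `journalctl -u <unit>` shows whether a daemon broke under it; `MemoryDenyWriteExecute` and `IPAddressDeny=any` are the two directives most likely to do that.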