NixOS: its strengths, weaknesses and how to fix them
[QUOTE="Victor M, post: 1084522, member: 96560"]
Made some changes to have a partially secure configuration. You need to do a 2-stage installation process.

First you change Gnome Settings > Networking > and set the network Ethernet and WiFi to manual and to use a static IP, and also you turn off Automatic DNS and give it your favourite DNS servers, like '9.9.9.9,149.112.112.112' which specifies Quad9. The use of a manual IP will get rid of the bootp protocol, which can be an attack vector.

Then you add these lines to the default '/etc/nixos/configuration.nix'. These lines give you a set of modified firewall rules. You don't need to be online; the changes do not need to fetch anything online.

[CODE]
services.printing.enable = false;
# networking.enableIPv6 = false;
services.avahi.enable = false;
# services.ipp-usb.enable = false;
networking.firewall.enable = true;
networking.useDHCP = false;
networking.firewall.extraCommands = ''
  iptables -I INPUT 1 -f -j DROP
  iptables -I INPUT 2 -m state --state NEW -j DROP
  iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP
  iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP
  iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP
  iptables -I INPUT 6 -p udp --sport 68 -j DROP
  iptables -I INPUT 7 -p tcp --sport 68 -j DROP
  iptables -I INPUT 8 -m state --state RELATED -j DROP
  iptables -I INPUT 9 -p tcp --dport 5353 -j DROP
  iptables -I INPUT 10 -p udp --dport 5353 -j DROP
'';
[/CODE]

Now do a 'sudo nixos-rebuild switch'. This puts the firewall rules into effect.

Then issue this command: 'sudo nix-channel --add channels.nixos.org/nixos-unstable nixos'
If the command doesn't work, add 'https://' in front of that channel; MT changed it to something else when I had the https:// in front.
This sets the update channel to unstable, which gives you the most recent packages.
Additionally, some of the options below depend on the unstable channel.

Then you use the following 'configuration.nix':
[CODE]
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

# `lib` is needed below for lib.mkForce.
{ config, lib, pkgs, ... }:

{
  imports =
    [ ./restrict-nix-env.nix # Path to your module file
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # imports = [
  #   ./restrict-nix-env.nix # Path to your module file
  # ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.

  ##### MY CHANGES
  networking.enableIPv6 = false;
  # networking.tcpcrypt.enable = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable GNOME Desktop Environment.
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;

  # Configure keymap in X11
  services.xserver = {
    layout = "us";
    xkbVariant = "";
  };

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  ### MY CHANGE
  services.ipp-usb.enable = false;
  services.printing.enable = false;
  services.avahi.enable = false;
  networking.firewall.package = pkgs.iptables;
  networking.firewall.enable = true;
  # Rule numbers are sequential (the original had two rules numbered 7 and a
  # mis-spelled --dPort, which iptables rejects).
  networking.firewall.extraCommands = ''
    iptables -I INPUT 1 -f -j DROP
    iptables -I INPUT 2 -m state --state NEW,RELATED -j DROP
    iptables -I INPUT 3 -p tcp --tcp-flags ALL ALL -j DROP
    iptables -I INPUT 4 -p tcp --tcp-flags ALL NONE -j DROP
    iptables -I INPUT 5 -p tcp --dport 6000:6007 -j DROP
    iptables -I INPUT 6 -p udp --sport 68 -j DROP
    iptables -I INPUT 7 -p tcp --sport 68 -j DROP
    iptables -I INPUT 8 -p tcp --dport 22:23 -j DROP
    iptables -I INPUT 9 -p tcp --dport 5353 -j DROP
    iptables -I INPUT 10 -p udp --dport 5353 -j DROP
  '';
  networking.firewall.allowedTCPPorts = [ 443 ];

  ### MY CONFIG SECURITY
  security.apparmor.enable = true;
  nix.settings.sandbox = true;

  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  ### MY CHANGES
  hardware.pulseaudio.support32Bit = true;
  # hardware.pulseaudio.extraConfig = "load-module module-combine-sink";
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = false;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;
  };

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.victor = {
    isNormalUser = true;
    description = "Victor";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [
      # thunderbird
    ];
  };
  services.pcscd.enable = true;
  security.pam.yubico = {
    enable = true;
    # debug = true;
    control = "required";
    mode = "challenge-response";
    ### challenge-response needs a configuration written to the yubikey with the yubikey personalization tool, installed below
    ### then a "challenge" file is written to ~/.yubico with the command "ykpamcfg -2 -v"
    ### id generated by: nix-shell --command 'ykinfo -s' -p yubikey-personalization
    id = [ "11084705" ];
  };

  users.users.user2 = {
    isNormalUser = true;
    description = "User2";
    packages = with pkgs; [
      # thunderbird
    ];
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  ### MY PACKAGES
  environment.systemPackages = with pkgs; [
    # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    # wget
    libreoffice
    gedit
    iftop
    deja-dup
    nmap
    # opera
    yubioath-flutter
    yubikey-manager-qt
    yubikey-touch-detector
    yubikey-personalization-gui
    yubikey-manager
    pam_u2f
    yubikey-personalization
    libu2f-host
    yubico-pam
    chromium
    apparmor-pam
    apparmor-utils
    apparmor-parser
    apparmor-profiles
    apparmor-bin-utils
    apparmor-kernel-patches
    libapparmor
    strace
  ];
  nixpkgs.config = {
    # allowUnfree = true; # Important: Set to true first
    allowUnfreePredicate = pkg: builtins.elem pkg.name [ "opera" ];
  };

  environment.defaultPackages = [];

  ### MY CONFIG
  # Disable Deprecated media server
  services.dleyna-server.enable = false;

  ### MY CONFIG
  # HARDENING
  services.gnome.rygel.enable = false;
  services.gnome.gnome-remote-desktop.enable = false;
  # The GNOME module enables evolution-data-server itself, so the override
  # must be forced (the original wrapped this whole section in a bogus
  # lib.mkForce = "..." string, which never took effect).
  services.gnome.evolution-data-server.enable = lib.mkForce false;
  # nix.settings.allowed-users = [ "zzz" ]; # replace zzz with the user names allowed to use nix
  systemd.services.nscd.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";
    NoNewPrivileges = true;
  };

  services.gnome.gnome-user-share.enable = false;
  ### The following disables ModemManager (and the other units listed) by making
  ### avahi.service a requisite of each; avahi is disabled above (enable = false).
  systemd.services."reload-systemd-vconsole-setup".after = [ "avahi.service" ];
  systemd.services."reload-systemd-vconsole-setup".requisite = [ "avahi.service" ];
  systemd.services."getty@".after = [ "avahi.service" ];
  systemd.services."getty@".requisite = [ "avahi.service" ];
  systemd.services."colord".after = [ "avahi.service" ];
  systemd.services."colord".requisite = [ "avahi.service" ];
  systemd.services."network-local-commands".after = [ "avahi.service" ];
  systemd.services."network-local-commands".requisite = [ "avahi.service" ];
  systemd.services."bolt".after = [ "avahi.service" ];
  systemd.services."bolt".requisite = [ "avahi.service" ];
  systemd.services."ModemManager".after = [ "avahi.service" ];
  systemd.services."ModemManager".requisite = [ "avahi.service" ];
  systemd.services."wpa_supplicant".after = [ "avahi.service" ];
  systemd.services."wpa_supplicant".requisite = [ "avahi.service" ];
  services.geoclue2.enable = false;
  nixpkgs.config.packageOverrides = pkgs: {
    # blacklistedPackage1 = null;
    # anotherBadPackage = null;
    sshd = null;
  };
  networking.useDHCP = false;
  services.dbus.implementation = "broker";
  boot.initrd.systemd.dbus.enable = false;
  services.xserver.updateDbusEnvironment = false;
  systemd.services.dbus-broker.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";
    NoNewPrivileges = true;
  };
  systemd.services.accounts-daemon.serviceConfig = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";
    NoNewPrivileges = true;
  };

  # disable all music things since I can't find the name of the 'music' app
  services.polaris.enable = false;
  services.navidrome.enable = false;
  services.gonic.enable = false;
  services.mpd.enable = false;
  services.mopidy.enable = false;
  services.jmusicbot.enable = false;
  programs.geary.enable = false;

  environment.gnome.excludePackages = with pkgs; [
    # pkgs.gnome-music.org
    gnome.gnome-music
    gnome.totem
  ];

  networking.extraHosts = ''
    0.0.0.0 multicast
    0.0.0.0 bootpc
  '';
  services.prometheus.exporters.modemmanager.enable = false;

  # List services that you want to enable:

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?

}
[/CODE]

Remember to reboot.

Today 2024-04-24, the package deja-dup did not install as requested in the 'configuration.nix'. Maybe it is due to using the unstable channel. So I have to do 'nix-env -i deja-dup'. This installs the Gnome Backup program, without which you cannot restore from backup.

Now do this to mount /nix/store as writable: 'sudo /run/wrappers/bin/mount -o remount,rw /nix/store'

Next, do a 'whereis nix'. This gives you the base location of the 'nix-env' command and 'nixos-rebuild' command. Use 'ls -la' to follow the path revealed. Copy the found path, and do a 'ls -la' with that path. Repeat until you find the true location, not just a link, where it will show you the file permissions, which include o+x. Then do 'sudo chmod o-x' with the correct path which is not a link.

Repeat the steps above changing the permissions of curl.

Now reboot. This will re-mount /nix/store to be read-only again as intended by the distro.

Remember you have to repeat these 2 things, changing the file permissions of nix and curl, whenever you rebuild. Or anybody who gains access to your account will be able to install anything they wish.
[/QUOTE]
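Two things the post's "HARDENING" section struggles with are overriding an option that the GNOME desktop module sets on its own (evolution-data-server), and repeating the same systemd sandboxing block for each service. The module below is an added example written for this thread, not code from the post or from NixOS, showing the idiomatic form of both: `lib.mkForce` wraps the value rather than the option name, and one shared attribute set is applied to several units with `lib.genAttrs`. It also shows `nix.settings.allowed-users`, the supported way to stop other local accounts from using the nix daemon, which the chmod-on-/nix/store routine at the end of the post is trying to achieve. The user name `victor` is the post's admin account; the list of sandboxed services and the file name are assumptions.

```nix
# /etc/nixos/hardening.nix  (added example; import it from configuration.nix with
#   imports = [ ./hardening.nix ./hardware-configuration.nix ];)
{ lib, ... }:

let
  # One sandboxing profile, written once and reused below. These are the same
  # systemd directives the post repeats verbatim for nscd, dbus-broker and
  # accounts-daemon.
  sandboxed = {
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
    IPAddressDeny = "any";      # a string; a bare `any` would be an undefined variable
    NoNewPrivileges = true;
  };

  # Units that get the profile (assumption: the three the post targets).
  sandboxedServices = [ "nscd" "dbus-broker" "accounts-daemon" ];
in
{
  # The GNOME module enables evolution-data-server unconditionally, so a plain
  # `= false` is a conflicting definition. lib.mkForce on the VALUE makes this
  # definition win; `lib.mkForce = "..."` as an attribute name does nothing.
  services.gnome.evolution-data-server.enable = lib.mkForce false;

  # Only these accounts may connect to the nix daemon (so nix-env, nix-shell and
  # nixos-rebuild fail for everyone else). Trusted users (root by default) are
  # always allowed. "victor" is the post's admin user.
  nix.settings.allowed-users = [ "victor" ];

  # Apply the shared profile: genAttrs turns the list into
  #   { nscd = { serviceConfig = sandboxed; }; dbus-broker = ...; ... }
  # which the module system merges with each unit's existing definition.
  systemd.services = lib.genAttrs sandboxedServices
    (name: { serviceConfig = sandboxed; });
}
```

Because `allowed-users` is enforced by the daemon rather than by file mode bits, it survives `nixos-rebuild switch` and does not need the remount-and-chmod steps to be repeated after every rebuild.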