ADD template for security desktop

main
LUCAZEAU Alexandre 2023-10-22 14:16:52 +02:00
parent 74a7fbc330
commit 60876aa336
8 changed files with 646 additions and 0 deletions

hosts/template/README.md Normal file

@ -0,0 +1,172 @@
# Procédure d'installation d'un poste sécurisé.
La procédure ci-dessous permet de mettre en place un poste sécurisé. Les fichiers de ce dépôt ont vocation à être utilisés comme template.
Le disque est chiffré, l'authentification des comptes utilisateurs nécessite une clé hardware et un mot de passe (2FA).
Le déchiffrement du poste nécessite également une clé hardware (FIDO2).
Pour la sécurité, **apparmor** et **clamav** sont installés.
Le compte utilisateur ne peut pas devenir root, il faut passer par un compte tiers. Sous **nixos** il n'y a pas pas beaucoup d'intéret puisque nous utilisons **home-manager** pour installer des applications, mais c'est une bonne pratique.
Ce template installe gnome comme environnement de bureau, pour sa polyvalence.
Pour aller plus loins en matière de sécurité, nous pouvons supprimer les mots de passes de déchiffrement. Attention, la suppression des mots de passes rend impossible l'ajout d'une clé (matériel) ou d'un nouveau mot de passe.
**systemd-cryptenroll** permet de créer un mo de passe de récupération. Il est généré par l'ordinateur avec beaucoup d'entropie.
Personnellement, j'ai une clé yubikey, une clé nitrokey et un mot de passe de récupération, stocké dans une base chiffrée.
# Partie 1 : installation de base
Le poste dispose d'un EFI, le disque sera chiffré
## partitionnement
gdisk /dev/sda
* ````o```` creation d'une nouvelle table de partitions
* ```n``` ajouter une partition de 500M de type ef00 pour l'EFI
* ```` n ```` ajouter une partition avec le reste de l'espace disponible, type 8300
* ```` w ```` on valide la table et on sort
### Chiffrement
cryptsetup luksFormat /dev/sda2 # création d'un volume chiffré
cryptsetup luksOpen /dev/sda2 enc-pv # ouverture du volume chiffré sur le point /dev/mapper/enc-vp
### Partitionnement LVM
Création de deux volumes logiques LVM. Le premier de 8Go pour la swap (j'ai 8Go de RAM) et le second pour la racine
pvcreate /dev/mapper/enc-pv
vgcreate vg /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg
lvcreate -l '100%FREE' -n root vg
### formattage
mkfs.fat /dev/sda1
mkfs.ext4 -L root /dev/vg/root
mkswap -L swap /dev/vg/swap
## Pré-installation
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
swapon /dev/vg/swap
## Préparation de l'installation
nixos-generate-config --root /mnt
A partir de là le template peut-être installé.
nix-shell -p git
git clone https://git.atlanticaweb.fr/alexandre/nixos-config.git
Enfin dans le hardware.nix, il faut ajouter le volume /boot pour qu'il soit dans le **fstab** puis ajouter le chargement dans l'initrd du LVM et du déchiffrement. ça nous donne :
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0BEC-722D";
fsType = "vfat";
};
boot.initrd.luks.devices = {
"partitions" = {
device = "/dev/sda2";
preLVM = true;
};
};
## Notes sur la sécurisation u2f et le déchiffrement via clé FIDO2
### Pour la partie authentification u2f
L'authentification u2f avec une clée Yubikey 5 nécessite une configuration par utilisateur.
nix-shell -p pam_u2f
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
Si vous avez 2 clés, pour ajouter la seconde clé :
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
### Pour le déchiffrement de la partition LUKS avec le protocole FIDO2
Pour cette partie, il faut regénéré l'initrd avec le support FIDO2 et l'ajout de systemd.
Pour cela il faut modifier :
boot.initrd.luks.devices = {
"partitions" = {
device = "/dev/sda2";
preLVM = true;
};
};
en :
boot.initrd.luks.devices = {
"partitions" = {
device = "/dev/sda2";
preLVM = true;
crypttabExtraOpts = ["fido2-device=auto"];
};
};
boot.initrd.systemd.enable = true;
L'ajout des clés de déchiffrement se fait simplement via :
systemd-cryptenroll --fido2-device=auto /dev/sda2
ou pour un déchiffrement uniquement via clé fido2 :
systemd-cryptenroll --unlock-fido2-device=auto /dev/sda2
Cette commande est à exécutée pour chaque clée que vous possédez.
Pour générer une clé de récupération :
systemd-cryptenroll --recovery-key /dev/sda2
Pour supprimer une clée d'un slot :
systemd-cryptenroll --wipe-slot=2 #supprime la clé du slot 2
Pour supprimer tous les mots de passe :
systemd-cryptenroll --wipe-slot=password /dev/sda2
Pour supprimer toutes les clés :
systemd-cryptenroll --wipe-slot=fido2 /dev/sda2
## Installation
On peut démarrer l'installation avec :
nixos-install
reboot
En cas d'erreur au reboot, on redémarre sur la clé. POur accéder à la configuration :
cryptsetup luksOpen /dev/sda2 enc-pv
lvchange -a y /dev/vg/swap
lvchange -a y /dev/vg/root
mount /dev/vg/root /mnt
mount /dev/sda1 /mnt/boot
swapon /dev/vg/swap
cp /mnt/etc/wpa_supplicant.conf /etc
Au reboot, je me connecte en root et je change le password de mon user.
# Configuration utilisateur
## home-manager
J'ai opté pour une installation locale à mon utilisateur de home-manager
ajouter le dépot correspondant à la version en cours de nixpkgs :
nix-channel --add https://github.com/nix-community/home-manager/archive/release-22.11.tar.gz home-manager
mise à jour de la base
nix-channel --update
reboot
Installation
nix-shell '<home-manager>' -A install
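Review bot: the home-manager channel this README has the reader add (`release-22.11.tar.gz`) does not match the `home.stateVersion = "23.05"` and `system.stateVersion = "23.05"` declared by the other files in this commit; the home-manager release is expected to track the nixpkgs release, so the channel should point at `release-23.05`. Three smaller points in the cryptenroll section: `systemd-cryptenroll --wipe-slot=2` is missing the `/dev/sda2` argument that every other `systemd-cryptenroll` line carries; `--unlock-fido2-device=auto` on its own only chooses how the volume is unlocked for an enrollment and does not enroll a token, so the "déchiffrement uniquement via clé fido2" step should be the `--fido2-device=auto` enrollment followed by the `--wipe-slot=password` step already described further down; and the text says to edit `hardware.nix` while the file in this commit is `hardware-configuration.nix`.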


@ -0,0 +1,84 @@
{ config, pkgs, theme, ... }:
{
programs.firefox = {
enable = true;
package = pkgs.wrapFirefox pkgs.firefox-unwrapped {
extraPolicies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = false;
NoDefaultBookmarks = true;
OfferToSaveLogins = true;
OfferToSaveLoginsDefault = true;
PasswordManagerEnabled = true;
FirefoxHome = {
Search = true;
Pocket = false;
Snippets = false;
TopSites = false;
Highlights = false;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
};
};
};
profiles = {
alexandre = {
id = 0;
name = "alexandre";
search = {
force = true;
default = "Google";
engines = {
"Nix Packages" = {
urls = [{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
};
"NixOS Wiki" = {
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
iconUpdateURL = "https://nixos.wiki/favicon.png";
updateInterval = 24 * 60 * 60 * 1000;
definedAliases = [ "@nw" ];
};
"Wikipedia (en)".metaData.alias = "@wiki";
"Google".metaData.hidden = false;
"Amazon.com".metaData.hidden = true;
"Bing".metaData.hidden = true;
"eBay".metaData.hidden = true;
};
};
extensions = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
privacy-badger
keepassxc-browser
clearurls
decentraleyes
floccus
languagetool
disconnect
];
settings = {
"general.smoothScroll" = true;
};
# extraConfig = ''
# user_pref("full-screen-api.ignore-widgets", true);
# user_pref("media.ffmpeg.vaapi.enabled", true);
# user_pref("media.rdd-vpx.enabled", true);
# '';
};
};
};
}
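Review bot: `PasswordManagerEnabled = true` and `OfferToSaveLogins = true` keep Firefox's built-in credential store active while `keepassxc-browser` is installed through `extensions`, so on this template credentials can end up in two stores; if KeePassXC is the intended vault, set `PasswordManagerEnabled`, `OfferToSaveLogins` and `OfferToSaveLoginsDefault` to `false`. `DisableFirefoxAccounts = false` also leaves Sync available, which uploads bookmarks, history and any saved logins to Mozilla, which is worth a deliberate decision on a hardened desktop. Minor: the `theme` argument on the first line is never used in this module.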


@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
imports = [
./firefox.nix
];
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = "alexandre";
home.homeDirectory = "/home/alexandre";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "23.05"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# You can also manage environment variables but you will have to manually
# source
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/alexandre/etc/profile.d/hm-session-vars.sh
#
# if you don't want to manage your shell through Home Manager.
home.sessionVariables = {
# EDITOR = "emacs";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}
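Review bot: the `home.packages = [ ... ];` and `home.file = { ... };` blocks are the `home-manager init` boilerplate with every example left commented out, yet the README says applications are installed through home-manager; either populate `home.packages` with the user's packages (firefox is currently pulled in by `users.extraUsers.alexandre.packages` in configuration.nix instead) or drop the empty blocks and their `# #` comments so the template stays readable. The `config` argument is only referenced inside commented-out code.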


@ -0,0 +1,177 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./services.nix
./extra_hw.nix
];
boot = {
loader.systemd-boot.enable = true;
loader.grub.efiSupport = true;
loader.grub.efiInstallAsRemovable = true;
loader.grub.device = "nodev";
plymouth.enable = true;
tmp.cleanOnBoot = true ;
kernelParams = [ "i915.enable_fbc=1" ];
};
networking = {
hostName = "d2nix"; # Define your hostname.
networkmanager.enable = true;
firewall.enable = true;
};
# Set your time zone.
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "fr_FR.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "fr";
};
fonts = {
fontDir.enable = true;
enableGhostscriptFonts = true;
fonts = with pkgs; [
corefonts
vistafonts
powerline-fonts
inconsolata
terminus_font
proggyfonts
dejavu_fonts
font-awesome
nerdfonts
source-code-pro
source-sans-pro
source-serif-pro
iosevka
roboto-mono
fira-code
];
};
#sound.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users = {
groups.ntp = {};
defaultUserShell = "/run/current-system/sw/bin/fish";
extraUsers.alexandre = {
isNormalUser = true;
home = "/home/alexandre";
description = "alexandre";
extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "scanner" "plocate" "lp" ];
packages = with pkgs; [
firefox
gitAndTools.gitFull
];
};
extraUsers.oem = {
isNormalUser = true;
home = "/home/oem";
description = "oem";
extraGroups = [ "wheel" "networkmanager" ];
};
};
environment.variables = {
EDITOR = "nvim";
BROWSER = "firefox";
LESS = "--quit-if-one-screen --RAW-CONTROL-CHARS";
TERMINAL = "xfce4-terminal";
PRIVATE_BROWSER = "firefox -private";
};
security = {
rtkit.enable = true; # for pipewire
apparmor.enable = true;
pam = {
u2f = {
enable = true;
control = "requisite";
};
services = {
login.u2fAuth = true;
lightdm.u2fAuth = true;
gdm.u2fAuth = true;
};
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config = {
allowUnfree = true;
};
nix.settings.auto-optimise-store = true;
nix.gc = {
automatic = true;
dates = "weekly";
persistent = true;
options = "--delete-older-than 10d";
};
programs = {
htop = {
enable = true;
settings.show_cpu_temperature = 1;
};
fish = {
enable = true;
interactiveShellInit = ''
set -gx EDITOR nvim
'';
shellAliases = {
ll = "ls -l";
ls = "lsd";
cat = "bat";
sysrs = "sudo nixos-rebuild switch";
sysup = "sudo nixos-rebuild switch --upgrade";
sysclean = "sudo nix-collect-garbage -d; and sudo nix-store --optimise";
# nvim = "nvim -u ~/.config/nvim/init.lua";
};
};
};
environment.systemPackages = with pkgs; [
neovim
bat
lsd
pam_u2f
gsmartcontrol
lm_sensors
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
nixpkgs.config.packageOverrides = pkgs: {
nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
inherit pkgs;
};
};
}
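Review bot: `extraUsers.alexandre.extraGroups` contains `"wheel"` (and `"docker"` and `"libvirtd"`, both of which are root-equivalent), which contradicts the README's statement that the user account cannot become root and that escalation goes through a separate account; if `oem` is that separate account, remove `wheel`, `docker` and `libvirtd` from `alexandre` and consider `security.sudo.execWheelOnly = true` so only that account can run sudo. Two further points: `nixpkgs.config.packageOverrides` imports NUR from `https://github.com/nix-community/NUR/archive/master.tar.gz` with no `sha256`, so every rebuild pulls whatever is on master and the Firefox extensions in firefox.nix come from an unpinned third-party source; pin a revision with a hash, or add NUR as a flake input since `flakes` is already in `experimental-features`. And `boot` enables `loader.systemd-boot` while also setting `loader.grub.efiSupport`, `loader.grub.efiInstallAsRemovable` and `loader.grub.device = "nodev"`; only one loader is installed, so keep one set of lines and delete the other to avoid a misleading config.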


@ -0,0 +1,33 @@
{ config, pkgs, ... }:
{
hardware = {
cpu.intel.updateMicrocode = true;
enableAllFirmware = true;
pulseaudio.enable = false;
bluetooth = {
enable = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
logitech = {
wireless.enable = true;
wireless.enableGraphical = true;
};
opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
libvdpau-va-gl
];
};
};
# Video acceleration
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
}
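Review bot: `enableAllFirmware = true` also pulls in firmware with non-redistributable licences and only evaluates because `allowUnfree = true` is set in configuration.nix; for a template meant to be reused on other hardware, `enableRedistributableFirmware = true` is the usual choice and avoids coupling this module to the unfree setting. `cpu.intel.updateMicrocode = true` here duplicates the `mkDefault` line in hardware-configuration.nix, and the `config` argument on the first line is unused.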


@ -0,0 +1,49 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "vfat" "nls_cp437" "nls_iso8859-1" ];
boot.initrd.kernelModules = [ "dm-snapshot" "coretemp" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8eea016d-9dd3-4149-8e5c-014d7d90695f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0382-3D00";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/1ffd2601-020f-4635-923b-4053676070d7"; }
];
# boot.initrd.luks.yubikeySupport = true;
boot.initrd.luks.devices = {
"partitions" = {
device = "/dev/sda2";
preLVM = true;
crypttabExtraOpts = ["fido2-device=auto"];
};
};
boot.initrd.systemd.enable = true;
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f0u10.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
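Review bot: the header says this file is generated by `nixos-generate-config` and may be overwritten, yet the `boot.initrd.luks.devices` block and `boot.initrd.systemd.enable = true` below `swapDevices` are hand-added (the README's step tells the reader to put them here), so a later `nixos-generate-config` run silently drops the disk-unlock configuration and the FIDO2 crypttab option; move those lines into configuration.nix or a dedicated module next to `services.nix` and `extra_hw.nix`. Also `device = "/dev/sda2"` is the only device in this file not referenced through `/dev/disk/by-uuid/...`; a kernel device name can change between boots (for example with a USB disk attached), which would leave the initrd waiting on the wrong device.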


@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
}


@ -0,0 +1,51 @@
{ config, pkgs, ... }:
{
services = {
avahi = {
enable = true;
openFirewall = true;
};
clamav = {
daemon.enable = true;
updater.enable = true;
};
ntp = {
enable = true;
};
thermald = {
enable = true;
};
fstrim = {
enable = true;
};
locate = {
enable = true;
locate = pkgs.plocate;
interval = "hourly";
localuser = null;
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Enable the X11 windowing system.
xserver = {
enable = true;
# Configure keymap in X11
layout = "fr";
xkbOptions = "eurosign:e,caps:escape";
# Enable the GNOME Desktop Environment.
displayManager.gdm.enable = true;
desktopManager.gnome.enable = true;
};
};
}
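Review bot: `avahi.openFirewall = true` opens UDP/5353 on a host the README presents as hardened, and nothing else in this commit depends on mDNS; unless discovery of printers or other hosts is required, drop `openFirewall` so the machine does not answer mDNS queries from the network. Also `clamav.daemon.enable` together with `updater.enable` only starts clamd and keeps signatures current; nothing in the commit runs `clamdscan` on a timer or configures on-access scanning, so the README's claim that clamav protects the host holds only once a scan job is added.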