diff --git a/hosts/template/README.md b/hosts/template/README.md
new file mode 100644
index 0000000..2e17939
--- /dev/null
+++ b/hosts/template/README.md
@@ -0,0 +1,172 @@
+# Procédure d'installation d'un poste sécurisé.
+La procédure ci-dessous permet de mettre en place un poste sécurisé. Les fichiers de ce dépôt ont vocation à être utilisés comme template.
+
+Le disque est chiffré, l'authentification des comptes utilisateurs nécessite une clé hardware et un mot de passe (2FA).
+Le déchiffrement du poste nécessite également une clé hardware (FIDO2).
+
+Pour la sécurité, **apparmor** et **clamav** sont installés.
+
+Le compte utilisateur ne peut pas devenir root, il faut passer par un compte tiers. Sous **nixos** il n'y a pas pas beaucoup d'intéret puisque nous utilisons **home-manager** pour installer des applications, mais c'est une bonne pratique.
+Ce template installe gnome comme environnement de bureau, pour sa polyvalence.
+
+Pour aller plus loins en matière de sécurité, nous pouvons supprimer les mots de passes de déchiffrement. Attention, la suppression des mots de passes rend impossible l'ajout d'une clé (matériel) ou d'un nouveau mot de passe.
+**systemd-cryptenroll** permet de créer un mo de passe de récupération. Il est généré par l'ordinateur avec beaucoup d'entropie.
+
+Personnellement, j'ai une clé yubikey, une clé nitrokey et un mot de passe de récupération, stocké dans une base chiffrée.
+
+# Partie 1 : installation de base
+Le poste dispose d'un EFI, le disque sera chiffré
+
+## partitionnement
+
+ gdisk /dev/sda
+
+ * ````o```` creation d'une nouvelle table de partitions
+ * ```n``` ajouter une partition de 500M de type ef00 pour l'EFI
+ * ```` n ```` ajouter une partition avec le reste de l'espace disponible, type 8300
+ * ```` w ```` on valide la table et on sort
+
+### Chiffrement
+
+ cryptsetup luksFormat /dev/sda2 # création d'un volume chiffré
+ cryptsetup luksOpen /dev/sda2 enc-pv # ouverture du volume chiffré sur le point /dev/mapper/enc-vp
+
+### Partitionnement LVM
+Création de deux volumes logiques LVM.
Le premier de 8Go pour la swap (j'ai 8Go de RAM) et le second pour la racine
+
+ pvcreate /dev/mapper/enc-pv
+ vgcreate vg /dev/mapper/enc-pv
+ lvcreate -L 8G -n swap vg
+ lvcreate -l '100%FREE' -n root vg
+
+### formattage
+
+ mkfs.fat /dev/sda1
+ mkfs.ext4 -L root /dev/vg/root
+ mkswap -L swap /dev/vg/swap
+
+## Pré-installation
+
+ mount /dev/vg/root /mnt
+ mkdir /mnt/boot
+ mount /dev/sda1 /mnt/boot
+ swapon /dev/vg/swap
+
+## Préparation de l'installation
+
+ nixos-generate-config --root /mnt
+
+A partir de là le template peut-être installé.
+
+ nix-shell -p git
+ git clone https://git.atlanticaweb.fr/alexandre/nixos-config.git
+
+Enfin dans le hardware.nix, il faut ajouter le volume /boot pour qu'il soit dans le **fstab** puis ajouter le chargement dans l'initrd du LVM et du déchiffrement. ça nous donne :
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0BEC-722D";
+ fsType = "vfat";
+ };
+ boot.initrd.luks.devices = {
+ "partitions" = {
+ device = "/dev/sda2";
+ preLVM = true;
+ };
+ };
+
+## Notes sur la sécurisation u2f et le déchiffrement via clé FIDO2
+
+### Pour la partie authentification u2f
+L'authentification u2f avec une clée Yubikey 5 nécessite une configuration par utilisateur.
+
+ nix-shell -p pam_u2f
+ mkdir -p ~/.config/Yubico
+ pamu2fcfg > ~/.config/Yubico/u2f_keys
+
+Si vous avez 2 clés, pour ajouter la seconde clé :
+
+ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
+
+### Pour le déchiffrement de la partition LUKS avec le protocole FIDO2
+Pour cette partie, il faut regénéré l'initrd avec le support FIDO2 et l'ajout de systemd.
+
+Pour cela il faut modifier :
+
+ boot.initrd.luks.devices = {
+ "partitions" = {
+ device = "/dev/sda2";
+ preLVM = true;
+ };
+ };
+
+en :
+
+ boot.initrd.luks.devices = {
+ "partitions" = {
+ device = "/dev/sda2";
+ preLVM = true;
+ crypttabExtraOpts = ["fido2-device=auto"];
+ };
+ };
+ boot.initrd.systemd.enable = true;
+
+L'ajout des clés de déchiffrement se fait simplement via :
+
+ systemd-cryptenroll --fido2-device=auto /dev/sda2
+
+ou pour un déchiffrement uniquement via clé fido2 :
+
+ systemd-cryptenroll --unlock-fido2-device=auto /dev/sda2
+
+Cette commande est à exécutée pour chaque clée que vous possédez.
+
+Pour générer une clé de récupération :
+
+ systemd-cryptenroll --recovery-key /dev/sda2
+
+Pour supprimer une clée d'un slot :
+
+ systemd-cryptenroll --wipe-slot=2 #supprime la clé du slot 2
+
+Pour supprimer tous les mots de passe :
+
+ systemd-cryptenroll --wipe-slot=password /dev/sda2
+
+Pour supprimer toutes les clés :
+
+ systemd-cryptenroll --wipe-slot=fido2 /dev/sda2
+
+## Installation
+On peut démarrer l'installation avec :
+
+ nixos-install
+ reboot
+
+En cas d'erreur au reboot, on redémarre sur la clé. POur accéder à la configuration :
+
+ cryptsetup luksOpen /dev/sda2 enc-pv
+ lvchange -a y /dev/vg/swap
+ lvchange -a y /dev/vg/root
+ mount /dev/vg/root /mnt
+ mount /dev/sda1 /mnt/boot
+ swapon /dev/vg/swap
+ cp /mnt/etc/wpa_supplicant.conf /etc
+
+Au reboot, je me connecte en root et je change le password de mon user.
+
+# Configuration utilisateur
+## home-manager
+J'ai opté pour une installation locale à mon utilisateur de home-manager
+ajouter le dépot correspondant à la version en cours de nixpkgs :
+
+ nix-channel --add https://github.com/nix-community/home-manager/archive/release-22.11.tar.gz home-manager
+
+mise à jour de la base
+
+ nix-channel --update
+ reboot
+
+Installation
+
+ nix-shell '' -A install
+
diff --git a/hosts/template/home-manager/firefox.nix b/hosts/template/home-manager/firefox.nix
new file mode 100644
index 0000000..33b3c1b
--- /dev/null
+++ b/hosts/template/home-manager/firefox.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, theme, ... }:
+{
+
+ programs.firefox = {
+ enable = true;
+ package = pkgs.wrapFirefox pkgs.firefox-unwrapped {
+ extraPolicies = {
+ CaptivePortal = false;
+ DisableFirefoxStudies = true;
+ DisablePocket = true;
+ DisableTelemetry = true;
+ DisableFirefoxAccounts = false;
+ NoDefaultBookmarks = true;
+ OfferToSaveLogins = true;
+ OfferToSaveLoginsDefault = true;
+ PasswordManagerEnabled = true;
+ FirefoxHome = {
+ Search = true;
+ Pocket = false;
+ Snippets = false;
+ TopSites = false;
+ Highlights = false;
+ };
+ UserMessaging = {
+ ExtensionRecommendations = false;
+ SkipOnboarding = true;
+ };
+ };
+ };
+ profiles = {
+ alexandre = {
+ id = 0;
+ name = "alexandre";
+ search = {
+ force = true;
+ default = "Google";
+ engines = {
+ "Nix Packages" = {
+ urls = [{
+ template = "https://search.nixos.org/packages";
+ params = [
+ { name = "type"; value = "packages"; }
+ { name = "query"; value = "{searchTerms}"; }
+ ];
+ }];
+ icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+ definedAliases = [ "@np" ];
+ };
+ "NixOS Wiki" = {
+ urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
+ iconUpdateURL = "https://nixos.wiki/favicon.png";
+ updateInterval = 24 * 60 * 60 * 1000;
+ definedAliases = [ "@nw" ];
+ };
+ "Wikipedia (en)".metaData.alias = "@wiki";
+ "Google".metaData.hidden = false;
+ "Amazon.com".metaData.hidden = true;
+ "Bing".metaData.hidden = true;
+ "eBay".metaData.hidden = true;
+ };
+ };
+
+ extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+ ublock-origin
+ privacy-badger
+ keepassxc-browser
+ clearurls
+ decentraleyes
+ floccus
+ languagetool
+ disconnect
+ ];
+ settings = {
+ "general.smoothScroll" = true;
+ };
+ # extraConfig = ''
+ # user_pref("full-screen-api.ignore-widgets", true);
+ # user_pref("media.ffmpeg.vaapi.enabled", true);
+ # user_pref("media.rdd-vpx.enabled", true);
+ # '';
+ };
+ };
+ };
+}
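Review bot: The module header `{ config, pkgs, theme, ... }:` declares `theme` as a required argument, yet nothing in the hunk reads it, and home.nix in this commit imports the file without supplying extra arguments, so evaluation will fail with a missing-argument error unless `theme` is injected through `extraSpecialArgs` somewhere not shown here. Dropping it, `{ config, pkgs, ... }:`, removes that hidden dependency. The profile is also keyed on the literal `alexandre` (`profiles.alexandre` and `name = "alexandre"`), which undercuts the template purpose of this directory; `profiles.${config.home.username}` with `name = config.home.username;` would follow whatever home.nix sets.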
diff --git a/hosts/template/home-manager/home.nix b/hosts/template/home-manager/home.nix
new file mode 100644
index 0000000..6c453ea
--- /dev/null
+++ b/hosts/template/home-manager/home.nix
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./firefox.nix
+ ];
+ # Home Manager needs a bit of information about you and the paths it should
+ # manage.
+ home.username = "alexandre";
+ home.homeDirectory = "/home/alexandre";
+
+ # This value determines the Home Manager release that your configuration is
+ # compatible with. This helps avoid breakage when a new Home Manager release
+ # introduces backwards incompatible changes.
+ #
+ # You should not change this value, even if you update Home Manager. If you do
+ # want to update the value, then make sure to first check the Home Manager
+ # release notes.
+ home.stateVersion = "23.05"; # Please read the comment before changing.
+
+ # The home.packages option allows you to install Nix packages into your
+ # environment.
+ home.packages = [
+ # # Adds the 'hello' command to your environment. It prints a friendly
+ # # "Hello, world!" when run.
+ # pkgs.hello
+
+ # # It is sometimes useful to fine-tune packages, for example, by applying
+ # # overrides. You can do that directly here, just don't forget the
+ # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
+ # # fonts?
+ # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
+
+ # # You can also create simple shell scripts directly inside your
+ # # configuration. For example, this adds a command 'my-hello' to your
+ # # environment:
+ # (pkgs.writeShellScriptBin "my-hello" ''
+ # echo "Hello, ${config.home.username}!"
+ # '')
+ ];
+
+ # Home Manager is pretty good at managing dotfiles. The primary way to manage
+ # plain files is through 'home.file'.
+ home.file = {
+ # # Building this configuration will create a copy of 'dotfiles/screenrc' in
+ # # the Nix store. Activating the configuration will then make '~/.screenrc' a
+ # # symlink to the Nix store copy.
+ # ".screenrc".source = dotfiles/screenrc;
+
+ # # You can also set the file content immediately.
+ # ".gradle/gradle.properties".text = ''
+ # org.gradle.console=verbose
+ # org.gradle.daemon.idletimeout=3600000
+ # '';
+ };
+
+ # You can also manage environment variables but you will have to manually
+ # source
+ #
+ # ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+ #
+ # or
+ #
+ # /etc/profiles/per-user/alexandre/etc/profile.d/hm-session-vars.sh
+ #
+ # if you don't want to manage your shell through Home Manager.
+ home.sessionVariables = {
+ # EDITOR = "emacs";
+ };
+
+ # Let Home Manager install and manage itself.
+ programs.home-manager.enable = true;
+}
diff --git a/hosts/template/nixos/configuration.nix b/hosts/template/nixos/configuration.nix
new file mode 100644
index 0000000..5c82ea4
--- /dev/null
+++ b/hosts/template/nixos/configuration.nix
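Review bot: `home.stateVersion = "23.05"` is set while the README added in this commit tells the reader to subscribe to the `release-22.11` home-manager channel; `home.stateVersion` is an enum of the releases known to the installed home-manager, so a 22.11 checkout will most likely reject "23.05" at evaluation time. Either bump the channel in the README to match (configuration.nix in this commit also uses `system.stateVersion = "23.05"`, so the channel is the odd one out) or lower the value here. `home.username` and `home.homeDirectory` are also hard-coded to `alexandre` in a file meant as a template; a one-line comment such as `# Template: change username/homeDirectory for each host` would at least flag the two lines that must be edited.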
@@ -0,0 +1,177 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running `nixos-help`).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./services.nix
+ ./extra_hw.nix
+ ];
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.grub.efiSupport = true;
+ loader.grub.efiInstallAsRemovable = true;
+ loader.grub.device = "nodev";
+ plymouth.enable = true;
+ tmp.cleanOnBoot = true ;
+ kernelParams = [ "i915.enable_fbc=1" ];
+ };
+
+ networking = {
+ hostName = "d2nix"; # Define your hostname.
+ networkmanager.enable = true;
+ firewall.enable = true;
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+ fonts = {
+ fontDir.enable = true;
+ enableGhostscriptFonts = true;
+ fonts = with pkgs; [
+ corefonts
+ vistafonts
+ powerline-fonts
+ inconsolata
+ terminus_font
+ proggyfonts
+ dejavu_fonts
+ font-awesome
+ nerdfonts
+ source-code-pro
+ source-sans-pro
+ source-serif-pro
+ iosevka
+ roboto-mono
+ fira-code
+ ];
+ };
+
+ #sound.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users = {
+ groups.ntp = {};
+ defaultUserShell = "/run/current-system/sw/bin/fish";
+ extraUsers.alexandre = {
+ isNormalUser = true;
+ home = "/home/alexandre";
+ description = "alexandre";
+ extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "scanner" "plocate" "lp" ];
+ packages = with pkgs; [
+ firefox
+ gitAndTools.gitFull
+ ];
+ };
+ extraUsers.oem = {
+ isNormalUser = true;
+ home = "/home/oem";
+ description = "oem";
+ extraGroups = [ "wheel" "networkmanager" ];
+ };
+ };
+
+ environment.variables = {
+ EDITOR = "nvim";
+ BROWSER = "firefox";
+ LESS = "--quit-if-one-screen --RAW-CONTROL-CHARS";
+ TERMINAL = "xfce4-terminal";
+ PRIVATE_BROWSER = "firefox -private";
+ };
+
+ security = {
+ rtkit.enable = true; # for pipewire
+ apparmor.enable = true;
+ pam = {
+ u2f = {
+ enable = true;
+ control = "requisite";
+ };
+ services = {
+ login.u2fAuth = true;
+ lightdm.u2fAuth = true;
+ gdm.u2fAuth = true;
+ };
+ };
+ };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ nix.settings.auto-optimise-store = true;
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ persistent = true;
+ options = "--delete-older-than 10d";
+ };
+
+
+ programs = {
+ htop = {
+ enable = true;
+ settings.show_cpu_temperature = 1;
+ };
+ fish = {
+ enable = true;
+ interactiveShellInit = ''
+ set -gx EDITOR nvim
+ '';
+ shellAliases = {
+ ll = "ls -l";
+ ls = "lsd";
+ cat = "bat";
+ sysrs = "sudo nixos-rebuild switch";
+ sysup = "sudo nixos-rebuild switch --upgrade";
+ sysclean = "sudo nix-collect-garbage -d; and sudo nix-store --optimise";
+# nvim = "nvim -u ~/.config/nvim/init.lua";
+ };
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ neovim
+ bat
+ lsd
+ pam_u2f
+ gsmartcontrol
+ lm_sensors
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
+ inherit pkgs;
+ };
+ };
+}
+
diff --git a/hosts/template/nixos/extra_hw.nix b/hosts/template/nixos/extra_hw.nix
new file mode 100644
index 0000000..43a4ce3
--- /dev/null
+++ b/hosts/template/nixos/extra_hw.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+{
+ hardware = {
+ cpu.intel.updateMicrocode = true;
+ enableAllFirmware = true;
+ pulseaudio.enable = false;
+ bluetooth = {
+ enable = true;
+ settings = {
+ General = {
+ Enable = "Source,Sink,Media,Socket";
+ };
+ };
+ };
+ logitech = {
+ wireless.enable = true;
+ wireless.enableGraphical = true;
+ };
+ opengl = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+ };
+ # Video acceleration
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ };
+}
diff --git a/hosts/template/nixos/hardware-configuration.nix b/hosts/template/nixos/hardware-configuration.nix
new file mode 100644
index 0000000..87652bb
--- /dev/null
+++ b/hosts/template/nixos/hardware-configuration.nix
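Review bot: `extraUsers.alexandre` is placed in `wheel`, `docker` and `libvirtd`, which contradicts the design stated in this commit's README that the daily account cannot become root and a separate account is used for that (`extraUsers.oem` already carries `wheel`); Docker's own documentation treats membership in `docker` as root-equivalent, so the separation the README promises does not exist as written. Suggest `extraGroups = [ "networkmanager" "scanner" "plocate" "lp" ];` for `alexandre`, and add `docker`/`libvirtd` only once those daemons are actually enabled (neither appears in services.nix in this commit). Separately, the NUR import at the end, `builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz"`, is unpinned and carries no hash, so each evaluation fetches whatever is on master and the Firefox extensions in firefox.nix come from an unverified, moving source; use the attrset form with a commit archive URL and `sha256 = "<NUR_TARBALL_SHA256>";` so the closure is reproducible and tamper-evident.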
@@ -0,0 +1,49 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "vfat" "nls_cp437" "nls_iso8859-1" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" "coretemp" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/8eea016d-9dd3-4149-8e5c-014d7d90695f";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0382-3D00";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/1ffd2601-020f-4635-923b-4053676070d7"; }
+ ];
+# boot.initrd.luks.yubikeySupport = true;
+ boot.initrd.luks.devices = {
+ "partitions" = {
+ device = "/dev/sda2";
+ preLVM = true;
+ crypttabExtraOpts = ["fido2-device=auto"];
+ };
+ };
+ boot.initrd.systemd.enable = true;
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp0s20f0u10.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/template/nixos/laptop.nix b/hosts/template/nixos/laptop.nix
new file mode 100644
index 0000000..6bb29f2
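Review bot: `boot.initrd.luks.devices."partitions".device = "/dev/sda2"` names the disk by kernel enumeration order while every other device in this file is referenced by UUID; if a second disk or the installer USB stick enumerates first, the initrd will not find the LUKS container and boot stops at the FIDO2 unlock prompt. Use the LUKS header UUID instead, `device = "/dev/disk/by-uuid/<LUKS_UUID>";` (the README in this commit already shows the `by-uuid` form for `/boot`). The header comment also states this file is generated and overwritten by `nixos-generate-config`, so the hand-added luks and `boot.initrd.systemd.enable` block belongs in configuration.nix; left here, the next regeneration silently drops the disk-unlock configuration and the machine no longer boots.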
--- /dev/null
+++ b/hosts/template/nixos/laptop.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+}
diff --git a/hosts/template/nixos/services.nix b/hosts/template/nixos/services.nix
new file mode 100644
index 0000000..de6af0d
--- /dev/null
+++ b/hosts/template/nixos/services.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+ services = {
+ avahi = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ clamav = {
+ daemon.enable = true;
+ updater.enable = true;
+ };
+
+ ntp = {
+ enable = true;
+ };
+
+ thermald = {
+ enable = true;
+ };
+
+ fstrim = {
+ enable = true;
+ };
+
+ locate = {
+ enable = true;
+ locate = pkgs.plocate;
+ interval = "hourly";
+ localuser = null;
+ };
+
+ pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ # Enable the X11 windowing system.
+ xserver = {
+ enable = true;
+ # Configure keymap in X11
+ layout = "fr";
+ xkbOptions = "eurosign:e,caps:escape";
+ # Enable the GNOME Desktop Environment.
+ displayManager.gdm.enable = true;
+ desktopManager.gnome.enable = true;
+ };
+ };
+}
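Review bot: `avahi.openFirewall = true` opens mDNS (UDP 5353) in the firewall that configuration.nix enables, so the host advertises its name and services on every network it joins, which sits oddly with a template the README presents as a hardened workstation. If discovery is only wanted for printing or local name resolution on trusted networks, set `openFirewall = false;` and open the port per connection, or at least add a comment such as `# mDNS exposed on all networks: needed for <reason>` so the exposure is a recorded decision rather than a default. The same review applies to `services.locate` running `hourly` as a template default; it is harmless but worth a short comment explaining why the index is rebuilt that often.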