feat: harden some systemd units

2024-11-27 03:04:43 +01:00 · 2024-11-27 03:04:43 +01:00 · 7e524df309
commit 7e524df309
parent 1f43ca5d2c
9 changed files with 106 additions and 27 deletions
--- a/home/graphical/cliphist.nix
+++ b/home/graphical/cliphist.nix
@ -1,16 +1,25 @@
-{ lib, config, ... }:
+{
+  pkgs,
+  lib,
+  osConfig,
+  ...
+}:
 let
-  package = config.services.cliphist.package;
+  cfg = osConfig.modules.services.cliphist;
+  exec = pkgs.writers.writeBash "rofi-cliphist" {
+    makeWrapperArgs = [
+      "--prefix"
+      "PATH"
+      ":"
+      "${lib.makeBinPath [ pkgs.cliphist ]}"
+    ];
+  } "cliphist-rofi-img";
 in
 {
-  config = lib.mkIf config.services.cliphist.enable {
+  config = lib.mkIf cfg.enable {
    programs.rofi = {
      enable = true;
-      extraConfig = {
-        modes = [
-          "clipboard:${lib.my.checkPath package "cliphist-rofi-img"}"
-        ];
-      };
+      extraConfig.modes = [ "clipboard:${exec}" ];
    };
  };
 }
--- a/home/graphical/swww.nix
+++ b/home/graphical/swww.nix
@ -1,4 +1,10 @@
-{ self, pkgs, ... }:
+{
+  self,
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 {
  systemd.user.services.swww = {
    Install.WantedBy = [ "graphical-session.target" ];
@ -10,22 +16,17 @@
    Service = {
      Type = "simple";
      ExecStart = "${pkgs.swww}/bin/swww-daemon";
+      ExecStartPost = "${pkgs.swww}/bin/swww img ${self + "/assets/landscape-pink-pastel.jpg"} -t wipe";
+
      Restart = "on-failure";
-    };
-  };
-
-  systemd.user.services.swww-set-background = {
-    Install.WantedBy = [ "graphical-session.target" ];
-
-    Unit = {
-      Wants = [ "graphical-session.target" ];
-      After = [ "graphical-session.target" ];
-    };
-
-    Service = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.swww}/bin/swww img ${self + "/assets/landscape-pink-pastel.jpg"} -t wipe";
-    };
+      ProtectHome = "tmpfs";
+      BindPaths = "/run/user /home/${config.home.username}/.cache/swww";
+      ProtectProc = "noaccess";
+      RestrictNamespaces = true;
+      CapabilityBoundingSet = "";
+      PrivateUsers = true;
+      RestrictAddressFamilies = "AF_UNIX";
+    } // lib.my.systemdHardening;
  };

  home.packages = [ pkgs.swww ];
--- a/hosts/brontes/default.nix
+++ b/hosts/brontes/default.nix
@ -38,6 +38,7 @@
    };

    services = {
+      cliphist.enable = true;
      nysh.enable = true;
      tailscale = {
        enable = true;
@ -60,7 +61,10 @@
    };
    media.enableAll = true;
  };
-
+  documentation = {
+    doc.enable = false;
+    man.generateCaches = false;
+  };
  services = {
    displayManager.sddm.enable = true;
    dbus.enable = true;
--- a/hosts/brontes/home.nix
+++ b/hosts/brontes/home.nix
@ -31,7 +31,6 @@
    services = {
      blueman-applet.enable = true;
      syncthing.enable = true;
-      cliphist.enable = true;
    };

    home = {
--- a/hosts/marr/default.nix
+++ b/hosts/marr/default.nix
@ -24,6 +24,7 @@
    };

    services = {
+      cliphist.enable = true;
      nysh.enable = true;
      tailscale = {
        enable = true;
--- a/hosts/marr/home.nix
+++ b/hosts/marr/home.nix
@ -40,7 +40,6 @@
    services = {
      blueman-applet.enable = true;
      syncthing.enable = true;
-      cliphist.enable = true;
    };

    home = {
--- a/options/services/cliphist.nix
+++ b/options/services/cliphist.nix
@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.modules.services.cliphist;
+in
+{
+  options.modules.services.cliphist = {
+    enable = mkEnableOption "cliphist, a clipboard history manager for wayland";
+    package = lib.mkPackageOption pkgs "cliphist" { };
+    extraOptions = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [
+        "-max-items"
+        "250"
+      ];
+      description = ''
+        Flags to append to the cliphist command.
+      '';
+      apply = lib.escapeShellArgs;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.user.services.cliphist = {
+      description = "Clipboard management daemon";
+      partOf = [ "graphical-session.target" ];
+      wantedBy = [ "graphical-session.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.wl-clipboard}/bin/wl-paste --watch ${cfg.package}/bin/cliphist ${cfg.extraOptions} store";
+        Restart = "on-failure";
+      } // lib.my.systemdHardening;
+
+      postStop = "${cfg.package}/bin/cliphist wipe";
+    };
+  };
+}
--- a/options/services/default.nix
+++ b/options/services/default.nix
@ -3,5 +3,6 @@
    ./nysh.nix
    ./tailscale.nix
    ./rsync-backup
+    ./cliphist.nix
  ];
 }
--- a/parts/lib/functions.nix
+++ b/parts/lib/functions.nix
@ -8,6 +8,27 @@ let
  inherit (lib) mkOption;
 in
 {
+
+  systemdHardening = {
+    IPAddressDeny = "any";
+    NoNewPrivileges = true;
+    ProtectSystem = "full";
+    PrivateDevices = true;
+    ProtectKernelTunables = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    MemoryDenyWriteExecute = true;
+    PrivateTmp = true;
+    LockPersonality = true;
+    RestrictRealtime = true;
+    DevicePolicy = "closed";
+    ProtectClock = true;
+    PrivateNetwork = true;
+    ProtectControlGroups = true;
+    SystemCallArchitectures = "native";
+  };
+
  # Verify the existence of a binary inside of a derivation.
  # Returns the path to the binary or throws.
  checkPath =