From 619a00618dae1b5ff5562de23f2fcd8b5541d97c Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Fri, 24 Jan 2025 10:19:55 -0600
Subject: [PATCH] moreclean up and more hardening

---
 nixos/hosts/shadowfax/default.nix | 49 ++++++++-----------
 .../nixos/services/qbittorrent/default.nix | 40 +++++----------
 2 files changed, 32 insertions(+), 57 deletions(-)

diff --git a/nixos/hosts/shadowfax/default.nix b/nixos/hosts/shadowfax/default.nix
index c2374c0..68625e7 100644
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@@ -4,28 +4,26 @@
 inputs,
 pkgs,
 ...
-}:
-let
- sanoidConfig = import ./config/sanoid.nix { };
+}: let
+ sanoidConfig = import ./config/sanoid.nix {};
 disks = import ./config/disks.nix;
- smartdDevices = map (device: { inherit device; }) disks;
-in
-{
+ smartdDevices = map (device: {inherit device;}) disks;
+in {
 imports = [
 inputs.disko.nixosModules.disko
 (import ../../profiles/disko-nixos.nix {
- disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ];
+ disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
 })
 inputs.nix-minecraft.nixosModules.minecraft-servers
 ];
 boot = {
 initrd = {
- kernelModules = [ "nfs" ];
- supportedFilesystems = [ "nfs" ];
+ kernelModules = ["nfs"];
+ supportedFilesystems = ["nfs"];
 };
- binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for arm compilation
+ binfmt.emulatedSystems = ["aarch64-linux"]; # Enabled for arm compilation
 kernelModules = [
 "vfio"
@@ -33,11 +31,11 @@ in
 "vfio_pci"
 "vfio_virqfd"
 ];
- extraModulePackages = [ ];
- kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
+ extraModulePackages = [];
+ kernelParams = ["zfs.zfs_arc_max=107374182400"]; # 100GB
 };
- swapDevices = [ ];
+ swapDevices = [];
 hardware = {
 cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -47,7 +45,7 @@ in
 nvidia-container-toolkit.enable = true;
 };
- users.users.root.openssh.authorizedKeys.keys = [ ];
+ users.users.root.openssh.authorizedKeys.keys = [];
 # Network settings
 networking = {
@@ -73,11 +71,6 @@ in
 };
 };
- # Programs
- environment.systemPackages = with pkgs; [
- # Headless qBittorrent
- qbittorrent-nox
- ];
-
 programs = {
 # 1Password cli
 _1password.enable = true;
@@ -124,7 +117,7 @@ in
 # Minio
 minio = {
 enable = true;
- dataDir = [ "/eru/minio" ];
+ dataDir = ["/eru/minio"];
 rootCredentialsFile = config.sops.secrets."minio".path;
 };
@@ -151,7 +144,7 @@ in
 # Soft Serve - SSH git server
 soft-serve = {
 enable = true;
- settings = import ./config/soft-serve.nix { };
+ settings = import ./config/soft-serve.nix {};
 };
 # Tailscale
@@ -163,7 +156,7 @@ in
 # VSCode Compatibility Settings
 vscode-server.enable = true;
- xserver.videoDrivers = [ "nvidia" ];
+ xserver.videoDrivers = ["nvidia"];
 };
 # sops
@@ -173,19 +166,19 @@ in
 owner = "minio";
 group = "minio";
 mode = "400";
- restartUnits = [ "minio.service" ];
+ restartUnits = ["minio.service"];
 };
 "syncthing/publicCert" = {
 sopsFile = ./secrets.sops.yaml;
 owner = "jahanson";
 mode = "400";
- restartUnits = [ "syncthing.service" ];
+ restartUnits = ["syncthing.service"];
 };
 "syncthing/privateKey" = {
 sopsFile = ./secrets.sops.yaml;
 owner = "jahanson";
 mode = "400";
- restartUnits = [ "syncthing.service" ];
+ restartUnits = ["syncthing.service"];
 };
 # "caddy/env" = {
 # sopsFile = ./secrets.sops.yaml;
@@ -236,7 +229,7 @@ in
 # qBittorrent
 qbittorrent = {
 enable = true;
- package = pkgs.unstable.qbittorrent.override { guiSupport = false; };
+ package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
 user = "qbittorrent";
 group = "qbittorrent";
 dataDir = "/nahar/qbittorrent";
@@ -259,9 +252,9 @@ in
 system = {
 incus = {
 enable = true;
- preseed = import ./config/incus-preseed.nix { };
+ preseed = import ./config/incus-preseed.nix {};
 };
- motd.networkInterfaces = [ "bond0" ];
+ motd.networkInterfaces = ["bond0"];
 nfs.enable = true;
 zfs.enable = true;
 zfs.mountPoolsAtBoot = [
diff --git a/nixos/modules/nixos/services/qbittorrent/default.nix b/nixos/modules/nixos/services/qbittorrent/default.nix
index 698708d..2c9c9e4 100644
--- a/nixos/modules/nixos/services/qbittorrent/default.nix
+++ b/nixos/modules/nixos/services/qbittorrent/default.nix
@@ -78,6 +78,7 @@ in
 };
 environment.systemPackages = [
+ cfg.package
 ];
 systemd.services.qbittorrent = {
@@ -88,34 +89,13 @@ in
 QBT_DOWNLOADS_PATH = "${cfg.dataDir}/downloads";
 XDG_CONFIG_HOME = cfg.dataDir;
 XDG_DATA_HOME = cfg.dataDir;
- CONFIG_DIR = "${cfg.dataDir}";
- CONFIG_FILE = "${cfg.dataDir}/qBittorrent.conf";
+ CONFIG_DIR = "${cfg.dataDir}/qBittorrent";
+ CONFIG_FILE = "${cfg.dataDir}/qBittorrent/config/qBittorrent.conf";
 LOG_DIR = "${cfg.dataDir}/logs";
 LOG_FILE = "${cfg.dataDir}/logs/qbittorrent.log";
 };
- preStart = ''
- # Ensure config directory exists
- mkdir -p "$CONFIG_DIR"
-
- # Set up log directory and file
- mkdir -p "$LOG_DIR"
-
- # Copy default config if it doesn't exist
- if [[ ! -f "$CONFIG_FILE" ]]; then
- cat > "$CONFIG_FILE" << EOF
- [BitTorrent]
- Session\DefaultSavePath=${cfg.downloadsDir}
- Session\Port=${toString cfg.qbittorrentPort}
- Session\TempPath=${cfg.downloadsDir}/temp
- EOF
- fi
-
- # Ensure correct permissions
- chown -R ${cfg.user}:${cfg.group} "$CONFIG_DIR"
- '';
-
- serviceConfig =
+ serviceConfig = lib.mkMerge [
 {
 ExecStart = "${cfg.package}/bin/qbittorrent-nox --profile=${cfg.dataDir}";
 ReadWritePaths = [
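Review bot: With `preStart` removed, nothing in the `@@ -88` hunk creates `${cfg.dataDir}` or `${cfg.dataDir}/logs` or hands them to `cfg.user`, while `ExecStart` still passes `--profile=${cfg.dataDir}` and the following hunk adds `User = cfg.user;`, so on a fresh host the unit would presumably fail on a missing or root-owned profile directory. Dropping the root-run `chown -R` over a data directory is itself a sound hardening step; its replacement belongs in a declarative rule next to the service, e.g. `systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.dataDir}/logs 0750 ${cfg.user} ${cfg.group} -" ];`. The `CONFIG_DIR`, `CONFIG_FILE`, `LOG_DIR` and `LOG_FILE` variables were consumed only by the deleted script; as far as the hunk shows nothing reads them now, so either drop them or add a comment naming their consumer. The `systemd.services.qbittorrent` attrset and the `ReadWritePaths` list both continue outside the hunk.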
@@ -124,9 +104,12 @@ in
 ];
 Restart = "on-failure";
 RestartSec = 5;
+ User = cfg.user;
+ Group = cfg.group;
 }
- // lib.mkIf cfg.hardening {
- CapabilityBoundingSet = [ ];
+ (lib.mkIf cfg.hardening {
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -141,8 +124,6 @@ in
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
- "AF_NETLINK"
- "AF_UNIX"
 ];
 RestrictNamespaces = [
 "uts"
@@ -159,7 +140,8 @@ in
 "~@privileged"
 "~@resources"
 ];
- };
+ })
+ ];
 };
 networking.firewall = mkIf cfg.openFirewall {
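Review bot: `CapabilityBoundingSet = [ "" ];` and `DeviceAllow = [ "" ];` in the `@@ -124` hunk read like a typo next to the old `[ ]`, but the empty string is what makes NixOS emit a bare `CapabilityBoundingSet=` / `DeviceAllow=` line, which systemd treats as "clear the list", whereas `[ ]` emits no directive at all and leaves the defaults in force; that deserves a comment so the next cleanup does not revert it: `# "" renders as an empty assignment, which systemd reads as "allow nothing"; [ ] would omit the directive entirely`. Putting `User`/`Group` in the unconditional attrset is the right place, since running unprivileged should not depend on `cfg.hardening`; as far as this hunk shows the unit previously had no `User=`, so this is the substantive hardening of the commit, and together with the dropped `chown -R` it means the data directory must already be owned by `cfg.user`. The `serviceConfig` mkMerge opened in the previous hunk closes in the `@@ -159` hunk.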
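Review bot: Removing `AF_NETLINK` and `AF_UNIX` from `RestrictAddressFamilies` in the `@@ -141` hunk is likely to break qbittorrent-nox rather than merely tighten it: libtorrent on Linux presumably enumerates interfaces and routes over rtnetlink for listen-interface binding, and glibc name resolution via nscd or systemd-resolved's nss module presumably opens AF_UNIX sockets before falling back to plain DNS, so `socket()` would return `EAFNOSUPPORT` under this policy. Before merging, confirm on the host with `journalctl -u qbittorrent` after a restart and, if in doubt, an `strace -f -e trace=socket` of the unit; if `AF_NETLINK` turns out to be required, keep it and document why `AF_UNIX` can be dropped. Either way a one-line comment next to the list, `# AF_UNIX and AF_NETLINK deliberately excluded; verified against the running unit on <date>`, would stop a later reviewer from re-adding them unexamined. The enclosing `lib.mkIf cfg.hardening` attrset starts in the previous hunk and closes in the next.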