security-nix

Category: System/Network Security
Development tool: Nix
File size: 0KB
Downloads: 0
Upload date: 2023-10-12 15:59:33
Uploader: sh-1993
Description: A collection of nix modules for running a secure NixOS server

File list:
.editorconfig (204, 2023-12-30)
.pre-commit-config.yaml (823, 2023-12-30)
.whitesource (213, 2023-12-30)
LICENSE (1073, 2023-12-30)
flake.lock (1496, 2023-12-30)
flake.nix (1635, 2023-12-30)
looney/ (0, 2023-12-30)
looney/default.nix (257, 2023-12-30)
looney/glibc.nix (602, 2023-12-30)
looney/workaround/ (0, 2023-12-30)
looney/workaround/default.nix (11230, 2023-12-30)
looney/workaround/wrapper.c (7340, 2023-12-30)
looney/workaround/wrapper.nix (627, 2023-12-30)
modules/ (0, 2023-12-30)
modules/disablemod.nix (2237, 2023-12-30)
modules/hostfw.nix (2022, 2023-12-30)

# security-nix [![Daily build](https://github.com/fiksn/security-nix/actions/workflows/daily.yml/badge.svg)](https://github.com/fiksn/security-nix/actions/workflows/daily.yml) [![tippin.me](https://badgen.net/badge/%E2%9A%A1%EF%B8%8Ftippin.me/@fiksn/F0918E)](https://tippin.me/@fiksn)

A collection of [nix](https://nixos.org/) modules for running a secure NixOS server

You might want to import:

```
```

## Hostfw

Hostfw is a module for managing the firewall. Using this simple abstraction you can open a certain UDP or TCP port for a list of trusted IPs instead of having to call low-level code (like directly calling `iptables` or modifying `networking.firewall.extraCommands`).

### Usage

```
imports = [ ./hostfw.nix ];

# networking.firewall.allowedTCPPorts = [ 80 443 ];
services.hostfw = {
  enable = true;
  tcpPortAllowIpList = [
    { port = 80; ips = trustedIps; }
    { port = 443; ips = trustedIps; }
  ];
};
```

## Disablemod

I had trouble with `security.lockKernelModules`. Without that set to false, `boot.blacklistedKernelModules` does not prevent a particular module from being loaded.

### Usage

```
imports = [ ./disablemod.nix ];

services.disablemod = {
  enable = true;
  modules = with config.services.disablemod; cisRecommendedModules ++ cisNoUsbRecommendedModules;
};
```

## Nginx [Cloudflare](https://www.cloudflare.com/)

This is used to allow traffic just from [Cloudflare](https://www.cloudflare.com/) [IPs](https://www.cloudflare.com/ips/).

### Usage

```
virtualHosts."demo.local" = {
  locations."/" = {
    extraConfig = ''
      include ${security.lib.nginxCfAllow};
    '';
  };
};
```

## CVE-2023-4911: Looney Tunables - Local Privilege Escalation workaround

This was forked from https://github.com/NixOS/nixpkgs/pull/259039

### Usage

```
outputs = { self, nixpkgs, security }: {
  nixosConfigurations = {
    "server" = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ... ] ++ [ security.nixosModule.looneyHack ];
    };
  };
};
```
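As an added illustration for the Hostfw section (this is not code from the security-nix repository), the module below places the `services.hostfw` form next to the hand-written `networking.firewall.extraCommands` rules it spares you from writing, with the all-sources `allowedTCPPorts` setting shown as the weak alternative. `trustedIps` and `webPorts` are constructed sample values, and the shape of `manualRules` is an assumption about what such a module generates, not hostfw's actual output.

```nix
# Added example, not part of the security-nix repository.
{ config, lib, ... }:

let
  # Constructed sample values: the only source addresses that may reach the web ports.
  trustedIps = [ "203.0.113.10" "198.51.100.0/24" ];
  webPorts = [ 80 443 ];

  # One iptables rule per (ip, port) pair, using NixOS's own nixos-fw chains.
  # Assumption: this is the kind of rule a port/IP-list abstraction produces;
  # hostfw's real output may differ.
  manualRules = lib.concatStringsSep "\n" (lib.concatMap (port:
    map (ip: "iptables -A nixos-fw -p tcp -s ${ip} --dport ${toString port} -j nixos-fw-accept")
      trustedIps) webPorts);
in
{
  imports = [ ./hostfw.nix ];

  # Weak setting: allowedTCPPorts opens the ports to every source address,
  # so it is deliberately left unset here.
  # networking.firewall.allowedTCPPorts = webPorts;

  # Declarative form with the hostfw module: one entry per port, same IP list.
  services.hostfw = {
    enable = true;
    tcpPortAllowIpList = map (port: { inherit port; ips = trustedIps; }) webPorts;
  };

  # The low-level path hostfw replaces. Kept under mkIf false so the two forms
  # do not both apply; flip it to true (and disable hostfw) to compare results.
  networking.firewall.extraCommands = lib.mkIf false manualRules;
}
```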
