refactor: rename modules folder

2025-04-10 16:28:33 +08:00 · 2025-04-10 16:28:33 +08:00 · 2a80ef07bf
commit 2a80ef07bf
parent f082ed8ac0
69 changed files with 16 additions and 16 deletions
--- a/configs/networking.nix
+++ b/configs/networking.nix
@ -0,0 +1,74 @@
+{
+  hostname,
+  lib,
+  config,
+  ...
+}:
+{
+  systemd.services.NetworkManager-dispatcher.serviceConfig = {
+    ProtectClock = true; # Prevents the service from changing the system time or timezone.
+    ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
+    ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
+    ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
+    SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
+    ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
+    RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
+    LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
+    MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
+    RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
+    RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
+  };
+
+  systemd.services.NetworkManager.serviceConfig = {
+    ProtectClock = true; # Prevents the service from changing the system time or timezone.
+    ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
+    ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
+    ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
+    SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
+    ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
+    RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
+    LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
+    MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
+    RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
+    RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
+  };
+
+  networking = {
+    hostName = hostname;
+    useDHCP = lib.mkDefault true;
+    networkmanager.enable = true;
+    networkmanager.wifi.backend = "iwd";
+
+    # Configures a simple stateful firewall.
+    # By default, it doesn't allow any incoming connections.
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+        5353 # spotifyd
+      ];
+      allowedUDPPorts = [
+        5353 # spotifyd
+      ];
+    };
+
+    interfaces.enp12s0.wakeOnLan.policy = [
+      "phy"
+      "unicast"
+      "multicast"
+      "broadcast"
+      "arp"
+      "magic"
+      "secureon"
+    ];
+    interfaces.enp12s0.wakeOnLan.enable = true;
+  };
+  services.openssh = {
+    enable = true;
+    settings.PrintMotd = true;
+  };
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets.ts_auth_key.path;
+  };
+}