mirror of
https://github.com/kuhyx/testsAndMisc.git
synced 2026-07-04 15:03:01 +02:00
93 lines
2.7 KiB
Nix
93 lines
2.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.linuxConfigPoc;
|
|
repo = toString cfg.repoPath;
|
|
commonScriptPath = with pkgs; [
|
|
bash
|
|
coreutils
|
|
findutils
|
|
gawk
|
|
gnugrep
|
|
gnused
|
|
util-linux
|
|
];
|
|
|
|
customHostsEntries = pkgs.runCommand "linux-config-custom-hosts" { } ''
|
|
sed -n '/^# Custom blocking entries$/,/^EOF$/p' ${cfg.repoPath}/hosts/install.sh \
|
|
| sed '$d' > "$out"
|
|
'';
|
|
in {
|
|
config = lib.mkIf cfg.enable {
|
|
networking.extraHosts = builtins.readFile customHostsEntries;
|
|
|
|
# Protect hosts lookup ordering against bypasses.
|
|
system.nssDatabases.hosts = [ "files" "myhostname" "dns" ];
|
|
|
|
systemd.services.hosts-guard = {
|
|
description = "Enforce canonical /etc/hosts contents";
|
|
after = [ "local-fs.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = "${repo}/hosts/guard/enforce-hosts.sh";
|
|
Nice = "10";
|
|
IOSchedulingClass = "idle";
|
|
};
|
|
path = commonScriptPath;
|
|
};
|
|
|
|
systemd.paths.hosts-guard = {
|
|
description = "Watch /etc/hosts and trigger enforcement";
|
|
wantedBy = [ "multi-user.target" ];
|
|
pathConfig = {
|
|
PathChanged = [ "/etc/hosts" ];
|
|
Unit = "hosts-guard.service";
|
|
};
|
|
};
|
|
|
|
systemd.services.nsswitch-guard = {
|
|
description = "Enforce canonical /etc/nsswitch.conf (prevents hosts bypass)";
|
|
after = [ "local-fs.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = "${repo}/hosts/guard/enforce-nsswitch.sh";
|
|
Nice = "10";
|
|
IOSchedulingClass = "idle";
|
|
};
|
|
path = commonScriptPath;
|
|
};
|
|
|
|
systemd.paths.nsswitch-guard = {
|
|
description = "Watch /etc/nsswitch.conf for tampering";
|
|
wantedBy = [ "multi-user.target" ];
|
|
pathConfig = {
|
|
PathChanged = [ "/etc/nsswitch.conf" ];
|
|
Unit = "nsswitch-guard.service";
|
|
};
|
|
};
|
|
|
|
systemd.services.resolved-guard = {
|
|
description = "Enforce canonical /etc/systemd/resolved.conf (prevents hosts bypass)";
|
|
after = [ "local-fs.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = "${repo}/hosts/guard/enforce-resolved.sh";
|
|
Nice = "10";
|
|
IOSchedulingClass = "idle";
|
|
};
|
|
path = commonScriptPath;
|
|
};
|
|
|
|
systemd.paths.resolved-guard = {
|
|
description = "Watch /etc/systemd/resolved.conf for tampering";
|
|
wantedBy = [ "multi-user.target" ];
|
|
pathConfig = {
|
|
PathChanged = [ "/etc/systemd/resolved.conf" "/etc/systemd/resolved.conf.d" ];
|
|
Unit = "resolved-guard.service";
|
|
};
|
|
};
|
|
};
|
|
}
|