fix systemd-tmpfiles

configuration.nix

@@ -133,8 +133,8 @@
   boot.kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;
 
   boot = {
-    # 6.12 LTS until 2026
+    # 6.18 LTS until 2027
-    kernelPackages = pkgs.linuxPackages_6_12_hardened;
+    kernelPackages = pkgs.linuxPackages_6_18;
 
     loader = {
       # Use the systemd-boot EFI boot loader.

modules/security.nix

@@ -13,12 +13,89 @@
   # disable coredumps
   systemd.coredump.enable = false;
 
-  # The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
+  # Needed for Nix sandbox UID/GID mapping inside derivation builds.
-  # prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
+  # See https://github.com/NixOS/nixpkgs/issues/287194
-  # that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
-  # served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
   security.unprivilegedUsernsClone = true;
 
+  # Disable kexec to prevent replacing the running kernel at runtime.
+  security.protectKernelImage = true;
+
+  # Kernel hardening boot parameters. These recover most of the runtime-
+  # configurable protections that the linux-hardened patchset provided.
+  boot.kernelParams = [
+    # Zero all page allocator pages on free / alloc. Prevents info leaks
+    # and use-after-free from seeing stale data. Modest CPU overhead.
+    "init_on_alloc=1"
+    "init_on_free=1"
+
+    # Prevent SLUB allocator from merging caches with similar size/flags.
+    # Keeps different kernel object types in separate slabs, making heap
+    # exploitation (type confusion, spray, use-after-free) significantly harder.
+    "slab_nomerge"
+
+    # Randomize order of pages returned by the buddy allocator.
+    "page_alloc.shuffle=1"
+
+    # Disable debugfs entirely (exposes kernel internals).
+    "debugfs=off"
+
+    # Disable legacy vsyscall emulation (unused by any modern glibc).
+    "vsyscall=none"
+
+    # Strict IOMMU TLB invalidation (no batching). Prevents DMA-capable
+    # devices from accessing stale mappings after unmap.
+    "iommu.strict=1"
+  ];
+
+  boot.kernel.sysctl = {
+    # Immediately reboot on kernel oops (don't leave a compromised
+    # kernel running). Negative value = reboot without delay.
+    "kernel.panic" = -1;
+
+    # Hide kernel pointers from all processes, including CAP_SYSLOG.
+    # Prevents info leaks used to defeat KASLR.
+    "kernel.kptr_restrict" = 2;
+
+    # Disable bpf() JIT compiler (eliminates JIT spray attack vector).
+    "net.core.bpf_jit_enable" = false;
+
+    # Disable ftrace (kernel function tracer) at runtime.
+    "kernel.ftrace_enabled" = false;
+
+    # Strict reverse-path filtering: drop packets arriving on an interface
+    # where the source address isn't routable back via that interface.
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.log_martians" = true;
+    "net.ipv4.conf.default.log_martians" = true;
+
+    # Ignore ICMP redirects (prevents route table poisoning).
+    "net.ipv4.conf.all.accept_redirects" = false;
+    "net.ipv4.conf.all.secure_redirects" = false;
+    "net.ipv4.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.default.secure_redirects" = false;
+    "net.ipv6.conf.all.accept_redirects" = false;
+    "net.ipv6.conf.default.accept_redirects" = false;
+
+    # Don't send ICMP redirects (we are not a router).
+    "net.ipv4.conf.all.send_redirects" = false;
+    "net.ipv4.conf.default.send_redirects" = false;
+
+    # Ignore broadcast ICMP (SMURF amplification mitigation).
+    "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+    # Filesystem hardening: prevent hardlink/symlink-based attacks.
+    # protected_hardlinks/symlinks: block unprivileged creation of hard/symlinks
+    # to files the user doesn't own (prevents TOCTOU privilege escalation).
+    # protected_fifos/regular (level 2): restrict opening FIFOs and regular files
+    # in world-writable sticky directories to owner/group match only.
+    # Also required for systemd-tmpfiles to chmod hardlinked files.
+    "fs.protected_hardlinks" = true;
+    "fs.protected_symlinks" = true;
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+  };
+
   services = {
     dbus.implementation = "broker";
     /*

services/harmonia.nix

@@ -17,8 +17,22 @@
     settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
   };
 
+  # serve latest deploy store paths (unauthenticated — just a path string)
+  # CI writes to /var/lib/dotfiles-deploy/<hostname> after building
   services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+    handle_path /deploy/* {
+        root * /var/lib/dotfiles-deploy
+        file_server
+    }
+
+    handle {
         import ${config.age.secrets.nix-cache-auth.path}
         reverse_proxy :${toString service_configs.ports.private.harmonia.port}
-  '';
+    }
+  '';
+
+  # directory for CI to record latest deploy store paths
+  systemd.tmpfiles.rules = [
+    "d /var/lib/dotfiles-deploy 0755 gitea-runner gitea-runner"
+  ];
 }