base/hardening: ban a few more modules

base/mitigations: blacklist modules for copyfail and pintheft
README: add gluttony
2026-05-20 21:41:12 +02:00 · 2026-05-20 16:33:55 +09:00 · 2026-05-20 16:33:55 +09:00 · 2026-05-20 06:24:26 +02:00 · 2026-05-20 06:07:41 +02:00 · 2026-05-19 16:38:34 +02:00
9 changed files with 35 additions and 23 deletions
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
+| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
@@ -57,6 +58,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
+[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -7,7 +7,13 @@
    "ax25"
    "batman-adv"
    "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
    "netrom"
+    "p8022"
+    "p8023"
    "psnap"
    "rds"
    "rose"
@@ -23,7 +29,6 @@
    "cramfs"
    "efs"
    "exofs"
-    "orangefs"
    "freevxfs"
    "gfs2"
    "hfs"
@@ -35,10 +40,12 @@
    "nilfs2"
    "ntfs"
    "omfs"
+    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
+    "udf"
    "ufs"

    # Legacy hardware
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -2,16 +2,19 @@

 {
  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
+
+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
  ];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
 }
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -22,7 +22,7 @@
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
@@ -31,7 +31,7 @@
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
    fsType = "vfat";
    options = [
      "fmask=0077"
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
--- a/values.nix
+++ b/values.nix
@@ -86,10 +86,10 @@ in rec {
      ipv6 = pvv-ipv6 167;
    };
    gluttony = {
-      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:aa07::3b3";
+      ipv4 = "129.241.100.37";
+      ipv4_internal = "192.168.1.219";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
    };
    wenche = {
      ipv4 = pvv-ipv4 240;
Author	SHA1	Message	Date
h7x4	ecc4417e0f	base/hardening: ban a few more modules	2026-05-20 16:33:55 +09:00
h7x4	ffce1bd607	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 16:33:55 +09:00
Vegard Bieker Matthey	e5804c043a	README: add gluttony	2026-05-20 06:24:26 +02:00
Vegard Bieker Matthey	9c227f3022	update gluttony IPs and boot device	2026-05-20 06:07:41 +02:00
Felix Albrigtsen	69fdf709d7	grr: fix the heccin quotes	2026-05-19 16:38:34 +02:00