reidlab/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

some security touchups

Browse source
This commit is contained in:
Reid 2024-08-01 17:15:47 -07:00
parent 5558bf7ee8
commit 4a7d8858e5
Signed by: reidlab
GPG key ID: DAF5EAF6665839FD
1 changed files with 33 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

64
modules/security.nix
View file

@ -13,40 +13,40 @@ in {
tmp.useTmpfs = lib.mkDefault true; tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
kernel.sysctl = { kernel.sysctl = {
# magic sysrq key, allows low-level commands through keyboard input # magic sysrq key, allows low-level commands through keyboard input
"kernel.sysrq" = 0; "kernel.sysrq" = 0;
## TCP hardening ## TCP hardening
# prevent bogus ICMP errors from filling up logs # prevent bogus ICMP errors from filling up logs
"net.ipv4.icmp_ignore_bogus_error_responses" = 1; "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# do not accept IP source packets (we are not a router) # do not accept IP source packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0; "net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0;
# don't send ICMP redirects (again, we're not a router) # don't send ICMP redirects (again, we're not a router)
"net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0;
# refuse ICMP redirects (MITM mitigations) # refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0;
# protects against SYN flood attacks # protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_syncookies" = 1;
# incomplete protection against TIME-WAIT assassination # incomplete protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1; "net.ipv4.tcp_rfc1337" = 1;
## TCP optimization ## TCP optimization
# TCP fastopen # TCP fastopen
"net.ipv4.tcp_fastopen" = 3; "net.ipv4.tcp_fastopen" = 3;
# bufferbloat mitigations + improvement in throughput and latency # bufferbloat mitigations + improvement in throughput and latency
"net.ipv4.tcp_conjestion_control" = "bbr"; "net.ipv4.tcp_conjestion_control" = "bbr";
"net.core.default_qdisc" = "cake"; "net.core.default_qdisc" = "cake";
};
kernelModules = [ "tcp_bbr" ];
}; };
kernelModules = [ "tcp_bbr" ];
};
security = { security = {
# prevents replacing the kernel without a reboot # prevents replacing the kernel without a reboot
@ -59,6 +59,8 @@ in {
# personal computer? no firewall ty :3 # personal computer? no firewall ty :3
networking.firewall.enable = false; networking.firewall.enable = false;
# TODO: usbguard
} // (mkIf cfg.useDoas { } // (mkIf cfg.useDoas {
security.sudo.enable = false; security.sudo.enable = false;
security.doas.enable = true; security.doas.enable = true;