diff --git a/default.nix b/default.nix index 903ac9d..c287945 100755 --- a/default.nix +++ b/default.nix @@ -24,7 +24,7 @@ in { boot = { kernelPackages = mkDefault pkgs.linuxPackages_latest; - kernelParams = [ "pci_aspm.policy=performance" ]; + kernelParams = [ "pcie_aspm.policy=performance" ]; }; # configure keymap in x11 diff --git a/modules/security.nix b/modules/security.nix index dd99a6b..4bc3f4b 100755 --- a/modules/security.nix +++ b/modules/security.nix @@ -8,82 +8,85 @@ in { useDoas = mkEnableOption "use opendoas instead of sudo"; }; - config = mkIf cfg.enable { - boot = { - tmp.useTmpfs = lib.mkDefault true; - tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); + config = mkMerge [ + { + boot = { + tmp.useTmpfs = lib.mkDefault true; + tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); - # disable kernel parameter editing on boot - loader.systemd-boot.editor = false; + # disable kernel parameter editing on boot + loader.systemd-boot.editor = false; - kernel.sysctl = { - # magic sysrq key, allows low-level commands through keyboard input - "kernel.sysrq" = 0; + kernel.sysctl = { + # magic sysrq key, allows low-level commands through keyboard input + "kernel.sysrq" = 0; - ## TCP hardening - # prevent bogus ICMP errors from filling up logs - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # do not accept IP source packets (we are not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # don't send ICMP redirects (again, we're not a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # incomplete protection against TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; + ## TCP hardening + # prevent bogus ICMP errors from filling up logs + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # do not accept IP source packets (we are not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # don't send ICMP redirects (again, we're not a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # incomplete protection against TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; - ## TCP optimization - # TCP fastopen - "net.ipv4.tcp_fastopen" = 3; - # bufferbloat mitigations + improvement in throughput and latency - "net.ipv4.tcp_conjestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; + ## TCP optimization + # TCP fastopen + "net.ipv4.tcp_fastopen" = 3; + # bufferbloat mitigations + improvement in throughput and latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + kernelModules = [ "tcp_bbr" ]; }; - kernelModules = [ "tcp_bbr" ]; - }; - security = { - # prevents replacing the kernel without a reboot - protectKernelImage = true; - # rtkit allows unprivileged processes to use realtime scheduling - # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) - rtkit.enable = true; - polkit.enable = true; - }; + security = { + # prevents replacing the kernel without a reboot + protectKernelImage = true; + # rtkit allows unprivileged processes to use realtime scheduling + # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) + rtkit.enable = true; + polkit.enable = true; + }; - # personal computer? no firewall ty :3 - networking.firewall.enable = false; + # personal computer? no firewall ty :3 + networking.firewall.enable = false; - services.usbguard = { - IPCAllowedUsers = [ "root" "${env.mainUser}" ]; - presentDevicePolicy = "allow"; - rules = '' - allow with-interface equals { 08:*:* } + services.usbguard = { + IPCAllowedUsers = [ "root" "${env.mainUser}" ]; + presentDevicePolicy = "allow"; + rules = '' + allow with-interface equals { 08:*:* } - # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard) - reject with-interface all-of { 08:*:* 03:00:* } - reject with-interface all-of { 08:*:* 03:01:* } - reject with-interface all-of { 08:*:* e0:*:* } - reject with-interface all-of { 08:*:* 02:*:* } - ''; - }; + # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard) + reject with-interface all-of { 08:*:* 03:00:* } + reject with-interface all-of { 08:*:* 03:01:* } + reject with-interface all-of { 08:*:* e0:*:* } + reject with-interface all-of { 08:*:* 02:*:* } + ''; + }; - services.fwupd.enable = true; - } // (mkIf cfg.useDoas { - security.sudo.enable = false; - security.doas.enable = true; - security.doas.extraRules = [ - { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; } - ]; - environment.systemPackages = with pkgs; [ doas-sudo-shim ]; - }); + services.fwupd.enable = true; + } + (mkIf cfg.useDoas { + security.sudo.enable = false; + security.doas.enable = true; + security.doas.extraRules = [ + { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; } + ]; + environment.systemPackages = with pkgs; [ doas-sudo-shim ]; + }) + ]; }