reidlab/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

SONNNN

Browse source
This commit is contained in:
Reid 2026-04-02 01:07:12 -07:00
parent 3f3f770622
commit 98f3f2df9a
Signed by: reidlab
GPG key ID: DAF5EAF6665839FD
2 changed files with 72 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

2
default.nix
View file

@ -24,7 +24,7 @@ in {
boot = { boot = {
kernelPackages = mkDefault pkgs.linuxPackages_latest; kernelPackages = mkDefault pkgs.linuxPackages_latest;
kernelParams = [ "pci_aspm.policy=performance" ]; kernelParams = [ "pcie_aspm.policy=performance" ];
}; };
# configure keymap in x11 # configure keymap in x11

139
modules/security.nix
View file

@ -8,82 +8,85 @@ in {
useDoas = mkEnableOption "use opendoas instead of sudo"; useDoas = mkEnableOption "use opendoas instead of sudo";
}; };
config = mkIf cfg.enable { config = mkMerge [
boot = { {
tmp.useTmpfs = lib.mkDefault true; boot = {
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
# disable kernel parameter editing on boot # disable kernel parameter editing on boot
loader.systemd-boot.editor = false; loader.systemd-boot.editor = false;
kernel.sysctl = { kernel.sysctl = {
# magic sysrq key, allows low-level commands through keyboard input # magic sysrq key, allows low-level commands through keyboard input
"kernel.sysrq" = 0; "kernel.sysrq" = 0;
## TCP hardening ## TCP hardening
# prevent bogus ICMP errors from filling up logs # prevent bogus ICMP errors from filling up logs
"net.ipv4.icmp_ignore_bogus_error_responses" = 1; "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# do not accept IP source packets (we are not a router) # do not accept IP source packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0; "net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0;
# don't send ICMP redirects (again, we're not a router) # don't send ICMP redirects (again, we're not a router)
"net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0;
# refuse ICMP redirects (MITM mitigations) # refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0;
# protects against SYN flood attacks # protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_syncookies" = 1;
# incomplete protection against TIME-WAIT assassination # incomplete protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1; "net.ipv4.tcp_rfc1337" = 1;
## TCP optimization ## TCP optimization
# TCP fastopen # TCP fastopen
"net.ipv4.tcp_fastopen" = 3; "net.ipv4.tcp_fastopen" = 3;
# bufferbloat mitigations + improvement in throughput and latency # bufferbloat mitigations + improvement in throughput and latency
"net.ipv4.tcp_conjestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake"; "net.core.default_qdisc" = "cake";
};
kernelModules = [ "tcp_bbr" ];
}; };
kernelModules = [ "tcp_bbr" ];
};
security = { security = {
# prevents replacing the kernel without a reboot # prevents replacing the kernel without a reboot
protectKernelImage = true; protectKernelImage = true;
# rtkit allows unprivileged processes to use realtime scheduling # rtkit allows unprivileged processes to use realtime scheduling
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
rtkit.enable = true; rtkit.enable = true;
polkit.enable = true; polkit.enable = true;
}; };
# personal computer? no firewall ty :3 # personal computer? no firewall ty :3
networking.firewall.enable = false; networking.firewall.enable = false;
services.usbguard = { services.usbguard = {
IPCAllowedUsers = [ "root" "${env.mainUser}" ]; IPCAllowedUsers = [ "root" "${env.mainUser}" ];
presentDevicePolicy = "allow"; presentDevicePolicy = "allow";
rules = '' rules = ''
allow with-interface equals { 08:*:* } allow with-interface equals { 08:*:* }
# reject devices with suspicious combination of interfaces (ex. mass storage + keyboard) # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
reject with-interface all-of { 08:*:* 03:00:* } reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* } reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* } reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* } reject with-interface all-of { 08:*:* 02:*:* }
''; '';
}; };
services.fwupd.enable = true; services.fwupd.enable = true;
} // (mkIf cfg.useDoas { }
security.sudo.enable = false; (mkIf cfg.useDoas {
security.doas.enable = true; security.sudo.enable = false;
security.doas.extraRules = [ security.doas.enable = true;
{ users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; } security.doas.extraRules = [
]; { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
environment.systemPackages = with pkgs; [ doas-sudo-shim ]; ];
}); environment.systemPackages = with pkgs; [ doas-sudo-shim ];
})
];
} }