90 lines
3 KiB
Nix
Executable file
90 lines
3 KiB
Nix
Executable file
{ config, lib, options, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.modules.security;
|
|
in {
|
|
options.modules.security = {
|
|
useDoas = mkEnableOption "use opendoas instead of sudo";
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
boot = {
|
|
tmp.useTmpfs = lib.mkDefault true;
|
|
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
|
|
|
# disable kernel parameter editing on boot
|
|
loader.systemd-boot.editor = false;
|
|
|
|
kernel.sysctl = {
|
|
# magic sysrq key, allows low-level commands through keyboard input
|
|
"kernel.sysrq" = 0;
|
|
|
|
## TCP hardening
|
|
# prevent bogus ICMP errors from filling up logs
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
|
# do not accept IP source packets (we are not a router)
|
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
|
# don't send ICMP redirects (again, we're not a router)
|
|
"net.ipv4.conf.all.send_redirects" = 0;
|
|
"net.ipv4.conf.default.send_redirects" = 0;
|
|
# refuse ICMP redirects (MITM mitigations)
|
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
|
"net.ipv4.conf.all.secure_redirects" = 0;
|
|
"net.ipv4.conf.default.secure_redirects" = 0;
|
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
|
# protects against SYN flood attacks
|
|
"net.ipv4.tcp_syncookies" = 1;
|
|
# incomplete protection against TIME-WAIT assassination
|
|
"net.ipv4.tcp_rfc1337" = 1;
|
|
|
|
## TCP optimization
|
|
# TCP fastopen
|
|
"net.ipv4.tcp_fastopen" = 3;
|
|
# bufferbloat mitigations + improvement in throughput and latency
|
|
"net.ipv4.tcp_conjestion_control" = "bbr";
|
|
"net.core.default_qdisc" = "cake";
|
|
};
|
|
kernelModules = [ "tcp_bbr" ];
|
|
};
|
|
|
|
security = {
|
|
# prevents replacing the kernel without a reboot
|
|
protectKernelImage = true;
|
|
# rtkit allows unprivileged processes to use realtime scheduling
|
|
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
|
|
rtkit.enable = true;
|
|
polkit.enable = true;
|
|
};
|
|
|
|
# personal computer? no firewall ty :3
|
|
networking.firewall.enable = false;
|
|
|
|
|
|
services.usbguard = {
|
|
IPCAllowedUsers = [ "root" "${env.mainUser}" ];
|
|
presentDevicePolicy = "allow";
|
|
rules = ''
|
|
allow with-interface equals { 08:*:* }
|
|
|
|
# reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
|
|
reject with-interface all-of { 08:*:* 03:00:* }
|
|
reject with-interface all-of { 08:*:* 03:01:* }
|
|
reject with-interface all-of { 08:*:* e0:*:* }
|
|
reject with-interface all-of { 08:*:* 02:*:* }
|
|
'';
|
|
};
|
|
|
|
services.fwupd.enable = true;
|
|
} // (mkIf cfg.useDoas {
|
|
security.sudo.enable = false;
|
|
security.doas.enable = true;
|
|
security.doas.extraRules = [
|
|
{ users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
|
|
];
|
|
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
|
|
});
|
|
}
|