bro

2026-04-01 22:24:48 -07:00 · 2026-04-01 22:24:48 -07:00 · 4304b5c887
commit 4304b5c887
parent 90572a1ff0
2 changed files with 61 additions and 52 deletions
--- a/modules/security.nix
+++ b/modules/security.nix
@ -8,62 +8,71 @@ in {
    useDoas = mkEnableOption "use opendoas instead of sudo";
  };

-  config = mkIf cfg.enable {
-  boot = {
-    tmp.useTmpfs = lib.mkDefault true;
-    tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+  config = mkMerge [
+    {
+      boot = {
+        tmp.useTmpfs = lib.mkDefault true;
+        tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);

-    kernel.sysctl = {
-      # magic sysrq key, allows low-level commands through keyboard input
-      "kernel.sysrq" = 0;
+        # disable kernel parameter editing on boot
+        loader.systemd-boot.editor = false;

-      ## TCP hardening
-      # prevent bogus ICMP errors from filling up logs
-      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-      # do not accept IP source packets (we are not a router)
-      "net.ipv4.conf.all.accept_source_route" = 0;
-      "net.ipv6.conf.all.accept_source_route" = 0;
-      # don't send ICMP redirects (again, we're not a router)
-      "net.ipv4.conf.all.send_redirects" = 0;
-      "net.ipv4.conf.default.send_redirects" = 0;
-      # refuse ICMP redirects (MITM mitigations)
-      "net.ipv4.conf.all.accept_redirects" = 0;
-      "net.ipv4.conf.default.accept_redirects" = 0;
-      "net.ipv4.conf.all.secure_redirects" = 0;
-      "net.ipv4.conf.default.secure_redirects" = 0;
-      "net.ipv6.conf.all.accept_redirects" = 0;
-      "net.ipv6.conf.default.accept_redirects" = 0;
-      # protects against SYN flood attacks
-      "net.ipv4.tcp_syncookies" = 1;
-      # incomplete protection against TIME-WAIT assassination
-      "net.ipv4.tcp_rfc1337" = 1;
+        kernel.sysctl = {
+          # magic sysrq key, allows low-level commands through keyboard input
+          "kernel.sysrq" = 0;

-      ## TCP optimization
-      # TCP fastopen
-      "net.ipv4.tcp_fastopen" = 3;
-      # bufferbloat mitigations + improvement in throughput and latency
-      "net.ipv4.tcp_conjestion_control" = "bbr";
-      "net.core.default_qdisc" = "cake";
+          ## TCP hardening
+          # prevent bogus ICMP errors from filling up logs
+          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+          # do not accept IP source packets (we are not a router)
+          "net.ipv4.conf.all.accept_source_route" = 0;
+          "net.ipv6.conf.all.accept_source_route" = 0;
+          # don't send ICMP redirects (again, we're not a router)
+          "net.ipv4.conf.all.send_redirects" = 0;
+          "net.ipv4.conf.default.send_redirects" = 0;
+          # refuse ICMP redirects (MITM mitigations)
+          "net.ipv4.conf.all.accept_redirects" = 0;
+          "net.ipv4.conf.default.accept_redirects" = 0;
+          "net.ipv4.conf.all.secure_redirects" = 0;
+          "net.ipv4.conf.default.secure_redirects" = 0;
+          "net.ipv6.conf.all.accept_redirects" = 0;
+          "net.ipv6.conf.default.accept_redirects" = 0;
+          # protects against SYN flood attacks
+          "net.ipv4.tcp_syncookies" = 1;
+          # incomplete protection against TIME-WAIT assassination
+          "net.ipv4.tcp_rfc1337" = 1;
+
+          ## TCP optimization
+          # TCP fastopen
+          "net.ipv4.tcp_fastopen" = 3;
+          # bufferbloat mitigations + improvement in throughput and latency
+          "net.ipv4.tcp_congestion_control" = "bbr";
+          "net.core.default_qdisc" = "cake";
+        };
+        kernelModules = [ "tcp_bbr" ];
      };
-      kernelModules = [ "tcp_bbr" ];
-    };

-    security = {
-      # prevents replacing the kernel without a reboot
-      protectKernelImage = true;
-      # rtkit allows unprivileged processes to use realtime scheduling
-      # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
-      rtkit.enable = true;
-      polkit.enable = true;
-    };
+      security = {
+        # prevents replacing the kernel without a reboot
+        protectKernelImage = true;
+        # rtkit allows unprivileged processes to use realtime scheduling
+        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+        rtkit.enable = true;
+        polkit.enable = true;
+      };

-    # while this is on by default, i am going to explicitly specify this
-    networking.firewall.enable = true;
+      # while this is on by default, i am going to explicitly specify this
+      networking.firewall.enable = true;

-    services.fwupd.enable = true;
-  } // (mkIf cfg.useDoas {
-    security.sudo.enable = false;
-    security.doas.enable = true;
-    environment.systemPackages = with pkgs; [ doas-sudo-shim ];
-  });
+      services.fwupd.enable = true;
+    }
+    (mkIf cfg.useDoas {
+      security.sudo.enable = false;
+      security.doas.enable = true;
+      security.doas.extraRules = [
+        { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
+      ];
+      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
+    })
+  ];
 }