bro
This commit is contained in:
parent
90572a1ff0
commit
4304b5c887
GPG key ID:
DAF5EAF6665839FD
2 changed files with 61 additions and 52 deletions
|
|
@ -18,7 +18,7 @@ in {
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
kernelPackages = mkDefault pkgs.linuxPackages_latest;
|
kernelPackages = mkDefault pkgs.linuxPackages_latest;
|
||||||
kernelParams = [ "pci_aspm.policy=performance" ];
|
kernelParams = [ "pcie_aspm.policy=performance" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = mkDefault "America/Los_Angeles";
|
time.timeZone = mkDefault "America/Los_Angeles";
|
||||||
|
|
|
||||||
|
|
@ -8,62 +8,71 @@ in {
|
||||||
useDoas = mkEnableOption "use opendoas instead of sudo";
|
useDoas = mkEnableOption "use opendoas instead of sudo";
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkMerge [
|
||||||
boot = {
|
{
|
||||||
tmp.useTmpfs = lib.mkDefault true;
|
boot = {
|
||||||
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
tmp.useTmpfs = lib.mkDefault true;
|
||||||
|
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
||||||
|
|
||||||
kernel.sysctl = {
|
# disable kernel parameter editing on boot
|
||||||
# magic sysrq key, allows low-level commands through keyboard input
|
loader.systemd-boot.editor = false;
|
||||||
"kernel.sysrq" = 0;
|
|
||||||
|
|
||||||
## TCP hardening
|
kernel.sysctl = {
|
||||||
# prevent bogus ICMP errors from filling up logs
|
# magic sysrq key, allows low-level commands through keyboard input
|
||||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
"kernel.sysrq" = 0;
|
||||||
# do not accept IP source packets (we are not a router)
|
|
||||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
|
||||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
|
||||||
# don't send ICMP redirects (again, we're not a router)
|
|
||||||
"net.ipv4.conf.all.send_redirects" = 0;
|
|
||||||
"net.ipv4.conf.default.send_redirects" = 0;
|
|
||||||
# refuse ICMP redirects (MITM mitigations)
|
|
||||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
|
||||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
|
||||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
|
||||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
|
||||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
|
||||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
|
||||||
# protects against SYN flood attacks
|
|
||||||
"net.ipv4.tcp_syncookies" = 1;
|
|
||||||
# incomplete protection against TIME-WAIT assassination
|
|
||||||
"net.ipv4.tcp_rfc1337" = 1;
|
|
||||||
|
|
||||||
## TCP optimization
|
## TCP hardening
|
||||||
# TCP fastopen
|
# prevent bogus ICMP errors from filling up logs
|
||||||
"net.ipv4.tcp_fastopen" = 3;
|
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||||
# bufferbloat mitigations + improvement in throughput and latency
|
# do not accept IP source packets (we are not a router)
|
||||||
"net.ipv4.tcp_conjestion_control" = "bbr";
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||||
"net.core.default_qdisc" = "cake";
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||||
|
# don't send ICMP redirects (again, we're not a router)
|
||||||
|
"net.ipv4.conf.all.send_redirects" = 0;
|
||||||
|
"net.ipv4.conf.default.send_redirects" = 0;
|
||||||
|
# refuse ICMP redirects (MITM mitigations)
|
||||||
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||||
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||||
|
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||||
|
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||||
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||||
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||||
|
# protects against SYN flood attacks
|
||||||
|
"net.ipv4.tcp_syncookies" = 1;
|
||||||
|
# incomplete protection against TIME-WAIT assassination
|
||||||
|
"net.ipv4.tcp_rfc1337" = 1;
|
||||||
|
|
||||||
|
## TCP optimization
|
||||||
|
# TCP fastopen
|
||||||
|
"net.ipv4.tcp_fastopen" = 3;
|
||||||
|
# bufferbloat mitigations + improvement in throughput and latency
|
||||||
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
|
"net.core.default_qdisc" = "cake";
|
||||||
|
};
|
||||||
|
kernelModules = [ "tcp_bbr" ];
|
||||||
};
|
};
|
||||||
kernelModules = [ "tcp_bbr" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
security = {
|
security = {
|
||||||
# prevents replacing the kernel without a reboot
|
# prevents replacing the kernel without a reboot
|
||||||
protectKernelImage = true;
|
protectKernelImage = true;
|
||||||
# rtkit allows unprivileged processes to use realtime scheduling
|
# rtkit allows unprivileged processes to use realtime scheduling
|
||||||
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
|
# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
|
||||||
rtkit.enable = true;
|
rtkit.enable = true;
|
||||||
polkit.enable = true;
|
polkit.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# while this is on by default, i am going to explicitly specify this
|
# while this is on by default, i am going to explicitly specify this
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
services.fwupd.enable = true;
|
services.fwupd.enable = true;
|
||||||
} // (mkIf cfg.useDoas {
|
}
|
||||||
security.sudo.enable = false;
|
(mkIf cfg.useDoas {
|
||||||
security.doas.enable = true;
|
security.sudo.enable = false;
|
||||||
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
|
security.doas.enable = true;
|
||||||
});
|
security.doas.extraRules = [
|
||||||
|
{ users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
|
||||||
|
];
|
||||||
|
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
|
||||||
|
})
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue