diff --git a/default.nix b/default.nix
index c685d66..b42b9a8 100755
--- a/default.nix
+++ b/default.nix
@@ -6,7 +6,9 @@ let
 inherit (lib.my) mapModulesRec';
 in {
 imports =
- [ inputs.home-manager.nixosModules.home-manager ]
+ [
+ inputs.home-manager.nixosModules.home-manager
+ ]
 ++ (mapModulesRec' (toString ./modules) import);
 nix = {
@@ -27,11 +29,10 @@ in {
 environment.systemPackages = with pkgs; [
 unrar unzip curl wget
- # nix does not work without git.
- # do not remove this.
+ # nixos-rebuild w/ flakes does not work without git
+ # do not remove this
+ # nix is awesome
 git
- neofetch
 ];
 time.timeZone = mkDefault "America/Los_Angeles";
diff --git a/modules/security.nix b/modules/security.nix
index 7f56006..474b50c 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -14,24 +14,38 @@ in {
 tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 kernel.sysctl = {
+ # magic sysrq key, allows low-level commands through keyboard input
 "kernel.sysrq" = 0;
- "net.ipv4.conf.all.accept_source_code" = 0;
- "net.ipv6.conf.all.accept_source_code" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
+ ## TCP hardening
+ # prevent bogus ICMP errors from filling up logs
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # do not accept IP source packets (we are not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're not a router)
 "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # refuse ICMP redirects (MITM mitigations)
 "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
 "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # protects against SYN flood attacks
 "net.ipv4.tcp_syncookies" = 1;
+ # incomplete protection against TIME-WAIT assassination
 "net.ipv4.tcp_rfc1337" = 1;
+
+ ## TCP optimization
+ # TCP fastopen
 "net.ipv4.tcp_fastopen" = 3;
+ # bufferbloat mitigations + improvement in throughput and latency
 "net.ipv4.tcp_conjestion_control" = "bbr";
 "net.core.default_qdisc" = "cake";
 };
+ kernelModules = [ "tcp_bbr" ];
 };
 security = {
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index babc2bd..4743b4c 100755
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
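Review bot: The key `"net.ipv4.tcp_conjestion_control" = "bbr";` kept on the new side is misspelled, so that sysctl does not exist and the kernel keeps its default congestion control even though the hunk now loads `tcp_bbr` through `kernelModules` and the new comment promises bufferbloat mitigation; it should read `"net.ipv4.tcp_congestion_control" = "bbr";`, the same kind of fix the hunk applies to `accept_source_code`. Under the new "do not accept IP source packets" comment, `"net.ipv6.conf.all.accept_source_route" = 0;` is, per the kernel's ip-sysctl documentation, the default and still accepts routing header type 2, while `-1` refuses all routing headers, so confirm which is intended and either change the value or narrow the comment. `"net.ipv4.tcp_fastopen" = 3;` enables server-side TFO cookie handling as well as the client side, which the "TCP optimization" heading does not make obvious; a comment such as `# 3 = client + server side; use 1 on hosts that do not serve TFO` would keep a later reader from taking it for hardening. The `boot = {` set these lines belong to begins above the hunk.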
@@ -11,10 +11,7 @@ let
 };
 in {
 options.modules.services.forgejo = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable forgejo, a lightweight git server";
 domain = mkOption {
 type = types.str;
 default = "git.reidlab.online";
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 270f71c..1cbd26b 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.metrics;
 in {
 options.modules.services.metrics = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
 domain = mkOption {
 type = types.str;
 default = "grafana.reidlab.online";
diff --git a/modules/services/mosh.nix b/modules/services/mosh.nix
index da344a3..2860c6f 100755
--- a/modules/services/mosh.nix
+++ b/modules/services/mosh.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.mosh;
 in {
 options.modules.services.mosh = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable mosh, the mobile SSH shell";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index f3dc6a8..f446f57 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.nginx-config;
 in {
 options.modules.services.nginx-config = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
 package = mkOption {
 type = types.package;
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
index abde301..5074c6c 100755
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
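Review bot: `mkEnableOption` builds its description as "Whether to enable <text>.", so the new `enable = mkEnableOption "enable forgejo, a lightweight git server";` documents the option as "Whether to enable enable forgejo, a lightweight git server." in the generated manual; pass the noun phrase only, `enable = mkEnableOption "forgejo, a lightweight git server";`. The metrics, mosh and nginx-conf hunks on this line start their strings with the same leading "enable" and need the same trim. The default and type are unchanged by the switch (`mkEnableOption` defaults to `false` with `types.bool`), so this is documentation only; whether `mkEnableOption` is already in scope the way `mkOption` and `types` are is not visible in the hunk.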
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.postgres;
 in {
 options.modules.services.postgres = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable postgres, the database industry standard";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/redis.nix b/modules/services/redis.nix
index cc8ae4b..30f1888 100755
--- a/modules/services/redis.nix
+++ b/modules/services/redis.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.redis;
 in {
 options.modules.services.redis = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable redis, a speedy cache database";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index e8dba7c..59fc01c 100755
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -5,11 +5,7 @@ let
 cfg = config.modules.services.ssh;
 in {
 options.modules.services.ssh = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Provide system SSH support though OpenSSH.";
- };
+ enable = mkEnableOption "enable openssh, a server for remote shell access";
 requirePassword = mkOption {
 type = types.bool;
diff --git a/readme.md b/readme.md
index dabed97..955a65a 100755
--- a/readme.md
+++ b/readme.md
@@ -21,3 +21,4 @@ before committing, please run `nix flake check` and make sure everything is ok
 - remove the lua static stuff from nginx + the cf ip
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building??? it only happened after the big lib update. help me
+- leverage nixos-hardware
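Review bot: `enable = mkEnableOption "enable openssh, a server for remote shell access";` in the ssh hunk yields the description "Whether to enable enable openssh, …" because `mkEnableOption` already prepends "Whether to enable "; drop the leading word, `enable = mkEnableOption "openssh, a server for remote shell access";`, and the postgres and redis hunks on this line need the same trim. The removed `description = "Provide system SSH support though OpenSSH.";` was the only explicit description among these modules, so it is worth keeping the new text naming OpenSSH, as it does. The default and type stay `false`/`types.bool` through `mkEnableOption`, so readers of `cfg.enable` in the `config = mkIf cfg.enable` blocks are unaffected.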