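{ config, lib, options, pkgs, ... }:

with lib;

let
  cfg = config.modules.security;
in
{
  options.modules.security = {
    # NOTE(review): `cfg.enable` is consumed below but is not declared in this
    # file; it must be declared elsewhere (e.g. a shared module generator) or
    # evaluation fails with "attribute 'enable' missing" — verify.
    useDoas = mkEnableOption "use doas instead of sudo";
  };

  # mkMerge instead of `//`: `mkIf` returns an attrset of the form
  # { _type = "if"; condition; content; }, so `a // b` on two mkIf results
  # silently keeps only `b` — with the old `//` the whole hardening block
  # below was discarded whenever the module was evaluated.
  config = mkMerge [
    (mkIf cfg.enable {
      boot = {
        # keep /tmp on tmpfs; if it stays on disk, clear it at boot instead
        tmp.useTmpfs = mkDefault true;
        tmp.cleanOnBoot = mkDefault (!config.boot.tmp.useTmpfs);

        kernel.sysctl = {
          # disable the magic SysRq key (low-level commands via keyboard input)
          "kernel.sysrq" = 0;

          ## TCP hardening
          # prevent bogus ICMP errors from filling up logs
          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
          # do not accept IP source-routed packets (we are not a router)
          "net.ipv4.conf.all.accept_source_route" = 0;
          "net.ipv6.conf.all.accept_source_route" = 0;
          # don't send ICMP redirects (again, we're not a router)
          "net.ipv4.conf.all.send_redirects" = 0;
          "net.ipv4.conf.default.send_redirects" = 0;
          # refuse ICMP redirects (MITM mitigation)
          "net.ipv4.conf.all.accept_redirects" = 0;
          "net.ipv4.conf.default.accept_redirects" = 0;
          "net.ipv4.conf.all.secure_redirects" = 0;
          "net.ipv4.conf.default.secure_redirects" = 0;
          "net.ipv6.conf.all.accept_redirects" = 0;
          "net.ipv6.conf.default.accept_redirects" = 0;
          # protects against SYN flood attacks
          "net.ipv4.tcp_syncookies" = 1;
          # incomplete protection against TIME-WAIT assassination
          "net.ipv4.tcp_rfc1337" = 1;

          ## TCP optimization
          # TCP Fast Open on both the client (1) and server (2) side
          "net.ipv4.tcp_fastopen" = 3;
          # bufferbloat mitigation + improvement in throughput and latency.
          # The key was previously misspelled "tcp_conjestion_control", which
          # sysctl rejects as unknown, so bbr was never actually selected.
          "net.ipv4.tcp_congestion_control" = "bbr";
          "net.core.default_qdisc" = "cake";
        };
        # bbr must be loaded before the sysctl above can select it
        kernelModules = [ "tcp_bbr" ];
      };

      security = {
        # prevents replacing the running kernel image without a reboot
        protectKernelImage = true;
        # RealtimeKit: lets unprivileged processes (e.g. audio daemons) request
        # real-time scheduling priority
        rtkit.enable = true;
        # PolicyKit: lets unprivileged processes request privileged actions
        # (e.g. nmtui, reboot), subject to policy
        polkit.enable = true;
      };
    })

    (mkIf cfg.useDoas {
      security.sudo.enable = false;
      security.doas.enable = true;
      # `sudo` shim so scripts that hard-code sudo keep working through doas
      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
    })
  ];
}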