reidlab/nix-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nix-server/modules/security.nix
reidlab 4d598a496a oops. dense commit
2024-03-11 17:18:54 -07:00

63 lines
2.2 KiB
Nix
Executable file
Raw Blame History

{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.modules.security;
in {
options.modules.security = {
useDoas = mkEnableOption "use doas instead of sudo";
};
config = mkIf cfg.enable {
boot = {
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
kernel.sysctl = {
# magic sysrq key, allows low-level commands through keyboard input
"kernel.sysrq" = 0;
## TCP hardening
# prevent bogus ICMP errors from filling up logs
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# do not accept IP source packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're not a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# incomplete protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP fastopen
"net.ipv4.tcp_fastopen" = 3;
# bufferbloat mitigations + improvement in throughput and latency
"net.ipv4.tcp_conjestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
kernelModules = [ "tcp_bbr" ];
};
security = {
# prevents replacing the kernel without a reboot
protectKernelImage = true;
# allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
polkit.enable = true;
rtkit.enable = true;
};
} // (mkIf cfg.useDoas {
security.sudo.enable = false;
security.doas.enable = true;
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
});
}
Reference in a new issue View git blame Copy permalink