dotfiles/modules/security/default.nix

{ config
, lib
, ...
}: {
  ## System security tweaks
  # Prevent replacing the running kernel w/o reboot
  # security.protectKernelImage = lib.mkDefault true; # NOTE disabled for now to enable hibernate
  boot = {

    # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
    # on ssd systems, and volatile! Because it's wiped on reboot.
    tmp.useTmpfs = lib.mkDefault true;
    # If not using tmpfs, which is naturally purged on reboot, we must clean it
    # /tmp ourselves. /tmp should be volatile storage!
    tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);

    # Fix a security hole in place for backwards compatibility. See desc in
    # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
    loader.systemd-boot.editor = false;

    kernel.sysctl = {
      # The Magic SysRq key is a key combo that allows users connected to the
      # system console of a Linux kernel to perform some low-level commands.
      # Disable it, since we don't need it, and is a potential security concern.
      "kernel.sysrq" = 0;

      ## TCP hardening
      # Prevent bogus ICMP errors from filling up logs.
      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
      # Reverse path filtering causes the kernel to do source validation of
      # packets received from all interfaces. This can mitigate IP spoofing.
      "net.ipv4.conf.default.rp_filter" = 1;
      "net.ipv4.conf.all.rp_filter" = 1;
      # Do not accept IP source route packets (we're not a router)
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv6.conf.all.accept_source_route" = 0;
      # Don't send ICMP redirects (again, we're on a router)
      "net.ipv4.conf.all.send_redirects" = 0;
      "net.ipv4.conf.default.send_redirects" = 0;
      # Refuse ICMP redirects (MITM mitigations)
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.secure_redirects" = 0;
      "net.ipv4.conf.default.secure_redirects" = 0;
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
      # Protects against SYN flood attacks
      "net.ipv4.tcp_syncookies" = 1;
      # Incomplete protection again TIME-WAIT assassination
      "net.ipv4.tcp_rfc1337" = 1;
      # Log martian packages
      "net.ipv4.conf.all.log_martians" = 1;
      "net.ipv4.conf.default.log_martians" = 1;

      ## TCP optimization
      # TCP Fast Open is a TCP extension that reduces network latency by packing
      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
      # both incoming and outgoing connections:
      "net.ipv4.tcp_fastopen" = 3;
      # Bufferbloat mitigations + slight improvement in throughput & latency
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.core.default_qdisc" = "cake";
    };
    kernelModules = [ "tcp_bbr" ];
  };

  # So we don't have to do this later...
  security.acme.acceptTerms = true;

  # SSH
  services.openssh = {
    settings = {
      # Disable ssh password login
      PasswordAuthentication = lib.mkDefault false;
      LogLevel = "VERBOSE";
    };
    extraConfig = ''
      AllowAgentForwarding no
      AllowTcpForwarding no
      ClientAliveCountMax 2
      Compression no
      MaxAuthTries 3
      MaxSessions 2
      TCPKeepAlive no
    '';
  };
}
-												:broom: restructure layout

											
										
										
											2022-07-15 13:11:54 +02:00
+								{ config
 								, lib
 								, ...
 								}: {
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
+								  ## System security tweaks
 								  # Prevent replacing the running kernel w/o reboot
-												feat!: enable hibernation again

											
										
										
											2023-05-07 12:05:38 +02:00
+								  # security.protectKernelImage = lib.mkDefault true; # NOTE disabled for now to enable hibernate
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								  boot = {
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								    # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
 								    # on ssd systems, and volatile! Because it's wiped on reboot.
 								    tmp.useTmpfs = lib.mkDefault true;
 								    # If not using tmpfs, which is naturally purged on reboot, we must clean it
 								    # /tmp ourselves. /tmp should be volatile storage!
 								    tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								    # Fix a security hole in place for backwards compatibility. See desc in
 								    # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
 								    loader.systemd-boot.editor = false;
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								    kernel.sysctl = {
 								      # The Magic SysRq key is a key combo that allows users connected to the
 								      # system console of a Linux kernel to perform some low-level commands.
 								      # Disable it, since we don't need it, and is a potential security concern.
 								      "kernel.sysrq" = 0;
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								      ## TCP hardening
 								      # Prevent bogus ICMP errors from filling up logs.
 								      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
 								      # Reverse path filtering causes the kernel to do source validation of
 								      # packets received from all interfaces. This can mitigate IP spoofing.
 								      "net.ipv4.conf.default.rp_filter" = 1;
 								      "net.ipv4.conf.all.rp_filter" = 1;
 								      # Do not accept IP source route packets (we're not a router)
 								      "net.ipv4.conf.all.accept_source_route" = 0;
 								      "net.ipv6.conf.all.accept_source_route" = 0;
 								      # Don't send ICMP redirects (again, we're on a router)
 								      "net.ipv4.conf.all.send_redirects" = 0;
 								      "net.ipv4.conf.default.send_redirects" = 0;
 								      # Refuse ICMP redirects (MITM mitigations)
 								      "net.ipv4.conf.all.accept_redirects" = 0;
 								      "net.ipv4.conf.default.accept_redirects" = 0;
 								      "net.ipv4.conf.all.secure_redirects" = 0;
 								      "net.ipv4.conf.default.secure_redirects" = 0;
 								      "net.ipv6.conf.all.accept_redirects" = 0;
 								      "net.ipv6.conf.default.accept_redirects" = 0;
 								      # Protects against SYN flood attacks
 								      "net.ipv4.tcp_syncookies" = 1;
 								      # Incomplete protection again TIME-WAIT assassination
 								      "net.ipv4.tcp_rfc1337" = 1;
 								      # Log martian packages
 								      "net.ipv4.conf.all.log_martians" = 1;
 								      "net.ipv4.conf.default.log_martians" = 1;
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
-												feat(flake): use flake-parts

											
										
										
											2023-09-27 12:38:41 +02:00
+								      ## TCP optimization
 								      # TCP Fast Open is a TCP extension that reduces network latency by packing
 								      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
 								      # both incoming and outgoing connections:
 								      "net.ipv4.tcp_fastopen" = 3;
 								      # Bufferbloat mitigations + slight improvement in throughput & latency
 								      "net.ipv4.tcp_congestion_control" = "bbr";
 								      "net.core.default_qdisc" = "cake";
 								    };
 								    kernelModules = [ "tcp_bbr" ];
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
+								  };
 								  # So we don't have to do this later...
 								  security.acme.acceptTerms = true;
-												:rocket: reenable security

											
										
										
											2021-12-30 11:14:32 +01:00
-												:rocket: add more security defaults

											
										
										
											2022-04-18 12:26:17 +02:00
+								  # SSH
 								  services.openssh = {
-												update inputs

											
										
										
											2023-02-02 11:38:23 +01:00
+								    settings = {
 								      # Disable ssh password login
-												build: bump inputs

											
										
										
											2023-06-10 10:23:31 +02:00
+								      PasswordAuthentication = lib.mkDefault false;
 								      LogLevel = "VERBOSE";
-												update inputs

											
										
										
											2023-02-02 11:38:23 +01:00
+								    };
-												:rocket: add more security defaults

											
										
										
											2022-04-18 12:26:17 +02:00
+								    extraConfig = ''
 								      AllowAgentForwarding no
 								      AllowTcpForwarding no
 								      ClientAliveCountMax 2
 								      Compression no
 								      MaxAuthTries 3
 								      MaxSessions 2
 								      TCPKeepAlive no
 								    '';
 								  };
-												added security module

											
										
										
											2021-09-30 19:41:08 +02:00
+								}