From 79fa032a1565ad547b5ce555ee7768e7a8b33b98 Mon Sep 17 00:00:00 2001
From: MoritzBoehme <mail@moritzboeh.me>
Date: Thu, 30 Sep 2021 19:41:08 +0200
Subject: [PATCH] added security module

---
 modules/default.nix  | 25 ++++++---------
 modules/security.nix | 72 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 15 deletions(-)
 create mode 100644 modules/security.nix

diff --git a/modules/default.nix b/modules/default.nix
index a17e26b..a5f80b1 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,33 +1,28 @@
 { lib, pkgs, ... }:
 
 {
-  imports = [
-    ./apps
-    ./cli
-    ./desktop
-    ./services
-  ];
+  imports = [ ./apps ./cli ./desktop ./services ./security.nix ];
 
   # USERS
   users.users.moritz = {
     shell = pkgs.zsh;
     isNormalUser = true;
     home = "/home/moritz";
-    extraGroups = [ "wheel" "networkmanager" "video" ]; # Enable ‘sudo’ for the user.
+    extraGroups =
+      [ "wheel" "networkmanager" "video" ]; # Enable ‘sudo’ for the user.
   };
 
-  fonts.fonts = with pkgs; [
-    (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" "JetBrainsMono" ]; })
-  ];
+  fonts.fonts = with pkgs;
+    [
+      (nerdfonts.override {
+        fonts = [ "FiraCode" "DroidSansMono" "JetBrainsMono" ];
+      })
+    ];
 
   time.timeZone = "Europe/Berlin";
 
   # PACKAGES
-  environment.systemPackages = with pkgs; [
-    vim
-    wget
-    firefox
-  ];
+  environment.systemPackages = with pkgs; [ vim wget firefox ];
 
   home-manager.users.moritz = {
     # Let Home Manager install and manage itself.
diff --git a/modules/security.nix b/modules/security.nix
new file mode 100644
index 0000000..deed883
--- /dev/null
+++ b/modules/security.nix
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+
+{
+  ## System security tweaks
+  # sets hidepid=2 on /proc (make process info visible only to owning user)
+  # NOTE Was removed on nixpkgs-unstable because it doesn't do anything
+  # security.hideProcessInformation = true;
+  # Prevent replacing the running kernel w/o reboot
+  security.protectKernelImage = true;
+
+  # tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
+  # on ssd systems, and volatile! Because it's wiped on reboot.
+  boot.tmpOnTmpfs = lib.mkDefault true;
+  # If not using tmpfs, which is naturally purged on reboot, we must clean it
+  # /tmp ourselves. /tmp should be volatile storage!
+  boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
+
+  # Fix a security hole in place for backwards compatibility. See desc in
+  # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+  boot.loader.systemd-boot.editor = false;
+
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    # Restrict dmesg access for normal users
+    "kernel.dmesg_restrict" = 1;
+
+    # Restrict printing of kernel addresses
+    "kernel.kptr_restrict" = 2;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're on a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+  boot.kernelModules = [ "tcp_bbr" ];
+
+  # So we don't have to do this later...
+  security.acme.acceptTerms = true;
+}