moritz
/
dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
dotfiles/modules/security/default.nix

100 lines
3.7 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{ config
, lib
, ...
}: {
## System security tweaks
# sets hidepid=2 on /proc (make process info visible only to owning user)
# NOTE Was removed on nixpkgs-unstable because it doesn't do anything
# security.hideProcessInformation = true;
# Prevent replacing the running kernel w/o reboot
security.protectKernelImage = lib.mkDefault true;
# tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
# on ssd systems, and volatile! Because it's wiped on reboot.
boot.tmpOnTmpfs = lib.mkDefault true;
# If not using tmpfs, which is naturally purged on reboot, we must clean it
# /tmp ourselves. /tmp should be volatile storage!
boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
# Fix a security hole in place for backwards compatibility. See desc in
# nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
boot.loader.systemd-boot.editor = false;
boot.kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# Log martian packages
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelModules = [ "tcp_bbr" ];
# So we don't have to do this later...
security.acme.acceptTerms = true;
# Enable doas as an alternative to sudo
security.doas = {
enable = lib.mkDefault true;
extraRules = [
# Do not ask for a password again for some time after the user successfully authenticates.
{
groups = [ "wheel" "doas" ];
persist = true;
}
];
};
security.sudo.enable = !config.security.doas.enable;
# SSH
services.openssh = {
# Disable ssh password login
passwordAuthentication = lib.mkDefault false;
logLevel = "VERBOSE";
extraConfig = ''
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
'';
};
}
Reference in New Issue View Git Blame Copy Permalink