1 { pkgs, lib, config, ... }:
3 boot.kernelPackages = pkgs.linuxPackages;
4 #boot.kernelPackages = pkgs.linuxPackages_latest;
5 #boot.kernelPackages = pkgs.linuxPackages_hardened;
6 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
7 #environment.memoryAllocator.provider = "libc";
8 nix.allowedUsers = [ "@users" ];
9 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
10 security.allowSimultaneousMultithreading = false;
11 security.apparmor.enable = lib.mkDefault true;
12 security.forcePageTableIsolation = true;
13 security.lockKernelModules = lib.mkDefault true;
14 security.protectKernelImage = true;
15 security.virtualisation.flushL1DataCache = "always";
16 boot.blacklistedKernelModules = [
17 # Obscure network protocols
22 # Old or rare or insufficiently audited filesystems
45 boot.kernel.sysctl = {
46 # Mitigate kernel pointer leaks
47 "kernel.kptr_restrict" = 2;
48 # Restricts the kernel log to the CAP_SYSLOG capability
49 "kernel.dmesg_restrict" = 1;
50 # Prevent information leaks
51 #kernel.printk = "3 3 3 3";
52 # Restrict eBPF to the CAP_BPF capability
53 # and enable JIT hardening techniques
54 # such as constant blinding.
55 "kernel.unprivileged_bpf_disabled" = 1;
56 "net.core.bpf_jit_harden" = 2;
57 # Restricts loading TTY line disciplines
58 # to the CAP_SYS_MODULE capability to prevent
59 # unprivileged attackers from loading vulnerable
60 # line disciplines with the TIOCSETD ioctl
61 "dev.tty.ldisc_autoload" = 0;
62 # The userfaultfd() syscall is often abused to exploit
63 # use-after-free flaws.
64 # Due to this, this sysctl is used to restrict
65 # this syscall to the CAP_SYS_PTRACE capability.
66 "vm.unprivileged_userfaultfd" = 0;
67 # kexec is a system call that is used
68 # to boot another kernel during runtime.
69 "kernel.kexec_load_disabled" = 1;
70 # User namespaces are a feature in the kernel which aim to
71 # improve sandboxing and make it easily accessible for
72 # unprivileged users however, this feature exposes
73 # significant kernel attack surface for privilege
74 # escalation so this sysctl restricts the usage of user
75 # namespaces to the CAP_SYS_ADMIN capability.
76 "kernel.unprivileged_userns_clone" = 0;
77 # Restricts all usage of performance events to the
78 # CAP_PERFMON capability
79 "kernel.perf_event_paranoid" = 3;
80 # Helps protect against SYN flood attacks
81 "net.ipv4.tcp_syncookies" = 1;
82 # Protects against time-wait assassination
83 # by dropping RST packets for sockets
84 # in the time-wait state.
85 "net.ipv4.tcp_rfc1337" = 1;
86 # Disable ICMP redirect acceptance and sending to prevent
87 # man-in-the-middle attacks and minimize information disclosure.
88 "net.ipv4.conf.all.accept_redirects" = 0;
89 "net.ipv4.conf.default.accept_redirects" = 0;
90 "net.ipv4.conf.all.secure_redirects" = 0;
91 "net.ipv4.conf.default.secure_redirects" = 0;
92 "net.ipv6.conf.all.accept_redirects" = 0;
93 "net.ipv6.conf.default.accept_redirects" = 0;
94 "net.ipv4.conf.all.send_redirects" = 0;
95 "net.ipv4.conf.default.send_redirects" = 0;
96 # Disable source routing, a mechanism
97 # that allows users to redirect network traffic.
98 "net.ipv4.conf.all.accept_source_route" = 0;
99 "net.ipv4.conf.default.accept_source_route" = 0;
100 "net.ipv6.conf.all.accept_source_route" = 0;
101 "net.ipv6.conf.default.accept_source_route" = 0;
103 # Disable TCP SACK, which is commonly exploited
104 # and unnecessary for many circumstances.
105 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
106 "net.ipv4.tcp_sack" = 0;
107 "net.ipv4.tcp_dsack" = 0;
108 "net.ipv4.tcp_fack" = 0;
110 # Generate a random IPv6 address
111 "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
112 "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
113 # Restricts usage of ptrace to only processes
114 # with the CAP_SYS_PTRACE capability
115 "kernel.yama.ptrace_scope" = 2;
116 # Do source validation by confirming reverse path
117 "net.ipv4.conf.all.rp_filter" = 1;
118 "net.ipv4.conf.default.rp_filter" = 1;
120 boot.kernelParams = [
125 "page_alloc.shuffle=1"
130 # Disabled because zfs and wireguard modules are not signed
131 "module.sig_enforce=0"
132 "lockdown=confidentiality"
137 services.journald.extraConfig = ''
139 MaxRetentionSec=1month
144 openFirewall = lib.mkDefault false;
145 passwordAuthentication = false;