]> Git — Sourcephile - julm/julm-nix.git/blob - nixos/profiles/security.nix
git: tweak GUI config
[julm/julm-nix.git] / nixos / profiles / security.nix
1 { pkgs, lib, ... }:
2 with lib;
3 {
4 boot.kernelPackages = mkDefault pkgs.linuxPackages;
5 #boot.kernelPackages = pkgs.linuxPackages_latest;
6 #boot.kernelPackages = pkgs.linuxPackages_hardened;
7 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
8 #environment.memoryAllocator.provider = "libc";
9 nix.settings.allowed-users = [ "@users" ];
10 nix.settings.trusted-substituters = [
11 "https://nix-community.cachix.org"
12 ];
13 nix.settings.trusted-public-keys = [
14 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
15 ];
16 nix.settings.trusted-users = [
17 "root"
18 "@wheel"
19 ];
20 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
21 security.allowSimultaneousMultithreading = false;
22 security.apparmor.enable = mkDefault true;
23 security.forcePageTableIsolation = true;
24 security.lockKernelModules = mkDefault true;
25 security.protectKernelImage = true;
26 security.virtualisation.flushL1DataCache = "always";
27 # Only allow members of the wheel group to execute sudo by setting
28 # the executable’s permissions accordingly.
29 # This prevents users that are not members of wheel
30 # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
31 security.sudo.execWheelOnly = true;
32 boot.blacklistedKernelModules = [
33 # Obscure network protocols
34 "ax25"
35 "netrom"
36 "rose"
37
38 # Old or rare or insufficiently audited filesystems
39 "adfs"
40 "affs"
41 "bfs"
42 "befs"
43 "cramfs"
44 "efs"
45 "erofs"
46 "exofs"
47 "freevxfs"
48 "f2fs"
49 "hfs"
50 "hpfs"
51 "jfs"
52 "minix"
53 "nilfs2"
54 "ntfs"
55 "omfs"
56 "qnx4"
57 "qnx6"
58 "sysv"
59 "ufs"
60 ];
61 boot.kernel.sysctl = {
62 # Mitigate kernel pointer leaks
63 "kernel.kptr_restrict" = 2;
64 # Restricts the kernel log to the CAP_SYSLOG capability
65 "kernel.dmesg_restrict" = 1;
66 # Prevent information leaks
67 #kernel.printk = "3 3 3 3";
68 # Restrict eBPF to the CAP_BPF capability
69 # and enable JIT hardening techniques
70 # such as constant blinding.
71 "kernel.unprivileged_bpf_disabled" = 1;
72 "net.core.bpf_jit_harden" = 2;
73 # Restricts loading TTY line disciplines
74 # to the CAP_SYS_MODULE capability to prevent
75 # unprivileged attackers from loading vulnerable
76 # line disciplines with the TIOCSETD ioctl
77 "dev.tty.ldisc_autoload" = 0;
78 # The userfaultfd() syscall is often abused to exploit
79 # use-after-free flaws.
80 # Due to this, this sysctl is used to restrict
81 # this syscall to the CAP_SYS_PTRACE capability.
82 "vm.unprivileged_userfaultfd" = 0;
83 # kexec is a system call that is used
84 # to boot another kernel during runtime.
85 "kernel.kexec_load_disabled" = 1;
86 # User namespaces are a feature in the kernel which aim to
87 # improve sandboxing and make it easily accessible for
88 # unprivileged users however, this feature exposes
89 # significant kernel attack surface for privilege
90 # escalation so this sysctl restricts the usage of user
91 # namespaces to the CAP_SYS_ADMIN capability.
92 "kernel.unprivileged_userns_clone" = 0;
93 # Restricts all usage of performance events to the
94 # CAP_PERFMON capability
95 "kernel.perf_event_paranoid" = 3;
96 # Helps protect against SYN flood attacks
97 "net.ipv4.tcp_syncookies" = 1;
98 # Protects against time-wait assassination
99 # by dropping RST packets for sockets
100 # in the time-wait state.
101 "net.ipv4.tcp_rfc1337" = 1;
102 # Disable ICMP redirect acceptance and sending to prevent
103 # man-in-the-middle attacks and minimize information disclosure.
104 "net.ipv4.conf.all.accept_redirects" = 0;
105 "net.ipv4.conf.default.accept_redirects" = 0;
106 "net.ipv4.conf.all.secure_redirects" = 0;
107 "net.ipv4.conf.default.secure_redirects" = 0;
108 "net.ipv6.conf.all.accept_redirects" = 0;
109 "net.ipv6.conf.default.accept_redirects" = 0;
110 "net.ipv4.conf.all.send_redirects" = 0;
111 "net.ipv4.conf.default.send_redirects" = 0;
112 # Disable source routing, a mechanism
113 # that allows users to redirect network traffic.
114 "net.ipv4.conf.all.accept_source_route" = 0;
115 "net.ipv4.conf.default.accept_source_route" = 0;
116 "net.ipv6.conf.all.accept_source_route" = 0;
117 "net.ipv6.conf.default.accept_source_route" = 0;
118 /*
119 # Disable TCP SACK, which is commonly exploited
120 # and unnecessary for many circumstances.
121 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
122 "net.ipv4.tcp_sack" = 0;
123 "net.ipv4.tcp_dsack" = 0;
124 "net.ipv4.tcp_fack" = 0;
125 */
126 # Generate a random IPv6 address
127 "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
128 "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
129 # Restricts usage of ptrace to only processes
130 # with the CAP_SYS_PTRACE capability
131 "kernel.yama.ptrace_scope" = 2;
132 # Do source validation by confirming reverse path
133 "net.ipv4.conf.all.rp_filter" = 1;
134 "net.ipv4.conf.default.rp_filter" = 1;
135 };
136 boot.kernelParams = [
137 "slab_nomerge"
138 "slub_debug=FZ"
139 #"init_on_alloc=1"
140 #"init_on_free=1"
141 "page_alloc.shuffle=1"
142 "pti=on"
143 "vsyscall=none"
144 "debugfs=off"
145 "oops=panic"
146 # Disabled because zfs and wireguard modules are not signed
147 "module.sig_enforce=0"
148 "lockdown=confidentiality"
149 "mce=0"
150 #"quiet"
151 #"loglevel=0"
152 ];
153 services.journald.extraConfig = ''
154 Compress=true
155 MaxRetentionSec=1month
156 Storage=persistent
157 SystemMaxUse=100M
158 '';
159 systemd.coredump = {
160 enable = mkDefault false;
161 extraConfig = ''
162 Compress=true
163 MaxUse=1024M
164 Storage=external
165 '';
166 };
167 services.openssh = {
168 # Avoid TOFU MITM by providing well known public keys here.
169 knownHosts = {
170 "git.sr.ht".hostNames = [ "git.sr.ht" ];
171 "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
172
173 "github.com".hostNames = [ "github.com" ];
174 "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
175
176 "gitlab.com".hostNames = [ "gitlab.com" ];
177 "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
178 };
179 openFirewall = mkDefault false;
180 settings = {
181 KbdInteractiveAuthentication = mkDefault false;
182 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
183 KexAlgorithms = [
184 "curve25519-sha256"
185 "curve25519-sha256@libssh.org"
186 "diffie-hellman-group16-sha512"
187 "diffie-hellman-group18-sha512"
188 "sntrup761x25519-sha512@openssh.com"
189 ];
190 PasswordAuthentication = false;
191 # Remove any remote gpg-agent's socket.
192 StreamLocalBindUnlink = true;
193 UseDns = mkDefault false;
194 X11Forwarding = mkDefault false;
195 };
196 };
197 }