]> Git — Sourcephile - julm/julm-nix.git/blob - nixos/profiles/security.nix
julm: carotte: no need for vim
[julm/julm-nix.git] / nixos / profiles / security.nix
1 { pkgs, lib, ... }:
2 with lib;
3 {
4 boot.kernelPackages = mkDefault pkgs.linuxPackages;
5 #boot.kernelPackages = pkgs.linuxPackages_latest;
6 #boot.kernelPackages = pkgs.linuxPackages_hardened;
7 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
8 #environment.memoryAllocator.provider = "libc";
9 nix.settings.allowed-users = [ "@users" ];
10 /*
11 nix.settings.substituters = [
12 "https://nix-community.cachix.org"
13 ];
14 nix.settings.trusted-public-keys = [
15 "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
16 ];
17 */
18 nix.settings.trusted-users = [
19 "root"
20 "@wheel"
21 ];
22 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
23 security.allowSimultaneousMultithreading = false;
24 security.apparmor.enable = mkDefault true;
25 security.forcePageTableIsolation = true;
26 security.lockKernelModules = mkDefault true;
27 security.protectKernelImage = true;
28 security.virtualisation.flushL1DataCache = "always";
29 # Only allow members of the wheel group to execute sudo by setting
30 # the executable’s permissions accordingly.
31 # This prevents users that are not members of wheel
32 # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
33 security.sudo.execWheelOnly = true;
34 boot.blacklistedKernelModules = [
35 # Obscure network protocols
36 "ax25"
37 "netrom"
38 "rose"
39
40 # Old or rare or insufficiently audited filesystems
41 "adfs"
42 "affs"
43 "bfs"
44 "befs"
45 "cramfs"
46 "efs"
47 "erofs"
48 "exofs"
49 "freevxfs"
50 "f2fs"
51 "hfs"
52 "hpfs"
53 "jfs"
54 "minix"
55 "nilfs2"
56 "ntfs"
57 "omfs"
58 "qnx4"
59 "qnx6"
60 "sysv"
61 "ufs"
62 ];
63 boot.kernel.sysctl = {
64 # Mitigate kernel pointer leaks
65 "kernel.kptr_restrict" = 2;
66 # Restricts the kernel log to the CAP_SYSLOG capability
67 "kernel.dmesg_restrict" = 1;
68 # Prevent information leaks
69 #kernel.printk = "3 3 3 3";
70 # Restrict eBPF to the CAP_BPF capability
71 # and enable JIT hardening techniques
72 # such as constant blinding.
73 "kernel.unprivileged_bpf_disabled" = 1;
74 "net.core.bpf_jit_harden" = 2;
75 # Restricts loading TTY line disciplines
76 # to the CAP_SYS_MODULE capability to prevent
77 # unprivileged attackers from loading vulnerable
78 # line disciplines with the TIOCSETD ioctl
79 "dev.tty.ldisc_autoload" = 0;
80 # The userfaultfd() syscall is often abused to exploit
81 # use-after-free flaws.
82 # Due to this, this sysctl is used to restrict
83 # this syscall to the CAP_SYS_PTRACE capability.
84 "vm.unprivileged_userfaultfd" = 0;
85 # kexec is a system call that is used
86 # to boot another kernel during runtime.
87 "kernel.kexec_load_disabled" = 1;
88 # User namespaces are a feature in the kernel which aim to
89 # improve sandboxing and make it easily accessible for
90 # unprivileged users however, this feature exposes
91 # significant kernel attack surface for privilege
92 # escalation so this sysctl restricts the usage of user
93 # namespaces to the CAP_SYS_ADMIN capability.
94 "kernel.unprivileged_userns_clone" = 0;
95 # Restricts all usage of performance events to the
96 # CAP_PERFMON capability
97 "kernel.perf_event_paranoid" = 3;
98 # Helps protect against SYN flood attacks
99 "net.ipv4.tcp_syncookies" = 1;
100 # Protects against time-wait assassination
101 # by dropping RST packets for sockets
102 # in the time-wait state.
103 "net.ipv4.tcp_rfc1337" = 1;
104 # Disable ICMP redirect acceptance and sending to prevent
105 # man-in-the-middle attacks and minimize information disclosure.
106 "net.ipv4.conf.all.accept_redirects" = 0;
107 "net.ipv4.conf.default.accept_redirects" = 0;
108 "net.ipv4.conf.all.secure_redirects" = 0;
109 "net.ipv4.conf.default.secure_redirects" = 0;
110 "net.ipv6.conf.all.accept_redirects" = 0;
111 "net.ipv6.conf.default.accept_redirects" = 0;
112 "net.ipv4.conf.all.send_redirects" = 0;
113 "net.ipv4.conf.default.send_redirects" = 0;
114 # Disable source routing, a mechanism
115 # that allows users to redirect network traffic.
116 "net.ipv4.conf.all.accept_source_route" = 0;
117 "net.ipv4.conf.default.accept_source_route" = 0;
118 "net.ipv6.conf.all.accept_source_route" = 0;
119 "net.ipv6.conf.default.accept_source_route" = 0;
120 /*
121 # Disable TCP SACK, which is commonly exploited
122 # and unnecessary for many circumstances.
123 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
124 "net.ipv4.tcp_sack" = 0;
125 "net.ipv4.tcp_dsack" = 0;
126 "net.ipv4.tcp_fack" = 0;
127 */
128 # Generate a random IPv6 address
129 "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
130 "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
131 # Restricts usage of ptrace to only processes
132 # with the CAP_SYS_PTRACE capability
133 "kernel.yama.ptrace_scope" = 2;
134 # Do source validation by confirming reverse path
135 "net.ipv4.conf.all.rp_filter" = 1;
136 "net.ipv4.conf.default.rp_filter" = 1;
137 };
138 boot.kernelParams = [
139 "slab_nomerge"
140 "slub_debug=FZ"
141 #"init_on_alloc=1"
142 #"init_on_free=1"
143 "page_alloc.shuffle=1"
144 "pti=on"
145 "vsyscall=none"
146 "debugfs=off"
147 "oops=panic"
148 # Disabled because zfs and wireguard modules are not signed
149 "module.sig_enforce=0"
150 "lockdown=confidentiality"
151 "mce=0"
152 #"quiet"
153 #"loglevel=0"
154 ];
155 services.journald.extraConfig = ''
156 Compress=true
157 MaxRetentionSec=1month
158 Storage=persistent
159 SystemMaxUse=100M
160 '';
161 systemd.coredump = {
162 enable = mkDefault false;
163 extraConfig = ''
164 Compress=true
165 MaxUse=1024M
166 Storage=external
167 '';
168 };
169 services.openssh = {
170 # Avoid TOFU MITM by providing well known public keys here.
171 knownHosts = {
172 "git.sr.ht".hostNames = [ "git.sr.ht" ];
173 "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
174
175 "github.com".hostNames = [ "github.com" ];
176 "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
177
178 "gitlab.com".hostNames = [ "gitlab.com" ];
179 "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
180 };
181 openFirewall = mkDefault false;
182 settings = {
183 Ciphers = [
184 # Not hardware accelerated, but fast enough and somehow more secure
185 # (packet sizes are encrypted and less vulnerable to timing attacks).
186 "chacha20-poly1305@openssh.com"
187 # A bit more throughput.
188 "aes128-gcm@openssh.com"
189 "aes256-gcm@openssh.com"
190 ];
191 KbdInteractiveAuthentication = mkDefault false;
192 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
193 KexAlgorithms = [
194 "curve25519-sha256"
195 "curve25519-sha256@libssh.org"
196 "diffie-hellman-group16-sha512"
197 "diffie-hellman-group18-sha512"
198 "sntrup761x25519-sha512@openssh.com"
199 ];
200 PasswordAuthentication = false;
201 # Remove any remote gpg-agent's socket.
202 StreamLocalBindUnlink = true;
203 UseDns = mkDefault false;
204 X11Forwarding = mkDefault false;
205 };
206 };
207 }