4 boot.kernelPackages = mkDefault pkgs.linuxPackages;
5 #boot.kernelPackages = pkgs.linuxPackages_latest;
6 #boot.kernelPackages = pkgs.linuxPackages_hardened;
7 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
8 #environment.memoryAllocator.provider = "libc";
9 nix.settings.allowed-users = [ "@users" ];
10 nix.settings.trusted-substituters = [
11 "https://nix-community.cachix.org"
13 nix.settings.trusted-public-keys = [
14 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
16 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
17 security.allowSimultaneousMultithreading = false;
18 security.apparmor.enable = mkDefault true;
19 security.forcePageTableIsolation = true;
20 security.lockKernelModules = mkDefault true;
21 security.protectKernelImage = true;
22 security.virtualisation.flushL1DataCache = "always";
23 # Only allow members of the wheel group to execute sudo by setting
24 # the executable’s permissions accordingly.
25 # This prevents users that are not members of wheel
26 # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
27 security.sudo.execWheelOnly = true;
28 boot.blacklistedKernelModules = [
29 # Obscure network protocols
34 # Old or rare or insufficiently audited filesystems
57 boot.kernel.sysctl = {
58 # Mitigate kernel pointer leaks
59 "kernel.kptr_restrict" = 2;
60 # Restricts the kernel log to the CAP_SYSLOG capability
61 "kernel.dmesg_restrict" = 1;
62 # Prevent information leaks
63 #kernel.printk = "3 3 3 3";
64 # Restrict eBPF to the CAP_BPF capability
65 # and enable JIT hardening techniques
66 # such as constant blinding.
67 "kernel.unprivileged_bpf_disabled" = 1;
68 "net.core.bpf_jit_harden" = 2;
69 # Restricts loading TTY line disciplines
70 # to the CAP_SYS_MODULE capability to prevent
71 # unprivileged attackers from loading vulnerable
72 # line disciplines with the TIOCSETD ioctl
73 "dev.tty.ldisc_autoload" = 0;
74 # The userfaultfd() syscall is often abused to exploit
75 # use-after-free flaws.
76 # Due to this, this sysctl is used to restrict
77 # this syscall to the CAP_SYS_PTRACE capability.
78 "vm.unprivileged_userfaultfd" = 0;
79 # kexec is a system call that is used
80 # to boot another kernel during runtime.
81 "kernel.kexec_load_disabled" = 1;
82 # User namespaces are a feature in the kernel which aim to
83 # improve sandboxing and make it easily accessible for
84 # unprivileged users however, this feature exposes
85 # significant kernel attack surface for privilege
86 # escalation so this sysctl restricts the usage of user
87 # namespaces to the CAP_SYS_ADMIN capability.
88 "kernel.unprivileged_userns_clone" = 0;
89 # Restricts all usage of performance events to the
90 # CAP_PERFMON capability
91 "kernel.perf_event_paranoid" = 3;
92 # Helps protect against SYN flood attacks
93 "net.ipv4.tcp_syncookies" = 1;
94 # Protects against time-wait assassination
95 # by dropping RST packets for sockets
96 # in the time-wait state.
97 "net.ipv4.tcp_rfc1337" = 1;
98 # Disable ICMP redirect acceptance and sending to prevent
99 # man-in-the-middle attacks and minimize information disclosure.
100 "net.ipv4.conf.all.accept_redirects" = 0;
101 "net.ipv4.conf.default.accept_redirects" = 0;
102 "net.ipv4.conf.all.secure_redirects" = 0;
103 "net.ipv4.conf.default.secure_redirects" = 0;
104 "net.ipv6.conf.all.accept_redirects" = 0;
105 "net.ipv6.conf.default.accept_redirects" = 0;
106 "net.ipv4.conf.all.send_redirects" = 0;
107 "net.ipv4.conf.default.send_redirects" = 0;
108 # Disable source routing, a mechanism
109 # that allows users to redirect network traffic.
110 "net.ipv4.conf.all.accept_source_route" = 0;
111 "net.ipv4.conf.default.accept_source_route" = 0;
112 "net.ipv6.conf.all.accept_source_route" = 0;
113 "net.ipv6.conf.default.accept_source_route" = 0;
115 # Disable TCP SACK, which is commonly exploited
116 # and unnecessary for many circumstances.
117 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
118 "net.ipv4.tcp_sack" = 0;
119 "net.ipv4.tcp_dsack" = 0;
120 "net.ipv4.tcp_fack" = 0;
122 # Generate a random IPv6 address
123 "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
124 "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
125 # Restricts usage of ptrace to only processes
126 # with the CAP_SYS_PTRACE capability
127 "kernel.yama.ptrace_scope" = 2;
128 # Do source validation by confirming reverse path
129 "net.ipv4.conf.all.rp_filter" = 1;
130 "net.ipv4.conf.default.rp_filter" = 1;
132 boot.kernelParams = [
137 "page_alloc.shuffle=1"
142 # Disabled because zfs and wireguard modules are not signed
143 "module.sig_enforce=0"
144 "lockdown=confidentiality"
149 services.journald.extraConfig = ''
151 MaxRetentionSec=1month
156 enable = mkDefault false;
164 # Avoid TOFU MITM by providing well known public keys here.
166 "git.sr.ht".hostNames = [ "git.sr.ht" ];
167 "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
169 "github.com".hostNames = [ "github.com" ];
170 "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
172 "gitlab.com".hostNames = [ "gitlab.com" ];
173 "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
175 openFirewall = mkDefault false;
177 KbdInteractiveAuthentication = mkDefault false;
178 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
181 "curve25519-sha256@libssh.org"
182 "diffie-hellman-group16-sha512"
183 "diffie-hellman-group18-sha512"
184 "sntrup761x25519-sha512@openssh.com"
186 PasswordAuthentication = false;
187 # Remove any remote gpg-agent's socket.
188 StreamLocalBindUnlink = true;
189 UseDns = mkDefault false;
190 X11Forwarding = mkDefault false;