{ pkgs, lib, config, ... }:
{
boot.kernelPackages = pkgs.linuxPackages;
#boot.kernelPackages = pkgs.linuxPackages_latest;
#boot.kernelPackages = pkgs.linuxPackages_hardened;
#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
#environment.memoryAllocator.provider = "libc";
nix.settings.allowed-users = [ "@users" ];
networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
security.allowSimultaneousMultithreading = false;
security.apparmor.enable = lib.mkDefault true;
security.forcePageTableIsolation = true;
security.lockKernelModules = lib.mkDefault true;
security.protectKernelImage = true;
security.virtualisation.flushL1DataCache = "always";
boot.blacklistedKernelModules = [
  # Obscure network protocols
  "ax25"
  "netrom"
  "rose"

  # Old or rare or insufficiently audited filesystems
  "adfs"
  "affs"
  "bfs"
  "befs"
  "cramfs"
  "efs"
  "erofs"
  "exofs"
  "freevxfs"
  "f2fs"
  "hfs"
  "hpfs"
  "jfs"
  "minix"
  "nilfs2"
  "ntfs"
  "omfs"
  "qnx4"
  "qnx6"
  "sysv"
  "ufs"
];
boot.kernel.sysctl = {
  # Mitigate kernel pointer leaks
  "kernel.kptr_restrict" = 2;
  # Restricts the kernel log to the CAP_SYSLOG capability
  "kernel.dmesg_restrict" = 1;
  # Prevent information leaks
  #kernel.printk = "3 3 3 3";
  # Restrict eBPF to the CAP_BPF capability
  # and enable JIT hardening techniques
  # such as constant blinding.
  "kernel.unprivileged_bpf_disabled" = 1;
  "net.core.bpf_jit_harden" = 2;
  # Restricts loading TTY line disciplines
  # to the CAP_SYS_MODULE capability to prevent
  # unprivileged attackers from loading vulnerable
  # line disciplines with the TIOCSETD ioctl
  "dev.tty.ldisc_autoload" = 0;
  # The userfaultfd() syscall is often abused to exploit
  # use-after-free flaws.
  # Due to this, this sysctl is used to restrict
  # this syscall to the CAP_SYS_PTRACE capability.
  "vm.unprivileged_userfaultfd" = 0;
  # kexec is a system call that is used
  # to boot another kernel during runtime.
  "kernel.kexec_load_disabled" = 1;
  # User namespaces are a feature in the kernel which aim to
  # improve sandboxing and make it easily accessible for
  # unprivileged users however, this feature exposes
  # significant kernel attack surface for privilege
  # escalation so this sysctl restricts the usage of user
  # namespaces to the CAP_SYS_ADMIN capability.
  "kernel.unprivileged_userns_clone" = 0;
  # Restricts all usage of performance events to the
  # CAP_PERFMON capability
  "kernel.perf_event_paranoid" = 3;
  # Helps protect against SYN flood attacks
  "net.ipv4.tcp_syncookies" = 1;
  # Protects against time-wait assassination
  # by dropping RST packets for sockets
  # in the time-wait state.
  "net.ipv4.tcp_rfc1337" = 1;
  # Disable ICMP redirect acceptance and sending to prevent
  # man-in-the-middle attacks and minimize information disclosure.
  "net.ipv4.conf.all.accept_redirects" = 0;
  "net.ipv4.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.secure_redirects" = 0;
  "net.ipv4.conf.default.secure_redirects" = 0;
  "net.ipv6.conf.all.accept_redirects" = 0;
  "net.ipv6.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.send_redirects" = 0;
  "net.ipv4.conf.default.send_redirects" = 0;
  # Disable source routing, a mechanism
  # that allows users to redirect network traffic.
  "net.ipv4.conf.all.accept_source_route" = 0;
  "net.ipv4.conf.default.accept_source_route" = 0;
  "net.ipv6.conf.all.accept_source_route" = 0;
  "net.ipv6.conf.default.accept_source_route" = 0;
  /*
  # Disable TCP SACK, which is commonly exploited
  # and unnecessary for many circumstances.
  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
  "net.ipv4.tcp_sack" = 0;
  "net.ipv4.tcp_dsack" = 0;
  "net.ipv4.tcp_fack" = 0;
  */
  # Generate a random IPv6 address
  "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
  "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
  # Restricts usage of ptrace to only processes
  # with the CAP_SYS_PTRACE capability
  "kernel.yama.ptrace_scope" = 2;
  # Do source validation by confirming reverse path
  "net.ipv4.conf.all.rp_filter" = 1;
  "net.ipv4.conf.default.rp_filter" = 1;
};
boot.kernelParams = [
  "slab_nomerge"
  "slub_debug=FZ"
  #"init_on_alloc=1"
  #"init_on_free=1"
  "page_alloc.shuffle=1"
  "pti=on"
  "vsyscall=none"
  "debugfs=off"
  "oops=panic"
  # Disabled because zfs and wireguard modules are not signed
  "module.sig_enforce=0"
  "lockdown=confidentiality"
  "mce=0"
  #"quiet"
  #"loglevel=0"
];
services.journald.extraConfig = ''
  Compress=true
  MaxRetentionSec=1month
  Storage=persistent
  SystemMaxUse=100M
'';
systemd.coredump = {
  enable = lib.mkDefault false;
  extraConfig = ''
    Compress=true
    MaxUse=1024M
    Storage=external
  '';
};
services.openssh = {
  openFirewall = lib.mkDefault false;
  passwordAuthentication = false;
};
}