home-manager: update
[julm/julm-nix.git] / nixos / profiles / security.nix
index 9b0981d9716d5d501942a0f4da7fb89b6fc4a950..bc37e4b6812188e0be8651210c95127c38e093c9 100644 (file)
@@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 with lib;
 {
   options = {
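Review bot: `config` becomes a formal argument of the module here, yet the old side of the next hunk (the removed `-      "mitigations=${config.security.kernel.mitigations}"` line) already referenced `config`, so that name must previously have resolved through some other binding in the file (a `let` or `rec` attribute, presumably) that this hunk does not touch. If such a binding still exists it now shadows or duplicates the module argument, and the two could silently diverge; dropping the old binding in the same change would make `config` resolve only through the module system. The module function body continues past the end of this hunk.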
@@ -194,7 +199,7 @@ with lib;
       "lockdown=confidentiality"
       # https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.rst
       "mce=bootlog"
-      "mitigations=${config.security.kernel.mitigations}" #    kspp   | self_protection
+      "mitigations=${config.security.kernel.mitigations}" # kspp   | self_protection
       #"spectre_v2=on" # defconfig | self_protection
       #"spectre_v2_user=on" # defconfig | self_protection
       #"spec_store_bypass_disable=on" # defconfig | self_protection
@@ -208,11 +213,11 @@ with lib;
       # Disable AVX to mitigate systems without microcode mitigation. No effect if the microcode mitigation is present. Known to cause crashes in userspace with buggy AVX enumeration.
       #"gather_data_sampling=force" # defconfig | self_protection
       # https://www.phoronix.com/news/randomize_kstack_offset-perf
-      "randomize_kstack_offset=1" #    kspp   | self_protection
+      "randomize_kstack_offset=1" # kspp   | self_protection
       # See https://unix.stackexchange.com/questions/592538/what-are-the-implication-of-using-iommu-force-in-the-boot-kernel-options
-      "iommu=force" #   clipos  | self_protection
+      "iommu=force" # clipos  | self_protection
       # DMA unmap operations invalidate IOMMU hardware TLBs synchronously.
-      "iommu.strict=1" #    kspp   | self_protection
+      "iommu.strict=1" # kspp   | self_protection
       "kfence.sample_interval=100" # a13xp0p0v | self_protection
       "kfence.deferrable=1"
       # Unconditionally disables IA32 emulation
@@ -240,13 +245,16 @@ with lib;
       # Avoid TOFU MITM by providing well known public keys here.
       knownHosts = {
         "git.sr.ht".hostNames = [ "git.sr.ht" ];
-        "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+        "git.sr.ht".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
 
         "github.com".hostNames = [ "github.com" ];
-        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+        "github.com".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
 
         "gitlab.com".hostNames = [ "gitlab.com" ];
-        "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+        "gitlab.com".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
       };
       openFirewall = mkDefault false;
       settings = {
@@ -275,7 +283,8 @@ with lib;
       };
     };
   };
-  /* TODO:
+  /*
+    TODO: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
     =========================================================================================================================
                 option_name               | type  |desired_val | decision |      reason      | check_result
     =========================================================================================================================