-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixosConfig, ... }:
{
-boot.kernelPackages = pkgs.linuxPackages_latest;
-#boot.kernelPackages = pkgs.linuxPackages_hardened;
-#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
-#environment.memoryAllocator.provider = "libc";
-nix.allowedUsers = [ "@users" ];
-networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
-security.allowSimultaneousMultithreading = false;
-security.apparmor.enable = true;
-security.forcePageTableIsolation = true;
-security.lockKernelModules = lib.mkDefault true;
-security.protectKernelImage = true;
-security.virtualisation.flushL1DataCache = "always";
-boot.blacklistedKernelModules = [
- # Obscure network protocols
- "ax25"
- "netrom"
- "rose"
-
- # Old or rare or insufficiently audited filesystems
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
-];
-boot.kernel.sysctl = {
- # Mitigate kernel pointer leaks
- "kernel.kptr_restrict" = 2;
- # Restricts the kernel log to the CAP_SYSLOG capability
- "kernel.dmesg_restrict" = 1;
- # Prevent information leaks
- #kernel.printk = "3 3 3 3";
- # Restrict eBPF to the CAP_BPF capability
- # and enable JIT hardening techniques
- # such as constant blinding.
- "kernel.unprivileged_bpf_disabled" = 1;
- "net.core.bpf_jit_harden" = 2;
- # Restricts loading TTY line disciplines
- # to the CAP_SYS_MODULE capability to prevent
- # unprivileged attackers from loading vulnerable
- # line disciplines with the TIOCSETD ioctl
- "dev.tty.ldisc_autoload" = 0;
- # The userfaultfd() syscall is often abused to exploit
- # use-after-free flaws.
- # Due to this, this sysctl is used to restrict
- # this syscall to the CAP_SYS_PTRACE capability.
- "vm.unprivileged_userfaultfd" = 0;
- # kexec is a system call that is used
- # to boot another kernel during runtime.
- "kernel.kexec_load_disabled" = 1;
- # User namespaces are a feature in the kernel which aim to
- # improve sandboxing and make it easily accessible for
- # unprivileged users however, this feature exposes
- # significant kernel attack surface for privilege
- # escalation so this sysctl restricts the usage of user
- # namespaces to the CAP_SYS_ADMIN capability.
- "kernel.unprivileged_userns_clone" = 0;
- # Restricts all usage of performance events to the
- # CAP_PERFMON capability
- "kernel.perf_event_paranoid" = 3;
- # Helps protect against SYN flood attacks
- "net.ipv4.tcp_syncookies" = 1;
- # Protects against time-wait assassination
- # by dropping RST packets for sockets
- # in the time-wait state.
- "net.ipv4.tcp_rfc1337" = 1;
- # Disable ICMP redirect acceptance and sending to prevent
- # man-in-the-middle attacks and minimize information disclosure.
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- # Disable source routing, a mechanism
- # that allows users to redirect network traffic.
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv4.conf.default.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.default.accept_source_route" = 0;
- /*
- # Disable TCP SACK, which is commonly exploited
- # and unnecessary for many circumstances.
- # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
- "net.ipv4.tcp_sack" = 0;
- "net.ipv4.tcp_dsack" = 0;
- "net.ipv4.tcp_fack" = 0;
- */
- # Generate a random IPv6 address
- "net.ipv6.conf.all.use_tempaddr" = 2;
- "net.ipv6.conf.default.use_tempaddr" = 2;
- # Restricts usage of ptrace to only processes
- # with the CAP_SYS_PTRACE capability
- "kernel.yama.ptrace_scope" = 2;
- # Do source validation by confirming reverse path
- "net.ipv4.conf.all.rp_filter" = 1;
- "net.ipv4.conf.default.rp_filter" = 1;
-};
-boot.kernelParams = [
- "slab_nomerge"
- "slub_debug=FZ"
- #"init_on_alloc=1"
- #"init_on_free=1"
- "page_alloc.shuffle=1"
- "pti=on"
- "vsyscall=none"
- "debugfs=off"
- "oops=panic"
- # Disabled because zfs and wireguard modules are not signed
- "module.sig_enforce=0"
- "lockdown=confidentiality"
- "mce=0"
- #"quiet"
- #"loglevel=0"
+home.packages = [
+ pkgs.mkpasswd
+ pkgs.pass
+ pkgs.yubikey-personalization
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+ pkgs.keepass
+ pkgs.yubikey-personalization-gui
];
}
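Review bot: The whole kernel-hardening set removed in this hunk (the `boot.kernel.sysctl` block, `boot.kernelParams`, `boot.blacklistedKernelModules`, AppArmor, `security.lockKernelModules`, `protectKernelImage`, SMT off) has no replacement anywhere on the new side, and the new `home.packages` list of password/YubiKey tooling is unrelated to it, so unless a NixOS-side module not shown here now carries those settings the host silently loses them; a one-line header comment such as `# Kernel/system hardening lives in the NixOS module <path>; this file is user-level tooling only` would make the move auditable. Separately, the new `lib.optionals nixosConfig.services.xserver.enable` on the `home.packages` line assumes `nixosConfig` is always populated, which presumably holds only when this module is evaluated through the NixOS home-manager integration; if it can also be evaluated standalone, guard it, e.g. `] ++ lib.optionals (nixosConfig != null && nixosConfig.services.xserver.enable) [`, or confirm the argument is always supplied. The value `module.sig_enforce=0` next to `lockdown=confidentiality` in the removed lines is history and not re-raised, but it is worth checking that wherever the kernel params were relocated, unsigned ZFS/WireGuard modules are still the documented reason for keeping signature enforcement off.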