-{ pkgs, lib, config, ... }:
+{ pkgs, lib, ... }:
+with lib;
{
-boot.kernelPackages = pkgs.linuxPackages_latest;
-#boot.kernelPackages = pkgs.linuxPackages_hardened;
-#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
-#environment.memoryAllocator.provider = "libc";
-nix.allowedUsers = [ "@users" ];
-networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
-security.allowSimultaneousMultithreading = false;
-security.apparmor.enable = lib.mkDefault true;
-security.forcePageTableIsolation = true;
-security.lockKernelModules = lib.mkDefault true;
-security.protectKernelImage = true;
-security.virtualisation.flushL1DataCache = "always";
-boot.blacklistedKernelModules = [
- # Obscure network protocols
- "ax25"
- "netrom"
- "rose"
-
- # Old or rare or insufficiently audited filesystems
- "adfs"
- "affs"
- "bfs"
- "befs"
- "cramfs"
- "efs"
- "erofs"
- "exofs"
- "freevxfs"
- "f2fs"
- "hfs"
- "hpfs"
- "jfs"
- "minix"
- "nilfs2"
- "ntfs"
- "omfs"
- "qnx4"
- "qnx6"
- "sysv"
- "ufs"
-];
-boot.kernel.sysctl = {
- # Mitigate kernel pointer leaks
- "kernel.kptr_restrict" = 2;
- # Restricts the kernel log to the CAP_SYSLOG capability
- "kernel.dmesg_restrict" = 1;
- # Prevent information leaks
- #kernel.printk = "3 3 3 3";
- # Restrict eBPF to the CAP_BPF capability
- # and enable JIT hardening techniques
- # such as constant blinding.
- "kernel.unprivileged_bpf_disabled" = 1;
- "net.core.bpf_jit_harden" = 2;
- # Restricts loading TTY line disciplines
- # to the CAP_SYS_MODULE capability to prevent
- # unprivileged attackers from loading vulnerable
- # line disciplines with the TIOCSETD ioctl
- "dev.tty.ldisc_autoload" = 0;
- # The userfaultfd() syscall is often abused to exploit
- # use-after-free flaws.
- # Due to this, this sysctl is used to restrict
- # this syscall to the CAP_SYS_PTRACE capability.
- "vm.unprivileged_userfaultfd" = 0;
- # kexec is a system call that is used
- # to boot another kernel during runtime.
- "kernel.kexec_load_disabled" = 1;
- # User namespaces are a feature in the kernel which aim to
- # improve sandboxing and make it easily accessible for
- # unprivileged users however, this feature exposes
- # significant kernel attack surface for privilege
- # escalation so this sysctl restricts the usage of user
- # namespaces to the CAP_SYS_ADMIN capability.
- "kernel.unprivileged_userns_clone" = 0;
- # Restricts all usage of performance events to the
- # CAP_PERFMON capability
- "kernel.perf_event_paranoid" = 3;
- # Helps protect against SYN flood attacks
- "net.ipv4.tcp_syncookies" = 1;
- # Protects against time-wait assassination
- # by dropping RST packets for sockets
- # in the time-wait state.
- "net.ipv4.tcp_rfc1337" = 1;
- # Disable ICMP redirect acceptance and sending to prevent
- # man-in-the-middle attacks and minimize information disclosure.
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- # Disable source routing, a mechanism
- # that allows users to redirect network traffic.
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv4.conf.default.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.default.accept_source_route" = 0;
+ boot.kernelPackages = mkDefault pkgs.linuxPackages;
+ #boot.kernelPackages = pkgs.linuxPackages_latest;
+ #boot.kernelPackages = pkgs.linuxPackages_hardened;
+ #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
+ #environment.memoryAllocator.provider = "libc";
+ nix.settings.allowed-users = [ "@users" ];
/*
- # Disable TCP SACK, which is commonly exploited
- # and unnecessary for many circumstances.
- # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
- "net.ipv4.tcp_sack" = 0;
- "net.ipv4.tcp_dsack" = 0;
- "net.ipv4.tcp_fack" = 0;
+ nix.settings.substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ nix.settings.trusted-public-keys = [
+ "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
*/
- # Generate a random IPv6 address
- "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
- "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
- # Restricts usage of ptrace to only processes
- # with the CAP_SYS_PTRACE capability
- "kernel.yama.ptrace_scope" = 2;
- # Do source validation by confirming reverse path
- "net.ipv4.conf.all.rp_filter" = 1;
- "net.ipv4.conf.default.rp_filter" = 1;
-};
-boot.kernelParams = [
- "slab_nomerge"
- "slub_debug=FZ"
- #"init_on_alloc=1"
- #"init_on_free=1"
- "page_alloc.shuffle=1"
- "pti=on"
- "vsyscall=none"
- "debugfs=off"
- "oops=panic"
- # Disabled because zfs and wireguard modules are not signed
- "module.sig_enforce=0"
- "lockdown=confidentiality"
- "mce=0"
- #"quiet"
- #"loglevel=0"
-];
-services.journald.extraConfig = ''
- Compress=true
- MaxRetentionSec=1month
- Storage=persistent
- SystemMaxUse=100M
-'';
-services.openssh = {
- openFirewall = lib.mkDefault false;
- passwordAuthentication = false;
-};
+ nix.settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
+ security.allowSimultaneousMultithreading = false;
+ security.apparmor.enable = mkDefault true;
+ security.forcePageTableIsolation = true;
+ security.lockKernelModules = mkDefault true;
+ security.protectKernelImage = true;
+ security.virtualisation.flushL1DataCache = "always";
+ # Only allow members of the wheel group to execute sudo by setting
+ # the executable’s permissions accordingly.
+ # This prevents users that are not members of wheel
+ # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+ security.sudo.execWheelOnly = true;
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+ boot.kernel.sysctl = {
+ # Mitigate kernel pointer leaks
+ "kernel.kptr_restrict" = 2;
+ # Restricts the kernel log to the CAP_SYSLOG capability
+ "kernel.dmesg_restrict" = 1;
+ # Prevent information leaks
+ #kernel.printk = "3 3 3 3";
+ # Restrict eBPF to the CAP_BPF capability
+ # and enable JIT hardening techniques
+ # such as constant blinding.
+ "kernel.unprivileged_bpf_disabled" = 1;
+ "net.core.bpf_jit_harden" = 2;
+ # Restricts loading TTY line disciplines
+ # to the CAP_SYS_MODULE capability to prevent
+ # unprivileged attackers from loading vulnerable
+ # line disciplines with the TIOCSETD ioctl
+ "dev.tty.ldisc_autoload" = 0;
+ # The userfaultfd() syscall is often abused to exploit
+ # use-after-free flaws.
+ # Due to this, this sysctl is used to restrict
+ # this syscall to the CAP_SYS_PTRACE capability.
+ "vm.unprivileged_userfaultfd" = 0;
+ # kexec is a system call that is used
+ # to boot another kernel during runtime.
+ "kernel.kexec_load_disabled" = 1;
+ # User namespaces are a feature in the kernel which aim to
+ # improve sandboxing and make it easily accessible for
+ # unprivileged users however, this feature exposes
+ # significant kernel attack surface for privilege
+ # escalation so this sysctl restricts the usage of user
+ # namespaces to the CAP_SYS_ADMIN capability.
+ "kernel.unprivileged_userns_clone" = 0;
+ # Restricts all usage of performance events to the
+ # CAP_PERFMON capability
+ "kernel.perf_event_paranoid" = 3;
+ # Helps protect against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Protects against time-wait assassination
+ # by dropping RST packets for sockets
+ # in the time-wait state.
+ "net.ipv4.tcp_rfc1337" = 1;
+ # Disable ICMP redirect acceptance and sending to prevent
+ # man-in-the-middle attacks and minimize information disclosure.
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Disable source routing, a mechanism
+ # that allows users to redirect network traffic.
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.default.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.default.accept_source_route" = 0;
+ /*
+ # Disable TCP SACK, which is commonly exploited
+ # and unnecessary for many circumstances.
+ # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
+ "net.ipv4.tcp_sack" = 0;
+ "net.ipv4.tcp_dsack" = 0;
+ "net.ipv4.tcp_fack" = 0;
+ */
+ # Generate a random IPv6 address
+ "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
+ "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
+ # Restricts usage of ptrace to only processes
+ # with the CAP_SYS_PTRACE capability
+ "kernel.yama.ptrace_scope" = 2;
+ # Do source validation by confirming reverse path
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ };
+ boot.kernelParams = [
+ "slab_nomerge"
+ "slub_debug=FZ"
+ #"init_on_alloc=1"
+ #"init_on_free=1"
+ "page_alloc.shuffle=1"
+ "pti=on"
+ "vsyscall=none"
+ "debugfs=off"
+ "oops=panic"
+ # Disabled because zfs and wireguard modules are not signed
+ "module.sig_enforce=0"
+ "lockdown=confidentiality"
+ "mce=0"
+ #"quiet"
+ #"loglevel=0"
+ ];
+ services.journald.extraConfig = ''
+ Compress=true
+ MaxRetentionSec=1month
+ Storage=persistent
+ SystemMaxUse=100M
+ '';
+ systemd.coredump = {
+ enable = mkDefault false;
+ extraConfig = ''
+ Compress=true
+ MaxUse=1024M
+ Storage=external
+ '';
+ };
+ services.openssh = {
+ # Avoid TOFU MITM by providing well known public keys here.
+ knownHosts = {
+ "git.sr.ht".hostNames = [ "git.sr.ht" ];
+ "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+
+ "github.com".hostNames = [ "github.com" ];
+ "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+ "gitlab.com".hostNames = [ "gitlab.com" ];
+ "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+ };
+ openFirewall = mkDefault false;
+ settings = {
+ KbdInteractiveAuthentication = mkDefault false;
+ # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
+ PasswordAuthentication = false;
+ # Remove any remote gpg-agent's socket.
+ StreamLocalBindUnlink = true;
+ UseDns = mkDefault false;
+ X11Forwarding = mkDefault false;
+ };
+ };
}