oignon: julm: otpclient only there
[julm/julm-nix.git] / nixos / profiles / security.nix
index 3ae4f2e73d97d62484881cfd2c4f577b380845cb..1935b56dfa6ec9ba80a4651ed3b3601a19bc4af3 100644 (file)
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, ... }:
+with lib;
 {
-boot.kernelPackages = pkgs.linuxPackages_latest;
-#boot.kernelPackages = pkgs.linuxPackages_hardened;
-#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
-#environment.memoryAllocator.provider = "libc";
-nix.allowedUsers = [ "@users" ];
-networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
-security.allowSimultaneousMultithreading = false;
-security.apparmor.enable = lib.mkDefault true;
-security.forcePageTableIsolation = true;
-security.lockKernelModules = lib.mkDefault true;
-security.protectKernelImage = true;
-security.virtualisation.flushL1DataCache = "always";
-boot.blacklistedKernelModules = [
-  # Obscure network protocols
-  "ax25"
-  "netrom"
-  "rose"
-
-  # Old or rare or insufficiently audited filesystems
-  "adfs"
-  "affs"
-  "bfs"
-  "befs"
-  "cramfs"
-  "efs"
-  "erofs"
-  "exofs"
-  "freevxfs"
-  "f2fs"
-  "hfs"
-  "hpfs"
-  "jfs"
-  "minix"
-  "nilfs2"
-  "ntfs"
-  "omfs"
-  "qnx4"
-  "qnx6"
-  "sysv"
-  "ufs"
-];
-boot.kernel.sysctl = {
-  # Mitigate kernel pointer leaks
-  "kernel.kptr_restrict" = 2;
-  # Restricts the kernel log to the CAP_SYSLOG capability
-  "kernel.dmesg_restrict" = 1;
-  # Prevent information leaks
-  #kernel.printk = "3 3 3 3";
-  # Restrict eBPF to the CAP_BPF capability
-  # and enable JIT hardening techniques
-  # such as constant blinding.
-  "kernel.unprivileged_bpf_disabled" = 1;
-  "net.core.bpf_jit_harden" = 2;
-  # Restricts loading TTY line disciplines
-  # to the CAP_SYS_MODULE capability to prevent
-  # unprivileged attackers from loading vulnerable
-  # line disciplines with the TIOCSETD ioctl
-  "dev.tty.ldisc_autoload" = 0;
-  # The userfaultfd() syscall is often abused to exploit
-  # use-after-free flaws.
-  # Due to this, this sysctl is used to restrict
-  # this syscall to the CAP_SYS_PTRACE capability.
-  "vm.unprivileged_userfaultfd" = 0;
-  # kexec is a system call that is used
-  # to boot another kernel during runtime.
-  "kernel.kexec_load_disabled" = 1;
-  # User namespaces are a feature in the kernel which aim to
-  # improve sandboxing and make it easily accessible for
-  # unprivileged users however, this feature exposes
-  # significant kernel attack surface for privilege
-  # escalation so this sysctl restricts the usage of user
-  # namespaces to the CAP_SYS_ADMIN capability.
-  "kernel.unprivileged_userns_clone" = 0;
-  # Restricts all usage of performance events to the
-  # CAP_PERFMON capability
-  "kernel.perf_event_paranoid" = 3;
-  # Helps protect against SYN flood attacks
-  "net.ipv4.tcp_syncookies" = 1;
-  # Protects against time-wait assassination
-  # by dropping RST packets for sockets
-  # in the time-wait state.
-  "net.ipv4.tcp_rfc1337" = 1;
-  # Disable ICMP redirect acceptance and sending to prevent
-  # man-in-the-middle attacks and minimize information disclosure.
-  "net.ipv4.conf.all.accept_redirects" = 0;
-  "net.ipv4.conf.default.accept_redirects" = 0;
-  "net.ipv4.conf.all.secure_redirects" = 0;
-  "net.ipv4.conf.default.secure_redirects" = 0;
-  "net.ipv6.conf.all.accept_redirects" = 0;
-  "net.ipv6.conf.default.accept_redirects" = 0;
-  "net.ipv4.conf.all.send_redirects" = 0;
-  "net.ipv4.conf.default.send_redirects" = 0;
-  # Disable source routing, a mechanism
-  # that allows users to redirect network traffic.
-  "net.ipv4.conf.all.accept_source_route" = 0;
-  "net.ipv4.conf.default.accept_source_route" = 0;
-  "net.ipv6.conf.all.accept_source_route" = 0;
-  "net.ipv6.conf.default.accept_source_route" = 0;
+  boot.kernelPackages = mkDefault pkgs.linuxPackages;
+  #boot.kernelPackages = pkgs.linuxPackages_latest;
+  #boot.kernelPackages = pkgs.linuxPackages_hardened;
+  #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
+  #environment.memoryAllocator.provider = "libc";
+  nix.settings.allowed-users = [ "@users" ];
   /*
-  # Disable TCP SACK, which is commonly exploited
-  # and unnecessary for many circumstances.
-  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
-  "net.ipv4.tcp_sack" = 0;
-  "net.ipv4.tcp_dsack" = 0;
-  "net.ipv4.tcp_fack" = 0;
+    nix.settings.substituters = [
+    "https://nix-community.cachix.org"
+    ];
+    nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
   */
-  # Generate a random IPv6 address
-  "net.ipv6.conf.all.use_tempaddr" = lib.mkForce 2;
-  "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
-  # Restricts usage of ptrace to only processes
-  # with the CAP_SYS_PTRACE capability
-  "kernel.yama.ptrace_scope" = 2;
-  # Do source validation by confirming reverse path
-  "net.ipv4.conf.all.rp_filter" = 1;
-  "net.ipv4.conf.default.rp_filter" = 1;
-};
-boot.kernelParams = [
-  "slab_nomerge"
-  "slub_debug=FZ"
-  #"init_on_alloc=1"
-  #"init_on_free=1"
-  "page_alloc.shuffle=1"
-  "pti=on"
-  "vsyscall=none"
-  "debugfs=off"
-  "oops=panic"
-  # Disabled because zfs and wireguard modules are not signed
-  "module.sig_enforce=0"
-  "lockdown=confidentiality"
-  "mce=0"
-  #"quiet"
-  #"loglevel=0"
-];
-services.journald.extraConfig = ''
-  Compress=true
-  MaxRetentionSec=1month
-  Storage=persistent
-  SystemMaxUse=100M
-'';
-services.openssh = {
-  openFirewall = lib.mkDefault false;
-  passwordAuthentication = false;
-};
+  nix.settings.trusted-users = [
+    "root"
+    "@wheel"
+  ];
+  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
+  security.allowSimultaneousMultithreading = false;
+  security.apparmor.enable = mkDefault true;
+  security.forcePageTableIsolation = true;
+  security.lockKernelModules = mkDefault true;
+  security.protectKernelImage = true;
+  security.virtualisation.flushL1DataCache = "always";
+  # Only allow members of the wheel group to execute sudo by setting
+  # the executable’s permissions accordingly.
+  # This prevents users that are not members of wheel
+  # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+  security.sudo.execWheelOnly = true;
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "ax25"
+    "netrom"
+    "rose"
+
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
+  ];
+  boot.kernel.sysctl = {
+    # Mitigate kernel pointer leaks
+    "kernel.kptr_restrict" = 2;
+    # Restricts the kernel log to the CAP_SYSLOG capability
+    "kernel.dmesg_restrict" = 1;
+    # Prevent information leaks
+    #kernel.printk = "3 3 3 3";
+    # Restrict eBPF to the CAP_BPF capability
+    # and enable JIT hardening techniques
+    # such as constant blinding.
+    "kernel.unprivileged_bpf_disabled" = 1;
+    "net.core.bpf_jit_harden" = 2;
+    # Restricts loading TTY line disciplines
+    # to the CAP_SYS_MODULE capability to prevent
+    # unprivileged attackers from loading vulnerable
+    # line disciplines with the TIOCSETD ioctl
+    "dev.tty.ldisc_autoload" = 0;
+    # The userfaultfd() syscall is often abused to exploit
+    # use-after-free flaws.
+    # Due to this, this sysctl is used to restrict
+    # this syscall to the CAP_SYS_PTRACE capability.
+    "vm.unprivileged_userfaultfd" = 0;
+    # kexec is a system call that is used
+    # to boot another kernel during runtime.
+    "kernel.kexec_load_disabled" = 1;
+    # User namespaces are a feature in the kernel which aim to
+    # improve sandboxing and make it easily accessible for
+    # unprivileged users however, this feature exposes
+    # significant kernel attack surface for privilege
+    # escalation so this sysctl restricts the usage of user
+    # namespaces to the CAP_SYS_ADMIN capability.
+    "kernel.unprivileged_userns_clone" = 0;
+    # Restricts all usage of performance events to the
+    # CAP_PERFMON capability
+    "kernel.perf_event_paranoid" = 3;
+    # Helps protect against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Protects against time-wait assassination
+    # by dropping RST packets for sockets
+    # in the time-wait state.
+    "net.ipv4.tcp_rfc1337" = 1;
+    # Disable ICMP redirect acceptance and sending to prevent
+    # man-in-the-middle attacks and minimize information disclosure.
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Disable source routing, a mechanism
+    # that allows users to redirect network traffic.
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.default.accept_source_route" = 0;
+    /*
+      # Disable TCP SACK, which is commonly exploited
+      # and unnecessary for many circumstances.
+      # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
+      "net.ipv4.tcp_sack" = 0;
+      "net.ipv4.tcp_dsack" = 0;
+      "net.ipv4.tcp_fack" = 0;
+    */
+    # Generate a random IPv6 address
+    "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
+    "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
+    # Restricts usage of ptrace to only processes
+    # with the CAP_SYS_PTRACE capability
+    "kernel.yama.ptrace_scope" = 2;
+    # Do source validation by confirming reverse path
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+  };
+  boot.kernelParams = [
+    "slab_nomerge"
+    "slub_debug=FZ"
+    #"init_on_alloc=1"
+    #"init_on_free=1"
+    "page_alloc.shuffle=1"
+    "pti=on"
+    "vsyscall=none"
+    "debugfs=off"
+    "oops=panic"
+    # Disabled because zfs and wireguard modules are not signed
+    "module.sig_enforce=0"
+    "lockdown=confidentiality"
+    "mce=0"
+    #"quiet"
+    #"loglevel=0"
+  ];
+  services.journald.extraConfig = ''
+    Compress=true
+    MaxRetentionSec=1month
+    Storage=persistent
+    SystemMaxUse=100M
+  '';
+  systemd.coredump = {
+    enable = mkDefault false;
+    extraConfig = ''
+      Compress=true
+      MaxUse=1024M
+      Storage=external
+    '';
+  };
+  services.openssh = {
+    # Avoid TOFU MITM by providing well known public keys here.
+    knownHosts = {
+      "git.sr.ht".hostNames = [ "git.sr.ht" ];
+      "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+
+      "github.com".hostNames = [ "github.com" ];
+      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+      "gitlab.com".hostNames = [ "gitlab.com" ];
+      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    };
+    openFirewall = mkDefault false;
+    settings = {
+      KbdInteractiveAuthentication = mkDefault false;
+      # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
+      PasswordAuthentication = false;
+      # Remove any remote gpg-agent's socket.
+      StreamLocalBindUnlink = true;
+      UseDns = mkDefault false;
+      X11Forwarding = mkDefault false;
+    };
+  };
 }
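Review bot: The new `nix.settings.trusted-users = [ "root" "@wheel" ];` near the top of the hunk makes every wheel member root-equivalent through the Nix daemon (trusted users may add substituters and trusted public keys and import unsigned store paths, which the Nix manual itself describes as equivalent to root access), and nothing in the hunk records that this is deliberate. In this profile wheel already reaches root through sudo (`security.sudo.execWheelOnly = true;`), so the grant is consistent, but it should be documented so the two stay coupled: `# Root-equivalent: trusted users can add substituters/keys and import unsigned NARs; acceptable only because wheel is also the sudo group.` If wheel is ever widened to users who must not be root, drop `"@wheel"` and keep `nix.settings.trusted-users = [ "root" ];`. Separately, `"module.sig_enforce=0"` (commented "zfs and wireguard modules are not signed") sits next to `"lockdown=confidentiality"`, which looks contradictory, since an active lockdown LSM refuses unsigned modules regardless of sig_enforce, so presumably either those modules are loaded because lockdown is not taking effect or the comment is stale (wireguard has been in-tree since 5.6); confirm with `cat /sys/kernel/security/lockdown` on a booted system and update the comment to state which.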