{ inputs, pkgs, lib, config, ... }: { #boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; #environment.memoryAllocator.provider = "libc"; nix.allowedUsers = [ "@users" ]; networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5"; security.allowSimultaneousMultithreading = false; security.apparmor.enable = lib.mkDefault true; security.forcePageTableIsolation = true; security.lockKernelModules = lib.mkDefault true; security.protectKernelImage = true; security.virtualisation.flushL1DataCache = "always"; services.openssh.passwordAuthentication = false; boot.blacklistedKernelModules = [ # Obscure network protocols "ax25" "netrom" "rose" # Old or rare or insufficiently audited filesystems "adfs" "affs" "bfs" "befs" "cramfs" "efs" "erofs" "exofs" "freevxfs" "f2fs" "hfs" "hpfs" "jfs" "minix" "nilfs2" "ntfs" "omfs" "qnx4" "qnx6" "sysv" "ufs" ]; boot.kernel.sysctl = { # Mitigate kernel pointer leaks "kernel.kptr_restrict" = 2; # Restricts the kernel log to the CAP_SYSLOG capability "kernel.dmesg_restrict" = 1; # Prevent information leaks #kernel.printk = "3 3 3 3"; # Restrict eBPF to the CAP_BPF capability # and enable JIT hardening techniques # such as constant blinding. "kernel.unprivileged_bpf_disabled" = 1; "net.core.bpf_jit_harden" = 2; # Restricts loading TTY line disciplines # to the CAP_SYS_MODULE capability to prevent # unprivileged attackers from loading vulnerable # line disciplines with the TIOCSETD ioctl "dev.tty.ldisc_autoload" = 0; # The userfaultfd() syscall is often abused to exploit # use-after-free flaws. # Due to this, this sysctl is used to restrict # this syscall to the CAP_SYS_PTRACE capability. "vm.unprivileged_userfaultfd" = 0; # kexec is a system call that is used # to boot another kernel during runtime. "kernel.kexec_load_disabled" = 1; # User namespaces are a feature in the kernel which aim to # improve sandboxing and make it easily accessible for # unprivileged users however, this feature exposes # significant kernel attack surface for privilege # escalation so this sysctl restricts the usage of user # namespaces to the CAP_SYS_ADMIN capability. "kernel.unprivileged_userns_clone" = 0; # Restricts all usage of performance events to the # CAP_PERFMON capability "kernel.perf_event_paranoid" = 3; # Helps protect against SYN flood attacks "net.ipv4.tcp_syncookies" = 1; # Protects against time-wait assassination # by dropping RST packets for sockets # in the time-wait state. "net.ipv4.tcp_rfc1337" = 1; # Disable ICMP redirect acceptance and sending to prevent # man-in-the-middle attacks and minimize information disclosure. "net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; # Disable source routing, a mechanism # that allows users to redirect network traffic. "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv4.conf.default.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0; "net.ipv6.conf.default.accept_source_route" = 0; /* # Disable TCP SACK, which is commonly exploited # and unnecessary for many circumstances. # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off "net.ipv4.tcp_sack" = 0; "net.ipv4.tcp_dsack" = 0; "net.ipv4.tcp_fack" = 0; */ # Generate a random IPv6 address "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; # Restricts usage of ptrace to only processes # with the CAP_SYS_PTRACE capability "kernel.yama.ptrace_scope" = 2; # Do source validation by confirming reverse path "net.ipv4.conf.all.rp_filter" = 1; "net.ipv4.conf.default.rp_filter" = 1; }; boot.kernelParams = [ "slab_nomerge" "slub_debug=FZ" #"init_on_alloc=1" #"init_on_free=1" "page_alloc.shuffle=1" "pti=on" "vsyscall=none" "debugfs=off" "oops=panic" # Disabled because zfs and wireguard modules are not signed "module.sig_enforce=0" "lockdown=confidentiality" "mce=0" #"quiet" #"loglevel=0" ]; }