83 lines
3.1 KiB
Nix
83 lines
3.1 KiB
Nix
|
{
|
||
|
|
config,
|
||
|
|
lib,
|
||
|
|
...
|
||
|
|
}: {
|
||
|
|
options.snowflake.core.security = {
|
||
|
|
enable = lib.mkEnableOption "Enable core security configuration";
|
||
|
|
sysctl.enable = lib.mkEnableOption "Enable sysctl security configuration";
|
||
|
|
};
|
||
|
|
|
||
|
|
config = lib.mkIf config.snowflake.core.security.enable {
|
||
|
|
boot = lib.mkMerge [
|
||
|
|
{
|
||
|
|
# Disable console logging.
|
||
|
|
consoleLogLevel = 0;
|
||
|
|
|
||
|
|
# Disable verbose message on initrd to prevent log flooding.
|
||
|
|
initrd.verbose = false;
|
||
|
|
|
||
|
|
# Use tmpfs for /tmp, and clean only when not using tmpfs.
|
||
|
|
tmp.useTmpfs = lib.mkDefault true;
|
||
|
|
tmp.tmpfsSize = "95%";
|
||
|
|
|
||
|
|
# Disable kernel param editing on boot.
|
||
|
|
loader.systemd-boot.editor = false;
|
||
|
|
kernelModules = ["tcp_bbr"];
|
||
|
|
}
|
||
|
|
|
||
|
|
(lib.mkIf config.snowflake.core.security.sysctl.enable {
|
||
|
|
kernel.sysctl = {
|
||
|
|
# The Magic SysRq key is a key combo that allows users connected to the
|
||
|
|
# system console of a Linux kernel to perform some low-level commands.
|
||
|
|
# Disable it, since we don't need it, and is a potential security concern.
|
||
|
|
"kernel.sysrq" = 0;
|
||
|
|
|
||
|
|
## TCP hardening
|
||
|
|
# Prevent bogus ICMP errors from filling up logs.
|
||
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||
|
|
# Reverse path filtering causes the kernel to do source validation of
|
||
|
|
# packets received from all interfaces. This can mitigate IP spoofing.
|
||
|
|
"net.ipv4.conf.default.rp_filter" = 1;
|
||
|
|
"net.ipv4.conf.all.rp_filter" = 1;
|
||
|
|
# Do not accept IP source route packets (we're not a router).
|
||
|
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
||
|
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
||
|
|
# Don't send ICMP redirects (again, we're on a router).
|
||
|
|
"net.ipv4.conf.all.send_redirects" = 0;
|
||
|
|
"net.ipv4.conf.default.send_redirects" = 0;
|
||
|
|
# Refuse ICMP redirects (MITM mitigations).
|
||
|
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
||
|
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
||
|
|
"net.ipv4.conf.all.secure_redirects" = 0;
|
||
|
|
"net.ipv4.conf.default.secure_redirects" = 0;
|
||
|
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
||
|
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
||
|
|
# Protects against SYN flood attacks.
|
||
|
|
"net.ipv4.tcp_syncookies" = 1;
|
||
|
|
# Incomplete protection again TIME-WAIT assassination.
|
||
|
|
"net.ipv4.tcp_rfc1337" = 1;
|
||
|
|
|
||
|
|
# TCP optimization
|
||
|
|
# Enable TCP Fast Open for incoming and outgoing connections.
|
||
|
|
"net.ipv4.tcp_fastopen" = 3;
|
||
|
|
# Bufferbloat mitigations + slight improvement in throughput & latency.
|
||
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||
|
|
"net.core.default_qdisc" = "cake";
|
||
|
|
};
|
||
|
|
})
|
||
|
|
];
|
||
|
|
|
||
|
|
security = {
|
||
|
|
# Prevent replacing the kernel without reboot.
|
||
|
|
# protectKernelImage = true;
|
||
|
|
# Accept ACME terms, so we don't have to do this later.
|
||
|
|
acme.acceptTerms = true;
|
||
|
|
# Allows unauthorized applications to send unauthorization request.
|
||
|
|
polkit.enable = true;
|
||
|
|
# Enable sudo.
|
||
|
|
sudo.enable = true;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|