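# NixOS module: opt-in kernel/system hardening knobs under `gen.system.hardening`.
#
# Unconditional sysctls are always applied; the option-gated groups are
# appended with `lib.mkMerge` (see the comment at `boot.kernel.sysctl`).
{
  config,
  lib,
  ...
}: let
  cfg = config.gen.system.hardening;
in {
  options.gen.system.hardening = {
    hardenBpf = lib.mkEnableOption "place heavier restrictions on BPF";
    fullRpFilter = lib.mkEnableOption "enable full reverse path filtering. breaks dynamic routing, probably";
    ignoreIcmpEcho = lib.mkEnableOption "ignore icmp echos. obviously, this makes pings unresponsive";
    disableSack = lib.mkEnableOption "disable tcp sack";
    disableConsole = lib.mkEnableOption "disable console. not recommended for test machines";
  };

  config = {
    ### Sysctls ###
    #
    # The gated groups are combined with `lib.mkMerge`, NOT with `//`.
    # `lib.mkIf cond attrs` does not return `attrs`; it returns a marker set
    # `{ _type = "if"; condition = cond; content = attrs; }`. Chaining
    # `base // lib.mkIf a x // lib.mkIf b y` therefore produces one attrset whose
    # `_type`/`condition`/`content` keys are overwritten by the LAST mkIf, and the
    # module system then evaluates the whole value as `mkIf b y`: the base sysctls
    # and every earlier group are silently dropped (and nothing at all is applied
    # when the last condition is false). mkMerge lets each mkIf be discharged on
    # its own.
    boot.kernel.sysctl = lib.mkMerge [
      {
        "kernel.kptr_restrict" = 1; # hide kernel pointers from unprivileged readers of /proc etc.
        "kernel.dmesg_restrict" = 1; # dmesg requires CAP_SYSLOG
        "kernel.printk" = "3 3 3 3"; # console log level: errors only
        "dev.tty.ldisc_autoload" = 0; # no unprivileged autoloading of tty line-discipline modules
        "vm.unprivileged_userfaultfd" = 0; # userfaultfd only for privileged callers
        "kernel.kexec_load_disabled" = 1; # also set by security.protectKernelImage below; kept explicit
        "kernel.sysrq" = 0; # ignore sysrq key
        # NOTE(review): mainline kernels define levels up to 2; 3 is honoured only by
        # distro-patched kernels and otherwise behaves like 2 — confirm for the kernel in use.
        "kernel.perf_event_paranoid" = 3;
        "net.ipv4.tcp_rfc1337" = 1; # drop RSTs during time-wait state
      }
      (lib.mkIf cfg.ignoreIcmpEcho {
        "net.ipv4.icmp_echo_ignore_all" = 1;
      })
      (lib.mkIf cfg.hardenBpf {
        "kernel.unprivileged_bpf_disabled" = 1; # bpf() syscall needs CAP_BPF/CAP_SYS_ADMIN
        "net.core.bpf_jit_harden" = 2; # constant blinding for all users, including privileged
      })
      (lib.mkIf cfg.fullRpFilter {
        # 1 = strict mode (RFC 3704); the effective value per interface is the
        # maximum of `all` and the interface setting.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;
      })
      (lib.mkIf cfg.disableSack {
        "net.ipv4.tcp_sack" = 0;
        "net.ipv4.tcp_dsack" = 0;
        # NOTE(review): tcp_fack was removed from the kernel in 4.15, so this key is
        # absent on current kernels; systemd-sysctl reports a missing key but
        # still applies the rest — confirm it is not treated as a failure here.
        "net.ipv4.tcp_fack" = 0;
      })
    ];

    ### Security options ###
    # Prevents replacing the running kernel image (kexec, hibernation, /dev/mem style writes).
    security.protectKernelImage = true;

    ### Disable emergency access ###
    # No root shell from the emergency target or the initrd on boot failure.
    systemd.enableEmergencyMode = false;
    boot.initrd.systemd.emergencyAccess = false;

    ### Disable tty login ###
    console = {
      earlySetup = true; # only meaningful while the console is enabled
      enable = !cfg.disableConsole;
    };
  };
}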