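{ config, lib, ... }:
# Opt-in kernel/system hardening module. Every knob under `gen.hardening`
# defaults to off (mkEnableOption), so only the unconditional sysctls and the
# emergency-mode / kernel-image settings apply unless a flag is enabled.
let
  cfg = config.gen.hardening;
in
{
  options.gen.hardening = {
    hardenBpf = lib.mkEnableOption "place heavier restrictions on BPF";
    fullRpFilter = lib.mkEnableOption "enable full reverse path filtering. breaks dynamic routing, probably";
    ignoreIcmpEcho = lib.mkEnableOption "ignore icmp echos. obviously, this makes pings unresponsive";
    disableSack = lib.mkEnableOption "disable tcp sack";
    disableConsole = lib.mkEnableOption "disable console. not recommended for test machines";
  };

  config = {
    ### Sysctls ###
    # The conditional groups are combined with mkMerge rather than `//`.
    # `lib.mkIf` returns a marker set `{ _type = "if"; condition; content; }`,
    # so `base // lib.mkIf c x // ...` produces ONE "if" value whose content is
    # only the last group: the module system then discards the unconditional
    # sysctls and every earlier group, leaving most of this hardening unapplied.
    boot.kernel.sysctl = lib.mkMerge [
      {
        "kernel.kptr_restrict" = 1;
        "kernel.dmesg_restrict" = 1;
        "kernel.printk" = "3 3 3 3";
        "dev.tty.ldisc_autoload" = 0;
        "vm.unprivileged_userfaultfd" = 0;
        # security.protectKernelImage (set below) is believed to set this as
        # well via mkDefault; the explicit value here wins and keeps the
        # intent visible in one place.
        "kernel.kexec_load_disabled" = 1;
        "kernel.sysrq" = 0; # ignore sysrq key
        # On mainline kernels any value >= 2 means "unprivileged perf fully
        # restricted"; 3 only adds meaning on distro-patched kernels.
        "kernel.perf_event_paranoid" = 3;
        "net.ipv4.tcp_rfc1337" = 1; # drop RSTs during time-wait state
      }
      (lib.mkIf cfg.ignoreIcmpEcho {
        "net.ipv4.icmp_echo_ignore_all" = 1;
      })
      (lib.mkIf cfg.hardenBpf {
        "kernel.unprivileged_bpf_disabled" = 1;
        "net.core.bpf_jit_harden" = 2;
      })
      (lib.mkIf cfg.fullRpFilter {
        # 1 = strict mode: replies over an asymmetric route are dropped,
        # which is what the option description warns about.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;
      })
      (lib.mkIf cfg.disableSack {
        "net.ipv4.tcp_sack" = 0;
        "net.ipv4.tcp_dsack" = 0;
        # NOTE(review): tcp_fack is believed to have been removed from recent
        # kernels; on such kernels systemd-sysctl logs an error for this key
        # (the other keys still apply) — confirm against the target kernel.
        "net.ipv4.tcp_fack" = 0;
      })
    ];

    ### Security options ###
    security.protectKernelImage = true;

    ### Disable emergency access ###
    # Both the stage-2 emergency shell and the initrd (systemd) emergency
    # access are disabled; a boot failure will not drop to a root shell.
    systemd.enableEmergencyMode = false;
    boot.initrd.systemd.emergencyAccess = false;

    ### Disable tty login ###
    console = {
      earlySetup = true;
      enable = !cfg.disableConsole;
    };
  };
}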