infra/nixos/modules/hardening.nix


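{
  config,
  lib,
  ...
}:
let
  cfg = config.gen.hardening;
  # Explicit imports instead of `with lib;` so every lib name used here is visible.
  inherit (lib) mkEnableOption mkMerge mkIf;
in {
  # Opt-in kernel, network and console hardening for hosts importing this module.
  # Everything under `config` that is not wrapped in `mkIf` applies unconditionally.
  options.gen.hardening = {
    hardenBpf = mkEnableOption "place heavier restrictions on BPF";
    fullRpFilter = mkEnableOption "full reverse path filtering. (breaks dynamic routing, probably)";
    ignoreIcmpEcho = mkEnableOption "ignore icmp echos. (obviously, this makes pings unresponsive)";
    disableSack = mkEnableOption "disable tcp sack";
    disableConsole = mkEnableOption "disable console. (not recommended for test machines)";
  };

  config = {
    ### Sysctls ###
    boot.kernel.sysctl = mkMerge [
      # Unconditional baseline.
      {
        "kernel.kptr_restrict" = 1; # hide kernel pointers from unprivileged readers (2 would hide them from everyone)
        "kernel.dmesg_restrict" = 1; # dmesg needs CAP_SYSLOG
        "kernel.printk" = "3 3 3 3"; # only errors and worse reach the console
        "dev.tty.ldisc_autoload" = 0; # no unprivileged auto-loading of tty line disciplines
        "vm.unprivileged_userfaultfd" = 0;
        # security.protectKernelImage (below) is understood to set this as a
        # default as well; kept explicit so the intent survives if that changes.
        "kernel.kexec_load_disabled" = 1;
        "kernel.sysrq" = 0; # ignore sysrq key
        # NOTE(review): mainline only distinguishes values up to 2; the
        # "3 = no perf for unprivileged users" meaning comes from distro
        # patches — confirm for the kernel actually deployed.
        "kernel.perf_event_paranoid" = 3;
        "net.ipv4.tcp_rfc1337" = 1; # drop RSTs during time-wait state
      }
      (mkIf cfg.ignoreIcmpEcho {
        "net.ipv4.icmp_echo_ignore_all" = 1;
        # The IPv4 key alone still answered ICMPv6 echo; the option promises
        # to ignore echos, so cover both address families.
        "net.ipv6.icmp.echo_ignore_all" = 1;
      })
      (mkIf cfg.hardenBpf {
        "kernel.unprivileged_bpf_disabled" = 1; # 1 cannot be undone without a reboot (2 could be re-enabled)
        "net.core.bpf_jit_harden" = 2; # constant blinding for all users, privileged included
      })
      (mkIf cfg.fullRpFilter {
        # 1 = strict mode (2 would be loose). rp_filter is IPv4 only; IPv6
        # source validation would need a firewall rule, which this module does not add.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;
      })
      (mkIf cfg.disableSack {
        # Trades TCP loss-recovery performance for a smaller SACK attack surface.
        "net.ipv4.tcp_sack" = 0;
        "net.ipv4.tcp_dsack" = 0;
        # NOTE(review): tcp_fack is believed to be a no-op or absent on recent
        # kernels; a missing key makes systemd-sysctl log a warning, not fail — verify.
        "net.ipv4.tcp_fack" = 0;
      })
    ];

    ### Security options ###
    security.protectKernelImage = true;

    ### Disable emergency access ###
    # Neither the running system nor the initrd drops to an unauthenticated
    # root shell on boot failure.
    systemd.enableEmergencyMode = false;
    boot.initrd.systemd.emergencyAccess = false;

    ### Disable tty login ###
    # NOTE(review): console.enable = false turns off the virtual console
    # setup; whether the getty units are disabled with it should be confirmed
    # against the NixOS release in use, otherwise disable them explicitly.
    console = {
      earlySetup = true;
      enable = !cfg.disableConsole;
    };
  };
}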