# NixOS module: opt-in kernel and network hardening knobs under `gen.hardening`.
# The base sysctls and the emergency-mode/console settings apply unconditionally;
# the `mkEnableOption` toggles add the stricter (and more disruptive) pieces.
{
  config,
  lib,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf mkMerge;

  cfg = config.gen.hardening;

  # Sysctls that are always set, independent of any toggle.
  baseSysctls = {
    "kernel.kptr_restrict" = 1; # hide kernel pointers from unprivileged readers
    "kernel.dmesg_restrict" = 1; # kernel ring buffer readable by privileged users only
    "kernel.printk" = "3 3 3 3"; # console log levels pinned to errors
    "dev.tty.ldisc_autoload" = 0; # no autoloading of tty line-discipline modules
    "vm.unprivileged_userfaultfd" = 0; # userfaultfd restricted to privileged callers
    "kernel.kexec_load_disabled" = 1; # one-way switch: no new kernel can be kexec-loaded
    "kernel.sysrq" = 0; # ignore sysrq key
    "kernel.perf_event_paranoid" = 3; # NOTE(review): mainline kernels treat values above 2 like 2 — confirm for the target kernel
    "net.ipv4.tcp_rfc1337" = 1; # drop RSTs during time-wait state
  };

  # IPv4 only: this key does not affect IPv6 echo requests.
  icmpSysctls = {
    "net.ipv4.icmp_echo_ignore_all" = 1;
  };

  bpfSysctls = {
    "kernel.unprivileged_bpf_disabled" = 1; # NOTE(review): value 1 is expected to stay in effect until reboot — confirm
    "net.core.bpf_jit_harden" = 2; # JIT hardening for all users, not only unprivileged ones
  };

  # Strict (value 1) reverse-path filtering, IPv4 only.
  rpFilterSysctls = {
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
  };

  sackSysctls = {
    "net.ipv4.tcp_sack" = 0;
    "net.ipv4.tcp_dsack" = 0;
    "net.ipv4.tcp_fack" = 0; # NOTE(review): presumably a legacy no-op on current kernels — verify
  };
in
{
  options.gen.hardening = {
    hardenBpf = mkEnableOption "place heavier restrictions on BPF";
    fullRpFilter = mkEnableOption "full reverse path filtering. (breaks dynamic routing, probably)";
    ignoreIcmpEcho = mkEnableOption "ignore icmp echos. (obviously, this makes pings unresponsive)";
    disableSack = mkEnableOption "disable tcp sack";
    disableConsole = mkEnableOption "disable console. (not recommended for test machines)";
  };

  config = {
    ### Sysctls ###
    boot.kernel.sysctl = mkMerge [
      baseSysctls
      (mkIf cfg.ignoreIcmpEcho icmpSysctls)
      (mkIf cfg.hardenBpf bpfSysctls)
      (mkIf cfg.fullRpFilter rpFilterSysctls)
      (mkIf cfg.disableSack sackSysctls)
    ];

    ### Security options ###
    security.protectKernelImage = true;

    ### Disable emergency access ###
    # Both the stage-2 emergency target and the initrd emergency shell are
    # switched off unconditionally; there is no toggle for these.
    systemd.enableEmergencyMode = false;
    boot.initrd.systemd.emergencyAccess = false;

    ### Disable tty login ###
    console = {
      earlySetup = true;
      enable = !cfg.disableConsole; # console stays on unless explicitly disabled
    };
  };
}