feat: hardened profile from nixpkgs with some additions

2025-03-10 18:34:03 +03:00 · 2025-03-10 18:34:03 +03:00 · 0bf6498de3
commit 0bf6498de3
parent 1e47f00539
2 changed files with 106 additions and 0 deletions
--- a/modules/nixos/profiles/hardened.nix
+++ b/modules/nixos/profiles/hardened.nix
@ -0,0 +1,105 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+let
+  inherit (lib)
+    mkDefault
+    mkEnableOption
+    mkForce
+    mkIf
+    mkMerge
+    ;
+in
+{
+  options.ataraxia.profiles.hardened = mkEnableOption "hardened profile";
+
+  imports = [
+    (modulesPath + "/profiles/hardened.nix")
+  ];
+
+  config = mkMerge [
+    (mkIf (!config.ataraxia.profiles.hardened) {
+      profiles.hardened = false;
+    })
+    (mkIf config.ataraxia.profiles.hardened {
+      profiles.hardened = true;
+
+      boot.kernel.sysctl = {
+        "dev.tty.ldisc_autoload" = mkDefault false;
+        "fs.protected_fifos" = mkDefault "2";
+        "fs.protected_regular" = mkDefault "2";
+        "fs.suid_dumpable" = mkDefault false;
+        "kernel.printk" = mkForce "3 3 3 3";
+        "kernel.sysrq" = mkDefault false;
+        "kernel.yama.ptrace_scope" = mkDefault "2";
+        "net.ipv4.tcp_timestamps" = mkDefault false;
+        "syskernel.core_pattern" = mkDefault "|/bin/false";
+
+        "net.ipv4.tcp_congestion_control" = mkDefault "bbr";
+        "net.core.default_qdisc" = mkDefault "cake";
+        "net.ipv4.conf.all.accept_source_route" = mkDefault false;
+        "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault true;
+        "net.ipv4.tcp_dsack" = mkDefault false;
+        "net.ipv4.tcp_fastopen" = mkDefault 3;
+        "net.ipv4.tcp_rfc1337" = mkDefault true;
+        "net.ipv4.tcp_sack" = mkDefault false;
+        "net.ipv4.tcp_syncookies" = mkDefault true;
+        "net.ipv6.conf.all.accept_ra" = mkDefault false;
+        "net.ipv6.conf.all.accept_source_route" = mkDefault false;
+        "net.ipv6.default.accept_ra" = mkDefault false;
+      };
+
+      boot.kernelParams = [
+        "lockdown=confidentiality"
+        "module.sig_enforce=1"
+        "oops=panic"
+        "loglevel=0"
+        "vsyscall=none"
+      ];
+
+      boot.blacklistedKernelModules = [
+        # Obscure networking protocols
+        "af_802154"
+        "appletalk"
+        "atm"
+        "can"
+        "dccp"
+        "decnet"
+        "econet"
+        "ipx"
+        "n-hdlc"
+        "p8022"
+        "p8023"
+        "psnap"
+        "rds"
+        "sctp"
+        "tipc"
+        "x25"
+        # Various rare filesystems
+        "cifs"
+        "gfs2"
+        "hfsplus"
+        "jffs2"
+        "nfs"
+        "nfsv3"
+        "squashfs"
+        "udf"
+        "vivid"
+        # Disable Bluetooth
+        "bluetooth"
+        "btusb"
+        # Disable webcam
+        "uvcvideo"
+        # Disable Thunderbolt and FireWire to prevent DMA attacks
+        "firewire-core"
+        "thunderbolt"
+      ];
+
+      # "always" may incurs significant performance cost
+      security.virtualisation.flushL1DataCache = "cond";
+    })
+  ];
+}
--- a/modules/nixos/roles/default.nix
+++ b/modules/nixos/roles/default.nix
@ -53,6 +53,7 @@ in
        };
      };
      serverRole = recursiveUpdate baseRole {
+        ataraxia.profiles.hardened = mkDefault true;
        ataraxia.profiles.minimal = mkDefault true;

        time.timeZone = "Etc/UTC";