From a4f8f9a1eb7f742c5cc3e104e74c3148fa87faaf Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 26 Jan 2023 00:38:41 +0300
Subject: [PATCH] hardening config
---
machines/Home-Hypervisor/boot.nix | 14 ------------
machines/Home-Hypervisor/hardening.nix | 30 ++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 14 deletions(-)
create mode 100644 machines/Home-Hypervisor/hardening.nix
diff --git a/machines/Home-Hypervisor/boot.nix b/machines/Home-Hypervisor/boot.nix
index 89d9826..f7ab5d9 100644
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@@ -77,20 +77,6 @@ in {
 "rd.systemd.show_status=auto"
 "rd.udev.log_priority=3"
 ];
- kernel.sysctl = {
- "kernel.sysrq" = false;
- "net.core.default_qdisc" = "sch_fq_codel";
- "net.ipv4.conf.all.accept_source_route" = false;
- "net.ipv4.icmp_ignore_bogus_error_responses" = true;
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_rfc1337" = true;
- "net.ipv4.tcp_syncookies" = true;
- "net.ipv6.conf.all.accept_source_route" = false;
- # disable ipv6
- "net.ipv6.conf.all.disable_ipv6" = true;
- "net.ipv6.conf.default.disable_ipv6" = true;
- };
 kernel.sysctl = {
 "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
 };
diff --git a/machines/Home-Hypervisor/hardening.nix b/machines/Home-Hypervisor/hardening.nix
new file mode 100644
index 0000000..ed17e60
--- /dev/null
+++ b/machines/Home-Hypervisor/hardening.nix
@@ -0,0 +1,30 @@
+{ modulesPath, config, pkgs, lib, ... }: {
+ imports = [
+ "${toString modulesPath}/profiles/hardened.nix"
+ ];
+
+ boot.kernel.sysctl = {
+ "kernel.sysrq" = false;
+ "net.core.default_qdisc" = "sch_fq_codel";
+ "net.ipv4.conf.all.accept_source_route" = false;
+ "net.ipv4.icmp_ignore_bogus_error_responses" = true;
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_rfc1337" = true;
+ "net.ipv4.tcp_syncookies" = true;
+ "net.ipv6.conf.all.accept_source_route" = false;
+ # disable ipv6
+ "net.ipv6.conf.all.disable_ipv6" = true;
+ "net.ipv6.conf.default.disable_ipv6" = true;
+ };
+
+ security.lockKernelModules = false;
+ security.allowSimultaneousMultithreading = true;
+ security.virtualisation.flushL1DataCache = "cond";
+ # security.forcePageTableIsolation = false;
+
+ # boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
+ # boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
+ # boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
+ # boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
+}
\ No newline at end of file
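Review bot: Three settings in the new hardening.nix silently undo defaults of the `profiles/hardened.nix` it imports — `security.lockKernelModules = false;`, `security.allowSimultaneousMultithreading = true;` and `security.virtualisation.flushL1DataCache = "cond";` — with no comment saying why. On a hypervisor, re-enabling SMT together with a conditional rather than unconditional L1D flush is a cross-guest side-channel trade-off, and leaving module loading unlocked is presumably needed for modules loaded after boot, but the file should say so; a one-line why-comment per override, e.g. `# overrides hardened.nix default: <reason>`, keeps the next reader from "fixing" them back. The four commented-out `log_martians`/`rp_filter` lines read as dead experiments and should either be dropped or get a note stating the intended state. Minor: `config`, `pkgs` and `lib` are unused in this module's argument set, and the file lacks a trailing newline.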