From d4a78796b2ac12208c057ecf15ed497d56cf2ede Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Tue, 26 Oct 2021 01:04:15 +0300
Subject: [PATCH] add hardened kernel

---
 profiles/boot.nix | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/profiles/boot.nix b/profiles/boot.nix
index 546abda..fc3d905 100644
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
@@ -1,5 +1,6 @@
-{ lib, pkgs, config, ... }: {
-  boot = {
+{ lib, pkgs, config, ... }:
+with config.deviceSpecific; {
+  boot = if !isServer then {
     loader = {
       timeout = lib.mkForce 4;
       systemd-boot.enable = pkgs.system == "x86_64-linux";
@@ -25,5 +26,29 @@
     kernel.sysctl = {
       "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
     };
+  } else {
+    kernelPackages = pkgs.linuxPackages_hardened;
+    kernelModules = [ "tcp_bbr" ];
+    kernel.sysctl = {
+      "kernel.sysrq" = 0;
+      "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      "net.ipv4.tcp_syncookies" = 1;
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      "net.ipv4.tcp_rfc1337" = 1;
+      "net.ipv4.tcp_fastopen" = 3;
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
   };
 }
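Review bot: Turning `boot` into `if !isServer then { … } else { … }` means everything in the non-server branch — including the `loader` block with its timeout and systemd-boot selection — no longer applies to servers at all, and the new `else` branch (in the second hunk) carries no loader settings of its own. If servers get their loader from a host-specific module that is fine, but it is not visible here and deserves a comment on the `boot =` line, e.g. `# servers: loader is configured per host; only kernel/sysctl hardening lives here`. Otherwise hoist `loader` above the conditional and keep only the branch-specific attributes inside it, merging with `//`. The attrset opened on the `boot =` line closes outside this hunk.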
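Review bot: `"net.ipv4.conf.all.send_redirects" = 0;` on its own does not disable ICMP redirect sending: for this sysctl the kernel enables it when either `conf/all` or the per-interface value is set, and interfaces created later inherit `conf/default`, which this hunk leaves at its default of 1 — add `"net.ipv4.conf.default.send_redirects" = 0;` next to it, mirroring how `accept_redirects` and `secure_redirects` already set both. Note also that `pkgs.linuxPackages_hardened` only swaps the kernel build; the userland hardening sysctls NixOS ships in its hardened profile (e.g. `kernel.kptr_restrict`, `kernel.dmesg_restrict`) are not pulled in by this change, so if the intent is the full profile, import `<nixpkgs/nixos/modules/profiles/hardened.nix>` or set them here explicitly — worth a comment either way. Finally, `tcp_fastopen = 3` is a performance knob rather than a hardening one (it enables server-side TFO, i.e. data accepted in the SYN), so it is probably better kept out of the sysctl block labelled as hardening, or annotated with `# performance, not hardening`. The surrounding `boot` attrset opens outside this hunk.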