AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add hardened kernel

Browse Source
This commit is contained in:
Dmitriy Kholkin 2021-10-26 01:04:15 +03:00
parent 70f24bc294
commit d4a78796b2
1 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
profiles/boot.nix
View File

@ -1,5 +1,6 @@
{ lib, pkgs, config, ... }: { { lib, pkgs, config, ... }:
boot = { with config.deviceSpecific; {
boot = if !isServer then {
loader = { loader = {
timeout = lib.mkForce 4; timeout = lib.mkForce 4;
systemd-boot.enable = pkgs.system == "x86_64-linux"; systemd-boot.enable = pkgs.system == "x86_64-linux";
@ -25,5 +26,29 @@
kernel.sysctl = { kernel.sysctl = {
"vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10; "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
}; };
} else {
kernelPackages = pkgs.linuxPackages_hardened;
kernelModules = [ "tcp_bbr" ];
kernel.sysctl = {
"kernel.sysrq" = 0;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
}; };
} }