106 lines
2.6 KiB
Nix
106 lines
2.6 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
modulesPath,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkDefault
|
|
mkEnableOption
|
|
mkForce
|
|
mkIf
|
|
mkMerge
|
|
;
|
|
in
|
|
{
|
|
options.ataraxia.profiles.hardened = mkEnableOption "hardened profile";
|
|
|
|
imports = [
|
|
(modulesPath + "/profiles/hardened.nix")
|
|
];
|
|
|
|
config = mkMerge [
|
|
(mkIf (!config.ataraxia.profiles.hardened) {
|
|
profiles.hardened = false;
|
|
})
|
|
(mkIf config.ataraxia.profiles.hardened {
|
|
profiles.hardened = true;
|
|
|
|
boot.kernel.sysctl = {
|
|
"dev.tty.ldisc_autoload" = mkDefault false;
|
|
"fs.protected_fifos" = mkDefault "2";
|
|
"fs.protected_regular" = mkDefault "2";
|
|
"fs.suid_dumpable" = mkDefault false;
|
|
"kernel.printk" = mkForce "3 3 3 3";
|
|
"kernel.sysrq" = mkDefault false;
|
|
"kernel.yama.ptrace_scope" = mkDefault "2";
|
|
"net.ipv4.tcp_timestamps" = mkDefault false;
|
|
"syskernel.core_pattern" = mkDefault "|/bin/false";
|
|
|
|
"net.ipv4.tcp_congestion_control" = mkDefault "bbr";
|
|
"net.core.default_qdisc" = mkDefault "cake";
|
|
"net.ipv4.conf.all.accept_source_route" = mkDefault false;
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault true;
|
|
"net.ipv4.tcp_dsack" = mkDefault false;
|
|
"net.ipv4.tcp_fastopen" = mkDefault 3;
|
|
"net.ipv4.tcp_rfc1337" = mkDefault true;
|
|
"net.ipv4.tcp_sack" = mkDefault false;
|
|
"net.ipv4.tcp_syncookies" = mkDefault true;
|
|
"net.ipv6.conf.all.accept_ra" = mkDefault false;
|
|
"net.ipv6.conf.all.accept_source_route" = mkDefault false;
|
|
"net.ipv6.default.accept_ra" = mkDefault false;
|
|
};
|
|
|
|
boot.kernelParams = [
|
|
"lockdown=confidentiality"
|
|
"module.sig_enforce=1"
|
|
"oops=panic"
|
|
"loglevel=0"
|
|
"vsyscall=none"
|
|
];
|
|
|
|
boot.blacklistedKernelModules = [
|
|
# Obscure networking protocols
|
|
"af_802154"
|
|
"appletalk"
|
|
"atm"
|
|
"can"
|
|
"dccp"
|
|
"decnet"
|
|
"econet"
|
|
"ipx"
|
|
"n-hdlc"
|
|
"p8022"
|
|
"p8023"
|
|
"psnap"
|
|
"rds"
|
|
"sctp"
|
|
"tipc"
|
|
"x25"
|
|
# Various rare filesystems
|
|
"cifs"
|
|
"gfs2"
|
|
"hfsplus"
|
|
"jffs2"
|
|
"nfs"
|
|
"nfsv3"
|
|
"squashfs"
|
|
"udf"
|
|
"vivid"
|
|
# Disable Bluetooth
|
|
"bluetooth"
|
|
"btusb"
|
|
# Disable webcam
|
|
"uvcvideo"
|
|
# Disable Thunderbolt and FireWire to prevent DMA attacks
|
|
"firewire-core"
|
|
"thunderbolt"
|
|
];
|
|
|
|
# "always" may incurs significant performance cost
|
|
security.virtualisation.flushL1DataCache = "cond";
|
|
})
|
|
];
|
|
}
|