diff options
-rw-r--r-- | modules/cachix/default.nix | 14 | ||||
-rw-r--r-- | modules/security.nix | 116 | ||||
-rw-r--r-- | systems/cobalt/default.nix | 5 | ||||
-rw-r--r-- | systems/v-coord1/default.nix | 4 | ||||
-rw-r--r-- | systems/v-nanode1/default.nix | 4 |
5 files changed, 87 insertions, 56 deletions
diff --git a/modules/cachix/default.nix b/modules/cachix/default.nix index 9dd55b5..5222457 100644 --- a/modules/cachix/default.nix +++ b/modules/cachix/default.nix @@ -1,5 +1,9 @@ { config, pkgs, lib, ... }: + +with lib; let + cfg = config.modules.cachix; + folder = ./caches; toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; @@ -7,7 +11,13 @@ let in { inherit imports; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; - environment.systemPackages = [ pkgs.cachix ]; + options.modules.cachix = { + enable = mkEnableOption "cachix"; + }; + + config = mkIf cfg.enable { + nix.settings.substituters = [ "https://cache.nixos.org/" ]; + environment.systemPackages = [ pkgs.cachix ]; + }; } diff --git a/modules/security.nix b/modules/security.nix index 410b270..d345757 100644 --- a/modules/security.nix +++ b/modules/security.nix @@ -1,59 +1,69 @@ { config, lib, ... }: +with lib; +let + cfg = config.modules.security; +in { - # Security-related system tweaks - - # Prevent replacing the running kernel without reboot. - security.protectKernelImage = true; - - # mount /tmp in ram. This makes temp file management faster - # on ssd systems, and volatile! Because it's wiped on reboot. - boot.tmp.useTmpfs = false; - boot.tmp.tmpfsSize = "80%"; - - # Purge /tmp on boot. (fallback option) - boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); - - boot.kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = 0; - - ## TCP hardening - # Prevent bogus ICMP errors from filling up logs. - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # Reverse path filtering causes the kernel to do source validation of - # packets received from all interfaces. This can mitigate IP spoofing. - "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets (we're not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're on a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - - ## TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; + options.modules.security = { + enable = mkEnableOption "Security-related system tweaks"; }; - boot.kernelModules = [ "tcp_bbr" ]; + config = mkIf cfg.enable { + # Security-related system tweaks + + # Prevent replacing the running kernel without reboot. + security.protectKernelImage = true; + + # mount /tmp in ram. This makes temp file management faster + # on ssd systems, and volatile! Because it's wiped on reboot. + boot.tmp.useTmpfs = false; + boot.tmp.tmpfsSize = "80%"; + + # Purge /tmp on boot. (fallback option) + boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); + + boot.kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = 0; + + ## TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + + ## TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + + boot.kernelModules = [ "tcp_bbr" ]; + }; } diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix index 16e7c37..c8a7139 100644 --- a/systems/cobalt/default.nix +++ b/systems/cobalt/default.nix @@ -160,11 +160,14 @@ in services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH"; modules = { - sops.enable = true; + security.enable = true; persistence = { enable = true; storagePath = "/persist"; }; + cachix.enable = true; + + sops.enable = true; services.backup = { enable = true; diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix index 9cb711b..cc3407e 100644 --- a/systems/v-coord1/default.nix +++ b/systems/v-coord1/default.nix @@ -69,6 +69,10 @@ in services.openssh.settings.PermitRootLogin = "prohibit-password"; modules = { + security.enable = true; + persistence.enable = false; + cachix.enable = true; + sops.enable = true; }; diff --git a/systems/v-nanode1/default.nix b/systems/v-nanode1/default.nix index beba6ae..9e39830 100644 --- a/systems/v-nanode1/default.nix +++ b/systems/v-nanode1/default.nix @@ -81,6 +81,10 @@ in services.openssh.settings.PermitRootLogin = "prohibit-password"; modules = { + security.enable = true; + persistence.enable = false; + cachix.enable = true; + sops.enable = true; }; |