about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--modules/cachix/default.nix14
-rw-r--r--modules/security.nix116
-rw-r--r--systems/cobalt/default.nix5
-rw-r--r--systems/v-coord1/default.nix4
-rw-r--r--systems/v-nanode1/default.nix4
5 files changed, 87 insertions, 56 deletions
diff --git a/modules/cachix/default.nix b/modules/cachix/default.nix
index 9dd55b5..5222457 100644
--- a/modules/cachix/default.nix
+++ b/modules/cachix/default.nix
@@ -1,5 +1,9 @@
 { config, pkgs, lib, ... }:
+
+with lib;
 let
+  cfg = config.modules.cachix;
+
   folder = ./caches;
   toImport = name: value: folder + ("/" + name);
   filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
@@ -7,7 +11,13 @@ let
 in
 {
   inherit imports;
-  nix.settings.substituters = [ "https://cache.nixos.org/" ];
 
-  environment.systemPackages = [ pkgs.cachix ];
+  options.modules.cachix = {
+    enable = mkEnableOption "cachix";
+  };
+
+  config = mkIf cfg.enable {
+    nix.settings.substituters = [ "https://cache.nixos.org/" ];
+    environment.systemPackages = [ pkgs.cachix ];
+  };
 }
diff --git a/modules/security.nix b/modules/security.nix
index 410b270..d345757 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -1,59 +1,69 @@
 { config, lib, ... }:
 
+with lib;
+let
+  cfg = config.modules.security;
+in
 {
-  # Security-related system tweaks
-
-  # Prevent replacing the running kernel without reboot.
-  security.protectKernelImage = true;
-
-  # mount /tmp in ram. This makes temp file management faster
-  # on ssd systems, and volatile! Because it's wiped on reboot.
-  boot.tmp.useTmpfs = false;
-  boot.tmp.tmpfsSize = "80%";
-
-  # Purge /tmp on boot. (fallback option)
-  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
-
-  boot.kernel.sysctl = {
-    # The Magic SysRq key is a key combo that allows users connected to the
-    # system console of a Linux kernel to perform some low-level commands.
-    # Disable it, since we don't need it, and is a potential security concern.
-    "kernel.sysrq" = 0;
-
-    ## TCP hardening
-    # Prevent bogus ICMP errors from filling up logs.
-    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-    # Reverse path filtering causes the kernel to do source validation of
-    # packets received from all interfaces. This can mitigate IP spoofing.
-    "net.ipv4.conf.default.rp_filter" = 1;
-    "net.ipv4.conf.all.rp_filter" = 1;
-    # Do not accept IP source route packets (we're not a router)
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    # Don't send ICMP redirects (again, we're on a router)
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    # Refuse ICMP redirects (MITM mitigations)
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    # Protects against SYN flood attacks
-    "net.ipv4.tcp_syncookies" = 1;
-    # Incomplete protection again TIME-WAIT assassination
-    "net.ipv4.tcp_rfc1337" = 1;
-
-    ## TCP optimization
-    # TCP Fast Open is a TCP extension that reduces network latency by packing
-    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
-    # both incoming and outgoing connections:
-    "net.ipv4.tcp_fastopen" = 3;
-    # Bufferbloat mitigations + slight improvement in throughput & latency
-    "net.ipv4.tcp_congestion_control" = "bbr";
-    "net.core.default_qdisc" = "cake";
+  options.modules.security = {
+    enable = mkEnableOption "Security-related system tweaks";
   };
 
-  boot.kernelModules = [ "tcp_bbr" ];
+  config = mkIf cfg.enable {
+    # Security-related system tweaks
+
+    # Prevent replacing the running kernel without reboot.
+    security.protectKernelImage = true;
+
+    # mount /tmp in ram. This makes temp file management faster
+    # on ssd systems, and volatile! Because it's wiped on reboot.
+    boot.tmp.useTmpfs = false;
+    boot.tmp.tmpfsSize = "80%";
+
+    # Purge /tmp on boot. (fallback option)
+    boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+    boot.kernel.sysctl = {
+      # The Magic SysRq key is a key combo that allows users connected to the
+      # system console of a Linux kernel to perform some low-level commands.
+      # Disable it, since we don't need it, and is a potential security concern.
+      "kernel.sysrq" = 0;
+
+      ## TCP hardening
+      # Prevent bogus ICMP errors from filling up logs.
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # Reverse path filtering causes the kernel to do source validation of
+      # packets received from all interfaces. This can mitigate IP spoofing.
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      # Do not accept IP source route packets (we're not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # Don't send ICMP redirects (again, we're on a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # Protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Incomplete protection again TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
+
+      ## TCP optimization
+      # TCP Fast Open is a TCP extension that reduces network latency by packing
+      # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+      # both incoming and outgoing connections:
+      "net.ipv4.tcp_fastopen" = 3;
+      # Bufferbloat mitigations + slight improvement in throughput & latency
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
+    };
+
+    boot.kernelModules = [ "tcp_bbr" ];
+  };
 }
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 16e7c37..c8a7139 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -160,11 +160,14 @@ in
   services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
 
   modules = {
-    sops.enable = true;
+    security.enable = true;
     persistence = {
       enable = true;
       storagePath = "/persist";
     };
+    cachix.enable = true;
+
+    sops.enable = true;
 
     services.backup = {
       enable = true;
diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix
index 9cb711b..cc3407e 100644
--- a/systems/v-coord1/default.nix
+++ b/systems/v-coord1/default.nix
@@ -69,6 +69,10 @@ in
   services.openssh.settings.PermitRootLogin = "prohibit-password";
 
   modules = {
+    security.enable = true;
+    persistence.enable = false;
+    cachix.enable = true;
+
     sops.enable = true;
   };
 
diff --git a/systems/v-nanode1/default.nix b/systems/v-nanode1/default.nix
index beba6ae..9e39830 100644
--- a/systems/v-nanode1/default.nix
+++ b/systems/v-nanode1/default.nix
@@ -81,6 +81,10 @@ in
   services.openssh.settings.PermitRootLogin = "prohibit-password";
 
   modules = {
+    security.enable = true;
+    persistence.enable = false;
+    cachix.enable = true;
+
     sops.enable = true;
   };