From 497c3cd7864fdbcc546408d6d86ebfad37aa9b78 Mon Sep 17 00:00:00 2001 From: sefidel Date: Wed, 24 Jan 2024 19:18:11 +0900 Subject: wip: try to use infra-modules --- modules/security.nix | 69 ---------------------------------------------------- 1 file changed, 69 deletions(-) delete mode 100644 modules/security.nix (limited to 'modules/security.nix') diff --git a/modules/security.nix b/modules/security.nix deleted file mode 100644 index d345757..0000000 --- a/modules/security.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.modules.security; -in -{ - options.modules.security = { - enable = mkEnableOption "Security-related system tweaks"; - }; - - config = mkIf cfg.enable { - # Security-related system tweaks - - # Prevent replacing the running kernel without reboot. - security.protectKernelImage = true; - - # mount /tmp in ram. This makes temp file management faster - # on ssd systems, and volatile! Because it's wiped on reboot. - boot.tmp.useTmpfs = false; - boot.tmp.tmpfsSize = "80%"; - - # Purge /tmp on boot. (fallback option) - boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); - - boot.kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = 0; - - ## TCP hardening - # Prevent bogus ICMP errors from filling up logs. - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # Reverse path filtering causes the kernel to do source validation of - # packets received from all interfaces. This can mitigate IP spoofing. - "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets (we're not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're on a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - - ## TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; - }; - - boot.kernelModules = [ "tcp_bbr" ]; - }; -} -- cgit 1.4.1