about summary refs log tree commit diff
path: root/nixos/modules/security.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/security.nix')
-rw-r--r--nixos/modules/security.nix62
1 files changed, 0 insertions, 62 deletions
diff --git a/nixos/modules/security.nix b/nixos/modules/security.nix
deleted file mode 100644
index 358f27b..0000000
--- a/nixos/modules/security.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, lib, ... }:
-
-{
-  # Security-related system tweaks
-
-  # Prevent replacing the running kernel without reboot.
-  security.protectKernelImage = true;
-
-  # mount /tmp in ram. This makes temp file management faster
-  # on ssd systems, and volatile! Because it's wiped on reboot.
-  boot.tmp.useTmpfs = false;
-  boot.tmp.tmpfsSize = "80%";
-
-  # Purge /tmp on boot. (fallback option)
-  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
-
-  boot.kernel.sysctl = {
-    # The Magic SysRq key is a key combo that allows users connected to the
-    # system console of a Linux kernel to perform some low-level commands.
-    # Disable it, since we don't need it, and is a potential security concern.
-    "kernel.sysrq" = 0;
-
-    ## TCP hardening
-    # Prevent bogus ICMP errors from filling up logs.
-    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-    # Reverse path filtering causes the kernel to do source validation of
-    # packets received from all interfaces. This can mitigate IP spoofing.
-    "net.ipv4.conf.default.rp_filter" = 1;
-    "net.ipv4.conf.all.rp_filter" = 1;
-    # Do not accept IP source route packets (we're not a router)
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    # Don't send ICMP redirects (again, we're on a router)
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    # Refuse ICMP redirects (MITM mitigations)
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    # Protects against SYN flood attacks
-    "net.ipv4.tcp_syncookies" = 1;
-    # Incomplete protection again TIME-WAIT assassination
-    "net.ipv4.tcp_rfc1337" = 1;
-
-    ## TCP optimization
-    # TCP Fast Open is a TCP extension that reduces network latency by packing
-    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
-    # both incoming and outgoing connections:
-    "net.ipv4.tcp_fastopen" = 3;
-    # Bufferbloat mitigations + slight improvement in throughput & latency
-    "net.ipv4.tcp_congestion_control" = "bbr";
-    "net.core.default_qdisc" = "cake";
-  };
-
-  boot.kernelModules = [ "tcp_bbr" ];
-
-  # Accept CA's ToS.
-  security.acme.acceptTerms = true;
-}