From cf2b4a8485d6d1bd3871da67111da0740cc8487c Mon Sep 17 00:00:00 2001
From: sefidel <contact@sefidel.net>
Date: Sat, 8 Jan 2022 22:02:38 +0900
Subject: nixos: add security module

---
 nixos/configurations/alpha.nix          | 22 +-----------
 nixos/configurations/hardware/alpha.nix |  6 ----
 nixos/modules/default.nix               |  1 +
 nixos/modules/security.nix              | 62 +++++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 27 deletions(-)
 create mode 100644 nixos/modules/security.nix

diff --git a/nixos/configurations/alpha.nix b/nixos/configurations/alpha.nix
index 252c358..c472317 100644
--- a/nixos/configurations/alpha.nix
+++ b/nixos/configurations/alpha.nix
@@ -4,7 +4,6 @@
   imports = [ ];
 
   security = {
-    acme.acceptTerms = true;
     protectKernelImage = true;
     rtkit.enable = true;
     sudo.wheelNeedsPassword = false;
@@ -15,26 +14,7 @@
     "nmi_watchdog=0"
     "systemd.watchdog-device/dev/watchdog"
   ];
-  boot.kernel.sysctl = {
-    "net.ipv4.conf.default.log_martians" = 1;
-    "net.ipv4.conf.all.log_martians" = 1;
-    "net.ipv4.tcp_mtu_probing" = 1;
-    "net.ipv4.tcp_syncookies" = 1;
-    "net.ipv4.tcp_congestion_control" = "bbr2";
-    "net.ipv4.conf.default.rp_filter" = 1;
-    "net.ipv4.conf.all.rp_filter" = 1;
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    "net.ipv4.tcp_rfc1337" = 1;
-  };
+
   # GRUB bootloader
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.grub = {
diff --git a/nixos/configurations/hardware/alpha.nix b/nixos/configurations/hardware/alpha.nix
index 482676e..3e99ea9 100644
--- a/nixos/configurations/hardware/alpha.nix
+++ b/nixos/configurations/hardware/alpha.nix
@@ -42,12 +42,6 @@ in
     fsType = "ext4";
   };
 
-  fileSystems."/tmp" = {
-    fsType = "tmpfs";
-    device = "tmpfs";
-    options = [ "nosuid" "nodev" "relatime" "size=14G" ];
-  };
-
   swapDevices = [{ device = swapDev; }];
 
   nix.maxJobs = lib.mkDefault 4;
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f17f392..4469650 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -2,4 +2,5 @@
   cachix = import ./cachix;
   flake = import ./flake.nix;
   nix = import ./nix.nix;
+  security = import ./security.nix;
 }
diff --git a/nixos/modules/security.nix b/nixos/modules/security.nix
new file mode 100644
index 0000000..4d79be9
--- /dev/null
+++ b/nixos/modules/security.nix
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+  # Security-related system tweaks
+  
+  # Prevent replacing the running kernel without reboot.
+  security.protectKernelImage = true;
+
+  # mount /tmp in ram. This makes temp file management faster
+  # on ssd systems, and volatile! Because it's wiped on reboot.
+  boot.tmpOnTmpfs = true;
+  #boot.tmpOnTmpfsSize = "80%";
+
+  # Purge /tmp on boot. (fallback option)
+  boot.cleanTmpDir = lib.mkDefault (!config.boot.tmpOnTmpfs);
+
+  boot.kernel.sysctl = {
+        # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're on a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  boot.kernelModules = [ "tcp_bbr" ];
+
+  # Accept CA's ToS.
+  security.acme.acceptTerms = true;
+}
-- 
cgit 1.4.1