diff --git a/README.md b/README.md index 7187e0c..27b33f9 100755 --- a/README.md +++ b/README.md @@ -22,3 +22,4 @@ snowflake + [NobbZ](https://github.com/NobbZ) - general nix assistance + [MatthiasBenaets](https://github.com/MatthiasBenaets) - amazing nixos introduction video + [sioodmy](https://github.com/sioodmy) - general dotfile stuff ++ p[hlissner](https://github.com/hlissner) - security.nix diff --git a/hosts/tsuki/default.nix b/hosts/tsuki/default.nix index 9cc15f6..a55c068 100755 --- a/hosts/tsuki/default.nix +++ b/hosts/tsuki/default.nix @@ -5,6 +5,7 @@ [ ./hardware-configuration.nix ../../modules/home/wayland + ../../modules/security.nix ]; # bootloader @@ -111,7 +112,7 @@ nvidia-vaapi-driver ]; }; - + }; users = { defaultUserShell = pkgs.nushell; users.notoh = { diff --git a/modules/security.nix b/modules/security.nix new file mode 100644 index 0000000..accda7c --- /dev/null +++ b/modules/security.nix @@ -0,0 +1,51 @@ +# security tweaks borrowed from @hlissner +{ + boot.kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = 0; + + ## TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + + ## TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + boot.kernelModules = ["tcp_bbr"]; + + # So we don't have to do this later... + security.acme = { + acceptTerms = true; + defaults.email = "github@notohh.dev"; + }; +} + diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..e69de29