From 6a8f0aa5b8c7697b5fc96af1f43a7bb7e2d75c45 Mon Sep 17 00:00:00 2001
From: notohh <github@notohh.dev>
Date: Mon, 27 Feb 2023 05:10:58 -0500
Subject: [PATCH] feat: init secrets + security

---
 README.md               |  1 +
 hosts/tsuki/default.nix |  3 ++-
 modules/security.nix    | 51 +++++++++++++++++++++++++++++++++++++++++
 secrets/secrets.nix     |  0
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 modules/security.nix
 create mode 100644 secrets/secrets.nix

diff --git a/README.md b/README.md
index 7187e0c..27b33f9 100755
--- a/README.md
+++ b/README.md
@@ -22,3 +22,4 @@ snowflake
 + [NobbZ](https://github.com/NobbZ) - general nix assistance
 + [MatthiasBenaets](https://github.com/MatthiasBenaets) - amazing nixos introduction video
 + [sioodmy](https://github.com/sioodmy) - general dotfile stuff
++ p[hlissner](https://github.com/hlissner) - security.nix
diff --git a/hosts/tsuki/default.nix b/hosts/tsuki/default.nix
index 9cc15f6..a55c068 100755
--- a/hosts/tsuki/default.nix
+++ b/hosts/tsuki/default.nix
@@ -5,6 +5,7 @@
     [ 
     ./hardware-configuration.nix
     ../../modules/home/wayland
+    ../../modules/security.nix
     ];
 
   # bootloader 
@@ -111,7 +112,7 @@
     nvidia-vaapi-driver
     ];
    };
-
+ };
   users = {
   defaultUserShell = pkgs.nushell;
   users.notoh = {
diff --git a/modules/security.nix b/modules/security.nix
new file mode 100644
index 0000000..accda7c
--- /dev/null
+++ b/modules/security.nix
@@ -0,0 +1,51 @@
+# security tweaks borrowed from @hlissner
+{
+  boot.kernel.sysctl = {
+    # The Magic SysRq key is a key combo that allows users connected to the
+    # system console of a Linux kernel to perform some low-level commands.
+    # Disable it, since we don't need it, and is a potential security concern.
+    "kernel.sysrq" = 0;
+
+    ## TCP hardening
+    # Prevent bogus ICMP errors from filling up logs.
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+    # Reverse path filtering causes the kernel to do source validation of
+    # packets received from all interfaces. This can mitigate IP spoofing.
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Do not accept IP source route packets (we're not a router)
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (again, we're on a router)
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigations)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protects against SYN flood attacks
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection again TIME-WAIT assassination
+    "net.ipv4.tcp_rfc1337" = 1;
+
+    ## TCP optimization
+    # TCP Fast Open is a TCP extension that reduces network latency by packing
+    # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+    # both incoming and outgoing connections:
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations + slight improvement in throughput & latency
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+  boot.kernelModules = ["tcp_bbr"];
+
+  # So we don't have to do this later...
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "github@notohh.dev";
+  };
+}
+
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..e69de29