initial

hosts/sarien/system/security/extensive.nix

@@ -0,0 +1,66 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.security.extensive;
+in {
+  options = {
+    security.extensive.enable =
+      mkEnableOption "enable extensive security";
+  };
+  config = mkIf cfg.enable {
+    security.basic.enable = true;
+
+    environment.memoryAllocator.provider = mkDefault "scudo";
+    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
+    security = {
+      lockKernelModules = mkDefault false;
+      protectKernelImage = mkDefault true;
+      # allowSimultaneousMultithreading = mkDefault false;
+      forcePageTableIsolation = mkDefault true;
+      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+      virtualisation.flushL1DataCache = mkDefault "always";
+      apparmor.enable = mkDefault true;
+      apparmor.killUnconfinedConfinables = mkDefault true;
+    };
+
+    boot.kernel.sysctl = {
+      # Hide kptrs even for processes with CAP_SYSLOG
+      "kernel.kptr_restrict" = mkOverride 500 2;
+      # Disable bpf() JIT (to eliminate spray attacks)
+      "net.core.bpf_jit_enable" = mkDefault false;
+      # Disable ftrace debugging
+      "kernel.ftrace_enabled" = mkDefault false;
+    };
+
+    boot.kernel.sysctl = {
+      # Enable strict reverse path filtering (that is, do not attempt to route
+      # packets that "obviously" do not belong to the iface's network; dropped
+      # packets are logged as martians).
+      "net.ipv4.conf.all.log_martians" = mkDefault true;
+      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
+      "net.ipv4.conf.default.log_martians" = mkDefault true;
+      "net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+      # Ignore broadcast ICMP (mitigate SMURF)
+      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+
+      # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+      # setting is applied to interfaces added after the sysctls are set)
+      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
+      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
+      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
+      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
+      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
+      "net.ipv6.conf.default.accept_redirects" = mkDefault false;
+
+      # Ignore outgoing ICMP redirects (this is ipv4 only)
+      "net.ipv4.conf.all.send_redirects" = mkDefault false;
+      "net.ipv4.conf.default.send_redirects" = mkDefault false;
+    };
+  };
+}