unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1769288238

Browse Source
This commit is contained in:
unexplrd
2026-01-24 22:57:18 +02:00
parent fa32ae5510
commit 84020b1572
94 changed files with 1428 additions and 1024 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/nixos/shared/security/boot.nix
+190
View File
@@ -0,0 +1,190 @@
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
"kernel.kptr_restrict" = 2;
# restrict kernel log to CAP_SYSLOG capability
"kernel.dmesg_restrict" = 1;
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict eBPF to the CAP_BPF capability
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
# "net.core.bpf_jit_harden" = 2;
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 0;
# disable unprivileged user namespaces, Note: Docker, NH, and other apps may need this
# "kernel.unprivileged_userns_clone" = 0; # Set to 1 because it makes NH and other programs fail
# This should be set to 0 if you don't rely on flatpak, NH, Docker, etc.
"kernel.unprivileged_userns_clone" = 1;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
# Network
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Userspace
# restrict usage of ptrace
# "kernel.yama.ptrace_scope" = 2; # breaks anti-cheat
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelParams = [
# "systemd.unified_cgroup_hierarchy=1"
# "cgroup_no_v1=all"
"amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma"
"gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=integrity" # confidentiality
"kvm_amd.sev=1"
"kvm_amd.sev_es=1"
"kvm_amd.sev_snp=1"
# "mitigations=auto,nosmt"
"module.sig_enforce=1"
"page_alloc.shuffle=1"
"randomize_kstack_offset=on"
"vsyscall=none"
];
boot.blacklistedKernelModules =
[
# Obscure networking protocols
"dccp" # Datagram Congestion Control Protocol
"sctp" # Stream Control Transmission Protocol
"rds" # Reliable Datagram Sockets
"tipc" # Transparent Inter-Process Communication
"n-hdlc" # High-level Data Link Control
"ax25" # Amateur X.25
"netrom" # NetRom
"x25" # X.25
"rose"
"decnet"
"econet"
"af_802154" # IEEE 802.15.4
"ipx" # Internetwork Packet Exchange
"appletalk"
"psnap" # SubnetworkAccess Protocol
"p8023" # Novell raw IEE 802.3
"p8022" # IEE 802.3
"can" # Controller Area Network
"atm"
# Various rare filesystems
"cramfs"
"freevxfs"
"jffs2"
"hfs"
"hfsplus"
"udf"
# "squashfs" # compressed read-only file system used for Live CDs
# "cifs" # cmb (Common Internet File System)
# "nfs" # Network File System
# "nfsv3"
# "nfsv4"
# "ksmbd" # SMB3 Kernel Server
# "gfs2" # Global File System 2
# vivid driver is only useful for testing purposes and has been the
# cause of privilege escalation vulnerabilities
# "vivid"
]
++ [
# Various framebuffer drivers
# "aty128fb"
# "atyfb"
# "radeonfb"
# "cirrusfb"
"cyber2000fb"
"cyblafb"
"gx1fb"
"hgafb"
# "i810fb"
# "intelfb"
# "kyrofb"
"lxfb"
"matroxfb_base"
"neofb"
# "nvidiafb"
"pm2fb"
# "rivafb"
"s1d13xxxfb"
# "savagefb"
"sisfb"
# "sstfb"
# "tdfxfb"
# "tridentfb"
"vesafb"
"vfb"
# "viafb"
"vt8623fb"
"udlfb"
];
}
modules/nixos/shared/security/coredump.nix
+11
View File
@@ -0,0 +1,11 @@
{
security.pam.loginLimits = [
{
domain = "*"; # Applies to all users/sessions
type = "-"; # Set both soft and hard limits
item = "core"; # The soft/hard limit item
value = "0"; # Core dumps size is limited to 0 (effectively disabled)
}
];
systemd.coredump.enable = false;
}
modules/nixos/shared/security/default.nix
+75
View File
@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf;
in {
imports = [
./boot.nix
./coredump.nix
./services.nix
./ssh.nix
];
networking.modemmanager.enable = false;
nix.settings.allowed-users = ["@users"];
nix.settings.trusted-users = ["@wheel"];
environment.systemPackages = with pkgs; [
(mkIf config.security.doas.enable doas-sudo-shim)
];
security =
lib.attrsets.recursiveUpdate {
# doas.enable = true;
polkit.enable = true;
sudo-rs.enable = false;
sudo.enable = false;
wrappers = {
newgrp.enable = false;
pkexec.enable = false;
sg.enable = false;
su.enable = false;
};
} {
sudo-rs.execWheelOnly = true;
# pam.sshAgentAuth.enable = true;
polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("users")
&& (
action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions"
)
)
{
return polkit.Result.YES;
}
});
'';
};
services.dbus.implementation = "broker";
services.chrony = {
enable = true;
enableRTCTrimming = false;
enableNTS = true;
extraConfig = "rtcsync";
extraFlags = ["-r" "-s"];
servers = [
"time.cloudflare.com iburst nts"
"ntppool1.time.nl iburst nts"
"nts.netnod.se iburst nts"
"ptbtime1.ptb.de iburst nts"
"time.dfm.dk iburst nts"
"time.cifelli.xyz iburst nts"
];
};
}
modules/nixos/shared/security/services.nix
+29
View File
@@ -0,0 +1,29 @@
{
# config,
lib,
# pkgs,
...
}: let
systemd-services-hardened = fetchGit {
url = "https://github.com/wallago/nix-system-services-hardened.git";
ref = "main";
rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
};
fromHardened = a: map (f: "${systemd-services-hardened}/services/${f}.nix") a;
in {
imports = fromHardened [
"accounts-daemon"
"getty"
# "nix-daemon" # TODO: breaks cgroups, ...
"nscd"
"rescue"
"sshd"
"systemd-machined"
"systemd-rfkill"
"systemd-udevd"
];
systemd.services = {
nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce [];
sshd.serviceConfig.ProtectHome = lib.mkForce "no";
};
}
modules/nixos/shared/security/ssh.nix
+59
View File
@@ -0,0 +1,59 @@
{config, ...}: {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = config.services.xserver.enable;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
# AllowUsers = ["user"];
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
PermitRootLogin = "no";
KexAlgorithms = [
# Post-Quantum: https://www.openssh.org/pq.html
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"curve25519-sha256@libssh.org"
"ecdh-sha2-nistp521"
"ecdh-sha2-nistp384"
"ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
# stream cipher alternative to aes256, proven to be resilient
# Very fast on basically anything
"chacha20-poly1305@openssh.com"
# industry standard, fast if you have AES-NI hardware
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
# Combines the SHA-512 hash func with a secret key to create a MAC
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}