Security updates

2025-12-20 17:52:03 -07:00
parent 20fefd7813
commit 1bf4a88be0
4 changed files with 171 additions and 18 deletions
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -1,11 +1,32 @@
 { config, pkgs, ... }:

 {
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot = {
+    enable = true;
+    editor = false;
+    configurationLimit = 10;
+  };
+
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.initrd.kernelModules = [ "amdgpu" ];
-  boot.kernelParams = [ "preempt=full" ];
+  
+  # Kernel parameters for security and performance
+  boot.kernelParams = [
+    "preempt=full"
+    "slab_nomerge"
+    "init_on_alloc=1"
+    "init_on_free=1"
+    "page_alloc.shuffle=1"
+    "randomize_kstack_offset=on"
+    "vsyscall=none"
+    "mitigations=auto"
+  ];
+
+  boot.kernelModules = [ "tcp_bbr" ];
+
+  boot.tmp.useTmpfs = true;
+  boot.tmp.tmpfsSize = "4G";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  xdg.portal.config.common.default = [ "gnome" ];
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -6,17 +6,48 @@ in
 {
  networking.hostName = settings.hostname;

-  networking.networkmanager.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    wifi.scanRandMacAddress = true;
+  };

-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    
+    # Allowed ports
+    allowedTCPPorts = [ 
+      # Sunshine
+      47984 47989 48010 
+    ];
+    allowedUDPPorts = [ 
+      # Sunshine
+      47998 47999 48000 48010 
+    ];

-  networking.firewall.allowedTCPPorts = [ 
-    # Sunshine
-    47984 47989 48010 
-  ];
+    # Firewall
+    logReversePathDrops = true;
+    logRefusedConnections = true;

-  networking.firewall.allowedUDPPorts = [ 
-    # Sunshine
-    47998 47999 48000 48010 
-  ];
+    # Connection tracking
+    connectionTrackingModules = [];
+    autoLoadConntrackHelpers = false;
+
+    extraCommands = ''
+      iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
+      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
+    '';
+    extraStopCommands = ''
+      iptables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
+      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 2>/dev/null || true
+      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
+    '';
+  };
+
+  networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
+  services.resolved = {
+    enable = true;
+    dnsovertls = "opportunistic";
+    fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
+  };
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -1,24 +1,101 @@
 { config, pkgs, ... }:

 {
-  security.sudo.execWheelOnly = true;
+  security.sudo = {
+    execWheelOnly = true;
+    extraConfig = ''
+      # Reduce sudo timeout to 5 minutes
+      Defaults timestamp_timeout=5
+      # Require password for sudo even in same terminal session after timeout
+      Defaults timestamp_type=global
+      # Show asterisks when typing password
+      Defaults pwfeedback
+    '';
+  };

  nix.settings.allowed-users = [ "@wheel" ];

-  security.apparmor.enable = true;
+  security.apparmor = {
+    enable = true;
+    killUnconfinedConfinables = true;
+  };

-  services.fail2ban.enable = true;
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h"; # 1 week max ban
+      factor = "4";
+    };
+  };
+
+  security.pam.loginLimits = [
+    { domain = "*"; type = "hard"; item = "core"; value = "0"; }
+  ];

  boot.kernel.sysctl = {
    "kernel.dmesg_restrict" = 1;
+    "kernel.kptr_restrict" = 2;
+    "kernel.perf_event_paranoid" = 3;
+    "kernel.yama.ptrace_scope" = 1;
+    "kernel.unprivileged_bpf_disabled" = 1;
+    "kernel.sysrq" = 0;
+    "kernel.randomize_va_space" = 2;
+    "kernel.kexec_load_disabled" = 1;
+
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_rfc1337" = 1;
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.default.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_ra" = 0;
+    "net.ipv6.conf.default.accept_ra" = 0;
+
+    "net.core.rmem_max" = 16777216;
+    "net.core.wmem_max" = 16777216;
+    "net.ipv4.tcp_fastopen" = 3;
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "fq";
+
+    "vm.swappiness" = 10;
+    "vm.vfs_cache_pressure" = 50;
+    "vm.dirty_ratio" = 10;
+    "vm.dirty_background_ratio" = 5;
+
+    "fs.protected_hardlinks" = 1;
+    "fs.protected_symlinks" = 1;
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+    "fs.suid_dumpable" = 0;
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = false;
+    dates = "04:00";
+  };
+
+  security.auditd.enable = true;
+  security.audit = {
+    enable = true;
+    rules = [
+      "-a exit,always -F arch=b64 -S execve"
+    ];
  };
 }
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -1,12 +1,36 @@
 { config, pkgs, ... }:

 {
-  # Enable the OpenSSH daemon
+  # Hardened OpenSSH
  services.openssh = {
    enable = true;
+    ports = [ 22 ];
    settings = {
+      # Authentication
      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitEmptyPasswords = false;
+      
+      # Security hardening
+      X11Forwarding = false;
+      AllowTcpForwarding = false;
+      AllowAgentForwarding = false;
+      AllowStreamLocalForwarding = false;
+      
+      # Session settings
+      ClientAliveInterval = 300;
+      ClientAliveCountMax = 2;
+      MaxAuthTries = 3;
+      MaxSessions = 2;
+      LoginGraceTime = 30;
    };
+    # Use only strong key exchange algos
+    extraConfig = ''
+      KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    '';
  };

  # Tailscale