From 1bf4a88be0e4686882f9cf8515a27fc3e8712446 Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Sat, 20 Dec 2025 17:52:03 -0700
Subject: [PATCH] Security updates

---
 modules/boot.nix | 25 +++++++++++-
 modules/networking.nix | 51 ++++++++++++++++++++-----
 modules/security.nix | 87 +++++++++++++++++++++++++++++++++++++++---
 modules/services.nix | 26 ++++++++++++-
 4 files changed, 171 insertions(+), 18 deletions(-)

diff --git a/modules/boot.nix b/modules/boot.nix
index 459b51f..3be8c31 100644
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -1,11 +1,32 @@
 { config, pkgs, ... }:
 
 {
- boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot = {
+ enable = true;
+ editor = false;
+ configurationLimit = 10;
+ };
+
 boot.loader.efi.canTouchEfiVariables = true;
 boot.kernelPackages = pkgs.linuxPackages_latest;
 boot.initrd.kernelModules = [ "amdgpu" ];
- boot.kernelParams = [ "preempt=full" ];
+
+ # Kernel parameters for security and performance
+ boot.kernelParams = [
+ "preempt=full"
+ "slab_nomerge"
+ "init_on_alloc=1"
+ "init_on_free=1"
+ "page_alloc.shuffle=1"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
+ "mitigations=auto"
+ ];
+
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ boot.tmp.useTmpfs = true;
+ boot.tmp.tmpfsSize = "4G";
 
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 xdg.portal.config.common.default = [ "gnome" ];
diff --git a/modules/networking.nix b/modules/networking.nix
index 43c85eb..45dac04 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
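Review bot: `"mitigations=auto"` in the new `boot.kernelParams` list is the kernel's built-in default for that parameter, so the entry is a no-op; either drop it or comment it as a deliberately explicit default (`"mitigations=auto,nosmt"` is the stricter choice if SMT-based side channels are in scope). None of the other hardening flags carries a per-flag comment; a short trailer on each, e.g. `"init_on_free=1" # zero pages and slab objects on free; measurable throughput cost`, would tell a later maintainer why the performance hit is accepted. `boot.kernelModules = [ "tcp_bbr" ]` exists only to back the `"net.ipv4.tcp_congestion_control" = "bbr"` sysctl that modules/security.nix sets in this same patch; a comment naming that dependency keeps the two files from drifting apart.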
@@ -6,17 +6,48 @@ in
 {
 networking.hostName = settings.hostname;
 
- networking.networkmanager.enable = true;
+ networking.networkmanager = {
+ enable = true;
+ wifi.scanRandMacAddress = true;
+ };
 
- networking.firewall.enable = true;
+ networking.firewall = {
+ enable = true;
+
+ # Allowed ports
+ allowedTCPPorts = [
+ # Sunshine
+ 47984 47989 48010
+ ];
+ allowedUDPPorts = [
+ # Sunshine
+ 47998 47999 48000 48010
+ ];
 
- networking.firewall.allowedTCPPorts = [
- # Sunshine
- 47984 47989 48010
- ];
+ # Firewall
+ logReversePathDrops = true;
+ logRefusedConnections = true;
 
- networking.firewall.allowedUDPPorts = [
- # Sunshine
- 47998 47999 48000 48010
- ];
+ # Connection tracking
+ connectionTrackingModules = [];
+ autoLoadConntrackHelpers = false;
+
+ extraCommands = ''
+ iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
+ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
+ '';
+ extraStopCommands = ''
+ iptables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
+ iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 2>/dev/null || true
+ iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
+ '';
+ };
+
+ networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
+ services.resolved = {
+ enable = true;
+ dnsovertls = "opportunistic";
+ fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
+ };
 }
diff --git a/modules/security.nix b/modules/security.nix
index ba2a6ef..e7a58ae 100644
--- a/modules/security.nix
+++ b/modules/security.nix
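Review bot: The SSH rate-limit and SYN connlimit rules in `extraCommands` are installed with `iptables` only, so they never apply to IPv6 — which this host keeps enabled (the `net.ipv6.*` sysctls in modules/security.nix) — and any IPv6-reachable sshd is exempt from the 4-per-minute limit. The script that runs these commands defines an `ip46tables` helper that applies a rule to both iptables and ip6tables; replacing `iptables` with `ip46tables` on all six lines of `extraCommands`/`extraStopCommands` closes the gap (e.g. `ip46tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set`). The `--dport 22` literal also duplicates `services.openssh.ports` from modules/services.nix; a comment pointing at that option keeps the two from silently diverging. Finally, `dnsovertls = "opportunistic"` falls back to plaintext DNS whenever the TLS handshake fails, so it offers no protection against an on-path downgrade; both configured resolvers support DoT, so `dnsovertls = "true"` is the value that matches the hardening intent of this hunk.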
@@ -1,24 +1,101 @@
 { config, pkgs, ... }:
 
 {
- security.sudo.execWheelOnly = true;
+ security.sudo = {
+ execWheelOnly = true;
+ extraConfig = ''
+ # Reduce sudo timeout to 5 minutes
+ Defaults timestamp_timeout=5
+ # Require password for sudo even in same terminal session after timeout
+ Defaults timestamp_type=global
+ # Show asterisks when typing password
+ Defaults pwfeedback
+ '';
+ };
 
 nix.settings.allowed-users = [ "@wheel" ];
 
- security.apparmor.enable = true;
+ security.apparmor = {
+ enable = true;
+ killUnconfinedConfinables = true;
+ };
 
- services.fail2ban.enable = true;
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h"; # 1 week max ban
+ factor = "4";
+ };
+ };
+
+ security.pam.loginLimits = [
+ { domain = "*"; type = "hard"; item = "core"; value = "0"; }
+ ];
 
 boot.kernel.sysctl = {
 "kernel.dmesg_restrict" = 1;
+ "kernel.kptr_restrict" = 2;
+ "kernel.perf_event_paranoid" = 3;
+ "kernel.yama.ptrace_scope" = 1;
+ "kernel.unprivileged_bpf_disabled" = 1;
+ "kernel.sysrq" = 0;
+ "kernel.randomize_va_space" = 2;
+ "kernel.kexec_load_disabled" = 1;
+
 "net.ipv4.conf.all.log_martians" = 1;
 "net.ipv4.conf.default.log_martians" = 1;
 "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
 "net.ipv4.conf.all.accept_redirects" = 0;
 "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
 "net.ipv4.conf.all.send_redirects" = 0;
 "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.default.accept_source_route" = 0;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.default.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv6.conf.default.accept_ra" = 0;
+
+ "net.core.rmem_max" = 16777216;
+ "net.core.wmem_max" = 16777216;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "fq";
+
+ "vm.swappiness" = 10;
+ "vm.vfs_cache_pressure" = 50;
+ "vm.dirty_ratio" = 10;
+ "vm.dirty_background_ratio" = 5;
+
+ "fs.protected_hardlinks" = 1;
+ "fs.protected_symlinks" = 1;
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
+ "fs.suid_dumpable" = 0;
+ };
+
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ dates = "04:00";
+ };
+
+ security.auditd.enable = true;
+ security.audit = {
+ enable = true;
+ rules = [
+ "-a exit,always -F arch=b64 -S execve"
+ ];
 };
 }
diff --git a/modules/services.nix b/modules/services.nix
index 2c7b01c..acd0c5b 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -1,12 +1,36 @@
 { config, pkgs, ... }:
 
 {
- # Enable the OpenSSH daemon
+ # Hardened OpenSSH
 services.openssh = {
 enable = true;
+ ports = [ 22 ];
 settings = {
+ # Authentication
 PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitEmptyPasswords = false;
+
+ # Security hardening
+ X11Forwarding = false;
+ AllowTcpForwarding = false;
+ AllowAgentForwarding = false;
+ AllowStreamLocalForwarding = false;
+
+ # Session settings
+ ClientAliveInterval = 300;
+ ClientAliveCountMax = 2;
+ MaxAuthTries = 3;
+ MaxSessions = 2;
+ LoginGraceTime = 30;
 };
+ # Use only strong key exchange algos
+ extraConfig = ''
+ KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+ '';
 };
 
 # Tailscale