atridad/lavitz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security updates

Browse Source
This commit is contained in:
Atridad Lahiji
2025-12-20 17:52:03 -07:00
parent 20fefd7813
commit 1bf4a88be0
4 changed files with 171 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
modules/boot.nix
View File

@@ -1,11 +1,32 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot = {
enable = true;
editor = false;
configurationLimit = 10;
};
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.kernelModules = [ "amdgpu" ]; boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelParams = [ "preempt=full" ];
# Kernel parameters for security and performance
boot.kernelParams = [
"preempt=full"
"slab_nomerge"
"init_on_alloc=1"
"init_on_free=1"
"page_alloc.shuffle=1"
"randomize_kstack_offset=on"
"vsyscall=none"
"mitigations=auto"
];
boot.kernelModules = [ "tcp_bbr" ];
boot.tmp.useTmpfs = true;
boot.tmp.tmpfsSize = "4G";
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
xdg.portal.config.common.default = [ "gnome" ]; xdg.portal.config.common.default = [ "gnome" ];

41
modules/networking.nix
View File

@@ -6,17 +6,48 @@ in
{ {
networking.hostName = settings.hostname; networking.hostName = settings.hostname;
networking.networkmanager.enable = true; networking.networkmanager = {
enable = true;
wifi.scanRandMacAddress = true;
};
networking.firewall.enable = true; networking.firewall = {
enable = true;
networking.firewall.allowedTCPPorts = [ # Allowed ports
allowedTCPPorts = [
# Sunshine # Sunshine
47984 47989 48010 47984 47989 48010
]; ];
allowedUDPPorts = [
networking.firewall.allowedUDPPorts = [
# Sunshine # Sunshine
47998 47999 48000 48010 47998 47999 48000 48010
]; ];
# Firewall
logReversePathDrops = true;
logRefusedConnections = true;
# Connection tracking
connectionTrackingModules = [];
autoLoadConntrackHelpers = false;
extraCommands = ''
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
'';
extraStopCommands = ''
iptables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 2>/dev/null || true
iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
'';
};
networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
services.resolved = {
enable = true;
dnsovertls = "opportunistic";
fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
};
} }

87
modules/security.nix
View File

@@ -1,24 +1,101 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
security.sudo.execWheelOnly = true; security.sudo = {
execWheelOnly = true;
extraConfig = ''
# Reduce sudo timeout to 5 minutes
Defaults timestamp_timeout=5
# Require password for sudo even in same terminal session after timeout
Defaults timestamp_type=global
# Show asterisks when typing password
Defaults pwfeedback
'';
};
nix.settings.allowed-users = [ "@wheel" ]; nix.settings.allowed-users = [ "@wheel" ];
security.apparmor.enable = true; security.apparmor = {
enable = true;
killUnconfinedConfinables = true;
};
services.fail2ban.enable = true; services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment = {
enable = true;
maxtime = "168h"; # 1 week max ban
factor = "4";
};
};
security.pam.loginLimits = [
{ domain = "*"; type = "hard"; item = "core"; value = "0"; }
];
boot.kernel.sysctl = { boot.kernel.sysctl = {
"kernel.dmesg_restrict" = 1; "kernel.dmesg_restrict" = 1;
"kernel.kptr_restrict" = 2;
"kernel.perf_event_paranoid" = 3;
"kernel.yama.ptrace_scope" = 1;
"kernel.unprivileged_bpf_disabled" = 1;
"kernel.sysrq" = 0;
"kernel.randomize_va_space" = 2;
"kernel.kexec_load_disabled" = 1;
"net.ipv4.conf.all.log_martians" = 1; "net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1; "net.ipv4.conf.default.log_martians" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1; "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
"net.core.rmem_max" = 16777216;
"net.core.wmem_max" = 16777216;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "fq";
"vm.swappiness" = 10;
"vm.vfs_cache_pressure" = 50;
"vm.dirty_ratio" = 10;
"vm.dirty_background_ratio" = 5;
"fs.protected_hardlinks" = 1;
"fs.protected_symlinks" = 1;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.suid_dumpable" = 0;
};
system.autoUpgrade = {
enable = true;
allowReboot = false;
dates = "04:00";
};
security.auditd.enable = true;
security.audit = {
enable = true;
rules = [
"-a exit,always -F arch=b64 -S execve"
];
}; };
} }

26
modules/services.nix
View File

@@ -1,12 +1,36 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
# Enable the OpenSSH daemon # Hardened OpenSSH
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 22 ];
settings = { settings = {
# Authentication
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitEmptyPasswords = false;
# Security hardening
X11Forwarding = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
AllowStreamLocalForwarding = false;
# Session settings
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
MaxAuthTries = 3;
MaxSessions = 2;
LoginGraceTime = 30;
}; };
# Use only strong key exchange algos
extraConfig = ''
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
'';
}; };
# Tailscale # Tailscale