initial commit

This commit is contained in:
gwg313 2026-04-15 18:26:05 -04:00
commit ebc1be5217
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
143 changed files with 7721 additions and 0 deletions


@ -0,0 +1,18 @@
# Breaks tracing and perf tools
{ ... }:
{
config.dendritic.features.security-sysctl-bpf = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
# should be enabled along with bpf above
"net.core.bpf_jit_harden" = 2;
};
}
)
];
};
}
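Review bot: `kernel.unprivileged_bpf_disabled = 1` on line 22 is the one-way value: once written it cannot be reset to 0 until reboot, whereas 2 applies the same restriction but can be cleared at runtime by an administrator. Since the file header already warns that this breaks tracing and perf tools, the choice deserves a comment such as `# 1 is permanent until reboot; 2 gives the same restriction but can be relaxed at runtime`. The comment on line 23 would also be clearer if it said what the value means: `# harden the eBPF JIT (2 = for all users, including root; 1 = unprivileged only)`.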


@ -0,0 +1,17 @@
# Restricts dmesg
{ ... }:
{
config.dendritic.features.security-sysctl-debug = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
};
}
)
];
};
}
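Review bot: The header `# Restricts dmesg` on line 35 documents only the second setting; `kernel.kptr_restrict = 2` on line 44 also zeroes kernel addresses in /proc/kallsyms and similar interfaces even for root, which is what breaks symbol resolution in perf and other kernel-debugging tools. Suggest extending the header to `# Restricts dmesg and hides kernel pointers (breaks perf symbol resolution)` so this file's trade-off note matches the other feature files.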


@ -0,0 +1,29 @@
{ ... }:
{
config.dendritic.features.security-sysctl-kernel = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"fs.suid_dumpable" = 0;
# prevent pointer leaks
# Note: certian container runtimes or browser sandboxes might rely on the following
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
"dev.tty.ldisk_autoload" = 0;
# prevent exploit of use-after-free flaws
"vm.unprivileged_userfaultfd" = 0;
# kexec is used to boot another kernel during runtime and can be abused
"kernel.kexec_load_disabled" = 1;
# Kernel self-protection
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
"kernel.sysrq" = 4;
# restrict all usage of performance events to the CAP_PERFMON capability
"kernel.perf_event_paranoid" = 3;
};
}
)
];
};
}
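Review bot: `"dev.tty.ldisk_autoload"` on line 68 is not the kernel's sysctl name; the line-discipline control is `dev.tty.ldisc_autoload`, so this entry fails to apply at boot (systemd-sysctl logs the missing key and continues) and the restriction the comment describes is never enforced. Change it to `"dev.tty.ldisc_autoload" = 0;`. Separately, the `# prevent pointer leaks` comment on line 65 has no setting beneath it (kptr_restrict lives in the debug module) and reads as a leftover, and `certian` on line 66 is a typo.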


@ -0,0 +1,54 @@
{ ... }:
{
config.dendritic.features.security-sysctl-network = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# protect against SYN flood attacks (denial of service attack)
"net.ipv4.tcp_syncookies" = 1;
# protection against TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# enable source validation of packets received (prevents IP spoofing)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
# Protect against IP spoofing
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# prevent man-in-the-middle attacks
"net.ipv4.icmp_echo_ignore_all" = 1;
# ignore ICMP request, helps avoid Smurf attacks
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv6.conf.default.accept_source_route" = 0;
# Reverse path filtering causes the kernel to do source validation of
"net.ipv6.conf.all.forwarding" = 0;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Disable TCP SACK
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
};
}
)
];
};
}
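Review bot: `net.ipv6.conf.all.accept_ra = 0` and `net.ipv6.conf.default.accept_ra = 0` on lines 123–124 disable router-advertisement processing on every interface, so a host that obtains its IPv6 address and default route via SLAAC loses IPv6 connectivity; this module is part of the base security-sysctl feature rather than the strict set, so it will also reach the dev machines the strict header excludes. If client hardening is the goal, consider dropping these two lines or adding `# requires static or DHCPv6 addressing; disables SLAAC` so the consequence is explicit. Several comments are also attached to the wrong line: `# Protect against IP spoofing` (108) sits above accept_redirects, `# prevent man-in-the-middle attacks` (113) above icmp_echo_ignore_all, `# ignore ICMP request, helps avoid Smurf attacks` (115) above forwarding, and the rp_filter comment on line 121 is cut off mid-sentence and placed far from the rp_filter lines it describes. Disabling SACK on lines 129–131 carries a real throughput cost on lossy links and should state why it is wanted.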


@ -0,0 +1,16 @@
# Breaks Debuggers
{ ... }:
{
config.dendritic.features.security-sysctl-ptrace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
"kernel.yama.ptrace_scope" = 2;
};
}
)
];
};
}
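Review bot: The header `# Breaks Debuggers` on line 142 is accurate but does not record why 2 was chosen over 3, the only other restrictive value: `kernel.yama.ptrace_scope = 3` cannot be lowered again until reboot, while 2 can be relaxed by an administrator when a debugging session is needed. A comment such as `# 2 = only CAP_SYS_PTRACE may attach; 3 would make this irreversible until reboot` on line 151 would capture the decision.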


@ -0,0 +1,12 @@
# Enable on server not dev machines
{ ... }:
{
config.dendritic.features.security-sysctl-strict = {
features = [
"security-sysctl-ptrace"
"security-sysctl-bpf"
"security-sysctl-debug"
"security-sysctl-userns"
];
};
}
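Review bot: security-sysctl-strict pulls in security-sysctl-userns, which sets `kernel.unprivileged_userns_clone` to 0 with `lib.mkForce`, while security-sysctl-userspace (part of the base security-sysctl feature) sets the same key to 1; the override only wins because of mkForce, and nothing in this file records that dependency. A comment such as `# userns overrides the =1 set by security-sysctl-userspace via mkForce` next to line 170 would make the intended precedence visible. Whether enabling this feature on its own also applies the base security-sysctl set cannot be determined from this commit.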


@ -0,0 +1,16 @@
# Can break containers and flatpaks
{ ... }:
{
config.dendritic.features.security-sysctl-userns = {
nixosModules = [
(
{ lib, ... }:
{
boot.kernel.sysctl = lib.mkForce {
"kernel.unprivileged_userns_clone" = 0;
};
}
)
];
};
}
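Review bot: `kernel.unprivileged_userns_clone` on line 187 is not a mainline Linux sysctl (it comes from a distribution kernel patch), so whether the kernel this configuration ends up booting exposes it cannot be confirmed from this commit; if it is absent, the mkForce value never takes effect and the header's warning about containers and flatpaks applies to nothing. The mainline control is `user.max_user_namespaces = 0`, and NixOS also exposes the `security.unprivilegedUsernsClone` option, either of which is portable across kernels. A short comment naming the kernel this was validated against would help the next reader.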


@ -0,0 +1,35 @@
{ ... }:
{
config.dendritic.features.security-sysctl-userspace = {
nixosModules = [
(
{ ... }:
{
boot.kernel.sysctl = {
# 0 breaks browsers
"kernel.unprivileged_userns_clone" = 1;
"vm.mmap_min_addr" = 65536;
"vm.swappiness" = 10;
# ASLR memory protection (64-bit systems)
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# only permit symlinks to be followed when outside of a world-writable sticky directory
"fs.protected_symlinks" = 1;
"fs.protected_hardlinks" = 1;
# Prevent creating files in potentially attacker-controlled environments
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
# Randomize memory
"kernel.randomize_va_space" = 2;
# Exec Shield (Stack protection)
"kernel.exec-shield" = 1;
};
}
)
];
};
}
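Review bot: `kernel.exec-shield` on line 222 is a Red Hat-specific sysctl from the 32-bit era and does not exist in mainline Linux, so it fails to apply and only adds a sysctl error at boot without providing any protection; the NX-based stack protection it stood for is already provided by the kernel on 64-bit hardware, so the line and its comment can be dropped. `vm.mmap_rnd_bits = 32` on line 211 is the x86_64 maximum but the valid range is per-architecture, so on other targets it may be rejected; the comment's "64-bit systems" should be narrowed to the architectures it was checked on or the value made conditional. The `# 0 breaks browsers` comment on line 206 is also worth expanding, since the strict feature forces this exact key to 0.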


@ -0,0 +1,21 @@
{ ... }:
{
config.dendritic.features.security-sysctl = {
features = [
"security-sysctl-kernel"
"security-sysctl-network"
"security-sysctl-userspace"
];
nixosModules = [
(
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.kernel-hardening-checker ];
}
)
];
};
}