initial commit

modules/features/security/sysctl/security-sysctl-userspace.nix

@@ -0,0 +1,35 @@
+{ ... }:
+{
+  config.dendritic.features.security-sysctl-userspace = {
+    nixosModules = [
+      (
+        { ... }:
+        {
+          boot.kernel.sysctl = {
+            # 0 breaks browsers
+            "kernel.unprivileged_userns_clone" = 1;
+
+            "vm.mmap_min_addr" = 65536;
+            "vm.swappiness" = 10;
+
+            # ASLR memory protection (64-bit systems)
+            "vm.mmap_rnd_bits" = 32;
+            "vm.mmap_rnd_compat_bits" = 16;
+
+            # only permit symlinks to be followed when outside of a world-writable sticky directory
+            "fs.protected_symlinks" = 1;
+            "fs.protected_hardlinks" = 1;
+            # Prevent creating files in potentially attacker-controlled environments
+            "fs.protected_fifos" = 2;
+            "fs.protected_regular" = 2;
+
+            # Randomize memory
+            "kernel.randomize_va_space" = 2;
+            # Exec Shield (Stack protection)
+            "kernel.exec-shield" = 1;
+          };
+        }
+      )
+    ];
+  };
+}