refactor: split sysctl file

2024-02-04 12:52:08 -05:00 · 2024-02-04 12:52:08 -05:00 · 1b98ea698d
commit 1b98ea698d
parent f0d2e555ac
13 changed files with 346 additions and 127 deletions
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@ -15,7 +15,7 @@
    # outputs.nixosModules.example
    ../../common/nixos/common.nix
    ../../common/nixos/laptop.nix
-    #../../common/networking/zerotier.nix
+    ../../common/networking/zerotier.nix
    ../../common/nixos/bluetooth.nix
    ../../common/nixos/restic.nix
    ../../common/nixos/ssh.nix
@ -26,10 +26,10 @@
    ../../common/virtualization/podman.nix
    ../../common/virtualization/kubernetes.nix
    ../../common/virtualization/libvirt.nix
+    ../../common/nixos/sysctl/default.nix

    ./auditd.nix
    ./kernel.nix
-    ./sysctl.nix
    ./earlyoom.nix

    # Or modules from other flakes (such as nixos-hardware):
--- a/hosts/candlekeep/sysctl.nix
+++ b/hosts/candlekeep/sysctl.nix
@ -1,62 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  boot.kernel.sysctl = {
-    # Restrict kernel pointers
-    "kernel.kptr_restrict" = 2;
-
-    "kernel.dmesg_restrict" = 1;
-
-    # Restrict eBPF
-    "kernel.unprivileged_bpf_disabled" = 1;
-
-    # Harden JIT
-    "net.core.bpf_jit_harden" = 2;
-
-    "dev.tty.ldisc_autoload" = 0;
-    "vm.unprivileged_userfaultfd" = 0;
-
-    # Disable loading other kernels at runtime
-    "kernel.kexec_load_disabled" = 1;
-
-    # Disable SysRq key for non-users (can be used in remote exploits)
-    "kernel.sysrq" = 4;
-
-    "kernel.perf_event_paranoid" = 3;
-    "kernel.unprivileged_userns_clone" = 1;
-
-    ## NETWORK
-
-    # SYN flood attack prevention
-    "net.ipv4.tcp_syncookies" = 1;
-
-    # Prevent IP spoofing
-    "net.ipv4.conf.all.rp_filter" = 1;
-    "net.ipv4.conf.default.rp_filter" = 1;
-
-    # MITM attack prevention (disable redirect acceptance)
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-
-    # Clock fingerprinting prevention (disabled ICMP requests)
-    "net.ipv4.icmp_echo_ignore_all" = 1;
-
-    # Restrict ptrace usage
-    "kernel.yama.ptrace_scope" = 2;
-
-    # ASLR exploit mitigation
-    "vm.mmap_rnd_bits" = 32;
-    "vm.mmap_rnd_compat_bits" = 16;
-
-    "fs.protected_fifos" = 2;
-    "fs.protected_regular" = 2;
-  };
-}
--- a/hosts/grymforge/configuration.nix
+++ b/hosts/grymforge/configuration.nix
@ -25,10 +25,10 @@
    ../../common/virtualization/podman.nix
    ../../common/virtualization/kubernetes.nix
    ../../common/virtualization/libvirt.nix
+    ../../common/nixos/sysctl/default.nix

    ./auditd.nix
    ./kernel.nix
-    ./sysctl.nix
    ./earlyoom.nix

    # Or modules from other flakes (such as nixos-hardware):
--- a/hosts/grymforge/sysctl.nix
+++ b/hosts/grymforge/sysctl.nix
@ -1,62 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  boot.kernel.sysctl = {
-    # Restrict kernel pointers
-    "kernel.kptr_restrict" = 2;
-
-    "kernel.dmesg_restrict" = 1;
-
-    # Restrict eBPF
-    "kernel.unprivileged_bpf_disabled" = 1;
-
-    # Harden JIT
-    "net.core.bpf_jit_harden" = 2;
-
-    "dev.tty.ldisc_autoload" = 0;
-    "vm.unprivileged_userfaultfd" = 0;
-
-    # Disable loading other kernels at runtime
-    "kernel.kexec_load_disabled" = 1;
-
-    # Disable SysRq key for non-users (can be used in remote exploits)
-    "kernel.sysrq" = 4;
-
-    "kernel.perf_event_paranoid" = 3;
-    "kernel.unprivileged_userns_clone" = 1;
-
-    ## NETWORK
-
-    # SYN flood attack prevention
-    "net.ipv4.tcp_syncookies" = 1;
-
-    # Prevent IP spoofing
-    "net.ipv4.conf.all.rp_filter" = 1;
-    "net.ipv4.conf.default.rp_filter" = 1;
-
-    # MITM attack prevention (disable redirect acceptance)
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-
-    # Clock fingerprinting prevention (disabled ICMP requests)
-    "net.ipv4.icmp_echo_ignore_all" = 1;
-
-    # Restrict ptrace usage
-    "kernel.yama.ptrace_scope" = 2;
-
-    # ASLR exploit mitigation
-    "vm.mmap_rnd_bits" = 32;
-    "vm.mmap_rnd_compat_bits" = 16;
-
-    "fs.protected_fifos" = 2;
-    "fs.protected_regular" = 2;
-  };
-}