From 3c3e5d3845fd106d9adbd73b5612883701403402 Mon Sep 17 00:00:00 2001
From: tdback
Date: Fri, 24 Jan 2025 23:31:48 -0500
Subject: modules: overhauled, adding several security/network tweaks
---
 modules/profiles/common/default.nix | 115 +++++++++++++++++++++++++-----------
 1 file changed, 82 insertions(+), 33 deletions(-)
(limited to 'modules/profiles')
diff --git a/modules/profiles/common/default.nix b/modules/profiles/common/default.nix
index d364a7f..678717a 100644
--- a/modules/profiles/common/default.nix
+++ b/modules/profiles/common/default.nix
@@ -1,27 +1,33 @@
 {
   inputs,
+  config,
   lib,
   pkgs,
   ...
 }:
 {
-  nix = {
-    settings = {
-      trusted-users = [
-        "@wheel"
-        "root"
-      ];
-      experimental-features = lib.mkDefault [
-        "nix-command"
-        "flakes"
-      ];
-      auto-optimise-store = true;
-    };
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 14d";
-    };
+  nix.settings = {
+    trusted-users = [
+      "@wheel"
+      "root"
+    ];
+    # Experimental?! How about always enable!
+    experimental-features = lib.mkDefault [
+      "nix-command"
+      "flakes"
+    ];
+    # During builds, save disk space by replacing duplicates with a hard-link
+    # to a single copy. This may slow down some builds.
+    auto-optimise-store = true;
+  };
+
+  # Periodically clean the store and remove older boot entries. We could also
+  # limit boot entries with `boot.loader.systemd-boot.configurationLimit`, but
+  # this should be frequent enough.
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 14d";
   };
 
   nixpkgs = {
@@ -29,6 +35,7 @@
     allowUnfree = true;
     allowUnfreePredicate = (_: true);
   };
+  # Allow choice between stable and unstable pkgs.
   overlays = [
     (final: _prev: {
       unstable = import inputs.nixpkgs-unstable {
@@ -39,23 +46,65 @@
     ];
   };
 
-  security = {
-    polkit.enable = true;
-    sudo = {
-      enable = lib.mkDefault true;
-      wheelNeedsPassword = lib.mkDefault false;
-    };
+  security.polkit.enable = true;
+  security.sudo = {
+    enable = lib.mkDefault true;
+    wheelNeedsPassword = lib.mkDefault false;
   };
 
-  programs = {
-    git.enable = true;
-    htop.enable = true;
-    neovim = {
-      enable = true;
-      package = pkgs.unstable.neovim-unwrapped;
-      viAlias = true;
-      vimAlias = true;
-      defaultEditor = true;
-    };
+  # /tmp is mounted in RAM. This makes tmp file management go BRRRR on SSDs and
+  # also more secure (and volatile). The tmpfs is wiped on reboot.
+  boot.tmp.useTmpfs = lib.mkDefault true;
+  # If not using tmpfs (purged on reboot), we must clean it ourselves.
+  boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+  # Fix security hole in place for backwards compatibility. See desc in
+  # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+  boot.loader.systemd-boot.editor = false;
+
+  # Tweak runtime kernel parameters.
+  boot.kernel.sysctl = {
+    # Disable "Magic SysRq" key, since we don't need it.
+    "kernel.sysrq" = 0;
+    # Don't accept IP source packets (we aren't a router).
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    # Don't send ICMP redirects (we still aren't a router).
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    # Refuse ICMP redirects (MITM mitigation).
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    # Protect against SYN flood attacks.
+    "net.ipv4.tcp_syncookies" = 1;
+    # Incomplete protection against TIME-WAIT assassination.
+    "net.ipv4.tcp_rfc1337" = 1;
+    # Mitigate IP spoofing with reverse path filtering. This forces the kernel
+    # to do source validation of packets received from all interfaces.
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    # Reduce network latency by packing data in sender's initial TCP SYN.
+    # A value of '3' enables TCP Fast Open for both incoming and outgoing
+    # connections.
+    "net.ipv4.tcp_fastopen" = 3;
+    # Bufferbloat mitigations and slight improvement in throughput and latency.
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+  boot.kernelModules = [ "tcp_bbr" ];
+
+  programs.git.enable = true;
+  programs.htop.enable = true;
+  # Ensure we have the latest available neovim by default.
+  programs.neovim = {
+    enable = true;
+    package = pkgs.unstable.neovim-unwrapped;
+    viAlias = true;
+    vimAlias = true;
+    defaultEditor = true;
   };
 }
-- 
cgit v1.2.3
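Review bot: The two `accept_source_route` entries in the new `boot.kernel.sysctl` set only the `all` keys, while every other IPv4/IPv6 knob in the block sets both `all` and `default`; for consistency, and so interfaces created later inherit the same policy, add `"net.ipv4.conf.default.accept_source_route" = 0;` and `"net.ipv6.conf.default.accept_source_route" = 0;` (the `all` value may already govern the effective setting, so this is mainly a uniformity point). Since `rp_filter = 1` is strict mode and drops failing packets silently, `"net.ipv4.conf.all.log_martians" = 1;` would make those drops visible in the kernel log for troubleshooting, and the comment above `rp_filter` should mention that strict mode can break asymmetric or multi-homed routing. `tcp_fastopen = 3` enables the server side as well as client-side TFO cookies, which carry the resource-exhaustion and cookie-tracking caveats described in RFC 7413's security considerations; the comment should state that this is a latency trade-off rather than a hardening setting, and hosts that never accept TFO connections could use `1` instead.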