{ config, lib, pkgs, ... }:

{
  # Memory allocator: left at the default. The hardened allocator broke the
  # redis instance behind immich, so this stays commented out.
  # environment.memoryAllocator.provider = "graphene-hardened";

  # No core dumps: a dump of a privileged or secret-holding process is an
  # information leak in its own right.
  systemd.coredump.enable = false;

  security = {
    # Nix sandbox builds map UIDs/GIDs through user namespaces, see
    # https://github.com/NixOS/nixpkgs/issues/287194
    # NOTE(review): the sysctl behind this option (kernel.unprivileged_userns_clone)
    # is only present on the linux-hardened patchset; on a stock kernel the
    # write fails harmlessly at boot. Confirm which kernel this host runs.
    unprivilegedUsernsClone = true;

    # Block kexec so the running kernel cannot be swapped out at runtime
    # (NixOS also disables hibernation with this, as resume-from-disk is
    # another way to replace the kernel image).
    protectKernelImage = true;
  };

  boot = {
    # Command-line hardening. These bring back most of the runtime-tunable
    # protections that linux-hardened used to provide.
    kernelParams = [
      # Zero memory on allocation and on free: stale data is neither leaked
      # nor reusable through a use-after-free. Modest CPU cost.
      "init_on_alloc=1"
      "init_on_free=1"
      # Keep SLUB caches of similar size/flags apart so different kernel
      # object types never share a slab; raises the bar for type confusion,
      # heap spraying and use-after-free exploitation.
      "slab_nomerge"
      # Shuffle the buddy allocator's free lists.
      "page_alloc.shuffle=1"
      # No debugfs: it exposes kernel internals.
      "debugfs=off"
      # No legacy vsyscall page; modern glibc does not use it.
      "vsyscall=none"
      # Unbatched IOMMU TLB invalidation, so a DMA-capable device cannot
      # reach a mapping that was just torn down.
      "iommu.strict=1"
    ];

    kernel.sysctl = {
      # Reboot on a kernel oops instead of keeping a possibly compromised
      # kernel alive; a negative value reboots with no delay.
      "kernel.panic" = -1;
      # Hide kernel pointers from everyone, CAP_SYSLOG included, so KASLR
      # is not trivially defeated via /proc.
      "kernel.kptr_restrict" = 2;
      # Turn off the bpf() JIT to remove the JIT-spray vector.
      # NOTE(review): a kernel built with CONFIG_BPF_JIT_ALWAYS_ON rejects
      # this write and the JIT stays on; check the kernel config, and
      # consider net.core.bpf_jit_harden = 2 as the fallback in that case.
      "net.core.bpf_jit_enable" = false;
      # Runtime ftrace off.
      "kernel.ftrace_enabled" = false;

      # Strict reverse-path filtering (1): drop a packet whose source
      # address would not be routed back out of the interface it arrived
      # on, and log the drops as martians. Strict mode can discard
      # legitimate traffic on asymmetrically routed multi-homed hosts.
      "net.ipv4.conf.all.rp_filter" = 1;
      "net.ipv4.conf.default.rp_filter" = 1;
      "net.ipv4.conf.all.log_martians" = true;
      "net.ipv4.conf.default.log_martians" = true;

      # Ignore ICMP redirects, v4 and v6, secure or not: they are a route
      # table poisoning vector on a host.
      "net.ipv4.conf.all.accept_redirects" = false;
      "net.ipv4.conf.all.secure_redirects" = false;
      "net.ipv4.conf.default.accept_redirects" = false;
      "net.ipv4.conf.default.secure_redirects" = false;
      "net.ipv6.conf.all.accept_redirects" = false;
      "net.ipv6.conf.default.accept_redirects" = false;
      # And never emit them: this machine is not a router.
      "net.ipv4.conf.all.send_redirects" = false;
      "net.ipv4.conf.default.send_redirects" = false;
      # Do not answer ICMP echo sent to a broadcast address (smurf
      # amplification mitigation).
      "net.ipv4.icmp_echo_ignore_broadcasts" = true;

      # Filesystem link/open hardening.
      # protected_hardlinks / protected_symlinks: unprivileged users may not
      # hard-link files they do not own, and symlinks in sticky world-writable
      # directories are only followed when owner matches; closes the classic
      # TOCTOU escalation through /tmp. systemd-tmpfiles also relies on
      # protected_hardlinks before it will chmod hard-linked files.
      "fs.protected_hardlinks" = true;
      "fs.protected_symlinks" = true;
      # protected_fifos / protected_regular: refuse O_CREAT opens of FIFOs and
      # regular files the caller does not own inside sticky directories
      # unless the directory owner owns them. Level 1 covers world-writable
      # sticky directories; level 2 extends that to group-writable ones.
      "fs.protected_fifos" = 2;
      "fs.protected_regular" = 2;
    };
  };

  services = {
    dbus.implementation = "broker";

    /* Not enabled yet:
    logrotate.enable = true;
    journald = {
      storage = "volatile";     # keep logs in memory only
      upload.enable = false;    # no remote log upload (already the default)
      extraConfig = ''
        SystemMaxUse=500M
        SystemMaxFileSize=50M
      '';
    };
    */

    fail2ban = {
      enable = true;
      # iptables-based actions for compatibility with the existing firewall.
      banaction = "iptables-multiport";
      banaction-allports = "iptables-allports";
    };
  };
}