nixos/profiles/hardened: replace 'with' using inherit and add disable option

2025-06-14 13:39:15 +03:00 · 2025-01-19 17:45:14 +01:00 · 2025-01-19 17:45:14 +01:00 · 958d1fb821
commit 958d1fb821
parent 81f97de458
1 changed files with 97 additions and 85 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -12,114 +12,126 @@
  pkgs,
  ...
 }:
-
+let
-with lib;
+  inherit (lib)
-
+    mkDefault
    mkOverride
    mkEnableOption
    mkIf
    maintainers
    ;
 in
 {
-  meta = {
+  options.profiles.hardened = mkEnableOption "hardened" // {
-    maintainers = [
+    default = true;
-      maintainers.joachifm
+    example = false;
      maintainers.emily
    ];
  };
  config = mkIf config.profiles.hardened {
    meta = {
      maintainers = [
        maintainers.joachifm
        maintainers.emily
      ];
    };
-  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+    boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
-  nix.settings.allowed-users = mkDefault [ "@users" ];
+    nix.settings.allowed-users = mkDefault [ "@users" ];
-  environment.memoryAllocator.provider = mkDefault "scudo";
+    environment.memoryAllocator.provider = mkDefault "scudo";
-  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+    environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
-  security.lockKernelModules = mkDefault true;
+    security.lockKernelModules = mkDefault true;
-  security.protectKernelImage = mkDefault true;
+    security.protectKernelImage = mkDefault true;
-  security.allowSimultaneousMultithreading = mkDefault false;
+    security.allowSimultaneousMultithreading = mkDefault false;
-  security.forcePageTableIsolation = mkDefault true;
+    security.forcePageTableIsolation = mkDefault true;
-  # This is required by podman to run containers in rootless mode.
+    # This is required by podman to run containers in rootless mode.
-  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+    security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-  security.virtualisation.flushL1DataCache = mkDefault "always";
+    security.virtualisation.flushL1DataCache = mkDefault "always";
-  security.apparmor.enable = mkDefault true;
+    security.apparmor.enable = mkDefault true;
-  security.apparmor.killUnconfinedConfinables = mkDefault true;
+    security.apparmor.killUnconfinedConfinables = mkDefault true;
-  boot.kernelParams = [
+    boot.kernelParams = [
-    # Don't merge slabs
+      # Don't merge slabs
-    "slab_nomerge"
+      "slab_nomerge"
-    # Overwrite free'd pages
+      # Overwrite free'd pages
-    "page_poison=1"
+      "page_poison=1"
-    # Enable page allocator randomization
+      # Enable page allocator randomization
-    "page_alloc.shuffle=1"
+      "page_alloc.shuffle=1"
-    # Disable debugfs
+      # Disable debugfs
-    "debugfs=off"
+      "debugfs=off"
-  ];
+    ];
-  boot.blacklistedKernelModules = [
+    boot.blacklistedKernelModules = [
-    # Obscure network protocols
+      # Obscure network protocols
-    "ax25"
+      "ax25"
-    "netrom"
+      "netrom"
-    "rose"
+      "rose"
-    # Old or rare or insufficiently audited filesystems
+      # Old or rare or insufficiently audited filesystems
-    "adfs"
+      "adfs"
-    "affs"
+      "affs"
-    "bfs"
+      "bfs"
-    "befs"
+      "befs"
-    "cramfs"
+      "cramfs"
-    "efs"
+      "efs"
-    "erofs"
+      "erofs"
-    "exofs"
+      "exofs"
-    "freevxfs"
+      "freevxfs"
-    "f2fs"
+      "f2fs"
-    "hfs"
+      "hfs"
-    "hpfs"
+      "hpfs"
-    "jfs"
+      "jfs"
-    "minix"
+      "minix"
-    "nilfs2"
+      "nilfs2"
-    "ntfs"
+      "ntfs"
-    "omfs"
+      "omfs"
-    "qnx4"
+      "qnx4"
-    "qnx6"
+      "qnx6"
-    "sysv"
+      "sysv"
-    "ufs"
+      "ufs"
-  ];
+    ];
-  # Hide kptrs even for processes with CAP_SYSLOG
+    # Hide kptrs even for processes with CAP_SYSLOG
-  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
+    boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
-  # Disable bpf() JIT (to eliminate spray attacks)
+    # Disable bpf() JIT (to eliminate spray attacks)
-  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
+    boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
-  # Disable ftrace debugging
+    # Disable ftrace debugging
-  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
+    boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
-  # Enable strict reverse path filtering (that is, do not attempt to route
+    # Enable strict reverse path filtering (that is, do not attempt to route
-  # packets that "obviously" do not belong to the iface's network; dropped
+    # packets that "obviously" do not belong to the iface's network; dropped
-  # packets are logged as martians).
+    # packets are logged as martians).
-  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
+    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
+    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
-  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
+    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
+    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
-  # Ignore broadcast ICMP (mitigate SMURF)
+    # Ignore broadcast ICMP (mitigate SMURF)
-  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-  # setting is applied to interfaces added after the sysctls are set)
+    # setting is applied to interfaces added after the sysctls are set)
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
-  # Ignore outgoing ICMP redirects (this is ipv4 only)
+    # Ignore outgoing ICMP redirects (this is ipv4 only)
-  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
-  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
+    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
  };
 }