flake/nixos/profiles/common/core/hardening/default.nix


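{...}: {
  ### Basic hardening
  # Baseline host hardening for every machine built from this profile:
  # a shared machine-id (anti-fingerprinting), the AppArmor LSM, sudo-rs
  # restricted to the wheel group, and a modprobe blacklist for rarely used
  # kernel modules. Kernel/sysctl tunables live in the imported ./sysctl.nix.
  # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
  # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
  imports = [
    ./sysctl.nix
  ];

  # Pin /etc/machine-id to the well-known Whonix/Kicksecure value so that hosts
  # built from this profile cannot be told apart by machine-id (it is readable
  # by any local process via /etc/machine-id and D-Bus and is mixed into
  # several application-specific identifiers).
  # NOTE(review): machine-id is also used as a *uniqueness* key by some
  # components - e.g. DHCPv6 DUID generation in systemd-networkd/NetworkManager,
  # journald's _MACHINE_ID field, journal-remote and cluster tooling - so
  # sharing one value across many hosts may cause collisions there. Confirm
  # this is acceptable before rolling the profile out to a fleet.
  environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id

  # Load the AppArmor LSM and userspace tooling. This only enforces the
  # profiles that are actually defined/shipped; the referenced hardened profile
  # additionally sets `security.apparmor.killUnconfinedConfinables = true` so
  # that confinable processes started before their profile was loaded are
  # killed instead of silently left unconfined. Consider enabling it here.
  security.apparmor.enable = true;

  # sudo-rs is the memory-safe Rust reimplementation of sudo. execWheelOnly
  # makes the setuid binary executable only by members of `wheel`, removing it
  # from the setuid attack surface of every other local account.
  # NOTE(review): sudo-rs implements a subset of sudo's configuration and the
  # sudo and sudo-rs NixOS modules are not designed to be enabled together -
  # make sure `security.sudo.enable` is not switched on by another module.
  security.sudo-rs.enable = true;
  security.sudo-rs.execWheelOnly = true;

  # modprobe blacklist (rendered as `blacklist <mod>` in modprobe.d). This
  # stops alias-based autoloading - e.g. mounting a filesystem of that type or
  # a socket() call for that protocol family - but does NOT stop an explicit
  # `modprobe <mod>` by root, does not unload an already loaded module, and has
  # no effect on drivers compiled into the kernel. For a hard block, pair each
  # entry with `install <mod> ${pkgs.coreutils}/bin/false` via
  # boot.extraModprobeConfig (the madaidans guide's approach), or set
  # kernel.modules_disabled once all required modules are loaded.
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"
    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs" # NOTE(review): used by some recent image/container tooling (e.g. composefs) - drop if needed
    "exofs"
    "freevxfs"
    "f2fs" # NOTE(review): common on flash/SD media - drop if any host mounts f2fs volumes
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs" # legacy read-mostly NTFS driver
    "ntfs3" # in-kernel NTFS driver (5.15+): a separate module, so blacklisting "ntfs" alone leaves it autoloadable
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
}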