181 lines
4.9 KiB
Nix
181 lines
4.9 KiB
Nix
{
|
||
config,
|
||
lib,
|
||
...
|
||
}: {
|
||
# Boot
|
||
boot = {
|
||
loader.systemd-boot.enable = true;
|
||
loader.systemd-boot.configurationLimit = 5;
|
||
loader.efi.canTouchEfiVariables = true;
|
||
|
||
tmp.useTmpfs = lib.mkDefault true;
|
||
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
||
|
||
initrd.availableKernelModules = ["nvme" "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
|
||
initrd.kernelModules = [];
|
||
kernelModules = ["kvm-intel" "tcp_bbr" "coretemp" "nct6775"];
|
||
kernelParams = ["threadirqs"];
|
||
|
||
kernel.sysctl = {
|
||
# The Magic SysRq key is a key combo that allows users connected to the
|
||
# system console of a Linux kernel to perform some low-level commands.
|
||
# Disable it, since we don't need it, and is a potential security concern.
|
||
"kernel.sysrq" = 0;
|
||
|
||
## TCP hardening
|
||
# Prevent bogus ICMP errors from filling up logs.
|
||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||
# Reverse path filtering causes the kernel to do source validation of
|
||
# packets received from all interfaces. This can mitigate IP spoofing.
|
||
"net.ipv4.conf.default.rp_filter" = 1;
|
||
"net.ipv4.conf.all.rp_filter" = 1;
|
||
# Do not accept IP source route packets
|
||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||
# Don't send ICMP redirects
|
||
"net.ipv4.conf.all.send_redirects" = 0;
|
||
"net.ipv4.conf.default.send_redirects" = 0;
|
||
# Refuse ICMP redirects (MITM mitigations)
|
||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||
# Protects against SYN flood attacks
|
||
"net.ipv4.tcp_syncookies" = 1;
|
||
# Incomplete protection again TIME-WAIT assassination
|
||
"net.ipv4.tcp_rfc1337" = 1;
|
||
|
||
## TCP optimization
|
||
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
||
# data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
|
||
# both incoming and outgoing connections:
|
||
"net.ipv4.tcp_fastopen" = 3;
|
||
# Bufferbloat mitigations + slight improvement in throughput & latency
|
||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||
"net.core.default_qdisc" = "cake";
|
||
};
|
||
};
|
||
|
||
# Security
|
||
security = {
|
||
protectKernelImage = true;
|
||
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
|
||
rtkit.enable = true;
|
||
};
|
||
|
||
# Filesystem
|
||
fileSystems = {
|
||
"/" = {
|
||
device = "/dev/disk/by-label/nixos";
|
||
fsType = "btrfs";
|
||
options = ["subvol=root" "compress=zstd"];
|
||
};
|
||
|
||
"/nix" = {
|
||
device = "/dev/disk/by-label/nixos";
|
||
fsType = "btrfs";
|
||
options = ["subvol=nix" "compress=zstd" "noatime"];
|
||
};
|
||
|
||
"/home" = {
|
||
device = "/dev/disk/by-label/nixos";
|
||
fsType = "btrfs";
|
||
options = ["subvol=home" "compress=zstd"];
|
||
};
|
||
|
||
"/boot" = {
|
||
device = "/dev/disk/by-label/boot";
|
||
fsType = "vfat";
|
||
};
|
||
|
||
"/swap" = {
|
||
device = "/dev/disk/by-label/nixos";
|
||
fsType = "btrfs";
|
||
options = ["subvol=swap" "noatime"];
|
||
};
|
||
|
||
"/media/storage" = {
|
||
device = "/dev/disk/by-label/storage";
|
||
fsType = "btrfs";
|
||
options = ["subvol=storage" "nofail" "compress=zstd"];
|
||
};
|
||
|
||
"/media/btrbk-backups" = {
|
||
device = "/dev/disk/by-label/storage";
|
||
fsType = "btrfs";
|
||
options = ["subvol=btrbk-backups" "nofail" "compress=zstd"];
|
||
};
|
||
};
|
||
|
||
swapDevices = [
|
||
{device = "/swap/swapfile";}
|
||
];
|
||
|
||
services.fstrim.enable = true;
|
||
|
||
# Hardware etc
|
||
hardware = {
|
||
enableRedistributableFirmware = true;
|
||
|
||
cpu.intel.updateMicrocode = true;
|
||
|
||
bluetooth.enable = true;
|
||
|
||
pulseaudio.enable = false;
|
||
};
|
||
|
||
networking = {
|
||
networkmanager.enable = true;
|
||
useDHCP = false;
|
||
hostName = "catarina";
|
||
extraHosts = '''';
|
||
|
||
firewall = {
|
||
enable = true;
|
||
allowedTCPPorts = [80 443 3001 25600 8080 8085];
|
||
};
|
||
|
||
interfaces.enp9s0 = {
|
||
useDHCP = false;
|
||
ipv4.addresses = [
|
||
{
|
||
address = "192.168.156.102";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
};
|
||
|
||
defaultGateway = "192.168.156.1";
|
||
nameservers = ["192.168.156.1" "8.8.8.8"];
|
||
|
||
nat = {
|
||
enable = true;
|
||
externalInterface = "enp9s0";
|
||
internalInterfaces = ["ve-+"];
|
||
};
|
||
};
|
||
|
||
services.logind.lidSwitchExternalPower = "ignore";
|
||
|
||
# Common
|
||
time.timeZone = "Asia/Yekaterinburg";
|
||
|
||
i18n = {
|
||
defaultLocale = "en_US.UTF-8";
|
||
extraLocaleSettings = {
|
||
LC_ADDRESS = "en_US.UTF-8";
|
||
LC_IDENTIFICATION = "en_US.UTF-8";
|
||
LC_MEASUREMENT = "en_US.UTF-8";
|
||
LC_MONETARY = "en_US.UTF-8";
|
||
LC_NAME = "en_US.UTF-8";
|
||
LC_NUMERIC = "en_US.UTF-8";
|
||
LC_PAPER = "en_US.UTF-8";
|
||
LC_TELEPHONE = "en_US.UTF-8";
|
||
LC_TIME = "en_US.UTF-8";
|
||
};
|
||
};
|
||
}
|