{ inputs, pkgs, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; config = { environment.systemPackages = with pkgs; [ bitwarden sops ]; sops = { defaultSopsFile = ../../secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/"; }; security = { sudo.execWheelOnly = true; acme.acceptTerms = true; polkit.enable = true; pam = { u2f = { enable = true; settings.cue = true; }; }; }; networking.firewall.enable = true; programs.gnupg.agent.enable = true; boot = { loader.systemd-boot = { editor = false; configurationLimit = 50; }; kernelModules = [ "tcp_bbr" ]; kernel.sysctl = { ## TCP hardening # Prevent bogus ICMP errors from filling up logs. "net.ipv4.icmp_ignore_bogus_error_responses" = 1; # Reverse path filtering causes the kernel to do source validation of # packets received from all interfaces. This can mitigate IP spoofing. "net.ipv4.conf.default.rp_filter" = 1; "net.ipv4.conf.all.rp_filter" = 1; # Do not accept IP source route packets (we're not a router) "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0; # Don't send ICMP redirects (again, we're on a router) "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; # Refuse ICMP redirects (MITM mitigations) "net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0; # Protects against SYN flood attacks "net.ipv4.tcp_syncookies" = 1; # Incomplete protection again TIME-WAIT assassination "net.ipv4.tcp_rfc1337" = 1; ## TCP optimization # Enable TCP Fast Open for incoming and outgoing connections "net.ipv4.tcp_fastopen" = 3; # Bufferbloat mitigations + slight improvement in throughput & latency "net.ipv4.tcp_congestion_control" = "bbr"; "net.core.default_qdisc" = "cake"; }; }; }; }