# Kernel Hardening Module # Provides: hardened boot params, sysctl settings, blacklisted modules, ZRAM # # Usage: # myModules.kernelHardening = { # enable = true; # enableZram = true; # default: true # zramPercent = 50; # default: 50 # }; { config, lib, pkgs, ... }: let cfg = config.myModules.kernelHardening; in { options.myModules.kernelHardening = { enable = lib.mkEnableOption "kernel hardening module"; enableZram = lib.mkOption { type = lib.types.bool; default = true; description = "Enable ZRAM swap"; }; zramPercent = lib.mkOption { type = lib.types.int; default = 50; description = "Percentage of RAM to use for ZRAM"; }; zramAlgorithm = lib.mkOption { type = lib.types.str; default = "lz4"; description = "Compression algorithm for ZRAM (lz4, zstd, lzo)"; }; tmpfsPercent = lib.mkOption { type = lib.types.str; default = "50%"; description = "Size of /tmp tmpfs as percentage of RAM"; }; }; config = lib.mkIf cfg.enable { # Secure boot loader settings boot.loader.systemd-boot.editor = false; # Use tmpfs for /tmp boot.tmp = { useTmpfs = true; tmpfsSize = cfg.tmpfsPercent; }; # Runtime kernel hardening boot.kernelParams = [ "slab_nomerge" "init_on_alloc=1" "init_on_free=1" "page_alloc.shuffle=1" "randomize_kstack_offset=on" "vsyscall=none" "oops=panic" ]; # Kernel sysctl hardening boot.kernel.sysctl = { "kernel.kptr_restrict" = 2; "kernel.dmesg_restrict" = 1; "fs.protected_hardlinks" = 1; "fs.protected_symlinks" = 1; "net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_rfc1337" = 1; "net.ipv4.ip_forward" = 1; "kernel.unprivileged_bpf_disabled" = 1; "kernel.kexec_load_disabled" = 1; "kernel.perf_event_paranoid" = 3; "net.ipv4.tcp_timestamps" = 0; "dev.tty.ldisc_autoload" = 0; "kernel.yama.ptrace_scope" = 1; "kernel.core_pattern" = "|/bin/false"; "net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; "net.ipv4.conf.all.rp_filter" = 2; "net.ipv4.conf.default.rp_filter" = 2; "net.ipv4.conf.all.log_martians" = 1; "net.ipv4.conf.default.log_martians" = 1; "net.ipv4.icmp_echo_ignore_broadcasts" = 1; # Network optimization (TCP Buffers) "net.core.rmem_max" = 2500000; "net.core.wmem_max" = 2500000; "net.ipv4.tcp_rmem" = "4096 87380 2500000"; "net.ipv4.tcp_wmem" = "4096 65536 2500000"; "net.core.netdev_max_backlog" = 5000; }; # Set IO Scheduler to kyber for NVMe and bfq for SATA services.udev.extraRules = '' # NVMe ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*", ATTR{queue/scheduler}="kyber" # SSD/HDD ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq" ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq" ''; boot.blacklistedKernelModules = [ "cramfs" "freevxfs" "jffs2" "hfs" "hfsplus" "udf" # DMA vulnerable modules "firewire-core" "firewire_ohci" "thunderbolt" ]; security.lockKernelModules = true; zramSwap = lib.mkIf cfg.enableZram { enable = true; memoryPercent = cfg.zramPercent; algorithm = cfg.zramAlgorithm; }; }; }