| author | Fuwn <[email protected]> | 2024-09-03 01:52:03 -0700 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2024-09-03 01:52:03 -0700 |
| commit | c6deea451af1af2fdf4aee7f1ed74209f312a9b3 (patch) | |
| tree | d725ce5a39939b1379f2a4141cd0ab54c1ef16cc /modules/boot/default.nix | |
| parent | home (diff) | |
| download | nixos-config-c6deea451af1af2fdf4aee7f1ed74209f312a9b3.tar.xz nixos-config-c6deea451af1af2fdf4aee7f1ed74209f312a9b3.zip | |
modules
Diffstat (limited to 'modules/boot/default.nix')
| -rw-r--r-- | modules/boot/default.nix | 92 |
1 files changed, 78 insertions, 14 deletions
diff --git a/modules/boot/default.nix b/modules/boot/default.nix
index 4d8b8d1..6042882 100644
--- a/modules/boot/default.nix
+++ b/modules/boot/default.nix
@@ -12,9 +12,11 @@
 boot = {
 crashDump.enable = false;
+ consoleLogLevel = 3;
 loader = {
 timeout = 5;
+ generationsDir.copyKernels = true;
 efi = {
 canTouchEfiVariables = true;
@@ -23,24 +25,86 @@
 };
 kernelPackages = pkgs.linuxPackages_zen;
- kernelModules = [ "v4l2loopback" ];
- extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
-
- kernel.sysctl = lib.mkMerge (
- map
- (interface: {
- "net.ipv6.conf.${interface}.disable_ipv6" = true;
- })
- [
- "enp42s0"
- "wlp4s0"
- "tun0"
- ]
- );
+ blacklistedKernelModules = [ "nouveau" ];
+
+ extraModulePackages = with config.boot.kernelPackages; [
+ v4l2loopback
+ zenpower
+ ];
+
+ # initrd.availableKernelModules = [
+ # "aesni_intel"
+ # "cryptd"
+ # "usb_storage"
+ # ];
+
+ kernelModules = [
+ "v4l2loopback"
+ "tls"
+ "tcp_bbr"
+ "uhid"
+ "amd-pstate"
+ "zenpower"
+ "msr"
+ ];
+
+ kernel.sysctl = {
+ # TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets (we're not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're on a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+ # And other stuff
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.default.log_martians" = true;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv4.tcp_timestamps" = 0;
+
+ # TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+
+ "net.ipv6.conf.enp42s0.disable_ipv6" = true;
+ "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
+ "net.ipv6.conf.tun0.disable_ipv6" = true;
+ };
 kernelParams = [
 "nvidia-drm.fbdev=1"
 "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
+ "usbcore.autosuspend=-1"
+ "iommu=pt"
+ "threadirqs"
+ "btusb"
+ "amd_iommu=on"
+ "luks.options=timeout=0"
+ "rd.luks.options=timeout=0"
 ];
 };
 } |