fuji: harden the system

fuji/configuration.nix

@@ -98,6 +98,19 @@ in
       "net.core.default_qdisc" = "fq";
       "net.ipv4.tcp_congestion_control" = "bbr";
       "kernel.unprivileged_userns_clone" = "1"; /* Needed with harderned kernel */
+      "kernel.kptr_restrict" = 2;
+      "kernel.dmesg_restrict" = 1;
+      "kernel.kexec_load_disabled" = 1;
+      "kernel.yama.ptrace_scope" = 1;
+      "net.ipv4.conf.all.rp_filter" = 1;
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.all.log_martians" = 1;
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
     };
     loader.efi.canTouchEfiVariables = true;
     loader.systemd-boot = {
@@ -116,6 +129,7 @@ in
     rtkit.enable = true;
     allowSimultaneousMultithreading = true;
     sudo.enable = true;
+    sudo.execWheelOnly = true;
     doas.enable = true;
     doas.extraRules = [
       {
@@ -124,6 +138,10 @@ in
         persist = true;
       }
     ];
+    apparmor = {
+      enable = true;
+      killUnconfinedConfinables = true;
+    };
   };
 
   powerManagement = {
@@ -134,6 +152,7 @@ in
     nftables.enable = true;
     firewall = {
       enable = true;
+      logRefusedConnections = true;
       allowedTCPPorts = [
         80
         443