Compare commits
2 commits
c51676a560
...
39d2352bbc
Author | SHA1 | Date | |
---|---|---|---|
Yureka | 39d2352bbc | ||
Yureka | a7d21e96a0 |
|
@ -21,4 +21,10 @@
|
||||||
dates = "daily";
|
dates = "daily";
|
||||||
options = "--delete-older-than 30d";
|
options = "--delete-older-than 30d";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
"panic=30" "boot.panic_on_fail"
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,5 +5,6 @@
|
||||||
./raito-proxy-aware-nginx.nix
|
./raito-proxy-aware-nginx.nix
|
||||||
./base-server.nix
|
./base-server.nix
|
||||||
./sysadmin
|
./sysadmin
|
||||||
|
./hardening.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
23
common/hardening.nix
Normal file
23
common/hardening.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
nix.settings.allowed-users = [ "root" ];
|
||||||
|
|
||||||
|
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
|
||||||
|
"/proc".options = [ "hidepid=2" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
settings.PasswordAuthentication = false;
|
||||||
|
settings.KbdInteractiveAuthentication = false;
|
||||||
|
|
||||||
|
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
|
||||||
|
authorizedKeysFiles = lib.mkForce [
|
||||||
|
"/etc/ssh/authorized_keys.d/%u"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.mutableUsers = false;
|
||||||
|
}
|
Loading…
Reference in a new issue