forked from the-distro/infra
add global hardening options
This commit is contained in:
parent
664fa033aa
commit
3dd46c665a
|
@ -5,5 +5,6 @@
|
|||
./raito-proxy-aware-nginx.nix
|
||||
./base-server.nix
|
||||
./sysadmin
|
||||
./hardening.nix
|
||||
];
|
||||
}
|
||||
|
|
23
common/hardening.nix
Normal file
23
common/hardening.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
nix.settings.allowed-users = [ "root" ];
|
||||
|
||||
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
|
||||
"/proc".options = [ "hidepid=2" ];
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
|
||||
|
||||
services.openssh = {
|
||||
settings.PasswordAuthentication = false;
|
||||
settings.KbdInteractiveAuthentication = false;
|
||||
|
||||
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
|
||||
authorizedKeysFiles = lib.mkForce [
|
||||
"/etc/ssh/authorized_keys.d/%u"
|
||||
];
|
||||
};
|
||||
|
||||
users.mutableUsers = false;
|
||||
}
|
Loading…
Reference in a new issue