Compare commits

...

2 commits

Author SHA1 Message Date
Yureka e80df3aef1 general quality of life improvements 2024-07-10 01:05:15 +02:00
Yureka 3dd46c665a add global hardening options 2024-07-10 01:05:15 +02:00
3 changed files with 30 additions and 0 deletions

View file

@ -21,4 +21,10 @@
dates = "daily"; dates = "daily";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
services.journald.extraConfig = "SystemMaxUse=512M";
boot.kernelParams = [
"panic=30" "boot.panic_on_fail"
];
} }

View file

@ -5,5 +5,6 @@
./raito-proxy-aware-nginx.nix ./raito-proxy-aware-nginx.nix
./base-server.nix ./base-server.nix
./sysadmin ./sysadmin
./hardening.nix
]; ];
} }

23
common/hardening.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, ... }:
{
nix.settings.allowed-users = [ "root" ];
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
"/proc".options = [ "hidepid=2" ];
};
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
services.openssh = {
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
authorizedKeysFiles = lib.mkForce [
"/etc/ssh/authorized_keys.d/%u"
];
};
users.mutableUsers = false;
}