forked from the-distro/infra
Compare commits
6 commits
e80df3aef1
...
45d4feed49
Author | SHA1 | Date | |
---|---|---|---|
Yureka | 45d4feed49 | ||
Yureka | 4c5ac2fa0e | ||
Pierre Bourdon | afaf49eb97 | ||
Pierre Bourdon | bc8ef7b5fc | ||
Pierre Bourdon | 61e8048445 | ||
Pierre Bourdon | 2ebb0e82e8 |
|
@ -21,4 +21,10 @@
|
|||
dates = "daily";
|
||||
options = "--delete-older-than 30d";
|
||||
};
|
||||
|
||||
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||
|
||||
boot.kernelParams = [
|
||||
"panic=30" "boot.panic_on_fail"
|
||||
];
|
||||
}
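Review bot: The `SystemMaxUse=512M` journal cap bounds how far back sshd, sudo and service logs reach on each host, and nothing in this hunk shows them being forwarded elsewhere, so one noisy unit can push out the records an investigation would need. If off-host log shipping lives in another module, a comment such as `# journal is capped locally; long-term retention is handled by <LOG_FORWARDING_MODULE>` would record that; otherwise consider a larger cap or an explicit retention policy. The `"panic=30" "boot.panic_on_fail"` pair also deserves a one-line comment saying that a failed boot now reboots after 30 seconds instead of stopping at an emergency shell, because a persistent stage-1 failure will then show up as a reboot loop. Which of the ten lines are new is inferred from the `-21,4 +21,10` header, since the `+`/`-` markers are missing on this page.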
|
||||
|
|
|
@ -5,5 +5,6 @@
|
|||
./raito-proxy-aware-nginx.nix
|
||||
./base-server.nix
|
||||
./sysadmin
|
||||
./hardening.nix
|
||||
];
|
||||
}
|
||||
|
|
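--- a/common/hardening.nix
+++ b/common/hardening.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+{
+nix.settings.allowed-users = [ "root" ];
+
+boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
+"/proc".options = [ "hidepid=2" ];
+};
+
+boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
+
+services.openssh = {
+settings.PasswordAuthentication = false;
+settings.KbdInteractiveAuthentication = false;
+
+# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
+authorizedKeysFiles = lib.mkForce [
+"/etc/ssh/authorized_keys.d/%u"
+];
+};
+
+users.mutableUsers = false;
+}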
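Review bot: `hidepid=2` is set on `/proc` without a `gid=` exemption, and the `lib.mkIf` guard only covers rtkit and polkit, so any other unprivileged service that reads other processes' `/proc` entries (a metrics exporter or process monitor, for example) would quietly see an empty process list on every host importing this module. Consider an exemption group, e.g. `"/proc".options = [ "hidepid=2" "gid=<PROC_READERS_GID>" ];`, or a comment listing the services that were checked against this setting. Separately, the `lib.mkForce` on `authorizedKeysFiles` also discards paths contributed by other modules, so a service account whose keys are written at runtime to its own `~/.ssh/authorized_keys` would lose SSH access. The existing comment could name that consequence so the failure is recognisable when it happens.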
@ -26,7 +26,6 @@
|
|||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
|
||||
];
|
||||
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
||||
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
||||
|
|
|
@ -22,6 +22,6 @@ in
|
|||
ncdu
|
||||
# Useful to invoke `coredumpctl gdb`
|
||||
gdb
|
||||
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -267,11 +267,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1719082008,
|
||||
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
|
||||
"lastModified": 1720368505,
|
||||
"narHash": "sha256-5r0pInVo5d6Enti0YwUSQK4TebITypB42bWy5su3MrQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
|
||||
"rev": "ab82a9612aa45284d4adf69ee81871a389669a9e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -1,7 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ Xl0fSOuF0xNTJrtVGdRLRIszd15LFrG5KCFNvSBK4Go
|
||||
qSEMBBw90jz4j8elpoUeyS4CTLBhZtNDhLNigesJq+0
|
||||
-> ssh-ed25519 K3b7BA cKI0twKiuuTKv1Js4jqt5v8cOqpxEMY9dmVghgJtbzw
|
||||
K5o31XP/nLsswsrMaxnIzCXVUtJqmJWoFglWFsV7+AQ
|
||||
--- X8pvqCHeCQ0LjzcjIHThkqp6YeOOT8dBMLuktgdgeY4
|
||||
sZÓ¸ŠíØ[þ²X<C2B2>“¡èÅ®Š5°=÷6)ÇT¿Q†‘N{•x³I1ƒ!Ó–ÜøB
ƒzš*×íåL~K
|
||||
-> ssh-ed25519 j2r2qQ qI/dlkHZYcNkCVgZbxpw5Ps2anl8pofaFPi4p6kOHAo
|
||||
KWL+H9at/p/AfCjfO8+SgMhn97F+DqLO2ymYUOHkWjQ
|
||||
-> ssh-ed25519 K3b7BA URYQ0jFY5yHS+dodR1RqodNWrrXkMnzTp5OCSv1gbWI
|
||||
bnyrPvWnzDRNh4mI5HBPkNl3NSZE1ycMK3LLExMEYbo
|
||||
-> ssh-ed25519 +qVung z8e56tCZ4TLkrX7BfH+5RrGxGoT3q9V1FB/ySsH3tg4
|
||||
jIpEEVF8jCp/ks5eYXh3O7+TLidvzYsnBRFd3LkgLXw
|
||||
-> ssh-rsa krWCLQ
|
||||
XG8KKBT/hEvB+c1RDGUrDR4HrfAertfOIzQTquMQ+Z3Nde3Ybxf8W+rWGQDErbq4
|
||||
VlvC/wVVnGnqgE/tJMQP41sCMKSH61MPyiNZC63g4RW9e2H9YQfWWrnuBh668G+3
|
||||
3sE0FSdIAB+UlI2jlbMiG60QaT6zV0XyOrugLX/G2R+D4aXYIVvMtcwYq2oIHy58
|
||||
1DE5llUZHGsQ8APXZle7ZGyO48ELOQkVn8ozPlPFhvz2y9srgBZvNL/wadjvLstv
|
||||
2vBTBoRk8HnTLOiybAnGtOfK6kWUMdfSYMvhu0IM8UBSoxwxOHTfIttKDu2ZMB8g
|
||||
c/RnKbV2z0PBdXVrYuijPg
|
||||
-> ssh-ed25519 /vwQcQ qinzScNz0IFoHUaCeGXne6ddllQ0dA/TJr5Z/nbfvTQ
|
||||
0YpTZ2Z2WwN0sJ1CIV8voPS298u9uHbRQMlV0GMrvFI
|
||||
-> ssh-ed25519 0R97PA en5iGTQoH0/QJKl38HNe4xun/FxVBIun7Z23mBW+4XE
|
||||
Sjshx8hLyP4iY40y/Fehc0wZTBH0d1Lu+auX8L5n28s
|
||||
--- i5+vCeWbFTRR2YbIX4lwbEORRhaI5NkCwqaMEJqrPEs
|
||||
ÿ\ìƒF·Ri±ñXa,.øÝoªâr›çhE0=$Ç‚uGa/oÑÑÆÂiíf¥•x¦Óš?Ðg¹CiÉ
|
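Review bot: Judging by the `-1,7 +1,20` header, this secret goes from two recipient stanzas to six (five `ssh-ed25519`, one `ssh-rsa`), which widens who can decrypt it, yet the recipient list that drove the rekey is not part of this comparison and cannot be checked against the stanzas. The later `age-encryption.org/v1` sections on this page show the same expansion. It would help to review the recipients definition alongside these files and to confirm that each new tag (`+qVung`, `krWCLQ`, `/vwQcQ`, `0R97PA`) maps to an intended host or administrator key. Re-encrypting also revokes nothing: if the line dropped in the `-26,7 +26,6` key-list hunk removes someone's access, the secret values themselves need rotating, because the older ciphertext stays in Git history.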
Binary file not shown.
Binary file not shown.
|
@ -1,9 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ w0lLquFUUcmEZ/Fh1YSt85tAJkBwavORQbwMr7gMqF4
|
||||
J4T+EHm1uHbCZkAUNoNcB9uGSz082mFL8+dkCnvYQnM
|
||||
-> ssh-ed25519 K3b7BA 28bJZgBPPc2KIE5+b8LJuQ5L4YAiRAJzucEuOqXHdVM
|
||||
7hKENFr8QX0jpwuuQEjGFrUywJuhL1Tdi2V4/gR8JWE
|
||||
--- GSPZxz39TMMWv0qhotNgnXa5679Q7VK8JGjQjI7A8oM
|
||||
J˛\@F“N• łĺ…2‹®ô¨w×!Ż1Vf»§<C2BB>Ž·’ŢO˛CÓw®®V°ŁšĚş.^݆ 7Ťw‡n4äŕdW-Öľ"@0¨úąEĎż·°ck,]M}xŤřĚťˇŰy°[×ÁJ:!č‘ !ř螀c¬
|
||||
BëąR
|
||||
nřę€ţŔáĆ^9í¤–M<ú
|
||||
-> ssh-ed25519 j2r2qQ JzVKQt25f18L96aJWsJtFAR4mvMVCgYMKu/xtJ1BeDw
|
||||
vj+HpNQCNNxDRA+7HgjiD0XlGG/Yy+tk8KmszMkxdag
|
||||
-> ssh-ed25519 K3b7BA judlH57lGOGmaTEG19gYiORJT9uXiAlxZrP+ISTHDT4
|
||||
MS7e24A6rEMUtUUl8DlYXPy9NhqAq4buOWT0iYKvbSY
|
||||
-> ssh-ed25519 +qVung vglRR5LYFZw8v6zRhybGPBctwDgYoskbpGYiLNW9qxM
|
||||
VdjQTykQSVWubGimCHiekQX7EQdgOB3PYsRHiFnpPkg
|
||||
-> ssh-rsa krWCLQ
|
||||
hLYT6U+dUVuicVO8hSw4KcfkM9bay4JR3TEWGlmmIxcQ67LNggzuyRvV6U2yfucg
|
||||
Xyxezdd9LArf8z1eV/y3iwsY0PvK9qwtgpgH/NxaF7djhTA8+c3c3a6w4sqdHn0m
|
||||
/RZU+eKSFeDWII7fn6o7JxzITFhF1FYH6PJYA2cb3PvbPw/JSja8EVZ7192ShqGW
|
||||
22TThbZmmKoOPbmDxmQIygZTxqyaXkoFOnTWqqTzOfNtBOBFXT+cIFh3ctGWLw79
|
||||
u7O5c2dmpXoE0bdndQ7GUSPrgRzOYHQ5hLg8WtC56EYjE11Bxj88fktzw4hZTbYQ
|
||||
jrS8Pa68UPhUmSfutlpd4A
|
||||
-> ssh-ed25519 /vwQcQ MqdVxRlS+EMA3f6B0D6m2ylvCE7WVq1av/CvsNVAB24
|
||||
KX8RJ1bzUUhsYW6qN06FTzis5i13IIoIpUb5FkW9wkw
|
||||
-> ssh-ed25519 0R97PA RHUvc9XQIxOW0GCyt0vRxPHyVXlpqM9gaUps4q/Grx8
|
||||
bxgFxtbtbvDi9knzasdR7u33Mb7x7LcBzqEB/g4Oc4A
|
||||
--- Z175YCdbPBBSItxomyXPSo6xILLV4GT4gpA4Oxz9qgo
|
||||
EìVÀõ±ž™êÞ<EFBFBD>Ú¾¾Ó¦xYÊqšÑ84™6¦¯&Ö‘ï<13>·”ž„Ý!óZmëû°¤Ãd.à™46ÅÈ·ØËòø/<2F>´<EFBFBD>=°ß܈'hM³_ü£j
>ªÑ6ãR<>&Ú·u²þŸøEùÜ^8c;×Ä›¶:Q1Ü)ú1L¹_~,<2C>K¥ÞÃîôµB¤7–
|
|
@ -1,7 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ nLWy3WcVJWCl3rXkhcSbp1joqmkk06QnxhCZ4UtSvmw
|
||||
iQ+Hx/vhiFgkWfbxHwGjxMBEqzyGww4/9do3W7V/y1Y
|
||||
-> ssh-ed25519 K3b7BA RkF2ADcjOGtivl9MrhO/HFwxlTAkbFHWL3iinUldMiM
|
||||
7q/zdVTMLevukZjkHtcN88iYzfTLvq2s3QdkgsFSO9M
|
||||
--- 1b2HiK06vJPqBgHVDD0QELOtfkl7/rlgGS9uI1mSbus
|
||||
„uܧoL;őĺ¬"
4¦Ű»ZĽ<5A>@§öă<C3B6>Đ’3+93Q4óÄ o•ŚŘwé“„6ŤM-˛DkJn´;ń*g
<0A>OŰYś75ËSň)Ů°©
|
||||
-> ssh-ed25519 j2r2qQ n1lfxDP73nfF/CYtE4gpUH6YgjAQbx/2TTuyfFUBiHQ
|
||||
LGzudpjsYA92pM0UpUT9CWZD+e+rzGFP4ndxPE0MByo
|
||||
-> ssh-ed25519 K3b7BA NRnnKaOtdtIjkRdam5vAA9Yj1RUJRReugWKRglWAoQ4
|
||||
Xprx5TSU1rNH7NMl0X07K1KexCVXMEu7BFxbiPwxvBY
|
||||
-> ssh-ed25519 +qVung qZsGi4JqgpHrjlg2VdY+OhXb0BzYTytBBqY3jNsrSgU
|
||||
GgvQG5iMd6XTZRCC3EBBvqF7nhkqAJmxdIkCFRV46Ok
|
||||
-> ssh-rsa krWCLQ
|
||||
EkmY8uc79xWfKjlIozS4Yigorz9IdK8T8VjMnVcJN6+rhoRctQNVCj4JgogY4wa0
|
||||
V3ObjoRPZgVU3qPmkPgIKVa2Mvf6MrCMwvvE4j2Yyy6lmQEwFdvk4s2c6AD6T8Bf
|
||||
rktRYqOcFavuDr348e0ZzKniFTRcPMcY49mqBR/mWIfSEtLxBgpFUCn6f40PLndT
|
||||
3dse7kgRBlrKbzmf6JIsITHejqwDRq2bZqHWAmZhb6+ske7oDicAt90FDoDbrwvd
|
||||
YwXPRDCxgATlNz8n/xFUxd35X+zEftUUtANSGtihIE4LcdsO7IOwv/FCjdEn/3YW
|
||||
ZtQjphnxgDsY61PEFCMnYg
|
||||
-> ssh-ed25519 /vwQcQ DKQuo5jVunUFTCbOxVV57Xl6q+DDOVDWXdon/lZlLi0
|
||||
doN6en8IK4Ju0uATp+IZAhYl1tvdnfyxHziSobb1ER4
|
||||
-> ssh-ed25519 0R97PA I1GECXSPagJ5kD7CeVA21TQmpMEgLeaiB7XYEomUl2U
|
||||
d0kO+4SkAPC/ois39SZafEhTqvmDpCZbWTUU1aUZ47o
|
||||
--- 555iE+C2kDLIdAJ5KARyKcBQZSDRWASuzcNiKZ9IbRI
|
||||
òeÕceV&˜ßà‰g˜óáÔÄýæ›6•=6!õC<C3B5>Cˆû^»âÕèí€zÕ§®(Ó<>!ÄB•B|ô<>ï°Ú'¿Rªîž†_a UtI³3
|
Binary file not shown.
Binary file not shown.
|
@ -1,8 +1,21 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ ryGcgO1/XLIyQ7Ry+ve0PGnyRMHknhK5xGdKGwY9U1Y
|
||||
SvKOCTDDt5BbFcfpFHACX4aRGXxgVBsdR07LZ48o8IE
|
||||
-> ssh-ed25519 K3b7BA qqac4R3OjiUYoubVXStrOjDHQMb5URY48NZvFf8JPAU
|
||||
FlonuMkY2hr3XQ31toHlX7H1syxj/jWhtheaBpyEM80
|
||||
--- zJCZzU6v0LlnEsyeUf0dHdMS84N9FkaXvIym9K0et40
|
||||
>*»«ş\OŻ¦Ó÷ŕk.´ćĂĚ8:´˝Ďń\Xăe7µQYě*,ŻĄâKlD{Ő}}ŮÝ*â[c_ďF#ód>…Yîn±Oód€6”Đ
™ć»öPfM‰"A\ىX3ÇđĚ˝$÷=ZĆŐx“W–öÁsËďďüÖLR?KŽé¬ŐLµO#Łű»—Ľ-€ĽëĆ˙~
|
||||
=©Ţ•‰ř±ň<16>h[Ëâ*Ţ
“óÓGkç}4…ek°Éň2ţ*‰Vr´ß¬ńgUMĹMyă‚;ĚĎ„<C48E>
Mş^<03>PÚÚ92µÎçTęąćZŇ)¦l5yO§ŃÇW
|
||||
-> ssh-ed25519 j2r2qQ 8qMRxnJL5p7M7Egtim/MZQTx0Z55dK1VKbR1drFkMRk
|
||||
q7AWFD4wg4eEIoPzPY3gmPNt9vSPv9s1TII2R0a4QoA
|
||||
-> ssh-ed25519 K3b7BA tZtpUP6oDvY28vaLwzlLwlv/QQaDmbuwdPRvs2j3yxM
|
||||
gnJPbdLJML4MldoJTwsR/93ioOId53IvuSnpQwqmYoY
|
||||
-> ssh-ed25519 +qVung fYyGsDgnf2wO4NZ+zOeiWWu3wLe001xHgZatXvVd60w
|
||||
Kxs9u1EZbP/abuBev0u9f8keraKibvoVDHqYvvbZJOA
|
||||
-> ssh-rsa krWCLQ
|
||||
dGijkGbcpWqNgrsYSXGEYgLJadgf2imVRDZpMpR2SNqKeBgvIRSriwQQSUCnntZB
|
||||
pwul5dzZ9okr16xrghK66tCizBWwvfHtyACAFcI0xyCEf20Ydm1pbarSibK9RDb3
|
||||
JwJdvUor370sTkuWagBzM3+cfpeO8HhxEu46tNG1RP2EtEkdSXQ8056g7TrSUQt/
|
||||
XI385S5/WuurmBVlZuVTBXVsvGYU4OBAIlrYiym4loaSOGJMUCK8MZMfg+3w+RXW
|
||||
fScsZ0VS1eB4DkAiJEptJlesrpHPOegq+HyczxGAp0z7mcO0ffZBOrKzBQB7fsdV
|
||||
sn0R1gKpx9y9T6VE/uJ4Tg
|
||||
-> ssh-ed25519 /vwQcQ mUHdSEXaTCrk2Nq/OPoo/3i8jXZfLbUBZewg6rwvdGQ
|
||||
7wxUPlQqkZXNo6zhqd/niQDUZWrKVzgWWkUPcW/ueds
|
||||
-> ssh-ed25519 0R97PA nuM2B10VwPti+CBybZzBGLzo7SM9lHgKAM1CZj4U8iY
|
||||
3tfc6NC/D+lPPk5Fk6tDWbc15m4Eo/sI4WGTC33zQAc
|
||||
--- efqcGqHksXsmGOFOwC+0UcYtUk+FuiGt4PHkHFzQ4OQ
|
||||
ˆ 3᫬ÒÊSâj´;…Dæ©æÄ6¾±R˜LݘƒmÄ+þÃc<07>˜ÞU¶WÅÐSü<53>yï!yÁËlwÅ ¼˜u3ÏõBb‰nloò q
êÏTÑÙñ&é•.ªpš4‰¢‰¸!ó<>ËÎÔÞ€ÏÙ‚Ãò’ˆCì‚F¸¤$<13>§‰&
|
||||
<Ix¹LWy3çÔñqvbspêÐŽX²LÙob‡,-ÜJÌñ¯G’Ò³À6çéó“°û1¼s_rÆþgŒ7%×]÷»Œqž‡×›AôV¤*ï`«‹ê\Æ̽tLpöi®Þf
|