Compare commits


6 commits

Author SHA1 Message Date
Yureka 45d4feed49 general quality of life improvements 2024-07-10 01:09:40 +02:00
Yureka 4c5ac2fa0e add global hardening options 2024-07-10 01:09:40 +02:00
Pierre Bourdon afaf49eb97
secrets: rekey 2024-07-10 01:05:05 +02:00
Pierre Bourdon bc8ef7b5fc
ssh-keys: remove raito's key which is too NSA'd for agenix 2024-07-10 01:04:48 +02:00
Pierre Bourdon 61e8048445
sysadmin: remove pwru, does not build on latest nixpkgs 2024-07-10 01:01:27 +02:00
Pierre Bourdon 2ebb0e82e8
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9693852a2070b398ee123a329e68f0dab5526681' (2024-06-22)
  → 'github:NixOS/nixpkgs/ab82a9612aa45284d4adf69ee81871a389669a9e' (2024-07-07)
2024-07-10 01:01:17 +02:00
14 changed files with 111 additions and 32 deletions


@ -21,4 +21,10 @@
dates = "daily"; dates = "daily";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
services.journald.extraConfig = "SystemMaxUse=512M";
boot.kernelParams = [
"panic=30" "boot.panic_on_fail"
];
} }
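Review bot: The new `boot.kernelParams` entries carry no comment, and `boot.panic_on_fail` changes failure behaviour in a non-obvious way: it makes the NixOS stage-1 init panic instead of dropping to an interactive rescue shell on the console, and `panic=30` then reboots the machine after 30 seconds, so a broken boot on an unattended server no longer leaves a root shell waiting at the console. Suggest a comment above the list such as `# Never leave an interactive stage-1 rescue shell on a broken boot (unattended servers): panic instead and reboot after 30 s.` The `nix.gc` block that the first context lines belong to starts outside the hunk, and the enclosing module closes at its last line. A one-line comment on `services.journald.extraConfig` stating that the 512M cap is deliberate (rather than journald's percentage-of-filesystem default) would also make the intent clear.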


@ -5,5 +5,6 @@
./raito-proxy-aware-nginx.nix ./raito-proxy-aware-nginx.nix
./base-server.nix ./base-server.nix
./sysadmin ./sysadmin
./hardening.nix
]; ];
} }

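--- /dev/null
+++ b/common/hardening.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+{
+nix.settings.allowed-users = [ "root" ];
+boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
+"/proc".options = [ "hidepid=2" ];
+};
+boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
+services.openssh = {
+settings.PasswordAuthentication = false;
+settings.KbdInteractiveAuthentication = false;
+# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
+authorizedKeysFiles = lib.mkForce [
+"/etc/ssh/authorized_keys.d/%u"
+];
+};
+users.mutableUsers = false;
+}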
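Review bot: The `hidepid=2` mount option is silently dropped whenever `security.polkit.enable` or `security.rtkit.enable` is true, so a host that later pulls in polkit through some unrelated service loses this protection with no trace in the build; consider surfacing it, e.g. `warnings = lib.optional (config.security.polkit.enable || config.security.rtkit.enable) "hardening.nix: /proc hidepid=2 disabled because polkit or rtkit is enabled";`. A short header comment would also help since this module is imported unconditionally from common: state that `allowed-users = [ "root" ]` blocks every non-root account from talking to the Nix daemon, and that `users.mutableUsers = false` combined with the forced `authorizedKeysFiles` means an account without a declared password hash or declared SSH keys has effectively no interactive login path. The comment above `authorizedKeysFiles` runs well past 100 columns; wrapping it onto two lines would match the rest of the file.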


@ -26,7 +26,6 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
]; ];
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ]; k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ]; maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];


@ -22,6 +22,6 @@ in
ncdu ncdu
# Useful to invoke `coredumpctl gdb` # Useful to invoke `coredumpctl gdb`
gdb gdb
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru; ];
}; };
} }


@ -267,11 +267,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719082008, "lastModified": 1720368505,
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=", "narHash": "sha256-5r0pInVo5d6Enti0YwUSQK4TebITypB42bWy5su3MrQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9693852a2070b398ee123a329e68f0dab5526681", "rev": "ab82a9612aa45284d4adf69ee81871a389669a9e",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,7 +1,20 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 j2r2qQ Xl0fSOuF0xNTJrtVGdRLRIszd15LFrG5KCFNvSBK4Go -> ssh-ed25519 j2r2qQ qI/dlkHZYcNkCVgZbxpw5Ps2anl8pofaFPi4p6kOHAo
qSEMBBw90jz4j8elpoUeyS4CTLBhZtNDhLNigesJq+0 KWL+H9at/p/AfCjfO8+SgMhn97F+DqLO2ymYUOHkWjQ
-> ssh-ed25519 K3b7BA cKI0twKiuuTKv1Js4jqt5v8cOqpxEMY9dmVghgJtbzw -> ssh-ed25519 K3b7BA URYQ0jFY5yHS+dodR1RqodNWrrXkMnzTp5OCSv1gbWI
K5o31XP/nLsswsrMaxnIzCXVUtJqmJWoFglWFsV7+AQ bnyrPvWnzDRNh4mI5HBPkNl3NSZE1ycMK3LLExMEYbo
--- X8pvqCHeCQ0LjzcjIHThkqp6YeOOT8dBMLuktgdgeY4 -> ssh-ed25519 +qVung z8e56tCZ4TLkrX7BfH+5RrGxGoT3q9V1FB/ySsH3tg4
sZÓ¸ŠíØ[þ²X<C2B2>“¡èÅ®Š5°=÷6)ÇT¿Q†N{•x³I1ƒ!ÓÜøB ƒzš*×íåL~K jIpEEVF8jCp/ks5eYXh3O7+TLidvzYsnBRFd3LkgLXw
-> ssh-rsa krWCLQ
XG8KKBT/hEvB+c1RDGUrDR4HrfAertfOIzQTquMQ+Z3Nde3Ybxf8W+rWGQDErbq4
VlvC/wVVnGnqgE/tJMQP41sCMKSH61MPyiNZC63g4RW9e2H9YQfWWrnuBh668G+3
3sE0FSdIAB+UlI2jlbMiG60QaT6zV0XyOrugLX/G2R+D4aXYIVvMtcwYq2oIHy58
1DE5llUZHGsQ8APXZle7ZGyO48ELOQkVn8ozPlPFhvz2y9srgBZvNL/wadjvLstv
2vBTBoRk8HnTLOiybAnGtOfK6kWUMdfSYMvhu0IM8UBSoxwxOHTfIttKDu2ZMB8g
c/RnKbV2z0PBdXVrYuijPg
-> ssh-ed25519 /vwQcQ qinzScNz0IFoHUaCeGXne6ddllQ0dA/TJr5Z/nbfvTQ
0YpTZ2Z2WwN0sJ1CIV8voPS298u9uHbRQMlV0GMrvFI
-> ssh-ed25519 0R97PA en5iGTQoH0/QJKl38HNe4xun/FxVBIun7Z23mBW+4XE
Sjshx8hLyP4iY40y/Fehc0wZTBH0d1Lu+auX8L5n28s
--- i5+vCeWbFTRR2YbIX4lwbEORRhaI5NkCwqaMEJqrPEs
ÿ\ìƒF·Ri±ñXa,.øÝoªârçhE0=$ÇuGa/oÑÑÆÂiíf¥•x¦Óš?Ðg¹CiÉ

Binary file not shown.

Binary file not shown.


@ -1,9 +1,20 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 j2r2qQ w0lLquFUUcmEZ/Fh1YSt85tAJkBwavORQbwMr7gMqF4 -> ssh-ed25519 j2r2qQ JzVKQt25f18L96aJWsJtFAR4mvMVCgYMKu/xtJ1BeDw
J4T+EHm1uHbCZkAUNoNcB9uGSz082mFL8+dkCnvYQnM vj+HpNQCNNxDRA+7HgjiD0XlGG/Yy+tk8KmszMkxdag
-> ssh-ed25519 K3b7BA 28bJZgBPPc2KIE5+b8LJuQ5L4YAiRAJzucEuOqXHdVM -> ssh-ed25519 K3b7BA judlH57lGOGmaTEG19gYiORJT9uXiAlxZrP+ISTHDT4
7hKENFr8QX0jpwuuQEjGFrUywJuhL1Tdi2V4/gR8JWE MS7e24A6rEMUtUUl8DlYXPy9NhqAq4buOWT0iYKvbSY
--- GSPZxz39TMMWv0qhotNgnXa5679Q7VK8JGjQjI7A8oM -> ssh-ed25519 +qVung vglRR5LYFZw8v6zRhybGPBctwDgYoskbpGYiLNW9qxM
J˛\@F“N• łĺ2®ô¨w×!Ż1Vf»§<C2BB>Ž·ŢO˛CÓw®®V°ŁšĚş.^݆ w‡n4äŕdW-Öľ"@0¨úąEĎż·°ck,]M}xŤřĚťˇŰy°[×ÁJ:!č‘ !ř螀c¬ VdjQTykQSVWubGimCHiekQX7EQdgOB3PYsRHiFnpPkg
BëąR -> ssh-rsa krWCLQ
nřę€ţŔáĆ^9í¤M<ú hLYT6U+dUVuicVO8hSw4KcfkM9bay4JR3TEWGlmmIxcQ67LNggzuyRvV6U2yfucg
Xyxezdd9LArf8z1eV/y3iwsY0PvK9qwtgpgH/NxaF7djhTA8+c3c3a6w4sqdHn0m
/RZU+eKSFeDWII7fn6o7JxzITFhF1FYH6PJYA2cb3PvbPw/JSja8EVZ7192ShqGW
22TThbZmmKoOPbmDxmQIygZTxqyaXkoFOnTWqqTzOfNtBOBFXT+cIFh3ctGWLw79
u7O5c2dmpXoE0bdndQ7GUSPrgRzOYHQ5hLg8WtC56EYjE11Bxj88fktzw4hZTbYQ
jrS8Pa68UPhUmSfutlpd4A
-> ssh-ed25519 /vwQcQ MqdVxRlS+EMA3f6B0D6m2ylvCE7WVq1av/CvsNVAB24
KX8RJ1bzUUhsYW6qN06FTzis5i13IIoIpUb5FkW9wkw
-> ssh-ed25519 0R97PA RHUvc9XQIxOW0GCyt0vRxPHyVXlpqM9gaUps4q/Grx8
bxgFxtbtbvDi9knzasdR7u33Mb7x7LcBzqEB/g4Oc4A
--- Z175YCdbPBBSItxomyXPSo6xILLV4GT4gpA4Oxz9qgo
EìVÀõ±ž™êÞ<EFBFBD>Ú¾¾Ó¦xYÊqšÑ84™6¦¯&Ö‘ï<13>·”ž„Ý!óZmëû°¤Ãd.à™46ÅÈ·ØËòø/<2F>´<EFBFBD>=°ß܈'hM³_ü£j >ªÑ6ãR<>·u²þŸøEùÜ^8c;×Ä›¶:Q1Ü)ú1L¹_~,<2C>K¥ÞÃîôµB¤7


@ -1,7 +1,20 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 j2r2qQ nLWy3WcVJWCl3rXkhcSbp1joqmkk06QnxhCZ4UtSvmw -> ssh-ed25519 j2r2qQ n1lfxDP73nfF/CYtE4gpUH6YgjAQbx/2TTuyfFUBiHQ
iQ+Hx/vhiFgkWfbxHwGjxMBEqzyGww4/9do3W7V/y1Y LGzudpjsYA92pM0UpUT9CWZD+e+rzGFP4ndxPE0MByo
-> ssh-ed25519 K3b7BA RkF2ADcjOGtivl9MrhO/HFwxlTAkbFHWL3iinUldMiM -> ssh-ed25519 K3b7BA NRnnKaOtdtIjkRdam5vAA9Yj1RUJRReugWKRglWAoQ4
7q/zdVTMLevukZjkHtcN88iYzfTLvq2s3QdkgsFSO9M Xprx5TSU1rNH7NMl0X07K1KexCVXMEu7BFxbiPwxvBY
--- 1b2HiK06vJPqBgHVDD0QELOtfkl7/rlgGS9uI1mSbus -> ssh-ed25519 +qVung qZsGi4JqgpHrjlg2VdY+OhXb0BzYTytBBqY3jNsrSgU
„uܧoL;őĺ¬" 4¦Ű»ZĽ<5A>@§öă<C3B6>Đ3+93Q4óÄ o•ŚŘwé“„6ŤM-˛DkJn´;ń*g <0A>Yś75ËSň)Ů°© GgvQG5iMd6XTZRCC3EBBvqF7nhkqAJmxdIkCFRV46Ok
-> ssh-rsa krWCLQ
EkmY8uc79xWfKjlIozS4Yigorz9IdK8T8VjMnVcJN6+rhoRctQNVCj4JgogY4wa0
V3ObjoRPZgVU3qPmkPgIKVa2Mvf6MrCMwvvE4j2Yyy6lmQEwFdvk4s2c6AD6T8Bf
rktRYqOcFavuDr348e0ZzKniFTRcPMcY49mqBR/mWIfSEtLxBgpFUCn6f40PLndT
3dse7kgRBlrKbzmf6JIsITHejqwDRq2bZqHWAmZhb6+ske7oDicAt90FDoDbrwvd
YwXPRDCxgATlNz8n/xFUxd35X+zEftUUtANSGtihIE4LcdsO7IOwv/FCjdEn/3YW
ZtQjphnxgDsY61PEFCMnYg
-> ssh-ed25519 /vwQcQ DKQuo5jVunUFTCbOxVV57Xl6q+DDOVDWXdon/lZlLi0
doN6en8IK4Ju0uATp+IZAhYl1tvdnfyxHziSobb1ER4
-> ssh-ed25519 0R97PA I1GECXSPagJ5kD7CeVA21TQmpMEgLeaiB7XYEomUl2U
d0kO+4SkAPC/ois39SZafEhTqvmDpCZbWTUU1aUZ47o
--- 555iE+C2kDLIdAJ5KARyKcBQZSDRWASuzcNiKZ9IbRI
òeÕceV&˜ßà‰g˜óáÔÄýæ6•=6!õC<C3B5>Cˆû^»âÕèí€zÕ§®(Ó<>!ÄB•B|ô<>ï° Ú'¿Rªîž†_a Ut3

Binary file not shown.

Binary file not shown.


@ -1,8 +1,21 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 j2r2qQ ryGcgO1/XLIyQ7Ry+ve0PGnyRMHknhK5xGdKGwY9U1Y -> ssh-ed25519 j2r2qQ 8qMRxnJL5p7M7Egtim/MZQTx0Z55dK1VKbR1drFkMRk
SvKOCTDDt5BbFcfpFHACX4aRGXxgVBsdR07LZ48o8IE q7AWFD4wg4eEIoPzPY3gmPNt9vSPv9s1TII2R0a4QoA
-> ssh-ed25519 K3b7BA qqac4R3OjiUYoubVXStrOjDHQMb5URY48NZvFf8JPAU -> ssh-ed25519 K3b7BA tZtpUP6oDvY28vaLwzlLwlv/QQaDmbuwdPRvs2j3yxM
FlonuMkY2hr3XQ31toHlX7H1syxj/jWhtheaBpyEM80 gnJPbdLJML4MldoJTwsR/93ioOId53IvuSnpQwqmYoY
--- zJCZzU6v0LlnEsyeUf0dHdMS84N9FkaXvIym9K0et40 -> ssh-ed25519 +qVung fYyGsDgnf2wO4NZ+zOeiWWu3wLe001xHgZatXvVd60w
>*»«ş\OŻ¦Ó÷ŕk.´ćĂĚ8:´˝Ďń\Xăe7µQYě*,ŻĄâKlD{Ő}}ŮÝ*â[c_ďF#ód>…Yîn±Oód€6”Đ ™ć»öPfM‰"A\ىX3ÇđĚ ˝$÷=ZĆŐx“WöÁsËďďüÖLR?KŽé¬ŐLµO#Łű»—Ľ-€ĽëĆ˙~ Kxs9u1EZbP/abuBev0u9f8keraKibvoVDHqYvvbZJOA
=©Ţ•‰ř±ň<16>h[Ëâ*Ţ “óÓGkç}4…ek°Éň2ţ*‰Vr´ß¬ńgUMĹMyă;ĚĎ„<C48E> Mş^<03>PÚÚ92µÎçTęąćZŇ)¦l5yO§ŃÇW -> ssh-rsa krWCLQ
dGijkGbcpWqNgrsYSXGEYgLJadgf2imVRDZpMpR2SNqKeBgvIRSriwQQSUCnntZB
pwul5dzZ9okr16xrghK66tCizBWwvfHtyACAFcI0xyCEf20Ydm1pbarSibK9RDb3
JwJdvUor370sTkuWagBzM3+cfpeO8HhxEu46tNG1RP2EtEkdSXQ8056g7TrSUQt/
XI385S5/WuurmBVlZuVTBXVsvGYU4OBAIlrYiym4loaSOGJMUCK8MZMfg+3w+RXW
fScsZ0VS1eB4DkAiJEptJlesrpHPOegq+HyczxGAp0z7mcO0ffZBOrKzBQB7fsdV
sn0R1gKpx9y9T6VE/uJ4Tg
-> ssh-ed25519 /vwQcQ mUHdSEXaTCrk2Nq/OPoo/3i8jXZfLbUBZewg6rwvdGQ
7wxUPlQqkZXNo6zhqd/niQDUZWrKVzgWWkUPcW/ueds
-> ssh-ed25519 0R97PA nuM2B10VwPti+CBybZzBGLzo7SM9lHgKAM1CZj4U8iY
3tfc6NC/D+lPPk5Fk6tDWbc15m4Eo/sI4WGTC33zQAc
--- efqcGqHksXsmGOFOwC+0UcYtUk+FuiGt4PHkHFzQ4OQ
ˆ 3᫬ÒÊSâj´;…Dæ©æÄ6¾±R˜˜ƒmÄ +þÃc<07>˜ÞU¶WÅÐSü<53>yï!yÁËlwÅ ¼˜u3ÏõBb‰nloò q êÏTÑÙñ&é•.ªpš4‰¢‰¸<>ËÎÔÞ€Ï Ù‚ÃòˆF¸¤$<13>§‰&
<Ix¹LWy3çÔñqvbspêÐŽX²LÙob‡,-ÜJÌñ¯GÒ³À6çéó“°û1¼s_rÆþgŒ7%×]÷»Œqž‡×V¤*ï`«‹ê\Æ̽tLpöÞf