refactor server security
This commit is contained in:
parent
304a1f7ce1
commit
5cda9a116c
5 changed files with 4 additions and 13 deletions
|
@ -3,7 +3,7 @@
|
|||
imports = [
|
||||
./brix-boot.nix
|
||||
./real-hardware.nix
|
||||
../security.nix
|
||||
../../server-security.nix
|
||||
../cli.nix
|
||||
../vpn.nix
|
||||
./restic-server.nix
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
imports = [
|
||||
./vultr-boot.nix
|
||||
../vpn.nix
|
||||
../security.nix
|
||||
../../server-security.nix
|
||||
../cli.nix
|
||||
./nginx.nix
|
||||
./search.nix
|
||||
|
|
|
@ -38,8 +38,6 @@
|
|||
|
||||
fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ];
|
||||
|
||||
services.haveged.enable = true;
|
||||
|
||||
nix = {
|
||||
autoOptimiseStore = true;
|
||||
daemonIONiceLevel = 7;
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
security.forcePageTableIsolation = true;
|
||||
security.virtualisation.flushL1DataCache = "always";
|
||||
security.apparmor.enable = true;
|
||||
services.haveged.enable = true;
|
||||
boot.kernelParams = [
|
||||
"page_poison=1"
|
||||
"page_alloc.shuffle=1"
|
||||
|
|
|
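Review bot: `services.haveged.enable = true;` is now inherited by every profile that imports `security.nix`, including the desktop profile it was removed from in the preceding hunk, so the line deserves a one-line why-comment, e.g. `# userspace entropy daemon; kernels from 5.6 onward seed the CRNG themselves, so revisit whether this is still needed`. The enclosing attribute set starts and ends outside the hunk.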
@ -1,21 +1,13 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./security.nix
|
||||
];
|
||||
security.acme.email = "admin@cyplo.dev";
|
||||
security.acme.acceptTerms = true;
|
||||
security.forcePageTableIsolation = true;
|
||||
security.protectKernelImage = true;
|
||||
security.apparmor.enable = true;
|
||||
security.lockKernelModules = true;
|
||||
|
||||
services.haveged.enable = true;
|
||||
services.fail2ban.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
knockknock
|
||||
];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "prohibit-password";
|
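Review bot: `permitRootLogin = "prohibit-password";` on the new side still allows root SSH logins with a key; unless a root key is deliberately provisioned for these servers, `permitRootLogin = "no";` is the tighter setting, and either way the reason for the chosen value belongs in a comment next to it. The +/- markers are lost in this rendering, so it cannot be told which of `security.protectKernelImage`, `security.lockKernelModules`, `services.fail2ban.enable` and the `knockknock` package were dropped from this file; if they were removed as part of the move into `./security.nix`, confirm they now appear there, because the `security.nix` hunk above covers only lines 6–12 and lists neither `protectKernelImage` nor `lockKernelModules`. The `services.openssh` block continues past the end of the hunk.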