From 5cda9a116c67589668290293c600124b55b80e86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?= Date: Sat, 12 Jun 2021 14:19:19 +0100 Subject: [PATCH] refactor server security --- nixos/boxes/brix/default.nix | 2 +- nixos/boxes/vultr1/default.nix | 2 +- nixos/common.nix | 2 -- nixos/security.nix | 1 + nixos/{boxes/security.nix => server-security.nix} | 10 +--------- 5 files changed, 4 insertions(+), 13 deletions(-) rename nixos/{boxes/security.nix => server-security.nix} (84%) diff --git a/nixos/boxes/brix/default.nix b/nixos/boxes/brix/default.nix index 3d3caf3e..3cc50923 100644 --- a/nixos/boxes/brix/default.nix +++ b/nixos/boxes/brix/default.nix @@ -3,7 +3,7 @@ imports = [ ./brix-boot.nix ./real-hardware.nix - ../security.nix + ../../server-security.nix ../cli.nix ../vpn.nix ./restic-server.nix diff --git a/nixos/boxes/vultr1/default.nix b/nixos/boxes/vultr1/default.nix index f159b87a..75a3ac36 100644 --- a/nixos/boxes/vultr1/default.nix +++ b/nixos/boxes/vultr1/default.nix @@ -5,7 +5,7 @@ imports = [ ./vultr-boot.nix ../vpn.nix - ../security.nix + ../../server-security.nix ../cli.nix ./nginx.nix ./search.nix diff --git a/nixos/common.nix b/nixos/common.nix index 668d610a..73e18fe3 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -38,8 +38,6 @@ fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ]; - services.haveged.enable = true; - nix = { autoOptimiseStore = true; daemonIONiceLevel = 7; diff --git a/nixos/security.nix b/nixos/security.nix index c38d33f7..ade00546 100644 --- a/nixos/security.nix +++ b/nixos/security.nix @@ -6,6 +6,7 @@ security.forcePageTableIsolation = true; security.virtualisation.flushL1DataCache = "always"; security.apparmor.enable = true; + services.haveged.enable = true; boot.kernelParams = [ "page_poison=1" "page_alloc.shuffle=1" diff --git a/nixos/boxes/security.nix b/nixos/server-security.nix similarity index 84% rename from nixos/boxes/security.nix rename to nixos/server-security.nix index d8a1df51..03ced51d 100644 --- a/nixos/boxes/security.nix +++ b/nixos/server-security.nix @@ -1,21 +1,13 @@ { config, pkgs, ... }: { imports = [ + ./security.nix ]; security.acme.email = "admin@cyplo.dev"; security.acme.acceptTerms = true; - security.forcePageTableIsolation = true; - security.protectKernelImage = true; - security.apparmor.enable = true; - security.lockKernelModules = true; - services.haveged.enable = true; services.fail2ban.enable = true; - environment.systemPackages = with pkgs; [ - knockknock - ]; - services.openssh = { enable = true; permitRootLogin = "prohibit-password";