refactor server security

2021-06-12 14:19:19 +01:00 · 2021-06-12 14:19:19 +01:00 · 5cda9a116c
commit 5cda9a116c
parent 304a1f7ce1
5 changed files with 4 additions and 13 deletions
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@ -3,7 +3,7 @@
  imports = [
    ./brix-boot.nix
    ./real-hardware.nix
-    ../security.nix
+    ../../server-security.nix
    ../cli.nix
    ../vpn.nix
    ./restic-server.nix
--- a/nixos/boxes/vultr1/default.nix
+++ b/nixos/boxes/vultr1/default.nix
@ -5,7 +5,7 @@
  imports = [
    ./vultr-boot.nix
    ../vpn.nix
-    ../security.nix
+    ../../server-security.nix
    ../cli.nix
    ./nginx.nix
    ./search.nix
--- a/nixos/common.nix
+++ b/nixos/common.nix
@ -38,8 +38,6 @@
    fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ];
    services.haveged.enable = true;
    nix = {
      autoOptimiseStore = true;
      daemonIONiceLevel = 7;
--- a/nixos/security.nix
+++ b/nixos/security.nix
@ -6,6 +6,7 @@
  security.forcePageTableIsolation = true;
  security.virtualisation.flushL1DataCache = "always";
  security.apparmor.enable = true;
  services.haveged.enable = true;
  boot.kernelParams = [
    "page_poison=1"
    "page_alloc.shuffle=1"
--- a/nixos/server-security.nix
+++ b/nixos/server-security.nix
@ -1,21 +1,13 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./security.nix
  ];
  security.acme.email = "admin@cyplo.dev";
  security.acme.acceptTerms = true;
  security.forcePageTableIsolation = true;
  security.protectKernelImage = true;
  security.apparmor.enable = true;
  security.lockKernelModules = true;
  services.haveged.enable = true;
  services.fail2ban.enable = true;
  environment.systemPackages = with pkgs; [
    knockknock
  ];
  services.openssh = {
    enable = true;
    permitRootLogin = "prohibit-password";