refactor server security
parent
304a1f7ce1
commit
5cda9a116c
5 changed files with 4 additions and 13 deletions
@ -3,7 +3,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
./brix-boot.nix
|
./brix-boot.nix
|
||||||
./real-hardware.nix
|
./real-hardware.nix
|
||||||
../security.nix
|
../../server-security.nix
|
||||||
../cli.nix
|
../cli.nix
|
||||||
../vpn.nix
|
../vpn.nix
|
||||||
./restic-server.nix
|
./restic-server.nix
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
./vultr-boot.nix
|
./vultr-boot.nix
|
||||||
../vpn.nix
|
../vpn.nix
|
||||||
../security.nix
|
../../server-security.nix
|
||||||
../cli.nix
|
../cli.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./search.nix
|
./search.nix
|
||||||
|
|
|
@ -38,8 +38,6 @@
|
||||||
|
|
||||||
fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ];
|
fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ];
|
||||||
|
|
||||||
services.haveged.enable = true;
|
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
autoOptimiseStore = true;
|
autoOptimiseStore = true;
|
||||||
daemonIONiceLevel = 7;
|
daemonIONiceLevel = 7;
|
||||||
|
|
|
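Review bot: Dropping `services.haveged.enable = true;` from this file is only behaviour-preserving for hosts whose configuration also imports the security.nix that gains the same line in the fourth hunk; nothing in this hunk (fonts, nix daemon settings) shows that this file imports it. A host that includes this file without security.nix or server-security.nix would silently lose the entropy daemon. Worth checking the importers of this file, or keeping the line here until they all pull in security.nix.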
@ -6,6 +6,7 @@
|
||||||
security.forcePageTableIsolation = true;
|
security.forcePageTableIsolation = true;
|
||||||
security.virtualisation.flushL1DataCache = "always";
|
security.virtualisation.flushL1DataCache = "always";
|
||||||
security.apparmor.enable = true;
|
security.apparmor.enable = true;
|
||||||
|
services.haveged.enable = true;
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
"page_poison=1"
|
"page_poison=1"
|
||||||
"page_alloc.shuffle=1"
|
"page_alloc.shuffle=1"
|
||||||
|
|
|
@ -1,21 +1,13 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./security.nix
|
||||||
];
|
];
|
||||||
security.acme.email = "admin@cyplo.dev";
|
security.acme.email = "admin@cyplo.dev";
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.forcePageTableIsolation = true;
|
|
||||||
security.protectKernelImage = true;
|
|
||||||
security.apparmor.enable = true;
|
|
||||||
security.lockKernelModules = true;
|
|
||||||
|
|
||||||
services.haveged.enable = true;
|
|
||||||
services.fail2ban.enable = true;
|
services.fail2ban.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
knockknock
|
|
||||||
];
|
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
permitRootLogin = "prohibit-password";
|
permitRootLogin = "prohibit-password";
|
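Review bot: Removing `security.protectKernelImage = true;`, `security.lockKernelModules = true;` and the `knockknock` package from this file is not a pure move: the diffstat's four additions are all visible in this commit (two import paths, the haveged line, and the `./security.nix` import here), so none of these three is added anywhere else. They survive only if the imported security.nix already sets them above its changed hunk, which starts at line 6 and is not shown; if it does not, a commit titled "refactor" silently weakens the server hardening. If they are meant to stay, add `security.protectKernelImage = true;` and `security.lockKernelModules = true;` to security.nix and either re-add `knockknock` to systemPackages or say in the commit message that it is being dropped. The `services.openssh` block continues past the end of the hunk.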