refactor server security

Cyryl Płotnicki 2021-06-12 14:19:19 +01:00
parent 304a1f7ce1
commit 5cda9a116c
5 changed files with 4 additions and 13 deletions


@ -3,7 +3,7 @@
imports = [ imports = [
./brix-boot.nix ./brix-boot.nix
./real-hardware.nix ./real-hardware.nix
../security.nix ../../server-security.nix
../cli.nix ../cli.nix
../vpn.nix ../vpn.nix
./restic-server.nix ./restic-server.nix


@ -5,7 +5,7 @@
imports = [ imports = [
./vultr-boot.nix ./vultr-boot.nix
../vpn.nix ../vpn.nix
../security.nix ../../server-security.nix
../cli.nix ../cli.nix
./nginx.nix ./nginx.nix
./search.nix ./search.nix


@ -38,8 +38,6 @@
fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ]; fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka font-awesome nerdfonts ];
services.haveged.enable = true;
nix = { nix = {
autoOptimiseStore = true; autoOptimiseStore = true;
daemonIONiceLevel = 7; daemonIONiceLevel = 7;


@ -6,6 +6,7 @@
security.forcePageTableIsolation = true; security.forcePageTableIsolation = true;
security.virtualisation.flushL1DataCache = "always"; security.virtualisation.flushL1DataCache = "always";
security.apparmor.enable = true; security.apparmor.enable = true;
services.haveged.enable = true;
boot.kernelParams = [ boot.kernelParams = [
"page_poison=1" "page_poison=1"
"page_alloc.shuffle=1" "page_alloc.shuffle=1"
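Review bot: The added `services.haveged.enable = true;` is now the only place on this page where the entropy daemon is enabled, since the same line is deleted from the other two files in this commit, so a host that does not import this module loses it silently. The last file section on this page also drops its `./security.nix` import, so whether the server hosts still reach this line depends on an import path not visible here and is worth confirming before merging. A short comment next to the new line would make the dependency explicit, for example `# haveged is enabled only here; every host must import this module to keep it.`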


@ -1,21 +1,13 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./security.nix
]; ];
security.acme.email = "admin@cyplo.dev"; security.acme.email = "admin@cyplo.dev";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.forcePageTableIsolation = true;
security.protectKernelImage = true;
security.apparmor.enable = true;
security.lockKernelModules = true;
services.haveged.enable = true;
services.fail2ban.enable = true; services.fail2ban.enable = true;
environment.systemPackages = with pkgs; [
knockknock
];
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "prohibit-password"; permitRootLogin = "prohibit-password";