nixos/profiles/server: remove hardened-config submodule

We're also moving it to a profiles module ala-nixpkgs.
2025-02-07 06:19:00 +00:00 · 2024-01-22 12:21:37 +08:00 · 2024-01-22 12:21:37 +08:00 · d5c5ac2f0c
commit d5c5ac2f0c
parent fc3f7eb7c7
3 changed files with 18 additions and 28 deletions
--- a/configs/nixos/plover/default.nix
+++ b/configs/nixos/plover/default.nix
@ -55,7 +55,6 @@

  profiles.server = {
    enable = true;
-    hardened-config.enable = true;
    cleanup.enable = true;
  };

--- a/modules/nixos/_private/profiles/server.nix
+++ b/modules/nixos/_private/profiles/server.nix
@ -9,7 +9,6 @@ in
 {
  options.profiles.server = {
    enable = lib.mkEnableOption "server-related settings";
-    hardened-config.enable = lib.mkEnableOption "additional hardened configuration for NixOS systems";
    cleanup.enable = lib.mkEnableOption "cleanup service for the system";
    auto-upgrade.enable = lib.mkEnableOption "unattended system upgrades";
  };
@ -70,32 +69,6 @@ in
      i18n.supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
    })

-    # Most of the things here are based from the Securing Debian document.
-    (lib.mkIf cfg.hardened-config.enable {
-      # Don't replace it mid-way! DON'T TURN LEFT!!!!
-      security.protectKernelImage = true;
-
-      # Hardened config equals hardened kernel.
-      boot.kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_6_6_hardened;
-
-      # Be STRICT! MUAHAHAHAHA!!!!
-      services.fail2ban = {
-        enable = true;
-        bantime-increment = {
-          enable = true;
-          factor = "4";
-          maxtime = "24h";
-          overalljails = true;
-        };
-        extraPackages = with pkgs; [ ipset ];
-      };
-
-      boot.kernel.sysctl = {
-        # Disable system console entirely. We don't need it so get rid of it.
-        "kernel.sysrq" = 0;
-      };
-    })
-
    (lib.mkIf cfg.auto-upgrade.enable {
      system.autoUpgrade = {
        enable = true;
--- a/modules/nixos/profiles/hardened.nix
+++ b/modules/nixos/profiles/hardened.nix
@ -0,0 +1,18 @@
+# A extended hardened configuration from nixpkgs for desktop and server
+# systems.
+{ pkgs, lib, modulesPath, ... }:
+
+{
+  imports = [
+    "${modulesPath}/profiles/hardened.nix"
+  ];
+
+  # Don't replace it mid-way! DON'T TURN LEFT!!!!
+  security.protectKernelImage = true;
+
+  # Hardened config equals hardened kernel.
+  boot.kernelPackages = lib.mkOverride 500 pkgs.linuxKernel.packages.linux_6_6_hardened;
+
+  # Disable system console entirely. We don't need it so get rid of it.
+  boot.kernel.sysctl."kernel.sysrq" = 0;
+}