nixos/profiles/server: remove hardened-config
submodule
We're also moving it to a profiles module à la nixpkgs.
This commit is contained in:
parent
fc3f7eb7c7
commit
d5c5ac2f0c
@ -55,7 +55,6 @@
|
|||||||
|
|
||||||
profiles.server = {
|
profiles.server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hardened-config.enable = true;
|
|
||||||
cleanup.enable = true;
|
cleanup.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -9,7 +9,6 @@ in
|
|||||||
{
|
{
|
||||||
options.profiles.server = {
|
options.profiles.server = {
|
||||||
enable = lib.mkEnableOption "server-related settings";
|
enable = lib.mkEnableOption "server-related settings";
|
||||||
hardened-config.enable = lib.mkEnableOption "additional hardened configuration for NixOS systems";
|
|
||||||
cleanup.enable = lib.mkEnableOption "cleanup service for the system";
|
cleanup.enable = lib.mkEnableOption "cleanup service for the system";
|
||||||
auto-upgrade.enable = lib.mkEnableOption "unattended system upgrades";
|
auto-upgrade.enable = lib.mkEnableOption "unattended system upgrades";
|
||||||
};
|
};
|
||||||
@ -70,32 +69,6 @@ in
|
|||||||
i18n.supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
|
i18n.supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
|
||||||
})
|
})
|
||||||
|
|
||||||
# Most of the things here are based from the Securing Debian document.
|
|
||||||
(lib.mkIf cfg.hardened-config.enable {
|
|
||||||
# Don't replace it mid-way! DON'T TURN LEFT!!!!
|
|
||||||
security.protectKernelImage = true;
|
|
||||||
|
|
||||||
# Hardened config equals hardened kernel.
|
|
||||||
boot.kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_6_6_hardened;
|
|
||||||
|
|
||||||
# Be STRICT! MUAHAHAHAHA!!!!
|
|
||||||
services.fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
bantime-increment = {
|
|
||||||
enable = true;
|
|
||||||
factor = "4";
|
|
||||||
maxtime = "24h";
|
|
||||||
overalljails = true;
|
|
||||||
};
|
|
||||||
extraPackages = with pkgs; [ ipset ];
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
|
||||||
# Disable system console entirely. We don't need it so get rid of it.
|
|
||||||
"kernel.sysrq" = 0;
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(lib.mkIf cfg.auto-upgrade.enable {
|
(lib.mkIf cfg.auto-upgrade.enable {
|
||||||
system.autoUpgrade = {
|
system.autoUpgrade = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
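--- /dev/null
+++ b/modules/nixos/profiles/hardened.nix
@@ -0,0 +1,18 @@
+# A extended hardened configuration from nixpkgs for desktop and server
+# systems.
+{ pkgs, lib, modulesPath, ... }:
+
+{
+imports = [
+"${modulesPath}/profiles/hardened.nix"
+];
+
+# Don't replace it mid-way! DON'T TURN LEFT!!!!
+security.protectKernelImage = true;
+
+# Hardened config equals hardened kernel.
+boot.kernelPackages = lib.mkOverride 500 pkgs.linuxKernel.packages.linux_6_6_hardened;
+
+# Disable system console entirely. We don't need it so get rid of it.
+boot.kernel.sysctl."kernel.sysrq" = 0;
+}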
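Review bot: The comment above `boot.kernel.sysctl."kernel.sysrq" = 0;` says it disables the system console, but that sysctl only turns off the magic SysRq key combinations; the console itself is untouched, so a reader could wrongly conclude console access has been closed off — suggest `# Disable the magic SysRq key entirely; we don't need it.`. The `services.fail2ban` block (with its bantime-increment settings) that the earlier hunk removes from the server profile's hardened-config is not carried into this file, so a host that moves from `hardened-config.enable` to this profile loses fail2ban unless it is configured elsewhere; if that is intentional it deserves a line in the commit message, and if not it belongs here or in the server profile. `lib.mkOverride 500` correctly beats the `mkDefault` kernel choice made by the imported nixpkgs hardened profile while still yielding to a plain host-level assignment, which appears to be the intent, but pinning the `linux_6_6_hardened` series means this file has to be bumped by hand when 6.6 leaves support, whereas `pkgs.linuxPackages_hardened` (what the nixpkgs profile itself defaults to) tracks that upstream.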