From e6e3dc85f6b144028a2d894cec853f2ff38fb766 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Tue, 29 Nov 2022 21:05:42 +0800 Subject: [PATCH] profiles/server: init module --- hosts/plover/default.nix | 17 ++-- modules/nixos/profiles/desktop.nix | 26 ------ modules/nixos/profiles/server.nix | 122 +++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+), 38 deletions(-) create mode 100644 modules/nixos/profiles/server.nix diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index ccd0f120..bccafd39 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -99,11 +99,6 @@ in }; }; - services.openssh = { - enable = true; - passwordAuthentication = false; - }; - # Enable database services that is used in all of the services here so far. services.postgresql = { enable = true; @@ -119,13 +114,11 @@ in ]; }; - # Time to harden... - profiles.desktop.hardened-config.enable = true; - - # Generate them certificates. - security.acme = { - acceptTerms = true; - defaults.email = "admin@foodogsquared.one"; + profiles.server = { + enable = true; + headless.enable = true; + hardened-config.enable = true; + cleanup.enable = true; }; # Some additional dependencies for this system. diff --git a/modules/nixos/profiles/desktop.nix b/modules/nixos/profiles/desktop.nix index 9bb015d5..f4315fd7 100644 --- a/modules/nixos/profiles/desktop.nix +++ b/modules/nixos/profiles/desktop.nix @@ -23,7 +23,6 @@ in { default = pkgs.wineWowPackages.stable; }; }; - hardened-config.enable = lib.mkEnableOption "hardened configuration primarily intended for servers"; }; config = lib.mkIf cfg.enable (lib.mkMerge [ 
@@ -236,30 +235,5 @@ in {
 bottles # PlayOnLinux but better. :>
 ];
 })
-
- # The profile intended to be used for servers. Most of the things here are
- based from the Securing Debian document.
- (lib.mkIf cfg.hardened-config.enable {
- # Don't replace it mid-way! DON'T TURN LEFT!!!!
- security.protectKernelImage = true;
-
- # Hardened config equals hardened kernel.
- boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_0_hardened;
-
- # Be STRICT! MUAHAHAHAHA!!!!
- services.fail2ban = {
- enable = true;
- bantime-increment = {
- enable = true;
- factor = "4";
- maxtime = "24h";
- };
- };
-
- boot.kernel.sysctl = {
- # Disable system console entirely. We don't need it so get rid of it.
- "kernel.sysrq" = 0;
- };
- })
 ]);
 }
diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix
new file mode 100644
index 00000000..a1697690
--- /dev/null
+++ b/modules/nixos/profiles/server.nix
@@ -0,0 +1,122 @@
+# All of the settings related to server systems.
+{ config, options, lib, pkgs, ... }:
+
+let
+ cfg = config.profiles.server;
+in
+{
+ options.profiles.server = {
+ enable = lib.mkEnableOption "server-related settings";
+ headless.enable = lib.mkEnableOption "configuration for headless servers";
+ hardened-config.enable = lib.mkEnableOption "additional hardened configuration for NixOS systems";
+ cleanup.enable = lib.mkEnableOption "cleanup service for the system";
+ };
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ ({
+ assertions = [{
+ assertion =
+ !config.profiles.desktop.enable || !config.profiles.server.enable;
+ message = ''
+ Desktop profile is also enabled. The profiles `desktop` and `server`
+ are mutually exclusive.
+ '';
+ }];
+
+ # Most servers will have to be accessed for debugging so it is here. But
+ # be sure to set the appropriate public keys for the users from that
+ # server.
+ services.openssh = lib.mkDefault {
+ enable = true;
+
+ # Both are good for hardening as it only requires the keyfiles.
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
+
+ # Most of the servers will be deployed with outside access in mind so
+ # generate them certificates. Anything with a private network, ehh... so
+ # just set it off.
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@foodogsquared.one";
+ };
+
+ # We're only going to deal with servers in English.
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.supportedLocales = [ config.i18n.defaultLocale ];
+ })
+
+ # We're only covering the most basic settings here.
+ (lib.mkIf cfg.headless.enable {
+ # So does sounds...
+ sound.enable = false;
+
+ # ...and Bluetooth because it's so insecure.
+ hardware.bluetooth.enable = false;
+
+ # And other devices...
+ hardware.opentabletdriver.enable = false;
+ services.printing.enable = false;
+ })
+
+ # Most of the things here are based from the Securing Debian document.
+ (lib.mkIf cfg.hardened-config.enable {
+ # Don't replace it mid-way! DON'T TURN LEFT!!!!
+ security.protectKernelImage = true;
+
+ # Hardened config equals hardened kernel.
+ boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_0_hardened;
+
+ # Be STRICT! MUAHAHAHAHA!!!!
+ services.fail2ban = {
+ enable = true;
+ bantime-increment = {
+ enable = true;
+ factor = "4";
+ maxtime = "24h";
+ };
+ };
+
+ boot.kernel.sysctl = {
+ # Disable system console entirely. We don't need it so get rid of it.
+ "kernel.sysrq" = 0;
+ };
+ })
+
+ (lib.mkIf cfg.cleanup.enable {
+ # Weekly garbage collection of Nix store. Unlike in the desktop config,
+ # this has looser requirements for the store items age for up to 21 days
+ # older.
+ nix.gc = {
+ automatic = true;
+ persistent = true;
+ dates = "weekly";
+ options = "--delete-older-than 21d";
+ };
+
+ # Run the optimizer.
+ nix.optimise = {
+ automatic = true;
+ dates = [ "weekly" ];
+ };
+
+ # Journals cleanup every week.
+ systemd.services.cleanup-logs = {
+ description = "Weekly log cleanup";
+ documentation = [ "man:journalctl(1)" ];
+ script = "${pkgs.systemd}/bin/journalctl --vacuum-time=30d";
+ };
+
+ systemd.timers.clean-log = {
+ description = "Weekly log cleanup";
+ documentation = [ "man:journalctl(1)" ];
+ wantedBy = [ "multi-user.target" ];
+ timerConfig = {
+ OnCalendar = "weekly";
+ Persistent = true;
+ };
+ };
+ })
+ ]);
+}
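Review bot: The timer at `systemd.timers.clean-log` never activates the vacuum job, because a timer with no `timerConfig.Unit` triggers the service of the same name and the service is declared as `systemd.services.cleanup-logs`; renaming the timer to `systemd.timers.cleanup-logs = {` makes the weekly journal cleanup actually run. The `services.openssh` block disables password authentication but leaves keyboard-interactive authentication at its default, which on a PAM-enabled sshd still permits password-based logins, so the comment's claim that only key files are accepted does not hold until `kbdInteractiveAuthentication = false;` is added next to `passwordAuthentication = false;`. `i18n.supportedLocales = [ config.i18n.defaultLocale ]` drops the `/UTF-8` charset suffix that the NixOS default list carries (`en_US.UTF-8/UTF-8`) and also removes `C.UTF-8`; confirm the locale archive still builds with that value. Pinning `boot.kernelPackages` to `linux_6_0_hardened` will silently stop receiving security updates once that branch is dropped from nixpkgs, whereas `pkgs.linuxPackages_hardened` tracks the currently maintained hardened kernel.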