chore: security hardening

winston 2024-09-18 23:32:50 +02:00
parent af3dc8b59e
commit e94b793bc7
Signed by: winston
GPG key ID: 3786770EDBC2B481
4 changed files with 20 additions and 9 deletions


@ -9,7 +9,14 @@
openssh = {
enable = true;
openFirewall = true;
allowSFTP = false;
challengeResponseAuthentication = false;
settings = {
AllowAgentForwarding = false;
AllowStreamLocalForwarding = false;
AllowTcpForwarding = true;
AuthenticationMethods = "publickey";
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
@ -19,7 +26,7 @@
];
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
StreamLocalBindUnlink = "yes";
X11Forwarding = false;
};
};
};
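Review bot: `AllowTcpForwarding = true;` is the one forwarding option this hardening leaves enabled while agent forwarding and stream-local (Unix socket) forwarding are switched off, and nothing records why; a comment such as `# TCP forwarding stays on for <reason>; agent and Unix-socket forwarding are off` above that line would keep a later reader from either tightening it by accident or assuming it was overlooked. `challengeResponseAuthentication = false;` is also set as a top-level `services.openssh` option while the other sshd keys go into `settings`; on recent NixOS that option is, as far as I can tell, a renamed alias that maps onto `settings.KbdInteractiveAuthentication`, so writing `KbdInteractiveAuthentication = false;` inside `settings` would be consistent with the rest of the block and avoid a rename warning. With `AllowStreamLocalForwarding = false` in place, `StreamLocalBindUnlink = "yes";` in the second hunk has nothing left to act on and could be dropped or annotated as deliberate.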


@ -7,10 +7,8 @@
"nix-command"
"flakes"
];
trusted-users = [
"@wheel"
"winston"
];
allowed-users = [ "root" ];
trusted-users = [ "root" ];
};
};
}
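Review bot: `allowed-users = [ "root" ];` goes further than removing `@wheel` and `winston` from `trusted-users`: it refuses nix-daemon connections from every non-root account, so the `winston` user and any unprivileged devShell or deploy session on this host stop being able to evaluate or build at all unless that is the intent. If the goal is only to stop non-root users from being trusted (trusted users are effectively root-equivalent on the daemon), keeping `allowed-users` at its default and setting just `trusted-users = [ "root" ];` is the smaller change; `root` is already in `trusted-users` by default, so that line then mainly documents intent. Either way a one-line comment such as `# only root may talk to the nix daemon; remote deploys must connect as root` would record the decision next to the setting.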


@ -22,8 +22,15 @@
modules = [
{
nixpkgs = {
config.allowUnfree = true;
inherit overlays;
config.allowUnfreePredicate =
pkg:
builtins.elem (nixpkgs.lib.getName pkg) [
"elasticsearch"
"satisfactory-server"
"steamworks-sdk-redist"
"valheim-server"
];
};
}
./hosts/main-node
@ -65,12 +72,10 @@
devShells.default = pkgs.mkShell {
inherit (config.pre-commit.devShell) shellHook;
buildInputs = [
packages = [
inputs'.agenix.packages.agenix
pkgs.age-plugin-yubikey
pkgs.unstable.deploy-rs
pkgs.unstable.nh
pkgs.unstable.nixd
self'.formatter
];
};
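Review bot: The `allowUnfreePredicate` allow-list names four unfree packages without saying which host or service needs each one, so the next person who hits an unfree evaluation error has no guidance beyond appending to the list or restoring `allowUnfree = true`; a comment above `config.allowUnfreePredicate` such as `# unfree packages permitted explicitly; extend this list rather than re-enabling config.allowUnfree` would keep the hardening intact. Matching is by `nixpkgs.lib.getName`, so any version of a listed package is accepted, which is presumably fine here. In the devShell hunk the move from `buildInputs` to `packages` follows the current `mkShell` convention and needs no further change, though the hunk header counts 12 old lines while this rendered view shows fewer, so one removed line seems to be missing from the page rather than from the commit.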


@ -30,6 +30,7 @@ let
Group = "wakapi";
DynamicUser = true;
NoNewPrivileges = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;