magpie: add hardening
This commit is contained in:
@@ -27,6 +27,19 @@
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.default_qdisc" = "fq";
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
"kernel.kptr_restrict" = 2;
|
||||
"kernel.dmesg_restrict" = 1;
|
||||
"kernel.kexec_load_disabled" = 1;
|
||||
"kernel.yama.ptrace_scope" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.conf.all.log_martians" = 1;
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
};
|
||||
|
||||
boot.initrd = {
|
||||
@@ -49,7 +62,7 @@
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
users.users.root.initialHashedPassword = "";
|
||||
users.users.root.hashedPassword = "!";
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
(builtins.readFile ../nixy/ssh_pubkey)
|
||||
];
|
||||
@@ -108,10 +121,14 @@
|
||||
certificateScheme = "acme-nginx";
|
||||
};
|
||||
|
||||
services.journald.extraConfig = ''SystemMaxUse=50M '';
|
||||
services.journald.extraConfig = ''SystemMaxUse=500M '';
|
||||
services.logind.settings.Login = { KillUserProcesses = true; };
|
||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings = {
|
||||
PermitRootLogin = "prohibit-password";
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
};
|
||||
services.openssh.listenAddresses = [
|
||||
{
|
||||
addr = "10.100.0.1"; # wireguard
|
||||
@@ -119,6 +136,13 @@
|
||||
}
|
||||
];
|
||||
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
ignoreIP = [ "10.100.0.0/24" ];
|
||||
};
|
||||
|
||||
services.opendkim = {
|
||||
enable = true;
|
||||
selector = "mail";
|
||||
@@ -308,6 +332,12 @@
|
||||
defaults.email = "asmir.abdulahovic@gmail.com";
|
||||
};
|
||||
|
||||
security.sudo.execWheelOnly = true;
|
||||
|
||||
environment.memoryAllocator.provider = "jemalloc";
|
||||
|
||||
systemd.coredump.enable = false;
|
||||
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
secrets = {
|
||||
@@ -341,14 +371,13 @@
|
||||
80
|
||||
443
|
||||
587
|
||||
2049
|
||||
]; # http, mail, mail, nfs
|
||||
]; # http, https, submission
|
||||
allowedUDPPorts = [
|
||||
443
|
||||
51820
|
||||
]; # mail, wireguard
|
||||
]; # http3, wireguard
|
||||
allowPing = true;
|
||||
logRefusedConnections = lib.mkDefault false;
|
||||
logRefusedConnections = lib.mkDefault true;
|
||||
};
|
||||
|
||||
networking.nat = {
|
||||
|
||||
Reference in New Issue
Block a user