cschmatzler/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

harden

Browse Source
This commit is contained in:
Christoph Schmatzler
2026-01-24 09:08:55 +00:00
parent 139b1defe7
commit aa322301fb
4 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/tahani/default.nix
View File

@@ -52,6 +52,8 @@
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
users.users.${user}.extraGroups = ["docker"];
swapDevices = [ swapDevices = [
{ {
device = "/swapfile"; device = "/swapfile";

2
hosts/tahani/networking.nix
View File

@@ -11,7 +11,7 @@
nameservers = ["1.1.1.1"]; nameservers = ["1.1.1.1"];
firewall = { firewall = {
enable = true; enable = true;
trustedInterfaces = ["eno1" "tailscale0"]; trustedInterfaces = ["tailscale0"];
allowedUDPPorts = [config.services.tailscale.port]; allowedUDPPorts = [config.services.tailscale.port];
allowedTCPPorts = [22]; allowedTCPPorts = [22];
checkReversePath = "loose"; checkReversePath = "loose";

1
profiles/nixos.nix
View File

@@ -65,7 +65,6 @@
"sudo" "sudo"
"network" "network"
"systemd-journal" "systemd-journal"
"docker"
]; ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = constants.sshKeys; openssh.authorizedKeys.keys = constants.sshKeys;

2
profiles/openssh.nix
View File

@@ -2,7 +2,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PermitRootLogin = "prohibit-password"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
}; };
}; };