
4 Commits

3 changed files with 1 additions and 8 deletions


@ -174,7 +174,6 @@
extraConfig = "return 444;"; extraConfig = "return 444;";
}; };
# TODO: upstream
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = { systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
@ -211,8 +210,6 @@
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
# "~@privileged"
# "~@resources"
]; ];
}; };
}; };
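Review bot: The `SystemCallFilter` for `systemd.services.logrotate` is left as the bare `"@system-service"` allow-list, and deleting the commented `"~@privileged"` / `"~@resources"` entries removes the only record that a tighter filter was considered; the second file's `SystemCallFilter` gets the same removal. `@system-service` still admits the chown and setuid call groups, so if the deny groups were tried and broke rotation, record that in a comment such as `# "~@privileged" breaks chown/setuid needed for rotated files; "~@resources" untested`. If they were never tested, running the unit once with them enabled and `SystemCallErrorNumber = "EPERM";` would show whether they can stay. Whether logrotate here actually needs those calls is not visible in the hunk, and the attribute set starts above it.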


@ -31,7 +31,7 @@ in
PrivateMounts = true; PrivateMounts = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; # Needed to read passwords from /run maybe? ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
@ -45,8 +45,6 @@ in
KeyringMode = "private"; KeyringMode = "private";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
# "~@privileged"
# "~@resources"
]; ];
}; };
}); });
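Review bot: The open question on the `ProtectHome = true;` line is deleted rather than answered, so a later reader cannot tell whether the concern about reading passwords was resolved. `ProtectHome=true` makes /home, /root and /run/user inaccessible and leaves the rest of /run alone, so I would keep a short factual comment instead, e.g. `ProtectHome = true; # hides /home, /root, /run/user only; secrets elsewhere under /run stay readable`. Where this unit's secrets actually live is not shown in the hunk, so confirm the path before wording it as fact. The service definition starts and ends outside the lines shown.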


@ -71,8 +71,6 @@ in {
AmbientCapabilities = [ "" ]; AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ]; DeviceAllow = [ "" ];
# IPAddressDeny = [ "any" ];
# IPAddressAllow = [ ];
LockPersonality = true; LockPersonality = true;
NoNewPrivileges = true; NoNewPrivileges = true;
# MemoryDenyWriteExecute = true; # MemoryDenyWriteExecute = true;
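Review bot: Dropping the commented `IPAddressDeny` / `IPAddressAllow` lines leaves this unit with no stated decision on network access, while `# MemoryDenyWriteExecute = true;` stays commented out with no reason given. The unit already empties `CapabilityBoundingSet`, `AmbientCapabilities` and `DeviceAllow`, so if it never needs the network the consistent choice is to enable `IPAddressDeny = [ "any" ];` rather than delete it. If it does need the network, a one-line comment naming the peer it talks to would do. The same applies to `MemoryDenyWriteExecute`: either enable it or note what breaks, e.g. `# MemoryDenyWriteExecute breaks <component>; see <issue>`. Which service this is cannot be seen from the hunk, and the attribute set continues outside it.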