some systemd hardening #67

oysteikt · 2024-08-22T23:03:40+02:00

oysteikt commented

2024-08-22 23:03:40 +02:00

Most of these should probably be upstreamed at some point, but let's dogfood a bit first. I'll create a new issue about upstreaming once this gets merged.

TODO:

~~- [ ] Is there anything more we can do with thermald? I'm unsure exactly what it does, so I've left out a bunch of options that I was unsure about~~

Most of these should probably be upstreamed at some point, but let's dogfood a bit first. I'll create a new issue about upstreaming once this gets merged. **TODO:** <s>- [ ] Is there anything more we can do with thermald? I'm unsure exactly what it does, so I've left out a bunch of options that I was unsure about</s>

oysteikt added 4 commits 2024-08-22 23:03:41 +02:00

cf3b62e01e

bekkalokk/phpfpm-*: systemd hardening

945d53cdb4

bekkalokk/vaultwarden: systemd hardening

ef418bf125

base/logrotate: systemd hardening + more

44b8c9d4a3

WIP: base/thermald: systemd hardening

danio commented

2024-08-24 16:16:31 +02:00

Thermald er en userspace greie som setter p-states og greier for å nå temperatur/performance mål. Det er siginifikant på nyere intel cpuer, men jeg tviler egentlig litt på at vi har noe hardware som drar spesielt nytte av det.

oysteikt commented

2024-08-26 18:34:52 +02:00

I'll drop the hardening for thermald here just to get the PR through, but maybe droppin the entire thing should be discussed in another issue (or I might just create a PR dropping thermald)

oysteikt force-pushed some-systemd-hardening from 44b8c9d4a3 to ef418bf125

2024-08-26 19:18:09 +02:00

Compare

oysteikt changed title from ~~WIP: some systemd hardening~~ to some systemd hardening

2024-08-26 19:18:25 +02:00

felixalb approved these changes 2024-08-26 20:21:46 +02:00

felixalb left a comment

I would like a few internet-exposed services, such as postgresql, as well, but at least noone can rotate our logs with malice anymore.

Looks Glockenspiel To Me 🚀

I would like a few internet-exposed services, such as postgresql, as well, but at least noone can rotate our logs with malice anymore. Looks Glockenspiel To Me 🚀

oysteikt commented

2024-08-26 20:23:59 +02:00

hehe, rotates with ill intent


R = \begin{bmatrix}
\cos \theta & -\sin \theta \\  
\sin \theta & \cos 😈
\end{bmatrix}

<small>hehe, *rotates with ill intent*</small> $$ R = \begin{bmatrix} \cos \theta & -\sin \theta \\ \sin \theta & \cos 😈 \end{bmatrix} $$

oysteikt merged commit ef418bf125 into main

2024-08-26 20:25:16 +02:00

oysteikt deleted branch some-systemd-hardening

2024-08-26 20:25:16 +02:00

Sign in to join this conversation.

No reviewers

No Label

No Milestone

No Assignees

3 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Drift/pvv-nixos-config#67