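# Host hardening module: pulls in the per-topic submodules listed under
# `imports` and layers kernel sysctls, PAM limits, login policy and a few
# /etc files on top of them. Module arguments are the usual NixOS ones.
{
  lib,
  pkgs,
  config,
  ...
}:

{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
    ./encrypt-dns.nix
    ./filesystem-deny-mount.nix
  ];

  # Alternative boot entry for when the application firewall or the MAC layer
  # gets in the way; everything else in this module still applies there.
  specialisation.unhardened.configuration = {
    services.opensnitch.enable = lib.mkForce false;
    security.apparmor.enable = lib.mkForce false;
  };

  systemd.oomd.enable = false;

  boot.kernel.sysctl = {
    # Do not accept IPv6 router advertisements.
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;

    # Neither emit nor honour ICMP redirects. `all` and `default` are always
    # set as a pair so interfaces created after boot get the same policy.
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;

    # Reject source-routed packets on both address families.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;

    # Log packets with impossible source addresses; ignore broadcast pings.
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;

    # Strict reverse-path filtering (1 = strict; drops asymmetrically routed
    # traffic, which is acceptable on a single-homed host).
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;

    # Never write core dumps for set-uid processes.
    "fs.suid_dumpable" = 0;
  };

  # /etc/motd mirrors the users.motd text set further down.
  environment.etc."motd" = { text = config.users.motd; mode = "644"; };

  # Hard core-file limit of 0 for every user. This goes through
  # security.pam.loginLimits because pam_limits reads
  # /etc/security/limits.conf, which NixOS generates from this option; a
  # hand-written /etc/limits.conf is not consulted by PAM.
  security.pam.loginLimits = [
    { domain = "*"; type = "hard"; item = "core"; value = "0"; }
  ];

  # TCP-wrapper policy. hosts_access(5) consults hosts.allow, then hosts.deny,
  # and permits anything neither file matches, so with hosts.deny empty the
  # "ALL: LOCAL" entry does not restrict anything by itself.
  # NOTE(review): if remote clients are meant to be refused by the wrappers,
  # hosts.deny needs an "ALL: ALL" entry; check which services on this host
  # actually link against libwrap before tightening, since that would also
  # affect remote administration.
  environment.etc."hosts.allow" = { text = "ALL: LOCAL"; mode = "644"; };
  environment.etc."hosts.deny" = { text = ""; mode = "644"; };

  # Pre-login banners for local consoles (issue) and network logins (issue.net).
  environment.etc."issue" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
  environment.etc."issue.net" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };

  # Kept disabled: these would create backup-style symlinks (/etc/passwd- etc.)
  # pointing at the live account files.
  # systemd.tmpfiles.rules = [
  #   "L+ /etc/passwd- 0644 root root - /etc/passwd"
  #   "L+ /etc/shadow- 0644 root root - /etc/shadow"
  #   "L+ /etc/group- 0644 root root - /etc/group"
  #   "L+ /etc/gshadow- 0644 root root - /etc/gshadow"
  # ];

  users.motd = "welcome to grimms paranoid box";

  # Password ageing and hashing policy written to login.defs.
  # PASS_MAX_DAYS is intentionally left unset (no forced rotation).
  security.loginDefs.settings = {
    # PASS_MAX_DAYS = 365;
    PASS_MIN_DAYS = 7;
    PASS_WARN_AGE = 14;
    ENCRYPT_METHOD = "SHA512";
  };

  systemd.tpm2.enable = false;
  # No unauthenticated emergency shell when boot fails.
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  # NOTE(review): presumably name resolution is provided by ./encrypt-dns.nix
  # instead of systemd-resolved — verify that module supplies a resolver.
  services.resolved.enable = false;

  # Deliberate deviations from the NixOS hardened profile, which turns both of
  # these off. Unprivileged user namespaces enlarge the kernel attack surface
  # reachable by ordinary users and SMT keeps sibling-thread side channels
  # open; both are usually kept for sandboxing tools and performance.
  # NOTE(review): confirm something on this box actually needs them.
  security.unprivilegedUsernsClone = true;
  security.apparmor.enable = true;
  security.allowSimultaneousMultithreading = true;

  # Drop NixOS's default package set and install only what is listed here.
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano clamav linux-bench ];
}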